appleCdsa.c   [plain text]

/*
 * Copyright (c) 2000-2001,2005-2008,2010-2012 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * appleCdsa.c - CDSA based implementation of sslCrypto.h interfaces.
 */

#include "ssl.h"
#if USE_CDSA_CRYPTO

#include "appleCdsa.h"
#include "sslCrypto.h"

#include "CipherSuite.h"
#include "sslContext.h"
#include "sslMemory.h"
#include "sslUtils.h"
#include "sslDebug.h"
#include "sslBER.h"
#include "ModuleAttacher.h"

#ifndef	_SSL_KEYCHAIN_H_
#include "sslKeychain.h"
#endif

#include <string.h>
#include <stdlib.h>
#include <assert.h>

#include <Security/cssm.h>
#include <Security/cssmapple.h>
#include <Security/Security.h>
#include <Security/SecTrustPriv.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecKeyPriv.h>

/* X.509 includes, from cssmapi */
#include <Security/x509defs.h>         /* x.509 function and type defs */
#include <Security/oidsalg.h>
#include <Security/oidscert.h>

#pragma mark -
#pragma mark Utilities

/*
 * Set up a Raw symmetric key with specified algorithm and key bits.
 */
OSStatus sslSetUpSymmKey(
	CSSM_KEY_PTR	symKey,
	CSSM_ALGORITHMS	alg,
	CSSM_KEYUSE		keyUse, 		// CSSM_KEYUSE_ENCRYPT, etc.
	CSSM_BOOL		copyKey,		// true: copy keyData   false: set by reference
	uint8 			*keyData,
	size_t		keyDataLen)		// in bytes
{
	OSStatus serr;
	CSSM_KEYHEADER *hdr;

	memset(symKey, 0, sizeof(CSSM_KEY));
	if(copyKey) {
		serr = stSetUpCssmData(&symKey->KeyData, keyDataLen);
		if(serr) {
			return serr;
		}
		memmove(symKey->KeyData.Data, keyData, keyDataLen);
	}
	else {
		symKey->KeyData.Data = keyData;
		symKey->KeyData.Length = keyDataLen;
	}

	/* set up the header */
	hdr = &symKey->KeyHeader;
	hdr->BlobType = CSSM_KEYBLOB_RAW;
	hdr->Format = CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING;
	hdr->AlgorithmId = alg;
	hdr->KeyClass = CSSM_KEYCLASS_SESSION_KEY;
	hdr->LogicalKeySizeInBits = keyDataLen * 8;
	hdr->KeyAttr = CSSM_KEYATTR_MODIFIABLE | CSSM_KEYATTR_EXTRACTABLE;
	hdr->KeyUsage = keyUse;
	hdr->WrapAlgorithmId = CSSM_ALGID_NONE;
	return noErr;
}

/*
 * Free a CSSM_KEY - its CSP resources, KCItemRef, and the key itself.
 */
OSStatus sslFreeKey(
	CSSM_CSP_HANDLE		cspHand,
	CSSM_KEY_PTR		*key,		/* so we can null it out */
	#if		ST_KC_KEYS_NEED_REF
	SecKeychainRef	*kcItem)
	#else
	void			*kcItem)
	#endif
{
	assert(key != NULL);

	if(*key != NULL) {
		if(cspHand != 0) {
			CSSM_FreeKey(cspHand, NULL, *key, CSSM_FALSE);
		}
		stAppFree(*key, NULL);		// key mallocd by CL using our callback
		*key = NULL;
	}
	#if		ST_KC_KEYS_NEED_REF
	if((kcItem != NULL) && (*kcItem != NULL)) {
		KCReleaseItem(kcItem);		/* does this NULL the referent? */
		*kcItem = NULL;
	}
	#endif
	return noErr;
}

/*
 * Standard app-level memory functions required by CDSA.
 */
void * stAppMalloc (size_t size, void *allocRef) {
	return( malloc(size) );
}
void stAppFree (void *mem_ptr, void *allocRef) {
	free(mem_ptr);
 	return;
}
void * stAppRealloc (void *ptr, size_t size, void *allocRef) {
	return( realloc( ptr, size ) );
}
void * stAppCalloc (uint32_t num, size_t size, void *allocRef) {
	return( calloc( num, size ) );
}

/*
 * Ensure there's a connection to ctx->cspHand. If there
 * already is one, fine.
 * Note that as of 12/18/00, we assume we're connected to
 * all modules all the time (since we do an attachToAll() in
 * SSLNewContext()).
 */
OSStatus attachToCsp(SSLContext *ctx)
{
	assert(ctx != NULL);
	if(ctx->cspHand != 0) {
		return noErr;
	}
	else {
		return errSSLModuleAttach;
	}
}

/*
 * Connect to TP, CL; reusable.
 */
OSStatus attachToCl(SSLContext *ctx)
{
	assert(ctx != NULL);
	if(ctx->clHand != 0) {
		return noErr;
	}
	else {
		return errSSLModuleAttach;
	}
}

OSStatus attachToTp(SSLContext *ctx)
{
	assert(ctx != NULL);
	if(ctx->tpHand != 0) {
		return noErr;
	}
	else {
		return errSSLModuleAttach;
	}
}

/*
 * Convenience function - attach to CSP, CL, TP. Reusable.
 */
OSStatus attachToAll(SSLContext *ctx)
{
	CSSM_RETURN crtn;

	assert(ctx != NULL);
	crtn = attachToModules(&ctx->cspHand, &ctx->clHand, &ctx->tpHand);
	if(crtn) {
	   return errSSLModuleAttach;
	}
	else {
		return noErr;
	}
}

OSStatus detachFromAll(SSLContext *ctx)
{
	#if	0
	/* No more, attachments are kept on a global basis */
	assert(ctx != NULL);
	if(ctx->cspHand != 0) {
		CSSM_ModuleDetach(ctx->cspHand);
		ctx->cspHand = 0;
	}
	if(ctx->tpHand != 0) {
		CSSM_ModuleDetach(ctx->tpHand);
		ctx->tpHand = 0;
	}
	if(ctx->clHand != 0) {
		CSSM_ModuleDetach(ctx->clHand);
		ctx->clHand = 0;
	}
	#endif	/* 0 */
	return noErr;
}

/*
 * Add a CSSM_ATTRIBUTE_RSA_BLINDING attribute to
 * specified crypto context.
 */
static CSSM_RETURN sslAddBlindingAttr(
	CSSM_CC_HANDLE ccHand)
{
	CSSM_CONTEXT_ATTRIBUTE	newAttr;
	CSSM_RETURN				crtn;

	newAttr.AttributeType     = CSSM_ATTRIBUTE_RSA_BLINDING;
	newAttr.AttributeLength   = sizeof(uint32_t);
	newAttr.Attribute.Uint32  = 1;
	crtn = CSSM_UpdateContextAttributes(ccHand, 1, &newAttr);
	if(crtn) {
		stPrintCdsaError("CSSM_UpdateContextAttributes", crtn);
	}
	return crtn;
}

/* Get CSP, key in CSSM format from a SecKeyRef */
static OSStatus sslGetKeyParts(
	SecKeyRef			keyRef,
	const CSSM_KEY		**cssmKey,
	CSSM_CSP_HANDLE		*cspHand)
{
	OSStatus ortn = SecKeyGetCSSMKey(keyRef, cssmKey);
	if(ortn) {
		sslErrorLog("sslGetKeyParts: SecKeyGetCSSMKey err %d\n",
			(int)ortn);
		return ortn;
	}
	ortn = SecKeyGetCSPHandle(keyRef, cspHand);
	if(ortn) {
		sslErrorLog("sslGetKeyParts: SecKeyGetCSPHandle err %d\n",
			(int)ortn);
	}
	return ortn;
}

/* Return the first certificate reference from the supplied array
 * whose data matches the given certificate, or NULL if none match.
 */
 static SecCertificateRef sslGetMatchingCertInArray(
	SecCertificateRef	certRef,
	CFArrayRef          certArray)
{
    CSSM_DATA certData;
    OSStatus ortn;
    int idx, count;

    if(certRef == NULL || certArray == NULL) {
        return NULL;
    }
    ortn = SecCertificateGetData(certRef, &certData);
    if(!ortn) {
        count = CFArrayGetCount(certArray);
        for(idx=0; idx<count; idx++) {
            CSSM_DATA aData = { 0, NULL };
            SecCertificateRef aCert = (SecCertificateRef)CFArrayGetValueAtIndex(certArray, idx);
            ortn = SecCertificateGetData(aCert, &aData);
            if (!ortn && aData.Length == certData.Length &&
                !memcmp(aData.Data, certData.Data, certData.Length)) {
                return aCert;
            }
        }
	}
    return NULL;
}

#pragma mark -
#pragma mark CSSM_DATA routines

CSSM_DATA_PTR stMallocCssmData(
	size_t size)
{
	CSSM_DATA_PTR rtn = (CSSM_DATA_PTR)stAppMalloc(sizeof(CSSM_DATA), NULL);

	if(rtn == NULL) {
		return NULL;
	}
	rtn->Length = size;
	if(size == 0) {
		rtn->Data = NULL;
	}
	else {
		rtn->Data = (uint8 *)stAppMalloc(size, NULL);
	}
	return rtn;
}

void stFreeCssmData(
	CSSM_DATA_PTR data,
	CSSM_BOOL freeStruct)
{
	if(data == NULL) {
		return;
	}
	if(data->Data != NULL) {
		stAppFree(data->Data, NULL);
		data->Data   = NULL;
	}
	data->Length = 0;
	if(freeStruct) {
		stAppFree(data, NULL);
	}
}

/*
 * Ensure that indicated CSSM_DATA_PTR can handle 'length' bytes of data.
 * Malloc the Data ptr if necessary.
 */
OSStatus stSetUpCssmData(
	CSSM_DATA_PTR 	data,
	size_t		length)
{
	assert(data != NULL);
	if(data->Length == 0) {
		data->Data = (uint8 *)stAppMalloc(length, NULL);
		if(data->Data == NULL) {
			return memFullErr;
		}
	}
	else if(data->Length < length) {
		sslErrorLog("stSetUpCssmData: length too small\n");
		return memFullErr;
	}
	data->Length = length;
	return noErr;
}

/* All signature ops are "raw", with digest step done by us */
static OSStatus sslKeyToSigAlg(
	const CSSM_KEY *cssmKey,
	CSSM_ALGORITHMS *sigAlg)	/* RETURNED */

{
	OSStatus ortn = noErr;
	switch(cssmKey->KeyHeader.AlgorithmId) {
		case CSSM_ALGID_RSA:
			*sigAlg = CSSM_ALGID_RSA;
			break;
		case CSSM_ALGID_DSA:
			*sigAlg = CSSM_ALGID_DSA;
			break;
		case CSSM_ALGID_ECDSA:
			*sigAlg = CSSM_ALGID_ECDSA;
			break;
		default:
			ortn = errSSLBadConfiguration;
			break;
	}
	return ortn;
}

#pragma mark -
#pragma mark Public CSP Functions

/*
 * Raw RSA/DSA sign/verify.
 */
OSStatus sslRawSign(
	SSLContext		*ctx,
	SecKeyRef		privKeyRef,
	const UInt8		*plainText,
	size_t			plainTextLen,
	UInt8			*sig,			// mallocd by caller; RETURNED
	size_t			sigLen,			// available
	size_t			*actualBytes)	// RETURNED
{
	CSSM_CC_HANDLE			sigHand = 0;
	CSSM_RETURN				crtn;
	OSStatus				serr;
	CSSM_DATA				sigData;
	CSSM_DATA				ptextData;
	CSSM_CSP_HANDLE			cspHand;
	const CSSM_KEY 			*privKey;
	const CSSM_ACCESS_CREDENTIALS	*creds;

	assert(ctx != NULL);
	if((privKeyRef == NULL)	||
	   (plainText == NULL)	||
	   (sig == NULL)		||
	   (actualBytes == NULL)) {
		sslErrorLog("sslRsaRawSign: bad arguments\n");
		return errSSLInternal;
	}
	*actualBytes = 0;

	/* Get CSP, signing key in CSSM format */
	serr = sslGetKeyParts(privKeyRef, &privKey, &cspHand);
	if(serr) {
		return serr;
	}
	assert(privKey->KeyHeader.KeyClass == CSSM_KEYCLASS_PRIVATE_KEY);

	CSSM_ALGORITHMS sigAlg;
	serr = sslKeyToSigAlg(privKey, &sigAlg);
	if(serr) {
		return serr;
	}

	/*
	 * Get default creds
	 * FIXME: per 3420180, this needs to allow app-specified creds via
	 * an new API
	 */
	serr = SecKeyGetCredentials(privKeyRef,
		CSSM_ACL_AUTHORIZATION_SIGN,
		kSecCredentialTypeDefault,
		&creds);
	if(serr) {
		sslErrorLog("sslRawSign: SecKeyGetCredentials err %lu\n", (unsigned long)serr);
		return serr;
	}

	crtn = CSSM_CSP_CreateSignatureContext(cspHand,
		sigAlg,
		creds,
		privKey,
		&sigHand);
	if(crtn) {
		stPrintCdsaError("CSSM_CSP_CreateSignatureContext (1)", crtn);
		return errSSLCrypto;
	}

	if((ctx->rsaBlindingEnable) &&
	   (privKey->KeyHeader.AlgorithmId == CSSM_ALGID_RSA)) {
		/*
		 * Turn on RSA blinding to defeat timing attacks
		 */
		crtn = sslAddBlindingAttr(sigHand);
		if(crtn) {
			return crtn;
		}
	}

	ptextData.Data = (uint8 *)plainText;
	ptextData.Length = plainTextLen;

	/* caller better get this right, or the SignData will fail */
	sigData.Data = sig;
	sigData.Length = sigLen;

	crtn = CSSM_SignData(sigHand,
		&ptextData,
		1,
		CSSM_ALGID_NONE,	// digestAlg for raw sign
		&sigData);
	if(crtn) {
		stPrintCdsaError("CSSM_SignData", crtn);
		serr = errSSLCrypto;
	}
	else {
		*actualBytes = sigData.Length;
		serr = noErr;
	}
	if(sigHand != 0) {
		CSSM_DeleteContext(sigHand);
	}
	return serr;
}

OSStatus sslRawVerify(
	SSLContext			*ctx,
	const SSLPubKey     *sslPubKey,
	const UInt8			*plainText,
	size_t				plainTextLen,
	const UInt8			*sig,
	size_t				sigLen)
{
	CSSM_CC_HANDLE			sigHand = 0;
	CSSM_RETURN				crtn;
	OSStatus				serr;
	CSSM_DATA				sigData;
	CSSM_DATA				ptextData;
	const CSSM_KEY          *pubKey;
	CSSM_CSP_HANDLE         cspHand;

	assert(ctx != NULL);
	if((sslPubKey == NULL)       ||
	   (sslPubKey->key == NULL)  ||
	   (sslPubKey->csp == 0)     ||
	   (plainText == NULL)       ||
	   (sig == NULL)) {
		sslErrorLog("sslRawVerify: bad arguments\n");
		return errSSLInternal;
	}

	pubKey = &sslPubKey->key;
	cspHand = sslPubKey->csp;

	CSSM_ALGORITHMS sigAlg;
	serr = sslKeyToSigAlg(pubKey, &sigAlg);
	if(serr) {
		return serr;
	}
	crtn = CSSM_CSP_CreateSignatureContext(cspHand,
		sigAlg,
		NULL,				// passPhrase
		pubKey,
		&sigHand);
	if(sigHand == 0) {
		stPrintCdsaError("CSSM_CSP_CreateSignatureContext (2)", crtn);
		return errSSLCrypto;
	}

	ptextData.Data = (uint8 *)plainText;
	ptextData.Length = plainTextLen;
	sigData.Data = (uint8 *)sig;
	sigData.Length = sigLen;

	crtn = CSSM_VerifyData(sigHand,
		&ptextData,
		1,
		CSSM_ALGID_NONE,		// digestAlg
		&sigData);
	if(crtn) {
		stPrintCdsaError("CSSM_VerifyData", crtn);
		serr = errSSLCrypto;
	}
	else {
		serr = noErr;
	}
	if(sigHand != 0) {
		CSSM_DeleteContext(sigHand);
	}
	return serr;
}

/*
 * Encrypt/Decrypt
 */
OSStatus sslRsaEncrypt(
	SSLContext			*ctx,
	const CSSM_KEY		*pubKey,
	CSSM_CSP_HANDLE		cspHand,
	CSSM_PADDING		padding,			// CSSM_PADDING_PKCS1, CSSM_PADDING_APPLE_SSLv2
	const UInt8			*plainText,
	size_t				plainTextLen,
	UInt8				*cipherText,		// mallocd by caller; RETURNED
	size_t				cipherTextLen,		// available
	size_t				*actualBytes)		// RETURNED
{
	CSSM_DATA 		ctextData = {0, NULL};
	CSSM_DATA 		ptextData;
	CSSM_DATA		remData = {0, NULL};
	CSSM_CC_HANDLE 	cryptHand = 0;
	OSStatus		serr = errSSLInternal;
	CSSM_RETURN		crtn;
	size_t			bytesMoved = 0;
	CSSM_ACCESS_CREDENTIALS	creds;

	assert(ctx != NULL);
	assert(actualBytes != NULL);
	*actualBytes = 0;

	if((pubKey == NULL) || (cspHand == 0)) {
		sslErrorLog("sslRsaEncrypt: bad pubKey/cspHand\n");
		return errSSLInternal;
	}
	assert(pubKey->KeyHeader.KeyClass == CSSM_KEYCLASS_PUBLIC_KEY);

	#if		RSA_PUB_KEY_USAGE_HACK
	((CSSM_KEY_PTR)pubKey)->KeyHeader.KeyUsage |= CSSM_KEYUSE_ENCRYPT;
	#endif
	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));

	crtn = CSSM_CSP_CreateAsymmetricContext(cspHand,
		CSSM_ALGID_RSA,
		&creds,
		pubKey,
		padding,
		&cryptHand);
	if(crtn) {
		stPrintCdsaError("CSSM_CSP_CreateAsymmetricContext", crtn);
		return errSSLCrypto;
	}
	ptextData.Data = (uint8 *)plainText;
	ptextData.Length = plainTextLen;

	/*
	 * Have CSP malloc ciphertext
	 */
	crtn = CSSM_EncryptData(cryptHand,
		&ptextData,
		1,
		&ctextData,
		1,
		&bytesMoved,
		&remData);
	if(crtn == CSSM_OK) {
		/*
		 * ciphertext in both ctextData and remData; ensure it'll fit
		 * in caller's buf & copy
		 */
		if(bytesMoved > cipherTextLen) {
			sslErrorLog("sslRsaEncrypt overflow; cipherTextLen %lu bytesMoved %lu\n",
				cipherTextLen, bytesMoved);
			serr = errSSLCrypto;
		}
		else {
			size_t toMoveCtext;
			size_t toMoveRem;

			*actualBytes = bytesMoved;
			/*
			 * Snag valid data from ctextData - its length or bytesMoved,
			 * whichever is less
			 */
			if(ctextData.Length > bytesMoved) {
				/* everything's in ctext */
				toMoveCtext = bytesMoved;
				toMoveRem = 0;
			}
			else {
				/* must be some in remData too */
				toMoveCtext = ctextData.Length;
				toMoveRem = bytesMoved - toMoveCtext;		// remainder
			}
			if(toMoveCtext) {
				memmove(cipherText, ctextData.Data, toMoveCtext);
			}
			if(toMoveRem) {
				memmove(cipherText + toMoveCtext, remData.Data,
					toMoveRem);
			}
			serr = noErr;
		}
	}
	else {
		stPrintCdsaError("CSSM_EncryptData", crtn);
		serr = errSSLCrypto;
	}
	if(cryptHand != 0) {
		CSSM_DeleteContext(cryptHand);
	}

	/* free data mallocd by CSP */
	stFreeCssmData(&ctextData, CSSM_FALSE);
	stFreeCssmData(&remData, CSSM_FALSE);
	return serr;
}

OSStatus sslRsaDecrypt(
	SSLContext			*ctx,
	SecKeyRef			privKeyRef,
	CSSM_PADDING		padding,			// CSSM_PADDING_PKCS1, CSSM_PADDING_APPLE_SSLv2
	const UInt8			*cipherText,
	size_t				cipherTextLen,
	UInt8				*plainText,			// mallocd by caller; RETURNED
	size_t				plainTextLen,		// available
	size_t				*actualBytes)		// RETURNED
{
	CSSM_DATA 		ptextData = {0, NULL};
	CSSM_DATA 		ctextData;
	CSSM_DATA		remData = {0, NULL};
	CSSM_CC_HANDLE 	cryptHand = 0;
	OSStatus		serr = errSSLInternal;
	CSSM_RETURN		crtn;
	size_t			bytesMoved = 0;
	CSSM_CSP_HANDLE	cspHand;
	const CSSM_KEY 	*privKey;
	const CSSM_ACCESS_CREDENTIALS	*creds;

	assert(ctx != NULL);
	assert(actualBytes != NULL);
	*actualBytes = 0;

	if(privKeyRef == NULL) {
		sslErrorLog("sslRsaDecrypt: bad privKey\n");
		return errSSLInternal;
	}

	/* Get CSP, signing key in CSSM format */
	serr = sslGetKeyParts(privKeyRef, &privKey, &cspHand);
	if(serr) {
		return serr;
	}
	assert(privKey->KeyHeader.KeyClass == CSSM_KEYCLASS_PRIVATE_KEY);

	/*
	 * Get default creds
	 * FIXME: per 3420180, this needs to allow app-specified creds via
	 * an new API
	 */
	serr = SecKeyGetCredentials(privKeyRef,
		CSSM_ACL_AUTHORIZATION_DECRYPT,
		kSecCredentialTypeDefault,
		&creds);
	if(serr) {
		sslErrorLog("sslRsaDecrypt: SecKeyGetCredentials err %lu\n", (unsigned long)serr);
		return serr;
	}
	crtn = CSSM_CSP_CreateAsymmetricContext(cspHand,
		CSSM_ALGID_RSA,
		creds,
		privKey,
		padding,
		&cryptHand);
	if(crtn) {
		stPrintCdsaError("CSSM_CSP_CreateAsymmetricContext", crtn);
		return errSSLCrypto;
	}
	ctextData.Data = (uint8 *)cipherText;
	ctextData.Length = cipherTextLen;

	if((ctx->rsaBlindingEnable) &&
	   (privKey->KeyHeader.AlgorithmId == CSSM_ALGID_RSA)) {
		/*
		 * Turn on RSA blinding to defeat timing attacks
		 */
		crtn = sslAddBlindingAttr(cryptHand);
		if(crtn) {
			return crtn;
		}
	}

	/*
	 * Have CSP malloc plaintext
	 */
	crtn = CSSM_DecryptData(cryptHand,
		&ctextData,
		1,
		&ptextData,
		1,
		&bytesMoved,
		&remData);
	if(crtn == CSSM_OK) {
		/*
		 * plaintext in both ptextData and remData; ensure it'll fit
		 * in caller's buf & copy
		 */
		if(bytesMoved > plainTextLen) {
			sslErrorLog("sslRsaDecrypt overflow; plainTextLen %lu bytesMoved %lu\n",
				plainTextLen, bytesMoved);
			serr = errSSLCrypto;
		}
		else {
			size_t toMovePtext;
			size_t toMoveRem;

			*actualBytes = bytesMoved;
			/*
			 * Snag valid data from ptextData - its length or bytesMoved,
			 * whichever is less
			 */
			if(ptextData.Length > bytesMoved) {
				/* everything's in ptext */
				toMovePtext = bytesMoved;
				toMoveRem = 0;
			}
			else {
				/* must be some in remData too */
				toMovePtext = ptextData.Length;
				toMoveRem = bytesMoved - toMovePtext;		// remainder
			}
			if(toMovePtext) {
				memmove(plainText, ptextData.Data, toMovePtext);
			}
			if(toMoveRem) {
				memmove(plainText + toMovePtext, remData.Data,
					toMoveRem);
			}
			serr = noErr;
		}
	}
	else {
		stPrintCdsaError("CSSM_DecryptData", crtn);
		serr = errSSLCrypto;
	}
	if(cryptHand != 0) {
		CSSM_DeleteContext(cryptHand);
	}

	/* free data mallocd by CSP */
	stFreeCssmData(&ptextData, CSSM_FALSE);
	stFreeCssmData(&remData, CSSM_FALSE);
	return serr;
}

/*
 * Obtain size of key in bytes.
 */
uint32_t sslPrivKeyLengthInBytes(const SSLPrivKey *sslKey)
{
    const CSSM_KEY *cssmKey;

	assert(sslKey != NULL);
	assert(sslKey->key != NULL);
	err = SecKeyGetCSSMKey(sslKey->key, &cssmKey);
	if(err) {
		sslErrorLog("sslKeyLengthInBytes: SecKeyGetCSSMKey err %d\n", (int)err);
		return 0;
	}

	return (((cssmKey->KeyHeader.LogicalKeySizeInBits) + 7) / 8);
}

/*
 * Obtain size of key in bytes.
 */
uint32_t sslPubKeyLengthInBytes(const SSLPubKey *sslKey)
{
    const CSSM_KEY *cssmKey;

	assert(sslKey != NULL);
	assert(sslKey->key != NULL);

	return (((sslKey->key.KeyHeader.LogicalKeySizeInBits) + 7) / 8);
}


/*
 * Obtain maximum size of signature in bytes. A bit of a kludge; we could
 * ask the CSP to do this but that would be kind of expensive.
 */
OSStatus sslGetMaxSigSize(
	const CSSM_KEY	*privKey,
	uint32_t		*maxSigSize)
{
	OSStatus ortn = noErr;
	assert(privKey != NULL);
	assert(privKey->KeyHeader.KeyClass == CSSM_KEYCLASS_PRIVATE_KEY);
	switch(privKey->KeyHeader.AlgorithmId) {
		case CSSM_ALGID_RSA:
			*maxSigSize = sslPrivKeyLengthInBytes(privKey);
			break;
		case CSSM_ALGID_DSA:
		{
			/* DSA sig is DER sequence of two 160-bit integers */
			uint32_t sizeOfOneInt;
			sizeOfOneInt = (160 / 8) +	// the raw contents
							1 +			// possible leading zero
							2;			// tag + length (assume DER, not BER)
			*maxSigSize = (2 * sizeOfOneInt) + 5;
			break;
		}
		default:
			ortn = errSSLBadConfiguration;
			break;
	}
	return ortn;
}
/*
 * Get raw key bits from an RSA public key.
 */
OSStatus sslGetPubKeyBits(
	SSLContext			*ctx,
	const CSSM_KEY		*pubKey,
	CSSM_CSP_HANDLE		cspHand,
	SSLBuffer			*modulus,		// data mallocd and RETURNED
	SSLBuffer			*exponent)		// data mallocd and RETURNED
{
	CSSM_KEY			wrappedKey;
	CSSM_BOOL			didWrap = CSSM_FALSE;
	const CSSM_KEYHEADER *hdr;
	SSLBuffer			pubKeyBlob;
	OSStatus			srtn;

	assert(ctx != NULL);
	assert(modulus != NULL);
	assert(exponent != NULL);
	assert(pubKey != NULL);

	hdr = &pubKey->KeyHeader;
	if(hdr->KeyClass != CSSM_KEYCLASS_PUBLIC_KEY) {
		sslErrorLog("sslGetPubKeyBits: bad keyClass (%ld)\n", (long)hdr->KeyClass);
		return errSSLInternal;
	}
	if(hdr->AlgorithmId != CSSM_ALGID_RSA) {
		sslErrorLog("sslGetPubKeyBits: bad AlgorithmId (%ld)\n", (long)hdr->AlgorithmId);
		return errSSLInternal;
	}

	/* Note currently ALL public keys are raw, obtained from the CL... */
	assert(hdr->BlobType == CSSM_KEYBLOB_RAW);

	/*
	 * Handle possible reference format - I think it should be in
	 * blob form since it came from the DL, but conversion is
	 * simple.
	 */
	switch(hdr->BlobType) {
		case CSSM_KEYBLOB_RAW:
			/* easy case */
			CSSM_TO_SSLBUF(&pubKey->KeyData, &pubKeyBlob);
			break;

		case CSSM_KEYBLOB_REFERENCE:

			sslErrorLog("sslGetPubKeyBits: bad BlobType (%ld)\n",
				(long)hdr->BlobType);
			return errSSLInternal;

			#if 0
			/*
			 * Convert to a blob via "NULL wrap"; no wrapping key,
			 * ALGID_NONE
			 */
			srtn = attachToCsp(ctx);
			if(srtn) {
				return srtn;
			}
			memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
			crtn = CSSM_CSP_CreateSymmetricContext(ctx->cspHand,
					CSSM_ALGID_NONE,
					CSSM_ALGMODE_NONE,
					&creds,			// creds
					pubKey,
					NULL,			// InitVector
					CSSM_PADDING_NONE,
					0,			// reserved
					&ccHand);
			if(crtn) {
				stPrintCdsaError("sslGetPubKeyBits: CreateSymmetricContext failure", crtn);
				return errSSLCrypto;
			}
			memset(&wrappedKey, 0, sizeof(CSSM_KEY));
			crtn = CSSM_WrapKey(ccHand,
				&creds,
				pubKey,
				NULL,			// descriptiveData
				&wrappedKey);
			CSSM_DeleteContext(ccHand);
			if(crtn) {
				stPrintCdsaError("CSSM_WrapKey", crtn);
				return errSSLCrypto;
			}
			hdr = &wrappedKey.KeyHeader;
			if(hdr->BlobType != CSSM_KEYBLOB_RAW) {
				sslErrorLog("sslGetPubKeyBits: bad BlobType (%ld) after WrapKey\n",
					hdr->BlobType);
				return errSSLCrypto;
			}
			didWrap = CSSM_TRUE;
			CSSM_TO_SSLBUF(&wrappedKey.KeyData, &pubKeyBlob);
			break;
			#endif	/* 0 */

		default:
			sslErrorLog("sslGetPubKeyBits: bad BlobType (%ld)\n",
				(long)hdr->BlobType);
			return errSSLInternal;

	}	/* switch BlobType */

	assert(hdr->BlobType == CSSM_KEYBLOB_RAW);
	srtn = sslDecodeRsaBlob(&pubKeyBlob, modulus, exponent);
	if(didWrap) {
		CSSM_FreeKey(ctx->cspHand, NULL, &wrappedKey, CSSM_FALSE);
	}
	return srtn;
}

/*
 * Given raw RSA key bits, cook up a CSSM_KEY_PTR. Used in
 * Server-initiated key exchange.
 */
OSStatus sslGetPubKeyFromBits(
	SSLContext			*ctx,
	const SSLBuffer		*modulus,
	const SSLBuffer		*exponent,
	CSSM_KEY_PTR		*pubKey,		// mallocd and RETURNED
	CSSM_CSP_HANDLE		*cspHand)		// RETURNED
{
	CSSM_KEY_PTR		key = NULL;
	OSStatus				serr;
	SSLBuffer			blob;
	CSSM_KEYHEADER_PTR	hdr;
	CSSM_KEY_SIZE		keySize;
	CSSM_RETURN			crtn;

	assert((ctx != NULL) && (modulus != NULL) && (exponent != NULL));
	assert((pubKey != NULL) && (cspHand != NULL));

	*pubKey = NULL;
	*cspHand = 0;

	serr = attachToCsp(ctx);
	if(serr) {
		return serr;
	}
	serr = sslEncodeRsaBlob(modulus, exponent, &blob);
	if(serr) {
		return serr;
	}

	/* the rest is boilerplate, cook up a good-looking public key */
	key = (CSSM_KEY_PTR)sslMalloc(sizeof(CSSM_KEY));
	if(key == NULL) {
		return memFullErr;
	}
	memset(key, 0, sizeof(CSSM_KEY));
	hdr = &key->KeyHeader;

    hdr->HeaderVersion = CSSM_KEYHEADER_VERSION;
    /* key_ptr->KeyHeader.CspId is unknown (remains 0) */
    hdr->BlobType = CSSM_KEYBLOB_RAW;
    hdr->AlgorithmId = CSSM_ALGID_RSA;
    hdr->Format = CSSM_KEYBLOB_RAW_FORMAT_PKCS1;
    hdr->KeyClass = CSSM_KEYCLASS_PUBLIC_KEY;
    /* comply with ASA requirements */
    hdr->KeyUsage = CSSM_KEYUSE_VERIFY;
    hdr->KeyAttr = CSSM_KEYATTR_EXTRACTABLE;
    /* key_ptr->KeyHeader.StartDate is unknown  (remains 0) */
    /* key_ptr->KeyHeader.EndDate is unknown  (remains 0) */
    hdr->WrapAlgorithmId = CSSM_ALGID_NONE;
    hdr->WrapMode = CSSM_ALGMODE_NONE;

	/* blob->data was mallocd by sslEncodeRsaBlob, pass it over to
	 * actual key */
	SSLBUF_TO_CSSM(&blob, &key->KeyData);

	/*
	 * Get keySizeInBits. This also serves to validate the key blob
	 * we just cooked up.
	 */
    crtn = CSSM_QueryKeySizeInBits(ctx->cspHand, CSSM_INVALID_HANDLE, key, &keySize);
	if(crtn) {
    	stPrintCdsaError("sslGetPubKeyFromBits: QueryKeySizeInBits\n", crtn);
		serr = errSSLCrypto;
    	goto abort;
	}

	/* success */
    hdr->LogicalKeySizeInBits = keySize.EffectiveKeySizeInBits;
    *pubKey = key;
    *cspHand = ctx->cspHand;
	return noErr;

abort:
	/* note this frees the blob */
	sslFreeKey(ctx->cspHand, &key, NULL);
	return serr;
}

#ifdef UNUSED_FUNCTIONS
/*
 * NULL-unwrap a raw key to a ref key. Caller must free the returned key.
 */
static OSStatus sslNullUnwrapKey(
	CSSM_CSP_HANDLE cspHand,
	CSSM_KEY_PTR rawKey,
	CSSM_KEY_PTR refKey)
{
	CSSM_DATA descData = {0, 0};
	CSSM_RETURN crtn;
	CSSM_CC_HANDLE ccHand;
	CSSM_ACCESS_CREDENTIALS	creds;
	CSSM_DATA labelData = {4, (uint8 *)"none"};
	uint32 keyAttr;
	OSStatus ortn = noErr;

	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
	memset(refKey, 0, sizeof(CSSM_KEY));

	crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
			CSSM_ALGID_NONE,
			CSSM_ALGMODE_NONE,
			&creds,
			NULL,			// unwrappingKey
			NULL,			// initVector
			CSSM_PADDING_NONE,
			0,				// Params
			&ccHand);
	if(crtn) {
	stPrintCdsaError("sslNullUnwrapKey: CSSM_CSP_CreateSymmetricContext\n", crtn);
		return errSSLCrypto;
	}

	keyAttr = rawKey->KeyHeader.KeyAttr;
	keyAttr &= ~(CSSM_KEYATTR_ALWAYS_SENSITIVE | CSSM_KEYATTR_NEVER_EXTRACTABLE |
				 CSSM_KEYATTR_MODIFIABLE);
	keyAttr |= CSSM_KEYATTR_RETURN_REF;
	if(rawKey->KeyHeader.KeyClass == CSSM_KEYCLASS_PUBLIC_KEY) {
		/* CSP policy */
		keyAttr |= CSSM_KEYATTR_EXTRACTABLE;
	}
	crtn = CSSM_UnwrapKey(ccHand,
		NULL,				// PublicKey
		rawKey,
		rawKey->KeyHeader.KeyUsage,
		keyAttr,
		&labelData,
		NULL,				// CredAndAclEntry
		refKey,
		&descData);			// required
	if(crtn != CSSM_OK) {
	stPrintCdsaError("sslNullUnwrapKey: CSSM_UnwrapKey\n", crtn);
		ortn = errSSLCrypto;
	}
	if(CSSM_DeleteContext(ccHand)) {
		printf("CSSM_DeleteContext failure\n");
	}
	return crtn;
}
#endif

/*
 * NULL-wrap a ref key to a raw key. Caller must free the returned key.
 */
static OSStatus sslNullWrapKey(
	CSSM_CSP_HANDLE cspHand,
	CSSM_KEY_PTR refKey,
	CSSM_KEY_PTR rawKey)
{
	CSSM_DATA descData = {0, 0};
	CSSM_RETURN crtn;
	CSSM_CC_HANDLE ccHand;
	CSSM_ACCESS_CREDENTIALS	creds;
	uint32 keyAttr;
	OSStatus ortn = noErr;

	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
	memset(rawKey, 0, sizeof(CSSM_KEY));

	crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
			CSSM_ALGID_NONE,
			CSSM_ALGMODE_NONE,
			&creds,
			NULL,			// unwrappingKey
			NULL,			// initVector
			CSSM_PADDING_NONE,
			0,				// Params
			&ccHand);
	if(crtn) {
	stPrintCdsaError("sslNullWrapKey: CSSM_CSP_CreateSymmetricContext\n", crtn);
		return errSSLCrypto;
	}

	keyAttr = rawKey->KeyHeader.KeyAttr;
	keyAttr &= ~(CSSM_KEYATTR_ALWAYS_SENSITIVE | CSSM_KEYATTR_NEVER_EXTRACTABLE |
				 CSSM_KEYATTR_MODIFIABLE);
	keyAttr |= CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE;
	crtn = CSSM_WrapKey(ccHand,
		&creds,
		refKey,
		&descData,
		rawKey);
	if(crtn != CSSM_OK) {
	stPrintCdsaError("sslNullWrapKey: CSSM_WrapKey\n", crtn);
		ortn = errSSLCrypto;
	}
	if(CSSM_DeleteContext(ccHand)) {
		printf("CSSM_DeleteContext failure\n");
	}
	return crtn;
}

#pragma mark -
#pragma mark Public Certificate Functions

/*
 * Given a DER-encoded cert, obtain its public key as a CSSM_KEY_PTR.
 * Caller must CSSM_FreeKey and free the CSSM_KEY_PTR itself.
 *
 * For now, the returned cspHand is a copy of ctx->cspHand, so it
 * doesn't have to be detached later - this may change.
 *
 * Update: since CSSM_CL_CertGetKeyInfo() doesn't provide a means for
 * us to tell the CL what CSP to use, we really have no way of knowing
 * what is going on here...we return the process-wide (bare) cspHand,
 * which is currently always able to deal with this raw public key.
 */
OSStatus sslPubKeyFromCert(
	SSLContext 			*ctx,
	const SSLBuffer		*derCert,
	SSLPubKey           *pubKey)		// RETURNED
{
	OSStatus 			serr;
	CSSM_DATA		certData;
	CSSM_RETURN		crtn;

	assert(ctx != NULL);
	assert(pubKey != NULL);

	pubKey->key = NULL;
	pubKey->cspHand = 0;

	serr = attachToCl(ctx);
	if(serr) {
		return serr;
	}
	serr = attachToCsp(ctx);
	if(serr) {
		return serr;
	}
	SSLBUF_TO_CSSM(derCert, &certData);
	crtn = CSSM_CL_CertGetKeyInfo(ctx->clHand, &certData, &pubKey->key);
	if(crtn) {
		return errSSLBadCert;
	}
	else {
		pubKey->cspHand = ctx->cspHand;
		return noErr;
	}
}

/*
 * Release each element in a CFArray.
 */
static void sslReleaseArray(
	CFArrayRef a)
{
	CFIndex num = CFArrayGetCount(a);
	CFIndex dex;
	for(dex=0; dex<num; dex++) {
		CFTypeRef elmt = (CFTypeRef)CFArrayGetValueAtIndex(a, dex);
		secdebug("sslcert", "Freeing cert %p", elmt);
		CFRelease(elmt);
	}
}

/*
 * Verify a chain of DER-encoded certs.
 * Last cert in the chain is leaf.
 *
 * If arePeerCerts is true, host name verification is enabled and we
 * save the resulting SecTrustRef in ctx->peerSecTrust. Otherwise
 * we're just validating our own certs; no host name checking and
 * peerSecTrust is transient.
 */
 OSStatus sslVerifyCertChain(
	SSLContext				*ctx,
	const SSLCertificate	*certChain,
	bool					arePeerCerts)
{
	uint32_t					numCerts;
	int 						i;
	OSStatus					serr;
	SSLCertificate				*c = (SSLCertificate *)certChain;
	CSSM_RETURN					crtn;
	CSSM_APPLE_TP_SSL_OPTIONS	sslOpts;
	CSSM_APPLE_TP_ACTION_DATA	tpActionData;
	SecPolicyRef				policy = NULL;
	SecPolicySearchRef			policySearch = NULL;
	CFDataRef					actionData = NULL;
	CSSM_DATA					sslOptsData;
	CFMutableArrayRef			anchors = NULL;
	SecCertificateRef 			cert;			// only lives in CFArrayRefs
	SecTrustResultType			secTrustResult;
	CFMutableArrayRef			kcList = NULL;
	SecTrustRef					theTrust = NULL;

	if(ctx->peerSecTrust && arePeerCerts) {
		/* renegotiate - start with a new SecTrustRef */
		CFRelease(ctx->peerSecTrust);
		ctx->peerSecTrust = NULL;
	}

	numCerts = SSLGetCertificateChainLength(certChain);
	if(numCerts == 0) {
		/* nope */
		return errSSLBadCert;
	}

	/*
	 * SSLCertificate chain --> CFArrayRef of SecCertificateRefs.
	 * TP Cert group has root at the end, opposite of
	 * SSLCertificate chain.
	 */
	CFMutableArrayRef certGroup = CFArrayCreateMutable(NULL, numCerts,
		&kCFTypeArrayCallBacks);
	if(certGroup == NULL) {
		return memFullErr;
	}
	/* subsequent errors to errOut: */

	for(i=numCerts-1; i>=0; i--) {
		CSSM_DATA cdata;
		SSLBUF_TO_CSSM(&c->derCert, &cdata);
		serr = SecCertificateCreateFromData(&cdata,	CSSM_CERT_X_509v3,
			CSSM_CERT_ENCODING_DER, &cert);
		if(serr) {
			goto errOut;
		}
		/*
		 * Can't set a value at index i when there is an empty element
		 * at i=1!
		 */
		secdebug("sslcert", "Adding cert %p", cert);
		CFArrayInsertValueAtIndex(certGroup, 0, cert);
		c = c->next;
	}

	/*
	 * Cook up an SSL-specific SecPolicyRef. This will persists as part
	 * of the SecTrustRef object we'll be creating.
	 */
	serr = SecPolicySearchCreate(CSSM_CERT_X_509v3,
		&CSSMOID_APPLE_TP_SSL,
		NULL,
		&policySearch);
	if(serr) {
		sslErrorLog("***sslVerifyCertChain: SecPolicySearchCreate rtn %d\n",
			(int)serr);
		goto errOut;
	}
	serr = SecPolicySearchCopyNext(policySearch, &policy);
	if(serr) {
		sslErrorLog("***sslVerifyCertChain: SecPolicySearchCopyNext rtn %d\n",
			(int)serr);
		goto errOut;
	}
	sslOpts.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION;
	if(arePeerCerts) {
		sslOpts.ServerNameLen = ctx->peerDomainNameLen;
		sslOpts.ServerName = ctx->peerDomainName;
	}
	else {
		sslOpts.ServerNameLen = 0;
		sslOpts.ServerName = NULL;
	}
	sslOpts.Flags = 0;
	if(ctx->protocolSide == kSSLServerSide) {
		/* we're evaluating a client cert */
		sslOpts.Flags |= CSSM_APPLE_TP_SSL_CLIENT;
	}
	sslOptsData.Data = (uint8 *)&sslOpts;
	sslOptsData.Length = sizeof(sslOpts);
	serr = SecPolicySetValue(policy, &sslOptsData);
	if(serr) {
		sslErrorLog("***sslVerifyCertChain: SecPolicySetValue rtn %d\n",
			(int)serr);
		goto errOut;
	}

	/* now a SecTrustRef */
	serr = SecTrustCreateWithCertificates(certGroup, policy, &theTrust);
	if(serr) {
		sslErrorLog("***sslVerifyCertChain: SecTrustCreateWithCertificates "
			"rtn %d\n",	(int)serr);
		goto errOut;
	}

	/* anchors - default, or ours? */
	if(ctx->trustedCerts != NULL) {
		serr = SecTrustSetAnchorCertificates(theTrust, ctx->trustedCerts);
		if(serr) {
			sslErrorLog("***sslVerifyCertChain: SecTrustSetAnchorCertificates "
				"rtn %d\n",	(int)serr);
			goto errOut;
		}
	}
	tpActionData.Version = CSSM_APPLE_TP_ACTION_VERSION;
	tpActionData.ActionFlags = 0;
	if(ctx->allowExpiredCerts) {
		tpActionData.ActionFlags |= CSSM_TP_ACTION_ALLOW_EXPIRED;
	}
	if(ctx->allowExpiredRoots) {
		tpActionData.ActionFlags |= CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT;
	}
	actionData = CFDataCreate(NULL, (UInt8 *)&tpActionData, sizeof(tpActionData));

	serr = SecTrustSetParameters(theTrust, CSSM_TP_ACTION_DEFAULT,
		actionData);
	if(serr) {
		sslErrorLog("***sslVerifyCertChain: SecTrustSetParameters rtn %d\n",
			(int)serr);
		goto errOut;
	}

	#if 0
	/* Disabled for Radar 3421314 */
	/*
	 * Avoid searching user keychains for intermediate certs by specifying
	 * an empty array of keychains
	 */
	kcList = CFArrayCreateMutable(NULL, 0, NULL);
	if(kcList == NULL) {
		sslErrorLog("***sslVerifyCertChain: error creating null kcList\n");
		serr = memFullErr;
		goto errOut;
	}
	serr = SecTrustSetKeychains(theTrust, kcList);
	if(serr) {
		sslErrorLog("***sslVerifyCertChain: SecTrustSetKeychains rtn %d\n",
			(int)serr);
		goto errOut;
	}
	#endif

	/*
	 * Save this no matter what if we're evaluating peer certs.
	 * We do a retain here so we can unconditionally release theTrust
	 * at the end of this routine in case of previous error or
	 * !arePeerCerts.
	 */
	if(arePeerCerts) {
		ctx->peerSecTrust = theTrust;
		CFRetain(theTrust);
	}

	if(!ctx->enableCertVerify) {
		/* trivial case, this is caller's responsibility */
		serr = noErr;
		goto errOut;
	}

    /*
     * If the caller provided a list of trusted leaf certs, check them here
     */
	if(ctx->trustedLeafCerts) {
		if (sslGetMatchingCertInArray((SecCertificateRef)CFArrayGetValueAtIndex(certGroup, 0),
			ctx->trustedLeafCerts)) {
			serr = noErr;
			goto errOut;
		}
	}

	/*
	 * Here we go; hand it over to SecTrust/TP.
	 */
	serr = SecTrustEvaluate(theTrust, &secTrustResult);
	if(serr) {
		sslErrorLog("***sslVerifyCertChain: SecTrustEvaluate rtn %d\n",
			(int)serr);
		goto errOut;
	}
	switch(secTrustResult) {
		case kSecTrustResultUnspecified:
			/* cert chain valid, no special UserTrust assignments */
		case kSecTrustResultProceed:
			/* cert chain valid AND user explicitly trusts this */
			crtn = CSSM_OK;
			break;
		case kSecTrustResultDeny:
		case kSecTrustResultConfirm:
			/*
			 * Cert chain may well have verified OK, but user has flagged
			 * one of these certs as untrustable.
			 */
			crtn = CSSMERR_TP_NOT_TRUSTED;
			break;
		default:
		{
			OSStatus osCrtn;
			serr = SecTrustGetCssmResultCode(theTrust, &osCrtn);
			if(serr) {
				sslErrorLog("***sslVerifyCertChain: SecTrustGetCssmResultCode"
					" rtn %d\n", (int)serr);
				goto errOut;
			}
			crtn = osCrtn;
		}
	}
	if(crtn) {
		/* get some detailed error info */
		switch(crtn) {
			case CSSMERR_TP_INVALID_ANCHOR_CERT:
				/* root found but we don't trust it */
				if(ctx->allowAnyRoot) {
					serr = noErr;
					sslErrorLog("***Warning: accepting unknown root cert\n");
				}
				else {
					serr = errSSLUnknownRootCert;
				}
				break;
			case CSSMERR_TP_NOT_TRUSTED:
				/* no root, not even in implicit SSL roots */
				if(ctx->allowAnyRoot) {
					sslErrorLog("***Warning: accepting unverified cert chain\n");
					serr = noErr;
				}
				else {
					serr = errSSLNoRootCert;
				}
				break;
			case CSSMERR_TP_CERT_EXPIRED:
				assert(!ctx->allowExpiredCerts);
				serr = errSSLCertExpired;
				break;
			case CSSMERR_TP_CERT_NOT_VALID_YET:
				serr = errSSLCertNotYetValid;
				break;
			case CSSMERR_APPLETP_HOSTNAME_MISMATCH:
				serr = errSSLHostNameMismatch;
				break;
			case errSecInvalidTrustSettings:
				/* these get passed along unmodified */
				serr = crtn;
				break;
			default:
				stPrintCdsaError("sslVerifyCertChain: SecTrustEvaluate returned",
						crtn);
				serr = errSSLXCertChainInvalid;
				break;
		}
	} 	/* SecTrustEvaluate error */

errOut:
	/*
	 * Free up resources - certGroup, policy, etc. Note that most of these
	 * will actually persist as long as the current SSLContext does since
	 * peerSecTrust holds references to these.
	 */
	if(policy) {
		CFRelease(policy);
	}
	if(policySearch) {
		CFRelease(policySearch);
	}
	if(actionData) {
		CFRelease(actionData);
	}
	if(anchors) {
		sslReleaseArray(anchors);
		CFRelease(anchors);
	}
	if(certGroup) {
		sslReleaseArray(certGroup);
		CFRelease(certGroup);
	}
	if(kcList) {
		/* empty, no contents to release */
		CFRelease(kcList);
	}
	if(theTrust) {
		CFRelease(theTrust);
	}
	return serr;
}

#ifndef	NDEBUG
void stPrintCdsaError(const char *op, CSSM_RETURN crtn)
{
	cssmPerror(op, crtn);
}
#endif

#pragma mark -
#pragma mark Diffie-Hellman Support

/*
 * Generate a Diffie-Hellman key pair. Algorithm parameters always
 * come from the server, so on client side we have the parameters
 * as two SSLBuffers. On server side we have the pre-encoded block
 * which comes from ServerDhParams.
 */
OSStatus sslDhGenKeyPairClient(
	SSLContext		*ctx,
	const SSLBuffer	*prime,
	const SSLBuffer	*generator,
	CSSM_KEY_PTR	publicKey,		// RETURNED
	CSSM_KEY_PTR	privateKey)		// RETURNED
{
	assert((prime->data != NULL) && (generator->data != NULL));
	if(prime->data && !generator->data) {
		return errSSLProtocol;
	}
	if(!prime->data && generator->data) {
		return errSSLProtocol;
	}

	SSLBuffer sParam;
	OSStatus ortn = sslEncodeDhParams(prime, generator, &sParam);
	if(ortn) {
		sslErrorLog("***sslDhGenerateKeyPairClient: DH param error\n");
		return ortn;
	}
	ortn = sslDhGenerateKeyPair(ctx, &sParam, prime->length * 8, publicKey, privateKey);
	SSLFreeBuffer(&sParam, ctx);
	return ortn;
}

OSStatus sslDhGenerateKeyPair(
	SSLContext		*ctx,
	const SSLBuffer	*paramBlob,
	uint32_t		keySizeInBits,
	CSSM_KEY_PTR	publicKey,		// RETURNED
	CSSM_KEY_PTR	privateKey)		// RETURNED
{
	CSSM_RETURN		crtn;
	CSSM_CC_HANDLE 	ccHandle;
	CSSM_DATA		labelData = {8, (uint8 *)"tempKey"};
	OSStatus		ortn = noErr;
	CSSM_DATA		cParamBlob;

	assert(ctx != NULL);
	assert(ctx->cspHand != 0);

	memset(publicKey, 0, sizeof(CSSM_KEY));
	memset(privateKey, 0, sizeof(CSSM_KEY));
	SSLBUF_TO_CSSM(paramBlob, &cParamBlob);

	crtn = CSSM_CSP_CreateKeyGenContext(ctx->cspHand,
		CSSM_ALGID_DH,
		keySizeInBits,
		NULL,					// Seed
		NULL,					// Salt
		NULL,					// StartDate
		NULL,					// EndDate
		&cParamBlob,
		&ccHandle);
	if(crtn) {
		stPrintCdsaError("DH CSSM_CSP_CreateKeyGenContext", crtn);
		return errSSLCrypto;
	}

	crtn = CSSM_GenerateKeyPair(ccHandle,
		CSSM_KEYUSE_DERIVE,		// only legal use of a Diffie-Hellman key
		CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE,
		&labelData,
		publicKey,
		/* private key specification */
		CSSM_KEYUSE_DERIVE,
		CSSM_KEYATTR_RETURN_REF,
		&labelData,				// same labels
		NULL,					// CredAndAclEntry
		privateKey);
	if(crtn) {
		stPrintCdsaError("DH CSSM_GenerateKeyPair", crtn);
		ortn = errSSLCrypto;
	}
	CSSM_DeleteContext(ccHandle);
	return ortn;
}

/*
 * Perform Diffie-Hellman key exchange.
 * Valid on entry:
 *    	ctx->dhPrivate
 *		ctx->dhPeerPublic
 *
 * This generates deriveSizeInBits of key-exchanged data.
 */

/* the alg isn't important; we just want to be able to cook up lots of bits */
#define DERIVE_KEY_ALG			CSSM_ALGID_RC5

OSStatus sslDhKeyExchange(
	SSLContext		*ctx,
	uint32_t		deriveSizeInBits,
	SSLBuffer		*exchanged)
{
	CSSM_RETURN 			crtn;
	CSSM_ACCESS_CREDENTIALS	creds;
	CSSM_CC_HANDLE			ccHandle;
	CSSM_DATA				labelData = {8, (uint8 *)"tempKey"};
	CSSM_KEY				derivedKey;
	OSStatus				ortn = noErr;

	assert(ctx != NULL);
	assert(ctx->cspHand != 0);
	assert(ctx->dhPrivate != NULL);
	if(ctx->dhPeerPublic.length == 0) {
		/* comes from peer, don't panic */
		sslErrorLog("cdsaDhKeyExchange: null peer public key\n");
		return errSSLProtocol;
	}

	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
	memset(&derivedKey, 0, sizeof(CSSM_KEY));

	crtn = CSSM_CSP_CreateDeriveKeyContext(ctx->cspHand,
		CSSM_ALGID_DH,
		DERIVE_KEY_ALG,
		deriveSizeInBits,
		&creds,
		ctx->dhPrivate,	// BaseKey
		0,				// IterationCount
		0,				// Salt
		0,				// Seed
		&ccHandle);
	if(crtn) {
		stPrintCdsaError("DH CSSM_CSP_CreateDeriveKeyContext", crtn);
		return errSSLCrypto;
	}

	/* public key passed in as CSSM_DATA *Param */
	CSSM_DATA theirPubKeyData;
	SSLBUF_TO_CSSM(&ctx->dhPeerPublic, &theirPubKeyData);

	crtn = CSSM_DeriveKey(ccHandle,
		&theirPubKeyData,
		CSSM_KEYUSE_ANY,
		CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE,
		&labelData,
		NULL,				// cread/acl
		&derivedKey);
	if(crtn) {
		stPrintCdsaError("DH CSSM_DeriveKey", crtn);
		ortn = errSSLCrypto;
	}
	else {
		CSSM_TO_SSLBUF(&derivedKey.KeyData, exchanged);
	}
	CSSM_DeleteContext(ccHandle);
	return ortn;
}

#pragma mark -
#pragma mark *** ECDSA support ***

/* specify either 32-bit integer or a pointer as an added attribute value */
typedef enum {
	CAT_Uint32,
	CAT_Ptr
} ContextAttrType;

/*
 * Given a context specified via a CSSM_CC_HANDLE, add a new
 * CSSM_CONTEXT_ATTRIBUTE to the context as specified by AttributeType,
 * AttributeLength, and an untyped pointer.
 */
static CSSM_RETURN sslAddContextAttribute(CSSM_CC_HANDLE CCHandle,
	uint32 AttributeType,
	uint32 AttributeLength,
	ContextAttrType attrType,
	/* specify exactly one of these */
	const void *AttributePtr,
	uint32 attributeInt)
{
	CSSM_CONTEXT_ATTRIBUTE		newAttr;
	CSSM_RETURN					crtn;

	newAttr.AttributeType     = AttributeType;
	newAttr.AttributeLength   = AttributeLength;
	if(attrType == CAT_Uint32) {
		newAttr.Attribute.Uint32  = attributeInt;
	}
	else {
		newAttr.Attribute.Data    = (CSSM_DATA_PTR)AttributePtr;
	}
	crtn = CSSM_UpdateContextAttributes(CCHandle, 1, &newAttr);
	if(crtn) {
		stPrintCdsaError("CSSM_UpdateContextAttributes", crtn);
	}
	return crtn;
}

/*
 * Generate ECDH key pair with the given SSL_ECDSA_NamedCurve.
 * Private key, in ref form, is placed in ctx->ecdhPrivate.
 * Public key, in ECPoint form - which can NOT be used as
 * a key in any CSP ops - is placed in ecdhExchangePublic.
 */
OSStatus sslEcdhGenerateKeyPair(
	SSLContext *ctx,
	SSL_ECDSA_NamedCurve namedCurve)
{
	CSSM_RETURN		crtn;
	CSSM_CC_HANDLE 	ccHandle = 0;
	CSSM_DATA		labelData = {8, (uint8 *)"ecdsaKey"};
	OSStatus		ortn = noErr;
	CSSM_KEY		pubKey;
	uint32			keySizeInBits;

	assert(ctx != NULL);
	assert(ctx->cspHand != 0);
	sslFreeKey(ctx->ecdhPrivCspHand, &ctx->ecdhPrivate, NULL);
    SSLFreeBuffer(&ctx->ecdhExchangePublic, ctx);

	switch(namedCurve) {
		case SSL_Curve_secp256r1:
			keySizeInBits = 256;
			break;
		case SSL_Curve_secp384r1:
			keySizeInBits = 384;
			break;
		case SSL_Curve_secp521r1:
			keySizeInBits = 521;
			break;
		default:
			/* should not have gotten this far */
			sslErrorLog("sslEcdhGenerateKeyPair: bad namedCurve (%u)\n",
				(unsigned)namedCurve);
			return errSSLInternal;
	}

	ctx->ecdhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY));

	memset(ctx->ecdhPrivate, 0, sizeof(CSSM_KEY));
	memset(&pubKey, 0, sizeof(CSSM_KEY));

	crtn = CSSM_CSP_CreateKeyGenContext(ctx->cspHand,
		CSSM_ALGID_ECDSA,
		keySizeInBits,
		NULL,					// Seed
		NULL,					// Salt
		NULL,					// StartDate
		NULL,					// EndDate
		NULL,					// Params
		&ccHandle);
	if(crtn) {
		stPrintCdsaError("ECDH CSSM_CSP_CreateKeyGenContext", crtn);
		return errSSLCrypto;
	}
	/* subsequent errors to errOut: */

	/*
	 * Here's how we get the raw ECPoint form of a public key
	 */
	crtn = sslAddContextAttribute(ccHandle,
		CSSM_ATTRIBUTE_PUBLIC_KEY_FORMAT,
		sizeof(uint32),
		CAT_Uint32,
		NULL,
		CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING);
	if(crtn) {
		ortn = errSSLCrypto;
		goto errOut;
	}

	crtn = CSSM_GenerateKeyPair(ccHandle,
		/* public key specification */
		CSSM_KEYUSE_DERIVE,		// only legal use - right?
		CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE,
		&labelData,
		&pubKey,
		/* private key specification */
		CSSM_KEYUSE_DERIVE,
		CSSM_KEYATTR_RETURN_REF,
		&labelData,				// same labels
		NULL,					// CredAndAclEntry
		ctx->ecdhPrivate);
	if(crtn) {
		stPrintCdsaError("ECDH CSSM_GenerateKeyPair", crtn);
		ortn = errSSLCrypto;
		goto errOut;
	}
	ctx->ecdhPrivCspHand = ctx->cspHand;

	/*
	 * Take that public key data, drop it into ecdhExchangePublic,
	 * and free the key.
	 */
    ortn = SSLCopyBufferFromData(pubKey.KeyData.Data, pubKey.KeyData.Length,
				&ctx->ecdhExchangePublic);
	CSSM_FreeKey(ctx->cspHand, NULL, &pubKey, CSSM_FALSE);

errOut:
	if(ccHandle != 0) {
		CSSM_DeleteContext(ccHandle);
	}
	return ortn;

}

/*
 * Perform ECDH key exchange. Obtained key material is the same
 * size as our private key.
 *
 * On entry, ecdhPrivate is our private key. The peer's public key
 * is either ctx->ecdhPeerPublic for ECDHE exchange, or
 * ctx->peerPubKey for ECDH exchange.
 */
OSStatus sslEcdhKeyExchange(
	SSLContext		*ctx,
	SSLBuffer		*exchanged)
{
	CSSM_RETURN 			crtn;
	CSSM_ACCESS_CREDENTIALS	creds;
	const CSSM_ACCESS_CREDENTIALS *secCreds;
	const CSSM_ACCESS_CREDENTIALS *useCreds = &creds;
	CSSM_CC_HANDLE			ccHandle;
	CSSM_DATA				labelData = {8, (uint8 *)"tempKey"};
	CSSM_KEY				derivedKey;
	OSStatus				ortn = noErr;
	CSSM_KEY				rawKey;
	bool					useRefKeys = false;
	uint32					keyAttr;
	SSLBuffer				pubKeyBits = {0, NULL};

	assert(ctx != NULL);
	assert(ctx->ecdhPrivCspHand != 0);
	assert(ctx->ecdhPrivate != NULL);

	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
	memset(&derivedKey, 0, sizeof(CSSM_KEY));
	memset(&rawKey, 0, sizeof(CSSM_KEY));

	/*
	 * If we're using an actual CSSM_KEY for the peer public key, and its
	 * cspHand differs from our private key, we do things a bit different -
	 * our key is in the CSPDL space, and it has a Sec-style ACL for which
	 * we need creds. Also, the peer public key and the derived key have
	 * to be in reference form.
	 */
	switch(ctx->selectedCipherSpec.keyExchangeMethod) {
		case SSL_ECDH_ECDSA:
		case SSL_ECDH_RSA:
			if(ctx->cspHand != ctx->ecdhPrivCspHand) {
				useRefKeys = true;
			}
			break;
		default:
			break;
	}
	if(useRefKeys) {
		assert(ctx->signingPrivKeyRef != NULL);
		ortn = SecKeyGetCredentials(ctx->signingPrivKeyRef,
			CSSM_ACL_AUTHORIZATION_DERIVE,
			kSecCredentialTypeDefault,
			&secCreds);
		if(ortn) {
			stPrintCdsaError("ECDH SecKeyGetCredentials", ortn);
			return ortn;
		}
		useCreds = secCreds;
	}
	crtn = CSSM_CSP_CreateDeriveKeyContext(ctx->ecdhPrivCspHand,
		CSSM_ALGID_ECDH,
		DERIVE_KEY_ALG,
		ctx->ecdhPrivate->KeyHeader.LogicalKeySizeInBits,
		useCreds,
		ctx->ecdhPrivate,	// BaseKey
		0,					// IterationCount
		0,					// Salt
		0,					// Seed
		&ccHandle);
	if(crtn) {
		stPrintCdsaError("ECDH CSSM_CSP_CreateDeriveKeyContext", crtn);
		return errSSLCrypto;
	}
	/* subsequent errors to errOut: */

	CSSM_DATA theirPubKeyData = {0, NULL};

	switch(ctx->selectedCipherSpec.keyExchangeMethod) {
		case SSL_ECDHE_ECDSA:
		case SSL_ECDHE_RSA:
			/* public key passed in as CSSM_DATA *Param */
			if(ctx->ecdhPeerPublic.length == 0) {
				/* comes from peer, don't panic */
				sslErrorLog("sslEcdhKeyExchange: null peer public key\n");
				ortn = errSSLProtocol;
				goto errOut;
			}
			SSLBUF_TO_CSSM(&ctx->ecdhPeerPublic, &theirPubKeyData);
			break;
		case SSL_ECDH_ECDSA:
		case SSL_ECDH_RSA:
			/* add pub key as a context attr */
			if(ctx->peerPubKey == NULL) {
			   sslErrorLog("sslEcdhKeyExchange: no peer key\n");
			   ortn = errSSLInternal;
			   goto errOut;
			}

			/*
			 * If we're using CSPDL, extract the raw public key bits in ECPoint
			 * form and transmit as CSSM_DATA *Param.
			 * The securityd can't transmit a public key in a DeriveKey context
			 * in any form.
			 */
			if(useRefKeys) {
				ortn = sslEcdsaPubKeyBits(ctx->peerPubKey, &pubKeyBits);
				if(ortn) {
					goto errOut;
				}
				SSLBUF_TO_CSSM(&pubKeyBits, &theirPubKeyData);
			}
			else {
				crtn = sslAddContextAttribute(ccHandle,
					CSSM_ATTRIBUTE_PUBLIC_KEY,
					sizeof(CSSM_KEY),
					CAT_Ptr,
					(void *)ctx->peerPubKey,
					0);
				if(crtn) {
					stPrintCdsaError("AddContextAttribute(CSSM_ATTRIBUTE_PUBLIC_KEY)",
						crtn);
					ortn = errSSLInternal;
					goto errOut;
				}
			}
			break;
		default:
			/* shouldn't be here */
			assert(0);
			ortn = errSSLInternal;
			goto errOut;
	}

	if(useRefKeys) {
		keyAttr = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE;
	}
	else {
		keyAttr = CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE;
	}
	crtn = CSSM_DeriveKey(ccHandle,
		&theirPubKeyData,
		CSSM_KEYUSE_ANY,
		keyAttr,
		&labelData,
		NULL,				// cred/acl
		&derivedKey);
	if(crtn) {
		stPrintCdsaError("ECDH CSSM_DeriveKey", crtn);
		ortn = errSSLCrypto;
		goto errOut;
	}

	if(useRefKeys) {
		/*
		 * one more step: NULL-wrap the generated ref key to something we
		 * can use
		 */
		ortn = sslNullWrapKey(ctx->ecdhPrivCspHand, &derivedKey, &rawKey);
		if(ortn) {
			goto errOut;
		}
		ortn = SSLCopyBufferFromData(rawKey.KeyData.Data, rawKey.KeyData.Length,
			exchanged);
	}
	else {
		ortn = SSLCopyBufferFromData(derivedKey.KeyData.Data,
				derivedKey.KeyData.Length, exchanged);
	}
errOut:
	CSSM_DeleteContext(ccHandle);
	if(useRefKeys) {
		if(pubKeyBits.length) {
			SSLFreeBuffer(&pubKeyBits, ctx);
		}
		if(rawKey.KeyData.Length) {
			CSSM_FreeKey(ctx->ecdhPrivCspHand, NULL, &rawKey, CSSM_FALSE);
		}
	}
	return ortn;
}


/*
 * After ciphersuite negotiation is complete, verify that we have
 * the capability of actually performing the selected cipher.
 * Currently we just verify that we have a cert and private signing
 * key, if needed, and that the signing key's algorithm matches the
 * expected key exchange method.
 *
 * This is currently called from FindCipherSpec(), after it sets
 * ctx->selectedCipherSuite to a (supposedly) valid value, and from
 * sslBuildCipherSuiteArray(), in server mode (pre-negotiation) only.
 */
OSStatus sslVerifySelectedCipher(
	SSLContext *ctx,
	const SSLCipherSpec *selectedCipherSpec)
{
	if(ctx->protocolSide == kSSLClientSide) {
		return noErr;
	}
	#if 	SSL_PAC_SERVER_ENABLE
	if((ctx->masterSecretCallback != NULL) &&
	   (ctx->sessionTicket.data != NULL)) {
		/* EAP via PAC resumption; we can do it */
		return noErr;
	}
	#endif	/* SSL_PAC_SERVER_ENABLE */

	CSSM_ALGORITHMS requireAlg = CSSM_ALGID_NONE;
    if(selectedCipherSpec == NULL) {
		return errSSLInternal;
    }
    switch (selectedCipherSpec->keyExchangeMethod) {
		case SSL_RSA:
        case SSL_RSA_EXPORT:
		case SSL_DH_RSA:
		case SSL_DH_RSA_EXPORT:
		case SSL_DHE_RSA:
		case SSL_DHE_RSA_EXPORT:
			requireAlg = CSSM_ALGID_RSA;
			break;
 		case SSL_DHE_DSS:
		case SSL_DHE_DSS_EXPORT:
 		case SSL_DH_DSS:
		case SSL_DH_DSS_EXPORT:
			requireAlg = CSSM_ALGID_DSA;
			break;
		case SSL_DH_anon:
		case SSL_DH_anon_EXPORT:
			/* CSSM_ALGID_NONE, no signing key */
			break;
		/*
		 * When SSL_ECDSA_SERVER is true and we support ECDSA on the server side,
		 * we'll need to add some logic here...
		 */
		#if SSL_ECDSA_SERVER
		#error Work needed in sslVerifySelectedCipher
		#endif

		default:
			/* needs update per cipherSpecs.c */
			assert(0);
			return errSSLInternal;
    }
	if(requireAlg == CSSM_ALGID_NONE) {
		return noErr;
	}

	/* private signing key required */
	if(ctx->signingPrivKeyRef == NULL) {
		sslErrorLog("sslVerifySelectedCipher: no signing key\n");
		return errSSLBadConfiguration;
	}
	{
		const CSSM_KEY *cssmKey;
		OSStatus ortn = SecKeyGetCSSMKey(ctx->signingPrivKeyRef, &cssmKey);
		if(ortn) {
			sslErrorLog("sslVerifySelectedCipher: SecKeyGetCSSMKey err %d\n",
			(int)ortn);
			return ortn;
		}
		if(cssmKey->KeyHeader.AlgorithmId != requireAlg) {
			sslErrorLog("sslVerifySelectedCipher: signing key alg mismatch\n");
			return errSSLBadConfiguration;
		}
	}
	return noErr;
}

#endif /* USE_CDSA_CRYPTO */