X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_ssl/lib/tlsCallbacks.c?ds=inline

diff --git a/OSX/libsecurity_ssl/lib/tlsCallbacks.c b/OSX/libsecurity_ssl/lib/tlsCallbacks.c
index 95827179..d17e73d4 100644
--- a/OSX/libsecurity_ssl/lib/tlsCallbacks.c
+++ b/OSX/libsecurity_ssl/lib/tlsCallbacks.c
@@ -28,11 +28,12 @@
 #include "sslCrypto.h"
 #include "sslDebug.h"
 #include "sslMemory.h"
-#include "appleSession.h"
 #include <Security/SecCertificate.h>
 #include <Security/SecCertificatePriv.h>
 #include "utilities/SecCFRelease.h"
 
+#include <tls_helpers.h>
+#include <tls_cache.h>
 
 static
 int tls_handshake_write_callback(tls_handshake_ctx_t ctx, const SSLBuffer data, uint8_t content_type)
@@ -65,8 +66,7 @@ tls_handshake_message_callback(tls_handshake_ctx_t ctx, tls_handshake_message_t
             // Need to call this here, in case SetCertificate was already called.
             myCtx->clientCertState = kSSLClientCertRequested;
             myCtx->clientAuthTypes = tls_handshake_get_peer_acceptable_client_auth_type(myCtx->hdsk, &myCtx->numAuthTypes);
-            SSLUpdateNegotiatedClientAuthType(myCtx);
-            if (myCtx->breakOnCertRequest && (myCtx->localCert==NULL)) {
+            if (myCtx->breakOnCertRequest && (myCtx->localCertArray==NULL)) {
                 myCtx->signalCertRequest = true;
                 err = errSSLClientCertRequested;
             }
@@ -80,7 +80,7 @@ tls_handshake_message_callback(tls_handshake_ctx_t ctx, tls_handshake_message_t
         case tls_handshake_message_server_hello:
             myCtx->serverHelloReceived = true;
             alpn_data = tls_handshake_get_peer_alpn_data(myCtx->hdsk);
-            if(alpn_data) {
+            if (alpn_data && myCtx->alpnFunc != NULL) {
                 myCtx->alpnFunc(myCtx, myCtx->alpnFuncInfo, alpn_data->data, alpn_data->length);
             } else {
                 npn_data = tls_handshake_get_peer_npn_data(myCtx->hdsk);
@@ -93,7 +93,7 @@ tls_handshake_message_callback(tls_handshake_ctx_t ctx, tls_handshake_message_t
         case tls_handshake_message_certificate:
             /* For clients, we only check the cert when we receive the ServerHelloDone message.
                For servers, we check the client's cert right here. For both we set the public key */
-            err = tls_set_peer_pubkey(myCtx);
+            err = tls_helper_set_peer_pubkey(myCtx->hdsk);
             if(!err && (myCtx->protocolSide == kSSLServerSide)) {
                 err = tls_verify_peer_cert(myCtx);
             }
@@ -196,43 +196,110 @@ int tls_handshake_set_protocol_version_callback(tls_handshake_ctx_t ctx,
     return myCtx->recFuncs->setProtocolVersion(myCtx->recCtx, protocolVersion);
 }
 
+static int
+_buildConfigurationSpecificSessionCacheKey(SSLContext *myCtx, SSLBuffer *sessionKey, SSLBuffer *outputBuffer)
+{
+    SSLBuffer configurationBuffer;
+    configurationBuffer.data = NULL;
+    configurationBuffer.length = 0;
+    int err = SSLGetSessionConfigurationIdentifier(myCtx, &configurationBuffer);
+    if (err != errSecSuccess) {
+        return err;
+    }
+
+    outputBuffer->length = configurationBuffer.length + sessionKey->length;
+    outputBuffer->data = (uint8_t *) malloc(outputBuffer->length);
+    if (outputBuffer->data == NULL) {
+        free(configurationBuffer.data);
+        return errSecAllocate;
+    }
+
+    memcpy(outputBuffer->data, configurationBuffer.data, configurationBuffer.length);
+    memcpy(outputBuffer->data + configurationBuffer.length, sessionKey->data, sessionKey->length);
+
+    free(configurationBuffer.data);
+
+    return errSecSuccess;
+}
+
 static int
 tls_handshake_save_session_data_callback(tls_handshake_ctx_t ctx, SSLBuffer sessionKey, SSLBuffer sessionData)
 {
+    int err = errSSLSessionNotFound;
     SSLContext *myCtx = (SSLContext *)ctx;
-    sslDebugLog("%s: %p, key len=%zd, k[0]=%02x, data len=%zd\n", __FUNCTION__, myCtx, sessionKey.length, sessionKey.data[0], sessionData.length);
-    return sslAddSession(sessionKey, sessionData, myCtx->sessionCacheTimeout);
+
+    if (myCtx->cache == NULL) {
+        return errSSLSessionNotFound;
+    }
+
+    SSLBuffer configurationSpecificKey;
+    configurationSpecificKey.data = NULL;
+    configurationSpecificKey.length = 0;
+    err = _buildConfigurationSpecificSessionCacheKey(myCtx, &sessionKey, &configurationSpecificKey);
+    if (err  != errSecSuccess) {
+        return err;
+    }
+
+    sslDebugLog("%s: %p, key len=%zd, k[0]=%02x, data len=%zd\n", __FUNCTION__, myCtx, configurationSpecificKey.length, configurationSpecificKey.data[0], sessionData.length);
+
+    err = tls_cache_save_session_data(myCtx->cache, &configurationSpecificKey, &sessionData, myCtx->sessionCacheTimeout);
+
+    free(configurationSpecificKey.data);
+
+    return err;
 }
 
 static int
 tls_handshake_load_session_data_callback(tls_handshake_ctx_t ctx, SSLBuffer sessionKey, SSLBuffer *sessionData)
 {
     SSLContext *myCtx = (SSLContext *)ctx;
-    int err;
+    int err = errSSLSessionNotFound;
 
     SSLFreeBuffer(&myCtx->resumableSession);
-    err = sslCopySession(sessionKey, &myCtx->resumableSession);
+    if (myCtx->cache == NULL) {
+        return errSSLSessionNotFound;
+    }
 
-    sslDebugLog("%p, key len=%zd, data len=%zd, err=%d\n", ctx, sessionKey.length, sessionData->length, err);
+    SSLBuffer configurationSpecificKey;
+    configurationSpecificKey.data = NULL;
+    configurationSpecificKey.length = 0;
+    err = _buildConfigurationSpecificSessionCacheKey(myCtx, &sessionKey, &configurationSpecificKey);
+    if (err  != errSecSuccess) {
+        return err;
+    }
 
+    err = tls_cache_load_session_data(myCtx->cache, &configurationSpecificKey, &myCtx->resumableSession);
+    sslDebugLog("%p, key len=%zd, data len=%zd, err=%d\n", ctx, configurationSpecificKey.length, sessionData->length, err);
     *sessionData = myCtx->resumableSession;
 
+    free(configurationSpecificKey.data);
+
     return err;
 }
 
 static int
 tls_handshake_delete_session_data_callback(tls_handshake_ctx_t ctx, SSLBuffer sessionKey)
 {
+    int err = errSSLSessionNotFound;
+    SSLContext *myCtx = (SSLContext *)ctx;
+
     sslDebugLog("%p, key len=%zd k[0]=%02x\n", ctx, sessionKey.length, sessionKey.data[0]);
-    return sslDeleteSession(sessionKey);
+    if(myCtx->cache) {
+        err = tls_cache_delete_session_data(myCtx->cache, &sessionKey);
+    }
+    return err;
 }
 
 static int
 tls_handshake_delete_all_sessions_callback(tls_handshake_ctx_t ctx)
 {
+    SSLContext *myCtx = (SSLContext *)ctx;
     sslDebugLog("%p\n", ctx);
 
-    return sslCleanupSession();
+    if(myCtx->cache) {
+        tls_cache_empty(myCtx->cache);
+    }
+    return 0;
 }
 
 tls_handshake_callbacks_t tls_handshake_callbacks = {
@@ -250,5 +317,3 @@ tls_handshake_callbacks_t tls_handshake_callbacks = {
     .advance_read_cipher = tls_handshake_advance_read_cipher_callback,
     .set_protocol_version = tls_handshake_set_protocol_version_callback,
 };
-
-