X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b1ab9ed8d0e0f1c3b66d7daa8fd5564444c56195..e3d3b979fd185d8303f28a937baa53a187fb8c7d:/libsecurity_ssl/lib/sslUtils.c?ds=sidebyside diff --git a/libsecurity_ssl/lib/sslUtils.c b/libsecurity_ssl/lib/sslUtils.c index 91a4f95b..5a262596 100644 --- a/libsecurity_ssl/lib/sslUtils.c +++ b/libsecurity_ssl/lib/sslUtils.c @@ -22,21 +22,16 @@ */ /* - * sslUtils.c - Misc. SSL utility functions + * sslUtils.c - Misc. OS independant SSL utility functions */ -#include "sslContext.h" +/* THIS FILE CONTAINS KERNEL CODE */ + #include "sslUtils.h" -#include "sslMemory.h" +#include "sslTypes.h" #include "sslDebug.h" -#include - -#include // for open -#include // for read -#include // for errno -#include -#include +#include #ifndef NDEBUG void SSLDump(const unsigned char *data, unsigned long len) @@ -56,17 +51,17 @@ unsigned int SSLDecodeInt(const uint8_t *p, size_t length) { unsigned int val = 0; - assert(length > 0 && length <= 4); //anything else would be an internal error. + check(length > 0 && length <= 4); //anything else would be an internal error. while (length--) val = (val << 8) | *p++; return val; } uint8_t * -SSLEncodeInt(uint8_t *p, unsigned int value, size_t length) +SSLEncodeInt(uint8_t *p, size_t value, size_t length) { unsigned char *retVal = p + length; /* Return pointer to char after int */ - assert(length > 0 && length <= 4); //anything else would be an internal error. + check(length > 0 && length <= 4); //anything else would be an internal error. while (length--) /* Assemble backwards */ { p[length] = (uint8_t)value; /* Implicit masking to low byte */ value >>= 8; @@ -78,7 +73,7 @@ size_t SSLDecodeSize(const uint8_t *p, size_t length) { unsigned int val = 0; - assert(length > 0 && length <= 4); //anything else would be an internal error. + check(length > 0 && length <= 4); //anything else would be an internal error. while (length--) val = (val << 8) | *p++; return val; @@ -88,7 +83,7 @@ uint8_t * SSLEncodeSize(uint8_t *p, size_t value, size_t length) { unsigned char *retVal = p + length; /* Return pointer to char after int */ - assert(length > 0 && length <= 4); //anything else would be an internal error. + check(length > 0 && length <= 4); //anything else would be an internal error. while (length--) /* Assemble backwards */ { p[length] = (uint8_t)value; /* Implicit masking to low byte */ value >>= 8; @@ -98,221 +93,48 @@ SSLEncodeSize(uint8_t *p, size_t value, size_t length) uint8_t * -SSLEncodeUInt64(uint8_t *p, sslUint64 value) +SSLEncodeUInt64(uint8_t *p, uint64_t value) { - p = SSLEncodeInt(p, value.high, 4); - return SSLEncodeInt(p, value.low, 4); -} - - -uint8_t * -SSLEncodeHandshakeHeader(SSLContext *ctx, SSLRecord *rec, SSLHandshakeType type, size_t msglen) -{ - uint8_t *charPtr; - - charPtr = rec->contents.data; - *charPtr++ = type; - charPtr = SSLEncodeSize(charPtr, msglen, 3); - - if(rec->protocolVersion == DTLS_Version_1_0) { - charPtr = SSLEncodeInt(charPtr, ctx->hdskMessageSeq, 2); - /* fragmentation -- we encode header as if unfragmented, - actual fragmentation happens at lower layer. */ - charPtr = SSLEncodeInt(charPtr, 0, 3); - charPtr = SSLEncodeSize(charPtr, msglen, 3); - } - - return charPtr; + p = SSLEncodeInt(p, (value>>32)&0xffffffff, 4); + return SSLEncodeInt(p, value&0xffffffff, 4); } void IncrementUInt64(sslUint64 *v) -{ if (++v->low == 0) /* Must have just rolled over */ - ++v->high; +{ + (*v)++; } -#if ENABLE_DTLS void -SSLDecodeUInt64(const uint8_t *p, size_t length, sslUint64 *v) +SSLDecodeUInt64(const uint8_t *p, size_t length, uint64_t *v) { - assert(length > 0 && length <= 8); + check(length > 0 && length <= 8); if(length<=4) { - v->low=SSLDecodeInt(p, length); - v->high=0; + *v=SSLDecodeInt(p, length); } else { - v->high=SSLDecodeInt(p, length-4); - v->low=SSLDecodeInt(p+length-4, 4); + *v=((uint64_t)SSLDecodeInt(p, length-4))<<32 | SSLDecodeInt(p+length-4, 4); } } -#endif -#ifdef USE_SSLCERTIFICATE -size_t -SSLGetCertificateChainLength(const SSLCertificate *c) -{ - size_t rtn = 0; - - while (c) - { - rtn++; - c = c->next; - } - return rtn; -} - -OSStatus sslDeleteCertificateChain( - SSLCertificate *certs, - SSLContext *ctx) -{ - SSLCertificate *cert; - SSLCertificate *nextCert; - - assert(ctx != NULL); - cert=certs; - while(cert != NULL) { - nextCert = cert->next; - SSLFreeBuffer(&cert->derCert, ctx); - sslFree(cert); - cert = nextCert; - } - return noErr; -} -#endif /* USE_SSLCERTIFICATE */ - -Boolean sslIsSessionActive(const SSLContext *ctx) -{ - assert(ctx != NULL); - switch(ctx->state) { - case SSL_HdskStateUninit: - case SSL_HdskStateServerUninit: - case SSL_HdskStateClientUninit: - case SSL_HdskStateGracefulClose: - case SSL_HdskStateErrorClose: - return false; - default: - return true; - } -} #if SSL_DEBUG const char *protocolVersStr(SSLProtocolVersion prot) { switch(prot) { - case SSL_Version_Undetermined: return "SSL_Version_Undetermined"; - case SSL_Version_2_0: return "SSL_Version_2_0"; - case SSL_Version_3_0: return "SSL_Version_3_0"; - case TLS_Version_1_0: return "TLS_Version_1_0"; - case TLS_Version_1_1: return "TLS_Version_1_1"; - case TLS_Version_1_2: return "TLS_Version_1_2"; - default: sslErrorLog("protocolVersStr: bad prot\n"); return "BAD PROTOCOL"; + case SSL_Version_Undetermined: return "SSL_Version_Undetermined"; + case SSL_Version_2_0: return "SSL_Version_2_0"; + case SSL_Version_3_0: return "SSL_Version_3_0"; + case TLS_Version_1_0: return "TLS_Version_1_0"; + case TLS_Version_1_1: return "TLS_Version_1_1"; + case TLS_Version_1_2: return "TLS_Version_1_2"; + default: sslErrorLog("protocolVersStr: bad prot\n"); return "BAD PROTOCOL"; } return NULL; /* NOT REACHED */ } #endif /* SSL_DEBUG */ -/* - * Redirect SSLBuffer-based I/O call to user-supplied I/O. - */ -OSStatus sslIoRead( - SSLBuffer buf, - size_t *actualLength, - SSLContext *ctx) -{ - size_t dataLength = buf.length; - OSStatus ortn; - - *actualLength = 0; - ortn = (ctx->ioCtx.read)(ctx->ioCtx.ioRef, - buf.data, - &dataLength); - *actualLength = dataLength; - return ortn; -} - -OSStatus sslIoWrite( - SSLBuffer buf, - size_t *actualLength, - SSLContext *ctx) -{ - size_t dataLength = buf.length; - OSStatus ortn; - - *actualLength = 0; - ortn = (ctx->ioCtx.write)(ctx->ioCtx.ioRef, - buf.data, - &dataLength); - *actualLength = dataLength; - return ortn; -} -OSStatus sslTime(uint32_t *tim) -{ - time_t t; - time(&t); - *tim = (uint32_t)t; - return noErr; -} - -/* - * Common RNG function. - */ -OSStatus sslRand(SSLContext *ctx, SSLBuffer *buf) -{ - assert(buf != NULL); - assert(buf->data != NULL); - - if(buf->length == 0) { - sslErrorLog("sslRand: zero buf->length\n"); - return noErr; - } - - return SecRandomCopyBytes(kSecRandomDefault, buf->length, buf->data) ? errSSLCrypto : noErr; -} -/* - * Given a protocol version sent by peer, determine if we accept that version - * and downgrade if appropriate (which can not be done for the client side). - */ -OSStatus sslVerifyProtVersion( - SSLContext *ctx, - SSLProtocolVersion peerVersion, // sent by peer - SSLProtocolVersion *negVersion) // final negotiated version if return success -{ - if ((ctx->isDTLS) - ? peerVersion > ctx->minProtocolVersion - : peerVersion < ctx->minProtocolVersion) { - return errSSLNegotiation; - } - if ((ctx->isDTLS) - ? peerVersion < ctx->maxProtocolVersion - : peerVersion > ctx->maxProtocolVersion) { - if (ctx->protocolSide == kSSLClientSide) { - return errSSLNegotiation; - } - *negVersion = ctx->maxProtocolVersion; - } else { - *negVersion = peerVersion; - } - - return noErr; -} - -/* - * Determine max enabled protocol, i.e., the one we try to negotiate for. - * Only returns an error (paramErr) if NO protocols are enabled, which can - * in fact happen by malicious or ignorant use of SSLSetProtocolVersionEnabled(). - */ -OSStatus sslGetMaxProtVersion( - SSLContext *ctx, - SSLProtocolVersion *version) // RETURNED -{ - /* This check is here until SSLSetProtocolVersionEnabled() is gone .*/ - if (ctx->maxProtocolVersion == SSL_Version_Undetermined) - return badReqErr; - - *version = ctx->maxProtocolVersion; - return noErr; -}