📄 session.c
字号:
/****************************************************************************
* *
* cryptlib Session Support Routines *
* Copyright Peter Gutmann 1998-2005 *
* *
****************************************************************************/
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#if defined( INC_ALL )
#include "crypt.h"
#include "session.h"
#elif defined( INC_CHILD )
#include "../crypt.h"
#include "session.h"
#else
#include "crypt.h"
#include "session/session.h"
#endif /* Compiler-specific includes */
#ifdef USE_SESSIONS
/****************************************************************************
* *
* Utility Functions *
* *
****************************************************************************/
/* Initialise network connection information based on the contents of the
session object */
void initSessionNetConnectInfo( const SESSION_INFO *sessionInfoPtr,
NET_CONNECT_INFO *connectInfo )
{
const ATTRIBUTE_LIST *attributeListPtr;
initNetConnectInfo( connectInfo, sessionInfoPtr->ownerHandle,
sessionInfoPtr->readTimeout, sessionInfoPtr->connectTimeout,
( sessionInfoPtr->transportSession != CRYPT_ERROR ) ? \
NET_OPTION_TRANSPORTSESSION : \
( sessionInfoPtr->networkSocket != CRYPT_ERROR ) ? \
NET_OPTION_NETWORKSOCKET : \
( sessionInfoPtr->flags & SESSION_USEHTTPTUNNEL ) ? \
NET_OPTION_HOSTNAME_TUNNEL : \
NET_OPTION_HOSTNAME );
/* If there's an explicit server name set, connect to it if we're the
client or bind to the named interface if we're the server */
if( ( attributeListPtr = \
findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_NAME ) ) != NULL )
{
connectInfo->name = attributeListPtr->value;
connectInfo->nameLength = attributeListPtr->valueLength;
}
/* If there's an explicit port set, connect/bind to it, otherwise use the
default port for the protocol */
if( ( attributeListPtr = \
findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_PORT ) ) != NULL )
connectInfo->port = attributeListPtr->intValue;
else
connectInfo->port = sessionInfoPtr->protocolInfo->port;
/* Set the user-supplied transport session or socket if required */
connectInfo->iCryptSession = sessionInfoPtr->transportSession;
connectInfo->networkSocket = sessionInfoPtr->networkSocket;
}
/****************************************************************************
* *
* Session Activation Functions *
* *
****************************************************************************/
/* Check client/server-specific required values */
static CRYPT_ATTRIBUTE_TYPE checkClientParameters( const SESSION_INFO *sessionInfoPtr )
{
/* Make sure that the network comms parameters are present */
if( sessionInfoPtr->transportSession == CRYPT_ERROR && \
sessionInfoPtr->networkSocket == CRYPT_ERROR && \
findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_NAME ) == NULL )
return( CRYPT_SESSINFO_SERVER_NAME );
/* Make sure that the username + password and/or user private key are
present if required */
if( ( sessionInfoPtr->clientReqAttrFlags & SESSION_NEEDS_USERID ) && \
findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_USERNAME ) == NULL )
return( CRYPT_SESSINFO_USERNAME );
if( ( sessionInfoPtr->clientReqAttrFlags & SESSION_NEEDS_PASSWORD ) && \
findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_PASSWORD ) == NULL )
{
/* There's no password present, see if we can use a private key as
an alternative */
if( !( sessionInfoPtr->clientReqAttrFlags & \
SESSION_NEEDS_KEYORPASSWORD ) || \
sessionInfoPtr->privateKey == CRYPT_ERROR )
return( CRYPT_SESSINFO_PASSWORD );
}
if( ( sessionInfoPtr->clientReqAttrFlags & SESSION_NEEDS_PRIVATEKEY ) && \
sessionInfoPtr->privateKey == CRYPT_ERROR )
{
/* There's no private key present, see if we can use a password as
an alternative */
if( !( sessionInfoPtr->clientReqAttrFlags & \
SESSION_NEEDS_KEYORPASSWORD ) || \
findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_PASSWORD ) == NULL )
return( CRYPT_SESSINFO_PRIVATEKEY );
}
/* Make sure that request/response protocol data is present if required */
if( ( sessionInfoPtr->clientReqAttrFlags & SESSION_NEEDS_REQUEST ) && \
sessionInfoPtr->iCertRequest == CRYPT_ERROR )
return( CRYPT_SESSINFO_REQUEST );
return( CRYPT_ATTRIBUTE_NONE );
}
static CRYPT_ATTRIBUTE_TYPE checkServerParameters( const SESSION_INFO *sessionInfoPtr )
{
/* Make sure that server key and keyset information is present if
required */
if( ( sessionInfoPtr->serverReqAttrFlags & SESSION_NEEDS_PRIVATEKEY ) && \
sessionInfoPtr->privateKey == CRYPT_ERROR )
{
/* There's no private key present, see if we can use a username +
password as an alternative. In the special case of password-
based SSL this isn't completely foolproof since the passwords are
entered into a pool from which they can be deleted explicitly if
the session is aborted in a non-resumable manner (but see the
note in ssl_rw.c) or implicitly over time as they're displaced by
other entries, however this is an extremely unlikely case and
it's too tricky trying to track what is and isn't still active to
handle this fully */
if( !( sessionInfoPtr->serverReqAttrFlags & \
SESSION_NEEDS_KEYORPASSWORD ) || \
findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_PASSWORD ) == NULL )
return( CRYPT_SESSINFO_PRIVATEKEY );
}
if( ( sessionInfoPtr->serverReqAttrFlags & SESSION_NEEDS_KEYSET ) && \
sessionInfoPtr->cryptKeyset == CRYPT_ERROR )
return( CRYPT_SESSINFO_KEYSET );
return( CRYPT_ATTRIBUTE_NONE );
}
/* Activate the network connection for a session */
static int activateConnection( SESSION_INFO *sessionInfoPtr )
{
CRYPT_ATTRIBUTE_TYPE errorAttribute;
int status;
/* Make sure that everything is set up ready to go */
errorAttribute = ( sessionInfoPtr->flags & SESSION_ISSERVER ) ? \
checkServerParameters( sessionInfoPtr ) : \
checkClientParameters( sessionInfoPtr );
if( errorAttribute != CRYPT_ATTRIBUTE_NONE )
{
setErrorInfo( sessionInfoPtr, errorAttribute,
CRYPT_ERRTYPE_ATTR_ABSENT );
return( CRYPT_ERROR_NOTINITED );
}
/* Allocate the send and receive buffers if necessary. The send buffer
isn't used for request-response session types that use the receive
buffer for both outgoing and incoming data, so we only allocate it if
it's actually required */
if( sessionInfoPtr->sendBuffer == NULL )
{
assert( sessionInfoPtr->receiveBufSize >= MIN_BUFFER_SIZE && \
( sessionInfoPtr->sendBufSize >= MIN_BUFFER_SIZE || \
sessionInfoPtr->sendBufSize == CRYPT_UNUSED ) );
if( ( sessionInfoPtr->receiveBuffer = \
clAlloc( "activateConnection", \
sessionInfoPtr->receiveBufSize ) ) == NULL )
return( CRYPT_ERROR_MEMORY );
if( sessionInfoPtr->sendBufSize != CRYPT_UNUSED )
{
/* When allocating the send buffer we use the size for the
receive buffer since the user may have overridden the default
buffer size */
if( ( sessionInfoPtr->sendBuffer = \
clAlloc( "activateConnection", \
sessionInfoPtr->receiveBufSize ) ) == NULL )
{
clFree( "activateConnection", sessionInfoPtr->receiveBuffer );
sessionInfoPtr->receiveBuffer = NULL;
return( CRYPT_ERROR_MEMORY );
}
sessionInfoPtr->sendBufSize = sessionInfoPtr->receiveBufSize;
}
}
assert( ( sessionInfoPtr->flags & SESSION_ISSERVER ) || \
findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_NAME ) != NULL || \
sessionInfoPtr->networkSocket != CRYPT_ERROR );
assert( findSessionAttribute( sessionInfoPtr->attributeList,
CRYPT_SESSINFO_SERVER_PORT ) != NULL || \
sessionInfoPtr->protocolInfo->port > 0 );
assert( sessionInfoPtr->receiveBuffer != NULL );
/* Set timeouts if they're not set yet */
if( sessionInfoPtr->connectTimeout == CRYPT_ERROR )
{
int timeout;
status = krnlSendMessage( sessionInfoPtr->ownerHandle,
IMESSAGE_GETATTRIBUTE, &timeout,
CRYPT_OPTION_NET_CONNECTTIMEOUT );
sessionInfoPtr->connectTimeout = cryptStatusOK( status ) ? \
timeout : 30;
}
if( sessionInfoPtr->readTimeout == CRYPT_ERROR )
{
int timeout;
status = krnlSendMessage( sessionInfoPtr->ownerHandle,
IMESSAGE_GETATTRIBUTE, &timeout,
CRYPT_OPTION_NET_READTIMEOUT );
sessionInfoPtr->readTimeout = cryptStatusOK( status ) ? \
timeout : 30;
}
if( sessionInfoPtr->writeTimeout == CRYPT_ERROR )
{
int timeout;
status = krnlSendMessage( sessionInfoPtr->ownerHandle,
IMESSAGE_GETATTRIBUTE, &timeout,
CRYPT_OPTION_NET_WRITETIMEOUT );
sessionInfoPtr->writeTimeout = cryptStatusOK( status ) ? \
timeout : 30;
}
/* Wait for any async driver binding to complete. We can delay this
until this very late stage because no networking functionality is
used until this point */
if( !krnlWaitSemaphore( SEMAPHORE_DRIVERBIND ) )
/* The kernel is shutting down, bail out */
return( CRYPT_ERROR_PERMISSION );
/* If this is the first time we've got here, activate the session */
if( !( sessionInfoPtr->flags & SESSION_PARTIALOPEN ) )
{
status = sessionInfoPtr->connectFunction( sessionInfoPtr );
if( cryptStatusError( status ) )
return( status );
}
assert( !sIsNullStream( &sessionInfoPtr->stream ) );
/* If it's a secure data transport session, complete the session state
setup. Note that some sessions dynamically change the protocol info
during the handshake to accommodate parameters negotiated during the
handshake, so we can only access the protocol info after the handshake
has completed */
if( !sessionInfoPtr->protocolInfo->isReqResp )
{
/* Complete the session handshake to set up the secure state */
status = sessionInfoPtr->transactFunction( sessionInfoPtr );
if( cryptStatusError( status ) )
{
/* If we need a check of a resource (for example a user name and
password or cert supplied by the other side) before we can
complete the handshake, we remain in the handshake state so
the user can re-activate the session after confirming (or
denying) the resource */
if( status == CRYPT_ENVELOPE_RESOURCE )
sessionInfoPtr->flags |= SESSION_PARTIALOPEN;
return( status );
}
/* Notify the kernel that the session key context is attached to the
session object. Note that we increment its reference count even
though it's an internal object used only by the session, because
otherwise it'll be automatically destroyed by the kernel as a
zero-reference dependent object when the session object is
destroyed (but before the session object itself, since it's a
dependent object). This automatic cleanup could cause problems
for lower-level session management code that tries to work with
the (apparently still-valid) handle, for example protocols that
need to encrypt a close-channel message on shutdown */
krnlSendMessage( sessionInfoPtr->objectHandle, IMESSAGE_SETDEPENDENT,
&sessionInfoPtr->iCryptInContext,
SETDEP_OPTION_INCREF );
/* Set up the buffer management variables */
sessionInfoPtr->receiveBufPos = sessionInfoPtr->receiveBufEnd = 0;
sessionInfoPtr->sendBufPos = sessionInfoPtr->sendBufStartOfs;
/* For data transport sessions, partial reads and writes (that is,
sending and receiving partial packets in the presence of
timeouts) are permitted */
sioctl( &sessionInfoPtr->stream, STREAM_IOCTL_PARTIALREAD, NULL, 0 );
sioctl( &sessionInfoPtr->stream, STREAM_IOCTL_PARTIALWRITE, NULL, 0 );
}
/* The handshake has been completed, switch from the handshake timeout
to the data transfer timeout and remember that the session has been
successfully established */
sioctl( &sessionInfoPtr->stream, STREAM_IOCTL_HANDSHAKECOMPLETE, NULL, 0 );
sessionInfoPtr->flags &= ~SESSION_PARTIALOPEN;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -