#ifndef _SSLCONTEXT_H_
#define _SSLCONTEXT_H_ 1
#include "ssl.h"
#include "SecureTransport.h"
#include "sslBuildFlags.h"
#ifdef USE_CDSA_CRYPTO
#include <Security/cssmtype.h>
#else
#if TARGET_OS_IOS
#include <Security/SecDH.h>
#include <Security/SecKeyInternal.h>
#else
typedef struct OpaqueSecDHContext *SecDHContext;
#endif
#include <corecrypto/ccec.h>
#endif
#include <CommonCrypto/CommonCryptor.h>
#include <CoreFoundation/CFRuntime.h>
#include "sslPriv.h"
#include "tls_ssl.h"
#include "sslDigests.h"
#ifdef __cplusplus
extern "C" {
#endif
/*
 * I/O hooks for one session: a read callback, a write callback and the
 * connection handle stored alongside them.
 * NOTE(review): presumably ioRef is the value handed back to read/write on
 * every call; confirm against the record-layer callers.
 */
typedef struct {
    SSLReadFunc      read;   /* callback used to pull bytes from the transport */
    SSLWriteFunc     write;  /* callback used to push bytes to the transport */
    SSLConnectionRef ioRef;  /* connection handle kept with the callbacks */
} IOContext;
#ifdef USE_SSLCERTIFICATE
/*
 * Singly linked list node holding one certificate as a DER buffer.
 * Only compiled when USE_SSLCERTIFICATE is defined; otherwise the context
 * stores certificates as CFArrayRef values.
 * NOTE(review): which end of the chain sits at the list head (leaf or root)
 * is not visible here; confirm before walking it for validation.
 */
typedef struct SSLCertificate {
    struct SSLCertificate *next;     /* following node, or NULL at the tail */
    SSLBuffer              derCert;  /* DER-encoded certificate bytes */
} SSLCertificate;
#endif
#include "cryptType.h"
/*
 * Per-direction record protection state: the MAC and cipher descriptors, the
 * live MAC and cryptor contexts, the record sequence number and the MAC key.
 *
 * NOTE(review): macSecret is key material stored inline, so any copy of this
 * struct copies the key. Presumably the struct is wiped when a cipher state
 * is retired; confirm in the code that disposes of cipher contexts.
 */
struct CipherContext {
    const HashHmacReference  *macRef;       /* MAC algorithm descriptor */
    const SSLSymmetricCipher *symCipher;    /* symmetric cipher descriptor */
    HashHmacContext           macCtx;       /* running MAC context */
    CCCryptorRef              cryptorRef;   /* CommonCrypto cryptor handle */
    uint8_t                   encrypting;   /* presumably nonzero for the write side; confirm */
    sslUint64                 sequenceNum;  /* record sequence number */
    uint8_t                   ready;        /* presumably set once keys are installed; confirm */
    uint8_t                   macSecret[SSL_MAX_DIGEST_LEN];  /* MAC key bytes */
};
#include "sslHandshake.h"
/*
 * Queue node for an outgoing record that has not been fully written yet.
 *
 * data[1] is a one-element trailing array, the pre-C99 way of declaring a
 * variable-length tail.
 * NOTE(review): presumably the node is allocated with room for `length`
 * bytes after the header; the allocation size arithmetic should be checked
 * for overflow and `sent` should never exceed `length`. Confirm at the
 * allocation and write sites.
 */
typedef struct WaitingRecord {
    struct WaitingRecord *next;     /* following queued record, or NULL */
    size_t                sent;     /* bytes already written out */
    size_t                length;   /* total bytes held in data */
    UInt8                 data[1];  /* first byte of the record payload */
} WaitingRecord;
/*
 * Queue node wrapping one SSLRecord; the context keeps a list of these in
 * messageWriteQueue.
 */
typedef struct WaitingMessage {
    struct WaitingMessage *next;  /* following queued message, or NULL */
    SSLRecord              rec;   /* the queued record, stored by value */
} WaitingMessage;
/*
 * Singly linked list node holding one DER-encoded distinguished name; the
 * context keeps a list of these in acceptableDNList.
 */
typedef struct DNListElem {
    struct DNListElem *next;   /* following entry, or NULL at the tail */
    SSLBuffer          derDN;  /* DER-encoded distinguished name */
} DNListElem;
/*
 * Key wrapper types. Their shape depends on the crypto backend selected at
 * build time.
 */
#ifdef USE_CDSA_CRYPTO

/* CDSA build: a public key is a CSSM key plus the CSP handle stored with it. */
typedef struct SSLPubKey {
    CSSM_KEY        key;
    CSSM_CSP_HANDLE csp;
} SSLPubKey;

/* CDSA build: a private key is a wrapped SecKeyRef. */
typedef struct SSLPrivKey {
    SecKeyRef key;
} SSLPrivKey;

#else

/*
 * Non-CDSA build: both names alias the same underlying key struct, so the
 * compiler cannot tell a public key pointer from a private key pointer.
 * NOTE(review): passing one where the other is expected will compile
 * cleanly; call sites have to keep the roles straight themselves.
 */
#if TARGET_OS_IOS
typedef struct __SecKey SSLPubKey;
typedef struct __SecKey SSLPrivKey;
#else
typedef struct OpaqueSecKeyRef SSLPubKey;
typedef struct OpaqueSecKeyRef SSLPrivKey;
#endif

/* Identity mapping on this path: the SSL key pointer is used as-is. */
#define SECKEYREF(sslkey) (sslkey)

#endif
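/*
 * Complete state of one SSL/TLS/DTLS session: I/O hooks, negotiated
 * parameters, local and peer credentials, key exchange state, handshake
 * bookkeeping, record-layer cipher states, queued I/O and policy switches.
 *
 * The struct begins with a CFRuntimeBase, i.e. it is laid out as a
 * CoreFoundation runtime object. Field order is part of the layout; do not
 * reorder members.
 *
 * Fix relative to the previous text: the `#endif` closing the ECDH
 * USE_CDSA_CRYPTO conditional shared a line with the ccec_full_ctx_decl()
 * declaration, where the preprocessor does not treat it as a directive. It
 * now sits on its own line.
 *
 * The per-field notes are inferred from names and types unless a line in
 * this header establishes them; items marked NOTE(review) need confirming
 * against the implementation.
 *
 * NOTE(review): several members hold secrets inline or by buffer
 * (preMasterSecret, masterSecret, the CipherContext MAC keys, DH/ECDH
 * private state, sessionTicket, resumableSession). Presumably the teardown
 * path wipes them before the memory is released; confirm.
 */
struct SSLContext
{
    CFRuntimeBase _base;
    IOContext ioCtx;                        /* read/write callbacks and connection handle */

    /* Protocol version state. */
    SSLProtocolVersion negProtocolVersion;  /* presumably the negotiated version */
    SSLProtocolVersion clientReqProtocol;   /* presumably the version the client asked for */
    SSLProtocolVersion minProtocolVersion;  /* lower bound; NOTE(review): confirm a safe default */
    SSLProtocolVersion maxProtocolVersion;  /* upper bound */
    Boolean isDTLS;
    SSLProtocolSide protocolSide;           /* client or server role */
    const struct _SslTlsCallouts *sslTslCalls;  /* per-version callout table */

    /* Local signing/encryption keys and the peer's public key. */
    SSLPrivKey *signingPrivKeyRef;
    SSLPubKey *signingPubKey;
    SSLPrivKey *encryptPrivKeyRef;
    SSLPubKey *encryptPubKey;
    SSLPubKey *peerPubKey;

    /* Certificate chains; representation depends on USE_SSLCERTIFICATE. */
#ifdef USE_SSLCERTIFICATE
    SSLCertificate *localCert;
    SSLCertificate *encryptCert;
    SSLCertificate *peerCert;
    CSSM_ALGORITHMS ourSignerAlg;
#else
    CFArrayRef localCert;
    CFArrayRef encryptCert;
    CFArrayRef peerCert;
    CFIndex ourSignerAlg;
#endif
    CFArrayRef localCertArray;
    CFArrayRef encryptCertArray;
    SecTrustRef peerSecTrust;               /* trust object for the peer chain */

    /* Trust anchors; representation depends on the crypto backend. */
#ifdef USE_CDSA_CRYPTO
    CFArrayRef trustedCerts;
    CSSM_CSP_HANDLE cspHand;
    CSSM_TP_HANDLE tpHand;
    CSSM_CL_HANDLE clHand;
#else
#ifdef USE_SSLCERTIFICATE
    size_t numTrustedCerts;
    SSLCertificate *trustedCerts;
#else
    CFMutableArrayRef trustedCerts;
    /* NOTE(review): presumably restricts evaluation to trustedCerts only; confirm. */
    Boolean trustedCertsOnly;
#endif
#endif
    CFArrayRef trustedLeafCerts;

    /* Diffie-Hellman key exchange state, compiled in when APPLE_DH is set. */
#if APPLE_DH
    SSLBuffer dhPeerPublic;
    SSLBuffer dhExchangePublic;
    SSLBuffer dhParamsEncoded;
#ifdef USE_CDSA_CRYPTO
    CSSM_KEY_PTR dhPrivate;
#else
    SecDHContext secDHContext;
#endif
#endif

    /* ECDH key exchange state. */
    SSL_ECDSA_NamedCurve ecdhCurves[SSL_ECDSA_NUM_CURVES];
    unsigned ecdhNumCurves;                 /* NOTE(review): must stay <= SSL_ECDSA_NUM_CURVES */
    SSLBuffer ecdhPeerPublic;
    SSL_ECDSA_NamedCurve ecdhPeerCurve;
    SSLBuffer ecdhExchangePublic;
#ifdef USE_CDSA_CRYPTO
    CSSM_KEY_PTR ecdhPrivate;
    CSSM_CSP_HANDLE ecdhPrivCspHand;
#else
    /* Inline storage for a full EC key context sized for up to 521 bits. */
    ccec_full_ctx_decl(ccn_sizeof(521), ecdhContext);
#endif

    /*
     * Certificate validation policy.
     * NOTE(review): these look like switches that relax or disable peer
     * validation. Confirm that the initializer sets strict defaults and
     * review every code path that can change them.
     */
    Boolean allowExpiredCerts;
    Boolean allowExpiredRoots;
    Boolean enableCertVerify;

    /* DTLS cookie and handshake message sequencing. */
    SSLBuffer dtlsCookie;
    Boolean cookieVerified;
    uint16_t hdskMessageSeq;
    uint32_t hdskMessageRetryCount;
    uint16_t hdskMessageSeqNext;
    SSLHandshakeMsg hdskMessageCurrent;
    uint16_t hdskMessageCurrentOfs;

    /* Session identity and resumption data. */
    SSLBuffer sessionID;
    SSLBuffer peerID;
    SSLBuffer resumableSession;

    /*
     * Peer host name with an explicit length.
     * NOTE(review): comparisons should use peerDomainNameLen rather than
     * rely on NUL termination; confirm in the host name matching code.
     */
    char *peerDomainName;
    size_t peerDomainNameLen;

    /* Record-layer cipher states: active, pending and previous. */
    CipherContext readCipher;
    CipherContext writeCipher;
    CipherContext readPending;
    CipherContext writePending;
    CipherContext prevCipher;

    /* Cipher suite selection. */
    uint16_t selectedCipher;
    SSLCipherSpec selectedCipherSpec;
    SSLCipherSuite *validCipherSuites;
    size_t numValidCipherSuites;            /* element count of validCipherSuites */
#if ENABLE_SSLV2
    unsigned numValidNonSSLv2Suites;
#endif

    /* Handshake state machine and client authentication. */
    SSLHandshakeState state;
    SSLAuthenticate clientAuth;
    Boolean tryClientAuth;
    SSLClientCertificateState clientCertState;
    DNListElem *acceptableDNList;
    CFMutableArrayRef acceptableCAs;
    bool certRequested;
    bool certSent;
    bool certReceived;
    bool x509Requested;

    /* Handshake randoms and secrets (key material). */
    uint8_t clientRandom[SSL_CLIENT_SRVR_RAND_SIZE];
    uint8_t serverRandom[SSL_CLIENT_SRVR_RAND_SIZE];
    SSLBuffer preMasterSecret;
    uint8_t masterSecret[SSL_MASTER_SECRET_SIZE];

    /* Running handshake hash states and reassembly cache. */
    SSLBuffer shaState, md5State, sha256State, sha512State;
    SSLBuffer fragmentedMessageCache;
    unsigned ssl2ChallengeLength;
    unsigned ssl2ConnectionIDLength;
    unsigned sessionMatch;

    /* Outgoing message queue. */
    WaitingMessage *messageWriteQueue;
    Boolean messageQueueContainsChangeCipherSpec;

    /* Partial reads, queued writes and decrypted data awaiting the caller. */
    SSLBuffer partialReadBuffer;
    size_t amountRead;
    WaitingRecord *recordWriteQueue;
    SSLBuffer receivedDataBuffer;
    size_t receivedDataPos;

    /* NOTE(review): allowAnyRoot presumably accepts any root certificate; confirm it defaults to off. */
    Boolean allowAnyRoot;
    Boolean sentFatalAlert;
    /* NOTE(review): presumably enables RSA blinding against timing side channels; confirm. */
    Boolean rsaBlindingEnable;
    /* NOTE(review): presumably enables splitting off a one-byte first record; confirm. */
    Boolean oneByteRecordEnable;
    Boolean wroteAppData;
    uint32_t sessionCacheTimeout;
    SSLBuffer sessionTicket;
    SSLInternalMasterSecretFunction masterSecretCallback;
    const void *masterSecretArg;
#if SSL_PAC_SERVER_ENABLE
    uint8_t serverRandomValid;
#endif

    /* NOTE(review): presumably permits anonymous (unauthenticated) suites; confirm it defaults to off. */
    Boolean anonCipherEnable;

    /* Handshake break/signal options. */
    Boolean breakOnServerAuth;
    Boolean breakOnCertRequest;
    Boolean breakOnClientAuth;
    Boolean signalServerAuth;
    Boolean signalCertRequest;
    Boolean signalClientAuth;
    Boolean ecdsaEnable;

    /* Client authentication types and signature algorithm lists. */
    unsigned numAuthTypes;                  /* element count of clientAuthTypes */
    SSLClientAuthenticationType *clientAuthTypes;
    SSLClientAuthenticationType negAuthType;
    unsigned numClientSigAlgs;              /* element count of clientSigAlgs */
    SSLSignatureAndHashAlgorithm *clientSigAlgs;
    unsigned numServerSigAlgs;              /* element count of serverSigAlgs */
    SSLSignatureAndHashAlgorithm *serverSigAlgs;

    /* Timeouts and MTU (presumably used for DTLS; confirm). */
    CFAbsoluteTime timeout_deadline;
    CFAbsoluteTime timeout_duration;
    size_t mtu;

    /*
     * Renegotiation state.
     * NOTE(review): presumably tracks the secure renegotiation extension,
     * with the verify data of the previous handshake kept in
     * ownVerifyData/peerVerifyData; confirm.
     */
    Boolean secure_renegotiation;
    Boolean secure_renegotiation_received;
    SSLBuffer ownVerifyData;
    SSLBuffer peerVerifyData;
};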
/*
 * Declared here and defined elsewhere. Takes the session context and returns
 * an OSStatus.
 * NOTE(review): presumably recomputes ctx->negAuthType from the configured
 * client auth types and the local identity; confirm against the definition.
 * Callers should check the returned status rather than assume success.
 */
OSStatus SSLUpdateNegotiatedClientAuthType(SSLContextRef ctx);
#ifdef __cplusplus
}
#endif
#endif