#ifndef _SSLCONTEXT_H_
#define _SSLCONTEXT_H_ 1
#include "SecureTransport.h"
#include "sslBuildFlags.h"
#ifdef USE_CDSA_CRYPTO
#include <Security/cssmtype.h>
#else
#if TARGET_OS_IPHONE
#include <Security/SecDH.h>
#include <Security/SecKeyInternal.h>
#else
#include "../sec/Security/SecDH.h" // hack to get SecDH.
#endif
#include <corecrypto/ccec.h>
#endif
#include <CoreFoundation/CFRuntime.h>
#include <AssertMacros.h>
#include "sslPriv.h"
#include "tls_ssl.h"
#include "sslDigests.h"
#include "sslRecord.h"
#include "cipherSpecs.h"
#ifdef __cplusplus
extern "C" {
#endif
/*
 * Transport I/O hooks for one session: the caller-supplied read and write
 * callbacks, plus the connection reference stored alongside them.
 */
typedef struct {
    SSLReadFunc         read;
    SSLWriteFunc        write;
    SSLConnectionRef    ioRef;
} IOContext;
#ifdef USE_SSLCERTIFICATE
/*
 * One node of a singly linked certificate chain. Each node carries one
 * certificate in derCert (DER-encoded, going by the field name) and a
 * pointer to the next node.
 */
typedef struct SSLCertificate {
    struct SSLCertificate   *next;
    SSLBuffer               derCert;
} SSLCertificate;
/*
 * Declared here, defined elsewhere. By name, reports how many nodes the
 * chain starting at c contains; whether a NULL chain is accepted is not
 * visible from this header.
 */
size_t SSLGetCertificateChainLength(const SSLCertificate *c);

/*
 * Declared here, defined elsewhere. By name, releases every node of the
 * chain starting at certs. NOTE(review): confirm who owns the chain after
 * the call so that callers do not keep using freed nodes.
 */
OSStatus sslDeleteCertificateChain(SSLCertificate *certs, SSLContext *ctx);
#endif
#include "sslHandshake.h"
/*
 * Node of a singly linked list of records. SSLContext.messageWriteQueue
 * points at a list of these.
 */
typedef struct WaitingMessage {
    struct WaitingMessage   *next;
    SSLRecord               rec;
} WaitingMessage;
/*
 * Node of a singly linked list of distinguished names, one SSLBuffer per
 * name (DER-encoded, going by the field name). SSLContext.acceptableDNList
 * points at a list of these.
 */
typedef struct DNListElem {
    struct DNListElem   *next;
    SSLBuffer           derDN;
} DNListElem;
#ifdef USE_CDSA_CRYPTO
/*
 * CDSA build only: a public key is a CSSM key together with the CSP handle
 * stored next to it.
 */
typedef struct SSLPubKey {
    CSSM_KEY            key;
    CSSM_CSP_HANDLE     csp;
} SSLPubKey;
/*
 * CDSA build only: a private key is a wrapper around a SecKeyRef. Unlike
 * the non-CDSA build, this is a distinct struct type from SSLPubKey.
 */
typedef struct SSLPrivKey {
    SecKeyRef   key;
} SSLPrivKey;
#else
/*
 * Non-CDSA build: SSLPubKey and SSLPrivKey are both aliases for the
 * platform's opaque SecKey struct, chosen per target below.
 *
 * NOTE(review): because both names alias the same struct, the compiler
 * cannot tell a public-key pointer from a private-key pointer in this
 * configuration. Passing one where the other is expected compiles without a
 * diagnostic, so the distinction has to be kept by convention and review.
 */
#if TARGET_OS_IPHONE
typedef struct __SecKey SSLPubKey;
typedef struct __SecKey SSLPrivKey;
#else
typedef struct OpaqueSecKeyRef SSLPubKey;
typedef struct OpaqueSecKeyRef SSLPrivKey;
#endif
/* Identity macro in this configuration: the SSL key pointer is used as is. */
#define SECKEYREF(sslkey) (sslkey)
#endif
/*
 * Parameters recorded for one cipher suite: its identifier, key-exchange
 * method, four size fields and MAC algorithm.
 *
 * The size fields are uint8_t, so each holds at most 255. Their unit is not
 * stated in this header (presumably bytes; confirm against the code that
 * fills the struct in).
 */
typedef struct {
    SSLCipherSuite      cipherSpec;
    KeyExchangeMethod   keyExchangeMethod;
    uint8_t             keySize;
    uint8_t             ivSize;
    uint8_t             blockSize;
    uint8_t             macSize;
    HMAC_Algs           macAlg;
} SSLCipherSpecParams;
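/*
 * Per-session SSL/TLS/DTLS state.
 *
 * This header only declares the layout. Field semantics and default values
 * are established by code outside it, so the group comments below describe
 * what the declarations show and mark name-based readings as such.
 *
 * The field order and the conditional sections are part of the layout seen
 * by every translation unit that includes this header. All of them must be
 * compiled with the same USE_CDSA_CRYPTO, USE_SSLCERTIFICATE, APPLE_DH,
 * ENABLE_SSLV2, SSL_PAC_SERVER_ENABLE and TARGET_OS_IPHONE settings, or
 * they will disagree about member offsets.
 *
 * NOTE(review): secret material is kept in this struct, either inline or in
 * SSLBuffers: preMasterSecret, masterSecret, pskSharedSecret and the DH and
 * ECDH private state, and possibly resumableSession and sessionTicket.
 * Confirm that the teardown path (not in this header) clears these before
 * the memory is released.
 *
 * NOTE(review): allowExpiredCerts, allowExpiredRoots, allowAnyRoot,
 * enableCertVerify, trustedCertsOnly and anonCipherEnable read, by name, as
 * switches that gate or relax peer authentication. Confirm that they start
 * in the strict state and audit every code path that changes them.
 */
struct SSLContext
{
    /* CoreFoundation runtime header for this object. */
    CFRuntimeBase       _base;

    /* Transport callbacks and connection reference (see IOContext). */
    IOContext           ioCtx;

    /* Record-layer function table and its context. */
    const struct SSLRecordFuncs *recFuncs;
    SSLRecordContextRef recCtx;

    /*
     * Protocol versions. negProtocolVersion is the one
     * sslVersionIsLikeTls12() checks against SSL_Version_Undetermined.
     * The others are, by name, the client's request and the allowed range.
     */
    SSLProtocolVersion  negProtocolVersion;
    SSLProtocolVersion  clientReqProtocol;
    SSLProtocolVersion  minProtocolVersion;
    SSLProtocolVersion  maxProtocolVersion;
    Boolean             isDTLS;         /* selects the DTLS branch in sslVersionIsLikeTls12() */
    SSLProtocolSide     protocolSide;

    /* Protocol-specific callout table. */
    const struct _SslTlsCallouts *sslTslCalls;

    /* Local signing and encryption keys, and the peer's public key. */
    SSLPrivKey          *signingPrivKeyRef;
    SSLPubKey           *signingPubKey;
    SSLPrivKey          *encryptPrivKeyRef;
    SSLPubKey           *encryptPubKey;
    SSLPubKey           *peerPubKey;

    /*
     * Certificate chains. They are linked lists of SSLCertificate when
     * USE_SSLCERTIFICATE is defined, and CFArrays otherwise.
     */
#ifdef USE_SSLCERTIFICATE
    SSLCertificate      *localCert;
    SSLCertificate      *encryptCert;
    SSLCertificate      *peerCert;
    CSSM_ALGORITHMS     ourSignerAlg;
#else
    CFArrayRef          localCert;
    CFArrayRef          encryptCert;
    CFArrayRef          peerCert;
    CFIndex             ourSignerAlg;
#endif
    CFArrayRef          localCertArray;
    CFArrayRef          encryptCertArray;

    /* Trust object for the peer. */
    SecTrustRef         peerSecTrust;

    /* Trusted certificates. Their representation depends on the build flags. */
#ifdef USE_CDSA_CRYPTO
    CFArrayRef          trustedCerts;
    CSSM_CSP_HANDLE     cspHand;
    CSSM_TP_HANDLE      tpHand;
    CSSM_CL_HANDLE      clHand;
#else
#ifdef USE_SSLCERTIFICATE
    size_t              numTrustedCerts;
    SSLCertificate      *trustedCerts;
#else
    CFMutableArrayRef   trustedCerts;
    Boolean             trustedCertsOnly;
#endif
#endif
    CFArrayRef          trustedLeafCerts;

    /* Diffie-Hellman exchange state. dhPrivate / secDHContext is secret. */
#if APPLE_DH
    SSLBuffer           dhPeerPublic;
    SSLBuffer           dhExchangePublic;
    SSLBuffer           dhParamsEncoded;
#ifdef USE_CDSA_CRYPTO
    CSSM_KEY_PTR        dhPrivate;
#else
    SecDHContext        secDHContext;
#endif
#endif

    /*
     * ECDH exchange state. ecdhNumCurves is, by name, the count of valid
     * entries in ecdhCurves. It must never exceed SSL_ECDSA_NUM_CURVES, the
     * size of the array.
     */
    SSL_ECDSA_NamedCurve ecdhCurves[SSL_ECDSA_NUM_CURVES];
    unsigned            ecdhNumCurves;
    SSLBuffer           ecdhPeerPublic;
    SSL_ECDSA_NamedCurve ecdhPeerCurve;
    SSLBuffer           ecdhExchangePublic;
#ifdef USE_CDSA_CRYPTO
    CSSM_KEY_PTR        ecdhPrivate;
    CSSM_CSP_HANDLE     ecdhPrivCspHand;
#else
    /* Inline storage for a full EC key context, sized for 521 bits. Secret. */
    ccec_full_ctx_decl(ccn_sizeof(521), ecdhContext);
#endif

    /* Certificate-validation switches (see the NOTE(review) above). */
    Boolean             allowExpiredCerts;
    Boolean             allowExpiredRoots;
    Boolean             enableCertVerify;

    /* DTLS cookie and handshake-message sequencing and reassembly state. */
    SSLBuffer           dtlsCookie;
    Boolean             cookieVerified;
    uint16_t            hdskMessageSeq;
    uint32_t            hdskMessageRetryCount;
    uint16_t            hdskMessageSeqNext;
    SSLHandshakeMsg     hdskMessageCurrent;
    uint16_t            hdskMessageCurrentOfs;

    /* Session identity and resumption data. */
    SSLBuffer           sessionID;
    SSLBuffer           peerID;
    SSLBuffer           resumableSession;

    /*
     * Peer host name. Its length is carried separately in peerDomainNameLen,
     * so do not assume the buffer is NUL-terminated (confirm in the setter).
     */
    char                *peerDomainName;
    size_t              peerDomainNameLen;

    /* Readiness markers for the current, pending and previous cipher states. */
    uint8_t             readCipher_ready;
    uint8_t             writeCipher_ready;
    uint8_t             readPending_ready;
    uint8_t             writePending_ready;
    uint8_t             prevCipher_ready;

    /* Selected cipher suite and the list of suites valid for this session. */
    uint16_t            selectedCipher;
    SSLCipherSpecParams selectedCipherSpecParams;
    SSLCipherSuite      *validCipherSuites;
    size_t              numValidCipherSuites;
#if ENABLE_SSLV2
    unsigned            numValidNonSSLv2Suites;
#endif

    /* Handshake state machine and client-authentication bookkeeping. */
    SSLHandshakeState   state;
    SSLAuthenticate     clientAuth;
    Boolean             tryClientAuth;
    SSLClientCertificateState clientCertState;
    DNListElem          *acceptableDNList;
    CFMutableArrayRef   acceptableCAs;
    bool                certRequested;
    bool                certSent;
    bool                certReceived;
    bool                x509Requested;

    /* Handshake randoms and key material. Both secrets are sensitive. */
    uint8_t             clientRandom[SSL_CLIENT_SRVR_RAND_SIZE];
    uint8_t             serverRandom[SSL_CLIENT_SRVR_RAND_SIZE];
    SSLBuffer           preMasterSecret;
    uint8_t             masterSecret[SSL_MASTER_SECRET_SIZE];

    /* Running handshake hash states, one buffer per digest. */
    SSLBuffer           shaState, md5State, sha256State, sha512State;

    SSLBuffer           fragmentedMessageCache;

    /* SSLv2-related lengths (by name). */
    unsigned            ssl2ChallengeLength;
    unsigned            ssl2ConnectionIDLength;

    unsigned            sessionMatch;

    /* Outgoing queue: a linked list of WaitingMessage records. */
    WaitingMessage      *messageWriteQueue;
    Boolean             messageQueueContainsChangeCipherSpec;

    /* Received data buffer and the current position within it. */
    SSLBuffer           receivedDataBuffer;
    size_t              receivedDataPos;

    /*
     * allowAnyRoot is covered by the NOTE(review) above. By name,
     * rsaBlindingEnable and oneByteRecordEnable switch countermeasures on or
     * off; confirm their defaults before relying on either one.
     */
    Boolean             allowAnyRoot;
    Boolean             sentFatalAlert;
    Boolean             rsaBlindingEnable;
    Boolean             oneByteRecordEnable;
    Boolean             wroteAppData;

    uint32_t            sessionCacheTimeout;

    SSLBuffer           sessionTicket;

    /* Optional callback for supplying the master secret, and its argument. */
    SSLInternalMasterSecretFunction masterSecretCallback;
    const void          *masterSecretArg;

#if SSL_PAC_SERVER_ENABLE
    uint8_t             serverRandomValid;
#endif

    /* anonCipherEnable is covered by the NOTE(review) above. */
    Boolean             anonCipherEnable;

    /* Break-on and signal flags for the authentication steps of the handshake. */
    Boolean             breakOnServerAuth;
    Boolean             breakOnCertRequest;
    Boolean             breakOnClientAuth;
    Boolean             signalServerAuth;
    Boolean             signalCertRequest;
    Boolean             signalClientAuth;

    Boolean             ecdsaEnable;

    /*
     * Client authentication types and signature algorithm lists. Each
     * pointer is paired with a count field that bounds it.
     */
    unsigned            numAuthTypes;
    SSLClientAuthenticationType *clientAuthTypes;
    SSLClientAuthenticationType negAuthType;
    unsigned            numClientSigAlgs;
    SSLSignatureAndHashAlgorithm *clientSigAlgs;
    unsigned            numServerSigAlgs;
    SSLSignatureAndHashAlgorithm *serverSigAlgs;

    /* Timeout bookkeeping and MTU. */
    CFAbsoluteTime      timeout_deadline;
    CFAbsoluteTime      timeout_duration;
    size_t              mtu;

    /* Secure renegotiation state and the verify data saved for it. */
    Boolean             secure_renegotiation;
    Boolean             secure_renegotiation_received;
    SSLBuffer           ownVerifyData;
    SSLBuffer           peerVerifyData;

    /* Pre-shared key and identity. pskSharedSecret is secret. */
    SSLBuffer           pskSharedSecret;
    SSLBuffer           pskIdentity;

    Boolean             falseStartEnabled;
};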
/*
 * Declared here, defined elsewhere. By name, recomputes the negotiated
 * client authentication type for ctx (see SSLContext.negAuthType); confirm
 * the details against the implementation.
 */
OSStatus SSLUpdateNegotiatedClientAuthType(SSLContextRef ctx);
/*
 * Declared here, defined elsewhere. By name, reports whether ctx currently
 * has a session in progress. It takes the context as const.
 */
Boolean sslIsSessionActive(const SSLContext *ctx);
/*
 * Reports whether the negotiated protocol version is in the TLS 1.2 class.
 * For TLS that means negProtocolVersion >= TLS_Version_1_2. For DTLS it
 * means negProtocolVersion > DTLS_Version_1_0.
 *
 * The caller must pass a non-NULL ctx whose version has already been
 * negotiated. check() comes from AssertMacros.h and is a debug-time
 * assertion, not a runtime guard: when assertions are compiled out, an
 * undetermined version falls through to the comparisons below.
 *
 * NOTE(review): DTLS wire versions count downward (DTLS 1.0 is 0xfeff,
 * DTLS 1.2 is 0xfefd). If the SSLProtocolVersion enum uses wire values, the
 * ">" comparison in the DTLS branch would never be true for DTLS 1.2.
 * Confirm against the enum definition, which is not in this header.
 */
static inline bool sslVersionIsLikeTls12(SSLContext *ctx)
{
    check(ctx->negProtocolVersion != SSL_Version_Undetermined);

    if (ctx->isDTLS) {
        return ctx->negProtocolVersion > DTLS_Version_1_0;
    }
    return ctx->negProtocolVersion >= TLS_Version_1_2;
}
#ifdef __cplusplus
}
#endif
#endif