#ifndef _SSLCONTEXT_H_
#define _SSLCONTEXT_H_ 1
#include "SecureTransport.h"
#include "sslBuildFlags.h"
#include <tls_handshake.h>
#include <tls_record.h>
#include <tls_stream_parser.h>
#include <tls_cache.h>
#ifdef USE_CDSA_CRYPTO
#include <Security/cssmtype.h>
#else
#if TARGET_OS_IPHONE
#include <Security/SecDH.h>
#include <Security/SecKeyInternal.h>
#else
#include "../sec/Security/SecDH.h" // hack to get SecDH.
#endif
#include <corecrypto/ccec.h>
#endif
#include <CoreFoundation/CFRuntime.h>
#include <AssertMacros.h>
#include "sslPriv.h"
#include "sslRecord.h"
#include "cipherSpecs.h"
#include <dispatch/dispatch.h>
#ifdef __cplusplus
extern "C" {
#endif
typedef struct
{ SSLReadFunc read;
SSLWriteFunc write;
SSLConnectionRef ioRef;
} IOContext;
typedef enum
{
SSL_HdskStateUninit = 0,
SSL_HdskStatePending,
SSL_HdskStateReady,
SSL_HdskStateGracefulClose,
SSL_HdskStateErrorClose,
SSL_HdskStateNoNotifyClose,
SSL_HdskStateOutOfBandError,
} SSLHandshakeState;
#define SSLChangeHdskState(ctx, newState) { ctx->state=newState; }
struct SSLContext
{
CFRuntimeBase _base;
IOContext ioCtx;
const struct SSLRecordFuncs *recFuncs;
SSLRecordContextRef recCtx;
tls_handshake_t hdsk;
tls_cache_t cache;
int readCipher_ready;
int writeCipher_ready;
SSLHandshakeState state;
OSStatus outOfBandError;
tls_protocol_version negProtocolVersion;
tls_protocol_version clientReqProtocol;
tls_protocol_version minProtocolVersion;
tls_protocol_version maxProtocolVersion;
Boolean isDTLS;
SSLProtocolSide protocolSide;
SSLBuffer dtlsCookie;
uint16_t selectedCipher;
SSLBuffer dhParamsEncoded;
CFArrayRef localCertArray;
CFArrayRef encryptCertArray;
SecTrustRef peerSecTrust;
CFMutableArrayRef trustedCerts;
Boolean trustedCertsOnly;
#if !TARGET_OS_IPHONE
CFArrayRef trustedLeafCerts;
#endif
Boolean allowExpiredCerts;
Boolean allowExpiredRoots;
Boolean enableCertVerify;
SSLBuffer sessionID;
SSLBuffer peerID;
SSLBuffer resumableSession;
uint16_t *ecdhCurves;
unsigned ecdhNumCurves;
SSLAuthenticate clientAuth;
SSLClientCertificateState clientCertState;
DNListElem *acceptableDNList;
CFMutableArrayRef acceptableCAs;
bool certRequested;
bool certSent;
bool certReceived;
bool x509Requested;
unsigned sessionMatch;
SSLBuffer receivedDataBuffer;
size_t receivedDataPos;
Boolean allowAnyRoot; Boolean sentFatalAlert; Boolean rsaBlindingEnable;
Boolean oneByteRecordEnable;
uint32_t sessionCacheTimeout;
SSLBuffer sessionTicket;
SSLInternalMasterSecretFunction masterSecretCallback;
const void *masterSecretArg;
#if SSL_PAC_SERVER_ENABLE
uint8_t serverRandomValid;
#endif
Boolean anonCipherEnable;
Boolean breakOnServerAuth;
Boolean breakOnCertRequest;
Boolean breakOnClientAuth;
Boolean signalServerAuth;
Boolean signalCertRequest;
Boolean signalClientAuth;
Boolean breakOnClientHello;
Boolean allowServerIdentityChange;
Boolean allowRenegotiation;
Boolean enableSessionTickets;
SSLBuffer contextConfigurationBuffer;
unsigned numPeerSigAlgs;
const tls_signature_and_hash_algorithm *peerSigAlgs;
unsigned numAuthTypes;
const tls_client_auth_type *clientAuthTypes;
CFAbsoluteTime timeout_deadline;
CFAbsoluteTime timeout_duration;
size_t mtu;
Boolean secure_renegotiation;
Boolean secure_renegotiation_received;
SSLBuffer ownVerifyData;
SSLBuffer peerVerifyData;
SSLBuffer pskSharedSecret;
SSLBuffer pskIdentity;
Boolean falseStartEnabled;
Boolean fallbackEnabled;
SSLNPNFunc npnFunc;
void *npnFuncInfo;
SSLALPNFunc alpnFunc;
void *alpnFuncInfo;
bool dheEnabled;
bool serverHelloReceived;
};
OSStatus SSLUpdateNegotiatedClientAuthType(SSLContextRef ctx);
Boolean sslIsSessionActive(const SSLContext *ctx);
OSStatus SSLGetSessionConfigurationIdentifier(SSLContext *ctx, SSLBuffer *buffer);
int sslGetSessionID(SSLContext *myCtx, SSLBuffer *sessionID);
#ifdef __cplusplus
}
#endif
#endif