]> git.saurik.com Git - apple/security.git/blob - SecureTransport/privateInc/sslctx.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-54.tar.gz
[apple/security.git] / SecureTransport / privateInc / sslctx.h
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 File: sslctx.h
21
22 Contains: Private SSL typedefs: SSLContext and its components
23
24 Written by: Doug Mitchell, based on Netscape SSLRef 3.0
25
26 Copyright: (c) 1999 by Apple Computer, Inc., all rights reserved.
27
28 */
29
30 /* *********************************************************************
31 File: sslctx.h
32
33 SSLRef 3.0 Final -- 11/19/96
34
35 Copyright (c)1996 by Netscape Communications Corp.
36
37 By retrieving this software you are bound by the licensing terms
38 disclosed in the file "LICENSE.txt". Please read it, and if you don't
39 accept the terms, delete this software.
40
41 SSLRef 3.0 was developed by Netscape Communications Corp. of Mountain
42 View, California <http://home.netscape.com/> and Consensus Development
43 Corporation of Berkeley, California <http://www.consensus.com/>.
44
45 *********************************************************************
46
47 File: sslctx.h Internal state of an SSL connection
48
49 Contains the SSLContext structure which encapsulates the state of the
50 connection at any time. Whenever SSLREF might have to return (mostly
51 when I/O is done), this structure must completely represent the
52 connection state
53
54 ****************************************************************** */
55
56 #ifndef _SSLCTX_H_
57 #define _SSLCTX_H_ 1
58
59 #include <Security/SecureTransport.h>
60 #include "sslBuildFlags.h"
61 #include <Security/cssmtype.h>
62
63 #include "sslerrs.h"
64 #include "sslPriv.h"
65 #include "tls_ssl.h"
66
67 typedef struct
68 { SSLReadFunc read;
69 SSLWriteFunc write;
70 SSLConnectionRef ioRef;
71 } IOContext;
72
73 struct SystemContext
74 {
75 /*
76 * This struct is a remnant of the original SSLRef implementation; it
77 * held things like caller-provided memory allocator callbacks.
78 * We'll keep the struct (and an instance of it in SSLContext, below)
79 * around in case we want to use it in SSLAllocBuffer and its siblings.
80 */
81 int foo;
82 };
83
84 typedef struct SystemContext SystemContext;
85
86 /*
87 * A carryover from original SSLRef 3.0 - we'll store the DER-encoded
88 * certs in an SSLCertificate this way for now; there's a lot of code
89 * which munges these lists.
90 */
91 typedef struct SSLCertificate
92 {
93 struct SSLCertificate *next;
94 SSLBuffer derCert;
95 } SSLCertificate;
96
97 #include "cryptType.h"
98
99 /*
100 * An SSLContext contains four of these - one for each of {read,write} and for
101 * {current, pending}.
102 */
103 struct CipherContext
104 {
105
106 const HashHmacReference *macRef; /* HMAC (TLS) or digest (SSL) */
107 const SSLSymmetricCipher *symCipher;
108
109 /* this is a context which is reused once per record */
110 HashHmacContext macCtx;
111
112 /*
113 * symKey is obtained from the CSP at cspHand. Normally this
114 * cspHand is the same as ctx->cspHand; some day they might differ.
115 * Code which deals with this struct doesn't ever have to
116 * attach or detach from cspHand - that's taken care of at the
117 * SSLContext level.
118 */
119 CSSM_KEY_PTR symKey;
120 CSSM_CSP_HANDLE cspHand;
121 CSSM_CC_HANDLE ccHand;
122
123 /* needed in CDSASymmInit */
124 uint8 encrypting;
125
126 sslUint64 sequenceNum;
127 uint8 ready;
128
129 /* in SSL2 mode, the macSecret is the same size as the
130 * cipher key - which is 24 bytes in the 3DES case. */
131 uint8 macSecret[MAX_SYMKEY_SIZE];
132 };
133 /* typedef in cryptType.h */
134
135 #include "sslhdshk.h"
136
137 typedef struct WaitingRecord
138 { struct WaitingRecord *next;
139 SSLBuffer data;
140 uint32 sent;
141 } WaitingRecord;
142
143 typedef struct DNListElem
144 { struct DNListElem *next;
145 SSLBuffer derDN;
146 } DNListElem;
147
148 struct SSLContext
149 {
150 /*
151 * For Apple CDSA version, SystemContext is empty; we'll leave it in for now
152 * because it gets passed around so often for SSLAllocBuffer().
153 */
154 SystemContext sysCtx;
155 IOContext ioCtx;
156
157 /*
158 * For the first two, SSL_Version_Undetermined means "get the best we
159 * can, up to macProtocolVersion".
160 */
161 SSLProtocolVersion reqProtocolVersion; /* requested by app */
162 SSLProtocolVersion negProtocolVersion; /* negotiated */
163 SSLProtocolVersion maxProtocolVersion; /* max allowed by app */
164 SSLProtocolSide protocolSide;
165 const struct _SslTlsCallouts *sslTslCalls; /* selects between SSLv3 and TLSv1 */
166
167 /* crypto state in CDSA-centric terms */
168
169 CSSM_KEY_PTR signingPrivKey;/* our private signing key */
170 CSSM_KEY_PTR signingPubKey; /* our public signing key */
171 CSSM_CSP_HANDLE signingKeyCsp; /* associated DL/CSP */
172 #if ST_KEYCHAIN_ENABLE
173 #if ST_KC_KEYS_NEED_REF
174 SecKeychainRef signingKeyRef; /* for signingPrivKey */
175 #else
176 void *signingKeyRef; /* TBD */
177 #endif /* ST_KC_KEYS_NEED_REF */
178 #endif
179
180 /* this stuff should probably be #if ST_SERVER_MODE_ENABLE.... */
181 CSSM_KEY_PTR encryptPrivKey;/* our private encrypt key, for
182 * server-initiated key exchange */
183 CSSM_KEY_PTR encryptPubKey; /* public version of above */
184 CSSM_CSP_HANDLE encryptKeyCsp;
185 #if ST_KEYCHAIN_ENABLE
186 #if ST_KC_KEYS_NEED_REF
187 SecKeychainRef encryptKeyRef; /* for signingPrivKey */
188 #else
189 void *encryptKeyRef; /* TBD */
190 #endif /* ST_KC_KEYS_NEED_REF */
191 #endif /* ST_KEYCHAIN_ENABLE */
192
193 CSSM_KEY_PTR peerPubKey;
194 CSSM_CSP_HANDLE peerPubKeyCsp; /* may not be needed, we figure this
195 * one out by trial&error, right? */
196
197 /*
198 * Various cert chains stored in an SSLRef-centric way for now
199 * (see comments above re: SSLCertificate).
200 * For all three, the root is the first in the chain.
201 */
202 SSLCertificate *localCert;
203 SSLCertificate *encryptCert;
204 SSLCertificate *peerCert;
205
206 /*
207 * trusted root certs; specific to this implementation, we'll store
208 * them conveniently...these will be used as AnchorCerts in a TP
209 * call.
210 */
211 UInt32 numTrustedCerts;
212 CSSM_DATA_PTR trustedCerts;
213
214 /*
215 * Keychain to which newly encountered root certs are attempted
216 * to be added. AccessCreds untyped for now.
217 */
218 #if ST_KEYCHAIN_ENABLE && ST_MANAGES_TRUSTED_ROOTS
219 SecKeychainRef newRootCertKc;
220 void *accessCreds;
221 #endif /* ST_KEYCHAIN_ENABLE && ST_MANAGES_TRUSTED_ROOTS */
222
223 /* for symmetric cipher and RNG */
224 CSSM_CSP_HANDLE cspHand;
225
226 /* session-wide handles for Apple TP, CL */
227 CSSM_TP_HANDLE tpHand;
228 CSSM_CL_HANDLE clHand;
229
230 #if ST_FAKE_KEYCHAIN || ST_FAKE_GET_CSPDL_HANDLE
231 /* we manually attach to this for now; eventually we get it from KC */
232 CSSM_CSP_HANDLE cspDlHand;
233 #endif
234
235 /* FIXME - how will we represent this? */
236 void *dhAnonParams;
237 void *peerDHParams;
238
239 Boolean allowExpiredCerts;
240
241 SSLBuffer sessionID;
242
243 SSLBuffer dhPeerPublic;
244 SSLBuffer dhExchangePublic;
245 SSLBuffer dhPrivate;
246
247 SSLBuffer peerID;
248 SSLBuffer resumableSession;
249
250 char *peerDomainName;
251 UInt32 peerDomainNameLen;
252
253 CipherContext readCipher;
254 CipherContext writeCipher;
255 CipherContext readPending;
256 CipherContext writePending;
257
258 uint16 selectedCipher; /* currently selected */
259 const SSLCipherSpec *selectedCipherSpec; /* ditto */
260 SSLCipherSpec *validCipherSpecs; /* context's valid specs */
261 unsigned numValidCipherSpecs; /* size of validCipherSpecs */
262 SSLHandshakeState state;
263
264 #if ST_SERVER_MODE_ENABLE
265 SSLAuthenticate clientAuth; /* kNeverAuthenticate, etc. */
266 Boolean tryClientAuth;
267 #endif /* ST_SERVER_MODE_ENABLE */
268 int certRequested;
269 int certSent;
270 int certReceived;
271 int x509Requested;
272 DNListElem *acceptableDNList;
273
274 uint8 clientRandom[SSL_CLIENT_SRVR_RAND_SIZE];
275 uint8 serverRandom[SSL_CLIENT_SRVR_RAND_SIZE];
276 SSLBuffer preMasterSecret;
277 uint8 masterSecret[48];
278
279 /* running digests of all handshake messages */
280 SSLBuffer shaState, md5State;
281
282 SSLBuffer fragmentedMessageCache;
283
284 int ssl2ChallengeLength;
285 int ssl2ConnectionIDLength;
286 int ssl2SessionMatch;
287
288 /* Record layer fields */
289 SSLBuffer partialReadBuffer;
290 uint32 amountRead;
291
292 /* Transport layer fields */
293 WaitingRecord *recordWriteQueue;
294 SSLBuffer receivedDataBuffer;
295 uint32 receivedDataPos;
296
297 Boolean allowAnyRoot; // don't require known roots
298 #if SSL_DEBUG
299 char *rootCertName; // if non-null, write root cert here
300 #endif /* SSL_DEBUG */
301
302 };
303
304 #endif /* _SSLCTX_H_ */
mirror of Security