]> git.saurik.com Git - apple/security.git/blob - SecureTransport/privateInc/sslContext.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-54.1.3.tar.gz
[apple/security.git] / SecureTransport / privateInc / sslContext.h
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 File: sslContext.h
21
22 Contains: Private SSL typedefs: SSLContext and its components
23
24 Written by: Doug Mitchell
25
26 Copyright: (c) 1999 by Apple Computer, Inc., all rights reserved.
27
28 */
29
30 #ifndef _SSLCONTEXT_H_
31 #define _SSLCONTEXT_H_ 1
32
33 #include <Security/SecureTransport.h>
34 #include "sslBuildFlags.h"
35 #include <Security/cssmtype.h>
36
37 #include "sslPriv.h"
38 #include "tls_ssl.h"
39
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43
44 typedef struct
45 { SSLReadFunc read;
46 SSLWriteFunc write;
47 SSLConnectionRef ioRef;
48 } IOContext;
49
50 /*
51 * An element in a certificate chain.
52 */
53 typedef struct SSLCertificate
54 {
55 struct SSLCertificate *next;
56 SSLBuffer derCert;
57 } SSLCertificate;
58
59 #include "cryptType.h"
60
61 /*
62 * An SSLContext contains four of these - one for each of {read,write} and for
63 * {current, pending}.
64 */
65 struct CipherContext
66 {
67
68 const HashHmacReference *macRef; /* HMAC (TLS) or digest (SSL) */
69 const SSLSymmetricCipher *symCipher;
70
71 /* this is a context which is reused once per record */
72 HashHmacContext macCtx;
73
74 /*
75 * symKey is obtained from the CSP at cspHand. Normally this
76 * cspHand is the same as ctx->cspHand; some day they might differ.
77 * Code which deals with this struct doesn't ever have to
78 * attach or detach from cspHand - that's taken care of at the
79 * SSLContext level.
80 */
81 CSSM_KEY_PTR symKey;
82 CSSM_CSP_HANDLE cspHand;
83 CSSM_CC_HANDLE ccHand;
84
85 /* needed in CDSASymmInit */
86 uint8 encrypting;
87
88 sslUint64 sequenceNum;
89 uint8 ready;
90
91 /* in SSL2 mode, the macSecret is the same size as the
92 * cipher key - which is 24 bytes in the 3DES case. */
93 uint8 macSecret[MAX_SYMKEY_SIZE];
94 };
95 /* typedef in cryptType.h */
96
97 #include "sslHandshake.h"
98
99 typedef struct WaitingRecord
100 { struct WaitingRecord *next;
101 SSLBuffer data;
102 uint32 sent;
103 } WaitingRecord;
104
105 typedef struct DNListElem
106 { struct DNListElem *next;
107 SSLBuffer derDN;
108 } DNListElem;
109
110 struct SSLContext
111 {
112 IOContext ioCtx;
113
114 /*
115 * For the first two, SSL_Version_Undetermined means "get the best we
116 * can, up to macProtocolVersion".
117 */
118 SSLProtocolVersion reqProtocolVersion; /* requested by app */
119 SSLProtocolVersion negProtocolVersion; /* negotiated */
120 SSLProtocolVersion maxProtocolVersion; /* max allowed by app */
121 SSLProtocolSide protocolSide;
122 const struct _SslTlsCallouts *sslTslCalls; /* selects between SSLv3 and TLSv1 */
123
124 /* crypto state in CDSA-centric terms */
125
126 CSSM_KEY_PTR signingPrivKey;/* our private signing key */
127 CSSM_KEY_PTR signingPubKey; /* our public signing key */
128 CSSM_CSP_HANDLE signingKeyCsp; /* associated DL/CSP */
129 #if ST_KC_KEYS_NEED_REF
130 SecKeychainRef signingKeyRef; /* for signingPrivKey */
131 #else
132 void *signingKeyRef; /* TBD */
133 #endif /* ST_KC_KEYS_NEED_REF */
134
135 CSSM_KEY_PTR encryptPrivKey;/* our private encrypt key, for
136 * server-initiated key exchange */
137 CSSM_KEY_PTR encryptPubKey; /* public version of above */
138 CSSM_CSP_HANDLE encryptKeyCsp;
139 #if ST_KC_KEYS_NEED_REF
140 SecKeychainRef encryptKeyRef; /* for signingPrivKey */
141 #else
142 void *encryptKeyRef; /* TBD */
143 #endif /* ST_KC_KEYS_NEED_REF */
144
145 CSSM_KEY_PTR peerPubKey;
146 CSSM_CSP_HANDLE peerPubKeyCsp; /* may not be needed, we figure this
147 * one out by trial&error, right? */
148
149 /*
150 * Various cert chains.
151 * For all three, the root is the first in the chain.
152 */
153 SSLCertificate *localCert;
154 SSLCertificate *encryptCert;
155 SSLCertificate *peerCert;
156
157 /*
158 * trusted root certs; specific to this implementation, we'll store
159 * them conveniently...these will be used as AnchorCerts in a TP
160 * call.
161 */
162 uint32 numTrustedCerts;
163 CSSM_DATA_PTR trustedCerts;
164
165 /*
166 * Keychain to which newly encountered root certs are attempted
167 * to be added. AccessCreds untyped for now.
168 */
169 #if ST_MANAGES_TRUSTED_ROOTS
170 SecKeychainRef newRootCertKc;
171 void *accessCreds;
172 #endif /* ST_MANAGES_TRUSTED_ROOTS */
173
174 /* for symmetric cipher and RNG */
175 CSSM_CSP_HANDLE cspHand;
176
177 /* session-wide handles for Apple TP, CL */
178 CSSM_TP_HANDLE tpHand;
179 CSSM_CL_HANDLE clHand;
180
181 /* FIXME - how will we represent this? */
182 void *dhAnonParams;
183 void *peerDHParams;
184
185 Boolean allowExpiredCerts;
186 Boolean allowExpiredRoots;
187 Boolean enableCertVerify;
188
189 SSLBuffer sessionID;
190
191 SSLBuffer dhPeerPublic;
192 SSLBuffer dhExchangePublic;
193 SSLBuffer dhPrivate;
194
195 SSLBuffer peerID;
196 SSLBuffer resumableSession;
197
198 char *peerDomainName;
199 UInt32 peerDomainNameLen;
200
201 CipherContext readCipher;
202 CipherContext writeCipher;
203 CipherContext readPending;
204 CipherContext writePending;
205
206 uint16 selectedCipher; /* currently selected */
207 const SSLCipherSpec *selectedCipherSpec; /* ditto */
208 SSLCipherSpec *validCipherSpecs; /* context's valid specs */
209 unsigned numValidCipherSpecs; /* size of validCipherSpecs */
210 SSLHandshakeState state;
211
212 /* server-side only */
213 SSLAuthenticate clientAuth; /* kNeverAuthenticate, etc. */
214 Boolean tryClientAuth;
215
216 /* client and server */
217 SSLClientCertificateState clientCertState;
218
219 DNListElem *acceptableDNList;
220
221 int certRequested;
222 int certSent;
223 int certReceived;
224 int x509Requested;
225
226 uint8 clientRandom[SSL_CLIENT_SRVR_RAND_SIZE];
227 uint8 serverRandom[SSL_CLIENT_SRVR_RAND_SIZE];
228 SSLBuffer preMasterSecret;
229 uint8 masterSecret[SSL_MASTER_SECRET_SIZE];
230
231 /* running digests of all handshake messages */
232 SSLBuffer shaState, md5State;
233
234 SSLBuffer fragmentedMessageCache;
235
236 unsigned ssl2ChallengeLength;
237 unsigned ssl2ConnectionIDLength;
238 unsigned ssl2SessionMatch;
239
240 /* Record layer fields */
241 SSLBuffer partialReadBuffer;
242 uint32 amountRead;
243
244 /* Transport layer fields */
245 WaitingRecord *recordWriteQueue;
246 SSLBuffer receivedDataBuffer;
247 uint32 receivedDataPos;
248
249 Boolean allowAnyRoot; // don't require known roots
250 };
251
252 #ifdef __cplusplus
253 }
254 #endif
255
256 #endif /* _SSLCONTEXT_H_ */
mirror of Security