#include <tls_handshake.h>
#include <tls_record.h>
#include <tls_stream_parser.h>
+#include <tls_cache.h>
#ifdef USE_CDSA_CRYPTO
#include <Security/cssmtype.h>
SSL_HdskStateReady, /* Handshake is done */
SSL_HdskStateGracefulClose,
SSL_HdskStateErrorClose,
- SSL_HdskStateNoNotifyClose, /* server disconnected with no
- * notify msg */
+ SSL_HdskStateNoNotifyClose, /* Server disconnected with no notify msg */
+ SSL_HdskStateOutOfBandError, /* The caller encountered an error with out-of-band message processing */
} SSLHandshakeState;
#define SSLChangeHdskState(ctx, newState) { ctx->state=newState; }
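Review bot: The new `SSL_HdskStateOutOfBandError` state and the `OSStatus outOfBandError` field added to the context in the next hunk are not documented as a pair, so a reader cannot tell which one is authoritative or whether the state is terminal. Since it sits beside the other close/error states, I would say so on the enum line, e.g. `/* Terminal: set together with ctx->outOfBandError; later read/write/handshake calls return that error */`. It is also worth confirming that every path that tests for the existing error-close states tests the new one too, otherwise a connection whose out-of-band processing failed could keep passing application data; those call sites are not in this diff. The enum begins above the hunk.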
CFRuntimeBase _base;
IOContext ioCtx;
-
const struct SSLRecordFuncs *recFuncs;
SSLRecordContextRef recCtx;
tls_handshake_t hdsk;
-
+ tls_cache_t cache;
int readCipher_ready;
int writeCipher_ready;
SSLHandshakeState state;
+ OSStatus outOfBandError;
/*
* Prior to successful protocol negotiation, negProtocolVersion
uint16_t selectedCipher; /* currently selected */
-
- tls_private_key_t signingPrivKeyRef; /* our private key */
-
-
/* Server DH Parameters */
SSLBuffer dhParamsEncoded; /* PKCS3 encoded blob - prime + generator */
- /*
- * Local and Peer cert chains.
- * For both, the root is the last in the chain.
- */
- SSLCertificate *localCert;
- CFArrayRef peerCert;
-
/*
* The arrays we are given via SSLSetCertificate() and SSLSetEncryptionCertificate().
* We keep them here, refcounted, solely for the associated getter.
CFMutableArrayRef trustedCerts;
Boolean trustedCertsOnly;
+#if !TARGET_OS_IPHONE
/*
* trusted leaf certs as specified in SSLSetTrustedLeafCertificates()
*/
CFArrayRef trustedLeafCerts;
+#endif
Boolean allowExpiredCerts;
Boolean allowExpiredRoots;
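Review bot: Wrapping `trustedLeafCerts` in `#if !TARGET_OS_IPHONE` makes the layout of the context struct depend on that macro, and an undefined macro evaluates to 0 in `#if`. A translation unit that reaches this header without TargetConditionals.h would therefore silently see a different struct from the rest of the library. The visible lines do not show whether the header already includes it; if it does not, add `#include <TargetConditionals.h>` near the top. Every use and release of `trustedLeafCerts` elsewhere needs the same guard, and the struct itself begins and ends outside this hunk.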
SSLBuffer peerID;
SSLBuffer resumableSession; /* We keep a copy for now - but eventually this should go away if we get refcounted SSLBuffers */
-
-
uint16_t *ecdhCurves;
unsigned ecdhNumCurves;
/* server-side only */
SSLAuthenticate clientAuth; /* kNeverAuthenticate, etc. */
- //Boolean tryClientAuth;
/* client and server */
SSLClientCertificateState clientCertState;
Boolean signalCertRequest;
Boolean signalClientAuth;
Boolean breakOnClientHello;
+ Boolean allowServerIdentityChange;
+ Boolean allowRenegotiation;
+ Boolean enableSessionTickets;
+
+ /* cached configuration buffer */
+ SSLBuffer contextConfigurationBuffer;
/* List of peer-specified supported_signature_algorithms */
unsigned numPeerSigAlgs;
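Review bot: The three new switches `allowServerIdentityChange`, `allowRenegotiation` and `enableSessionTickets` change handshake security behaviour, but nothing here states their defaults or which side they apply to, beyond sitting under the `/* client and server */` heading. A comment such as `/* all default to false; allowServerIdentityChange permits a different server certificate on renegotiation */` would make the safe default visible; that wording is my reading of the names and needs confirming against the setters, which are not in this diff. `contextConfigurationBuffer` is described only as cached, so the comment should also say what invalidates it, since a copy left stale by a later configuration change would misidentify the session configuration.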
unsigned numAuthTypes;
const tls_client_auth_type *clientAuthTypes;
- /* client auth type actually negotiated */
- tls_client_auth_type negAuthType;
-
/* Timeout for DTLS retransmit */
CFAbsoluteTime timeout_deadline;
CFAbsoluteTime timeout_duration;
return ctx->isDTLS ? ctx->negProtocolVersion > DTLS_Version_1_0 : ctx->negProtocolVersion >= TLS_Version_1_2;
}
+OSStatus SSLGetSessionConfigurationIdentifier(SSLContext *ctx, SSLBuffer *buffer);
+
/* This is implemented in tls_callbacks.c */
- int sslGetSessionID(SSLContext *myCtx, SSLBuffer *sessionID);
+int sslGetSessionID(SSLContext *myCtx, SSLBuffer *sessionID);
#ifdef __cplusplus
}
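Review bot: The new prototype `SSLGetSessionConfigurationIdentifier(SSLContext *ctx, SSLBuffer *buffer)` is declared without saying who owns the returned buffer or what the identifier covers. Presumably it is used alongside `sslGetSessionID` to key cached sessions; if so, the comment should state that the identifier includes every setting that affects trust evaluation, so that a session established under a laxer configuration is not resumed by a stricter one. Something like `/* Fills *buffer with an identifier of the security-relevant configuration; caller frees buffer->data */` would do. Whether the buffer is a fresh copy or an alias of `ctx->contextConfigurationBuffer` is not visible here and should be confirmed before writing the ownership part.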