X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/Security/libsecurity_ssl/lib/sslHandshake.h diff --git a/Security/libsecurity_ssl/lib/sslHandshake.h b/Security/libsecurity_ssl/lib/sslHandshake.h new file mode 100644 index 00000000..dd296557 --- /dev/null +++ b/Security/libsecurity_ssl/lib/sslHandshake.h @@ -0,0 +1,223 @@ +/* + * Copyright (c) 2000-2001,2005-2007,2010-2013 Apple Inc. All Rights Reserved. + * + * The contents of this file constitute Original Code as defined in and are + * subject to the Apple Public Source License Version 1.2 (the 'License'). + * You may not use this file except in compliance with the License. Please obtain + * a copy of the License at http://www.apple.com/publicsource and read it before + * using this file. + * + * This Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS + * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT + * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the + * specific language governing rights and limitations under the License. + */ + +/* + * sslHandshake.h - SSL Handshake Layer + */ + +#ifndef _SSLHANDSHAKE_H_ +#define _SSLHANDSHAKE_H_ + +#include "sslRecord.h" + +#ifdef __cplusplus +extern "C" { +#endif + +typedef enum +{ SSL_HdskHelloRequest = 0, + SSL_HdskClientHello = 1, + SSL_HdskServerHello = 2, +#if ENABLE_DTLS + SSL_HdskHelloVerifyRequest = 3, +#endif /* ENABLE_DTLS */ + SSL_HdskCert = 11, + SSL_HdskServerKeyExchange = 12, + SSL_HdskCertRequest = 13, + SSL_HdskServerHelloDone = 14, + SSL_HdskCertVerify = 15, + SSL_HdskClientKeyExchange = 16, + SSL_HdskFinished = 20, + SSL_HdskNPNEncryptedExtension = 67 +} SSLHandshakeType; + +/* Hello Extensions per RFC 3546 */ +typedef enum +{ + SSL_HE_ServerName = 0, + SSL_HE_MaxFragmentLength = 1, + SSL_HE_ClientCertificateURL = 2, + SSL_HE_TrustedCAKeys = 3, + SSL_HE_TruncatedHMAC = 4, + SSL_HE_StatusReguest = 5, + + /* ECDSA, RFC 4492 */ + SSL_HE_EllipticCurves = 10, + SSL_HE_EC_PointFormats = 11, + + /* TLS 1.2 */ + SSL_HE_SignatureAlgorithms = 13, + + /* RFC 5746 */ + SSL_HE_SecureRenegotation = 0xff01, + + /* + * This one is suggested but not formally defined in + * I.D.salowey-tls-ticket-07 + */ + SSL_HE_SessionTicket = 35, + + /* + * NPN support for SPDY + * WARNING: This is NOT an extension registered with the IANA + */ + SSL_HE_NPN = 13172 +} SSLHelloExtensionType; + +/* SSL_HE_ServerName NameType values */ +typedef enum +{ + SSL_NT_HostName = 0 +} SSLServerNameType; + +/* + * The number of curves we support + */ +#define SSL_ECDSA_NUM_CURVES 3 + +/* SSL_HE_EC_PointFormats - point formats */ +typedef enum +{ + SSL_PointFormatUncompressed = 0, + SSL_PointFormatCompressedPrime = 1, + SSL_PointFormatCompressedChar2 = 2, +} SSL_ECDSA_PointFormats; + +/* CurveTypes in a Server Key Exchange msg */ +typedef enum +{ + SSL_CurveTypeExplicitPrime = 1, + SSL_CurveTypeExplicitChar2 = 2, + SSL_CurveTypeNamed = 3 /* the only one we support */ +} SSL_ECDSA_CurveTypes; + +typedef enum +{ SSL_read, + SSL_write +} CipherSide; + +typedef enum +{ + SSL_HdskStateUninit = 0, /* only valid within SSLContextAlloc */ + SSL_HdskStateServerUninit, /* no handshake yet */ + SSL_HdskStateClientUninit, /* no handshake yet */ + SSL_HdskStateGracefulClose, + SSL_HdskStateErrorClose, + SSL_HdskStateNoNotifyClose, /* server disconnected with no + * notify msg */ + /* remainder must be consecutive */ + SSL_HdskStateServerHello, /* must get server hello; client hello sent */ + SSL_HdskStateKeyExchange, /* must get key exchange; cipher spec + * requires it */ + SSL_HdskStateCert, /* may get certificate or certificate + * request (if no cert request received yet) */ + SSL_HdskStateHelloDone, /* must get server hello done; after key + * exchange or fixed DH parameters */ + SSL_HdskStateClientCert, /* must get certificate or no cert alert + * from client */ + SSL_HdskStateClientKeyExchange, /* must get client key exchange */ + SSL_HdskStateClientCertVerify, /* must get certificate verify from client */ + SSL_HdskStateChangeCipherSpec, /* time to change the cipher spec */ + SSL_HdskStateFinished, /* must get a finished message in the + * new cipher spec */ + SSL_HdskStateServerReady, /* ready for I/O; server side */ + SSL_HdskStateClientReady /* ready for I/O; client side */ +} SSLHandshakeState; + +typedef struct +{ SSLHandshakeType type; + SSLBuffer contents; +} SSLHandshakeMsg; + + +uint8_t *SSLEncodeHandshakeHeader( + SSLContext *ctx, + SSLRecord *rec, + SSLHandshakeType type, + size_t msglen); + + +#define SSL_Finished_Sender_Server 0x53525652 +#define SSL_Finished_Sender_Client 0x434C4E54 + +/** sslHandshake.c **/ +typedef OSStatus (*EncodeMessageFunc)(SSLRecord *rec, SSLContext *ctx); +OSStatus SSLProcessHandshakeRecord(SSLRecord rec, SSLContext *ctx); +OSStatus SSLPrepareAndQueueMessage(EncodeMessageFunc msgFunc, SSLContext *ctx); +OSStatus SSLAdvanceHandshake(SSLHandshakeType processed, SSLContext *ctx); +OSStatus SSL3ReceiveSSL2ClientHello(SSLRecord rec, SSLContext *ctx); +OSStatus DTLSProcessHandshakeRecord(SSLRecord rec, SSLContext *ctx); +OSStatus DTLSRetransmit(SSLContext *ctx); +OSStatus SSLResetFlight(SSLContext *ctx); +OSStatus SSLSendFlight(SSLContext *ctx); + +OSStatus sslGetMaxProtVersion(SSLContext *ctx, SSLProtocolVersion *version); // RETURNED + +#ifdef NDEBUG +#define SSLChangeHdskState(ctx, newState) { ctx->state=newState; } +#define SSLLogHdskMsg(msg, sent) +#else +void SSLChangeHdskState(SSLContext *ctx, SSLHandshakeState newState); +void SSLLogHdskMsg(SSLHandshakeType msg, char sent); +char *hdskStateToStr(SSLHandshakeState state); +#endif + +/** sslChangeCipher.c **/ +OSStatus SSLEncodeChangeCipherSpec(SSLRecord *rec, SSLContext *ctx); +OSStatus SSLProcessChangeCipherSpec(SSLRecord rec, SSLContext *ctx); + +/** sslCert.c **/ +OSStatus SSLEncodeCertificate(SSLRecord *certificate, SSLContext *ctx); +OSStatus SSLProcessCertificate(SSLBuffer message, SSLContext *ctx); +OSStatus SSLEncodeCertificateRequest(SSLRecord *request, SSLContext *ctx); +OSStatus SSLProcessCertificateRequest(SSLBuffer message, SSLContext *ctx); +OSStatus SSLEncodeCertificateVerify(SSLRecord *verify, SSLContext *ctx); +OSStatus SSLProcessCertificateVerify(SSLBuffer message, SSLContext *ctx); + +/** sslHandshakeHello.c **/ +OSStatus SSLEncodeServerHello(SSLRecord *serverHello, SSLContext *ctx); +OSStatus SSLProcessServerHello(SSLBuffer message, SSLContext *ctx); +OSStatus SSLEncodeClientHello(SSLRecord *clientHello, SSLContext *ctx); +OSStatus SSLProcessClientHello(SSLBuffer message, SSLContext *ctx); +OSStatus SSLInitMessageHashes(SSLContext *ctx); +OSStatus SSLEncodeRandom(unsigned char *p, SSLContext *ctx); +#if ENABLE_DTLS +OSStatus SSLEncodeServerHelloVerifyRequest(SSLRecord *helloVerifyRequest, SSLContext *ctx); +OSStatus SSLProcessServerHelloVerifyRequest(SSLBuffer message, SSLContext *ctx); +#endif + +/** sslKeyExchange.c **/ +OSStatus SSLEncodeServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx); +OSStatus SSLProcessServerKeyExchange(SSLBuffer message, SSLContext *ctx); +OSStatus SSLEncodeKeyExchange(SSLRecord *keyExchange, SSLContext *ctx); +OSStatus SSLProcessKeyExchange(SSLBuffer keyExchange, SSLContext *ctx); +OSStatus SSLInitPendingCiphers(SSLContext *ctx); + +/** sslHandshakeFinish.c **/ +OSStatus SSLEncodeFinishedMessage(SSLRecord *finished, SSLContext *ctx); +OSStatus SSLProcessFinished(SSLBuffer message, SSLContext *ctx); +OSStatus SSLEncodeServerHelloDone(SSLRecord *helloDone, SSLContext *ctx); +OSStatus SSLProcessServerHelloDone(SSLBuffer message, SSLContext *ctx); +OSStatus SSLCalculateFinishedMessage(SSLBuffer finished, SSLBuffer shaMsgState, SSLBuffer md5MsgState, UInt32 senderID, SSLContext *ctx); +OSStatus SSLEncodeNPNEncryptedExtensionMessage(SSLRecord *rec, SSLContext *ctx); +OSStatus SSLProcessEncryptedExtension(SSLBuffer message, SSLContext *ctx); + +#ifdef __cplusplus +} +#endif + +#endif /* _SSLHANDSHAKE_H_ */