X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/822b670c6f91d089ccb51b77e24b6ac80406b337..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_ssl/lib/sslContext.h?ds=inline diff --git a/OSX/libsecurity_ssl/lib/sslContext.h b/OSX/libsecurity_ssl/lib/sslContext.h index 10579dc6..84486c2c 100644 --- a/OSX/libsecurity_ssl/lib/sslContext.h +++ b/OSX/libsecurity_ssl/lib/sslContext.h @@ -34,6 +34,7 @@ #include #include #include +#include #ifdef USE_CDSA_CRYPTO #include @@ -75,8 +76,8 @@ typedef enum SSL_HdskStateReady, /* Handshake is done */ SSL_HdskStateGracefulClose, SSL_HdskStateErrorClose, - SSL_HdskStateNoNotifyClose, /* server disconnected with no - * notify msg */ + SSL_HdskStateNoNotifyClose, /* Server disconnected with no notify msg */ + SSL_HdskStateOutOfBandError, /* The caller encountered an error with out-of-band message processing */ } SSLHandshakeState; #define SSLChangeHdskState(ctx, newState) { ctx->state=newState; } @@ -86,16 +87,16 @@ struct SSLContext CFRuntimeBase _base; IOContext ioCtx; - const struct SSLRecordFuncs *recFuncs; SSLRecordContextRef recCtx; tls_handshake_t hdsk; - + tls_cache_t cache; int readCipher_ready; int writeCipher_ready; SSLHandshakeState state; + OSStatus outOfBandError; /* * Prior to successful protocol negotiation, negProtocolVersion @@ -123,20 +124,9 @@ struct SSLContext uint16_t selectedCipher; /* currently selected */ - - tls_private_key_t signingPrivKeyRef; /* our private key */ - - /* Server DH Parameters */ SSLBuffer dhParamsEncoded; /* PKCS3 encoded blob - prime + generator */ - /* - * Local and Peer cert chains. - * For both, the root is the last in the chain. - */ - SSLCertificate *localCert; - CFArrayRef peerCert; - /* * The arrays we are given via SSLSetCertificate() and SSLSetEncryptionCertificate(). * We keep them here, refcounted, solely for the associated getter. @@ -150,10 +140,12 @@ struct SSLContext CFMutableArrayRef trustedCerts; Boolean trustedCertsOnly; +#if !TARGET_OS_IPHONE /* * trusted leaf certs as specified in SSLSetTrustedLeafCertificates() */ CFArrayRef trustedLeafCerts; +#endif Boolean allowExpiredCerts; Boolean allowExpiredRoots; @@ -163,14 +155,11 @@ struct SSLContext SSLBuffer peerID; SSLBuffer resumableSession; /* We keep a copy for now - but eventually this should go away if we get refcounted SSLBuffers */ - - uint16_t *ecdhCurves; unsigned ecdhNumCurves; /* server-side only */ SSLAuthenticate clientAuth; /* kNeverAuthenticate, etc. */ - //Boolean tryClientAuth; /* client and server */ SSLClientCertificateState clientCertState; @@ -220,6 +209,12 @@ struct SSLContext Boolean signalCertRequest; Boolean signalClientAuth; Boolean breakOnClientHello; + Boolean allowServerIdentityChange; + Boolean allowRenegotiation; + Boolean enableSessionTickets; + + /* cached configuration buffer */ + SSLBuffer contextConfigurationBuffer; /* List of peer-specified supported_signature_algorithms */ unsigned numPeerSigAlgs; @@ -229,9 +224,6 @@ struct SSLContext unsigned numAuthTypes; const tls_client_auth_type *clientAuthTypes; - /* client auth type actually negotiated */ - tls_client_auth_type negAuthType; - /* Timeout for DTLS retransmit */ CFAbsoluteTime timeout_deadline; CFAbsoluteTime timeout_duration; @@ -270,14 +262,10 @@ OSStatus SSLUpdateNegotiatedClientAuthType(SSLContextRef ctx); Boolean sslIsSessionActive(const SSLContext *ctx); -static inline bool sslVersionIsLikeTls12(SSLContext *ctx) -{ - check(ctx->negProtocolVersion!=SSL_Version_Undetermined); - return ctx->isDTLS ? ctx->negProtocolVersion > DTLS_Version_1_0 : ctx->negProtocolVersion >= TLS_Version_1_2; -} +OSStatus SSLGetSessionConfigurationIdentifier(SSLContext *ctx, SSLBuffer *buffer); /* This is implemented in tls_callbacks.c */ - int sslGetSessionID(SSLContext *myCtx, SSLBuffer *sessionID); +int sslGetSessionID(SSLContext *myCtx, SSLBuffer *sessionID); #ifdef __cplusplus }