Each application requires at least one SSL_CTX. Applications performing both the server and the client side of the SSL protocol (that is, managing both incoming connections and outgoing connections) may require multiple SSL contexts.
On the server side, the SSL protocol uses the SSL_CTX to determine the default values for the connection.
The SSL_CTX is also used for certificate verification operations. The SSL_CTX does not contain a session identifier cache; however, the application may perform caching itself and supply the appropriate session identifier to the SSL_CTX via a callback.
The default values specified in the SSL_CTX may be overridden for individual SSL connections as required. Time-out values and maximum size parameters may also be specified.
The certificate/private key pairs are normally specified in the SSL_CTX. However, these values may also be specified for individual SSL structures when using client certificates, or for servers whose certificates depend on the network interface of the incoming connection. In either situation, a reference to the certificate is placed in the relevant session identifier structure.
app_cache.c, bio_client.c, bio_server.c, cache_server.c, nbio_client.c, nbio_server.c, p7ssl_client.c, p7ssl_server.c, simple.c, sock_client.c, sock_server.c, ssl_client.c, and ssl_server.c.
#include <sslctx_st.h>
/*
 * SSL context: the shared defaults and state behind a group of SSL connections.
 *
 * Every application needs at least one SSL_CTX; an application acting as both
 * client and server may use several.  On the server side the SSL_CTX supplies
 * the default values for each connection, and certificate verification is
 * performed through it.  Defaults set here may be overridden on the individual
 * SSL connections created from this context.
 */
struct ssl_ctx_st {
    SSL_METHOD *method;             /* protocol method selected for this context */
    unsigned long options;          /* option bit flags (presumably SSL_OP_*-style; confirm) */
    unsigned long user_options;     /* NOTE(review): split from 'options' not visible here -- confirm */
    STACK *cipher_list;             /* SSL_CIPHER */
    STACK *cipher_list_by_id;       /* SSL_CIPHER, same contents as cipher_list
                                     * but sorted for lookup */
    SSLCERT_STORE *cert_store;      /* X509_STORE -- certificate verification is done through the SSL_CTX */
#ifndef NO_SESSION_CACHE
#ifdef SSLC_SMALL_CODE
    /*
     * SSL-C small-code builds support a modified session cache: the library
     * keeps no session-id cache of its own and calls back into the
     * application, which may cache sessions and supply the appropriate
     * session id on each call.
     */
    int (*session_cache_cb)(SSL_CTX *ctx,int cmd,SSL_SESSION **sess,void *arg);
    void *session_cache_cb_arg;     /* user-defined pointer passed to session_cache_cb on each call */
#else /* !SSLC_SMALL_CODE */
    struct lhash_st *sessions;      /* A set of SSL sessions */
    /*
     * Maximum number of session-ids that will be cached, default is
     * SSL_SESSION_CACHE_SIZE_DEFAULT.  0 is unlimited.
     */
    unsigned long session_cache_size;
    struct ssl_session_st *session_cache_head;
    struct ssl_session_st *session_cache_tail;
    /*
     * If this callback is not null, it will be called each time a session id
     * is added to the cache.  If this function returns 1, it means that the
     * callback will do a SSL_SESSION_free() when it has finished using it.
     * Otherwise, on 0, it means the callback has finished with it.
     * If remove_session_cb is not null, it will be called when a session-id
     * is removed from the cache.  Again, a return of 0 means that we should
     * not SSL_SESSION_free() since the application is doing something with it.
     */
    SSL_SESS_NEW_CB_T *new_session_cb;
    SSL_SESS_REMOVE_CB_T *remove_session_cb;
    SSL_SESS_GET_CB_T *get_session_cb;
    struct {
        int sess_connect;               /* SSL new conn - started */
        int sess_connect_renegotiate;   /* SSL reneg - requested */
        int sess_connect_good;          /* SSL new conn/reneg - finished */
        int sess_accept;                /* SSL new accept - started */
        int sess_accept_renegotiate;    /* SSL reneg - requested */
        int sess_accept_good;           /* SSL accept/reneg - finished */
        int sess_miss;                  /* Session lookup misses */
        int sess_timeout;               /* Reuse attempt on a timed-out session */
        int sess_cache_full;            /* Session removed due to full cache */
        int sess_hit;                   /* Session reuse actually done */
        /*
         * This indicates that the application is supplying session-ids from
         * other processes.
         */
        int sess_cb_hit;                /* session id not in the cache, passed back via the callback */
    } stats;
    /* Session id context is a grouping index for sessions */
    unsigned int sid_ctx_length;
    unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
#endif /* !SSLC_SMALL_CODE */
    int session_cache_mode;         /* one of four basic modes; e.g. SSL_SESSION_CACHE_SERVER
                                     * means only SSL_accept() caches SSL_SESSIONs */
#endif /* NO_SESSION_CACHE */
    long session_timeout;           /* If not 0, the default timeout set when SSL_new() is called */
    int references;                 /* Reference count; the SSL_CTX can be shared between threads */
    SSL_INFO_CB_T *info_cb;         /* Information callback reporting SSL handshake state data */
#if (!defined(SSLC_SMALL_CODE) && !defined(SSL_INFO_CB_ONLY))
    SSL_ALERT_INFO_CB_T *alert_info_cb;
    char *alert_info_arg;
    SSL_APP_DATA_CB_T *app_data_cb;
    char *app_data_arg;
#endif /* (!defined(SSLC_SMALL_CODE) && !defined(SSL_INFO_CB_ONLY)) */
    /*
     * There are two different mechanisms for application replacement of
     * certificate verification routines - one where the library does most of
     * the work for the user and one where the application gets to handle
     * everything.  NOTE(review): which of the two fields below maps to which
     * mechanism is not determinable from this header; confirm against the
     * corresponding SSL_CTX setter functions before relying on either.
     */
    SSL_CTX_CERT_VERIFY_CB_T *app_verify_cb;
    char *app_verify_arg;
    SSL_CTX_APP_VERIFY_CB_T *application_verify_cb;
    char *application_verify_arg;
    /* Default values to use in SSL structures when they are created */
    struct cert_st *default_cert;   /* The default certificate (certificate/private key pairs
                                     * are normally specified in the SSL_CTX) */
    int read_ahead;
    int verify_depth;               /* For mod_ssl; presumably the maximum accepted chain depth -- confirm */
    int verify_mode;                /* presumably SSL_VERIFY_*-style flags -- confirm */
#ifndef SSLC_SMALL_CODE
    SSL_VERIFY_CB_T *default_verify_cb;
#endif /* SSLC_SMALL_CODE */
    /* Default password callback */
#ifndef NO_PEM
    PEM_PASSWORD_CB_T *default_passwd_cb;
#endif /* NO_PEM */
    /* Retrieve client cert callback */
    SSL_CTX_CLIENT_CERT_CB_T *client_cert_cb;
#ifndef NO_CA_LIST
    STACK *client_CA;               /* Used for client requests */
#endif /* !NO_CA_LIST */
    /*
     * Maximum acceptable length of a certificate (including the chain) that
     * will be accepted as valid.  The protocol itself specifies no limit;
     * these are configurable practical limits.  server_cert_sz is assumed to
     * be the server-side counterpart of client_cert_sz -- confirm.
     */
    long client_cert_sz;
    long server_cert_sz;
#ifndef SSLC_SMALL_CODE
    CRYPTO_EX_DATA ex_data;
#endif /* SSLC_SMALL_CODE */
    EVP_MD *rsa_md5;                /* For SSLv2 - name is 'ssl2-md5' */
    EVP_MD *md5;                    /* For SSLv3/TLSv1 'ssl3-md5' */
    EVP_MD *sha1;                   /* For SSLv3/TLSv1 'ssl3-sha1' */
    EVP_MD *dss1;                   /* Name is 'DSA-SHA1' */
    STACK *extra_certs;
    int write_buf_size;             /* Size of the internal write buffer for protocol "records" */
    int read_buf_size;              /* Size of the internal read buffer for protocol "records" */
    int blinding;                   /* presumably enables RSA blinding (timing side-channel
                                     * countermeasure) -- confirm */
    /*
     * The OCSI server callback.  Declared without a prototype, so calls made
     * through it receive no compiler argument-type checking; the intended
     * signature should be confirmed against the setter that installs it.
     */
    int (*ocsi_server_callback)();
    char *ocsi_server_callback_arg;
    R_LIB_CTX *lib_ctx;
    void *r_cr_switch;
    /*
     * Allow the server to set the maximum size of the client certificate's
     * public key.  Presumably limits on the RSA modulus (n) and public
     * exponent (e) respectively -- confirm.
     */
    unsigned long max_rsa_n;
    unsigned long max_rsa_e;
};
Data Fields | |
| int(* | session_cache_cb )(SSL_CTX *ctx, int cmd, SSL_SESSION **sess, void *arg) |
| A user-defined callback to provide session caching for the library. | |
| void* | session_cache_cb_arg |
| A user-defined pointer value that is passed to the session cache callback on each call. | |
| int | session_cache_mode |
| This can have any of four basic values. More... | |
| long | session_timeout |
| If timeout is not 0, this is the default timeout value set when SSL_new() is called. | |
| int | references |
| The reference count, as the SSL_CTX can be shared between threads. | |
| SSL_INFO_CB_T* | info_cb |
| Information callback that reports SSL handshake state data. | |
| SSL_CTX_CERT_VERIFY_CB_T* | app_verify_cb |
| Indicates the application handles the replacement of certificate verification routines. | |
| SSL_CTX_APP_VERIFY_CB_T* | application_verify_cb |
| Indicates the library handles the replacement of certificate verification routines. | |
| struct cert_st* | default_cert |
| The default certificate. | |
| long | client_cert_sz |
| The maximum acceptable length of the certificate (including the chain) that will be accepted as valid. More... | |
| int | write_buf_size |
| The size of the internal write buffer for handling protocol "records". | |
| int | read_buf_size |
| The size of the internal read buffer for handling protocol "records". | |
| int(* | ocsi_server_callback )() |
| The OCSI server callback. | |
| unsigned long | max_rsa_n |
| Allows the server to set the maximum size of the client certificate public key. More... | |
The maximum acceptable length of the certificate (including the chain) that will be accepted as valid. The protocol itself does not specify limits; there are practical reasons for rejecting values beyond these limits, and the limits are configurable.
Allows the server to set the maximum size of the client certificate public key.
This can have any of four basic values:
SSL_SESSION_CACHE_SERVER, which means that only SSL_accept() caches SSL_SESSIONs.