Security protocol components for C
|
| RSA BSAFE SSL-C |
Security protocol components for C |
| Search |
Each SSL structure has an associated SSL_SESSION, SSL_METHOD, SSL_CIPHER and BIO structure.
The SSL structure contains:
When new SSL structures are created, values for certain flags are inherited from the corresponding SSL_CTX. Subsequent changes to flags for the SSL do not affect the default values set against the SSL_CTX.
The SSL structure stores dynamic information for the SSL handshake, including the ciphers and digests used in the connection. Symmetric cipher keys are generated from the shared secret (master secret). These connection-specific keys are contained in the SSL structure.
Although the private key/certificate pairs are normally specified in the SSL_CTX, they may also be specified in the SSL.
bio_client.c, cache_server.c, fips_client.c, nbio_client.c, PKCS11Client.c, simple.c, sock_client.c, sock_server.c, ssl_client.c, ssl_server.c, and verify_cb.c.
#include <ssl_st.h>
struct ssl_st { /* protocol version 2: SSLv2, 3: SSLv3, -3: SSLv3, but accept SSLv2 */ int version; /* type - client or server - SSL_ST_CONNECT or SSL_ST_ACCEPT */ int type; /* protocol version implementation - one of the method() functions */ SSL_METHOD *method; /* * There are two BIOs so data can be read and written to different * handlers. Typically these are both the same. */ /* BIO used for reading */ BIO *rbio; /* BIO used for writing */ BIO *wbio; BIO *bbio; /* used during session-id reuse to concatenate messages */ /* * Indicates the data layer operation that was being done when a 0 or -1 * is returned. This state is needed for non-blocking IO so the IO * operation is able to complete the current read or write in * SSL_accept or SSL_connect. The states are documented in SSL_want(); */ int rwstate; /* indicator that we are still handling the protocol handshake and have * not yet reached transfer of application data * - i.e. 1 when in SSL_accept() or SSL_connect(), otherwise 0 */ int in_handshake; /* the function that is handling the handshake protocol - this will * be set to the protocol version specific handshake function in the * underlying "method" that is being used and in SSLv23 this will not * be the same as the handshake field in the method structure after we * have determined which particular version is being negotiated. */ int (*handshake_func)(SSL *ssl); int server; /* indicates operating as the server side of the protocol */ int new_session; /* 1 if we are to use a new session */ int shutdown; /* SSL shutdown status, 0x01 sent, 0x02 for received */ int state; /* protocol state */ int cstate; /* current state that is used in debug mode */ int rstate; /* where we are when reading */ BUF_MEM *init_buf; /* buffer used during initialisation */ int init_num; /* amount read/written */ int init_off; /* amount read/written */ /* raw packet reference into the buffer */ unsigned char *packet; unsigned int packet_length; struct ssl2_ctx_st *s2; /* SSLv2 variables */ struct ssl3_ctx_st *s3; /* SSLv3 variables */ int read_ahead; /* flag: read as many input bytes as possible */ int hit; /* status: reuse of a session has occured (1=yes,0=no) */ STACK *cipher_list; /* list of ciphers in logical order */ STACK *cipher_list_by_id; /* list of ciphers ordered by protocol ids */ SSL_ENC read; SSL_ENC write; void (*mac_cleanup)(SSL_MAC_CTX *ptr); struct cert_st *cert; /* CERT - used to hold server certificate */ STACK *cert_chain; /* cert chain to send with client/server cert */ unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; SSL_SESSION *session; /* also in the session once established */ /* Used in SSL2 and SSL3 */ int verify_mode; /* 0 ignore verify failure, else fail */ int verify_depth; /* certificate verification depth (for mod_ssl) */ #ifndef SSLC_SMALL_CODE SSL_VERIFY_CB_T *verify_cb; /* fail if verification callback returns 0 */ #endif SSL_INFO_CB_T *info_cb; /* optional info cb */ #if (!defined(SSLC_SMALL_CODE) && !defined(SSL_INFO_CB_ONLY)) SSL_ALERT_INFO_CB_T *alert_info_cb; char *alert_info_arg; /* optional info callback */ #endif #ifndef SSLC_SMALL_CODE SSL_APP_DATA_CB_T *app_data_cb; char *app_data_arg; #endif /* SSLC_SMALL_CODE */ int error; /* flag to show that an SSLv2 error is to be written */ int error_code; /* actual code */ SSL_CTX *ctx; /* if compiled with PKT_DEBUG then for SSLv2 only an additional call * to sleep(1) is added to all SSL_read() and SSL_write() * calls to enable debugging of non-blocking I/O handling */ int debug; long verify_result; /* verification callback result */ #ifndef NO_EX_DATA CRYPTO_EX_DATA ex_data; /* extra application data */ #endif /* NO_EX_DATA */ #ifndef NO_CA_LIST /* for server side, keep the list of CA_dn we can use */ STACK *client_CA; /* SSLCERT_NAME for server, keep list CA_dn or use */ #endif /* NO_CA_LIST */ /* reference count */ int references; /* protocol options */ unsigned long options; unsigned long user_options; /* flag: processing the first packet - check for non-encrypted data * to report this clearly to the user (it is a common mistake * for users to send non-encrypted data to a secure server so * check for this and report an error but only on the first * packet) */ int first_packet; int client_version; /* what was passed, for SSLv3/TLS rollback check */ /* size of the internal buffers for handling protocol "records" */ int write_buf_size; int read_buf_size; /* maximum acceptable length of the certificate (including the chain) * that will be accepted as valid. The protocol itself does not specify * limits - there are practical reasons for rejecting values * beyond these limits - and these limits are configurable. */ long client_cert_sz; long server_cert_sz; int blinding; EVP_MD_CTX *tmp_md; R_LIB_CTX *lib_ctx; void *r_cr_switch; /* Allows the server to set how large the client certificate public key * can be * @note size is length in bits */ unsigned long max_rsa_n; unsigned long max_rsa_e; };