1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
|
/*____________________________________________________________________________
Copyright (C) 1997-1999 Network Associates, Inc.
All rights reserved.
$Id: pgpTLS.h,v 1.32 1999/01/25 11:31:49 wprice Exp $
____________________________________________________________________________*/
#ifndef Included_PGPtls_h /* [ */
#define Included_PGPtls_h
#include "pgpPubTypes.h"
PGP_BEGIN_C_DECLARATIONS
#if PRAGMA_IMPORT_SUPPORTED
#pragma import on
#endif
typedef struct PGPtlsContext * PGPtlsContextRef;
typedef const struct PGPtlsContext * PGPtlsConstContextRef;
#define kInvalidPGPtlsContextRef ((PGPtlsContextRef) NULL)
#define PGPtlsContextRefIsValid( ref ) ( (ref) != kInvalidPGPtlsContextRef )
typedef struct PGPtlsSession * PGPtlsSessionRef;
typedef const struct PGPtlsSession * PGPtlsConstSessionRef;
#define kInvalidPGPtlsSessionRef ((PGPtlsSessionRef) NULL)
#define PGPtlsSessionRefIsValid( ref ) ( (ref) != kInvalidPGPtlsSessionRef )
typedef PGPFlags PGPtlsFlags;
#define kPGPtlsFlags_ServerSide 0x01
#define kPGPtlsFlags_ClientSide 0x02
#define kPGPtlsFlags_RequestClientCert 0x04
#define kPGPtlsFlags_NonBlockingIO 0x08
enum PGPtlsCipherSuiteNum_
{
kPGPtls_TLS_NULL_WITH_NULL_NULL = 0,
kPGPtls_TLS_PGP_DHE_DSS_WITH_CAST_CBC_SHA = 1,
kPGPtls_TLS_PGP_DHE_RSA_WITH_CAST_CBC_SHA = 2,
kPGPtls_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 3,
kPGPtls_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 4,
kPGPtls_TLS_RSA_WITH_3DES_EDE_CBC_SHA = 5,
kPGPtls_TLS_RSA_WITH_IDEA_CBC_SHA = 6,
kPGPtls_TLS_PGP_RSA_WITH_CAST_CBC_SHA = 7,
kPGPtls_TLS_PGP_DHE_DSS_WITH_NULL_SHA = 8,
kPGPtls_TLS_DHE_DSS_WITH_NULL_SHA = 9,
PGP_ENUM_FORCE( PGPtlsCipherSuiteNum_ )
};
PGPENUM_TYPEDEF( PGPtlsCipherSuiteNum_, PGPtlsCipherSuiteNum );
enum PGPtlsProtocolState_
{
kPGPtls_IdleState = 0,
kPGPtls_FatalErrorState = 1,
kPGPtls_ClosedState = 2,
kPGPtls_HandshakeState = 3,
kPGPtls_ReadyState = 4,
PGP_ENUM_FORCE( PGPtlsProtocolState_ )
};
PGPENUM_TYPEDEF( PGPtlsProtocolState_, PGPtlsProtocolState );
enum PGPtlsPrime_
{
kPGPtls_DHPrime1024 = 0,
kPGPtls_DHPrime1536 = 1,
kPGPtls_DHPrime2048 = 2,
kPGPtls_DHPrime3072 = 3,
kPGPtls_DHPrime4096 = 4,
PGP_ENUM_FORCE( PGPtlsPrime_ )
};
PGPENUM_TYPEDEF( PGPtlsPrime_, PGPtlsPrime );
enum PGPtlsAlert_
{
kPGPtls_AT_CloseNotify = 0,
kPGPtls_AT_UnexpectedMessage = 10, /* FATAL */
kPGPtls_AT_BadRecordMAC = 20, /* FATAL */
kPGPtls_AT_DecryptionFailed = 21, /* FATAL */
kPGPtls_AT_RecordOverflow = 22, /* FATAL */
kPGPtls_AT_DecompressionFailure = 30, /* FATAL */
kPGPtls_AT_HandshakeFailure = 40, /* FATAL */
kPGPtls_AT_NoCertificate = 41, /* SSL3 */
kPGPtls_AT_BadCertificate = 42,
kPGPtls_AT_UnsupportedCert = 43,
kPGPtls_AT_CertRevoked = 44,
kPGPtls_AT_CertExpired = 45,
kPGPtls_AT_CertUnknown = 46,
kPGPtls_AT_IllegalParameter = 47, /* FATAL */
kPGPtls_AT_UnknownCA = 48, /* FATAL */
kPGPtls_AT_AccessDenied = 49, /* FATAL */
kPGPtls_AT_DecodeError = 50, /* FATAL */
kPGPtls_AT_DecryptError = 51,
kPGPtls_AT_ExportRestriction = 60, /* FATAL */
kPGPtls_AT_ProtocolVersion = 70, /* FATAL */
kPGPtls_AT_InsufficientSecurity = 71, /* FATAL */
kPGPtls_AT_InternalError = 80, /* FATAL */
kPGPtls_AT_UserCancelled = 90,
kPGPtls_AT_NoRenegotiation = 100,
kPGPtls_AT_None = 255,
PGP_ENUM_FORCE( PGPtlsAlert_ )
};
PGPENUM_TYPEDEF( PGPtlsAlert_, PGPtlsAlert );
/* The Send and Receive function pointers should return
kPGPError_TLSWouldBlock when the socket is non-blocking and the
call would block. The Send and Receive functions passed in will
need to translate the platform-specific socket error in appropriate
cases by using calls such as WSAGetLastError() on Win32. Remember
to call PGPtlsSendQueueIdle for non-blocking sockets also if
kPGPError_TLSWouldBlock is returned from a send on a non-blocking
socket. */
typedef PGPInt32 (* PGPtlsReceiveProcPtr)(void *inData, void *outBuffer,
PGPInt32 inBufferSize);
typedef PGPInt32 (* PGPtlsSendProcPtr)(void *inData, const void *inBuffer,
PGPInt32 inBufferLength);
PGPError PGPNewTLSContext( PGPContextRef context,
PGPtlsContextRef *outRef );
PGPError PGPFreeTLSContext( PGPtlsContextRef ref );
/*____________________________________________________________________________
The following function activates or deactivates the session key cache
for TLS sessions. This defaults to on but can be deactivated with this
function to force all connections to proceed through the entire
handshake.
____________________________________________________________________________*/
PGPError PGPtlsSetCache( PGPtlsContextRef ref, PGPBoolean useCache );
PGPError PGPtlsClearCache( PGPtlsContextRef ref );
PGPError PGPNewTLSSession( PGPtlsContextRef ref,
PGPtlsSessionRef *outRef );
PGPError PGPFreeTLSSession( PGPtlsSessionRef ref );
PGPError PGPCopyTLSSession( PGPtlsSessionRef ref, PGPtlsSessionRef *outRef );
/* Default options are client side and no client cert request */
PGPError PGPtlsSetProtocolOptions( PGPtlsSessionRef ref,
PGPtlsFlags options );
/*____________________________________________________________________________
The following function must be called to cleanly close a TLS
connection. If it is not called, the session will not be able
to be resumed from the session cache.
In the event the application determines any problem with the
connection such as the remote key not being valid, call this
function with dontCache set to true in order to not cache the
session keys.
____________________________________________________________________________*/
PGPError PGPtlsClose( PGPtlsSessionRef ref,
PGPBoolean dontCache );
/*____________________________________________________________________________
The following function must be called to initiate the PGPtls session.
Once a TLS session has been assigned to a socket, no data can be sent
over that socket by the application until the handshake is completed.
Handshake completion is indicated by completion of this call without
error or by checking the state of the PGPtlsSession. It will be
kPGPtls_ReadyState when the application layer may send and receive
data securely.
This function performs all negotiation of the TLS connection.
____________________________________________________________________________*/
PGPError PGPtlsHandshake( PGPtlsSessionRef ref );
/*____________________________________________________________________________
The following function should be called before PGPtlsHandshake.
In the general case, the remoteID will be an IP address. This
is provided to PGPtls in order to allow it to cache the current
session and be able to look it up later. If the remoteID passed
into a future session is the same as a previously cached session,
PGPtls will attempt to resume the session.
____________________________________________________________________________*/
PGPError PGPtlsSetRemoteUniqueID( PGPtlsSessionRef ref,
PGPUInt32 remoteID );
/*____________________________________________________________________________
The following function sets the local private authenticating key.
The passphrase and key are retained in memory. By default, no
key is specified and a client side session will return no key in the
client key exchange message to the server.
It is an error not to specify a key on a server side TLS session.
This function must be passed either PGPOPassphrase or PGPOPasskeyBuffer.
You may pass in just a PGP key, PGP w/ X.509 cert, or both -- and they
must be the same -- the cert must be from the key. For an X.509 cert,
the inCertChain keyset must contain the keys of all keys in the
certificate chain for that certificate up to the root. To disable X.509
certs, simply pass nothing (ie. kPGPInvalidSigRef). The inCertChain
keyset must remain valid for the lifetime of the TLS connection.
____________________________________________________________________________*/
PGPError PGPtlsSetLocalPrivateKey( PGPtlsSessionRef ref,
PGPKeyRef inKey,
PGPSigRef inX509Cert,
PGPKeySetRef inCertChain,
PGPOptionListRef firstOption, ... );
/*____________________________________________________________________________
The following function sets the preferred cipher suite.
There is no guarantee that cipher will actually be negotiated,
but it will be attempted in preference to others.
____________________________________________________________________________*/
PGPError PGPtlsSetPreferredCipherSuite( PGPtlsSessionRef ref,
PGPtlsCipherSuiteNum cipher );
/*____________________________________________________________________________
The following function sets the desired DH prime.
The requested primes are drawn from a set of primes hard-coded
into PGPtls. New primes can be added in a fully compatible
fashion since the server sends the prime to the client, but this
version of the API does not support passing in a desired prime. The
default prime if this function is not called is kPGPtls_DHPrime2048.
____________________________________________________________________________*/
PGPError PGPtlsSetDHPrime( PGPtlsSessionRef ref,
PGPtlsPrime prime );
/*____________________________________________________________________________
The following function gets the authenticated remote key after a
successful handshake. You must call this function after a successful
handshake to verify that the remote key is authorized to make the
connection.
____________________________________________________________________________*/
PGPError PGPtlsGetRemoteAuthenticatedKey( PGPtlsSessionRef ref,
PGPKeyRef * outKey,
PGPKeySetRef * outKeySet );
/*____________________________________________________________________________
The following function returns the negotiated symmetric cipher.
This function will return an error if called before a successful
handshake.
____________________________________________________________________________*/
PGPError PGPtlsGetNegotiatedCipherSuite( PGPtlsSessionRef ref,
PGPtlsCipherSuiteNum *outCipher );
PGPError PGPtlsGetState( PGPtlsSessionRef ref,
PGPtlsProtocolState *outState );
/*____________________________________________________________________________
The following two functions process data through TLS.
It is an error to call these functions without having set a
Read function pointer or Write function pointer. Most applications
will never need to use these functions as the function pointers
are automatically configured by PGPsockets, and these functions
are automatically called by the PGPsockets implementations of
PGPWrite and PGPRead whenever a PGPtlsSessionRef has been set for
a given socket.
____________________________________________________________________________*/
PGPError PGPtlsReceive( PGPtlsSessionRef ref,
void * outBuffer,
PGPSize * bufferSize );
PGPError PGPtlsSend( PGPtlsSessionRef ref,
const void * inBuffer,
PGPSize inBufferLength );
PGPError PGPtlsSetReceiveCallback( PGPtlsSessionRef ref,
PGPtlsReceiveProcPtr tlsReceiveProc,
void * inData );
PGPError PGPtlsSetSendCallback( PGPtlsSessionRef ref,
PGPtlsSendProcPtr tlsSendProc,
void * inData );
/*____________________________________________________________________________
The following function is necessary *only* on a non-blocking socket.
If a call to PGPtlsSend returns kPGPError_TLSWouldBlock, call
the following function repeatedly until that error is no longer
returned in order to make sure data is sent. Another call to
PGPtlsSend will also call this function automatically and queue
any new data if necessary.
____________________________________________________________________________*/
PGPError PGPtlsSendQueueIdle( PGPtlsSessionRef ref );
PGPSize PGPtlsReceiveBufferSize( PGPtlsSessionRef ref );
/*____________________________________________________________________________
The following function gets the ID of the fatal alert which caused
the TLS session to abort and go into the kPGPtls_FatalErrorState.
____________________________________________________________________________*/
PGPError PGPtlsGetAlert( PGPtlsSessionRef ref, PGPtlsAlert *outAlert );
#if PRAGMA_IMPORT_SUPPORTED
#pragma import reset
#endif
PGP_END_C_DECLARATIONS
#endif /* ] Included_PGPtls_h */
/*__Editor_settings____
Local Variables:
tab-width: 4
End:
vi: ts=4 sw=4
vim: si
_____________________*/
|
