#include "aglobal.h"#include "bsafe.h"Go to the source code of this file.
Data Structures | |
| struct | SSLRecord |
| struct | SSLServer |
| struct | SSLConn |
Defines | |
| #define | SSL_PROTOCOL_VERSION "2" |
| #define | SSL_SERVER_VERSION 2 |
| #define | SSL_MT_ERROR 0 |
| #define | SSL_MT_CLIENT_HELLO 1 |
| #define | SSL_MT_CLIENT_MASTER_KEY 2 |
| #define | SSL_MT_CLIENT_FINISHED_V2 3 |
| #define | SSL_MT_SERVER_HELLO 4 |
| #define | SSL_MT_SERVER_VERIFY 5 |
| #define | SSL_MT_SERVER_FINISHED_V2 6 |
| #define | SSL_MT_REQUEST_CERTIFICATE 7 |
| #define | SSL_MT_CLIENT_CERTIFICATE 8 |
| #define | SSL_MT_CLIENT_DH_KEY 9 |
| #define | SSL_MT_CLIENT_SESSION_KEY 10 |
| #define | SSL_MT_CLIENT_FINISHED 11 |
| #define | SSL_MT_SERVER_FINISHED 12 |
| #define | SSL_CK_RC4_128_WITH_MD5 0x01010080 |
| #define | SSL_CK_RC4_128_EXPORT40_WITH_MD5 0x01020080 |
| #define | SSL_CK_RC2_128_CBC_WITH_MD5 0x01030080 |
| #define | SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x01040080 |
| #define | SSL_CK_IDEA_128_CBC_WITH_MD5 0x01050080 |
| #define | SSL_CK_DES_64_CBC_WITH_MD5 0x01060040 |
| #define | SSL_CK_DES_192_EDE3_CBC_WITH_MD5 0x010700C0 |
| #define | SSL_CK_NULL_WITH_MD5 0x01000000 |
| #define | SSL_CK_DES_64_CBC_WITH_SHA 0x01060140 |
| #define | SSL_CK_DES_192_EDE3_WITH_SHA 0x010701C0 |
| #define | NSEEDS 4 |
| #define | SSL_SESSION_ID_LENGTH 16 |
| #define | SSL_CT_X509_CERTIFICATE 1 |
| #define | SSL_CT_PKCS7_CERTIFICATE 2 |
| #define | SSL_PE_NO_CIPHER 0x0001 |
| #define | SSL_PE_NO_CERTIFICATE 0x0002 |
| #define | SSL_PE_BAD_CERTIFICATE 0x0004 |
| #define | SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006 |
| #define | SSL_AT_MD5_WITH_RSA_ENCRYPTION 0x01 |
| #define | SSL_MAX_RECORD_LENGTH_2_BYTE_HEADER 16383 |
| #define | SSL_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 |
| #define | SSL_MACSIZE 16 |
| #define | SSL_MAXRECSIZE 32767 |
| #define | SSL_MAXPADDING 8 |
| #define | EOLSTRING "\n" |
Functions | |
| int | NsSSLGenerateKeypair (unsigned int modulusBits, ITEM *publicExponent, B_KEY_OBJ *publicKey, B_KEY_OBJ *privateKey) |
| int | NsSSLInitialize (char *server, char *module) |
| void * | NsSSLCreateServer (char *cert, char *key) |
| void | NsSSLDestroyServer (void *server) |
| void * | NsSSLCreateConn (SOCKET socket, int timeout, void *server) |
| void | NsSSLDestroyConn (void *conn) |
| int | NsSSLSend (void *conn, void *vbuf, int towrite) |
| int | NsSSLRecv (void *conn, void *vbuf, int toread) |
| int | NsSSLFlush (void *conn) |
| void * | SSLCreateServer (char *cert, char *key) |
| void | SSLDestroyServer (void *server) |
| void * | SSLCreateConn (SOCKET sock, int timeout, void *server) |
| void | SSLDestroyConn (void *conn) |
| int | SSLFlush (void *conn) |
| int | SSLRecv (void *conn, void *vbuf, int toread) |
| int | SSLSend (void *conn, void *vbuf, int tosend) |
Variables | |
| B_ALGORITHM_METHOD * | ALGORITHM_CHOOSER [] |
| B_ALGORITHM_METHOD * | DIGEST_CHOOSER [] |
| #define EOLSTRING "\n" |
| #define NSEEDS 4 |
| #define SSL_AT_MD5_WITH_RSA_ENCRYPTION 0x01 |
SSL authentication Type Codes.
| #define SSL_CK_DES_192_EDE3_CBC_WITH_MD5 0x010700C0 |
| #define SSL_CK_DES_192_EDE3_WITH_SHA 0x010701C0 |
| #define SSL_CK_DES_64_CBC_WITH_MD5 0x01060040 |
| #define SSL_CK_DES_64_CBC_WITH_SHA 0x01060140 |
| #define SSL_CK_IDEA_128_CBC_WITH_MD5 0x01050080 |
| #define SSL_CK_NULL_WITH_MD5 0x01000000 |
| #define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x01040080 |
| #define SSL_CK_RC2_128_CBC_WITH_MD5 0x01030080 |
| #define SSL_CK_RC4_128_EXPORT40_WITH_MD5 0x01020080 |
| #define SSL_CK_RC4_128_WITH_MD5 0x01010080 |
SSL version 2 ciphers.
| #define SSL_CT_PKCS7_CERTIFICATE 2 |
| #define SSL_CT_X509_CERTIFICATE 1 |
SSL certificate types.
| #define SSL_MACSIZE 16 |
| #define SSL_MAX_RECORD_LENGTH_2_BYTE_HEADER 16383 |
SSL data length limits. Note: SSL_MAX_RECORD_LENGTH_2_BYTE_HEADER may be set to 32767.
| #define SSL_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 |
| #define SSL_MAXPADDING 8 |
| #define SSL_MAXRECSIZE 32767 |
| #define SSL_MT_CLIENT_CERTIFICATE 8 |
| #define SSL_MT_CLIENT_DH_KEY 9 |
| #define SSL_MT_CLIENT_FINISHED 11 |
| #define SSL_MT_CLIENT_FINISHED_V2 3 |
| #define SSL_MT_CLIENT_HELLO 1 |
| #define SSL_MT_CLIENT_MASTER_KEY 2 |
| #define SSL_MT_CLIENT_SESSION_KEY 10 |
| #define SSL_MT_ERROR 0 |
SSL message types.
| #define SSL_MT_REQUEST_CERTIFICATE 7 |
| #define SSL_MT_SERVER_FINISHED 12 |
| #define SSL_MT_SERVER_FINISHED_V2 6 |
| #define SSL_MT_SERVER_HELLO 4 |
| #define SSL_MT_SERVER_VERIFY 5 |
| #define SSL_PE_BAD_CERTIFICATE 0x0004 |
| #define SSL_PE_NO_CERTIFICATE 0x0002 |
| #define SSL_PE_NO_CIPHER 0x0001 |
SSL error messages.
| #define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006 |
| #define SSL_PROTOCOL_VERSION "2" |
SSL version information.
| #define SSL_SERVER_VERSION 2 |
| #define SSL_SESSION_ID_LENGTH 16 |
| void* NsSSLCreateConn | ( | SOCKET | socket, | |
| int | timeout, | |||
| void * | server | |||
| ) |
----------------------------------------------------------------------
NsSSLCreateConn --
Create the ubiquitous conn structure for a new SSL connection. In order to create a conn for SSL, lots of work is done for public key exchange, private session key exchange, and random number generation. Note that RSA is only used for the private session key exchange, after which a conventional cipher with a message digest (if requested) is used.
Results: Pointer to the conn.
Side effects: The conn is created. Encryption objects are created and (hopefully) destroyed.
----------------------------------------------------------------------
At the moment we don't do client certificates. (I think that's why this variable is disabled.)
unsigned char certificateChallengeData[32];
Get CLIENT-HELLO.
This is not something to get concerned about.
This is not something to get worried about. If the browser is that messed up it will drop the connection, anyway.
Get a new session id (a random number).
Make the SERVER-HELLO.
Send the SERVER-HELLO.
Get the CLIENT-MASTER-KEY.
Decode CLIENT-MASTER-KEY.
Decrypt secret session key. You know the BSAFE drill by now.
Get the KEY-ARG-DATA if there is any.
Figure out the cipher block size.
Send the SERVER-VERIFY message.
Get the CLIENT-FINISHED-V2 or CLIENT-FINISHED message.
We probably should verify that the CLIENT-FINISHED message is correct at this point but we don't because it doesn't really matter once the connection was closed.
Create a new session ID.
Send the SERVER-FINISHED-V2 message.
Clean up the RSA object if it hasn't been cleaned up already.
| void* NsSSLCreateServer | ( | char * | cert, | |
| char * | key | |||
| ) |
----------------------------------------------------------------------
NsSSLCreateServer --
Sets up SSL data structures at server startup. The server's private key and certificate are loaded
Results: The SSLServer context (sPtr).
Side effects: SSLServer context is created.
----------------------------------------------------------------------
| void NsSSLDestroyConn | ( | void * | conn | ) |
----------------------------------------------------------------------
NsSSLDestroyConn --
Destroy the ubiquitous conn structure for the SSL connection. This code enters a critical section at the beginning to update the random number so it isn't used again in another session.
Results: None
Side effects: The conn and all its data structures are (hopefully) freed. Encryption objects are created and (hopefully) destroyed.
----------------------------------------------------------------------
Make a new random number.
Burn all the algorithm objects for the digester, encryptor, and decryptor if they haven't been destroyed already.
Burn the key objects so they can't be found in memory again if something hasn't already done so.
| void NsSSLDestroyServer | ( | void * | server | ) |
----------------------------------------------------------------------
NsSSLDestroyServer --
Cleans up after the server and frees up the SSLServer context. This is only called when AOLserver is shutting down.
Results: None.
Side effects: SSLServer context is freed.
----------------------------------------------------------------------
| int NsSSLFlush | ( | void * | conn | ) |
----------------------------------------------------------------------
NsSSLFlush --
Flush data waiting to be sent.
Results: NS_OK or NS_ERROR.
Side effects:
----------------------------------------------------------------------
Note: macSize % blockSize == 0
| int NsSSLGenerateKeypair | ( | unsigned int | modulusBits, | |
| ITEM * | publicExponent, | |||
| B_KEY_OBJ * | publicKey, | |||
| B_KEY_OBJ * | privateKey | |||
| ) |
----------------------------------------------------------------------
NsSSLGenerateKeypair --
Generates an RSA key pair of modulusBits size. If publicExponent!=NULL it will use it instead of the normal F4 prime.
input: &publicKey, &privateKey (uninitialized key objects)
Note: This is used in stand-alone mode (keygen.tcl) only. See readme.txt for more information.
Results: A keypair is created and placed in publicKey, privateKey.
Side effects: Memory is allocated to hold the publicKey, privateKey.
----------------------------------------------------------------------
| int NsSSLInitialize | ( | char * | server, | |
| char * | module | |||
| ) |
----------------------------------------------------------------------
NsSSLInitialize --
Set up SSL data structures at server startup. Random number is generated, shutdown handle is registered, Tcl commands (if any) are registered.
Results: NS_OK
Side effects: See Ns_GenSeeds, RandomCleanup, and NSSSLInterpInit.
Variable "initialized" is global.
----------------------------------------------------------------------
| int NsSSLRecv | ( | void * | conn, | |
| void * | vbuf, | |||
| int | toread | |||
| ) |
----------------------------------------------------------------------
NsSSLRecv --
Read data from the connection.
Results: The number of bytes received.
Notice: -1 is returned on error.
Side effects: vbuf contains the data read.
----------------------------------------------------------------------
Note that we're returning -1 here.
| int NsSSLSend | ( | void * | conn, | |
| void * | vbuf, | |||
| int | towrite | |||
| ) |
----------------------------------------------------------------------
NsSSLSend --
Send data out to the connection.
Results: The number of bytes sent.
Notice: -1 is returned on error.
Side effects: None.
----------------------------------------------------------------------
Note: macSize % blockSize == 0
Note that we're returning -1 here.
| void* SSLCreateConn | ( | SOCKET | sock, | |
| int | timeout, | |||
| void * | server | |||
| ) |
| void* SSLCreateServer | ( | char * | cert, | |
| char * | key | |||
| ) |
| void SSLDestroyConn | ( | void * | conn | ) |
| void SSLDestroyServer | ( | void * | server | ) |
| int SSLFlush | ( | void * | conn | ) |
| int SSLRecv | ( | void * | conn, | |
| void * | vbuf, | |||
| int | toread | |||
| ) |
| int SSLSend | ( | void * | conn, | |
| void * | vbuf, | |||
| int | tosend | |||
| ) |
| B_ALGORITHM_METHOD* ALGORITHM_CHOOSER[] |
BSAFE algorithm chooser
| B_ALGORITHM_METHOD* DIGEST_CHOOSER[] |
BSAFE message digest chooser
1.5.1