d6/d9c/cSSLConfig_8h_source.html

 //

 //

 #ifndef _INC_cSSLConfig_H

 #define _INC_cSSLConfig_H

 #ifndef NO_PRAGMA_ONCE

 #pragma once

 #endif


 #include "GraySSLInt.h"

 #include "GrayLib/include/SSL/cSSLSession.h"

 #include "GrayLib/include/SSL/cSSL.h"

 #include "GrayLib/include/Key/cECPGroupPrefs.h"

 #include "GrayLib/include/KeyEx/cKeyExDHM.h"

 #include "GrayLib/include/Cert/cX509Crl.h"

 #include "GrayLib/include/Cert/cX509Crt.h"


 namespace GraySSL

 {

         enum SSL_AUTHMODE_TYPE

         {


                 SSL_AUTHMODE_NONE = 0,

                 SSL_AUTHMODE_OPTIONAL = 1,

                 SSL_AUTHMODE_REQUIRED = 2,

         };


         enum SSL_RENO_LEGACY_TYPE

         {


                 SSL_RENO_LEGACY_NO_RENEGOTIATION = 0,

                 SSL_RENO_LEGACY_ALLOW_RENEGOTIATION = 1,

                 SSL_RENO_LEGACY_BREAK_HANDSHAKE = 2,

         };


         class GRAYSSL_LINK cSSLConfig : public cSSLSessionConfig, public cSSL

         {


         public:


                 cRangeT<SSL_VERSION_TYPE> m_VerRange;


                 bool m_bExtendedMasterSecret;


                 IRandomNoise* m_pRandom;


                 bool m_bAllowRC4;

                 const SSL_CipherSuite_t* m_pCipherSuiteList[SSL_VERSION_QTY];


                 cECPGroupPrefs m_ECPGroupsAllowed;


                 // extension RFC 7301 Application Layer Protocol Negotiation.

                 const char** m_ppAlpnList;


                 bool m_bFallbackSCSV;


                 SSL_RENO_LEGACY_TYPE m_eRenoLegacyType;


 #if defined(USE_SSL_RENEGOTIATION)

                 bool m_bRenegotiationEnable;

                 int m_nRenegotiationMaxRecords;

                 cSSLCtr m_renego_period;

 #endif


 #if defined(USE_SSL_SESSION_TICKETS)

                 bool m_bUseSessionTickets;

                 TIMESECD_t m_nTicketLifeSeconds;

 #endif


                 SSL_AUTHMODE_TYPE m_eAuthMode;


                 // TODO Replace Cert validation scheme!

                 IX509VerifyCert* m_pVerifyCert;


 #if defined(USE_SSL_X509_CRT_PARSE)

                 cRefPtr<cX509Crt> m_pCaChain;

                 cRefPtr<cX509Crl> m_pCaCrl;

 #endif


 #if defined(USE_SSL_DHM)

                 cBigUnsigned m_dhm_P;

                 cBigInteger m_dhm_G;

 #endif


         public:

                 cSSLConfig();

                 ~cSSLConfig();


                 bool CheckOpts();


                 void SetCipherSuiteList(const SSL_CipherSuite_t* ciphersuites, SSL_VERSION_TYPE v);

                 void put_AllowRC4(bool bAllowRC4);


                 bool IsECPGroupAllowed(const cECPGroup& grp) const;


                 void put_AuthMode(SSL_AUTHMODE_TYPE eAuthMode)

                 {

                         this->m_eAuthMode = eAuthMode;

                 }


                 void put_VerifyCert(IX509VerifyCert* pVerifyCert)

                 {

                         m_pVerifyCert = pVerifyCert;

                 }


                 HRESULT VerifyCrt(cX509Crt* pCrt, const char* pszPeerCN, OUT X509_Verify_t& eVerifyResults) const;


                 void put_RandomNoise(IRandomNoise* pRandom)

                 {

                         this->m_pRandom = pRandom;

                 }


                 void put_EncryptThenMac(bool etm);


                 void put_UseExtendedMasterSecret(bool ems);


                 void put_VersionMin(SSL_VERSION_TYPE v);

                 void put_VersionMax(SSL_VERSION_TYPE v);


                 HRESULT put_MaxFragLenCode(SSL_MAX_FRAG_TYPE eMaxFragLenCode);


                 void put_UseTruncatedHMAC(bool bTruncatedHMAC)

                 {

                         m_bTruncatedHMAC = bTruncatedHMAC;

                 }


                 void put_RenoLegacyType(SSL_RENO_LEGACY_TYPE allow_legacy)

                 {

                         //

                         //

                         //


                         this->m_eRenoLegacyType = allow_legacy;

                 }


                 void put_FallbackSCSV(bool fallback)

                 {

                         this->m_bFallbackSCSV = fallback;

                 }


                 HRESULT put_AlpnProtocols(const char** ppAlpnList);


                 const char* FindAlpn(const BYTE* pFind, StrLen_t nLenFind) const;


 #if defined(USE_SSL_RENEGOTIATION)

                 void put_RenegotiationEnable(bool enable_renegotiation)

                 {

                         this->m_bRenegotiationEnable = enable_renegotiation;

                 }


                 void put_RenegotiationMaxRecords(int max_records)

                 {

                         //

                         this->m_nRenegotiationMaxRecords = max_records;

                 }


                 void put_RenegotiationPeriod(cSSLCtr c)

                 {


                         this->m_renego_period = c;

                 }

 #endif // USE_SSL_RENEGOTIATION


 #if defined(USE_SSL_SESSION_TICKETS)

                 void put_UseSessionTickets(bool bUseTickets)

                 {

                         //

                         this->m_bUseSessionTickets = bUseTickets;

                 }


                 void put_SessionTicketLifetime(TIMESECD_t lifetime)

                 {

                         this->m_nTicketLifeSeconds = lifetime;  // Seconds

                 }

 #endif // USE_SSL_SESSION_TICKETS


 #if defined(USE_SSL_X509_CRT_PARSE)

                 void SetCAChain(cX509Crt* pCaChain, cX509Crl* pCaCrl)

                 {

                         this->m_pCaChain = pCaChain;

                         this->m_pCaCrl = pCaCrl;

                 }

 #endif // USE_SSL_X509_CRT_PARSE


 #if defined(USE_SSL_DHM)

                 HRESULT SetKeyExDHMParams(const char* dhm_P, const char* dhm_G);

                 HRESULT SetKeyExDHMParams(cKeyExDHM* dhm_ctx);

 #endif // USE_SSL_DHM


         };

 }


 #endif

GraySSLInt.h

GRAYSSL_LINK
#define GRAYSSL_LINK
Definition: GraySSLInt.h:25

HRESULT
INT32 HRESULT
_WIN32 style error codes. INT32
Definition: SysTypes.h:465

cECPGroupPrefs.h

cKeyExDHM.h

cSSLSession.h

cSSL.h

cX509Crl.h

cX509Crt.h

GrayLib::cBigInteger
Definition: cBigInteger.h:18

GrayLib::cBigUnsigned
Definition: cBigUnsigned.h:22

GrayLib::cECPGroupPrefs
Definition: cECPGroupPrefs.h:16

GrayLib::cECPGroup
Definition: cECPGroup.h:34

GrayLib::cKeyExDHM
Definition: cKeyExDHM.h:15

GrayLib::cSSLCtr
Definition: cSSLMsg.h:305

GrayLib::cSSLSessionConfig
Definition: cSSLSession.h:135

GrayLib::cX509Crl
Definition: cX509Crl.h:59

GrayLib::cX509Crt
Definition: cX509Crt.h:20

GraySSL::cSSLConfig
Definition: cSSLConfig.h:46

GraySSL::cSSLConfig::m_pCaChain
cRefPtr< cX509Crt > m_pCaChain
own trusted CA chain
Definition: cSSLConfig.h:87

GraySSL::cSSLConfig::put_UseTruncatedHMAC
void put_UseTruncatedHMAC(bool bTruncatedHMAC)
Definition: cSSLConfig.h:137

GraySSL::cSSLConfig::m_ppAlpnList
const char ** m_ppAlpnList
ordered list of supported protocols. nullptr terminated.
Definition: cSSLConfig.h:64

GraySSL::cSSLConfig::m_bAllowRC4
bool m_bAllowRC4
flag for enable/disabling SSL_Cipher_RC4_128. default = false. GET RID OF THIS using m_pCipherSuiteLi...
Definition: cSSLConfig.h:58

GraySSL::cSSLConfig::m_dhm_G
cBigInteger m_dhm_G
generator for DHM. cKeyExDHM
Definition: cSSLConfig.h:93

GraySSL::cSSLConfig::m_dhm_P
cBigUnsigned m_dhm_P
prime modulus for DHM. cKeyExDHM
Definition: cSSLConfig.h:92

GraySSL::cSSLConfig::m_pRandom
IRandomNoise * m_pRandom
random number generator. g_Rand.
Definition: cSSLConfig.h:56

GraySSL::cSSLConfig::m_eRenoLegacyType
SSL_RENO_LEGACY_TYPE m_eRenoLegacyType
Allow legacy renegotiation.
Definition: cSSLConfig.h:68

GraySSL::cSSLConfig::put_VerifyCert
void put_VerifyCert(IX509VerifyCert *pVerifyCert)
Definition: cSSLConfig.h:113

GraySSL::cSSLConfig::m_eAuthMode
SSL_AUTHMODE_TYPE m_eAuthMode
Verification mode for cert failures.
Definition: cSSLConfig.h:81

GraySSL::cSSLConfig::put_FallbackSCSV
void put_FallbackSCSV(bool fallback)
Definition: cSSLConfig.h:169

GraySSL::cSSLConfig::SetKeyExDHMParams
HRESULT SetKeyExDHMParams(const char *dhm_P, const char *dhm_G)

GraySSL::cSSLConfig::put_UseSessionTickets
void put_UseSessionTickets(bool bUseTickets)
Definition: cSSLConfig.h:235

GraySSL::cSSLConfig::m_bExtendedMasterSecret
bool m_bExtendedMasterSecret
flag for extended master secret. Extended Master Secret, aka Session Hash (draft-ietf-tls-session-has...
Definition: cSSLConfig.h:54

GraySSL::cSSLConfig::m_bUseSessionTickets
bool m_bUseSessionTickets
use session tickets? (default true for client)
Definition: cSSLConfig.h:77

GraySSL::cSSLConfig::put_AuthMode
void put_AuthMode(SSL_AUTHMODE_TYPE eAuthMode)
Definition: cSSLConfig.h:107

GraySSL::cSSLConfig::m_nTicketLifeSeconds
TIMESECD_t m_nTicketLifeSeconds
session ticket lifetime
Definition: cSSLConfig.h:78

GraySSL::cSSLConfig::m_pVerifyCert
IX509VerifyCert * m_pVerifyCert
Alternate mechanism to check certs.
Definition: cSSLConfig.h:84

GraySSL::cSSLConfig::SetKeyExDHMParams
HRESULT SetKeyExDHMParams(cKeyExDHM *dhm_ctx)

GraySSL::cSSLConfig::m_VerRange
cRangeT< SSL_VERSION_TYPE > m_VerRange
What range of versions do we support?
Definition: cSSLConfig.h:52

GraySSL::cSSLConfig::m_pCaCrl
cRefPtr< cX509Crl > m_pCaCrl
trusted CA CRLs
Definition: cSSLConfig.h:88

GraySSL::cSSLConfig::m_ECPGroupsAllowed
cECPGroupPrefs m_ECPGroupsAllowed
Allow only these ECPGroup_TYPE curves. 0 terminated array of ECPGroup_TYPE.
Definition: cSSLConfig.h:61

GraySSL::cSSLConfig::SetCAChain
void SetCAChain(cX509Crt *pCaChain, cX509Crl *pCaCrl)
Definition: cSSLConfig.h:256

GraySSL::cSSLConfig::m_bFallbackSCSV
bool m_bFallbackSCSV
flag for allowing fallback connections SSL_FALLBACK_SCSV cipher suite ? (Client only)
Definition: cSSLConfig.h:66

GraySSL::cSSLConfig::put_RenoLegacyType
void put_RenoLegacyType(SSL_RENO_LEGACY_TYPE allow_legacy)
Definition: cSSLConfig.h:144

GraySSL::cSSLConfig::put_RandomNoise
void put_RandomNoise(IRandomNoise *pRandom)
Definition: cSSLConfig.h:122

GraySSL::cSSLConfig::put_SessionTicketLifetime
void put_SessionTicketLifetime(TIMESECD_t lifetime)
Definition: cSSLConfig.h:247

Gray::cRangeT< SSL_VERSION_TYPE >

Gray::cRefPtr
Definition: cRefPtr.h:225

IX509VerifyCert
Definition: cX509.h:119

GrayLib::X509_Verify_t
X509_Verify_t
Definition: cX509.h:41

GrayLib::SSL_MAX_FRAG_TYPE
SSL_MAX_FRAG_TYPE
Definition: SSLTypes.h:170

GrayLib::SSL_VERSION_TYPE
SSL_VERSION_TYPE
Definition: SSLTypes.h:66

GrayLib::SSL_VERSION_QTY
@ SSL_VERSION_QTY
Definition: SSLTypes.h:75

GrayLib::SSL_CipherSuite_t
WORD SSL_CipherSuite_t
SSL_CipherSuite_TYPE stored as 2 bytes.
Definition: SSLTypes.h:110

GraySSL
Definition: GraySSL.cpp:11

GraySSL::SSL_RENO_LEGACY_TYPE
SSL_RENO_LEGACY_TYPE
Definition: cSSLConfig.h:36

GraySSL::SSL_RENO_LEGACY_BREAK_HANDSHAKE
@ SSL_RENO_LEGACY_BREAK_HANDSHAKE
Definition: cSSLConfig.h:42

GraySSL::SSL_RENO_LEGACY_ALLOW_RENEGOTIATION
@ SSL_RENO_LEGACY_ALLOW_RENEGOTIATION
Definition: cSSLConfig.h:41

GraySSL::SSL_RENO_LEGACY_NO_RENEGOTIATION
@ SSL_RENO_LEGACY_NO_RENEGOTIATION
Definition: cSSLConfig.h:40

GraySSL::SSL_AUTHMODE_TYPE
SSL_AUTHMODE_TYPE
Definition: cSSLConfig.h:21

GraySSL::SSL_AUTHMODE_REQUIRED
@ SSL_AUTHMODE_REQUIRED
peer must present a valid certificate, handshake is aborted if verification failed.
Definition: cSSLConfig.h:32

GraySSL::SSL_AUTHMODE_OPTIONAL
@ SSL_AUTHMODE_OPTIONAL
peer certificate is checked, Allow to continue even if CA doesn't validate. Just warn.
Definition: cSSLConfig.h:31

GraySSL::SSL_AUTHMODE_NONE
@ SSL_AUTHMODE_NONE
Don't bother checking at all. peer certificate is not checked. this is insecure and SHOULD be avoided...
Definition: cSSLConfig.h:30

Gray::StrLen_t
int StrLen_t
the length of a string in chars (bytes for UTF8, wchar_t for UNICODE). or offset in characters....
Definition: StrConst.h:32

Gray::TIMESECD_t
int TIMESECD_t
signed delta seconds. like TIMESEC_t. redefined in TimeUnits.h.
Definition: cTimeSys.h:19

GrayLib::cSSL
Definition: SSLTypes.h:270

Gray::IRandomNoise
Definition: cRandom.h:19