ssl.h

来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C头文件 代码 · 共 424 行 · 第 1/2 页

 *	fd - the file descriptor for the connection in question
 *	a - pkcs11 application specific data
 */
extern int SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);

/*
** This is a callback for dealing with server certs that are not authenticated
** by the client.  The client app can decide that it actually likes the
** cert by some external means and restart the connection.
*/
typedef int (*SSLBadCertHandler)(void *arg, PRFileDesc *fd);
extern int SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg);

/*
** Configure ssl for running a secure server. Needs the
** certificate for the server and the servers private key. The arguments
** are copied.
*/
/* Key Exchange values */
typedef enum {
    kt_null = 0,
    kt_rsa,
    kt_dh,
    kt_fortezza,
    kt_kea_size
} SSLKEAType;

extern SECStatus SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
				SECKEYPrivateKey *key, SSLKEAType kea);

/*
** Configure a secure servers session-id cache. Define the maximum number
** of entries in the cache, the longevity of the entires, and the directory
** where the cache files will be placed.  These values can be zero, and 
** if so, the implementation will choose defaults.
** This version of the function is for use in applications that have only one 
** process that uses the cache (even if that process has multiple threads).
*/
extern int SSL_ConfigServerSessionIDCache(int      maxCacheEntries,
					  PRUint32 timeout,
					  PRUint32 ssl3_timeout,
				    const char *   directory);
/*
** Like SSL_ConfigServerSessionIDCache, with one important difference.
** If the application will run multiple processes (as opposed to, or in 
** addition to multiple threads), then it must call this function, instead
** of calling SSL_ConfigServerSessionIDCache().
** This has nothing to do with the number of processORs, only processEs.
** This function sets up a Server Session ID (SID) cache that is safe for
** access by multiple processes on the same system.
*/
extern int SSL_ConfigMPServerSIDCache(int      maxCacheEntries, 
				      PRUint32 timeout,
			       	      PRUint32 ssl3_timeout, 
		                const char *   directory);

/* environment variable set by SSL_ConfigMPServerSIDCache, and queried by
 * SSL_InheritMPServerSIDCache when envString is NULL.
 */
#define SSL_ENV_VAR_NAME            "SSL_INHERITANCE"

/* called in child to inherit SID Cache variables. 
 * If envString is NULL, this function will use the value of the environment
 * variable "SSL_INHERITANCE", otherwise the string value passed in will be 
 * used.
 */
extern SECStatus SSL_InheritMPServerSIDCache(const char * envString);

/*
** Set the callback on a particular socket that gets called when we finish
** performing a handshake.
*/
typedef void (*SSLHandshakeCallback)(PRFileDesc *fd, void *client_data);
extern int SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
				 void *client_data);

/*
** For the server, request a new handshake.  For the client, begin a new
** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
** flushed first, ensuring that a full SSL handshake will be done.
** If flushCache is zero, and an SSL connection is established, it will 
** do the much faster session restart handshake.  This will change the 
** session keys without doing another private key operation.
*/
extern int SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache);

/*
** For the server, request a new handshake.  For the client, begin a new
** handshake.  Flushes SSL3 session cache entry first, ensuring that a 
** full handshake will be done.  
** This call is equivalent to SSL_ReHandshake(fd, PR_TRUE)
*/
extern int SSL_RedoHandshake(PRFileDesc *fd);

/*
** Return 1 if the socket is direct, 0 if not, -1 on error
*/
extern int SSL_CheckDirectSock(PRFileDesc *s);

/*
** A cousin to SSL_Bind, this takes an extra arg: dsthost, so we can
** set up sockd connection. This should be used with socks enabled.
*/
extern int SSL_BindForSockd(PRFileDesc *s, PRNetAddr *sa, long dsthost);

/*
** Configure ssl for using socks.
*/
extern SECStatus SSL_ConfigSockd(PRFileDesc *fd, PRUint32 host, PRUint16 port);

/*
 * Allow the application to pass a URL or hostname into the SSL library
 */
extern int SSL_SetURL(PRFileDesc *fd, const char *url);

/*
** Return the number of bytes that SSL has waiting in internal buffers.
** Return 0 if security is not enabled.
*/
extern int SSL_DataPending(PRFileDesc *fd);

/*
** Invalidate the SSL session associated with fd.
*/
extern int SSL_InvalidateSession(PRFileDesc *fd);

/*
** Return a SECItem containing the SSL session ID associated with the fd.
*/
extern SECItem *SSL_GetSessionID(PRFileDesc *fd);

/*
** Clear out the SSL session cache.
*/
extern void SSL_ClearSessionCache(void);

/*
** Set peer information so we can correctly look up SSL session later.
** You only have to do this if you're tunneling through a proxy.
*/
extern int SSL_SetSockPeerID(PRFileDesc *fd, char *peerID);

/*
** Read the socks config file.  You must do this before doing anything with
** socks.
*/
extern int SSL_ReadSocksConfFile(PRFileDesc *fp);

/*
** Reveal the security information for the peer. 
*/
extern CERTCertificate * SSL_RevealCert(PRFileDesc * socket);
extern void * SSL_RevealPinArg(PRFileDesc * socket);
extern char * SSL_RevealURL(PRFileDesc * socket);


/* This callback may be passed to the SSL library via a call to
 * SSL_GetClientAuthDataHook() for each SSL client socket.
 * It will be invoked when SSL needs to know what certificate and private key
 * (if any) to use to respond to a request for client authentication.
 * If arg is non-NULL, it is a pointer to a NULL-terminated string containing
 * the nickname of the cert/key pair to use.
 * If arg is NULL, this function will search the cert and key databases for 
 * a suitable match and send it if one is found.
 */
extern SECStatus
NSS_GetClientAuthData(void *                       arg,
                      PRFileDesc *                 socket,
                      struct CERTDistNamesStr *    caNames,
                      struct CERTCertificateStr ** pRetCert,
                      struct SECKEYPrivateKeyStr **pRetKey);

/*
 * Look to see if any of the signers in the cert chain for "cert" are found
 * in the list of caNames.  
 * Returns SECSuccess if so, SECFailure if not.
 * Used by NSS_GetClientAuthData.  May be used by other callback functions.
 */
extern SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert, 
                                          CERTDistNames *caNames);

/* 
 * Returns key exchange type of the keys in an SSL server certificate.
 */
extern SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);

/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
 * This essentially enables all supported ciphers.
 */
extern SECStatus NSS_SetDomesticPolicy(void);

/* Set cipher policies to a predefined Policy that is exportable from the USA
 *   according to present U.S. policies as we understand them.
 * See documentation for the list.
 * Note that your particular application program may be able to obtain
 *   an export license with more or fewer capabilities than those allowed
 *   by this function.  In that case, you should use SSL_SetPolicy()
 *   to explicitly allow those ciphers you may legally export.
 */
extern SECStatus NSS_SetExportPolicy(void);

/* Set cipher policies to a predefined Policy that is exportable from the USA
 *   according to present U.S. policies as we understand them, and that the 
 *   nation of France will permit to be imported into their country.
 * See documentation for the list.
 */
extern SECStatus NSS_SetFrancePolicy(void);

SEC_END_PROTOS

#endif /* __ssl_h_ */