diff options
author | Matt Caswell <matt@openssl.org> | 2015-01-22 02:47:42 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-01-22 09:52:55 +0000 |
commit | 40720ce3caf44294b5b87a18856b7aef06123314 (patch) | |
tree | 30d57dec407c05fe6ea57275517805e8c79a7dcc /ssl/ssl.h | |
parent | 9d03aabea3ead1fe6a194297ddffd4a87f89b93c (diff) |
Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'ssl/ssl.h')
-rw-r--r-- | ssl/ssl.h | 3517 |
1 files changed, 1781 insertions, 1736 deletions
@@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -63,7 +63,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -116,7 +116,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -163,35 +163,35 @@ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by + * ECC cipher suite support in OpenSSL originally developed by * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ -#ifndef HEADER_SSL_H -#define HEADER_SSL_H - -#include <openssl/e_os2.h> - -#ifndef OPENSSL_NO_COMP -#include <openssl/comp.h> -#endif -#ifndef OPENSSL_NO_BIO -#include <openssl/bio.h> -#endif -#ifndef OPENSSL_NO_DEPRECATED -#ifndef OPENSSL_NO_X509 -#include <openssl/x509.h> -#endif -#include <openssl/crypto.h> -#include <openssl/lhash.h> -#include <openssl/buffer.h> -#endif -#include <openssl/pem.h> -#include <openssl/hmac.h> - -#include <openssl/kssl.h> -#include <openssl/safestack.h> -#include <openssl/symhacks.h> +#ifndef HEADER_SSL_H +# define HEADER_SSL_H + +# include <openssl/e_os2.h> + +# ifndef OPENSSL_NO_COMP +# include <openssl/comp.h> +# endif +# ifndef OPENSSL_NO_BIO +# include <openssl/bio.h> +# endif +# ifndef OPENSSL_NO_DEPRECATED +# ifndef OPENSSL_NO_X509 +# include <openssl/x509.h> +# endif +# include <openssl/crypto.h> +# include <openssl/lhash.h> +# include <openssl/buffer.h> +# endif +# include <openssl/pem.h> +# include <openssl/hmac.h> + +# include <openssl/kssl.h> +# include <openssl/safestack.h> +# include <openssl/symhacks.h> #ifdef __cplusplus extern "C" { @@ -202,103 +202,105 @@ extern "C" { * Version 0 - initial version * Version 1 - added the optional peer certificate */ -#define SSL_SESSION_ASN1_VERSION 0x0001 +# define SSL_SESSION_ASN1_VERSION 0x0001 /* text strings for the ciphers */ -#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5 -#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5 -#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 -#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5 -#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 -#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5 -#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5 -#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA -#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 -#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA - -/* VRS Additional Kerberos5 entries +# define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5 +# define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5 +# define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 +# define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5 +# define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 +# define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5 +# define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5 +# define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA +# define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 +# define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA + +/* + * VRS Additional Kerberos5 entries */ -#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA -#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA -#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA -#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA -#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 -#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 -#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5 -#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 - -#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA -#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA -#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA -#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 -#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5 -#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5 - -#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA -#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 -#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA -#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 -#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA -#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 -#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256 - -#define SSL_MAX_SSL_SESSION_ID_LENGTH 32 -#define SSL_MAX_SID_CTX_LENGTH 32 - -#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8) -#define SSL_MAX_KEY_ARG_LENGTH 8 -#define SSL_MAX_MASTER_KEY_LENGTH 48 +# define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA +# define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA +# define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA +# define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA +# define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 +# define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 +# define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5 +# define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 + +# define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA +# define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA +# define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA +# define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 +# define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5 +# define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5 + +# define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA +# define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 +# define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA +# define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 +# define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA +# define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 +# define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256 + +# define SSL_MAX_SSL_SESSION_ID_LENGTH 32 +# define SSL_MAX_SID_CTX_LENGTH 32 + +# define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8) +# define SSL_MAX_KEY_ARG_LENGTH 8 +# define SSL_MAX_MASTER_KEY_LENGTH 48 /* These are used to specify which ciphers to use and not to use */ -#define SSL_TXT_LOW "LOW" -#define SSL_TXT_MEDIUM "MEDIUM" -#define SSL_TXT_HIGH "HIGH" -#define SSL_TXT_FIPS "FIPS" -#define SSL_TXT_kFZA "kFZA" -#define SSL_TXT_aFZA "aFZA" -#define SSL_TXT_eFZA "eFZA" -#define SSL_TXT_FZA "FZA" - -#define SSL_TXT_aNULL "aNULL" -#define SSL_TXT_eNULL "eNULL" -#define SSL_TXT_NULL "NULL" - -#define SSL_TXT_kKRB5 "kKRB5" -#define SSL_TXT_aKRB5 "aKRB5" -#define SSL_TXT_KRB5 "KRB5" - -#define SSL_TXT_kRSA "kRSA" -#define SSL_TXT_kDHr "kDHr" -#define SSL_TXT_kDHd "kDHd" -#define SSL_TXT_kEDH "kEDH" -#define SSL_TXT_aRSA "aRSA" -#define SSL_TXT_aDSS "aDSS" -#define SSL_TXT_aDH "aDH" -#define SSL_TXT_DSS "DSS" -#define SSL_TXT_DH "DH" -#define SSL_TXT_EDH "EDH" -#define SSL_TXT_ADH "ADH" -#define SSL_TXT_RSA "RSA" -#define SSL_TXT_DES "DES" -#define SSL_TXT_3DES "3DES" -#define SSL_TXT_RC4 "RC4" -#define SSL_TXT_RC2 "RC2" -#define SSL_TXT_IDEA "IDEA" -#define SSL_TXT_SEED "SEED" -#define SSL_TXT_AES "AES" -#define SSL_TXT_CAMELLIA "CAMELLIA" -#define SSL_TXT_MD5 "MD5" -#define SSL_TXT_SHA1 "SHA1" -#define SSL_TXT_SHA "SHA" -#define SSL_TXT_EXP "EXP" -#define SSL_TXT_EXPORT "EXPORT" -#define SSL_TXT_EXP40 "EXPORT40" -#define SSL_TXT_EXP56 "EXPORT56" -#define SSL_TXT_SSLV2 "SSLv2" -#define SSL_TXT_SSLV3 "SSLv3" -#define SSL_TXT_TLSV1 "TLSv1" -#define SSL_TXT_ALL "ALL" -#define SSL_TXT_ECC "ECCdraft" /* ECC ciphersuites are not yet official */ +# define SSL_TXT_LOW "LOW" +# define SSL_TXT_MEDIUM "MEDIUM" +# define SSL_TXT_HIGH "HIGH" +# define SSL_TXT_FIPS "FIPS" +# define SSL_TXT_kFZA "kFZA" +# define SSL_TXT_aFZA "aFZA" +# define SSL_TXT_eFZA "eFZA" +# define SSL_TXT_FZA "FZA" + +# define SSL_TXT_aNULL "aNULL" +# define SSL_TXT_eNULL "eNULL" +# define SSL_TXT_NULL "NULL" + +# define SSL_TXT_kKRB5 "kKRB5" +# define SSL_TXT_aKRB5 "aKRB5" +# define SSL_TXT_KRB5 "KRB5" + +# define SSL_TXT_kRSA "kRSA" +# define SSL_TXT_kDHr "kDHr" +# define SSL_TXT_kDHd "kDHd" +# define SSL_TXT_kEDH "kEDH" +# define SSL_TXT_aRSA "aRSA" +# define SSL_TXT_aDSS "aDSS" +# define SSL_TXT_aDH "aDH" +# define SSL_TXT_DSS "DSS" +# define SSL_TXT_DH "DH" +# define SSL_TXT_EDH "EDH" +# define SSL_TXT_ADH "ADH" +# define SSL_TXT_RSA "RSA" +# define SSL_TXT_DES "DES" +# define SSL_TXT_3DES "3DES" +# define SSL_TXT_RC4 "RC4" +# define SSL_TXT_RC2 "RC2" +# define SSL_TXT_IDEA "IDEA" +# define SSL_TXT_SEED "SEED" +# define SSL_TXT_AES "AES" +# define SSL_TXT_CAMELLIA "CAMELLIA" +# define SSL_TXT_MD5 "MD5" +# define SSL_TXT_SHA1 "SHA1" +# define SSL_TXT_SHA "SHA" +# define SSL_TXT_EXP "EXP" +# define SSL_TXT_EXPORT "EXPORT" +# define SSL_TXT_EXP40 "EXPORT40" +# define SSL_TXT_EXP56 "EXPORT56" +# define SSL_TXT_SSLV2 "SSLv2" +# define SSL_TXT_SSLV3 "SSLv3" +# define SSL_TXT_TLSV1 "TLSv1" +# define SSL_TXT_ALL "ALL" +# define SSL_TXT_ECC "ECCdraft"/* ECC ciphersuites are not yet + * official */ /*- * COMPLEMENTOF* definitions. These identifiers are used to (de-select) @@ -314,18 +316,19 @@ extern "C" { * DEFAULT gets, as only selection is being done and no sorting as needed * for DEFAULT. */ -#define SSL_TXT_CMPALL "COMPLEMENTOFALL" -#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" +# define SSL_TXT_CMPALL "COMPLEMENTOFALL" +# define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" -/* The following cipher list is used by default. - * It also is substituted when an application-defined cipher list string - * starts with 'DEFAULT'. */ +/* + * The following cipher list is used by default. It also is substituted when + * an application-defined cipher list string starts with 'DEFAULT'. + */ /* low priority for RC4 */ -#define SSL_DEFAULT_CIPHER_LIST "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" +# define SSL_DEFAULT_CIPHER_LIST "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ -#define SSL_SENT_SHUTDOWN 1 -#define SSL_RECEIVED_SHUTDOWN 2 +# define SSL_SENT_SHUTDOWN 1 +# define SSL_RECEIVED_SHUTDOWN 2 #ifdef __cplusplus } @@ -335,834 +338,859 @@ extern "C" { extern "C" { #endif -#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2) -#define OPENSSL_NO_SSL2 -#endif +# if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2) +# define OPENSSL_NO_SSL2 +# endif -#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 -#define SSL_FILETYPE_PEM X509_FILETYPE_PEM +# define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 +# define SSL_FILETYPE_PEM X509_FILETYPE_PEM -/* This is needed to stop compilers complaining about the - * 'struct ssl_st *' function parameters used to prototype callbacks - * in SSL_CTX. */ +/* + * This is needed to stop compilers complaining about the 'struct ssl_st *' + * function parameters used to prototype callbacks in SSL_CTX. + */ typedef struct ssl_st *ssl_crock_st; /* used to hold info on the particular ciphers used */ -typedef struct ssl_cipher_st - { - int valid; - const char *name; /* text name */ - unsigned long id; /* id, 4 bytes, first is version */ - unsigned long algorithms; /* what ciphers are used */ - unsigned long algo_strength; /* strength and export flags */ - unsigned long algorithm2; /* Extra flags */ - int strength_bits; /* Number of bits really used */ - int alg_bits; /* Number of bits for algorithm */ - unsigned long mask; /* used for matching */ - unsigned long mask_strength; /* also used for matching */ - } SSL_CIPHER; +typedef struct ssl_cipher_st { + int valid; + const char *name; /* text name */ + unsigned long id; /* id, 4 bytes, first is version */ + unsigned long algorithms; /* what ciphers are used */ + unsigned long algo_strength; /* strength and export flags */ + unsigned long algorithm2; /* Extra flags */ + int strength_bits; /* Number of bits really used */ + int alg_bits; /* Number of bits for algorithm */ + unsigned long mask; /* used for matching */ + unsigned long mask_strength; /* also used for matching */ +} SSL_CIPHER; DECLARE_STACK_OF(SSL_CIPHER) /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ -typedef struct ssl_method_st - { - int version; - int (*ssl_new)(SSL *s); - void (*ssl_clear)(SSL *s); - void (*ssl_free)(SSL *s); - int (*ssl_accept)(SSL *s); - int (*ssl_connect)(SSL *s); - int (*ssl_read)(SSL *s,void *buf,int len); - int (*ssl_peek)(SSL *s,void *buf,int len); - int (*ssl_write)(SSL *s,const void *buf,int len); - int (*ssl_shutdown)(SSL *s); - int (*ssl_renegotiate)(SSL *s); - int (*ssl_renegotiate_check)(SSL *s); - long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, long - max, int *ok); - int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len, - int peek); - int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len); - int (*ssl_dispatch_alert)(SSL *s); - long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg); - long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg); - SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); - int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr); - int (*ssl_pending)(const SSL *s); - int (*num_ciphers)(void); - SSL_CIPHER *(*get_cipher)(unsigned ncipher); - struct ssl_method_st *(*get_ssl_method)(int version); - long (*get_timeout)(void); - struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ - int (*ssl_version)(void); - long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void)); - long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void)); - } SSL_METHOD; +typedef struct ssl_method_st { + int version; + int (*ssl_new) (SSL *s); + void (*ssl_clear) (SSL *s); + void (*ssl_free) (SSL *s); + int (*ssl_accept) (SSL *s); + int (*ssl_connect) (SSL *s); + int (*ssl_read) (SSL *s, void *buf, int len); + int (*ssl_peek) (SSL *s, void *buf, int len); + int (*ssl_write) (SSL *s, const void *buf, int len); + int (*ssl_shutdown) (SSL *s); + int (*ssl_renegotiate) (SSL *s); + int (*ssl_renegotiate_check) (SSL *s); + long (*ssl_get_message) (SSL *s, int st1, int stn, int mt, long + max, int *ok); + int (*ssl_read_bytes) (SSL *s, int type, unsigned char *buf, int len, + int peek); + int (*ssl_write_bytes) (SSL *s, int type, const void *buf_, int len); + int (*ssl_dispatch_alert) (SSL *s); + long (*ssl_ctrl) (SSL *s, int cmd, long larg, void *parg); + long (*ssl_ctx_ctrl) (SSL_CTX *ctx, int cmd, long larg, void *parg); + SSL_CIPHER *(*get_cipher_by_char) (const unsigned char *ptr); + int (*put_cipher_by_char) (const SSL_CIPHER *cipher, unsigned char *ptr); + int (*ssl_pending) (const SSL *s); + int (*num_ciphers) (void); + SSL_CIPHER *(*get_cipher) (unsigned ncipher); + struct ssl_method_st *(*get_ssl_method) (int version); + long (*get_timeout) (void); + struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ + int (*ssl_version) (void); + long (*ssl_callback_ctrl) (SSL *s, int cb_id, void (*fp) (void)); + long (*ssl_ctx_callback_ctrl) (SSL_CTX *s, int cb_id, void (*fp) (void)); +} SSL_METHOD; /*- * Lets make this into an ASN.1 type structure as follows * SSL_SESSION_ID ::= SEQUENCE { - * version INTEGER, -- structure version number - * SSLversion INTEGER, -- SSL version number - * Cipher OCTET_STRING, -- the 3 byte cipher ID - * Session_ID OCTET_STRING, -- the Session ID - * Master_key OCTET_STRING, -- the master key - * KRB5_principal OCTET_STRING -- optional Kerberos principal - * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument - * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time - * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds - * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate - * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context - * Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer' - * Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX - * } + * version INTEGER, -- structure version number + * SSLversion INTEGER, -- SSL version number + * Cipher OCTET_STRING, -- the 3 byte cipher ID + * Session_ID OCTET_STRING, -- the Session ID + * Master_key OCTET_STRING, -- the master key + * KRB5_principal OCTET_STRING -- optional Kerberos principal + * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument + * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time + * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds + * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate + * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context + * Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer' + * Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX + * } * Look in ssl/ssl_asn1.c for more details * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). */ -typedef struct ssl_session_st - { - int ssl_version; /* what ssl version session info is - * being kept in here? */ - - /* only really used in SSLv2 */ - unsigned int key_arg_length; - unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; - int master_key_length; - unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; - /* session_id - valid? */ - unsigned int session_id_length; - unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; - /* this is used to determine whether the session is being reused in - * the appropriate context. It is up to the application to set this, - * via SSL_new */ - unsigned int sid_ctx_length; - unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - -#ifndef OPENSSL_NO_KRB5 - unsigned int krb5_client_princ_len; - unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH]; -#endif /* OPENSSL_NO_KRB5 */ - - int not_resumable; - - /* The cert is the certificate used to establish this connection */ - struct sess_cert_st /* SESS_CERT */ *sess_cert; - - /* This is the cert for the other end. - * On clients, it will be the same as sess_cert->peer_key->x509 - * (the latter is not enough as sess_cert is not retained - * in the external representation of sessions, see ssl_asn1.c). */ - X509 *peer; - /* when app_verify_callback accepts a session where the peer's certificate - * is not ok, we must remember the error for session reuse: */ - long verify_result; /* only for servers */ - - int references; - long timeout; - long time; - - int compress_meth; /* Need to lookup the method */ - - SSL_CIPHER *cipher; - unsigned long cipher_id; /* when ASN.1 loaded, this - * needs to be used to load - * the 'cipher' structure */ - - STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ - - CRYPTO_EX_DATA ex_data; /* application specific data */ - - /* These are used to make removal of session-ids more - * efficient and to implement a maximum cache size. */ - struct ssl_session_st *prev,*next; -#ifndef OPENSSL_NO_TLSEXT - char *tlsext_hostname; - /* RFC4507 info */ - unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ - long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ -#endif - } SSL_SESSION; - - -#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L -#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L +typedef struct ssl_session_st { + int ssl_version; /* what ssl version session info is being + * kept in here? */ + /* only really used in SSLv2 */ + unsigned int key_arg_length; + unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; + int master_key_length; + unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; + /* session_id - valid? */ + unsigned int session_id_length; + unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + /* + * this is used to determine whether the session is being reused in the + * appropriate context. It is up to the application to set this, via + * SSL_new + */ + unsigned int sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; +# ifndef OPENSSL_NO_KRB5 + unsigned int krb5_client_princ_len; + unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH]; +# endif /* OPENSSL_NO_KRB5 */ + int not_resumable; + /* The cert is the certificate used to establish this connection */ + struct sess_cert_st /* SESS_CERT */ *sess_cert; + /* + * This is the cert for the other end. On clients, it will be the same as + * sess_cert->peer_key->x509 (the latter is not enough as sess_cert is + * not retained in the external representation of sessions, see + * ssl_asn1.c). + */ + X509 *peer; + /* + * when app_verify_callback accepts a session where the peer's + * certificate is not ok, we must remember the error for session reuse: + */ + long verify_result; /* only for servers */ + int references; + long timeout; + long time; + int compress_meth; /* Need to lookup the method */ + SSL_CIPHER *cipher; + unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used + * to load the 'cipher' structure */ + STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ + CRYPTO_EX_DATA ex_data; /* application specific data */ + /* + * These are used to make removal of session-ids more efficient and to + * implement a maximum cache size. + */ + struct ssl_session_st *prev, *next; +# ifndef OPENSSL_NO_TLSEXT + char *tlsext_hostname; + /* RFC4507 info */ + unsigned char *tlsext_tick; /* Session ticket */ + size_t tlsext_ticklen; /* Session ticket length */ + long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ +# endif +} SSL_SESSION; + +# define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L +# define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L /* Allow initial connection to servers that don't support RI */ -#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L -#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L -#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L -#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L -#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L -#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L -#define SSL_OP_TLS_D5_BUG 0x00000100L -#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L +# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L +# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L +# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L +# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L +# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L +# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L +# define SSL_OP_TLS_D5_BUG 0x00000100L +# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 - -/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added - * in OpenSSL 0.9.6d. Usually (depending on the application protocol) - * the workaround is not needed. Unfortunately some broken SSL/TLS - * implementations cannot handle it at all, which is why we include - * it in SSL_OP_ALL. */ +# define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 + +/* + * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in + * OpenSSL 0.9.6d. Usually (depending on the application protocol) the + * workaround is not needed. Unfortunately some broken SSL/TLS + * implementations cannot handle it at all, which is why we include it in + * SSL_OP_ALL. + */ /* added in 0.9.6e */ -#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L +# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L -/* SSL_OP_ALL: various bug workarounds that should be rather harmless. - * This used to be 0x000FFFFFL before 0.9.7. */ -#define SSL_OP_ALL 0x00000FFFL +/* + * SSL_OP_ALL: various bug workarounds that should be rather harmless. This + * used to be 0x000FFFFFL before 0.9.7. + */ +# define SSL_OP_ALL 0x00000FFFL /* DTLS options */ -#define SSL_OP_NO_QUERY_MTU 0x00001000L +# define SSL_OP_NO_QUERY_MTU 0x00001000L /* Turn on Cookie Exchange (on relevant for servers) */ -#define SSL_OP_COOKIE_EXCHANGE 0x00002000L +# define SSL_OP_COOKIE_EXCHANGE 0x00002000L /* Don't use RFC4507 ticket extension */ -#define SSL_OP_NO_TICKET 0x00004000L +# define SSL_OP_NO_TICKET 0x00004000L /* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */ -#define SSL_OP_CISCO_ANYCONNECT 0x00008000L +# define SSL_OP_CISCO_ANYCONNECT 0x00008000L /* As server, disallow session resumption on renegotiation */ -#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L +# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L /* Permit unsafe legacy renegotiation */ -#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L +# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L /* If set, always create a new key when using tmp_ecdh parameters */ -#define SSL_OP_SINGLE_ECDH_USE 0x00080000L +# define SSL_OP_SINGLE_ECDH_USE 0x00080000L /* If set, always create a new key when using tmp_dh parameters */ -#define SSL_OP_SINGLE_DH_USE 0x00100000L +# define SSL_OP_SINGLE_DH_USE 0x00100000L /* Does nothing: retained for compatibiity */ -#define SSL_OP_EPHEMERAL_RSA 0x0 -/* Set on servers to choose the cipher according to the server's - * preferences */ -#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L -/* If set, a server will allow a client to issue a SSLv3.0 version number - * as latest version supported in the premaster secret, even when TLSv1.0 +# define SSL_OP_EPHEMERAL_RSA 0x0 +/* + * Set on servers to choose the cipher according to the server's preferences + */ +# define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L +/* + * If set, a server will allow a client to issue a SSLv3.0 version number as + * latest version supported in the premaster secret, even when TLSv1.0 * (version 3.1) was announced in the client hello. Normally this is - * forbidden to prevent version rollback attacks. */ -#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L - -#define SSL_OP_NO_SSLv2 0x01000000L -#define SSL_OP_NO_SSLv3 0x02000000L -#define SSL_OP_NO_TLSv1 0x04000000L - -/* The next flag deliberately changes the ciphertest, this is a check - * for the PKCS#1 attack */ -#define SSL_OP_PKCS1_CHECK_1 0x08000000L -#define SSL_OP_PKCS1_CHECK_2 0x10000000L -#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L -#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L - - -/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success - * when just a single record has been written): */ -#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L -/* Make it possible to retry SSL_write() with changed buffer location - * (buffer contents must stay the same!); this is not the default to avoid - * the misconception that non-blocking SSL_write() behaves like - * non-blocking write(): */ -#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L -/* Never bother the application with retries if the transport - * is blocking: */ -#define SSL_MODE_AUTO_RETRY 0x00000004L + * forbidden to prevent version rollback attacks. + */ +# define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L + +# define SSL_OP_NO_SSLv2 0x01000000L +# define SSL_OP_NO_SSLv3 0x02000000L +# define SSL_OP_NO_TLSv1 0x04000000L + +/* + * The next flag deliberately changes the ciphertest, this is a check for the + * PKCS#1 attack + */ +# define SSL_OP_PKCS1_CHECK_1 0x08000000L +# define SSL_OP_PKCS1_CHECK_2 0x10000000L +# define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L +# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L + +/* + * Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success + * when just a single record has been written): + */ +# define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L +/* + * Make it possible to retry SSL_write() with changed buffer location (buffer + * contents must stay the same!); this is not the default to avoid the + * misconception that non-blocking SSL_write() behaves like non-blocking + * write(): + */ +# define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L +/* + * Never bother the application with retries if the transport is blocking: + */ +# define SSL_MODE_AUTO_RETRY 0x00000004L /* Don't attempt to automatically build certificate chain */ -#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L -/* Send TLS_FALLBACK_SCSV in the ClientHello. - * To be set only by applications that reconnect with a downgraded protocol - * version; see draft-ietf-tls-downgrade-scsv-00 for details. - * - * DO NOT ENABLE THIS if your application attempts a normal handshake. - * Only use this in explicit fallback retries, following the guidance - * in draft-ietf-tls-downgrade-scsv-00. +# define SSL_MODE_NO_AUTO_CHAIN 0x00000008L +/* + * Send TLS_FALLBACK_SCSV in the ClientHello. To be set only by applications + * that reconnect with a downgraded protocol version; see + * draft-ietf-tls-downgrade-scsv-00 for details. DO NOT ENABLE THIS if your + * application attempts a normal handshake. Only use this in explicit + * fallback retries, following the guidance in + * draft-ietf-tls-downgrade-scsv-00. + */ +# define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L + +/* + * Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they + * cannot be used to clear bits. */ -#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L - - -/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, - * they cannot be used to clear bits. */ - -#define SSL_CTX_set_options(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) -#define SSL_CTX_clear_options(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) -#define SSL_CTX_get_options(ctx) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL) -#define SSL_set_options(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) -#define SSL_clear_options(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) -#define SSL_get_options(ssl) \ + +# define SSL_CTX_set_options(ctx,op) \ + SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) +# define SSL_CTX_clear_options(ctx,op) \ + SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) +# define SSL_CTX_get_options(ctx) \ + SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL) +# define SSL_set_options(ssl,op) \ + SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) +# define SSL_clear_options(ssl,op) \ + SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) +# define SSL_get_options(ssl) \ SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL) -#define SSL_CTX_set_mode(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) -#define SSL_CTX_clear_mode(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL) -#define SSL_CTX_get_mode(ctx) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL) -#define SSL_clear_mode(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL) -#define SSL_set_mode(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL) -#define SSL_get_mode(ssl) \ +# define SSL_CTX_set_mode(ctx,op) \ + SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) +# define SSL_CTX_clear_mode(ctx,op) \ + SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL) +# define SSL_CTX_get_mode(ctx) \ + SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL) +# define SSL_clear_mode(ssl,op) \ + SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL) +# define SSL_set_mode(ssl,op) \ + SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL) +# define SSL_get_mode(ssl) \ SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL) -#define SSL_set_mtu(ssl, mtu) \ +# define SSL_set_mtu(ssl, mtu) \ SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL) -#define SSL_get_secure_renegotiation_support(ssl) \ - SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL) - -void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); -void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); |