# include <openssl/ssl.h>
# include <openssl/async.h>
# include <openssl/symhacks.h>
-
+# ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+# endif
#include "record/record.h"
#include "statem/statem.h"
#include "packet_locl.h"
# define SSL_eGOST2814789CNT12 0x00040000U
# define SSL_CHACHA20POLY1305 0x00080000U
-# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM|SSL_AES128CCM|SSL_AES256CCM|SSL_AES128CCM8|SSL_AES256CCM8)
+# define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
+# define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
+# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
# define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
char *srp_username;
# endif
uint32_t flags;
+ CRYPTO_RWLOCK *lock;
};
/* Extended master secret support */
int quiet_shutdown;
+# ifndef OPENSSL_NO_CT
+ CTLOG_STORE *ctlog_store; /* CT Log Store */
+ /*
+ * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
+ * If they are not, the connection should be aborted.
+ */
+ ct_validation_cb ct_validation_callback;
+ void *ct_validation_callback_arg;
+# endif
+
+ /*
+ * If we're using more than one pipeline how should we divide the data
+ * up between the pipes?
+ */
+ unsigned int split_send_fragment;
/*
* Maximum amount of data to send in one fragment. actual record size can
* be more than this due to padding and MAC overheads.
*/
unsigned int max_send_fragment;
+ /* Up to how many pipelines should we use? If 0 then 1 is assumed */
+ unsigned int max_pipelines;
+
+ /* The default read buffer length to use (0 means not set) */
+ size_t default_read_buf_len;
+
# ifndef OPENSSL_NO_ENGINE
/*
* Engine to pass requests for client certs to
size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist;
# endif /* OPENSSL_NO_EC */
+ CRYPTO_RWLOCK *lock;
};
int first_packet;
/* what was passed, used for SSLv3/TLS rollback check */
int client_version;
+
+ /*
+ * If we're using more than one pipeline how should we divide the data
+ * up between the pipes?
+ */
+ unsigned int split_send_fragment;
+ /*
+ * Maximum amount of data to send in one fragment. actual record size can
+ * be more than this due to padding and MAC overheads.
+ */
unsigned int max_send_fragment;
+ /* Up to how many pipelines should we use? If 0 then 1 is assumed */
+ unsigned int max_pipelines;
+
/* TLS extension debug callback */
void (*tlsext_debug_cb) (SSL *s, int client_server, int type,
const unsigned char *data, int len, void *arg);
/* certificate status request info */
/* Status type or -1 if no status type */
int tlsext_status_type;
+# ifndef OPENSSL_NO_CT
+ /*
+ * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
+ * If they are not, the connection should be aborted.
+ */
+ ct_validation_cb ct_validation_callback;
+ /* User-supplied argument tha tis passed to the ct_validation_callback */
+ void *ct_validation_callback_arg;
+ /*
+ * Consolidated stack of SCTs from all sources.
+ * Lazily populated by CT_get_peer_scts(SSL*)
+ */
+ STACK_OF(SCT) *scts;
+ /* Raw extension data, if seen */
+ unsigned char *tlsext_scts;
+ /* Length of raw extension data, if seen */
+ uint16_t tlsext_scts_len;
+ /* Have we attempted to find/parse SCTs yet? */
+ int scts_parsed;
+# endif
/* Expect OCSP CertificateStatus message */
int tlsext_status_expected;
/* OCSP status request only */
/* Async Job info */
ASYNC_JOB *job;
+ ASYNC_WAIT_CTX *waitctx;
+
+ CRYPTO_RWLOCK *lock;
};
* that the server selected once the ServerHello has been processed.
*/
unsigned char *alpn_selected;
- unsigned alpn_selected_len;
+ size_t alpn_selected_len;
+ /* used by the server to know what options were proposed */
+ unsigned char *alpn_proposed;
+ size_t alpn_proposed_len;
+ /* used by the client to know if it actually sent alpn */
+ int alpn_sent;
# ifndef OPENSSL_NO_EC
/*
char *psk_identity_hint;
#endif
int references; /* >1 only if SSL_copy_session_id is used */
+ CRYPTO_RWLOCK *lock;
} CERT;
/* Structure containing decoded values of signature algorithms extension */
unsigned char rhash;
};
-/*
- * #define MAC_DEBUG
- */
-
-/*
- * #define ERR_DEBUG
- */
-/*
- * #define ABORT_DEBUG
- */
-/*
- * #define PKT_DEBUG 1
- */
-/*
- * #define DES_DEBUG
- */
-/*
- * #define DES_OFB_DEBUG
- */
-/*
- * #define SSL_DEBUG
- */
-/*
- * #define RSA_DEBUG
- */
-/*
- * #define IDEA_DEBUG
- */
-
# define FP_ICC (int (*)(const void *,const void *))
/*
* of a mess of functions, but hell, think of it as an opaque structure :-)
*/
typedef struct ssl3_enc_method {
- int (*enc) (SSL *, int);
- int (*mac) (SSL *, unsigned char *, int);
+ int (*enc) (SSL *, SSL3_RECORD *, unsigned int, int);
+ int (*mac) (SSL *, SSL3_RECORD *, unsigned char *, int);
int (*setup_key_block) (SSL *);
int (*generate_master_secret) (SSL *, unsigned char *, unsigned char *,
int);
size_t *serverinfo_length);
__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
__owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
-void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher);
+void ssl_set_masks(SSL *s);
__owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
__owur int ssl_verify_alarm_type(long type);
void ssl_load_ciphers(void);
__owur long tls1_default_timeout(void);
__owur int dtls1_do_write(SSL *s, int type);
void dtls1_set_message_header(SSL *s,
- unsigned char *p, unsigned char mt,
+ unsigned char mt,
unsigned long len,
unsigned long frag_off,
unsigned long frag_len);
__owur int dtls1_read_failed(SSL *s, int code);
__owur int dtls1_buffer_message(SSL *s, int ccs);
-__owur int dtls1_retransmit_message(SSL *s, unsigned short seq,
- unsigned long frag_off, int *found);
+__owur int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found);
__owur int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
int dtls1_retransmit_buffered_messages(SSL *s);
void dtls1_clear_record_buffer(SSL *s);
int idx);
void tls1_set_cert_validity(SSL *s);
+#ifndef OPENSSL_NO_CT
+__owur int ssl_validate_ct(SSL *s);
+#endif
+
# ifndef OPENSSL_NO_DH
__owur DH *ssl_get_auto_dh(SSL *s);
# endif