Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)

[openssl.git] / ssl / ssl.h
diff --git a/ssl/ssl.h b/ssl/ssl.h

index 7f15173f0e9d9c6a519a4bb65a8e960f13a037d0..9ce2684f4eaa6bb543eb525e0f1ee9bfa83d7e7f 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -369,6 +369,15 @@ typedef struct ssl_session_st SSL_SESSION;
  
  DECLARE_STACK_OF(SSL_CIPHER)
  
+/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
+typedef struct srtp_protection_profile_st
+       {
+       const char *name;
+       unsigned long id;
+       } SRTP_PROTECTION_PROFILE;
+
+DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
+
  typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
  typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
  
@@ -667,6 +676,11 @@ struct ssl_session_st
  #define SSL_get_secure_renegotiation_support(ssl) \
         SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
  
+#ifndef OPENSSL_NO_HEARTBEATS
+#define SSL_heartbeat(ssl) \
+        SSL_ctrl((ssl),SSL_CTRL_TLS_EXT_SEND_HEARTBEAT,0,NULL)
+#endif
+
  void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
  void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
  #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
@@ -686,8 +700,6 @@ typedef struct srp_ctx_st
         int (*SRP_verify_param_callback)(SSL *, void *);
         /* set SRP client passwd callback */
         char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
-       /* set SRP client username callback */
-       char *(*SRP_TLS_ext_missing_srp_client_username_callback)(SSL *, void *);
  
         char *login;
         BIGNUM *N,*g,*s,*B,*A;
@@ -709,7 +721,6 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad);
  int SRP_generate_server_master_secret(SSL *s,unsigned char *master_key);
  int SRP_Calc_A_param(SSL *s);
  int SRP_generate_client_master_secret(SSL *s,unsigned char *master_key);
-int SRP_have_to_put_srp_username(SSL *s);
  
  #endif
  
@@ -966,6 +977,11 @@ struct ssl_ctx_st
  #ifndef OPENSSL_NO_SRP
         SRP_CTX srp_ctx; /* ctx for SRP authentication */
  #endif
+
+#ifndef OPENSSL_NO_TLSEXT
+        /* SRTP profiles we are willing to do from RFC 5764 */
+        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;  
+#endif
         };
  
  #endif
@@ -1327,6 +1343,17 @@ struct ssl_st
  #endif
  
  #define session_ctx initial_ctx
+
+       STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;  /* What we'll do */
+       SRTP_PROTECTION_PROFILE *srtp_profile;            /* What's been chosen */
+
+       unsigned int tlsext_heartbeat;  /* Is use of the Heartbeat extension negotiated?
+                                          0: disabled
+                                          1: enabled
+                                          2: enabled, but not allowed to send Requests
+                                        */
+       unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
+       unsigned int tlsext_hb_seq;     /* HeartbeatRequest sequence number */
  #else
  #define session_ctx ctx
  #endif /* OPENSSL_NO_TLSEXT */
@@ -1343,6 +1370,7 @@ struct ssl_st
  #include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
  #include <openssl/dtls1.h> /* Datagram TLS */
  #include <openssl/ssl23.h>
+#include <openssl/srtp.h>  /* Support for the use_srtp extension */
  
  #ifdef  __cplusplus
  extern "C" {
@@ -1476,8 +1504,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
  #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
  #define SSL_AD_UNKNOWN_PSK_IDENTITY     TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
-#define SSL_AD_UNKNOWN_SRP_USERNAME    TLS1_AD_UNKNOWN_SRP_USERNAME
-#define SSL_AD_MISSING_SRP_USERNAME    TLS1_AD_MISSING_SRP_USERNAME
  
  #define SSL_ERROR_NONE                 0
  #define SSL_ERROR_SSL                  1
@@ -1565,11 +1591,16 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB   75
  #define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB               76
  #define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB            77
-#define SSL_CTRL_SET_TLS_EXT_SRP_MISSING_CLIENT_USERNAME_CB            78
-#define SSL_CTRL_SET_SRP_ARG           79
-#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME              80
-#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH              81
-#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD              82
+
+#define SSL_CTRL_SET_SRP_ARG           78
+#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME              79
+#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH              80
+#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD              81
+#ifndef OPENSSL_NO_HEARTBEATS
+#define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT                                85
+#define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING         86
+#define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS     87
+#endif
  #endif
  
  #define DTLS_CTRL_GET_TIMEOUT          73
@@ -1581,6 +1612,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  #define SSL_CTRL_CLEAR_MODE                    78
  #define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB     79
  
+#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS         82
+#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS       83
+
  #define DTLSv1_get_timeout(ssl, arg) \
         SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
  #define DTLSv1_handle_timeout(ssl) \
@@ -1617,6 +1651,10 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  
  #define SSL_CTX_add_extra_chain_cert(ctx,x509) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
+#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
+#define SSL_CTX_clear_extra_chain_certs(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
  
  #ifndef OPENSSL_NO_BIO
  BIO_METHOD *BIO_f_ssl(void);
@@ -1710,8 +1748,6 @@ long      SSL_SESSION_set_time(SSL_SESSION *s, long t);
  long   SSL_SESSION_get_timeout(const SSL_SESSION *s);
  long   SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
  void   SSL_copy_session_id(SSL *to,const SSL *from);
-unsigned int SSL_SESSION_get_id_len(SSL_SESSION *s);
-const unsigned char *SSL_SESSION_get0_id(SSL_SESSION *s);
  X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
  int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
                                unsigned int sid_ctx_len);
@@ -1719,6 +1755,7 @@ int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
  SSL_SESSION *SSL_SESSION_new(void);
  const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
                                         unsigned int *len);
+unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
  #ifndef OPENSSL_NO_FP_API
  int    SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
  #endif
@@ -1791,8 +1828,6 @@ int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
                                           int (*cb)(SSL *,void *));
  int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
                                       int (*cb)(SSL *,int *,void *));
-int SSL_CTX_set_srp_missing_srp_username_callback(SSL_CTX *ctx,
-                                                 char *(*cb)(SSL *,void *));
  int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
  
  int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
@@ -2012,10 +2047,6 @@ int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
  /* Pre-shared secret session resumption functions */
  int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
  
-int SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
-                           unsigned char *context, int context_len,
-                           unsigned char *out, int olen);
-
  void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
         int (*cb)(SSL *ssl, int is_forward_secure));
  
@@ -2052,6 +2083,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT                253
  #define SSL_F_DTLS1_GET_RECORD                          254
  #define SSL_F_DTLS1_HANDLE_TIMEOUT                      297
+#define SSL_F_DTLS1_HEARTBEAT                           314
  #define SSL_F_DTLS1_OUTPUT_CERT_CHAIN                   255
  #define SSL_F_DTLS1_PREPROCESS_FRAGMENT                         288
  #define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE          256
@@ -2101,6 +2133,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_SSL3_CALLBACK_CTRL                        233
  #define SSL_F_SSL3_CHANGE_CIPHER_STATE                  129
  #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM             130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO                   315
  #define SSL_F_SSL3_CLIENT_HELLO                                 131
  #define SSL_F_SSL3_CONNECT                              132
  #define SSL_F_SSL3_CTRL                                         213
@@ -2144,10 +2177,12 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_SSL3_WRITE_PENDING                        159
  #define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT       298
  #define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT                277
+#define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT          307
  #define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK        215
  #define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK       216
  #define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT       299
  #define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT                278
+#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT          308
  #define SSL_F_SSL_BAD_METHOD                            160
  #define SSL_F_SSL_BYTES_TO_CIPHER_LIST                  161
  #define SSL_F_SSL_CERT_DUP                              221
@@ -2164,6 +2199,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_SSL_CREATE_CIPHER_LIST                    166
  #define SSL_F_SSL_CTRL                                  232
  #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                         168
+#define SSL_F_SSL_CTX_MAKE_PROFILES                     309
  #define SSL_F_SSL_CTX_NEW                               169
  #define SSL_F_SSL_CTX_SET_CIPHER_LIST                   269
  #define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE            290
@@ -2192,8 +2228,10 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_SSL_NEW                                   186
  #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT     300
  #define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT              302
+#define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT        310
  #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT     301
  #define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT              303
+#define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT        311
  #define SSL_F_SSL_PEEK                                  270
  #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT            281
  #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT            282
@@ -2236,6 +2274,8 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_TLS1_CHANGE_CIPHER_STATE                  209
  #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT             274
  #define SSL_F_TLS1_ENC                                  210
+#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL               312
+#define SSL_F_TLS1_HEARTBEAT                            313
  #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT           275
  #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT           276
  #define SSL_F_TLS1_PRF                                  284
@@ -2280,6 +2320,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_BAD_SRP_G_LENGTH                          350
  #define SSL_R_BAD_SRP_N_LENGTH                          351
  #define SSL_R_BAD_SRP_S_LENGTH                          352
+#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST          360
  #define SSL_R_BAD_SSL_FILETYPE                          124
  #define SSL_R_BAD_SSL_SESSION_ID_LENGTH                         125
  #define SSL_R_BAD_STATE                                         126
@@ -2318,6 +2359,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE        322
  #define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE       323
  #define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER              310
+#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST        361
  #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG                         150
  #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY              282
  #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST             151
@@ -2371,6 +2413,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_MISSING_TMP_RSA_KEY                       172
  #define SSL_R_MISSING_TMP_RSA_PKEY                      173
  #define SSL_R_MISSING_VERIFY_MESSAGE                    174
+#define SSL_R_MULTIPLE_SGC_RESTARTS                     370
  #define SSL_R_NON_SSLV2_INITIAL_PACKET                  175
  #define SSL_R_NO_CERTIFICATES_RETURNED                  176
  #define SSL_R_NO_CERTIFICATE_ASSIGNED                   177
@@ -2394,6 +2437,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_NO_RENEGOTIATION                          339
  #define SSL_R_NO_REQUIRED_DIGEST                        324
  #define SSL_R_NO_SHARED_CIPHER                          193
+#define SSL_R_NO_SRTP_PROFILES                          362
  #define SSL_R_NO_VERIFY_CALLBACK                        194
  #define SSL_R_NULL_SSL_CTX                              195
  #define SSL_R_NULL_SSL_METHOD_PASSED                    196
@@ -2440,6 +2484,9 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_SIGNATURE_ALGORITHMS_ERROR                359
  #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE     220
  #define SSL_R_SRP_A_CALC                                356
+#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES          363
+#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG     364
+#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE           365
  #define SSL_R_SSL23_DOING_SESSION_ID_REUSE              221
  #define SSL_R_SSL2_CONNECTION_ID_TOO_LONG               299
  #define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT            321
@@ -2484,6 +2531,9 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_TLSV1_UNRECOGNIZED_NAME                   1112
  #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION               1110
  #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      232
+#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT          368
+#define SSL_R_TLS_HEARTBEAT_PENDING                     369
+#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL                367
  #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST            157
  #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
  #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG   234
@@ -2520,6 +2570,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_UNSUPPORTED_PROTOCOL                      258
  #define SSL_R_UNSUPPORTED_SSL_VERSION                   259
  #define SSL_R_UNSUPPORTED_STATUS_TYPE                   329
+#define SSL_R_USE_SRTP_NOT_NEGOTIATED                   366
  #define SSL_R_WRITE_BIO_NOT_SET                                 260
  #define SSL_R_WRONG_CIPHER_RETURNED                     261
  #define SSL_R_WRONG_MESSAGE_TYPE                        262