Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)

[openssl.git] / ssl / ssl.h
diff --git a/ssl/ssl.h b/ssl/ssl.h

index 92c1f43899d2c3ac781e000d043918e9f1591184..9ce2684f4eaa6bb543eb525e0f1ee9bfa83d7e7f 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -676,6 +676,11 @@ struct ssl_session_st
  #define SSL_get_secure_renegotiation_support(ssl) \
         SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
  
+#ifndef OPENSSL_NO_HEARTBEATS
+#define SSL_heartbeat(ssl) \
+        SSL_ctrl((ssl),SSL_CTRL_TLS_EXT_SEND_HEARTBEAT,0,NULL)
+#endif
+
  void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
  void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
  #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
@@ -695,8 +700,6 @@ typedef struct srp_ctx_st
         int (*SRP_verify_param_callback)(SSL *, void *);
         /* set SRP client passwd callback */
         char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
-       /* set SRP client username callback */
-       char *(*SRP_TLS_ext_missing_srp_client_username_callback)(SSL *, void *);
  
         char *login;
         BIGNUM *N,*g,*s,*B,*A;
@@ -718,7 +721,6 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad);
  int SRP_generate_server_master_secret(SSL *s,unsigned char *master_key);
  int SRP_Calc_A_param(SSL *s);
  int SRP_generate_client_master_secret(SSL *s,unsigned char *master_key);
-int SRP_have_to_put_srp_username(SSL *s);
  
  #endif
  
@@ -1342,8 +1344,16 @@ struct ssl_st
  
  #define session_ctx initial_ctx
  
-        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;  /* What we'll do */
-        SRTP_PROTECTION_PROFILE *srtp_profile;            /* What's been chosen */
+       STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;  /* What we'll do */
+       SRTP_PROTECTION_PROFILE *srtp_profile;            /* What's been chosen */
+
+       unsigned int tlsext_heartbeat;  /* Is use of the Heartbeat extension negotiated?
+                                          0: disabled
+                                          1: enabled
+                                          2: enabled, but not allowed to send Requests
+                                        */
+       unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
+       unsigned int tlsext_hb_seq;     /* HeartbeatRequest sequence number */
  #else
  #define session_ctx ctx
  #endif /* OPENSSL_NO_TLSEXT */
@@ -1581,11 +1591,16 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB   75
  #define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB               76
  #define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB            77
-#define SSL_CTRL_SET_TLS_EXT_SRP_MISSING_CLIENT_USERNAME_CB            78
-#define SSL_CTRL_SET_SRP_ARG           79
-#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME              80
-#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH              81
-#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD              82
+
+#define SSL_CTRL_SET_SRP_ARG           78
+#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME              79
+#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH              80
+#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD              81
+#ifndef OPENSSL_NO_HEARTBEATS
+#define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT                                85
+#define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING         86
+#define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS     87
+#endif
  #endif
  
  #define DTLS_CTRL_GET_TIMEOUT          73
@@ -1597,6 +1612,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  #define SSL_CTRL_CLEAR_MODE                    78
  #define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB     79
  
+#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS         82
+#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS       83
+
  #define DTLSv1_get_timeout(ssl, arg) \
         SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
  #define DTLSv1_handle_timeout(ssl) \
@@ -1633,6 +1651,10 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
  
  #define SSL_CTX_add_extra_chain_cert(ctx,x509) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
+#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
+#define SSL_CTX_clear_extra_chain_certs(ctx) \
+       SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
  
  #ifndef OPENSSL_NO_BIO
  BIO_METHOD *BIO_f_ssl(void);
@@ -1726,8 +1748,6 @@ long      SSL_SESSION_set_time(SSL_SESSION *s, long t);
  long   SSL_SESSION_get_timeout(const SSL_SESSION *s);
  long   SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
  void   SSL_copy_session_id(SSL *to,const SSL *from);
-unsigned int SSL_SESSION_get_id_len(SSL_SESSION *s);
-const unsigned char *SSL_SESSION_get0_id(SSL_SESSION *s);
  X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
  int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
                                unsigned int sid_ctx_len);
@@ -1735,6 +1755,7 @@ int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
  SSL_SESSION *SSL_SESSION_new(void);
  const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
                                         unsigned int *len);
+unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
  #ifndef OPENSSL_NO_FP_API
  int    SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
  #endif
@@ -1807,8 +1828,6 @@ int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
                                           int (*cb)(SSL *,void *));
  int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
                                       int (*cb)(SSL *,int *,void *));
-int SSL_CTX_set_srp_missing_srp_username_callback(SSL_CTX *ctx,
-                                                 char *(*cb)(SSL *,void *));
  int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
  
  int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
@@ -2064,6 +2083,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT                253
  #define SSL_F_DTLS1_GET_RECORD                          254
  #define SSL_F_DTLS1_HANDLE_TIMEOUT                      297
+#define SSL_F_DTLS1_HEARTBEAT                           314
  #define SSL_F_DTLS1_OUTPUT_CERT_CHAIN                   255
  #define SSL_F_DTLS1_PREPROCESS_FRAGMENT                         288
  #define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE          256
@@ -2113,6 +2133,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_SSL3_CALLBACK_CTRL                        233
  #define SSL_F_SSL3_CHANGE_CIPHER_STATE                  129
  #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM             130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO                   315
  #define SSL_F_SSL3_CLIENT_HELLO                                 131
  #define SSL_F_SSL3_CONNECT                              132
  #define SSL_F_SSL3_CTRL                                         213
@@ -2254,6 +2275,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT             274
  #define SSL_F_TLS1_ENC                                  210
  #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL               312
+#define SSL_F_TLS1_HEARTBEAT                            313
  #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT           275
  #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT           276
  #define SSL_F_TLS1_PRF                                  284
@@ -2391,6 +2413,7 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_MISSING_TMP_RSA_KEY                       172
  #define SSL_R_MISSING_TMP_RSA_PKEY                      173
  #define SSL_R_MISSING_VERIFY_MESSAGE                    174
+#define SSL_R_MULTIPLE_SGC_RESTARTS                     370
  #define SSL_R_NON_SSLV2_INITIAL_PACKET                  175
  #define SSL_R_NO_CERTIFICATES_RETURNED                  176
  #define SSL_R_NO_CERTIFICATE_ASSIGNED                   177
@@ -2508,6 +2531,8 @@ void ERR_load_SSL_strings(void);
  #define SSL_R_TLSV1_UNRECOGNIZED_NAME                   1112
  #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION               1110
  #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER      232
+#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT          368
+#define SSL_R_TLS_HEARTBEAT_PENDING                     369
  #define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL                367
  #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST            157
  #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233