# define SSL_TXT_HIGH "HIGH"
# define SSL_TXT_FIPS "FIPS"
-# define SSL_TXT_kFZA "kFZA"/* unused! */
-# define SSL_TXT_aFZA "aFZA"/* unused! */
-# define SSL_TXT_eFZA "eFZA"/* unused! */
-# define SSL_TXT_FZA "FZA"/* unused! */
-
# define SSL_TXT_aNULL "aNULL"
# define SSL_TXT_eNULL "eNULL"
# define SSL_TXT_NULL "NULL"
# endif
-# ifndef OPENSSL_NO_SSL_INTERN
-
-/* used to hold info on the particular ciphers used */
-struct ssl_cipher_st {
- int valid;
- const char *name; /* text name */
- unsigned long id; /* id, 4 bytes, first is version */
- /*
- * changed in 0.9.9: these four used to be portions of a single value
- * 'algorithms'
- */
- unsigned long algorithm_mkey; /* key exchange algorithm */
- unsigned long algorithm_auth; /* server authentication */
- unsigned long algorithm_enc; /* symmetric encryption */
- unsigned long algorithm_mac; /* symmetric authentication */
- unsigned long algorithm_ssl; /* (major) protocol version */
- unsigned long algo_strength; /* strength and export flags */
- unsigned long algorithm2; /* Extra flags */
- int strength_bits; /* Number of bits really used */
- int alg_bits; /* Number of bits for algorithm */
-};
-
-/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
-struct ssl_method_st {
- int version;
- int (*ssl_new) (SSL *s);
- void (*ssl_clear) (SSL *s);
- void (*ssl_free) (SSL *s);
- int (*ssl_accept) (SSL *s);
- int (*ssl_connect) (SSL *s);
- int (*ssl_read) (SSL *s, void *buf, int len);
- int (*ssl_peek) (SSL *s, void *buf, int len);
- int (*ssl_write) (SSL *s, const void *buf, int len);
- int (*ssl_shutdown) (SSL *s);
- int (*ssl_renegotiate) (SSL *s);
- int (*ssl_renegotiate_check) (SSL *s);
- long (*ssl_get_message) (SSL *s, int st1, int stn, int mt, long
- max, int *ok);
- int (*ssl_read_bytes) (SSL *s, int type, unsigned char *buf, int len,
- int peek);
- int (*ssl_write_bytes) (SSL *s, int type, const void *buf_, int len);
- int (*ssl_dispatch_alert) (SSL *s);
- long (*ssl_ctrl) (SSL *s, int cmd, long larg, void *parg);
- long (*ssl_ctx_ctrl) (SSL_CTX *ctx, int cmd, long larg, void *parg);
- const SSL_CIPHER *(*get_cipher_by_char) (const unsigned char *ptr);
- int (*put_cipher_by_char) (const SSL_CIPHER *cipher, unsigned char *ptr);
- int (*ssl_pending) (const SSL *s);
- int (*num_ciphers) (void);
- const SSL_CIPHER *(*get_cipher) (unsigned ncipher);
- const struct ssl_method_st *(*get_ssl_method) (int version);
- long (*get_timeout) (void);
- const struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
- int (*ssl_version) (void);
- long (*ssl_callback_ctrl) (SSL *s, int cb_id, void (*fp) (void));
- long (*ssl_ctx_callback_ctrl) (SSL_CTX *s, int cb_id, void (*fp) (void));
-};
-
-/*-
- * Lets make this into an ASN.1 type structure as follows
- * SSL_SESSION_ID ::= SEQUENCE {
- * version INTEGER, -- structure version number
- * SSLversion INTEGER, -- SSL version number
- * Cipher OCTET STRING, -- the 3 byte cipher ID
- * Session_ID OCTET STRING, -- the Session ID
- * Master_key OCTET STRING, -- the master key
- * KRB5_principal OCTET STRING -- optional Kerberos principal
- * Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument
- * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
- * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
- * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
- * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
- * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
- * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
- * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
- * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity
- * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
- * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
- * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
- * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
- * }
- * Look in ssl/ssl_asn1.c for more details
- * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
- */
-struct ssl_session_st {
- int ssl_version; /* what ssl version session info is being
- * kept in here? */
- int master_key_length;
- unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
- /* session_id - valid? */
- unsigned int session_id_length;
- unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
- /*
- * this is used to determine whether the session is being reused in the
- * appropriate context. It is up to the application to set this, via
- * SSL_new
- */
- unsigned int sid_ctx_length;
- unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-# ifndef OPENSSL_NO_KRB5
- unsigned int krb5_client_princ_len;
- unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
-# endif /* OPENSSL_NO_KRB5 */
-# ifndef OPENSSL_NO_PSK
- char *psk_identity_hint;
- char *psk_identity;
-# endif
- /*
- * Used to indicate that session resumption is not allowed. Applications
- * can also set this bit for a new session via not_resumable_session_cb
- * to disable session caching and tickets.
- */
- int not_resumable;
- /* The cert is the certificate used to establish this connection */
- struct sess_cert_st /* SESS_CERT */ *sess_cert;
- /*
- * This is the cert for the other end. On clients, it will be the same as
- * sess_cert->peer_key->x509 (the latter is not enough as sess_cert is
- * not retained in the external representation of sessions, see
- * ssl_asn1.c).
- */
- X509 *peer;
- /*
- * when app_verify_callback accepts a session where the peer's
- * certificate is not ok, we must remember the error for session reuse:
- */
- long verify_result; /* only for servers */
- int references;
- long timeout;
- long time;
- unsigned int compress_meth; /* Need to lookup the method */
- const SSL_CIPHER *cipher;
- unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used
- * to load the 'cipher' structure */
- STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
- CRYPTO_EX_DATA ex_data; /* application specific data */
- /*
- * These are used to make removal of session-ids more efficient and to
- * implement a maximum cache size.
- */
- struct ssl_session_st *prev, *next;
-# ifndef OPENSSL_NO_TLSEXT
- char *tlsext_hostname;
-# ifndef OPENSSL_NO_EC
- size_t tlsext_ecpointformatlist_length;
- unsigned char *tlsext_ecpointformatlist; /* peer's list */
- size_t tlsext_ellipticcurvelist_length;
- unsigned char *tlsext_ellipticcurvelist; /* peer's list */
-# endif /* OPENSSL_NO_EC */
- /* RFC4507 info */
- unsigned char *tlsext_tick; /* Session ticket */
- size_t tlsext_ticklen; /* Session ticket length */
- long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
-# endif
-# ifndef OPENSSL_NO_SRP
- char *srp_username;
-# endif
-};
-
-# endif
-
/* Allow initial connection to servers that don't support RI */
# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
# define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
# define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-# ifndef OPENSSL_NO_SRP
+# define SSL_get_extms_support(s) \
+ SSL_ctrl((s),SSL_CTRL_GET_EXTMS_SUPPORT,0,NULL)
-# ifndef OPENSSL_NO_SSL_INTERN
-
-typedef struct srp_ctx_st {
- /* param for all the callbacks */
- void *SRP_cb_arg;
- /* set client Hello login callback */
- int (*TLS_ext_srp_username_callback) (SSL *, int *, void *);
- /* set SRP N/g param callback for verification */
- int (*SRP_verify_param_callback) (SSL *, void *);
- /* set SRP client passwd callback */
- char *(*SRP_give_srp_client_pwd_callback) (SSL *, void *);
- char *login;
- BIGNUM *N, *g, *s, *B, *A;
- BIGNUM *a, *b, *v;
- char *info;
- int strength;
- unsigned long srp_Mask;
-} SRP_CTX;
-
-# endif
+# ifndef OPENSSL_NO_SRP
/* see tls_srp.c */
int SSL_SRP_CTX_init(SSL *s);
typedef struct ssl_comp_st SSL_COMP;
-# ifndef OPENSSL_NO_SSL_INTERN
-
-struct ssl_comp_st {
- int id;
- const char *name;
-# ifndef OPENSSL_NO_COMP
- COMP_METHOD *method;
-# else
- char *method;
-# endif
-};
-
-DECLARE_STACK_OF(SSL_COMP)
-DECLARE_LHASH_OF(SSL_SESSION);
-
-struct ssl_ctx_st {
- const SSL_METHOD *method;
- STACK_OF(SSL_CIPHER) *cipher_list;
- /* same as above but sorted for lookup */
- STACK_OF(SSL_CIPHER) *cipher_list_by_id;
- struct x509_store_st /* X509_STORE */ *cert_store;
- LHASH_OF(SSL_SESSION) *sessions;
- /*
- * Most session-ids that will be cached, default is
- * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited.
- */
- unsigned long session_cache_size;
- struct ssl_session_st *session_cache_head;
- struct ssl_session_st *session_cache_tail;
- /*
- * This can have one of 2 values, ored together, SSL_SESS_CACHE_CLIENT,
- * SSL_SESS_CACHE_SERVER, Default is SSL_SESSION_CACHE_SERVER, which
- * means only SSL_accept which cache SSL_SESSIONS.
- */
- int session_cache_mode;
- /*
- * If timeout is not 0, it is the default timeout value set when
- * SSL_new() is called. This has been put in to make life easier to set
- * things up
- */
- long session_timeout;
- /*
- * If this callback is not null, it will be called each time a session id
- * is added to the cache. If this function returns 1, it means that the
- * callback will do a SSL_SESSION_free() when it has finished using it.
- * Otherwise, on 0, it means the callback has finished with it. If
- * remove_session_cb is not null, it will be called when a session-id is
- * removed from the cache. After the call, OpenSSL will
- * SSL_SESSION_free() it.
- */
- int (*new_session_cb) (struct ssl_st *ssl, SSL_SESSION *sess);
- void (*remove_session_cb) (struct ssl_ctx_st *ctx, SSL_SESSION *sess);
- SSL_SESSION *(*get_session_cb) (struct ssl_st *ssl,
- unsigned char *data, int len, int *copy);
- struct {
- int sess_connect; /* SSL new conn - started */
- int sess_connect_renegotiate; /* SSL reneg - requested */
- int sess_connect_good; /* SSL new conne/reneg - finished */
- int sess_accept; /* SSL new accept - started */
- int sess_accept_renegotiate; /* SSL reneg - requested */
- int sess_accept_good; /* SSL accept/reneg - finished */
- int sess_miss; /* session lookup misses */
- int sess_timeout; /* reuse attempt on timeouted session */
- int sess_cache_full; /* session removed due to full cache */
- int sess_hit; /* session reuse actually done */
- int sess_cb_hit; /* session-id that was not in the cache was
- * passed back via the callback. This
- * indicates that the application is
- * supplying session-id's from other
- * processes - spooky :-) */
- } stats;
-
- int references;
-
- /* if defined, these override the X509_verify_cert() calls */
- int (*app_verify_callback) (X509_STORE_CTX *, void *);
- void *app_verify_arg;
- /*
- * before OpenSSL 0.9.7, 'app_verify_arg' was ignored
- * ('app_verify_callback' was called with just one argument)
- */
-
- /* Default password callback. */
- pem_password_cb *default_passwd_callback;
-
- /* Default password callback user data. */
- void *default_passwd_callback_userdata;
-
- /* get client cert callback */
- int (*client_cert_cb) (SSL *ssl, X509 **x509, EVP_PKEY **pkey);
-
- /* cookie generate callback */
- int (*app_gen_cookie_cb) (SSL *ssl, unsigned char *cookie,
- unsigned int *cookie_len);
-
- /* verify cookie callback */
- int (*app_verify_cookie_cb) (SSL *ssl, unsigned char *cookie,
- unsigned int cookie_len);
-
- CRYPTO_EX_DATA ex_data;
-
- const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
- const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
-
- STACK_OF(X509) *extra_certs;
- STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
-
- /* Default values used when no per-SSL value is defined follow */
-
- /* used if SSL's info_callback is NULL */
- void (*info_callback) (const SSL *ssl, int type, int val);
-
- /* what we put in client cert requests */
- STACK_OF(X509_NAME) *client_CA;
-
- /*
- * Default values to use in SSL structures follow (these are copied by
- * SSL_new)
- */
-
- unsigned long options;
- unsigned long mode;
- long max_cert_list;
-
- struct cert_st /* CERT */ *cert;
- int read_ahead;
-
- /* callback that allows applications to peek at protocol messages */
- void (*msg_callback) (int write_p, int version, int content_type,
- const void *buf, size_t len, SSL *ssl, void *arg);
- void *msg_callback_arg;
-
- int verify_mode;
- unsigned int sid_ctx_length;
- unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
- /* called 'verify_callback' in the SSL */
- int (*default_verify_callback) (int ok, X509_STORE_CTX *ctx);
-
- /* Default generate session ID callback. */
- GEN_SESSION_CB generate_session_id;
-
- X509_VERIFY_PARAM *param;
-
-# if 0
- int purpose; /* Purpose setting */
- int trust; /* Trust setting */
-# endif
-
- int quiet_shutdown;
-
- /*
- * Maximum amount of data to send in one fragment. actual record size can
- * be more than this due to padding and MAC overheads.
- */
- unsigned int max_send_fragment;
-
-# ifndef OPENSSL_NO_ENGINE
- /*
- * Engine to pass requests for client certs to
- */
- ENGINE *client_cert_engine;
-# endif
-
-# ifndef OPENSSL_NO_TLSEXT
- /* TLS extensions servername callback */
- int (*tlsext_servername_callback) (SSL *, int *, void *);
- void *tlsext_servername_arg;
- /* RFC 4507 session ticket keys */
- unsigned char tlsext_tick_key_name[16];
- unsigned char tlsext_tick_hmac_key[16];
- unsigned char tlsext_tick_aes_key[16];
- /* Callback to support customisation of ticket key setting */
- int (*tlsext_ticket_key_cb) (SSL *ssl,
- unsigned char *name, unsigned char *iv,
- EVP_CIPHER_CTX *ectx,
- HMAC_CTX *hctx, int enc);
-
- /* certificate status request info */
- /* Callback for status request */
- int (*tlsext_status_cb) (SSL *ssl, void *arg);
- void *tlsext_status_arg;
-
- /* draft-rescorla-tls-opaque-prf-input-00.txt information */
- int (*tlsext_opaque_prf_input_callback) (SSL *, void *peerinput,
- size_t len, void *arg);
- void *tlsext_opaque_prf_input_callback_arg;
-# endif
-
-# ifndef OPENSSL_NO_PSK
- char *psk_identity_hint;
- unsigned int (*psk_client_callback) (SSL *ssl, const char *hint,
- char *identity,
- unsigned int max_identity_len,
- unsigned char *psk,
- unsigned int max_psk_len);
- unsigned int (*psk_server_callback) (SSL *ssl, const char *identity,
- unsigned char *psk,
- unsigned int max_psk_len);
-# endif
-
-# ifndef OPENSSL_NO_SRP
- SRP_CTX srp_ctx; /* ctx for SRP authentication */
-# endif
-
-# ifndef OPENSSL_NO_TLSEXT
-
-# ifndef OPENSSL_NO_NEXTPROTONEG
- /* Next protocol negotiation information */
- /* (for experimental NPN extension). */
-
- /*
- * For a server, this contains a callback function by which the set of
- * advertised protocols can be provided.
- */
- int (*next_protos_advertised_cb) (SSL *s, const unsigned char **buf,
- unsigned int *len, void *arg);
- void *next_protos_advertised_cb_arg;
- /*
- * For a client, this contains a callback function that selects the next
- * protocol from the list provided by the server.
- */
- int (*next_proto_select_cb) (SSL *s, unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen, void *arg);
- void *next_proto_select_cb_arg;
-# endif
-
- /*
- * ALPN information (we are in the process of transitioning from NPN to
- * ALPN.)
- */
-
- /*-
- * For a server, this contains a callback function that allows the
- * server to select the protocol for the connection.
- * out: on successful return, this must point to the raw protocol
- * name (without the length prefix).
- * outlen: on successful return, this contains the length of |*out|.
- * in: points to the client's list of supported protocols in
- * wire-format.
- * inlen: the length of |in|.
- */
- int (*alpn_select_cb) (SSL *s,
- const unsigned char **out,
- unsigned char *outlen,
- const unsigned char *in,
- unsigned int inlen, void *arg);
- void *alpn_select_cb_arg;
-
- /*
- * For a client, this contains the list of supported protocols in wire
- * format.
- */
- unsigned char *alpn_client_proto_list;
- unsigned alpn_client_proto_list_len;
-
- /* SRTP profiles we are willing to do from RFC 5764 */
- STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
-# endif
- /*
- * Callback for disabling session caching and ticket support on a session
- * basis, depending on the chosen cipher.
- */
- int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
-# ifndef OPENSSL_NO_EC
- /* EC extension values inherited by SSL structure */
- size_t tlsext_ecpointformatlist_length;
- unsigned char *tlsext_ecpointformatlist;
- size_t tlsext_ellipticcurvelist_length;
- unsigned char *tlsext_ellipticcurvelist;
-# endif /* OPENSSL_NO_EC */
-};
-
-# endif
# define SSL_SESS_CACHE_OFF 0x0000
# define SSL_SESS_CACHE_CLIENT 0x0001
# define SSL_MAC_FLAG_READ_MAC_STREAM 1
# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
-# ifndef OPENSSL_NO_SSL_INTERN
-
-struct ssl_st {
- /*
- * protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
- * DTLS1_VERSION)
- */
- int version;
- /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
- int type;
- /* SSLv3 */
- const SSL_METHOD *method;
- /*
- * There are 2 BIO's even though they are normally both the same. This
- * is so data can be read and written to different handlers
- */
- /* used by SSL_read */
- BIO *rbio;
- /* used by SSL_write */
- BIO *wbio;
- /* used during session-id reuse to concatenate messages */
- BIO *bbio;
- /*
- * This holds a variable that indicates what we were doing when a 0 or -1
- * is returned. This is needed for non-blocking IO so we know what
- * request needs re-doing when in SSL_accept or SSL_connect
- */
- int rwstate;
- /* true when we are actually in SSL_accept() or SSL_connect() */
- int in_handshake;
- int (*handshake_func) (SSL *);
- /*
- * Imagine that here's a boolean member "init" that is switched as soon
- * as SSL_set_{accept/connect}_state is called for the first time, so
- * that "state" and "handshake_func" are properly initialized. But as
- * handshake_func is == 0 until then, we use this test instead of an
- * "init" member.
- */
- /* are we the server side? - mostly used by SSL_clear */
- int server;
- /*
- * Generate a new session or reuse an old one.
- * NB: For servers, the 'new' session may actually be a previously
- * cached session or even the previous session unless
- * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set
- */
- int new_session;
- /* don't send shutdown packets */
- int quiet_shutdown;
- /* we have shut things down, 0x01 sent, 0x02 for received */
- int shutdown;
- /* where we are */
- int state;
- /* where we are when reading */
- int rstate;
- BUF_MEM *init_buf; /* buffer used during init */
- void *init_msg; /* pointer to handshake message body, set by
- * ssl3_get_message() */
- int init_num; /* amount read/written */
- int init_off; /* amount read/written */
- /* used internally to point at a raw packet */
- unsigned char *packet;
- unsigned int packet_length;
- struct ssl3_state_st *s3; /* SSLv3 variables */
- struct dtls1_state_st *d1; /* DTLSv1 variables */
- int read_ahead; /* Read as many input bytes as possible (for
- * non-blocking reads) */
- /* callback that allows applications to peek at protocol messages */
- void (*msg_callback) (int write_p, int version, int content_type,
- const void *buf, size_t len, SSL *ssl, void *arg);
- void *msg_callback_arg;
- int hit; /* reusing a previous session */
- X509_VERIFY_PARAM *param;
-# if 0
- int purpose; /* Purpose setting */
- int trust; /* Trust setting */
-# endif
- /* crypto */
- STACK_OF(SSL_CIPHER) *cipher_list;
- STACK_OF(SSL_CIPHER) *cipher_list_by_id;
- /*
- * These are the ones being used, the ones in SSL_SESSION are the ones to
- * be 'copied' into these ones
- */
- int mac_flags;
- EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
- EVP_MD_CTX *read_hash; /* used for mac generation */
-# ifndef OPENSSL_NO_COMP
- COMP_CTX *expand; /* uncompress */
-# else
- char *expand;
-# endif
- EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
- EVP_MD_CTX *write_hash; /* used for mac generation */
-# ifndef OPENSSL_NO_COMP
- COMP_CTX *compress; /* compression */
-# else
- char *compress;
-# endif
- /* session info */
- /* client cert? */
- /* This is used to hold the server certificate used */
- struct cert_st /* CERT */ *cert;
- /*
- * the session_id_context is used to ensure sessions are only reused in
- * the appropriate context
- */
- unsigned int sid_ctx_length;
- unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
- /* This can also be in the session once a session is established */
- SSL_SESSION *session;
- /* Default generate session ID callback. */
- GEN_SESSION_CB generate_session_id;
- /* Used in SSL3 */
- /*
- * 0 don't care about verify failure.
- * 1 fail if verify fails
- */
- int verify_mode;
- /* fail if callback returns 0 */
- int (*verify_callback) (int ok, X509_STORE_CTX *ctx);
- /* optional informational callback */
- void (*info_callback) (const SSL *ssl, int type, int val);
- /* error bytes to be written */
- int error;
- /* actual code */
- int error_code;
-# ifndef OPENSSL_NO_KRB5
- /* Kerberos 5 context */
- KSSL_CTX *kssl_ctx;
-# endif /* OPENSSL_NO_KRB5 */
-# ifndef OPENSSL_NO_PSK
- unsigned int (*psk_client_callback) (SSL *ssl, const char *hint,
- char *identity,
- unsigned int max_identity_len,
- unsigned char *psk,
- unsigned int max_psk_len);
- unsigned int (*psk_server_callback) (SSL *ssl, const char *identity,
- unsigned char *psk,
- unsigned int max_psk_len);
-# endif
- SSL_CTX *ctx;
- /*
- * set this flag to 1 and a sleep(1) is put into all SSL_read() and
- * SSL_write() calls, good for nbio debuging :-)
- */
- int debug;
- /* extra application data */
- long verify_result;
- CRYPTO_EX_DATA ex_data;
- /* for server side, keep the list of CA_dn we can use */
- STACK_OF(X509_NAME) *client_CA;
- int references;
- /* protocol behaviour */
- unsigned long options;
- /* API behaviour */
- unsigned long mode;
- long max_cert_list;
- int first_packet;
- /* what was passed, used for SSLv3/TLS rollback check */
- int client_version;
- unsigned int max_send_fragment;
-# ifndef OPENSSL_NO_TLSEXT
- /* TLS extension debug callback */
- void (*tlsext_debug_cb) (SSL *s, int client_server, int type,
- unsigned char *data, int len, void *arg);
- void *tlsext_debug_arg;
- char *tlsext_hostname;
- /*-
- * no further mod of servername
- * 0 : call the servername extension callback.
- * 1 : prepare 2, allow last ack just after in server callback.
- * 2 : don't call servername callback, no ack in server hello
- */
- int servername_done;
- /* certificate status request info */
- /* Status type or -1 if no status type */
- int tlsext_status_type;
- /* Expect OCSP CertificateStatus message */
- int tlsext_status_expected;
- /* OCSP status request only */
- STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
- X509_EXTENSIONS *tlsext_ocsp_exts;
- /* OCSP response received or to be sent */
- unsigned char *tlsext_ocsp_resp;
- int tlsext_ocsp_resplen;
- /* RFC4507 session ticket expected to be received or sent */
- int tlsext_ticket_expected;
-# ifndef OPENSSL_NO_EC
- size_t tlsext_ecpointformatlist_length;
- /* our list */
- unsigned char *tlsext_ecpointformatlist;
- size_t tlsext_ellipticcurvelist_length;
- /* our list */
- unsigned char *tlsext_ellipticcurvelist;
-# endif /* OPENSSL_NO_EC */
- /*
- * draft-rescorla-tls-opaque-prf-input-00.txt information to be used for
- * handshakes
- */
- void *tlsext_opaque_prf_input;
- size_t tlsext_opaque_prf_input_len;
- /* TLS Session Ticket extension override */
- TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
- /* TLS Session Ticket extension callback */
- tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
- void *tls_session_ticket_ext_cb_arg;
- /* TLS pre-shared secret session resumption */
- tls_session_secret_cb_fn tls_session_secret_cb;
- void *tls_session_secret_cb_arg;
- SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */
-# ifndef OPENSSL_NO_NEXTPROTONEG
- /*
- * Next protocol negotiation. For the client, this is the protocol that
- * we sent in NextProtocol and is set when handling ServerHello
- * extensions. For a server, this is the client's selected_protocol from
- * NextProtocol and is set when handling the NextProtocol message, before
- * the Finished message.
- */
- unsigned char *next_proto_negotiated;
- unsigned char next_proto_negotiated_len;
-# endif
-# define session_ctx initial_ctx
- /* What we'll do */
- STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
- /* What's been chosen */
- SRTP_PROTECTION_PROFILE *srtp_profile;
- /*-
- * Is use of the Heartbeat extension negotiated?
- * 0: disabled
- * 1: enabled
- * 2: enabled, but not allowed to send Requests
- */
- unsigned int tlsext_heartbeat;
- /* Indicates if a HeartbeatRequest is in flight */
- unsigned int tlsext_hb_pending;
- /* HeartbeatRequest sequence number */
- unsigned int tlsext_hb_seq;
- /*
- * For a client, this contains the list of supported protocols in wire
- * format.
- */
- unsigned char *alpn_client_proto_list;
- unsigned alpn_client_proto_list_len;
-# else
-# define session_ctx ctx
-# endif /* OPENSSL_NO_TLSEXT */
- /*-
- * 1 if we are renegotiating.
- * 2 if we are a server and are inside a handshake
- * (i.e. not just sending a HelloRequest)
- */
- int renegotiate;
-# ifndef OPENSSL_NO_SRP
- /* ctx for SRP authentication */
- SRP_CTX srp_ctx;
-# endif
- /*
- * Callback for disabling session caching and ticket support on a session
- * basis, depending on the chosen cipher.
- */
- int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
-};
-
-# endif
-
#ifdef __cplusplus
}
#endif
# define OpenSSL_add_ssl_algorithms() SSL_library_init()
# define SSLeay_add_ssl_algorithms() SSL_library_init()
-/* this is for backward compatibility */
-# if 0 /* NEW_SSLEAY */
-# define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
-# define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
-# define SSL_add_session(a,b) SSL_CTX_add_session((a),(b))
-# define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
-# define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
-# endif
/* More backward compatibility */
# define SSL_get_cipher(s) \
SSL_CIPHER_get_name(SSL_get_current_cipher(s))
# define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
# define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
# define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
-# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60
-# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61
-# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62
+/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60 */
+/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61 */
+/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62 */
# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
# define SSL_CTRL_CHECK_PROTO_VERSION 119
# define DTLS_CTRL_SET_LINK_MTU 120
# define DTLS_CTRL_GET_LINK_MIN_MTU 121
+# define SSL_CTRL_GET_EXTMS_SUPPORT 122
# define SSL_CERT_SET_FIRST 1
# define SSL_CERT_SET_NEXT 2
# define SSL_CERT_SET_SERVER 3
projects / openssl.git / blobdiff