# include "internal/common.h" /* for HAS_PREFIX */
# include <openssl/buffer.h>
-# include <openssl/comp.h>
# include <openssl/bio.h>
+# include <openssl/comp.h>
# include <openssl/dsa.h>
# include <openssl/err.h>
# include <openssl/ssl.h>
# define DTLS_VERSION_LT(v1, v2) (dtls_ver_ordinal(v1) > dtls_ver_ordinal(v2))
# define DTLS_VERSION_LE(v1, v2) (dtls_ver_ordinal(v1) >= dtls_ver_ordinal(v2))
+# define SSL_AD_NO_ALERT -1
/*
* Define the Bitmasks for SSL_CIPHER.algorithms.
size_t (*ssl_pending) (const SSL *s);
int (*num_ciphers) (void);
const SSL_CIPHER *(*get_cipher) (unsigned ncipher);
- long (*get_timeout) (void);
+ OSSL_TIME (*get_timeout) (void);
const struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
int (*ssl_version) (void);
long (*ssl_callback_ctrl) (SSL *s, int cb_id, void (*fp) (void));
*/
long verify_result; /* only for servers */
CRYPTO_REF_COUNT references;
- time_t timeout;
- time_t time;
+ OSSL_TIME timeout;
+ OSSL_TIME time;
OSSL_TIME calc_timeout;
unsigned int compress_meth; /* Need to lookup the method */
const SSL_CIPHER *cipher;
/*
* The allowance we have between the client's calculated ticket age and our own.
- * We allow for 10 seconds (units are in ms). If a ticket is presented and the
+ * We allow for 10 seconds. If a ticket is presented and the
* client's age calculation is different by more than this than our own then we
* do not allow that ticket for early_data.
*/
-# define TICKET_AGE_ALLOWANCE (10 * 1000)
+# define TICKET_AGE_ALLOWANCE ossl_seconds2time(10)
#define MAX_COMPRESSIONS_SIZE 255
TLSEXT_IDX_key_share,
TLSEXT_IDX_cookie,
TLSEXT_IDX_cryptopro_bug,
+ TLSEXT_IDX_compress_certificate,
TLSEXT_IDX_early_data,
TLSEXT_IDX_certificate_authorities,
TLSEXT_IDX_padding,
* SSL_new() is called. This has been put in to make life easier to set
* things up
*/
- long session_timeout;
+ OSSL_TIME session_timeout;
/*
* If this callback is not null, it will be called each time a session id
* is added to the cache. If this function returns 1, it means that the
uint32_t disabled_mac_mask;
uint32_t disabled_mkey_mask;
uint32_t disabled_auth_mask;
+
+#ifndef OPENSSL_NO_COMP_ALG
+ /* certificate compression preferences */
+ int cert_comp_prefs[TLSEXT_comp_cert_limit];
+#endif
};
typedef struct cert_pkey_st CERT_PKEY;
unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
unsigned char server_random[SSL3_RANDOM_SIZE];
unsigned char client_random[SSL3_RANDOM_SIZE];
- /* flags for countermeasure against known-IV weakness */
- int need_empty_fragments;
- int empty_fragment_done;
+
/* used during startup, digest all incoming/outgoing packets */
BIO *handshake_buffer;
/*
* selected.
*/
int tick_identity;
+
+ /* This is the list of algorithms the peer supports that we also support */
+ int compress_certificate_from_peer[TLSEXT_comp_cert_limit];
+ /* indicate that we sent the extension, so we'll accept it */
+ int compress_certificate_sent;
} ext;
/*
*/
uint32_t early_data_count;
- /* TLS1.3 padding callback */
- size_t (*record_padding_cb)(SSL *s, int type, size_t len, void *arg);
- void *record_padding_arg;
- size_t block_padding;
-
/* The number of TLS1.3 tickets to automatically send */
size_t num_tickets;
/* The number of TLS1.3 tickets actually sent so far */
*/
const struct sigalg_lookup_st **shared_sigalgs;
size_t shared_sigalgslen;
+
+#ifndef OPENSSL_NO_COMP_ALG
+ /* certificate compression preferences */
+ int cert_comp_prefs[TLSEXT_comp_cert_limit];
+#endif
};
# define SSL_CONNECTION_FROM_SSL_ONLY_int(ssl, c) \
# define DTLS1_SKIP_RECORD_HEADER 2
struct dtls1_retransmit_state {
- EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
- EVP_MD_CTX *write_hash; /* used for mac generation */
- COMP_CTX *compress; /* compression */
- SSL_SESSION *session;
- uint16_t epoch;
+ const OSSL_RECORD_METHOD *wrlmethod;
+ OSSL_RECORD_LAYER *wrl;
};
struct hm_header_st {
/*
* Indicates when the last handshake msg sent will timeout
*/
- struct timeval next_timeout;
+ OSSL_TIME next_timeout;
/* Timeout duration */
unsigned int timeout_duration_us;
# define EXPLICIT_CHAR2_CURVE_TYPE 2
# define NAMED_CURVE_TYPE 3
+# ifndef OPENSSL_NO_COMP_ALG
+struct ossl_comp_cert_st {
+ unsigned char *data;
+ size_t len;
+ size_t orig_len;
+ CRYPTO_REF_COUNT references;
+ CRYPTO_RWLOCK *lock;
+ int alg;
+};
+typedef struct ossl_comp_cert_st OSSL_COMP_CERT;
+
+void OSSL_COMP_CERT_free(OSSL_COMP_CERT *c);
+int OSSL_COMP_CERT_up_ref(OSSL_COMP_CERT *c);
+# endif
+
struct cert_pkey_st {
X509 *x509;
EVP_PKEY *privatekey;
*/
unsigned char *serverinfo;
size_t serverinfo_length;
+# ifndef OPENSSL_NO_COMP_ALG
+ /* Compressed certificate data - index 0 is unused */
+ OSSL_COMP_CERT *comp_cert[TLSEXT_comp_cert_limit];
+ int cert_comp_used;
+# endif
};
/* Retrieve Suite B flags */
# define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
size_t len);
void ssl3_free_digest_list(SSL_CONNECTION *s);
__owur unsigned long ssl3_output_cert_chain(SSL_CONNECTION *s, WPACKET *pkt,
- CERT_PKEY *cpk);
+ CERT_PKEY *cpk, int for_comp);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s,
STACK_OF(SSL_CIPHER) *clnt,
STACK_OF(SSL_CIPHER) *srvr);
__owur long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp) (void));
__owur int ssl3_do_change_cipher_spec(SSL_CONNECTION *s);
-__owur long ssl3_default_timeout(void);
+__owur OSSL_TIME ssl3_default_timeout(void);
__owur int ssl3_set_handshake_header(SSL_CONNECTION *s, WPACKET *pkt,
int htype);
__owur int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
int *max_version, int *real_max);
-__owur long tls1_default_timeout(void);
+__owur OSSL_TIME tls1_default_timeout(void);
__owur int dtls1_do_write(SSL_CONNECTION *s, int type);
void dtls1_set_message_header(SSL_CONNECTION *s,
unsigned char mt,
void dtls1_clear_sent_buffer(SSL_CONNECTION *s);
void dtls1_get_message_header(unsigned char *data,
struct hm_header_st *msg_hdr);
-__owur long dtls1_default_timeout(void);
-__owur struct timeval *dtls1_get_timeout(SSL_CONNECTION *s,
- struct timeval *timeleft);
+__owur OSSL_TIME dtls1_default_timeout(void);
+__owur OSSL_TIME *dtls1_get_timeout(SSL_CONNECTION *s, OSSL_TIME *timeleft);
__owur int dtls1_check_timeout_num(SSL_CONNECTION *s);
__owur int dtls1_handle_timeout(SSL_CONNECTION *s);
void dtls1_start_timer(SSL_CONNECTION *s);
unsigned char *p);
__owur int tls13_change_cipher_state(SSL_CONNECTION *s, int which);
__owur int tls13_update_key(SSL_CONNECTION *s, int send);
-__owur int tls13_hkdf_expand(SSL_CONNECTION *s, const EVP_MD *md,
+__owur int tls13_hkdf_expand(SSL_CONNECTION *s,
+ const EVP_MD *md,
const unsigned char *secret,
const unsigned char *label, size_t labellen,
const unsigned char *data, size_t datalen,
unsigned char *out, size_t outlen, int fatal);
+__owur int tls13_hkdf_expand_ex(OSSL_LIB_CTX *libctx, const char *propq,
+ const EVP_MD *md,
+ const unsigned char *secret,
+ const unsigned char *label, size_t labellen,
+ const unsigned char *data, size_t datalen,
+ unsigned char *out, size_t outlen,
+ int raise_error);
__owur int tls13_derive_key(SSL_CONNECTION *s, const EVP_MD *md,
const unsigned char *secret, unsigned char *key,
size_t keylen);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
-__owur uint16_t ssl_group_id_internal_to_tls13(uint16_t curve_id);
-__owur uint16_t ssl_group_id_tls13_to_internal(uint16_t curve_id);
__owur const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t curve_id);
__owur int tls1_group_id2nid(uint16_t group_id, int include_unknown);
__owur uint16_t tls1_nid2group_id(int nid);
#define CLIENT_HANDSHAKE_LABEL "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
#define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET"
#define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0"
+#define CLIENT_APPLICATION_N_LABEL "CLIENT_TRAFFIC_SECRET_N"
#define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0"
+#define SERVER_APPLICATION_N_LABEL "SERVER_TRAFFIC_SECRET_N"
#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET"
#define EXPORTER_SECRET_LABEL "EXPORTER_SECRET"
-# ifndef OPENSSL_NO_KTLS
-/* ktls.c */
-int ktls_check_supported_cipher(const SSL_CONNECTION *s, const EVP_CIPHER *c,
- const EVP_MD *md, size_t taglen);
-int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version,
- const EVP_CIPHER *c, const EVP_MD *md,
- void *rl_sequence, ktls_crypto_info_t *crypto_info,
- int is_tx, unsigned char *iv, size_t ivlen,
- unsigned char *key, size_t keylen,
- unsigned char *mac_key, size_t mac_secret_size);
-# endif
-
__owur int srp_generate_server_master_secret(SSL_CONNECTION *s);
__owur int srp_generate_client_master_secret(SSL_CONNECTION *s);
__owur int srp_verify_server_param(SSL_CONNECTION *s);
}
}
+int ossl_comp_has_alg(int a);
+size_t ossl_calculate_comp_expansion(int alg, size_t length);
+
#endif