*/
/* Bits for algorithm_mkey (key exchange algorithm) */
-#define SSL_kRSA 0x00000001L /* RSA key exchange */
-#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */
-#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */
-#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
-#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
-#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
-#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
-#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
-#define SSL_kPSK 0x00000100L /* PSK */
-#define SSL_kGOST 0x00000200L /* GOST key exchange */
-#define SSL_kSRP 0x00000400L /* SRP */
+/* RSA key exchange */
+#define SSL_kRSA 0x00000001L
+/* DH cert, RSA CA cert */
+#define SSL_kDHr 0x00000002L
+/* DH cert, DSA CA cert */
+#define SSL_kDHd 0x00000004L
+/* tmp DH key no DH cert */
+#define SSL_kEDH 0x00000008L
+/* forward-compatible synonym */
+#define SSL_kDHE SSL_kEDH
+/* Kerberos5 key exchange */
+#define SSL_kKRB5 0x00000010L
+/* ECDH cert, RSA CA cert */
+#define SSL_kECDHr 0x00000020L
+/* ECDH cert, ECDSA CA cert */
+#define SSL_kECDHe 0x00000040L
+/* ephemeral ECDH */
+#define SSL_kEECDH 0x00000080L
+/* forward-compatible synonym */
+#define SSL_kECDHE SSL_kEECDH
+/* PSK */
+#define SSL_kPSK 0x00000100L
+/* GOST key exchange */
+#define SSL_kGOST 0x00000200L
+/* SRP */
+#define SSL_kSRP 0x00000400L
/* Bits for algorithm_auth (server authentication) */
-#define SSL_aRSA 0x00000001L /* RSA auth */
-#define SSL_aDSS 0x00000002L /* DSS auth */
-#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */
-#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
-#define SSL_aKRB5 0x00000020L /* KRB5 auth */
-#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
-#define SSL_aPSK 0x00000080L /* PSK auth */
-#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
-#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
-#define SSL_aSRP 0x00000400L /* SRP auth */
+/* RSA auth */
+#define SSL_aRSA 0x00000001L
+/* DSS auth */
+#define SSL_aDSS 0x00000002L
+/* no auth (i.e. use ADH or AECDH) */
+#define SSL_aNULL 0x00000004L
+/* Fixed DH auth (kDHd or kDHr) */
+#define SSL_aDH 0x00000008L
+/* Fixed ECDH auth (kECDHe or kECDHr) */
+#define SSL_aECDH 0x00000010L
+/* KRB5 auth */
+#define SSL_aKRB5 0x00000020L
+/* ECDSA auth*/
+#define SSL_aECDSA 0x00000040L
+/* PSK auth */
+#define SSL_aPSK 0x00000080L
+/* GOST R 34.10-94 signature auth */
+#define SSL_aGOST94 0x00000100L
+/* GOST R 34.10-2001 signature auth */
+#define SSL_aGOST01 0x00000200L
+/* SRP auth */
+#define SSL_aSRP 0x00000400L
/* Bits for algorithm_enc (symmetric encryption) */
/* we have used 000001ff - 23 bits left to go */
-/*
+/*-
* Macros to check the export status and cipher strength for export ciphers.
* Even though the macros for EXPORT and EXPORT40/56 have similar names,
* their meaning is different:
#define SSL_PKEY_GOST01 7
#define SSL_PKEY_NUM 8
-/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
+/*-
+ * SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
* <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
* SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
* SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
* SSL_aDSS <- DSA_SIGN
*/
-/*
+/*-
#define CERT_INVALID 0
#define CERT_PUBLIC_KEY 1
#define CERT_PRIVATE_KEY 2
/* Chain for this certificate */
STACK_OF(X509) *chain;
#ifndef OPENSSL_NO_TLSEXT
- /* serverinfo data for this certificate. The data is in TLS Extension
+ /*-
+ * serverinfo data for this certificate. The data is in TLS Extension
* wire format, specifically it's a series of records like:
* uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension)
* uint16_t length;
- * uint8_t data[length]; */
+ * uint8_t data[length];
+ */
unsigned char *serverinfo;
size_t serverinfo_length;
#endif
*/
unsigned short ext_flags;
custom_ext_add_cb add_cb;
+ custom_ext_free_cb free_cb;
+ void *add_arg;
custom_ext_parse_cb parse_cb;
- void *arg;
+ void *parse_arg;
} custom_ext_method;
/* ext_flags values */
typedef struct cert_st
{
/* Current active set */
- CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
- * Probably it would make more sense to store
- * an index, not a pointer. */
+ /*
+ * ALWAYS points to an element of the pkeys array
+ * Probably it would make more sense to store
+ * an index, not a pointer.
+ */
+ CERT_PKEY *key;
/* For servers the following masks are for the key and auth
* algorithms that are supported by the certs below.
int ssl2_enc_init(SSL *s, int client);
int ssl2_generate_key_material(SSL *s);
-void ssl2_enc(SSL *s,int send_data);
+int ssl2_enc(SSL *s,int send_data);
void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
int dtls1_read_failed(SSL *s, int code);
int dtls1_buffer_message(SSL *s, int ccs);
int dtls1_retransmit_message(SSL *s, unsigned short seq,
int dtls1_is_timer_expired(SSL *s);
void dtls1_double_timeout(SSL *s);
int dtls1_send_newsession_ticket(SSL *s);
-unsigned int dtls1_min_mtu(void);
+unsigned int dtls1_min_mtu(SSL *s);
+unsigned int dtls1_link_min_mtu(void);
+void dtls1_hm_fragment_free(hm_fragment *frag);
/* some client-only functions */
int ssl3_client_hello(SSL *s);
int ssl3_get_server_certificate(SSL *s);
int ssl3_check_cert_and_algorithm(SSL *s);
#ifndef OPENSSL_NO_TLSEXT
-int ssl3_check_finished(SSL *s);
# ifndef OPENSSL_NO_NEXTPROTONEG
int ssl3_send_next_proto(SSL *s);
# endif
int ssl3_send_server_key_exchange(SSL *s);
int ssl3_send_certificate_request(SSL *s);
int ssl3_send_server_done(SSL *s);
-int ssl3_check_client_hello(SSL *s);
int ssl3_get_client_certificate(SSL *s);
int ssl3_get_client_key_exchange(SSL *s);
int ssl3_get_cert_verify(SSL *s);
int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
unsigned int len, int create_empty_fragement);
int dtls1_dispatch_alert(SSL *s);
-int dtls1_enc(SSL *s, int snd);
int ssl_init_wbio_buffer(SSL *s, int push);
void ssl_free_wbio_buffer(SSL *s);
int *curves, size_t ncurves);
int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
const char *str);
+#ifndef OPENSSL_NO_ECDH
int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
+#endif /* OPENSSL_NO_ECDH */
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al);
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
+int tls1_set_server_sigalgs(SSL *s);
int ssl_check_clienthello_tlsext_late(SSL *s);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
int ssl_prepare_clienthello_tlsext(SSL *s);
int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
int *al);
long ssl_get_algorithm2(SSL *s);
-int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
+int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
+int tls1_process_sigalgs(SSL *s);
size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
const unsigned char *sig, EVP_PKEY *pkey);
void custom_ext_init(custom_ext_methods *meths);
int custom_ext_parse(SSL *s, int server,
- unsigned short ext_type,
+ unsigned int ext_type,
const unsigned char *ext_data,
- unsigned short ext_size,
+ size_t ext_size,
int *al);
int custom_ext_add(SSL *s, int server,
unsigned char **pret,
projects / openssl.git / blobdiff