# include <errno.h>
# include "e_os.h"
+# if defined(__unix) || defined(__unix__)
+# include <sys/time.h> /* struct timeval for DTLS */
+# endif
# include <openssl/buffer.h>
-# ifndef OPENSSL_NO_COMP
-# include <openssl/comp.h>
-# endif
+# include <openssl/comp.h>
# include <openssl/bio.h>
# include <openssl/stack.h>
-# ifndef OPENSSL_NO_RSA
-# include <openssl/rsa.h>
-# endif
-# ifndef OPENSSL_NO_DSA
-# include <openssl/dsa.h>
-# endif
+# include <openssl/rsa.h>
+# include <openssl/dsa.h>
# include <openssl/err.h>
# include <openssl/ssl.h>
# include <openssl/async.h>
# include <openssl/symhacks.h>
-# ifndef OPENSSL_NO_CT
-# include <openssl/ct.h>
-# endif
+# include <openssl/ct.h>
#include "record/record.h"
#include "statem/statem.h"
#include "packet_locl.h"
*/
# define TLS1_STREAM_MAC 0x10000
+# define SSL_STRONG_MASK 0x0000001FU
# define SSL_DEFAULT_MASK 0X00000020U
# define SSL_STRONG_NONE 0x00000001U
# define SSL_CLIENT_USE_TLS1_2_CIPHERS(s) \
((!SSL_IS_DTLS(s) && s->client_version >= TLS1_2_VERSION) || \
(SSL_IS_DTLS(s) && DTLS_VERSION_GE(s->client_version, DTLS1_2_VERSION)))
+/*
+ * Determine if a client should send signature algorithms extension:
+ * as with TLS1.2 cipher we can't rely on method flags.
+ */
+# define SSL_CLIENT_USE_SIGALGS(s) \
+ SSL_CLIENT_USE_TLS1_2_CIPHERS(s)
# ifdef TLSEXT_TYPE_encrypt_then_mac
# define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
int (*ssl_pending) (const SSL *s);
int (*num_ciphers) (void);
const SSL_CIPHER *(*get_cipher) (unsigned ncipher);
- const struct ssl_method_st *(*get_ssl_method) (int version);
long (*get_timeout) (void);
const struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
int (*ssl_version) (void);
* Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
* If they are not, the connection should be aborted.
*/
- ct_validation_cb ct_validation_callback;
+ ssl_ct_validation_cb ct_validation_callback;
void *ct_validation_callback_arg;
# endif
void *tlsext_servername_arg;
/* RFC 4507 session ticket keys */
unsigned char tlsext_tick_key_name[16];
- unsigned char tlsext_tick_hmac_key[16];
- unsigned char tlsext_tick_aes_key[16];
+ unsigned char tlsext_tick_hmac_key[32];
+ unsigned char tlsext_tick_aes_key[32];
/* Callback to support customisation of ticket key setting */
int (*tlsext_ticket_key_cb) (SSL *ssl,
unsigned char *name, unsigned char *iv,
size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist;
# endif /* OPENSSL_NO_EC */
+
+ /* ext status type used for CSR extension (OCSP Stapling) */
+ int tlsext_status_type;
+
CRYPTO_RWLOCK *lock;
};
X509_VERIFY_PARAM *param;
/* Per connection DANE state */
- struct dane_st dane;
+ SSL_DANE dane;
/* crypto */
STACK_OF(SSL_CIPHER) *cipher_list;
* Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
* If they are not, the connection should be aborted.
*/
- ct_validation_cb ct_validation_callback;
+ ssl_ct_validation_cb ct_validation_callback;
/* User-supplied argument tha tis passed to the ct_validation_callback */
void *ct_validation_callback_arg;
/*
pitem *pqueue_find(pqueue *pq, unsigned char *prio64be);
pitem *pqueue_iterator(pqueue *pq);
pitem *pqueue_next(piterator *iter);
-void pqueue_print(pqueue *pq);
int pqueue_size(pqueue *pq);
typedef struct dtls1_state_st {
#define SSL_METHOD_NO_SUITEB (1U<<1)
# define IMPLEMENT_tls_meth_func(version, flags, mask, func_name, s_accept, \
- s_connect, s_get_meth, enc_data) \
+ s_connect, enc_data) \
const SSL_METHOD *func_name(void) \
{ \
static const SSL_METHOD func_name##_data= { \
ssl3_pending, \
ssl3_num_ciphers, \
ssl3_get_cipher, \
- s_get_meth, \
tls1_default_timeout, \
&enc_data, \
ssl_undefined_void_function, \
return &func_name##_data; \
}
-# define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect, s_get_meth) \
+# define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect) \
const SSL_METHOD *func_name(void) \
{ \
static const SSL_METHOD func_name##_data= { \
ssl3_pending, \
ssl3_num_ciphers, \
ssl3_get_cipher, \
- s_get_meth, \
ssl3_default_timeout, \
&SSLv3_enc_data, \
ssl_undefined_void_function, \
}
# define IMPLEMENT_dtls1_meth_func(version, flags, mask, func_name, s_accept, \
- s_connect, s_get_meth, enc_data) \
+ s_connect, enc_data) \
const SSL_METHOD *func_name(void) \
{ \
static const SSL_METHOD func_name##_data= { \
ssl3_pending, \
ssl3_num_ciphers, \
ssl3_get_cipher, \
- s_get_meth, \
dtls1_default_timeout, \
&enc_data, \
ssl_undefined_void_function, \
__owur int ssl_allow_compression(SSL *s);
+__owur int ssl_version_supported(const SSL *s, int version);
+
__owur int ssl_set_client_hello_version(SSL *s);
__owur int ssl_check_version_downgrade(SSL *s);
__owur int ssl_set_version_bound(int method_version, int version, int *bound);
__owur int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src);
void custom_exts_free(custom_ext_methods *exts);
+void ssl_comp_free_compression_methods_int(void);
+
# else
# define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer