projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Move ALPN processing into an extension finalisation function
[openssl.git]
/
ssl
/
ssl_locl.h
diff --git
a/ssl/ssl_locl.h
b/ssl/ssl_locl.h
index 88b2f8b575598dfca2b89e0f30107efaf0c830ab..e068fd102ef9a2951556e5bb3a94b2ea2963c83e 100644
(file)
--- a/
ssl/ssl_locl.h
+++ b/
ssl/ssl_locl.h
@@
-66,6
+66,7
@@
# include "statem/statem.h"
# include "packet_locl.h"
# include "internal/dane.h"
# include "statem/statem.h"
# include "packet_locl.h"
# include "internal/dane.h"
+# include "internal/refcount.h"
# ifdef OPENSSL_BUILD_SHLIBSSL
# undef OPENSSL_EXTERN
# ifdef OPENSSL_BUILD_SHLIBSSL
# undef OPENSSL_EXTERN
@@
-351,7
+352,9
@@
# define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
/* Check if we are using TLSv1.3 */
# define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
/* Check if we are using TLSv1.3 */
-# define SSL_IS_TLS13(s) (!SSL_IS_DTLS(s) && (s)->version >= TLS1_3_VERSION)
+# define SSL_IS_TLS13(s) (!SSL_IS_DTLS(s) \
+ && (s)->method->version >= TLS1_3_VERSION \
+ && (s)->method->version != TLS_ANY_VERSION)
/* See if we need explicit IV */
# define SSL_USE_EXPLICIT_IV(s) \
/* See if we need explicit IV */
# define SSL_USE_EXPLICIT_IV(s) \
@@
-536,7
+539,7
@@
struct ssl_session_st {
* certificate is not ok, we must remember the error for session reuse:
*/
long verify_result; /* only for servers */
* certificate is not ok, we must remember the error for session reuse:
*/
long verify_result; /* only for servers */
-
int
references;
+
CRYPTO_REF_COUNT
references;
long timeout;
long time;
unsigned int compress_meth; /* Need to lookup the method */
long timeout;
long time;
unsigned int compress_meth; /* Need to lookup the method */
@@
-663,7
+666,7
@@
struct ssl_ctx_st {
* :-) */
} stats;
* :-) */
} stats;
-
int
references;
+
CRYPTO_REF_COUNT
references;
/* if defined, these override the X509_verify_cert() calls */
int (*app_verify_callback) (X509_STORE_CTX *, void *);
/* if defined, these override the X509_verify_cert() calls */
int (*app_verify_callback) (X509_STORE_CTX *, void *);
@@
-954,11
+957,15
@@
struct ssl_st {
*/
unsigned char early_secret[EVP_MAX_MD_SIZE];
unsigned char handshake_secret[EVP_MAX_MD_SIZE];
*/
unsigned char early_secret[EVP_MAX_MD_SIZE];
unsigned char handshake_secret[EVP_MAX_MD_SIZE];
+ unsigned char client_finished_secret[EVP_MAX_MD_SIZE];
+ unsigned char server_finished_secret[EVP_MAX_MD_SIZE];
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
+ unsigned char read_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static read IV */
EVP_MD_CTX *read_hash; /* used for mac generation */
COMP_CTX *compress; /* compression */
COMP_CTX *expand; /* uncompress */
EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
EVP_MD_CTX *read_hash; /* used for mac generation */
COMP_CTX *compress; /* compression */
COMP_CTX *expand; /* uncompress */
EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
+ unsigned char write_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static write IV */
EVP_MD_CTX *write_hash; /* used for mac generation */
/* session info */
/* client cert? */
EVP_MD_CTX *write_hash; /* used for mac generation */
/* session info */
/* client cert? */
@@
-1006,7
+1013,7
@@
struct ssl_st {
CRYPTO_EX_DATA ex_data;
/* for server side, keep the list of CA_dn we can use */
STACK_OF(X509_NAME) *client_CA;
CRYPTO_EX_DATA ex_data;
/* for server side, keep the list of CA_dn we can use */
STACK_OF(X509_NAME) *client_CA;
-
int
references;
+
CRYPTO_REF_COUNT
references;
/* protocol behaviour */
uint32_t options;
/* API behaviour */
/* protocol behaviour */
uint32_t options;
/* API behaviour */
@@
-1015,7
+1022,10
@@
struct ssl_st {
int max_proto_version;
size_t max_cert_list;
int first_packet;
int max_proto_version;
size_t max_cert_list;
int first_packet;
- /* what was passed, used for SSLv3/TLS rollback check */
+ /*
+ * What was passed in ClientHello.legacy_version. Used for RSA pre-master
+ * secret and SSLv3/TLS (<=1.2) rollback check
+ */
int client_version;
/*
* If we're using more than one pipeline how should we divide the data
int client_version;
/*
* If we're using more than one pipeline how should we divide the data
@@
-1543,7
+1553,7
@@
typedef struct cert_st {
/* If not NULL psk identity hint to use for servers */
char *psk_identity_hint;
# endif
/* If not NULL psk identity hint to use for servers */
char *psk_identity_hint;
# endif
-
int
references; /* >1 only if SSL_copy_session_id is used */
+
CRYPTO_REF_COUNT
references; /* >1 only if SSL_copy_session_id is used */
CRYPTO_RWLOCK *lock;
} CERT;
CRYPTO_RWLOCK *lock;
} CERT;
@@
-1626,8
+1636,12
@@
typedef struct ssl3_comp_st {
# endif
typedef struct raw_extension_st {
# endif
typedef struct raw_extension_st {
+ /* The type of the extension */
unsigned int type;
unsigned int type;
+ /* Raw packet data for the extension */
PACKET data;
PACKET data;
+ /* Set to 1 if we have already parsed the extension or 0 otherwise */
+ int parsed;
} RAW_EXTENSION;
#define MAX_COMPRESSIONS_SIZE 255
} RAW_EXTENSION;
#define MAX_COMPRESSIONS_SIZE 255
@@
-2002,6
+2016,10
@@
__owur size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen,
__owur int tls1_generate_master_secret(SSL *s, unsigned char *out,
unsigned char *p, size_t len,
size_t *secret_size);
__owur int tls1_generate_master_secret(SSL *s, unsigned char *out,
unsigned char *p, size_t len,
size_t *secret_size);
+__owur int tls13_setup_key_block(SSL *s);
+__owur size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
+ unsigned char *p);
+__owur int tls13_change_cipher_state(SSL *s, int which);
__owur int tls13_derive_secret(SSL *s, const unsigned char *insecret,
const unsigned char *label, size_t labellen,
unsigned char *secret);
__owur int tls13_derive_secret(SSL *s, const unsigned char *insecret,
const unsigned char *label, size_t labellen,
unsigned char *secret);
@@
-2046,6
+2064,8
@@
__owur int tls1_set_groups(unsigned char **pext, size_t *pextlen,
int *curves, size_t ncurves);
__owur int tls1_set_groups_list(unsigned char **pext, size_t *pextlen,
const char *str);
int *curves, size_t ncurves);
__owur int tls1_set_groups_list(unsigned char **pext, size_t *pextlen,
const char *str);
+void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
+ size_t *num_formats);
__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
__owur EVP_PKEY *ssl_generate_pkey_curve(int id);
# endif /* OPENSSL_NO_EC */
__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
__owur EVP_PKEY *ssl_generate_pkey_curve(int id);
# endif /* OPENSSL_NO_EC */
@@
-2053,21
+2073,20
@@
__owur EVP_PKEY *ssl_generate_pkey_curve(int id);
__owur int tls1_shared_list(SSL *s,
const unsigned char *l1, size_t l1len,
const unsigned char *l2, size_t l2len, int nmatch);
__owur int tls1_shared_list(SSL *s,
const unsigned char *l1, size_t l1len,
const unsigned char *l2, size_t l2len, int nmatch);
-__owur int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al);
-__owur int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al);
-__owur int ssl_parse_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello);
+__owur int tls_curve_allowed(SSL *s, const unsigned char *curve, int op);
+__owur int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves,
+ size_t *num_curves);
+
void ssl_set_default_md(SSL *s);
__owur int tls1_set_server_sigalgs(SSL *s);
__owur int ssl_check_clienthello_tlsext_late(SSL *s, int *al);
__owur int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt);
void ssl_set_default_md(SSL *s);
__owur int tls1_set_server_sigalgs(SSL *s);
__owur int ssl_check_clienthello_tlsext_late(SSL *s, int *al);
__owur int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt);
-__owur int ssl_prepare_clienthello_tlsext(SSL *s);
-__owur int ssl_prepare_serverhello_tlsext(SSL *s);
__owur RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts,
size_t numexts,
unsigned int type);
__owur int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
SSL_SESSION **ret);
__owur RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts,
size_t numexts,
unsigned int type);
__owur int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
SSL_SESSION **ret);
-__owur int tls_
check_client_ems_support(SSL *s, const CLIENTHELLO_MSG *hello
);
+__owur int tls_
use_ticket(SSL *s
);
__owur int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk,
const EVP_MD *md);
__owur int tls12_get_sigandhash(WPACKET *pkt, const EVP_PKEY *pk,
const EVP_MD *md);
@@
-2096,9
+2115,6
@@
__owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex,
__owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md);
void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
__owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md);
void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
-__owur int ssl_add_serverhello_renegotiate_ext(SSL *s, WPACKET *pkt);
-__owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al);
-__owur int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al);
__owur long ssl_get_algorithm2(SSL *s);
__owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
const unsigned char *psig, size_t psiglen);
__owur long ssl_get_algorithm2(SSL *s);
__owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
const unsigned char *psig, size_t psiglen);
@@
-2110,9
+2126,6
@@
__owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
void ssl_set_client_disabled(SSL *s);
__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);
void ssl_set_client_disabled(SSL *s);
__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);
-__owur int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al);
-__owur int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al);
-
__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
size_t *hashlen);
__owur const EVP_MD *ssl_md(int idx);
__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
size_t *hashlen);
__owur const EVP_MD *ssl_md(int idx);