X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=include%2Fopenssl%2Fssl.h;h=8459c93e0547e17a32eb6ae43854ea3a306ced40;hp=cc2a47f42a0cba1d1aeeee4a4e674e9202128765;hb=b9aec69ace2ae84b2b4494cc49725945805d5a29;hpb=b11836a63a8973c2b61f8ccd10a085361bced2ea diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index cc2a47f42a..8459c93e05 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -144,7 +144,6 @@ # include # include - # include # include # if OPENSSL_API_COMPAT < 0x10100000L @@ -159,9 +158,7 @@ # include # include -# ifndef OPENSSL_NO_CT -# include -# endif +# include #ifdef __cplusplus extern "C" { @@ -646,13 +643,8 @@ __owur int SRP_Calc_A_param(SSL *s); # endif -# if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) -# define SSL_MAX_CERT_LIST_DEFAULT 1024*30 - /* 30k max cert list :-) */ -# else -# define SSL_MAX_CERT_LIST_DEFAULT 1024*100 - /* 100k max cert list :-) */ -# endif +/* 100k max cert list */ +# define SSL_MAX_CERT_LIST_DEFAULT 1024*100 # define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20) @@ -1375,7 +1367,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl(s, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) -__owur BIO_METHOD *BIO_f_ssl(void); +__owur const BIO_METHOD *BIO_f_ssl(void); __owur BIO *BIO_new_ssl(SSL_CTX *ctx, int client); __owur BIO *BIO_new_ssl_connect(SSL_CTX *ctx); __owur BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx); @@ -1586,7 +1578,7 @@ __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, * Bridge opacity barrier between libcrypt and libssl, also needed to support * offline testing in test/danetest.c */ -struct dane_st *SSL_get0_dane(SSL *ssl); +SSL_DANE *SSL_get0_dane(SSL *ssl); __owur int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm); __owur int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm); @@ -1642,9 +1634,9 @@ __owur const char *SSL_get_version(const SSL *s); __owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); # ifndef OPENSSL_NO_SSL3_METHOD -__owur const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ -__owur const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ -__owur const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_method(void)) /* SSLv3 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_server_method(void)) /* SSLv3 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_client_method(void)) /* SSLv3 */ # endif #define SSLv23_method TLS_method @@ -1656,25 +1648,35 @@ __owur const SSL_METHOD *TLS_method(void); __owur const SSL_METHOD *TLS_server_method(void); __owur const SSL_METHOD *TLS_client_method(void); -__owur const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ -__owur const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ -__owur const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */ +# ifndef OPENSSL_NO_TLS1_METHOD +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_method(void)) /* TLSv1.0 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_server_method(void)) /* TLSv1.0 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void)) /* TLSv1.0 */ +# endif -__owur const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */ -__owur const SSL_METHOD *TLSv1_1_server_method(void); /* TLSv1.1 */ -__owur const SSL_METHOD *TLSv1_1_client_method(void); /* TLSv1.1 */ +# ifndef OPENSSL_NO_TLS1_1_METHOD +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_method(void)) /* TLSv1.1 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_server_method(void)) /* TLSv1.1 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_client_method(void)) /* TLSv1.1 */ +# endif -__owur const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */ -__owur const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */ -__owur const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */ +# ifndef OPENSSL_NO_TLS1_2_METHOD +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_server_method(void)) /* TLSv1.2 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void)) /* TLSv1.2 */ +# endif -__owur const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */ -__owur const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */ -__owur const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */ +# ifndef OPENSSL_NO_DTLS1_METHOD +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_method(void)) /* DTLSv1.0 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_server_method(void)) /* DTLSv1.0 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_client_method(void)) /* DTLSv1.0 */ +# endif -__owur const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */ -__owur const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */ -__owur const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */ +# ifndef OPENSSL_NO_DTLS1_2_METHOD +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_method(void)) /* DTLSv1.2 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_server_method(void)) /* DTLSv1.2 */ +DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_client_method(void)) /* DTLSv1.2 */ +#endif __owur const SSL_METHOD *DTLS_method(void); /* DTLS 1.0 and 1.2 */ __owur const SSL_METHOD *DTLS_server_method(void); /* DTLS 1.0 and 1.2 */ @@ -1762,15 +1764,15 @@ __owur size_t SSL_SESSION_get_master_key(const SSL_SESSION *ssl, unsigned char *out, size_t outlen); #define SSL_get_ex_new_index(l, p, newf, dupf, freef) \ - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, l, p, newf, dupf, freef) + CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, l, p, newf, dupf, freef) __owur int SSL_set_ex_data(SSL *ssl, int idx, void *data); void *SSL_get_ex_data(const SSL *ssl, int idx); #define SSL_SESSION_get_ex_new_index(l, p, newf, dupf, freef) \ - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, l, p, newf, dupf, freef) + CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, l, p, newf, dupf, freef) __owur int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data); void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss, int idx); #define SSL_CTX_get_ex_new_index(l, p, newf, dupf, freef) \ - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, l, p, newf, dupf, freef) + CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, l, p, newf, dupf, freef) __owur int SSL_CTX_set_ex_data(SSL_CTX *ssl, int idx, void *data); void *SSL_CTX_get_ex_data(const SSL_CTX *ssl, int idx); @@ -1890,10 +1892,21 @@ void SSL_trace(int write_p, int version, int content_type, __owur const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c); # endif +# ifndef OPENSSL_NO_SOCK int DTLSv1_listen(SSL *s, BIO_ADDR *client); +# endif # ifndef OPENSSL_NO_CT +/* + * A callback for verifying that the received SCTs are sufficient. + * Expected to return 1 if they are sufficient, otherwise 0. + * May return a negative integer if an error occurs. + * A connection should be aborted if the SCTs are deemed insufficient. + */ +typedef int(*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx, + const STACK_OF(SCT) *scts, void *arg); + /* * Sets a |callback| that is invoked upon receipt of ServerHelloDone to validate * the received SCTs. @@ -1906,27 +1919,79 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client); * NOTE: A side-effect of setting a CT callback is that an OCSP stapled response * will be requested. */ -__owur int SSL_set_ct_validation_callback(SSL *s, - ct_validation_cb callback, - void *arg); -__owur int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, - ct_validation_cb callback, - void *arg); +int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback, + void *arg); +int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, + ssl_ct_validation_cb callback, + void *arg); +#define SSL_disable_ct(s) \ + ((void) SSL_set_validation_callback((s), NULL, NULL)) +#define SSL_CTX_disable_ct(ctx) \ + ((void) SSL_CTX_set_validation_callback((ctx), NULL, NULL)) + +/* + * The validation type enumerates the available behaviours of the built-in SSL + * CT validation callback selected via SSL_enable_ct() and SSL_CTX_enable_ct(). + * The underlying callback is a static function in libssl. + */ +enum { + SSL_CT_VALIDATION_PERMISSIVE = 0, + SSL_CT_VALIDATION_STRICT +}; + +/* + * Enable CT by setting up a callback that implements one of the built-in + * validation variants. The SSL_CT_VALIDATION_PERMISSIVE variant always + * continues the handshake, the application can make appropriate decisions at + * handshake completion. The SSL_CT_VALIDATION_STRICT variant requires at + * least one valid SCT, or else handshake termination will be requested. The + * handshake may continue anyway if SSL_VERIFY_NONE is in effect. + */ +int SSL_enable_ct(SSL *s, int validation_mode); +int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode); + /* - * Gets the callback being used to validate SCTs. - * This will return NULL if SCTs are neither being requested nor validated. + * Report whether a non-NULL callback is enabled. */ -__owur ct_validation_cb SSL_get_ct_validation_callback(const SSL *s); -__owur ct_validation_cb SSL_CTX_get_ct_validation_callback(const SSL_CTX *ctx); +int SSL_ct_is_enabled(const SSL *s); +int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx); /* Gets the SCTs received from a connection */ const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s); -/* Load the CT log list from the default location */ +/* + * Loads the CT log list from the default location. + * If a CTLOG_STORE has previously been set using SSL_CTX_set_ctlog_store, + * the log information loaded from this file will be appended to the + * CTLOG_STORE. + * Returns 1 on success, 0 otherwise. + */ int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx); -/* Load the CT log list from the specified file path */ + +/* + * Loads the CT log list from the specified file path. + * If a CTLOG_STORE has previously been set using SSL_CTX_set_ctlog_store, + * the log information loaded from this file will be appended to the + * CTLOG_STORE. + * Returns 1 on success, 0 otherwise. + */ int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path); +/* + * Sets the CT log list used by all SSL connections created from this SSL_CTX. + * Ownership of the CTLOG_STORE is transferred to the SSL_CTX. + */ +void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs); + +/* + * Gets the CT log list used by all SSL connections created from this SSL_CTX. + * This will be NULL unless one of the following functions has been called: + * - SSL_CTX_set_default_ctlog_list_file + * - SSL_CTX_set_ctlog_list_file + * - SSL_CTX_set_ctlog_store + */ +const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx); + # endif /* OPENSSL_NO_CT */ /* What the "other" parameter contains in security callback */ @@ -2041,6 +2106,7 @@ void ERR_load_SSL_strings(void); /* Function codes. */ # define SSL_F_CHECK_SUITEB_CIPHER_LIST 331 # define SSL_F_CT_MOVE_SCTS 345 +# define SSL_F_CT_STRICT 349 # define SSL_F_D2I_SSL_SESSION 103 # define SSL_F_DANE_CTX_ENABLE 347 # define SSL_F_DANE_MTYPE_SET 393 @@ -2123,7 +2189,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL_CREATE_CIPHER_LIST 166 # define SSL_F_SSL_CTRL 232 # define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 -# define SSL_F_SSL_CTX_GET_CT_VALIDATION_CALLBACK 349 +# define SSL_F_SSL_CTX_ENABLE_CT 398 # define SSL_F_SSL_CTX_MAKE_PROFILES 309 # define SSL_F_SSL_CTX_NEW 169 # define SSL_F_SSL_CTX_SET_ALPN_PROTOS 343 @@ -2149,8 +2215,8 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL_DANE_ENABLE 395 # define SSL_F_SSL_DO_CONFIG 391 # define SSL_F_SSL_DO_HANDSHAKE 180 +# define SSL_F_SSL_ENABLE_CT 402 # define SSL_F_SSL_GET0_PEER_SCTS 397 -# define SSL_F_SSL_GET_CT_VALIDATION_CALLBACK 398 # define SSL_F_SSL_GET_NEW_SESSION 181 # define SSL_F_SSL_GET_PREV_SESSION 217 # define SSL_F_SSL_GET_SERVER_CERT_INDEX 322 @@ -2373,6 +2439,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_INVALID_COMMAND 280 # define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 # define SSL_R_INVALID_CONFIGURATION_NAME 113 +# define SSL_R_INVALID_CT_VALIDATION_TYPE 212 # define SSL_R_INVALID_NULL_CMD_NAME 385 # define SSL_R_INVALID_PURPOSE 278 # define SSL_R_INVALID_SEQUENCE_NUMBER 402 @@ -2421,6 +2488,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_NO_SHARED_CIPHER 193 # define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS 376 # define SSL_R_NO_SRTP_PROFILES 359 +# define SSL_R_NO_VALID_SCTS 216 # define SSL_R_NO_VERIFY_CALLBACK 194 # define SSL_R_NO_VERIFY_COOKIE_CALLBACK 403 # define SSL_R_NULL_SSL_CTX 195 @@ -2479,6 +2547,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_SSL_SESSION_ID_CONFLICT 302 # define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 # define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303 +# define SSL_R_SSL_SESSION_VERSION_MISMATCH 210 # define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 # define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365 # define SSL_R_TLS_HEARTBEAT_PENDING 366