X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=include%2Fopenssl%2Fssl.h;h=a810da7759553b1f965ab66a91cdfb9e8bd05bbe;hp=6b6560dc755ae82b268dc0eb50ac8a32b015b4f7;hb=7c8b53571698f32219a912e05bc71df4017094c1;hpb=0096d8f7e01d2c0616f9a916145b62a2d8d7acdf diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 6b6560dc75..a810da7759 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -245,6 +245,8 @@ extern "C" { # define SSL_TXT_AES256 "AES256" # define SSL_TXT_AES "AES" # define SSL_TXT_AES_GCM "AESGCM" +# define SSL_TXT_AES_CCM "AESCCM" +# define SSL_TXT_AES_CCM_8 "AESCCM8" # define SSL_TXT_CAMELLIA128 "CAMELLIA128" # define SSL_TXT_CAMELLIA256 "CAMELLIA256" # define SSL_TXT_CAMELLIA "CAMELLIA" @@ -288,7 +290,7 @@ extern "C" { * The following cipher list is used by default. It also is substituted when * an application-defined cipher list string starts with 'DEFAULT'. */ -# define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL" +# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" /* * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is @@ -357,6 +359,7 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, /* Allow initial connection to servers that don't support RI */ # define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L /* Removed from OpenSSL 0.9.8q and 1.0.0c */ +/* Dead forever, see CVE-2010-4180. */ # define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0L # define SSL_OP_TLSEXT_PADDING 0x00000010L # define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L @@ -747,7 +750,7 @@ void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, *cookie_len)); void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb) (SSL *ssl, - unsigned char + const unsigned char *cookie, unsigned int cookie_len)); @@ -917,22 +920,76 @@ extern "C" { # define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0)) # define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg)) + +/* + * The valid handshake states (one for each type message sent and one for each + * type of message received). There are also two "special" states: + * TLS = TLS or DTLS state + * DTLS = DTLS specific state + * CR/SR = Client Read/Server Read + * CW/SW = Client Write/Server Write + * + * The "special" states are: + * TLS_ST_BEFORE = No handshake has been initiated yet + * TLS_ST_OK = A handshake has been successfully completed + */ +typedef enum { + TLS_ST_BEFORE, + TLS_ST_OK, + DTLS_ST_CR_HELLO_VERIFY_REQUEST, + TLS_ST_CR_SRVR_HELLO, + TLS_ST_CR_CERT, + TLS_ST_CR_CERT_STATUS, + TLS_ST_CR_KEY_EXCH, + TLS_ST_CR_CERT_REQ, + TLS_ST_CR_SRVR_DONE, + TLS_ST_CR_SESSION_TICKET, + TLS_ST_CR_CHANGE, + TLS_ST_CR_FINISHED, + TLS_ST_CW_CLNT_HELLO, + TLS_ST_CW_CERT, + TLS_ST_CW_KEY_EXCH, + TLS_ST_CW_CERT_VRFY, + TLS_ST_CW_CHANGE, + TLS_ST_CW_NEXT_PROTO, + TLS_ST_CW_FINISHED, + TLS_ST_SW_HELLO_REQ, + TLS_ST_SR_CLNT_HELLO, + DTLS_ST_SW_HELLO_VERIFY_REQUEST, + TLS_ST_SW_SRVR_HELLO, + TLS_ST_SW_CERT, + TLS_ST_SW_KEY_EXCH, + TLS_ST_SW_CERT_REQ, + TLS_ST_SW_SRVR_DONE, + TLS_ST_SR_CERT, + TLS_ST_SR_KEY_EXCH, + TLS_ST_SR_CERT_VRFY, + TLS_ST_SR_NEXT_PROTO, + TLS_ST_SR_CHANGE, + TLS_ST_SR_FINISHED, + TLS_ST_SW_SESSION_TICKET, + TLS_ST_SW_CERT_STATUS, + TLS_ST_SW_CHANGE, + TLS_ST_SW_FINISHED +} OSSL_HANDSHAKE_STATE; + /* - * The following are the possible values for ssl->state are are used to - * indicate where we are up to in the SSL connection establishment. The - * macros that follow are about the only things you should need to use and - * even then, only when using non-blocking IO. It can also be useful to work - * out where you were when the connection failed + * Most of the following state values are no longer used and are defined to be + * the closest equivalent value in the current state machine code. Not all + * defines have an equivalent and are set to a dummy value (-1). SSL_ST_CONNECT + * and SSL_ST_ACCEPT are still in use in the definition of SSL_CB_ACCEPT_LOOP, + * SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP and SSL_CB_CONNECT_EXIT. */ # define SSL_ST_CONNECT 0x1000 # define SSL_ST_ACCEPT 0x2000 + # define SSL_ST_MASK 0x0FFF -# define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT) -# define SSL_ST_BEFORE 0x4000 -# define SSL_ST_OK 0x03 -# define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT) -# define SSL_ST_ERR 0x05 +# define SSL_ST_INIT (-1) +# define SSL_ST_BEFORE TLS_ST_BEFORE +# define SSL_ST_OK TLS_ST_OK +# define SSL_ST_RENEGOTIATE (-1) +# define SSL_ST_ERR (-1) # define SSL_CB_LOOP 0x01 # define SSL_CB_EXIT 0x02 @@ -950,11 +1007,11 @@ extern "C" { /* Is the SSL_connection established? */ # define SSL_get_state(a) SSL_state(a) -# define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK) -# define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT) -# define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE) -# define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT) -# define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT) +# define SSL_in_connect_init(a) (SSL_in_init(a) && !SSL_is_server(a)) +# define SSL_in_accept_init(a) (SSL_in_init(a) && SSL_is_server(a)) +int SSL_in_init(SSL *s); +int SSL_in_before(SSL *s); +int SSL_is_init_finished(SSL *s); /* * The following 3 states are kept in ssl->rlayer.rstate when reads fail, you @@ -1384,11 +1441,8 @@ __owur int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); /* Set serverinfo data for the current active cert. */ __owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, size_t serverinfo_length); -# ifndef OPENSSL_NO_STDIO __owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file); -# endif /* NO_STDIO */ -# ifndef OPENSSL_NO_STDIO __owur int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); __owur int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); __owur int SSL_use_certificate_file(SSL *ssl, const char *file, int type); @@ -1401,11 +1455,9 @@ __owur int SSL_use_certificate_chain_file(SSL *ssl, const char *file); __owur STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); __owur int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *file); -# ifndef OPENSSL_SYS_VMS +# ifndef OPENSSL_SYS_VMS int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *dir); -# endif - # endif void SSL_load_error_strings(void); @@ -1635,6 +1687,8 @@ void SSL_set_shutdown(SSL *ssl, int mode); __owur int SSL_get_shutdown(const SSL *ssl); __owur int SSL_version(const SSL *ssl); __owur int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); +__owur int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx); +__owur int SSL_CTX_set_default_verify_file(SSL_CTX *ctx); __owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); # define SSL_get0_session SSL_get_session/* just peek at pointer */ @@ -1646,8 +1700,8 @@ void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val)); void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type, int val); -__owur int SSL_state(const SSL *ssl); -void SSL_set_state(SSL *ssl, int state); +__owur OSSL_HANDSHAKE_STATE SSL_state(const SSL *ssl); +void SSL_set_state(SSL *ssl, OSSL_HANDSHAKE_STATE state); void SSL_set_verify_result(SSL *ssl, long v); __owur long SSL_get_verify_result(const SSL *ssl); @@ -1882,6 +1936,8 @@ __owur void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx); __owur const struct openssl_ssl_test_functions *SSL_test_functions(void); # endif +extern const char SSL_version_str[]; + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes @@ -1909,6 +1965,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_DTLS1_GET_RECORD 254 # define SSL_F_DTLS1_HANDLE_TIMEOUT 297 # define SSL_F_DTLS1_HEARTBEAT 305 +# define SSL_F_DTLS1_LISTEN 350 # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255 # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288 # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256 @@ -1925,6 +1982,11 @@ void ERR_load_SSL_strings(void); # define SSL_F_DTLS1_SEND_SERVER_HELLO 266 # define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267 # define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268 +# define SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC 371 +# define SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST 385 +# define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE 370 +# define SSL_F_DTLS_PROCESS_HELLO_VERIFY 386 +# define SSL_F_READ_STATE_MACHINE 352 # define SSL_F_SSL3_ACCEPT 128 # define SSL_F_SSL3_ADD_CERT_TO_BUF 296 # define SSL_F_SSL3_CALLBACK_CTRL 233 @@ -1943,6 +2005,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135 # define SSL_F_SSL3_GET_CERT_STATUS 289 # define SSL_F_SSL3_GET_CERT_VERIFY 136 +# define SSL_F_SSL3_GET_CHANGE_CIPHER_SPEC 349 # define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137 # define SSL_F_SSL3_GET_CLIENT_HELLO 138 # define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139 @@ -2015,7 +2078,6 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL_CTX_SET_TRUST 229 # define SSL_F_SSL_CTX_USE_CERTIFICATE 171 # define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 -# define SSL_F_USE_CERTIFICATE_CHAIN_FILE 220 # define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173 # define SSL_F_SSL_CTX_USE_PRIVATEKEY 174 # define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175 @@ -2082,6 +2144,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 # define SSL_F_SSL_VERIFY_CERT_CHAIN 207 # define SSL_F_SSL_WRITE 208 +# define SSL_F_STATE_MACHINE 353 # define SSL_F_TLS12_CHECK_PEER_SIGALG 333 # define SSL_F_TLS1_CERT_VERIFY_MAC 286 # define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 @@ -2096,6 +2159,38 @@ void ERR_load_SSL_strings(void); # define SSL_F_TLS1_PROCESS_HEARTBEAT 341 # define SSL_F_TLS1_SETUP_KEY_BLOCK 211 # define SSL_F_TLS1_SET_SERVER_SIGALGS 335 +# define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK 354 +# define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST 372 +# define SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE 355 +# define SSL_F_TLS_CONSTRUCT_CLIENT_HELLO 356 +# define SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE 357 +# define SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY 358 +# define SSL_F_TLS_CONSTRUCT_FINISHED 359 +# define SSL_F_TLS_CONSTRUCT_HELLO_REQUEST 373 +# define SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE 374 +# define SSL_F_TLS_CONSTRUCT_SERVER_DONE 375 +# define SSL_F_TLS_CONSTRUCT_SERVER_HELLO 376 +# define SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE 377 +# define SSL_F_TLS_GET_MESSAGE_BODY 351 +# define SSL_F_TLS_GET_MESSAGE_HEADER 350 +# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 378 +# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 384 +# define SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE 360 +# define SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST 361 +# define SSL_F_TLS_PROCESS_CERT_STATUS 362 +# define SSL_F_TLS_PROCESS_CERT_VERIFY 379 +# define SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC 363 +# define SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE 380 +# define SSL_F_TLS_PROCESS_CLIENT_HELLO 381 +# define SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE 382 +# define SSL_F_TLS_PROCESS_FINISHED 364 +# define SSL_F_TLS_PROCESS_KEY_EXCHANGE 365 +# define SSL_F_TLS_PROCESS_NEW_SESSION_TICKET 366 +# define SSL_F_TLS_PROCESS_NEXT_PROTO 383 +# define SSL_F_TLS_PROCESS_SERVER_CERTIFICATE 367 +# define SSL_F_TLS_PROCESS_SERVER_DONE 368 +# define SSL_F_TLS_PROCESS_SERVER_HELLO 369 +# define SSL_F_USE_CERTIFICATE_CHAIN_FILE 220 /* Reason codes. */ # define SSL_R_APP_DATA_IN_HANDSHAKE 100 @@ -2106,8 +2201,12 @@ void ERR_load_SSL_strings(void); # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106 # define SSL_R_BAD_DECOMPRESSION 107 # define SSL_R_BAD_DH_G_LENGTH 108 +# define SSL_R_BAD_DH_G_VALUE 375 # define SSL_R_BAD_DH_PUB_KEY_LENGTH 109 +# define SSL_R_BAD_DH_PUB_KEY_VALUE 393 # define SSL_R_BAD_DH_P_LENGTH 110 +# define SSL_R_BAD_DH_P_VALUE 395 +# define SSL_R_BAD_DH_VALUE 102 # define SSL_R_BAD_DIGEST_LENGTH 111 # define SSL_R_BAD_DSA_SIGNATURE 112 # define SSL_R_BAD_ECC_CERT 304 @@ -2158,6 +2257,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307 # define SSL_R_COMPRESSION_LIBRARY_ERROR 142 # define SSL_R_CONNECTION_TYPE_NOT_SET 144 +# define SSL_R_COOKIE_GEN_CALLBACK_FAILURE 400 # define SSL_R_COOKIE_MISMATCH 308 # define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 # define SSL_R_DATA_LENGTH_TOO_LONG 146 @@ -2181,6 +2281,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 # define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 # define SSL_R_EXTRA_DATA_IN_MESSAGE 153 +# define SSL_R_FRAGMENTED_CLIENT_HELLO 401 # define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 # define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355 # define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356 @@ -2193,12 +2294,14 @@ void ERR_load_SSL_strings(void); # define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 # define SSL_R_INVALID_NULL_CMD_NAME 385 # define SSL_R_INVALID_PURPOSE 278 +# define SSL_R_INVALID_SEQUENCE_NUMBER 402 # define SSL_R_INVALID_SERVERINFO_DATA 388 # define SSL_R_INVALID_SRP_USERNAME 357 # define SSL_R_INVALID_STATUS_RESPONSE 328 # define SSL_R_INVALID_TICKET_KEYS_LENGTH 325 # define SSL_R_INVALID_TRUST 279 # define SSL_R_LENGTH_MISMATCH 159 +# define SSL_R_LENGTH_TOO_LONG 102 # define SSL_R_LENGTH_TOO_SHORT 160 # define SSL_R_LIBRARY_BUG 274 # define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 @@ -2242,6 +2345,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS 376 # define SSL_R_NO_SRTP_PROFILES 359 # define SSL_R_NO_VERIFY_CALLBACK 194 +# define SSL_R_NO_VERIFY_COOKIE_CALLBACK 403 # define SSL_R_NULL_SSL_CTX 195 # define SSL_R_NULL_SSL_METHOD_PASSED 196 # define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197