X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl.h;h=0fe313490350e794eb89db763e71a32bbd04c328;hp=c5695c7fe1ba4687c6f32f5a60974558c9af3be9;hb=c74b3a6037b329dbd9dfbaf1a103e2cc707ecdbc;hpb=a06c602e6f8069bf5e12c8880565f81d35d078e4 diff --git a/ssl/ssl.h b/ssl/ssl.h index c5695c7fe1..0fe3134903 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1,15 +1,3 @@ -#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) -#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) -#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) -#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) -#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) -#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) -#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) -#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) - -#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) -#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) - /* ssl/ssl.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. @@ -75,6 +63,8 @@ extern "C" { #endif +#include + /* SSLeay version number for ASN.1 encoding of the session information */ /* Version 0 - initial version * Version 1 - added the optional peer certificate @@ -94,6 +84,7 @@ extern "C" { #define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA #define SSL_MAX_SSL_SESSION_ID_LENGTH 32 +#define SSL_MAX_SID_CTX_LENGTH 32 #define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8) #define SSL_MAX_KEY_ARG_LENGTH 8 @@ -153,11 +144,11 @@ extern "C" { #define SSL_SENT_SHUTDOWN 1 #define SSL_RECEIVED_SHUTDOWN 2 -#include "crypto.h" -#include "lhash.h" -#include "buffer.h" -#include "bio.h" -#include "x509.h" +#include +#include +#include +#include +#include #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 #define SSL_FILETYPE_PEM X509_FILETYPE_PEM 
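Review bot: `SSL_MAX_SID_CTX_LENGTH` is introduced in the `@@ -94` hunk with no comment, although it sizes the fixed `sid_ctx` arrays added later in this patch and is presumably the bound behind the new `SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG` reason code, so a reader has to discover its role from the .c files. I would put a line above it: `/* Upper bound, in bytes, on the application-supplied session ID context held in SSL and SSL_SESSION; SSL_set_session_id_context() rejects longer values */`. The targets of the new `#include` lines in this hunk group are not visible in this rendering, so they could not be checked.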
@@ -171,13 +162,15 @@ typedef struct ssl_st *ssl_crock_st; typedef struct ssl_cipher_st { int valid; - char *name; /* text name */ + const char *name; /* text name */ unsigned long id; /* id, 4 bytes, first is version */ unsigned long algorithms; /* what ciphers are used */ unsigned long algorithm2; /* Extra flags */ unsigned long mask; /* used for matching */ } SSL_CIPHER; +DECLARE_STACK_OF(SSL_CIPHER) + typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; @@ -190,9 +183,9 @@ typedef struct ssl_method_st void (*ssl_free)(SSL *s); int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); - int (*ssl_read)(SSL *s,char *buf,int len); + int (*ssl_read)(SSL *s,void *buf,int len); int (*ssl_peek)(SSL *s,char *buf,int len); - int (*ssl_write)(SSL *s,const char *buf,int len); + int (*ssl_write)(SSL *s,const void *buf,int len); int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); int (*ssl_renegotiate_check)(SSL *s); @@ -220,7 +213,8 @@ typedef struct ssl_method_st * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate - * Compression [4] IMPLICIT ASN1_OBJECT -- compression OID XXXXX + * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context + * Compression [5] IMPLICIT ASN1_OBJECT -- compression OID XXXXX * } * Look in ssl/ssl_asn1.c for more details * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). @@ -238,6 +232,11 @@ typedef struct ssl_session_st /* session_id - valid? */ unsigned int session_id_length; unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + /* this is used to determine whether the session is being reused in + * the appropriate context. It is up to the application to set this, + * via SSL_new */ + unsigned int sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; int not_resumable; 
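Review bot: In the `@@ -190` hunk `ssl_read` and `ssl_write` in the method table now take `void *` / `const void *`, but `ssl_peek` on the line between them keeps `char *buf`, so the three record-level entry points no longer share a buffer type and callers end up casting differently for each. I would change it in the same commit to `int (*ssl_peek)(SSL *s,void *buf,int len);` and adjust the implementations, which are outside this diff. The `ssl_method_st` definition begins and ends outside the hunk.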
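Review bot: The `@@ -220` hunk renumbers `Compression` from tag [4] to [5] to make room for `Session_ID_context [4]`, which changes the tag of a field that already existed in the documented encoding, and nothing in this hunk touches the ASN.1 version number that the header says governs session serialisation (its version list is a context line in an earlier hunk). If an encoder ever emitted compression at [4], a decoder built from this header would now read that blob as a session ID context; the `XXXXX` suggests it may never have been implemented, in which case a one-line note would settle it, e.g. ` * (Compression renumbered [4]->[5] when Session_ID_context was added; never emitted)` — only if that is true. ssl_asn1.c is outside this diff.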
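Review bot: The new field comment in the `@@ -238` hunk says the context is set by the application "via SSL_new", but `SSL_new(SSL_CTX *ctx)` as prototyped later in this patch takes no such argument; the call this commit actually adds for the purpose is `SSL_set_session_id_context()`, and pointing readers at the wrong function is how the feature ends up unused. I would replace the comment with `/* Session ID context: taken from the SSL when the session is created and compared on resumption so a session is only reused in the context it was created in. Set with SSL_set_session_id_context(); sid_ctx_length never exceeds SSL_MAX_SID_CTX_LENGTH. */`. The copied/compared behaviour is inferred from the new SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT reason code and should be confirmed against ssl_sess.c; `ssl_session_st` begins and ends outside the hunk.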
@@ -259,7 +258,7 @@ typedef struct ssl_session_st * needs to be used to load * the 'cipher' structure */ - STACK /* SSL_CIPHER */ *ciphers; /* shared ciphers? */ + STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ CRYPTO_EX_DATA ex_data; /* application specific data */ @@ -298,9 +297,9 @@ typedef struct ssl_session_st #define SSL_CTX_get_options(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) #define SSL_set_options(ssl,op) \ - SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) + SSL_ctrl(ssl,SSL_CTRL_OPTIONS,0,NULL) #define SSL_get_options(ssl) \ - SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) + SSL_ctrl(ssl,SSL_CTRL_OPTIONS,0,NULL) #define SSL_OP_NO_SSLv2 0x01000000L #define SSL_OP_NO_SSLv3 0x02000000L @@ -319,14 +318,16 @@ typedef struct ssl_comp_st #endif } SSL_COMP; +DECLARE_STACK_OF(SSL_COMP) + struct ssl_ctx_st { SSL_METHOD *method; unsigned long options; - STACK /* SSL_CIPHER */ *cipher_list; + STACK_OF(SSL_CIPHER) *cipher_list; /* same as above but sorted for lookup */ - STACK /* SSL_CIPHER */ *cipher_list_by_id; + STACK_OF(SSL_CIPHER) *cipher_list_by_id; struct x509_store_st /* X509_STORE */ *cert_store; struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSION's */ @@ -409,18 +410,18 @@ struct ssl_ctx_st /**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */); /* what we put in client requests */ - STACK *client_CA; + STACK_OF(X509_NAME) *client_CA; /**/ int quiet_shutdown; CRYPTO_EX_DATA ex_data; - EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */ - EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ - EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ + const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */ + const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ + const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ - STACK *extra_certs; - STACK *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ + STACK_OF(X509) *extra_certs; + STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ }; #define SSL_SESS_CACHE_OFF 0x0000 
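Review bot: The repaired `SSL_set_options(ssl,op)` macro in the `@@ -298` hunk still never uses its `op` argument — it expands to `SSL_ctrl(ssl,SSL_CTRL_OPTIONS,0,NULL)`, byte-identical to `SSL_get_options`, so unless `SSL_ctrl` (outside this diff) does something unusual with a zero `larg`, `SSL_set_options(ssl, SSL_OP_NO_SSLv2)` silently sets nothing while the caller believes the protocol and workaround bits are applied. It should be `SSL_ctrl(ssl,SSL_CTRL_OPTIONS,op,NULL)` so the bits are actually forwarded, the way `SSL_CTX_set_options` (not shown here) is expected to. A test that `SSL_get_options` reports a bit right after `SSL_set_options` sets it would have caught both the old `ctx` typo and this.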
@@ -458,6 +459,17 @@ struct ssl_ctx_st #define SSL_CTX_sess_cache_full(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) +#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) +#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) +#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) +#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) +#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) +#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) +#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) +#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) +#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) +#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) + #define SSL_NOTHING 1 #define SSL_WRITING 2 #define SSL_READING 3 @@ -471,10 +483,9 @@ struct ssl_ctx_st struct ssl_st { - /* procol version - * 2 for SSLv2 - * 3 for SSLv3 - * -3 for SSLv3 but accept SSLv2 */ + /* protocol version + * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION) + */ int version; int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ @@ -528,14 +539,14 @@ struct ssl_st int hit; /* reusing a previous session */ /* crypto */ - STACK /* SSL_CIPHER */ *cipher_list; - STACK /* SSL_CIPHER */ *cipher_list_by_id; + STACK_OF(SSL_CIPHER) *cipher_list; + STACK_OF(SSL_CIPHER) *cipher_list_by_id; /* These are the ones being used, the ones is SSL_SESSION are * the ones to be 'copied' into these ones */ EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */ - EVP_MD *read_hash; /* used for mac generation */ + const EVP_MD *read_hash; /* used for mac generation */ #ifdef HEADER_COMP_H COMP_CTX *expand; /* uncompress */ #else 
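Review bot: The relocated setter macros in the `@@ -458` hunk store whatever `cb` they are handed straight into the struct field with no type check, and at least one target field, `client_cert_cb`, is declared in an earlier hunk with an empty parameter list (`int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);`), so a callback with the wrong signature compiles silently and is later invoked with arguments it does not expect. Since the macros are being moved anyway, I would give that field a real prototype, `int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);`, so the assignment in `SSL_CTX_set_client_cert_cb` is checked; the other `*_cb` fields are not visible in this diff, so I cannot say whether they share the problem. Real functions instead of field-poking macros would additionally stop applications from depending on the `ssl_ctx_st` layout.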
@@ -543,7 +554,7 @@ struct ssl_st #endif EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ - EVP_MD *write_hash; /* used for mac generation */ + const EVP_MD *write_hash; /* used for mac generation */ #ifdef HEADER_COMP_H COMP_CTX *compress; /* compression */ #else @@ -556,6 +567,11 @@ struct ssl_st /* This is used to hold the server certificate used */ struct cert_st /* CERT */ *cert; + /* the session_id_context is used to ensure sessions are only reused + * in the appropriate context */ + unsigned int sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; + /* This can also be in the session once a session is established */ SSL_SESSION *session; @@ -578,7 +594,7 @@ struct ssl_st CRYPTO_EX_DATA ex_data; /* for server side, keep the list of CA_dn we can use */ - STACK /* X509_NAME */ *client_CA; + STACK_OF(X509_NAME) *client_CA; int references; unsigned long options; @@ -587,10 +603,10 @@ struct ssl_st * SSLv3/TLS rolback check */ }; -#include "ssl2.h" -#include "ssl3.h" -#include "tls1.h" /* This is mostly sslv3 with a few tweaks */ -#include "ssl23.h" +#include +#include +#include /* This is mostly sslv3 with a few tweaks */ +#include /* compatablity */ #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) @@ -821,10 +837,10 @@ void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm); SSL_CIPHER *SSL_get_current_cipher(SSL *s); int SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits); char * SSL_CIPHER_get_version(SSL_CIPHER *c); -char * SSL_CIPHER_get_name(SSL_CIPHER *c); +const char * SSL_CIPHER_get_name(SSL_CIPHER *c); int SSL_get_fd(SSL *s); -char * SSL_get_cipher_list(SSL *s,int n); +const char * SSL_get_cipher_list(SSL *s,int n); char * SSL_get_shared_ciphers(SSL *s, char *buf, int len); int SSL_get_read_ahead(SSL * s); int SSL_pending(SSL *s); 
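Review bot: The per-connection `sid_ctx` added in the `@@ -556` hunk gets a one-line comment that does not say what happens when an application never calls `SSL_set_session_id_context()`: every such connection presumably shares the same default (empty) context, so a server running several verification configurations out of one session cache gets no isolation from this feature unless each configuration sets a distinct value. I would extend the comment to `/* Session ID context (see SSL_set_session_id_context): given to sessions created on this SSL and matched on resumption; sid_ctx_length <= SSL_MAX_SID_CTX_LENGTH. An application with more than one trust/verify configuration per cache must set a distinct value per configuration. */`. The copy/match behaviour is inferred from the new reason codes and should be checked in ssl_sess.c; `ssl_st` begins and ends outside the hunk.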
@@ -858,9 +874,11 @@ int SSL_use_certificate_file(SSL *ssl, char *file, int type); int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, char *file, int type); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, char *file, int type); int SSL_CTX_use_certificate_file(SSL_CTX *ctx, char *file, int type); -STACK * SSL_load_client_CA_file(char *file); -int SSL_add_cert_file_to_stack(STACK *stackCAs,const char *file); -int SSL_add_cert_dir_to_stack(STACK *stackCAs,const char *dir); +STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); +int SSL_add_file_cert_subjects_to_stack(STACK *stackCAs, + const char *file); +int SSL_add_dir_cert_subjects_to_stack(STACK *stackCAs, + const char *dir); #endif void ERR_load_SSL_strings(void ); @@ -895,7 +913,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length); X509 * SSL_get_peer_certificate(SSL *s); #endif -STACK * SSL_get_peer_cert_chain(SSL *s); +STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s); int SSL_CTX_get_verify_mode(SSL_CTX *ctx); int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *); @@ -916,6 +934,8 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx); int SSL_check_private_key(SSL *ctx); SSL * SSL_new(SSL_CTX *ctx); +int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, + unsigned int sid_ctx_len); void SSL_free(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); @@ -947,7 +967,7 @@ SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */ -STACK *SSL_get_ciphers(SSL *s); +STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s); int SSL_do_handshake(SSL *s); int SSL_renegotiate(SSL *s); 
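Review bot: `SSL_load_client_CA_file` in the `@@ -858` hunk now returns `STACK_OF(X509_NAME) *`, but the two renamed helpers directly below it still take a bare `STACK *stackCAs`, so the type safety this patch is introducing is lost at exactly the call where an arbitrary stack can be passed in and filled with `X509_NAME`s. I would declare them `int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *file);` and `int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *dir);`, with the matching change in the K&R prototype block later in this diff. A one-line comment saying that each appends the subject names of the certificates found (as the new names imply) and what the return value means would help too.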
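Review bot: `SSL_set_session_id_context` is added to the public API in the `@@ -916` hunk without a comment, yet its contract is security-relevant: the header fixes the buffer at `SSL_MAX_SID_CTX_LENGTH` bytes and this patch adds `SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG`, so callers need to know the limit, that `sid_ctx` is copied rather than retained, and how failure is reported. I would put above the prototype: `/* Copy sid_ctx (at most SSL_MAX_SID_CTX_LENGTH bytes) into ssl so that sessions are only resumed within this context; returns 1 on success, 0 with SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG if sid_ctx_len exceeds the limit. */`, with the return convention confirmed against the implementation, which is outside this diff. Since only a per-SSL setter is added here, it is also worth stating that there is no SSL_CTX-level default in this patch and each connection must be configured.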
@@ -960,10 +980,10 @@ char *SSL_alert_type_string(int value); char *SSL_alert_desc_string_long(int value); char *SSL_alert_desc_string(int value); -void SSL_set_client_CA_list(SSL *s, STACK *list); -void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK *list); -STACK *SSL_get_client_CA_list(SSL *s); -STACK *SSL_CTX_get_client_CA_list(SSL_CTX *s); +void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); +void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); +STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); +STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s); int SSL_add_client_CA(SSL *ssl,X509 *x); int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x); @@ -1097,6 +1117,7 @@ int SSL_set_cipher_list(); void SSL_set_read_ahead(); int SSL_get_verify_mode(); +int (*SSL_get_verify_callback())(); void SSL_set_verify(); int SSL_use_RSAPrivateKey(); int SSL_use_RSAPrivateKey_ASN1(); @@ -1113,8 +1134,8 @@ int SSL_CTX_use_RSAPrivateKey_file(); int SSL_CTX_use_PrivateKey_file(); int SSL_CTX_use_certificate_file(); STACK * SSL_load_client_CA_file(); -int SSL_add_cert_file_to_stack(); -int SSL_add_cert_dir_to_stack(); +int SSL_add_file_cert_subjects_to_stack(); +int SSL_add_dir_cert_subjects_to_stack(); #endif void ERR_load_SSL_strings(); @@ -1168,6 +1189,7 @@ int SSL_CTX_check_private_key(); int SSL_check_private_key(); SSL * SSL_new(); +int SSL_set_session_id_context(); void SSL_clear(); void SSL_free(); int SSL_accept(); @@ -1285,6 +1307,10 @@ void SSL_set_tmp_dh_callback(); #endif /* BEGIN ERROR CODES */ +/* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. + */ + /* Error codes for the SSL functions. */ /* Function codes. */ 
@@ -1349,8 +1375,8 @@ void SSL_set_tmp_dh_callback(); #define SSL_F_SSL3_SETUP_KEY_BLOCK 157 #define SSL_F_SSL3_WRITE_BYTES 158 #define SSL_F_SSL3_WRITE_PENDING 159 -#define SSL_F_SSL_ADD_CERT_DIR_TO_STACK 215 -#define SSL_F_SSL_ADD_CERT_FILE_TO_STACK 216 +#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215 +#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216 #define SSL_F_SSL_BAD_METHOD 160 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 #define SSL_F_SSL_CERT_INSTANTIATE 214 @@ -1373,6 +1399,7 @@ void SSL_set_tmp_dh_callback(); #define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 #define SSL_F_SSL_DO_HANDSHAKE 180 #define SSL_F_SSL_GET_NEW_SESSION 181 +#define SSL_F_SSL_GET_PREV_SESSION 217 #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 #define SSL_F_SSL_GET_SIGN_PKEY 183 #define SSL_F_SSL_INIT_WBIO_BUFFER 184 @@ -1387,6 +1414,7 @@ void SSL_set_tmp_dh_callback(); #define SSL_F_SSL_SET_PKEY 193 #define SSL_F_SSL_SET_RFD 194 #define SSL_F_SSL_SET_SESSION 195 +#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218 #define SSL_F_SSL_SET_WFD 196 #define SSL_F_SSL_UNDEFINED_FUNCTION 197 #define SSL_F_SSL_USE_CERTIFICATE 198 @@ -1407,6 +1435,7 @@ void SSL_set_tmp_dh_callback(); /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 +#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 #define SSL_R_BAD_ALERT_RECORD 101 #define SSL_R_BAD_AUTHENTICATION_TYPE 102 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 @@ -1419,6 +1448,7 @@ void SSL_set_tmp_dh_callback(); #define SSL_R_BAD_DH_P_LENGTH 110 #define SSL_R_BAD_DIGEST_LENGTH 111 #define SSL_R_BAD_DSA_SIGNATURE 112 +#define SSL_R_BAD_LENGTH 271 #define SSL_R_BAD_MAC_DECODE 113 #define SSL_R_BAD_MESSAGE_TYPE 114 #define SSL_R_BAD_PACKET_LENGTH 115 
@@ -1549,6 +1579,7 @@ void SSL_set_tmp_dh_callback(); #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 #define SSL_R_SSL_HANDSHAKE_FAILURE 229 #define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 +#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 @@ -1600,7 +1631,7 @@ void SSL_set_tmp_dh_callback(); #define SSL_R_WRONG_VERSION_NUMBER 267 #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 - + #ifdef __cplusplus } #endif