X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_locl.h;h=33a55fe699ac3d7ee82f0433969341ecf10bfa31;hp=fd6b88394359501085e92ee193585aad1a12ae6f;hb=feba02f3919495e1b960c33ba849e10e77d0785d;hpb=0f78819c8ccb7c526edbe90d5b619281366ce75c diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index fd6b883943..33a55fe699 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -313,6 +313,7 @@ #define SSL_aPSK 0x00000080L /* PSK auth */ #define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */ #define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ +#define SSL_aSRP 0x00000400L /* SRP auth */ /* Bits for algorithm_enc (symmetric encryption) */ @@ -347,7 +348,6 @@ #define SSL_AEAD 0x00000040L /* Bits for algorithm_ssl (protocol version) */ -#define SSL_SSLV2 0x00000001L #define SSL_SSLV3 0x00000002L #define SSL_TLSV1 SSL_SSLV3 /* for now */ #define SSL_TLSV1_2 0x00000004L @@ -413,7 +413,7 @@ /* we have used 000001ff - 23 bits left to go */ -/* +/*- * Macros to check the export status and cipher strength for export ciphers. * Even though the macros for EXPORT and EXPORT40/56 have similar names, * their meaning is different: @@ -479,7 +479,8 @@ #define SSL_PKEY_GOST01 7 #define SSL_PKEY_NUM 8 -/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) | +/*- + * SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) | * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN) * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN @@ -511,11 +512,13 @@ typedef struct cert_pkey_st /* Chain for this certificate */ STACK_OF(X509) *chain; #ifndef OPENSSL_NO_TLSEXT - /* serverinfo data for this certificate. The data is in TLS Extension + /*- + * serverinfo data for this certificate. The data is in TLS Extension * wire format, specifically it's a series of records like: * uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension) * uint16_t length; - * uint8_t data[length]; */ + * uint8_t data[length]; + */ unsigned char *serverinfo; size_t serverinfo_length; #endif @@ -531,6 +534,35 @@ typedef struct cert_pkey_st #define SSL_CERT_FLAGS_CHECK_TLS_STRICT \ (SSL_CERT_FLAG_SUITEB_128_LOS|SSL_CERT_FLAG_TLS_STRICT) +typedef struct { + unsigned short ext_type; + /* Per-connection flags relating to this extension type: not used + * if part of an SSL_CTX structure. + */ + unsigned short ext_flags; + custom_ext_add_cb add_cb; + custom_ext_free_cb free_cb; + void *add_arg; + custom_ext_parse_cb parse_cb; + void *parse_arg; +} custom_ext_method; + +/* ext_flags values */ + +/* Indicates an extension has been received. + * Used to check for unsolicited or duplicate extensions. + */ +#define SSL_EXT_FLAG_RECEIVED 0x1 +/* Indicates an extension has been sent: used to + * enable sending of corresponding ServerHello extension. + */ +#define SSL_EXT_FLAG_SENT 0x2 + +typedef struct { + custom_ext_method *meths; + size_t meths_count; +} custom_ext_methods; + typedef struct cert_st { /* Current active set */ @@ -557,6 +589,7 @@ typedef struct cert_st #ifndef OPENSSL_NO_DH DH *dh_tmp; DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize); + int dh_tmp_auto; #endif #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh_tmp; @@ -626,13 +659,23 @@ typedef struct cert_st unsigned char *ciphers_raw; size_t ciphers_rawlen; + /* Custom extension methods for server and client */ + custom_ext_methods cli_ext; + custom_ext_methods srv_ext; + /* Security callback */ + int (*sec_cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); + /* Security level */ + int sec_level; + + void *sec_ex; + int references; /* >1 only if SSL_copy_session_id is used */ } CERT; typedef struct sess_cert_st { - STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */ + STACK_OF(X509) *cert_chain; /* as received from peer */ /* The 'peer_...' members are used only by clients. */ int peer_cert_type; @@ -762,18 +805,17 @@ typedef struct ssl3_buf_freelist_entry_st #endif extern SSL3_ENC_METHOD ssl3_undef_enc_method; -OPENSSL_EXTERN const SSL_CIPHER ssl2_ciphers[]; -OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[]; +OPENSSL_EXTERN const SSL_CIPHER ssl3_ciphers[]; SSL_METHOD *ssl_bad_method(int ver); -extern SSL3_ENC_METHOD TLSv1_enc_data; -extern SSL3_ENC_METHOD TLSv1_1_enc_data; -extern SSL3_ENC_METHOD TLSv1_2_enc_data; -extern SSL3_ENC_METHOD SSLv3_enc_data; -extern SSL3_ENC_METHOD DTLSv1_enc_data; -extern SSL3_ENC_METHOD DTLSv1_2_enc_data; +extern const SSL3_ENC_METHOD TLSv1_enc_data; +extern const SSL3_ENC_METHOD TLSv1_1_enc_data; +extern const SSL3_ENC_METHOD TLSv1_2_enc_data; +extern const SSL3_ENC_METHOD SSLv3_enc_data; +extern const SSL3_ENC_METHOD DTLSv1_enc_data; +extern const SSL3_ENC_METHOD DTLSv1_2_enc_data; #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ s_get_meth, enc_data) \ @@ -887,43 +929,6 @@ const SSL_METHOD *func_name(void) \ return &func_name##_data; \ } -#define IMPLEMENT_ssl2_meth_func(func_name, s_accept, s_connect, s_get_meth) \ -const SSL_METHOD *func_name(void) \ - { \ - static const SSL_METHOD func_name##_data= { \ - SSL2_VERSION, \ - ssl2_new, /* local */ \ - ssl2_clear, /* local */ \ - ssl2_free, /* local */ \ - s_accept, \ - s_connect, \ - ssl2_read, \ - ssl2_peek, \ - ssl2_write, \ - ssl2_shutdown, \ - ssl_ok, /* NULL - renegotiate */ \ - ssl_ok, /* NULL - check renegotiate */ \ - NULL, /* NULL - ssl_get_message */ \ - NULL, /* NULL - ssl_get_record */ \ - NULL, /* NULL - ssl_write_bytes */ \ - NULL, /* NULL - dispatch_alert */ \ - ssl2_ctrl, /* local */ \ - ssl2_ctx_ctrl, /* local */ \ - ssl2_get_cipher_by_char, \ - ssl2_put_cipher_by_char, \ - ssl2_pending, \ - ssl2_num_ciphers, \ - ssl2_get_cipher, \ - s_get_meth, \ - ssl2_default_timeout, \ - &ssl3_undef_enc_method, \ - ssl_undefined_void_function, \ - ssl2_callback_ctrl, /* local */ \ - ssl2_ctx_callback_ctrl, /* local */ \ - }; \ - return &func_name##_data; \ - } - #define IMPLEMENT_dtls1_meth_func(version, func_name, s_accept, s_connect, \ s_get_meth, enc_data) \ const SSL_METHOD *func_name(void) \ @@ -962,6 +967,16 @@ const SSL_METHOD *func_name(void) \ return &func_name##_data; \ } +struct openssl_ssl_test_functions + { + int (*p_ssl_init_wbio_buffer)(SSL *s, int push); + int (*p_ssl3_setup_buffers)(SSL *s); + int (*p_tls1_process_heartbeat)(SSL *s); + int (*p_dtls1_process_heartbeat)(SSL *s); + }; + +#ifndef OPENSSL_UNIT_TEST + void ssl_clear_cipher_ctx(SSL *s); int ssl_clear_bad_session(SSL *s); CERT *ssl_cert_new(void); @@ -994,10 +1009,10 @@ int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc, int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md); int ssl_cipher_get_cert_index(const SSL_CIPHER *c); const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr); -int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain); -int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain); -int ssl_cert_add0_chain_cert(CERT *c, X509 *x); -int ssl_cert_add1_chain_cert(CERT *c, X509 *x); +int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain); +int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain); +int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x); +int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x); int ssl_cert_select_current(CERT *c, X509 *x); int ssl_cert_set_current(CERT *c, long arg); X509 *ssl_cert_get0_next_certificate(CERT *c, int first); @@ -1005,8 +1020,12 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg); int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l); -int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags); +int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags); int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref); + +int ssl_security(SSL *s, int op, int bits, int nid, void *other); +int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other); + int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); @@ -1023,35 +1042,6 @@ int ssl_verify_alarm_type(long type); void ssl_load_ciphers(void); int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len); -int ssl2_enc_init(SSL *s, int client); -int ssl2_generate_key_material(SSL *s); -void ssl2_enc(SSL *s,int send_data); -void ssl2_mac(SSL *s,unsigned char *mac,int send_data); -const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p); -int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p); -int ssl2_part_read(SSL *s, unsigned long f, int i); -int ssl2_do_write(SSL *s); -int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data); -void ssl2_return_error(SSL *s,int reason); -void ssl2_write_error(SSL *s); -int ssl2_num_ciphers(void); -const SSL_CIPHER *ssl2_get_cipher(unsigned int u); -int ssl2_new(SSL *s); -void ssl2_free(SSL *s); -int ssl2_accept(SSL *s); -int ssl2_connect(SSL *s); -int ssl2_read(SSL *s, void *buf, int len); -int ssl2_peek(SSL *s, void *buf, int len); -int ssl2_write(SSL *s, const void *buf, int len); -int ssl2_shutdown(SSL *s); -void ssl2_clear(SSL *s); -long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg); -long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg); -long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)(void)); -long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void)); -int ssl2_pending(const SSL *s); -long ssl2_default_timeout(void ); - const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p); void ssl3_init_finished_mac(SSL *s); @@ -1123,6 +1113,8 @@ int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p); long ssl23_default_timeout(void ); +int ssl_allow_compression(SSL *s); + long tls1_default_timeout(void); int dtls1_do_write(SSL *s,int type); int ssl3_read_n(SSL *s, int n, int max, int extend); @@ -1140,7 +1132,6 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); int dtls1_send_change_cipher_spec(SSL *s, int a, int b); int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen); -unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk); int dtls1_read_failed(SSL *s, int code); int dtls1_buffer_message(SSL *s, int ccs); int dtls1_retransmit_message(SSL *s, unsigned short seq, @@ -1161,7 +1152,9 @@ void dtls1_stop_timer(SSL *s); int dtls1_is_timer_expired(SSL *s); void dtls1_double_timeout(SSL *s); int dtls1_send_newsession_ticket(SSL *s); -unsigned int dtls1_min_mtu(void); +unsigned int dtls1_min_mtu(SSL *s); +unsigned int dtls1_link_min_mtu(void); +void dtls1_hm_fragment_free(hm_fragment *frag); /* some client-only functions */ int ssl3_client_hello(SSL *s); @@ -1178,7 +1171,6 @@ int ssl3_get_key_exchange(SSL *s); int ssl3_get_server_certificate(SSL *s); int ssl3_check_cert_and_algorithm(SSL *s); #ifndef OPENSSL_NO_TLSEXT -int ssl3_check_finished(SSL *s); # ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s); # endif @@ -1193,7 +1185,6 @@ int ssl3_send_hello_request(SSL *s); int ssl3_send_server_key_exchange(SSL *s); int ssl3_send_certificate_request(SSL *s); int ssl3_send_server_done(SSL *s); -int ssl3_check_client_hello(SSL *s); int ssl3_get_client_certificate(SSL *s); int ssl3_get_client_key_exchange(SSL *s); int ssl3_get_cert_verify(SSL *s); @@ -1225,7 +1216,6 @@ int dtls1_get_record(SSL *s); int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragement); int dtls1_dispatch_alert(SSL *s); -int dtls1_enc(SSL *s, int snd); int ssl_init_wbio_buffer(SSL *s, int push); void ssl_free_wbio_buffer(SSL *s); @@ -1261,7 +1251,9 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen, int *curves, size_t ncurves); int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str); +#ifndef OPENSSL_NO_ECDH int tls1_check_ec_tmp_key(SSL *s, unsigned long id); +#endif /* OPENSSL_NO_ECDH */ #endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_TLSEXT @@ -1269,21 +1261,15 @@ int tls1_shared_list(SSL *s, const unsigned char *l1, size_t l1len, const unsigned char *l2, size_t l2len, int nmatch); -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al); +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al); int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n); +int tls1_set_server_sigalgs(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n); int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s); -/* server only */ -int tls1_send_server_supplemental_data(SSL *s, int *skip); -int tls1_get_client_supplemental_data(SSL *s); -/* client only */ -int tls1_send_client_supplemental_data(SSL *s, int *skip); -int tls1_get_server_supplemental_data(SSL *s); - #ifndef OPENSSL_NO_HEARTBEATS int tls1_heartbeat(SSL *s); int dtls1_heartbeat(SSL *s); @@ -1303,6 +1289,7 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md); int tls12_get_sigid(const EVP_PKEY *pk); const EVP_MD *tls12_get_hash(unsigned char hash_alg); +void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op); int tls1_set_sigalgs_list(CERT *c, const char *str, int client); int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, int client); @@ -1311,6 +1298,13 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, void tls1_set_cert_validity(SSL *s); #endif +#ifndef OPENSSL_NO_DH +DH *ssl_get_auto_dh(SSL *s); +#endif + +int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee); +int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex, int vfy); + EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ; void ssl_clear_hash_ctx(EVP_MD_CTX **hash); int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, @@ -1322,11 +1316,15 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, int *al); long ssl_get_algorithm2(SSL *s); -int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); +size_t tls12_copy_sigalgs(SSL *s, unsigned char *out, + const unsigned char *psig, size_t psiglen); +int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize); +int tls1_process_sigalgs(SSL *s); size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs); int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, const unsigned char *sig, EVP_PKEY *pkey); void ssl_set_client_disabled(SSL *s); +int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op); int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); @@ -1362,4 +1360,31 @@ void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len); +int srp_verify_server_param(SSL *s, int *al); + +/* t1_ext.c */ + +void custom_ext_init(custom_ext_methods *meths); + +int custom_ext_parse(SSL *s, int server, + unsigned int ext_type, + const unsigned char *ext_data, + size_t ext_size, + int *al); +int custom_ext_add(SSL *s, int server, + unsigned char **pret, + unsigned char *limit, + int *al); + +int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src); +void custom_exts_free(custom_ext_methods *exts); + +#else + +#define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer +#define ssl3_setup_buffers SSL_test_functions()->p_ssl3_setup_buffers +#define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat +#define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat + +#endif #endif