/* Typedef for SSL async callback */
typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
-/* Disable Extended master secret */
-# define SSL_OP_NO_EXTENDED_MASTER_SECRET (uint64_t)0x00000001
-
-/* Cleanse plaintext copies of data delivered to the application */
-# define SSL_OP_CLEANSE_PLAINTEXT (uint64_t)0x00000002
-
-/* Allow initial connection to servers that don't support RI */
-# define SSL_OP_LEGACY_SERVER_CONNECT (uint64_t)0x00000004
-
-/* Enable support for Kernel TLS */
-# define SSL_OP_ENABLE_KTLS (uint64_t)0x00000008
-
-# define SSL_OP_TLSEXT_PADDING (uint64_t)0x00000010
-# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG (uint64_t)0x00000040
-# define SSL_OP_IGNORE_UNEXPECTED_EOF (uint64_t)0x00000080
-
-# define SSL_OP_DISABLE_TLSEXT_CA_NAMES (uint64_t)0x00000200
-
-/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
-# define SSL_OP_ALLOW_NO_DHE_KEX (uint64_t)0x00000400
+#define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n)
/*
- * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
- * OpenSSL 0.9.6d. Usually (depending on the application protocol) the
- * workaround is not needed. Unfortunately some broken SSL/TLS
- * implementations cannot handle it at all, which is why we include it in
- * SSL_OP_ALL. Added in 0.9.6e
+ * SSL/TLS connection options.
*/
-# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (uint64_t)0x00000800
-
-/* DTLS options */
-# define SSL_OP_NO_QUERY_MTU (uint64_t)0x00001000
-/* Turn on Cookie Exchange (on relevant for servers) */
-# define SSL_OP_COOKIE_EXCHANGE (uint64_t)0x00002000
-/* Don't use RFC4507 ticket extension */
-# define SSL_OP_NO_TICKET (uint64_t)0x00004000
+ /* Disable Extended master secret */
+# define SSL_OP_NO_EXTENDED_MASTER_SECRET SSL_OP_BIT(0)
+ /* Cleanse plaintext copies of data delivered to the application */
+# define SSL_OP_CLEANSE_PLAINTEXT SSL_OP_BIT(1)
+ /* Allow initial connection to servers that don't support RI */
+# define SSL_OP_LEGACY_SERVER_CONNECT SSL_OP_BIT(2)
+ /* Enable support for Kernel TLS */
+# define SSL_OP_ENABLE_KTLS SSL_OP_BIT(3)
+# define SSL_OP_TLSEXT_PADDING SSL_OP_BIT(4)
+# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG SSL_OP_BIT(6)
+# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
+# define SSL_OP_ALLOW_CLIENT_RENEGOTIATION SSL_OP_BIT(8)
+# define SSL_OP_DISABLE_TLSEXT_CA_NAMES SSL_OP_BIT(9)
+ /* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
+# define SSL_OP_ALLOW_NO_DHE_KEX SSL_OP_BIT(10)
+ /*
+ * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+ * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
+ * the workaround is not needed. Unfortunately some broken SSL/TLS
+ * implementations cannot handle it at all, which is why we include it
+ * in SSL_OP_ALL. Added in 0.9.6e
+ */
+# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_BIT(11)
+ /* DTLS options */
+# define SSL_OP_NO_QUERY_MTU SSL_OP_BIT(12)
+ /* Turn on Cookie Exchange (on relevant for servers) */
+# define SSL_OP_COOKIE_EXCHANGE SSL_OP_BIT(13)
+ /* Don't use RFC4507 ticket extension */
+# define SSL_OP_NO_TICKET SSL_OP_BIT(14)
# ifndef OPENSSL_NO_DTLS1_METHOD
-/* Use Cisco's "speshul" version of DTLS_BAD_VER
- * (only with deprecated DTLSv1_client_method()) */
-# define SSL_OP_CISCO_ANYCONNECT (uint64_t)0x00008000
+ /*
+ * Use Cisco's version identifier of DTLS_BAD_VER
+ * (only with deprecated DTLSv1_client_method())
+ */
+# define SSL_OP_CISCO_ANYCONNECT SSL_OP_BIT(15)
# endif
-
-/* As server, disallow session resumption on renegotiation */
-# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (uint64_t)0x00010000
-/* Don't use compression even if supported */
-# define SSL_OP_NO_COMPRESSION (uint64_t)0x00020000
-/* Permit unsafe legacy renegotiation */
-# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION (uint64_t)0x00040000
-/* Disable encrypt-then-mac */
-# define SSL_OP_NO_ENCRYPT_THEN_MAC (uint64_t)0x00080000
+ /* As server, disallow session resumption on renegotiation */
+# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_BIT(16)
+ /* Don't use compression even if supported */
+# define SSL_OP_NO_COMPRESSION SSL_OP_BIT(17)
+ /* Permit unsafe legacy renegotiation */
+# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_BIT(18)
+ /* Disable encrypt-then-mac */
+# define SSL_OP_NO_ENCRYPT_THEN_MAC SSL_OP_BIT(19)
+ /*
+ * Enable TLSv1.3 Compatibility mode. This is on by default. A future
+ * version of OpenSSL may have this disabled by default.
+ */
+# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT SSL_OP_BIT(20)
+ /*
+ * Prioritize Chacha20Poly1305 when client does.
+ * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE
+ */
+# define SSL_OP_PRIORITIZE_CHACHA SSL_OP_BIT(21)
+ /*
+ * Set on servers to choose the cipher according to server's preferences.
+ */
+# define SSL_OP_CIPHER_SERVER_PREFERENCE SSL_OP_BIT(22)
+ /*
+ * If set, a server will allow a client to issue a SSLv3.0 version
+ * number as latest version supported in the premaster secret, even when
+ * TLSv1.0 (version 3.1) was announced in the client hello. Normally
+ * this is forbidden to prevent version rollback attacks.
+ */
+# define SSL_OP_TLS_ROLLBACK_BUG SSL_OP_BIT(23)
+ /*
+ * Switches off automatic TLSv1.3 anti-replay protection for early data.
+ * This is a server-side option only (no effect on the client).
+ */
+# define SSL_OP_NO_ANTI_REPLAY SSL_OP_BIT(24)
+# define SSL_OP_NO_SSLv3 SSL_OP_BIT(25)
+# define SSL_OP_NO_TLSv1 SSL_OP_BIT(26)
+# define SSL_OP_NO_TLSv1_2 SSL_OP_BIT(27)
+# define SSL_OP_NO_TLSv1_1 SSL_OP_BIT(28)
+# define SSL_OP_NO_TLSv1_3 SSL_OP_BIT(29)
+# define SSL_OP_NO_DTLSv1 SSL_OP_BIT(26)
+# define SSL_OP_NO_DTLSv1_2 SSL_OP_BIT(27)
+ /* Disallow all renegotiation */
+# define SSL_OP_NO_RENEGOTIATION SSL_OP_BIT(30)
+ /*
+ * Make server add server-hello extension from early version of
+ * cryptopro draft, when GOST ciphersuite is negotiated. Required for
+ * interoperability with CryptoPro CSP 3.x
+ */
+# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
/*
- * Enable TLSv1.3 Compatibility mode. This is on by default. A future version
- * of OpenSSL may have this disabled by default.
+ * Option "collections."
*/
-# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT (uint64_t)0x00100000
-
-/* Prioritize Chacha20Poly1305 when client does.
- * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE */
-# define SSL_OP_PRIORITIZE_CHACHA (uint64_t)0x00200000
+# define SSL_OP_NO_SSL_MASK \
+ ( SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 \
+ | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 )
+# define SSL_OP_NO_DTLS_MASK \
+ ( SSL_OP_NO_DTLSv1 | SSL_OP_NO_DTLSv1_2 )
-/*
- * Set on servers to choose the cipher according to the server's preferences
- */
-# define SSL_OP_CIPHER_SERVER_PREFERENCE (uint64_t)0x00400000
-/*
- * If set, a server will allow a client to issue a SSLv3.0 version number as
- * latest version supported in the premaster secret, even when TLSv1.0
- * (version 3.1) was announced in the client hello. Normally this is
- * forbidden to prevent version rollback attacks.
- */
-# define SSL_OP_TLS_ROLLBACK_BUG (uint64_t)0x00800000
+/* Various bug workarounds that should be rather harmless. */
+# define SSL_OP_ALL \
+ ( SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS \
+ | SSL_OP_TLSEXT_PADDING | SSL_OP_SAFARI_ECDHE_ECDSA_BUG )
/*
- * Switches off automatic TLSv1.3 anti-replay protection for early data. This
- * is a server-side option only (no effect on the client).
+ * OBSOLETE OPTIONS retained for compatibility
*/
-# define SSL_OP_NO_ANTI_REPLAY (uint64_t)0x01000000
-
-# define SSL_OP_NO_SSLv3 (uint64_t)0x02000000
-# define SSL_OP_NO_TLSv1 (uint64_t)0x04000000
-# define SSL_OP_NO_TLSv1_2 (uint64_t)0x08000000
-# define SSL_OP_NO_TLSv1_1 (uint64_t)0x10000000
-# define SSL_OP_NO_TLSv1_3 (uint64_t)0x20000000
-
-# define SSL_OP_NO_DTLSv1 (uint64_t)0x04000000
-# define SSL_OP_NO_DTLSv1_2 (uint64_t)0x08000000
-
-# define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
- SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)
-# define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
-
-/* Disallow all renegotiation */
-# define SSL_OP_NO_RENEGOTIATION (uint64_t)0x40000000
-
-/*
- * Make server add server-hello extension from early version of cryptopro
- * draft, when GOST ciphersuite is negotiated. Required for interoperability
- * with CryptoPro CSP 3.x
- */
-# define SSL_OP_CRYPTOPRO_TLSEXT_BUG (uint64_t)0x80000000
-
-/*
- * SSL_OP_ALL: various bug workarounds that should be rather harmless.
- * This used to be 0x000FFFFFL before 0.9.7.
- * This used to be 0x80000BFFU before 1.1.1.
- */
-# define SSL_OP_ALL (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\
- SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\
- SSL_OP_TLSEXT_PADDING|\
- SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-
-/* OBSOLETE OPTIONS: retained for compatibility */
-/* Removed from OpenSSL 1.1.0. Was 0x00000001L */
-/* Related to removed SSLv2. */
# define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000002L */
-/* Related to removed SSLv2. */
# define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0
-/* Removed from OpenSSL 0.9.8q and 1.0.0c. Was 0x00000008L */
-/* Dead forever, see CVE-2010-4180 */
# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0
-/* Removed from OpenSSL 1.0.1h and 1.0.2. Was 0x00000010L */
-/* Refers to ancient SSLREF and SSLv2. */
# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000020 */
# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0
-/* Removed from OpenSSL 0.9.7h and 0.9.8b. Was 0x00000040L */
# define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000080 */
-/* Ancient SSLeay version. */
# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000100L */
# define SSL_OP_TLS_D5_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000200L */
# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00080000L */
# define SSL_OP_SINGLE_ECDH_USE 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00100000L */
# define SSL_OP_SINGLE_DH_USE 0x0
-/* Removed from OpenSSL 1.0.1k and 1.0.2. Was 0x00200000L */
# define SSL_OP_EPHEMERAL_RSA 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x01000000L */
# define SSL_OP_NO_SSLv2 0x0
-/* Removed from OpenSSL 1.0.1. Was 0x08000000L */
# define SSL_OP_PKCS1_CHECK_1 0x0
-/* Removed from OpenSSL 1.0.1. Was 0x10000000L */
# define SSL_OP_PKCS1_CHECK_2 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x20000000L */
# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x40000000L */
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0
/*
projects / openssl.git / commitdiff