typedef struct ssl_cipher_st SSL_CIPHER;
typedef struct ssl_session_st SSL_SESSION;
typedef struct tls_sigalgs_st TLS_SIGALGS;
+typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
DECLARE_STACK_OF(SSL_CIPHER)
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|\
+ SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
+
/* These next two were never actually used for anything since SSLeay
* zap so we have some more flags.
*/
* or just freed (depending on the context's setting for freelist_max_len). */
#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
+/* Cert related flags */
+/* Many implementations ignore some aspects of the TLS standards such as
+ * enforcing certifcate chain algorithms. When this is set we enforce them.
+ */
+#define SSL_CERT_FLAG_TLS_STRICT 0x00000001L
+
+/* Suite B modes, takes same values as certificate verify flags */
+#define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY 0x10000
+/* Suite B 192 bit only mode */
+#define SSL_CERT_FLAG_SUITEB_192_LOS 0x20000
+/* Suite B 128 bit mode allowing 192 bit algorithms */
+#define SSL_CERT_FLAG_SUITEB_128_LOS 0x30000
+
+/* Perform all sorts of protocol violations for testing purposes */
+#define SSL_CERT_FLAG_BROKEN_PROTOCOL 0x10000000
+
+/* Flags for building certificate chains */
+/* Treat any existing certificates as untrusted CAs */
+#define SSL_BUILD_CHAIN_FLAG_UNTRUSTED 0x1
+/* Con't include root CA in chain */
+#define SSL_BUILD_CHAIN_FLAG_NO_ROOT 0x2
+
+/* Flags returned by SSL_check_chain */
+/* Certificate can be used with this session */
+#define CERT_PKEY_VALID 0x1
+/* Certificate can also be used for signing */
+#define CERT_PKEY_SIGN 0x2
+/* EE certificate signing algorithm OK */
+#define CERT_PKEY_EE_SIGNATURE 0x10
+/* CA signature algorithms OK */
+#define CERT_PKEY_CA_SIGNATURE 0x20
+/* EE certificate parameters OK */
+#define CERT_PKEY_EE_PARAM 0x40
+/* CA certificate parameters OK */
+#define CERT_PKEY_CA_PARAM 0x80
+/* Signing explicitly allowed as opposed to SHA1 fallback */
+#define CERT_PKEY_EXPLICIT_SIGN 0x100
+/* Client CA issuer names match (always set for server cert) */
+#define CERT_PKEY_ISSUER_NAME 0x200
+/* Cert type matches client types (always set for server cert) */
+#define CERT_PKEY_CERT_TYPE 0x400
+/* Cert chain suitable to Suite B */
+#define CERT_PKEY_SUITEB 0x800
+
+#define SSL_CONF_FLAG_CMDLINE 0x1
+#define SSL_CONF_FLAG_FILE 0x2
+#define SSL_CONF_FLAG_CLIENT 0x4
+#define SSL_CONF_FLAG_SERVER 0x8
+#define SSL_CONF_FLAG_SHOW_ERRORS 0x10
+
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
SSL_ctrl((ssl),SSL_CTRL_TLS_EXT_SEND_HEARTBEAT,0,NULL)
#endif
+#define SSL_CTX_set_cert_flags(ctx,op) \
+ SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL)
+#define SSL_set_cert_flags(s,op) \
+ SSL_ctrl((s),SSL_CTRL_CERT_FLAGS,(op),NULL)
+#define SSL_CTX_clear_cert_flags(ctx,op) \
+ SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
+#define SSL_clear_cert_flags(s,op) \
+ SSL_ctrl((s),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
+
void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
#define SSL_CTRL_SET_CURVES_LIST 92
#define SSL_CTRL_GET_SHARED_CURVE 93
#define SSL_CTRL_SET_ECDH_AUTO 94
+#define SSL_CTRL_SET_SIGALGS 97
+#define SSL_CTRL_SET_SIGALGS_LIST 98
+#define SSL_CTRL_CERT_FLAGS 99
+#define SSL_CTRL_CLEAR_CERT_FLAGS 100
+#define SSL_CTRL_SET_CLIENT_SIGALGS 101
+#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102
+#define SSL_CTRL_GET_CLIENT_CERT_TYPES 103
+#define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
+#define SSL_CTRL_BUILD_CERT_CHAIN 105
+#define SSL_CTRL_SET_VERIFY_CERT_STORE 106
+#define SSL_CTRL_SET_CHAIN_CERT_STORE 107
+#define SSL_CTRL_GET_PEER_SIGNATURE_NID 108
+#define SSL_CTRL_GET_SERVER_TMP_KEY 109
+#define SSL_CTRL_GET_RAW_CIPHERLIST 110
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)x509)
#define SSL_CTX_add1_chain_cert(ctx,x509) \
SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
+#define SSL_CTX_build_cert_chain(ctx, flags) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
+
+#define SSL_CTX_set0_verify_cert_store(ctx,st) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)st)
+#define SSL_CTX_set1_verify_cert_store(ctx,st) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)st)
+#define SSL_CTX_set0_chain_cert_store(ctx,st) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)st)
+#define SSL_CTX_set1_chain_cert_store(ctx,st) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)st)
#define SSL_set0_chain(ctx,sk) \
SSL_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)sk)
SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)x509)
#define SSL_add1_chain_cert(ctx,x509) \
SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)x509)
+#define SSL_build_cert_chain(s, flags) \
+ SSL_ctrl(s,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
+#define SSL_set0_verify_cert_store(s,st) \
+ SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)st)
+#define SSL_set1_verify_cert_store(s,st) \
+ SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)st)
+#define SSL_set0_chain_cert_store(s,st) \
+ SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)st)
+#define SSL_set1_chain_cert_store(s,st) \
+ SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)st)
+
#define SSL_get1_curves(ctx, s) \
SSL_ctrl(ctx,SSL_CTRL_GET_CURVES,0,(char *)s)
#define SSL_CTX_set1_curves(ctx, clist, clistlen) \
#define SSL_set_ecdh_auto(s, onoff) \
SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
+#define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)slist)
+#define SSL_CTX_set1_sigalgs_list(ctx, s) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)
+#define SSL_set1_sigalgs(ctx, slist, slistlen) \
+ SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,clistlen,(int *)slist)
+#define SSL_set1_sigalgs_list(ctx, s) \
+ SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)
+
+#define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)slist)
+#define SSL_CTX_set1_client_sigalgs_list(ctx, s) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
+#define SSL_set1_client_sigalgs(ctx, slist, slistlen) \
+ SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,clistlen,(int *)slist)
+#define SSL_set1_client_sigalgs_list(ctx, s) \
+ SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)s)
+
+#define SSL_get0_certificate_types(s, clist) \
+ SSL_ctrl(s, SSL_CTRL_GET_CLIENT_CERT_TYPES, 0, (char *)clist)
+
+#define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
+#define SSL_set1_client_certificate_types(s, clist, clistlen) \
+ SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)clist)
+
+#define SSL_get_peer_signature_nid(s, pn) \
+ SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
+
+#define SSL_get_server_tmp_key(s, pk) \
+ SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
+
+#define SSL_get0_raw_cipherlist(s, plst) \
+ SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst)
+
#ifndef OPENSSL_NO_BIO
BIO_METHOD *BIO_f_ssl(void);
BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
void SSL_set_verify(SSL *s, int mode,
int (*callback)(int ok,X509_STORE_CTX *ctx));
void SSL_set_verify_depth(SSL *s, int depth);
+void SSL_set_cert_cb(SSL *s, int (*cb)(SSL *ssl, void *arg), void *arg);
#ifndef OPENSSL_NO_RSA
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
#endif
int (*callback)(int, X509_STORE_CTX *));
void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
+void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb)(SSL *ssl, void *arg), void *arg);
#ifndef OPENSSL_NO_RSA
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
#endif
char *SSL_get_srp_userinfo(SSL *s);
#endif
+void SSL_certs_clear(SSL *s);
void SSL_free(SSL *ssl);
int SSL_accept(SSL *ssl);
int SSL_connect(SSL *ssl);
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
+
/* TLS extensions functions */
int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
void SSL_set_debug(SSL *s, int debug);
int SSL_cache_hit(SSL *s);
+int SSL_is_server(SSL *s);
+
+SSL_CONF_CTX *SSL_CONF_CTX_new(void);
+void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx);
+unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags);
+unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags);
+int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre);
+
+void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
+void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
+
+int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
+int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
+
+#ifndef OPENSSL_NO_SSL_TRACE
+void SSL_trace(int write_p, int version, int content_type,
+ const void *buf, size_t len, SSL *ssl, void *arg);
+const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
+#endif
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278
#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 308
#define SSL_F_SSL_BAD_METHOD 160
+#define SSL_F_SSL_BUILD_CERT_CHAIN 332
#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
#define SSL_F_SSL_CERT_DUP 221
#define SSL_F_SSL_CERT_INST 222
#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
#define SSL_F_SSL_CLEAR 164
#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
+#define SSL_F_SSL_CONF_CTX_CMD 334
#define SSL_F_SSL_CREATE_CIPHER_LIST 166
#define SSL_F_SSL_CTRL 232
#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
#define SSL_F_SSL_DO_HANDSHAKE 180
#define SSL_F_SSL_GET_NEW_SESSION 181
#define SSL_F_SSL_GET_PREV_SESSION 217
-#define SSL_F_SSL_GET_SERVER_CERT_INDEX 329
+#define SSL_F_SSL_GET_SERVER_CERT_INDEX 331
#define SSL_F_SSL_GET_SERVER_SEND_PKEY 182
#define SSL_F_SSL_GET_SIGN_PKEY 183
#define SSL_F_SSL_INIT_WBIO_BUFFER 184
#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206
#define SSL_F_SSL_VERIFY_CERT_CHAIN 207
#define SSL_F_SSL_WRITE 208
+#define SSL_F_TLS12_CHECK_PEER_SIGALG 333
#define SSL_F_TLS1_CERT_VERIFY_MAC 286
#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
#define SSL_R_BAD_SSL_FILETYPE 124
#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
#define SSL_R_BAD_STATE 126
+#define SSL_R_BAD_VALUE 384
#define SSL_R_BAD_WRITE_RETRY 127
#define SSL_R_BIO_NOT_SET 128
#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
#define SSL_R_CA_DN_TOO_LONG 132
#define SSL_R_CCS_RECEIVED_EARLY 133
#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
+#define SSL_R_CERT_CB_ERROR 377
#define SSL_R_CERT_LENGTH_MISMATCH 135
#define SSL_R_CHALLENGE_IS_DIFFERENT 136
#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
#define SSL_R_HTTPS_PROXY_REQUEST 155
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 283
+#define SSL_R_ILLEGAL_SUITEB_DIGEST 380
#define SSL_R_INCONSISTENT_COMPRESSION 340
#define SSL_R_INVALID_AUDIT_PROOF 371
#define SSL_R_INVALID_AUTHZ_DATA 374
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
+#define SSL_R_INVALID_NULL_CMD_NAME 385
#define SSL_R_INVALID_PURPOSE 278
#define SSL_R_INVALID_SRP_USERNAME 357
#define SSL_R_INVALID_STATUS_RESPONSE 328
#define SSL_R_MISSING_DH_KEY 163
#define SSL_R_MISSING_DH_RSA_CERT 164
#define SSL_R_MISSING_DSA_SIGNING_CERT 165
+#define SSL_R_MISSING_ECDH_CERT 382
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT 381
#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
#define SSL_R_MISSING_RSA_CERTIFICATE 168
#define SSL_R_NO_RENEGOTIATION 339
#define SSL_R_NO_REQUIRED_DIGEST 324
#define SSL_R_NO_SHARED_CIPHER 193
+#define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS 376
#define SSL_R_NO_SRTP_PROFILES 359
#define SSL_R_NO_VERIFY_CALLBACK 194
#define SSL_R_NULL_SSL_CTX 195
#define SSL_R_NULL_SSL_METHOD_PASSED 196
#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
+#define SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE 379
#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 327
#define SSL_R_PACKET_LENGTH_TOO_LONG 198
#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
#define SSL_R_UNKNOWN_CIPHER_TYPE 249
+#define SSL_R_UNKNOWN_CMD_NAME 386
#define SSL_R_UNKNOWN_DIGEST 368
#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
#define SSL_R_UNKNOWN_PKEY_TYPE 251
#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
#define SSL_R_WRITE_BIO_NOT_SET 260
+#define SSL_R_WRONG_CERTIFICATE_TYPE 383
#define SSL_R_WRONG_CIPHER_RETURNED 261
+#define SSL_R_WRONG_CURVE 378
#define SSL_R_WRONG_MESSAGE_TYPE 262
#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
#define SSL_R_WRONG_SIGNATURE_LENGTH 264
projects / openssl.git / blobdiff