typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
#ifndef OPENSSL_NO_TLSEXT
-/* Callbacks and structures for handling custom TLS Extensions:
- * cli_ext_first_cb - sends data for ClientHello TLS Extension
- * cli_ext_second_cb - receives data from ServerHello TLS Extension
- * srv_ext_first_cb - receives data from ClientHello TLS Extension
- * srv_ext_second_cb - sends data for ServerHello TLS Extension
- *
- * All these functions return nonzero on success. Zero will terminate
- * the handshake (and return a specific TLS Fatal alert, if the function
- * declaration has an "al" parameter). -1 for the "sending" functions
- * will cause the TLS Extension to be omitted.
- *
- * "ext_type" is a TLS "ExtensionType" from 0-65535.
- * "in" is a pointer to TLS "extension_data" being provided to the cb.
- * "out" is used by the callback to return a pointer to "extension data"
- * which OpenSSL will later copy into the TLS handshake. The contents
- * of this buffer should not be changed until the handshake is complete.
- * "inlen" and "outlen" are TLS Extension lengths from 0-65535.
- * "al" is a TLS "AlertDescription" from 0-255 which WILL be sent as a
- * fatal TLS alert, if the callback returns zero.
- */
-typedef int (*custom_cli_ext_first_cb_fn)(SSL *s, unsigned short ext_type,
- const unsigned char **out,
- unsigned short *outlen, int *al, void *arg);
-typedef int (*custom_cli_ext_second_cb_fn)(SSL *s, unsigned short ext_type,
- const unsigned char *in,
- unsigned short inlen, int *al,
- void *arg);
-
-typedef int (*custom_srv_ext_first_cb_fn)(SSL *s, unsigned short ext_type,
- const unsigned char *in,
- unsigned short inlen, int *al,
- void *arg);
-typedef int (*custom_srv_ext_second_cb_fn)(SSL *s, unsigned short ext_type,
- const unsigned char **out,
- unsigned short *outlen, int *al, void *arg);
-typedef struct {
- unsigned short ext_type;
- custom_cli_ext_first_cb_fn fn1;
- custom_cli_ext_second_cb_fn fn2;
- void *arg;
-} custom_cli_ext_record;
+/* Typedefs for handling custom extensions */
+
+typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al,
+ void *add_arg);
+
+typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type,
+ const unsigned char *out,
+ void *add_arg);
+
+typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *parse_arg);
-typedef struct {
- unsigned short ext_type;
- custom_srv_ext_first_cb_fn fn1;
- custom_srv_ext_second_cb_fn fn2;
- void *arg;
-} custom_srv_ext_record;
#endif
*/
#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
+/* Send TLS_FALLBACK_SCSV in the ClientHello.
+ * To be set only by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.
+ *
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.
+ * Only use this in explicit fallback retries, following the guidance
+ * in draft-ietf-tls-downgrade-scsv-00.
+ */
+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
/* Cert related flags */
/* Many implementations ignore some aspects of the TLS standards such as
size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist;
# endif /* OPENSSL_NO_EC */
- /* Arrays containing the callbacks for custom TLS Extensions. */
- custom_cli_ext_record *custom_cli_ext_records;
- size_t custom_cli_ext_records_count;
- custom_srv_ext_record *custom_srv_ext_records;
- size_t custom_srv_ext_records_count;
};
#endif
#endif
#ifndef OPENSSL_NO_TLSEXT
-/* Register callbacks to handle custom TLS Extensions as client or server.
- *
- * Returns nonzero on success. You cannot register twice for the same
- * extension number, and registering for an extension number already
- * handled by OpenSSL will succeed, but the callbacks will not be invoked.
- *
- * NULL can be registered for any callback function. For the client
- * functions, a NULL custom_cli_ext_first_cb_fn sends an empty ClientHello
- * Extension, and a NULL custom_cli_ext_second_cb_fn ignores the ServerHello
- * response (if any).
- *
- * For the server functions, a NULL custom_srv_ext_first_cb_fn means the
- * ClientHello extension's data will be ignored, but the extension will still
- * be noted and custom_srv_ext_second_cb_fn will still be invoked. A NULL
- * custom_srv_ext_second_cb doesn't send a ServerHello extension.
- */
-int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type,
- custom_cli_ext_first_cb_fn fn1,
- custom_cli_ext_second_cb_fn fn2, void *arg);
+/* Register callbacks to handle custom TLS Extensions for client or server. */
+
+int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
+ custom_ext_add_cb add_cb,
+ custom_ext_free_cb free_cb,
+ void *add_arg,
+ custom_ext_parse_cb parse_cb,
+ void *parse_arg);
+
+int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
+ custom_ext_add_cb add_cb,
+ custom_ext_free_cb free_cb,
+ void *add_arg,
+ custom_ext_parse_cb parse_cb,
+ void *parse_arg);
-int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
- custom_srv_ext_first_cb_fn fn1,
- custom_srv_ext_second_cb_fn fn2, void *arg);
+int SSL_extension_supported(unsigned int ext_type);
#endif
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
#define SSL_CTRL_SELECT_CURRENT_CERT 116
#define SSL_CTRL_SET_CURRENT_CERT 117
+#define SSL_CTRL_SET_DH_AUTO 118
+#define SSL_CTRL_CHECK_PROTO_VERSION 119
+
+
#define SSL_CERT_SET_FIRST 1
#define SSL_CERT_SET_NEXT 2
#define SSL_CERT_SET_SERVER 3
-#define SSL_CTRL_SET_DH_AUTO 118
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *file);
#ifndef OPENSSL_SYS_VMS
-#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *dir);
#endif
-#endif
#endif
#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
#define SSL_F_TLS1_PRF 284
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
+#define SSL_F_TLS1_SET_SERVER_SIGALGS 335
#define SSL_F_WRITE_PENDING 212
/* Reason codes. */
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 283
#define SSL_R_ILLEGAL_SUITEB_DIGEST 380
+#define SSL_R_INAPPROPRIATE_FALLBACK 373
#define SSL_R_INCONSISTENT_COMPRESSION 340
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
-#define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 393
#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313