Don't disable rollback attack detection as a recommended bug workaround.
[openssl.git] / ssl / ssl.h
index 216afd917fe4fce6f19ac6c1b500b2370c753ae8..8f5d0a4d4754c8d00146490613d9ef4888e75402 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -106,6 +106,7 @@ extern "C" {
 #define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5
 #define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
 #define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
+#define SSL_MAX_KRB5_PRINCIPAL_LENGTH  256
 
 #define SSL_MAX_SSL_SESSION_ID_LENGTH          32
 #define SSL_MAX_SID_CTX_LENGTH                 32
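Review bot: SSL_MAX_KRB5_PRINCIPAL_LENGTH is inserted among the SSL_TXT_KRB5_* cipher-name aliases rather than with the SSL_MAX_*_LENGTH limits that begin two lines later; placing it next to SSL_MAX_SID_CTX_LENGTH keeps the buffer bounds in one group. A one-line comment stating what it bounds would also help, since the only visible consumer is the krb5_client_princ buffer added to ssl_session_st: `/* upper bound on krb5_client_princ in SSL_SESSION */`.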
@@ -283,6 +284,11 @@ typedef struct ssl_session_st
        unsigned int sid_ctx_length;
        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 
+#ifndef OPENSSL_NO_KRB5
+        unsigned int krb5_client_princ_len;
+        unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
+#endif /* OPENSSL_NO_KRB5 */
+
        int not_resumable;
 
        /* The cert is the certificate used to establish this connection */
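Review bot: The new krb5_client_princ_len field carries no documented bound, yet the buffer it describes is fixed at SSL_MAX_KRB5_PRINCIPAL_LENGTH bytes, so every writer (the handshake code that fills it and, if sessions are serialized or cached, the decoder that restores it) must clamp the length before copying. A comment on the field would pin that contract: `/* length of krb5_client_princ; must not exceed SSL_MAX_KRB5_PRINCIPAL_LENGTH -- writers check, readers may assume */`. The sid_ctx_length/sid_ctx pair just above follows the same fixed-buffer pattern, so matching its naming and placement is consistent. The ssl_session_st typedef begins and ends outside this hunk.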
@@ -326,7 +332,6 @@ typedef struct ssl_session_st
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                        0x00000080L
 #define SSL_OP_TLS_D5_BUG                              0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                   0x00000200L
-#define SSL_OP_TLS_ROLLBACK_BUG                                0x00000400L
 
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE                           0x00100000L
@@ -335,15 +340,18 @@ typedef struct ssl_session_st
 /* Set on servers to choose the cipher according to the server's
  * preferences */
 #define SSL_OP_CIPHER_SERVER_PREFERENCE                        0x00400000L
+/* If set, a server will allow a client to issue a SSLv3.0 version number
+ * as latest version supported in the premaster secret, even when TLSv1.0
+ * (version 3.1) was announced in the client hello. Normally this is
+ * forbidden to prevent version rollback attacks. */
+#define SSL_OP_TLS_ROLLBACK_BUG                                0x00800000L
 
 /* The next flag deliberately changes the ciphertest, this is a check
  * for the PKCS#1 attack */
 #define SSL_OP_PKCS1_CHECK_1                           0x08000000L
 #define SSL_OP_PKCS1_CHECK_2                           0x10000000L
 #define SSL_OP_NETSCAPE_CA_DN_BUG                      0x20000000L
-/* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */
-#define SSL_OP_NON_EXPORT_FIRST                        0x40000000L
-#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG         0x80000000L
+#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG         0x40000000L
 #define SSL_OP_ALL                                     0x000FFFFFL
 
 #define SSL_OP_NO_SSLv2                                        0x01000000L
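Review bot: Renumbering SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG from 0x80000000L to 0x40000000L reuses the bit that SSL_OP_NON_EXPORT_FIRST occupied, so a caller compiled against the previous header that still passes the old NON_EXPORT_FIRST value would silently enable the Netscape demo-cipher workaround, while the old 0x80000000L now maps to nothing. If compatibility with existing option masks matters, keep the flag at 0x80000000L and leave the freed bit reserved: `/* 0x40000000L formerly SSL_OP_NON_EXPORT_FIRST, do not reuse */`. The relocated SSL_OP_TLS_ROLLBACK_BUG (removed at its old 0x00000400L in the preceding hunk) should also state in its comment that the new value deliberately lies outside SSL_OP_ALL (0x000FFFFFL), e.g. append ` * Deliberately NOT included in SSL_OP_ALL.`, so a later edit does not fold the rollback bypass back into the default bug-workaround mask.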
@@ -973,6 +981,8 @@ char *      SSL_CIPHER_get_version(SSL_CIPHER *c);
 const char *   SSL_CIPHER_get_name(SSL_CIPHER *c);
 
 int    SSL_get_fd(SSL *s);
+int    SSL_get_rfd(SSL *s);
+int    SSL_get_wfd(SSL *s);
 const char  * SSL_get_cipher_list(SSL *s,int n);
 char * SSL_get_shared_ciphers(SSL *s, char *buf, int len);
 int    SSL_get_read_ahead(SSL * s);
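Review bot: SSL_get_rfd and SSL_get_wfd are declared without any note on what they return when the read or write BIO is not descriptor-based; SSL_get_fd just above is equally undocumented, but new API is the place to fix that. Presumably they mirror SSL_get_fd and return -1 in that case -- confirm against the implementation and record it: `/* SSL_get_rfd/SSL_get_wfd: fd of the read/write BIO, or -1 if it is not fd-based */`.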