update NEWS file

[openssl.git] / ssl / ssl3.h
diff --git a/ssl/ssl3.h b/ssl/ssl3.h

index 0543cb287ebc5a7b41875069ce310c114cbb669f..9b5a9b96d58cffec75e04b0494a3dcfea3e7321d 100644 (file)
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -128,6 +128,22 @@
  extern "C" {
  #endif
  
  extern "C" {
  #endif
  
+<<<<<<< ssl3.h
+/* Magic Cipher Suite Value. NB: bogus value used for testing */
+<<<<<<< ssl3.h
+#ifndef SSL3_CK_MCSV
+#define SSL3_CK_MCSV                           0x03000FEC
+#endif
+=======
+#ifndef SSL3_CK_SCSV
+#define SSL3_CK_SCSV                           0x03000FEC
+#endif
+>>>>>>> 1.50
+=======
+/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+#define SSL3_CK_SCSV                           0x030000FF
+>>>>>>> 1.51
+
  #define SSL3_CK_RSA_NULL_MD5                   0x03000001
  #define SSL3_CK_RSA_NULL_SHA                   0x03000002
  #define SSL3_CK_RSA_RC4_40_MD5                         0x03000003
  #define SSL3_CK_RSA_NULL_MD5                   0x03000001
  #define SSL3_CK_RSA_NULL_SHA                   0x03000002
  #define SSL3_CK_RSA_RC4_40_MD5                         0x03000003
@@ -368,13 +384,14 @@ typedef struct ssl3_buffer_st
   * enough to contain all of the cert types defined either for
   * SSLv3 and TLSv1.
   */
   * enough to contain all of the cert types defined either for
   * SSLv3 and TLSv1.
   */
-#define SSL3_CT_NUMBER                 7
+#define SSL3_CT_NUMBER                 9
  
  
  #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS      0x0001
  #define SSL3_FLAGS_DELAY_CLIENT_FINISHED       0x0002
  #define SSL3_FLAGS_POP_BUFFER                  0x0004
  #define TLS1_FLAGS_TLS_PADDING_BUG             0x0008
  
  
  #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS      0x0001
  #define SSL3_FLAGS_DELAY_CLIENT_FINISHED       0x0002
  #define SSL3_FLAGS_POP_BUFFER                  0x0004
  #define TLS1_FLAGS_TLS_PADDING_BUG             0x0008
+#define TLS1_FLAGS_SKIP_CERT_VERIFY            0x0010
  
  typedef struct ssl3_state_st
         {
  
  typedef struct ssl3_state_st
         {
@@ -443,6 +460,14 @@ typedef struct ssl3_state_st
  
         int in_read_app_data;
  
  
         int in_read_app_data;
  
+       /* Opaque PRF input as used for the current handshake.
+        * These fields are used only if TLSEXT_TYPE_opaque_prf_input is defined
+        * (otherwise, they are merely present to improve binary compatibility) */
+       void *client_opaque_prf_input;
+       size_t client_opaque_prf_input_len;
+       void *server_opaque_prf_input;
+       size_t server_opaque_prf_input_len;
+
         struct  {
                 /* actually only needs to be 16+20 */
                 unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
         struct  {
                 /* actually only needs to be 16+20 */
                 unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
@@ -457,7 +482,7 @@ typedef struct ssl3_state_st
                 int message_type;
  
                 /* used to hold the new cipher we are going to use */
                 int message_type;
  
                 /* used to hold the new cipher we are going to use */
-               SSL_CIPHER *new_cipher;
+               const SSL_CIPHER *new_cipher;
  #ifndef OPENSSL_NO_DH
                 DH *dh;
  #endif
  #ifndef OPENSSL_NO_DH
                 DH *dh;
  #endif
@@ -494,6 +519,12 @@ typedef struct ssl3_state_st
                 int cert_request;
                 } tmp;
  
                 int cert_request;
                 } tmp;
  
+        /* Connection binding to prevent renegotiation attacks */
+        unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
+        unsigned char previous_client_finished_len;
+        unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
+        unsigned char previous_server_finished_len;
+        int send_connection_binding; /* TODOEKR */
         } SSL3_STATE;
  
  
         } SSL3_STATE;
  
  
@@ -537,6 +568,8 @@ typedef struct ssl3_state_st
  #define SSL3_ST_CR_FINISHED_B          (0x1D1|SSL_ST_CONNECT)
  #define SSL3_ST_CR_SESSION_TICKET_A    (0x1E0|SSL_ST_CONNECT)
  #define SSL3_ST_CR_SESSION_TICKET_B    (0x1E1|SSL_ST_CONNECT)
  #define SSL3_ST_CR_FINISHED_B          (0x1D1|SSL_ST_CONNECT)
  #define SSL3_ST_CR_SESSION_TICKET_A    (0x1E0|SSL_ST_CONNECT)
  #define SSL3_ST_CR_SESSION_TICKET_B    (0x1E1|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CERT_STATUS_A       (0x1F0|SSL_ST_CONNECT)
+#define SSL3_ST_CR_CERT_STATUS_B       (0x1F1|SSL_ST_CONNECT)
  
  /* server */
  /* extra state */
  
  /* server */
  /* extra state */
@@ -578,8 +611,10 @@ typedef struct ssl3_state_st
  #define SSL3_ST_SW_CHANGE_B            (0x1D1|SSL_ST_ACCEPT)
  #define SSL3_ST_SW_FINISHED_A          (0x1E0|SSL_ST_ACCEPT)
  #define SSL3_ST_SW_FINISHED_B          (0x1E1|SSL_ST_ACCEPT)
  #define SSL3_ST_SW_CHANGE_B            (0x1D1|SSL_ST_ACCEPT)
  #define SSL3_ST_SW_FINISHED_A          (0x1E0|SSL_ST_ACCEPT)
  #define SSL3_ST_SW_FINISHED_B          (0x1E1|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SESSION_TICKET_A    (0x1F0|SSL_ST_CONNECT)
-#define SSL3_ST_SW_SESSION_TICKET_B    (0x1F1|SSL_ST_CONNECT)
+#define SSL3_ST_SW_SESSION_TICKET_A    (0x1F0|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_SESSION_TICKET_B    (0x1F1|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CERT_STATUS_A       (0x200|SSL_ST_ACCEPT)
+#define SSL3_ST_SW_CERT_STATUS_B       (0x201|SSL_ST_ACCEPT)
  
  #define SSL3_MT_HELLO_REQUEST                  0
  #define SSL3_MT_CLIENT_HELLO                   1
  
  #define SSL3_MT_HELLO_REQUEST                  0
  #define SSL3_MT_CLIENT_HELLO                   1
@@ -592,6 +627,7 @@ typedef struct ssl3_state_st
  #define SSL3_MT_CERTIFICATE_VERIFY             15
  #define SSL3_MT_CLIENT_KEY_EXCHANGE            16
  #define SSL3_MT_FINISHED                       20
  #define SSL3_MT_CERTIFICATE_VERIFY             15
  #define SSL3_MT_CLIENT_KEY_EXCHANGE            16
  #define SSL3_MT_FINISHED                       20
+#define SSL3_MT_CERTIFICATE_STATUS             22
  #define DTLS1_MT_HELLO_VERIFY_REQUEST    3
  
  
  #define DTLS1_MT_HELLO_VERIFY_REQUEST    3