# include <openssl/ssl.h>
# include <openssl/async.h>
# include <openssl/symhacks.h>
-
+# ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+# endif
#include "record/record.h"
#include "statem/statem.h"
#include "packet_locl.h"
# define SSL_kDHE 0x00000002U
/* synonym */
# define SSL_kEDH SSL_kDHE
-/* ECDH cert, RSA CA cert */
-# define SSL_kECDHr 0x00000004U
-/* ECDH cert, ECDSA CA cert */
-# define SSL_kECDHe 0x00000008U
/* ephemeral ECDH */
-# define SSL_kECDHE 0x00000010U
+# define SSL_kECDHE 0x00000004U
/* synonym */
# define SSL_kEECDH SSL_kECDHE
/* PSK */
-# define SSL_kPSK 0x00000020U
+# define SSL_kPSK 0x00000008U
/* GOST key exchange */
-# define SSL_kGOST 0x00000040U
+# define SSL_kGOST 0x00000010U
/* SRP */
-# define SSL_kSRP 0x00000080U
+# define SSL_kSRP 0x00000020U
-# define SSL_kRSAPSK 0x00000100U
-# define SSL_kECDHEPSK 0x00000200U
-# define SSL_kDHEPSK 0x00000400U
+# define SSL_kRSAPSK 0x00000040U
+# define SSL_kECDHEPSK 0x00000080U
+# define SSL_kDHEPSK 0x00000100U
/* all PSK */
# define SSL_aDSS 0x00000002U
/* no auth (i.e. use ADH or AECDH) */
# define SSL_aNULL 0x00000004U
-/* Fixed ECDH auth (kECDHe or kECDHr) */
-# define SSL_aECDH 0x00000008U
/* ECDSA auth*/
-# define SSL_aECDSA 0x00000010U
+# define SSL_aECDSA 0x00000008U
/* PSK auth */
-# define SSL_aPSK 0x00000020U
+# define SSL_aPSK 0x00000010U
/* GOST R 34.10-2001 signature auth */
-# define SSL_aGOST01 0x00000040U
+# define SSL_aGOST01 0x00000020U
/* SRP auth */
-# define SSL_aSRP 0x00000080U
+# define SSL_aSRP 0x00000040U
/* GOST R 34.10-2012 signature auth */
-# define SSL_aGOST12 0x00000100U
+# define SSL_aGOST12 0x00000080U
/* Bits for algorithm_enc (symmetric encryption) */
# define SSL_DES 0x00000001U
# define SSL_eGOST2814789CNT12 0x00040000U
# define SSL_CHACHA20POLY1305 0x00080000U
-# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM|SSL_AES128CCM|SSL_AES256CCM|SSL_AES128CCM8|SSL_AES256CCM8)
+# define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
+# define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
+# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
# define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
};
DEFINE_LHASH_OF(SSL_SESSION);
-
+/* Needed in ssl_cert.c */
+DEFINE_LHASH_OF(X509_NAME);
struct ssl_ctx_st {
const SSL_METHOD *method;
int quiet_shutdown;
+# ifndef OPENSSL_NO_CT
+ CTLOG_STORE *ctlog_store; /* CT Log Store */
+ /*
+ * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
+ * If they are not, the connection should be aborted.
+ */
+ ct_validation_cb ct_validation_callback;
+ void *ct_validation_callback_arg;
+# endif
+
+ /*
+ * If we're using more than one pipeline how should we divide the data
+ * up between the pipes?
+ */
+ unsigned int split_send_fragment;
/*
* Maximum amount of data to send in one fragment. actual record size can
* be more than this due to padding and MAC overheads.
*/
unsigned int max_send_fragment;
+ /* Up to how many pipelines should we use? If 0 then 1 is assumed */
+ unsigned int max_pipelines;
+
+ /* The default read buffer length to use (0 means not set) */
+ size_t default_read_buf_len;
+
# ifndef OPENSSL_NO_ENGINE
/*
* Engine to pass requests for client certs to
# ifndef OPENSSL_NO_NEXTPROTONEG
/* Next protocol negotiation information */
- /* (for experimental NPN extension). */
/*
* For a server, this contains a callback function by which the set of
int first_packet;
/* what was passed, used for SSLv3/TLS rollback check */
int client_version;
+
+ /*
+ * If we're using more than one pipeline how should we divide the data
+ * up between the pipes?
+ */
+ unsigned int split_send_fragment;
+ /*
+ * Maximum amount of data to send in one fragment. actual record size can
+ * be more than this due to padding and MAC overheads.
+ */
unsigned int max_send_fragment;
+ /* Up to how many pipelines should we use? If 0 then 1 is assumed */
+ unsigned int max_pipelines;
+
/* TLS extension debug callback */
void (*tlsext_debug_cb) (SSL *s, int client_server, int type,
const unsigned char *data, int len, void *arg);
/* certificate status request info */
/* Status type or -1 if no status type */
int tlsext_status_type;
+# ifndef OPENSSL_NO_CT
+ /*
+ * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
+ * If they are not, the connection should be aborted.
+ */
+ ct_validation_cb ct_validation_callback;
+ /* User-supplied argument tha tis passed to the ct_validation_callback */
+ void *ct_validation_callback_arg;
+ /*
+ * Consolidated stack of SCTs from all sources.
+ * Lazily populated by CT_get_peer_scts(SSL*)
+ */
+ STACK_OF(SCT) *scts;
+ /* Raw extension data, if seen */
+ unsigned char *tlsext_scts;
+ /* Length of raw extension data, if seen */
+ uint16_t tlsext_scts_len;
+ /* Have we attempted to find/parse SCTs yet? */
+ int scts_parsed;
+# endif
/* Expect OCSP CertificateStatus message */
int tlsext_status_expected;
/* OCSP status request only */
* basis, depending on the chosen cipher.
*/
int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
-
+
RECORD_LAYER rlayer;
/* Default password callback. */
/* Async Job info */
ASYNC_JOB *job;
+ ASYNC_WAIT_CTX *waitctx;
};
* that the server selected once the ServerHello has been processed.
*/
unsigned char *alpn_selected;
- unsigned alpn_selected_len;
+ size_t alpn_selected_len;
+ /* used by the server to know what options were proposed */
+ unsigned char *alpn_proposed;
+ size_t alpn_proposed_len;
+ /* used by the client to know if it actually sent alpn */
+ int alpn_sent;
# ifndef OPENSSL_NO_EC
/*
unsigned char rhash;
};
-/*
- * #define MAC_DEBUG
- */
-
-/*
- * #define ERR_DEBUG
- */
-/*
- * #define ABORT_DEBUG
- */
-/*
- * #define PKT_DEBUG 1
- */
-/*
- * #define DES_DEBUG
- */
-/*
- * #define DES_OFB_DEBUG
- */
-/*
- * #define SSL_DEBUG
- */
-/*
- * #define RSA_DEBUG
- */
-/*
- * #define IDEA_DEBUG
- */
-
# define FP_ICC (int (*)(const void *,const void *))
/*
* of a mess of functions, but hell, think of it as an opaque structure :-)
*/
typedef struct ssl3_enc_method {
- int (*enc) (SSL *, int);
- int (*mac) (SSL *, unsigned char *, int);
+ int (*enc) (SSL *, SSL3_RECORD *, unsigned int, int);
+ int (*mac) (SSL *, SSL3_RECORD *, unsigned char *, int);
int (*setup_key_block) (SSL *);
int (*generate_master_secret) (SSL *, unsigned char *, unsigned char *,
int);
# endif
extern SSL3_ENC_METHOD ssl3_undef_enc_method;
-OPENSSL_EXTERN const SSL_CIPHER ssl3_ciphers[];
SSL_METHOD *ssl_bad_method(int ver);
struct openssl_ssl_test_functions {
int (*p_ssl_init_wbio_buffer) (SSL *s, int push);
int (*p_ssl3_setup_buffers) (SSL *s);
- int (*p_tls1_process_heartbeat) (SSL *s,
- unsigned char *p, unsigned int length);
+# ifndef OPENSSL_NO_HEARTBEATS
int (*p_dtls1_process_heartbeat) (SSL *s,
unsigned char *p, unsigned int length);
+# endif
};
# ifndef OPENSSL_UNIT_TEST
size_t *serverinfo_length);
__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
__owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
-void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher);
+void ssl_set_masks(SSL *s);
__owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
__owur int ssl_verify_alarm_type(long type);
void ssl_load_ciphers(void);
__owur long tls1_default_timeout(void);
__owur int dtls1_do_write(SSL *s, int type);
void dtls1_set_message_header(SSL *s,
- unsigned char *p, unsigned char mt,
+ unsigned char mt,
unsigned long len,
unsigned long frag_off,
unsigned long frag_len);
__owur int dtls1_read_failed(SSL *s, int code);
__owur int dtls1_buffer_message(SSL *s, int ccs);
-__owur int dtls1_retransmit_message(SSL *s, unsigned short seq,
- unsigned long frag_off, int *found);
+__owur int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found);
__owur int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
int dtls1_retransmit_buffered_messages(SSL *s);
void dtls1_clear_record_buffer(SSL *s);
__owur int ssl_prepare_serverhello_tlsext(SSL *s);
# ifndef OPENSSL_NO_HEARTBEATS
-__owur int tls1_heartbeat(SSL *s);
__owur int dtls1_heartbeat(SSL *s);
-__owur int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length);
__owur int dtls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length);
# endif
int idx);
void tls1_set_cert_validity(SSL *s);
+#ifndef OPENSSL_NO_CT
+__owur int ssl_validate_ct(SSL *s);
+#endif
+
# ifndef OPENSSL_NO_DH
__owur DH *ssl_get_auto_dh(SSL *s);
# endif
# define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
# define ssl3_setup_buffers SSL_test_functions()->p_ssl3_setup_buffers
-# define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat
# define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat
# endif