# define SSL_CLIENT_USE_SIGALGS(s) \
SSL_CLIENT_USE_TLS1_2_CIPHERS(s)
+# define IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value) \
+ (((value) >= TLSEXT_max_fragment_length_512) && \
+ ((value) <= TLSEXT_max_fragment_length_4096))
+# define USE_MAX_FRAGMENT_LENGTH_EXT(session) \
+ IS_MAX_FRAGMENT_LENGTH_EXT_VALID(session->ext.max_fragment_len_mode)
+# define GET_MAX_FRAGMENT_LENGTH(session) \
+ (512U << (session->ext.max_fragment_len_mode - 1))
+
# define SSL_READ_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ)
# define SSL_WRITE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
# ifndef OPENSSL_NO_EC
size_t ecpointformats_len;
unsigned char *ecpointformats; /* peer's list */
+# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
uint16_t *supportedgroups; /* peer's list */
-# endif /* OPENSSL_NO_EC */
/* RFC4507 info */
unsigned char *tick; /* Session ticket */
size_t ticklen; /* Session ticket length */
/* The ALPN protocol selected for this session */
unsigned char *alpn_selected;
size_t alpn_selected_len;
+ /*
+ * Maximum Fragment Length as per RFC 4366.
+ * If this value does not contain RFC 4366 allowed values (1-4) then
+ * either the Maximum Fragment Length Negotiation failed or was not
+ * performed at all.
+ */
+ uint8_t max_fragment_len_mode;
} ext;
# ifndef OPENSSL_NO_SRP
char *srp_username;
typedef enum tlsext_index_en {
TLSEXT_IDX_renegotiate,
TLSEXT_IDX_server_name,
+ TLSEXT_IDX_max_fragment_length,
TLSEXT_IDX_srp,
TLSEXT_IDX_ec_point_formats,
TLSEXT_IDX_supported_groups,
void *status_arg;
/* ext status type used for CSR extension (OCSP Stapling) */
int status_type;
+ /* RFC 4366 Maximum Fragment Length Negotiation */
+ uint8_t max_fragment_len_mode;
# ifndef OPENSSL_NO_EC
/* EC extension values inherited by SSL structure */
size_t ecpointformats_len;
/* our list */
unsigned char *ecpointformats;
+# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
/* our list */
uint16_t *supportedgroups;
-# endif /* OPENSSL_NO_EC */
/* TLS Session Ticket extension override */
TLS_SESSION_TICKET_EXT *session_ticket;
/* TLS Session Ticket extension callback */
/* May be sent by a server in HRR. Must be echoed back in ClientHello */
unsigned char *tls13_cookie;
size_t tls13_cookie_len;
+ /*
+ * Maximum Fragment Length as per RFC 4366.
+ * If this member contains one of the allowed values (1-4)
+ * then we should include Maximum Fragment Length Negotiation
+ * extension in Client Hello.
+ * Please note that value of this member does not have direct
+ * effect. The actual (binding) value is stored in SSL_SESSION,
+ * as this extension is optional on server side.
+ */
+ uint8_t max_fragment_len_mode;
} ext;
/*
uint16_t *peer_sigalgs;
/* Size of above array */
size_t peer_sigalgslen;
- /* Sigalg peer actualy uses */
+ /* Sigalg peer actually uses */
const SIGALG_LOOKUP *peer_sigalg;
/*
* Set if corresponding CERT_PKEY can be used with current
&& s->cert->pkeys[idx].privatekey != NULL;
}
+static ossl_inline void tls1_get_peer_groups(SSL *s, const uint16_t **pgroups,
+ size_t *pgroupslen)
+{
+ *pgroups = s->session->ext.supportedgroups;
+ *pgroupslen = s->session->ext.supportedgroups_len;
+}
+
# ifndef OPENSSL_UNIT_TEST
__owur int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes);
__owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey,
int genmaster);
__owur EVP_PKEY *ssl_dh_to_pkey(DH *dh);
+__owur unsigned int ssl_get_max_send_fragment(const SSL *ssl);
+__owur unsigned int ssl_get_split_send_fragment(const SSL *ssl);
__owur const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id);
__owur const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname);
# ifndef OPENSSL_NO_EC
__owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id);
-__owur int tls1_check_curve(SSL *s, const unsigned char *p, size_t len);
+__owur int tls1_check_group_id(SSL *s, uint16_t group_id);
__owur uint16_t tls1_shared_group(SSL *s, int nmatch);
__owur int tls1_set_groups(uint16_t **pext, size_t *pextlen,
int *curves, size_t ncurves);
# endif /* OPENSSL_NO_EC */
__owur int tls_curve_allowed(SSL *s, uint16_t curve, int op);
-void tls1_get_grouplist(SSL *s, int sess, const uint16_t **pcurves,
- size_t *num_curves);
+void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
+ size_t *pgroupslen);
__owur int tls1_set_server_sigalgs(SSL *s);