#ifndef HEADER_SSL_LOCL_H
# define HEADER_SSL_LOCL_H
+
+# include "e_os.h" /* struct timeval for DTLS */
# include <stdlib.h>
# include <time.h>
# include <string.h>
# include <errno.h>
-# include "e_os.h"
-# if defined(__unix) || defined(__unix__)
-# include <sys/time.h> /* struct timeval for DTLS */
-# endif
-
# include <openssl/buffer.h>
# include <openssl/comp.h>
# include <openssl/bio.h>
-# include <openssl/stack.h>
# include <openssl/rsa.h>
# include <openssl/dsa.h>
# include <openssl/err.h>
# define SSL_AES256CCM8 0x00020000U
# define SSL_eGOST2814789CNT12 0x00040000U
# define SSL_CHACHA20POLY1305 0x00080000U
+# define SSL_ARIA128GCM 0x00100000U
+# define SSL_ARIA256GCM 0x00200000U
# define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
# define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
# define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
+# define SSL_ARIAGCM (SSL_ARIA128GCM | SSL_ARIA256GCM)
+# define SSL_ARIA (SSL_ARIAGCM)
/* Bits for algorithm_mac (symmetric authentication) */
/* Mostly for SSLv3 */
# define SSL_PKEY_RSA 0
-# define SSL_PKEY_DSA_SIGN 1
-# define SSL_PKEY_ECC 2
-# define SSL_PKEY_GOST01 3
-# define SSL_PKEY_GOST12_256 4
-# define SSL_PKEY_GOST12_512 5
-# define SSL_PKEY_ED25519 6
-# define SSL_PKEY_NUM 7
+# define SSL_PKEY_RSA_PSS_SIGN 1
+# define SSL_PKEY_DSA_SIGN 2
+# define SSL_PKEY_ECC 3
+# define SSL_PKEY_GOST01 4
+# define SSL_PKEY_GOST12_256 5
+# define SSL_PKEY_GOST12_512 6
+# define SSL_PKEY_ED25519 7
+# define SSL_PKEY_NUM 8
/*
* Pseudo-constant. GOST cipher suites can use different certs for 1
* SSL_CIPHER. So let's see which one we have in fact.
*/
# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
-/*
- * TODO(TLS1.3) for now use SSL_PKEY_RSA keys for PSS
- */
-
-#define SSL_PKEY_RSA_PSS_SIGN SSL_PKEY_RSA
-
/*-
* SSL_kRSA <- RSA_ENC
* SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
# ifndef OPENSSL_NO_EC
size_t ecpointformats_len;
unsigned char *ecpointformats; /* peer's list */
- size_t supportedgroups_len;
- unsigned char *supportedgroups; /* peer's list */
# endif /* OPENSSL_NO_EC */
+ size_t supportedgroups_len;
+ uint16_t *supportedgroups; /* peer's list */
/* RFC4507 info */
unsigned char *tick; /* Session ticket */
size_t ticklen; /* Session ticket length */
TLSEXT_IDX_ec_point_formats,
TLSEXT_IDX_supported_groups,
TLSEXT_IDX_session_ticket,
- TLSEXT_IDX_signature_algorithms,
TLSEXT_IDX_status_request,
TLSEXT_IDX_next_proto_neg,
TLSEXT_IDX_application_layer_protocol_negotiation,
TLSEXT_IDX_encrypt_then_mac,
TLSEXT_IDX_signed_certificate_timestamp,
TLSEXT_IDX_extended_master_secret,
+ TLSEXT_IDX_signature_algorithms,
TLSEXT_IDX_supported_versions,
TLSEXT_IDX_psk_kex_modes,
TLSEXT_IDX_key_share,
ENGINE *client_cert_engine;
# endif
- /* Early callback. Mostly for extensions, but not entirely. */
- SSL_early_cb_fn early_cb;
- void *early_cb_arg;
+ /* ClientHello callback. Mostly for extensions, but not entirely. */
+ SSL_client_hello_cb_fn client_hello_cb;
+ void *client_hello_cb_arg;
/* TLS extensions. */
struct {
size_t ecpointformats_len;
unsigned char *ecpointformats;
size_t supportedgroups_len;
- unsigned char *supportedgroups;
+ uint16_t *supportedgroups;
# endif /* OPENSSL_NO_EC */
/*
SSL_SESSION *session;
/* TLSv1.3 PSK session */
SSL_SESSION *psksession;
+ unsigned char *psksession_id;
+ size_t psksession_id_len;
/* Default generate session ID callback. */
GEN_SESSION_CB generate_session_id;
/* Used in SSL3 */
size_t ecpointformats_len;
/* our list */
unsigned char *ecpointformats;
+# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
/* our list */
- unsigned char *supportedgroups;
-# endif /* OPENSSL_NO_EC */
+ uint16_t *supportedgroups;
/* TLS Session Ticket extension override */
TLS_SESSION_TICKET_EXT *session_ticket;
/* TLS Session Ticket extension callback */
size_t tls13_cookie_len;
} ext;
- /* Parsed form of the ClientHello, kept around across early_cb calls. */
+ /*
+ * Parsed form of the ClientHello, kept around across client_hello_cb
+ * calls.
+ */
CLIENTHELLO_MSG *clienthello;
/*-
int curve;
} SIGALG_LOOKUP;
+typedef struct tls_group_info_st {
+ int nid; /* Curve NID */
+ int secbits; /* Bits of security (from SP800-57) */
+ uint16_t flags; /* Flags: currently just group type */
+} TLS_GROUP_INFO;
+
+/* flags values */
+# define TLS_CURVE_TYPE 0x3 /* Mask for group type */
+# define TLS_CURVE_PRIME 0x0
+# define TLS_CURVE_CHAR2 0x1
+# define TLS_CURVE_CUSTOM 0x2
+
typedef struct cert_pkey_st CERT_PKEY;
/*
/* For clients: peer temporary key */
# if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
/* The group_id for the DH/ECDH key */
- unsigned int group_id;
+ uint16_t group_id;
EVP_PKEY *peer_tmp;
# endif
*/
struct timeval next_timeout;
/* Timeout duration */
- unsigned short timeout_duration;
+ unsigned int timeout_duration_us;
+
unsigned int retransmitting;
# ifndef OPENSSL_NO_SCTP
int shutdown_received;
# endif
+
+ DTLS_timer_cb timer_cb;
+
} DTLS1_STATE;
# ifndef OPENSSL_NO_EC
&& s->cert->pkeys[idx].privatekey != NULL;
}
+static ossl_inline void tls1_get_peer_groups(SSL *s, const uint16_t **pgroups,
+ size_t *pgroupslen)
+{
+ *pgroups = s->session->ext.supportedgroups;
+ *pgroupslen = s->session->ext.supportedgroups_len;
+}
+
# ifndef OPENSSL_UNIT_TEST
__owur int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes);
__owur CERT *ssl_cert_dup(CERT *cert);
void ssl_cert_clear_certs(CERT *c);
void ssl_cert_free(CERT *c);
+__owur int ssl_generate_session_id(SSL *s, SSL_SESSION *ss);
__owur int ssl_get_new_session(SSL *s, int session);
__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al);
__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
# ifndef OPENSSL_NO_EC
-/* Flags values from tls1_ec_curve_id2nid() */
-/* Mask for curve type */
-# define TLS_CURVE_TYPE 0x3
-# define TLS_CURVE_PRIME 0x0
-# define TLS_CURVE_CHAR2 0x1
-# define TLS_CURVE_CUSTOM 0x2
-
-#define bytestogroup(bytes) ((unsigned int)(bytes[0] << 8 | bytes[1]))
-__owur int tls1_ec_curve_id2nid(int curve_id, unsigned int *pflags);
-__owur int tls1_ec_nid2curve_id(int nid);
-__owur int tls1_check_curve(SSL *s, const unsigned char *p, size_t len);
-__owur int tls1_shared_group(SSL *s, int nmatch);
-__owur int tls1_set_groups(unsigned char **pext, size_t *pextlen,
+__owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id);
+__owur int tls1_check_group_id(SSL *s, uint16_t group_id);
+__owur uint16_t tls1_shared_group(SSL *s, int nmatch);
+__owur int tls1_set_groups(uint16_t **pext, size_t *pextlen,
int *curves, size_t ncurves);
-__owur int tls1_set_groups_list(unsigned char **pext, size_t *pextlen,
+__owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen,
const char *str);
void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
size_t *num_formats);
__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
-__owur EVP_PKEY *ssl_generate_pkey_curve(int id);
+__owur EVP_PKEY *ssl_generate_pkey_group(uint16_t id);
+__owur EVP_PKEY *ssl_generate_param_group(uint16_t id);
# endif /* OPENSSL_NO_EC */
-__owur int tls_curve_allowed(SSL *s, const unsigned char *curve, int op);
-__owur int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves,
- size_t *num_curves);
+__owur int tls_curve_allowed(SSL *s, uint16_t curve, int op);
+void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups,
+ size_t *pgroupslen);
__owur int tls1_set_server_sigalgs(SSL *s);
__owur long ssl_get_algorithm2(SSL *s);
__owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
const uint16_t *psig, size_t psiglen);
+__owur int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen);
__owur int tls1_save_sigalgs(SSL *s, PACKET *pkt);
__owur int tls1_process_sigalgs(SSL *s);
__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
projects / openssl.git / blobdiff