Function tls1_check_ec_server_key is now redundant as we make

[openssl.git] / ssl / ssl_locl.h

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index cc15a5d411e9c675e88624d18cabbf52792e1782..c2547ad47f6083c9ee075bb88fae8f6e6c94347e 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -466,6 +466,14 @@
 #define NAMED_CURVE_TYPE           3
 #endif  /* OPENSSL_NO_EC */
 
 #define NAMED_CURVE_TYPE           3
 #endif  /* OPENSSL_NO_EC */
 

+/* Values for valid_flags in CERT_PKEY structure */
+/* Certificate inconsistent with session, key missing etc */
+#define CERT_PKEY_INVALID      0x0
+/* Certificate can be used with this sesstion */
+#define CERT_PKEY_VALID                0x1
+/* Certificate can also be used for signing */
+#define CERT_PKEY_SIGN         0x2
+

 typedef struct cert_pkey_st
        {
        X509 *x509;
 typedef struct cert_pkey_st
        {
        X509 *x509;


@@ -474,6 +482,20 @@ typedef struct cert_pkey_st
        const EVP_MD *digest;
        /* Chain for this certificate */
        STACK_OF(X509) *chain;
        const EVP_MD *digest;
        /* Chain for this certificate */
        STACK_OF(X509) *chain;

+#ifndef OPENSSL_NO_TLSEXT
+       /* authz/authz_length contain authz data for this certificate. The data
+        * is in wire format, specifically it's a series of records like:
+        *   uint8_t authz_type;  // (RFC 5878, AuthzDataFormat)
+        *   uint16_t length;
+        *   uint8_t data[length]; */
+       unsigned char *authz;
+       size_t authz_length;
+#endif
+       /* Set if CERT_PKEY can be used with current SSL session: e.g.
+        * appropriate curve, signature algorithms etc. If zero it can't be
+        * used at all.
+        */
+       int valid_flags;

        } CERT_PKEY;
 
 typedef struct cert_st
        } CERT_PKEY;
 
 typedef struct cert_st


@@ -505,22 +527,28 @@ typedef struct cert_st
        /* Select ECDH parameters automatically */
        int ecdh_tmp_auto;
 #endif
        /* Select ECDH parameters automatically */
        int ecdh_tmp_auto;
 #endif

-
+       /* Flags related to certificates */
+       unsigned int cert_flags;

        CERT_PKEY pkeys[SSL_PKEY_NUM];
 
        CERT_PKEY pkeys[SSL_PKEY_NUM];
 

-       /* Array of pairs of NIDs for signature algorithm extension */
-       TLS_SIGALGS *sigalgs;
+       /* signature algorithms peer reports: e.g. supported signature
+        * algorithms extension for server or as part of a certificate
+        * request for client.
+        */
+       unsigned char *peer_sigalgs;
+       /* Size of above array */
+       size_t peer_sigalgslen;
+       /* configured signature algorithms (can be NULL for default).
+        * sent in signature algorithms extension or certificate request.
+        */
+       unsigned char *conf_sigalgs;

        /* Size of above array */
        /* Size of above array */

-       size_t sigalgslen;
-       /* Certificate setup callback: if set is called whenever a
-        * certificate may be required (client or server). the callback
-        * can then examine any appropriate parameters and setup any
-        * certificates required. This allows advanced applications
-        * to select certificates on the fly: for example based on
-        * supported signature algorithms or curves.
+       size_t conf_sigalgslen;
+       /* Signature algorithms shared by client and server: cached
+        * because these are used most often

         */
         */

-       int (*cert_cb)(SSL *ssl, void *arg);
-       void *cert_cb_arg;
+       TLS_SIGALGS *shared_sigalgs;
+       size_t shared_sigalgslen;

 
        int references; /* >1 only if SSL_copy_session_id is used */
        } CERT;
 
        int references; /* >1 only if SSL_copy_session_id is used */
        } CERT;


@@ -602,8 +630,8 @@ typedef struct ssl3_enc_method
        int (*export_keying_material)(SSL *, unsigned char *, size_t,
                                      const char *, size_t,
                                      const unsigned char *, size_t,
        int (*export_keying_material)(SSL *, unsigned char *, size_t,
                                      const char *, size_t,
                                      const unsigned char *, size_t,

-                                     int use_context);
-       } SSL3_ENC_METHOD;
+                                     int use_context);
+       } SSL3_ENC_METHOD;

 
 #ifndef OPENSSL_NO_COMP
 /* Used for holding the relevant compression methods loaded into SSL_CTX */
 
 #ifndef OPENSSL_NO_COMP
 /* Used for holding the relevant compression methods loaded into SSL_CTX */


@@ -830,6 +858,7 @@ void ssl_clear_cipher_ctx(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
 CERT *ssl_cert_dup(CERT *cert);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
 CERT *ssl_cert_dup(CERT *cert);

+void ssl_cert_set_default_md(CERT *cert);

 int ssl_cert_inst(CERT **o);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
 int ssl_cert_inst(CERT **o);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);


@@ -859,7 +888,6 @@ int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
 int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
 int ssl_cert_add0_chain_cert(CERT *c, X509 *x);
 int ssl_cert_add1_chain_cert(CERT *c, X509 *x);
 int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
 int ssl_cert_add0_chain_cert(CERT *c, X509 *x);
 int ssl_cert_add1_chain_cert(CERT *c, X509 *x);

-void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg);

 
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);


@@ -867,6 +895,7 @@ int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
 CERT_PKEY *ssl_get_server_send_pkey(SSL *);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
 CERT_PKEY *ssl_get_server_send_pkey(SSL *);

+unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length);

 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);


@@ -1120,7 +1149,6 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
                        int *curves, size_t ncurves);
 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
                                const char *str);
                        int *curves, size_t ncurves);
 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
                                const char *str);

-int tls1_check_ec_server_key(SSL *s);

 int tls1_check_ec_tmp_key(SSL *s);
 #endif /* OPENSSL_NO_EC */
 
 int tls1_check_ec_tmp_key(SSL *s);
 #endif /* OPENSSL_NO_EC */
 


@@ -1132,11 +1160,14 @@ int tls1_shared_list(SSL *s,
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);

-int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);

 int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);
 int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);

-int ssl_check_clienthello_tlsext(SSL *s);
-int ssl_check_serverhello_tlsext(SSL *s);
+
+/* server only */
+int tls1_send_server_supplemental_data(SSL *s);
+/* client only */
+int tls1_get_server_supplemental_data(SSL *s);

 
 #ifndef OPENSSL_NO_HEARTBEATS
 int tls1_heartbeat(SSL *s);
 
 #ifndef OPENSSL_NO_HEARTBEATS
 int tls1_heartbeat(SSL *s);


@@ -1158,6 +1189,12 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
 int tls12_get_sigid(const EVP_PKEY *pk);
 const EVP_MD *tls12_get_hash(unsigned char hash_alg);
 
 int tls12_get_sigid(const EVP_PKEY *pk);
 const EVP_MD *tls12_get_hash(unsigned char hash_alg);
 

+int tls1_set_sigalgs_list(CERT *c, const char *str);
+int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen);
+int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
+                                                               int idx);
+void tls1_set_cert_validity(SSL *s);
+

 #endif
 EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
 void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
 #endif
 EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
 void ssl_clear_hash_ctx(EVP_MD_CTX **hash);


@@ -1171,7 +1208,7 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
                                          int *al);
 long ssl_get_algorithm2(SSL *s);
 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
                                          int *al);
 long ssl_get_algorithm2(SSL *s);
 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);

-int tls12_get_req_sig_algs(SSL *s, unsigned char *p);
+size_t tls12_get_sig_algs(SSL *s, unsigned char *p);

 
 int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
 int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
 
 int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
 int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);