# define SSL_GOST89MAC12 0x00000100U
# define SSL_GOST12_512 0x00000200U
-/* Bits for algorithm_ssl (protocol version) */
-# define SSL_SSLV3 0x00000002U
-# define SSL_TLSV1 0x00000004U
-# define SSL_TLSV1_2 0x00000008U
-
/*
* When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make
* sure to update this constant too
uint32_t algorithm_auth; /* server authentication */
uint32_t algorithm_enc; /* symmetric encryption */
uint32_t algorithm_mac; /* symmetric authentication */
- uint32_t algorithm_ssl; /* (major) protocol version */
+ int min_tls; /* minimum SSL/TLS protocol version */
+ int max_tls; /* maximum SSL/TLS protocol version */
+ int min_dtls; /* minimum DTLS protocol version */
+ int max_dtls; /* maximum DTLS protocol version */
uint32_t algo_strength; /* strength and export flags */
uint32_t algorithm2; /* Extra flags */
int32_t strength_bits; /* Number of bits really used */
char *srp_username;
# endif
uint32_t flags;
+ CRYPTO_RWLOCK *lock;
};
/* Extended master secret support */
/* Up to how many pipelines should we use? If 0 then 1 is assumed */
unsigned int max_pipelines;
+ /* The default read buffer length to use (0 means not set) */
+ size_t default_read_buf_len;
+
# ifndef OPENSSL_NO_ENGINE
/*
* Engine to pass requests for client certs to
size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist;
# endif /* OPENSSL_NO_EC */
+ CRYPTO_RWLOCK *lock;
};
/* Async Job info */
ASYNC_JOB *job;
ASYNC_WAIT_CTX *waitctx;
+
+ CRYPTO_RWLOCK *lock;
};
*/
uint32_t mask_k;
uint32_t mask_a;
- /* Client only */
- uint32_t mask_ssl;
+ /*
+ * The following are used by the client to see if a cipher is allowed or
+ * not. It contains the minimum and maximum version the client's using
+ * based on what it knows so far.
+ */
+ int min_ver;
+ int max_ver;
} tmp;
/* Connection binding to prevent renegotiation attacks */
* that the server selected once the ServerHello has been processed.
*/
unsigned char *alpn_selected;
- unsigned alpn_selected_len;
+ size_t alpn_selected_len;
+ /* used by the server to know what options were proposed */
+ unsigned char *alpn_proposed;
+ size_t alpn_proposed_len;
+ /* used by the client to know if it actually sent alpn */
+ int alpn_sent;
# ifndef OPENSSL_NO_EC
/*
custom_ext_methods cli_ext;
custom_ext_methods srv_ext;
/* Security callback */
- int (*sec_cb) (SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
+ int (*sec_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid,
void *other, void *ex);
/* Security level */
int sec_level;
char *psk_identity_hint;
#endif
int references; /* >1 only if SSL_copy_session_id is used */
+ CRYPTO_RWLOCK *lock;
} CERT;
/* Structure containing decoded values of signature algorithms extension */
extern SSL3_ENC_METHOD ssl3_undef_enc_method;
-SSL_METHOD *ssl_bad_method(int ver);
+__owur const SSL_METHOD *ssl_bad_method(int ver);
+__owur const SSL_METHOD *sslv3_method(void);
+__owur const SSL_METHOD *sslv3_server_method(void);
+__owur const SSL_METHOD *sslv3_client_method(void);
+__owur const SSL_METHOD *tlsv1_method(void);
+__owur const SSL_METHOD *tlsv1_server_method(void);
+__owur const SSL_METHOD *tlsv1_client_method(void);
+__owur const SSL_METHOD *tlsv1_1_method(void);
+__owur const SSL_METHOD *tlsv1_1_server_method(void);
+__owur const SSL_METHOD *tlsv1_1_client_method(void);
+__owur const SSL_METHOD *tlsv1_2_method(void);
+__owur const SSL_METHOD *tlsv1_2_server_method(void);
+__owur const SSL_METHOD *tlsv1_2_client_method(void);
+__owur const SSL_METHOD *dtlsv1_method(void);
+__owur const SSL_METHOD *dtlsv1_server_method(void);
+__owur const SSL_METHOD *dtlsv1_client_method(void);
+__owur const SSL_METHOD *dtlsv1_2_method(void);
+__owur const SSL_METHOD *dtlsv1_2_server_method(void);
+__owur const SSL_METHOD *dtlsv1_2_client_method(void);
extern const SSL3_ENC_METHOD TLSv1_enc_data;
extern const SSL3_ENC_METHOD TLSv1_1_enc_data;
ssl3_put_cipher_by_char, \
ssl3_pending, \
ssl3_num_ciphers, \
- dtls1_get_cipher, \
+ ssl3_get_cipher, \
s_get_meth, \
dtls1_default_timeout, \
&enc_data, \
# endif
};
+const char *ssl_protocol_to_string(int version);
+
# ifndef OPENSSL_UNIT_TEST
void ssl_clear_cipher_ctx(SSL *s);
__owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags);
__owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
-__owur int ssl_security(SSL *s, int op, int bits, int nid, void *other);
-__owur int ssl_ctx_security(SSL_CTX *ctx, int op, int bits, int nid, void *other);
+__owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
+__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other);
int ssl_undefined_function(SSL *s);
__owur int ssl_undefined_void_function(void);
__owur int ssl_set_version_bound(int method_version, int version, int *bound);
__owur int ssl_choose_server_version(SSL *s);
__owur int ssl_choose_client_version(SSL *s, int version);
+int ssl_get_client_min_max_version(const SSL *s, int *min_version, int *max_version);
__owur long tls1_default_timeout(void);
__owur int dtls1_do_write(SSL *s, int type);
__owur struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft);
__owur int dtls1_check_timeout_num(SSL *s);
__owur int dtls1_handle_timeout(SSL *s);
-__owur const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
void dtls1_start_timer(SSL *s);
void dtls1_stop_timer(SSL *s);
__owur int dtls1_is_timer_expired(SSL *s);