X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl.h;h=92840cdb663fb98de5c2d9b0950befe7d13ebe56;hp=2964111a5336f428d32bd50e2c41bbaf48451260;hb=19eedffcafe5e703f28e015bad417bc50266c19b;hpb=fe9ce2b7d663ee791ba6aebd8c236ba89076e824 diff --git a/ssl/ssl.h b/ssl/ssl.h index 2964111a53..92840cdb66 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -536,11 +536,18 @@ struct ssl_session_st #endif /* OPENSSL_NO_EC */ /* RFC4507 info */ unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ + size_t tlsext_ticklen; /* Session ticket length */ long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ #endif #ifndef OPENSSL_NO_SRP char *srp_username; +#endif +#ifndef OPENSSL_NO_TLSEXT + /* Used by client: the proof for this session. + * We store it outside the sess_cert structure, since the proof + * is received before the certificate. */ + unsigned char *audit_proof; + size_t audit_proof_length; #endif }; @@ -557,7 +564,6 @@ struct ssl_session_st #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L -#define SSL_OP_NO_TLSv1_1 0x00000400L /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) @@ -605,6 +611,7 @@ struct ssl_session_st #define SSL_OP_NO_SSLv3 0x02000000L #define SSL_OP_NO_TLSv1 0x04000000L #define SSL_OP_NO_TLSv1_2 0x08000000L +#define SSL_OP_NO_TLSv1_1 0x10000000L /* These next two were never actually used for anything since SSLeay * zap so we have some more flags. @@ -972,7 +979,7 @@ struct ssl_ctx_st void *next_proto_select_cb_arg; # endif /* SRTP profiles we are willing to do from RFC 5764 */ - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; + STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; # ifndef OPENSSL_NO_EC /* EC extension values inherited by SSL structure */ size_t tlsext_ecpointformatlist_length; @@ -980,6 +987,8 @@ struct ssl_ctx_st size_t tlsext_ellipticcurvelist_length; unsigned char *tlsext_ellipticcurvelist; # endif /* OPENSSL_NO_EC */ + int (*tlsext_authz_server_audit_proof_cb)(SSL *s, void *arg); + void *tlsext_authz_server_audit_proof_cb_arg; #endif }; @@ -1599,7 +1608,10 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86 #define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87 #endif -#endif +/* Callback for verifying audit proofs (client only) */ +#define SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB 95 +#define SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG 96 +#endif /* OPENSSL_NO_TLSEXT */ #define DTLS_CTRL_GET_TIMEOUT 73 #define DTLS_CTRL_HANDLE_TIMEOUT 74 @@ -1758,6 +1770,11 @@ int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len); int SSL_use_certificate(SSL *ssl, X509 *x); int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); +#ifndef OPENSSL_NO_TLSEXT +int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz, size_t authz_length); +int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length); +#endif + #ifndef OPENSSL_NO_STDIO int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); @@ -1802,6 +1819,10 @@ int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses); #ifndef OPENSSL_NO_BIO int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses); #endif +#ifndef OPENSSL_NO_TLSEXT +unsigned char *SSL_SESSION_get_tlsext_authz_server_audit_proof(SSL_SESSION *s, + size_t *proof_length); +#endif void SSL_SESSION_free(SSL_SESSION *ses); int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); int SSL_set_session(SSL *to, SSL_SESSION *session); @@ -2099,6 +2120,7 @@ void ERR_load_SSL_strings(void); /* Error codes for the SSL functions. */ /* Function codes. */ +#define SSL_F_AUTHZ_VALIDATE 323 #define SSL_F_CLIENT_CERTIFICATE 100 #define SSL_F_CLIENT_FINISHED 167 #define SSL_F_CLIENT_HELLO 101 @@ -2244,6 +2266,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219 #define SSL_F_SSL_CTX_SET_SSL_VERSION 170 #define SSL_F_SSL_CTX_SET_TRUST 229 +#define SSL_F_SSL_CTX_USE_AUTHZ 324 #define SSL_F_SSL_CTX_USE_CERTIFICATE 171 #define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 #define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220 @@ -2258,6 +2281,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_DO_HANDSHAKE 180 #define SSL_F_SSL_GET_NEW_SESSION 181 #define SSL_F_SSL_GET_PREV_SESSION 217 +#define SSL_F_SSL_GET_SERVER_CERT_INDEX 322 #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 #define SSL_F_SSL_GET_SERVER_SEND_PKEY 319 #define SSL_F_SSL_GET_SIGN_PKEY 183 @@ -2282,6 +2306,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_SESSION_PRINT_FP 190 #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 #define SSL_F_SSL_SESS_CERT_NEW 225 +#define SSL_F_SSL_SET_AUTHZ 325 #define SSL_F_SSL_SET_CERT 191 #define SSL_F_SSL_SET_CIPHER_LIST 271 #define SSL_F_SSL_SET_FD 192 @@ -2298,6 +2323,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243 #define SSL_F_SSL_UNDEFINED_FUNCTION 197 #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244 +#define SSL_F_SSL_USE_AUTHZ 328 #define SSL_F_SSL_USE_CERTIFICATE 198 #define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 #define SSL_F_SSL_USE_CERTIFICATE_FILE 200 @@ -2315,16 +2341,19 @@ void ERR_load_SSL_strings(void); #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314 +#define SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA 326 #define SSL_F_TLS1_HEARTBEAT 315 #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275 #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276 #define SSL_F_TLS1_PRF 284 +#define SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA 327 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 +#define SSL_R_AUTHZ_DATA_TOO_LARGE 375 #define SSL_R_BAD_ALERT_RECORD 101 #define SSL_R_BAD_AUTHENTICATION_TYPE 102 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 @@ -2413,6 +2442,8 @@ void ERR_load_SSL_strings(void); #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 283 #define SSL_R_INCONSISTENT_COMPRESSION 340 +#define SSL_R_INVALID_AUDIT_PROOF 371 +#define SSL_R_INVALID_AUTHZ_DATA 374 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 @@ -2592,6 +2623,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNEXPECTED_RECORD 245 #define SSL_R_UNINITIALIZED 276 #define SSL_R_UNKNOWN_ALERT_TYPE 246 +#define SSL_R_UNKNOWN_AUTHZ_DATA_TYPE 372 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 #define SSL_R_UNKNOWN_CIPHER_RETURNED 248 #define SSL_R_UNKNOWN_CIPHER_TYPE 249 @@ -2602,6 +2634,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 #define SSL_R_UNKNOWN_SSL_VERSION 254 #define SSL_R_UNKNOWN_STATE 255 +#define SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE 373 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338 #define SSL_R_UNSUPPORTED_CIPHER 256 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257