X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl3.h;h=74274771ff8aab39f17faee8974b314932114136;hp=ea0c8542dbe975ac46f59101df1df00aa49dd799;hb=be681e123c3582f7bef18ed41b5ffa4793e8c4f7;hpb=7409d7ad517650db332ae528915a570e4e0ab88b diff --git a/ssl/ssl3.h b/ssl/ssl3.h index ea0c8542db..74274771ff 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -322,6 +322,7 @@ extern "C" { #define SSL3_RT_ALERT 21 #define SSL3_RT_HANDSHAKE 22 #define SSL3_RT_APPLICATION_DATA 23 +#define TLS1_RT_HEARTBEAT 24 #define SSL3_AL_WARNING 1 #define SSL3_AL_FATAL 2 @@ -339,6 +340,9 @@ extern "C" { #define SSL3_AD_CERTIFICATE_UNKNOWN 46 #define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */ +#define TLS1_HB_REQUEST 1 +#define TLS1_HB_RESPONSE 2 + #ifndef OPENSSL_NO_SSL_INTERN typedef struct ssl3_record_st @@ -383,6 +387,18 @@ typedef struct ssl3_buffer_st #define SSL3_FLAGS_POP_BUFFER 0x0004 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 +#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 + +/* SSL3_FLAGS_SGC_RESTART_DONE is set when we + * restart a handshake because of MS SGC and so prevents us + * from restarting the handshake in a loop. It's reset on a + * renegotiation, so effectively limits the client to one restart + * per negotiation. This limits the possibility of a DDoS + * attack where the client handshakes in a loop using SGC to + * restart. Servers which permit renegotiation can still be + * effected, but we can't prevent that. + */ +#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040 #ifndef OPENSSL_NO_SSL_INTERN @@ -461,12 +477,6 @@ typedef struct ssl3_state_st void *server_opaque_prf_input; size_t server_opaque_prf_input_len; -#ifndef OPENSSL_NO_NEXTPROTONEG - /* Set if we saw the Next Protocol Negotiation extension from - our peer. */ - int next_proto_neg_seen; -#endif - struct { /* actually only needs to be 16+20 */ unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2]; @@ -524,6 +534,27 @@ typedef struct ssl3_state_st unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; unsigned char previous_server_finished_len; int send_connection_binding; /* TODOEKR */ + +#ifndef OPENSSL_NO_NEXTPROTONEG + /* Set if we saw the Next Protocol Negotiation extension from our peer. */ + int next_proto_neg_seen; +#endif + +#ifndef OPENSSL_NO_TLSEXT + /* tlsext_authz_client_types contains an array of supported authz + * types, as advertised by the client. The array is sorted and + * does not contain any duplicates. */ + unsigned char *tlsext_authz_client_types; + size_t tlsext_authz_client_types_len; + /* tlsext_authz_promised_to_client is true iff we're a server and we + * echoed the client's supplemental data extension and therefore must + * send a supplemental data handshake message. */ + char tlsext_authz_promised_to_client; + /* tlsext_authz_server_promised is true iff we're a client and the + * server echoed our server_authz extension and therefore must send us + * a supplemental data handshake message. */ + char tlsext_authz_server_promised; +#endif } SSL3_STATE; #endif @@ -532,6 +563,10 @@ typedef struct ssl3_state_st /*client */ /* extra state */ #define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT) +#ifndef OPENSSL_NO_SCTP +#define DTLS1_SCTP_ST_CW_WRITE_SOCK (0x310|SSL_ST_CONNECT) +#define DTLS1_SCTP_ST_CR_READ_SOCK (0x320|SSL_ST_CONNECT) +#endif /* write to server */ #define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT) #define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT) @@ -548,6 +583,8 @@ typedef struct ssl3_state_st #define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT) #define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT) #define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT) +#define SSL3_ST_CR_SUPPLEMENTAL_DATA_A (0x210|SSL_ST_CONNECT) +#define SSL3_ST_CR_SUPPLEMENTAL_DATA_B (0x211|SSL_ST_CONNECT) /* write to server */ #define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT) #define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT) @@ -578,13 +615,15 @@ typedef struct ssl3_state_st /* server */ /* extra state */ #define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT) +#ifndef OPENSSL_NO_SCTP +#define DTLS1_SCTP_ST_SW_WRITE_SOCK (0x310|SSL_ST_ACCEPT) +#define DTLS1_SCTP_ST_SR_READ_SOCK (0x320|SSL_ST_ACCEPT) +#endif /* read from client */ /* Do not change the number values, they do matter */ #define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT) #define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT) #define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT) -/* a new state to remember that we have already receive a ClientHello without srp username extension */ -#define SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME (0x1E2|SSL_ST_ACCEPT) /* write to client */ #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT) #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT) @@ -625,6 +664,8 @@ typedef struct ssl3_state_st #define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT) #define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT) #define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT) +#define SSL3_ST_SW_SUPPLEMENTAL_DATA_A (0x220|SSL_ST_ACCEPT) +#define SSL3_ST_SW_SUPPLEMENTAL_DATA_B (0x221|SSL_ST_ACCEPT) #define SSL3_MT_HELLO_REQUEST 0 #define SSL3_MT_CLIENT_HELLO 1 @@ -638,6 +679,7 @@ typedef struct ssl3_state_st #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 #define SSL3_MT_FINISHED 20 #define SSL3_MT_CERTIFICATE_STATUS 22 +#define SSL3_MT_SUPPLEMENTAL_DATA 23 #ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_MT_NEXT_PROTO 67 #endif @@ -660,4 +702,3 @@ typedef struct ssl3_state_st } #endif #endif -