X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_locl.h;h=75128751c9b97bcfa7621840ccc18838050e3277;hp=91169da52371b9216d230044a3b0d739b5eb4d67;hb=9f27b1eec3175305e62eed87faa80e231f319ca0;hpb=d0595f170c225b918a980f49c5d16ec53545a6ad diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 91169da523..75128751c9 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -466,6 +466,14 @@ #define NAMED_CURVE_TYPE 3 #endif /* OPENSSL_NO_EC */ +/* Values for valid_flags in CERT_PKEY structure */ +/* Certificate inconsistent with session, key missing etc */ +#define CERT_PKEY_INVALID 0x0 +/* Certificate can be used with this sesstion */ +#define CERT_PKEY_VALID 0x1 +/* Certificate can also be used for signing */ +#define CERT_PKEY_SIGN 0x2 + typedef struct cert_pkey_st { X509 *x509; @@ -474,6 +482,20 @@ typedef struct cert_pkey_st const EVP_MD *digest; /* Chain for this certificate */ STACK_OF(X509) *chain; +#ifndef OPENSSL_NO_TLSEXT + /* authz/authz_length contain authz data for this certificate. The data + * is in wire format, specifically it's a series of records like: + * uint8_t authz_type; // (RFC 5878, AuthzDataFormat) + * uint16_t length; + * uint8_t data[length]; */ + unsigned char *authz; + size_t authz_length; +#endif + /* Set if CERT_PKEY can be used with current SSL session: e.g. + * appropriate curve, signature algorithms etc. If zero it can't be + * used at all. + */ + int valid_flags; } CERT_PKEY; typedef struct cert_st @@ -502,14 +524,59 @@ typedef struct cert_st EC_KEY *ecdh_tmp; /* Callback for generating ephemeral ECDH keys */ EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize); + /* Select ECDH parameters automatically */ + int ecdh_tmp_auto; #endif - + /* Flags related to certificates */ + unsigned int cert_flags; CERT_PKEY pkeys[SSL_PKEY_NUM]; - /* Array of pairs of NIDs for signature algorithm extension */ - TLS_SIGALGS *sigalgs; + /* Certificate types (received or sent) in certificate request + * message. On receive this is only set if number of certificate + * types exceeds SSL3_CT_NUMBER. + */ + unsigned char *ctypes; + size_t ctype_num; + + /* signature algorithms peer reports: e.g. supported signature + * algorithms extension for server or as part of a certificate + * request for client. + */ + unsigned char *peer_sigalgs; /* Size of above array */ - size_t sigalgslen; + size_t peer_sigalgslen; + /* suppported signature algorithms. + * When set on a client this is sent in the client hello as the + * supported signature algorithms extension. For servers + * it represents the signature algorithms we are willing to use. + */ + unsigned char *conf_sigalgs; + /* Size of above array */ + size_t conf_sigalgslen; + /* Client authentication signature algorithms, if not set then + * uses conf_sigalgs. On servers these will be the signature + * algorithms sent to the client in a cerificate request for TLS 1.2. + * On a client this represents the signature algortithms we are + * willing to use for client authentication. + */ + unsigned char *client_sigalgs; + /* Size of above array */ + size_t client_sigalgslen; + /* Signature algorithms shared by client and server: cached + * because these are used most often. + */ + TLS_SIGALGS *shared_sigalgs; + size_t shared_sigalgslen; + + /* Certificate setup callback: if set is called whenever a + * certificate may be required (client or server). the callback + * can then examine any appropriate parameters and setup any + * certificates required. This allows advanced applications + * to select certificates on the fly: for example based on + * supported signature algorithms or curves. + */ + int (*cert_cb)(SSL *ssl, void *arg); + void *cert_cb_arg; int references; /* >1 only if SSL_copy_session_id is used */ } CERT; @@ -591,8 +658,8 @@ typedef struct ssl3_enc_method int (*export_keying_material)(SSL *, unsigned char *, size_t, const char *, size_t, const unsigned char *, size_t, - int use_context); - } SSL3_ENC_METHOD; + int use_context); + } SSL3_ENC_METHOD; #ifndef OPENSSL_NO_COMP /* Used for holding the relevant compression methods loaded into SSL_CTX */ @@ -819,7 +886,9 @@ void ssl_clear_cipher_ctx(SSL *s); int ssl_clear_bad_session(SSL *s); CERT *ssl_cert_new(void); CERT *ssl_cert_dup(CERT *cert); +void ssl_cert_set_default_md(CERT *cert); int ssl_cert_inst(CERT **o); +void ssl_cert_clear_certs(CERT *c); void ssl_cert_free(CERT *c); SESS_CERT *ssl_sess_cert_new(void); void ssl_sess_cert_free(SESS_CERT *sc); @@ -847,6 +916,7 @@ int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain); int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain); int ssl_cert_add0_chain_cert(CERT *c, X509 *x); int ssl_cert_add1_chain_cert(CERT *c, X509 *x); +void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg); int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l); @@ -854,6 +924,7 @@ int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); CERT_PKEY *ssl_get_server_send_pkey(SSL *); +unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length); EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); @@ -1107,6 +1178,7 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen, int *curves, size_t ncurves); int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str); +int tls1_check_ec_tmp_key(SSL *s); #endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_TLSEXT @@ -1116,12 +1188,15 @@ int tls1_shared_list(SSL *s, int nmatch); unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); -int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); -int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n); +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n); int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s); -int ssl_check_clienthello_tlsext(SSL *s); -int ssl_check_serverhello_tlsext(SSL *s); + +/* server only */ +int tls1_send_server_supplemental_data(SSL *s); +/* client only */ +int tls1_get_server_supplemental_data(SSL *s); #ifndef OPENSSL_NO_HEARTBEATS int tls1_heartbeat(SSL *s); @@ -1143,6 +1218,12 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, int tls12_get_sigid(const EVP_PKEY *pk); const EVP_MD *tls12_get_hash(unsigned char hash_alg); +int tls1_set_sigalgs_list(CERT *c, const char *str, int client); +int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, int client); +int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, + int idx); +void tls1_set_cert_validity(SSL *s); + #endif EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ; void ssl_clear_hash_ctx(EVP_MD_CTX **hash); @@ -1156,7 +1237,7 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, int *al); long ssl_get_algorithm2(SSL *s); int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize); -int tls12_get_req_sig_algs(SSL *s, unsigned char *p); +size_t tls12_get_sig_algs(SSL *s, unsigned char *p); int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);