Newer
Older
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#ifndef HEADER_SSL_H
#define HEADER_SSL_H
#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
#endif
#ifndef OPENSSL_NO_BIO
#include <openssl/bio.h>
#endif
#ifndef OPENSSL_NO_X509
#include <openssl/x509.h>
#endif
#ifndef OPENSSL_NO_KRB5
Richard Levitte
committed
#include <openssl/kssl.h>
#endif
#include <openssl/safestack.h>
#include <openssl/symhacks.h>
#ifdef __cplusplus
extern "C" {
#endif
/* SSLeay version number for ASN.1 encoding of the session information */
/* Version 0 - initial version
* Version 1 - added the optional peer certificate
*/
#define SSL_SESSION_ASN1_VERSION 0x0001
/* text strings for the ciphers */
#define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5
#define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5
#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
#define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5
#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
#define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5
#define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5
#define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA
#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
Richard Levitte
committed
/* VRS Additional Kerberos5 entries
*/
#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
Richard Levitte
committed
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
#define SSL_MAX_KEY_ARG_LENGTH 8
#define SSL_MAX_MASTER_KEY_LENGTH 48
/* These are used to specify which ciphers to use and not to use */
#define SSL_TXT_LOW "LOW"
#define SSL_TXT_MEDIUM "MEDIUM"
#define SSL_TXT_HIGH "HIGH"
#define SSL_TXT_kFZA "kFZA"
#define SSL_TXT_aFZA "aFZA"
#define SSL_TXT_eFZA "eFZA"
#define SSL_TXT_FZA "FZA"
#define SSL_TXT_aNULL "aNULL"
#define SSL_TXT_eNULL "eNULL"
#define SSL_TXT_NULL "NULL"
Richard Levitte
committed
#define SSL_TXT_kKRB5 "kKRB5"
#define SSL_TXT_aKRB5 "aKRB5"
#define SSL_TXT_KRB5 "KRB5"
#define SSL_TXT_kRSA "kRSA"
#define SSL_TXT_kDHr "kDHr"
#define SSL_TXT_kDHd "kDHd"
#define SSL_TXT_kEDH "kEDH"
#define SSL_TXT_aRSA "aRSA"
#define SSL_TXT_aDSS "aDSS"
#define SSL_TXT_aDH "aDH"
#define SSL_TXT_DSS "DSS"
#define SSL_TXT_DH "DH"
#define SSL_TXT_EDH "EDH"
#define SSL_TXT_ADH "ADH"
#define SSL_TXT_RSA "RSA"
#define SSL_TXT_DES "DES"
#define SSL_TXT_3DES "3DES"
#define SSL_TXT_RC4 "RC4"
#define SSL_TXT_RC2 "RC2"
#define SSL_TXT_IDEA "IDEA"
#define SSL_TXT_MD5 "MD5"
#define SSL_TXT_SHA1 "SHA1"
#define SSL_TXT_SHA "SHA"
#define SSL_TXT_EXP "EXP"
#define SSL_TXT_EXPORT "EXPORT"
#define SSL_TXT_EXP40 "EXPORT40"
#define SSL_TXT_SSLV2 "SSLv2"
#define SSL_TXT_SSLV3 "SSLv3"
#define SSL_TXT_TLSV1 "TLSv1"
#define SSL_TXT_ALL "ALL"
/* 'DEFAULT' at the start of the cipher list insert the following string
* in addition to this being the default cipher string */
#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
#define SSL_SENT_SHUTDOWN 1
#define SSL_RECEIVED_SHUTDOWN 2
#ifdef __cplusplus
}
#endif
#include <openssl/crypto.h>
#include <openssl/lhash.h>
#include <openssl/buffer.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#ifdef __cplusplus
extern "C" {
#endif
#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
#define OPENSSL_NO_SSL2
#endif
#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
/* This is needed to stop compilers complaining about the
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
{
int valid;
unsigned long id; /* id, 4 bytes, first is version */
unsigned long algorithms; /* what ciphers are used */
unsigned long algo_strength; /* strength and export flags */
unsigned long algorithm2; /* Extra flags */
int strength_bits; /* Number of bits really used */
int alg_bits; /* Number of bits for algorithm */
unsigned long mask; /* used for matching */
unsigned long mask_strength; /* also used for matching */
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
int version;
int (*ssl_new)(SSL *s);
void (*ssl_clear)(SSL *s);
void (*ssl_free)(SSL *s);
int (*ssl_accept)(SSL *s);
int (*ssl_connect)(SSL *s);
int (*ssl_peek)(SSL *s,void *buf,int len);
int (*ssl_shutdown)(SSL *s);
int (*ssl_renegotiate)(SSL *s);
int (*ssl_renegotiate_check)(SSL *s);
long (*ssl_ctrl)(SSL *s,int cmd,long larg,char *parg);
long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,char *parg);
SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
int (*ssl_pending)(SSL *s);
int (*num_ciphers)(void);
SSL_CIPHER *(*get_cipher)(unsigned ncipher);
struct ssl_method_st *(*get_ssl_method)(int version);
long (*get_timeout)(void);
struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)());
long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)());
} SSL_METHOD;
/* Lets make this into an ASN.1 type structure as follows
* SSL_SESSION_ID ::= SEQUENCE {
* version INTEGER, -- structure version number
* SSLversion INTEGER, -- SSL version number
* Cipher OCTET_STRING, -- the 3 byte cipher ID
* Session_ID OCTET_STRING, -- the Session ID
* Master_key OCTET_STRING, -- the master key
* Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument
* Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
* Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
* Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
* Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context
* Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer'
* Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX
* }
* Look in ssl/ssl_asn1.c for more details
* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
*/
typedef struct ssl_session_st
{
int ssl_version; /* what ssl version session info is
* being kept in here? */
/* only really used in SSLv2 */
unsigned int key_arg_length;
unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
int master_key_length;
unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
/* session_id - valid? */
unsigned int session_id_length;
unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
/* this is used to determine whether the session is being reused in
* the appropriate context. It is up to the application to set this,
* via SSL_new */
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
#ifndef OPENSSL_NO_KRB5
unsigned int krb5_client_princ_len;
unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
#endif /* OPENSSL_NO_KRB5 */
int not_resumable;
/* The cert is the certificate used to establish this connection */
struct sess_cert_st /* SESS_CERT */ *sess_cert;
/* This is the cert for the other end.
* On clients, it will be the same as sess_cert->peer_key->x509
* (the latter is not enough as sess_cert is not retained
* in the external representation of sessions, see ssl_asn1.c). */
/* when app_verify_callback accepts a session where the peer's certificate
* is not ok, we must remember the error for session reuse: */
long verify_result; /* only for servers */
int references;
long timeout;
long time;
int compress_meth; /* Need to lookup the method */
SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this
* needs to be used to load
* the 'cipher' structure */
STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
CRYPTO_EX_DATA ex_data; /* application specific data */
/* These are used to make removal of session-ids more
* efficient and to implement a maximum cache size. */
struct ssl_session_st *prev,*next;
} SSL_SESSION;
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
/* Set to also use the tmp_rsa key when doing RSA operations. */
#define SSL_OP_EPHEMERAL_RSA 0x00200000L
Lutz Jänicke
committed
/* Set on servers to choose the cipher according to the server's
* preferences */
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
/* If set, a server will allow a client to issue a SSLv3.0 version number
* as latest version supported in the premaster secret, even when TLSv1.0
* (version 3.1) was announced in the client hello. Normally this is
* forbidden to prevent version rollback attacks. */
#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
/* The next flag deliberately changes the ciphertest, this is a check
* for the PKCS#1 attack */
#define SSL_OP_PKCS1_CHECK_1 0x08000000L
#define SSL_OP_PKCS1_CHECK_2 0x10000000L
#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
#define SSL_OP_ALL 0x000FFFFFL
#define SSL_OP_NO_SSLv2 0x01000000L
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
* when just a single record has been written): */
#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
/* Make it possible to retry SSL_write() with changed buffer location
* (buffer contents must stay the same!); this is not the default to avoid
* the misconception that non-blocking SSL_write() behaves like
* non-blocking write(): */
#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
/* Never bother the application with retries if the transport
* is blocking: */
#define SSL_MODE_AUTO_RETRY 0x00000004L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
#define SSL_CTX_set_options(ctx,op) \
SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL)
#define SSL_CTX_get_options(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
#define SSL_set_options(ssl,op) \
SSL_ctrl(ssl,SSL_CTRL_OPTIONS,op,NULL)
#define SSL_CTX_set_mode(ctx,op) \
SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,op,NULL)
#define SSL_CTX_get_mode(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,0,NULL)
#define SSL_set_mode(ssl,op) \
SSL_ctrl(ssl,SSL_CTRL_MODE,op,NULL)
#define SSL_get_mode(ssl) \
SSL_ctrl(ssl,SSL_CTRL_MODE,0,NULL)
#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
#else
#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
#endif
#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
* them. It is used to override the generation of SSL/TLS session IDs in a
* server. Return value should be zero on an error, non-zero to proceed. Also,
* callbacks should themselves check if the id they generate is unique otherwise
* the SSL handshake will fail with an error - callbacks can do this using the
* 'ssl' value they're passed by;
* SSL_has_matching_session_id(ssl, id, *id_len)
* The length value passed in is set at the maximum size the session ID can be.
* In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
* can alter this length to be less if desired, but under SSLv2 session IDs are
* supposed to be fixed at 16 bytes so the id will be padded after the callback
* returns in this case. It is also an error for the callback to set the size to
* zero. */
typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
unsigned int *id_len);
#ifndef OPENSSL_NO_COMP
{
SSL_METHOD *method;
unsigned long options;
unsigned long mode;
long max_cert_list;
/* same as above but sorted for lookup */
struct x509_store_st /* X509_STORE */ *cert_store;
struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSIONs */
/* Most session-ids that will be cached, default is
* SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
unsigned long session_cache_size;
struct ssl_session_st *session_cache_head;
struct ssl_session_st *session_cache_tail;
/* This can have one of 2 values, ored together,
* SSL_SESS_CACHE_CLIENT,
* SSL_SESS_CACHE_SERVER,
* Default is SSL_SESSION_CACHE_SERVER, which means only
* SSL_accept which cache SSL_SESSIONS. */
int session_cache_mode;
/* If timeout is not 0, it is the default timeout value set
* when SSL_new() is called. This has been put in to make
* life easier to set things up */
long session_timeout;
/* If this callback is not null, it will be called each
* time a session id is added to the cache. If this function
* returns 1, it means that the callback will do a
* SSL_SESSION_free() when it has finished using it. Otherwise,
* on 0, it means the callback has finished with it.
* If remove_session_cb is not null, it will be called when
* a session-id is removed from the cache. After the call,
* OpenSSL will SSL_SESSION_free() it. */
int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
unsigned char *data,int len,int *copy);
struct
{
int sess_connect; /* SSL new conn - started */
int sess_connect_renegotiate;/* SSL reneg - requested */
int sess_connect_good; /* SSL new conne/reneg - finished */
int sess_accept; /* SSL new accept - started */
int sess_accept_renegotiate;/* SSL reneg - requested */
int sess_accept_good; /* SSL accept/reneg - finished */
int sess_miss; /* session lookup misses */
int sess_timeout; /* reuse attempt on timeouted session */
int sess_cache_full; /* session removed due to full cache */
int sess_hit; /* session reuse actually done */
int sess_cb_hit; /* session-id that was not
* in the cache was
* passed back via the callback. This
* indicates that the application is
* supplying session-id's from other
* processes - spooky :-) */
} stats;
int references;
/* if defined, these override the X509_verify_cert() calls */
/**/ int (*app_verify_callback)();
/* default values to use in SSL structures */
/**/ struct cert_st /* CERT */ *cert;
/**/ int read_ahead;
/**/ int verify_mode;
/**/ int verify_depth;
/**/ unsigned int sid_ctx_length;
/**/ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
/**/ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
Dr. Stephen Henson
committed
int purpose; /* Purpose setting */
int trust; /* Trust setting */
/* Default generate session ID callback. */
GEN_SESSION_CB generate_session_id;
/* Default password callback. */
/**/ pem_password_cb *default_passwd_callback;
/* Default password callback user data. */
/**/ void *default_passwd_callback_userdata;
/* get client cert callback */
/**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
/* what we put in client cert requests */
CRYPTO_EX_DATA ex_data;
const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
STACK_OF(X509) *extra_certs;
STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
#define SSL_SESS_CACHE_OFF 0x0000
#define SSL_SESS_CACHE_CLIENT 0x0001
#define SSL_SESS_CACHE_SERVER 0x0002
#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
/* This one, when set, makes the server session-id lookup not look
* in the cache. If there is an application get_session callback
* defined, this will still get called. */
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
#define SSL_CTX_sess_number(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
#define SSL_CTX_sess_connect(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
#define SSL_CTX_sess_connect_good(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
#define SSL_CTX_sess_connect_renegotiate(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
#define SSL_CTX_sess_accept(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
#define SSL_CTX_sess_accept_renegotiate(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
#define SSL_CTX_sess_accept_good(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
#define SSL_CTX_sess_hits(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
#define SSL_CTX_sess_cb_hits(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
#define SSL_CTX_sess_misses(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
#define SSL_CTX_sess_timeouts(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
#define SSL_CTX_sess_cache_full(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
Ralf S. Engelschall
committed
#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb)
#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb))
#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb)
#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb))
#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback)
#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb))
#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb)
#define SSL_NOTHING 1
#define SSL_WRITING 2
#define SSL_READING 3
#define SSL_X509_LOOKUP 4
/* These will only be used when doing non-blocking IO */
#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
/* protocol version
* (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION)
*/
int version;
int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
SSL_METHOD *method; /* SSLv3 */
/* There are 2 BIO's even though they are normally both the
* same. This is so data can be read and written to different
* handlers */
#ifndef OPENSSL_NO_BIO
BIO *rbio; /* used by SSL_read */
BIO *wbio; /* used by SSL_write */
BIO *bbio; /* used during session-id reuse to concatenate
* messages */
#else
char *rbio; /* used by SSL_read */
char *wbio; /* used by SSL_write */
char *bbio;
#endif
/* This holds a variable that indicates what we were doing
* when a 0 or -1 is returned. This is needed for
* non-blocking IO so we know what request needs re-doing when
* in SSL_accept or SSL_connect */
int rwstate;
/* true when we are actually in SSL_accept() or SSL_connect() */
int in_handshake;
int (*handshake_func)();
/* Imagine that here's a boolean member "init" that is
* switched as soon as SSL_set_{accept/connect}_state
* is called for the first time, so that "state" and
* "handshake_func" are properly initialized. But as
* handshake_func is == 0 until then, we use this
* test instead of an "init" member.
*/
int server; /* are we the server side? - mostly used by SSL_clear*/
int new_session;/* 1 if we are to use a new session */
int quiet_shutdown;/* don't send shutdown packets */
int shutdown; /* we have shut things down, 0x01 sent, 0x02
* for received */
int state; /* where we are */
int rstate; /* where we are when reading */
BUF_MEM *init_buf; /* buffer used during init */
int init_num; /* amount read/written */
int init_off; /* amount read/written */
/* used internally to point at a raw packet */
unsigned char *packet;
unsigned int packet_length;
struct ssl2_state_st *s2; /* SSLv2 variables */
struct ssl3_state_st *s3; /* SSLv3 variables */
int read_ahead; /* Read as many input bytes as possible
* (for non-blocking reads) */
int hit; /* reusing a previous session */
Dr. Stephen Henson
committed
int purpose; /* Purpose setting */
int trust; /* Trust setting */
STACK_OF(SSL_CIPHER) *cipher_list;
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* These are the ones being used, the ones in SSL_SESSION are
* the ones to be 'copied' into these ones */
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
const EVP_MD *read_hash; /* used for mac generation */
#ifndef OPENSSL_NO_COMP
COMP_CTX *expand; /* uncompress */
#else
char *expand;
#endif
EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
const EVP_MD *write_hash; /* used for mac generation */
#ifndef OPENSSL_NO_COMP
COMP_CTX *compress; /* compression */
#else
char *compress;
#endif
/* session info */
/* client cert? */
/* This is used to hold the server certificate used */
struct cert_st /* CERT */ *cert;
/* the session_id_context is used to ensure sessions are only reused
* in the appropriate context */
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
/* This can also be in the session once a session is established */
SSL_SESSION *session;
/* Default generate session ID callback. */
GEN_SESSION_CB generate_session_id;
/* Used in SSL2 and SSL3 */
int verify_mode; /* 0 don't care about verify failure.
* 1 fail if verify fails */
int verify_depth;
int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
void (*info_callback)(); /* optional informational callback */
int error; /* error bytes to be written */
int error_code; /* actual code */
#ifndef OPENSSL_NO_KRB5
Richard Levitte
committed
KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
#endif /* OPENSSL_NO_KRB5 */
Richard Levitte
committed
SSL_CTX *ctx;
/* set this flag to 1 and a sleep(1) is put into all SSL_read()
* and SSL_write() calls, good for nbio debuging :-) */
int debug;
/* extra application data */
long verify_result;
CRYPTO_EX_DATA ex_data;
/* for server side, keep the list of CA_dn we can use */
unsigned long options; /* protocol behaviour */
unsigned long mode; /* API behaviour */
long max_cert_list;
int client_version; /* what was passed, used for
#ifdef __cplusplus
}
#endif
#include <openssl/ssl2.h>
#include <openssl/ssl3.h>
#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
#include <openssl/ssl23.h>
#ifdef __cplusplus
extern "C" {
#endif
#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
/* The following are the possible values for ssl->state are are
* used to indicate where we are up to in the SSL connection establishment.
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
* The macros that follow are about the only things you should need to use
* and even then, only when using non-blocking IO.
* It can also be useful to work out where you were when the connection
* failed */
#define SSL_ST_CONNECT 0x1000
#define SSL_ST_ACCEPT 0x2000
#define SSL_ST_MASK 0x0FFF
#define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT)
#define SSL_ST_BEFORE 0x4000
#define SSL_ST_OK 0x03
#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
#define SSL_CB_LOOP 0x01
#define SSL_CB_EXIT 0x02
#define SSL_CB_READ 0x04
#define SSL_CB_WRITE 0x08
#define SSL_CB_ALERT 0x4000 /* used in callback */
#define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE 0x20
/* Is the SSL_connection established? */
#define SSL_get_state(a) SSL_state(a)
#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT)
#define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE)
#define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT)
#define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT)
/* The following 2 states are kept in ssl->rstate when reads fail,
* you should not need these */
#define SSL_ST_READ_HEADER 0xF0
#define SSL_ST_READ_BODY 0xF1
#define SSL_ST_READ_DONE 0xF2
/* Obtain latest Finished message
* -- that we sent (SSL_get_finished)
* -- that we expected from peer (SSL_get_peer_finished).
* Returns length (0 == no Finished so far), copies up to 'count' bytes. */
size_t SSL_get_finished(SSL *s, void *buf, size_t count);
size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
* are 'ored' with SSL_VERIFY_PEER if they are desired */
#define SSL_VERIFY_NONE 0x00
#define SSL_VERIFY_PEER 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE 0x04
#define OpenSSL_add_ssl_algorithms() SSL_library_init()
#define SSLeay_add_ssl_algorithms() SSL_library_init()
#if 0 /* NEW_SSLEAY */
#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
#define SSL_add_session(a,b) SSL_CTX_add_session((a),(b))
#define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
#define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
#endif
#define SSL_get_cipher(s) \
SSL_CIPHER_get_name(SSL_get_current_cipher(s))
#define SSL_get_cipher_bits(s,np) \
SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
#define SSL_get_cipher_version(s) \
SSL_CIPHER_get_version(SSL_get_current_cipher(s))
#define SSL_get_cipher_name(s) \
SSL_CIPHER_get_name(SSL_get_current_cipher(s))
#define SSL_get_time(a) SSL_SESSION_get_time(a)
#define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
#define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
#if 1 /*SSLEAY_MACROS*/
#define d2i_SSL_SESSION_bio(bp,s_id) (SSL_SESSION *)ASN1_d2i_bio( \
(char *(*)())SSL_SESSION_new,(char *(*)())d2i_SSL_SESSION, \
(bp),(unsigned char **)(s_id))
#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio(i2d_SSL_SESSION, \
bp,(unsigned char *)s_id)
#define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \
(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u)
#define PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \
(char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u)
#define PEM_write_SSL_SESSION(fp,x) \
PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \
PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL)
#define PEM_write_bio_SSL_SESSION(bp,x) \
PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \
PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL)
#define SSL_AD_REASON_OFFSET 1000
/* These alert types are for SSLv3 and TLSv1 */
#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */
#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */
#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */
#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */
#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */
#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */
#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
#define SSL_ERROR_WANT_READ 2
#define SSL_ERROR_WANT_WRITE 3
#define SSL_ERROR_WANT_X509_LOOKUP 4
#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
#define SSL_ERROR_ZERO_RETURN 6
#define SSL_ERROR_WANT_CONNECT 7
#define SSL_ERROR_WANT_ACCEPT 8
#define SSL_CTRL_NEED_TMP_RSA 1
#define SSL_CTRL_SET_TMP_RSA 2
#define SSL_CTRL_SET_TMP_DH 3
#define SSL_CTRL_SET_TMP_RSA_CB 4
#define SSL_CTRL_SET_TMP_DH_CB 5
/* Add these ones */
#define SSL_CTRL_GET_SESSION_REUSED 6
#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 7
#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8
#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9
#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10
#define SSL_CTRL_GET_FLAGS 11
#define SSL_CTRL_EXTRA_CHAIN_CERT 12
/* Stats */
#define SSL_CTRL_SESS_NUMBER 20
#define SSL_CTRL_SESS_CONNECT 21
#define SSL_CTRL_SESS_CONNECT_GOOD 22
#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
#define SSL_CTRL_SESS_ACCEPT 24
#define SSL_CTRL_SESS_ACCEPT_GOOD 25
#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
#define SSL_CTRL_SESS_HIT 27
#define SSL_CTRL_SESS_CB_HIT 28
#define SSL_CTRL_SESS_MISSES 29
#define SSL_CTRL_SESS_TIMEOUTS 30
#define SSL_CTRL_SESS_CACHE_FULL 31
#define SSL_CTRL_OPTIONS 32
#define SSL_CTRL_MODE 33
#define SSL_CTRL_GET_READ_AHEAD 40
#define SSL_CTRL_SET_READ_AHEAD 41
#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
#define SSL_CTRL_SET_SESS_CACHE_MODE 44
#define SSL_CTRL_GET_SESS_CACHE_MODE 45
#define SSL_CTRL_GET_MAX_CERT_LIST 50
#define SSL_CTRL_SET_MAX_CERT_LIST 51
#define SSL_session_reused(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
#define SSL_num_renegotiations(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
#define SSL_clear_num_renegotiations(ssl) \
SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
#define SSL_total_renegotiations(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
#define SSL_CTX_need_tmp_RSA(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
#define SSL_CTX_set_tmp_dh(ctx,dh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
Ralf S. Engelschall
committed
#define SSL_need_tmp_RSA(ssl) \
SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
#define SSL_set_tmp_rsa(ssl,rsa) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
#define SSL_set_tmp_dh(ssl,dh) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
#ifndef OPENSSL_NO_BIO
BIO_METHOD *BIO_f_ssl(void);
BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
int BIO_ssl_copy_session_id(BIO *to,BIO *from);
void BIO_ssl_shutdown(BIO *ssl_bio);
#endif
int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
void SSL_CTX_free(SSL_CTX *);
long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
long SSL_CTX_get_timeout(SSL_CTX *ctx);
X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
int SSL_want(SSL *s);
int SSL_clear(SSL *s);
void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
SSL_CIPHER *SSL_get_current_cipher(SSL *s);
int SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
char * SSL_CIPHER_get_version(SSL_CIPHER *c);
int SSL_get_fd(SSL *s);
int SSL_get_rfd(SSL *s);
int SSL_get_wfd(SSL *s);
char * SSL_get_shared_ciphers(SSL *s, char *buf, int len);
int SSL_get_read_ahead(SSL * s);
int SSL_pending(SSL *s);