* Hudson (tjh@cryptsoft.com).
*
*/
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+ */
#ifndef HEADER_SSL_H
#define HEADER_SSL_H
/* VRS Additional Kerberos5 entries
*/
+#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
+#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
+#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
+#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
+#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
+#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
+#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
+#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
+
+#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
+#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
+#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
+#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
+#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
+#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
+
#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
#define SSL_TXT_SSLV3 "SSLv3"
#define SSL_TXT_TLSV1 "TLSv1"
#define SSL_TXT_ALL "ALL"
+#define SSL_TXT_ECC "ECCdraft" /* ECC ciphersuites are not yet official */
+
+/*
+ * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
+ * ciphers normally not being used.
+ * Example: "RC4" will activate all ciphers using RC4 including ciphers
+ * without authentication, which would normally disabled by DEFAULT (due
+ * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
+ * will make sure that it is also disabled in the specific selection.
+ * COMPLEMENTOF* identifiers are portable between version, as adjustments
+ * to the default cipher setup will also be included here.
+ *
+ * COMPLEMENTOFDEFAULT does not experience the same special treatment that
+ * DEFAULT gets, as only selection is being done and no sorting as needed
+ * for DEFAULT.
+ */
+#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
+#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
/* The following cipher list is used by default.
* It also is substituted when an application-defined cipher list string
#include <openssl/crypto.h>
#include <openssl/lhash.h>
#include <openssl/buffer.h>
-#include <openssl/bio.h>
#include <openssl/pem.h>
-#include <openssl/x509.h>
#ifdef __cplusplus
extern "C" {
/* As server, disallow session resumption on renegotiation */
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
+/* If set, always create a new key when using tmp_ecdh parameters */
+#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
/* Set to always use the tmp_rsa key when doing RSA operations,
/* Never bother the application with retries if the transport
* is blocking: */
#define SSL_MODE_AUTO_RETRY 0x00000004L
+/* Don't attempt to automatically build certificate chain */
+#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
typedef struct ssl_comp_st
{
int id;
- char *name;
+ const char *name;
#ifndef OPENSSL_NO_COMP
COMP_METHOD *method;
#else
#define SSL_SESS_CACHE_SERVER 0x0002
#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
-/* This one, when set, makes the server session-id lookup not look
- * in the cache. If there is an application get_session callback
- * defined, this will still get called. */
+/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
+#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
+#define SSL_SESS_CACHE_NO_INTERNAL \
+ (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
#define SSL_CTX_sess_number(ctx) \
#define SSL_CTRL_NEED_TMP_RSA 1
#define SSL_CTRL_SET_TMP_RSA 2
#define SSL_CTRL_SET_TMP_DH 3
-#define SSL_CTRL_SET_TMP_RSA_CB 4
-#define SSL_CTRL_SET_TMP_DH_CB 5
-
-#define SSL_CTRL_GET_SESSION_REUSED 6
-#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 7
-#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8
-#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9
-#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10
-#define SSL_CTRL_GET_FLAGS 11
-#define SSL_CTRL_EXTRA_CHAIN_CERT 12
-
-#define SSL_CTRL_SET_MSG_CALLBACK 13
-#define SSL_CTRL_SET_MSG_CALLBACK_ARG 14
+#define SSL_CTRL_SET_TMP_ECDH 4
+#define SSL_CTRL_SET_TMP_RSA_CB 5
+#define SSL_CTRL_SET_TMP_DH_CB 6
+#define SSL_CTRL_SET_TMP_ECDH_CB 7
+
+#define SSL_CTRL_GET_SESSION_REUSED 8
+#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
+#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
+#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
+#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
+#define SSL_CTRL_GET_FLAGS 13
+#define SSL_CTRL_EXTRA_CHAIN_CERT 14
+
+#define SSL_CTRL_SET_MSG_CALLBACK 15
+#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
/* Stats */
#define SSL_CTRL_SESS_NUMBER 20
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
#define SSL_CTX_set_tmp_dh(ctx,dh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
+#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
#define SSL_need_tmp_RSA(ssl) \
SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
#define SSL_set_tmp_dh(ssl,dh) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
+#define SSL_set_tmp_ecdh(ssl,ecdh) \
+ SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
char * SSL_CIPHER_get_version(SSL_CIPHER *c);
const char * SSL_CIPHER_get_name(SSL_CIPHER *c);
+const COMP_METHOD *SSL_get_current_compression(SSL *s);
+const COMP_METHOD *SSL_get_current_expansion(SSL *s);
+const char *SSL_COMP_get_name(const COMP_METHOD *comp);
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+
int SSL_get_fd(SSL *s);
int SSL_get_rfd(SSL *s);
int SSL_get_wfd(SSL *s);
#endif
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
-int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
+int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len);
int SSL_use_certificate(SSL *ssl, X509 *x);
-int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
+int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
#ifndef OPENSSL_NO_STDIO
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *file);
-#ifndef OPENSSL_SYS_WIN32
#ifndef OPENSSL_SYS_VMS
#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *dir);
#endif
#endif
-#endif
#endif
SSL_SESSION *SSL_SESSION_new(void);
unsigned long SSL_SESSION_hash(SSL_SESSION *a);
int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
+const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len);
#ifndef OPENSSL_NO_FP_API
int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
#endif
#ifndef OPENSSL_NO_RSA
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
#endif
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx,
- unsigned char *d, long len);
+ const unsigned char *d, long len);
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
const char *SSL_alert_desc_string_long(int value);
const char *SSL_alert_desc_string(int value);
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
int SSL_add_client_CA(SSL *ssl,X509 *x);
DH *(*dh)(SSL *ssl,int is_export,
int keylength));
#endif
+#ifndef OPENSSL_NO_ECDH
+void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
+ EC_KEY *(*ecdh)(SSL *ssl,int is_export,
+ int keylength));
+void SSL_set_tmp_ecdh_callback(SSL *ssl,
+ EC_KEY *(*ecdh)(SSL *ssl,int is_export,
+ int keylength));
+#endif
#ifndef OPENSSL_NO_COMP
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_method(void);
int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
#else
+void *SSL_COMP_get_compression_method(void);
int SSL_COMP_add_compression_method(int id,char *cm);
#endif
/* Function codes. */
#define SSL_F_CLIENT_CERTIFICATE 100
+#define SSL_F_CLIENT_FINISHED 238
#define SSL_F_CLIENT_HELLO 101
#define SSL_F_CLIENT_MASTER_KEY 102
#define SSL_F_D2I_SSL_SESSION 103
#define SSL_F_I2D_SSL_SESSION 111
#define SSL_F_READ_N 112
#define SSL_F_REQUEST_CERTIFICATE 113
+#define SSL_F_SERVER_FINISH 239
#define SSL_F_SERVER_HELLO 114
+#define SSL_F_SERVER_VERIFY 240
#define SSL_F_SSL23_ACCEPT 115
#define SSL_F_SSL23_CLIENT_HELLO 116
#define SSL_F_SSL23_CONNECT 117
#define SSL_F_SSL2_ACCEPT 122
#define SSL_F_SSL2_CONNECT 123
#define SSL_F_SSL2_ENC_INIT 124
+#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241
#define SSL_F_SSL2_PEEK 234
#define SSL_F_SSL2_READ 125
#define SSL_F_SSL2_READ_INTERNAL 236
#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
+#define SSL_F_SSL3_SEND_SERVER_HELLO 242
#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
#define SSL_F_SSL3_SETUP_BUFFERS 156
#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
#define SSL_R_BAD_DH_P_LENGTH 110
#define SSL_R_BAD_DIGEST_LENGTH 111
#define SSL_R_BAD_DSA_SIGNATURE 112
+#define SSL_R_BAD_ECC_CERT 1117
+#define SSL_R_BAD_ECDSA_SIGNATURE 1112
+#define SSL_R_BAD_ECPOINT 1113
#define SSL_R_BAD_HELLO_REQUEST 105
#define SSL_R_BAD_LENGTH 271
#define SSL_R_BAD_MAC_DECODE 113
#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
#define SSL_R_COMPRESSION_FAILURE 141
+#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 1120
#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
#define SSL_R_CONNECTION_TYPE_NOT_SET 144
#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 1109
#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
#define SSL_R_DIGEST_CHECK_FAILED 149
+#define SSL_R_DUPLICATE_COMPRESSION_ID 1121
+#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 1119
#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 1092
#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_INVALID_PURPOSE 278
#define SSL_R_INVALID_TRUST 279
+#define SSL_R_KEY_ARG_TOO_LONG 1112
#define SSL_R_KRB5 1104
#define SSL_R_KRB5_C_CC_PRINC 1094
#define SSL_R_KRB5_C_GET_CRED 1095
#define SSL_R_LENGTH_TOO_SHORT 160
#define SSL_R_LIBRARY_BUG 274
#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
+#define SSL_R_MASTER_KEY_TOO_LONG 1112
#define SSL_R_MESSAGE_TOO_LONG 1111
#define SSL_R_MISSING_DH_DSA_CERT 162
#define SSL_R_MISSING_DH_KEY 163
#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
#define SSL_R_MISSING_RSA_SIGNING_CERT 170
#define SSL_R_MISSING_TMP_DH_KEY 171
+#define SSL_R_MISSING_TMP_ECDH_KEY 1114
#define SSL_R_MISSING_TMP_RSA_KEY 172
#define SSL_R_MISSING_TMP_RSA_PKEY 173
#define SSL_R_MISSING_VERIFY_MESSAGE 174
#define SSL_R_SHORT_READ 219
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
+#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 1114
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113
#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
+#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 1115
#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
+#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 1116
#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
#define SSL_R_UNKNOWN_STATE 255
#define SSL_R_UNSUPPORTED_CIPHER 256
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 1118
#define SSL_R_UNSUPPORTED_OPTION 1091
#define SSL_R_UNSUPPORTED_PROTOCOL 258
#define SSL_R_UNSUPPORTED_SSL_VERSION 259