#define SSL_TXT_AES128 "AES128"
#define SSL_TXT_AES256 "AES256"
#define SSL_TXT_AES "AES"
+#define SSL_TXT_AES_GCM "AESGCM"
#define SSL_TXT_CAMELLIA128 "CAMELLIA128"
#define SSL_TXT_CAMELLIA256 "CAMELLIA256"
#define SSL_TXT_CAMELLIA "CAMELLIA"
DECLARE_STACK_OF(SSL_CIPHER)
+/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
+typedef struct srtp_protection_profile_st
+ {
+ const char *name;
+ unsigned long id;
+ } SRTP_PROTECTION_PROFILE;
+
+DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
+
typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
* Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
* Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
* HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
- * ECPointFormatList [ 7 ] OCTET STRING, -- optional EC point format list from TLS extension
- * PSK_identity_hint [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
- * PSK_identity [ 9 ] EXPLICIT OCTET STRING -- optional PSK identity
- * SRP_username [ 11 ] EXPLICIT OCTET STRING -- optional SRP username
+ * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
+ * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity
+ * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
+ * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
+ * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
+ * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
* }
* Look in ssl/ssl_asn1.c for more details
* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
+# ifndef OPENSSL_NO_NEXTPROTONEG
+ /* Next protocol negotiation information */
+ /* (for experimental NPN extension). */
+
+ /* For a server, this contains a callback function by which the set of
+ * advertised protocols can be provided. */
+ int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
+ unsigned int *len, void *arg);
+ void *next_protos_advertised_cb_arg;
+ /* For a client, this contains a callback function that selects the
+ * next protocol from the list provided by the server. */
+ int (*next_proto_select_cb)(SSL *s, unsigned char **out,
+ unsigned char *outlen,
+ const unsigned char *in,
+ unsigned int inlen,
+ void *arg);
+ void *next_proto_select_cb_arg;
+
/* draft-rescorla-tls-opaque-prf-input-00.txt information */
int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
void *tlsext_opaque_prf_input_callback_arg;
+# endif
#endif
#ifndef OPENSSL_NO_PSK
#ifndef OPENSSL_NO_SRP
SRP_CTX srp_ctx; /* ctx for SRP authentication */
#endif
+
+#ifndef OPENSSL_NO_TLSEXT
+ /* SRTP profiles we are willing to do from RFC 5764 */
+ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+#endif
};
#endif
#endif
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
+#ifndef OPENSSL_NO_NEXTPROTONEG
+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
+ int (*cb) (SSL *ssl,
+ const unsigned char **out,
+ unsigned int *outlen,
+ void *arg),
+ void *arg);
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
+ int (*cb) (SSL *ssl,
+ unsigned char **out,
+ unsigned char *outlen,
+ const unsigned char *in,
+ unsigned int inlen,
+ void *arg),
+ void *arg);
+
+int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+ const unsigned char *in, unsigned int inlen,
+ const unsigned char *client, unsigned int client_len);
+void SSL_get0_next_proto_negotiated(const SSL *s,
+ const unsigned char **data, unsigned *len);
+
+#define OPENSSL_NPN_UNSUPPORTED 0
+#define OPENSSL_NPN_NEGOTIATED 1
+#define OPENSSL_NPN_NO_OVERLAP 2
+#endif
#ifndef OPENSSL_NO_PSK
/* the maximum length of the buffer given to callbacks containing the
int server; /* are we the server side? - mostly used by SSL_clear*/
int new_session;/* Generate a new session or reuse an old one.
- * NB: For servers, the 'new' session may actually be a previously
- * cached session or even the previous session unless
- * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
+ * NB: For servers, the 'new' session may actually be a previously
+ * cached session or even the previous session unless
+ * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
int renegotiate;/* 1 if we are renegotiating.
- * 2 if we are a server and are inside a handshake
- * (i.e. not just sending a HelloRequest) */
+ * 2 if we are a server and are inside a handshake
+ * (i.e. not just sending a HelloRequest) */
int quiet_shutdown;/* don't send shutdown packets */
int shutdown; /* we have shut things down, 0x01 sent, 0x02
void *tls_session_secret_cb_arg;
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ /* Next protocol negotiation. For the client, this is the protocol that
+ * we sent in NextProtocol and is set when handling ServerHello
+ * extensions.
+ *
+ * For a server, this is the client's selected_protocol from
+ * NextProtocol and is set when handling the NextProtocol message,
+ * before the Finished message. */
+ unsigned char *next_proto_negotiated;
+ unsigned char next_proto_negotiated_len;
+#endif
+
#define session_ctx initial_ctx
+
+ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */
+ SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */
#else
#define session_ctx ctx
#endif /* OPENSSL_NO_TLSEXT */
#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
#include <openssl/dtls1.h> /* Datagram TLS */
#include <openssl/ssl23.h>
+#include <openssl/srtp.h> /* Support for the use_srtp extension */
#ifdef __cplusplus
extern "C" {
#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
#define SSL_F_SSL3_GET_MESSAGE 142
#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
+#define SSL_F_SSL3_GET_NEXT_PROTO 305
#define SSL_F_SSL3_GET_RECORD 143
#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
#define SSL_F_SSL3_GET_SERVER_DONE 145
#define SSL_F_SSL3_WRITE_PENDING 159
#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 298
#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 277
+#define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT 307
#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 299
#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278
+#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 308
#define SSL_F_SSL_BAD_METHOD 160
#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
#define SSL_F_SSL_CERT_DUP 221
#define SSL_F_SSL_CREATE_CIPHER_LIST 166
#define SSL_F_SSL_CTRL 232
#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
+#define SSL_F_SSL_CTX_MAKE_PROFILES 309
#define SSL_F_SSL_CTX_NEW 169
#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 290
#define SSL_F_SSL_NEW 186
#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
+#define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 310
#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
+#define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT 311
#define SSL_F_SSL_PEEK 270
#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
#define SSL_F_TLS1_ENC 210
+#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 312
#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275
#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
#define SSL_F_TLS1_PRF 284
#define SSL_R_BAD_SRP_G_LENGTH 348
#define SSL_R_BAD_SRP_N_LENGTH 349
#define SSL_R_BAD_SRP_S_LENGTH 350
+#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 360
#define SSL_R_BAD_SSL_FILETYPE 124
#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
#define SSL_R_BAD_STATE 126
#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322
#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323
#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
+#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 361
#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
+#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355
+#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356
#define SSL_R_HTTPS_PROXY_REQUEST 155
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 283
#define SSL_R_NO_RENEGOTIATION 339
#define SSL_R_NO_REQUIRED_DIGEST 324
#define SSL_R_NO_SHARED_CIPHER 193
+#define SSL_R_NO_SRTP_PROFILES 362
#define SSL_R_NO_VERIFY_CALLBACK 194
#define SSL_R_NULL_SSL_CTX 195
#define SSL_R_NULL_SSL_METHOD_PASSED 196
#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 359
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
#define SSL_R_SRP_A_CALC 354
+#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 363
+#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 364
+#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 365
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321
#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
#define SSL_R_UNSUPPORTED_PROTOCOL 258
#define SSL_R_UNSUPPORTED_SSL_VERSION 259
#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
+#define SSL_R_USE_SRTP_NOT_NEGOTIATED 366
#define SSL_R_WRITE_BIO_NOT_SET 260
#define SSL_R_WRONG_CIPHER_RETURNED 261
#define SSL_R_WRONG_MESSAGE_TYPE 262