X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fssl3.h;h=b0b6539d5e55930ff4090f917ea82839e737b032;hb=d47c01a31a67ff4370b1883a58cabd0279752bb4;hp=93f9ead3059b807c2d4e78122f551326d9a3bd3f;hpb=4817504d069b4c5082161b02a22116ad75f822b1;p=oweals%2Fopenssl.git diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 93f9ead305..b0b6539d5e 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -324,6 +324,20 @@ extern "C" { #define SSL3_RT_APPLICATION_DATA 23 #define TLS1_RT_HEARTBEAT 24 +/* Pseudo content types to indicate additional parameters */ +#define TLS1_RT_CRYPTO 0x1000 +#define TLS1_RT_CRYPTO_PREMASTER (TLS1_RT_CRYPTO | 0x1) +#define TLS1_RT_CRYPTO_CLIENT_RANDOM (TLS1_RT_CRYPTO | 0x2) +#define TLS1_RT_CRYPTO_SERVER_RANDOM (TLS1_RT_CRYPTO | 0x3) +#define TLS1_RT_CRYPTO_MASTER (TLS1_RT_CRYPTO | 0x4) + +#define TLS1_RT_CRYPTO_READ 0x0000 +#define TLS1_RT_CRYPTO_WRITE 0x0100 +#define TLS1_RT_CRYPTO_MAC (TLS1_RT_CRYPTO | 0x5) +#define TLS1_RT_CRYPTO_KEY (TLS1_RT_CRYPTO | 0x6) +#define TLS1_RT_CRYPTO_IV (TLS1_RT_CRYPTO | 0x7) +#define TLS1_RT_CRYPTO_FIXED_IV (TLS1_RT_CRYPTO | 0x8) + #define SSL3_AL_WARNING 1 #define SSL3_AL_FATAL 2 @@ -388,6 +402,17 @@ typedef struct ssl3_buffer_st #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 + +/* SSL3_FLAGS_SGC_RESTART_DONE is set when we + * restart a handshake because of MS SGC and so prevents us + * from restarting the handshake in a loop. It's reset on a + * renegotiation, so effectively limits the client to one restart + * per negotiation. This limits the possibility of a DDoS + * attack where the client handshakes in a loop using SGC to + * restart. Servers which permit renegotiation can still be + * effected, but we can't prevent that. + */ +#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040 #ifndef OPENSSL_NO_SSL_INTERN @@ -466,12 +491,6 @@ typedef struct ssl3_state_st void *server_opaque_prf_input; size_t server_opaque_prf_input_len; -#ifndef OPENSSL_NO_NEXTPROTONEG - /* Set if we saw the Next Protocol Negotiation extension from - our peer. */ - int next_proto_neg_seen; -#endif - struct { /* actually only needs to be 16+20 */ unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2]; @@ -529,6 +548,27 @@ typedef struct ssl3_state_st unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; unsigned char previous_server_finished_len; int send_connection_binding; /* TODOEKR */ + +#ifndef OPENSSL_NO_NEXTPROTONEG + /* Set if we saw the Next Protocol Negotiation extension from our peer. */ + int next_proto_neg_seen; +#endif + +#ifndef OPENSSL_NO_TLSEXT + /* tlsext_authz_client_types contains an array of supported authz + * types, as advertised by the client. The array is sorted and + * does not contain any duplicates. */ + unsigned char *tlsext_authz_client_types; + size_t tlsext_authz_client_types_len; + /* tlsext_authz_promised_to_client is true iff we're a server and we + * echoed the client's supplemental data extension and therefore must + * send a supplemental data handshake message. */ + char tlsext_authz_promised_to_client; + /* tlsext_authz_server_promised is true iff we're a client and the + * server echoed our server_authz extension and therefore must send us + * a supplemental data handshake message. */ + char tlsext_authz_server_promised; +#endif } SSL3_STATE; #endif @@ -557,6 +597,8 @@ typedef struct ssl3_state_st #define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT) #define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT) #define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT) +#define SSL3_ST_CR_SUPPLEMENTAL_DATA_A (0x210|SSL_ST_CONNECT) +#define SSL3_ST_CR_SUPPLEMENTAL_DATA_B (0x211|SSL_ST_CONNECT) /* write to server */ #define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT) #define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT) @@ -636,6 +678,8 @@ typedef struct ssl3_state_st #define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT) #define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT) #define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT) +#define SSL3_ST_SW_SUPPLEMENTAL_DATA_A (0x220|SSL_ST_ACCEPT) +#define SSL3_ST_SW_SUPPLEMENTAL_DATA_B (0x221|SSL_ST_ACCEPT) #define SSL3_MT_HELLO_REQUEST 0 #define SSL3_MT_CLIENT_HELLO 1 @@ -649,6 +693,7 @@ typedef struct ssl3_state_st #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 #define SSL3_MT_FINISHED 20 #define SSL3_MT_CERTIFICATE_STATUS 22 +#define SSL3_MT_SUPPLEMENTAL_DATA 23 #ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_MT_NEXT_PROTO 67 #endif @@ -671,4 +716,3 @@ typedef struct ssl3_state_st } #endif #endif -