From f1fd4544a3747682010ed89ac908713fe90b8304 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Tue, 3 Jan 2006 03:27:19 +0000 Subject: [PATCH] Various changes in the new TLS extension code, including the following: - fix indentation - rename some functions and macros - fix up confusion between SSL_ERROR_... and SSL_AD_... values --- CHANGES | 31 +++++-- Configure | 4 + apps/s_client.c | 4 +- apps/s_server.c | 23 ++--- ssl/s23_clnt.c | 62 +++++++++++-- ssl/s23_srvr.c | 17 ++-- ssl/s3_clnt.c | 26 +++--- ssl/s3_lib.c | 31 ++++--- ssl/s3_srvr.c | 46 ++++------ ssl/ssl.h | 29 +++---- ssl/ssl_lib.c | 36 ++++---- ssl/ssl_locl.h | 12 +-- ssl/ssl_sess.c | 56 +++++++++++- ssl/t1_lib.c | 226 +++++++++++++++++++++++++++++++++--------------- ssl/tls1.h | 98 ++++++++++++++++----- 15 files changed, 486 insertions(+), 215 deletions(-) diff --git a/CHANGES b/CHANGES index 8023667d75..33d90e8fcf 100644 --- a/CHANGES +++ b/CHANGES @@ -4,16 +4,33 @@ Changes between 0.9.8a and 0.9.9 [xx XXX xxxx] - *) Add support for TLS extensions, specifically for the HostName extension. - The SSL_SESSION, SSL_CTX, and SSL data structures now have new members - for HostName support. + *) Add support for TLS extensions, specifically for the HostName extension + so far. The SSL_SESSION, SSL_CTX, and SSL data structures now have new + members for HostName support. + + New functions (subject to change): + + SSL_get_servername() + SSL_get_servername_type() + SSL_set_SSL_CTX() + + New CTRL codes and macros (subject to change): + + SSL_CTRL_SET_TLSEXT_SERVERNAME_CB + - SSL_CTX_set_tlsext_servername_callback() + SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG + - SSL_CTX_set_tlsext_servername_arg() + SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_hostname() + SSL_CTRL_GET_TLSEXT_HOSTNAME [similar to SSL_get_servername()] + SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE + - SSL_set_tlsext_servername_done() openssl s_client has a new '-servername' option. - openssl s_server has new options '-servername', '-cert2', and '-key2'; - this allows testing the HostName extension for a specific single - host name ('-cert' and '-key' remain fallbacks for handshakes without - HostName negotiation). + openssl s_server has new options '-servername', '-cert2', and '-key2' + (subject to change); this allows testing the HostName extension for a + specific single host name ('-cert' and '-key' remain fallbacks for + handshakes without HostName negotiation). [Peter Sylvester] diff --git a/Configure b/Configure index c9a30751aa..a8e9bda150 100755 --- a/Configure +++ b/Configure @@ -836,6 +836,10 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"}) $disabled{"tls1"} = "forced"; } +if (defined($disabled{"tls1"})) + { + $disabled{"tlsext"} = "forced"; + } if ($target eq "TABLE") { foreach $target (sort keys %table) { diff --git a/apps/s_client.c b/apps/s_client.c index b5c044bfa7..181cb3f15b 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -239,11 +239,11 @@ typedef struct tlsextctx_st { static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) { tlsextctx * p = (tlsextctx *) arg; - const unsigned char * hn= SSL_get_servername(s, TLSEXT_TYPE_SERVER_host); + const unsigned char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); if (SSL_get_servername_type(s) != -1) p->ack = !SSL_session_reused(s) && hn != NULL; else - BIO_printf(bio_err,"SSL_get_tlsext_hostname does not work\n"); + BIO_printf(bio_err,"Can't use SSL_get_servername\n"); return SSL_ERROR_NONE; } diff --git a/apps/s_server.c b/apps/s_server.c index 068e0c54b1..6c106f7f02 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -539,7 +539,7 @@ typedef struct tlsextctx_st { static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) { tlsextctx * p = (tlsextctx *) arg; - const char * servername = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host); + const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); if (servername) BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername); @@ -1257,12 +1257,14 @@ bad: #endif #endif - if (cipher != NULL) { - if(!SSL_CTX_set_cipher_list(ctx,cipher)) { + if (cipher != NULL) + { + if(!SSL_CTX_set_cipher_list(ctx,cipher)) + { BIO_printf(bio_err,"error setting cipher list\n"); ERR_print_errors(bio_err); goto end; - } + } #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher)) { @@ -1271,7 +1273,7 @@ bad: goto end; } #endif - } + } SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); @@ -1283,13 +1285,14 @@ bad: SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); + tlsextcbp.biodebug = bio_s_out; + SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb); + SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp); + SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); + SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); } - tlsextcbp.biodebug = bio_s_out; - SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb); - SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp); - SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); - SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); #endif + if (CAfile != NULL) { SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 5a07db158f..3bb5adfa48 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include "ssl_locl.h" @@ -352,7 +405,6 @@ static int ssl23_client_hello(SSL *s) #ifdef OPENSSL_NO_COMP *(p++)=1; #else - if ((s->options & SSL_OP_NO_COMPRESSION) || !s->ctx->comp_methods) j=0; @@ -366,16 +418,16 @@ static int ssl23_client_hello(SSL *s) } #endif *(p++)=0; /* Add the NULL method */ + #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + { SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); return -1; - } + } #endif l = p-d; - *p = 42; /* fill in 4-byte handshake header */ d=&(buf[5]); diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 8bf044e15f..4da169eb31 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -140,7 +140,7 @@ IMPLEMENT_ssl23_meth_func(SSLv23_server_method, int ssl23_accept(SSL *s) { BUF_MEM *buf; - unsigned long Time=time(NULL); + unsigned long Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state; @@ -416,7 +416,9 @@ int ssl23_get_client_hello(SSL *s) n2s(p,sil); n2s(p,cl); d=(unsigned char *)s->init_buf->data; - if ((csl+sil+cl+11) > s->packet_length) + if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format + * Client Hello, can we? Error condition should be + * '>' otherweise */ { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH); goto err; @@ -459,11 +461,14 @@ int ssl23_get_client_hello(SSL *s) *(d++)=1; *(d++)=0; +#if 0 /* copy any remaining data with may be extensions */ - p = p+csl+sil+cl ; - while (p < s->packet+s->packet_length) { + p = p+csl+sil+cl; + while (p < s->packet+s->packet_length) + { *(d++)=*(p++); - } + } +#endif i = (d-(unsigned char *)s->init_buf->data) - 4; l2n3((long)i, d_len); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 7a4f256642..578285230d 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -257,12 +257,14 @@ int ssl3_connect(SSL *s) if (ret <= 0) goto end; #ifndef OPENSSL_NO_TLSEXT { - int extension_error = 0,al; - if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){ - ret = -1; + int al; + if (ssl_check_tlsext(s,&al) <= 0) + { + ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */ SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT); + ret = -1; goto end; - } + } } #endif if (s->hit) @@ -613,11 +615,11 @@ int ssl3_client_hello(SSL *s) #endif *(p++)=0; /* Add the NULL method */ #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + { SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); goto err; - } + } #endif l=(p-d); @@ -806,12 +808,14 @@ int ssl3_get_server_hello(SSL *s) #ifndef OPENSSL_NO_TLSEXT /* TLS extensions*/ if (s->version > SSL3_VERSION) - { - if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){ + { + if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) + { + /* 'al' set by ssl_parse_serverhello_tlsext */ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT); goto f_err; + } } - } #endif if (p != (d+n)) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 845e5a16c5..c3bedf20ff 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1645,16 +1645,21 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #endif /* !OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_GET_TLSEXT_HOSTNAME: - if (larg != TLSEXT_TYPE_SERVER_host) + if (larg != TLSEXT_NAMETYPE_host_name) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); return(0); } - *((char **) parg) = s->session&&s->session->tlsext_hostname?s->session->tlsext_hostname:s->tlsext_hostname; + /* XXX cf. SSL_get_servername() (ssl_lib.c) */ + if (s->session && s->session->tlsext_hostname) + *((char **) parg) = s->session->tlsext_hostname; + else + *((char **) parg) = s->tlsext_hostname; ret = 1; - break; + break; case SSL_CTRL_SET_TLSEXT_HOSTNAME: - if (larg == TLSEXT_TYPE_SERVER_host) { + if (larg == TLSEXT_NAMETYPE_host_name) + { if (s->tlsext_hostname != NULL) OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; @@ -1662,19 +1667,23 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; if (parg == NULL) break; - if (strlen((char *)parg) > 255) { + if (strlen((char *)parg) > 255) + { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; - } - if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) { + } + if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) + { SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); return 0; + } } - } else { + else + { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); return 0; - } - s->options |= SSL_OP_NO_SSLv2; + } + s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */ break; case SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE: s->servername_done = larg; diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 25b56fa6fa..954959404a 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -283,13 +283,14 @@ int ssl3_accept(SSL *s) if (ret <= 0) goto end; #ifndef OPENSSL_NO_TLSEXT { - int extension_error = 0,al; - if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){ - ret = -1; + int al; + if (ssl_check_tlsext(s,&al) <= 0) + { + ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */ SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT); - ssl3_send_alert(s,al,extension_error); + ret = -1; goto end; - } + } } #endif s->new_session = 2; @@ -937,32 +938,17 @@ int ssl3_get_client_hello(SSL *s) } #endif - /* TLS does not mind if there is extra stuff */ -#if 0 /* SSL 3.0 does not mind either, so we should disable this test - * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, - * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ - if (s->version == SSL3_VERSION) - { - if (p < (d+n)) - { - /* wrong number of bytes, - * there could be more to follow */ - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); - goto f_err; - } - } -#endif #ifndef OPENSSL_NO_TLSEXT /* TLS extensions*/ if (s->version > SSL3_VERSION) - { - if ((al = ssl_parse_ClientHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){ + { + if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) + { + /* 'al' set by ssl_parse_clienthello_tlsext */ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT); - ssl3_send_alert(s,SSL3_AL_WARNING,al); - return (ret = al); + goto f_err; + } } - } #endif /* Given s->session->ciphers and SSL_get_ciphers, we must @@ -1109,11 +1095,11 @@ int ssl3_send_server_hello(SSL *s) *(p++)=s->s3->tmp.new_compression->id; #endif #ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_ServerHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { + if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); return -1; - } + } #endif /* do the header */ diff --git a/ssl/ssl.h b/ssl/ssl.h index 29f1e0beec..17d2103aac 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -109,7 +109,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -172,11 +172,6 @@ #include -#ifdef OPENSSL_NO_TLS1 -# ifndef OPENSSL_NO_TLSEXT -# define OPENSSL_NO_TLSEXT -# endif -#endif #ifndef OPENSSL_NO_COMP #include #endif @@ -765,11 +760,10 @@ struct ssl_ctx_st unsigned int max_send_fragment; #ifndef OPENSSL_NO_TLSEXT - /* TLS extensions servername callback */ + /* TLS extensions servername callback */ int (*tlsext_servername_callback)(SSL*, int *, void *); void *tlsext_servername_arg; #endif - }; #define SSL_SESS_CACHE_OFF 0x0000 @@ -994,11 +988,11 @@ struct ssl_st unsigned int max_send_fragment; #ifndef OPENSSL_NO_TLSEXT char *tlsext_hostname; - int servername_done; /* no further mod of servername - 0 : call the servername extension callback. - 1 : prepare 2, allow last ack just after in server callback. - 2 : don't call servername callback, no ack in server hello - */ + int servername_done; /* no further mod of servername + 0 : call the servername extension callback. + 1 : prepare 2, allow last ack just after in server callback. + 2 : don't call servername callback, no ack in server hello + */ #endif }; @@ -1145,9 +1139,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */ #define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED #define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION -#ifndef OPENSSL_NO_TLSEXT #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME -#endif #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1208,6 +1200,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); #define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52 +/* see tls.h for macros based on these */ +#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 +#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 +#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 +#define SSL_CTRL_GET_TLSEXT_HOSTNAME 56 +#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 57 + #define SSL_session_reused(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) #define SSL_num_renegotiations(ssl) \ diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index afe7162ab7..841d75d585 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -58,7 +58,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1315,27 +1315,30 @@ err: return(NULL); } + #ifndef OPENSSL_TLSEXT -/** return a servername extension value if provided in CLIENT HELLO - * or NULL. - * For the moment, only hostname types are supported. +/** return a servername extension value if provided in Client Hello, or NULL. + * So far, only host_name types are defined (RFC 3546). */ -const char *SSL_get_servername(const SSL *s, const int type) { - - if (type != TLSEXT_TYPE_SERVER_host) +const char *SSL_get_servername(const SSL *s, const int type) + { + if (type != TLSEXT_NAMETYPE_host_name) return NULL; - return s->session /*&&s->session->tlsext_hostname*/?s->session->tlsext_hostname:s->tlsext_hostname; -} - -int SSL_get_servername_type(const SSL *s) { + /* XXX cf. SSL_CTRL_GET_TLSEXT_HOSTNAME case in ssl3_ctrl (s3_lib.c) */ + return s->session /*&&s->session->tlsext_hostname*/ ? + s->session->tlsext_hostname : + s->tlsext_hostname; + } - if (s->session &&s->session->tlsext_hostname ?s->session->tlsext_hostname:s->tlsext_hostname) - return TLSEXT_TYPE_SERVER_host; +int SSL_get_servername_type(const SSL *s) + { + if (s->session &&s->session->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname) + return TLSEXT_NAMETYPE_host_name; return -1; -} - + } #endif + unsigned long SSL_SESSION_hash(const SSL_SESSION *a) { unsigned long l; @@ -1488,7 +1491,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; #ifndef OPENSSL_NO_TLSEXT - ret->tlsext_servername_callback = NULL; + ret->tlsext_servername_callback = 0; ret->tlsext_servername_arg = NULL; #endif return(ret); @@ -2442,7 +2445,6 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) { - if (ssl->cert != NULL) ssl_cert_free(ssl->cert); ssl->cert = ssl_cert_dup(ctx->cert); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 26a062fdcd..ccc490aaf1 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -941,10 +941,10 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs); SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); #ifndef OPENSSL_NO_TLSEXT -unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); -unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); -int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n); -int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n); -int ssl_check_Hello_TLS_extensions(SSL *s,int *ad); +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); +int ssl_check_tlsext(SSL *s,int *al); #endif #endif diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 6c2c04bf0f..16162fa951 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include @@ -550,8 +603,7 @@ void SSL_SESSION_free(SSL_SESSION *ss) if (ss->peer != NULL) X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); #ifndef OPENSSL_NO_TLSEXT - if (ss->tlsext_hostname != NULL) - OPENSSL_free(ss->tlsext_hostname); + if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname); #endif OPENSSL_cleanse(ss,sizeof(*ss)); OPENSSL_free(ss); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ff5bc58ce7..b248dab361 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include @@ -101,41 +154,43 @@ void tls1_clear(SSL *s) s->version=TLS1_VERSION; } + #ifndef OPENSSL_NO_TLSEXT -unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) { +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) + { int extdatalen=0; unsigned char *ret = p; ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (s->servername_done == 0 && s->tlsext_hostname != NULL) { + if (s->servername_done == 0 && s->tlsext_hostname != NULL) + { /* Add TLS extension servername to the Client Hello message */ unsigned long size_str; long lenmax; if ((lenmax = limit - p - 7) < 0) return NULL; if ((size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) return NULL; - + s2n(TLSEXT_TYPE_server_name,ret); s2n(size_str+3,ret); - *(ret++) = (unsigned char) TLSEXT_TYPE_SERVER_host; + *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; s2n(size_str,ret); memcpy(ret, s->tlsext_hostname, size_str); ret+=size_str; - } + } - if ((extdatalen = ret-p-2)== 0) return p; s2n(extdatalen,p); return ret; - } -unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) { +unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) + { int extdatalen=0; unsigned char *ret = p; if (s->hit || s->servername_done == 2) @@ -146,78 +201,92 @@ unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsi if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (s->session->tlsext_hostname != NULL) { - + if (s->session->tlsext_hostname != NULL) + { if (limit - p - 4 < 0) return NULL; s2n(TLSEXT_TYPE_server_name,ret); s2n(0,ret); - } - + } if ((extdatalen = ret-p-2)== 0) return p; s2n(extdatalen,p); return ret; - } -int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) { +int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) + { unsigned short type; unsigned short size; unsigned short len; - unsigned char * data = *p; + unsigned char *data = *p; if (data >= (d+n-2)) - return SSL_ERROR_NONE; + return 1; n2s(data,len); if (data > (d+n-len)) - return SSL_ERROR_NONE; + return 1; - while(data <= (d+n-4)){ + while (data <= (d+n-4)) + { n2s(data,type); n2s(data,size); if (data+size > (d+n)) - return SSL_ERROR_SSL; - - if (type == TLSEXT_TYPE_server_name) { + return 1; + + if (type == TLSEXT_TYPE_server_name) + { unsigned char *sdata = data; int servname_type; int dsize = size-3 ; - if (dsize > 0 ) { + if (dsize > 0 ) + { servname_type = *(sdata++); n2s(sdata,len); if (len != dsize) - return SSL_ERROR_SSL; + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } - switch (servname_type) { - case TLSEXT_TYPE_SERVER_host: - if (s->session->tlsext_hostname == NULL) { + switch (servname_type) + { + case TLSEXT_NAMETYPE_host_name: + if (s->session->tlsext_hostname == NULL) + { if (len > 255 || ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) - return SSL_ERROR_SSL; + { + *al = TLS1_AD_UNRECOGNIZED_NAME; + return 0; + } + memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; - } + } break; + default: break; - } + } + } } - } data+=size; - } - *p = data; + } - return SSL_ERROR_NONE; + *p = data; + return 1; } -int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) { + +int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) + { unsigned short type; unsigned short size; unsigned short len; @@ -226,61 +295,76 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha int tlsext_servername = 0; if (data >= (d+n-2)) - return SSL_ERROR_NONE; - + return 1; n2s(data,len); - while(data <= (d+n-4)){ + while(data <= (d+n-4)) + { n2s(data,type); n2s(data,size); if (data+size > (d+n)) - return SSL_ERROR_SSL; - - if (type == TLSEXT_TYPE_server_name) { - if ( s->tlsext_hostname == NULL || size > 0 ) { - return SSL_ERROR_SSL; - } + return 1; + + if (type == TLSEXT_TYPE_server_name) + { + if (s->tlsext_hostname == NULL || size > 0) + { + *al = TLS1_AD_UNRECOGNIZED_NAME; + return 0; + } tlsext_servername = 1; - } + } data+=size; - } - - + } if (data != d+n) - return SSL_ERROR_SSL; + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } - if (!s->hit && tlsext_servername == 1) { - if (s->tlsext_hostname) { - if (s->session->tlsext_hostname == NULL) { + if (!s->hit && tlsext_servername == 1) + { + if (s->tlsext_hostname) + { + if (s->session->tlsext_hostname == NULL) + { s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); if (!s->session->tlsext_hostname) - return SSL_ERROR_SSL; + { + *al = SSL_AD_UNRECOGNIZED_NAME; + return 0; + } + } + else + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } } - } else - return SSL_ERROR_SSL; - } - *p = data; + } - return SSL_ERROR_NONE; + *p = data; + return 1; } -int ssl_check_Hello_TLS_extensions(SSL *s,int *ad) -{ - int ret = SSL_ERROR_NONE; - - *ad = SSL_AD_UNRECOGNIZED_NAME; - if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != NULL) - && ((ret = s->ctx->tlsext_servername_callback(s, ad, s->ctx->tlsext_servername_arg))!= SSL_ERROR_NONE)) - return ret; - - else if (s->servername_done == 1) +int ssl_check_tlsext(SSL *s,int *al) + { + int ret; + + *al = SSL_AD_UNRECOGNIZED_NAME; + if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)) + { + ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg); + if (ret <= 0) + return ret; + } + if (s->servername_done == 1) s->servername_done = 2; - - return ret; -} + + return 1; + } #endif - diff --git a/ssl/tls1.h b/ssl/tls1.h index 4c8a5daa56..b5370f20fb 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -96,54 +149,55 @@ extern "C" { #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 - -#ifndef OPENSSL_NO_TLSEXT #define TLS1_AD_UNRECOGNIZED_NAME 122 +/* ExtensionType values from RFC 3546 */ #define TLSEXT_TYPE_server_name 0 #define TLSEXT_TYPE_max_fragment_length 1 #define TLSEXT_TYPE_client_certificate_url 2 #define TLSEXT_TYPE_trusted_ca_keys 3 #define TLSEXT_TYPE_truncated_hmac 4 #define TLSEXT_TYPE_status_request 5 +#if 0 #define TLSEXT_TYPE_srp 6 +#endif + +/* NameType value from RFC 3546 */ +#define TLSEXT_NAMETYPE_host_name 0 -#define TLSEXT_TYPE_SERVER_host 0 -#define SSL_CTX_set_tlsext_hostname(ctx,name) \ -SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name) +#ifndef OPENSSL_NO_TLSEXT + +const char *SSL_get_servername(const SSL *s, const int type) ; +int SSL_get_servername_type(const SSL *s) ; + #define SSL_set_tlsext_hostname(s,name) \ -SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name) +SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name) #define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \ SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb) #define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg) - -const char *SSL_get_servername(const SSL *s, const int type) ; -int SSL_get_servername_type(const SSL *s) ; +#define SSL_set_tlsext_servername_done(s,t) \ +SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL) #if 0 +# if 0 + #define SSL_get_tlsext_hostname(s,psn) \ - SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host, (void *)psn) -#else + SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name, (void *)psn) +# else + /* XXX this looks weird for a macro, define a function instead? */ + * or just used SSL_get_servername() directly ... */ #define SSL_get_tlsext_hostname(s,psn) \ - (*psn = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host),*psn != NULL) + (*psn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name),*psn != NULL) +# endif #endif - #define SSL_set_tlsext_servername_done(s,t) \ - SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL) - -void SSL_set_ctx(SSL *s, SSL_CTX *ctx) ; - -#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 -#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 -#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 -#define SSL_CTRL_GET_TLSEXT_HOSTNAME 56 -#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE 57 #endif + /* Additional TLS ciphersuites from expired Internet Draft * draft-ietf-tls-56-bit-ciphersuites-01.txt * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see -- 2.25.1