diff options
Diffstat (limited to 'src/include')
27 files changed, 513 insertions, 500 deletions
diff --git a/src/include/openssl/asn1t.h b/src/include/openssl/asn1t.h index 6c91134..0f2560b 100644 --- a/src/include/openssl/asn1t.h +++ b/src/include/openssl/asn1t.h @@ -149,19 +149,19 @@ extern "C" { ASN1_SEQUENCE_cb(tname, cb) #define ASN1_SEQUENCE_cb(tname, cb) \ - static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \ + static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \ ASN1_SEQUENCE(tname) #define ASN1_BROKEN_SEQUENCE(tname) \ - static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0, 0}; \ + static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0}; \ ASN1_SEQUENCE(tname) -#define ASN1_SEQUENCE_ref(tname, cb, lck) \ - static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \ +#define ASN1_SEQUENCE_ref(tname, cb) \ + static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), cb, 0}; \ ASN1_SEQUENCE(tname) #define ASN1_SEQUENCE_enc(tname, enc, cb) \ - static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \ + static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, cb, offsetof(tname, enc)}; \ ASN1_SEQUENCE(tname) #define ASN1_NDEF_SEQUENCE_END(tname) \ @@ -233,7 +233,7 @@ extern "C" { static const ASN1_TEMPLATE tname##_ch_tt[] #define ASN1_CHOICE_cb(tname, cb) \ - static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \ + static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \ ASN1_CHOICE(tname) #define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname) @@ -670,7 +670,6 @@ typedef struct ASN1_AUX_st { void *app_data; int flags; int ref_offset; /* Offset of reference value */ - int ref_lock; /* Lock type to use */ ASN1_aux_cb *asn1_cb; int enc_offset; /* Offset of ASN1_ENCODING structure */ } ASN1_AUX; @@ -894,7 +893,8 @@ ASN1_VALUE ** asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt); const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr); -int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it); +void asn1_refcount_set_one(ASN1_VALUE **pval, const ASN1_ITEM *it); +int asn1_refcount_dec_and_test_zero(ASN1_VALUE **pval, const ASN1_ITEM *it); void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it); void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it); diff --git a/src/include/openssl/bio.h b/src/include/openssl/bio.h index a37077c..8724657 100644 --- a/src/include/openssl/bio.h +++ b/src/include/openssl/bio.h @@ -64,6 +64,7 @@ #include <openssl/err.h> /* for ERR_print_errors_fp */ #include <openssl/ex_data.h> #include <openssl/stack.h> +#include <openssl/thread.h> #if defined(__cplusplus) extern "C" { @@ -799,7 +800,7 @@ struct bio_st { /* num is a BIO-specific value. For example, in fd BIOs it's used to store a * file descriptor. */ int num; - int references; + CRYPTO_refcount_t references; void *ptr; /* next_bio points to the next |BIO| in a chain. This |BIO| owns a reference * to |next_bio|. */ @@ -887,6 +888,7 @@ struct bio_st { #define BIO_F_file_ctrl 115 #define BIO_F_file_read 116 #define BIO_F_mem_write 117 +#define BIO_F_BIO_printf 118 #define BIO_R_BAD_FOPEN_MODE 100 #define BIO_R_BROKEN_PIPE 101 #define BIO_R_CONNECT_ERROR 102 diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h index 2cd0224..ec1c8ff 100644 --- a/src/include/openssl/bn.h +++ b/src/include/openssl/bn.h @@ -548,15 +548,15 @@ OPENSSL_EXPORT BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, /* Random and prime number generation. */ -/* BN_rand sets |rnd| to a random number of length |bits|. If |top| is zero, - * the most-significant bit will be set. If |top| is one, the two most - * significant bits will be set. +/* BN_rand sets |rnd| to a random number of length |bits|. If |top| is zero, the + * most-significant bit, if any, will be set. If |top| is one, the two most + * significant bits, if any, will be set. * * If |top| is -1 then no extra action will be taken and |BN_num_bits(rnd)| may * not equal |bits| if the most significant bits randomly ended up as zeros. * - * If |bottom| is non-zero, the least-significant bit will be set. The function - * returns one on success or zero otherwise. */ + * If |bottom| is non-zero, the least-significant bit, if any, will be set. The + * function returns one on success or zero otherwise. */ OPENSSL_EXPORT int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); /* BN_pseudo_rand is an alias for |BN_rand|. */ @@ -852,6 +852,8 @@ OPENSSL_EXPORT BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn); #define BN_F_BN_usub 122 #define BN_F_bn_wexpand 123 #define BN_F_mod_exp_recp 124 +#define BN_F_BN_lshift 125 +#define BN_F_BN_rshift 126 #define BN_R_ARG2_LT_ARG3 100 #define BN_R_BAD_RECIPROCAL 101 #define BN_R_BIGNUM_TOO_LONG 102 diff --git a/src/include/openssl/buffer.h b/src/include/openssl/buffer.h new file mode 100644 index 0000000..c6b721c --- /dev/null +++ b/src/include/openssl/buffer.h @@ -0,0 +1,18 @@ +/* Copyright (c) 2015, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +/* This header is provided in order to make compiling against code that expects + OpenSSL easier. */ + +#include "buf.h" diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h index e10621a..9963426 100644 --- a/src/include/openssl/bytestring.h +++ b/src/include/openssl/bytestring.h @@ -150,10 +150,8 @@ OPENSSL_EXPORT int CBS_peek_asn1_tag(const CBS *cbs, unsigned tag_value); /* CBS_get_any_asn1_element sets |*out| to contain the next ASN.1 element from * |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to - * the tag number and |*out_header_len| to the length of the ASN.1 header. If - * the element has indefinite length then |*out| will only contain the - * header. Each of |out|, |out_tag|, and |out_header_len| may be NULL to ignore - * the value. + * the tag number and |*out_header_len| to the length of the ASN.1 header. Each + * of |out|, |out_tag|, and |out_header_len| may be NULL to ignore the value. * * Tag numbers greater than 30 are not supported (i.e. short form only). */ OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out, diff --git a/src/include/openssl/cipher.h b/src/include/openssl/cipher.h index f1469a0..7f5fe04 100644 --- a/src/include/openssl/cipher.h +++ b/src/include/openssl/cipher.h @@ -520,6 +520,9 @@ struct evp_cipher_st { int (*cipher)(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t inl); + /* cleanup, if non-NULL, releases memory associated with the context. It is + * called if |EVP_CTRL_INIT| succeeds. Note that |init| may not have been + * called at this point. */ void (*cleanup)(EVP_CIPHER_CTX *); int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); diff --git a/src/include/openssl/des.h b/src/include/openssl/des.h index f3804c3..6e1b0cf 100644 --- a/src/include/openssl/des.h +++ b/src/include/openssl/des.h @@ -131,6 +131,16 @@ OPENSSL_EXPORT void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, const DES_key_schedule *ks3, DES_cblock *ivec, int enc); +/* DES_ede2_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len| + * bytes from |in| to |out| with 3DES in CBC mode. With this keying option, the + * first and third 3DES keys are identical. Thus, this function takes only two + * different |DES_key_schedule|s. */ +OPENSSL_EXPORT void DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out, + size_t len, + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + DES_cblock *ivec, int enc); + #if defined(__cplusplus) } /* extern C */ diff --git a/src/include/openssl/dh.h b/src/include/openssl/dh.h index 60a030d..17574d5 100644 --- a/src/include/openssl/dh.h +++ b/src/include/openssl/dh.h @@ -137,6 +137,10 @@ OPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key, /* DH_size returns the number of bytes in the DH group's prime. */ OPENSSL_EXPORT int DH_size(const DH *dh); +/* DH_num_bits returns the minimum number of bits needed to represent the + * absolute value of the DH group's prime. */ +OPENSSL_EXPORT unsigned DH_num_bits(const DH *dh); + #define DH_CHECK_P_NOT_PRIME 0x01 #define DH_CHECK_P_NOT_SAFE_PRIME 0x02 #define DH_CHECK_UNABLE_TO_CHECK_GENERATOR 0x04 @@ -249,7 +253,7 @@ struct dh_st { BIGNUM *counter; int flags; - int references; + CRYPTO_refcount_t references; CRYPTO_EX_DATA ex_data; }; diff --git a/src/include/openssl/digest.h b/src/include/openssl/digest.h index 8285dce..2ea4ec4 100644 --- a/src/include/openssl/digest.h +++ b/src/include/openssl/digest.h @@ -134,7 +134,7 @@ OPENSSL_EXPORT int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, OPENSSL_EXPORT int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); /* EVP_DigestUpdate hashes |len| bytes from |data| into the hashing operation - * in |ctx|. It returns one on success and zero otherwise. */ + * in |ctx|. It returns one. */ OPENSSL_EXPORT int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t len); @@ -144,10 +144,9 @@ OPENSSL_EXPORT int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, /* EVP_DigestFinal_ex finishes the digest in |ctx| and writes the output to * |md_out|. At most |EVP_MAX_MD_SIZE| bytes are written. If |out_size| is not - * NULL then |*out_size| is set to the number of bytes written. It returns one - * on success and zero otherwise. After this call, the hash cannot be updated - * or finished again until |EVP_DigestInit_ex| is called to start another - * hashing operation. */ + * NULL then |*out_size| is set to the number of bytes written. It returns one. + * After this call, the hash cannot be updated or finished again until + * |EVP_DigestInit_ex| is called to start another hashing operation. */ OPENSSL_EXPORT int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, uint8_t *md_out, unsigned int *out_size); @@ -205,6 +204,10 @@ OPENSSL_EXPORT int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in); * compatibility with OpenSSL. */ OPENSSL_EXPORT int EVP_add_digest(const EVP_MD *digest); +/* EVP_get_cipherbyname returns an |EVP_MD| given a human readable name in + * |name|, or NULL if the name is unknown. */ +OPENSSL_EXPORT const EVP_MD *EVP_get_digestbyname(const char *); + /* Digest operation accessors. */ @@ -225,18 +228,6 @@ OPENSSL_EXPORT unsigned EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx); * |ctx|. */ OPENSSL_EXPORT int EVP_MD_CTX_type(const EVP_MD_CTX *ctx); -/* EVP_MD_CTX_set_flags ORs |flags| into the flags member of |ctx|. */ -OPENSSL_EXPORT void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, uint32_t flags); - -/* EVP_MD_CTX_clear_flags clears any bits from the flags member of |ctx| that - * are set in |flags|. */ -OPENSSL_EXPORT void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, uint32_t flags); - -/* EVP_MD_CTX_test_flags returns the AND of |flags| and the flags member of - * |ctx|. */ -OPENSSL_EXPORT uint32_t EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, - uint32_t flags); - struct evp_md_pctx_ops; @@ -251,7 +242,7 @@ struct env_md_ctx_st { /* update is usually copied from |digest->update| but can differ in some * cases, i.e. HMAC. * TODO(davidben): Remove this hook once |EVP_PKEY_HMAC| is gone. */ - int (*update)(EVP_MD_CTX *ctx, const void *data, size_t count); + void (*update)(EVP_MD_CTX *ctx, const void *data, size_t count); /* pctx is an opaque (at this layer) pointer to additional context that * EVP_PKEY functions may store in this object. */ @@ -262,11 +253,6 @@ struct env_md_ctx_st { const struct evp_md_pctx_ops *pctx_ops; } /* EVP_MD_CTX */; -/* EVP_MD_CTX_FLAG_NO_INIT causes the |EVP_MD|'s |init| function not to be - * called, the |update| member not to be copied from the |EVP_MD| in - * |EVP_DigestInit_ex| and for |md_data| not to be initialised. */ -#define EVP_MD_CTX_FLAG_NO_INIT 1 - #if defined(__cplusplus) } /* extern C */ diff --git a/src/include/openssl/dsa.h b/src/include/openssl/dsa.h index 2271915..7274e4c 100644 --- a/src/include/openssl/dsa.h +++ b/src/include/openssl/dsa.h @@ -354,7 +354,7 @@ struct dsa_st { /* Normally used to cache montgomery values */ CRYPTO_MUTEX method_mont_p_lock; BN_MONT_CTX *method_mont_p; - int references; + CRYPTO_refcount_t references; CRYPTO_EX_DATA ex_data; DSA_METHOD *meth; /* functional reference if 'meth' is ENGINE-provided */ diff --git a/src/include/openssl/ec.h b/src/include/openssl/ec.h index 617cb19..25b4551 100644 --- a/src/include/openssl/ec.h +++ b/src/include/openssl/ec.h @@ -288,7 +288,11 @@ OPENSSL_EXPORT int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, /* EC_GROUP_new_curve_GFp creates a new, arbitrary elliptic curve group based * on the equation y² = x³ + a·x + b. It returns the new group or NULL on - * error. */ + * error. + * + * |EC_GROUP|s returned by this function will always compare as unequal via + * |EC_GROUP_cmp| (even to themselves). |EC_GROUP_get_curve_name| will always + * return |NID_undef|. */ OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); diff --git a/src/include/openssl/engine.h b/src/include/openssl/engine.h index da242f6..d3d278a 100644 --- a/src/include/openssl/engine.h +++ b/src/include/openssl/engine.h @@ -93,7 +93,7 @@ void METHOD_unref(void *method); /* openssl_method_common_st contains the common part of all method structures. * This must be the first member of all method structures. */ struct openssl_method_common_st { - int references; + int references; /* dummy – not used. */ char is_static; }; diff --git a/src/include/openssl/err.h b/src/include/openssl/err.h index e591534..30dc4af 100644 --- a/src/include/openssl/err.h +++ b/src/include/openssl/err.h @@ -269,11 +269,11 @@ OPENSSL_EXPORT void ERR_print_errors_fp(FILE *file); OPENSSL_EXPORT void ERR_clear_error(void); /* ERR_remove_thread_state clears the error queue for the current thread if - * |tid| is NULL. Otherwise it does nothing because it's no longer possible to - * delete the error queue for other threads. + * |tid| is NULL. Otherwise it calls |assert(0)|, because it's no longer + * possible to delete the error queue for other threads. * * Error queues are thread-local data and are deleted automatically. You do not - * need to call this function. See |ERR_clear_error|. */ + * need to call this function. Use |ERR_clear_error|. */ OPENSSL_EXPORT void ERR_remove_thread_state(const CRYPTO_THREADID *tid); @@ -285,6 +285,12 @@ OPENSSL_EXPORT void ERR_remove_thread_state(const CRYPTO_THREADID *tid); OPENSSL_EXPORT int ERR_get_next_error_library(void); +/* Deprecated functions. */ + +/* |ERR_remove_state| calls |ERR_clear_error|. */ +OPENSSL_EXPORT void ERR_remove_state(unsigned long pid); + + /* Private functions. */ /* ERR_clear_system_error clears the system's error value (i.e. errno). */ @@ -496,15 +502,6 @@ enum { #define OPENSSL_DECLARE_ERROR_FUNCTION(lib, function_name) -/* Android compatibility section. - * - * These functions are declared, temporarily, for Android because - * wpa_supplicant will take a little time to sync with upstream. Outside of - * Android they'll have no definition. */ - -OPENSSL_EXPORT void ERR_remove_state(unsigned long pid); - - #if defined(__cplusplus) } /* extern C */ #endif diff --git a/src/include/openssl/evp.h b/src/include/openssl/evp.h index 54ad4be..490a951 100644 --- a/src/include/openssl/evp.h +++ b/src/include/openssl/evp.h @@ -59,6 +59,8 @@ #include <openssl/base.h> +#include <openssl/thread.h> + /* OpenSSL included digest and cipher functions in this header so we include * them for users that still expect that. * @@ -239,8 +241,7 @@ OPENSSL_EXPORT int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, EVP_PKEY *pkey); /* EVP_DigestSignUpdate appends |len| bytes from |data| to the data which will - * be signed in |EVP_DigestSignFinal|. It returns one on success and zero - * otherwise. */ + * be signed in |EVP_DigestSignFinal|. It returns one. */ OPENSSL_EXPORT int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len); @@ -291,8 +292,7 @@ OPENSSL_EXPORT int EVP_DigestVerifyInitFromAlgorithm(EVP_MD_CTX *ctx, EVP_PKEY *pkey); /* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which - * will be verified by |EVP_DigestVerifyFinal|. It returns one on success and - * zero otherwise. */ + * will be verified by |EVP_DigestVerifyFinal|. It returns one. */ OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len); @@ -664,6 +664,12 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey); /* OpenSSL_add_all_algorithms does nothing. */ OPENSSL_EXPORT void OpenSSL_add_all_algorithms(void); +/* OpenSSL_add_all_ciphers does nothing. */ +OPENSSL_EXPORT void OpenSSL_add_all_ciphers(void); + +/* OpenSSL_add_all_digests does nothing. */ +OPENSSL_EXPORT void OpenSSL_add_all_digests(void); + /* EVP_cleanup does nothing. */ OPENSSL_EXPORT void EVP_cleanup(void); @@ -678,7 +684,7 @@ OPENSSL_EXPORT const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str( ENGINE **pengine, const char *name, size_t len); struct evp_pkey_st { - int references; + CRYPTO_refcount_t references; /* type contains one of the EVP_PKEY_* values or NID_undef and determines * which element (if any) of the |pkey| union is valid. */ diff --git a/src/include/openssl/hmac.h b/src/include/openssl/hmac.h index 89cdf8f..e521212 100644 --- a/src/include/openssl/hmac.h +++ b/src/include/openssl/hmac.h @@ -106,7 +106,7 @@ OPENSSL_EXPORT int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len, const EVP_MD *md, ENGINE *impl); /* HMAC_Update hashes |data_len| bytes from |data| into the current HMAC - * operation in |ctx|. It returns one on success and zero on error. */ + * operation in |ctx|. It returns one. */ OPENSSL_EXPORT int HMAC_Update(HMAC_CTX *ctx, const uint8_t *data, size_t data_len); @@ -129,13 +129,6 @@ OPENSSL_EXPORT size_t HMAC_size(const HMAC_CTX *ctx); * on error. */ OPENSSL_EXPORT int HMAC_CTX_copy_ex(HMAC_CTX *dest, const HMAC_CTX *src); -/* HMAC_CTX_set_flags ORs |flags| into the flags of the underlying digests of - * |ctx|, which must have been setup by a call to |HMAC_Init_ex|. See - * |EVP_MD_CTX_set_flags|. - * - * TODO(fork): remove? */ -OPENSSL_EXPORT void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags); - /* Deprecated functions. */ diff --git a/src/include/openssl/obj_mac.h b/src/include/openssl/obj_mac.h index b028c00..55e1cba 100644 --- a/src/include/openssl/obj_mac.h +++ b/src/include/openssl/obj_mac.h @@ -2351,7 +2351,7 @@ #define OBJ_delta_crl OBJ_id_ce,27L #define SN_issuing_distribution_point "issuingDistributionPoint" -#define LN_issuing_distribution_point "X509v3 Issuing Distrubution Point" +#define LN_issuing_distribution_point "X509v3 Issuing Distribution Point" #define NID_issuing_distribution_point 770 #define OBJ_issuing_distribution_point OBJ_id_ce,28L @@ -2576,11 +2576,6 @@ #define NID_id_hex_multipart_message 508 #define OBJ_id_hex_multipart_message OBJ_mime_mhs_headings,2L -#define SN_rle_compression "RLE" -#define LN_rle_compression "run length compression" -#define NID_rle_compression 124 -#define OBJ_rle_compression 1L,1L,1L,1L,666L,1L - #define SN_zlib_compression "ZLIB" #define LN_zlib_compression "zlib compression" #define NID_zlib_compression 125 diff --git a/src/include/openssl/opensslv.h b/src/include/openssl/opensslv.h index 22f7e25..a3555d4 100644 --- a/src/include/openssl/opensslv.h +++ b/src/include/openssl/opensslv.h @@ -15,4 +15,4 @@ /* This header is provided in order to make compiling against code that expects OpenSSL easier. */ -#include "ssl.h" +#include "crypto.h" diff --git a/src/include/openssl/pem.h b/src/include/openssl/pem.h index adc8d86..7756e45 100644 --- a/src/include/openssl/pem.h +++ b/src/include/openssl/pem.h @@ -381,13 +381,8 @@ OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, DECLARE_PEM_read(name, type) \ DECLARE_PEM_write_cb(name, type) -#if 1 /* "userdata": new with OpenSSL 0.9.4 */ typedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata); -#else -/* OpenSSL 0.9.3, 0.9.3a */ -typedef int pem_password_cb(char *buf, int size, int rwflag); -#endif OPENSSL_EXPORT int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher); OPENSSL_EXPORT int PEM_do_header (EVP_CIPHER_INFO *cipher, unsigned char *data,long *len, pem_password_cb *callback,void *u); @@ -415,7 +410,12 @@ OPENSSL_EXPORT void PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type); OPENSSL_EXPORT void PEM_SignUpdate(EVP_MD_CTX *ctx,unsigned char *d,unsigned int cnt); OPENSSL_EXPORT int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen, EVP_PKEY *pkey); -OPENSSL_EXPORT int PEM_def_callback(char *buf, int num, int w, void *key); +/* |PEM_def_callback| treats |userdata| as a string and copies it into |buf|, + * assuming its |size| is sufficient. Returns the length of the string, or 0 + * if there is not enough room. If either |buf| or |userdata| is NULL, 0 is + * returned. Note that this is different from OpenSSL, which prompts for a + * password. */ +OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag, void *userdata); OPENSSL_EXPORT void PEM_proc_type(char *buf, int type); OPENSSL_EXPORT void PEM_dek_info(char *buf, const char *type, int len, char *str); diff --git a/src/include/openssl/rand.h b/src/include/openssl/rand.h index 01ef4f8..300bf42 100644 --- a/src/include/openssl/rand.h +++ b/src/include/openssl/rand.h @@ -41,6 +41,9 @@ OPENSSL_EXPORT int RAND_pseudo_bytes(uint8_t *buf, size_t len); /* RAND_seed does nothing. */ OPENSSL_EXPORT void RAND_seed(const void *buf, int num); +/* RAND_load_file returns a nonnegative number. */ +OPENSSL_EXPORT int RAND_load_file(const char *path, long num); + /* RAND_add does nothing. */ OPENSSL_EXPORT void RAND_add(const void *buf, int num, double entropy); diff --git a/src/include/openssl/rsa.h b/src/include/openssl/rsa.h index 2e24231..9b415d7 100644 --- a/src/include/openssl/rsa.h +++ b/src/include/openssl/rsa.h @@ -475,7 +475,7 @@ struct rsa_st { BIGNUM *iqmp; /* be careful using this if the RSA structure is shared */ CRYPTO_EX_DATA ex_data; - int references; + CRYPTO_refcount_t references; int flags; CRYPTO_MUTEX lock; diff --git a/src/include/openssl/sha.h b/src/include/openssl/sha.h index 0e37c45..ac2ab75 100644 --- a/src/include/openssl/sha.h +++ b/src/include/openssl/sha.h @@ -120,7 +120,8 @@ OPENSSL_EXPORT int SHA224_Init(SHA256_CTX *sha); OPENSSL_EXPORT int SHA224_Update(SHA256_CTX *sha, const void *data, size_t len); /* SHA224_Final adds the final padding to |sha| and writes the resulting digest - * to |md|, which must have at least |SHA224_DIGEST_LENGTH| bytes of space. */ + * to |md|, which must have at least |SHA224_DIGEST_LENGTH| bytes of space. It + * returns one on success and zero on programmer error. */ OPENSSL_EXPORT int SHA224_Final(uint8_t *md, SHA256_CTX *sha); /* SHA224 writes the digest of |len| bytes from |data| to |out| and returns @@ -144,7 +145,8 @@ OPENSSL_EXPORT int SHA256_Init(SHA256_CTX *sha); OPENSSL_EXPORT int SHA256_Update(SHA256_CTX *sha, const void *data, size_t len); /* SHA256_Final adds the final padding to |sha| and writes the resulting digest - * to |md|, which must have at least |SHA256_DIGEST_LENGTH| bytes of space. */ + * to |md|, which must have at least |SHA256_DIGEST_LENGTH| bytes of space. It + * returns one on success and zero on programmer error. */ OPENSSL_EXPORT int SHA256_Final(uint8_t *md, SHA256_CTX *sha); /* SHA256 writes the digest of |len| bytes from |data| to |out| and returns @@ -179,7 +181,8 @@ OPENSSL_EXPORT int SHA384_Init(SHA512_CTX *sha); OPENSSL_EXPORT int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len); /* SHA384_Final adds the final padding to |sha| and writes the resulting digest - * to |md|, which must have at least |SHA384_DIGEST_LENGTH| bytes of space. */ + * to |md|, which must have at least |SHA384_DIGEST_LENGTH| bytes of space. It + * returns one on success and zero on programmer error. */ OPENSSL_EXPORT int SHA384_Final(uint8_t *md, SHA512_CTX *sha); /* SHA384 writes the digest of |len| bytes from |data| to |out| and returns @@ -207,7 +210,8 @@ OPENSSL_EXPORT int SHA512_Init(SHA512_CTX *sha); OPENSSL_EXPORT int SHA512_Update(SHA512_CTX *sha, const void *data, size_t len); /* SHA512_Final adds the final padding to |sha| and writes the resulting digest - * to |md|, which must have at least |SHA512_DIGEST_LENGTH| bytes of space. */ + * to |md|, which must have at least |SHA512_DIGEST_LENGTH| bytes of space. It + * returns one on success and zero on programmer error. */ OPENSSL_EXPORT int SHA512_Final(uint8_t *md, SHA512_CTX *sha); /* SHA512 writes the digest of |len| bytes from |data| to |out| and returns diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h index b746007..217dbaf 100644 --- a/src/include/openssl/ssl.h +++ b/src/include/openssl/ssl.h @@ -150,15 +150,13 @@ #include <openssl/hmac.h> #include <openssl/lhash.h> #include <openssl/pem.h> +#include <openssl/thread.h> #include <openssl/x509.h> #if !defined(OPENSSL_WINDOWS) #include <sys/time.h> #endif -/* Some code expected to get the threading functions by including ssl.h. */ -#include <openssl/thread.h> - /* wpa_supplicant expects to get the version functions from ssl.h */ #include <openssl/crypto.h> @@ -181,28 +179,6 @@ extern "C" { OPENSSL_EXPORT int SSL_library_init(void); -/* Protocol version constants */ - -#define SSL3_VERSION 0x0300 -#define SSL3_VERSION_MAJOR 0x03 -#define SSL3_VERSION_MINOR 0x00 - -#define TLS1_2_VERSION 0x0303 -#define TLS1_2_VERSION_MAJOR 0x03 -#define TLS1_2_VERSION_MINOR 0x03 - -#define TLS1_1_VERSION 0x0302 -#define TLS1_1_VERSION_MAJOR 0x03 -#define TLS1_1_VERSION_MINOR 0x02 - -#define TLS1_VERSION 0x0301 -#define TLS1_VERSION_MAJOR 0x03 -#define TLS1_VERSION_MINOR 0x01 - -#define DTLS1_VERSION 0xFEFF -#define DTLS1_2_VERSION 0xFEFD - - /* Cipher suites. */ /* An SSL_CIPHER represents a cipher suite. */ @@ -263,8 +239,9 @@ OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher); OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher); /* SSL_CIPHER_get_rfc_name returns a newly-allocated string with the standard - * name for |cipher|. For example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". The - * caller is responsible for calling |OPENSSL_free| on the result. */ + * name for |cipher| or NULL on error. For example, + * "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". The caller is responsible for + * calling |OPENSSL_free| on the result. */ OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher); /* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If @@ -274,6 +251,273 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits); +/* SSL contexts. */ + +/* An SSL_METHOD selects whether to use TLS or DTLS. */ +typedef struct ssl_method_st SSL_METHOD; + +/* TLS_method is the |SSL_METHOD| used for TLS (and SSLv3) connections. */ +OPENSSL_EXPORT const SSL_METHOD *TLS_method(void); + +/* DTLS_method is the |SSL_METHOD| used for DTLS connections. */ +OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void); + +/* SSL_CTX_new returns a newly-allocated |SSL_CTX| with default settings or NULL + * on error. An |SSL_CTX| manages shared state and configuration between + * multiple TLS or DTLS connections. */ +OPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); + +/* SSL_CTX_free releases memory associated with |ctx|. */ +OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *ctx); + + +/* SSL connections. */ + +/* SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. An + * |SSL| object represents a single TLS or DTLS connection. It inherits settings + * from |ctx| at the time of creation. Settings may also be individually + * configured on the connection. + * + * On creation, an |SSL| is not configured to be either a client or server. Call + * |SSL_set_connect_state| or |SSL_set_accept_state| to set this. */ +OPENSSL_EXPORT SSL *SSL_new(SSL_CTX *ctx); + +/* SSL_free releases memory associated with |ssl|. */ +OPENSSL_EXPORT void SSL_free(SSL *ssl); + +/* SSL_set_connect_state configures |ssl| to be a client. */ +OPENSSL_EXPORT void SSL_set_connect_state(SSL *ssl); + +/* SSL_set_accept_state configures |ssl| to be a server. */ +OPENSSL_EXPORT void SSL_set_accept_state(SSL *ssl); + + +/* Protocol versions. */ + +#define SSL3_VERSION_MAJOR 0x03 + +#define SSL3_VERSION 0x0300 +#define TLS1_VERSION 0x0301 +#define TLS1_1_VERSION 0x0302 +#define TLS1_2_VERSION 0x0303 + +#define DTLS1_VERSION 0xfeff +#define DTLS1_2_VERSION 0xfefd + +/* SSL_CTX_set_min_version sets the minimum protocol version for |ctx| to + * |version|. */ +OPENSSL_EXPORT void SSL_CTX_set_min_version(SSL_CTX *ctx, uint16_t version); + +/* SSL_CTX_set_max_version sets the maximum protocol version for |ctx| to + * |version|. */ +OPENSSL_EXPORT void SSL_CTX_set_max_version(SSL_CTX *ctx, uint16_t version); + +/* SSL_set_min_version sets the minimum protocol version for |ssl| to + * |version|. */ +OPENSSL_EXPORT void SSL_set_min_version(SSL *ssl, uint16_t version); + +/* SSL_set_max_version sets the maximum protocol version for |ssl| to + * |version|. */ +OPENSSL_EXPORT void SSL_set_max_version(SSL *ssl, uint16_t version); + + +/* Options. + * + * Options configure protocol behavior. */ + +/* SSL_OP_LEGACY_SERVER_CONNECT allows initial connections to servers that don't + * support the renegotiation_info extension (RFC 5746). It is on by default. */ +#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L + +/* SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER allows for record sizes |SSL3_RT_MAX_EXTRA| + * bytes above the maximum record size. */ +#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L + +/* SSL_OP_TLS_D5_BUG accepts an RSAClientKeyExchange in TLS encoded as in SSL3 + * (i.e. without a length prefix). */ +#define SSL_OP_TLS_D5_BUG 0x00000100L + +/* SSL_OP_ALL enables the above bug workarounds that are enabled by many + * consumers. + * TODO(davidben): Determine which of the remaining may be removed now. */ +#define SSL_OP_ALL 0x00000BFFL + +/* SSL_OP_NO_QUERY_MTU, in DTLS, disables querying the MTU from the underlying + * |BIO|. Instead, the MTU is configured with |SSL_set_mtu|. */ +#define SSL_OP_NO_QUERY_MTU 0x00001000L + +/* SSL_OP_NO_TICKET disables session ticket support (RFC 4507). */ +#define SSL_OP_NO_TICKET 0x00004000L + +/* SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION permits unsafe legacy renegotiation + * without renegotiation_info (RFC 5746) support. */ +#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L + +/* SSL_OP_CIPHER_SERVER_PREFERENCE configures servers to select ciphers and + * ECDHE curves according to the server's preferences instead of the + * client's. */ +#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L + +/* The following flags toggle individual protocol versions. This is deprecated. + * Use |SSL_CTX_set_min_version| and |SSL_CTX_set_max_version| instead. */ +#define SSL_OP_NO_SSLv3 0x02000000L +#define SSL_OP_NO_TLSv1 0x04000000L +#define SSL_OP_NO_TLSv1_2 0x08000000L +#define SSL_OP_NO_TLSv1_1 0x10000000L +#define SSL_OP_NO_DTLSv1 SSL_OP_NO_TLSv1 +#define SSL_OP_NO_DTLSv1_2 SSL_OP_NO_TLSv1_2 + +/* The following flags do nothing and are included only to make it easier to + * compile code with BoringSSL. */ +#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0 +#define SSL_OP_MICROSOFT_SESS_ID_BUG 0 +#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0 +#define SSL_OP_NO_COMPRESSION 0 +#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 +#define SSL_OP_NO_SSLv2 0 +#define SSL_OP_SINGLE_DH_USE 0 +#define SSL_OP_SINGLE_ECDH_USE 0 +#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0 +#define SSL_OP_TLS_BLOCK_PADDING_BUG 0 +#define SSL_OP_TLS_ROLLBACK_BUG 0 + +/* SSL_CTX_set_options enables all options set in |options| (which should be one + * or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a + * bitmask representing the resulting enabled options. */ +OPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options); + +/* SSL_CTX_clear_options disables all options set in |options| (which should be + * one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a + * bitmask representing the resulting enabled options. */ +OPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options); + +/* SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all + * the options enabled for |ctx|. */ +OPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx); + +/* SSL_set_options enables all options set in |options| (which should be one or + * more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask + * representing the resulting enabled options. */ +OPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options); + +/* SSL_clear_options disables all options set in |options| (which should be one + * or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a + * bitmask representing the resulting enabled options. */ +OPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options); + +/* SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the + * options enabled for |ssl|. */ +OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl); + + +/* Modes. + * + * Modes configure API behavior. */ + +/* SSL_MODE_ENABLE_PARTIAL_WRITE allows |SSL_write| to complete with a partial + * result when the only part of the input was written in a single record. */ +#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L + +/* SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER allows retrying an incomplete |SSL_write| + * with a different buffer. However, |SSL_write| still assumes the buffer + * contents are unchanged. This is not the default to avoid the misconception + * that non-blocking |SSL_write| behaves like non-blocking |write|. */ +#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L + +/* SSL_MODE_NO_AUTO_CHAIN disables automatically building a certificate chain + * before sending certificates to the peer. + * TODO(davidben): Remove this behavior. https://crbug.com/486295. */ +#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L + +/* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before + * receipt of CCS and Finished. This mode enables full-handshakes to 'complete' + * in one RTT. See draft-bmoeller-tls-falsestart-01. */ +#define SSL_MODE_ENABLE_FALSE_START 0x00000080L + +/* Deprecated: SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as + * SSL_MODE_ENABLE_FALSE_START. */ +#define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START + +/* SSL_MODE_CBC_RECORD_SPLITTING causes multi-byte CBC records in SSL 3.0 and + * TLS 1.0 to be split in two: the first record will contain a single byte and + * the second will contain the remainder. This effectively randomises the IV and + * prevents BEAST attacks. */ +#define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L + +/* SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to + * fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that + * session resumption is used for a given SSL*. */ +#define SSL_MODE_NO_SESSION_CREATION 0x00000200L + +/* SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello. + * To be set only by applications that reconnect with a downgraded protocol + * version; see https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05 + * for details. + * + * DO NOT ENABLE THIS if your application attempts a normal handshake. Only use + * this in explicit fallback retries, following the guidance in + * draft-ietf-tls-downgrade-scsv-05. */ +#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L + +/* The following flags do nothing and are included only to make it easier to + * compile code with BoringSSL. */ +#define SSL_MODE_AUTO_RETRY 0 +#define SSL_MODE_RELEASE_BUFFERS 0 +#define SSL_MODE_SEND_CLIENTHELLO_TIME 0 +#define SSL_MODE_SEND_SERVERHELLO_TIME 0 + +/* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more + * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask + * representing the resulting enabled modes. */ +OPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode); + +/* SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or + * more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a + * bitmask representing the resulting enabled modes. */ +OPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode); + +/* SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all + * the modes enabled for |ssl|. */ +OPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx); + +/* SSL_set_mode enables all modes set in |mode| (which should be one or more of + * the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask + * representing the resulting enabled modes. */ +OPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode); + +/* SSL_clear_mode disables all modes set in |mode| (which should be one or more + * of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask + * representing the resulting enabled modes. */ +OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode); + +/* SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the + * modes enabled for |ssl|. */ +OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl); + + +/* Connection information. */ + +/* SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value + * for |ssl| to |out| and sets |*out_len| to the number of bytes written. It + * returns one on success or zero on error. In general |max_out| should be at + * least 12. + * + * This function will always fail if the initial handshake has not completed. + * The tls-unique value will change after a renegotiation but, since + * renegotiations can be initiated by the server at any point, the higher-level + * protocol must either leave them disabled or define states in which the + * tls-unique value can be read. + * + * The tls-unique value is defined by + * https://tools.ietf.org/html/rfc5929#section-3.1. Due to a weakness in the + * TLS protocol, tls-unique is broken for resumed connections unless the + * Extended Master Secret extension is negotiated. Thus this function will + * return zero if |ssl| performed session resumption unless EMS was used when + * negotiating the original session. */ +OPENSSL_EXPORT int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, + size_t *out_len, size_t max_out); + + /* Underdocumented functions. * * Functions below here haven't been touched up and may be underdocumented. */ @@ -366,7 +610,6 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 #define SSL_FILETYPE_PEM X509_FILETYPE_PEM -typedef struct ssl_method_st SSL_METHOD; typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD; typedef struct ssl_session_st SSL_SESSION; typedef struct tls_sigalgs_st TLS_SIGALGS; @@ -414,7 +657,7 @@ struct ssl_session_st { * not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ - int references; + CRYPTO_refcount_t references; long timeout; long time; @@ -424,7 +667,7 @@ struct ssl_session_st { /* These are used to make removal of session-ids more efficient and to * implement a maximum cache size. */ - struct ssl_session_st *prev, *next; + SSL_SESSION *prev, *next; char *tlsext_hostname; /* RFC4507 info */ uint8_t *tlsext_tick; /* Session ticket */ @@ -454,86 +697,6 @@ struct ssl_session_st { char extended_master_secret; }; -/* SSL_OP_LEGACY_SERVER_CONNECT allows initial connection to servers that don't - * support RI */ -#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L - -/* SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER allows for record sizes SSL3_RT_MAX_EXTRA - * bytes above the maximum record size. */ -#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L - -/* SSL_OP_TLS_D5_BUG accepts an RSAClientKeyExchange in TLS encoded as SSL3, - * without a length prefix. */ -#define SSL_OP_TLS_D5_BUG 0x00000100L - -/* SSL_OP_ALL enables the above bug workarounds that should be rather harmless. - * */ -#define SSL_OP_ALL 0x00000BFFL - -/* DTLS options */ -#define SSL_OP_NO_QUERY_MTU 0x00001000L -/* Don't use RFC4507 ticket extension */ -#define SSL_OP_NO_TICKET 0x00004000L - -/* As server, disallow session resumption on renegotiation */ -#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L -/* Don't use compression even if supported */ -#define SSL_OP_NO_COMPRESSION 0x00020000L -/* Permit unsafe legacy renegotiation */ -#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L -/* SSL_OP_SINGLE_ECDH_USE does nothing. */ -#define SSL_OP_SINGLE_ECDH_USE 0x00080000L -/* SSL_OP_SINGLE_DH_USE does nothing. */ -#define SSL_OP_SINGLE_DH_USE 0x00100000L -/* Set on servers to choose the cipher according to the server's preferences */ -#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L -/* SSL_OP_TLS_ROLLBACK_BUG does nothing. */ -#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L - -/* Deprecated: Use SSL_CTX_set_min_version and SSL_CTX_set_max_version - * instead. */ -#define SSL_OP_NO_SSLv2 0x01000000L -#define SSL_OP_NO_SSLv3 0x02000000L -#define SSL_OP_NO_TLSv1 0x04000000L -#define SSL_OP_NO_TLSv1_2 0x08000000L -#define SSL_OP_NO_TLSv1_1 0x10000000L - -#define SSL_OP_NO_DTLSv1 SSL_OP_NO_TLSv1 -#define SSL_OP_NO_DTLSv1_2 SSL_OP_NO_TLSv1_2 - -#define SSL_OP_NO_SSL_MASK \ - (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \ - SSL_OP_NO_TLSv1_2) - -/* The following flags do nothing and are included only to make it easier to - * compile code with BoringSSL. */ -#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0 -#define SSL_OP_MICROSOFT_SESS_ID_BUG 0 -#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0 -#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0 -#define SSL_OP_TLS_BLOCK_PADDING_BUG 0 - -/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success when - * just a single record has been written): */ -#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L -/* Make it possible to retry SSL_write() with changed buffer location (buffer - * contents must stay the same!); this is not the default to avoid the - * misconception that non-blocking SSL_write() behaves like non-blocking - * write(): */ -#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L -/* Don't attempt to automatically build certificate chain */ -#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L - -/* The following flags do nothing and are included only to make it easier to - * compile code with BoringSSL. */ -#define SSL_MODE_AUTO_RETRY 0 -#define SSL_MODE_RELEASE_BUFFERS 0 - -/* Send the current time in the Random fields of the ClientHello and - * ServerHello records for compatibility with hypothetical implementations that - * require it. */ -#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L -#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L /* Cert related flags */ /* Many implementations ignore some aspects of the TLS standards such as @@ -552,92 +715,6 @@ struct ssl_session_st { /* Clear verification errors from queue */ #define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10 -/* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before - * receipt of CCS and Finished. This mode enables full-handshakes to 'complete' - * in one RTT. See draft-bmoeller-tls-falsestart-01. */ -#define SSL_MODE_ENABLE_FALSE_START 0x00000080L - -/* Deprecated: SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as - * SSL_MODE_ENABLE_FALSE_START. */ -#define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START - -/* When set, TLS 1.0 and SSLv3, multi-byte, CBC records will be split in two: - * the first record will contain a single byte and the second will contain the - * rest of the bytes. This effectively randomises the IV and prevents BEAST - * attacks. */ -#define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L - -/* SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to - * fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that - * session resumption is used for a given SSL*. */ -#define SSL_MODE_NO_SESSION_CREATION 0x00000200L - -/* SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello. - * To be set only by applications that reconnect with a downgraded protocol - * version; see https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05 - * for details. - * - * DO NOT ENABLE THIS if your application attempts a normal handshake. Only use - * this in explicit fallback retries, following the guidance in - * draft-ietf-tls-downgrade-scsv-05. */ -#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L - -/* SSL_CTX_set_options enables all options set in |options| (which should be one - * or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a - * bitmask representing the resulting enabled options. */ -OPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options); - -/* SSL_CTX_clear_options disables all options set in |options| (which should be - * one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a - * bitmask representing the resulting enabled options. */ -OPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options); - -/* SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all - * the options enabled for |ctx|. */ -OPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx); - -/* SSL_set_options enables all options set in |options| (which should be one or - * more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask - * representing the resulting enabled options. */ -OPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options); - -/* SSL_clear_options disables all options set in |options| (which should be one - * or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a - * bitmask representing the resulting enabled options. */ -OPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options); - -/* SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the - * options enabled for |ssl|. */ -OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl); - -/* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more - * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask - * representing the resulting enabled modes. */ -OPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode); - -/* SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or - * more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a - * bitmask representing the resulting enabled modes. */ -OPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode); - -/* SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all - * the modes enabled for |ssl|. */ -OPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx); - -/* SSL_set_mode enables all modes set in |mode| (which should be one or more of - * the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask - * representing the resulting enabled modes. */ -OPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode); - -/* SSL_clear_mode disables all modes set in |mode| (which should be one or more - * of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask - * representing the resulting enabled modes. */ -OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode); - -/* SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the - * modes enabled for |ssl|. */ -OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl); - /* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success * and zero on failure. */ OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu); @@ -646,22 +723,6 @@ OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu); * renegotiation (RFC 5746) and zero otherwise. */ OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl); -/* SSL_CTX_set_min_version sets the minimum protocol version for |ctx| to - * |version|. */ -OPENSSL_EXPORT void SSL_CTX_set_min_version(SSL_CTX *ctx, uint16_t version); - -/* SSL_CTX_set_max_version sets the maximum protocol version for |ctx| to - * |version|. */ -OPENSSL_EXPORT void SSL_CTX_set_max_version(SSL_CTX *ctx, uint16_t version); - -/* SSL_set_min_version sets the minimum protocol version for |ssl| to - * |version|. */ -OPENSSL_EXPORT void SSL_set_min_version(SSL *ssl, uint16_t version); - -/* SSL_set_max_version sets the maximum protocol version for |ssl| to - * |version|. */ -OPENSSL_EXPORT void SSL_set_max_version(SSL *ssl, uint16_t version); - /* SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|. * This callback will be called when sending or receiving low-level record * headers, complete handshake messages, ChangeCipherSpec, and alerts. @@ -690,7 +751,7 @@ OPENSSL_EXPORT void SSL_set_msg_callback( SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); -/* set_msg_callback_arg sets the |arg| parameter of the message callback. */ +/* SSL_set_msg_callback_arg sets the |arg| parameter of the message callback. */ OPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg); /* SSL_CTX_set_keylog_bio sets configures all SSL objects attached to |ctx| to @@ -762,7 +823,7 @@ struct ssl_comp_st { }; DECLARE_STACK_OF(SSL_COMP) -DECLARE_LHASH_OF(SSL_SESSION); +DECLARE_LHASH_OF(SSL_SESSION) /* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with * equal-preference groups. For TLS clients, the groups are moot because the @@ -803,6 +864,9 @@ struct ssl_cipher_preference_list_st { struct ssl_ctx_st { const SSL_PROTOCOL_METHOD *method; + /* lock is used to protect various operations on this object. */ + CRYPTO_MUTEX lock; + /* max_version is the maximum acceptable protocol version. If zero, the * maximum supported version, currently (D)TLS 1.2, is used. */ uint16_t max_version; @@ -819,13 +883,13 @@ struct ssl_ctx_st { * number is known at connect time and so the cipher list can be set then. */ struct ssl_cipher_preference_list_st *cipher_list_tls11; - struct x509_store_st /* X509_STORE */ *cert_store; + X509_STORE *cert_store; LHASH_OF(SSL_SESSION) *sessions; /* Most session-ids that will be cached, default is * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ unsigned long session_cache_size; - struct ssl_session_st *session_cache_head; - struct ssl_session_st *session_cache_tail; + SSL_SESSION *session_cache_head; + SSL_SESSION *session_cache_tail; /* handshakes_since_cache_flush is the number of successful handshakes since * the last cache flush. */ @@ -849,12 +913,12 @@ struct ssl_ctx_st { * remove_session_cb is not null, it will be called when a session-id is * removed from the cache. After the call, OpenSSL will SSL_SESSION_free() * it. */ - int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); - void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); - SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, uint8_t *data, int len, + int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess); + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess); + SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *data, int len, int *copy); - int references; + CRYPTO_refcount_t references; /* if defined, these override the X509_verify_cert() calls */ int (*app_verify_callback)(X509_STORE_CTX *, void *); @@ -896,7 +960,6 @@ struct ssl_ctx_st { uint32_t max_cert_list; struct cert_st /* CERT */ *cert; - int read_ahead; /* callback that allows applications to peek at protocol messages */ void (*msg_callback)(int write_p, int version, int content_type, @@ -1038,20 +1101,20 @@ OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx); OPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx); OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb( - SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess)); -OPENSSL_EXPORT int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, + SSL_CTX *ctx, int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess)); +OPENSSL_EXPORT int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess); OPENSSL_EXPORT void SSL_CTX_sess_set_remove_cb( SSL_CTX *ctx, - void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess)); + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess)); OPENSSL_EXPORT void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))( - struct ssl_ctx_st *ctx, SSL_SESSION *sess); + SSL_CTX *ctx, SSL_SESSION *sess); OPENSSL_EXPORT void SSL_CTX_sess_set_get_cb( SSL_CTX *ctx, - SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, uint8_t *data, int len, + SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *data, int len, int *copy)); OPENSSL_EXPORT SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))( - struct ssl_st *ssl, uint8_t *Data, int len, int *copy); + SSL *ssl, uint8_t *data, int len, int *copy); /* SSL_magic_pending_session_ptr returns a magic SSL_SESSION* which indicates * that the session isn't currently unavailable. SSL_get_error will then return * SSL_ERROR_PENDING_SESSION and the handshake can be retried later when the @@ -1076,16 +1139,16 @@ OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, /* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end * of a connection) to request SCTs from the server. See - * https://tools.ietf.org/html/rfc6962. Returns 1 on success. */ + * https://tools.ietf.org/html/rfc6962. It returns one. */ OPENSSL_EXPORT int SSL_enable_signed_cert_timestamps(SSL *ssl); /* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL * objects created from |ctx|. */ OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); -/* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end - * of a connection) to request a stapled OCSP response from the server. Returns - * 1 on success. */ +/* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a + * connection) to request a stapled OCSP response from the server. It returns + * one. */ OPENSSL_EXPORT int SSL_enable_ocsp_stapling(SSL *ssl); /* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects @@ -1165,7 +1228,8 @@ OPENSSL_EXPORT void SSL_enable_fastradio_padding(SSL *ssl, char on_off); /* SSL_set_reject_peer_renegotiations controls whether renegotiation attempts by * the peer are rejected. It may be set at any point in a connection's lifetime - * to disallow future renegotiations programmatically. */ + * to control future renegotiations programmatically. By default, renegotiations + * are rejected. (Renegotiations requested by a client are always rejected.) */ OPENSSL_EXPORT void SSL_set_reject_peer_renegotiations(SSL *ssl, int reject); /* the maximum length of the buffer given to callbacks containing the resulting @@ -1198,8 +1262,6 @@ OPENSSL_EXPORT int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, OPENSSL_EXPORT int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint); OPENSSL_EXPORT const char *SSL_get_psk_identity_hint(const SSL *s); OPENSSL_EXPORT const char *SSL_get_psk_identity(const SSL *s); -OPENSSL_EXPORT void ssl_update_cache(SSL *s, int mode); -OPENSSL_EXPORT int ssl_get_new_session(SSL *s, int session); #define SSL_NOTHING 1 #define SSL_WRITING 2 @@ -1267,12 +1329,6 @@ struct ssl_st { * the side is not determined. In this state, server is always false. */ int server; - - /* Generate a new session or reuse an old one. NB: For servers, the 'new' - * session may actually be a previously cached session or even the previous - * session unless SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ - int new_session; - /* quiet_shutdown is true if the connection should not send a close_notify on * shutdown. */ int quiet_shutdown; @@ -1295,9 +1351,6 @@ struct ssl_st { struct ssl3_state_st *s3; /* SSLv3 variables */ struct dtls1_state_st *d1; /* DTLSv1 variables */ - int read_ahead; /* Read as many input bytes as possible - * (for non-blocking reads) */ - /* callback that allows applications to peek at protocol messages */ void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); @@ -1415,18 +1468,14 @@ struct ssl_st { uint8_t *alpn_client_proto_list; unsigned alpn_client_proto_list_len; - int renegotiate; /* 1 if we are renegotiating. - * 2 if we are a server and are inside a handshake - * (i.e. not just sending a HelloRequest) */ - /* fastradio_padding, if true, causes ClientHellos to be padded to 1024 * bytes. This ensures that the cellular radio is fast forwarded to DCH (high * data rate) state in 3G networks. */ char fastradio_padding; - /* reject_peer_renegotiations, if one, causes causes renegotiation attempts - * from the peer to be rejected with a fatal error. */ - char reject_peer_renegotiations; + /* accept_peer_renegotiations, if one, accepts renegotiation attempts from the + * peer. Otherwise, they will be rejected with a fatal error. */ + char accept_peer_renegotiations; /* These fields are always NULL and exist only to keep wpa_supplicant happy * about the change to EVP_AEAD. They are only needed for EAP-FAST, which we @@ -1455,7 +1504,6 @@ struct ssl_st { #define SSL_ST_ACCEPT 0x2000 #define SSL_ST_MASK 0x0FFF #define SSL_ST_INIT (SSL_ST_CONNECT | SSL_ST_ACCEPT) -#define SSL_ST_BEFORE 0x4000 #define SSL_ST_OK 0x03 #define SSL_ST_RENEGOTIATE (0x04 | SSL_ST_INIT) @@ -1477,7 +1525,6 @@ struct ssl_st { #define SSL_get_state(a) SSL_state(a) #define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK) #define SSL_in_init(a) (SSL_state(a) & SSL_ST_INIT) -#define SSL_in_before(a) (SSL_state(a) & SSL_ST_BEFORE) #define SSL_in_connect_init(a) (SSL_state(a) & SSL_ST_CONNECT) #define SSL_in_accept_init(a) (SSL_state(a) & SSL_ST_ACCEPT) @@ -1504,6 +1551,7 @@ OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t coun #define SSL_VERIFY_NONE 0x00 #define SSL_VERIFY_PEER 0x01 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 +/* SSL_VERIFY_CLIENT_ONCE does nothing. */ #define SSL_VERIFY_CLIENT_ONCE 0x04 #define SSL_VERIFY_PEER_IF_NO_OBC 0x08 @@ -1804,24 +1852,22 @@ OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); OPENSSL_EXPORT int SSL_CTX_set_cipher_list_tls11(SSL_CTX *, const char *str); -OPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); -OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *); OPENSSL_EXPORT long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); OPENSSL_EXPORT long SSL_CTX_get_timeout(const SSL_CTX *ctx); OPENSSL_EXPORT X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); OPENSSL_EXPORT void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); OPENSSL_EXPORT int SSL_want(const SSL *s); -OPENSSL_EXPORT int SSL_clear(SSL *s); OPENSSL_EXPORT void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm); +/* SSL_get_current_cipher returns the cipher used in the current outgoing + * connection state, or NULL if the null cipher is active. */ OPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *s); OPENSSL_EXPORT int SSL_get_fd(const SSL *s); OPENSSL_EXPORT int SSL_get_rfd(const SSL *s); OPENSSL_EXPORT int SSL_get_wfd(const SSL *s); OPENSSL_EXPORT const char *SSL_get_cipher_list(const SSL *s, int n); -OPENSSL_EXPORT int SSL_get_read_ahead(const SSL *s); OPENSSL_EXPORT int SSL_pending(const SSL *s); OPENSSL_EXPORT int SSL_set_fd(SSL *s, int fd); OPENSSL_EXPORT int SSL_set_rfd(SSL *s, int fd); @@ -1830,7 +1876,6 @@ OPENSSL_EXPORT void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio); OPENSSL_EXPORT BIO *SSL_get_rbio(const SSL *s); OPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *s); OPENSSL_EXPORT int SSL_set_cipher_list(SSL *s, const char *str); -OPENSSL_EXPORT void SSL_set_read_ahead(SSL *s, int yes); OPENSSL_EXPORT int SSL_get_verify_mode(const SSL *s); OPENSSL_EXPORT int SSL_get_verify_depth(const SSL *s); OPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *s))(int, @@ -1984,7 +2029,6 @@ OPENSSL_EXPORT int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx, unsigned int sid_ctx_len); -OPENSSL_EXPORT SSL *SSL_new(SSL_CTX *ctx); OPENSSL_EXPORT int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, unsigned int sid_ctx_len); @@ -2000,7 +2044,6 @@ OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl); OPENSSL_EXPORT void SSL_certs_clear(SSL *s); -OPENSSL_EXPORT void SSL_free(SSL *ssl); OPENSSL_EXPORT int SSL_accept(SSL *ssl); OPENSSL_EXPORT int SSL_connect(SSL *ssl); OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num); @@ -2017,17 +2060,14 @@ OPENSSL_EXPORT const char *SSL_get_version(const SSL *s); * |sess|. For example, "TLSv1.2" or "SSLv3". */ OPENSSL_EXPORT const char *SSL_SESSION_get_version(const SSL_SESSION *sess); -/* TLS_method is the SSL_METHOD used for TLS (and SSLv3) connections. */ -OPENSSL_EXPORT const SSL_METHOD *TLS_method(void); - -/* DTLS_method is the SSL_METHOD used for DTLS connections. */ -OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void); - OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s); OPENSSL_EXPORT int SSL_do_handshake(SSL *s); -OPENSSL_EXPORT int SSL_renegotiate(SSL *s); -OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *s); + +/* SSL_renegotiate_pending returns one if |ssl| is in the middle of a + * renegotiation. */ +OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl); + OPENSSL_EXPORT int SSL_shutdown(SSL *s); OPENSSL_EXPORT const char *SSL_alert_type_string_long(int value); @@ -2045,16 +2085,12 @@ OPENSSL_EXPORT STACK_OF(X509_NAME) * OPENSSL_EXPORT int SSL_add_client_CA(SSL *ssl, X509 *x); OPENSSL_EXPORT int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x); -OPENSSL_EXPORT void SSL_set_connect_state(SSL *s); -OPENSSL_EXPORT void SSL_set_accept_state(SSL *s); - OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *s); OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk); OPENSSL_EXPORT X509 *SSL_get_certificate(const SSL *ssl); -OPENSSL_EXPORT /* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey( - const SSL *ssl); +OPENSSL_EXPORT EVP_PKEY *SSL_get_privatekey(const SSL *ssl); OPENSSL_EXPORT X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx); OPENSSL_EXPORT EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx); @@ -2082,7 +2118,6 @@ OPENSSL_EXPORT void SSL_set_info_callback(SSL *ssl, OPENSSL_EXPORT void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val); OPENSSL_EXPORT int SSL_state(const SSL *ssl); -OPENSSL_EXPORT void SSL_set_state(SSL *ssl, int state); OPENSSL_EXPORT void SSL_set_verify_result(SSL *ssl, long v); OPENSSL_EXPORT long SSL_get_verify_result(const SSL *ssl); @@ -2116,7 +2151,7 @@ OPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void); OPENSSL_EXPORT unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size); -/* SSL_CTX_sess_set_cache_size returns the maximum size of |ctx|'s session +/* SSL_CTX_sess_get_cache_size returns the maximum size of |ctx|'s session * cache. */ OPENSSL_EXPORT unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx); @@ -2140,11 +2175,6 @@ OPENSSL_EXPORT int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode); * |ctx| */ OPENSSL_EXPORT int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx); -/* TODO(davidben): Deprecate read_ahead functions after https://crbug.com/447431 - * is resolved. */ -OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx); -OPENSSL_EXPORT void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes); - /* SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer * certificate chain accepted by |ctx|. */ OPENSSL_EXPORT size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx); @@ -2310,6 +2340,13 @@ OPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void); OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void); OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void); +/* SSL_clear resets |ssl| to allow another connection and returns one on success + * or zero on failure. It returns most configuration state but releases memory + * associated with the current connection. + * + * Free |ssl| and create a new one instead. */ +OPENSSL_EXPORT int SSL_clear(SSL *ssl); + /* SSL_CTX_set_tmp_rsa_callback does nothing. */ OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback( SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength)); @@ -2370,6 +2407,24 @@ OPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa); /* SSL_set_tmp_rsa returns one. */ OPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa); +/* SSL_CTX_get_read_head returns zero. */ +OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx); + +/* SSL_CTX_set_read_ahead does nothing. */ +OPENSSL_EXPORT void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes); + +/* SSL_get_read_head returns zero. */ +OPENSSL_EXPORT int SSL_get_read_ahead(const SSL *s); + +/* SSL_set_read_ahead does nothing. */ +OPENSSL_EXPORT void SSL_set_read_ahead(SSL *s, int yes); + +/* SSL_renegotiate put an error on the error queue and returns zero. */ +OPENSSL_EXPORT int SSL_renegotiate(SSL *ssl); + +/* SSL_set_state does nothing. */ +OPENSSL_EXPORT void SSL_set_state(SSL *ssl, int state); + /* Android compatibility section. * @@ -2581,7 +2636,7 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused); #define SSL_F_dtls1_process_record 162 #define SSL_F_dtls1_read_bytes 163 #define SSL_F_dtls1_send_hello_verify_request 164 -#define SSL_F_dtls1_write_app_data_bytes 165 +#define SSL_F_dtls1_write_app_data 165 #define SSL_F_i2d_SSL_SESSION 166 #define SSL_F_ssl3_accept 167 #define SSL_F_ssl3_cert_verify_hash 169 @@ -2688,6 +2743,10 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused); #define SSL_F_SSL_set1_tls_channel_id 273 #define SSL_F_SSL_set_tlsext_host_name 274 #define SSL_F_ssl3_output_cert_chain 275 +#define SSL_F_SSL_AEAD_CTX_new 276 +#define SSL_F_SSL_AEAD_CTX_open 277 +#define SSL_F_SSL_AEAD_CTX_seal 278 +#define SSL_F_dtls1_seal_record 279 #define SSL_R_APP_DATA_IN_HANDSHAKE 100 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101 #define SSL_R_BAD_ALERT 102 @@ -2862,6 +2921,10 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused); #define SSL_R_FRAGMENT_MISMATCH 271 #define SSL_R_BUFFER_TOO_SMALL 272 #define SSL_R_OLD_SESSION_VERSION_NOT_RETURNED 273 +#define SSL_R_OUTPUT_ALIASES_INPUT 274 +#define SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION 275 +#define SSL_R_EMS_STATE_INCONSISTENT 276 +#define SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION 277 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 diff --git a/src/include/openssl/ssl3.h b/src/include/openssl/ssl3.h index 96f00cf..640a228 100644 --- a/src/include/openssl/ssl3.h +++ b/src/include/openssl/ssl3.h @@ -313,13 +313,23 @@ OPENSSL_COMPILE_ASSERT( #define SSL3_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ typedef struct ssl3_record_st { - /*r */ int type; /* type of record */ - /*rw*/ unsigned int length; /* How many bytes available */ - /*r */ unsigned int off; /* read/write offset into 'buf' */ - /*rw*/ uint8_t *data; /* pointer to the record data */ - /*rw*/ uint8_t *input; /* where the decode bytes are */ - /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ - /*r */ uint8_t seq_num[8]; /* sequence number, needed by DTLS1 */ + /* type is the record type. */ + uint8_t type; + /* length is the number of unconsumed bytes of |data|. */ + uint16_t length; + /* off is the number of consumed bytes of |data|. */ + uint16_t off; + /* data is a non-owning pointer to the record contents. The total length of + * the buffer is |off| + |length|. */ + uint8_t *data; + /* epoch, in DTLS, is the epoch number of the record. */ + uint16_t epoch; + /* seq_num, in DTLS, is the sequence number of the record. The top two bytes + * are always zero. + * + * TODO(davidben): This is confusing. They should include the epoch or the + * field should be six bytes. */ + uint8_t seq_num[8]; } SSL3_RECORD; typedef struct ssl3_buffer_st { @@ -366,6 +376,10 @@ typedef struct ssl3_state_st { * the version has not been negotiated yet. */ char have_version; + /* initial_handshake_complete is true if the initial handshake has + * completed. */ + char initial_handshake_complete; + /* sniff_buffer is used by the server in the initial handshake to read a * V2ClientHello before the record layer is initialized. */ BUF_MEM *sniff_buffer; @@ -375,7 +389,6 @@ typedef struct ssl3_state_st { SSL3_BUFFER wbuf; /* write IO goes into here */ SSL3_RECORD rrec; /* each decoded record goes in here */ - SSL3_RECORD wrec; /* goes out from here */ /* storage for Handshake protocol data received but not yet processed by * ssl3_read_bytes: */ @@ -405,9 +418,6 @@ typedef struct ssl3_state_st { int alert_dispatch; uint8_t send_alert[2]; - /* This flag is set when we should renegotiate ASAP, basically when there is - * no more data in the read or write buffers */ - int renegotiate; int total_renegotiations; /* State pertaining to the pending handshake. diff --git a/src/include/openssl/thread.h b/src/include/openssl/thread.h index f6e7529..568a858 100644 --- a/src/include/openssl/thread.h +++ b/src/include/openssl/thread.h @@ -90,56 +90,42 @@ typedef union crypto_mutex_st { } CRYPTO_MUTEX; #endif - -/* Functions to support multithreading. - * - * OpenSSL can safely be used in multi-threaded applications provided that at - * least |CRYPTO_set_locking_callback| is set. +/* CRYPTO_refcount_t is the type of a reference count. * - * The locking callback performs mutual exclusion. Rather than using a single - * lock for all, shared data-structures, OpenSSL requires that the locking - * callback support a fixed (at run-time) number of different locks, given by - * |CRYPTO_num_locks|. */ + * Since some platforms use C11 atomics to access this, it should have the + * _Atomic qualifier. However, this header is included by C++ programs as well + * as C code that might not set -std=c11. So, in practice, it's not possible to + * do that. Instead we statically assert that the size and native alignment of + * a plain uint32_t and an _Atomic uint32_t are equal in refcount_c11.c. */ +typedef uint32_t CRYPTO_refcount_t; -/* CRYPTO_num_locks returns the number of static locks that the callback - * function passed to |CRYPTO_set_locking_callback| must be able to handle. */ +/* Deprecated functions */ + +/* These defines do nothing but are provided to make old code easier to + * compile. */ +#define CRYPTO_LOCK 1 +#define CRYPTO_UNLOCK 2 +#define CRYPTO_READ 4 +#define CRYPTO_WRITE 8 + +/* CRYPTO_num_locks returns one. (This is non-zero that callers who allocate + * sizeof(lock) times this value don't get zero and then fail because malloc(0) + * returned NULL.) */ OPENSSL_EXPORT int CRYPTO_num_locks(void); -/* CRYPTO_set_locking_callback sets a callback function that implements locking - * on behalf of OpenSSL. The callback is called whenever OpenSSL needs to lock - * or unlock a lock, and locks are specified as a number between zero and - * |CRYPTO_num_locks()-1|. - * - * The mode argument to the callback is a bitwise-OR of either CRYPTO_LOCK or - * CRYPTO_UNLOCK, to denote the action, and CRYPTO_READ or CRYPTO_WRITE, to - * indicate the type of lock. The |file| and |line| arguments give the location - * in the OpenSSL source where the locking action originated. */ +/* CRYPTO_set_locking_callback does nothing. */ OPENSSL_EXPORT void CRYPTO_set_locking_callback( void (*func)(int mode, int lock_num, const char *file, int line)); -/* CRYPTO_set_add_lock_callback sets an optional callback which is used when - * OpenSSL needs to add a fixed amount to an integer. For example, this is used - * when maintaining reference counts. Normally the reference counts are - * maintained by performing the addition under a lock but, if this callback - * has been set, the application is free to implement the operation using - * faster methods (i.e. atomic operations). - * - * The callback is given a pointer to the integer to be altered (|num|), the - * amount to add to the integer (|amount|, which may be negative), the number - * of the lock which would have been taken to protect the operation and the - * position in the OpenSSL code where the operation originated. */ +/* CRYPTO_set_add_lock_callback does nothing. */ OPENSSL_EXPORT void CRYPTO_set_add_lock_callback(int (*func)( int *num, int amount, int lock_num, const char *file, int line)); -/* CRYPTO_get_lock_name returns the name of the lock given by |lock_num|. This - * can be used in a locking callback for debugging purposes. */ +/* CRYPTO_get_lock_name returns a fixed, dummy string. */ OPENSSL_EXPORT const char *CRYPTO_get_lock_name(int lock_num); - -/* Deprecated functions */ - -/* CRYPTO_THREADID_set_callback does nothing. */ +/* CRYPTO_THREADID_set_callback returns one. */ OPENSSL_EXPORT int CRYPTO_THREADID_set_callback( void (*threadid_func)(CRYPTO_THREADID *threadid)); @@ -154,81 +140,6 @@ OPENSSL_EXPORT void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr); OPENSSL_EXPORT void CRYPTO_THREADID_current(CRYPTO_THREADID *id); -/* Private functions: */ - -/* CRYPTO_get_locking_callback returns the callback, if any, that was most - * recently set using |CRYPTO_set_locking_callback|. */ -void (*CRYPTO_get_locking_callback(void))(int mode, int lock_num, - const char *file, int line); - -/* CRYPTO_get_add_lock_callback returns the callback, if any, that was most - * recently set using |CRYPTO_set_add_lock_callback|. */ -int (*CRYPTO_get_add_lock_callback(void))(int *num, int amount, int lock_num, - const char *file, int line); - -/* CRYPTO_lock locks or unlocks the lock specified by |lock_num| (one of - * |CRYPTO_LOCK_*|). Don't call this directly, rather use one of the - * CRYPTO_[rw]_(un)lock macros. */ -OPENSSL_EXPORT void CRYPTO_lock(int mode, int lock_num, const char *file, - int line); - -/* CRYPTO_add_lock adds |amount| to |*pointer|, protected by the lock specified - * by |lock_num|. It returns the new value of |*pointer|. Don't call this - * function directly, rather use the |CRYPTO_add| macro. */ -OPENSSL_EXPORT int CRYPTO_add_lock(int *pointer, int amount, int lock_num, - const char *file, int line); - -/* Lock IDs start from 1. CRYPTO_LOCK_INVALID_LOCK is an unused placeholder - * used to ensure no lock has ID 0. */ -#define CRYPTO_LOCK_LIST \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_INVALID_LOCK), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_BIO), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_DH), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_DSA), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EC), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EC_PRE_COMP), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_ERR), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EVP_PKEY), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EX_DATA), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_OBJ), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RAND), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_READDIR), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RSA), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RSA_BLINDING), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_SSL_CTX), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_SSL_SESSION), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_INFO), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_PKEY), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_CRL), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_REQ), \ - CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_STORE), \ - -#define CRYPTO_LOCK_ITEM(x) x - -enum { - CRYPTO_LOCK_LIST -}; - -#undef CRYPTO_LOCK_ITEM - -#define CRYPTO_LOCK 1 -#define CRYPTO_UNLOCK 2 -#define CRYPTO_READ 4 -#define CRYPTO_WRITE 8 - -#define CRYPTO_w_lock(lock_num) \ - CRYPTO_lock(CRYPTO_LOCK | CRYPTO_WRITE, lock_num, __FILE__, __LINE__) -#define CRYPTO_w_unlock(lock_num) \ - CRYPTO_lock(CRYPTO_UNLOCK | CRYPTO_WRITE, lock_num, __FILE__, __LINE__) -#define CRYPTO_r_lock(lock_num) \ - CRYPTO_lock(CRYPTO_LOCK | CRYPTO_READ, lock_num, __FILE__, __LINE__) -#define CRYPTO_r_unlock(lock_num) \ - CRYPTO_lock(CRYPTO_UNLOCK | CRYPTO_READ, lock_num, __FILE__, __LINE__) -#define CRYPTO_add(addr, amount, lock_num) \ - CRYPTO_add_lock(addr, amount, lock_num, __FILE__, __LINE__) - - /* Private functions. * * Some old code calls these functions and so no-op implementations are diff --git a/src/include/openssl/type_check.h b/src/include/openssl/type_check.h index dd59151..674913a 100644 --- a/src/include/openssl/type_check.h +++ b/src/include/openssl/type_check.h @@ -76,8 +76,12 @@ extern "C" { * was a pointer to |type|. */ #define CHECKED_PTR_OF(type, p) CHECKED_CAST(void*, type*, (p)) +#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L +#define OPENSSL_COMPILE_ASSERT(cond, msg) _Static_assert(cond, #msg) +#else #define OPENSSL_COMPILE_ASSERT(cond, msg) \ typedef char OPENSSL_COMPILE_ASSERT_##msg[((cond) ? 1 : -1)] +#endif #if defined(__cplusplus) diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h index ef1d7fb..69c7da6 100644 --- a/src/include/openssl/x509.h +++ b/src/include/openssl/x509.h @@ -73,13 +73,14 @@ #include <openssl/cipher.h> #include <openssl/dh.h> #include <openssl/dsa.h> -#include <openssl/ec.h> #include <openssl/ecdh.h> #include <openssl/ecdsa.h> +#include <openssl/ec.h> #include <openssl/evp.h> #include <openssl/rsa.h> #include <openssl/sha.h> #include <openssl/stack.h> +#include <openssl/thread.h> #ifdef __cplusplus extern "C" { @@ -204,7 +205,7 @@ typedef struct X509_req_st X509_REQ_INFO *req_info; X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; - int references; + CRYPTO_refcount_t references; } X509_REQ; typedef struct x509_cinf_st @@ -243,7 +244,7 @@ struct x509_st X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; int valid; - int references; + CRYPTO_refcount_t references; char *name; CRYPTO_EX_DATA ex_data; /* These contain copies of various extension values */ @@ -420,7 +421,7 @@ struct X509_crl_st X509_CRL_INFO *crl; X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; - int references; + CRYPTO_refcount_t references; int flags; /* Copies of various extensions */ AUTHORITY_KEYID *akid; @@ -457,8 +458,6 @@ typedef struct private_key_st /* expanded version of 'enc_algor' */ EVP_CIPHER_INFO cipher; - - int references; } X509_PKEY; #ifndef OPENSSL_NO_EVP @@ -472,7 +471,6 @@ typedef struct X509_info_st int enc_len; char *enc_data; - int references; } X509_INFO; DECLARE_STACK_OF(X509_INFO) diff --git a/src/include/openssl/x509_vfy.h b/src/include/openssl/x509_vfy.h index 299cad7..146e047 100644 --- a/src/include/openssl/x509_vfy.h +++ b/src/include/openssl/x509_vfy.h @@ -67,6 +67,7 @@ #include <openssl/bio.h> #include <openssl/lhash.h> +#include <openssl/thread.h> #ifdef __cplusplus extern "C" { @@ -183,6 +184,7 @@ struct x509_store_st /* The following is a cache of trusted certs */ int cache; /* if true, stash any hits */ STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ + CRYPTO_MUTEX objs_lock; /* These are external lookup methods */ STACK_OF(X509_LOOKUP) *get_cert_methods; @@ -202,7 +204,7 @@ struct x509_store_st STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); int (*cleanup)(X509_STORE_CTX *ctx); - int references; + CRYPTO_refcount_t references; } /* X509_STORE */; OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); |