Move structs to a 'Private structures' section in ssl.h.
To be consistent with some of the other headers and because SSL_METHOD
no longer has a place to anchor documentation, move the type
documentation up to the corresponding section headers, rather than
attached to a convenient function.
Also document thread-safety properties of SSL and SSL_CTX.
Change-Id: I7109d704d28dda3f5d83c72d86fe31bc302b816e
Reviewed-on: https://boringssl-review.googlesource.com/5876
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/base.h b/include/openssl/base.h
index 8468b77..9679c2f 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@@ -231,8 +231,10 @@
typedef struct sha256_state_st SHA256_CTX;
typedef struct sha512_state_st SHA512_CTX;
typedef struct sha_state_st SHA_CTX;
+typedef struct ssl_cipher_st SSL_CIPHER;
typedef struct ssl_ctx_st SSL_CTX;
typedef struct ssl_custom_extension SSL_CUSTOM_EXTENSION;
+typedef struct ssl_method_st SSL_METHOD;
typedef struct ssl_st SSL;
typedef struct st_ERR_FNS ERR_FNS;
typedef struct v3_ext_ctx X509V3_CTX;
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 06a32df..4498249 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -179,30 +179,9 @@
OPENSSL_EXPORT int SSL_library_init(void);
-/* Cipher suites. */
-
-/* An SSL_CIPHER represents a cipher suite. */
-typedef struct ssl_cipher_st {
- /* name is the OpenSSL name for the cipher. */
- const char *name;
- /* id is the cipher suite value bitwise OR-d with 0x03000000. */
- uint32_t id;
-
- /* The following are internal fields. See ssl/internal.h for their values. */
-
- uint32_t algorithm_mkey;
- uint32_t algorithm_auth;
- uint32_t algorithm_enc;
- uint32_t algorithm_mac;
- uint32_t algorithm_ssl;
- uint32_t algo_strength;
- uint32_t algorithm_prf;
-
- /* strength_bits is the strength of the cipher in bits. */
- int strength_bits;
- /* alg_bits is the number of bits of key material used by the algorithm. */
- int alg_bits;
-} SSL_CIPHER;
+/* Cipher suites.
+ *
+ * |SSL_CIPHER| objects represent cipher suites. */
DECLARE_STACK_OF(SSL_CIPHER)
@@ -255,10 +234,15 @@
int *out_alg_bits);
-/* SSL contexts. */
-
-/* An SSL_METHOD selects whether to use TLS or DTLS. */
-typedef struct ssl_method_st SSL_METHOD;
+/* SSL contexts.
+ *
+ * |SSL_CTX| objects manage shared state and configuration between multiple TLS
+ * or DTLS connections. Whether the connections are TLS or DTLS is selected by
+ * an |SSL_METHOD| on creation.
+ *
+ * |SSL_CTX| are reference-counted and may be shared by connections across
+ * multiple threads. Once shared, functions which change the |SSL_CTX|'s
+ * configuration may not be used. */
/* TLS_method is the |SSL_METHOD| used for TLS (and SSLv3) connections. */
OPENSSL_EXPORT const SSL_METHOD *TLS_method(void);
@@ -267,20 +251,22 @@
OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void);
/* SSL_CTX_new returns a newly-allocated |SSL_CTX| with default settings or NULL
- * on error. An |SSL_CTX| manages shared state and configuration between
- * multiple TLS or DTLS connections. */
+ * on error. */
OPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
/* SSL_CTX_free releases memory associated with |ctx|. */
OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *ctx);
-/* SSL connections. */
+/* SSL connections.
+ *
+ * An |SSL| object represents a single TLS or DTLS connection. Although the
+ * shared |SSL_CTX| is thread-safe, an |SSL| is not thread-safe and may only be
+ * used on one thread at a time. */
-/* SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. An
- * |SSL| object represents a single TLS or DTLS connection. It inherits settings
- * from |ctx| at the time of creation. Settings may also be individually
- * configured on the connection.
+/* SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. The new
+ * connection inherits settings from |ctx| at the time of creation. Settings may
+ * also be individually configured on the connection.
*
* On creation, an |SSL| is not configured to be either a client or server. Call
* |SSL_set_connect_state| or |SSL_set_accept_state| to set this. */
@@ -1200,7 +1186,11 @@
#define SSL_RECEIVED_SHUTDOWN 2
typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD;
+
+/* An SSL_SESSION represents an SSL session that may be resumed in an
+ * abbreviated handshake. */
typedef struct ssl_session_st SSL_SESSION;
+
typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
typedef struct ssl3_enc_method SSL3_ENC_METHOD;
@@ -1212,93 +1202,6 @@
DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
-/* An SSL_SESSION represents an SSL session that may be resumed in an
- * abbreviated handshake. */
-struct ssl_session_st {
- int ssl_version; /* what ssl version session info is being kept in here? */
-
- int master_key_length;
- uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH];
- /* session_id - valid? */
- unsigned int session_id_length;
- uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
- /* this is used to determine whether the session is being reused in
- * the appropriate context. It is up to the application to set this,
- * via SSL_new */
- unsigned int sid_ctx_length;
- uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-
- char *psk_identity;
- /* Used to indicate that session resumption is not allowed. Applications can
- * also set this bit for a new session via not_resumable_session_cb to
- * disable session caching and tickets. */
- int not_resumable;
-
- /* peer is the peer's certificate. */
- X509 *peer;
-
- /* cert_chain is the certificate chain sent by the peer. NOTE: for historical
- * reasons, when a client (so the peer is a server), the chain includes
- * |peer|, but when a server it does not. */
- STACK_OF(X509) *cert_chain;
-
- /* when app_verify_callback accepts a session where the peer's certificate is
- * not ok, we must remember the error for session reuse: */
- long verify_result; /* only for servers */
-
- CRYPTO_refcount_t references;
- long timeout;
- long time;
-
- const SSL_CIPHER *cipher;
-
- /* key_exchange_info contains an indication of the size of the asymmetric
- * primitive used in the handshake that created this session. In the event
- * that two asymmetric operations are used, this value applies to the one
- * that controls the confidentiality of the connection. Its interpretation
- * depends on the primitive that was used; as specified by the cipher suite:
- * DHE: the size, in bits, of the multiplicative group.
- * RSA: the size, in bits, of the modulus.
- * ECDHE: the TLS id for the curve.
- *
- * A zero indicates that the value is unknown. */
- uint32_t key_exchange_info;
-
- CRYPTO_EX_DATA ex_data; /* application specific data */
-
- /* These are used to make removal of session-ids more efficient and to
- * implement a maximum cache size. */
- SSL_SESSION *prev, *next;
- char *tlsext_hostname;
- /* RFC4507 info */
- uint8_t *tlsext_tick; /* Session ticket */
- size_t tlsext_ticklen; /* Session ticket length */
- uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
-
- size_t tlsext_signed_cert_timestamp_list_length;
- uint8_t *tlsext_signed_cert_timestamp_list; /* Server's list. */
-
- /* The OCSP response that came with the session. */
- size_t ocsp_response_length;
- uint8_t *ocsp_response;
-
- char peer_sha256_valid; /* Non-zero if peer_sha256 is valid */
- uint8_t
- peer_sha256[SHA256_DIGEST_LENGTH]; /* SHA256 of peer certificate */
-
- /* original_handshake_hash contains the handshake hash (either SHA-1+MD5 or
- * SHA-2, depending on TLS version) for the original, full handshake that
- * created a session. This is used by Channel IDs during resumption. */
- uint8_t original_handshake_hash[EVP_MAX_MD_SIZE];
- unsigned int original_handshake_hash_len;
-
- /* extended_master_secret is true if the master secret in this session was
- * generated using EMS and thus isn't vulnerable to the Triple Handshake
- * attack. */
- char extended_master_secret;
-};
-
-
/* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
* and zero on failure. */
OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
@@ -1409,290 +1312,6 @@
DECLARE_STACK_OF(SSL_COMP)
DECLARE_LHASH_OF(SSL_SESSION)
-/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
- * equal-preference groups. For TLS clients, the groups are moot because the
- * server picks the cipher and groups cannot be expressed on the wire. However,
- * for servers, the equal-preference groups allow the client's preferences to
- * be partially respected. (This only has an effect with
- * SSL_OP_CIPHER_SERVER_PREFERENCE).
- *
- * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
- * All elements of a group have the same priority: no ordering is expressed
- * within a group.
- *
- * The values in |ciphers| are in one-to-one correspondence with
- * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
- * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
- * indicate that the corresponding SSL_CIPHER is not the last element of a
- * group, or 0 to indicate that it is.
- *
- * For example, if |in_group_flags| contains all zeros then that indicates a
- * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
- * of the group (i.e. they are all in a one-element group).
- *
- * For a more complex example, consider:
- * ciphers: A B C D E F
- * in_group_flags: 1 1 0 0 1 0
- *
- * That would express the following, order:
- *
- * A E
- * B -> D -> F
- * C
- */
-struct ssl_cipher_preference_list_st {
- STACK_OF(SSL_CIPHER) *ciphers;
- uint8_t *in_group_flags;
-};
-
-struct ssl_ctx_st {
- const SSL_PROTOCOL_METHOD *method;
-
- /* lock is used to protect various operations on this object. */
- CRYPTO_MUTEX lock;
-
- /* max_version is the maximum acceptable protocol version. If zero, the
- * maximum supported version, currently (D)TLS 1.2, is used. */
- uint16_t max_version;
-
- /* min_version is the minimum acceptable protocl version. If zero, the
- * minimum supported version, currently SSL 3.0 and DTLS 1.0, is used */
- uint16_t min_version;
-
- struct ssl_cipher_preference_list_st *cipher_list;
- /* same as above but sorted for lookup */
- STACK_OF(SSL_CIPHER) *cipher_list_by_id;
-
- /* cipher_list_tls10 is the list of ciphers when TLS 1.0 or greater is in
- * use. This only applies to server connections as, for clients, the version
- * number is known at connect time and so the cipher list can be set then. If
- * |cipher_list_tls11| is non-NULL then this applies only to TLS 1.0
- * connections.
- *
- * TODO(agl): this exists to assist in the death of SSLv3. It can hopefully
- * be removed after that. */
- struct ssl_cipher_preference_list_st *cipher_list_tls10;
-
- /* cipher_list_tls11 is the list of ciphers when TLS 1.1 or greater is in
- * use. This only applies to server connections as, for clients, the version
- * number is known at connect time and so the cipher list can be set then. */
- struct ssl_cipher_preference_list_st *cipher_list_tls11;
-
- X509_STORE *cert_store;
- LHASH_OF(SSL_SESSION) *sessions;
- /* Most session-ids that will be cached, default is
- * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
- unsigned long session_cache_size;
- SSL_SESSION *session_cache_head;
- SSL_SESSION *session_cache_tail;
-
- /* handshakes_since_cache_flush is the number of successful handshakes since
- * the last cache flush. */
- int handshakes_since_cache_flush;
-
- /* This can have one of 2 values, ored together,
- * SSL_SESS_CACHE_CLIENT,
- * SSL_SESS_CACHE_SERVER,
- * Default is SSL_SESSION_CACHE_SERVER, which means only
- * SSL_accept which cache SSL_SESSIONS. */
- int session_cache_mode;
-
- /* If timeout is not 0, it is the default timeout value set when SSL_new() is
- * called. This has been put in to make life easier to set things up */
- long session_timeout;
-
- /* If this callback is not null, it will be called each time a session id is
- * added to the cache. If this function returns 1, it means that the
- * callback will do a SSL_SESSION_free() when it has finished using it.
- * Otherwise, on 0, it means the callback has finished with it. If
- * remove_session_cb is not null, it will be called when a session-id is
- * removed from the cache. After the call, OpenSSL will SSL_SESSION_free()
- * it. */
- int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess);
- void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess);
- SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *data, int len,
- int *copy);
-
- CRYPTO_refcount_t references;
-
- /* if defined, these override the X509_verify_cert() calls */
- int (*app_verify_callback)(X509_STORE_CTX *, void *);
- void *app_verify_arg;
- /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored ('app_verify_callback'
- * was called with just one argument) */
-
- /* Default password callback. */
- pem_password_cb *default_passwd_callback;
-
- /* Default password callback user data. */
- void *default_passwd_callback_userdata;
-
- /* get client cert callback */
- int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
-
- /* get channel id callback */
- void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey);
-
- CRYPTO_EX_DATA ex_data;
-
- /* custom_*_extensions stores any callback sets for custom extensions. Note
- * that these pointers will be NULL if the stack would otherwise be empty. */
- STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions;
- STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions;
-
- /* Default values used when no per-SSL value is defined follow */
-
- void (*info_callback)(const SSL *ssl, int type,
- int val); /* used if SSL's info_callback is NULL */
-
- /* what we put in client cert requests */
- STACK_OF(X509_NAME) *client_CA;
-
-
- /* Default values to use in SSL structures follow (these are copied by
- * SSL_new) */
-
- uint32_t options;
- uint32_t mode;
- uint32_t max_cert_list;
-
- struct cert_st /* CERT */ *cert;
-
- /* callback that allows applications to peek at protocol messages */
- void (*msg_callback)(int write_p, int version, int content_type,
- const void *buf, size_t len, SSL *ssl, void *arg);
- void *msg_callback_arg;
-
- int verify_mode;
- unsigned int sid_ctx_length;
- uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
- int (*default_verify_callback)(
- int ok, X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
-
- /* Default generate session ID callback. */
- GEN_SESSION_CB generate_session_id;
-
- X509_VERIFY_PARAM *param;
-
- /* select_certificate_cb is called before most ClientHello processing and
- * before the decision whether to resume a session is made. It may return one
- * to continue the handshake or zero to cause the handshake loop to return
- * with an error and cause SSL_get_error to return
- * SSL_ERROR_PENDING_CERTIFICATE. Note: when the handshake loop is resumed, it
- * will not call the callback a second time. */
- int (*select_certificate_cb)(const struct ssl_early_callback_ctx *);
-
- /* dos_protection_cb is called once the resumption decision for a ClientHello
- * has been made. It returns one to continue the handshake or zero to
- * abort. */
- int (*dos_protection_cb) (const struct ssl_early_callback_ctx *);
-
- /* quiet_shutdown is true if the connection should not send a close_notify on
- * shutdown. */
- int quiet_shutdown;
-
- /* Maximum amount of data to send in one fragment. actual record size can be
- * more than this due to padding and MAC overheads. */
- uint16_t max_send_fragment;
-
- /* TLS extensions servername callback */
- int (*tlsext_servername_callback)(SSL *, int *, void *);
- void *tlsext_servername_arg;
- /* RFC 4507 session ticket keys */
- uint8_t tlsext_tick_key_name[SSL_TICKET_KEY_NAME_LEN];
- uint8_t tlsext_tick_hmac_key[16];
- uint8_t tlsext_tick_aes_key[16];
- /* Callback to support customisation of ticket key setting */
- int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv,
- EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
-
- /* Server-only: psk_identity_hint is the default identity hint to send in
- * PSK-based key exchanges. */
- char *psk_identity_hint;
-
- unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
- char *identity,
- unsigned int max_identity_len,
- uint8_t *psk, unsigned int max_psk_len);
- unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
- uint8_t *psk, unsigned int max_psk_len);
-
-
- /* retain_only_sha256_of_client_certs is true if we should compute the SHA256
- * hash of the peer's certifiate and then discard it to save memory and
- * session space. Only effective on the server side. */
- char retain_only_sha256_of_client_certs;
-
- /* Next protocol negotiation information */
- /* (for experimental NPN extension). */
-
- /* For a server, this contains a callback function by which the set of
- * advertised protocols can be provided. */
- int (*next_protos_advertised_cb)(SSL *s, const uint8_t **buf,
- unsigned int *len, void *arg);
- void *next_protos_advertised_cb_arg;
- /* For a client, this contains a callback function that selects the
- * next protocol from the list provided by the server. */
- int (*next_proto_select_cb)(SSL *s, uint8_t **out, uint8_t *outlen,
- const uint8_t *in, unsigned int inlen, void *arg);
- void *next_proto_select_cb_arg;
-
- /* ALPN information
- * (we are in the process of transitioning from NPN to ALPN.) */
-
- /* For a server, this contains a callback function that allows the
- * server to select the protocol for the connection.
- * out: on successful return, this must point to the raw protocol
- * name (without the length prefix).
- * outlen: on successful return, this contains the length of |*out|.
- * in: points to the client's list of supported protocols in
- * wire-format.
- * inlen: the length of |in|. */
- int (*alpn_select_cb)(SSL *s, const uint8_t **out, uint8_t *outlen,
- const uint8_t *in, unsigned int inlen, void *arg);
- void *alpn_select_cb_arg;
-
- /* For a client, this contains the list of supported protocols in wire
- * format. */
- uint8_t *alpn_client_proto_list;
- unsigned alpn_client_proto_list_len;
-
- /* SRTP profiles we are willing to do from RFC 5764 */
- STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
-
- /* EC extension values inherited by SSL structure */
- size_t tlsext_ellipticcurvelist_length;
- uint16_t *tlsext_ellipticcurvelist;
-
- /* If true, a client will advertise the Channel ID extension and a server
- * will echo it. */
- char tlsext_channel_id_enabled;
- /* The client's Channel ID private key. */
- EVP_PKEY *tlsext_channel_id_private;
-
- /* If true, a client will request certificate timestamps. */
- char signed_cert_timestamps_enabled;
-
- /* Signed certificate timestamp list to be sent to the client, if requested */
- uint8_t *signed_cert_timestamp_list;
- size_t signed_cert_timestamp_list_length;
-
- /* If true, a client will request a stapled OCSP response. */
- char ocsp_stapling_enabled;
-
- /* OCSP response to be sent to the client, if requested. */
- uint8_t *ocsp_response;
- size_t ocsp_response_length;
-
- /* If not NULL, session key material will be logged to this BIO for debugging
- * purposes. The format matches NSS's and is readable by Wireshark. */
- BIO *keylog_bio;
-
- /* current_time_cb, if not NULL, is the function to use to get the current
- * time. It sets |*out_clock| to the current time. */
- void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock);
-};
-
OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
/* SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal
@@ -1878,193 +1497,6 @@
#define SSL_want_private_key_operation(s) \
(SSL_want(s) == SSL_PRIVATE_KEY_OPERATION)
-struct ssl_st {
- /* version is the protocol version. */
- int version;
-
- /* method is the method table corresponding to the current protocol (DTLS or
- * TLS). */
- const SSL_PROTOCOL_METHOD *method;
-
- /* enc_method is the method table corresponding to the current protocol
- * version. */
- const SSL3_ENC_METHOD *enc_method;
-
- /* max_version is the maximum acceptable protocol version. If zero, the
- * maximum supported version, currently (D)TLS 1.2, is used. */
- uint16_t max_version;
-
- /* min_version is the minimum acceptable protocl version. If zero, the
- * minimum supported version, currently SSL 3.0 and DTLS 1.0, is used */
- uint16_t min_version;
-
- /* There are 2 BIO's even though they are normally both the same. This is so
- * data can be read and written to different handlers */
-
- BIO *rbio; /* used by SSL_read */
- BIO *wbio; /* used by SSL_write */
- BIO *bbio; /* used during session-id reuse to concatenate
- * messages */
-
- /* This holds a variable that indicates what we were doing when a 0 or -1 is
- * returned. This is needed for non-blocking IO so we know what request
- * needs re-doing when in SSL_accept or SSL_connect */
- int rwstate;
-
- /* true when we are actually in SSL_accept() or SSL_connect() */
- int in_handshake;
- int (*handshake_func)(SSL *);
-
- /* Imagine that here's a boolean member "init" that is switched as soon as
- * SSL_set_{accept/connect}_state is called for the first time, so that
- * "state" and "handshake_func" are properly initialized. But as
- * handshake_func is == 0 until then, we use this test instead of an "init"
- * member. */
-
- /* server is true iff the this SSL* is the server half. Note: before the SSL*
- * is initialized by either SSL_set_accept_state or SSL_set_connect_state,
- * the side is not determined. In this state, server is always false. */
- int server;
-
- /* quiet_shutdown is true if the connection should not send a close_notify on
- * shutdown. */
- int quiet_shutdown;
-
- int shutdown; /* we have shut things down, 0x01 sent, 0x02
- * for received */
- int state; /* where we are */
-
- BUF_MEM *init_buf; /* buffer used during init */
- uint8_t *init_msg; /* pointer to handshake message body, set by
- ssl3_get_message() */
- int init_num; /* amount read/written */
- int init_off; /* amount read/written */
-
- struct ssl3_state_st *s3; /* SSLv3 variables */
- struct dtls1_state_st *d1; /* DTLSv1 variables */
-
- /* callback that allows applications to peek at protocol messages */
- void (*msg_callback)(int write_p, int version, int content_type,
- const void *buf, size_t len, SSL *ssl, void *arg);
- void *msg_callback_arg;
-
- int hit; /* reusing a previous session */
-
- X509_VERIFY_PARAM *param;
-
- /* crypto */
- struct ssl_cipher_preference_list_st *cipher_list;
- STACK_OF(SSL_CIPHER) *cipher_list_by_id;
-
- SSL_AEAD_CTX *aead_read_ctx;
- SSL_AEAD_CTX *aead_write_ctx;
-
- /* session info */
-
- /* client cert? */
- /* This is used to hold the server certificate used */
- struct cert_st /* CERT */ *cert;
-
- /* the session_id_context is used to ensure sessions are only reused
- * in the appropriate context */
- unsigned int sid_ctx_length;
- uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-
- /* This can also be in the session once a session is established */
- SSL_SESSION *session;
-
- /* Default generate session ID callback. */
- GEN_SESSION_CB generate_session_id;
-
- /* Used in SSL2 and SSL3 */
- int verify_mode; /* 0 don't care about verify failure.
- * 1 fail if verify fails */
- int (*verify_callback)(int ok,
- X509_STORE_CTX *ctx); /* fail if callback returns 0 */
-
- void (*info_callback)(const SSL *ssl, int type,
- int val); /* optional informational callback */
-
- /* Server-only: psk_identity_hint is the identity hint to send in
- * PSK-based key exchanges. */
- char *psk_identity_hint;
-
- unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
- char *identity,
- unsigned int max_identity_len,
- uint8_t *psk, unsigned int max_psk_len);
- unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
- uint8_t *psk, unsigned int max_psk_len);
-
- SSL_CTX *ctx;
-
- /* extra application data */
- long verify_result;
- CRYPTO_EX_DATA ex_data;
-
- /* for server side, keep the list of CA_dn we can use */
- STACK_OF(X509_NAME) *client_CA;
-
- uint32_t options; /* protocol behaviour */
- uint32_t mode; /* API behaviour */
- uint32_t max_cert_list;
- int client_version; /* what was passed, used for
- * SSLv3/TLS rollback check */
- uint16_t max_send_fragment;
- char *tlsext_hostname;
- /* RFC4507 session ticket expected to be received or sent */
- int tlsext_ticket_expected;
- size_t tlsext_ellipticcurvelist_length;
- uint16_t *tlsext_ellipticcurvelist; /* our list */
-
- SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */
-
- /* Next protocol negotiation. For the client, this is the protocol that we
- * sent in NextProtocol and is set when handling ServerHello extensions.
- *
- * For a server, this is the client's selected_protocol from NextProtocol and
- * is set when handling the NextProtocol message, before the Finished
- * message. */
- uint8_t *next_proto_negotiated;
- size_t next_proto_negotiated_len;
-
- /* srtp_profiles is the list of configured SRTP protection profiles for
- * DTLS-SRTP. */
- STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
-
- /* srtp_profile is the selected SRTP protection profile for
- * DTLS-SRTP. */
- const SRTP_PROTECTION_PROFILE *srtp_profile;
-
- /* Copied from the SSL_CTX. For a server, means that we'll accept Channel IDs
- * from clients. For a client, means that we'll advertise support. */
- char tlsext_channel_id_enabled;
- /* The client's Channel ID private key. */
- EVP_PKEY *tlsext_channel_id_private;
-
- /* Enable signed certificate time stamps. Currently client only. */
- char signed_cert_timestamps_enabled;
-
- /* ocsp_stapling_enabled is only used by client connections and indicates
- * whether OCSP stapling will be requested. */
- char ocsp_stapling_enabled;
-
- /* For a client, this contains the list of supported protocols in wire
- * format. */
- uint8_t *alpn_client_proto_list;
- unsigned alpn_client_proto_list_len;
-
- /* accept_peer_renegotiations, if one, accepts renegotiation attempts from the
- * peer. Otherwise, they will be rejected with a fatal error. */
- char accept_peer_renegotiations;
-
- /* These fields are always NULL and exist only to keep wpa_supplicant happy
- * about the change to EVP_AEAD. They are only needed for EAP-FAST, which we
- * don't support. */
- EVP_CIPHER_CTX *enc_read_ctx;
- EVP_MD_CTX *read_hash;
-};
-
/* compatibility */
#define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)arg))
#define SSL_get_app_data(s) (SSL_get_ex_data(s, 0))
@@ -2826,6 +2258,589 @@
OPENSSL_EXPORT void SSL_load_error_strings(void);
+/* Private structures.
+ *
+ * This structures are exposed for historical reasons, but access to them is
+ * deprecated. */
+
+struct ssl_cipher_st {
+ /* name is the OpenSSL name for the cipher. */
+ const char *name;
+ /* id is the cipher suite value bitwise OR-d with 0x03000000. */
+ uint32_t id;
+
+ /* The following are internal fields. See ssl/internal.h for their values. */
+
+ uint32_t algorithm_mkey;
+ uint32_t algorithm_auth;
+ uint32_t algorithm_enc;
+ uint32_t algorithm_mac;
+ uint32_t algorithm_ssl;
+ uint32_t algo_strength;
+ uint32_t algorithm_prf;
+
+ /* strength_bits is the strength of the cipher in bits. */
+ int strength_bits;
+ /* alg_bits is the number of bits of key material used by the algorithm. */
+ int alg_bits;
+};
+
+struct ssl_session_st {
+ int ssl_version; /* what ssl version session info is being kept in here? */
+
+ int master_key_length;
+ uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH];
+ /* session_id - valid? */
+ unsigned int session_id_length;
+ uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+ /* this is used to determine whether the session is being reused in
+ * the appropriate context. It is up to the application to set this,
+ * via SSL_new */
+ unsigned int sid_ctx_length;
+ uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+
+ char *psk_identity;
+ /* Used to indicate that session resumption is not allowed. Applications can
+ * also set this bit for a new session via not_resumable_session_cb to
+ * disable session caching and tickets. */
+ int not_resumable;
+
+ /* peer is the peer's certificate. */
+ X509 *peer;
+
+ /* cert_chain is the certificate chain sent by the peer. NOTE: for historical
+ * reasons, when a client (so the peer is a server), the chain includes
+ * |peer|, but when a server it does not. */
+ STACK_OF(X509) *cert_chain;
+
+ /* when app_verify_callback accepts a session where the peer's certificate is
+ * not ok, we must remember the error for session reuse: */
+ long verify_result; /* only for servers */
+
+ CRYPTO_refcount_t references;
+ long timeout;
+ long time;
+
+ const SSL_CIPHER *cipher;
+
+ /* key_exchange_info contains an indication of the size of the asymmetric
+ * primitive used in the handshake that created this session. In the event
+ * that two asymmetric operations are used, this value applies to the one
+ * that controls the confidentiality of the connection. Its interpretation
+ * depends on the primitive that was used; as specified by the cipher suite:
+ * DHE: the size, in bits, of the multiplicative group.
+ * RSA: the size, in bits, of the modulus.
+ * ECDHE: the TLS id for the curve.
+ *
+ * A zero indicates that the value is unknown. */
+ uint32_t key_exchange_info;
+
+ CRYPTO_EX_DATA ex_data; /* application specific data */
+
+ /* These are used to make removal of session-ids more efficient and to
+ * implement a maximum cache size. */
+ SSL_SESSION *prev, *next;
+ char *tlsext_hostname;
+ /* RFC4507 info */
+ uint8_t *tlsext_tick; /* Session ticket */
+ size_t tlsext_ticklen; /* Session ticket length */
+ uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
+
+ size_t tlsext_signed_cert_timestamp_list_length;
+ uint8_t *tlsext_signed_cert_timestamp_list; /* Server's list. */
+
+ /* The OCSP response that came with the session. */
+ size_t ocsp_response_length;
+ uint8_t *ocsp_response;
+
+ char peer_sha256_valid; /* Non-zero if peer_sha256 is valid */
+ uint8_t
+ peer_sha256[SHA256_DIGEST_LENGTH]; /* SHA256 of peer certificate */
+
+ /* original_handshake_hash contains the handshake hash (either SHA-1+MD5 or
+ * SHA-2, depending on TLS version) for the original, full handshake that
+ * created a session. This is used by Channel IDs during resumption. */
+ uint8_t original_handshake_hash[EVP_MAX_MD_SIZE];
+ unsigned int original_handshake_hash_len;
+
+ /* extended_master_secret is true if the master secret in this session was
+ * generated using EMS and thus isn't vulnerable to the Triple Handshake
+ * attack. */
+ char extended_master_secret;
+};
+
+/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
+ * equal-preference groups. For TLS clients, the groups are moot because the
+ * server picks the cipher and groups cannot be expressed on the wire. However,
+ * for servers, the equal-preference groups allow the client's preferences to
+ * be partially respected. (This only has an effect with
+ * SSL_OP_CIPHER_SERVER_PREFERENCE).
+ *
+ * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
+ * All elements of a group have the same priority: no ordering is expressed
+ * within a group.
+ *
+ * The values in |ciphers| are in one-to-one correspondence with
+ * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
+ * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
+ * indicate that the corresponding SSL_CIPHER is not the last element of a
+ * group, or 0 to indicate that it is.
+ *
+ * For example, if |in_group_flags| contains all zeros then that indicates a
+ * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
+ * of the group (i.e. they are all in a one-element group).
+ *
+ * For a more complex example, consider:
+ * ciphers: A B C D E F
+ * in_group_flags: 1 1 0 0 1 0
+ *
+ * That would express the following, order:
+ *
+ * A E
+ * B -> D -> F
+ * C
+ */
+struct ssl_cipher_preference_list_st {
+ STACK_OF(SSL_CIPHER) *ciphers;
+ uint8_t *in_group_flags;
+};
+
+struct ssl_ctx_st {
+ const SSL_PROTOCOL_METHOD *method;
+
+ /* lock is used to protect various operations on this object. */
+ CRYPTO_MUTEX lock;
+
+ /* max_version is the maximum acceptable protocol version. If zero, the
+ * maximum supported version, currently (D)TLS 1.2, is used. */
+ uint16_t max_version;
+
+ /* min_version is the minimum acceptable protocl version. If zero, the
+ * minimum supported version, currently SSL 3.0 and DTLS 1.0, is used */
+ uint16_t min_version;
+
+ struct ssl_cipher_preference_list_st *cipher_list;
+ /* same as above but sorted for lookup */
+ STACK_OF(SSL_CIPHER) *cipher_list_by_id;
+
+ /* cipher_list_tls10 is the list of ciphers when TLS 1.0 or greater is in
+ * use. This only applies to server connections as, for clients, the version
+ * number is known at connect time and so the cipher list can be set then. If
+ * |cipher_list_tls11| is non-NULL then this applies only to TLS 1.0
+ * connections.
+ *
+ * TODO(agl): this exists to assist in the death of SSLv3. It can hopefully
+ * be removed after that. */
+ struct ssl_cipher_preference_list_st *cipher_list_tls10;
+
+ /* cipher_list_tls11 is the list of ciphers when TLS 1.1 or greater is in
+ * use. This only applies to server connections as, for clients, the version
+ * number is known at connect time and so the cipher list can be set then. */
+ struct ssl_cipher_preference_list_st *cipher_list_tls11;
+
+ X509_STORE *cert_store;
+ LHASH_OF(SSL_SESSION) *sessions;
+ /* Most session-ids that will be cached, default is
+ * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
+ unsigned long session_cache_size;
+ SSL_SESSION *session_cache_head;
+ SSL_SESSION *session_cache_tail;
+
+ /* handshakes_since_cache_flush is the number of successful handshakes since
+ * the last cache flush. */
+ int handshakes_since_cache_flush;
+
+ /* This can have one of 2 values, ored together,
+ * SSL_SESS_CACHE_CLIENT,
+ * SSL_SESS_CACHE_SERVER,
+ * Default is SSL_SESSION_CACHE_SERVER, which means only
+ * SSL_accept which cache SSL_SESSIONS. */
+ int session_cache_mode;
+
+ /* If timeout is not 0, it is the default timeout value set when SSL_new() is
+ * called. This has been put in to make life easier to set things up */
+ long session_timeout;
+
+ /* If this callback is not null, it will be called each time a session id is
+ * added to the cache. If this function returns 1, it means that the
+ * callback will do a SSL_SESSION_free() when it has finished using it.
+ * Otherwise, on 0, it means the callback has finished with it. If
+ * remove_session_cb is not null, it will be called when a session-id is
+ * removed from the cache. After the call, OpenSSL will SSL_SESSION_free()
+ * it. */
+ int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess);
+ void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess);
+ SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *data, int len,
+ int *copy);
+
+ CRYPTO_refcount_t references;
+
+ /* if defined, these override the X509_verify_cert() calls */
+ int (*app_verify_callback)(X509_STORE_CTX *, void *);
+ void *app_verify_arg;
+ /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored ('app_verify_callback'
+ * was called with just one argument) */
+
+ /* Default password callback. */
+ pem_password_cb *default_passwd_callback;
+
+ /* Default password callback user data. */
+ void *default_passwd_callback_userdata;
+
+ /* get client cert callback */
+ int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+
+ /* get channel id callback */
+ void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey);
+
+ CRYPTO_EX_DATA ex_data;
+
+ /* custom_*_extensions stores any callback sets for custom extensions. Note
+ * that these pointers will be NULL if the stack would otherwise be empty. */
+ STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions;
+ STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions;
+
+ /* Default values used when no per-SSL value is defined follow */
+
+ void (*info_callback)(const SSL *ssl, int type,
+ int val); /* used if SSL's info_callback is NULL */
+
+ /* what we put in client cert requests */
+ STACK_OF(X509_NAME) *client_CA;
+
+
+ /* Default values to use in SSL structures follow (these are copied by
+ * SSL_new) */
+
+ uint32_t options;
+ uint32_t mode;
+ uint32_t max_cert_list;
+
+ struct cert_st /* CERT */ *cert;
+
+ /* callback that allows applications to peek at protocol messages */
+ void (*msg_callback)(int write_p, int version, int content_type,
+ const void *buf, size_t len, SSL *ssl, void *arg);
+ void *msg_callback_arg;
+
+ int verify_mode;
+ unsigned int sid_ctx_length;
+ uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+ int (*default_verify_callback)(
+ int ok, X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
+
+ /* Default generate session ID callback. */
+ GEN_SESSION_CB generate_session_id;
+
+ X509_VERIFY_PARAM *param;
+
+ /* select_certificate_cb is called before most ClientHello processing and
+ * before the decision whether to resume a session is made. It may return one
+ * to continue the handshake or zero to cause the handshake loop to return
+ * with an error and cause SSL_get_error to return
+ * SSL_ERROR_PENDING_CERTIFICATE. Note: when the handshake loop is resumed, it
+ * will not call the callback a second time. */
+ int (*select_certificate_cb)(const struct ssl_early_callback_ctx *);
+
+ /* dos_protection_cb is called once the resumption decision for a ClientHello
+ * has been made. It returns one to continue the handshake or zero to
+ * abort. */
+ int (*dos_protection_cb) (const struct ssl_early_callback_ctx *);
+
+ /* quiet_shutdown is true if the connection should not send a close_notify on
+ * shutdown. */
+ int quiet_shutdown;
+
+ /* Maximum amount of data to send in one fragment. actual record size can be
+ * more than this due to padding and MAC overheads. */
+ uint16_t max_send_fragment;
+
+ /* TLS extensions servername callback */
+ int (*tlsext_servername_callback)(SSL *, int *, void *);
+ void *tlsext_servername_arg;
+ /* RFC 4507 session ticket keys */
+ uint8_t tlsext_tick_key_name[SSL_TICKET_KEY_NAME_LEN];
+ uint8_t tlsext_tick_hmac_key[16];
+ uint8_t tlsext_tick_aes_key[16];
+ /* Callback to support customisation of ticket key setting */
+ int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv,
+ EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
+
+ /* Server-only: psk_identity_hint is the default identity hint to send in
+ * PSK-based key exchanges. */
+ char *psk_identity_hint;
+
+ unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
+ char *identity,
+ unsigned int max_identity_len,
+ uint8_t *psk, unsigned int max_psk_len);
+ unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
+ uint8_t *psk, unsigned int max_psk_len);
+
+
+ /* retain_only_sha256_of_client_certs is true if we should compute the SHA256
+ * hash of the peer's certifiate and then discard it to save memory and
+ * session space. Only effective on the server side. */
+ char retain_only_sha256_of_client_certs;
+
+ /* Next protocol negotiation information */
+ /* (for experimental NPN extension). */
+
+ /* For a server, this contains a callback function by which the set of
+ * advertised protocols can be provided. */
+ int (*next_protos_advertised_cb)(SSL *s, const uint8_t **buf,
+ unsigned int *len, void *arg);
+ void *next_protos_advertised_cb_arg;
+ /* For a client, this contains a callback function that selects the
+ * next protocol from the list provided by the server. */
+ int (*next_proto_select_cb)(SSL *s, uint8_t **out, uint8_t *outlen,
+ const uint8_t *in, unsigned int inlen, void *arg);
+ void *next_proto_select_cb_arg;
+
+ /* ALPN information
+ * (we are in the process of transitioning from NPN to ALPN.) */
+
+ /* For a server, this contains a callback function that allows the
+ * server to select the protocol for the connection.
+ * out: on successful return, this must point to the raw protocol
+ * name (without the length prefix).
+ * outlen: on successful return, this contains the length of |*out|.
+ * in: points to the client's list of supported protocols in
+ * wire-format.
+ * inlen: the length of |in|. */
+ int (*alpn_select_cb)(SSL *s, const uint8_t **out, uint8_t *outlen,
+ const uint8_t *in, unsigned int inlen, void *arg);
+ void *alpn_select_cb_arg;
+
+ /* For a client, this contains the list of supported protocols in wire
+ * format. */
+ uint8_t *alpn_client_proto_list;
+ unsigned alpn_client_proto_list_len;
+
+ /* SRTP profiles we are willing to do from RFC 5764 */
+ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+
+ /* EC extension values inherited by SSL structure */
+ size_t tlsext_ellipticcurvelist_length;
+ uint16_t *tlsext_ellipticcurvelist;
+
+ /* If true, a client will advertise the Channel ID extension and a server
+ * will echo it. */
+ char tlsext_channel_id_enabled;
+ /* The client's Channel ID private key. */
+ EVP_PKEY *tlsext_channel_id_private;
+
+ /* If true, a client will request certificate timestamps. */
+ char signed_cert_timestamps_enabled;
+
+ /* Signed certificate timestamp list to be sent to the client, if requested */
+ uint8_t *signed_cert_timestamp_list;
+ size_t signed_cert_timestamp_list_length;
+
+ /* If true, a client will request a stapled OCSP response. */
+ char ocsp_stapling_enabled;
+
+ /* OCSP response to be sent to the client, if requested. */
+ uint8_t *ocsp_response;
+ size_t ocsp_response_length;
+
+ /* If not NULL, session key material will be logged to this BIO for debugging
+ * purposes. The format matches NSS's and is readable by Wireshark. */
+ BIO *keylog_bio;
+
+ /* current_time_cb, if not NULL, is the function to use to get the current
+ * time. It sets |*out_clock| to the current time. */
+ void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock);
+};
+
+struct ssl_st {
+ /* version is the protocol version. */
+ int version;
+
+ /* method is the method table corresponding to the current protocol (DTLS or
+ * TLS). */
+ const SSL_PROTOCOL_METHOD *method;
+
+ /* enc_method is the method table corresponding to the current protocol
+ * version. */
+ const SSL3_ENC_METHOD *enc_method;
+
+ /* max_version is the maximum acceptable protocol version. If zero, the
+ * maximum supported version, currently (D)TLS 1.2, is used. */
+ uint16_t max_version;
+
+ /* min_version is the minimum acceptable protocl version. If zero, the
+ * minimum supported version, currently SSL 3.0 and DTLS 1.0, is used */
+ uint16_t min_version;
+
+ /* There are 2 BIO's even though they are normally both the same. This is so
+ * data can be read and written to different handlers */
+
+ BIO *rbio; /* used by SSL_read */
+ BIO *wbio; /* used by SSL_write */
+ BIO *bbio; /* used during session-id reuse to concatenate
+ * messages */
+
+ /* This holds a variable that indicates what we were doing when a 0 or -1 is
+ * returned. This is needed for non-blocking IO so we know what request
+ * needs re-doing when in SSL_accept or SSL_connect */
+ int rwstate;
+
+ /* true when we are actually in SSL_accept() or SSL_connect() */
+ int in_handshake;
+ int (*handshake_func)(SSL *);
+
+ /* Imagine that here's a boolean member "init" that is switched as soon as
+ * SSL_set_{accept/connect}_state is called for the first time, so that
+ * "state" and "handshake_func" are properly initialized. But as
+ * handshake_func is == 0 until then, we use this test instead of an "init"
+ * member. */
+
+ /* server is true iff the this SSL* is the server half. Note: before the SSL*
+ * is initialized by either SSL_set_accept_state or SSL_set_connect_state,
+ * the side is not determined. In this state, server is always false. */
+ int server;
+
+ /* quiet_shutdown is true if the connection should not send a close_notify on
+ * shutdown. */
+ int quiet_shutdown;
+
+ int shutdown; /* we have shut things down, 0x01 sent, 0x02
+ * for received */
+ int state; /* where we are */
+
+ BUF_MEM *init_buf; /* buffer used during init */
+ uint8_t *init_msg; /* pointer to handshake message body, set by
+ ssl3_get_message() */
+ int init_num; /* amount read/written */
+ int init_off; /* amount read/written */
+
+ struct ssl3_state_st *s3; /* SSLv3 variables */
+ struct dtls1_state_st *d1; /* DTLSv1 variables */
+
+ /* callback that allows applications to peek at protocol messages */
+ void (*msg_callback)(int write_p, int version, int content_type,
+ const void *buf, size_t len, SSL *ssl, void *arg);
+ void *msg_callback_arg;
+
+ int hit; /* reusing a previous session */
+
+ X509_VERIFY_PARAM *param;
+
+ /* crypto */
+ struct ssl_cipher_preference_list_st *cipher_list;
+ STACK_OF(SSL_CIPHER) *cipher_list_by_id;
+
+ SSL_AEAD_CTX *aead_read_ctx;
+ SSL_AEAD_CTX *aead_write_ctx;
+
+ /* session info */
+
+ /* client cert? */
+ /* This is used to hold the server certificate used */
+ struct cert_st /* CERT */ *cert;
+
+ /* the session_id_context is used to ensure sessions are only reused
+ * in the appropriate context */
+ unsigned int sid_ctx_length;
+ uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+
+ /* This can also be in the session once a session is established */
+ SSL_SESSION *session;
+
+ /* Default generate session ID callback. */
+ GEN_SESSION_CB generate_session_id;
+
+ /* Used in SSL2 and SSL3 */
+ int verify_mode; /* 0 don't care about verify failure.
+ * 1 fail if verify fails */
+ int (*verify_callback)(int ok,
+ X509_STORE_CTX *ctx); /* fail if callback returns 0 */
+
+ void (*info_callback)(const SSL *ssl, int type,
+ int val); /* optional informational callback */
+
+ /* Server-only: psk_identity_hint is the identity hint to send in
+ * PSK-based key exchanges. */
+ char *psk_identity_hint;
+
+ unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
+ char *identity,
+ unsigned int max_identity_len,
+ uint8_t *psk, unsigned int max_psk_len);
+ unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
+ uint8_t *psk, unsigned int max_psk_len);
+
+ SSL_CTX *ctx;
+
+ /* extra application data */
+ long verify_result;
+ CRYPTO_EX_DATA ex_data;
+
+ /* for server side, keep the list of CA_dn we can use */
+ STACK_OF(X509_NAME) *client_CA;
+
+ uint32_t options; /* protocol behaviour */
+ uint32_t mode; /* API behaviour */
+ uint32_t max_cert_list;
+ int client_version; /* what was passed, used for
+ * SSLv3/TLS rollback check */
+ uint16_t max_send_fragment;
+ char *tlsext_hostname;
+ /* RFC4507 session ticket expected to be received or sent */
+ int tlsext_ticket_expected;
+ size_t tlsext_ellipticcurvelist_length;
+ uint16_t *tlsext_ellipticcurvelist; /* our list */
+
+ SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */
+
+ /* Next protocol negotiation. For the client, this is the protocol that we
+ * sent in NextProtocol and is set when handling ServerHello extensions.
+ *
+ * For a server, this is the client's selected_protocol from NextProtocol and
+ * is set when handling the NextProtocol message, before the Finished
+ * message. */
+ uint8_t *next_proto_negotiated;
+ size_t next_proto_negotiated_len;
+
+ /* srtp_profiles is the list of configured SRTP protection profiles for
+ * DTLS-SRTP. */
+ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+
+ /* srtp_profile is the selected SRTP protection profile for
+ * DTLS-SRTP. */
+ const SRTP_PROTECTION_PROFILE *srtp_profile;
+
+ /* Copied from the SSL_CTX. For a server, means that we'll accept Channel IDs
+ * from clients. For a client, means that we'll advertise support. */
+ char tlsext_channel_id_enabled;
+ /* The client's Channel ID private key. */
+ EVP_PKEY *tlsext_channel_id_private;
+
+ /* Enable signed certificate time stamps. Currently client only. */
+ char signed_cert_timestamps_enabled;
+
+ /* ocsp_stapling_enabled is only used by client connections and indicates
+ * whether OCSP stapling will be requested. */
+ char ocsp_stapling_enabled;
+
+ /* For a client, this contains the list of supported protocols in wire
+ * format. */
+ uint8_t *alpn_client_proto_list;
+ unsigned alpn_client_proto_list_len;
+
+ /* accept_peer_renegotiations, if one, accepts renegotiation attempts from the
+ * peer. Otherwise, they will be rejected with a fatal error. */
+ char accept_peer_renegotiations;
+
+ /* These fields are always NULL and exist only to keep wpa_supplicant happy
+ * about the change to EVP_AEAD. They are only needed for EAP-FAST, which we
+ * don't support. */
+ EVP_CIPHER_CTX *enc_read_ctx;
+ EVP_MD_CTX *read_hash;
+};
+
+
/* Android compatibility section.
*
* These functions are declared, temporarily, for Android because
