1: /* ssl/ssl.h */ 2: /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3: * All rights reserved. 4: * 5: * This package is an SSL implementation written 6: * by Eric Young (eay@cryptsoft.com). 7: * The implementation was written so as to conform with Netscapes SSL. 8: * 9: * This library is free for commercial and non-commercial use as long as 10: * the following conditions are aheared to. The following conditions 11: * apply to all code found in this distribution, be it the RC4, RSA, 12: * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13: * included with this distribution is covered by the same copyright terms 14: * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15: * 16: * Copyright remains Eric Young's, and as such any Copyright notices in 17: * the code are not to be removed. 18: * If this package is used in a product, Eric Young should be given attribution 19: * as the author of the parts of the library used. 20: * This can be in the form of a textual message at program startup or 21: * in documentation (online or textual) provided with the package. 22: * 23: * Redistribution and use in source and binary forms, with or without 24: * modification, are permitted provided that the following conditions 25: * are met: 26: * 1. Redistributions of source code must retain the copyright 27: * notice, this list of conditions and the following disclaimer. 28: * 2. Redistributions in binary form must reproduce the above copyright 29: * notice, this list of conditions and the following disclaimer in the 30: * documentation and/or other materials provided with the distribution. 31: * 3. All advertising materials mentioning features or use of this software 32: * must display the following acknowledgement: 33: * "This product includes cryptographic software written by 34: * Eric Young (eay@cryptsoft.com)" 35: * The word 'cryptographic' can be left out if the rouines from the library 36: * being used are not cryptographic related :-). 37: * 4. If you include any Windows specific code (or a derivative thereof) from 38: * the apps directory (application code) you must include an acknowledgement: 39: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40: * 41: * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44: * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51: * SUCH DAMAGE. 52: * 53: * The licence and distribution terms for any publically available version or 54: * derivative of this code cannot be changed. i.e. this code cannot simply be 55: * copied and put under another distribution licence 56: * [including the GNU Public Licence.] 57: */ 58: /* ==================================================================== 59: * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 60: * 61: * Redistribution and use in source and binary forms, with or without 62: * modification, are permitted provided that the following conditions 63: * are met: 64: * 65: * 1. Redistributions of source code must retain the above copyright 66: * notice, this list of conditions and the following disclaimer. 67: * 68: * 2. Redistributions in binary form must reproduce the above copyright 69: * notice, this list of conditions and the following disclaimer in 70: * the documentation and/or other materials provided with the 71: * distribution. 72: * 73: * 3. All advertising materials mentioning features or use of this 74: * software must display the following acknowledgment: 75: * "This product includes software developed by the OpenSSL Project 76: * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77: * 78: * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79: * endorse or promote products derived from this software without 80: * prior written permission. For written permission, please contact 81: * openssl-core@openssl.org. 82: * 83: * 5. Products derived from this software may not be called "OpenSSL" 84: * nor may "OpenSSL" appear in their names without prior written 85: * permission of the OpenSSL Project. 86: * 87: * 6. Redistributions of any form whatsoever must retain the following 88: * acknowledgment: 89: * "This product includes software developed by the OpenSSL Project 90: * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91: * 92: * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93: * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95: * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96: * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97: * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99: * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103: * OF THE POSSIBILITY OF SUCH DAMAGE. 104: * ==================================================================== 105: * 106: * This product includes cryptographic software written by Eric Young 107: * (eay@cryptsoft.com). This product includes software written by Tim 108: * Hudson (tjh@cryptsoft.com). 109: * 110: */ 111: /* ==================================================================== 112: * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 113: * 114: * Redistribution and use in source and binary forms, with or without 115: * modification, are permitted provided that the following conditions 116: * are met: 117: * 118: * 1. Redistributions of source code must retain the above copyright 119: * notice, this list of conditions and the following disclaimer. 120: * 121: * 2. Redistributions in binary form must reproduce the above copyright 122: * notice, this list of conditions and the following disclaimer in 123: * the documentation and/or other materials provided with the 124: * distribution. 125: * 126: * 3. All advertising materials mentioning features or use of this 127: * software must display the following acknowledgment: 128: * "This product includes software developed by the OpenSSL Project 129: * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 130: * 131: * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 132: * endorse or promote products derived from this software without 133: * prior written permission. For written permission, please contact 134: * openssl-core@openssl.org. 135: * 136: * 5. Products derived from this software may not be called "OpenSSL" 137: * nor may "OpenSSL" appear in their names without prior written 138: * permission of the OpenSSL Project. 139: * 140: * 6. Redistributions of any form whatsoever must retain the following 141: * acknowledgment: 142: * "This product includes software developed by the OpenSSL Project 143: * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 144: * 145: * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 146: * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 147: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 148: * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 149: * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 150: * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 151: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 152: * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 153: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 154: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 155: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 156: * OF THE POSSIBILITY OF SUCH DAMAGE. 157: * ==================================================================== 158: * 159: * This product includes cryptographic software written by Eric Young 160: * (eay@cryptsoft.com). This product includes software written by Tim 161: * Hudson (tjh@cryptsoft.com). 162: * 163: */ 164: /* ==================================================================== 165: * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 166: * ECC cipher suite support in OpenSSL originally developed by 167: * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 168: */ 169: 170: #ifndef HEADER_SSL_H 171: #define HEADER_SSL_H 172: 173: #include <openssl/e_os2.h> 174: 175: #ifndef OPENSSL_NO_COMP 176: #include <openssl/comp.h> 177: #endif 178: #ifndef OPENSSL_NO_BIO 179: #include <openssl/bio.h> 180: #endif 181: #ifndef OPENSSL_NO_DEPRECATED 182: #ifndef OPENSSL_NO_X509 183: #include <openssl/x509.h> 184: #endif 185: #include <openssl/crypto.h> 186: #include <openssl/lhash.h> 187: #include <openssl/buffer.h> 188: #endif 189: #include <openssl/pem.h> 190: 191: #include <openssl/kssl.h> 192: #include <openssl/safestack.h> 193: #include <openssl/symhacks.h> 194: 195: #ifdef __cplusplus 196: extern "C" { 197: #endif 198: 199: /* SSLeay version number for ASN.1 encoding of the session information */ 200: /* Version 0 - initial version 201: * Version 1 - added the optional peer certificate 202: */ 203: #define SSL_SESSION_ASN1_VERSION 0x0001 204: 205: /* text strings for the ciphers */ 206: #define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5 207: #define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5 208: #define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 209: #define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5 210: #define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 211: #define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5 212: #define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5 213: #define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA 214: #define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 215: #define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA 216: 217: /* VRS Additional Kerberos5 entries 218: */ 219: #define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA 220: #define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA 221: #define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA 222: #define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA 223: #define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 224: #define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 225: #define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5 226: #define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 227: 228: #define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA 229: #define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA 230: #define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA 231: #define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 232: #define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5 233: #define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5 234: 235: #define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA 236: #define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 237: #define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA 238: #define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 239: #define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA 240: #define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 241: #define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256 242: 243: #define SSL_MAX_SSL_SESSION_ID_LENGTH 32 244: #define SSL_MAX_SID_CTX_LENGTH 32 245: 246: #define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8) 247: #define SSL_MAX_KEY_ARG_LENGTH 8 248: #define SSL_MAX_MASTER_KEY_LENGTH 48 249: 250: /* These are used to specify which ciphers to use and not to use */ 251: #define SSL_TXT_LOW "LOW" 252: #define SSL_TXT_MEDIUM "MEDIUM" 253: #define SSL_TXT_HIGH "HIGH" 254: #define SSL_TXT_kFZA "kFZA" 255: #define SSL_TXT_aFZA "aFZA" 256: #define SSL_TXT_eFZA "eFZA" 257: #define SSL_TXT_FZA "FZA" 258: 259: #define SSL_TXT_aNULL "aNULL" 260: #define SSL_TXT_eNULL "eNULL" 261: #define SSL_TXT_NULL "NULL" 262: 263: #define SSL_TXT_kKRB5 "kKRB5" 264: #define SSL_TXT_aKRB5 "aKRB5" 265: #define SSL_TXT_KRB5 "KRB5" 266: 267: #define SSL_TXT_kRSA "kRSA" 268: #define SSL_TXT_kDHr "kDHr" 269: #define SSL_TXT_kDHd "kDHd" 270: #define SSL_TXT_kEDH "kEDH" 271: #define SSL_TXT_aRSA "aRSA" 272: #define SSL_TXT_aDSS "aDSS" 273: #define SSL_TXT_aDH "aDH" 274: #define SSL_TXT_DSS "DSS" 275: #define SSL_TXT_DH "DH" 276: #define SSL_TXT_EDH "EDH" 277: #define SSL_TXT_ADH "ADH" 278: #define SSL_TXT_RSA "RSA" 279: #define SSL_TXT_DES "DES" 280: #define SSL_TXT_3DES "3DES" 281: #define SSL_TXT_RC4 "RC4" 282: #define SSL_TXT_RC2 "RC2" 283: #define SSL_TXT_IDEA "IDEA" 284: #define SSL_TXT_SEED "SEED" 285: #define SSL_TXT_AES "AES" 286: #define SSL_TXT_CAMELLIA "CAMELLIA" 287: #define SSL_TXT_MD5 "MD5" 288: #define SSL_TXT_SHA1 "SHA1" 289: #define SSL_TXT_SHA "SHA" 290: #define SSL_TXT_EXP "EXP" 291: #define SSL_TXT_EXPORT "EXPORT" 292: #define SSL_TXT_EXP40 "EXPORT40" 293: #define SSL_TXT_EXP56 "EXPORT56" 294: #define SSL_TXT_SSLV2 "SSLv2" 295: #define SSL_TXT_SSLV3 "SSLv3" 296: #define SSL_TXT_TLSV1 "TLSv1" 297: #define SSL_TXT_ALL "ALL" 298: #define SSL_TXT_ECC "ECCdraft" /* ECC ciphersuites are not yet official */ 299: 300: /* 301: * COMPLEMENTOF* definitions. These identifiers are used to (de-select) 302: * ciphers normally not being used. 303: * Example: "RC4" will activate all ciphers using RC4 including ciphers 304: * without authentication, which would normally disabled by DEFAULT (due 305: * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" 306: * will make sure that it is also disabled in the specific selection. 307: * COMPLEMENTOF* identifiers are portable between version, as adjustments 308: * to the default cipher setup will also be included here. 309: * 310: * COMPLEMENTOFDEFAULT does not experience the same special treatment that 311: * DEFAULT gets, as only selection is being done and no sorting as needed 312: * for DEFAULT. 313: */ 314: #define SSL_TXT_CMPALL "COMPLEMENTOFALL" 315: #define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" 316: 317: /* The following cipher list is used by default. 318: * It also is substituted when an application-defined cipher list string 319: * starts with 'DEFAULT'. */ 320: #define SSL_DEFAULT_CIPHER_LIST "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ 321: 322: /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ 323: #define SSL_SENT_SHUTDOWN 1 324: #define SSL_RECEIVED_SHUTDOWN 2 325: 326: #ifdef __cplusplus 327: } 328: #endif 329: 330: #ifdef __cplusplus 331: extern "C" { 332: #endif 333: 334: #if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2) 335: #define OPENSSL_NO_SSL2 336: #endif 337: 338: #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 339: #define SSL_FILETYPE_PEM X509_FILETYPE_PEM 340: 341: /* This is needed to stop compilers complaining about the 342: * 'struct ssl_st *' function parameters used to prototype callbacks 343: * in SSL_CTX. */ 344: typedef struct ssl_st *ssl_crock_st; 345: 346: /* used to hold info on the particular ciphers used */ 347: typedef struct ssl_cipher_st 348: { 349: int valid; 350: const char *name; /* text name */ 351: unsigned long id; /* id, 4 bytes, first is version */ 352: unsigned long algorithms; /* what ciphers are used */ 353: unsigned long algo_strength; /* strength and export flags */ 354: unsigned long algorithm2; /* Extra flags */ 355: int strength_bits; /* Number of bits really used */ 356: int alg_bits; /* Number of bits for algorithm */ 357: unsigned long mask; /* used for matching */ 358: unsigned long mask_strength; /* also used for matching */ 359: } SSL_CIPHER; 360: 361: DECLARE_STACK_OF(SSL_CIPHER) 362: 363: typedef struct ssl_st SSL; 364: typedef struct ssl_ctx_st SSL_CTX; 365: 366: /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ 367: typedef struct ssl_method_st 368: { 369: int version; 370: int (*ssl_new)(SSL *s); 371: void (*ssl_clear)(SSL *s); 372: void (*ssl_free)(SSL *s); 373: int (*ssl_accept)(SSL *s); 374: int (*ssl_connect)(SSL *s); 375: int (*ssl_read)(SSL *s,void *buf,int len); 376: int (*ssl_peek)(SSL *s,void *buf,int len); 377: int (*ssl_write)(SSL *s,const void *buf,int len); 378: int (*ssl_shutdown)(SSL *s); 379: int (*ssl_renegotiate)(SSL *s); 380: int (*ssl_renegotiate_check)(SSL *s); 381: long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, long 382: max, int *ok); 383: int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len, 384: int peek); 385: int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len); 386: int (*ssl_dispatch_alert)(SSL *s); 387: long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg); 388: long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg); 389: SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); 390: int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr); 391: int (*ssl_pending)(const SSL *s); 392: int (*num_ciphers)(void); 393: SSL_CIPHER *(*get_cipher)(unsigned ncipher); 394: struct ssl_method_st *(*get_ssl_method)(int version); 395: long (*get_timeout)(void); 396: struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ 397: int (*ssl_version)(void); 398: long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void)); 399: long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void)); 400: } SSL_METHOD; 401: 402: /* Lets make this into an ASN.1 type structure as follows 403: * SSL_SESSION_ID ::= SEQUENCE { 404: * version INTEGER, -- structure version number 405: * SSLversion INTEGER, -- SSL version number 406: * Cipher OCTET_STRING, -- the 3 byte cipher ID 407: * Session_ID OCTET_STRING, -- the Session ID 408: * Master_key OCTET_STRING, -- the master key 409: * KRB5_principal OCTET_STRING -- optional Kerberos principal 410: * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument 411: * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time 412: * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds 413: * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate 414: * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context 415: * Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer' 416: * Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX 417: * } 418: * Look in ssl/ssl_asn1.c for more details 419: * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). 420: */ 421: typedef struct ssl_session_st 422: { 423: int ssl_version; /* what ssl version session info is 424: * being kept in here? */ 425: 426: /* only really used in SSLv2 */ 427: unsigned int key_arg_length; 428: unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; 429: int master_key_length; 430: unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; 431: /* session_id - valid? */ 432: unsigned int session_id_length; 433: unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; 434: /* this is used to determine whether the session is being reused in 435: * the appropriate context. It is up to the application to set this, 436: * via SSL_new */ 437: unsigned int sid_ctx_length; 438: unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 439: 440: #ifndef OPENSSL_NO_KRB5 441: unsigned int krb5_client_princ_len; 442: unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH]; 443: #endif /* OPENSSL_NO_KRB5 */ 444: 445: int not_resumable; 446: 447: /* The cert is the certificate used to establish this connection */ 448: struct sess_cert_st /* SESS_CERT */ *sess_cert; 449: 450: /* This is the cert for the other end. 451: * On clients, it will be the same as sess_cert->peer_key->x509 452: * (the latter is not enough as sess_cert is not retained 453: * in the external representation of sessions, see ssl_asn1.c). */ 454: X509 *peer; 455: /* when app_verify_callback accepts a session where the peer's certificate 456: * is not ok, we must remember the error for session reuse: */ 457: long verify_result; /* only for servers */ 458: 459: int references; 460: long timeout; 461: long time; 462: 463: int compress_meth; /* Need to lookup the method */ 464: 465: SSL_CIPHER *cipher; 466: unsigned long cipher_id; /* when ASN.1 loaded, this 467: * needs to be used to load 468: * the 'cipher' structure */ 469: 470: STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ 471: 472: CRYPTO_EX_DATA ex_data; /* application specific data */ 473: 474: /* These are used to make removal of session-ids more 475: * efficient and to implement a maximum cache size. */ 476: struct ssl_session_st *prev,*next; 477: #ifndef OPENSSL_NO_TLSEXT 478: char *tlsext_hostname; 479: /* RFC4507 info */ 480: unsigned char *tlsext_tick; /* Session ticket */ 481: size_t tlsext_ticklen; /* Session ticket length */ 482: long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ 483: #endif 484: } SSL_SESSION; 485: 486: 487: #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L 488: #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L 489: #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L 490: #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L 491: #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L 492: #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ 493: #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L 494: #define SSL_OP_TLS_D5_BUG 0x00000100L 495: #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L 496: 497: /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added 498: * in OpenSSL 0.9.6d. Usually (depending on the application protocol) 499: * the workaround is not needed. Unfortunately some broken SSL/TLS 500: * implementations cannot handle it at all, which is why we include 501: * it in SSL_OP_ALL. */ 502: #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */ 503: 504: /* SSL_OP_ALL: various bug workarounds that should be rather harmless. 505: * This used to be 0x000FFFFFL before 0.9.7. */ 506: #define SSL_OP_ALL 0x00000FFFL 507: 508: /* DTLS options */ 509: #define SSL_OP_NO_QUERY_MTU 0x00001000L 510: /* Turn on Cookie Exchange (on relevant for servers) */ 511: #define SSL_OP_COOKIE_EXCHANGE 0x00002000L 512: /* Don't use RFC4507 ticket extension */ 513: #define SSL_OP_NO_TICKET 0x00004000L 514: 515: /* As server, disallow session resumption on renegotiation */ 516: #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L 517: /* If set, always create a new key when using tmp_ecdh parameters */ 518: #define SSL_OP_SINGLE_ECDH_USE 0x00080000L 519: /* If set, always create a new key when using tmp_dh parameters */ 520: #define SSL_OP_SINGLE_DH_USE 0x00100000L 521: /* Set to always use the tmp_rsa key when doing RSA operations, 522: * even when this violates protocol specs */ 523: #define SSL_OP_EPHEMERAL_RSA 0x00200000L 524: /* Set on servers to choose the cipher according to the server's 525: * preferences */ 526: #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L