Hide SSL struct.
BUG=6 Change-Id: I5383ad230f1fdc54f9536c9922bfbf991401a00c Reviewed-on: https://boringssl-review.googlesource.com/13632 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
parent
2f82a0e51b
commit
3f2611a98f
@ -4115,171 +4115,6 @@ struct ssl_ctx_st {
|
|||||||
int freelist_max_len;
|
int freelist_max_len;
|
||||||
};
|
};
|
||||||
|
|
||||||
typedef struct ssl_handshake_st SSL_HANDSHAKE;
|
|
||||||
|
|
||||||
struct ssl_st {
|
|
||||||
/* method is the method table corresponding to the current protocol (DTLS or
|
|
||||||
* TLS). */
|
|
||||||
const SSL_PROTOCOL_METHOD *method;
|
|
||||||
|
|
||||||
/* version is the protocol version. */
|
|
||||||
int version;
|
|
||||||
|
|
||||||
/* max_version is the maximum acceptable protocol version. Note this version
|
|
||||||
* is normalized in DTLS. */
|
|
||||||
uint16_t max_version;
|
|
||||||
|
|
||||||
/* min_version is the minimum acceptable protocol version. Note this version
|
|
||||||
* is normalized in DTLS. */
|
|
||||||
uint16_t min_version;
|
|
||||||
|
|
||||||
uint16_t max_send_fragment;
|
|
||||||
|
|
||||||
/* There are 2 BIO's even though they are normally both the same. This is so
|
|
||||||
* data can be read and written to different handlers */
|
|
||||||
|
|
||||||
BIO *rbio; /* used by SSL_read */
|
|
||||||
BIO *wbio; /* used by SSL_write */
|
|
||||||
|
|
||||||
int (*handshake_func)(SSL_HANDSHAKE *hs);
|
|
||||||
|
|
||||||
BUF_MEM *init_buf; /* buffer used during init */
|
|
||||||
|
|
||||||
/* init_msg is a pointer to the current handshake message body. */
|
|
||||||
const uint8_t *init_msg;
|
|
||||||
/* init_num is the length of the current handshake message body. */
|
|
||||||
uint32_t init_num;
|
|
||||||
|
|
||||||
struct ssl3_state_st *s3; /* SSLv3 variables */
|
|
||||||
struct dtls1_state_st *d1; /* DTLSv1 variables */
|
|
||||||
|
|
||||||
/* callback that allows applications to peek at protocol messages */
|
|
||||||
void (*msg_callback)(int write_p, int version, int content_type,
|
|
||||||
const void *buf, size_t len, SSL *ssl, void *arg);
|
|
||||||
void *msg_callback_arg;
|
|
||||||
|
|
||||||
X509_VERIFY_PARAM *param;
|
|
||||||
|
|
||||||
/* crypto */
|
|
||||||
struct ssl_cipher_preference_list_st *cipher_list;
|
|
||||||
|
|
||||||
/* session info */
|
|
||||||
|
|
||||||
/* client cert? */
|
|
||||||
/* This is used to hold the server certificate used */
|
|
||||||
struct cert_st /* CERT */ *cert;
|
|
||||||
|
|
||||||
/* This holds a variable that indicates what we were doing when a 0 or -1 is
|
|
||||||
* returned. This is needed for non-blocking IO so we know what request
|
|
||||||
* needs re-doing when in SSL_accept or SSL_connect */
|
|
||||||
int rwstate;
|
|
||||||
|
|
||||||
/* initial_timeout_duration_ms is the default DTLS timeout duration in
|
|
||||||
* milliseconds. It's used to initialize the timer any time it's restarted. */
|
|
||||||
unsigned initial_timeout_duration_ms;
|
|
||||||
|
|
||||||
/* the session_id_context is used to ensure sessions are only reused
|
|
||||||
* in the appropriate context */
|
|
||||||
uint8_t sid_ctx_length;
|
|
||||||
uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
|
|
||||||
|
|
||||||
/* session is the configured session to be offered by the client. This session
|
|
||||||
* is immutable. */
|
|
||||||
SSL_SESSION *session;
|
|
||||||
|
|
||||||
int (*verify_callback)(int ok,
|
|
||||||
X509_STORE_CTX *ctx); /* fail if callback returns 0 */
|
|
||||||
|
|
||||||
void (*info_callback)(const SSL *ssl, int type, int value);
|
|
||||||
|
|
||||||
/* Server-only: psk_identity_hint is the identity hint to send in
|
|
||||||
* PSK-based key exchanges. */
|
|
||||||
char *psk_identity_hint;
|
|
||||||
|
|
||||||
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
|
|
||||||
char *identity,
|
|
||||||
unsigned int max_identity_len,
|
|
||||||
uint8_t *psk, unsigned int max_psk_len);
|
|
||||||
unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
|
|
||||||
uint8_t *psk, unsigned int max_psk_len);
|
|
||||||
|
|
||||||
SSL_CTX *ctx;
|
|
||||||
|
|
||||||
/* extra application data */
|
|
||||||
CRYPTO_EX_DATA ex_data;
|
|
||||||
|
|
||||||
/* for server side, keep the list of CA_dn we can use */
|
|
||||||
STACK_OF(X509_NAME) *client_CA;
|
|
||||||
|
|
||||||
uint32_t options; /* protocol behaviour */
|
|
||||||
uint32_t mode; /* API behaviour */
|
|
||||||
uint32_t max_cert_list;
|
|
||||||
char *tlsext_hostname;
|
|
||||||
size_t supported_group_list_len;
|
|
||||||
uint16_t *supported_group_list; /* our list */
|
|
||||||
|
|
||||||
SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */
|
|
||||||
|
|
||||||
/* srtp_profiles is the list of configured SRTP protection profiles for
|
|
||||||
* DTLS-SRTP. */
|
|
||||||
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
|
|
||||||
|
|
||||||
/* srtp_profile is the selected SRTP protection profile for
|
|
||||||
* DTLS-SRTP. */
|
|
||||||
const SRTP_PROTECTION_PROFILE *srtp_profile;
|
|
||||||
|
|
||||||
/* The client's Channel ID private key. */
|
|
||||||
EVP_PKEY *tlsext_channel_id_private;
|
|
||||||
|
|
||||||
/* For a client, this contains the list of supported protocols in wire
|
|
||||||
* format. */
|
|
||||||
uint8_t *alpn_client_proto_list;
|
|
||||||
unsigned alpn_client_proto_list_len;
|
|
||||||
|
|
||||||
/* renegotiate_mode controls how peer renegotiation attempts are handled. */
|
|
||||||
enum ssl_renegotiate_mode_t renegotiate_mode;
|
|
||||||
|
|
||||||
/* verify_mode is a bitmask of |SSL_VERIFY_*| values. */
|
|
||||||
uint8_t verify_mode;
|
|
||||||
|
|
||||||
/* server is true iff the this SSL* is the server half. Note: before the SSL*
|
|
||||||
* is initialized by either SSL_set_accept_state or SSL_set_connect_state,
|
|
||||||
* the side is not determined. In this state, server is always false. */
|
|
||||||
unsigned server:1;
|
|
||||||
|
|
||||||
/* quiet_shutdown is true if the connection should not send a close_notify on
|
|
||||||
* shutdown. */
|
|
||||||
unsigned quiet_shutdown:1;
|
|
||||||
|
|
||||||
/* Enable signed certificate time stamps. Currently client only. */
|
|
||||||
unsigned signed_cert_timestamps_enabled:1;
|
|
||||||
|
|
||||||
/* ocsp_stapling_enabled is only used by client connections and indicates
|
|
||||||
* whether OCSP stapling will be requested. */
|
|
||||||
unsigned ocsp_stapling_enabled:1;
|
|
||||||
|
|
||||||
/* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server,
|
|
||||||
* means that we'll accept Channel IDs from clients. For a client, means that
|
|
||||||
* we'll advertise support. */
|
|
||||||
unsigned tlsext_channel_id_enabled:1;
|
|
||||||
|
|
||||||
/* retain_only_sha256_of_client_certs is true if we should compute the SHA256
|
|
||||||
* hash of the peer's certificate and then discard it to save memory and
|
|
||||||
* session space. Only effective on the server side. */
|
|
||||||
unsigned retain_only_sha256_of_client_certs:1;
|
|
||||||
|
|
||||||
/* session_timeout is the default lifetime in seconds of the session
|
|
||||||
* created in this connection at TLS 1.2 and earlier. */
|
|
||||||
long session_timeout;
|
|
||||||
|
|
||||||
/* session_psk_dhe_timeout is the default lifetime in seconds of sessions
|
|
||||||
* created in this connection at TLS 1.3. */
|
|
||||||
long session_psk_dhe_timeout;
|
|
||||||
|
|
||||||
/* OCSP response to be sent to the client, if requested. */
|
|
||||||
CRYPTO_BUFFER *ocsp_response;
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
/* Nodejs compatibility section (hidden).
|
/* Nodejs compatibility section (hidden).
|
||||||
*
|
*
|
||||||
|
165
ssl/internal.h
165
ssl/internal.h
@ -502,6 +502,8 @@ int ssl_public_key_verify(
|
|||||||
|
|
||||||
/* Custom extensions */
|
/* Custom extensions */
|
||||||
|
|
||||||
|
typedef struct ssl_handshake_st SSL_HANDSHAKE;
|
||||||
|
|
||||||
/* ssl_custom_extension (a.k.a. SSL_CUSTOM_EXTENSION) is a structure that
|
/* ssl_custom_extension (a.k.a. SSL_CUSTOM_EXTENSION) is a structure that
|
||||||
* contains information about custom-extension callbacks. */
|
* contains information about custom-extension callbacks. */
|
||||||
struct ssl_custom_extension {
|
struct ssl_custom_extension {
|
||||||
@ -1683,6 +1685,169 @@ typedef struct dtls1_state_st {
|
|||||||
unsigned timeout_duration_ms;
|
unsigned timeout_duration_ms;
|
||||||
} DTLS1_STATE;
|
} DTLS1_STATE;
|
||||||
|
|
||||||
|
struct ssl_st {
|
||||||
|
/* method is the method table corresponding to the current protocol (DTLS or
|
||||||
|
* TLS). */
|
||||||
|
const SSL_PROTOCOL_METHOD *method;
|
||||||
|
|
||||||
|
/* version is the protocol version. */
|
||||||
|
int version;
|
||||||
|
|
||||||
|
/* max_version is the maximum acceptable protocol version. Note this version
|
||||||
|
* is normalized in DTLS. */
|
||||||
|
uint16_t max_version;
|
||||||
|
|
||||||
|
/* min_version is the minimum acceptable protocol version. Note this version
|
||||||
|
* is normalized in DTLS. */
|
||||||
|
uint16_t min_version;
|
||||||
|
|
||||||
|
uint16_t max_send_fragment;
|
||||||
|
|
||||||
|
/* There are 2 BIO's even though they are normally both the same. This is so
|
||||||
|
* data can be read and written to different handlers */
|
||||||
|
|
||||||
|
BIO *rbio; /* used by SSL_read */
|
||||||
|
BIO *wbio; /* used by SSL_write */
|
||||||
|
|
||||||
|
int (*handshake_func)(SSL_HANDSHAKE *hs);
|
||||||
|
|
||||||
|
BUF_MEM *init_buf; /* buffer used during init */
|
||||||
|
|
||||||
|
/* init_msg is a pointer to the current handshake message body. */
|
||||||
|
const uint8_t *init_msg;
|
||||||
|
/* init_num is the length of the current handshake message body. */
|
||||||
|
uint32_t init_num;
|
||||||
|
|
||||||
|
struct ssl3_state_st *s3; /* SSLv3 variables */
|
||||||
|
struct dtls1_state_st *d1; /* DTLSv1 variables */
|
||||||
|
|
||||||
|
/* callback that allows applications to peek at protocol messages */
|
||||||
|
void (*msg_callback)(int write_p, int version, int content_type,
|
||||||
|
const void *buf, size_t len, SSL *ssl, void *arg);
|
||||||
|
void *msg_callback_arg;
|
||||||
|
|
||||||
|
X509_VERIFY_PARAM *param;
|
||||||
|
|
||||||
|
/* crypto */
|
||||||
|
struct ssl_cipher_preference_list_st *cipher_list;
|
||||||
|
|
||||||
|
/* session info */
|
||||||
|
|
||||||
|
/* client cert? */
|
||||||
|
/* This is used to hold the server certificate used */
|
||||||
|
struct cert_st /* CERT */ *cert;
|
||||||
|
|
||||||
|
/* This holds a variable that indicates what we were doing when a 0 or -1 is
|
||||||
|
* returned. This is needed for non-blocking IO so we know what request
|
||||||
|
* needs re-doing when in SSL_accept or SSL_connect */
|
||||||
|
int rwstate;
|
||||||
|
|
||||||
|
/* initial_timeout_duration_ms is the default DTLS timeout duration in
|
||||||
|
* milliseconds. It's used to initialize the timer any time it's restarted. */
|
||||||
|
unsigned initial_timeout_duration_ms;
|
||||||
|
|
||||||
|
/* the session_id_context is used to ensure sessions are only reused
|
||||||
|
* in the appropriate context */
|
||||||
|
uint8_t sid_ctx_length;
|
||||||
|
uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
|
||||||
|
|
||||||
|
/* session is the configured session to be offered by the client. This session
|
||||||
|
* is immutable. */
|
||||||
|
SSL_SESSION *session;
|
||||||
|
|
||||||
|
int (*verify_callback)(int ok,
|
||||||
|
X509_STORE_CTX *ctx); /* fail if callback returns 0 */
|
||||||
|
|
||||||
|
void (*info_callback)(const SSL *ssl, int type, int value);
|
||||||
|
|
||||||
|
/* Server-only: psk_identity_hint is the identity hint to send in
|
||||||
|
* PSK-based key exchanges. */
|
||||||
|
char *psk_identity_hint;
|
||||||
|
|
||||||
|
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
|
||||||
|
char *identity,
|
||||||
|
unsigned int max_identity_len,
|
||||||
|
uint8_t *psk, unsigned int max_psk_len);
|
||||||
|
unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
|
||||||
|
uint8_t *psk, unsigned int max_psk_len);
|
||||||
|
|
||||||
|
SSL_CTX *ctx;
|
||||||
|
|
||||||
|
/* extra application data */
|
||||||
|
CRYPTO_EX_DATA ex_data;
|
||||||
|
|
||||||
|
/* for server side, keep the list of CA_dn we can use */
|
||||||
|
STACK_OF(X509_NAME) *client_CA;
|
||||||
|
|
||||||
|
uint32_t options; /* protocol behaviour */
|
||||||
|
uint32_t mode; /* API behaviour */
|
||||||
|
uint32_t max_cert_list;
|
||||||
|
char *tlsext_hostname;
|
||||||
|
size_t supported_group_list_len;
|
||||||
|
uint16_t *supported_group_list; /* our list */
|
||||||
|
|
||||||
|
SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */
|
||||||
|
|
||||||
|
/* srtp_profiles is the list of configured SRTP protection profiles for
|
||||||
|
* DTLS-SRTP. */
|
||||||
|
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
|
||||||
|
|
||||||
|
/* srtp_profile is the selected SRTP protection profile for
|
||||||
|
* DTLS-SRTP. */
|
||||||
|
const SRTP_PROTECTION_PROFILE *srtp_profile;
|
||||||
|
|
||||||
|
/* The client's Channel ID private key. */
|
||||||
|
EVP_PKEY *tlsext_channel_id_private;
|
||||||
|
|
||||||
|
/* For a client, this contains the list of supported protocols in wire
|
||||||
|
* format. */
|
||||||
|
uint8_t *alpn_client_proto_list;
|
||||||
|
unsigned alpn_client_proto_list_len;
|
||||||
|
|
||||||
|
/* renegotiate_mode controls how peer renegotiation attempts are handled. */
|
||||||
|
enum ssl_renegotiate_mode_t renegotiate_mode;
|
||||||
|
|
||||||
|
/* verify_mode is a bitmask of |SSL_VERIFY_*| values. */
|
||||||
|
uint8_t verify_mode;
|
||||||
|
|
||||||
|
/* server is true iff the this SSL* is the server half. Note: before the SSL*
|
||||||
|
* is initialized by either SSL_set_accept_state or SSL_set_connect_state,
|
||||||
|
* the side is not determined. In this state, server is always false. */
|
||||||
|
unsigned server:1;
|
||||||
|
|
||||||
|
/* quiet_shutdown is true if the connection should not send a close_notify on
|
||||||
|
* shutdown. */
|
||||||
|
unsigned quiet_shutdown:1;
|
||||||
|
|
||||||
|
/* Enable signed certificate time stamps. Currently client only. */
|
||||||
|
unsigned signed_cert_timestamps_enabled:1;
|
||||||
|
|
||||||
|
/* ocsp_stapling_enabled is only used by client connections and indicates
|
||||||
|
* whether OCSP stapling will be requested. */
|
||||||
|
unsigned ocsp_stapling_enabled:1;
|
||||||
|
|
||||||
|
/* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server,
|
||||||
|
* means that we'll accept Channel IDs from clients. For a client, means that
|
||||||
|
* we'll advertise support. */
|
||||||
|
unsigned tlsext_channel_id_enabled:1;
|
||||||
|
|
||||||
|
/* retain_only_sha256_of_client_certs is true if we should compute the SHA256
|
||||||
|
* hash of the peer's certificate and then discard it to save memory and
|
||||||
|
* session space. Only effective on the server side. */
|
||||||
|
unsigned retain_only_sha256_of_client_certs:1;
|
||||||
|
|
||||||
|
/* session_timeout is the default lifetime in seconds of the session
|
||||||
|
* created in this connection at TLS 1.2 and earlier. */
|
||||||
|
long session_timeout;
|
||||||
|
|
||||||
|
/* session_psk_dhe_timeout is the default lifetime in seconds of sessions
|
||||||
|
* created in this connection at TLS 1.3. */
|
||||||
|
long session_psk_dhe_timeout;
|
||||||
|
|
||||||
|
/* OCSP response to be sent to the client, if requested. */
|
||||||
|
CRYPTO_BUFFER *ocsp_response;
|
||||||
|
};
|
||||||
|
|
||||||
extern const SSL3_ENC_METHOD TLSv1_enc_data;
|
extern const SSL3_ENC_METHOD TLSv1_enc_data;
|
||||||
extern const SSL3_ENC_METHOD SSLv3_enc_data;
|
extern const SSL3_ENC_METHOD SSLv3_enc_data;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user