瀏覽代碼
OCSP stapling and SCT extensions go under certificate verification.
This mirrors how the server halves fall under configuring certificates. Change-Id: I9bde85eecfaff6487eeb887c88cb8bb0c36b83d8 Reviewed-on: https://boringssl-review.googlesource.com/5961 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
David Benjamin
9 年之前
committed by
Adam Langley
Adam Langley
共有 1 個文件被更改,包括 43 次插入 和 39 次删除
分割檢視
Diff Options
-
+43 -39include/openssl/ssl.h
+ 43
- 39
include/openssl/ssl.h
查看文件
| @@ -1583,8 +1583,11 @@ OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl, | |||
| * certificate verification externally. This may be done with | |||
| * |SSL_CTX_set_cert_verify_callback| or by extracting the chain with | |||
| * |SSL_get_peer_cert_chain| after the handshake. In the future, functions will | |||
| * be added to use the SSL stack without depending on any part of the legacy | |||
| * X.509 and ASN.1 stack. */ | |||
| * be added to use the SSL stack without dependency on any part of the legacy | |||
| * X.509 and ASN.1 stack. | |||
| * | |||
| * To augment certificate verification, a client may also enable OCSP stapling | |||
| * (RFC 6066) and Certificate Transparency (RFC 6962) extensions. */ | |||
| /* SSL_VERIFY_NONE, on a client, verifies the server certificate but does not | |||
| * make errors fatal. The result may be checked with |SSL_get_verify_result|. On | |||
| @@ -1750,6 +1753,44 @@ OPENSSL_EXPORT void SSL_CTX_set_cert_verify_callback( | |||
| SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *store_ctx, void *arg), | |||
| void *arg); | |||
| /* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end | |||
| * of a connection) to request SCTs from the server. See | |||
| * https://tools.ietf.org/html/rfc6962. It returns one. */ | |||
| OPENSSL_EXPORT int SSL_enable_signed_cert_timestamps(SSL *ssl); | |||
| /* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL | |||
| * objects created from |ctx|. */ | |||
| OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); | |||
| /* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to | |||
| * |*out_len| bytes of SCT information from the server. This is only valid if | |||
| * |ssl| is a client. The SCT information is a SignedCertificateTimestampList | |||
| * (including the two leading length bytes). | |||
| * See https://tools.ietf.org/html/rfc6962#section-3.3 | |||
| * If no SCT was received then |*out_len| will be zero on return. | |||
| * | |||
| * WARNING: the returned data is not guaranteed to be well formed. */ | |||
| OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, | |||
| const uint8_t **out, | |||
| size_t *out_len); | |||
| /* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a | |||
| * connection) to request a stapled OCSP response from the server. It returns | |||
| * one. */ | |||
| OPENSSL_EXPORT int SSL_enable_ocsp_stapling(SSL *ssl); | |||
| /* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects | |||
| * created from |ctx|. */ | |||
| OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx); | |||
| /* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len| | |||
| * bytes of an OCSP response from the server. This is the DER encoding of an | |||
| * OCSPResponse type as defined in RFC 2560. | |||
| * | |||
| * WARNING: the returned data is not guaranteed to be well formed. */ | |||
| OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, | |||
| size_t *out_len); | |||
| /* Client certificate CA list. | |||
| * | |||
| @@ -2348,43 +2389,6 @@ OPENSSL_EXPORT void SSL_CTX_set_client_cert_cb( | |||
| OPENSSL_EXPORT int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, | |||
| X509 **x509, | |||
| EVP_PKEY **pkey); | |||
| /* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end | |||
| * of a connection) to request SCTs from the server. See | |||
| * https://tools.ietf.org/html/rfc6962. It returns one. */ | |||
| OPENSSL_EXPORT int SSL_enable_signed_cert_timestamps(SSL *ssl); | |||
| /* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL | |||
| * objects created from |ctx|. */ | |||
| OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); | |||
| /* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a | |||
| * connection) to request a stapled OCSP response from the server. It returns | |||
| * one. */ | |||
| OPENSSL_EXPORT int SSL_enable_ocsp_stapling(SSL *ssl); | |||
| /* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects | |||
| * created from |ctx|. */ | |||
| OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx); | |||
| /* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to | |||
| * |*out_len| bytes of SCT information from the server. This is only valid if | |||
| * |ssl| is a client. The SCT information is a SignedCertificateTimestampList | |||
| * (including the two leading length bytes). | |||
| * See https://tools.ietf.org/html/rfc6962#section-3.3 | |||
| * If no SCT was received then |*out_len| will be zero on return. | |||
| * | |||
| * WARNING: the returned data is not guaranteed to be well formed. */ | |||
| OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, | |||
| const uint8_t **out, | |||
| size_t *out_len); | |||
| /* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len| | |||
| * bytes of an OCSP response from the server. This is the DER encoding of an | |||
| * OCSPResponse type as defined in RFC 2560. | |||
| * | |||
| * WARNING: the returned data is not guaranteed to be well formed. */ | |||
| OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, | |||
| size_t *out_len); | |||
| #define SSL_NOTHING 1 | |||
| #define SSL_WRITING 2 | |||