?? ssl.h
字號:
* 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */typedef struct ssl_st *ssl_crock_st;/* used to hold info on the particular ciphers used */typedef struct ssl_cipher_st { int valid; const char *name; /* text name */ unsigned long id; /* id, 4 bytes, first is version */ unsigned long algorithms; /* what ciphers are used */ unsigned long algo_strength; /* strength and export flags */ unsigned long algorithm2; /* Extra flags */ int strength_bits; /* Number of bits really used */ int alg_bits; /* Number of bits for algorithm */ unsigned long mask; /* used for matching */ unsigned long mask_strength; /* also used for matching */ } SSL_CIPHER;DECLARE_STACK_OF(SSL_CIPHER)typedef struct ssl_st SSL;typedef struct ssl_ctx_st SSL_CTX;/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */typedef struct ssl_method_st { int version; int (*ssl_new)(SSL *s); void (*ssl_clear)(SSL *s); void (*ssl_free)(SSL *s); int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); int (*ssl_read)(SSL *s,void *buf,int len); int (*ssl_peek)(SSL *s,void *buf,int len); int (*ssl_write)(SSL *s,const void *buf,int len); int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); int (*ssl_renegotiate_check)(SSL *s); long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg); long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg); SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr); int (*ssl_pending)(SSL *s); int (*num_ciphers)(void); SSL_CIPHER *(*get_cipher)(unsigned ncipher); struct ssl_method_st *(*get_ssl_method)(int version); long (*get_timeout)(void); struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ int (*ssl_version)(); long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)()); long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)()); } SSL_METHOD;/* Lets make this into an ASN.1 type structure as follows * SSL_SESSION_ID ::= SEQUENCE { * version INTEGER, -- structure version number * SSLversion INTEGER, -- SSL version number * Cipher OCTET_STRING, -- the 3 byte cipher ID * Session_ID OCTET_STRING, -- the Session ID * Master_key OCTET_STRING, -- the master key * KRB5_principal OCTET_STRING -- optional Kerberos principal * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context * Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer' * Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX * } * Look in ssl/ssl_asn1.c for more details * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). */typedef struct ssl_session_st { int ssl_version; /* what ssl version session info is * being kept in here? */ /* only really used in SSLv2 */ unsigned int key_arg_length; unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; int master_key_length; unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; /* session_id - valid? */ unsigned int session_id_length; unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; /* this is used to determine whether the session is being reused in * the appropriate context. It is up to the application to set this, * via SSL_new */ unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];#ifndef OPENSSL_NO_KRB5 unsigned int krb5_client_princ_len; unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];#endif /* OPENSSL_NO_KRB5 */ int not_resumable; /* The cert is the certificate used to establish this connection */ struct sess_cert_st /* SESS_CERT */ *sess_cert; /* This is the cert for the other end. * On clients, it will be the same as sess_cert->peer_key->x509 * (the latter is not enough as sess_cert is not retained * in the external representation of sessions, see ssl_asn1.c). */ X509 *peer; /* when app_verify_callback accepts a session where the peer's certificate * is not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ int references; long timeout; long time; int compress_meth; /* Need to lookup the method */ SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this * needs to be used to load * the 'cipher' structure */ STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ CRYPTO_EX_DATA ex_data; /* application specific data */ /* These are used to make removal of session-ids more * efficient and to implement a maximum cache size. */ struct ssl_session_st *prev,*next; } SSL_SESSION;#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L#define SSL_OP_TLS_D5_BUG 0x00000100L#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) * the workaround is not needed. Unfortunately some broken SSL/TLS * implementations cannot handle it at all, which is why we include * it in SSL_OP_ALL. */#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e *//* SSL_OP_ALL: various bug workarounds that should be rather harmless. * This used to be 0x000FFFFFL before 0.9.7. */#define SSL_OP_ALL 0x00000FFFL/* As server, disallow session resumption on renegotiation */#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L/* If set, always create a new key when using tmp_dh parameters */#define SSL_OP_SINGLE_DH_USE 0x00100000L/* Set to always use the tmp_rsa key when doing RSA operations, * even when this violates protocol specs */#define SSL_OP_EPHEMERAL_RSA 0x00200000L/* Set on servers to choose the cipher according to the server's * preferences */#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L/* If set, a server will allow a client to issue a SSLv3.0 version number * as latest version supported in the premaster secret, even when TLSv1.0 * (version 3.1) was announced in the client hello. Normally this is * forbidden to prevent version rollback attacks. */#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L#define SSL_OP_NO_SSLv2 0x01000000L#define SSL_OP_NO_SSLv3 0x02000000L#define SSL_OP_NO_TLSv1 0x04000000L/* The next flag deliberately changes the ciphertest, this is a check * for the PKCS#1 attack */#define SSL_OP_PKCS1_CHECK_1 0x08000000L#define SSL_OP_PKCS1_CHECK_2 0x10000000L#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success * when just a single record has been written): */#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L/* Make it possible to retry SSL_write() with changed buffer location * (buffer contents must stay the same!); this is not the default to avoid * the misconception that non-blocking SSL_write() behaves like * non-blocking write(): */#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L/* Never bother the application with retries if the transport * is blocking: */#define SSL_MODE_AUTO_RETRY 0x00000004L/* Don't attempt to automatically build certificate chain */#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */#define SSL_CTX_set_options(ctx,op) \ SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)#define SSL_CTX_get_options(ctx) \ SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)#define SSL_set_options(ssl,op) \ SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)#define SSL_get_options(ssl) \ SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)#define SSL_CTX_set_mode(ctx,op) \ SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)#define SSL_CTX_get_mode(ctx) \ SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)#define SSL_set_mode(ssl,op) \ SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)#define SSL_get_mode(ssl) \ SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */#else#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */#endif#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)/* This callback type is used inside SSL_CTX, SSL, and in the functions that set * them. It is used to override the generation of SSL/TLS session IDs in a * server. Return value should be zero on an error, non-zero to proceed. Also, * callbacks should themselves check if the id they generate is unique otherwise * the SSL handshake will fail with an error - callbacks can do this using the * 'ssl' value they're passed by; * SSL_has_matching_session_id(ssl, id, *id_len) * The length value passed in is set at the maximum size the session ID can be. * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback * can alter this length to be less if desired, but under SSLv2 session IDs are * supposed to be fixed at 16 bytes so the id will be padded after the callback * returns in this case. It is also an error for the callback to set the size to * zero. */typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id, unsigned int *id_len);typedef struct ssl_comp_st { int id; char *name;#ifndef OPENSSL_NO_COMP COMP_METHOD *method;#else char *method;#endif } SSL_COMP;DECLARE_STACK_OF(SSL_COMP)struct ssl_ctx_st { SSL_METHOD *method; STACK_OF(SSL_CIPHER) *cipher_list; /* same as above but sorted for lookup */ STACK_OF(SSL_CIPHER) *cipher_list_by_id; struct x509_store_st /* X509_STORE */ *cert_store; struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSIONs */ /* Most session-ids that will be cached, default is * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ unsigned long session_cache_size; struct ssl_session_st *session_cache_head; struct ssl_session_st *session_cache_tail; /* This can have one of 2 values, ored together, * SSL_SESS_CACHE_CLIENT, * SSL_SESS_CACHE_SERVER, * Default is SSL_SESSION_CACHE_SERVER, which means only * SSL_accept which cache SSL_SESSIONS. */ int session_cache_mode; /* If timeout is not 0, it is the default timeout value set * when SSL_new() is called. This has been put in to make * life easier to set things up */ long session_timeout; /* If this callback is not null, it will be called each * time a session id is added to the cache. If this function * returns 1, it means that the callback will do a * SSL_SESSION_free() when it has finished using it. Otherwise, * on 0, it means the callback has finished with it. * If remove_session_cb is not null, it will be called when * a session-id is removed from the cache. After the call, * OpenSSL will SSL_SESSION_free() it. */ int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess); void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess); SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy); struct { int sess_connect; /* SSL new conn - started */ int sess_connect_renegotiate;/* SSL reneg - requested */ int sess_connect_good; /* SSL new conne/reneg - finished */ int sess_accept; /* SSL new accept - started */ int sess_accept_renegotiate;/* SSL reneg - requested */ int sess_accept_good; /* SSL accept/reneg - finished */ int sess_miss; /* session lookup misses */ int sess_timeout; /* reuse attempt on timeouted session */ int sess_cache_full; /* session removed due to full cache */ int sess_hit; /* session reuse actually done */ int sess_cb_hit; /* session-id that was not * in the cache was * passed back via the callback. This * indicates that the application is * supplying session-id's from other * processes - spooky :-) */ } stats; int references; /* if defined, these override the X509_verify_cert() calls */ int (*app_verify_callback)(X509_STORE_CTX *, void *); void *app_verify_arg; /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored * ('app_verify_callback' was called with just one argument) */?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -