| OLD | NEW |
| 1 /* | 1 /* |
| 2 * This file contains prototypes for the public SSL functions. | 2 * This file contains prototypes for the public SSL functions. |
| 3 * | 3 * |
| 4 * ***** BEGIN LICENSE BLOCK ***** | 4 * ***** BEGIN LICENSE BLOCK ***** |
| 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 6 * | 6 * |
| 7 * The contents of this file are subject to the Mozilla Public License Version | 7 * The contents of this file are subject to the Mozilla Public License Version |
| 8 * 1.1 (the "License"); you may not use this file except in compliance with | 8 * 1.1 (the "License"); you may not use this file except in compliance with |
| 9 * the License. You may obtain a copy of the License at | 9 * the License. You may obtain a copy of the License at |
| 10 * http://www.mozilla.org/MPL/ | 10 * http://www.mozilla.org/MPL/ |
| (...skipping 18 matching lines...) Expand all Loading... |
| 29 * in which case the provisions of the GPL or the LGPL are applicable instead | 29 * in which case the provisions of the GPL or the LGPL are applicable instead |
| 30 * of those above. If you wish to allow use of your version of this file only | 30 * of those above. If you wish to allow use of your version of this file only |
| 31 * under the terms of either the GPL or the LGPL, and not to allow others to | 31 * under the terms of either the GPL or the LGPL, and not to allow others to |
| 32 * use your version of this file under the terms of the MPL, indicate your | 32 * use your version of this file under the terms of the MPL, indicate your |
| 33 * decision by deleting the provisions above and replace them with the notice | 33 * decision by deleting the provisions above and replace them with the notice |
| 34 * and other provisions required by the GPL or the LGPL. If you do not delete | 34 * and other provisions required by the GPL or the LGPL. If you do not delete |
| 35 * the provisions above, a recipient may use your version of this file under | 35 * the provisions above, a recipient may use your version of this file under |
| 36 * the terms of any one of the MPL, the GPL or the LGPL. | 36 * the terms of any one of the MPL, the GPL or the LGPL. |
| 37 * | 37 * |
| 38 * ***** END LICENSE BLOCK ***** */ | 38 * ***** END LICENSE BLOCK ***** */ |
| 39 /* $Id: ssl.h,v 1.49 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ | 39 /* $Id: ssl.h,v 1.54 2012/03/18 00:31:19 wtc%google.com Exp $ */ |
| 40 | 40 |
| 41 #ifndef __ssl_h_ | 41 #ifndef __ssl_h_ |
| 42 #define __ssl_h_ | 42 #define __ssl_h_ |
| 43 | 43 |
| 44 #include "prtypes.h" | 44 #include "prtypes.h" |
| 45 #include "prerror.h" | 45 #include "prerror.h" |
| 46 #include "prio.h" | 46 #include "prio.h" |
| 47 #include "seccomon.h" | 47 #include "seccomon.h" |
| 48 #include "cert.h" | 48 #include "cert.h" |
| 49 #include "keyt.h" | 49 #include "keyt.h" |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 93 ** require a certificate during secure connect | 93 ** require a certificate during secure connect |
| 94 */ | 94 */ |
| 95 /* options */ | 95 /* options */ |
| 96 #define SSL_SECURITY 1 /* (on by default) */ | 96 #define SSL_SECURITY 1 /* (on by default) */ |
| 97 #define SSL_SOCKS 2 /* (off by default) */ | 97 #define SSL_SOCKS 2 /* (off by default) */ |
| 98 #define SSL_REQUEST_CERTIFICATE 3 /* (off by default) */ | 98 #define SSL_REQUEST_CERTIFICATE 3 /* (off by default) */ |
| 99 #define SSL_HANDSHAKE_AS_CLIENT 5 /* force accept to hs as client */ | 99 #define SSL_HANDSHAKE_AS_CLIENT 5 /* force accept to hs as client */ |
| 100 /* (off by default) */ | 100 /* (off by default) */ |
| 101 #define SSL_HANDSHAKE_AS_SERVER 6 /* force connect to hs as server */ | 101 #define SSL_HANDSHAKE_AS_SERVER 6 /* force connect to hs as server */ |
| 102 /* (off by default) */ | 102 /* (off by default) */ |
| 103 |
| 104 /* OBSOLETE: SSL v2 is obsolete and may be removed soon. */ |
| 103 #define SSL_ENABLE_SSL2 7 /* enable ssl v2 (off by default) */ | 105 #define SSL_ENABLE_SSL2 7 /* enable ssl v2 (off by default) */ |
| 106 |
| 107 /* OBSOLETE: See "SSL Version Range API" below for the replacement and a |
| 108 ** description of the non-obvious semantics of using SSL_ENABLE_SSL3. |
| 109 */ |
| 104 #define SSL_ENABLE_SSL3 8 /* enable ssl v3 (on by default) */ | 110 #define SSL_ENABLE_SSL3 8 /* enable ssl v3 (on by default) */ |
| 111 |
| 105 #define SSL_NO_CACHE 9 /* don't use the session cache */ | 112 #define SSL_NO_CACHE 9 /* don't use the session cache */ |
| 106 /* (off by default) */ | 113 /* (off by default) */ |
| 107 #define SSL_REQUIRE_CERTIFICATE 10 /* (SSL_REQUIRE_FIRST_HANDSHAKE */ | 114 #define SSL_REQUIRE_CERTIFICATE 10 /* (SSL_REQUIRE_FIRST_HANDSHAKE */ |
| 108 /* by default) */ | 115 /* by default) */ |
| 109 #define SSL_ENABLE_FDX 11 /* permit simultaneous read/write */ | 116 #define SSL_ENABLE_FDX 11 /* permit simultaneous read/write */ |
| 110 /* (off by default) */ | 117 /* (off by default) */ |
| 118 |
| 119 /* OBSOLETE: SSL v2 compatible hellos are not accepted by some TLS servers |
| 120 ** and cannot negotiate extensions. SSL v2 is obsolete. This option may be |
| 121 ** removed soon. |
| 122 */ |
| 111 #define SSL_V2_COMPATIBLE_HELLO 12 /* send v3 client hello in v2 fmt */ | 123 #define SSL_V2_COMPATIBLE_HELLO 12 /* send v3 client hello in v2 fmt */ |
| 112 /* (off by default) */ | 124 /* (off by default) */ |
| 125 |
| 126 /* OBSOLETE: See "SSL Version Range API" below for the replacement and a |
| 127 ** description of the non-obvious semantics of using SSL_ENABLE_TLS. |
| 128 */ |
| 113 #define SSL_ENABLE_TLS 13 /* enable TLS (on by default) */ | 129 #define SSL_ENABLE_TLS 13 /* enable TLS (on by default) */ |
| 130 |
| 114 #define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */ | 131 #define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */ |
| 115 #define SSL_NO_STEP_DOWN 15 /* Disable export cipher suites */ | 132 #define SSL_NO_STEP_DOWN 15 /* Disable export cipher suites */ |
| 116 /* if step-down keys are needed. */ | 133 /* if step-down keys are needed. */ |
| 117 /* default: off, generate */ | 134 /* default: off, generate */ |
| 118 /* step-down keys if needed. */ | 135 /* step-down keys if needed. */ |
| 119 #define SSL_BYPASS_PKCS11 16 /* use PKCS#11 for pub key only */ | 136 #define SSL_BYPASS_PKCS11 16 /* use PKCS#11 for pub key only */ |
| 120 #define SSL_NO_LOCKS 17 /* Don't use locks for protection */ | 137 #define SSL_NO_LOCKS 17 /* Don't use locks for protection */ |
| 121 #define SSL_ENABLE_SESSION_TICKETS 18 /* Enable TLS SessionTicket */ | 138 #define SSL_ENABLE_SESSION_TICKETS 18 /* Enable TLS SessionTicket */ |
| 122 /* extension (off by default) */ | 139 /* extension (off by default) */ |
| 123 #define SSL_ENABLE_DEFLATE 19 /* Enable TLS compression with */ | 140 #define SSL_ENABLE_DEFLATE 19 /* Enable TLS compression with */ |
| (...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 254 #endif | 271 #endif |
| 255 | 272 |
| 256 /* New function names */ | 273 /* New function names */ |
| 257 SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool en
abled); | 274 SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool en
abled); |
| 258 SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *e
nabled); | 275 SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *e
nabled); |
| 259 SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); | 276 SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); |
| 260 SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); | 277 SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); |
| 261 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); | 278 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); |
| 262 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); | 279 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); |
| 263 | 280 |
| 281 /* SSL Version Range API |
| 282 ** |
| 283 ** This API should be used to control SSL 3.0 & TLS support instead of the |
| 284 ** older SSL_Option* API; however, the SSL_Option* API MUST still be used to |
| 285 ** control SSL 2.0 support. In this version of libssl, SSL 3.0 and TLS 1.0 are |
| 286 ** enabled by default. Future versions of libssl may change which versions of |
| 287 ** the protocol are enabled by default. |
| 288 ** |
| 289 ** The SSLProtocolVariant enum indicates whether the protocol is of type |
| 290 ** stream or datagram. This must be provided to the functions that do not |
| 291 ** take an fd. Functions which take an fd will get the variant from the fd, |
| 292 ** which is typed. |
| 293 ** |
| 294 ** Using the new version range API in conjunction with the older |
| 295 ** SSL_OptionSet-based API for controlling the enabled protocol versions may |
| 296 ** cause unexpected results. Going forward, we guarantee only the following: |
| 297 ** |
| 298 ** SSL_OptionGet(SSL_ENABLE_TLS) will return PR_TRUE if *ANY* versions of TLS |
| 299 ** are enabled. |
| 300 ** |
| 301 ** SSL_OptionSet(SSL_ENABLE_TLS, PR_FALSE) will disable *ALL* versions of TLS, |
| 302 ** including TLS 1.0 and later. |
| 303 ** |
| 304 ** The above two properties provide compatibility for applications that use |
| 305 ** SSL_OptionSet to implement the insecure fallback from TLS 1.x to SSL 3.0. |
| 306 ** |
| 307 ** SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) will enable TLS 1.0, and may also |
| 308 ** enable some later versions of TLS, if it is necessary to do so in order to |
| 309 ** keep the set of enabled versions contiguous. For example, if TLS 1.2 is |
| 310 ** enabled, then after SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE), TLS 1.0, |
| 311 ** TLS 1.1, and TLS 1.2 will be enabled, and the call will have no effect on |
| 312 ** whether SSL 3.0 is enabled. If no later versions of TLS are enabled at the |
| 313 ** time SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) is called, then no later |
| 314 ** versions of TLS will be enabled by the call. |
| 315 ** |
| 316 ** SSL_OptionSet(SSL_ENABLE_SSL3, PR_FALSE) will disable SSL 3.0, and will not |
| 317 ** change the set of TLS versions that are enabled. |
| 318 ** |
| 319 ** SSL_OptionSet(SSL_ENABLE_SSL3, PR_TRUE) will enable SSL 3.0, and may also |
| 320 ** enable some versions of TLS if TLS 1.1 or later is enabled at the time of |
| 321 ** the call, the same way SSL_OptionSet(SSL_ENABLE_TLS, PR_TRUE) works, in |
| 322 ** order to keep the set of enabled versions contiguous. |
| 323 */ |
| 324 |
| 325 /* Returns, in |*vrange|, the range of SSL3/TLS versions supported for the |
| 326 ** given protocol variant by the version of libssl linked-to at runtime. |
| 327 */ |
| 328 SSL_IMPORT SECStatus SSL_VersionRangeGetSupported( |
| 329 SSLProtocolVariant protocolVariant, SSLVersionRange *vrange); |
| 330 |
| 331 /* Returns, in |*vrange|, the range of SSL3/TLS versions enabled by default |
| 332 ** for the given protocol variant. |
| 333 */ |
| 334 SSL_IMPORT SECStatus SSL_VersionRangeGetDefault( |
| 335 SSLProtocolVariant protocolVariant, SSLVersionRange *vrange); |
| 336 |
| 337 /* Sets the range of enabled-by-default SSL3/TLS versions for the given |
| 338 ** protocol variant to |*vrange|. |
| 339 */ |
| 340 SSL_IMPORT SECStatus SSL_VersionRangeSetDefault( |
| 341 SSLProtocolVariant protocolVariant, const SSLVersionRange *vrange); |
| 342 |
| 343 /* Returns, in |*vrange|, the range of enabled SSL3/TLS versions for |fd|. */ |
| 344 SSL_IMPORT SECStatus SSL_VersionRangeGet(PRFileDesc *fd, |
| 345 SSLVersionRange *vrange); |
| 346 |
| 347 /* Sets the range of enabled SSL3/TLS versions for |fd| to |*vrange|. */ |
| 348 SSL_IMPORT SECStatus SSL_VersionRangeSet(PRFileDesc *fd, |
| 349 const SSLVersionRange *vrange); |
| 350 |
| 351 |
| 264 /* Values for "policy" argument to SSL_PolicySet */ | 352 /* Values for "policy" argument to SSL_PolicySet */ |
| 265 /* Values returned by SSL_CipherPolicyGet. */ | 353 /* Values returned by SSL_CipherPolicyGet. */ |
| 266 #define SSL_NOT_ALLOWED 0 /* or invalid or unimplemented */ | 354 #define SSL_NOT_ALLOWED 0 /* or invalid or unimplemented */ |
| 267 #define SSL_ALLOWED 1 | 355 #define SSL_ALLOWED 1 |
| 268 #define SSL_RESTRICTED 2 /* only with "Step-Up" certs. */ | 356 #define SSL_RESTRICTED 2 /* only with "Step-Up" certs. */ |
| 269 | 357 |
| 270 /* Values for "on" with SSL_REQUIRE_CERTIFICATE. */ | 358 /* Values for "on" with SSL_REQUIRE_CERTIFICATE. */ |
| 271 #define SSL_REQUIRE_NEVER ((PRBool)0) | 359 #define SSL_REQUIRE_NEVER ((PRBool)0) |
| 272 #define SSL_REQUIRE_ALWAYS ((PRBool)1) | 360 #define SSL_REQUIRE_ALWAYS ((PRBool)1) |
| 273 #define SSL_REQUIRE_FIRST_HANDSHAKE ((PRBool)2) | 361 #define SSL_REQUIRE_FIRST_HANDSHAKE ((PRBool)2) |
| (...skipping 655 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 929 * should continue using the connection. If the application passes a non-zero | 1017 * should continue using the connection. If the application passes a non-zero |
| 930 * value for second argument (error), or if SSL_AuthCertificateComplete returns | 1018 * value for second argument (error), or if SSL_AuthCertificateComplete returns |
| 931 * anything other than SECSuccess, then the application should close the | 1019 * anything other than SECSuccess, then the application should close the |
| 932 * connection. | 1020 * connection. |
| 933 */ | 1021 */ |
| 934 SSL_IMPORT SECStatus SSL_AuthCertificateComplete(PRFileDesc *fd, | 1022 SSL_IMPORT SECStatus SSL_AuthCertificateComplete(PRFileDesc *fd, |
| 935 PRErrorCode error); | 1023 PRErrorCode error); |
| 936 SEC_END_PROTOS | 1024 SEC_END_PROTOS |
| 937 | 1025 |
| 938 #endif /* __ssl_h_ */ | 1026 #endif /* __ssl_h_ */ |
| OLD | NEW |