X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=inc%2Fbearssl_ssl.h;h=3faf1bef4ca394f660525bc7ba4d4fbbe71df1ad;hp=24d773c9554894923ef75a9cb30fa7910792a966;hb=d16eee962a72a600c370f18f2ae25b36b4f532df;hpb=3210f38e0491b39aec1ef419cb4114e9483089fb diff --git a/inc/bearssl_ssl.h b/inc/bearssl_ssl.h index 24d773c..3faf1be 100644 --- a/inc/bearssl_ssl.h +++ b/inc/bearssl_ssl.h @@ -574,6 +574,11 @@ typedef struct { unsigned char reneg; unsigned char saved_finished[24]; + /* + * Behavioural flags. + */ + uint32_t flags; + /* * Context variables for the handshake processor. * The 'pad' must be large enough to accommodate an @@ -653,6 +658,45 @@ typedef struct { } br_ssl_engine_context; +/* + * Get currently defined engine behavioural flags. + */ +static inline uint32_t +br_ssl_engine_get_flags(br_ssl_engine_context *cc) +{ + return cc->flags; +} + +/* + * Set all engine flags. Flags which are not in the 'flags' argument + * are cleared. + */ +static inline void +br_ssl_engine_set_all_flags(br_ssl_engine_context *cc, uint32_t flags) +{ + cc->flags = flags; +} + +/* + * Add some engine flags. The provided flags are set in the engine context, + * but other flags are untouched. + */ +static inline void +br_ssl_engine_add_flags(br_ssl_engine_context *cc, uint32_t flags) +{ + cc->flags |= flags; +} + +/* + * Remove some engine flags. The provided flags are cleared from the + * engine context, but other flags are untouched. + */ +static inline void +br_ssl_engine_remove_flags(br_ssl_engine_context *cc, uint32_t flags) +{ + cc->flags &= ~flags; +} + /* * Set the minimum and maximum supported protocol versions. */ @@ -1020,6 +1064,14 @@ typedef struct { */ br_ssl_engine_context eng; + /* + * Minimum ClientHello length; padding with an extension (RFC + * 7685) is added if necessary to match at least that length. + * Such padding is nominally unnecessary, but it has been used + * to work around some server implementation bugs. + */ + uint16_t min_clienthello_len; + /* * Implementations. */ @@ -1081,6 +1133,15 @@ br_ssl_client_set_ecdsa(br_ssl_client_context *cc, br_ecdsa_vrfy iecdsa) cc->iecdsa = iecdsa; } +/* + * Set the minimum ClientHello length (RFC 7685 padding). + */ +static inline void +br_ssl_client_set_min_clienthello_len(br_ssl_client_context *cc, uint16_t len) +{ + cc->min_clienthello_len = len; +} + /* * Prepare or reset a client context for connecting with a server of * name 'server_name'. The 'server_name' parameter is used to fill the @@ -1353,11 +1414,6 @@ struct br_ssl_server_context_ { */ br_ssl_engine_context eng; - /* - * Flags. - */ - uint32_t flags; - /* * Maximum version from the client. */ @@ -1420,51 +1476,19 @@ struct br_ssl_server_context_ { */ }; -/* - * Get currently defined server behavioural flags. - */ -static inline uint32_t -br_ssl_server_get_flags(br_ssl_server_context *cc) -{ - return cc->flags; -} - -/* - * Set all server flags. Flags which are not in the 'flags' argument - * are cleared. - */ -static inline void -br_ssl_server_set_all_flags(br_ssl_server_context *cc, uint32_t flags) -{ - cc->flags = flags; -} - -/* - * Add some server flags. The provided flags are set in the server context, - * but other flags are untouched. - */ -static inline void -br_ssl_server_add_flags(br_ssl_server_context *cc, uint32_t flags) -{ - cc->flags |= flags; -} - -/* - * Remove some server flags. The provided flags are cleared from the - * server context, but other flags are untouched. - */ -static inline void -br_ssl_server_remove_flags(br_ssl_server_context *cc, uint32_t flags) -{ - cc->flags &= ~flags; -} - /* * If this flag is set, then the server will enforce its own cipher suite * preference order; otherwise, it follows the client preferences. */ #define BR_OPT_ENFORCE_SERVER_PREFERENCES ((uint32_t)1 << 0) +/* + * If this flag is set, then renegotiations are rejected unconditionally: + * they won't be honoured if asked for programmatically, and requests from + * the peer are rejected. + */ +#define BR_OPT_NO_RENEGOTIATION ((uint32_t)1 << 1) + /* * Each br_ssl_server_init_xxx() function sets the list of supported * cipher suites and used implementations, as specified by the profile