diff options
| author | Arne Schwabe <arne@rfc2549.org> | 2014-10-28 23:07:58 +0100 |
|---|---|---|
| committer | Arne Schwabe <arne@rfc2549.org> | 2014-10-28 23:07:58 +0100 |
| commit | 192f5b50e32ed14945317325a5465f40abfcc587 (patch) | |
| tree | c58aa6ba75e3c0acaa4f9d91ab62efecf8d838bc /main/openssl/include | |
| parent | 22feeb602f32f1d58f4aa5168b5fc139e086e85d (diff) | |
Update Openssl to aosp/master (includes useless (for OpenVPN)) SSLv3 Fallback fix
--HG--
extra : rebase_source : 4ec3b7a7844aa1ca198c4538ecdf28f027ceb1b1
Diffstat (limited to 'main/openssl/include')
| -rw-r--r-- | main/openssl/include/openssl/dtls1.h | 3 | ||||
| -rw-r--r-- | main/openssl/include/openssl/ssl.h | 10 | ||||
| -rw-r--r-- | main/openssl/include/openssl/ssl3.h | 7 | ||||
| -rw-r--r-- | main/openssl/include/openssl/tls1.h | 15 |
4 files changed, 27 insertions, 8 deletions
diff --git a/main/openssl/include/openssl/dtls1.h b/main/openssl/include/openssl/dtls1.h index e65d5011..192c5def 100644 --- a/main/openssl/include/openssl/dtls1.h +++ b/main/openssl/include/openssl/dtls1.h @@ -84,6 +84,8 @@ extern "C" { #endif #define DTLS1_VERSION 0xFEFF +#define DTLS_MAX_VERSION DTLS1_VERSION + #define DTLS1_BAD_VER 0x0100 #if 0 @@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st } #endif #endif - diff --git a/main/openssl/include/openssl/ssl.h b/main/openssl/include/openssl/ssl.h index 7566f2df..a89ab237 100644 --- a/main/openssl/include/openssl/ssl.h +++ b/main/openssl/include/openssl/ssl.h @@ -676,6 +676,11 @@ struct ssl_session_st * attacks. */ #define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L +/* Send TLS_FALLBACK_SCSV in the ClientHello. + * To be set by applications that reconnect with a downgraded protocol + * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ +#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000200L + /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ @@ -1615,6 +1620,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1729,6 +1735,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 +#define SSL_CTRL_CHECK_PROTO_VERSION 119 + #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) #define DTLSv1_handle_timeout(ssl) \ @@ -2519,6 +2527,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 283 +#define SSL_R_INAPPROPRIATE_FALLBACK 380 #define SSL_R_INCONSISTENT_COMPRESSION 340 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 @@ -2668,6 +2677,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 +#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 diff --git a/main/openssl/include/openssl/ssl3.h b/main/openssl/include/openssl/ssl3.h index 83d59bff..cba94345 100644 --- a/main/openssl/include/openssl/ssl3.h +++ b/main/openssl/include/openssl/ssl3.h @@ -128,9 +128,14 @@ extern "C" { #endif -/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ +/* Signalling cipher suite value from RFC 5746 + * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */ #define SSL3_CK_SCSV 0x030000FF +/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00 + * (TLS_FALLBACK_SCSV) */ +#define SSL3_CK_FALLBACK_SCSV 0x03005600 + #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 diff --git a/main/openssl/include/openssl/tls1.h b/main/openssl/include/openssl/tls1.h index b9a0899e..dc36f79f 100644 --- a/main/openssl/include/openssl/tls1.h +++ b/main/openssl/include/openssl/tls1.h @@ -159,17 +159,19 @@ extern "C" { #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 +#define TLS1_VERSION 0x0301 +#define TLS1_1_VERSION 0x0302 #define TLS1_2_VERSION 0x0303 -#define TLS1_2_VERSION_MAJOR 0x03 -#define TLS1_2_VERSION_MINOR 0x03 +#define TLS_MAX_VERSION TLS1_2_VERSION + +#define TLS1_VERSION_MAJOR 0x03 +#define TLS1_VERSION_MINOR 0x01 -#define TLS1_1_VERSION 0x0302 #define TLS1_1_VERSION_MAJOR 0x03 #define TLS1_1_VERSION_MINOR 0x02 -#define TLS1_VERSION 0x0301 -#define TLS1_VERSION_MAJOR 0x03 -#define TLS1_VERSION_MINOR 0x01 +#define TLS1_2_VERSION_MAJOR 0x03 +#define TLS1_2_VERSION_MINOR 0x03 #define TLS1_get_version(s) \ ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) @@ -187,6 +189,7 @@ extern "C" { #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ +#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 /* codes 110-114 are from RFC3546 */ |