external/boringssl: Sync to ab20cec1c1de815de8da6cc74c2503460efd6e1c.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/b2ff2623a88a65fd4db42d3820f3d8c64e8ab180..ab20cec1c1de815de8da6cc74c2503460efd6e1c
Change-Id: I68612cda7addda1a39f13abcee78c39ebb0ee361
Test: Libcore CTS presubmit
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index 544259c..a90294e 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -502,6 +502,8 @@
/* Custom extensions */
+typedef struct ssl_handshake_st SSL_HANDSHAKE;
+
/* ssl_custom_extension (a.k.a. SSL_CUSTOM_EXTENSION) is a structure that
* contains information about custom-extension callbacks. */
struct ssl_custom_extension {
@@ -1683,6 +1685,169 @@
unsigned timeout_duration_ms;
} DTLS1_STATE;
+struct ssl_st {
+ /* method is the method table corresponding to the current protocol (DTLS or
+ * TLS). */
+ const SSL_PROTOCOL_METHOD *method;
+
+ /* version is the protocol version. */
+ int version;
+
+ /* max_version is the maximum acceptable protocol version. Note this version
+ * is normalized in DTLS. */
+ uint16_t max_version;
+
+ /* min_version is the minimum acceptable protocol version. Note this version
+ * is normalized in DTLS. */
+ uint16_t min_version;
+
+ uint16_t max_send_fragment;
+
+ /* There are 2 BIO's even though they are normally both the same. This is so
+ * data can be read and written to different handlers */
+
+ BIO *rbio; /* used by SSL_read */
+ BIO *wbio; /* used by SSL_write */
+
+ int (*handshake_func)(SSL_HANDSHAKE *hs);
+
+ BUF_MEM *init_buf; /* buffer used during init */
+
+ /* init_msg is a pointer to the current handshake message body. */
+ const uint8_t *init_msg;
+ /* init_num is the length of the current handshake message body. */
+ uint32_t init_num;
+
+ struct ssl3_state_st *s3; /* SSLv3 variables */
+ struct dtls1_state_st *d1; /* DTLSv1 variables */
+
+ /* callback that allows applications to peek at protocol messages */
+ void (*msg_callback)(int write_p, int version, int content_type,
+ const void *buf, size_t len, SSL *ssl, void *arg);
+ void *msg_callback_arg;
+
+ X509_VERIFY_PARAM *param;
+
+ /* crypto */
+ struct ssl_cipher_preference_list_st *cipher_list;
+
+ /* session info */
+
+ /* client cert? */
+ /* This is used to hold the server certificate used */
+ struct cert_st /* CERT */ *cert;
+
+ /* This holds a variable that indicates what we were doing when a 0 or -1 is
+ * returned. This is needed for non-blocking IO so we know what request
+ * needs re-doing when in SSL_accept or SSL_connect */
+ int rwstate;
+
+ /* initial_timeout_duration_ms is the default DTLS timeout duration in
+ * milliseconds. It's used to initialize the timer any time it's restarted. */
+ unsigned initial_timeout_duration_ms;
+
+ /* the session_id_context is used to ensure sessions are only reused
+ * in the appropriate context */
+ uint8_t sid_ctx_length;
+ uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+
+ /* session is the configured session to be offered by the client. This session
+ * is immutable. */
+ SSL_SESSION *session;
+
+ int (*verify_callback)(int ok,
+ X509_STORE_CTX *ctx); /* fail if callback returns 0 */
+
+ void (*info_callback)(const SSL *ssl, int type, int value);
+
+ /* Server-only: psk_identity_hint is the identity hint to send in
+ * PSK-based key exchanges. */
+ char *psk_identity_hint;
+
+ unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
+ char *identity,
+ unsigned int max_identity_len,
+ uint8_t *psk, unsigned int max_psk_len);
+ unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
+ uint8_t *psk, unsigned int max_psk_len);
+
+ SSL_CTX *ctx;
+
+ /* extra application data */
+ CRYPTO_EX_DATA ex_data;
+
+ /* for server side, keep the list of CA_dn we can use */
+ STACK_OF(X509_NAME) *client_CA;
+
+ uint32_t options; /* protocol behaviour */
+ uint32_t mode; /* API behaviour */
+ uint32_t max_cert_list;
+ char *tlsext_hostname;
+ size_t supported_group_list_len;
+ uint16_t *supported_group_list; /* our list */
+
+ SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */
+
+ /* srtp_profiles is the list of configured SRTP protection profiles for
+ * DTLS-SRTP. */
+ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+
+ /* srtp_profile is the selected SRTP protection profile for
+ * DTLS-SRTP. */
+ const SRTP_PROTECTION_PROFILE *srtp_profile;
+
+ /* The client's Channel ID private key. */
+ EVP_PKEY *tlsext_channel_id_private;
+
+ /* For a client, this contains the list of supported protocols in wire
+ * format. */
+ uint8_t *alpn_client_proto_list;
+ unsigned alpn_client_proto_list_len;
+
+ /* renegotiate_mode controls how peer renegotiation attempts are handled. */
+ enum ssl_renegotiate_mode_t renegotiate_mode;
+
+ /* verify_mode is a bitmask of |SSL_VERIFY_*| values. */
+ uint8_t verify_mode;
+
+ /* server is true iff the this SSL* is the server half. Note: before the SSL*
+ * is initialized by either SSL_set_accept_state or SSL_set_connect_state,
+ * the side is not determined. In this state, server is always false. */
+ unsigned server:1;
+
+ /* quiet_shutdown is true if the connection should not send a close_notify on
+ * shutdown. */
+ unsigned quiet_shutdown:1;
+
+ /* Enable signed certificate time stamps. Currently client only. */
+ unsigned signed_cert_timestamps_enabled:1;
+
+ /* ocsp_stapling_enabled is only used by client connections and indicates
+ * whether OCSP stapling will be requested. */
+ unsigned ocsp_stapling_enabled:1;
+
+ /* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server,
+ * means that we'll accept Channel IDs from clients. For a client, means that
+ * we'll advertise support. */
+ unsigned tlsext_channel_id_enabled:1;
+
+ /* retain_only_sha256_of_client_certs is true if we should compute the SHA256
+ * hash of the peer's certificate and then discard it to save memory and
+ * session space. Only effective on the server side. */
+ unsigned retain_only_sha256_of_client_certs:1;
+
+ /* session_timeout is the default lifetime in seconds of the session
+ * created in this connection at TLS 1.2 and earlier. */
+ long session_timeout;
+
+ /* session_psk_dhe_timeout is the default lifetime in seconds of sessions
+ * created in this connection at TLS 1.3. */
+ long session_psk_dhe_timeout;
+
+ /* OCSP response to be sent to the client, if requested. */
+ CRYPTO_BUFFER *ocsp_response;
+};
+
extern const SSL3_ENC_METHOD TLSv1_enc_data;
extern const SSL3_ENC_METHOD SSLv3_enc_data;