Slightly reformat ssl.h.in

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15230)
2025-03-19 19:50:42 +08:00 · 2021-05-11 13:09:24 -04:00 · 2021-05-11 13:09:24 -04:00 · f04bb0bce4
commit f04bb0bce4
parent 56bd17830f
6 changed files with 110 additions and 127 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -23,6 +23,12 @@ OpenSSL 3.0

 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]

+ * The signatures of the functions to get and set options on SSL and
+   SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
+   Some source code changes may be required.
+
+   * Rich Salz *
+
 * Add "abspath" and "includedir" pragma's to config files, to prevent,
   or modify relative pathname inclusion.

--- a/doc/man3/OSSL_CORE_MAKE_FUNC.pod
+++ b/doc/man3/OSSL_CORE_MAKE_FUNC.pod
@ -2,13 +2,16 @@

 =head1 NAME

-OSSL_CORE_MAKE_FUNC - OpenSSL reserved symbols
+OSSL_CORE_MAKE_FUNC,
+SSL_OP_BIT
+- OpenSSL reserved symbols

 =head1 SYNOPSIS

 #include <openssl/core_dispatch.h>

 #define OSSL_CORE_MAKE_FUNC(type,name,args)
+ #define SSL_OP_BIT(n)

 =head1 DESCRIPTION

--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@ -14,7 +14,7 @@ SSL_get_secure_renegotiation_support - manipulate SSL options
 uint64_t SSL_set_options(SSL *ssl, uint64_t options);

 uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t options);
- uint64_t SSL_clear_options(SSL *ssuint64_t, long options);
+ uint64_t SSL_clear_options(SSL *ssl, uint64_t options);

 uint64_t SSL_CTX_get_options(SSL_CTX *ctx);
 uint64_t SSL_get_options(SSL *ssl);
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@ -316,158 +316,131 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
 /* Typedef for SSL async callback */
 typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);

-/* Disable Extended master secret */
-# define SSL_OP_NO_EXTENDED_MASTER_SECRET                (uint64_t)0x00000001
-
-/* Cleanse plaintext copies of data delivered to the application */
-# define SSL_OP_CLEANSE_PLAINTEXT                        (uint64_t)0x00000002
-
-/* Allow initial connection to servers that don't support RI */
-# define SSL_OP_LEGACY_SERVER_CONNECT                    (uint64_t)0x00000004
-
-/* Enable support for Kernel TLS */
-# define SSL_OP_ENABLE_KTLS                              (uint64_t)0x00000008
-
-# define SSL_OP_TLSEXT_PADDING                           (uint64_t)0x00000010
-# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   (uint64_t)0x00000040
-# define SSL_OP_IGNORE_UNEXPECTED_EOF                    (uint64_t)0x00000080
-
-# define SSL_OP_DISABLE_TLSEXT_CA_NAMES                  (uint64_t)0x00000200
-
-/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
-# define SSL_OP_ALLOW_NO_DHE_KEX                         (uint64_t)0x00000400
+#define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)

 /*
- * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
- * OpenSSL 0.9.6d.  Usually (depending on the application protocol) the
- * workaround is not needed.  Unfortunately some broken SSL/TLS
- * implementations cannot handle it at all, which is why we include it in
- * SSL_OP_ALL. Added in 0.9.6e
+ * SSL/TLS connection options.
 */
-# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              (uint64_t)0x00000800
-
-/* DTLS options */
-# define SSL_OP_NO_QUERY_MTU                             (uint64_t)0x00001000
-/* Turn on Cookie Exchange (on relevant for servers) */
-# define SSL_OP_COOKIE_EXCHANGE                          (uint64_t)0x00002000
-/* Don't use RFC4507 ticket extension */
-# define SSL_OP_NO_TICKET                                (uint64_t)0x00004000
+    /* Disable Extended master secret */
+# define SSL_OP_NO_EXTENDED_MASTER_SECRET                SSL_OP_BIT(0)
+    /* Cleanse plaintext copies of data delivered to the application */
+# define SSL_OP_CLEANSE_PLAINTEXT                        SSL_OP_BIT(1)
+    /* Allow initial connection to servers that don't support RI */
+# define SSL_OP_LEGACY_SERVER_CONNECT                    SSL_OP_BIT(2)
+    /* Enable support for Kernel TLS */
+# define SSL_OP_ENABLE_KTLS                              SSL_OP_BIT(3)
+# define SSL_OP_TLSEXT_PADDING                           SSL_OP_BIT(4)
+# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   SSL_OP_BIT(6)
+# define SSL_OP_IGNORE_UNEXPECTED_EOF                    SSL_OP_BIT(7)
+# define SSL_OP_ALLOW_CLIENT_RENEGOTIATION               SSL_OP_BIT(8)
+# define SSL_OP_DISABLE_TLSEXT_CA_NAMES                  SSL_OP_BIT(9)
+    /* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
+# define SSL_OP_ALLOW_NO_DHE_KEX                         SSL_OP_BIT(10)
+    /*
+     * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+     * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
+     * the workaround is not needed.  Unfortunately some broken SSL/TLS
+     * implementations cannot handle it at all, which is why we include it
+     * in SSL_OP_ALL. Added in 0.9.6e
+     */
+# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              SSL_OP_BIT(11)
+    /* DTLS options */
+# define SSL_OP_NO_QUERY_MTU                             SSL_OP_BIT(12)
+    /* Turn on Cookie Exchange (on relevant for servers) */
+# define SSL_OP_COOKIE_EXCHANGE                          SSL_OP_BIT(13)
+    /* Don't use RFC4507 ticket extension */
+# define SSL_OP_NO_TICKET                                SSL_OP_BIT(14)
 # ifndef OPENSSL_NO_DTLS1_METHOD
-/* Use Cisco's "speshul" version of DTLS_BAD_VER
- * (only with deprecated DTLSv1_client_method())  */
-#  define SSL_OP_CISCO_ANYCONNECT                        (uint64_t)0x00008000
+    /*
+     * Use Cisco's version identifier of DTLS_BAD_VER
+     * (only with deprecated DTLSv1_client_method())
+     */
+#  define SSL_OP_CISCO_ANYCONNECT                        SSL_OP_BIT(15)
 # endif
-
-/* As server, disallow session resumption on renegotiation */
-# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   (uint64_t)0x00010000
-/* Don't use compression even if supported */
-# define SSL_OP_NO_COMPRESSION                           (uint64_t)0x00020000
-/* Permit unsafe legacy renegotiation */
-# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        (uint64_t)0x00040000
-/* Disable encrypt-then-mac */
-# define SSL_OP_NO_ENCRYPT_THEN_MAC                      (uint64_t)0x00080000
+    /* As server, disallow session resumption on renegotiation */
+# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   SSL_OP_BIT(16)
+    /* Don't use compression even if supported */
+# define SSL_OP_NO_COMPRESSION                           SSL_OP_BIT(17)
+    /* Permit unsafe legacy renegotiation */
+# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        SSL_OP_BIT(18)
+    /* Disable encrypt-then-mac */
+# define SSL_OP_NO_ENCRYPT_THEN_MAC                      SSL_OP_BIT(19)
+    /*
+     * Enable TLSv1.3 Compatibility mode. This is on by default. A future
+     * version of OpenSSL may have this disabled by default.
+     */
+# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT                  SSL_OP_BIT(20)
+    /*
+     * Prioritize Chacha20Poly1305 when client does.
+     * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE
+     */
+# define SSL_OP_PRIORITIZE_CHACHA                        SSL_OP_BIT(21)
+    /*
+     * Set on servers to choose the cipher according to server's preferences.
+     */
+# define SSL_OP_CIPHER_SERVER_PREFERENCE                 SSL_OP_BIT(22)
+    /*
+     * If set, a server will allow a client to issue a SSLv3.0 version
+     * number as latest version supported in the premaster secret, even when
+     * TLSv1.0 (version 3.1) was announced in the client hello. Normally
+     * this is forbidden to prevent version rollback attacks.
+     */
+# define SSL_OP_TLS_ROLLBACK_BUG                         SSL_OP_BIT(23)
+    /*
+     * Switches off automatic TLSv1.3 anti-replay protection for early data.
+     * This is a server-side option only (no effect on the client).
+     */
+# define SSL_OP_NO_ANTI_REPLAY                           SSL_OP_BIT(24)
+# define SSL_OP_NO_SSLv3                                 SSL_OP_BIT(25)
+# define SSL_OP_NO_TLSv1                                 SSL_OP_BIT(26)
+# define SSL_OP_NO_TLSv1_2                               SSL_OP_BIT(27)
+# define SSL_OP_NO_TLSv1_1                               SSL_OP_BIT(28)
+# define SSL_OP_NO_TLSv1_3                               SSL_OP_BIT(29)
+# define SSL_OP_NO_DTLSv1                                SSL_OP_BIT(26)
+# define SSL_OP_NO_DTLSv1_2                              SSL_OP_BIT(27)
+    /* Disallow all renegotiation */
+# define SSL_OP_NO_RENEGOTIATION                         SSL_OP_BIT(30)
+    /*
+     * Make server add server-hello extension from early version of
+     * cryptopro draft, when GOST ciphersuite is negotiated. Required for
+     * interoperability with CryptoPro CSP 3.x
+     */
+# define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     SSL_OP_BIT(31)

 /*
- * Enable TLSv1.3 Compatibility mode. This is on by default. A future version
- * of OpenSSL may have this disabled by default.
+ * Option "collections."
 */
-# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT                  (uint64_t)0x00100000
+# define SSL_OP_NO_SSL_MASK \
+        ( SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 \
+          | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 )
+# define SSL_OP_NO_DTLS_MASK \
+        ( SSL_OP_NO_DTLSv1 | SSL_OP_NO_DTLSv1_2 )

-/* Prioritize Chacha20Poly1305 when client does.
- * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE */
-# define SSL_OP_PRIORITIZE_CHACHA                        (uint64_t)0x00200000
+/* Various bug workarounds that should be rather harmless. */
+# define SSL_OP_ALL \
+        ( SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS \
+          | SSL_OP_TLSEXT_PADDING | SSL_OP_SAFARI_ECDHE_ECDSA_BUG )

 /*
- * Set on servers to choose the cipher according to the server's preferences
+ * OBSOLETE OPTIONS retained for compatibility
 */
-# define SSL_OP_CIPHER_SERVER_PREFERENCE                 (uint64_t)0x00400000
-/*
- * If set, a server will allow a client to issue a SSLv3.0 version number as
- * latest version supported in the premaster secret, even when TLSv1.0
- * (version 3.1) was announced in the client hello. Normally this is
- * forbidden to prevent version rollback attacks.
- */
-# define SSL_OP_TLS_ROLLBACK_BUG                         (uint64_t)0x00800000

-/*
- * Switches off automatic TLSv1.3 anti-replay protection for early data. This
- * is a server-side option only (no effect on the client).
- */
-# define SSL_OP_NO_ANTI_REPLAY                           (uint64_t)0x01000000
-
-# define SSL_OP_NO_SSLv3                                 (uint64_t)0x02000000
-# define SSL_OP_NO_TLSv1                                 (uint64_t)0x04000000
-# define SSL_OP_NO_TLSv1_2                               (uint64_t)0x08000000
-# define SSL_OP_NO_TLSv1_1                               (uint64_t)0x10000000
-# define SSL_OP_NO_TLSv1_3                               (uint64_t)0x20000000
-
-# define SSL_OP_NO_DTLSv1                                (uint64_t)0x04000000
-# define SSL_OP_NO_DTLSv1_2                              (uint64_t)0x08000000
-
-# define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
-        SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)
-# define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
-
-/* Disallow all renegotiation */
-# define SSL_OP_NO_RENEGOTIATION                         (uint64_t)0x40000000
-
-/*
- * Make server add server-hello extension from early version of cryptopro
- * draft, when GOST ciphersuite is negotiated. Required for interoperability
- * with CryptoPro CSP 3.x
- */
-# define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     (uint64_t)0x80000000
-
-/*
- * SSL_OP_ALL: various bug workarounds that should be rather harmless.
- * This used to be 0x000FFFFFL before 0.9.7.
- * This used to be 0x80000BFFU before 1.1.1.
- */
-# define SSL_OP_ALL        (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\
-                            SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\
-                            SSL_OP_TLSEXT_PADDING|\
-                            SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-
-/* OBSOLETE OPTIONS: retained for compatibility */
-
-/* Removed from OpenSSL 1.1.0. Was 0x00000001L */
-/* Related to removed SSLv2. */
 # define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000002L */
-/* Related to removed SSLv2. */
 # define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x0
-/* Removed from OpenSSL 0.9.8q and 1.0.0c. Was 0x00000008L */
-/* Dead forever, see CVE-2010-4180 */
 # define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x0
-/* Removed from OpenSSL 1.0.1h and 1.0.2. Was 0x00000010L */
-/* Refers to ancient SSLREF and SSLv2. */
 # define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000020 */
 # define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x0
-/* Removed from OpenSSL 0.9.7h and 0.9.8b. Was 0x00000040L */
 # define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000080 */
-/* Ancient SSLeay version. */
 # define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000100L */
 # define SSL_OP_TLS_D5_BUG                               0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000200L */
 # define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00080000L */
 # define SSL_OP_SINGLE_ECDH_USE                          0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00100000L */
 # define SSL_OP_SINGLE_DH_USE                            0x0
-/* Removed from OpenSSL 1.0.1k and 1.0.2. Was 0x00200000L */
 # define SSL_OP_EPHEMERAL_RSA                            0x0
-/* Removed from OpenSSL 1.1.0. Was 0x01000000L */
 # define SSL_OP_NO_SSLv2                                 0x0
-/* Removed from OpenSSL 1.0.1. Was 0x08000000L */
 # define SSL_OP_PKCS1_CHECK_1                            0x0
-/* Removed from OpenSSL 1.0.1. Was 0x10000000L */
 # define SSL_OP_PKCS1_CHECK_2                            0x0
-/* Removed from OpenSSL 1.1.0. Was 0x20000000L */
 # define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
-/* Removed from OpenSSL 1.1.0. Was 0x40000000L */
 # define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x0

 /*
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@ -104,7 +104,7 @@ struct ssl_conf_ctx_st {
 };

 static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
-                           unsigned long option_value, int onoff)
+                           uint64_t option_value, int onoff)
 {
    uint32_t *pflags;

@ -121,7 +121,7 @@ static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
    case SSL_TFLAG_VFY:
        pflags = cctx->pvfy_flags;
        break;
-        
+
    case SSL_TFLAG_OPTION:
        if (onoff)
            *cctx->poptions |= option_value;
--- a/util/other.syms
+++ b/util/other.syms
@ -514,6 +514,7 @@ SSL_CTX_set_tlsext_ticket_key_cb        define
 SSL_CTX_set_tmp_dh                      define
 SSL_CTX_set_tmp_ecdh                    define
 SSL_DEFAULT_CIPHER_LIST                 define deprecated 3.0.0
+SSL_OP_BIT                              define
 SSL_add0_chain_cert                     define
 SSL_add1_chain_cert                     define
 SSL_build_cert_chain                    define