[openssl] master update
Matt Caswell
matt at openssl.org
Fri May 14 09:13:13 UTC 2021
The branch master has been updated
via f04bb0bce490de847ed0482b8ec9eabedd173852 (commit)
via 56bd17830f2d5855b533d923d4e0649d3ed61d11 (commit)
from 8a0f65f06b0b0fa0411175bcd764c818d9c52469 (commit)
- Log -----------------------------------------------------------------
commit f04bb0bce490de847ed0482b8ec9eabedd173852
Author: Rich Salz <rsalz at akamai.com>
Date: Tue May 11 13:09:24 2021 -0400
Slightly reformat ssl.h.in
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15230)
commit 56bd17830f2d5855b533d923d4e0649d3ed61d11
Author: Rich Salz <rsalz at akamai.com>
Date: Tue May 11 10:51:13 2021 -0400
Convert SSL_{CTX}_[gs]et_options to 64
Less tersely: converted SSL_get_options, SSL_set_options,
SSL_CTX_get_options and SSL_CTX_get_options to take and return uint64_t
since we were running out of 32 bits.
Fixes: 15145
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15230)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 6 +
doc/man3/OSSL_CORE_MAKE_FUNC.pod | 5 +-
doc/man3/SSL_CTX_set_options.pod | 12 +-
include/openssl/ssl.h.in | 231 +++++++++++++++++----------------------
ssl/ssl_conf.c | 16 ++-
ssl/ssl_lib.c | 17 +--
ssl/ssl_local.h | 4 +-
util/other.syms | 1 +
8 files changed, 137 insertions(+), 155 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index e4e33e4e88..8c72ac33d0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,12 @@ OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * The signatures of the functions to get and set options on SSL and
+ SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
+ Some source code changes may be required.
+
+ * Rich Salz *
+
* Add "abspath" and "includedir" pragma's to config files, to prevent,
or modify relative pathname inclusion.
diff --git a/doc/man3/OSSL_CORE_MAKE_FUNC.pod b/doc/man3/OSSL_CORE_MAKE_FUNC.pod
index 409c19db62..751a01fc57 100644
--- a/doc/man3/OSSL_CORE_MAKE_FUNC.pod
+++ b/doc/man3/OSSL_CORE_MAKE_FUNC.pod
@@ -2,13 +2,16 @@
=head1 NAME
-OSSL_CORE_MAKE_FUNC - OpenSSL reserved symbols
+OSSL_CORE_MAKE_FUNC,
+SSL_OP_BIT
+- OpenSSL reserved symbols
=head1 SYNOPSIS
#include <openssl/core_dispatch.h>
#define OSSL_CORE_MAKE_FUNC(type,name,args)
+ #define SSL_OP_BIT(n)
=head1 DESCRIPTION
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index e84aaac8a8..7b179099e1 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -10,14 +10,14 @@ SSL_get_secure_renegotiation_support - manipulate SSL options
#include <openssl/ssl.h>
- long SSL_CTX_set_options(SSL_CTX *ctx, long options);
- long SSL_set_options(SSL *ssl, long options);
+ uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t options);
+ uint64_t SSL_set_options(SSL *ssl, uint64_t options);
- long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
- long SSL_clear_options(SSL *ssl, long options);
+ uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t options);
+ uint64_t SSL_clear_options(SSL *ssl, uint64_t options);
- long SSL_CTX_get_options(SSL_CTX *ctx);
- long SSL_get_options(SSL *ssl);
+ uint64_t SSL_CTX_get_options(SSL_CTX *ctx);
+ uint64_t SSL_get_options(SSL *ssl);
long SSL_get_secure_renegotiation_support(SSL *ssl);
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 5dd473c9bd..a227090263 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -316,158 +316,131 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
/* Typedef for SSL async callback */
typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
-/* Disable Extended master secret */
-# define SSL_OP_NO_EXTENDED_MASTER_SECRET 0x00000001U
-
-/* Cleanse plaintext copies of data delivered to the application */
-# define SSL_OP_CLEANSE_PLAINTEXT 0x00000002U
-
-/* Allow initial connection to servers that don't support RI */
-# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
-
-/* Enable support for Kernel TLS */
-# define SSL_OP_ENABLE_KTLS 0x00000008U
-
-# define SSL_OP_TLSEXT_PADDING 0x00000010U
-# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
-# define SSL_OP_IGNORE_UNEXPECTED_EOF 0x00000080U
-
-# define SSL_OP_DISABLE_TLSEXT_CA_NAMES 0x00000200U
-
-/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
-# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000400U
+#define SSL_OP_BIT(n) ((uint64_t)1 << (uint64_t)n)
/*
- * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
- * OpenSSL 0.9.6d. Usually (depending on the application protocol) the
- * workaround is not needed. Unfortunately some broken SSL/TLS
- * implementations cannot handle it at all, which is why we include it in
- * SSL_OP_ALL. Added in 0.9.6e
+ * SSL/TLS connection options.
*/
-# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800U
-
-/* DTLS options */
-# define SSL_OP_NO_QUERY_MTU 0x00001000U
-/* Turn on Cookie Exchange (on relevant for servers) */
-# define SSL_OP_COOKIE_EXCHANGE 0x00002000U
-/* Don't use RFC4507 ticket extension */
-# define SSL_OP_NO_TICKET 0x00004000U
+ /* Disable Extended master secret */
+# define SSL_OP_NO_EXTENDED_MASTER_SECRET SSL_OP_BIT(0)
+ /* Cleanse plaintext copies of data delivered to the application */
+# define SSL_OP_CLEANSE_PLAINTEXT SSL_OP_BIT(1)
+ /* Allow initial connection to servers that don't support RI */
+# define SSL_OP_LEGACY_SERVER_CONNECT SSL_OP_BIT(2)
+ /* Enable support for Kernel TLS */
+# define SSL_OP_ENABLE_KTLS SSL_OP_BIT(3)
+# define SSL_OP_TLSEXT_PADDING SSL_OP_BIT(4)
+# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG SSL_OP_BIT(6)
+# define SSL_OP_IGNORE_UNEXPECTED_EOF SSL_OP_BIT(7)
+# define SSL_OP_ALLOW_CLIENT_RENEGOTIATION SSL_OP_BIT(8)
+# define SSL_OP_DISABLE_TLSEXT_CA_NAMES SSL_OP_BIT(9)
+ /* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
+# define SSL_OP_ALLOW_NO_DHE_KEX SSL_OP_BIT(10)
+ /*
+ * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+ * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
+ * the workaround is not needed. Unfortunately some broken SSL/TLS
+ * implementations cannot handle it at all, which is why we include it
+ * in SSL_OP_ALL. Added in 0.9.6e
+ */
+# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_BIT(11)
+ /* DTLS options */
+# define SSL_OP_NO_QUERY_MTU SSL_OP_BIT(12)
+ /* Turn on Cookie Exchange (on relevant for servers) */
+# define SSL_OP_COOKIE_EXCHANGE SSL_OP_BIT(13)
+ /* Don't use RFC4507 ticket extension */
+# define SSL_OP_NO_TICKET SSL_OP_BIT(14)
# ifndef OPENSSL_NO_DTLS1_METHOD
-/* Use Cisco's "speshul" version of DTLS_BAD_VER
- * (only with deprecated DTLSv1_client_method()) */
-# define SSL_OP_CISCO_ANYCONNECT 0x00008000U
+ /*
+ * Use Cisco's version identifier of DTLS_BAD_VER
+ * (only with deprecated DTLSv1_client_method())
+ */
+# define SSL_OP_CISCO_ANYCONNECT SSL_OP_BIT(15)
# endif
-
-/* As server, disallow session resumption on renegotiation */
-# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000U
-/* Don't use compression even if supported */
-# define SSL_OP_NO_COMPRESSION 0x00020000U
-/* Permit unsafe legacy renegotiation */
-# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
-/* Disable encrypt-then-mac */
-# define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U
+ /* As server, disallow session resumption on renegotiation */
+# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_BIT(16)
+ /* Don't use compression even if supported */
+# define SSL_OP_NO_COMPRESSION SSL_OP_BIT(17)
+ /* Permit unsafe legacy renegotiation */
+# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_BIT(18)
+ /* Disable encrypt-then-mac */
+# define SSL_OP_NO_ENCRYPT_THEN_MAC SSL_OP_BIT(19)
+ /*
+ * Enable TLSv1.3 Compatibility mode. This is on by default. A future
+ * version of OpenSSL may have this disabled by default.
+ */
+# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT SSL_OP_BIT(20)
+ /*
+ * Prioritize Chacha20Poly1305 when client does.
+ * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE
+ */
+# define SSL_OP_PRIORITIZE_CHACHA SSL_OP_BIT(21)
+ /*
+ * Set on servers to choose the cipher according to server's preferences.
+ */
+# define SSL_OP_CIPHER_SERVER_PREFERENCE SSL_OP_BIT(22)
+ /*
+ * If set, a server will allow a client to issue a SSLv3.0 version
+ * number as latest version supported in the premaster secret, even when
+ * TLSv1.0 (version 3.1) was announced in the client hello. Normally
+ * this is forbidden to prevent version rollback attacks.
+ */
+# define SSL_OP_TLS_ROLLBACK_BUG SSL_OP_BIT(23)
+ /*
+ * Switches off automatic TLSv1.3 anti-replay protection for early data.
+ * This is a server-side option only (no effect on the client).
+ */
+# define SSL_OP_NO_ANTI_REPLAY SSL_OP_BIT(24)
+# define SSL_OP_NO_SSLv3 SSL_OP_BIT(25)
+# define SSL_OP_NO_TLSv1 SSL_OP_BIT(26)
+# define SSL_OP_NO_TLSv1_2 SSL_OP_BIT(27)
+# define SSL_OP_NO_TLSv1_1 SSL_OP_BIT(28)
+# define SSL_OP_NO_TLSv1_3 SSL_OP_BIT(29)
+# define SSL_OP_NO_DTLSv1 SSL_OP_BIT(26)
+# define SSL_OP_NO_DTLSv1_2 SSL_OP_BIT(27)
+ /* Disallow all renegotiation */
+# define SSL_OP_NO_RENEGOTIATION SSL_OP_BIT(30)
+ /*
+ * Make server add server-hello extension from early version of
+ * cryptopro draft, when GOST ciphersuite is negotiated. Required for
+ * interoperability with CryptoPro CSP 3.x
+ */
+# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
/*
- * Enable TLSv1.3 Compatibility mode. This is on by default. A future version
- * of OpenSSL may have this disabled by default.
+ * Option "collections."
*/
-# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0x00100000U
-
-/* Prioritize Chacha20Poly1305 when client does.
- * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE */
-# define SSL_OP_PRIORITIZE_CHACHA 0x00200000U
+# define SSL_OP_NO_SSL_MASK \
+ ( SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 \
+ | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 )
+# define SSL_OP_NO_DTLS_MASK \
+ ( SSL_OP_NO_DTLSv1 | SSL_OP_NO_DTLSv1_2 )
-/*
- * Set on servers to choose the cipher according to the server's preferences
- */
-# define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000U
-/*
- * If set, a server will allow a client to issue a SSLv3.0 version number as
- * latest version supported in the premaster secret, even when TLSv1.0
- * (version 3.1) was announced in the client hello. Normally this is
- * forbidden to prevent version rollback attacks.
- */
-# define SSL_OP_TLS_ROLLBACK_BUG 0x00800000U
+/* Various bug workarounds that should be rather harmless. */
+# define SSL_OP_ALL \
+ ( SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS \
+ | SSL_OP_TLSEXT_PADDING | SSL_OP_SAFARI_ECDHE_ECDSA_BUG )
/*
- * Switches off automatic TLSv1.3 anti-replay protection for early data. This
- * is a server-side option only (no effect on the client).
+ * OBSOLETE OPTIONS retained for compatibility
*/
-# define SSL_OP_NO_ANTI_REPLAY 0x01000000U
-
-# define SSL_OP_NO_SSLv3 0x02000000U
-# define SSL_OP_NO_TLSv1 0x04000000U
-# define SSL_OP_NO_TLSv1_2 0x08000000U
-# define SSL_OP_NO_TLSv1_1 0x10000000U
-# define SSL_OP_NO_TLSv1_3 0x20000000U
-
-# define SSL_OP_NO_DTLSv1 0x04000000U
-# define SSL_OP_NO_DTLSv1_2 0x08000000U
-
-# define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
- SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)
-# define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
-
-/* Disallow all renegotiation */
-# define SSL_OP_NO_RENEGOTIATION 0x40000000U
-
-/*
- * Make server add server-hello extension from early version of cryptopro
- * draft, when GOST ciphersuite is negotiated. Required for interoperability
- * with CryptoPro CSP 3.x
- */
-# define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000U
-
-/*
- * SSL_OP_ALL: various bug workarounds that should be rather harmless.
- * This used to be 0x000FFFFFL before 0.9.7.
- * This used to be 0x80000BFFU before 1.1.1.
- */
-# define SSL_OP_ALL (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\
- SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\
- SSL_OP_TLSEXT_PADDING|\
- SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-
-/* OBSOLETE OPTIONS: retained for compatibility */
-/* Removed from OpenSSL 1.1.0. Was 0x00000001L */
-/* Related to removed SSLv2. */
# define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000002L */
-/* Related to removed SSLv2. */
# define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0
-/* Removed from OpenSSL 0.9.8q and 1.0.0c. Was 0x00000008L */
-/* Dead forever, see CVE-2010-4180 */
# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0
-/* Removed from OpenSSL 1.0.1h and 1.0.2. Was 0x00000010L */
-/* Refers to ancient SSLREF and SSLv2. */
# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000020 */
# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0
-/* Removed from OpenSSL 0.9.7h and 0.9.8b. Was 0x00000040L */
# define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000080 */
-/* Ancient SSLeay version. */
# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000100L */
# define SSL_OP_TLS_D5_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00000200L */
# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00080000L */
# define SSL_OP_SINGLE_ECDH_USE 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x00100000L */
# define SSL_OP_SINGLE_DH_USE 0x0
-/* Removed from OpenSSL 1.0.1k and 1.0.2. Was 0x00200000L */
# define SSL_OP_EPHEMERAL_RSA 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x01000000L */
# define SSL_OP_NO_SSLv2 0x0
-/* Removed from OpenSSL 1.0.1. Was 0x08000000L */
# define SSL_OP_PKCS1_CHECK_1 0x0
-/* Removed from OpenSSL 1.0.1. Was 0x10000000L */
# define SSL_OP_PKCS1_CHECK_2 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x20000000L */
# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
-/* Removed from OpenSSL 1.1.0. Was 0x40000000L */
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0
/*
@@ -601,12 +574,12 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
* cannot be used to clear bits.
*/
-unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
-unsigned long SSL_get_options(const SSL *s);
-unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
-unsigned long SSL_clear_options(SSL *s, unsigned long op);
-unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
-unsigned long SSL_set_options(SSL *s, unsigned long op);
+uint64_t SSL_CTX_get_options(const SSL_CTX *ctx);
+uint64_t SSL_get_options(const SSL *s);
+uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op);
+uint64_t SSL_clear_options(SSL *s, uint64_t op);
+uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op);
+uint64_t SSL_set_options(SSL *s, uint64_t op);
# define SSL_CTX_set_mode(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 1f288b5e06..8d1663c0cc 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -24,12 +24,12 @@ typedef struct {
const char *name;
int namelen;
unsigned int name_flags;
- unsigned long option_value;
+ uint64_t option_value;
} ssl_flag_tbl;
/* Switch table: use for single command line switches like no_tls2 */
typedef struct {
- unsigned long option_value;
+ uint64_t option_value;
unsigned int name_flags;
} ssl_switch_tbl;
@@ -84,7 +84,7 @@ struct ssl_conf_ctx_st {
SSL_CTX *ctx;
SSL *ssl;
/* Pointer to SSL or SSL_CTX options field or NULL if none */
- uint32_t *poptions;
+ uint64_t *poptions;
/* Certificate filenames for each type */
char *cert_filename[SSL_PKEY_NUM];
/* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
@@ -104,9 +104,10 @@ struct ssl_conf_ctx_st {
};
static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
- unsigned long option_value, int onoff)
+ uint64_t option_value, int onoff)
{
uint32_t *pflags;
+
if (cctx->poptions == NULL)
return;
if (name_flags & SSL_TFLAG_INV)
@@ -122,8 +123,11 @@ static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
break;
case SSL_TFLAG_OPTION:
- pflags = cctx->poptions;
- break;
+ if (onoff)
+ *cctx->poptions |= option_value;
+ else
+ *cctx->poptions &= ~option_value;
+ return;
default:
return;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c9b49279c5..047fa1a07d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4874,37 +4874,32 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
return ctx->cert->sec_ex;
}
-/*
- * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
- * can return unsigned long, instead of the generic long return value from the
- * control interface.
- */
-unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
+uint64_t SSL_CTX_get_options(const SSL_CTX *ctx)
{
return ctx->options;
}
-unsigned long SSL_get_options(const SSL *s)
+uint64_t SSL_get_options(const SSL *s)
{
return s->options;
}
-unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
+uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op)
{
return ctx->options |= op;
}
-unsigned long SSL_set_options(SSL *s, unsigned long op)
+uint64_t SSL_set_options(SSL *s, uint64_t op)
{
return s->options |= op;
}
-unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
+uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op)
{
return ctx->options &= ~op;
}
-unsigned long SSL_clear_options(SSL *s, unsigned long op)
+uint64_t SSL_clear_options(SSL *s, uint64_t op)
{
return s->options &= ~op;
}
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 023e6f4378..0a6c4bf9ec 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -957,7 +957,7 @@ struct ssl_ctx_st {
* SSL_new)
*/
- uint32_t options;
+ uint64_t options;
uint32_t mode;
int min_proto_version;
int max_proto_version;
@@ -1535,7 +1535,7 @@ struct ssl_st {
STACK_OF(X509_NAME) *client_ca_names;
CRYPTO_REF_COUNT references;
/* protocol behaviour */
- uint32_t options;
+ uint64_t options;
/* API behaviour */
uint32_t mode;
int min_proto_version;
diff --git a/util/other.syms b/util/other.syms
index f8fb0d52e2..466373ad7f 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -514,6 +514,7 @@ SSL_CTX_set_tlsext_ticket_key_cb define
SSL_CTX_set_tmp_dh define
SSL_CTX_set_tmp_ecdh define
SSL_DEFAULT_CIPHER_LIST define deprecated 3.0.0
+SSL_OP_BIT define
SSL_add0_chain_cert define
SSL_add1_chain_cert define
SSL_build_cert_chain define
More information about the openssl-commits
mailing list