-#if defined(SSL_MODE_HANDSHAKE_CUTTHROUGH) && \
- FOLLY_SSLCONTEXT_USE_TLS_FALSE_START
-SSLContext::SSLFalseStartChecker::SSLFalseStartChecker() :
- /**
- * The list was generated as follows:
- * grep "_CK_" openssl-1.0.1e/ssl/s3_lib.c -A 4 |
- * while read A && read B && read C && read D && read E && read F; do
- * echo $A $B $C $D $E; done |
- * grep "\(SSL_kDHr\|SSL_kDHd\|SSL_kEDH\|SSL_kECDHr\|
- * SSL_kECDHe\|SSL_kEECDH\)" | grep -v SSL_aNULL | grep SSL_AES |
- * awk -F, '{ print $1"," }'
- */
- ciphers_{
- TLS1_CK_DH_DSS_WITH_AES_128_SHA,
- TLS1_CK_DH_RSA_WITH_AES_128_SHA,
- TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
- TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
- TLS1_CK_DH_DSS_WITH_AES_256_SHA,
- TLS1_CK_DH_RSA_WITH_AES_256_SHA,
- TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
- TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
- TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_128_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
- TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
- TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_256_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
- TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
- TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- } {
- length_ = sizeof(ciphers_)/sizeof(ciphers_[0]);
- width_ = sizeof(ciphers_[0]);
- qsort(ciphers_, length_, width_, compare_ulong);
-}
-
-bool SSLContext::SSLFalseStartChecker::canUseFalseStartWithCipher(
- const SSL_CIPHER *cipher) {
- unsigned long cid = cipher->id;
- unsigned long *r =
- (unsigned long*)bsearch(&cid, ciphers_, length_, width_, compare_ulong);
- return r != nullptr;
-}
-
-int
-SSLContext::SSLFalseStartChecker::compare_ulong(const void *x, const void *y) {
- if (*(unsigned long *)x < *(unsigned long *)y) {
- return -1;
- }
- if (*(unsigned long *)x > *(unsigned long *)y) {
- return 1;
- }
- return 0;
-};
-
-bool SSLContext::canUseFalseStartWithCipher(const SSL_CIPHER *cipher) {
- return falseStartChecker_.canUseFalseStartWithCipher(cipher);
-}
-#endif
-
-int SSLContext::selectNextProtocolCallback(
- SSL* ssl, unsigned char **out, unsigned char *outlen,
- const unsigned char *server, unsigned int server_len, void *data) {
-