Squashed 'Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/' changes from 275cf80efb..7db7a009b0

7db7a009b0 proto: Client complains about stub compressors 390154d0e4 Update Build instructions for OSX 1b92069834 deps: Update to mbedtls-2.7.12 8cab79540d compression: Extend compression alert to include server pushes 67b4641a99 CompressContext: Add is_any_stub() method cdf9e7bece compression: Issue an Event if compression is activated fa38064403 build script: added a new PROF type "auto" that tries to automatically determine the local platform 7ce7b52b7c MTRand: added OPENVPN_INSECURE_RANDOM compile flag that allows MTRand to masquerade as a secure RNG 85e7e49f72 MTRand: added constructor accepting an initialization seed 1fa3229a10 IPv4, IPv6: added #include <openvpn/common/hash.hpp> 48e9217d26 vcxproj: add missing header file d2a2601b2f Wintun: unmap ring buffers e320bc63ff openssl: Improve OpenSSLContext fencing against multiple declarations 2f8fe2d318 openssl: Missing inline keyword in a couple of compat functions 32b984c0ff enum_dir: use a function template 725ee04593 VPNServerNetblock::Netblock::to_string(): show prefix_len 409d1c52b8 ManClientInstance::Send::describe_user(): added bool show_userprop parameter e05fc16b20 string::indent(): try to fix all the corner cases 4e1645ea80 RunContext: mark virtual Stop* async_stop() with override attribute e8b31c5454 cli: advertise "openurl" as supported SSO method 80b45731eb ICMPv6: added DEST_UNREACH code 679003094d AsioTimerSafe: refactor to allow as drop-in replacement for AsioTimer f7845578f1 RunContext: check for halt in timer closure 84483eda25 AsioPolySock: add support for socket shutdown 1b3402aec3 tcplinkcommon.hpp: added missing include 2e26c7565c time: added nanotime_t typedef c3c8ab7f6b string: added additional detail to split() comment 95ce4f22c8 string: added to_delim() method then redefined first_line() method to use it 448218b1e1 string: added add_leading() method e3b0bf4f5c MSF iterator: allow conversion from ordinary iterator and added exists() method 11412ac50a AsioPolySock: in remote_endpoint_str() method, test for alt_routing_enabled() 9fb4e705f9 Added TimeSkew to skew a time duration by a random flux 7496383002 write_binary_atomic: reduce the length of the temporary filename b31d9c0191 auth-token-user: increase size limit to 340 chars c82644c03a Added BufferLineIterator 115cb656b6 RandomAPI: added randbyte() and randbool() methods 4fa8348689 RunContext: ASIO SIGNAL message now shows signal name rather than number ebfce58513 Added StaticBuffer, a constant-length Buffer for writing that cannot be extended c8f9cb88a4 string::split(): call reserve() on return vector f15e566065 read_binary_unix_fast: should return an int (i.e. errno), not a bool 60501b4513 random: factor out rand32_distribute() from RandomAPI::randrange32() 90123495a5 wintun: get device interfaces list only once ec790df73b wintun: read packets in bulk 0f85d3f729 wintun: use correct io_context when performing initial read a6151cdeab wintun: use auto-reset events 29acfd95f3 libs: update ASIO to 1.14.0 438a0ef287 Remove outdated and unused android build files e9df57969f Merge remote-tracking branch 'origin/released' 44725ad094 ssl: Fix building with OpenSSL 1.0.2 efe3f1f635 version: Reset version reference for git master 8c79c06d94 Make tls-crypt/tls-cryptv2 compile with multiple compilation units 4d18aaeb88 Fix LLVM warnings reported during OS X build 8c9496bb4d Use const_cast for SSL_session_reused 33be562a39 Add missing override keywords to openssl/sslctx.hpp 2c5435a000 dcocli: use compile time define for Tun methods instead of hardcoded iproute 7c39088f00 Allow overriding reported HW_ADDR and support IV_PLAT_VER 7bb1ea19ee Move sending IV_UI_VER and IV_SSO to build_peer_info 23959fa705 Add reporting of IV_SSL_VER 63ab5b5e46 Only initialise static member in OpenSSLContext once ecebb40304 Merge remote-tracking branch 'origin/qa' 52c9702502 wintun: replace volatiles with atomics d720c7104c appveyor: install Strawberry perl 60a253a7ef appveyor: update to VS2019 48f2b5100b wintun: support for privilege separation 6f266be3d8 wintun: ring buffers support baa1ce2ccf vcxproj: bump VS version to 2019 98bfd037e3 tun/win: factor out ClientConfig into separate header aeb5ce0ad7 wintun: open device with SetupAPI 3998d303ce Finalizing the OpenVPN 3 Core library 3.3 release 728733aee7 deps/mbedtls: rebase "enable unsupported critical extensions" patch 43e36ca45a lib-version: update to mbedtls-2.7.11 4dbcd85e50 openssl/cipher.hpp: add missing include <compat.hpp> 69d72ed64f DCOTransport: Fix server side specific trunk handling ff732e3b5d Fix OpenVPN Core build with OpenSSL 1.1.0 0da42f393f Do not use deprecated OpenSSL 1.1.0 methods 35062c0b60 travis.yml: update environment 47046cf6d2 Merge branch 'qa' 6933c395a4 [OVPN3-423] cliconnect.hpp: fix reconnect on Windows after sleep 462c36c813 random_subnet(): added comment ac1d447156 IP::Addr::from_byte_string(): fixed bug for IPv6 case d6eaea3468 string::split(): minor implementation tweaks ca15b7cdf4 hexstr: added dump_hex() variant accepting void * 0e61a2afd7 SessionIDType::find_weak: added conflict parameter 089aec00b1 DCOTransport: new routing code for trunk links 5befbd430f build: added CAP=1 -- build with libcap eb85ada21e signals: added trivial signal_name() function f89013ef92 RunContext: don't try to catch SIGQUIT by default e0ee540135 SessionIDType: added hash() method f0e1f8aa42 logging: added basic components for logrotate fbb0c81f29 UMask: added UMaskDaemon, a umask context object appropriate for daemons 1c7bac90d9 build script: when building with DEBUG=1 on Linux, use -ggdb instead of -g 73cce80e43 OpenSSL: added openssl_reseed_rng() function 25780cf798 OpenSSL: fixed some memory leaks in CipherContextGCM and TokenEncrypt 168dba95f5 OpenSSL: define OPENSSL_SERVER_SNI when OpenSSL version is at least 1.1 84e78d8fed SNI: added OpenVPN client support for SNI (currently OpenSSL only) 310766b270 build: added MTLS_DIST setting 4eaa46a879 MbedTLS: added MBEDTLS_DISABLE_NAME_CONSTRAINTS preprocessor flag 16226d1b05 OpenSSLSign: updated for OpenSSL 1.1 aed0678c96 SSL: added SNI::Metadata, an abstract base class for packaging app-specific SNI metadata in AuthCert 001b731fe2 SNI: create SNI namespace and rename SNIHandlerBase -> SNI::HandlerBase 4bd5869305 README.rst: Make Windows-specific build steps up to date. ac365ee977 wintun: support for 0.4 9245056a2a wintun: support for 0.3 b73d484950 mbedtls: throw exception on unsupported SSL:Const::PEER_CERT_OPTIONAL option 1d6bae4b5b tcplinkcommon: bubble up real exception error c18c8bd156 tcpcli: ensure SSL Factory survives as long as TLS link 4192193087 tls: parse and load TLS specific CA 2a19b7fcff win/tuncli.hpp: fix Wintun padding calculation 44cb9f44da appveyor: make ReleaseOpenSSL default configuration 5485de19a2 win/impersonate: refactor impersonate logic 29a655147b win/tunsetup.hpp: remove unneeded parameter 61794b0efd win: link OpenSSL dynamically e569b84465 win/tuncli.hpp: fix indentation 374c57e708 frame_init.hpp: tweak wintun read buf size c3c45c9b38 tun: added Error::TUN_HALT for tun_error() signaling acd7af5e9a RandomAPI: added randrange32() method c1a7f8cc68 std::clamp() is useful but only available in C++17 and up, so we add our own clamp() f8c71ef1ce Minor change to Error::INACTIVE_TIMEOUT handler 3202ab5fce OpenSSLSign: renamed OpenSSLPKI::X509Base to OpenSSLPKI::X509 to conform to changes in OpenSSLPKI 8d767febb5 ReachabilityBase: added virtual destructor 6a4826965f MbedTLS: update json_override() prototype bee0d8d187 SSL: added SSLConst::SEND_CLIENT_CA_LIST server-side flag and implemented for OpenSSL 5eb39c1dea AuthCert: save the SNI name 3b34449d0e SSLAPI: auth_cert() can now be const a672e91631 SNI server-side: support additional JSON configuration settings 95e761f3cc OpenSSL PKI cleanup d5eb77c53c AuthCert::Fail cleanup 6e98b9aadc SSLAPI: move PKType from SSLConfigAPI into standalone header to avoid dependency inversion bbae814864 OpenSSL: added SNI implementation 5def1d23ab OpenSSLContext: in constructor, removed redundant if statement 1a0747e783 OpenSSLContext: in constructor, consolidate sslopt fixed flags eef9868816 OpenSSLContext::SSL::ssl_handshake_details(): include leaf-cert CN in details f9631cd90f AuthCert::Fail: use std::string for the reason string (instead of const char *) a17b77641f OpenSSLPKI::X509: copy constructor doesn't need erase() and define X509::Ptr 78cae5bb52 OpenSSLPKI::DH: copy constructor doesn't need erase() c0d43a4153 RCPtr: added static_pointer_cast() method 34a3f264f5 [OVPN-314] Add support for signalling SSO support via IV_SSO 7d112eb3e5 cli: enable utf8 console output 980ef1eff8 win/call.hpp: re-encode command output to utf8 fddb440e99 unicode.hpp: customize utf16 conversion routine 4d7c12ac4d [OVPN3-405] Support for non-ASCII profile path on Windows git-subtree-dir: Sources/OpenVPNAdapter/Libraries/Vendors/openvpn git-subtree-split: 7db7a009b0b4eca0fc3733c99c50aff7f7c2556f
2026-04-24 00:00:05 +08:00 · 2019-10-12 15:50:02 +03:00
parent 5edb23a7ab
commit 8e87aecebf
124 changed files with 3202 additions and 1291 deletions
@@ -65,6 +65,23 @@ namespace openvpn {
 	}
    }

+    inline TLSWebType remote_cert_type(const std::string& ct)
+    {
+      if (ct == "server")
+	return TLS_WEB_SERVER;
+      else if (ct == "client")
+	return TLS_WEB_CLIENT;
+      else
+	throw option_error("remote-cert-tls must be 'client' or 'server'");
+    }
+
+    inline void remote_cert_tls(const std::string& ct,
+				std::vector<unsigned int>& ku,
+				std::string& eku)
+    {
+      remote_cert_tls(remote_cert_type(ct), ku, eku);
+    }
+
    inline void remote_cert_tls(const OptionList& opt,
 				const std::string& relay_prefix,
 				std::vector<unsigned int>& ku,
@@ -75,12 +92,7 @@ namespace openvpn {
      if (o)
 	{
 	  const std::string ct = o->get_optional(1, 16);
-	  if (ct == "server")
-	    wt = TLS_WEB_SERVER;
-	  else if (ct == "client")
-	    wt = TLS_WEB_CLIENT;
-	  else
-	    throw option_error("remote-cert-tls must be 'client' or 'server'");	      
+	  wt = remote_cert_type(ct);
 	}
      remote_cert_tls(wt, ku, eku);
    }
@@ -38,17 +38,23 @@ namespace openvpn {
      SERVER
    };

-    inline Type ns_cert_type(const OptionList& opt, const std::string& relay_prefix) {
+    inline Type ns_cert_type(const std::string& ct)
+    {
+      if (ct == "server")
+	return SERVER;
+      else if (ct == "client")
+	return CLIENT;
+      else
+	throw option_error("ns-cert-type must be 'client' or 'server'");
+    }
+
+    inline Type ns_cert_type(const OptionList& opt, const std::string& relay_prefix)
+    {
      const Option* o = opt.get_ptr(relay_prefix + "ns-cert-type");
      if (o)
 	{
 	  const std::string ct = o->get_optional(1, 16);
-	  if (ct == "server")
-	    return SERVER;
-	  else if (ct == "client")
-	    return CLIENT;
-	  else
-	    throw option_error("ns-cert-type must be 'client' or 'server'");
+	  return ns_cert_type(ct);
 	}
      return NONE;
    }
@@ -334,9 +334,6 @@ namespace openvpn {
      // extra peer info key/value pairs generated by client app
      PeerInfo::Set::Ptr extra_peer_info;

-      // GUI version, passed to server as IV_GUI_VER
-      std::string gui_version;
-
      // op header
      bool enable_op32 = false;
      int remote_peer_id = -1; // -1 to disable
@@ -627,7 +624,12 @@ namespace openvpn {
 		      // server pushes compression but client has compression disabled
 		      // degrade to asymmetric compression (downlink only)
 		      comp_ctx = CompressContext(meth, true);
-		      OPENVPN_LOG("Server has pushed compressor " << comp_ctx.str() << ", but client has disabled compression, switching to asymmetric");
+		      if (!comp_ctx.is_any_stub(meth))
+		        {
+			  OPENVPN_LOG("Server has pushed compressor "
+				      << comp_ctx.str()
+			              << ", but client has disabled compression, switching to asymmetric");
+		        }
 		    }
 		}
 	    }
@@ -803,8 +805,6 @@ namespace openvpn {
 	std::ostringstream out;
 	const char *compstr = nullptr;

-	if (!gui_version.empty())
-	  out << "IV_GUI_VER=" << gui_version << '\n';
 	out << "IV_VER=" << OPENVPN_VERSION << '\n';
 	out << "IV_PLAT=" << platform_name() << '\n';
 	if (!force_aes_cbc_ciphersuites)
@@ -3491,8 +3491,8 @@ namespace openvpn {
    bool is_client() const { return mode_.is_client(); }

    // tcp/udp mode
-    const bool is_tcp() { return config->protocol.is_tcp(); }
-    const bool is_udp() { return config->protocol.is_udp(); }
+    bool is_tcp() { return config->protocol.is_tcp(); }
+    bool is_udp() { return config->protocol.is_udp(); }

    // configuration
    const Config& conf() const { return *config; }
@@ -0,0 +1,52 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2019 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+#include <string>
+#include <memory>
+
+#include <openvpn/ssl/sslapi.hpp>
+#include <openvpn/ssl/sni_metadata.hpp>
+
+namespace openvpn {
+  namespace SNI {
+
+    // Abstract base class used to provide an SNI handler
+    class HandlerBase
+    {
+    public:
+      typedef std::unique_ptr<HandlerBase> UPtr;
+
+      // Return a new SSLFactoryAPI for this SNI name.
+      // Implementation may also set sni_metadata.
+      // Return SSLFactoryAPI::Ptr() if sni_name is not recognized.
+      // The caller guarantees that sni_name is valid UTF-8 and
+      // doesn't contain any control characters.
+      virtual SSLFactoryAPI::Ptr sni_hello(const std::string& sni_name,
+					   SNI::Metadata::UPtr& sni_metadata,
+					   SSLConfigAPI::Ptr default_factory) const = 0;
+
+      virtual ~HandlerBase() {}
+    };
+
+  }
+}
@@ -0,0 +1,44 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2019 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+#include <string>
+#include <memory>
+
+namespace openvpn {
+
+  class AuthCert;
+
+  namespace SNI {
+
+    class Metadata
+    {
+    public:
+      typedef std::unique_ptr<Metadata> UPtr;
+
+      virtual std::string sni_client_name(const AuthCert& ac) const = 0;
+
+      virtual ~Metadata() = default;
+    };
+
+  }
+}
@@ -32,10 +32,12 @@
 #include <openvpn/common/rc.hpp>
 #include <openvpn/common/options.hpp>
 #include <openvpn/common/mode.hpp>
+#include <openvpn/common/jsonlib.hpp>
 #include <openvpn/buffer/buffer.hpp>
 #include <openvpn/frame/frame.hpp>
 #include <openvpn/auth/authcert.hpp>
 #include <openvpn/pki/epkibase.hpp>
+#include <openvpn/pki/pktype.hpp>
 #include <openvpn/ssl/kuparse.hpp>
 #include <openvpn/ssl/nscert.hpp>
 #include <openvpn/ssl/tlsver.hpp>
@@ -46,6 +48,10 @@

 namespace openvpn {

+  namespace SNI {
+    class HandlerBase;
+  }
+
  class SSLAPI : public RC<thread_unsafe_refcount>
  {
  public:
@@ -67,7 +73,7 @@ namespace openvpn {
    virtual BufferPtr read_ciphertext() = 0;
    virtual std::string ssl_handshake_details() const = 0;
    virtual bool did_full_handshake() = 0;
-    virtual const AuthCert::Ptr& auth_cert() = 0;
+    virtual const AuthCert::Ptr& auth_cert() const = 0;
    virtual void mark_no_cache() = 0; // prevent caching of client-side session (only meaningful when client_session_tickets is enabled)
    uint32_t get_tls_warnings() const
    {
@@ -103,15 +109,6 @@ namespace openvpn {
  public:
    typedef RCPtr<SSLConfigAPI> Ptr;

-    enum PKType {
-      PK_UNKNOWN = 0,
-      PK_NONE,
-      PK_DSA,
-      PK_RSA,
-      PK_EC,
-      PK_ECDSA,
-    };
-
    enum LoadFlags {
      LF_PARSE_MODE                     = (1<<0),
      LF_ALLOW_CLIENT_CERT_NOT_REQUIRED = (1<<1),
@@ -121,21 +118,21 @@ namespace openvpn {

    std::string private_key_type_string() const
    {
-      PKType type = private_key_type();
+      PKType::Type type = private_key_type();

      switch (type)
      {
-      case PK_NONE:
+      case PKType::PK_NONE:
 	return "None";
-      case PK_DSA:
+      case PKType::PK_DSA:
 	return "DSA";
-      case PK_RSA:
+      case PKType::PK_RSA:
 	return "RSA";
-      case PK_EC:
+      case PKType::PK_EC:
 	return "EC";
-      case PK_ECDSA:
+      case PKType::PK_ECDSA:
 	return "ECDSA";
-      case PK_UNKNOWN:
+      case PKType::PK_UNKNOWN:
      default:
 	return "Unknown";
      }
@@ -146,6 +143,8 @@ namespace openvpn {
    virtual void set_external_pki_callback(ExternalPKIBase* external_pki_arg) = 0; // private key alternative
    virtual void set_session_ticket_handler(TLSSessionTicketBase* session_ticket_handler) = 0; // server side
    virtual void set_client_session_tickets(const bool v) = 0; // client side
+    virtual void set_sni_handler(SNI::HandlerBase* sni_handler) = 0; // server side
+    virtual void set_sni_name(const std::string& sni_name_arg) = 0; // client side
    virtual void set_private_key_password(const std::string& pwd) = 0;
    virtual void load_ca(const std::string& ca_txt, bool strict) = 0;
    virtual void load_crl(const std::string& crl_txt) = 0;
@@ -159,7 +158,7 @@ namespace openvpn {
    virtual std::vector<std::string> extract_extra_certs() const = 0;
    virtual std::string extract_private_key() const = 0;
    virtual std::string extract_dh() const = 0;
-    virtual PKType private_key_type() const = 0;
+    virtual PKType::Type private_key_type() const = 0;
    virtual size_t private_key_length() const = 0;
    virtual void set_frame(const Frame::Ptr& frame_arg) = 0;
    virtual void set_debug_level(const int debug_level) = 0;
@@ -177,6 +176,10 @@ namespace openvpn {
    virtual void set_rng(const RandomAPI::Ptr& rng_arg) = 0;
    virtual void load(const OptionList& opt, const unsigned int lflags) = 0;

+#ifdef HAVE_JSON
+    virtual SSLConfigAPI::Ptr json_override(const Json::Value& root, const bool load_cert_key) const = 0;
+#endif
+
    virtual std::string validate_cert(const std::string& cert_txt) const = 0;
    virtual std::string validate_cert_list(const std::string& certs_txt) const = 0;
    virtual std::string validate_crl(const std::string& crl_txt) const = 0;
@@ -185,6 +188,15 @@ namespace openvpn {

    virtual SSLFactoryAPI::Ptr new_factory() = 0;
  };
+
+  /**
+   * Reports a human readable string of the SSL library in use and its version.
+   * E.g. mbed TLS 1.2.4
+   *
+   * @return a human readable SSL library version string
+   */
+  inline const std::string get_ssl_library_version();
+
 }

 #endif
@@ -41,7 +41,7 @@
 #include <openvpn/mbedtls/crypto/api.hpp>
 #include <openvpn/mbedtls/ssl/sslctx.hpp>
 #include <openvpn/mbedtls/util/rand.hpp>
-#ifdef HAVE_OPENVPN_COMMON
+#if defined(HAVE_OPENVPN_COMMON) && !defined(MBEDTLS_DISABLE_NAME_CONSTRAINTS)
 #include <openvpn/mbedtls/ssl/sslctxnc.hpp>
 #endif
 #ifdef OPENVPN_PLATFORM_UWP
@@ -61,7 +61,7 @@ namespace openvpn {
 #if defined(USE_MBEDTLS)
 #define SSL_LIB_NAME "MbedTLS"
    typedef MbedTLSCryptoAPI CryptoAPI;
-    #ifdef HAVE_OPENVPN_COMMON
+    #if defined(HAVE_OPENVPN_COMMON) && !defined(MBEDTLS_DISABLE_NAME_CONSTRAINTS)
      typedef MbedTLSContextNameConstraints SSLAPI;
    #else
      typedef MbedTLSContext SSLAPI;
@@ -44,25 +44,33 @@ namespace openvpn {
      // Disable peer verification
      NO_VERIFY_PEER=(1<<1),

-      // Enable SNI (Server Name Indication) when hostname is provided
-      ENABLE_SNI=(1<<2),
+      // [client only] Enable client-side SNI (Server Name Indication)
+      // when hostname is provided
+      ENABLE_CLIENT_SNI=(1<<2),
+
+      // [client only] Don't require that the hostname matches
+      // the common name in the certificate.
+      NO_VERIFY_HOSTNAME=(1<<3),

      // [server only] Don't automatically fail connections on
      // bad peer cert.  Succeed the connection, but pass the
      // fail status data via AuthCert so the higher layers
      // can handle it.
-      DEFERRED_CERT_VERIFY=(1<<3),
+      DEFERRED_CERT_VERIFY=(1<<4),

      // [server only] When running as a server, require that
      // clients that connect to us have their certificate
      // purpose set to server.
-      SERVER_TO_SERVER=(1<<4),
+      SERVER_TO_SERVER=(1<<5),

      // Peer certificate is optional
-      PEER_CERT_OPTIONAL=(1<<5),
+      PEER_CERT_OPTIONAL=(1<<6),
+
+      // [server only] Send a list of client CAs to the client
+      SEND_CLIENT_CA_LIST=(1<<7),

      // last flag marker
-      LAST=(1<<6),
+      LAST=(1<<8)
    };

    // filter all but SSL flags