1/*
2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12#ifndef OPENSSL_SSL_H
13# define OPENSSL_SSL_H
14# pragma once
15
16# include <openssl/macros.h>
17# ifndef OPENSSL_NO_DEPRECATED_3_0
18# define HEADER_SSL_H
19# endif
20
21# include <openssl/e_os2.h>
22# include <openssl/opensslconf.h>
23# include <openssl/comp.h>
24# include <openssl/bio.h>
25# ifndef OPENSSL_NO_DEPRECATED_1_1_0
26# include <openssl/x509.h>
27# include <openssl/crypto.h>
28# include <openssl/buffer.h>
29# endif
30# include <openssl/lhash.h>
31# include <openssl/pem.h>
32# include <openssl/hmac.h>
33# include <openssl/async.h>
34
35# include <openssl/safestack.h>
36# include <openssl/symhacks.h>
37# include <openssl/ct.h>
38# include <openssl/sslerr.h>
39
40#ifdef __cplusplus
41extern "C" {
42#endif
43
44/* OpenSSL version number for ASN.1 encoding of the session information */
45/*-
46 * Version 0 - initial version
47 * Version 1 - added the optional peer certificate
48 */
49# define SSL_SESSION_ASN1_VERSION 0x0001
50
51# define SSL_MAX_SSL_SESSION_ID_LENGTH 32
52# define SSL_MAX_SID_CTX_LENGTH 32
53
54# define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
55# define SSL_MAX_KEY_ARG_LENGTH 8
56# define SSL_MAX_MASTER_KEY_LENGTH 48
57
58/* The maximum number of encrypt/decrypt pipelines we can support */
59# define SSL_MAX_PIPELINES 32
60
61/* text strings for the ciphers */
62
63/* These are used to specify which ciphers to use and not to use */
64
65# define SSL_TXT_LOW "LOW"
66# define SSL_TXT_MEDIUM "MEDIUM"
67# define SSL_TXT_HIGH "HIGH"
68# define SSL_TXT_FIPS "FIPS"
69
70# define SSL_TXT_aNULL "aNULL"
71# define SSL_TXT_eNULL "eNULL"
72# define SSL_TXT_NULL "NULL"
73
74# define SSL_TXT_kRSA "kRSA"
75# define SSL_TXT_kDHr "kDHr"/* this cipher class has been removed */
76# define SSL_TXT_kDHd "kDHd"/* this cipher class has been removed */
77# define SSL_TXT_kDH "kDH"/* this cipher class has been removed */
78# define SSL_TXT_kEDH "kEDH"/* alias for kDHE */
79# define SSL_TXT_kDHE "kDHE"
80# define SSL_TXT_kECDHr "kECDHr"/* this cipher class has been removed */
81# define SSL_TXT_kECDHe "kECDHe"/* this cipher class has been removed */
82# define SSL_TXT_kECDH "kECDH"/* this cipher class has been removed */
83# define SSL_TXT_kEECDH "kEECDH"/* alias for kECDHE */
84# define SSL_TXT_kECDHE "kECDHE"
85# define SSL_TXT_kPSK "kPSK"
86# define SSL_TXT_kRSAPSK "kRSAPSK"
87# define SSL_TXT_kECDHEPSK "kECDHEPSK"
88# define SSL_TXT_kDHEPSK "kDHEPSK"
89# define SSL_TXT_kGOST "kGOST"
90# define SSL_TXT_kSRP "kSRP"
91
92# define SSL_TXT_aRSA "aRSA"
93# define SSL_TXT_aDSS "aDSS"
94# define SSL_TXT_aDH "aDH"/* this cipher class has been removed */
95# define SSL_TXT_aECDH "aECDH"/* this cipher class has been removed */
96# define SSL_TXT_aECDSA "aECDSA"
97# define SSL_TXT_aPSK "aPSK"
98# define SSL_TXT_aGOST94 "aGOST94"
99# define SSL_TXT_aGOST01 "aGOST01"
100# define SSL_TXT_aGOST12 "aGOST12"
101# define SSL_TXT_aGOST "aGOST"
102# define SSL_TXT_aSRP "aSRP"
103
104# define SSL_TXT_DSS "DSS"
105# define SSL_TXT_DH "DH"
106# define SSL_TXT_DHE "DHE"/* same as "kDHE:-ADH" */
107# define SSL_TXT_EDH "EDH"/* alias for DHE */
108# define SSL_TXT_ADH "ADH"
109# define SSL_TXT_RSA "RSA"
110# define SSL_TXT_ECDH "ECDH"
# define SSL_TXT_EECDH "EECDH" /* alias for ECDHE */
112# define SSL_TXT_ECDHE "ECDHE"/* same as "kECDHE:-AECDH" */
113# define SSL_TXT_AECDH "AECDH"
114# define SSL_TXT_ECDSA "ECDSA"
115# define SSL_TXT_PSK "PSK"
116# define SSL_TXT_SRP "SRP"
117
118# define SSL_TXT_DES "DES"
119# define SSL_TXT_3DES "3DES"
120# define SSL_TXT_RC4 "RC4"
121# define SSL_TXT_RC2 "RC2"
122# define SSL_TXT_IDEA "IDEA"
123# define SSL_TXT_SEED "SEED"
124# define SSL_TXT_AES128 "AES128"
125# define SSL_TXT_AES256 "AES256"
126# define SSL_TXT_AES "AES"
127# define SSL_TXT_AES_GCM "AESGCM"
128# define SSL_TXT_AES_CCM "AESCCM"
129# define SSL_TXT_AES_CCM_8 "AESCCM8"
130# define SSL_TXT_CAMELLIA128 "CAMELLIA128"
131# define SSL_TXT_CAMELLIA256 "CAMELLIA256"
132# define SSL_TXT_CAMELLIA "CAMELLIA"
133# define SSL_TXT_CHACHA20 "CHACHA20"
134# define SSL_TXT_GOST "GOST89"
135# define SSL_TXT_ARIA "ARIA"
136# define SSL_TXT_ARIA_GCM "ARIAGCM"
137# define SSL_TXT_ARIA128 "ARIA128"
138# define SSL_TXT_ARIA256 "ARIA256"
139
140# define SSL_TXT_MD5 "MD5"
141# define SSL_TXT_SHA1 "SHA1"
142# define SSL_TXT_SHA "SHA"/* same as "SHA1" */
143# define SSL_TXT_GOST94 "GOST94"
144# define SSL_TXT_GOST89MAC "GOST89MAC"
145# define SSL_TXT_GOST12 "GOST12"
146# define SSL_TXT_GOST89MAC12 "GOST89MAC12"
147# define SSL_TXT_SHA256 "SHA256"
148# define SSL_TXT_SHA384 "SHA384"
149
150# define SSL_TXT_SSLV3 "SSLv3"
151# define SSL_TXT_TLSV1 "TLSv1"
152# define SSL_TXT_TLSV1_1 "TLSv1.1"
153# define SSL_TXT_TLSV1_2 "TLSv1.2"
154
155# define SSL_TXT_ALL "ALL"
156
157/*-
158 * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
159 * ciphers normally not being used.
160 * Example: "RC4" will activate all ciphers using RC4 including ciphers
161 * without authentication, which would normally disabled by DEFAULT (due
162 * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
163 * will make sure that it is also disabled in the specific selection.
164 * COMPLEMENTOF* identifiers are portable between version, as adjustments
165 * to the default cipher setup will also be included here.
166 *
167 * COMPLEMENTOFDEFAULT does not experience the same special treatment that
168 * DEFAULT gets, as only selection is being done and no sorting as needed
169 * for DEFAULT.
170 */
171# define SSL_TXT_CMPALL "COMPLEMENTOFALL"
172# define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
173
174/*
175 * The following cipher list is used by default. It also is substituted when
176 * an application-defined cipher list string starts with 'DEFAULT'.
177 * This applies to ciphersuites for TLSv1.2 and below.
178 * DEPRECATED IN 3.0.0, in favor of OSSL_default_cipher_list()
179 * Update both macro and function simultaneously
180 */
181# ifndef OPENSSL_NO_DEPRECATED_3_0
182# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
183/*
184 * This is the default set of TLSv1.3 ciphersuites
185 * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
186 * Update both macro and function simultaneously
187 */
188# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
189# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
190 "TLS_CHACHA20_POLY1305_SHA256:" \
191 "TLS_AES_128_GCM_SHA256"
192# else
193# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
194 "TLS_AES_128_GCM_SHA256"
195# endif
196# endif
197/*
198 * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
199 * starts with a reasonable order, and all we have to do for DEFAULT is
200 * throwing out anonymous and unencrypted ciphersuites! (The latter are not
201 * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
202 */
203
204/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
205# define SSL_SENT_SHUTDOWN 1
206# define SSL_RECEIVED_SHUTDOWN 2
207
208#ifdef __cplusplus
209}
210#endif
211
212#ifdef __cplusplus
213extern "C" {
214#endif
215
216# define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
217# define SSL_FILETYPE_PEM X509_FILETYPE_PEM
218
219/*
220 * This is needed to stop compilers complaining about the 'struct ssl_st *'
221 * function parameters used to prototype callbacks in SSL_CTX.
222 */
223typedef struct ssl_st *ssl_crock_st;
224typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
225typedef struct ssl_method_st SSL_METHOD;
226typedef struct ssl_cipher_st SSL_CIPHER;
227typedef struct ssl_session_st SSL_SESSION;
228typedef struct tls_sigalgs_st TLS_SIGALGS;
229typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
230typedef struct ssl_comp_st SSL_COMP;
231
232STACK_OF(SSL_CIPHER);
233STACK_OF(SSL_COMP);
234
235/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
/*
 * One SRTP protection profile as negotiated through the use_srtp extension
 * (RFC 5764).
 */
typedef struct srtp_protection_profile_st {
    const char *name;   /* human-readable profile name */
    unsigned long id;   /* numeric profile identifier (see RFC 5764) */
} SRTP_PROTECTION_PROFILE;
240
241DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
242
243typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
244 int len, void *arg);
245typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
246 STACK_OF(SSL_CIPHER) *peer_ciphers,
247 const SSL_CIPHER **cipher, void *arg);
248
249/* Extension context codes */
250/* This extension is only allowed in TLS */
251#define SSL_EXT_TLS_ONLY 0x0001
252/* This extension is only allowed in DTLS */
253#define SSL_EXT_DTLS_ONLY 0x0002
254/* Some extensions may be allowed in DTLS but we don't implement them for it */
255#define SSL_EXT_TLS_IMPLEMENTATION_ONLY 0x0004
256/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
257#define SSL_EXT_SSL3_ALLOWED 0x0008
258/* Extension is only defined for TLS1.2 and below */
259#define SSL_EXT_TLS1_2_AND_BELOW_ONLY 0x0010
260/* Extension is only defined for TLS1.3 and above */
261#define SSL_EXT_TLS1_3_ONLY 0x0020
262/* Ignore this extension during parsing if we are resuming */
263#define SSL_EXT_IGNORE_ON_RESUMPTION 0x0040
264#define SSL_EXT_CLIENT_HELLO 0x0080
265/* Really means TLS1.2 or below */
266#define SSL_EXT_TLS1_2_SERVER_HELLO 0x0100
267#define SSL_EXT_TLS1_3_SERVER_HELLO 0x0200
268#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 0x0400
269#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 0x0800
270#define SSL_EXT_TLS1_3_CERTIFICATE 0x1000
271#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET 0x2000
272#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 0x4000
273
274/* Typedefs for handling custom extensions */
275
276typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type,
277 const unsigned char **out, size_t *outlen,
278 int *al, void *add_arg);
279
280typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type,
281 const unsigned char *out, void *add_arg);
282
283typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type,
284 const unsigned char *in, size_t inlen,
285 int *al, void *parse_arg);
286
287
288typedef int (*SSL_custom_ext_add_cb_ex)(SSL *s, unsigned int ext_type,
289 unsigned int context,
290 const unsigned char **out,
291 size_t *outlen, X509 *x,
292 size_t chainidx,
293 int *al, void *add_arg);
294
295typedef void (*SSL_custom_ext_free_cb_ex)(SSL *s, unsigned int ext_type,
296 unsigned int context,
297 const unsigned char *out,
298 void *add_arg);
299
300typedef int (*SSL_custom_ext_parse_cb_ex)(SSL *s, unsigned int ext_type,
301 unsigned int context,
302 const unsigned char *in,
303 size_t inlen, X509 *x,
304 size_t chainidx,
305 int *al, void *parse_arg);
306
307/* Typedef for verification callback */
308typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
309
310/* Typedef for SSL async callback */
311typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
312
313/*
314 * Some values are reserved until OpenSSL 3.0.0 because they were previously
315 * included in SSL_OP_ALL in a 1.1.x release.
316 */
317
/*
 * Disable the Extended Master Secret extension. The extension binds the
 * master secret to the full handshake (RFC 7627); leave it enabled unless a
 * peer cannot negotiate it, since clearing it weakens the protection given
 * to resumed and renegotiated sessions.
 */
319# define SSL_OP_NO_EXTENDED_MASTER_SECRET 0x00000001U
320
321/* Reserved value (until OpenSSL 3.0.0) 0x00000002U */
322
/*
 * Allow an initial connection to servers that don't support the
 * renegotiation_info (RI) extension. Renegotiation with such a server is
 * still refused unless SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is also set.
 * This option is part of SSL_OP_ALL below.
 */
324# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
325
326/* Reserved value (until OpenSSL 3.0.0) 0x00000008U */
327# define SSL_OP_TLSEXT_PADDING 0x00000010U
328/* Reserved value (until OpenSSL 3.0.0) 0x00000020U */
329# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
330/*
331 * Reserved value (until OpenSSL 3.0.0) 0x00000080U
332 * Reserved value (until OpenSSL 3.0.0) 0x00000100U
333 * Reserved value (until OpenSSL 3.0.0) 0x00000200U
334 */
335
/*
 * In TLSv1.3 allow a non-(EC)DHE based key exchange mode (psk_ke) when
 * resuming with a PSK. Without a fresh (EC)DHE exchange the resumed
 * connection's keys are derived from the PSK alone, so that connection has
 * no forward secrecy against a later compromise of the PSK.
 */
337# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000400U
338
339/*
340 * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
341 * OpenSSL 0.9.6d. Usually (depending on the application protocol) the
342 * workaround is not needed. Unfortunately some broken SSL/TLS
343 * implementations cannot handle it at all, which is why we include it in
344 * SSL_OP_ALL. Added in 0.9.6e
345 */
346# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800U
347
348/* DTLS options */
349# define SSL_OP_NO_QUERY_MTU 0x00001000U
/* Turn on Cookie Exchange (only relevant for servers) */
351# define SSL_OP_COOKIE_EXCHANGE 0x00002000U
352/* Don't use RFC4507 ticket extension */
353# define SSL_OP_NO_TICKET 0x00004000U
354# ifndef OPENSSL_NO_DTLS1_METHOD
355/* Use Cisco's "speshul" version of DTLS_BAD_VER
356 * (only with deprecated DTLSv1_client_method()) */
357# define SSL_OP_CISCO_ANYCONNECT 0x00008000U
358# endif
359
360/* As server, disallow session resumption on renegotiation */
361# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000U
362/* Don't use compression even if supported */
363# define SSL_OP_NO_COMPRESSION 0x00020000U
/*
 * Permit unsafe legacy renegotiation, i.e. renegotiation with a peer that
 * does not support the renegotiation_info (RI) extension. This re-opens the
 * man-in-the-middle prefix-injection weakness that RI was introduced to
 * close; set it only for interoperability with peers that cannot be upgraded.
 */
365# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
366/* Disable encrypt-then-mac */
367# define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U
368
369/*
370 * Enable TLSv1.3 Compatibility mode. This is on by default. A future version
371 * of OpenSSL may have this disabled by default.
372 */
373# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0x00100000U
374
375/* Prioritize Chacha20Poly1305 when client does.
376 * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE */
377# define SSL_OP_PRIORITIZE_CHACHA 0x00200000U
378
379/*
380 * Set on servers to choose the cipher according to the server's preferences
381 */
382# define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000U
383/*
384 * If set, a server will allow a client to issue a SSLv3.0 version number as
385 * latest version supported in the premaster secret, even when TLSv1.0
386 * (version 3.1) was announced in the client hello. Normally this is
387 * forbidden to prevent version rollback attacks.
388 */
389# define SSL_OP_TLS_ROLLBACK_BUG 0x00800000U
390
391/*
392 * Switches off automatic TLSv1.3 anti-replay protection for early data. This
393 * is a server-side option only (no effect on the client).
394 */
395# define SSL_OP_NO_ANTI_REPLAY 0x01000000U
396
397# define SSL_OP_NO_SSLv3 0x02000000U
398# define SSL_OP_NO_TLSv1 0x04000000U
399# define SSL_OP_NO_TLSv1_2 0x08000000U
400# define SSL_OP_NO_TLSv1_1 0x10000000U
401# define SSL_OP_NO_TLSv1_3 0x20000000U
402
403# define SSL_OP_NO_DTLSv1 0x04000000U
404# define SSL_OP_NO_DTLSv1_2 0x08000000U
405
406# define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
407 SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)
408# define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
409
410/* Disallow all renegotiation */
411# define SSL_OP_NO_RENEGOTIATION 0x40000000U
412
413/*
414 * Make server add server-hello extension from early version of cryptopro
415 * draft, when GOST ciphersuite is negotiated. Required for interoperability
416 * with CryptoPro CSP 3.x
417 */
418# define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000U
419
420/*
421 * SSL_OP_ALL: various bug workarounds that should be rather harmless.
422 * This used to be 0x000FFFFFL before 0.9.7.
423 * This used to be 0x80000BFFU before 1.1.1.
424 */
425# define SSL_OP_ALL (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\
426 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\
427 SSL_OP_LEGACY_SERVER_CONNECT|\
428 SSL_OP_TLSEXT_PADDING|\
429 SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
430
431/* OBSOLETE OPTIONS: retained for compatibility */
432
433/* Removed from OpenSSL 1.1.0. Was 0x00000001L */
434/* Related to removed SSLv2. */
435# define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0
436/* Removed from OpenSSL 1.1.0. Was 0x00000002L */
437/* Related to removed SSLv2. */
438# define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0
439/* Removed from OpenSSL 0.9.8q and 1.0.0c. Was 0x00000008L */
440/* Dead forever, see CVE-2010-4180 */
441# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0
442/* Removed from OpenSSL 1.0.1h and 1.0.2. Was 0x00000010L */
443/* Refers to ancient SSLREF and SSLv2. */
444# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
445/* Removed from OpenSSL 1.1.0. Was 0x00000020 */
446# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0
447/* Removed from OpenSSL 0.9.7h and 0.9.8b. Was 0x00000040L */
448# define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
449/* Removed from OpenSSL 1.1.0. Was 0x00000080 */
450/* Ancient SSLeay version. */
451# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
452/* Removed from OpenSSL 1.1.0. Was 0x00000100L */
453# define SSL_OP_TLS_D5_BUG 0x0
454/* Removed from OpenSSL 1.1.0. Was 0x00000200L */
455# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0
456/* Removed from OpenSSL 1.1.0. Was 0x00080000L */
457# define SSL_OP_SINGLE_ECDH_USE 0x0
458/* Removed from OpenSSL 1.1.0. Was 0x00100000L */
459# define SSL_OP_SINGLE_DH_USE 0x0
460/* Removed from OpenSSL 1.0.1k and 1.0.2. Was 0x00200000L */
461# define SSL_OP_EPHEMERAL_RSA 0x0
462/* Removed from OpenSSL 1.1.0. Was 0x01000000L */
463# define SSL_OP_NO_SSLv2 0x0
464/* Removed from OpenSSL 1.0.1. Was 0x08000000L */
465# define SSL_OP_PKCS1_CHECK_1 0x0
466/* Removed from OpenSSL 1.0.1. Was 0x10000000L */
467# define SSL_OP_PKCS1_CHECK_2 0x0
468/* Removed from OpenSSL 1.1.0. Was 0x20000000L */
469# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
470/* Removed from OpenSSL 1.1.0. Was 0x40000000L */
471# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0
472
473/*
474 * Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
475 * when just a single record has been written):
476 */
477# define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001U
478/*
479 * Make it possible to retry SSL_write() with changed buffer location (buffer
480 * contents must stay the same!); this is not the default to avoid the
481 * misconception that non-blocking SSL_write() behaves like non-blocking
482 * write():
483 */
484# define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002U
485/*
486 * Never bother the application with retries if the transport is blocking:
487 */
488# define SSL_MODE_AUTO_RETRY 0x00000004U
489/* Don't attempt to automatically build certificate chain */
490# define SSL_MODE_NO_AUTO_CHAIN 0x00000008U
491/*
492 * Save RAM by releasing read and write buffers when they're empty. (SSL3 and
493 * TLS only.) Released buffers are freed.
494 */
495# define SSL_MODE_RELEASE_BUFFERS 0x00000010U
496/*
497 * Send the current time in the Random fields of the ClientHello and
498 * ServerHello records for compatibility with hypothetical implementations
499 * that require it.
500 */
501# define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020U
502# define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040U
503/*
504 * Send TLS_FALLBACK_SCSV in the ClientHello. To be set only by applications
505 * that reconnect with a downgraded protocol version; see
506 * draft-ietf-tls-downgrade-scsv-00 for details. DO NOT ENABLE THIS if your
507 * application attempts a normal handshake. Only use this in explicit
508 * fallback retries, following the guidance in
509 * draft-ietf-tls-downgrade-scsv-00.
510 */
511# define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080U
512/*
513 * Support Asynchronous operation
514 */
515# define SSL_MODE_ASYNC 0x00000100U
516/*
517 * Don't use the kernel TLS data-path for sending.
518 */
519# define SSL_MODE_NO_KTLS_TX 0x00000200U
520/*
521 * When using DTLS/SCTP, include the terminating zero in the label
522 * used for computing the endpoint-pair shared secret. Required for
523 * interoperability with implementations having this bug like these
524 * older version of OpenSSL:
525 * - OpenSSL 1.0.0 series
526 * - OpenSSL 1.0.1 series
527 * - OpenSSL 1.0.2 series
528 * - OpenSSL 1.1.0 series
529 * - OpenSSL 1.1.1 and 1.1.1a
530 */
531# define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U
532/*
533 * Don't use the kernel TLS data-path for receiving.
534 */
535# define SSL_MODE_NO_KTLS_RX 0x00000800U
536
537/* Cert related flags */
538/*
539 * Many implementations ignore some aspects of the TLS standards such as
540 * enforcing certificate chain algorithms. When this is set we enforce them.
541 */
542# define SSL_CERT_FLAG_TLS_STRICT 0x00000001U
543
/* Suite B modes; these take the same values as the certificate verify flags */
545# define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY 0x10000
546/* Suite B 192 bit only mode */
547# define SSL_CERT_FLAG_SUITEB_192_LOS 0x20000
548/* Suite B 128 bit mode allowing 192 bit algorithms */
549# define SSL_CERT_FLAG_SUITEB_128_LOS 0x30000
550
551/* Perform all sorts of protocol violations for testing purposes */
552# define SSL_CERT_FLAG_BROKEN_PROTOCOL 0x10000000
553
554/* Flags for building certificate chains */
555/* Treat any existing certificates as untrusted CAs */
556# define SSL_BUILD_CHAIN_FLAG_UNTRUSTED 0x1
557/* Don't include root CA in chain */
558# define SSL_BUILD_CHAIN_FLAG_NO_ROOT 0x2
559/* Just check certificates already there */
560# define SSL_BUILD_CHAIN_FLAG_CHECK 0x4
561/* Ignore verification errors */
562# define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8
563/* Clear verification errors from queue */
564# define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
565
566/* Flags returned by SSL_check_chain */
567/* Certificate can be used with this session */
568# define CERT_PKEY_VALID 0x1
569/* Certificate can also be used for signing */
570# define CERT_PKEY_SIGN 0x2
571/* EE certificate signing algorithm OK */
572# define CERT_PKEY_EE_SIGNATURE 0x10
573/* CA signature algorithms OK */
574# define CERT_PKEY_CA_SIGNATURE 0x20
575/* EE certificate parameters OK */
576# define CERT_PKEY_EE_PARAM 0x40
577/* CA certificate parameters OK */
578# define CERT_PKEY_CA_PARAM 0x80
579/* Signing explicitly allowed as opposed to SHA1 fallback */
580# define CERT_PKEY_EXPLICIT_SIGN 0x100
581/* Client CA issuer names match (always set for server cert) */
582# define CERT_PKEY_ISSUER_NAME 0x200
583/* Cert type matches client types (always set for server cert) */
584# define CERT_PKEY_CERT_TYPE 0x400
585/* Cert chain suitable to Suite B */
586# define CERT_PKEY_SUITEB 0x800
587
588# define SSL_CONF_FLAG_CMDLINE 0x1
589# define SSL_CONF_FLAG_FILE 0x2
590# define SSL_CONF_FLAG_CLIENT 0x4
591# define SSL_CONF_FLAG_SERVER 0x8
592# define SSL_CONF_FLAG_SHOW_ERRORS 0x10
593# define SSL_CONF_FLAG_CERTIFICATE 0x20
594# define SSL_CONF_FLAG_REQUIRE_PRIVATE 0x40
595/* Configuration value types */
596# define SSL_CONF_TYPE_UNKNOWN 0x0
597# define SSL_CONF_TYPE_STRING 0x1
598# define SSL_CONF_TYPE_FILE 0x2
599# define SSL_CONF_TYPE_DIR 0x3
600# define SSL_CONF_TYPE_NONE 0x4
601# define SSL_CONF_TYPE_STORE 0x5
602
/* Maximum length of the application-controlled segment of a TLSv1.3 cookie */
604# define SSL_COOKIE_LENGTH 4096
605
606/*
607 * Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they
608 * cannot be used to clear bits.
609 */
610
611unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
612unsigned long SSL_get_options(const SSL *s);
613unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
614unsigned long SSL_clear_options(SSL *s, unsigned long op);
615unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
616unsigned long SSL_set_options(SSL *s, unsigned long op);
617
618# define SSL_CTX_set_mode(ctx,op) \
619 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
620# define SSL_CTX_clear_mode(ctx,op) \
621 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
622# define SSL_CTX_get_mode(ctx) \
623 SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
624# define SSL_clear_mode(ssl,op) \
625 SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
626# define SSL_set_mode(ssl,op) \
627 SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
628# define SSL_get_mode(ssl) \
629 SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
630# define SSL_set_mtu(ssl, mtu) \
631 SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
632# define DTLS_set_link_mtu(ssl, mtu) \
633 SSL_ctrl((ssl),DTLS_CTRL_SET_LINK_MTU,(mtu),NULL)
634# define DTLS_get_link_min_mtu(ssl) \
635 SSL_ctrl((ssl),DTLS_CTRL_GET_LINK_MIN_MTU,0,NULL)
636
637# define SSL_get_secure_renegotiation_support(ssl) \
638 SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
639
640# define SSL_CTX_set_cert_flags(ctx,op) \
641 SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL)
642# define SSL_set_cert_flags(s,op) \
643 SSL_ctrl((s),SSL_CTRL_CERT_FLAGS,(op),NULL)
644# define SSL_CTX_clear_cert_flags(ctx,op) \
645 SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
646# define SSL_clear_cert_flags(s,op) \
647 SSL_ctrl((s),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
648
649void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
650 void (*cb) (int write_p, int version,
651 int content_type, const void *buf,
652 size_t len, SSL *ssl, void *arg));
653void SSL_set_msg_callback(SSL *ssl,
654 void (*cb) (int write_p, int version,
655 int content_type, const void *buf,
656 size_t len, SSL *ssl, void *arg));
657# define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
658# define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
659
660# define SSL_get_extms_support(s) \
661 SSL_ctrl((s),SSL_CTRL_GET_EXTMS_SUPPORT,0,NULL)
662
663# ifndef OPENSSL_NO_SRP
664
665/* see tls_srp.c */
666__owur int SSL_SRP_CTX_init(SSL *s);
667__owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
668int SSL_SRP_CTX_free(SSL *ctx);
669int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
670__owur int SSL_srp_server_param_with_username(SSL *s, int *ad);
671__owur int SRP_Calc_A_param(SSL *s);
672
673# endif
674
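/*
 * Default limit (100k) on the size of a certificate list. The expansion is
 * parenthesised so the macro composes safely inside larger expressions
 * (e.g. with '%' or a cast), matching SSL_SESSION_CACHE_MAX_SIZE_DEFAULT.
 */
# define SSL_MAX_CERT_LIST_DEFAULT (1024*100)

/* Default size limit (20k) of the session cache */
# define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)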
679
680/*
681 * This callback type is used inside SSL_CTX, SSL, and in the functions that
682 * set them. It is used to override the generation of SSL/TLS session IDs in
683 * a server. Return value should be zero on an error, non-zero to proceed.
684 * Also, callbacks should themselves check if the id they generate is unique
685 * otherwise the SSL handshake will fail with an error - callbacks can do
686 * this using the 'ssl' value they're passed by;
687 * SSL_has_matching_session_id(ssl, id, *id_len) The length value passed in
688 * is set at the maximum size the session ID can be. In SSLv3/TLSv1 it is 32
689 * bytes. The callback can alter this length to be less if desired. It is
690 * also an error for the callback to set the size to zero.
691 */
692typedef int (*GEN_SESSION_CB) (SSL *ssl, unsigned char *id,
693 unsigned int *id_len);
694
695# define SSL_SESS_CACHE_OFF 0x0000
696# define SSL_SESS_CACHE_CLIENT 0x0001
697# define SSL_SESS_CACHE_SERVER 0x0002
698# define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
699# define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
700/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
701# define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
702# define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
703# define SSL_SESS_CACHE_NO_INTERNAL \
704 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
705
706LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
707# define SSL_CTX_sess_number(ctx) \
708 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
709# define SSL_CTX_sess_connect(ctx) \
710 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
711# define SSL_CTX_sess_connect_good(ctx) \
712 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
713# define SSL_CTX_sess_connect_renegotiate(ctx) \
714 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
715# define SSL_CTX_sess_accept(ctx) \
716 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
717# define SSL_CTX_sess_accept_renegotiate(ctx) \
718 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
719# define SSL_CTX_sess_accept_good(ctx) \
720 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
721# define SSL_CTX_sess_hits(ctx) \
722 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
723# define SSL_CTX_sess_cb_hits(ctx) \
724 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
725# define SSL_CTX_sess_misses(ctx) \
726 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
727# define SSL_CTX_sess_timeouts(ctx) \
728 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
729# define SSL_CTX_sess_cache_full(ctx) \
730 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
731
732void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
733 int (*new_session_cb) (struct ssl_st *ssl,
734 SSL_SESSION *sess));
735int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)) (struct ssl_st *ssl,
736 SSL_SESSION *sess);
737void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
738 void (*remove_session_cb) (struct ssl_ctx_st
739 *ctx,
740 SSL_SESSION *sess));
741void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)) (struct ssl_ctx_st *ctx,
742 SSL_SESSION *sess);
743void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
744 SSL_SESSION *(*get_session_cb) (struct ssl_st
745 *ssl,
746 const unsigned char
747 *data, int len,
748 int *copy));
749SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx)) (struct ssl_st *ssl,
750 const unsigned char *data,
751 int len, int *copy);
752void SSL_CTX_set_info_callback(SSL_CTX *ctx,
753 void (*cb) (const SSL *ssl, int type, int val));
754void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type,
755 int val);
756void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
757 int (*client_cert_cb) (SSL *ssl, X509 **x509,
758 EVP_PKEY **pkey));
759int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx)) (SSL *ssl, X509 **x509,
760 EVP_PKEY **pkey);
761# ifndef OPENSSL_NO_ENGINE
762__owur int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
763# endif
764void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
765 int (*app_gen_cookie_cb) (SSL *ssl,
766 unsigned char
767 *cookie,
768 unsigned int
769 *cookie_len));
770void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
771 int (*app_verify_cookie_cb) (SSL *ssl,
772 const unsigned
773 char *cookie,
774 unsigned int
775 cookie_len));
776
777void SSL_CTX_set_stateless_cookie_generate_cb(
778 SSL_CTX *ctx,
779 int (*gen_stateless_cookie_cb) (SSL *ssl,
780 unsigned char *cookie,
781 size_t *cookie_len));
782void SSL_CTX_set_stateless_cookie_verify_cb(
783 SSL_CTX *ctx,
784 int (*verify_stateless_cookie_cb) (SSL *ssl,
785 const unsigned char *cookie,
786 size_t cookie_len));
787# ifndef OPENSSL_NO_NEXTPROTONEG
788
789typedef int (*SSL_CTX_npn_advertised_cb_func)(SSL *ssl,
790 const unsigned char **out,
791 unsigned int *outlen,
792 void *arg);
793void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
794 SSL_CTX_npn_advertised_cb_func cb,
795 void *arg);
796# define SSL_CTX_set_npn_advertised_cb SSL_CTX_set_next_protos_advertised_cb
797
798typedef int (*SSL_CTX_npn_select_cb_func)(SSL *s,
799 unsigned char **out,
800 unsigned char *outlen,
801 const unsigned char *in,
802 unsigned int inlen,
803 void *arg);
804void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
805 SSL_CTX_npn_select_cb_func cb,
806 void *arg);
807# define SSL_CTX_set_npn_select_cb SSL_CTX_set_next_proto_select_cb
808
809void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
810 unsigned *len);
811# define SSL_get0_npn_negotiated SSL_get0_next_proto_negotiated
812# endif
813
814__owur int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
815 const unsigned char *in, unsigned int inlen,
816 const unsigned char *client,
817 unsigned int client_len);
818
819# define OPENSSL_NPN_UNSUPPORTED 0
820# define OPENSSL_NPN_NEGOTIATED 1
821# define OPENSSL_NPN_NO_OVERLAP 2
822
823__owur int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
824 unsigned int protos_len);
825__owur int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
826 unsigned int protos_len);
827typedef int (*SSL_CTX_alpn_select_cb_func)(SSL *ssl,
828 const unsigned char **out,
829 unsigned char *outlen,
830 const unsigned char *in,
831 unsigned int inlen,
832 void *arg);
833void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
834 SSL_CTX_alpn_select_cb_func cb,
835 void *arg);
836void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
837 unsigned int *len);
838
839# ifndef OPENSSL_NO_PSK
/*
 * The maximum length of the buffers handed to the PSK callbacks to receive
 * the resulting identity and psk.
 */
844# define PSK_MAX_IDENTITY_LEN 128
845# define PSK_MAX_PSK_LEN 256
846typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl,
847 const char *hint,
848 char *identity,
849 unsigned int max_identity_len,
850 unsigned char *psk,
851 unsigned int max_psk_len);
852void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb);
853void SSL_set_psk_client_callback(SSL *ssl, SSL_psk_client_cb_func cb);
854
855typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl,
856 const char *identity,
857 unsigned char *psk,
858 unsigned int max_psk_len);
859void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb);
860void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb);
861
862__owur int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint);
863__owur int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
864const char *SSL_get_psk_identity_hint(const SSL *s);
865const char *SSL_get_psk_identity(const SSL *s);
866# endif
867
868typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl,
869 const unsigned char *identity,
870 size_t identity_len,
871 SSL_SESSION **sess);
872typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md,
873 const unsigned char **id,
874 size_t *idlen,
875 SSL_SESSION **sess);
876
877void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb);
878void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
879 SSL_psk_find_session_cb_func cb);
880void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb);
881void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
882 SSL_psk_use_session_cb_func cb);
883
884/* Register callbacks to handle custom TLS Extensions for client or server. */
885
886__owur int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx,
887 unsigned int ext_type);
888
889__owur int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx,
890 unsigned int ext_type,
891 custom_ext_add_cb add_cb,
892 custom_ext_free_cb free_cb,
893 void *add_arg,
894 custom_ext_parse_cb parse_cb,
895 void *parse_arg);
896
897__owur int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx,
898 unsigned int ext_type,
899 custom_ext_add_cb add_cb,
900 custom_ext_free_cb free_cb,
901 void *add_arg,
902 custom_ext_parse_cb parse_cb,
903 void *parse_arg);
904
905__owur int SSL_CTX_add_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
906 unsigned int context,
907 SSL_custom_ext_add_cb_ex add_cb,
908 SSL_custom_ext_free_cb_ex free_cb,
909 void *add_arg,
910 SSL_custom_ext_parse_cb_ex parse_cb,
911 void *parse_arg);
912
913__owur int SSL_extension_supported(unsigned int ext_type);
914
915# define SSL_NOTHING 1
916# define SSL_WRITING 2
917# define SSL_READING 3
918# define SSL_X509_LOOKUP 4
919# define SSL_ASYNC_PAUSED 5
920# define SSL_ASYNC_NO_JOBS 6
921# define SSL_CLIENT_HELLO_CB 7
922
923/* These will only be used when doing non-blocking IO */
924# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
925# define SSL_want_read(s) (SSL_want(s) == SSL_READING)
926# define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
927# define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
928# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
929# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
930# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
931
932# define SSL_MAC_FLAG_READ_MAC_STREAM 1
933# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
934
/*
 * A callback for logging TLS key material. The callback should write |line|
 * followed by a newline.
 */
939typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line);
940
/*
 * SSL_CTX_set_keylog_callback configures a callback that logs key material.
 * This is intended for debugging use with tools like Wireshark. The |cb|
 * function should write |line| followed by a newline.
 */
946void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb);
947
948/*
949 * SSL_CTX_get_keylog_callback returns the callback configured by
950 * SSL_CTX_set_keylog_callback.
951 */
952SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx);
953
954int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data);
955uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx);
956int SSL_set_max_early_data(SSL *s, uint32_t max_early_data);
957uint32_t SSL_get_max_early_data(const SSL *s);
958int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data);
959uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx);
960int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data);
961uint32_t SSL_get_recv_max_early_data(const SSL *s);
962
963#ifdef __cplusplus
964}
965#endif
966
967# include <openssl/ssl2.h>
968# include <openssl/ssl3.h>
969# include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
970# include <openssl/dtls1.h> /* Datagram TLS */
971# include <openssl/srtp.h> /* Support for the use_srtp extension */
972
973#ifdef __cplusplus
974extern "C" {
975#endif
976
977/*
978 * These need to be after the above set of includes due to a compiler bug
979 * in VisualStudio 2015
980 */
981DEFINE_STACK_OF_CONST(SSL_CIPHER)
982DEFINE_STACK_OF(SSL_COMP)
983
984/* compatibility */
985# define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)(arg)))
986# define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
987# define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0, \
988 (char *)(a)))
989# define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
990# define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
991# define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0, \
992 (char *)(arg)))
993DEPRECATEDIN_1_1_0(void SSL_set_debug(SSL *s, int debug))
994
995/* TLSv1.3 KeyUpdate message types */
996/* -1 used so that this is an invalid value for the on-the-wire protocol */
997#define SSL_KEY_UPDATE_NONE -1
998/* Values as defined for the on-the-wire protocol */
999#define SSL_KEY_UPDATE_NOT_REQUESTED 0
1000#define SSL_KEY_UPDATE_REQUESTED 1
1001
/*
 * The valid handshake states (one for each type of message sent and one for
 * each type of message received). There are also two "special" states.
 * Prefixes used in the state names:
 * TLS = TLS or DTLS state
 * DTLS = DTLS specific state
 * CR/SR = Client Read/Server Read
 * CW/SW = Client Write/Server Write
 *
 * The "special" states are:
 * TLS_ST_BEFORE = No handshake has been initiated yet
 * TLS_ST_OK = A handshake has been successfully completed
 */
typedef enum {
    /* The two "special" states: no handshake started yet / handshake done */
    TLS_ST_BEFORE,
    TLS_ST_OK,
    /* DTLS-only state: HelloVerifyRequest read by the client */
    DTLS_ST_CR_HELLO_VERIFY_REQUEST,
    TLS_ST_CR_SRVR_HELLO,
    TLS_ST_CR_CERT,
    TLS_ST_CR_CERT_STATUS,
    TLS_ST_CR_KEY_EXCH,
    TLS_ST_CR_CERT_REQ,
    TLS_ST_CR_SRVR_DONE,
    TLS_ST_CR_SESSION_TICKET,
    TLS_ST_CR_CHANGE,
    TLS_ST_CR_FINISHED,
    TLS_ST_CW_CLNT_HELLO,
    TLS_ST_CW_CERT,
    TLS_ST_CW_KEY_EXCH,
    TLS_ST_CW_CERT_VRFY,
    TLS_ST_CW_CHANGE,
    TLS_ST_CW_NEXT_PROTO,
    TLS_ST_CW_FINISHED,
    TLS_ST_SW_HELLO_REQ,
    TLS_ST_SR_CLNT_HELLO,
    /* DTLS-only state: HelloVerifyRequest written by the server */
    DTLS_ST_SW_HELLO_VERIFY_REQUEST,
    TLS_ST_SW_SRVR_HELLO,
    TLS_ST_SW_CERT,
    TLS_ST_SW_KEY_EXCH,
    TLS_ST_SW_CERT_REQ,
    TLS_ST_SW_SRVR_DONE,
    TLS_ST_SR_CERT,
    TLS_ST_SR_KEY_EXCH,
    TLS_ST_SR_CERT_VRFY,
    TLS_ST_SR_NEXT_PROTO,
    TLS_ST_SR_CHANGE,
    TLS_ST_SR_FINISHED,
    TLS_ST_SW_SESSION_TICKET,
    TLS_ST_SW_CERT_STATUS,
    TLS_ST_SW_CHANGE,
    TLS_ST_SW_FINISHED,
    TLS_ST_SW_ENCRYPTED_EXTENSIONS,
    TLS_ST_CR_ENCRYPTED_EXTENSIONS,
    TLS_ST_CR_CERT_VRFY,
    TLS_ST_SW_CERT_VRFY,
    TLS_ST_CR_HELLO_REQ,
    /* KeyUpdate states; the request types are the SSL_KEY_UPDATE_* values */
    TLS_ST_SW_KEY_UPDATE,
    TLS_ST_CW_KEY_UPDATE,
    TLS_ST_SR_KEY_UPDATE,
    TLS_ST_CR_KEY_UPDATE,
    /* Early data states (see the SSL_*_max_early_data functions) */
    TLS_ST_EARLY_DATA,
    TLS_ST_PENDING_EARLY_DATA_END,
    TLS_ST_CW_END_OF_EARLY_DATA,
    TLS_ST_SR_END_OF_EARLY_DATA
} OSSL_HANDSHAKE_STATE;
1066
/*
 * Most of the following state values are no longer used and are defined to be
 * the closest equivalent value in the current state machine code. Defines
 * with no equivalent are set to a dummy value (-1). SSL_ST_CONNECT and
 * SSL_ST_ACCEPT are still in use in the definition of SSL_CB_ACCEPT_LOOP,
 * SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP and SSL_CB_CONNECT_EXIT.
 */
1074
1075# define SSL_ST_CONNECT 0x1000
1076# define SSL_ST_ACCEPT 0x2000
1077
1078# define SSL_ST_MASK 0x0FFF
1079
1080# define SSL_CB_LOOP 0x01
1081# define SSL_CB_EXIT 0x02
1082# define SSL_CB_READ 0x04
1083# define SSL_CB_WRITE 0x08
1084# define SSL_CB_ALERT 0x4000/* used in callback */
1085# define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
1086# define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
1087# define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
1088# define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
1089# define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
1090# define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
1091# define SSL_CB_HANDSHAKE_START 0x10
1092# define SSL_CB_HANDSHAKE_DONE 0x20
1093
/* Is the SSL connection established? */
1095# define SSL_in_connect_init(a) (SSL_in_init(a) && !SSL_is_server(a))
1096# define SSL_in_accept_init(a) (SSL_in_init(a) && SSL_is_server(a))
1097int SSL_in_init(const SSL *s);
1098int SSL_in_before(const SSL *s);
1099int SSL_is_init_finished(const SSL *s);
1100
/*
 * The following 3 states are kept in ssl->rlayer.rstate when reads fail;
 * applications should not need them.
 */
1105# define SSL_ST_READ_HEADER 0xF0
1106# define SSL_ST_READ_BODY 0xF1
1107# define SSL_ST_READ_DONE 0xF2
1108
/*-
 * Obtain the latest Finished message
 * -- that we sent (SSL_get_finished)
 * -- that we expected from the peer (SSL_get_peer_finished).
 * Returns the length of the message (0 == no Finished so far) and copies up
 * to 'count' bytes of it into 'buf'.
 */
1115size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
1116size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
1117
/*
 * Use either SSL_VERIFY_NONE or SSL_VERIFY_PEER; the remaining 3 options are
 * OR'ed with SSL_VERIFY_PEER when they are desired.
 */
1122# define SSL_VERIFY_NONE 0x00
1123# define SSL_VERIFY_PEER 0x01
1124# define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
1125# define SSL_VERIFY_CLIENT_ONCE 0x04
1126# define SSL_VERIFY_POST_HANDSHAKE 0x08
1127
1128# ifndef OPENSSL_NO_DEPRECATED_1_1_0
1129# define OpenSSL_add_ssl_algorithms() SSL_library_init()
1130# define SSLeay_add_ssl_algorithms() SSL_library_init()
1131# endif
1132
1133/* More backward compatibility */
1134# define SSL_get_cipher(s) \
1135 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1136# define SSL_get_cipher_bits(s,np) \
1137 SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
1138# define SSL_get_cipher_version(s) \
1139 SSL_CIPHER_get_version(SSL_get_current_cipher(s))
1140# define SSL_get_cipher_name(s) \
1141 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
1142# define SSL_get_time(a) SSL_SESSION_get_time(a)
1143# define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b))
1144# define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
1145# define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b))
1146
1147# define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
1148# define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
1149
1150DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
1151# define SSL_AD_REASON_OFFSET 1000/* offset to get SSL_R_... value
1152 * from SSL_AD_... */
1153/* These alert types are for SSLv3 and TLSv1 */
1154# define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
1155/* fatal */
1156# define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE
1157/* fatal */
1158# define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC
1159# define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
1160# define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
1161/* fatal */
1162# define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE
1163/* fatal */
1164# define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE
1165/* Not for TLS */
1166# define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE
1167# define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
1168# define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
1169# define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
1170# define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
1171# define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
1172/* fatal */
1173# define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER
1174/* fatal */
1175# define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA
1176/* fatal */
1177# define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED
1178/* fatal */
1179# define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR
1180# define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
1181/* fatal */
1182# define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION
1183/* fatal */
1184# define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION
1185/* fatal */
1186# define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY
1187/* fatal */
1188# define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR
1189# define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
1190# define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
1191# define SSL_AD_MISSING_EXTENSION TLS13_AD_MISSING_EXTENSION
1192# define SSL_AD_CERTIFICATE_REQUIRED TLS13_AD_CERTIFICATE_REQUIRED
1193# define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
1194# define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
1195# define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
1196# define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
1197# define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
1198/* fatal */
1199# define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY
1200/* fatal */
1201# define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK
1202# define SSL_AD_NO_APPLICATION_PROTOCOL TLS1_AD_NO_APPLICATION_PROTOCOL
1203# define SSL_ERROR_NONE 0
1204# define SSL_ERROR_SSL 1
1205# define SSL_ERROR_WANT_READ 2
1206# define SSL_ERROR_WANT_WRITE 3
1207# define SSL_ERROR_WANT_X509_LOOKUP 4
1208# define SSL_ERROR_SYSCALL 5/* look at error stack/return
1209 * value/errno */
1210# define SSL_ERROR_ZERO_RETURN 6
1211# define SSL_ERROR_WANT_CONNECT 7
1212# define SSL_ERROR_WANT_ACCEPT 8
1213# define SSL_ERROR_WANT_ASYNC 9
1214# define SSL_ERROR_WANT_ASYNC_JOB 10
1215# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
1216# define SSL_CTRL_SET_TMP_DH 3
1217# define SSL_CTRL_SET_TMP_ECDH 4
1218# define SSL_CTRL_SET_TMP_DH_CB 6
1219# define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
1220# define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
1221# define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
1222# define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
1223# define SSL_CTRL_GET_FLAGS 13
1224# define SSL_CTRL_EXTRA_CHAIN_CERT 14
1225# define SSL_CTRL_SET_MSG_CALLBACK 15
1226# define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
1227/* only applies to datagram connections */
1228# define SSL_CTRL_SET_MTU 17
1229/* Stats */
1230# define SSL_CTRL_SESS_NUMBER 20
1231# define SSL_CTRL_SESS_CONNECT 21
1232# define SSL_CTRL_SESS_CONNECT_GOOD 22
1233# define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
1234# define SSL_CTRL_SESS_ACCEPT 24
1235# define SSL_CTRL_SESS_ACCEPT_GOOD 25
1236# define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
1237# define SSL_CTRL_SESS_HIT 27
1238# define SSL_CTRL_SESS_CB_HIT 28
1239# define SSL_CTRL_SESS_MISSES 29
1240# define SSL_CTRL_SESS_TIMEOUTS 30
1241# define SSL_CTRL_SESS_CACHE_FULL 31
1242# define SSL_CTRL_MODE 33
1243# define SSL_CTRL_GET_READ_AHEAD 40
1244# define SSL_CTRL_SET_READ_AHEAD 41
1245# define SSL_CTRL_SET_SESS_CACHE_SIZE 42
1246# define SSL_CTRL_GET_SESS_CACHE_SIZE 43
1247# define SSL_CTRL_SET_SESS_CACHE_MODE 44
1248# define SSL_CTRL_GET_SESS_CACHE_MODE 45
1249# define SSL_CTRL_GET_MAX_CERT_LIST 50
1250# define SSL_CTRL_SET_MAX_CERT_LIST 51
1251# define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
1252/* see tls1.h for macros based on these */
1253# define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
1254# define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
1255# define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
1256# define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56
1257# define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
1258# define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
1259# define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
1260/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60 */
1261/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61 */
1262/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62 */
1263# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
1264# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
1265# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
1266# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66
1267# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67
1268# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68
1269# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69
1270# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70
1271# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71
1272# define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
1273# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
1274# define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
1275# define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
1276# define SSL_CTRL_SET_SRP_ARG 78
1277# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
1278# define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
1279# define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
1280# define DTLS_CTRL_GET_TIMEOUT 73
1281# define DTLS_CTRL_HANDLE_TIMEOUT 74
1282# define SSL_CTRL_GET_RI_SUPPORT 76
1283# define SSL_CTRL_CLEAR_MODE 78
1284# define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79
1285# define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
1286# define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
1287# define SSL_CTRL_CHAIN 88
1288# define SSL_CTRL_CHAIN_CERT 89
1289# define SSL_CTRL_GET_GROUPS 90
1290# define SSL_CTRL_SET_GROUPS 91
1291# define SSL_CTRL_SET_GROUPS_LIST 92
1292# define SSL_CTRL_GET_SHARED_GROUP 93
1293# define SSL_CTRL_SET_SIGALGS 97
1294# define SSL_CTRL_SET_SIGALGS_LIST 98
1295# define SSL_CTRL_CERT_FLAGS 99
1296# define SSL_CTRL_CLEAR_CERT_FLAGS 100
1297# define SSL_CTRL_SET_CLIENT_SIGALGS 101
1298# define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102
1299# define SSL_CTRL_GET_CLIENT_CERT_TYPES 103
1300# define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
1301# define SSL_CTRL_BUILD_CERT_CHAIN 105
1302# define SSL_CTRL_SET_VERIFY_CERT_STORE 106
1303# define SSL_CTRL_SET_CHAIN_CERT_STORE 107
1304# define SSL_CTRL_GET_PEER_SIGNATURE_NID 108
1305# define SSL_CTRL_GET_PEER_TMP_KEY 109
1306# define SSL_CTRL_GET_RAW_CIPHERLIST 110
1307# define SSL_CTRL_GET_EC_POINT_FORMATS 111
1308# define SSL_CTRL_GET_CHAIN_CERTS 115
1309# define SSL_CTRL_SELECT_CURRENT_CERT 116
1310# define SSL_CTRL_SET_CURRENT_CERT 117
1311# define SSL_CTRL_SET_DH_AUTO 118
1312# define DTLS_CTRL_SET_LINK_MTU 120
1313# define DTLS_CTRL_GET_LINK_MIN_MTU 121
1314# define SSL_CTRL_GET_EXTMS_SUPPORT 122
1315# define SSL_CTRL_SET_MIN_PROTO_VERSION 123
1316# define SSL_CTRL_SET_MAX_PROTO_VERSION 124
1317# define SSL_CTRL_SET_SPLIT_SEND_FRAGMENT 125
1318# define SSL_CTRL_SET_MAX_PIPELINES 126
1319# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE 127
1320# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
1321# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
1322# define SSL_CTRL_GET_MIN_PROTO_VERSION 130
1323# define SSL_CTRL_GET_MAX_PROTO_VERSION 131
1324# define SSL_CTRL_GET_SIGNATURE_NID 132
1325# define SSL_CTRL_GET_TMP_KEY 133
1326# define SSL_CTRL_GET_NEGOTIATED_GROUP 134
1327# define SSL_CERT_SET_FIRST 1
1328# define SSL_CERT_SET_NEXT 2
1329# define SSL_CERT_SET_SERVER 3
1330# define DTLSv1_get_timeout(ssl, arg) \
1331 SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)(arg))
1332# define DTLSv1_handle_timeout(ssl) \
1333 SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
1334# define SSL_num_renegotiations(ssl) \
1335 SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
1336# define SSL_clear_num_renegotiations(ssl) \
1337 SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
1338# define SSL_total_renegotiations(ssl) \
1339 SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
1340# define SSL_CTX_set_tmp_dh(ctx,dh) \
1341 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
1342# define SSL_CTX_set_dh_auto(ctx, onoff) \
1343 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
1344# define SSL_set_dh_auto(s, onoff) \
1345 SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
1346# define SSL_set_tmp_dh(ssl,dh) \
1347 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
1348# ifndef OPENSSL_NO_DEPRECATED_3_0
1349# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
1350 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
1351# define SSL_set_tmp_ecdh(ssl,ecdh) \
1352 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
1353# endif
1354# define SSL_CTX_add_extra_chain_cert(ctx,x509) \
1355 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)(x509))
1356# define SSL_CTX_get_extra_chain_certs(ctx,px509) \
1357 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
1358# define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \
1359 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509)
1360# define SSL_CTX_clear_extra_chain_certs(ctx) \
1361 SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
1362# define SSL_CTX_set0_chain(ctx,sk) \
1363 SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)(sk))
1364# define SSL_CTX_set1_chain(ctx,sk) \
1365 SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN,1,(char *)(sk))
1366# define SSL_CTX_add0_chain_cert(ctx,x509) \
1367 SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)(x509))
1368# define SSL_CTX_add1_chain_cert(ctx,x509) \
1369 SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)(x509))
1370# define SSL_CTX_get0_chain_certs(ctx,px509) \
1371 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERTS,0,px509)
1372# define SSL_CTX_clear_chain_certs(ctx) \
1373 SSL_CTX_set0_chain(ctx,NULL)
1374# define SSL_CTX_build_cert_chain(ctx, flags) \
1375 SSL_CTX_ctrl(ctx,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
1376# define SSL_CTX_select_current_cert(ctx,x509) \
1377 SSL_CTX_ctrl(ctx,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509))
1378# define SSL_CTX_set_current_cert(ctx, op) \
1379 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CURRENT_CERT, op, NULL)
1380# define SSL_CTX_set0_verify_cert_store(ctx,st) \
1381 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
1382# define SSL_CTX_set1_verify_cert_store(ctx,st) \
1383 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))
1384# define SSL_CTX_set0_chain_cert_store(ctx,st) \
1385 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
1386# define SSL_CTX_set1_chain_cert_store(ctx,st) \
1387 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
1388# define SSL_set0_chain(s,sk) \
1389 SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk))
1390# define SSL_set1_chain(s,sk) \
1391 SSL_ctrl(s,SSL_CTRL_CHAIN,1,(char *)(sk))
1392# define SSL_add0_chain_cert(s,x509) \
1393 SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,0,(char *)(x509))
1394# define SSL_add1_chain_cert(s,x509) \
1395 SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,1,(char *)(x509))
1396# define SSL_get0_chain_certs(s,px509) \
1397 SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERTS,0,px509)
1398# define SSL_clear_chain_certs(s) \
1399 SSL_set0_chain(s,NULL)
1400# define SSL_build_cert_chain(s, flags) \
1401 SSL_ctrl(s,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
1402# define SSL_select_current_cert(s,x509) \
1403 SSL_ctrl(s,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509))
1404# define SSL_set_current_cert(s,op) \
1405 SSL_ctrl(s,SSL_CTRL_SET_CURRENT_CERT, op, NULL)
1406# define SSL_set0_verify_cert_store(s,st) \
1407 SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
1408# define SSL_set1_verify_cert_store(s,st) \
1409 SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))
1410# define SSL_set0_chain_cert_store(s,st) \
1411 SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
1412# define SSL_set1_chain_cert_store(s,st) \
1413 SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
1414# define SSL_get1_groups(s, glist) \
1415 SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist))
1416# define SSL_CTX_set1_groups(ctx, glist, glistlen) \
1417 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist))
1418# define SSL_CTX_set1_groups_list(ctx, s) \
1419 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s))
1420# define SSL_set1_groups(s, glist, glistlen) \
1421 SSL_ctrl(s,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist))
1422# define SSL_set1_groups_list(s, str) \
1423 SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str))
1424# define SSL_get_shared_group(s, n) \
1425 SSL_ctrl(s,SSL_CTRL_GET_SHARED_GROUP,n,NULL)
1426# define SSL_get_negotiated_group(s) \
1427 SSL_ctrl(s,SSL_CTRL_GET_NEGOTIATED_GROUP,0,NULL)
1428# define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
1429 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
1430# define SSL_CTX_set1_sigalgs_list(ctx, s) \
1431 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(s))
1432# define SSL_set1_sigalgs(s, slist, slistlen) \
1433 SSL_ctrl(s,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
1434# define SSL_set1_sigalgs_list(s, str) \
1435 SSL_ctrl(s,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(str))
1436# define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
1437 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist))
1438# define SSL_CTX_set1_client_sigalgs_list(ctx, s) \
1439 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(s))
1440# define SSL_set1_client_sigalgs(s, slist, slistlen) \
1441 SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist))
1442# define SSL_set1_client_sigalgs_list(s, str) \
1443 SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(str))
1444# define SSL_get0_certificate_types(s, clist) \
1445 SSL_ctrl(s, SSL_CTRL_GET_CLIENT_CERT_TYPES, 0, (char *)(clist))
1446# define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \
1447 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen, \
1448 (char *)(clist))
1449# define SSL_set1_client_certificate_types(s, clist, clistlen) \
1450 SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)(clist))
1451# define SSL_get_signature_nid(s, pn) \
1452 SSL_ctrl(s,SSL_CTRL_GET_SIGNATURE_NID,0,pn)
1453# define SSL_get_peer_signature_nid(s, pn) \
1454 SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
1455# define SSL_get_peer_tmp_key(s, pk) \
1456 SSL_ctrl(s,SSL_CTRL_GET_PEER_TMP_KEY,0,pk)
1457# define SSL_get_tmp_key(s, pk) \
1458 SSL_ctrl(s,SSL_CTRL_GET_TMP_KEY,0,pk)
1459# define SSL_get0_raw_cipherlist(s, plst) \
1460 SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst)
1461# define SSL_get0_ec_point_formats(s, plst) \
1462 SSL_ctrl(s,SSL_CTRL_GET_EC_POINT_FORMATS,0,plst)
1463# define SSL_CTX_set_min_proto_version(ctx, version) \
1464 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
1465# define SSL_CTX_set_max_proto_version(ctx, version) \
1466 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
1467# define SSL_CTX_get_min_proto_version(ctx) \
1468 SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL)
1469# define SSL_CTX_get_max_proto_version(ctx) \
1470 SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL)
1471# define SSL_set_min_proto_version(s, version) \
1472 SSL_ctrl(s, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
1473# define SSL_set_max_proto_version(s, version) \
1474 SSL_ctrl(s, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
1475# define SSL_get_min_proto_version(s) \
1476 SSL_ctrl(s, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL)
1477# define SSL_get_max_proto_version(s) \
1478 SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL)
1479
1480/* Backwards compatibility, original 1.1.0 names */
1481# define SSL_CTRL_GET_SERVER_TMP_KEY \
1482 SSL_CTRL_GET_PEER_TMP_KEY
1483# define SSL_get_server_tmp_key(s, pk) \
1484 SSL_get_peer_tmp_key(s, pk)
1485
1486/*
1487 * The following symbol names are old and obsolete. They are kept
1488 * for compatibility reasons only and should not be used anymore.
1489 */
1490# define SSL_CTRL_GET_CURVES SSL_CTRL_GET_GROUPS
1491# define SSL_CTRL_SET_CURVES SSL_CTRL_SET_GROUPS
1492# define SSL_CTRL_SET_CURVES_LIST SSL_CTRL_SET_GROUPS_LIST
1493# define SSL_CTRL_GET_SHARED_CURVE SSL_CTRL_GET_SHARED_GROUP
1494
1495# define SSL_get1_curves SSL_get1_groups
1496# define SSL_CTX_set1_curves SSL_CTX_set1_groups
1497# define SSL_CTX_set1_curves_list SSL_CTX_set1_groups_list
1498# define SSL_set1_curves SSL_set1_groups
1499# define SSL_set1_curves_list SSL_set1_groups_list
1500# define SSL_get_shared_curve SSL_get_shared_group
1501
1502
1503# ifndef OPENSSL_NO_DEPRECATED_1_1_0
1504/* Provide some compatibility macros for removed functionality. */
1505# define SSL_CTX_need_tmp_RSA(ctx) 0
1506# define SSL_CTX_set_tmp_rsa(ctx,rsa) 1
1507# define SSL_need_tmp_RSA(ssl) 0
1508# define SSL_set_tmp_rsa(ssl,rsa) 1
1509# define SSL_CTX_set_ecdh_auto(dummy, onoff) ((onoff) != 0)
1510# define SSL_set_ecdh_auto(dummy, onoff) ((onoff) != 0)
1511/*
1512 * We "pretend" to call the callback to avoid warnings about unused static
1513 * functions.
1514 */
1515# define SSL_CTX_set_tmp_rsa_callback(ctx, cb) while(0) (cb)(NULL, 0, 0)
1516# define SSL_set_tmp_rsa_callback(ssl, cb) while(0) (cb)(NULL, 0, 0)
1517# endif
1518__owur const BIO_METHOD *BIO_f_ssl(void);
1519__owur BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
1520__owur BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
1521__owur BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
1522__owur int BIO_ssl_copy_session_id(BIO *to, BIO *from);
1523void BIO_ssl_shutdown(BIO *ssl_bio);
1524
1525__owur int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
1526__owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
1527int SSL_CTX_up_ref(SSL_CTX *ctx);
1528void SSL_CTX_free(SSL_CTX *);
1529__owur long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
1530__owur long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1531__owur X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1532void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
1533void SSL_CTX_set1_cert_store(SSL_CTX *, X509_STORE *);
1534__owur int SSL_want(const SSL *s);
1535__owur int SSL_clear(SSL *s);
1536
1537void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
1538
1539__owur const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1540__owur const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s);
1541__owur int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
1542__owur const char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
1543__owur const char *SSL_CIPHER_get_name(const SSL_CIPHER *c);
1544__owur const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
1545__owur const char *OPENSSL_cipher_name(const char *rfc_name);
1546__owur uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
1547__owur uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c);
1548__owur int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
1549__owur int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
1550__owur const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
1551__owur int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
1552
1553__owur int SSL_get_fd(const SSL *s);
1554__owur int SSL_get_rfd(const SSL *s);
1555__owur int SSL_get_wfd(const SSL *s);
1556__owur const char *SSL_get_cipher_list(const SSL *s, int n);
1557__owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size);
1558__owur int SSL_get_read_ahead(const SSL *s);
1559__owur int SSL_pending(const SSL *s);
1560__owur int SSL_has_pending(const SSL *s);
1561# ifndef OPENSSL_NO_SOCK
1562__owur int SSL_set_fd(SSL *s, int fd);
1563__owur int SSL_set_rfd(SSL *s, int fd);
1564__owur int SSL_set_wfd(SSL *s, int fd);
1565# endif
1566void SSL_set0_rbio(SSL *s, BIO *rbio);
1567void SSL_set0_wbio(SSL *s, BIO *wbio);
1568void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
1569__owur BIO *SSL_get_rbio(const SSL *s);
1570__owur BIO *SSL_get_wbio(const SSL *s);
1571__owur int SSL_set_cipher_list(SSL *s, const char *str);
1572__owur int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
1573__owur int SSL_set_ciphersuites(SSL *s, const char *str);
1574void SSL_set_read_ahead(SSL *s, int yes);
1575__owur int SSL_get_verify_mode(const SSL *s);
1576__owur int SSL_get_verify_depth(const SSL *s);
1577__owur SSL_verify_cb SSL_get_verify_callback(const SSL *s);
1578void SSL_set_verify(SSL *s, int mode, SSL_verify_cb callback);
1579void SSL_set_verify_depth(SSL *s, int depth);
1580void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg);
1581# ifndef OPENSSL_NO_RSA
1582__owur int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1583__owur int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d,
1584 long len);
1585# endif
1586__owur int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1587__owur int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d,
1588 long len);
1589__owur int SSL_use_certificate(SSL *ssl, X509 *x);
1590__owur int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
1591__owur int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey,
1592 STACK_OF(X509) *chain, int override);
1593
1594
1595/* serverinfo file format versions */
1596# define SSL_SERVERINFOV1 1
1597# define SSL_SERVERINFOV2 2
1598
1599/* Set serverinfo data for the current active cert. */
1600__owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
1601 size_t serverinfo_length);
1602__owur int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,
1603 const unsigned char *serverinfo,
1604 size_t serverinfo_length);
1605__owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
1606
1607#ifndef OPENSSL_NO_RSA
1608__owur int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
1609#endif
1610
1611__owur int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
1612__owur int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
1613
1614#ifndef OPENSSL_NO_RSA
1615__owur int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file,
1616 int type);
1617#endif
1618__owur int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file,
1619 int type);
1620__owur int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file,
1621 int type);
1622/* PEM type */
1623__owur int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
1624__owur int SSL_use_certificate_chain_file(SSL *ssl, const char *file);
1625__owur STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
1626__owur int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1627 const char *file);
1628int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1629 const char *dir);
1630int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1631 const char *uri);
1632
# ifndef OPENSSL_NO_DEPRECATED_1_1_0
/*
 * Compatibility macro, only defined while 1.1.0-deprecated APIs are enabled:
 * loads both the libssl and libcrypto error strings through OPENSSL_init_ssl()
 * (flags OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS,
 * NULL settings).
 */
# define SSL_load_error_strings() \
    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \
                     | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)
# endif
1638
1639__owur const char *SSL_state_string(const SSL *s);
1640__owur const char *SSL_rstate_string(const SSL *s);
1641__owur const char *SSL_state_string_long(const SSL *s);
1642__owur const char *SSL_rstate_string_long(const SSL *s);
1643__owur long SSL_SESSION_get_time(const SSL_SESSION *s);
1644__owur long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1645__owur long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1646__owur long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1647__owur int SSL_SESSION_get_protocol_version(const SSL_SESSION *s);
1648__owur int SSL_SESSION_set_protocol_version(SSL_SESSION *s, int version);
1649
1650__owur const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s);
1651__owur int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname);
1652void SSL_SESSION_get0_alpn_selected(const SSL_SESSION *s,
1653 const unsigned char **alpn,
1654 size_t *len);
1655__owur int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s,
1656 const unsigned char *alpn,
1657 size_t len);
1658__owur const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s);
1659__owur int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher);
1660__owur int SSL_SESSION_has_ticket(const SSL_SESSION *s);
1661__owur unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s);
1662void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick,
1663 size_t *len);
1664__owur uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s);
1665__owur int SSL_SESSION_set_max_early_data(SSL_SESSION *s,
1666 uint32_t max_early_data);
1667__owur int SSL_copy_session_id(SSL *to, const SSL *from);
1668__owur X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
1669__owur int SSL_SESSION_set1_id_context(SSL_SESSION *s,
1670 const unsigned char *sid_ctx,
1671 unsigned int sid_ctx_len);
1672__owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
1673 unsigned int sid_len);
1674__owur int SSL_SESSION_is_resumable(const SSL_SESSION *s);
1675
1676__owur SSL_SESSION *SSL_SESSION_new(void);
1677__owur SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
1678const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
1679 unsigned int *len);
1680const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
1681 unsigned int *len);
1682__owur unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
1683# ifndef OPENSSL_NO_STDIO
1684int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
1685# endif
1686int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
1687int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
1688int SSL_SESSION_up_ref(SSL_SESSION *ses);
1689void SSL_SESSION_free(SSL_SESSION *ses);
1690__owur int i2d_SSL_SESSION(const SSL_SESSION *in, unsigned char **pp);
1691__owur int SSL_set_session(SSL *to, SSL_SESSION *session);
1692int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);
1693int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session);
1694__owur int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb);
1695__owur int SSL_set_generate_session_id(SSL *s, GEN_SESSION_CB cb);
1696__owur int SSL_has_matching_session_id(const SSL *s,
1697 const unsigned char *id,
1698 unsigned int id_len);
1699SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
1700 long length);
1701
1702# ifdef OPENSSL_X509_H
1703__owur X509 *SSL_get_peer_certificate(const SSL *s);
1704# endif
1705
1706__owur STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1707
1708__owur int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1709__owur int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1710__owur SSL_verify_cb SSL_CTX_get_verify_callback(const SSL_CTX *ctx);
1711void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb callback);
1712void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
1713void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
1714 int (*cb) (X509_STORE_CTX *, void *),
1715 void *arg);
1716void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg),
1717 void *arg);
1718# ifndef OPENSSL_NO_RSA
1719__owur int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1720__owur int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
1721 long len);
1722# endif
1723__owur int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1724__owur int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx,
1725 const unsigned char *d, long len);
1726__owur int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
1727__owur int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
1728 const unsigned char *d);
1729__owur int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
1730 STACK_OF(X509) *chain, int override);
1731
1732void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1733void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1734pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx);
1735void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx);
1736void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
1737void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
1738pem_password_cb *SSL_get_default_passwd_cb(SSL *s);
1739void *SSL_get_default_passwd_cb_userdata(SSL *s);
1740
1741__owur int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1742__owur int SSL_check_private_key(const SSL *ctx);
1743
1744__owur int SSL_CTX_set_session_id_context(SSL_CTX *ctx,
1745 const unsigned char *sid_ctx,
1746 unsigned int sid_ctx_len);
1747
1748SSL *SSL_new(SSL_CTX *ctx);
1749int SSL_up_ref(SSL *s);
1750int SSL_is_dtls(const SSL *s);
1751__owur int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
1752 unsigned int sid_ctx_len);
1753
1754__owur int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose);
1755__owur int SSL_set_purpose(SSL *ssl, int purpose);
1756__owur int SSL_CTX_set_trust(SSL_CTX *ctx, int trust);
1757__owur int SSL_set_trust(SSL *ssl, int trust);
1758
1759__owur int SSL_set1_host(SSL *s, const char *hostname);
1760__owur int SSL_add1_host(SSL *s, const char *hostname);
1761__owur const char *SSL_get0_peername(SSL *s);
1762void SSL_set_hostflags(SSL *s, unsigned int flags);
1763
1764__owur int SSL_CTX_dane_enable(SSL_CTX *ctx);
1765__owur int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md,
1766 uint8_t mtype, uint8_t ord);
1767__owur int SSL_dane_enable(SSL *s, const char *basedomain);
1768__owur int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
1769 uint8_t mtype, unsigned const char *data, size_t dlen);
1770__owur int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki);
1771__owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
1772 uint8_t *mtype, unsigned const char **data,
1773 size_t *dlen);
1774/*
 * Bridge opacity barrier between libcrypto and libssl, also needed to support
1776 * offline testing in test/danetest.c
1777 */
1778SSL_DANE *SSL_get0_dane(SSL *ssl);
1779/*
1780 * DANE flags
1781 */
1782unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
1783unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
1784unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
1785unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
1786
1787__owur int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
1788__owur int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
1789
1790__owur X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
1791__owur X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
1792
1793# ifndef OPENSSL_NO_SRP
1794int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
1795int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
1796int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
1797int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
1798 char *(*cb) (SSL *, void *));
1799int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
1800 int (*cb) (SSL *, void *));
1801int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
1802 int (*cb) (SSL *, int *, void *));
1803int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
1804
1805int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
1806 BIGNUM *sa, BIGNUM *v, char *info);
1807int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
1808 const char *grp);
1809
1810__owur BIGNUM *SSL_get_srp_g(SSL *s);
1811__owur BIGNUM *SSL_get_srp_N(SSL *s);
1812
1813__owur char *SSL_get_srp_username(SSL *s);
1814__owur char *SSL_get_srp_userinfo(SSL *s);
1815# endif
1816
1817/*
1818 * ClientHello callback and helpers.
1819 */
1820
1821# define SSL_CLIENT_HELLO_SUCCESS 1
1822# define SSL_CLIENT_HELLO_ERROR 0
1823# define SSL_CLIENT_HELLO_RETRY (-1)
1824
1825typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg);
1826void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
1827 void *arg);
1828int SSL_client_hello_isv2(SSL *s);
1829unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
1830size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
1831size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out);
1832size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
1833size_t SSL_client_hello_get0_compression_methods(SSL *s,
1834 const unsigned char **out);
1835int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen);
1836int SSL_client_hello_get0_ext(SSL *s, unsigned int type,
1837 const unsigned char **out, size_t *outlen);
1838
1839void SSL_certs_clear(SSL *s);
1840void SSL_free(SSL *ssl);
1841# ifdef OSSL_ASYNC_FD
1842/*
 * Windows application developers have to include windows.h to use these.
1844 */
1845__owur int SSL_waiting_for_async(SSL *s);
1846__owur int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds);
1847__owur int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd,
1848 size_t *numaddfds, OSSL_ASYNC_FD *delfd,
1849 size_t *numdelfds);
1850__owur int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback);
1851__owur int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg);
1852__owur int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback);
1853__owur int SSL_set_async_callback_arg(SSL *s, void *arg);
1854__owur int SSL_get_async_status(SSL *s, int *status);
1855
1856# endif
1857__owur int SSL_accept(SSL *ssl);
1858__owur int SSL_stateless(SSL *s);
1859__owur int SSL_connect(SSL *ssl);
1860__owur int SSL_read(SSL *ssl, void *buf, int num);
1861__owur int SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
1862
/*
 * Result codes that, by name, belong to SSL_read_early_data() declared just
 * below: ERROR for a failed read, SUCCESS when early data was returned, FINISH
 * when no further early data is available — confirm against the
 * implementation.
 * NOTE(review): TLS 1.3 early data carries no protocol-level replay protection
 * (RFC 8446, section 8); anything read through this path should be treated
 * as possibly replayed, so callers should only accept it for idempotent
 * operations — verify the caller's handling.
 */
# define SSL_READ_EARLY_DATA_ERROR 0
# define SSL_READ_EARLY_DATA_SUCCESS 1
# define SSL_READ_EARLY_DATA_FINISH 2
1866
1867__owur int SSL_read_early_data(SSL *s, void *buf, size_t num,
1868 size_t *readbytes);
1869__owur int SSL_peek(SSL *ssl, void *buf, int num);
1870__owur int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
1871__owur ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size,
1872 int flags);
1873__owur int SSL_write(SSL *ssl, const void *buf, int num);
1874__owur int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written);
1875__owur int SSL_write_early_data(SSL *s, const void *buf, size_t num,
1876 size_t *written);
1877long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
1878long SSL_callback_ctrl(SSL *, int, void (*)(void));
1879long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
1880long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
1881
/*
 * Early-data outcome codes; by name they pair with SSL_get_early_data_status()
 * declared below (NOT_SENT / REJECTED / ACCEPTED) — confirm against the
 * implementation.
 * NOTE(review): a client that sent early data and observes REJECTED must be
 * prepared to resend that data over the fully established connection, since
 * the server discarded it.
 */
# define SSL_EARLY_DATA_NOT_SENT 0
# define SSL_EARLY_DATA_REJECTED 1
# define SSL_EARLY_DATA_ACCEPTED 2
1885
1886__owur int SSL_get_early_data_status(const SSL *s);
1887
1888__owur int SSL_get_error(const SSL *s, int ret_code);
1889__owur const char *SSL_get_version(const SSL *s);
1890
1891/* This sets the 'default' SSL version that SSL_new() will create */
1892__owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
1893
1894# ifndef OPENSSL_NO_SSL3_METHOD
1895DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_method(void)) /* SSLv3 */
1896DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_server_method(void))
1897DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_client_method(void))
1898# endif
1899
/*
 * Legacy names kept for source compatibility: each aliases the corresponding
 * version-flexible TLS_method() family function declared below, which
 * negotiates the highest available SSL/TLS version.
 */
#define SSLv23_method TLS_method
#define SSLv23_server_method TLS_server_method
#define SSLv23_client_method TLS_client_method
1903
1904/* Negotiate highest available SSL/TLS version */
1905__owur const SSL_METHOD *TLS_method(void);
1906__owur const SSL_METHOD *TLS_server_method(void);
1907__owur const SSL_METHOD *TLS_client_method(void);
1908
1909# ifndef OPENSSL_NO_TLS1_METHOD
1910DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_method(void)) /* TLSv1.0 */
1911DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_server_method(void))
1912DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void))
1913# endif
1914
1915# ifndef OPENSSL_NO_TLS1_1_METHOD
1916DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_method(void)) /* TLSv1.1 */
1917DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_server_method(void))
1918DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_client_method(void))
1919# endif
1920
1921# ifndef OPENSSL_NO_TLS1_2_METHOD
1922DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
1923DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_server_method(void))
1924DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void))
1925# endif
1926
1927# ifndef OPENSSL_NO_DTLS1_METHOD
1928DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_method(void)) /* DTLSv1.0 */
1929DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_server_method(void))
1930DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_client_method(void))
1931# endif
1932
1933# ifndef OPENSSL_NO_DTLS1_2_METHOD
1934/* DTLSv1.2 */
1935DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_method(void))
1936DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_server_method(void))
1937DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_client_method(void))
1938# endif
1939
1940__owur const SSL_METHOD *DTLS_method(void); /* DTLS 1.0 and 1.2 */
1941__owur const SSL_METHOD *DTLS_server_method(void); /* DTLS 1.0 and 1.2 */
1942__owur const SSL_METHOD *DTLS_client_method(void); /* DTLS 1.0 and 1.2 */
1943
1944__owur size_t DTLS_get_data_mtu(const SSL *s);
1945
1946__owur STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1947__owur STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
1948__owur STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s);
1949__owur STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
1950
1951__owur int SSL_do_handshake(SSL *s);
1952int SSL_key_update(SSL *s, int updatetype);
1953int SSL_get_key_update_type(const SSL *s);
1954int SSL_renegotiate(SSL *s);
1955int SSL_renegotiate_abbreviated(SSL *s);
1956__owur int SSL_renegotiate_pending(const SSL *s);
1957int SSL_shutdown(SSL *s);
1958__owur int SSL_verify_client_post_handshake(SSL *s);
1959void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
1960void SSL_set_post_handshake_auth(SSL *s, int val);
1961
1962__owur const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx);
1963__owur const SSL_METHOD *SSL_get_ssl_method(const SSL *s);
1964__owur int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
1965__owur const char *SSL_alert_type_string_long(int value);
1966__owur const char *SSL_alert_type_string(int value);
1967__owur const char *SSL_alert_desc_string_long(int value);
1968__owur const char *SSL_alert_desc_string(int value);
1969
1970void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1971void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1972__owur const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s);
1973__owur const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx);
1974__owur int SSL_add1_to_CA_list(SSL *ssl, const X509 *x);
1975__owur int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x);
1976__owur const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s);
1977
1978void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1979void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1980__owur STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1981__owur STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1982__owur int SSL_add_client_CA(SSL *ssl, X509 *x);
1983__owur int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
1984
1985void SSL_set_connect_state(SSL *s);
1986void SSL_set_accept_state(SSL *s);
1987
1988__owur long SSL_get_default_timeout(const SSL *s);
1989
# ifndef OPENSSL_NO_DEPRECATED_1_1_0
/*
 * Deprecated alias, only defined while 1.1.0-deprecated APIs are enabled:
 * initialises libssl via OPENSSL_init_ssl() with flags 0 and a NULL settings
 * argument.
 */
# define SSL_library_init() OPENSSL_init_ssl(0, NULL)
# endif
1993
1994__owur char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size);
1995__owur STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk);
1996
1997__owur SSL *SSL_dup(SSL *ssl);
1998
1999__owur X509 *SSL_get_certificate(const SSL *ssl);
2000/*
2001 * EVP_PKEY
2002 */
2003struct evp_pkey_st *SSL_get_privatekey(const SSL *ssl);
2004
2005__owur X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
2006__owur EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
2007
2008void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
2009__owur int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
2010void SSL_set_quiet_shutdown(SSL *ssl, int mode);
2011__owur int SSL_get_quiet_shutdown(const SSL *ssl);
2012void SSL_set_shutdown(SSL *ssl, int mode);
2013__owur int SSL_get_shutdown(const SSL *ssl);
2014__owur int SSL_version(const SSL *ssl);
2015__owur int SSL_client_version(const SSL *s);
2016__owur int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
2017__owur int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
2018__owur int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
2019__owur int SSL_CTX_set_default_verify_store(SSL_CTX *ctx);
2020__owur int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile);
2021__owur int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
2022__owur int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore);
2023DEPRECATEDIN_3_0(__owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
2024 const char *CAfile,
2025 const char *CApath))
2026# define SSL_get0_session SSL_get_session/* just peek at pointer */
2027__owur SSL_SESSION *SSL_get_session(const SSL *ssl);
2028__owur SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
2029__owur SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
2030SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
2031void SSL_set_info_callback(SSL *ssl,
2032 void (*cb) (const SSL *ssl, int type, int val));
2033void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type,
2034 int val);
2035__owur OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
2036
2037void SSL_set_verify_result(SSL *ssl, long v);
2038__owur long SSL_get_verify_result(const SSL *ssl);
2039__owur STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s);
2040
2041__owur size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
2042 size_t outlen);
2043__owur size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
2044 size_t outlen);
2045__owur size_t SSL_SESSION_get_master_key(const SSL_SESSION *sess,
2046 unsigned char *out, size_t outlen);
2047__owur int SSL_SESSION_set1_master_key(SSL_SESSION *sess,
2048 const unsigned char *in, size_t len);
2049uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *sess);
2050
2051#define SSL_get_ex_new_index(l, p, newf, dupf, freef) \
2052 CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, l, p, newf, dupf, freef)
2053__owur int SSL_set_ex_data(SSL *ssl, int idx, void *data);
2054void *SSL_get_ex_data(const SSL *ssl, int idx);
2055#define SSL_SESSION_get_ex_new_index(l, p, newf, dupf, freef) \
2056 CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, l, p, newf, dupf, freef)
2057__owur int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data);
2058void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss, int idx);
2059#define SSL_CTX_get_ex_new_index(l, p, newf, dupf, freef) \
2060 CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, l, p, newf, dupf, freef)
2061__owur int SSL_CTX_set_ex_data(SSL_CTX *ssl, int idx, void *data);
2062void *SSL_CTX_get_ex_data(const SSL_CTX *ssl, int idx);
2063
2064__owur int SSL_get_ex_data_X509_STORE_CTX_idx(void);
2065
2066# define SSL_CTX_sess_set_cache_size(ctx,t) \
2067 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
2068# define SSL_CTX_sess_get_cache_size(ctx) \
2069 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
2070# define SSL_CTX_set_session_cache_mode(ctx,m) \
2071 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
2072# define SSL_CTX_get_session_cache_mode(ctx) \
2073 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
2074
2075# define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
2076# define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
2077# define SSL_CTX_get_read_ahead(ctx) \
2078 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
2079# define SSL_CTX_set_read_ahead(ctx,m) \
2080 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
2081# define SSL_CTX_get_max_cert_list(ctx) \
2082 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
2083# define SSL_CTX_set_max_cert_list(ctx,m) \
2084 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
2085# define SSL_get_max_cert_list(ssl) \
2086 SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
2087# define SSL_set_max_cert_list(ssl,m) \
2088 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
2089
2090# define SSL_CTX_set_max_send_fragment(ctx,m) \
2091 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
2092# define SSL_set_max_send_fragment(ssl,m) \
2093 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
2094# define SSL_CTX_set_split_send_fragment(ctx,m) \
2095 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SPLIT_SEND_FRAGMENT,m,NULL)
2096# define SSL_set_split_send_fragment(ssl,m) \
2097 SSL_ctrl(ssl,SSL_CTRL_SET_SPLIT_SEND_FRAGMENT,m,NULL)
2098# define SSL_CTX_set_max_pipelines(ctx,m) \
2099 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_PIPELINES,m,NULL)
2100# define SSL_set_max_pipelines(ssl,m) \
2101 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_PIPELINES,m,NULL)
2102
2103void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
2104void SSL_set_default_read_buffer_len(SSL *s, size_t len);
2105
2106# ifndef OPENSSL_NO_DH
2107/* NB: the |keylength| is only applicable when is_export is true */
2108void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
2109 DH *(*dh) (SSL *ssl, int is_export,
2110 int keylength));
2111void SSL_set_tmp_dh_callback(SSL *ssl,
2112 DH *(*dh) (SSL *ssl, int is_export,
2113 int keylength));
2114# endif
2115
2116__owur const COMP_METHOD *SSL_get_current_compression(const SSL *s);
2117__owur const COMP_METHOD *SSL_get_current_expansion(const SSL *s);
2118__owur const char *SSL_COMP_get_name(const COMP_METHOD *comp);
2119__owur const char *SSL_COMP_get0_name(const SSL_COMP *comp);
2120__owur int SSL_COMP_get_id(const SSL_COMP *comp);
2121STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
2122__owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
2123 *meths);
# ifndef OPENSSL_NO_DEPRECATED_1_1_0
/*
 * Deprecated no-op kept for source compatibility: `while(0) continue` is a
 * statement whose body never runs, so invoking this macro has no effect.
 */
# define SSL_COMP_free_compression_methods() while(0) continue
# endif
2127__owur int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
2128
2129const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
2130int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
2131int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
2132int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
2133 int isv2format, STACK_OF(SSL_CIPHER) **sk,
2134 STACK_OF(SSL_CIPHER) **scsvs);
2135
2136/* TLS extensions functions */
2137__owur int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
2138
2139__owur int SSL_set_session_ticket_ext_cb(SSL *s,
2140 tls_session_ticket_ext_cb_fn cb,
2141 void *arg);
2142
2143/* Pre-shared secret session resumption functions */
2144__owur int SSL_set_session_secret_cb(SSL *s,
2145 tls_session_secret_cb_fn session_secret_cb,
2146 void *arg);
2147
2148void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
2149 int (*cb) (SSL *ssl,
2150 int
2151 is_forward_secure));
2152
2153void SSL_set_not_resumable_session_callback(SSL *ssl,
2154 int (*cb) (SSL *ssl,
2155 int is_forward_secure));
2156
2157void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
2158 size_t (*cb) (SSL *ssl, int type,
2159 size_t len, void *arg));
2160void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
2161void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx);
2162int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size);
2163
2164void SSL_set_record_padding_callback(SSL *ssl,
2165 size_t (*cb) (SSL *ssl, int type,
2166 size_t len, void *arg));
2167void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg);
2168void *SSL_get_record_padding_callback_arg(const SSL *ssl);
2169int SSL_set_block_padding(SSL *ssl, size_t block_size);
2170
2171int SSL_set_num_tickets(SSL *s, size_t num_tickets);
2172size_t SSL_get_num_tickets(const SSL *s);
2173int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
2174size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
2175
# ifndef OPENSSL_NO_DEPRECATED_1_1_0
/*
 * Deprecated alias for SSL_session_reused() (declared below); only defined
 * while 1.1.0-deprecated APIs are enabled.
 */
# define SSL_cache_hit(s) SSL_session_reused(s)
# endif
2179
2180__owur int SSL_session_reused(const SSL *s);
2181__owur int SSL_is_server(const SSL *s);
2182
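/*
 * Allocate a new SSL_CONF_CTX. The result must be checked (__owur, which was
 * previously applied twice — once is sufficient) and is paired with
 * SSL_CONF_CTX_free() declared below.
 */
__owur SSL_CONF_CTX *SSL_CONF_CTX_new(void);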
2184int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx);
2185void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx);
2186unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags);
2187__owur unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx,
2188 unsigned int flags);
2189__owur int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre);
2190
2191void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
2192void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
2193
2194__owur int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
2195__owur int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
2196__owur int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
2197
2198void SSL_add_ssl_module(void);
2199int SSL_config(SSL *s, const char *name);
2200int SSL_CTX_config(SSL_CTX *ctx, const char *name);
2201
2202# ifndef OPENSSL_NO_SSL_TRACE
2203void SSL_trace(int write_p, int version, int content_type,
2204 const void *buf, size_t len, SSL *ssl, void *arg);
2205# endif
2206
2207# ifndef OPENSSL_NO_SOCK
2208int DTLSv1_listen(SSL *s, BIO_ADDR *client);
2209# endif
2210
2211# ifndef OPENSSL_NO_CT
2212
2213/*
2214 * A callback for verifying that the received SCTs are sufficient.
2215 * Expected to return 1 if they are sufficient, otherwise 0.
2216 * May return a negative integer if an error occurs.
2217 * A connection should be aborted if the SCTs are deemed insufficient.
2218 */
2219typedef int (*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx,
2220 const STACK_OF(SCT) *scts, void *arg);
2221
2222/*
2223 * Sets a |callback| that is invoked upon receipt of ServerHelloDone to validate
2224 * the received SCTs.
2225 * If the callback returns a non-positive result, the connection is terminated.
2226 * Call this function before beginning a handshake.
2227 * If a NULL |callback| is provided, SCT validation is disabled.
2228 * |arg| is arbitrary userdata that will be passed to the callback whenever it
2229 * is invoked. Ownership of |arg| remains with the caller.
2230 *
2231 * NOTE: A side-effect of setting a CT callback is that an OCSP stapled response
2232 * will be requested.
2233 */
2234int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
2235 void *arg);
2236int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
2237 ssl_ct_validation_cb callback,
2238 void *arg);
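/*
 * Disable CT validation by installing a NULL callback (see the note above on
 * SSL_set_ct_validation_callback(): a NULL |callback| disables SCT
 * validation). The expansions must name the functions actually declared
 * above, SSL_set_ct_validation_callback() and
 * SSL_CTX_set_ct_validation_callback(); no SSL_set_validation_callback() /
 * SSL_CTX_set_validation_callback() is declared in this header, so any other
 * spelling fails at compile time when the macro is used.
 * The int return value is deliberately discarded with (void).
 */
#define SSL_disable_ct(s) \
        ((void) SSL_set_ct_validation_callback((s), NULL, NULL))
#define SSL_CTX_disable_ct(ctx) \
        ((void) SSL_CTX_set_ct_validation_callback((ctx), NULL, NULL))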
2243
2244/*
2245 * The validation type enumerates the available behaviours of the built-in SSL
2246 * CT validation callback selected via SSL_enable_ct() and SSL_CTX_enable_ct().
2247 * The underlying callback is a static function in libssl.
2248 */
enum {
    /*
     * Built-in callback always lets the handshake continue; the application
     * is expected to inspect the SCT outcome itself at handshake completion.
     */
    SSL_CT_VALIDATION_PERMISSIVE = 0,
    /*
     * Built-in callback requests handshake termination unless at least one
     * valid SCT was received (the handshake may still continue if
     * SSL_VERIFY_NONE is in effect, see the comment below).
     */
    SSL_CT_VALIDATION_STRICT
};
2253
2254/*
2255 * Enable CT by setting up a callback that implements one of the built-in
2256 * validation variants. The SSL_CT_VALIDATION_PERMISSIVE variant always
2257 * continues the handshake, the application can make appropriate decisions at
2258 * handshake completion. The SSL_CT_VALIDATION_STRICT variant requires at
2259 * least one valid SCT, or else handshake termination will be requested. The
2260 * handshake may continue anyway if SSL_VERIFY_NONE is in effect.
2261 */
2262int SSL_enable_ct(SSL *s, int validation_mode);
2263int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode);
2264
2265/*
2266 * Report whether a non-NULL callback is enabled.
2267 */
2268int SSL_ct_is_enabled(const SSL *s);
2269int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx);
2270
/*
 * Gets the SCTs received from a connection.
 * The returned stack is owned by |s| ("get0"); the caller must not free it or
 * the SCTs it contains, and must not use it after |s| is freed.
 */
const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);
2273
2274/*
2275 * Loads the CT log list from the default location.
2276 * If a CTLOG_STORE has previously been set using SSL_CTX_set_ctlog_store,
2277 * the log information loaded from this file will be appended to the
2278 * CTLOG_STORE.
2279 * Returns 1 on success, 0 otherwise.
2280 */
2281int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx);
2282
2283/*
2284 * Loads the CT log list from the specified file path.
2285 * If a CTLOG_STORE has previously been set using SSL_CTX_set_ctlog_store,
2286 * the log information loaded from this file will be appended to the
2287 * CTLOG_STORE.
2288 * Returns 1 on success, 0 otherwise.
2289 */
2290int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
2291
2292/*
2293 * Sets the CT log list used by all SSL connections created from this SSL_CTX.
2294 * Ownership of the CTLOG_STORE is transferred to the SSL_CTX.
2295 */
2296void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs);
2297
2298/*
2299 * Gets the CT log list used by all SSL connections created from this SSL_CTX.
2300 * This will be NULL unless one of the following functions has been called:
2301 * - SSL_CTX_set_default_ctlog_list_file
2302 * - SSL_CTX_set_ctlog_list_file
2303 * - SSL_CTX_set_ctlog_store
2304 */
2305const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx);
2306
2307# endif /* OPENSSL_NO_CT */
2308
/*
 * What the "other" parameter contains in security callback.
 * The high 16 bits of an "op" value (masked by SSL_SECOP_OTHER_TYPE) tell the
 * callback how to interpret the void *other argument; the low bits carry the
 * operation number itself.
 */
/* Mask for type */
# define SSL_SECOP_OTHER_TYPE 0xffff0000
# define SSL_SECOP_OTHER_NONE 0
# define SSL_SECOP_OTHER_CIPHER (1 << 16)
# define SSL_SECOP_OTHER_CURVE (2 << 16)
# define SSL_SECOP_OTHER_DH (3 << 16)
# define SSL_SECOP_OTHER_PKEY (4 << 16)
# define SSL_SECOP_OTHER_SIGALG (5 << 16)
# define SSL_SECOP_OTHER_CERT (6 << 16)

/*
 * Indicated operation refers to peer key or certificate.
 * 0x1000 lies below the 16-bit type field, so it can be OR'd into an op
 * without disturbing the SSL_SECOP_OTHER_* type bits (see the PEER_* ops).
 */
# define SSL_SECOP_PEER 0x1000

/*
 * Values for "op" parameter in security callback.
 * Each op is a small sequence number OR'd with the SSL_SECOP_OTHER_* type of
 * its "other" argument. Sequence number 8 is not assigned in this list.
 */

/* Called to filter ciphers */
/* Ciphers client supports */
# define SSL_SECOP_CIPHER_SUPPORTED (1 | SSL_SECOP_OTHER_CIPHER)
/* Cipher shared by client/server */
# define SSL_SECOP_CIPHER_SHARED (2 | SSL_SECOP_OTHER_CIPHER)
/* Sanity check of cipher server selects */
# define SSL_SECOP_CIPHER_CHECK (3 | SSL_SECOP_OTHER_CIPHER)
/* Curves supported by client */
# define SSL_SECOP_CURVE_SUPPORTED (4 | SSL_SECOP_OTHER_CURVE)
/* Curves shared by client/server */
# define SSL_SECOP_CURVE_SHARED (5 | SSL_SECOP_OTHER_CURVE)
/* Sanity check of curve server selects */
# define SSL_SECOP_CURVE_CHECK (6 | SSL_SECOP_OTHER_CURVE)
/* Temporary DH key (note: typed as OTHER_PKEY, not OTHER_DH) */
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY)
/* SSL/TLS version; "other" carries nothing */
# define SSL_SECOP_VERSION (9 | SSL_SECOP_OTHER_NONE)
/* Session tickets; "other" carries nothing */
# define SSL_SECOP_TICKET (10 | SSL_SECOP_OTHER_NONE)
/* Supported signature algorithms sent to peer */
# define SSL_SECOP_SIGALG_SUPPORTED (11 | SSL_SECOP_OTHER_SIGALG)
/* Shared signature algorithm */
# define SSL_SECOP_SIGALG_SHARED (12 | SSL_SECOP_OTHER_SIGALG)
/* Sanity check signature algorithm allowed */
# define SSL_SECOP_SIGALG_CHECK (13 | SSL_SECOP_OTHER_SIGALG)
/* Used to get mask of supported public key signature algorithms */
# define SSL_SECOP_SIGALG_MASK (14 | SSL_SECOP_OTHER_SIGALG)
/* Use to see if compression is allowed; "other" carries nothing */
# define SSL_SECOP_COMPRESSION (15 | SSL_SECOP_OTHER_NONE)
/* EE key in certificate */
# define SSL_SECOP_EE_KEY (16 | SSL_SECOP_OTHER_CERT)
/* CA key in certificate */
# define SSL_SECOP_CA_KEY (17 | SSL_SECOP_OTHER_CERT)
/* CA digest algorithm in certificate */
# define SSL_SECOP_CA_MD (18 | SSL_SECOP_OTHER_CERT)
/*
 * Peer variants of the certificate ops: same sequence number and type bits
 * as the local op, with SSL_SECOP_PEER set. Callbacks that want to apply a
 * different policy to the peer's chain than to their own should test for
 * SSL_SECOP_PEER rather than hard-coding these values.
 */
/* Peer EE key in certificate */
# define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY | SSL_SECOP_PEER)
/* Peer CA key in certificate */
# define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY | SSL_SECOP_PEER)
/* Peer CA digest algorithm in certificate */
# define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD | SSL_SECOP_PEER)
2366
/*
 * Per-connection security level and security callback.
 * SSL_set_security_level() sets the numeric level consulted by the default
 * security callback; SSL_get_security_level() reads it back. The meaning of
 * each level is defined in libssl, not in this header -- NOTE(review):
 * consult the SSL_CTX_set_security_level documentation before lowering it,
 * since lower levels admit weaker algorithms and key sizes.
 *
 * The callback |cb| is invoked with:
 *   s, ctx - the connection and its context (the one with the callback)
 *   op     - one of the SSL_SECOP_* values above
 *   bits   - a strength figure for the object being checked
 *   nid    - an object identifier where one applies, otherwise 0 presumably
 *   other  - data whose type is given by the SSL_SECOP_OTHER_* bits of |op|
 *   ex     - the opaque pointer set with SSL_set0_security_ex_data()
 * It returns non-zero to allow the operation and 0 to reject it.
 * Installing a callback replaces the default checks entirely, so a callback
 * that unconditionally returns 1 disables all security-level enforcement for
 * the connection.
 *
 * SSL_set0_security_ex_data() stores |ex| without taking ownership ("set0");
 * the caller must keep it alive for as long as the callback can be invoked.
 * The __owur getters return values the caller is expected to use.
 */
void SSL_set_security_level(SSL *s, int level);
__owur int SSL_get_security_level(const SSL *s);
void SSL_set_security_callback(SSL *s,
                               int (*cb) (const SSL *s, const SSL_CTX *ctx,
                                          int op, int bits, int nid,
                                          void *other, void *ex));
int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
                                                const SSL_CTX *ctx, int op,
                                                int bits, int nid, void *other,
                                                void *ex);
void SSL_set0_security_ex_data(SSL *s, void *ex);
__owur void *SSL_get0_security_ex_data(const SSL *s);
2379
/*
 * SSL_CTX-wide counterparts of the per-connection security level and
 * security callback API above. They take the same callback signature
 * (s, ctx, op, bits, nid, other, ex) and the same SSL_SECOP_* op values.
 * Settings made here apply to connections created from |ctx| -- NOTE(review):
 * whether an SSL created earlier inherits a later change is not stated in
 * this header; confirm against libssl before relying on it.
 *
 * SSL_CTX_set0_security_ex_data() stores |ex| without taking ownership
 * ("set0"); the caller must keep it alive while the callback can run.
 * The __owur getters return values the caller is expected to use.
 */
void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
__owur int SSL_CTX_get_security_level(const SSL_CTX *ctx);
void SSL_CTX_set_security_callback(SSL_CTX *ctx,
                                   int (*cb) (const SSL *s, const SSL_CTX *ctx,
                                              int op, int bits, int nid,
                                              void *other, void *ex));
int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
                                                          const SSL_CTX *ctx,
                                                          int op, int bits,
                                                          int nid,
                                                          void *other,
                                                          void *ex);
void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex);
__owur void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx);
2394
/*
 * libssl-specific OPENSSL_INIT_* option bits for OPENSSL_init_ssl().
 * OPENSSL_INIT flag 0x010000 reserved for internal use; the two public flags
 * below occupy bits 20 and 21 and are mutually exclusive in intent (load the
 * libssl error strings, or explicitly do not).
 */
# define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L
# define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L

/*
 * Default option set: load both the libssl and the libcrypto error strings.
 * OPENSSL_INIT_LOAD_CRYPTO_STRINGS is defined by libcrypto's headers.
 */
# define OPENSSL_INIT_SSL_DEFAULT \
        (OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS)

/*
 * Initialise libssl (and, implicitly, libcrypto). |opts| is a bitwise OR of
 * OPENSSL_INIT_* flags; |settings| may be NULL for defaults. Returns 1 on
 * success and 0 on failure; callers should check the result, since using
 * the library after a failed initialisation is unsupported.
 */
int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
2403
# ifndef OPENSSL_NO_UNIT_TEST
/*
 * Test-only hook exposing internal libssl functions through the opaque
 * struct openssl_ssl_test_functions. Compiled out when OPENSSL_NO_UNIT_TEST
 * is defined; production code should not depend on it.
 */
__owur const struct openssl_ssl_test_functions *SSL_test_functions(void);
# endif
2407
/*
 * Release or (re)allocate the read/write record buffers of |ssl|.
 * Both return 1 on success and 0 on failure, and both are __owur: a failed
 * SSL_alloc_buffers() leaves the connection without buffers, so the result
 * must be checked before further I/O. NOTE(review): the conditions under
 * which SSL_free_buffers() refuses (e.g. pending data) are not stated in
 * this header; confirm against the libssl documentation.
 */
__owur int SSL_free_buffers(SSL *ssl);
__owur int SSL_alloc_buffers(SSL *ssl);
2410
/*
 * Status codes passed to the decrypt session ticket callback. Some of these
 * are for internal use only and are never passed to the callback (which ones
 * is not stated here; the callback should still handle every value
 * defensively, treating anything other than the two SUCCESS codes as
 * "no usable ticket").
 */
typedef int SSL_TICKET_STATUS;

/* Support for ticket appdata */
/* fatal error, malloc failure */
# define SSL_TICKET_FATAL_ERR_MALLOC 0
/* fatal error, either from parsing or decrypting the ticket */
# define SSL_TICKET_FATAL_ERR_OTHER 1
/* No ticket present */
# define SSL_TICKET_NONE 2
/* Empty ticket present */
# define SSL_TICKET_EMPTY 3
/* the ticket couldn't be decrypted (e.g. unknown key name or bad MAC) */
# define SSL_TICKET_NO_DECRYPT 4
/* a ticket was successfully decrypted */
# define SSL_TICKET_SUCCESS 5
/* same as above but the ticket needs to be renewed */
# define SSL_TICKET_SUCCESS_RENEW 6
2430
/*
 * Return codes for the decrypt session ticket callback.
 * The codes combine two independent decisions: whether to resume with the
 * ticket (IGNORE vs USE) and whether to issue a fresh ticket (plain vs
 * _RENEW). ABORT is the only code that fails the handshake.
 */
typedef int SSL_TICKET_RETURN;

/* An error occurred */
#define SSL_TICKET_RETURN_ABORT 0
/* Do not use the ticket, do not send a renewed ticket to the client */
#define SSL_TICKET_RETURN_IGNORE 1
/* Do not use the ticket, send a renewed ticket to the client */
#define SSL_TICKET_RETURN_IGNORE_RENEW 2
/* Use the ticket, do not send a renewed ticket to the client */
#define SSL_TICKET_RETURN_USE 3
/* Use the ticket, send a renewed ticket to the client */
#define SSL_TICKET_RETURN_USE_RENEW 4
2444
/*
 * Session ticket callbacks.
 *
 * |gen_cb| runs when a ticket is about to be generated for |s|; it is the
 * place to attach application data with SSL_SESSION_set1_ticket_appdata().
 * It returns an int (non-zero to proceed, presumably; the exact failure
 * semantics are not stated in this header).
 *
 * |dec_cb| runs when a ticket is received. |ss| is the session reconstructed
 * from the ticket, |keyname|/|keyname_length| identify the key the ticket
 * was encrypted under, |status| is an SSL_TICKET_* code describing how the
 * ticket was processed, and |arg| is the opaque pointer given to
 * SSL_CTX_set_session_ticket_cb(). It must return an SSL_TICKET_RETURN_*
 * code. NOTE(review): |ss| is only meaningful when |status| is
 * SSL_TICKET_SUCCESS or SSL_TICKET_SUCCESS_RENEW -- a callback that returns
 * SSL_TICKET_RETURN_USE for any other status is asking to resume a session
 * that was never authenticated; confirm against libssl how that is handled,
 * and prefer IGNORE/IGNORE_RENEW for the non-SUCCESS statuses.
 *
 * SSL_CTX_set_session_ticket_cb() installs both callbacks and |arg| on |ctx|;
 * returns 1 on success, 0 on failure.
 *
 * SSL_SESSION_set1_ticket_appdata() copies |len| bytes of |data| into |ss|
 * ("set1": the caller keeps its own copy); returns 1 on success, 0 otherwise.
 * SSL_SESSION_get0_ticket_appdata() returns a pointer into |ss| ("get0": not
 * owned by the caller) and its length; returns 1 on success, 0 otherwise.
 * Since appdata travels inside the ticket, the peer cannot read it only if
 * the ticket encryption holds -- do not store anything here that must be
 * kept from a client.
 */
typedef int (*SSL_CTX_generate_session_ticket_fn)(SSL *s, void *arg);
typedef SSL_TICKET_RETURN (*SSL_CTX_decrypt_session_ticket_fn)(SSL *s, SSL_SESSION *ss,
                                                               const unsigned char *keyname,
                                                               size_t keyname_length,
                                                               SSL_TICKET_STATUS status,
                                                               void *arg);
int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
                                  SSL_CTX_generate_session_ticket_fn gen_cb,
                                  SSL_CTX_decrypt_session_ticket_fn dec_cb,
                                  void *arg);
int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len);
int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len);
2457
/*
 * DTLS retransmission timer hook.
 * The callback receives the timeout libssl is about to use, |timer_us|, in
 * microseconds, and returns the value to use instead. Installing it with
 * DTLS_set_timer_cb() replaces the default timeout computation for |s|.
 * NOTE(review): the default back-off policy and the treatment of a 0 return
 * are not stated in this header; confirm against libssl before returning
 * very small values, which would increase retransmission traffic.
 */
typedef unsigned int (*DTLS_timer_cb)(SSL *s, unsigned int timer_us);

void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb);
2461
2462
/*
 * Early-data admission callback.
 * |cb| is consulted with |arg| to decide whether early data may be accepted
 * on |s|; it returns an int (non-zero to allow, presumably; the precise
 * contract is not stated here). The SSL_CTX variant applies to connections
 * created from |ctx|, the SSL variant to a single connection.
 * NOTE(review): early data is accepted before the handshake completes, so
 * whatever the callback allows is processed without the usual freshness
 * guarantees; applications should only permit it for requests they can
 * tolerate being replayed. Ownership of |arg| stays with the caller.
 */
typedef int (*SSL_allow_early_data_cb_fn)(SSL *s, void *arg);
void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
                                     SSL_allow_early_data_cb_fn cb,
                                     void *arg);
void SSL_set_allow_early_data_cb(SSL *s,
                                 SSL_allow_early_data_cb_fn cb,
                                 void *arg);
2470
/*
 * Return the default cipher strings compiled into the library:
 * OSSL_default_cipher_list() for the TLSv1.2-and-below cipher list and
 * OSSL_default_ciphersuites() for the TLSv1.3 ciphersuites.
 * The returned strings are owned by the library; the caller must not free
 * or modify them.
 */
const char *OSSL_default_cipher_list(void);
const char *OSSL_default_ciphersuites(void);
2474
2475# ifdef __cplusplus
2476}
2477# endif
2478#endif
2479