1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core@openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay@cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh@cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. 140 */ 141 142 #ifndef OPENSSL_HEADER_SSL_H 143 #define OPENSSL_HEADER_SSL_H 144 145 #include <openssl/base.h> 146 147 #include <openssl/bio.h> 148 #include <openssl/buf.h> 149 #include <openssl/hmac.h> 150 #include <openssl/lhash.h> 151 #include <openssl/pem.h> 152 #include <openssl/ssl3.h> 153 #include <openssl/thread.h> 154 #include <openssl/tls1.h> 155 #include <openssl/x509.h> 156 157 #if !defined(OPENSSL_WINDOWS) 158 #include <sys/time.h> 159 #endif 160 161 /* wpa_supplicant expects to get the version functions from ssl.h */ 162 #include <openssl/crypto.h> 163 164 /* Forward-declare struct timeval. On Windows, it is defined in winsock2.h and 165 * Windows headers define too many macros to be included in public headers. 166 * However, only a forward declaration is needed. */ 167 struct timeval; 168 169 #if defined(__cplusplus) 170 extern "C" { 171 #endif 172 173 174 /* SSL implementation. */ 175 176 177 /* SSL contexts. 178 * 179 * |SSL_CTX| objects manage shared state and configuration between multiple TLS 180 * or DTLS connections. Whether the connections are TLS or DTLS is selected by 181 * an |SSL_METHOD| on creation. 182 * 183 * |SSL_CTX| are reference-counted and may be shared by connections across 184 * multiple threads. Once shared, functions which change the |SSL_CTX|'s 185 * configuration may not be used. */ 186 187 /* TLS_method is the |SSL_METHOD| used for TLS (and SSLv3) connections. */ 188 OPENSSL_EXPORT const SSL_METHOD *TLS_method(void); 189 190 /* DTLS_method is the |SSL_METHOD| used for DTLS connections. */ 191 OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void); 192 193 /* SSL_CTX_new returns a newly-allocated |SSL_CTX| with default settings or NULL 194 * on error. */ 195 OPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); 196 197 /* SSL_CTX_free releases memory associated with |ctx|. */ 198 OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *ctx); 199 200 201 /* SSL connections. 202 * 203 * An |SSL| object represents a single TLS or DTLS connection. Although the 204 * shared |SSL_CTX| is thread-safe, an |SSL| is not thread-safe and may only be 205 * used on one thread at a time. */ 206 207 /* SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. The new 208 * connection inherits settings from |ctx| at the time of creation. Settings may 209 * also be individually configured on the connection. 210 * 211 * On creation, an |SSL| is not configured to be either a client or server. Call 212 * |SSL_set_connect_state| or |SSL_set_accept_state| to set this. */ 213 OPENSSL_EXPORT SSL *SSL_new(SSL_CTX *ctx); 214 215 /* SSL_free releases memory associated with |ssl|. */ 216 OPENSSL_EXPORT void SSL_free(SSL *ssl); 217 218 /* SSL_get_SSL_CTX returns the |SSL_CTX| associated with |ssl|. If 219 * |SSL_set_SSL_CTX| is called, it returns the new |SSL_CTX|, not the initial 220 * one. */ 221 OPENSSL_EXPORT SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl); 222 223 /* SSL_set_connect_state configures |ssl| to be a client. */ 224 OPENSSL_EXPORT void SSL_set_connect_state(SSL *ssl); 225 226 /* SSL_set_accept_state configures |ssl| to be a server. */ 227 OPENSSL_EXPORT void SSL_set_accept_state(SSL *ssl); 228 229 /* SSL_is_server returns one if |ssl| is configured as a server and zero 230 * otherwise. */ 231 OPENSSL_EXPORT int SSL_is_server(SSL *ssl); 232 233 /* SSL_set_bio configures |ssl| to read from |rbio| and write to |wbio|. |ssl| 234 * takes ownership of the two |BIO|s. If |rbio| and |wbio| are the same, |ssl| 235 * only takes ownership of one reference. 236 * 237 * In DTLS, if |rbio| is blocking, it must handle 238 * |BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT| control requests to set read timeouts. 239 * 240 * Calling this function on an already-configured |ssl| is deprecated. */ 241 OPENSSL_EXPORT void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio); 242 243 /* SSL_get_rbio returns the |BIO| that |ssl| reads from. */ 244 OPENSSL_EXPORT BIO *SSL_get_rbio(const SSL *ssl); 245 246 /* SSL_get_wbio returns the |BIO| that |ssl| writes to. */ 247 OPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *ssl); 248 249 /* SSL_get_fd calls |SSL_get_rfd|. */ 250 OPENSSL_EXPORT int SSL_get_fd(const SSL *ssl); 251 252 /* SSL_get_rfd returns the file descriptor that |ssl| is configured to read 253 * from. If |ssl|'s read |BIO| is not configured or doesn't wrap a file 254 * descriptor then it returns -1. */ 255 OPENSSL_EXPORT int SSL_get_rfd(const SSL *ssl); 256 257 /* SSL_get_wfd returns the file descriptor that |ssl| is configured to write 258 * to. If |ssl|'s write |BIO| is not configured or doesn't wrap a file 259 * descriptor then it returns -1. */ 260 OPENSSL_EXPORT int SSL_get_wfd(const SSL *ssl); 261 262 /* SSL_set_fd configures |ssl| to read from and write to |fd|. It returns one 263 * on success and zero on allocation error. The caller retains ownership of 264 * |fd|. */ 265 OPENSSL_EXPORT int SSL_set_fd(SSL *ssl, int fd); 266 267 /* SSL_set_rfd configures |ssl| to read from |fd|. It returns one on success and 268 * zero on allocation error. The caller retains ownership of |fd|. */ 269 OPENSSL_EXPORT int SSL_set_rfd(SSL *ssl, int fd); 270 271 /* SSL_set_wfd configures |ssl| to write to |fd|. It returns one on success and 272 * zero on allocation error. The caller retains ownership of |fd|. */ 273 OPENSSL_EXPORT int SSL_set_wfd(SSL *ssl, int fd); 274 275 /* SSL_do_handshake continues the current handshake. If there is none or the 276 * handshake has completed or False Started, it returns one. Otherwise, it 277 * returns <= 0. The caller should pass the value into |SSL_get_error| to 278 * determine how to proceed. 279 * 280 * In DTLS, if the read |BIO| is non-blocking, the caller must drive 281 * retransmissions. Whenever |SSL_get_error| signals |SSL_ERROR_WANT_READ|, use 282 * |DTLSv1_get_timeout| to determine the current timeout. If it expires before 283 * the next retry, call |DTLSv1_handle_timeout|. Note that DTLS handshake 284 * retransmissions use fresh sequence numbers, so it is not sufficient to replay 285 * packets at the transport. 286 * 287 * TODO(davidben): Ensure 0 is only returned on transport EOF. 288 * https://crbug.com/466303. */ 289 OPENSSL_EXPORT int SSL_do_handshake(SSL *ssl); 290 291 /* SSL_connect configures |ssl| as a client, if unconfigured, and calls 292 * |SSL_do_handshake|. */ 293 OPENSSL_EXPORT int SSL_connect(SSL *ssl); 294 295 /* SSL_accept configures |ssl| as a server, if unconfigured, and calls 296 * |SSL_do_handshake|. */ 297 OPENSSL_EXPORT int SSL_accept(SSL *ssl); 298 299 /* SSL_read reads up to |num| bytes from |ssl| into |buf|. It implicitly runs 300 * any pending handshakes, including renegotiations when enabled. On success, it 301 * returns the number of bytes read. Otherwise, it returns <= 0. The caller 302 * should pass the value into |SSL_get_error| to determine how to proceed. 303 * 304 * TODO(davidben): Ensure 0 is only returned on transport EOF. 305 * https://crbug.com/466303. */ 306 OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num); 307 308 /* SSL_peek behaves like |SSL_read| but does not consume any bytes returned. */ 309 OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num); 310 311 /* SSL_pending returns the number of bytes available in |ssl|. It does not read 312 * from the transport. */ 313 OPENSSL_EXPORT int SSL_pending(const SSL *ssl); 314 315 /* SSL_write writes up to |num| bytes from |buf| into |ssl|. It implicitly runs 316 * any pending handshakes, including renegotiations when enabled. On success, it 317 * returns the number of bytes read. Otherwise, it returns <= 0. The caller 318 * should pass the value into |SSL_get_error| to determine how to proceed. 319 * 320 * In TLS, a non-blocking |SSL_write| differs from non-blocking |write| in that 321 * a failed |SSL_write| still commits to the data passed in. When retrying, the 322 * caller must supply the original write buffer (or a larger one containing the 323 * original as a prefix). By default, retries will fail if they also do not 324 * reuse the same |buf| pointer. This may be relaxed with 325 * |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, but the buffer contents still must be 326 * unchanged. 327 * 328 * By default, in TLS, |SSL_write| will not return success until all |num| bytes 329 * are written. This may be relaxed with |SSL_MODE_ENABLE_PARTIAL_WRITE|. It 330 * allows |SSL_write| to complete with a partial result when only part of the 331 * input was written in a single record. 332 * 333 * In DTLS, neither |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| and 334 * |SSL_MODE_ENABLE_PARTIAL_WRITE| do anything. The caller may retry with a 335 * different buffer freely. A single call to |SSL_write| only ever writes a 336 * single record in a single packet, so |num| must be at most 337 * |SSL3_RT_MAX_PLAIN_LENGTH|. 338 * 339 * TODO(davidben): Ensure 0 is only returned on transport EOF. 340 * https://crbug.com/466303. */ 341 OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num); 342 343 /* SSL_shutdown shuts down |ssl|. On success, it completes in two stages. First, 344 * it returns 0 if |ssl| completed uni-directional shutdown; close_notify has 345 * been sent, but the peer's close_notify has not been received. Most callers 346 * may stop at this point. For bi-directional shutdown, call |SSL_shutdown| 347 * again. It returns 1 if close_notify has been both sent and received. 348 * 349 * If the peer's close_notify arrived first, the first stage is skipped. 350 * |SSL_shutdown| will return 1 once close_notify is sent and skip 0. Callers 351 * only interested in uni-directional shutdown must therefore allow for the 352 * first stage returning either 0 or 1. 353 * 354 * |SSL_shutdown| returns -1 on failure. The caller should pass the return value 355 * into |SSL_get_error| to determine how to proceed. If the underlying |BIO| is 356 * non-blocking, both stages may require retry. 357 * 358 * |SSL_shutdown| must be called to retain |ssl|'s session in the session 359 * cache. Use |SSL_CTX_set_quiet_shutdown| to configure |SSL_shutdown| to 360 * neither send nor wait for close_notify but still retain the session. 361 * 362 * TODO(davidben): Is there any point in the session cache interaction? Remove 363 * it? */ 364 OPENSSL_EXPORT int SSL_shutdown(SSL *ssl); 365 366 /* SSL_CTX_set_quiet_shutdown sets quiet shutdown on |ctx| to |mode|. If 367 * enabled, |SSL_shutdown| will not send a close_notify alert or wait for one 368 * from the peer. It will instead synchronously return one. */ 369 OPENSSL_EXPORT void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode); 370 371 /* SSL_CTX_get_quiet_shutdown returns whether quiet shutdown is enabled for 372 * |ctx|. */ 373 OPENSSL_EXPORT int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx); 374 375 /* SSL_set_quiet_shutdown sets quiet shutdown on |ssl| to |mode|. If enabled, 376 * |SSL_shutdown| will not send a close_notify alert or wait for one from the 377 * peer. It will instead synchronously return one. */ 378 OPENSSL_EXPORT void SSL_set_quiet_shutdown(SSL *ssl, int mode); 379 380 /* SSL_get_quiet_shutdown returns whether quiet shutdown is enabled for 381 * |ssl|. */ 382 OPENSSL_EXPORT int SSL_get_quiet_shutdown(const SSL *ssl); 383 384 /* SSL_get_error returns a |SSL_ERROR_*| value for the most recent operation on 385 * |ssl|. It should be called after an operation failed to determine whether the 386 * error was fatal and, if not, when to retry. */ 387 OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code); 388 389 /* SSL_ERROR_NONE indicates the operation succeeded. */ 390 #define SSL_ERROR_NONE 0 391 392 /* SSL_ERROR_SSL indicates the operation failed within the library. The caller 393 * may inspect the error queue for more information. */ 394 #define SSL_ERROR_SSL 1 395 396 /* SSL_ERROR_WANT_READ indicates the operation failed attempting to read from 397 * the transport. The caller may retry the operation when the transport is ready 398 * for reading. 399 * 400 * If signaled by a DTLS handshake, the caller must also call 401 * |DTLSv1_get_timeout| and |DTLSv1_handle_timeout| as appropriate. See 402 * |SSL_do_handshake|. */ 403 #define SSL_ERROR_WANT_READ 2 404 405 /* SSL_ERROR_WANT_WRITE indicates the operation failed attempting to write to 406 * the transport. The caller may retry the operation when the transport is ready 407 * for writing. */ 408 #define SSL_ERROR_WANT_WRITE 3 409 410 /* SSL_ERROR_WANT_X509_LOOKUP indicates the operation failed in calling the 411 * |cert_cb| or |client_cert_cb|. The caller may retry the operation when the 412 * callback is ready to return a certificate or one has been configured 413 * externally. 414 * 415 * See also |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb|. */ 416 #define SSL_ERROR_WANT_X509_LOOKUP 4 417 418 /* SSL_ERROR_WANT_SYSCALL indicates the operation failed externally to the 419 * library. The caller should consult the system-specific error mechanism. This 420 * is typically |errno| but may be something custom if using a custom |BIO|. It 421 * may also be signaled if the transport returned EOF, in which case the 422 * operation's return value will be zero. */ 423 #define SSL_ERROR_SYSCALL 5 424 425 /* SSL_ERROR_ZERO_RETURN indicates the operation failed because the connection 426 * was cleanly shut down with a close_notify alert. */ 427 #define SSL_ERROR_ZERO_RETURN 6 428 429 /* SSL_ERROR_WANT_CONNECT indicates the operation failed attempting to connect 430 * the transport (the |BIO| signaled |BIO_RR_CONNECT|). The caller may retry the 431 * operation when the transport is ready. */ 432 #define SSL_ERROR_WANT_CONNECT 7 433 434 /* SSL_ERROR_WANT_ACCEPT indicates the operation failed attempting to accept a 435 * connection from the transport (the |BIO| signaled |BIO_RR_ACCEPT|). The 436 * caller may retry the operation when the transport is ready. 437 * 438 * TODO(davidben): Remove this. It's used by accept BIOs which are bizarre. */ 439 #define SSL_ERROR_WANT_ACCEPT 8 440 441 /* SSL_ERROR_WANT_CHANNEL_ID_LOOKUP indicates the operation failed looking up 442 * the Channel ID key. The caller may retry the operation when |channel_id_cb| 443 * is ready to return a key or one has been configured with 444 * |SSL_set1_tls_channel_id|. 445 * 446 * See also |SSL_CTX_set_channel_id_cb|. */ 447 #define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9 448 449 /* SSL_ERROR_PENDING_SESSION indicates the operation failed because the session 450 * lookup callback indicated the session was unavailable. The caller may retry 451 * the operation when lookup has completed. 452 * 453 * See also |SSL_CTX_sess_set_get_cb| and |SSL_magic_pending_session_ptr|. */ 454 #define SSL_ERROR_PENDING_SESSION 11 455 456 /* SSL_ERROR_PENDING_CERTIFICATE indicates the operation failed because the 457 * early callback indicated certificate lookup was incomplete. The caller may 458 * retry the operation when lookup has completed. Note: when the operation is 459 * retried, the early callback will not be called a second time. 460 * 461 * See also |SSL_CTX_set_select_certificate_cb|. */ 462 #define SSL_ERROR_PENDING_CERTIFICATE 12 463 464 /* SSL_ERROR_WANT_PRIVATE_KEY_OPERATION indicates the operation failed because 465 * a private key operation was unfinished. The caller may retry the operation 466 * when the private key operation is complete. 467 * 468 * See also |SSL_set_private_key_method|. */ 469 #define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13 470 471 /* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success 472 * and zero on failure. */ 473 OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu); 474 475 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a 476 * timeout in progress, it sets |*out| to the time remaining and returns one. 477 * Otherwise, it returns zero. 478 * 479 * When the timeout expires, call |DTLSv1_handle_timeout| to handle the 480 * retransmit behavior. 481 * 482 * NOTE: This function must be queried again whenever the handshake state 483 * machine changes, including when |DTLSv1_handle_timeout| is called. */ 484 OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out); 485 486 /* DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no 487 * timeout had expired, it returns 0. Otherwise, it retransmits the previous 488 * flight of handshake messages and returns 1. If too many timeouts had expired 489 * without progress or an error occurs, it returns -1. 490 * 491 * The caller's external timer should be compatible with the one |ssl| queries 492 * within some fudge factor. Otherwise, the call will be a no-op, but 493 * |DTLSv1_get_timeout| will return an updated timeout. 494 * 495 * If the function returns -1, checking if |SSL_get_error| returns 496 * |SSL_ERROR_WANT_WRITE| may be used to determine if the retransmit failed due 497 * to a non-fatal error at the write |BIO|. However, the operation may not be 498 * retried until the next timeout fires. 499 * 500 * WARNING: This function breaks the usual return value convention. 501 * 502 * TODO(davidben): This |SSL_ERROR_WANT_WRITE| behavior is kind of bizarre. */ 503 OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl); 504 505 506 /* Protocol versions. */ 507 508 #define DTLS1_VERSION_MAJOR 0xfe 509 #define SSL3_VERSION_MAJOR 0x03 510 511 #define SSL3_VERSION 0x0300 512 #define TLS1_VERSION 0x0301 513 #define TLS1_1_VERSION 0x0302 514 #define TLS1_2_VERSION 0x0303 515 516 #define DTLS1_VERSION 0xfeff 517 #define DTLS1_2_VERSION 0xfefd 518 519 /* SSL_CTX_set_min_version sets the minimum protocol version for |ctx| to 520 * |version|. */ 521 OPENSSL_EXPORT void SSL_CTX_set_min_version(SSL_CTX *ctx, uint16_t version); 522 523 /* SSL_CTX_set_max_version sets the maximum protocol version for |ctx| to 524 * |version|. */ 525 OPENSSL_EXPORT void SSL_CTX_set_max_version(SSL_CTX *ctx, uint16_t version); 526 527 /* SSL_set_min_version sets the minimum protocol version for |ssl| to 528 * |version|. */ 529 OPENSSL_EXPORT void SSL_set_min_version(SSL *ssl, uint16_t version); 530 531 /* SSL_set_max_version sets the maximum protocol version for |ssl| to 532 * |version|. */ 533 OPENSSL_EXPORT void SSL_set_max_version(SSL *ssl, uint16_t version); 534 535 /* SSL_version returns the TLS or DTLS protocol version used by |ssl|, which is 536 * one of the |*_VERSION| values. (E.g. |TLS1_2_VERSION|.) Before the version 537 * is negotiated, the result is undefined. */ 538 OPENSSL_EXPORT int SSL_version(const SSL *ssl); 539 540 541 /* Options. 542 * 543 * Options configure protocol behavior. */ 544 545 /* SSL_OP_NO_QUERY_MTU, in DTLS, disables querying the MTU from the underlying 546 * |BIO|. Instead, the MTU is configured with |SSL_set_mtu|. */ 547 #define SSL_OP_NO_QUERY_MTU 0x00001000L 548 549 /* SSL_OP_NO_TICKET disables session ticket support (RFC 5077). */ 550 #define SSL_OP_NO_TICKET 0x00004000L 551 552 /* SSL_OP_CIPHER_SERVER_PREFERENCE configures servers to select ciphers and 553 * ECDHE curves according to the server's preferences instead of the 554 * client's. */ 555 #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L 556 557 /* SSL_OP_DISABLE_NPN configures an individual |SSL| to not advertise NPN, 558 * despite |SSL_CTX_set_next_proto_select_cb| being configured on the 559 * |SSL_CTX|. */ 560 #define SSL_OP_DISABLE_NPN 0x00800000L 561 562 /* SSL_CTX_set_options enables all options set in |options| (which should be one 563 * or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a 564 * bitmask representing the resulting enabled options. */ 565 OPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options); 566 567 /* SSL_CTX_clear_options disables all options set in |options| (which should be 568 * one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a 569 * bitmask representing the resulting enabled options. */ 570 OPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options); 571 572 /* SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all 573 * the options enabled for |ctx|. */ 574 OPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx); 575 576 /* SSL_set_options enables all options set in |options| (which should be one or 577 * more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask 578 * representing the resulting enabled options. */ 579 OPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options); 580 581 /* SSL_clear_options disables all options set in |options| (which should be one 582 * or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a 583 * bitmask representing the resulting enabled options. */ 584 OPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options); 585 586 /* SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the 587 * options enabled for |ssl|. */ 588 OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl); 589 590 591 /* Modes. 592 * 593 * Modes configure API behavior. */ 594 595 /* SSL_MODE_ENABLE_PARTIAL_WRITE, in TLS, allows |SSL_write| to complete with a 596 * partial result when the only part of the input was written in a single 597 * record. In DTLS, it does nothing. */ 598 #define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L 599 600 /* SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, in TLS, allows retrying an incomplete 601 * |SSL_write| with a different buffer. However, |SSL_write| still assumes the 602 * buffer contents are unchanged. This is not the default to avoid the 603 * misconception that non-blocking |SSL_write| behaves like non-blocking 604 * |write|. In DTLS, it does nothing. */ 605 #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L 606 607 /* SSL_MODE_NO_AUTO_CHAIN disables automatically building a certificate chain 608 * before sending certificates to the peer. 609 * TODO(davidben): Remove this behavior. https://crbug.com/486295. */ 610 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L 611 612 /* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before 613 * receipt of ChangeCipherSpec and Finished. This mode enables full-handshakes 614 * to 'complete' in one RTT. See draft-bmoeller-tls-falsestart-01. 615 * 616 * When False Start is enabled, |SSL_do_handshake| may succeed before the 617 * handshake has completely finished. |SSL_write| will function at this point, 618 * and |SSL_read| will transparently wait for the final handshake leg before 619 * returning application data. To determine if False Start occurred or when the 620 * handshake is completely finished, see |SSL_in_false_start|, |SSL_in_init|, 621 * and |SSL_CB_HANDSHAKE_DONE| from |SSL_CTX_set_info_callback|. */ 622 #define SSL_MODE_ENABLE_FALSE_START 0x00000080L 623 624 /* SSL_MODE_CBC_RECORD_SPLITTING causes multi-byte CBC records in SSL 3.0 and 625 * TLS 1.0 to be split in two: the first record will contain a single byte and 626 * the second will contain the remainder. This effectively randomises the IV and 627 * prevents BEAST attacks. */ 628 #define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L 629 630 /* SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to 631 * fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that 632 * session resumption is used for a given SSL*. */ 633 #define SSL_MODE_NO_SESSION_CREATION 0x00000200L 634 635 /* SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello. 636 * To be set only by applications that reconnect with a downgraded protocol 637 * version; see RFC 7507 for details. 638 * 639 * DO NOT ENABLE THIS if your application attempts a normal handshake. Only use 640 * this in explicit fallback retries, following the guidance in RFC 7507. */ 641 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L 642 643 /* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more 644 * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask 645 * representing the resulting enabled modes. */ 646 OPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode); 647 648 /* SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or 649 * more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a 650 * bitmask representing the resulting enabled modes. */ 651 OPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode); 652 653 /* SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all 654 * the modes enabled for |ssl|. */ 655 OPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx); 656 657 /* SSL_set_mode enables all modes set in |mode| (which should be one or more of 658 * the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask 659 * representing the resulting enabled modes. */ 660 OPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode); 661 662 /* SSL_clear_mode disables all modes set in |mode| (which should be one or more 663 * of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask 664 * representing the resulting enabled modes. */ 665 OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode); 666 667 /* SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the 668 * modes enabled for |ssl|. */ 669 OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl); 670 671 672 /* Configuring certificates and private keys. 673 * 674 * These functions configure the connection's leaf certificate, private key, and 675 * certificate chain. The certificate chain is ordered leaf to root (as sent on 676 * the wire) but does not include the leaf. Both client and server certificates 677 * use these functions. 678 * 679 * Certificates and keys may be configured before the handshake or dynamically 680 * in the early callback and certificate callback. */ 681 682 /* SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns 683 * one on success and zero on failure. */ 684 OPENSSL_EXPORT int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x509); 685 686 /* SSL_use_certificate sets |ssl|'s leaf certificate to |x509|. It returns one 687 * on success and zero on failure. */ 688 OPENSSL_EXPORT int SSL_use_certificate(SSL *ssl, X509 *x509); 689 690 /* SSL_CTX_use_PrivateKey sets |ctx|'s private key to |pkey|. It returns one on 691 * success and zero on failure. */ 692 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); 693 694 /* SSL_use_PrivateKey sets |ssl|'s private key to |pkey|. It returns one on 695 * success and zero on failure. */ 696 OPENSSL_EXPORT int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); 697 698 /* SSL_CTX_set0_chain sets |ctx|'s certificate chain, excluding the leaf, to 699 * |chain|. On success, it returns one and takes ownership of |chain|. 700 * Otherwise, it returns zero. */ 701 OPENSSL_EXPORT int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain); 702 703 /* SSL_CTX_set1_chain sets |ctx|'s certificate chain, excluding the leaf, to 704 * |chain|. It returns one on success and zero on failure. The caller retains 705 * ownership of |chain| and may release it freely. */ 706 OPENSSL_EXPORT int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain); 707 708 /* SSL_set0_chain sets |ssl|'s certificate chain, excluding the leaf, to 709 * |chain|. On success, it returns one and takes ownership of |chain|. 710 * Otherwise, it returns zero. */ 711 OPENSSL_EXPORT int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain); 712 713 /* SSL_set1_chain sets |ssl|'s certificate chain, excluding the leaf, to 714 * |chain|. It returns one on success and zero on failure. The caller retains 715 * ownership of |chain| and may release it freely. */ 716 OPENSSL_EXPORT int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain); 717 718 /* SSL_CTX_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On 719 * success, it returns one and takes ownership of |x509|. Otherwise, it returns 720 * zero. */ 721 OPENSSL_EXPORT int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509); 722 723 /* SSL_CTX_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It 724 * returns one on success and zero on failure. The caller retains ownership of 725 * |x509| and may release it freely. */ 726 OPENSSL_EXPORT int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509); 727 728 /* SSL_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On success, 729 * it returns one and takes ownership of |x509|. Otherwise, it returns zero. */ 730 OPENSSL_EXPORT int SSL_add0_chain_cert(SSL *ssl, X509 *x509); 731 732 /* SSL_CTX_add_extra_chain_cert calls |SSL_CTX_add0_chain_cert|. */ 733 OPENSSL_EXPORT int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509); 734 735 /* SSL_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It returns 736 * one on success and zero on failure. The caller retains ownership of |x509| 737 * and may release it freely. */ 738 OPENSSL_EXPORT int SSL_add1_chain_cert(SSL *ssl, X509 *x509); 739 740 /* SSL_CTX_clear_chain_certs clears |ctx|'s certificate chain and returns 741 * one. */ 742 OPENSSL_EXPORT int SSL_CTX_clear_chain_certs(SSL_CTX *ctx); 743 744 /* SSL_CTX_clear_extra_chain_certs calls |SSL_CTX_clear_chain_certs|. */ 745 OPENSSL_EXPORT int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx); 746 747 /* SSL_clear_chain_certs clears |ssl|'s certificate chain and returns one. */ 748 OPENSSL_EXPORT int SSL_clear_chain_certs(SSL *ssl); 749 750 /* SSL_CTX_set_cert_cb sets a callback that is called to select a certificate. 751 * The callback returns one on success, zero on internal error, and a negative 752 * number on failure or to pause the handshake. If the handshake is paused, 753 * |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|. 754 * 755 * On the client, the callback may call |SSL_get0_certificate_types| and 756 * |SSL_get_client_CA_list| for information on the server's certificate 757 * request. */ 758 OPENSSL_EXPORT void SSL_CTX_set_cert_cb(SSL_CTX *ctx, 759 int (*cb)(SSL *ssl, void *arg), 760 void *arg); 761 762 /* SSL_set_cert_cb sets a callback that is called to select a certificate. The 763 * callback returns one on success, zero on internal error, and a negative 764 * number on failure or to pause the handshake. If the handshake is paused, 765 * |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|. 766 * 767 * On the client, the callback may call |SSL_get0_certificate_types| and 768 * |SSL_get_client_CA_list| for information on the server's certificate 769 * request. */ 770 OPENSSL_EXPORT void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), 771 void *arg); 772 773 /* SSL_get0_certificate_types, for a client, sets |*out_types| to an array 774 * containing the client certificate types requested by a server. It returns the 775 * length of the array. 776 * 777 * The behavior of this function is undefined except during the callbacks set by 778 * by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or when the 779 * handshake is paused because of them. */ 780 OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl, 781 const uint8_t **out_types); 782 783 /* SSL_certs_clear resets the private key, leaf certificate, and certificate 784 * chain of |ssl|. */ 785 OPENSSL_EXPORT void SSL_certs_clear(SSL *ssl); 786 787 /* SSL_CTX_check_private_key returns one if the certificate and private key 788 * configured in |ctx| are consistent and zero otherwise. */ 789 OPENSSL_EXPORT int SSL_CTX_check_private_key(const SSL_CTX *ctx); 790 791 /* SSL_check_private_key returns one if the certificate and private key 792 * configured in |ssl| are consistent and zero otherwise. */ 793 OPENSSL_EXPORT int SSL_check_private_key(const SSL *ssl); 794 795 /* SSL_CTX_get0_certificate returns |ctx|'s leaf certificate. */ 796 OPENSSL_EXPORT X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx); 797 798 /* SSL_get_certificate returns |ssl|'s leaf certificate. */ 799 OPENSSL_EXPORT X509 *SSL_get_certificate(const SSL *ssl); 800 801 /* SSL_CTX_get0_privatekey returns |ctx|'s private key. */ 802 OPENSSL_EXPORT EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx); 803 804 /* SSL_get_privatekey returns |ssl|'s private key. */ 805 OPENSSL_EXPORT EVP_PKEY *SSL_get_privatekey(const SSL *ssl); 806 807 /* SSL_CTX_get0_chain_certs sets |*out_chain| to |ctx|'s certificate chain and 808 * returns one. */ 809 OPENSSL_EXPORT int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, 810 STACK_OF(X509) **out_chain); 811 812 /* SSL_CTX_get_extra_chain_certs calls |SSL_CTX_get0_chain_certs|. */ 813 OPENSSL_EXPORT int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx, 814 STACK_OF(X509) **out_chain); 815 816 /* SSL_get0_chain_certs sets |*out_chain| to |ssl|'s certificate chain and 817 * returns one. */ 818 OPENSSL_EXPORT int SSL_get0_chain_certs(const SSL *ssl, 819 STACK_OF(X509) **out_chain); 820 821 /* SSL_CTX_set_signed_cert_timestamp_list sets the list of signed certificate 822 * timestamps that is sent to clients that request it. The |list| argument must 823 * contain one or more SCT structures serialised as a SignedCertificateTimestamp 824 * List (see https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT 825 * is prefixed by a big-endian, uint16 length and the concatenation of one or 826 * more such prefixed SCTs are themselves also prefixed by a uint16 length. It 827 * returns one on success and zero on error. The caller retains ownership of 828 * |list|. */ 829 OPENSSL_EXPORT int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, 830 const uint8_t *list, 831 size_t list_len); 832 833 /* SSL_CTX_set_ocsp_response sets the OCSP reponse that is sent to clients 834 * which request it. It returns one on success and zero on error. The caller 835 * retains ownership of |response|. */ 836 OPENSSL_EXPORT int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, 837 const uint8_t *response, 838 size_t response_len); 839 840 /* SSL_set_private_key_digest_prefs copies |num_digests| NIDs from |digest_nids| 841 * into |ssl|. These digests will be used, in decreasing order of preference, 842 * when signing with |ssl|'s private key. It returns one on success and zero on 843 * error. */ 844 OPENSSL_EXPORT int SSL_set_private_key_digest_prefs(SSL *ssl, 845 const int *digest_nids, 846 size_t num_digests); 847 848 849 /* Certificate and private key convenience functions. */ 850 851 /* SSL_CTX_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one 852 * on success and zero on failure. */ 853 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); 854 855 /* SSL_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one on 856 * success and zero on failure. */ 857 OPENSSL_EXPORT int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); 858 859 /* The following functions configure certificates or private keys but take as 860 * input DER-encoded structures. They return one on success and zero on 861 * failure. */ 862 863 OPENSSL_EXPORT int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len, 864 const uint8_t *der); 865 OPENSSL_EXPORT int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, 866 size_t der_len); 867 868 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, 869 const uint8_t *der, 870 size_t der_len); 871 OPENSSL_EXPORT int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, 872 const uint8_t *der, size_t der_len); 873 874 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, 875 const uint8_t *der, 876 size_t der_len); 877 OPENSSL_EXPORT int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, 878 size_t der_len); 879 880 /* The following functions configure certificates or private keys but take as 881 * input files to read from. They return one on success and zero on failure. The 882 * |type| parameter is one of the |SSL_FILETYPE_*| values and determines whether 883 * the file's contents are read as PEM or DER. */ 884 885 #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 886 #define SSL_FILETYPE_PEM X509_FILETYPE_PEM 887 888 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, 889 const char *file, 890 int type); 891 OPENSSL_EXPORT int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, 892 int type); 893 894 OPENSSL_EXPORT int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, 895 int type); 896 OPENSSL_EXPORT int SSL_use_certificate_file(SSL *ssl, const char *file, 897 int type); 898 899 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, 900 int type); 901 OPENSSL_EXPORT int SSL_use_PrivateKey_file(SSL *ssl, const char *file, 902 int type); 903 904 /* SSL_CTX_use_certificate_chain_file configures certificates for |ctx|. It 905 * reads the contents of |file| as a PEM-encoded leaf certificate followed 906 * optionally by the certificate chain to send to the peer. It returns one on 907 * success and zero on failure. */ 908 OPENSSL_EXPORT int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, 909 const char *file); 910 911 /* SSL_CTX_set_default_passwd_cb sets the password callback for PEM-based 912 * convenience functions called on |ctx|. */ 913 OPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, 914 pem_password_cb *cb); 915 916 /* SSL_CTX_set_default_passwd_cb_userdata sets the userdata parameter for 917 * |ctx|'s password callback. */ 918 OPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, 919 void *data); 920 921 922 /* Custom private keys. */ 923 924 enum ssl_private_key_result_t { 925 ssl_private_key_success, 926 ssl_private_key_retry, 927 ssl_private_key_failure, 928 }; 929 930 /* SSL_PRIVATE_KEY_METHOD describes private key hooks. This is used to off-load 931 * signing operations to a custom, potentially asynchronous, backend. */ 932 typedef struct ssl_private_key_method_st { 933 /* type returns either |EVP_PKEY_RSA| or |EVP_PKEY_EC| to denote the type of 934 * key used by |ssl|. */ 935 int (*type)(SSL *ssl); 936 937 /* max_signature_len returns the maximum length of a signature signed by the 938 * key used by |ssl|. This must be a constant value for a given |ssl|. */ 939 size_t (*max_signature_len)(SSL *ssl); 940 941 /* sign signs |in_len| bytes of digest from |in|. |md| is the hash function 942 * used to calculate |in|. On success, it returns |ssl_private_key_success| 943 * and writes at most |max_out| bytes of signature data to |out|. On failure, 944 * it returns |ssl_private_key_failure|. If the operation has not completed, 945 * it returns |ssl_private_key_retry|. |sign| should arrange for the 946 * high-level operation on |ssl| to be retried when the operation is 947 * completed. This will result in a call to |sign_complete|. 948 * 949 * If the key is an RSA key, implementations must use PKCS#1 padding. |in| is 950 * the digest itself, so the DigestInfo prefix, if any, must be prepended by 951 * |sign|. If |md| is |EVP_md5_sha1|, there is no prefix. 952 * 953 * It is an error to call |sign| while another private key operation is in 954 * progress on |ssl|. */ 955 enum ssl_private_key_result_t (*sign)(SSL *ssl, uint8_t *out, size_t *out_len, 956 size_t max_out, const EVP_MD *md, 957 const uint8_t *in, size_t in_len); 958 959 /* sign_complete completes a pending |sign| operation. If the operation has 960 * completed, it returns |ssl_private_key_success| and writes the result to 961 * |out| as in |sign|. Otherwise, it returns |ssl_private_key_failure| on 962 * failure and |ssl_private_key_retry| if the operation is still in progress. 963 * 964 * |sign_complete| may be called arbitrarily many times before completion, but 965 * it is an error to call |sign_complete| if there is no pending |sign| 966 * operation in progress on |ssl|. */ 967 enum ssl_private_key_result_t (*sign_complete)(SSL *ssl, uint8_t *out, 968 size_t *out_len, 969 size_t max_out); 970 971 /* decrypt decrypts |in_len| bytes of encrypted data from |in|. On success it 972 * returns |ssl_private_key_success|, writes at most |max_out| bytes of 973 * decrypted data to |out| and sets |*out_len| to the actual number of bytes 974 * written. On failure it returns |ssl_private_key_failure|. If the operation 975 * has not completed, it returns |ssl_private_key_retry|. The caller should 976 * arrange for the high-level operation on |ssl| to be retried when the 977 * operation is completed, which will result in a call to |decrypt_complete|. 978 * This function only works with RSA keys and should perform a raw RSA 979 * decryption operation with no padding. 980 * 981 * It is an error to call |decrypt| while another private key operation is in 982 * progress on |ssl|. */ 983 enum ssl_private_key_result_t (*decrypt)(SSL *ssl, uint8_t *out, 984 size_t *out_len, size_t max_out, 985 const uint8_t *in, size_t in_len); 986 987 /* decrypt_complete completes a pending |decrypt| operation. If the operation 988 * has completed, it returns |ssl_private_key_success| and writes the result 989 * to |out| as in |decrypt|. Otherwise, it returns |ssl_private_key_failure| 990 * on failure and |ssl_private_key_retry| if the operation is still in 991 * progress. 992 * 993 * |decrypt_complete| may be called arbitrarily many times before completion, 994 * but it is an error to call |decrypt_complete| if there is no pending 995 * |decrypt| operation in progress on |ssl|. */ 996 enum ssl_private_key_result_t (*decrypt_complete)(SSL *ssl, uint8_t *out, 997 size_t *out_len, 998 size_t max_out); 999 } SSL_PRIVATE_KEY_METHOD; 1000 1001 /* SSL_set_private_key_method configures a custom private key on |ssl|. 1002 * |key_method| must remain valid for the lifetime of |ssl|. */ 1003 OPENSSL_EXPORT void SSL_set_private_key_method( 1004 SSL *ssl, const SSL_PRIVATE_KEY_METHOD *key_method); 1005 1006 1007 /* Cipher suites. 1008 * 1009 * |SSL_CIPHER| objects represent cipher suites. */ 1010 1011 DECLARE_STACK_OF(SSL_CIPHER) 1012 1013 /* SSL_get_cipher_by_value returns the structure representing a TLS cipher 1014 * suite based on its assigned number, or NULL if unknown. See 1015 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4. */ 1016 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value); 1017 1018 /* SSL_CIPHER_get_id returns |cipher|'s id. It may be cast to a |uint16_t| to 1019 * get the cipher suite value. */ 1020 OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher); 1021 1022 /* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC 1023 * mode). */ 1024 OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher); 1025 1026 /* SSL_CIPHER_has_MD5_HMAC returns one if |cipher| uses HMAC-MD5. */ 1027 OPENSSL_EXPORT int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher); 1028 1029 /* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. */ 1030 OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher); 1031 1032 /* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */ 1033 OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher); 1034 1035 /* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. */ 1036 OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher); 1037 1038 /* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC 1039 * mode. */ 1040 OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher); 1041 1042 /* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC 1043 * mode. */ 1044 OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher); 1045 1046 /* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses 1047 * CHACHA20_POLY1305. Note this includes both the 1048 * draft-ietf-tls-chacha20-poly1305-04 and draft-agl-tls-chacha20poly1305-04 1049 * versions. */ 1050 OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher); 1051 1052 /* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. */ 1053 OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher); 1054 1055 /* SSL_CIPHER_is_RC4 returns one if |cipher| uses RC4. */ 1056 OPENSSL_EXPORT int SSL_CIPHER_is_RC4(const SSL_CIPHER *cipher); 1057 1058 /* SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher. */ 1059 OPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher); 1060 1061 /* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. */ 1062 OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher); 1063 1064 /* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */ 1065 OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher); 1066 1067 /* SSL_CIPHER_get_min_version returns the minimum protocol version required 1068 * for |cipher|. */ 1069 OPENSSL_EXPORT uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher); 1070 1071 /* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. */ 1072 OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher); 1073 1074 /* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange 1075 * method used by |cipher|. For example, "ECDHE_ECDSA". */ 1076 OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher); 1077 1078 /* SSL_CIPHER_get_rfc_name returns a newly-allocated string with the standard 1079 * name for |cipher| or NULL on error. For example, 1080 * "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". The caller is responsible for 1081 * calling |OPENSSL_free| on the result. */ 1082 OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher); 1083 1084 /* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If 1085 * |out_alg_bits| is not NULL, it writes the number of bits consumed by the 1086 * symmetric algorithm to |*out_alg_bits|. */ 1087 OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, 1088 int *out_alg_bits); 1089 1090 1091 /* Cipher suite configuration. 1092 * 1093 * OpenSSL uses a mini-language to configure cipher suites. The language 1094 * maintains an ordered list of enabled ciphers, along with an ordered list of 1095 * disabled but available ciphers. Initially, all ciphers are disabled with a 1096 * default ordering. The cipher string is then interpreted as a sequence of 1097 * directives, separated by colons, each of which modifies this state. 1098 * 1099 * Most directives consist of a one character or empty opcode followed by a 1100 * selector which matches a subset of available ciphers. 1101 * 1102 * Available opcodes are: 1103 * 1104 * The empty opcode enables and appends all matching disabled ciphers to the 1105 * end of the enabled list. The newly appended ciphers are ordered relative to 1106 * each other matching their order in the disabled list. 1107 * 1108 * |-| disables all matching enabled ciphers and prepends them to the disabled 1109 * list, with relative order from the enabled list preserved. This means the 1110 * most recently disabled ciphers get highest preference relative to other 1111 * disabled ciphers if re-enabled. 1112 * 1113 * |+| moves all matching enabled ciphers to the end of the enabled list, with 1114 * relative order preserved. 1115 * 1116 * |!| deletes all matching ciphers, enabled or not, from either list. Deleted 1117 * ciphers will not matched by future operations. 1118 * 1119 * A selector may be a specific cipher (using the OpenSSL name for the cipher) 1120 * or one or more rules separated by |+|. The final selector matches the 1121 * intersection of each rule. For instance, |AESGCM+aECDSA| matches 1122 * ECDSA-authenticated AES-GCM ciphers. 1123 * 1124 * Available cipher rules are: 1125 * 1126 * |ALL| matches all ciphers. 1127 * 1128 * |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE, 1129 * ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is 1130 * matched by |kECDHE| and not |kPSK|. 1131 * 1132 * |aRSA|, |aECDSA|, and |aPSK| match ciphers authenticated by RSA, ECDSA, and 1133 * a pre-shared key, respectively. 1134 * 1135 * |RSA|, |DHE|, |ECDHE|, |PSK|, |ECDSA|, and |PSK| are aliases for the 1136 * corresponding |k*| or |a*| cipher rule. |RSA| is an alias for |kRSA|, not 1137 * |aRSA|. 1138 * 1139 * |3DES|, |RC4|, |AES128|, |AES256|, |AES|, |AESGCM|, |CHACHA20| match 1140 * ciphers whose bulk cipher use the corresponding encryption scheme. Note 1141 * that |AES|, |AES128|, and |AES256| match both CBC and GCM ciphers. 1142 * 1143 * |MD5|, |SHA1|, |SHA256|, and |SHA384| match legacy cipher suites using the 1144 * corresponding hash function in their MAC. AEADs are matched by none of 1145 * these. 1146 * 1147 * |SHA| is an alias for |SHA1|. 1148 * 1149 * Although implemented, authentication-only ciphers match no rules and must be 1150 * explicitly selected by name. 1151 * 1152 * Deprecated cipher rules: 1153 * 1154 * |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|, 1155 * |kECDHE|, and |ECDHE|, respectively. 1156 * 1157 * |MEDIUM| and |HIGH| match RC4-based ciphers and all others, respectively. 1158 * 1159 * |FIPS| is an alias for |HIGH|. 1160 * 1161 * |SSLv3| and |TLSv1| match ciphers available in TLS 1.1 or earlier. 1162 * |TLSv1_2| matches ciphers new in TLS 1.2. This is confusing and should not 1163 * be used. 1164 * 1165 * Unknown rules silently match nothing. 1166 * 1167 * The special |@STRENGTH| directive will sort all enabled ciphers by strength. 1168 * 1169 * The |DEFAULT| directive, when appearing at the front of the string, expands 1170 * to the default ordering of available ciphers. 1171 * 1172 * If configuring a server, one may also configure equal-preference groups to 1173 * partially respect the client's preferences when 1174 * |SSL_OP_CIPHER_SERVER_PREFERENCE| is enabled. Ciphers in an equal-preference 1175 * group have equal priority and use the client order. This may be used to 1176 * enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305 1177 * based on client preferences. An equal-preference is specified with square 1178 * brackets, combining multiple selectors separated by |. For example: 1179 * 1180 * [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256] 1181 * 1182 * Once an equal-preference group is used, future directives must be 1183 * opcode-less. */ 1184 1185 /* SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is 1186 * substituted when a cipher string starts with 'DEFAULT'. */ 1187 #define SSL_DEFAULT_CIPHER_LIST "ALL" 1188 1189 /* SSL_CTX_set_cipher_list configures the cipher list for |ctx|, evaluating 1190 * |str| as a cipher string. It returns one on success and zero on failure. */ 1191 OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str); 1192 1193 /* SSL_CTX_set_cipher_list_tls10 configures the TLS 1.0+ cipher list for |ctx|, 1194 * evaluating |str| as a cipher string. It returns one on success and zero on 1195 * failure. If set, servers will use this cipher suite list for TLS 1.0 or 1196 * higher. */ 1197 OPENSSL_EXPORT int SSL_CTX_set_cipher_list_tls10(SSL_CTX *ctx, const char *str); 1198 1199 /* SSL_CTX_set_cipher_list_tls11 configures the TLS 1.1+ cipher list for |ctx|, 1200 * evaluating |str| as a cipher string. It returns one on success and zero on 1201 * failure. If set, servers will use this cipher suite list for TLS 1.1 or 1202 * higher. */ 1203 OPENSSL_EXPORT int SSL_CTX_set_cipher_list_tls11(SSL_CTX *ctx, const char *str); 1204 1205 /* SSL_set_cipher_list configures the cipher list for |ssl|, evaluating |str| as 1206 * a cipher string. It returns one on success and zero on failure. */ 1207 OPENSSL_EXPORT int SSL_set_cipher_list(SSL *ssl, const char *str); 1208 1209 /* SSL_get_ciphers returns the cipher list for |ssl|, in order of preference. If 1210 * |SSL_CTX_set_cipher_list_tls10| or |SSL_CTX_set_cipher_list_tls11| has been 1211 * used, the corresponding list for the current version is returned. */ 1212 OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl); 1213 1214 1215 /* Connection information. */ 1216 1217 /* SSL_is_init_finished returns one if |ssl| has completed its initial handshake 1218 * and has no pending handshake. It returns zero otherwise. */ 1219 OPENSSL_EXPORT int SSL_is_init_finished(const SSL *ssl); 1220 1221 /* SSL_in_init returns one if |ssl| has a pending handshake and zero 1222 * otherwise. */ 1223 OPENSSL_EXPORT int SSL_in_init(const SSL *ssl); 1224 1225 /* SSL_in_false_start returns one if |ssl| has a pending handshake that is in 1226 * False Start. |SSL_write| may be called at this point without waiting for the 1227 * peer, but |SSL_read| will complete the handshake before accepting application 1228 * data. 1229 * 1230 * See also |SSL_MODE_ENABLE_FALSE_START|. */ 1231 OPENSSL_EXPORT int SSL_in_false_start(const SSL *ssl); 1232 1233 /* SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the 1234 * peer did not use certificates. The caller must call |X509_free| on the 1235 * result to release it. */ 1236 OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl); 1237 1238 /* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if 1239 * unavailable or the peer did not use certificates. This is the unverified 1240 * list of certificates as sent by the peer, not the final chain built during 1241 * verification. For historical reasons, this value may not be available if 1242 * resuming a serialized |SSL_SESSION|. The caller does not take ownership of 1243 * the result. 1244 * 1245 * WARNING: This function behaves differently between client and server. If 1246 * |ssl| is a server, the returned chain does not include the leaf certificate. 1247 * If a client, it does. */ 1248 OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl); 1249 1250 /* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to 1251 * |*out_len| bytes of SCT information from the server. This is only valid if 1252 * |ssl| is a client. The SCT information is a SignedCertificateTimestampList 1253 * (including the two leading length bytes). 1254 * See https://tools.ietf.org/html/rfc6962#section-3.3 1255 * If no SCT was received then |*out_len| will be zero on return. 1256 * 1257 * WARNING: the returned data is not guaranteed to be well formed. */ 1258 OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, 1259 const uint8_t **out, 1260 size_t *out_len); 1261 1262 /* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len| 1263 * bytes of an OCSP response from the server. This is the DER encoding of an 1264 * OCSPResponse type as defined in RFC 2560. 1265 * 1266 * WARNING: the returned data is not guaranteed to be well formed. */ 1267 OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, 1268 size_t *out_len); 1269 1270 /* SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value 1271 * for |ssl| to |out| and sets |*out_len| to the number of bytes written. It 1272 * returns one on success or zero on error. In general |max_out| should be at 1273 * least 12. 1274 * 1275 * This function will always fail if the initial handshake has not completed. 1276 * The tls-unique value will change after a renegotiation but, since 1277 * renegotiations can be initiated by the server at any point, the higher-level 1278 * protocol must either leave them disabled or define states in which the 1279 * tls-unique value can be read. 1280 * 1281 * The tls-unique value is defined by 1282 * https://tools.ietf.org/html/rfc5929#section-3.1. Due to a weakness in the 1283 * TLS protocol, tls-unique is broken for resumed connections unless the 1284 * Extended Master Secret extension is negotiated. Thus this function will 1285 * return zero if |ssl| performed session resumption unless EMS was used when 1286 * negotiating the original session. */ 1287 OPENSSL_EXPORT int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, 1288 size_t *out_len, size_t max_out); 1289 1290 /* SSL_get_extms_support returns one if the Extended Master Secret 1291 * extension was negotiated. Otherwise, it returns zero. */ 1292 OPENSSL_EXPORT int SSL_get_extms_support(const SSL *ssl); 1293 1294 /* SSL_get_current_cipher returns the cipher used in the current outgoing 1295 * connection state, or NULL if the null cipher is active. */ 1296 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); 1297 1298 /* SSL_session_reused returns one if |ssl| performed an abbreviated handshake 1299 * and zero otherwise. 1300 * 1301 * TODO(davidben): Hammer down the semantics of this API while a handshake, 1302 * initial or renego, is in progress. */ 1303 OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl); 1304 1305 /* SSL_get_secure_renegotiation_support returns one if the peer supports secure 1306 * renegotiation (RFC 5746) and zero otherwise. */ 1307 OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl); 1308 1309 /* SSL_export_keying_material exports a value derived from the master secret, as 1310 * specified in RFC 5705. It writes |out_len| bytes to |out| given a label and 1311 * optional context. (Since a zero length context is allowed, the |use_context| 1312 * flag controls whether a context is included.) 1313 * 1314 * It returns one on success and zero otherwise. */ 1315 OPENSSL_EXPORT int SSL_export_keying_material( 1316 SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len, 1317 const uint8_t *context, size_t context_len, int use_context); 1318 1319 1320 /* Custom extensions. 1321 * 1322 * The custom extension functions allow TLS extensions to be added to 1323 * ClientHello and ServerHello messages. */ 1324 1325 /* SSL_custom_ext_add_cb is a callback function that is called when the 1326 * ClientHello (for clients) or ServerHello (for servers) is constructed. In 1327 * the case of a server, this callback will only be called for a given 1328 * extension if the ClientHello contained that extension – it's not possible to 1329 * inject extensions into a ServerHello that the client didn't request. 1330 * 1331 * When called, |extension_value| will contain the extension number that is 1332 * being considered for addition (so that a single callback can handle multiple 1333 * extensions). If the callback wishes to include the extension, it must set 1334 * |*out| to point to |*out_len| bytes of extension contents and return one. In 1335 * this case, the corresponding |SSL_custom_ext_free_cb| callback will later be 1336 * called with the value of |*out| once that data has been copied. 1337 * 1338 * If the callback does not wish to add an extension it must return zero. 1339 * 1340 * Alternatively, the callback can abort the connection by setting 1341 * |*out_alert_value| to a TLS alert number and returning -1. */ 1342 typedef int (*SSL_custom_ext_add_cb)(SSL *ssl, unsigned extension_value, 1343 const uint8_t **out, size_t *out_len, 1344 int *out_alert_value, void *add_arg); 1345 1346 /* SSL_custom_ext_free_cb is a callback function that is called by OpenSSL iff 1347 * an |SSL_custom_ext_add_cb| callback previously returned one. In that case, 1348 * this callback is called and passed the |out| pointer that was returned by 1349 * the add callback. This is to free any dynamically allocated data created by 1350 * the add callback. */ 1351 typedef void (*SSL_custom_ext_free_cb)(SSL *ssl, unsigned extension_value, 1352 const uint8_t *out, void *add_arg); 1353 1354 /* SSL_custom_ext_parse_cb is a callback function that is called by OpenSSL to 1355 * parse an extension from the peer: that is from the ServerHello for a client 1356 * and from the ClientHello for a server. 1357 * 1358 * When called, |extension_value| will contain the extension number and the 1359 * contents of the extension are |contents_len| bytes at |contents|. 1360 * 1361 * The callback must return one to continue the handshake. Otherwise, if it 1362 * returns zero, a fatal alert with value |*out_alert_value| is sent and the 1363 * handshake is aborted. */ 1364 typedef int (*SSL_custom_ext_parse_cb)(SSL *ssl, unsigned extension_value, 1365 const uint8_t *contents, 1366 size_t contents_len, 1367 int *out_alert_value, void *parse_arg); 1368 1369 /* SSL_extension_supported returns one iff OpenSSL internally handles 1370 * extensions of type |extension_value|. This can be used to avoid registering 1371 * custom extension handlers for extensions that a future version of OpenSSL 1372 * may handle internally. */ 1373 OPENSSL_EXPORT int SSL_extension_supported(unsigned extension_value); 1374 1375 /* SSL_CTX_add_client_custom_ext registers callback functions for handling 1376 * custom TLS extensions for client connections. 1377 * 1378 * If |add_cb| is NULL then an empty extension will be added in each 1379 * ClientHello. Otherwise, see the comment for |SSL_custom_ext_add_cb| about 1380 * this callback. 1381 * 1382 * The |free_cb| may be NULL if |add_cb| doesn't dynamically allocate data that 1383 * needs to be freed. 1384 * 1385 * It returns one on success or zero on error. It's always an error to register 1386 * callbacks for the same extension twice, or to register callbacks for an 1387 * extension that OpenSSL handles internally. See |SSL_extension_supported| to 1388 * discover, at runtime, which extensions OpenSSL handles internally. */ 1389 OPENSSL_EXPORT int SSL_CTX_add_client_custom_ext( 1390 SSL_CTX *ctx, unsigned extension_value, SSL_custom_ext_add_cb add_cb, 1391 SSL_custom_ext_free_cb free_cb, void *add_arg, 1392 SSL_custom_ext_parse_cb parse_cb, void *parse_arg); 1393 1394 /* SSL_CTX_add_server_custom_ext is the same as 1395 * |SSL_CTX_add_client_custom_ext|, but for server connections. 1396 * 1397 * Unlike on the client side, if |add_cb| is NULL no extension will be added. 1398 * The |add_cb|, if any, will only be called if the ClientHello contained a 1399 * matching extension. */ 1400 OPENSSL_EXPORT int SSL_CTX_add_server_custom_ext( 1401 SSL_CTX *ctx, unsigned extension_value, SSL_custom_ext_add_cb add_cb, 1402 SSL_custom_ext_free_cb free_cb, void *add_arg, 1403 SSL_custom_ext_parse_cb parse_cb, void *parse_arg); 1404 1405 1406 /* Sessions. 1407 * 1408 * An |SSL_SESSION| represents an SSL session that may be resumed in an 1409 * abbreviated handshake. It is reference-counted and immutable. Once 1410 * established, an |SSL_SESSION| may be shared by multiple |SSL| objects on 1411 * different threads and must not be modified. */ 1412 1413 DECLARE_LHASH_OF(SSL_SESSION) 1414 DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 1415 1416 /* SSL_SESSION_new returns a newly-allocated blank |SSL_SESSION| or NULL on 1417 * error. This may be useful in writing tests but otherwise should not be 1418 * used outside the library. */ 1419 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_new(void); 1420 1421 /* SSL_SESSION_up_ref, if |session| is not NULL, increments the reference count 1422 * of |session|. It then returns |session|. */ 1423 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_up_ref(SSL_SESSION *session); 1424 1425 /* SSL_SESSION_free decrements the reference count of |session|. If it reaches 1426 * zero, all data referenced by |session| and |session| itself are released. */ 1427 OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *session); 1428 1429 /* SSL_SESSION_to_bytes serializes |in| into a newly allocated buffer and sets 1430 * |*out_data| to that buffer and |*out_len| to its length. The caller takes 1431 * ownership of the buffer and must call |OPENSSL_free| when done. It returns 1432 * one on success and zero on error. */ 1433 OPENSSL_EXPORT int SSL_SESSION_to_bytes(const SSL_SESSION *in, 1434 uint8_t **out_data, size_t *out_len); 1435 1436 /* SSL_SESSION_to_bytes_for_ticket serializes |in|, but excludes the session 1437 * identification information, namely the session ID and ticket. */ 1438 OPENSSL_EXPORT int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in, 1439 uint8_t **out_data, 1440 size_t *out_len); 1441 1442 /* SSL_SESSION_from_bytes parses |in_len| bytes from |in| as an SSL_SESSION. It 1443 * returns a newly-allocated |SSL_SESSION| on success or NULL on error. */ 1444 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, 1445 size_t in_len); 1446 1447 /* SSL_SESSION_get_version returns a string describing the TLS version |session| 1448 * was established at. For example, "TLSv1.2" or "SSLv3". */ 1449 OPENSSL_EXPORT const char *SSL_SESSION_get_version(const SSL_SESSION *session); 1450 1451 /* SSL_SESSION_get_id returns a pointer to a buffer containg |session|'s session 1452 * ID and sets |*out_len| to its length. */ 1453 OPENSSL_EXPORT const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session, 1454 unsigned *out_len); 1455 1456 /* SSL_SESSION_get_time returns the time at which |session| was established in 1457 * seconds since the UNIX epoch. */ 1458 OPENSSL_EXPORT long SSL_SESSION_get_time(const SSL_SESSION *session); 1459 1460 /* SSL_SESSION_get_timeout returns the lifetime of |session| in seconds. */ 1461 OPENSSL_EXPORT long SSL_SESSION_get_timeout(const SSL_SESSION *session); 1462 1463 /* SSL_SESSION_get_key_exchange_info returns a value that describes the 1464 * strength of the asymmetric operation that provides confidentiality to 1465 * |session|. Its interpretation depends on the operation used. See the 1466 * documentation for this value in the |SSL_SESSION| structure. */ 1467 OPENSSL_EXPORT uint32_t SSL_SESSION_get_key_exchange_info( 1468 const SSL_SESSION *session); 1469 1470 /* SSL_SESSION_get0_peer return's the peer leaf certificate stored in 1471 * |session|. 1472 * 1473 * TODO(davidben): This should return a const X509 *. */ 1474 OPENSSL_EXPORT X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session); 1475 1476 /* SSL_SESSION_set_time sets |session|'s creation time to |time| and returns 1477 * |time|. This function may be useful in writing tests but otherwise should not 1478 * be used. */ 1479 OPENSSL_EXPORT long SSL_SESSION_set_time(SSL_SESSION *session, long time); 1480 1481 /* SSL_SESSION_set_timeout sets |session|'s timeout to |timeout| and returns 1482 * one. This function may be useful in writing tests but otherwise should not 1483 * be used. */ 1484 OPENSSL_EXPORT long SSL_SESSION_set_timeout(SSL_SESSION *session, long timeout); 1485 1486 /* SSL_SESSION_set1_id_context sets |session|'s session ID context (see 1487 * |SSL_CTX_set_session_id_context|) to |sid_ctx|. It returns one on success and 1488 * zero on error. This function may be useful in writing tests but otherwise 1489 * should not be used. */ 1490 OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session, 1491 const uint8_t *sid_ctx, 1492 unsigned sid_ctx_len); 1493 1494 1495 /* Session caching. 1496 * 1497 * Session caching allows clients to reconnect to a server based on saved 1498 * parameters from a previous connection. 1499 * 1500 * For a server, the library implements a built-in internal session cache as an 1501 * in-memory hash table. One may also register callbacks to implement a custom 1502 * external session cache. An external cache may be used in addition to or 1503 * instead of the internal one. Use |SSL_CTX_set_session_cache_mode| to toggle 1504 * the internal cache. 1505 * 1506 * For a client, the only option is an external session cache. Prior to 1507 * handshaking, the consumer should look up a session externally (keyed, for 1508 * instance, by hostname) and use |SSL_set_session| to configure which session 1509 * to offer. The callbacks may be used to determine when new sessions are 1510 * available. 1511 * 1512 * Note that offering or accepting a session short-circuits most parameter 1513 * negotiation. Resuming sessions across different configurations may result in 1514 * surprising behavor. So, for instance, a client implementing a version 1515 * fallback should shard its session cache by maximum protocol version. */ 1516 1517 /* SSL_SESS_CACHE_OFF disables all session caching. */ 1518 #define SSL_SESS_CACHE_OFF 0x0000 1519 1520 /* SSL_SESS_CACHE_CLIENT enables session caching for a client. The internal 1521 * cache is never used on a client, so this only enables the callbacks. */ 1522 #define SSL_SESS_CACHE_CLIENT 0x0001 1523 1524 /* SSL_SESS_CACHE_SERVER enables session caching for a server. */ 1525 #define SSL_SESS_CACHE_SERVER 0x0002 1526 1527 /* SSL_SESS_CACHE_SERVER enables session caching for both client and server. */ 1528 #define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER) 1529 1530 /* SSL_SESS_CACHE_NO_AUTO_CLEAR disables automatically calling 1531 * |SSL_CTX_flush_sessions| every 255 connections. */ 1532 #define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 1533 1534 /* SSL_SESS_CACHE_NO_INTERNAL_LOOKUP, on a server, disables looking up a session 1535 * from the internal session cache. */ 1536 #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 1537 1538 /* SSL_SESS_CACHE_NO_INTERNAL_STORE, on a server, disables storing sessions in 1539 * the internal session cache. */ 1540 #define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 1541 1542 /* SSL_SESS_CACHE_NO_INTERNAL, on a server, disables the internal session 1543 * cache. */ 1544 #define SSL_SESS_CACHE_NO_INTERNAL \ 1545 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE) 1546 1547 /* SSL_CTX_set_session_cache_mode sets the session cache mode bits for |ctx| to 1548 * |mode|. It returns the previous value. */ 1549 OPENSSL_EXPORT int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode); 1550 1551 /* SSL_CTX_get_session_cache_mode returns the session cache mode bits for 1552 * |ctx| */ 1553 OPENSSL_EXPORT int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx); 1554 1555 /* SSL_set_session, for a client, configures |ssl| to offer to resume |session| 1556 * in the initial handshake and returns one. The caller retains ownership of 1557 * |session|. */ 1558 OPENSSL_EXPORT int SSL_set_session(SSL *ssl, SSL_SESSION *session); 1559 1560 /* SSL_get_session returns a non-owning pointer to |ssl|'s session. Prior to the 1561 * initial handshake beginning, this is the session to be offered, set by 1562 * |SSL_set_session|. After a handshake has finished, this is the currently 1563 * active session. Its behavior is undefined while a handshake is progress. */ 1564 OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl); 1565 1566 /* SSL_get0_session is an alias for |SSL_get_session|. */ 1567 #define SSL_get0_session SSL_get_session 1568 1569 /* SSL_get1_session acts like |SSL_get_session| but returns a new reference to 1570 * the session. */ 1571 OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl); 1572 1573 /* SSL_DEFAULT_SESSION_TIMEOUT is the default lifetime, in seconds, of a 1574 * session. */ 1575 #define SSL_DEFAULT_SESSION_TIMEOUT (2 * 60 * 60) 1576 1577 /* SSL_CTX_set_timeout sets the lifetime, in seconds, of sessions created in 1578 * |ctx| to |timeout|. */ 1579 OPENSSL_EXPORT long SSL_CTX_set_timeout(SSL_CTX *ctx, long timeout); 1580 1581 /* SSL_CTX_get_timeout returns the lifetime, in seconds, of sessions created in 1582 * |ctx|. */ 1583 OPENSSL_EXPORT long SSL_CTX_get_timeout(const SSL_CTX *ctx); 1584 1585 /* SSL_CTX_set_session_id_context sets |ctx|'s session ID context to |sid_ctx|. 1586 * It returns one on success and zero on error. The session ID context is an 1587 * application-defined opaque byte string. A session will not be used in a 1588 * connection without a matching session ID context. 1589 * 1590 * For a server, if |SSL_VERIFY_PEER| is enabled, it is an error to not set a 1591 * session ID context. 1592 * 1593 * TODO(davidben): Is that check needed? That seems a special case of taking 1594 * care not to cross-resume across configuration changes, and this is only 1595 * relevant if a server requires client auth. */ 1596 OPENSSL_EXPORT int SSL_CTX_set_session_id_context(SSL_CTX *ctx, 1597 const uint8_t *sid_ctx, 1598 unsigned sid_ctx_len); 1599 1600 /* SSL_set_session_id_context sets |ssl|'s session ID context to |sid_ctx|. It 1601 * returns one on success and zero on error. See also 1602 * |SSL_CTX_set_session_id_context|. */ 1603 OPENSSL_EXPORT int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, 1604 unsigned sid_ctx_len); 1605 1606 /* SSL_SESSION_CACHE_MAX_SIZE_DEFAULT is the default maximum size of a session 1607 * cache. */ 1608 #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024 * 20) 1609 1610 /* SSL_CTX_sess_set_cache_size sets the maximum size of |ctx|'s internal session 1611 * cache to |size|. It returns the previous value. */ 1612 OPENSSL_EXPORT unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, 1613 unsigned long size); 1614 1615 /* SSL_CTX_sess_get_cache_size returns the maximum size of |ctx|'s internal 1616 * session cache. */ 1617 OPENSSL_EXPORT unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx); 1618 1619 /* SSL_CTX_sessions returns |ctx|'s internal session cache. */ 1620 OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx); 1621 1622 /* SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal 1623 * session cache. */ 1624 OPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx); 1625 1626 /* SSL_CTX_add_session inserts |session| into |ctx|'s internal session cache. It 1627 * returns one on success and zero on error or if |session| is already in the 1628 * cache. The caller retains its reference to |session|. */ 1629 OPENSSL_EXPORT int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session); 1630 1631 /* SSL_CTX_remove_session removes |session| from |ctx|'s internal session cache. 1632 * It returns one on success and zero if |session| was not in the cache. */ 1633 OPENSSL_EXPORT int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session); 1634 1635 /* SSL_CTX_flush_sessions removes all sessions from |ctx| which have expired as 1636 * of time |time|. If |time| is zero, all sessions are removed. */ 1637 OPENSSL_EXPORT void SSL_CTX_flush_sessions(SSL_CTX *ctx, long time); 1638 1639 /* SSL_CTX_sess_set_new_cb sets the callback to be called when a new session is 1640 * established and ready to be cached. If the session cache is disabled (the 1641 * appropriate one of |SSL_SESS_CACHE_CLIENT| or |SSL_SESS_CACHE_SERVER| is 1642 * unset), the callback is not called. 1643 * 1644 * The callback is passed a reference to |session|. It returns one if it takes 1645 * ownership and zero otherwise. 1646 * 1647 * Note: For a client, the callback may be called on abbreviated handshakes if a 1648 * ticket is renewed. Further, it may not be called until some time after 1649 * |SSL_do_handshake| or |SSL_connect| completes if False Start is enabled. Thus 1650 * it's recommended to use this callback over checking |SSL_session_reused| on 1651 * handshake completion. 1652 * 1653 * TODO(davidben): Conditioning callbacks on |SSL_SESS_CACHE_CLIENT| or 1654 * |SSL_SESS_CACHE_SERVER| doesn't make any sense when one could just as easily 1655 * not supply the callbacks. Removing that condition and the client internal 1656 * cache would simplify things. */ 1657 OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb( 1658 SSL_CTX *ctx, int (*new_session_cb)(SSL *ssl, SSL_SESSION *session)); 1659 1660 /* SSL_CTX_sess_get_new_cb returns the callback set by 1661 * |SSL_CTX_sess_set_new_cb|. */ 1662 OPENSSL_EXPORT int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))( 1663 SSL *ssl, SSL_SESSION *session); 1664 1665 /* SSL_CTX_sess_set_remove_cb sets a callback which is called when a session is 1666 * removed from the internal session cache. 1667 * 1668 * TODO(davidben): What is the point of this callback? It seems useless since it 1669 * only fires on sessions in the internal cache. */ 1670 OPENSSL_EXPORT void SSL_CTX_sess_set_remove_cb( 1671 SSL_CTX *ctx, 1672 void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *session)); 1673 1674 /* SSL_CTX_sess_get_remove_cb returns the callback set by 1675 * |SSL_CTX_sess_set_remove_cb|. */ 1676 OPENSSL_EXPORT void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))( 1677 SSL_CTX *ctx, SSL_SESSION *session); 1678 1679 /* SSL_CTX_sess_set_get_cb sets a callback to look up a session by ID for a 1680 * server. The callback is passed the session ID and should return a matching 1681 * |SSL_SESSION| or NULL if not found. It should set |*out_copy| to zero and 1682 * return a new reference to the session. This callback is not used for a 1683 * client. 1684 * 1685 * For historical reasons, if |*out_copy| is set to one (default), the SSL 1686 * library will take a new reference to the returned |SSL_SESSION|, expecting 1687 * the callback to return a non-owning pointer. This is not recommended. If 1688 * |ctx| and thus the callback is used on multiple threads, the session may be 1689 * removed and invalidated before the SSL library calls |SSL_SESSION_up_ref|, 1690 * whereas the callback may synchronize internally. 1691 * 1692 * To look up a session asynchronously, the callback may return 1693 * |SSL_magic_pending_session_ptr|. See the documentation for that function and 1694 * |SSL_ERROR_PENDING_SESSION|. 1695 * 1696 * If the internal session cache is enabled, the callback is only consulted if 1697 * the internal cache does not return a match. 1698 * 1699 * The callback's |id| parameter is not const for historical reasons, but the 1700 * contents may not be modified. */ 1701 OPENSSL_EXPORT void SSL_CTX_sess_set_get_cb( 1702 SSL_CTX *ctx, 1703 SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *id, int id_len, 1704 int *out_copy)); 1705 1706 /* SSL_CTX_sess_get_get_cb returns the callback set by 1707 * |SSL_CTX_sess_set_get_cb|. */ 1708 OPENSSL_EXPORT SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))( 1709 SSL *ssl, uint8_t *id, int id_len, int *out_copy); 1710 1711 /* SSL_magic_pending_session_ptr returns a magic |SSL_SESSION|* which indicates 1712 * that the session isn't currently unavailable. |SSL_get_error| will then 1713 * return |SSL_ERROR_PENDING_SESSION| and the handshake can be retried later 1714 * when the lookup has completed. */ 1715 OPENSSL_EXPORT SSL_SESSION *SSL_magic_pending_session_ptr(void); 1716 1717 1718 /* Session tickets. 1719 * 1720 * Session tickets, from RFC 5077, allow session resumption without server-side 1721 * state. Session tickets are supported in by default but may be disabled with 1722 * |SSL_OP_NO_TICKET|. 1723 * 1724 * On the client, ticket-based sessions use the same APIs as ID-based tickets. 1725 * Callers do not need to handle them differently. 1726 * 1727 * On the server, tickets are encrypted and authenticated with a secret key. By 1728 * default, an |SSL_CTX| generates a key on creation. Tickets are minted and 1729 * processed transparently. The following functions may be used to configure a 1730 * persistent key or implement more custom behavior. */ 1731 1732 /* SSL_CTX_get_tlsext_ticket_keys writes |ctx|'s session ticket key material to 1733 * |len| bytes of |out|. It returns one on success and zero if |len| is not 1734 * 48. If |out| is NULL, it returns 48 instead. */ 1735 OPENSSL_EXPORT int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, 1736 size_t len); 1737 1738 /* SSL_CTX_set_tlsext_ticket_keys sets |ctx|'s session ticket key material to 1739 * |len| bytes of |in|. It returns one on success and zero if |len| is not 1740 * 48. If |in| is NULL, it returns 48 instead. */ 1741 OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, 1742 size_t len); 1743 1744 /* SSL_TICKET_KEY_NAME_LEN is the length of the key name prefix of a session 1745 * ticket. */ 1746 #define SSL_TICKET_KEY_NAME_LEN 16 1747 1748 /* SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and 1749 * returns one. |callback| will be called when encrypting a new ticket and when 1750 * decrypting a ticket from the client. 1751 * 1752 * In both modes, |ctx| and |hmac_ctx| will already have been initialized with 1753 * |EVP_CIPHER_CTX_init| and |HMAC_CTX_init|, respectively. |callback| 1754 * configures |hmac_ctx| with an HMAC digest and key, and configures |ctx| 1755 * for encryption or decryption, based on the mode. 1756 * 1757 * When encrypting a new ticket, |encrypt| will be one. It writes a public 1758 * 16-byte key name to |key_name| and a fresh IV to |iv|. The output IV length 1759 * must match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode, 1760 * |callback| returns 1 on success and -1 on error. 1761 * 1762 * When decrypting a ticket, |encrypt| will be zero. |key_name| will point to a 1763 * 16-byte key name and |iv| points to an IV. The length of the IV consumed must 1764 * match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode, 1765 * |callback| returns -1 to abort the handshake, 0 if decrypting the ticket 1766 * failed, and 1 or 2 on success. If it returns 2, the ticket will be renewed. 1767 * This may be used to re-key the ticket. 1768 * 1769 * WARNING: |callback| wildly breaks the usual return value convention and is 1770 * called in two different modes. */ 1771 OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb( 1772 SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv, 1773 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, 1774 int encrypt)); 1775 1776 1777 /* Elliptic curve Diffie-Hellman. 1778 * 1779 * Cipher suites using an ECDHE key exchange perform Diffie-Hellman over an 1780 * elliptic curve negotiated by both endpoints. See RFC 4492. Only named curves 1781 * are supported. ECDHE is always enabled, but the curve preferences may be 1782 * configured with these functions. 1783 * 1784 * A client may use |SSL_SESSION_get_key_exchange_info| to determine the curve 1785 * selected. */ 1786 1787 /* SSL_CTX_set1_curves sets the preferred curves for |ctx| to be |curves|. Each 1788 * element of |curves| should be a curve nid. It returns one on success and 1789 * zero on failure. */ 1790 OPENSSL_EXPORT int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, 1791 size_t curves_len); 1792 1793 /* SSL_set1_curves sets the preferred curves for |ssl| to be |curves|. Each 1794 * element of |curves| should be a curve nid. It returns one on success and 1795 * zero on failure. */ 1796 OPENSSL_EXPORT int SSL_set1_curves(SSL *ssl, const int *curves, 1797 size_t curves_len); 1798 1799 /* SSL_get_curve_name returns a human-readable name for the elliptic curve 1800 * specified by the given TLS curve id, or NULL if the curve if unknown. */ 1801 OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id); 1802 1803 1804 /* Multiplicative Diffie-Hellman. 1805 * 1806 * Cipher suites using a DHE key exchange perform Diffie-Hellman over a 1807 * multiplicative group selected by the server. These ciphers are disabled for a 1808 * server unless a group is chosen with one of these functions. 1809 * 1810 * A client may use |SSL_SESSION_get_key_exchange_info| to determine the size of 1811 * the selected group's prime, but note that servers may select degenerate 1812 * groups. */ 1813 1814 /* SSL_CTX_set_tmp_dh configures |ctx| to use the group from |dh| as the group 1815 * for DHE. Only the group is used, so |dh| needn't have a keypair. It returns 1816 * one on success and zero on error. */ 1817 OPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh); 1818 1819 /* SSL_set_tmp_dh configures |ssl| to use the group from |dh| as the group for 1820 * DHE. Only the group is used, so |dh| needn't have a keypair. It returns one 1821 * on success and zero on error. */ 1822 OPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh); 1823 1824 /* SSL_CTX_set_tmp_dh_callback configures |ctx| to use |callback| to determine 1825 * the group for DHE ciphers. |callback| should ignore |is_export| and 1826 * |keylength| and return a |DH| of the selected group or NULL on error. Only 1827 * the parameters are used, so the |DH| needn't have a generated keypair. 1828 * 1829 * WARNING: The caller does not take ownership of the resulting |DH|, so 1830 * |callback| must save and release the object elsewhere. */ 1831 OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback( 1832 SSL_CTX *ctx, DH *(*callback)(SSL *ssl, int is_export, int keylength)); 1833 1834 /* SSL_set_tmp_dh_callback configures |ssl| to use |callback| to determine the 1835 * group for DHE ciphers. |callback| should ignore |is_export| and |keylength| 1836 * and return a |DH| of the selected group or NULL on error. Only the 1837 * parameters are used, so the |DH| needn't have a generated keypair. 1838 * 1839 * WARNING: The caller does not take ownership of the resulting |DH|, so 1840 * |callback| must save and release the object elsewhere. */ 1841 OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl, 1842 DH *(*dh)(SSL *ssl, int is_export, 1843 int keylength)); 1844 1845 1846 /* Certificate verification. 1847 * 1848 * SSL may authenticate either endpoint with an X.509 certificate. Typically 1849 * this is used to authenticate the server to the client. These functions 1850 * configure certificate verification. 1851 * 1852 * WARNING: By default, certificate verification errors on a client are not 1853 * fatal. See |SSL_VERIFY_NONE| This may be configured with 1854 * |SSL_CTX_set_verify|. 1855 * 1856 * By default clients are anonymous but a server may request a certificate from 1857 * the client by setting |SSL_VERIFY_PEER|. 1858 * 1859 * Many of these functions use OpenSSL's legacy X.509 stack which is 1860 * underdocumented and deprecated, but the replacement isn't ready yet. For 1861 * now, consumers may use the existing stack or bypass it by performing 1862 * certificate verification externally. This may be done with 1863 * |SSL_CTX_set_cert_verify_callback| or by extracting the chain with 1864 * |SSL_get_peer_cert_chain| after the handshake. In the future, functions will 1865 * be added to use the SSL stack without dependency on any part of the legacy 1866 * X.509 and ASN.1 stack. 1867 * 1868 * To augment certificate verification, a client may also enable OCSP stapling 1869 * (RFC 6066) and Certificate Transparency (RFC 6962) extensions. */ 1870 1871 /* SSL_VERIFY_NONE, on a client, verifies the server certificate but does not 1872 * make errors fatal. The result may be checked with |SSL_get_verify_result|. On 1873 * a server it does not request a client certificate. This is the default. */ 1874 #define SSL_VERIFY_NONE 0x00 1875 1876 /* SSL_VERIFY_PEER, on a client, makes server certificate errors fatal. On a 1877 * server it requests a client certificate and makes errors fatal. However, 1878 * anonymous clients are still allowed. See 1879 * |SSL_VERIFY_FAIL_IF_NO_PEER_CERT|. */ 1880 #define SSL_VERIFY_PEER 0x01 1881 1882 /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT configures a server to reject connections if 1883 * the client declines to send a certificate. Otherwise |SSL_VERIFY_PEER| still 1884 * allows anonymous clients. */ 1885 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 1886 1887 /* SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate 1888 * if and only if Channel ID is not negotiated. */ 1889 #define SSL_VERIFY_PEER_IF_NO_OBC 0x04 1890 1891 /* SSL_CTX_set_verify configures certificate verification behavior. |mode| is 1892 * one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is 1893 * used to customize certificate verification. See the behavior of 1894 * |X509_STORE_CTX_set_verify_cb|. 1895 * 1896 * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with 1897 * |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. */ 1898 OPENSSL_EXPORT void SSL_CTX_set_verify( 1899 SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx)); 1900 1901 /* SSL_set_verify configures certificate verification behavior. |mode| is one of 1902 * the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to 1903 * customize certificate verification. See the behavior of 1904 * |X509_STORE_CTX_set_verify_cb|. 1905 * 1906 * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with 1907 * |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. */ 1908 OPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode, 1909 int (*callback)(int ok, 1910 X509_STORE_CTX *store_ctx)); 1911 1912 /* SSL_CTX_get_verify_mode returns |ctx|'s verify mode, set by 1913 * |SSL_CTX_set_verify|. */ 1914 OPENSSL_EXPORT int SSL_CTX_get_verify_mode(const SSL_CTX *ctx); 1915 1916 /* SSL_get_verify_mode returns |ssl|'s verify mode, set by |SSL_CTX_set_verify| 1917 * or |SSL_set_verify|. */ 1918 OPENSSL_EXPORT int SSL_get_verify_mode(const SSL *ssl); 1919 1920 /* SSL_CTX_get_verify_callback returns the callback set by 1921 * |SSL_CTX_set_verify|. */ 1922 OPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))( 1923 int ok, X509_STORE_CTX *store_ctx); 1924 1925 /* SSL_get_verify_callback returns the callback set by |SSL_CTX_set_verify| or 1926 * |SSL_set_verify|. */ 1927 OPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *ssl))( 1928 int ok, X509_STORE_CTX *store_ctx); 1929 1930 /* SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain 1931 * accepted in verification. This number does not include the leaf, so a depth 1932 * of 1 allows the leaf and one CA certificate. */ 1933 OPENSSL_EXPORT void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); 1934 1935 /* SSL_set_verify_depth sets the maximum depth of a certificate chain accepted 1936 * in verification. This number does not include the leaf, so a depth of 1 1937 * allows the leaf and one CA certificate. */ 1938 OPENSSL_EXPORT void SSL_set_verify_depth(SSL *ssl, int depth); 1939 1940 /* SSL_CTX_get_verify_depth returns the maximum depth of a certificate accepted 1941 * in verification. */ 1942 OPENSSL_EXPORT int SSL_CTX_get_verify_depth(const SSL_CTX *ctx); 1943 1944 /* SSL_get_verify_depth returns the maximum depth of a certificate accepted in 1945 * verification. */ 1946 OPENSSL_EXPORT int SSL_get_verify_depth(const SSL *ssl); 1947 1948 /* SSL_CTX_set1_param sets verification parameters from |param|. It returns one 1949 * on success and zero on failure. The caller retains ownership of |param|. */ 1950 OPENSSL_EXPORT int SSL_CTX_set1_param(SSL_CTX *ctx, 1951 const X509_VERIFY_PARAM *param); 1952 1953 /* SSL_set1_param sets verification parameters from |param|. It returns one on 1954 * success and zero on failure. The caller retains ownership of |param|. */ 1955 OPENSSL_EXPORT int SSL_set1_param(SSL *ssl, 1956 const X509_VERIFY_PARAM *param); 1957 1958 /* SSL_CTX_get0_param returns |ctx|'s |X509_VERIFY_PARAM| for certificate 1959 * verification. The caller must not release the returned pointer but may call 1960 * functions on it to configure it. */ 1961 OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); 1962 1963 /* SSL_get0_param returns |ssl|'s |X509_VERIFY_PARAM| for certificate 1964 * verification. The caller must not release the returned pointer but may call 1965 * functions on it to configure it. */ 1966 OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl); 1967 1968 /* SSL_CTX_set_purpose sets |ctx|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to 1969 * |purpose|. It returns one on success and zero on error. */ 1970 OPENSSL_EXPORT int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose); 1971 1972 /* SSL_set_purpose sets |ssl|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to 1973 * |purpose|. It returns one on success and zero on error. */ 1974 OPENSSL_EXPORT int SSL_set_purpose(SSL *ssl, int purpose); 1975 1976 /* SSL_CTX_set_trust sets |ctx|'s |X509_VERIFY_PARAM|'s 'trust' parameter to 1977 * |trust|. It returns one on success and zero on error. */ 1978 OPENSSL_EXPORT int SSL_CTX_set_trust(SSL_CTX *ctx, int trust); 1979 1980 /* SSL_set_trust sets |ssl|'s |X509_VERIFY_PARAM|'s 'trust' parameter to 1981 * |trust|. It returns one on success and zero on error. */ 1982 OPENSSL_EXPORT int SSL_set_trust(SSL *ssl, int trust); 1983 1984 /* SSL_CTX_set_cert_store sets |ctx|'s certificate store to |store|. It takes 1985 * ownership of |store|. The store is used for certificate verification. 1986 * 1987 * The store is also used for the auto-chaining feature, but this is deprecated. 1988 * See also |SSL_MODE_NO_AUTO_CHAIN|. */ 1989 OPENSSL_EXPORT void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store); 1990 1991 /* SSL_CTX_get_cert_store returns |ctx|'s certificate store. */ 1992 OPENSSL_EXPORT X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx); 1993 1994 /* SSL_CTX_set_default_verify_paths loads the OpenSSL system-default trust 1995 * anchors into |ctx|'s store. It returns one on success and zero on failure. */ 1996 OPENSSL_EXPORT int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); 1997 1998 /* SSL_CTX_load_verify_locations loads trust anchors into |ctx|'s store from 1999 * |ca_file| and |ca_dir|, either of which may be NULL. If |ca_file| is passed, 2000 * it is opened and PEM-encoded CA certificates are read. If |ca_dir| is passed, 2001 * it is treated as a directory in OpenSSL's hashed directory format. It returns 2002 * one on success and zero on failure. 2003 * 2004 * See 2005 * https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html 2006 * for documentation on the directory format. */ 2007 OPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx, 2008 const char *ca_file, 2009 const char *ca_dir); 2010 2011 /* SSL_get_verify_result returns the result of certificate verification. It is 2012 * either |X509_V_OK| or a |X509_V_ERR_*| value. */ 2013 OPENSSL_EXPORT long SSL_get_verify_result(const SSL *ssl); 2014 2015 /* SSL_set_verify_result overrides the result of certificate verification. */ 2016 OPENSSL_EXPORT void SSL_set_verify_result(SSL *ssl, long result); 2017 2018 /* SSL_get_ex_data_X509_STORE_CTX_idx returns the ex_data index used to look up 2019 * the |SSL| associated with an |X509_STORE_CTX| in the verify callback. */ 2020 OPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void); 2021 2022 /* SSL_CTX_set_cert_verify_callback sets a custom callback to be called on 2023 * certificate verification rather than |X509_verify_cert|. |store_ctx| contains 2024 * the verification parameters. The callback should return one on success and 2025 * zero on fatal error. It may use |X509_STORE_CTX_set_error| to set a 2026 * verification result. 2027 * 2028 * The callback may use either the |arg| parameter or 2029 * |SSL_get_ex_data_X509_STORE_CTX_idx| to recover the associated |SSL| 2030 * object. */ 2031 OPENSSL_EXPORT void SSL_CTX_set_cert_verify_callback( 2032 SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *store_ctx, void *arg), 2033 void *arg); 2034 2035 /* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end 2036 * of a connection) to request SCTs from the server. See 2037 * https://tools.ietf.org/html/rfc6962. It returns one. 2038 * 2039 * Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the 2040 * handshake. */ 2041 OPENSSL_EXPORT int SSL_enable_signed_cert_timestamps(SSL *ssl); 2042 2043 /* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL 2044 * objects created from |ctx|. 2045 * 2046 * Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the 2047 * handshake. */ 2048 OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); 2049 2050 /* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a 2051 * connection) to request a stapled OCSP response from the server. It returns 2052 * one. 2053 * 2054 * Call |SSL_get0_ocsp_response| to recover the OCSP response after the 2055 * handshake. */ 2056 OPENSSL_EXPORT int SSL_enable_ocsp_stapling(SSL *ssl); 2057 2058 /* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects 2059 * created from |ctx|. 2060 * 2061 * Call |SSL_get0_ocsp_response| to recover the OCSP response after the 2062 * handshake. */ 2063 OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx); 2064 2065 2066 /* Client certificate CA list. 2067 * 2068 * When requesting a client certificate, a server may advertise a list of 2069 * certificate authorities which are accepted. These functions may be used to 2070 * configure this list. */ 2071 2072 /* SSL_set_client_CA_list sets |ssl|'s client certificate CA list to 2073 * |name_list|. It takes ownership of |name_list|. */ 2074 OPENSSL_EXPORT void SSL_set_client_CA_list(SSL *ssl, 2075 STACK_OF(X509_NAME) *name_list); 2076 2077 /* SSL_CTX_set_client_CA_list sets |ctx|'s client certificate CA list to 2078 * |name_list|. It takes ownership of |name_list|. */ 2079 OPENSSL_EXPORT void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, 2080 STACK_OF(X509_NAME) *name_list); 2081 2082 /* SSL_get_client_CA_list returns |ssl|'s client certificate CA list. If |ssl| 2083 * has not been configured as a client, this is the list configured by 2084 * |SSL_CTX_set_client_CA_list|. 2085 * 2086 * If configured as a client, it returns the client certificate CA list sent by 2087 * the server. In this mode, the behavior is undefined except during the 2088 * callbacks set by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or 2089 * when the handshake is paused because of them. */ 2090 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl); 2091 2092 /* SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list. */ 2093 OPENSSL_EXPORT STACK_OF(X509_NAME) * 2094 SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); 2095 2096 /* SSL_add_client_CA appends |x509|'s subject to the client certificate CA list. 2097 * It returns one on success or zero on error. The caller retains ownership of 2098 * |x509|. */ 2099 OPENSSL_EXPORT int SSL_add_client_CA(SSL *ssl, X509 *x509); 2100 2101 /* SSL_CTX_add_client_CA appends |x509|'s subject to the client certificate CA 2102 * list. It returns one on success or zero on error. The caller retains 2103 * ownership of |x509|. */ 2104 OPENSSL_EXPORT int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509); 2105 2106 /* SSL_load_client_CA_file opens |file| and reads PEM-encoded certificates from 2107 * it. It returns a newly-allocated stack of the certificate subjects or NULL 2108 * on error. */ 2109 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); 2110 2111 /* SSL_dup_CA_list makes a deep copy of |list|. It returns the new list on 2112 * success or NULL on allocation error. */ 2113 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list); 2114 2115 /* SSL_add_file_cert_subjects_to_stack behaves like |SSL_load_client_CA_file| 2116 * but appends the result to |out|. It returns one on success or zero on 2117 * error. */ 2118 OPENSSL_EXPORT int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, 2119 const char *file); 2120 2121 /* SSL_add_dir_cert_subjects_to_stack lists files in directory |dir|. It calls 2122 * |SSL_add_file_cert_subjects_to_stack| on each file and returns one on success 2123 * or zero on error. */ 2124 OPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, 2125 const char *dir); 2126 2127 2128 /* Server name indication. 2129 * 2130 * The server_name extension (RFC 3546) allows the client to advertise the name 2131 * of the server it is connecting to. This is used in virtual hosting 2132 * deployments to select one of a several certificates on a single IP. Only the 2133 * host_name name type is supported. */ 2134 2135 #define TLSEXT_NAMETYPE_host_name 0 2136 2137 /* SSL_set_tlsext_host_name, for a client, configures |ssl| to advertise |name| 2138 * in the server_name extension. It returns one on success and zero on error. */ 2139 OPENSSL_EXPORT int SSL_set_tlsext_host_name(SSL *ssl, const char *name); 2140 2141 /* SSL_get_servername, for a server, returns the hostname supplied by the 2142 * client or NULL if there was none. The |type| argument must be 2143 * |TLSEXT_NAMETYPE_host_name|. */ 2144 OPENSSL_EXPORT const char *SSL_get_servername(const SSL *ssl, const int type); 2145 2146 /* SSL_get_servername_type, for a server, returns |TLSEXT_NAMETYPE_host_name| 2147 * if the client sent a hostname and -1 otherwise. */ 2148 OPENSSL_EXPORT int SSL_get_servername_type(const SSL *ssl); 2149 2150 /* SSL_CTX_set_tlsext_servername_callback configures |callback| to be called on 2151 * the server after ClientHello extensions have been parsed and returns one. 2152 * The callback may use |SSL_get_servername| to examine the server_name extension 2153 * and returns a |SSL_TLSEXT_ERR_*| value. The value of |arg| may be set by 2154 * calling |SSL_CTX_set_tlsext_servername_arg|. 2155 * 2156 * If the callback returns |SSL_TLSEXT_ERR_NOACK|, the server_name extension is 2157 * not acknowledged in the ServerHello. If the return value is 2158 * |SSL_TLSEXT_ERR_ALERT_FATAL| or |SSL_TLSEXT_ERR_ALERT_WARNING| then 2159 * |*out_alert| must be set to the alert value to send. */ 2160 OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback( 2161 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)); 2162 2163 /* SSL_CTX_set_tlsext_servername_arg sets the argument to the servername 2164 * callback and returns one. See |SSL_CTX_set_tlsext_servername_callback|. */ 2165 OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg); 2166 2167 /* SSL_TLSEXT_ERR_* are values returned by some extension-related callbacks. */ 2168 #define SSL_TLSEXT_ERR_OK 0 2169 #define SSL_TLSEXT_ERR_ALERT_WARNING 1 2170 #define SSL_TLSEXT_ERR_ALERT_FATAL 2 2171 #define SSL_TLSEXT_ERR_NOACK 3 2172 2173 2174 /* Application-layer protocol negotation. 2175 * 2176 * The ALPN extension (RFC 7301) allows negotiating different application-layer 2177 * protocols over a single port. This is used, for example, to negotiate 2178 * HTTP/2. */ 2179 2180 /* SSL_CTX_set_alpn_protos sets the client ALPN protocol list on |ctx| to 2181 * |protos|. |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 2182 * length-prefixed strings). It returns zero on success and one on failure. 2183 * Configuring this list enables ALPN on a client. 2184 * 2185 * WARNING: this function is dangerous because it breaks the usual return value 2186 * convention. */ 2187 OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos, 2188 unsigned protos_len); 2189 2190 /* SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|. 2191 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 2192 * length-prefixed strings). It returns zero on success and one on failure. 2193 * Configuring this list enables ALPN on a client. 2194 * 2195 * WARNING: this function is dangerous because it breaks the usual return value 2196 * convention. */ 2197 OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, 2198 unsigned protos_len); 2199 2200 /* SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called 2201 * during ClientHello processing in order to select an ALPN protocol from the 2202 * client's list of offered protocols. Configuring this callback enables ALPN on 2203 * a server. 2204 * 2205 * The callback is passed a wire-format (i.e. a series of non-empty, 8-bit 2206 * length-prefixed strings) ALPN protocol list in |in|. It should set |*out| and 2207 * |*out_len| to the selected protocol and return |SSL_TLSEXT_ERR_OK| on 2208 * success. It does not pass ownership of the buffer. Otherwise, it should 2209 * return |SSL_TLSEXT_ERR_NOACK|. Other |SSL_TLSEXT_ERR_*| values are 2210 * unimplemented and will be treated as |SSL_TLSEXT_ERR_NOACK|. */ 2211 OPENSSL_EXPORT void SSL_CTX_set_alpn_select_cb( 2212 SSL_CTX *ctx, int (*cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len, 2213 const uint8_t *in, unsigned in_len, void *arg), 2214 void *arg); 2215 2216 /* SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|. 2217 * On return it sets |*out_data| to point to |*out_len| bytes of protocol name 2218 * (not including the leading length-prefix byte). If the server didn't respond 2219 * with a negotiated protocol then |*out_len| will be zero. */ 2220 OPENSSL_EXPORT void SSL_get0_alpn_selected(const SSL *ssl, 2221 const uint8_t **out_data, 2222 unsigned *out_len); 2223 2224 2225 /* Next protocol negotiation. 2226 * 2227 * The NPN extension (draft-agl-tls-nextprotoneg-03) is the predecessor to ALPN 2228 * and deprecated in favor of it. */ 2229 2230 /* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a 2231 * TLS server needs a list of supported protocols for Next Protocol 2232 * Negotiation. The returned list must be in wire format. The list is returned 2233 * by setting |*out| to point to it and |*out_len| to its length. This memory 2234 * will not be modified, but one should assume that |ssl| keeps a reference to 2235 * it. 2236 * 2237 * The callback should return |SSL_TLSEXT_ERR_OK| if it wishes to advertise. 2238 * Otherwise, no such extension will be included in the ServerHello. */ 2239 OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb( 2240 SSL_CTX *ctx, 2241 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg), 2242 void *arg); 2243 2244 /* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client 2245 * needs to select a protocol from the server's provided list. |*out| must be 2246 * set to point to the selected protocol (which may be within |in|). The length 2247 * of the protocol name must be written into |*out_len|. The server's advertised 2248 * protocols are provided in |in| and |in_len|. The callback can assume that 2249 * |in| is syntactically valid. 2250 * 2251 * The client must select a protocol. It is fatal to the connection if this 2252 * callback returns a value other than |SSL_TLSEXT_ERR_OK|. 2253 * 2254 * Configuring this callback enables NPN on a client. */ 2255 OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb( 2256 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, 2257 const uint8_t *in, unsigned in_len, void *arg), 2258 void *arg); 2259 2260 /* SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to 2261 * the client's requested protocol for this connection. If the client didn't 2262 * request any protocol, then |*out_data| is set to NULL. 2263 * 2264 * Note that the client can request any protocol it chooses. The value returned 2265 * from this function need not be a member of the list of supported protocols 2266 * provided by the server. */ 2267 OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *ssl, 2268 const uint8_t **out_data, 2269 unsigned *out_len); 2270 2271 /* SSL_select_next_proto implements the standard protocol selection. It is 2272 * expected that this function is called from the callback set by 2273 * |SSL_CTX_set_next_proto_select_cb|. 2274 * 2275 * The protocol data is assumed to be a vector of 8-bit, length prefixed byte 2276 * strings. The length byte itself is not included in the length. A byte 2277 * string of length 0 is invalid. No byte string may be truncated. 2278 * 2279 * The current, but experimental algorithm for selecting the protocol is: 2280 * 2281 * 1) If the server doesn't support NPN then this is indicated to the 2282 * callback. In this case, the client application has to abort the connection 2283 * or have a default application level protocol. 2284 * 2285 * 2) If the server supports NPN, but advertises an empty list then the 2286 * client selects the first protcol in its list, but indicates via the 2287 * API that this fallback case was enacted. 2288 * 2289 * 3) Otherwise, the client finds the first protocol in the server's list 2290 * that it supports and selects this protocol. This is because it's 2291 * assumed that the server has better information about which protocol 2292 * a client should use. 2293 * 2294 * 4) If the client doesn't support any of the server's advertised 2295 * protocols, then this is treated the same as case 2. 2296 * 2297 * It returns either |OPENSSL_NPN_NEGOTIATED| if a common protocol was found, or 2298 * |OPENSSL_NPN_NO_OVERLAP| if the fallback case was reached. */ 2299 OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, 2300 const uint8_t *server, 2301 unsigned server_len, 2302 const uint8_t *client, 2303 unsigned client_len); 2304 2305 #define OPENSSL_NPN_UNSUPPORTED 0 2306 #define OPENSSL_NPN_NEGOTIATED 1 2307 #define OPENSSL_NPN_NO_OVERLAP 2 2308 2309 2310 /* Channel ID. 2311 * 2312 * See draft-balfanz-tls-channelid-01. */ 2313 2314 /* SSL_CTX_enable_tls_channel_id either configures a TLS server to accept TLS 2315 * Channel IDs from clients, or configures a client to send TLS Channel IDs to 2316 * a server. It returns one. */ 2317 OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx); 2318 2319 /* SSL_enable_tls_channel_id either configures a TLS server to accept TLS 2320 * Channel IDs from clients, or configures a client to send TLS Channel IDs to 2321 * server. It returns one. */ 2322 OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl); 2323 2324 /* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID 2325 * to compatible servers. |private_key| must be a P-256 EC key. It returns one 2326 * on success and zero on error. */ 2327 OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, 2328 EVP_PKEY *private_key); 2329 2330 /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to 2331 * compatible servers. |private_key| must be a P-256 EC key. It returns one on 2332 * success and zero on error. */ 2333 OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key); 2334 2335 /* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL*| 2336 * and copies up to the first |max_out| bytes into |out|. The Channel ID 2337 * consists of the client's P-256 public key as an (x,y) pair where each is a 2338 * 32-byte, big-endian field element. It returns 0 if the client didn't offer a 2339 * Channel ID and the length of the complete Channel ID otherwise. */ 2340 OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, 2341 size_t max_out); 2342 2343 /* SSL_CTX_set_channel_id_cb sets a callback to be called when a TLS Channel ID 2344 * is requested. The callback may set |*out_pkey| to a key, passing a reference 2345 * to the caller. If none is returned, the handshake will pause and 2346 * |SSL_get_error| will return |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|. 2347 * 2348 * See also |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|. */ 2349 OPENSSL_EXPORT void SSL_CTX_set_channel_id_cb( 2350 SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey)); 2351 2352 /* SSL_CTX_get_channel_id_cb returns the callback set by 2353 * |SSL_CTX_set_channel_id_cb|. */ 2354 OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))( 2355 SSL *ssl, EVP_PKEY **out_pkey); 2356 2357 2358 /* DTLS-SRTP. 2359 * 2360 * See RFC 5764. */ 2361 2362 /* An SRTP_PROTECTION_PROFILE is an SRTP profile for use with the use_srtp 2363 * extension. */ 2364 struct srtp_protection_profile_st { 2365 const char *name; 2366 unsigned long id; 2367 } /* SRTP_PROTECTION_PROFILE */; 2368 2369 DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE) 2370 2371 /* SRTP_* define constants for SRTP profiles. */ 2372 #define SRTP_AES128_CM_SHA1_80 0x0001 2373 #define SRTP_AES128_CM_SHA1_32 0x0002 2374 #define SRTP_AES128_F8_SHA1_80 0x0003 2375 #define SRTP_AES128_F8_SHA1_32 0x0004 2376 #define SRTP_NULL_SHA1_80 0x0005 2377 #define SRTP_NULL_SHA1_32 0x0006 2378 #define SRTP_AEAD_AES_128_GCM 0x0007 2379 #define SRTP_AEAD_AES_256_GCM 0x0008 2380 2381 /* SSL_CTX_set_srtp_profiles enables SRTP for all SSL objects created from 2382 * |ctx|. |profile| contains a colon-separated list of profile names. It returns 2383 * one on success and zero on failure. */ 2384 OPENSSL_EXPORT int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx, 2385 const char *profiles); 2386 2387 /* SSL_set_srtp_profiles enables SRTP for |ssl|. |profile| contains a 2388 * colon-separated list of profile names. It returns one on success and zero on 2389 * failure. */ 2390 OPENSSL_EXPORT int SSL_set_srtp_profiles(SSL *ssl, const char *profiles); 2391 2392 /* SSL_get_srtp_profiles returns the SRTP profiles supported by |ssl|. */ 2393 OPENSSL_EXPORT STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles( 2394 SSL *ssl); 2395 2396 /* SSL_get_selected_srtp_profile returns the selected SRTP profile, or NULL if 2397 * SRTP was not negotiated. */ 2398 OPENSSL_EXPORT const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile( 2399 SSL *ssl); 2400 2401 2402 /* Pre-shared keys. 2403 * 2404 * Connections may be configured with PSK (Pre-Shared Key) cipher suites. These 2405 * authenticate using out-of-band pre-shared keys rather than certificates. See 2406 * RFC 4279. 2407 * 2408 * This implementation uses NUL-terminated C strings for identities and identity 2409 * hints, so values with a NUL character are not supported. (RFC 4279 does not 2410 * specify the format of an identity.) */ 2411 2412 /* PSK_MAX_IDENTITY_LEN is the maximum supported length of a PSK identity, 2413 * excluding the NUL terminator. */ 2414 #define PSK_MAX_IDENTITY_LEN 128 2415 2416 /* PSK_MAX_PSK_LEN is the maximum supported length of a pre-shared key. */ 2417 #define PSK_MAX_PSK_LEN 256 2418 2419 /* SSL_CTX_set_psk_client_callback sets the callback to be called when PSK is 2420 * negotiated on the client. This callback must be set to enable PSK cipher 2421 * suites on the client. 2422 * 2423 * The callback is passed the identity hint in |hint| or NULL if none was 2424 * provided. It should select a PSK identity and write the identity and the 2425 * corresponding PSK to |identity| and |psk|, respectively. The identity is 2426 * written as a NUL-terminated C string of length (excluding the NUL terminator) 2427 * at most |max_identity_len|. The PSK's length must be at most |max_psk_len|. 2428 * The callback returns the length of the PSK or 0 if no suitable identity was 2429 * found. */ 2430 OPENSSL_EXPORT void SSL_CTX_set_psk_client_callback( 2431 SSL_CTX *ctx, 2432 unsigned (*psk_client_callback)( 2433 SSL *ssl, const char *hint, char *identity, 2434 unsigned max_identity_len, uint8_t *psk, unsigned max_psk_len)); 2435 2436 /* SSL_set_psk_client_callback sets the callback to be called when PSK is 2437 * negotiated on the client. This callback must be set to enable PSK cipher 2438 * suites on the client. See also |SSL_CTX_set_psk_client_callback|. */ 2439 OPENSSL_EXPORT void SSL_set_psk_client_callback( 2440 SSL *ssl, unsigned (*psk_client_callback)(SSL *ssl, const char *hint, 2441 char *identity, 2442 unsigned max_identity_len, 2443 uint8_t *psk, 2444 unsigned max_psk_len)); 2445 2446 /* SSL_CTX_set_psk_server_callback sets the callback to be called when PSK is 2447 * negotiated on the server. This callback must be set to enable PSK cipher 2448 * suites on the server. 2449 * 2450 * The callback is passed the identity in |identity|. It should write a PSK of 2451 * length at most |max_psk_len| to |psk| and return the number of bytes written 2452 * or zero if the PSK identity is unknown. */ 2453 OPENSSL_EXPORT void SSL_CTX_set_psk_server_callback( 2454 SSL_CTX *ctx, 2455 unsigned (*psk_server_callback)(SSL *ssl, const char *identity, 2456 uint8_t *psk, 2457 unsigned max_psk_len)); 2458 2459 /* SSL_set_psk_server_callback sets the callback to be called when PSK is 2460 * negotiated on the server. This callback must be set to enable PSK cipher 2461 * suites on the server. See also |SSL_CTX_set_psk_server_callback|. */ 2462 OPENSSL_EXPORT void SSL_set_psk_server_callback( 2463 SSL *ssl, 2464 unsigned (*psk_server_callback)(SSL *ssl, const char *identity, 2465 uint8_t *psk, 2466 unsigned max_psk_len)); 2467 2468 /* SSL_CTX_use_psk_identity_hint configures server connections to advertise an 2469 * identity hint of |identity_hint|. It returns one on success and zero on 2470 * error. */ 2471 OPENSSL_EXPORT int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, 2472 const char *identity_hint); 2473 2474 /* SSL_use_psk_identity_hint configures server connections to advertise an 2475 * identity hint of |identity_hint|. It returns one on success and zero on 2476 * error. */ 2477 OPENSSL_EXPORT int SSL_use_psk_identity_hint(SSL *ssl, 2478 const char *identity_hint); 2479 2480 /* SSL_get_psk_identity_hint returns the PSK identity hint advertised for |ssl| 2481 * or NULL if there is none. */ 2482 OPENSSL_EXPORT const char *SSL_get_psk_identity_hint(const SSL *ssl); 2483 2484 /* SSL_get_psk_identity, after the handshake completes, returns the PSK identity 2485 * that was negotiated by |ssl| or NULL if PSK was not used. */ 2486 OPENSSL_EXPORT const char *SSL_get_psk_identity(const SSL *ssl); 2487 2488 2489 /* Alerts. 2490 * 2491 * TLS and SSL 3.0 use alerts to signal error conditions. Alerts have a type 2492 * (warning or fatal) and description. OpenSSL internally handles fatal alerts 2493 * with dedicated error codes (see |SSL_AD_REASON_OFFSET|). Except for 2494 * close_notify, warning alerts are silently ignored and may only be surfaced 2495 * with |SSL_CTX_set_info_callback|. */ 2496 2497 /* SSL_AD_REASON_OFFSET is the offset between error reasons and |SSL_AD_*| 2498 * values. Any error code under |ERR_LIB_SSL| with an error reason above this 2499 * value corresponds to an alert description. Consumers may add or subtract 2500 * |SSL_AD_REASON_OFFSET| to convert between them. 2501 * 2502 * make_errors.go reserves error codes above 1000 for manually-assigned errors. 2503 * This value must be kept in sync with reservedReasonCode in make_errors.h */ 2504 #define SSL_AD_REASON_OFFSET 1000 2505 2506 /* SSL_AD_* are alert descriptions for SSL 3.0 and TLS. */ 2507 #define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY 2508 #define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE 2509 #define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC 2510 #define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED 2511 #define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW 2512 #define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE 2513 #define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE 2514 #define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not used in TLS */ 2515 #define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE 2516 #define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE 2517 #define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED 2518 #define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED 2519 #define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN 2520 #define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER 2521 #define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA 2522 #define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED 2523 #define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR 2524 #define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR 2525 #define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION 2526 #define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION 2527 #define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY 2528 #define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR 2529 #define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED 2530 #define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION 2531 #define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION 2532 #define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE 2533 #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME 2534 #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE \ 2535 TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 2536 #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 2537 #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY 2538 #define SSL_AD_INAPPROPRIATE_FALLBACK SSL3_AD_INAPPROPRIATE_FALLBACK 2539 2540 /* SSL_alert_type_string_long returns a string description of |value| as an 2541 * alert type (warning or fatal). */ 2542 OPENSSL_EXPORT const char *SSL_alert_type_string_long(int value); 2543 2544 /* SSL_alert_desc_string_long returns a string description of |value| as an 2545 * alert description or "unknown" if unknown. */ 2546 OPENSSL_EXPORT const char *SSL_alert_desc_string_long(int value); 2547 2548 2549 /* ex_data functions. 2550 * 2551 * See |ex_data.h| for details. */ 2552 2553 OPENSSL_EXPORT int SSL_set_ex_data(SSL *ssl, int idx, void *data); 2554 OPENSSL_EXPORT void *SSL_get_ex_data(const SSL *ssl, int idx); 2555 OPENSSL_EXPORT int SSL_get_ex_new_index(long argl, void *argp, 2556 CRYPTO_EX_unused *unused, 2557 CRYPTO_EX_dup *dup_func, 2558 CRYPTO_EX_free *free_func); 2559 2560 OPENSSL_EXPORT int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, 2561 void *data); 2562 OPENSSL_EXPORT void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, 2563 int idx); 2564 OPENSSL_EXPORT int SSL_SESSION_get_ex_new_index(long argl, void *argp, 2565 CRYPTO_EX_unused *unused, 2566 CRYPTO_EX_dup *dup_func, 2567 CRYPTO_EX_free *free_func); 2568 2569 OPENSSL_EXPORT int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data); 2570 OPENSSL_EXPORT void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx); 2571 OPENSSL_EXPORT int SSL_CTX_get_ex_new_index(long argl, void *argp, 2572 CRYPTO_EX_unused *unused, 2573 CRYPTO_EX_dup *dup_func, 2574 CRYPTO_EX_free *free_func); 2575 2576 2577 /* Obscure functions. */ 2578 2579 /* SSL_get_rc4_state sets |*read_key| and |*write_key| to the RC4 states for 2580 * the read and write directions. It returns one on success or zero if |ssl| 2581 * isn't using an RC4-based cipher suite. */ 2582 OPENSSL_EXPORT int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key, 2583 const RC4_KEY **write_key); 2584 2585 /* SSL_get_ivs sets |*out_iv_len| to the length of the IVs for the ciphers 2586 * underlying |ssl| and sets |*out_read_iv| and |*out_write_iv| to point to the 2587 * current IVs for the read and write directions. This is only meaningful for 2588 * connections with implicit IVs (i.e. CBC mode with SSLv3 or TLS 1.0). 2589 * 2590 * It returns one on success or zero on error. */ 2591 OPENSSL_EXPORT int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv, 2592 const uint8_t **out_write_iv, 2593 size_t *out_iv_len); 2594 2595 /* SSL_get_structure_sizes returns the sizes of the SSL, SSL_CTX and 2596 * SSL_SESSION structures so that a test can ensure that outside code agrees on 2597 * these values. */ 2598 OPENSSL_EXPORT void SSL_get_structure_sizes(size_t *ssl_size, 2599 size_t *ssl_ctx_size, 2600 size_t *ssl_session_size); 2601 2602 /* SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|. 2603 * This callback will be called when sending or receiving low-level record 2604 * headers, complete handshake messages, ChangeCipherSpec, and alerts. 2605 * |write_p| is one for outgoing messages and zero for incoming messages. 2606 * 2607 * For each record header, |cb| is called with |version| = 0 and |content_type| 2608 * = |SSL3_RT_HEADER|. The |len| bytes from |buf| contain the header. Note that 2609 * this does not include the record body. If the record is sealed, the length 2610 * in the header is the length of the ciphertext. 2611 * 2612 * For each handshake message, ChangeCipherSpec, and alert, |version| is the 2613 * protocol version and |content_type| is the corresponding record type. The 2614 * |len| bytes from |buf| contain the handshake message, one-byte 2615 * ChangeCipherSpec body, and two-byte alert, respectively. */ 2616 OPENSSL_EXPORT void SSL_CTX_set_msg_callback( 2617 SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, 2618 const void *buf, size_t len, SSL *ssl, void *arg)); 2619 2620 /* SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message 2621 * callback. */ 2622 OPENSSL_EXPORT void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg); 2623 2624 /* SSL_set_msg_callback installs |cb| as the message callback of |ssl|. See 2625 * |SSL_CTX_set_msg_callback| for when this callback is called. */ 2626 OPENSSL_EXPORT void SSL_set_msg_callback( 2627 SSL *ssl, void (*cb)(int write_p, int version, int content_type, 2628 const void *buf, size_t len, SSL *ssl, void *arg)); 2629 2630 /* SSL_set_msg_callback_arg sets the |arg| parameter of the message callback. */ 2631 OPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg); 2632 2633 /* SSL_CTX_set_keylog_callback configures a callback to log key material. This 2634 * is intended for debugging use with tools like Wireshark. The |cb| function 2635 * should log |line| followed by a newline, synchronizing with any concurrent 2636 * access to the log. 2637 * 2638 * The format is described in 2639 * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. */ 2640 OPENSSL_EXPORT void SSL_CTX_set_keylog_callback( 2641 SSL_CTX *ctx, void (*cb)(const SSL *ssl, const char *line)); 2642 2643 enum ssl_renegotiate_mode_t { 2644 ssl_renegotiate_never = 0, 2645 ssl_renegotiate_once, 2646 ssl_renegotiate_freely, 2647 ssl_renegotiate_ignore, 2648 }; 2649 2650 /* SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to 2651 * renegotiation attempts by a server. If |ssl| is a server, peer-initiated 2652 * renegotiations are *always* rejected and this function does nothing. 2653 * 2654 * The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set 2655 * at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to 2656 * allow one renegotiation, |ssl_renegotiate_freely| to allow all 2657 * renegotiations or |ssl_renegotiate_ignore| to ignore HelloRequest messages. 2658 * Note that ignoring HelloRequest messages may cause the connection to stall 2659 * if the server waits for the renegotiation to complete. 2660 * 2661 * There is no support in BoringSSL for initiating renegotiations as a client 2662 * or server. */ 2663 OPENSSL_EXPORT void SSL_set_renegotiate_mode(SSL *ssl, 2664 enum ssl_renegotiate_mode_t mode); 2665 2666 /* SSL_renegotiate_pending returns one if |ssl| is in the middle of a 2667 * renegotiation. */ 2668 OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl); 2669 2670 /* SSL_total_renegotiations returns the total number of renegotiation handshakes 2671 * peformed by |ssl|. This includes the pending renegotiation, if any. */ 2672 OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl); 2673 2674 /* SSL_MAX_CERT_LIST_DEFAULT is the default maximum length, in bytes, of a peer 2675 * certificate chain. */ 2676 #define SSL_MAX_CERT_LIST_DEFAULT 1024 * 100 2677 2678 /* SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer 2679 * certificate chain accepted by |ctx|. */ 2680 OPENSSL_EXPORT size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx); 2681 2682 /* SSL_CTX_set_max_cert_list sets the maximum length, in bytes, of a peer 2683 * certificate chain to |max_cert_list|. This affects how much memory may be 2684 * consumed during the handshake. */ 2685 OPENSSL_EXPORT void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, 2686 size_t max_cert_list); 2687 2688 /* SSL_get_max_cert_list returns the maximum length, in bytes, of a peer 2689 * certificate chain accepted by |ssl|. */ 2690 OPENSSL_EXPORT size_t SSL_get_max_cert_list(const SSL *ssl); 2691 2692 /* SSL_set_max_cert_list sets the maximum length, in bytes, of a peer 2693 * certificate chain to |max_cert_list|. This affects how much memory may be 2694 * consumed during the handshake. */ 2695 OPENSSL_EXPORT void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list); 2696 2697 /* SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records 2698 * sent by |ctx|. Beyond this length, handshake messages and application data 2699 * will be split into multiple records. */ 2700 OPENSSL_EXPORT void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, 2701 size_t max_send_fragment); 2702 2703 /* SSL_set_max_send_fragment sets the maximum length, in bytes, of records 2704 * sent by |ssl|. Beyond this length, handshake messages and application data 2705 * will be split into multiple records. */ 2706 OPENSSL_EXPORT void SSL_set_max_send_fragment(SSL *ssl, 2707 size_t max_send_fragment); 2708 2709 /* ssl_early_callback_ctx is passed to certain callbacks that are called very 2710 * early on during the server handshake. At this point, much of the SSL* hasn't 2711 * been filled out and only the ClientHello can be depended on. */ 2712 struct ssl_early_callback_ctx { 2713 SSL *ssl; 2714 const uint8_t *client_hello; 2715 size_t client_hello_len; 2716 const uint8_t *session_id; 2717 size_t session_id_len; 2718 const uint8_t *cipher_suites; 2719 size_t cipher_suites_len; 2720 const uint8_t *compression_methods; 2721 size_t compression_methods_len; 2722 const uint8_t *extensions; 2723 size_t extensions_len; 2724 }; 2725 2726 /* SSL_early_callback_ctx_extension_get searches the extensions in |ctx| for an 2727 * extension of the given type. If not found, it returns zero. Otherwise it 2728 * sets |out_data| to point to the extension contents (not including the type 2729 * and length bytes), sets |out_len| to the length of the extension contents 2730 * and returns one. */ 2731 OPENSSL_EXPORT int SSL_early_callback_ctx_extension_get( 2732 const struct ssl_early_callback_ctx *ctx, uint16_t extension_type, 2733 const uint8_t **out_data, size_t *out_len); 2734 2735 /* SSL_CTX_set_select_certificate_cb sets a callback that is called before most 2736 * ClientHello processing and before the decision whether to resume a session 2737 * is made. The callback may inspect the ClientHello and configure the 2738 * connection. It may then return one to continue the handshake or zero to 2739 * pause the handshake to perform an asynchronous operation. If paused, 2740 * |SSL_get_error| will return |SSL_ERROR_PENDING_CERTIFICATE|. 2741 * 2742 * Note: The |ssl_early_callback_ctx| is only valid for the duration of the 2743 * callback and is not valid while the handshake is paused. Further, unlike with 2744 * most callbacks, when the handshake loop is resumed, it will not call the 2745 * callback a second time. The caller must finish reconfiguring the connection 2746 * before resuming the handshake. */ 2747 OPENSSL_EXPORT void SSL_CTX_set_select_certificate_cb( 2748 SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *)); 2749 2750 /* SSL_CTX_set_dos_protection_cb sets a callback that is called once the 2751 * resumption decision for a ClientHello has been made. It can return one to 2752 * allow the handshake to continue or zero to cause the handshake to abort. */ 2753 OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb( 2754 SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *)); 2755 2756 /* SSL_ST_* are possible values for |SSL_state| and the bitmasks that make them 2757 * up. */ 2758 #define SSL_ST_CONNECT 0x1000 2759 #define SSL_ST_ACCEPT 0x2000 2760 #define SSL_ST_MASK 0x0FFF 2761 #define SSL_ST_INIT (SSL_ST_CONNECT | SSL_ST_ACCEPT) 2762 #define SSL_ST_OK 0x03 2763 #define SSL_ST_RENEGOTIATE (0x04 | SSL_ST_INIT) 2764 2765 /* SSL_CB_* are possible values for the |type| parameter in the info 2766 * callback and the bitmasks that make them up. */ 2767 #define SSL_CB_LOOP 0x01 2768 #define SSL_CB_EXIT 0x02 2769 #define SSL_CB_READ 0x04 2770 #define SSL_CB_WRITE 0x08 2771 #define SSL_CB_ALERT 0x4000 2772 #define SSL_CB_READ_ALERT (SSL_CB_ALERT | SSL_CB_READ) 2773 #define SSL_CB_WRITE_ALERT (SSL_CB_ALERT | SSL_CB_WRITE) 2774 #define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT | SSL_CB_LOOP) 2775 #define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT | SSL_CB_EXIT) 2776 #define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT | SSL_CB_LOOP) 2777 #define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT | SSL_CB_EXIT) 2778 #define SSL_CB_HANDSHAKE_START 0x10 2779 #define SSL_CB_HANDSHAKE_DONE 0x20 2780 2781 /* SSL_CTX_set_info_callback configures a callback to be run when various 2782 * events occur during a connection's lifetime. The |type| argumentj determines 2783 * the type of event and the meaning of the |value| argument. Callbacks must 2784 * ignore unexpected |type| values. 2785 * 2786 * |SSL_CB_READ_ALERT| is signaled for each alert received, warning or fatal. 2787 * The |value| argument is a 16-bit value where the alert level (either 2788 * |SSL3_AL_WARNING| or |SSL3_AL_FATAL|) is in the most-significant eight bits and 2789 * the alert type (one of |SSL_AD_*|) is in the least-significant eight. 2790 * 2791 * |SSL_CB_WRITE_ALERT| is signaled for each alert sent. The |value| argument 2792 * is constructed as with |SSL_CB_READ_ALERT|. 2793 * 2794 * |SSL_CB_HANDSHAKE_START| is signaled when a handshake begins. The |value| 2795 * argument is always one. 2796 * 2797 * |SSL_CB_HANDSHAKE_DONE| is signaled when a handshake completes successfully. 2798 * The |value| argument is always one. If a handshake False Starts, this event 2799 * may be used to determine when the Finished message is received. 2800 * 2801 * The following event types expose implementation details of the handshake 2802 * state machine. Consuming them is deprecated. 2803 * 2804 * |SSL_CB_ACCEPT_LOOP| (respectively, |SSL_CB_CONNECT_LOOP|) is signaled when 2805 * a server (respectively, client) handshake progresses. The |value| argument 2806 * is always one. For the duration of the callback, |SSL_state| will return the 2807 * previous state. 2808 * 2809 * |SSL_CB_ACCEPT_EXIT| (respectively, |SSL_CB_CONNECT_EXIT|) is signaled when 2810 * a server (respectively, client) handshake completes, fails, or is paused. 2811 * The |value| argument is one if the handshake succeeded and <= 0 2812 * otherwise. */ 2813 OPENSSL_EXPORT void SSL_CTX_set_info_callback( 2814 SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int value)); 2815 2816 /* SSL_CTX_get_info_callback returns the callback set by 2817 * |SSL_CTX_set_info_callback|. */ 2818 OPENSSL_EXPORT void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, 2819 int type, 2820 int value); 2821 2822 /* SSL_set_info_callback configures a callback to be run at various events 2823 * during a connection's lifetime. See |SSL_CTX_set_info_callback|. */ 2824 OPENSSL_EXPORT void SSL_set_info_callback( 2825 SSL *ssl, void (*cb)(const SSL *ssl, int type, int value)); 2826 2827 /* SSL_get_info_callback returns the callback set by |SSL_set_info_callback|. */ 2828 OPENSSL_EXPORT void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, 2829 int type, 2830 int value); 2831 2832 /* SSL_state_string_long returns the current state of the handshake state 2833 * machine as a string. This may be useful for debugging and logging. */ 2834 OPENSSL_EXPORT const char *SSL_state_string_long(const SSL *ssl); 2835 2836 /* SSL_set_SSL_CTX partially changes |ssl|'s |SSL_CTX|. |ssl| will use the 2837 * certificate and session_id_context from |ctx|, and |SSL_get_SSL_CTX| will 2838 * report |ctx|. However most settings and the session cache itself will 2839 * continue to use the initial |SSL_CTX|. It is often used as part of SNI. 2840 * 2841 * TODO(davidben): Make a better story here and get rid of this API. Also 2842 * determine if there's anything else affected by |SSL_set_SSL_CTX| that 2843 * matters. Not as many values are affected as one might initially think. The 2844 * session cache explicitly selects the initial |SSL_CTX|. Most settings are 2845 * copied at |SSL_new| so |ctx|'s versions don't apply. This, notably, has some 2846 * consequences for any plans to make |SSL| copy-on-write most of its 2847 * configuration. */ 2848 OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx); 2849 2850 #define SSL_SENT_SHUTDOWN 1 2851 #define SSL_RECEIVED_SHUTDOWN 2 2852 2853 /* SSL_get_shutdown returns a bitmask with a subset of |SSL_SENT_SHUTDOWN| and 2854 * |SSL_RECEIVED_SHUTDOWN| to query whether close_notify was sent or received, 2855 * respectively. */ 2856 OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl); 2857 2858 /* SSL_get_server_key_exchange_hash, on a client, returns the hash the server 2859 * used to sign the ServerKeyExchange in TLS 1.2. If not applicable, it returns 2860 * |TLSEXT_hash_none|. */ 2861 OPENSSL_EXPORT uint8_t SSL_get_server_key_exchange_hash(const SSL *ssl); 2862 2863 2864 /* Deprecated functions. */ 2865 2866 /* SSL_library_init calls |CRYPTO_library_init| and returns one. */ 2867 OPENSSL_EXPORT int SSL_library_init(void); 2868 2869 /* SSL_set_reject_peer_renegotiations calls |SSL_set_renegotiate_mode| with 2870 * |ssl_never_renegotiate| if |reject| is one and |ssl_renegotiate_freely| if 2871 * zero. */ 2872 OPENSSL_EXPORT void SSL_set_reject_peer_renegotiations(SSL *ssl, int reject); 2873 2874 /* SSL_CIPHER_description writes a description of |cipher| into |buf| and 2875 * returns |buf|. If |buf| is NULL, it returns a newly allocated string, to be 2876 * freed with |OPENSSL_free|, or NULL on error. 2877 * 2878 * The description includes a trailing newline and has the form: 2879 * AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 2880 * 2881 * Consider |SSL_CIPHER_get_name| or |SSL_CIPHER_get_rfc_name| instead. */ 2882 OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, 2883 char *buf, int len); 2884 2885 /* SSL_CIPHER_get_version returns the string "TLSv1/SSLv3". */ 2886 OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); 2887 2888 typedef void COMP_METHOD; 2889 2890 /* SSL_COMP_get_compression_methods returns NULL. */ 2891 OPENSSL_EXPORT COMP_METHOD *SSL_COMP_get_compression_methods(void); 2892 2893 /* SSL_COMP_add_compression_method returns one. */ 2894 OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm); 2895 2896 /* SSL_COMP_get_name returns NULL. */ 2897 OPENSSL_EXPORT const char *SSL_COMP_get_name(const COMP_METHOD *comp); 2898 2899 /* SSLv23_method calls |TLS_method|. */ 2900 OPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void); 2901 2902 /* These version-specific methods behave exactly like |TLS_method| and 2903 * |DTLS_method| except they also call |SSL_CTX_set_min_version| and 2904 * |SSL_CTX_set_max_version| to lock connections to that protocol version. */ 2905 OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void); 2906 OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void); 2907 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void); 2908 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void); 2909 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void); 2910 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void); 2911 2912 /* These client- and server-specific methods call their corresponding generic 2913 * methods. */ 2914 OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void); 2915 OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void); 2916 OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void); 2917 OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void); 2918 OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void); 2919 OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void); 2920 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void); 2921 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_client_method(void); 2922 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_server_method(void); 2923 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_client_method(void); 2924 OPENSSL_EXPORT const SSL_METHOD *DTLS_server_method(void); 2925 OPENSSL_EXPORT const SSL_METHOD *DTLS_client_method(void); 2926 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_server_method(void); 2927 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void); 2928 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void); 2929 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void); 2930 2931 /* SSL_clear resets |ssl| to allow another connection and returns one on success 2932 * or zero on failure. It returns most configuration state but releases memory 2933 * associated with the current connection. 2934 * 2935 * Free |ssl| and create a new one instead. */ 2936 OPENSSL_EXPORT int SSL_clear(SSL *ssl); 2937 2938 /* SSL_CTX_set_tmp_rsa_callback does nothing. */ 2939 OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback( 2940 SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength)); 2941 2942 /* SSL_set_tmp_rsa_callback does nothing. */ 2943 OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl, 2944 RSA *(*cb)(SSL *ssl, int is_export, 2945 int keylength)); 2946 2947 /* SSL_CTX_sess_connect returns zero. */ 2948 OPENSSL_EXPORT int SSL_CTX_sess_connect(const SSL_CTX *ctx); 2949 2950 /* SSL_CTX_sess_connect_good returns zero. */ 2951 OPENSSL_EXPORT int SSL_CTX_sess_connect_good(const SSL_CTX *ctx); 2952 2953 /* SSL_CTX_sess_connect_renegotiate returns zero. */ 2954 OPENSSL_EXPORT int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx); 2955 2956 /* SSL_CTX_sess_accept returns zero. */ 2957 OPENSSL_EXPORT int SSL_CTX_sess_accept(const SSL_CTX *ctx); 2958 2959 /* SSL_CTX_sess_accept_renegotiate returns zero. */ 2960 OPENSSL_EXPORT int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx); 2961 2962 /* SSL_CTX_sess_accept_good returns zero. */ 2963 OPENSSL_EXPORT int SSL_CTX_sess_accept_good(const SSL_CTX *ctx); 2964 2965 /* SSL_CTX_sess_hits returns zero. */ 2966 OPENSSL_EXPORT int SSL_CTX_sess_hits(const SSL_CTX *ctx); 2967 2968 /* SSL_CTX_sess_cb_hits returns zero. */ 2969 OPENSSL_EXPORT int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx); 2970 2971 /* SSL_CTX_sess_misses returns zero. */ 2972 OPENSSL_EXPORT int SSL_CTX_sess_misses(const SSL_CTX *ctx); 2973 2974 /* SSL_CTX_sess_timeouts returns zero. */ 2975 OPENSSL_EXPORT int SSL_CTX_sess_timeouts(const SSL_CTX *ctx); 2976 2977 /* SSL_CTX_sess_cache_full returns zero. */ 2978 OPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx); 2979 2980 /* SSL_cutthrough_complete calls |SSL_in_false_start|. */ 2981 OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s); 2982 2983 /* SSL_num_renegotiations calls |SSL_total_renegotiations|. */ 2984 OPENSSL_EXPORT int SSL_num_renegotiations(const SSL *ssl); 2985 2986 /* SSL_CTX_need_tmp_RSA returns zero. */ 2987 OPENSSL_EXPORT int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx); 2988 2989 /* SSL_need_tmp_RSA returns zero. */ 2990 OPENSSL_EXPORT int SSL_need_tmp_RSA(const SSL *ssl); 2991 2992 /* SSL_CTX_set_tmp_rsa returns one. */ 2993 OPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa); 2994 2995 /* SSL_set_tmp_rsa returns one. */ 2996 OPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa); 2997 2998 /* SSL_CTX_get_read_ahead returns zero. */ 2999 OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx); 3000 3001 /* SSL_CTX_set_read_ahead does nothing. */ 3002 OPENSSL_EXPORT void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes); 3003 3004 /* SSL_get_read_ahead returns zero. */ 3005 OPENSSL_EXPORT int SSL_get_read_ahead(const SSL *s); 3006 3007 /* SSL_set_read_ahead does nothing. */ 3008 OPENSSL_EXPORT void SSL_set_read_ahead(SSL *s, int yes); 3009 3010 /* SSL_renegotiate put an error on the error queue and returns zero. */ 3011 OPENSSL_EXPORT int SSL_renegotiate(SSL *ssl); 3012 3013 /* SSL_set_state does nothing. */ 3014 OPENSSL_EXPORT void SSL_set_state(SSL *ssl, int state); 3015 3016 /* SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START. */ 3017 #define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START 3018 3019 /* i2d_SSL_SESSION serializes |in| to the bytes pointed to by |*pp|. On success, 3020 * it returns the number of bytes written and advances |*pp| by that many bytes. 3021 * On failure, it returns -1. If |pp| is NULL, no bytes are written and only the 3022 * length is returned. 3023 * 3024 * Use |SSL_SESSION_to_bytes| instead. */ 3025 OPENSSL_EXPORT int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp); 3026 3027 /* d2i_SSL_SESSION parses a serialized session from the |length| bytes pointed 3028 * to by |*pp|. It returns the new |SSL_SESSION| and advances |*pp| by the 3029 * number of bytes consumed on success and NULL on failure. The caller takes 3030 * ownership of the new session and must call |SSL_SESSION_free| when done. 3031 * 3032 * If |a| is non-NULL, |*a| is released and set the new |SSL_SESSION|. 3033 * 3034 * Use |SSL_SESSION_from_bytes| instead. */ 3035 OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, 3036 long length); 3037 3038 /* i2d_SSL_SESSION_bio serializes |session| and writes the result to |bio|. It 3039 * returns the number of bytes written on success and <= 0 on error. */ 3040 OPENSSL_EXPORT int i2d_SSL_SESSION_bio(BIO *bio, const SSL_SESSION *session); 3041 3042 /* d2i_SSL_SESSION_bio reads a serialized |SSL_SESSION| from |bio| and returns a 3043 * newly-allocated |SSL_SESSION| or NULL on error. If |out| is not NULL, it also 3044 * frees |*out| and sets |*out| to the new |SSL_SESSION|. */ 3045 OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out); 3046 3047 /* ERR_load_SSL_strings does nothing. */ 3048 OPENSSL_EXPORT void ERR_load_SSL_strings(void); 3049 3050 /* SSL_load_error_strings does nothing. */ 3051 OPENSSL_EXPORT void SSL_load_error_strings(void); 3052 3053 /* SSL_CTX_set_tlsext_use_srtp calls |SSL_CTX_set_srtp_profiles|. It returns 3054 * zero on success and one on failure. 3055 * 3056 * WARNING: this function is dangerous because it breaks the usual return value 3057 * convention. Use |SSL_CTX_set_srtp_profiles| instead. */ 3058 OPENSSL_EXPORT int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, 3059 const char *profiles); 3060 3061 /* SSL_set_tlsext_use_srtp calls |SSL_set_srtp_profiles|. It returns zero on 3062 * success and one on failure. 3063 * 3064 * WARNING: this function is dangerous because it breaks the usual return value 3065 * convention. Use |SSL_set_srtp_profiles| instead. */ 3066 OPENSSL_EXPORT int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles); 3067 3068 /* SSL_get_current_compression returns NULL. */ 3069 OPENSSL_EXPORT const COMP_METHOD *SSL_get_current_compression(SSL *s); 3070 3071 /* SSL_get_current_expansion returns NULL. */ 3072 OPENSSL_EXPORT const COMP_METHOD *SSL_get_current_expansion(SSL *s); 3073 3074 #define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)arg)) 3075 #define SSL_get_app_data(s) (SSL_get_ex_data(s, 0)) 3076 #define SSL_SESSION_set_app_data(s, a) \ 3077 (SSL_SESSION_set_ex_data(s, 0, (char *)a)) 3078 #define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s, 0)) 3079 #define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx, 0)) 3080 #define SSL_CTX_set_app_data(ctx, arg) \ 3081 (SSL_CTX_set_ex_data(ctx, 0, (char *)arg)) 3082 3083 #define OpenSSL_add_ssl_algorithms() SSL_library_init() 3084 #define SSLeay_add_ssl_algorithms() SSL_library_init() 3085 3086 #define SSL_get_cipher(ssl) SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)) 3087 #define SSL_get_cipher_bits(ssl, out_alg_bits) \ 3088 SSL_CIPHER_get_bits(SSL_get_current_cipher(ssl), out_alg_bits) 3089 #define SSL_get_cipher_version(ssl) \ 3090 SSL_CIPHER_get_version(SSL_get_current_cipher(ssl)) 3091 #define SSL_get_cipher_name(ssl) \ 3092 SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)) 3093 #define SSL_get_time(session) SSL_SESSION_get_time(session) 3094 #define SSL_set_time(session, time) SSL_SESSION_set_time((session), (time)) 3095 #define SSL_get_timeout(session) SSL_SESSION_get_timeout(session) 3096 #define SSL_set_timeout(session, timeout) \ 3097 SSL_SESSION_set_timeout((session), (timeout)) 3098 3099 typedef struct ssl_comp_st SSL_COMP; 3100 3101 struct ssl_comp_st { 3102 int id; 3103 const char *name; 3104 char *method; 3105 }; 3106 3107 DECLARE_STACK_OF(SSL_COMP) 3108 3109 /* The following flags toggle individual protocol versions. This is deprecated. 3110 * Use |SSL_CTX_set_min_version| and |SSL_CTX_set_max_version| instead. */ 3111 #define SSL_OP_NO_SSLv3 0x02000000L 3112 #define SSL_OP_NO_TLSv1 0x04000000L 3113 #define SSL_OP_NO_TLSv1_2 0x08000000L 3114 #define SSL_OP_NO_TLSv1_1 0x10000000L 3115 #define SSL_OP_NO_DTLSv1 SSL_OP_NO_TLSv1 3116 #define SSL_OP_NO_DTLSv1_2 SSL_OP_NO_TLSv1_2 3117 3118 /* The following flags do nothing and are included only to make it easier to 3119 * compile code with BoringSSL. */ 3120 #define SSL_MODE_AUTO_RETRY 0 3121 #define SSL_MODE_RELEASE_BUFFERS 0 3122 #define SSL_MODE_SEND_CLIENTHELLO_TIME 0 3123 #define SSL_MODE_SEND_SERVERHELLO_TIME 0 3124 #define SSL_OP_ALL 0 3125 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0 3126 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0 3127 #define SSL_OP_EPHEMERAL_RSA 0 3128 #define SSL_OP_LEGACY_SERVER_CONNECT 0 3129 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0 3130 #define SSL_OP_MICROSOFT_SESS_ID_BUG 0 3131 #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0 3132 #define SSL_OP_NETSCAPE_CA_DN_BUG 0 3133 #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0 3134 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0 3135 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0 3136 #define SSL_OP_NO_COMPRESSION 0 3137 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 3138 #define SSL_OP_NO_SSLv2 0 3139 #define SSL_OP_PKCS1_CHECK_1 0 3140 #define SSL_OP_PKCS1_CHECK_2 0 3141 #define SSL_OP_SINGLE_DH_USE 0 3142 #define SSL_OP_SINGLE_ECDH_USE 0 3143 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0 3144 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0 3145 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0 3146 #define SSL_OP_TLS_D5_BUG 0 3147 #define SSL_OP_TLS_ROLLBACK_BUG 0 3148 #define SSL_VERIFY_CLIENT_ONCE 0 3149 3150 /* SSL_cache_hit calls |SSL_session_resumed|. */ 3151 OPENSSL_EXPORT int SSL_cache_hit(SSL *ssl); 3152 3153 /* SSL_get_default_timeout returns |SSL_DEFAULT_SESSION_TIMEOUT|. */ 3154 OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *ssl); 3155 3156 /* SSL_get_version returns a string describing the TLS version used by |ssl|. 3157 * For example, "TLSv1.2" or "SSLv3". */ 3158 OPENSSL_EXPORT const char *SSL_get_version(const SSL *ssl); 3159 3160 /* SSL_get_cipher_list returns the name of the |n|th cipher in the output of 3161 * |SSL_get_ciphers| or NULL if out of range. Use |SSL_get_ciphers| insteads. */ 3162 OPENSSL_EXPORT const char *SSL_get_cipher_list(const SSL *ssl, int n); 3163 3164 /* SSL_CTX_set_client_cert_cb sets a callback which is called on the client if 3165 * the server requests a client certificate and none is configured. On success, 3166 * the callback should return one and set |*out_x509| to |*out_pkey| to a leaf 3167 * certificate and private key, respectively, passing ownership. It should 3168 * return zero to send no certificate and -1 to fail or pause the handshake. If 3169 * the handshake is paused, |SSL_get_error| will return 3170 * |SSL_ERROR_WANT_X509_LOOKUP|. 3171 * 3172 * The callback may call |SSL_get0_certificate_types| and 3173 * |SSL_get_client_CA_list| for information on the server's certificate request. 3174 * 3175 * Use |SSL_CTX_set_cert_cb| instead. Configuring intermediate certificates with 3176 * this function is confusing. */ 3177 OPENSSL_EXPORT void SSL_CTX_set_client_cert_cb( 3178 SSL_CTX *ctx, 3179 int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey)); 3180 3181 /* SSL_CTX_get_client_cert_cb returns the callback set by 3182 * |SSL_CTX_set_client_cert_cb|. */ 3183 OPENSSL_EXPORT int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))( 3184 SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey); 3185 3186 #define SSL_NOTHING 1 3187 #define SSL_WRITING 2 3188 #define SSL_READING 3 3189 #define SSL_X509_LOOKUP 4 3190 #define SSL_CHANNEL_ID_LOOKUP 5 3191 #define SSL_PENDING_SESSION 7 3192 #define SSL_CERTIFICATE_SELECTION_PENDING 8 3193 #define SSL_PRIVATE_KEY_OPERATION 9 3194 3195 /* SSL_want returns one of the above values to determine what the most recent 3196 * operation on |ssl| was blocked on. Use |SSL_get_error| instead. */ 3197 OPENSSL_EXPORT int SSL_want(const SSL *ssl); 3198 3199 #define SSL_want_nothing(ssl) (SSL_want(ssl) == SSL_NOTHING) 3200 #define SSL_want_read(ssl) (SSL_want(ssl) == SSL_READING) 3201 #define SSL_want_write(ssl) (SSL_want(ssl) == SSL_WRITING) 3202 #define SSL_want_x509_lookup(ssl) (SSL_want(ssl) == SSL_X509_LOOKUP) 3203 #define SSL_want_channel_id_lookup(ssl) (SSL_want(ssl) == SSL_CHANNEL_ID_LOOKUP) 3204 #define SSL_want_session(ssl) (SSL_want(ssl) == SSL_PENDING_SESSION) 3205 #define SSL_want_certificate(ssl) \ 3206 (SSL_want(ssl) == SSL_CERTIFICATE_SELECTION_PENDING) 3207 #define SSL_want_private_key_operation(ssl) \ 3208 (SSL_want(ssl) == SSL_PRIVATE_KEY_OPERATION) 3209 3210 /* SSL_get_finished writes up to |count| bytes of the Finished message sent by 3211 * |ssl| to |buf|. It returns the total untruncated length or zero if none has 3212 * been sent yet. 3213 * 3214 * Use |SSL_get_tls_unique| instead. */ 3215 OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count); 3216 3217 /* SSL_get_peer_finished writes up to |count| bytes of the Finished message 3218 * received from |ssl|'s peer to |buf|. It returns the total untruncated length 3219 * or zero if none has been received yet. 3220 * 3221 * Use |SSL_get_tls_unique| instead. */ 3222 OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf, 3223 size_t count); 3224 3225 /* SSL_alert_type_string returns "!". Use |SSL_alert_type_string_long| 3226 * instead. */ 3227 OPENSSL_EXPORT const char *SSL_alert_type_string(int value); 3228 3229 /* SSL_alert_desc_string returns "!!". Use |SSL_alert_desc_string_long| 3230 * instead. */ 3231 OPENSSL_EXPORT const char *SSL_alert_desc_string(int value); 3232 3233 /* SSL_TXT_* expand to strings. */ 3234 #define SSL_TXT_MEDIUM "MEDIUM" 3235 #define SSL_TXT_HIGH "HIGH" 3236 #define SSL_TXT_FIPS "FIPS" 3237 #define SSL_TXT_kRSA "kRSA" 3238 #define SSL_TXT_kDHE "kDHE" 3239 #define SSL_TXT_kEDH "kEDH" 3240 #define SSL_TXT_kECDHE "kECDHE" 3241 #define SSL_TXT_kEECDH "kEECDH" 3242 #define SSL_TXT_kPSK "kPSK" 3243 #define SSL_TXT_aRSA "aRSA" 3244 #define SSL_TXT_aECDSA "aECDSA" 3245 #define SSL_TXT_aPSK "aPSK" 3246 #define SSL_TXT_DH "DH" 3247 #define SSL_TXT_DHE "DHE" 3248 #define SSL_TXT_EDH "EDH" 3249 #define SSL_TXT_RSA "RSA" 3250 #define SSL_TXT_ECDH "ECDH" 3251 #define SSL_TXT_ECDHE "ECDHE" 3252 #define SSL_TXT_EECDH "EECDH" 3253 #define SSL_TXT_ECDSA "ECDSA" 3254 #define SSL_TXT_PSK "PSK" 3255 #define SSL_TXT_3DES "3DES" 3256 #define SSL_TXT_RC4 "RC4" 3257 #define SSL_TXT_AES128 "AES128" 3258 #define SSL_TXT_AES256 "AES256" 3259 #define SSL_TXT_AES "AES" 3260 #define SSL_TXT_AES_GCM "AESGCM" 3261 #define SSL_TXT_CHACHA20 "CHACHA20" 3262 #define SSL_TXT_MD5 "MD5" 3263 #define SSL_TXT_SHA1 "SHA1" 3264 #define SSL_TXT_SHA "SHA" 3265 #define SSL_TXT_SHA256 "SHA256" 3266 #define SSL_TXT_SHA384 "SHA384" 3267 #define SSL_TXT_SSLV3 "SSLv3" 3268 #define SSL_TXT_TLSV1 "TLSv1" 3269 #define SSL_TXT_TLSV1_1 "TLSv1.1" 3270 #define SSL_TXT_TLSV1_2 "TLSv1.2" 3271 #define SSL_TXT_ALL "ALL" 3272 #define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" 3273 3274 typedef struct ssl_conf_ctx_st SSL_CONF_CTX; 3275 3276 /* SSL_state returns the current state of the handshake state machine. */ 3277 OPENSSL_EXPORT int SSL_state(const SSL *ssl); 3278 3279 #define SSL_get_state(ssl) SSL_state(ssl) 3280 3281 /* SSL_state_string returns the current state of the handshake state machine as 3282 * a six-letter string. Use |SSL_state_string_long| for a more intelligible 3283 * string. */ 3284 OPENSSL_EXPORT const char *SSL_state_string(const SSL *ssl); 3285 3286 /* SSL_set_shutdown causes |ssl| to behave as if the shutdown bitmask (see 3287 * |SSL_get_shutdown|) were |mode|. This may be used to skip sending or 3288 * receiving close_notify in |SSL_shutdown| by causing the implementation to 3289 * believe the events already happened. 3290 * 3291 * It is an error to use |SSL_set_shutdown| to unset a bit that has already been 3292 * set. Doing so will trigger an |assert| in debug builds and otherwise be 3293 * ignored. 3294 * 3295 * Use |SSL_CTX_set_quiet_shutdown| instead. */ 3296 OPENSSL_EXPORT void SSL_set_shutdown(SSL *ssl, int mode); 3297 3298 /* SSL_CTX_set_tmp_ecdh calls |SSL_CTX_set1_curves| with a one-element list 3299 * containing |ec_key|'s curve. */ 3300 OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key); 3301 3302 /* SSL_set_tmp_ecdh calls |SSL_set1_curves| with a one-element list containing 3303 * |ec_key|'s curve. */ 3304 OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key); 3305 3306 3307 /* Private structures. 3308 * 3309 * This structures are exposed for historical reasons, but access to them is 3310 * deprecated. */ 3311 3312 typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD; 3313 typedef struct ssl3_enc_method SSL3_ENC_METHOD; 3314 typedef struct ssl_aead_ctx_st SSL_AEAD_CTX; 3315 3316 struct ssl_cipher_st { 3317 /* name is the OpenSSL name for the cipher. */ 3318 const char *name; 3319 /* id is the cipher suite value bitwise OR-d with 0x03000000. */ 3320 uint32_t id; 3321 3322 /* algorithm_* are internal fields. See ssl/internal.h for their values. */ 3323 uint32_t algorithm_mkey; 3324 uint32_t algorithm_auth; 3325 uint32_t algorithm_enc; 3326 uint32_t algorithm_mac; 3327 uint32_t algorithm_prf; 3328 }; 3329 3330 typedef struct ssl_ecdh_method_st SSL_ECDH_METHOD; 3331 typedef struct ssl_ecdh_ctx_st { 3332 const SSL_ECDH_METHOD *method; 3333 void *data; 3334 } SSL_ECDH_CTX; 3335 3336 #define SSL_MAX_SSL_SESSION_ID_LENGTH 32 3337 #define SSL_MAX_SID_CTX_LENGTH 32 3338 #define SSL_MAX_MASTER_KEY_LENGTH 48 3339 3340 struct ssl_session_st { 3341 CRYPTO_refcount_t references; 3342 int ssl_version; /* what ssl version session info is being kept in here? */ 3343 3344 /* key_exchange_info contains an indication of the size of the asymmetric 3345 * primitive used in the handshake that created this session. In the event 3346 * that two asymmetric operations are used, this value applies to the one 3347 * that controls the confidentiality of the connection. Its interpretation 3348 * depends on the primitive that was used; as specified by the cipher suite: 3349 * DHE: the size, in bits, of the multiplicative group. 3350 * RSA: the size, in bits, of the modulus. 3351 * ECDHE: the TLS id for the curve. 3352 * 3353 * A zero indicates that the value is unknown. */ 3354 uint32_t key_exchange_info; 3355 3356 int master_key_length; 3357 uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH]; 3358 3359 /* session_id - valid? */ 3360 unsigned int session_id_length; 3361 uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; 3362 /* this is used to determine whether the session is being reused in 3363 * the appropriate context. It is up to the application to set this, 3364 * via SSL_new */ 3365 unsigned int sid_ctx_length; 3366 uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 3367 3368 char *psk_identity; 3369 /* peer is the peer's certificate. */ 3370 X509 *peer; 3371 3372 /* cert_chain is the certificate chain sent by the peer. NOTE: for historical 3373 * reasons, when a client (so the peer is a server), the chain includes 3374 * |peer|, but when a server it does not. */ 3375 STACK_OF(X509) *cert_chain; 3376 3377 /* when app_verify_callback accepts a session where the peer's certificate is 3378 * not ok, we must remember the error for session reuse: */ 3379 long verify_result; /* only for servers */ 3380 3381 long timeout; 3382 long time; 3383 3384 const SSL_CIPHER *cipher; 3385 3386 CRYPTO_EX_DATA ex_data; /* application specific data */ 3387 3388 /* These are used to make removal of session-ids more efficient and to 3389 * implement a maximum cache size. */ 3390 SSL_SESSION *prev, *next; 3391 char *tlsext_hostname; 3392 3393 /* RFC4507 info */ 3394 uint8_t *tlsext_tick; /* Session ticket */ 3395 size_t tlsext_ticklen; /* Session ticket length */ 3396 3397 size_t tlsext_signed_cert_timestamp_list_length; 3398 uint8_t *tlsext_signed_cert_timestamp_list; /* Server's list. */ 3399 3400 /* The OCSP response that came with the session. */ 3401 size_t ocsp_response_length; 3402 uint8_t *ocsp_response; 3403 3404 /* peer_sha256 contains the SHA-256 hash of the peer's certificate if 3405 * |peer_sha256_valid| is true. */ 3406 uint8_t peer_sha256[SHA256_DIGEST_LENGTH]; 3407 3408 /* original_handshake_hash contains the handshake hash (either SHA-1+MD5 or 3409 * SHA-2, depending on TLS version) for the original, full handshake that 3410 * created a session. This is used by Channel IDs during resumption. */ 3411 uint8_t original_handshake_hash[EVP_MAX_MD_SIZE]; 3412 unsigned original_handshake_hash_len; 3413 3414 uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ 3415 3416 /* extended_master_secret is true if the master secret in this session was 3417 * generated using EMS and thus isn't vulnerable to the Triple Handshake 3418 * attack. */ 3419 unsigned extended_master_secret:1; 3420 3421 /* peer_sha256_valid is non-zero if |peer_sha256| is valid. */ 3422 unsigned peer_sha256_valid:1; /* Non-zero if peer_sha256 is valid */ 3423 3424 /* not_resumable is used to indicate that session resumption is not allowed. 3425 * Applications can also set this bit for a new session via 3426 * not_resumable_session_cb to disable session caching and tickets. */ 3427 unsigned not_resumable:1; 3428 }; 3429 3430 /* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with 3431 * equal-preference groups. For TLS clients, the groups are moot because the 3432 * server picks the cipher and groups cannot be expressed on the wire. However, 3433 * for servers, the equal-preference groups allow the client's preferences to 3434 * be partially respected. (This only has an effect with 3435 * SSL_OP_CIPHER_SERVER_PREFERENCE). 3436 * 3437 * The equal-preference groups are expressed by grouping SSL_CIPHERs together. 3438 * All elements of a group have the same priority: no ordering is expressed 3439 * within a group. 3440 * 3441 * The values in |ciphers| are in one-to-one correspondence with 3442 * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of 3443 * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to 3444 * indicate that the corresponding SSL_CIPHER is not the last element of a 3445 * group, or 0 to indicate that it is. 3446 * 3447 * For example, if |in_group_flags| contains all zeros then that indicates a 3448 * traditional, fully-ordered preference. Every SSL_CIPHER is the last element 3449 * of the group (i.e. they are all in a one-element group). 3450 * 3451 * For a more complex example, consider: 3452 * ciphers: A B C D E F 3453 * in_group_flags: 1 1 0 0 1 0 3454 * 3455 * That would express the following, order: 3456 * 3457 * A E 3458 * B -> D -> F 3459 * C 3460 */ 3461 struct ssl_cipher_preference_list_st { 3462 STACK_OF(SSL_CIPHER) *ciphers; 3463 uint8_t *in_group_flags; 3464 }; 3465 3466 struct ssl_ctx_st { 3467 const SSL_PROTOCOL_METHOD *method; 3468 3469 /* lock is used to protect various operations on this object. */ 3470 CRYPTO_MUTEX lock; 3471 3472 /* max_version is the maximum acceptable protocol version. If zero, the 3473 * maximum supported version, currently (D)TLS 1.2, is used. */ 3474 uint16_t max_version; 3475 3476 /* min_version is the minimum acceptable protocl version. If zero, the 3477 * minimum supported version, currently SSL 3.0 and DTLS 1.0, is used */ 3478 uint16_t min_version; 3479 3480 struct ssl_cipher_preference_list_st *cipher_list; 3481 /* same as above but sorted for lookup */ 3482 STACK_OF(SSL_CIPHER) *cipher_list_by_id; 3483 3484 /* cipher_list_tls10 is the list of ciphers when TLS 1.0 or greater is in 3485 * use. This only applies to server connections as, for clients, the version 3486 * number is known at connect time and so the cipher list can be set then. If 3487 * |cipher_list_tls11| is non-NULL then this applies only to TLS 1.0 3488 * connections. 3489 * 3490 * TODO(agl): this exists to assist in the death of SSLv3. It can hopefully 3491 * be removed after that. */ 3492 struct ssl_cipher_preference_list_st *cipher_list_tls10; 3493 3494 /* cipher_list_tls11 is the list of ciphers when TLS 1.1 or greater is in 3495 * use. This only applies to server connections as, for clients, the version 3496 * number is known at connect time and so the cipher list can be set then. */ 3497 struct ssl_cipher_preference_list_st *cipher_list_tls11; 3498 3499 X509_STORE *cert_store; 3500 LHASH_OF(SSL_SESSION) *sessions; 3501 /* Most session-ids that will be cached, default is 3502 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ 3503 unsigned long session_cache_size; 3504 SSL_SESSION *session_cache_head; 3505 SSL_SESSION *session_cache_tail; 3506 3507 /* handshakes_since_cache_flush is the number of successful handshakes since 3508 * the last cache flush. */ 3509 int handshakes_since_cache_flush; 3510 3511 /* This can have one of 2 values, ored together, 3512 * SSL_SESS_CACHE_CLIENT, 3513 * SSL_SESS_CACHE_SERVER, 3514 * Default is SSL_SESSION_CACHE_SERVER, which means only 3515 * SSL_accept which cache SSL_SESSIONS. */ 3516 int session_cache_mode; 3517 3518 /* If timeout is not 0, it is the default timeout value set when SSL_new() is 3519 * called. This has been put in to make life easier to set things up */ 3520 long session_timeout; 3521 3522 /* If this callback is not null, it will be called each time a session id is 3523 * added to the cache. If this function returns 1, it means that the 3524 * callback will do a SSL_SESSION_free() when it has finished using it. 3525 * Otherwise, on 0, it means the callback has finished with it. If 3526 * remove_session_cb is not null, it will be called when a session-id is 3527 * removed from the cache. After the call, OpenSSL will SSL_SESSION_free() 3528 * it. */ 3529 int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess); 3530 void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess); 3531 SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *data, int len, 3532 int *copy); 3533 3534 CRYPTO_refcount_t references; 3535 3536 /* if defined, these override the X509_verify_cert() calls */ 3537 int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg); 3538 void *app_verify_arg; 3539 3540 /* Default password callback. */ 3541 pem_password_cb *default_passwd_callback; 3542 3543 /* Default password callback user data. */ 3544 void *default_passwd_callback_userdata; 3545 3546 /* get client cert callback */ 3547 int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey); 3548 3549 /* get channel id callback */ 3550 void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey); 3551 3552 CRYPTO_EX_DATA ex_data; 3553 3554 /* custom_*_extensions stores any callback sets for custom extensions. Note 3555 * that these pointers will be NULL if the stack would otherwise be empty. */ 3556 STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions; 3557 STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions; 3558 3559 /* Default values used when no per-SSL value is defined follow */ 3560 3561 void (*info_callback)(const SSL *ssl, int type, int value); 3562 3563 /* what we put in client cert requests */ 3564 STACK_OF(X509_NAME) *client_CA; 3565 3566 3567 /* Default values to use in SSL structures follow (these are copied by 3568 * SSL_new) */ 3569 3570 uint32_t options; 3571 uint32_t mode; 3572 uint32_t max_cert_list; 3573 3574 struct cert_st /* CERT */ *cert; 3575 3576 /* callback that allows applications to peek at protocol messages */ 3577 void (*msg_callback)(int write_p, int version, int content_type, 3578 const void *buf, size_t len, SSL *ssl, void *arg); 3579 void *msg_callback_arg; 3580 3581 int verify_mode; 3582 unsigned int sid_ctx_length; 3583 uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 3584 int (*default_verify_callback)( 3585 int ok, X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ 3586 3587 X509_VERIFY_PARAM *param; 3588 3589 /* select_certificate_cb is called before most ClientHello processing and 3590 * before the decision whether to resume a session is made. It may return one 3591 * to continue the handshake or zero to cause the handshake loop to return 3592 * with an error and cause SSL_get_error to return 3593 * SSL_ERROR_PENDING_CERTIFICATE. Note: when the handshake loop is resumed, it 3594 * will not call the callback a second time. */ 3595 int (*select_certificate_cb)(const struct ssl_early_callback_ctx *); 3596 3597 /* dos_protection_cb is called once the resumption decision for a ClientHello 3598 * has been made. It returns one to continue the handshake or zero to 3599 * abort. */ 3600 int (*dos_protection_cb) (const struct ssl_early_callback_ctx *); 3601 3602 /* Maximum amount of data to send in one fragment. actual record size can be 3603 * more than this due to padding and MAC overheads. */ 3604 uint16_t max_send_fragment; 3605 3606 /* TLS extensions servername callback */ 3607 int (*tlsext_servername_callback)(SSL *, int *, void *); 3608 void *tlsext_servername_arg; 3609 /* RFC 4507 session ticket keys */ 3610 uint8_t tlsext_tick_key_name[SSL_TICKET_KEY_NAME_LEN]; 3611 uint8_t tlsext_tick_hmac_key[16]; 3612 uint8_t tlsext_tick_aes_key[16]; 3613 /* Callback to support customisation of ticket key setting */ 3614 int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv, 3615 EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); 3616 3617 /* Server-only: psk_identity_hint is the default identity hint to send in 3618 * PSK-based key exchanges. */ 3619 char *psk_identity_hint; 3620 3621 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, 3622 char *identity, 3623 unsigned int max_identity_len, 3624 uint8_t *psk, unsigned int max_psk_len); 3625 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, 3626 uint8_t *psk, unsigned int max_psk_len); 3627 3628 3629 /* retain_only_sha256_of_client_certs is true if we should compute the SHA256 3630 * hash of the peer's certifiate and then discard it to save memory and 3631 * session space. Only effective on the server side. */ 3632 char retain_only_sha256_of_client_certs; 3633 3634 /* Next protocol negotiation information */ 3635 /* (for experimental NPN extension). */ 3636 3637 /* For a server, this contains a callback function by which the set of 3638 * advertised protocols can be provided. */ 3639 int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out, 3640 unsigned *out_len, void *arg); 3641 void *next_protos_advertised_cb_arg; 3642 /* For a client, this contains a callback function that selects the 3643 * next protocol from the list provided by the server. */ 3644 int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, 3645 const uint8_t *in, unsigned in_len, void *arg); 3646 void *next_proto_select_cb_arg; 3647 3648 /* ALPN information 3649 * (we are in the process of transitioning from NPN to ALPN.) */ 3650 3651 /* For a server, this contains a callback function that allows the 3652 * server to select the protocol for the connection. 3653 * out: on successful return, this must point to the raw protocol 3654 * name (without the length prefix). 3655 * outlen: on successful return, this contains the length of |*out|. 3656 * in: points to the client's list of supported protocols in 3657 * wire-format. 3658 * inlen: the length of |in|. */ 3659 int (*alpn_select_cb)(SSL *s, const uint8_t **out, uint8_t *out_len, 3660 const uint8_t *in, unsigned in_len, void *arg); 3661 void *alpn_select_cb_arg; 3662 3663 /* For a client, this contains the list of supported protocols in wire 3664 * format. */ 3665 uint8_t *alpn_client_proto_list; 3666 unsigned alpn_client_proto_list_len; 3667 3668 /* SRTP profiles we are willing to do from RFC 5764 */ 3669 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 3670 3671 /* EC extension values inherited by SSL structure */ 3672 size_t tlsext_ellipticcurvelist_length; 3673 uint16_t *tlsext_ellipticcurvelist; 3674 3675 /* The client's Channel ID private key. */ 3676 EVP_PKEY *tlsext_channel_id_private; 3677 3678 /* Signed certificate timestamp list to be sent to the client, if requested */ 3679 uint8_t *signed_cert_timestamp_list; 3680 size_t signed_cert_timestamp_list_length; 3681 3682 /* OCSP response to be sent to the client, if requested. */ 3683 uint8_t *ocsp_response; 3684 size_t ocsp_response_length; 3685 3686 /* keylog_callback, if not NULL, is the key logging callback. See 3687 * |SSL_CTX_set_keylog_callback|. */ 3688 void (*keylog_callback)(const SSL *ssl, const char *line); 3689 3690 /* current_time_cb, if not NULL, is the function to use to get the current 3691 * time. It sets |*out_clock| to the current time. */ 3692 void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock); 3693 3694 /* quiet_shutdown is true if the connection should not send a close_notify on 3695 * shutdown. */ 3696 unsigned quiet_shutdown:1; 3697 3698 /* ocsp_stapling_enabled is only used by client connections and indicates 3699 * whether OCSP stapling will be requested. */ 3700 unsigned ocsp_stapling_enabled:1; 3701 3702 /* If true, a client will request certificate timestamps. */ 3703 unsigned signed_cert_timestamps_enabled:1; 3704 3705 /* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server, 3706 * means that we'll accept Channel IDs from clients. For a client, means that 3707 * we'll advertise support. */ 3708 unsigned tlsext_channel_id_enabled:1; 3709 }; 3710 3711 struct ssl_st { 3712 /* version is the protocol version. */ 3713 int version; 3714 3715 /* max_version is the maximum acceptable protocol version. If zero, the 3716 * maximum supported version, currently (D)TLS 1.2, is used. */ 3717 uint16_t max_version; 3718 3719 /* min_version is the minimum acceptable protocl version. If zero, the 3720 * minimum supported version, currently SSL 3.0 and DTLS 1.0, is used */ 3721 uint16_t min_version; 3722 3723 /* method is the method table corresponding to the current protocol (DTLS or 3724 * TLS). */ 3725 const SSL_PROTOCOL_METHOD *method; 3726 3727 /* enc_method is the method table corresponding to the current protocol 3728 * version. */ 3729 const SSL3_ENC_METHOD *enc_method; 3730 3731 /* There are 2 BIO's even though they are normally both the same. This is so 3732 * data can be read and written to different handlers */ 3733 3734 BIO *rbio; /* used by SSL_read */ 3735 BIO *wbio; /* used by SSL_write */ 3736 3737 /* bbio, if non-NULL, is a buffer placed in front of |wbio| to pack handshake 3738 * messages within one flight into a single |BIO_write|. 3739 * 3740 * TODO(davidben): This does not work right for DTLS. It assumes the MTU is 3741 * smaller than the buffer size so that the buffer's internal flushing never 3742 * kicks in. It also doesn't kick in for DTLS retransmission. Replace this 3743 * with a better mechanism. */ 3744 BIO *bbio; 3745 3746 int (*handshake_func)(SSL *); 3747 3748 /* Imagine that here's a boolean member "init" that is switched as soon as 3749 * SSL_set_{accept/connect}_state is called for the first time, so that 3750 * "state" and "handshake_func" are properly initialized. But as 3751 * handshake_func is == 0 until then, we use this test instead of an "init" 3752 * member. */ 3753 3754 int shutdown; /* we have shut things down, 0x01 sent, 0x02 3755 * for received */ 3756 int state; /* where we are */ 3757 3758 BUF_MEM *init_buf; /* buffer used during init */ 3759 uint8_t *init_msg; /* pointer to handshake message body, set by 3760 ssl3_get_message() */ 3761 int init_num; /* amount read/written */ 3762 int init_off; /* amount read/written */ 3763 3764 struct ssl3_state_st *s3; /* SSLv3 variables */ 3765 struct dtls1_state_st *d1; /* DTLSv1 variables */ 3766 3767 /* callback that allows applications to peek at protocol messages */ 3768 void (*msg_callback)(int write_p, int version, int content_type, 3769 const void *buf, size_t len, SSL *ssl, void *arg); 3770 void *msg_callback_arg; 3771 3772 X509_VERIFY_PARAM *param; 3773 3774 /* crypto */ 3775 struct ssl_cipher_preference_list_st *cipher_list; 3776 STACK_OF(SSL_CIPHER) *cipher_list_by_id; 3777 3778 SSL_AEAD_CTX *aead_read_ctx; 3779 SSL_AEAD_CTX *aead_write_ctx; 3780 3781 /* session info */ 3782 3783 /* client cert? */ 3784 /* This is used to hold the server certificate used */ 3785 struct cert_st /* CERT */ *cert; 3786 3787 /* This holds a variable that indicates what we were doing when a 0 or -1 is 3788 * returned. This is needed for non-blocking IO so we know what request 3789 * needs re-doing when in SSL_accept or SSL_connect */ 3790 int rwstate; 3791 3792 /* the session_id_context is used to ensure sessions are only reused 3793 * in the appropriate context */ 3794 unsigned int sid_ctx_length; 3795 uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 3796 3797 /* This can also be in the session once a session is established */ 3798 SSL_SESSION *session; 3799 3800 int (*verify_callback)(int ok, 3801 X509_STORE_CTX *ctx); /* fail if callback returns 0 */ 3802 3803 void (*info_callback)(const SSL *ssl, int type, int value); 3804 3805 /* Server-only: psk_identity_hint is the identity hint to send in 3806 * PSK-based key exchanges. */ 3807 char *psk_identity_hint; 3808 3809 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, 3810 char *identity, 3811 unsigned int max_identity_len, 3812 uint8_t *psk, unsigned int max_psk_len); 3813 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, 3814 uint8_t *psk, unsigned int max_psk_len); 3815 3816 SSL_CTX *ctx; 3817 3818 /* extra application data */ 3819 long verify_result; 3820 CRYPTO_EX_DATA ex_data; 3821 3822 /* for server side, keep the list of CA_dn we can use */ 3823 STACK_OF(X509_NAME) *client_CA; 3824 3825 uint32_t options; /* protocol behaviour */ 3826 uint32_t mode; /* API behaviour */ 3827 uint32_t max_cert_list; 3828 int client_version; /* what was passed, used for 3829 * SSLv3/TLS rollback check */ 3830 uint16_t max_send_fragment; 3831 char *tlsext_hostname; 3832 /* RFC4507 session ticket expected to be received or sent */ 3833 int tlsext_ticket_expected; 3834 size_t tlsext_ellipticcurvelist_length; 3835 uint16_t *tlsext_ellipticcurvelist; /* our list */ 3836 3837 SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */ 3838 3839 /* Next protocol negotiation. For the client, this is the protocol that we 3840 * sent in NextProtocol and is set when handling ServerHello extensions. 3841 * 3842 * For a server, this is the client's selected_protocol from NextProtocol and 3843 * is set when handling the NextProtocol message, before the Finished 3844 * message. */ 3845 uint8_t *next_proto_negotiated; 3846 size_t next_proto_negotiated_len; 3847 3848 /* srtp_profiles is the list of configured SRTP protection profiles for 3849 * DTLS-SRTP. */ 3850 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 3851 3852 /* srtp_profile is the selected SRTP protection profile for 3853 * DTLS-SRTP. */ 3854 const SRTP_PROTECTION_PROFILE *srtp_profile; 3855 3856 /* The client's Channel ID private key. */ 3857 EVP_PKEY *tlsext_channel_id_private; 3858 3859 /* For a client, this contains the list of supported protocols in wire 3860 * format. */ 3861 uint8_t *alpn_client_proto_list; 3862 unsigned alpn_client_proto_list_len; 3863 3864 /* renegotiate_mode controls how peer renegotiation attempts are handled. */ 3865 enum ssl_renegotiate_mode_t renegotiate_mode; 3866 3867 /* These fields are always NULL and exist only to keep wpa_supplicant happy 3868 * about the change to EVP_AEAD. They are only needed for EAP-FAST, which we 3869 * don't support. */ 3870 EVP_CIPHER_CTX *enc_read_ctx; 3871 EVP_MD_CTX *read_hash; 3872 3873 /* in_handshake is non-zero when we are actually in SSL_accept() or 3874 * SSL_connect() */ 3875 int in_handshake; 3876 3877 /* verify_mode is a bitmask of |SSL_VERIFY_*| values. */ 3878 uint8_t verify_mode; 3879 3880 /* hit is true if this connection is resuming a previous session. */ 3881 unsigned hit:1; 3882 3883 /* server is true iff the this SSL* is the server half. Note: before the SSL* 3884 * is initialized by either SSL_set_accept_state or SSL_set_connect_state, 3885 * the side is not determined. In this state, server is always false. */ 3886 unsigned server:1; 3887 3888 /* quiet_shutdown is true if the connection should not send a close_notify on 3889 * shutdown. */ 3890 unsigned quiet_shutdown:1; 3891 3892 /* Enable signed certificate time stamps. Currently client only. */ 3893 unsigned signed_cert_timestamps_enabled:1; 3894 3895 /* ocsp_stapling_enabled is only used by client connections and indicates 3896 * whether OCSP stapling will be requested. */ 3897 unsigned ocsp_stapling_enabled:1; 3898 3899 /* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server, 3900 * means that we'll accept Channel IDs from clients. For a client, means that 3901 * we'll advertise support. */ 3902 unsigned tlsext_channel_id_enabled:1; 3903 }; 3904 3905 typedef struct ssl3_record_st { 3906 /* type is the record type. */ 3907 uint8_t type; 3908 /* length is the number of unconsumed bytes in the record. */ 3909 uint16_t length; 3910 /* data is a non-owning pointer to the first unconsumed byte of the record. */ 3911 uint8_t *data; 3912 } SSL3_RECORD; 3913 3914 typedef struct ssl3_buffer_st { 3915 /* buf is the memory allocated for this buffer. */ 3916 uint8_t *buf; 3917 /* offset is the offset into |buf| which the buffer contents start at. */ 3918 uint16_t offset; 3919 /* len is the length of the buffer contents from |buf| + |offset|. */ 3920 uint16_t len; 3921 /* cap is how much memory beyond |buf| + |offset| is available. */ 3922 uint16_t cap; 3923 } SSL3_BUFFER; 3924 3925 typedef struct ssl3_state_st { 3926 uint8_t read_sequence[8]; 3927 uint8_t write_sequence[8]; 3928 3929 uint8_t server_random[SSL3_RANDOM_SIZE]; 3930 uint8_t client_random[SSL3_RANDOM_SIZE]; 3931 3932 /* have_version is true if the connection's final version is known. Otherwise 3933 * the version has not been negotiated yet. */ 3934 char have_version; 3935 3936 /* initial_handshake_complete is true if the initial handshake has 3937 * completed. */ 3938 char initial_handshake_complete; 3939 3940 /* read_buffer holds data from the transport to be processed. */ 3941 SSL3_BUFFER read_buffer; 3942 /* write_buffer holds data to be written to the transport. */ 3943 SSL3_BUFFER write_buffer; 3944 3945 SSL3_RECORD rrec; /* each decoded record goes in here */ 3946 3947 /* hello_request_len is the number of bytes of HelloRequest received, possibly 3948 * split over multiple records. */ 3949 uint8_t hello_request_len; 3950 3951 /* partial write - check the numbers match */ 3952 unsigned int wnum; /* number of bytes sent so far */ 3953 int wpend_tot; /* number bytes written */ 3954 int wpend_type; 3955 int wpend_ret; /* number of bytes submitted */ 3956 const uint8_t *wpend_buf; 3957 3958 /* handshake_buffer, if non-NULL, contains the handshake transcript. */ 3959 BUF_MEM *handshake_buffer; 3960 /* handshake_hash, if initialized with an |EVP_MD|, maintains the handshake 3961 * hash. For TLS 1.1 and below, it is the SHA-1 half. */ 3962 EVP_MD_CTX handshake_hash; 3963 /* handshake_md5, if initialized with an |EVP_MD|, maintains the MD5 half of 3964 * the handshake hash for TLS 1.1 and below. */ 3965 EVP_MD_CTX handshake_md5; 3966 3967 int warn_alert; 3968 int fatal_alert; 3969 /* we allow one fatal and one warning alert to be outstanding, send close 3970 * alert via the warning alert */ 3971 int alert_dispatch; 3972 uint8_t send_alert[2]; 3973 3974 int total_renegotiations; 3975 3976 /* empty_record_count is the number of consecutive empty records received. */ 3977 uint8_t empty_record_count; 3978 3979 /* warning_alert_count is the number of consecutive warning alerts 3980 * received. */ 3981 uint8_t warning_alert_count; 3982 3983 /* State pertaining to the pending handshake. 3984 * 3985 * TODO(davidben): State is current spread all over the place. Move 3986 * pending handshake state here so it can be managed separately from 3987 * established connection state in case of renegotiations. */ 3988 struct { 3989 uint8_t finish_md[EVP_MAX_MD_SIZE]; 3990 int finish_md_len; 3991 uint8_t peer_finish_md[EVP_MAX_MD_SIZE]; 3992 int peer_finish_md_len; 3993 3994 unsigned long message_size; 3995 int message_type; 3996 3997 /* used to hold the new cipher we are going to use */ 3998 const SSL_CIPHER *new_cipher; 3999 4000 /* used when SSL_ST_FLUSH_DATA is entered */ 4001 int next_state; 4002 4003 int reuse_message; 4004 4005 union { 4006 /* sent is a bitset where the bits correspond to elements of kExtensions 4007 * in t1_lib.c. Each bit is set if that extension was sent in a 4008 * ClientHello. It's not used by servers. */ 4009 uint32_t sent; 4010 /* received is a bitset, like |sent|, but is used by servers to record 4011 * which extensions were received from a client. */ 4012 uint32_t received; 4013 } extensions; 4014 4015 union { 4016 /* sent is a bitset where the bits correspond to elements of 4017 * |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that 4018 * extension was sent in a ClientHello. It's not used by servers. */ 4019 uint16_t sent; 4020 /* received is a bitset, like |sent|, but is used by servers to record 4021 * which custom extensions were received from a client. The bits here 4022 * correspond to |server_custom_extensions|. */ 4023 uint16_t received; 4024 } custom_extensions; 4025 4026 /* SNI extension */ 4027 4028 /* should_ack_sni is used by a server and indicates that the SNI extension 4029 * should be echoed in the ServerHello. */ 4030 unsigned should_ack_sni:1; 4031 4032 4033 /* Client-only: cert_req determines if a client certificate is to be sent. 4034 * This is 0 if no client Certificate message is to be sent, 1 if there is 4035 * a client certificate, and 2 to send an empty client Certificate 4036 * message. */ 4037 int cert_req; 4038 4039 /* Client-only: ca_names contains the list of CAs received in a 4040 * CertificateRequest message. */ 4041 STACK_OF(X509_NAME) *ca_names; 4042 4043 /* Client-only: certificate_types contains the set of certificate types 4044 * received in a CertificateRequest message. */ 4045 uint8_t *certificate_types; 4046 size_t num_certificate_types; 4047 4048 int key_block_length; 4049 uint8_t *key_block; 4050 4051 const EVP_AEAD *new_aead; 4052 uint8_t new_mac_secret_len; 4053 uint8_t new_fixed_iv_len; 4054 uint8_t new_variable_iv_len; 4055 4056 /* Server-only: cert_request is true if a client certificate was 4057 * requested. */ 4058 int cert_request; 4059 4060 /* certificate_status_expected is true if OCSP stapling was negotiated and 4061 * the server is expected to send a CertificateStatus message. (This is 4062 * used on both the client and server sides.) */ 4063 unsigned certificate_status_expected:1; 4064 4065 /* ocsp_stapling_requested is true if a client requested OCSP stapling. */ 4066 unsigned ocsp_stapling_requested:1; 4067 4068 /* Server-only: peer_ellipticcurvelist contains the EC curve IDs advertised 4069 * by the peer. This is only set on the server's end. The server does not 4070 * advertise this extension to the client. */ 4071 uint16_t *peer_ellipticcurvelist; 4072 size_t peer_ellipticcurvelist_length; 4073 4074 /* extended_master_secret indicates whether the extended master secret 4075 * computation is used in this handshake. Note that this is different from 4076 * whether it was used for the current session. If this is a resumption 4077 * handshake then EMS might be negotiated in the client and server hello 4078 * messages, but it doesn't matter if the session that's being resumed 4079 * didn't use it to create the master secret initially. */ 4080 char extended_master_secret; 4081 4082 /* Client-only: peer_psk_identity_hint is the psk_identity_hint sent by the 4083 * server when using a PSK key exchange. */ 4084 char *peer_psk_identity_hint; 4085 4086 /* new_mac_secret_size is unused and exists only until wpa_supplicant can 4087 * be updated. It is only needed for EAP-FAST, which we don't support. */ 4088 uint8_t new_mac_secret_size; 4089 4090 /* Client-only: in_false_start is one if there is a pending handshake in 4091 * False Start. The client may write data at this point. */ 4092 char in_false_start; 4093 4094 /* server_key_exchange_hash, on a client, is the hash the server used to 4095 * sign the ServerKeyExchange in TLS 1.2. If not applicable, it is 4096 * |TLSEXT_hash_none|. */ 4097 uint8_t server_key_exchange_hash; 4098 4099 /* ecdh_ctx is the current ECDH instance. */ 4100 SSL_ECDH_CTX ecdh_ctx; 4101 4102 /* peer_key is the peer's ECDH key. */ 4103 uint8_t *peer_key; 4104 uint16_t peer_key_len; 4105 } tmp; 4106 4107 /* Connection binding to prevent renegotiation attacks */ 4108 uint8_t previous_client_finished[EVP_MAX_MD_SIZE]; 4109 uint8_t previous_client_finished_len; 4110 uint8_t previous_server_finished[EVP_MAX_MD_SIZE]; 4111 uint8_t previous_server_finished_len; 4112 int send_connection_binding; /* TODOEKR */ 4113 4114 /* Set if we saw the Next Protocol Negotiation extension from our peer. */ 4115 int next_proto_neg_seen; 4116 4117 /* ALPN information 4118 * (we are in the process of transitioning from NPN to ALPN.) */ 4119 4120 /* In a server these point to the selected ALPN protocol after the 4121 * ClientHello has been processed. In a client these contain the protocol 4122 * that the server selected once the ServerHello has been processed. */ 4123 uint8_t *alpn_selected; 4124 size_t alpn_selected_len; 4125 4126 /* In a client, this means that the server supported Channel ID and that a 4127 * Channel ID was sent. In a server it means that we echoed support for 4128 * Channel IDs and that tlsext_channel_id will be valid after the 4129 * handshake. */ 4130 char tlsext_channel_id_valid; 4131 /* For a server: 4132 * If |tlsext_channel_id_valid| is true, then this contains the 4133 * verified Channel ID from the client: a P256 point, (x,y), where 4134 * each are big-endian values. */ 4135 uint8_t tlsext_channel_id[64]; 4136 } SSL3_STATE; 4137 4138 4139 /* Android compatibility section (hidden). 4140 * 4141 * These functions are declared, temporarily, for Android because 4142 * wpa_supplicant will take a little time to sync with upstream. Outside of 4143 * Android they'll have no definition. */ 4144 4145 #define SSL_F_SSL_SET_SESSION_TICKET_EXT doesnt_exist 4146 4147 OPENSSL_EXPORT int SSL_set_session_ticket_ext(SSL *s, void *ext_data, 4148 int ext_len); 4149 OPENSSL_EXPORT int SSL_set_session_secret_cb(SSL *s, void *cb, void *arg); 4150 OPENSSL_EXPORT int SSL_set_session_ticket_ext_cb(SSL *s, void *cb, void *arg); 4151 OPENSSL_EXPORT int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method); 4152 4153 4154 /* Preprocessor compatibility section (hidden). 4155 * 4156 * Historically, a number of APIs were implemented in OpenSSL as macros and 4157 * constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this 4158 * section defines a number of legacy macros. 4159 * 4160 * Although using either the CTRL values or their wrapper macros in #ifdefs is 4161 * still supported, the CTRL values may not be passed to |SSL_ctrl| and 4162 * |SSL_CTX_ctrl|. Call the functions (previously wrapper macros) instead. */ 4163 4164 #define DTLS_CTRL_GET_TIMEOUT doesnt_exist 4165 #define DTLS_CTRL_HANDLE_TIMEOUT doesnt_exist 4166 #define SSL_CTRL_CHAIN doesnt_exist 4167 #define SSL_CTRL_CHAIN_CERT doesnt_exist 4168 #define SSL_CTRL_CHANNEL_ID doesnt_exist 4169 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS doesnt_exist 4170 #define SSL_CTRL_CLEAR_MODE doesnt_exist 4171 #define SSL_CTRL_CLEAR_OPTIONS doesnt_exist 4172 #define SSL_CTRL_EXTRA_CHAIN_CERT doesnt_exist 4173 #define SSL_CTRL_GET_CHAIN_CERTS doesnt_exist 4174 #define SSL_CTRL_GET_CHANNEL_ID doesnt_exist 4175 #define SSL_CTRL_GET_CLIENT_CERT_TYPES doesnt_exist 4176 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS doesnt_exist 4177 #define SSL_CTRL_GET_MAX_CERT_LIST doesnt_exist 4178 #define SSL_CTRL_GET_NUM_RENEGOTIATIONS doesnt_exist 4179 #define SSL_CTRL_GET_READ_AHEAD doesnt_exist 4180 #define SSL_CTRL_GET_RI_SUPPORT doesnt_exist 4181 #define SSL_CTRL_GET_SESSION_REUSED doesnt_exist 4182 #define SSL_CTRL_GET_SESS_CACHE_MODE doesnt_exist 4183 #define SSL_CTRL_GET_SESS_CACHE_SIZE doesnt_exist 4184 #define SSL_CTRL_GET_TLSEXT_TICKET_KEYS doesnt_exist 4185 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS doesnt_exist 4186 #define SSL_CTRL_MODE doesnt_exist 4187 #define SSL_CTRL_NEED_TMP_RSA doesnt_exist 4188 #define SSL_CTRL_OPTIONS doesnt_exist 4189 #define SSL_CTRL_SESS_NUMBER doesnt_exist 4190 #define SSL_CTRL_SET_CHANNEL_ID doesnt_exist 4191 #define SSL_CTRL_SET_CURVES doesnt_exist 4192 #define SSL_CTRL_SET_MAX_CERT_LIST doesnt_exist 4193 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT doesnt_exist 4194 #define SSL_CTRL_SET_MSG_CALLBACK doesnt_exist 4195 #define SSL_CTRL_SET_MSG_CALLBACK_ARG doesnt_exist 4196 #define SSL_CTRL_SET_MTU doesnt_exist 4197 #define SSL_CTRL_SET_READ_AHEAD doesnt_exist 4198 #define SSL_CTRL_SET_SESS_CACHE_MODE doesnt_exist 4199 #define SSL_CTRL_SET_SESS_CACHE_SIZE doesnt_exist 4200 #define SSL_CTRL_SET_TLSEXT_HOSTNAME doesnt_exist 4201 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG doesnt_exist 4202 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB doesnt_exist 4203 #define SSL_CTRL_SET_TLSEXT_TICKET_KEYS doesnt_exist 4204 #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB doesnt_exist 4205 #define SSL_CTRL_SET_TMP_DH doesnt_exist 4206 #define SSL_CTRL_SET_TMP_DH_CB doesnt_exist 4207 #define SSL_CTRL_SET_TMP_ECDH doesnt_exist 4208 #define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist 4209 #define SSL_CTRL_SET_TMP_RSA doesnt_exist 4210 #define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist 4211 4212 #define DTLSv1_get_timeout DTLSv1_get_timeout 4213 #define DTLSv1_handle_timeout DTLSv1_handle_timeout 4214 #define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert 4215 #define SSL_CTX_add1_chain_cert SSL_CTX_add1_chain_cert 4216 #define SSL_CTX_add_extra_chain_cert SSL_CTX_add_extra_chain_cert 4217 #define SSL_CTX_clear_extra_chain_certs SSL_CTX_clear_extra_chain_certs 4218 #define SSL_CTX_clear_chain_certs SSL_CTX_clear_chain_certs 4219 #define SSL_CTX_clear_mode SSL_CTX_clear_mode 4220 #define SSL_CTX_clear_options SSL_CTX_clear_options 4221 #define SSL_CTX_enable_tls_channel_id SSL_CTX_enable_tls_channel_id 4222 #define SSL_CTX_get0_chain_certs SSL_CTX_get0_chain_certs 4223 #define SSL_CTX_get_extra_chain_certs SSL_CTX_get_extra_chain_certs 4224 #define SSL_CTX_get_max_cert_list SSL_CTX_get_max_cert_list 4225 #define SSL_CTX_get_mode SSL_CTX_get_mode 4226 #define SSL_CTX_get_options SSL_CTX_get_options 4227 #define SSL_CTX_get_read_ahead SSL_CTX_get_read_ahead 4228 #define SSL_CTX_get_session_cache_mode SSL_CTX_get_session_cache_mode 4229 #define SSL_CTX_get_tlsext_ticket_keys SSL_CTX_get_tlsext_ticket_keys 4230 #define SSL_CTX_need_tmp_RSA SSL_CTX_need_tmp_RSA 4231 #define SSL_CTX_sess_get_cache_size SSL_CTX_sess_get_cache_size 4232 #define SSL_CTX_sess_number SSL_CTX_sess_number 4233 #define SSL_CTX_sess_set_cache_size SSL_CTX_sess_set_cache_size 4234 #define SSL_CTX_set0_chain SSL_CTX_set0_chain 4235 #define SSL_CTX_set1_chain SSL_CTX_set1_chain 4236 #define SSL_CTX_set1_curves SSL_CTX_set1_curves 4237 #define SSL_CTX_set1_tls_channel_id SSL_CTX_set1_tls_channel_id 4238 #define SSL_CTX_set_max_cert_list SSL_CTX_set_max_cert_list 4239 #define SSL_CTX_set_max_send_fragment SSL_CTX_set_max_send_fragment 4240 #define SSL_CTX_set_mode SSL_CTX_set_mode 4241 #define SSL_CTX_set_msg_callback_arg SSL_CTX_set_msg_callback_arg 4242 #define SSL_CTX_set_options SSL_CTX_set_options 4243 #define SSL_CTX_set_read_ahead SSL_CTX_set_read_ahead 4244 #define SSL_CTX_set_session_cache_mode SSL_CTX_set_session_cache_mode 4245 #define SSL_CTX_set_tlsext_servername_arg SSL_CTX_set_tlsext_servername_arg 4246 #define SSL_CTX_set_tlsext_servername_callback \ 4247 SSL_CTX_set_tlsext_servername_callback 4248 #define SSL_CTX_set_tlsext_ticket_key_cb SSL_CTX_set_tlsext_ticket_key_cb 4249 #define SSL_CTX_set_tlsext_ticket_keys SSL_CTX_set_tlsext_ticket_keys 4250 #define SSL_CTX_set_tmp_dh SSL_CTX_set_tmp_dh 4251 #define SSL_CTX_set_tmp_ecdh SSL_CTX_set_tmp_ecdh 4252 #define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa 4253 #define SSL_add0_chain_cert SSL_add0_chain_cert 4254 #define SSL_add1_chain_cert SSL_add1_chain_cert 4255 #define SSL_clear_chain_certs SSL_clear_chain_certs 4256 #define SSL_clear_mode SSL_clear_mode 4257 #define SSL_clear_options SSL_clear_options 4258 #define SSL_enable_tls_channel_id SSL_enable_tls_channel_id 4259 #define SSL_get0_certificate_types SSL_get0_certificate_types 4260 #define SSL_get0_chain_certs SSL_get0_chain_certs 4261 #define SSL_get_max_cert_list SSL_get_max_cert_list 4262 #define SSL_get_mode SSL_get_mode 4263 #define SSL_get_options SSL_get_options 4264 #define SSL_get_secure_renegotiation_support \ 4265 SSL_get_secure_renegotiation_support 4266 #define SSL_get_tls_channel_id SSL_get_tls_channel_id 4267 #define SSL_need_tmp_RSA SSL_need_tmp_RSA 4268 #define SSL_num_renegotiations SSL_num_renegotiations 4269 #define SSL_session_reused SSL_session_reused 4270 #define SSL_set0_chain SSL_set0_chain 4271 #define SSL_set1_chain SSL_set1_chain 4272 #define SSL_set1_curves SSL_set1_curves 4273 #define SSL_set1_tls_channel_id SSL_set1_tls_channel_id 4274 #define SSL_set_max_cert_list SSL_set_max_cert_list 4275 #define SSL_set_max_send_fragment SSL_set_max_send_fragment 4276 #define SSL_set_mode SSL_set_mode 4277 #define SSL_set_msg_callback_arg SSL_set_msg_callback_arg 4278 #define SSL_set_mtu SSL_set_mtu 4279 #define SSL_set_options SSL_set_options 4280 #define SSL_set_tlsext_host_name SSL_set_tlsext_host_name 4281 #define SSL_set_tmp_dh SSL_set_tmp_dh 4282 #define SSL_set_tmp_ecdh SSL_set_tmp_ecdh 4283 #define SSL_set_tmp_rsa SSL_set_tmp_rsa 4284 #define SSL_total_renegotiations SSL_total_renegotiations 4285 4286 4287 #if defined(__cplusplus) 4288 } /* extern C */ 4289 #endif 4290 4291 #define SSL_R_APP_DATA_IN_HANDSHAKE 100 4292 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101 4293 #define SSL_R_BAD_ALERT 102 4294 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 4295 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 104 4296 #define SSL_R_BAD_DH_P_LENGTH 105 4297 #define SSL_R_BAD_DIGEST_LENGTH 106 4298 #define SSL_R_BAD_ECC_CERT 107 4299 #define SSL_R_BAD_ECPOINT 108 4300 #define SSL_R_BAD_HANDSHAKE_RECORD 109 4301 #define SSL_R_BAD_HELLO_REQUEST 110 4302 #define SSL_R_BAD_LENGTH 111 4303 #define SSL_R_BAD_PACKET_LENGTH 112 4304 #define SSL_R_BAD_RSA_ENCRYPT 113 4305 #define SSL_R_BAD_SIGNATURE 114 4306 #define SSL_R_BAD_SRTP_MKI_VALUE 115 4307 #define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 116 4308 #define SSL_R_BAD_SSL_FILETYPE 117 4309 #define SSL_R_BAD_WRITE_RETRY 118 4310 #define SSL_R_BIO_NOT_SET 119 4311 #define SSL_R_BN_LIB 120 4312 #define SSL_R_BUFFER_TOO_SMALL 121 4313 #define SSL_R_CA_DN_LENGTH_MISMATCH 122 4314 #define SSL_R_CA_DN_TOO_LONG 123 4315 #define SSL_R_CCS_RECEIVED_EARLY 124 4316 #define SSL_R_CERTIFICATE_VERIFY_FAILED 125 4317 #define SSL_R_CERT_CB_ERROR 126 4318 #define SSL_R_CERT_LENGTH_MISMATCH 127 4319 #define SSL_R_CHANNEL_ID_NOT_P256 128 4320 #define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 129 4321 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 130 4322 #define SSL_R_CLIENTHELLO_PARSE_FAILED 131 4323 #define SSL_R_CLIENTHELLO_TLSEXT 132 4324 #define SSL_R_CONNECTION_REJECTED 133 4325 #define SSL_R_CONNECTION_TYPE_NOT_SET 134 4326 #define SSL_R_CUSTOM_EXTENSION_ERROR 135 4327 #define SSL_R_DATA_LENGTH_TOO_LONG 136 4328 #define SSL_R_DECODE_ERROR 137 4329 #define SSL_R_DECRYPTION_FAILED 138 4330 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 139 4331 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 140 4332 #define SSL_R_DH_P_TOO_LONG 141 4333 #define SSL_R_DIGEST_CHECK_FAILED 142 4334 #define SSL_R_DTLS_MESSAGE_TOO_BIG 143 4335 #define SSL_R_ECC_CERT_NOT_FOR_SIGNING 144 4336 #define SSL_R_EMS_STATE_INCONSISTENT 145 4337 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 146 4338 #define SSL_R_ERROR_ADDING_EXTENSION 147 4339 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 148 4340 #define SSL_R_ERROR_PARSING_EXTENSION 149 4341 #define SSL_R_EXCESSIVE_MESSAGE_SIZE 150 4342 #define SSL_R_EXTRA_DATA_IN_MESSAGE 151 4343 #define SSL_R_FRAGMENT_MISMATCH 152 4344 #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 153 4345 #define SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO 154 4346 #define SSL_R_HTTPS_PROXY_REQUEST 155 4347 #define SSL_R_HTTP_REQUEST 156 4348 #define SSL_R_INAPPROPRIATE_FALLBACK 157 4349 #define SSL_R_INVALID_COMMAND 158 4350 #define SSL_R_INVALID_MESSAGE 159 4351 #define SSL_R_INVALID_SSL_SESSION 160 4352 #define SSL_R_INVALID_TICKET_KEYS_LENGTH 161 4353 #define SSL_R_LENGTH_MISMATCH 162 4354 #define SSL_R_LIBRARY_HAS_NO_CIPHERS 163 4355 #define SSL_R_MISSING_EXTENSION 164 4356 #define SSL_R_MISSING_RSA_CERTIFICATE 165 4357 #define SSL_R_MISSING_TMP_DH_KEY 166 4358 #define SSL_R_MISSING_TMP_ECDH_KEY 167 4359 #define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 168 4360 #define SSL_R_MTU_TOO_SMALL 169 4361 #define SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN 170 4362 #define SSL_R_NESTED_GROUP 171 4363 #define SSL_R_NO_CERTIFICATES_RETURNED 172 4364 #define SSL_R_NO_CERTIFICATE_ASSIGNED 173 4365 #define SSL_R_NO_CERTIFICATE_SET 174 4366 #define SSL_R_NO_CIPHERS_AVAILABLE 175 4367 #define SSL_R_NO_CIPHERS_PASSED 176 4368 #define SSL_R_NO_CIPHER_MATCH 177 4369 #define SSL_R_NO_COMPRESSION_SPECIFIED 178 4370 #define SSL_R_NO_METHOD_SPECIFIED 179 4371 #define SSL_R_NO_P256_SUPPORT 180 4372 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 181 4373 #define SSL_R_NO_RENEGOTIATION 182 4374 #define SSL_R_NO_REQUIRED_DIGEST 183 4375 #define SSL_R_NO_SHARED_CIPHER 184 4376 #define SSL_R_NULL_SSL_CTX 185 4377 #define SSL_R_NULL_SSL_METHOD_PASSED 186 4378 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 187 4379 #define SSL_R_OLD_SESSION_VERSION_NOT_RETURNED 188 4380 #define SSL_R_OUTPUT_ALIASES_INPUT 189 4381 #define SSL_R_PARSE_TLSEXT 190 4382 #define SSL_R_PATH_TOO_LONG 191 4383 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 192 4384 #define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 193 4385 #define SSL_R_PROTOCOL_IS_SHUTDOWN 194 4386 #define SSL_R_PSK_IDENTITY_NOT_FOUND 195 4387 #define SSL_R_PSK_NO_CLIENT_CB 196 4388 #define SSL_R_PSK_NO_SERVER_CB 197 4389 #define SSL_R_READ_TIMEOUT_EXPIRED 198 4390 #define SSL_R_RECORD_LENGTH_MISMATCH 199 4391 #define SSL_R_RECORD_TOO_LARGE 200 4392 #define SSL_R_RENEGOTIATION_ENCODING_ERR 201 4393 #define SSL_R_RENEGOTIATION_MISMATCH 202 4394 #define SSL_R_REQUIRED_CIPHER_MISSING 203 4395 #define SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION 204 4396 #define SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION 205 4397 #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 206 4398 #define SSL_R_SERVERHELLO_TLSEXT 207 4399 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 208 4400 #define SSL_R_SESSION_MAY_NOT_BE_CREATED 209 4401 #define SSL_R_SIGNATURE_ALGORITHMS_EXTENSION_SENT_BY_SERVER 210 4402 #define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 211 4403 #define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 212 4404 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME 213 4405 #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 214 4406 #define SSL_R_SSL_HANDSHAKE_FAILURE 215 4407 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 216 4408 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 217 4409 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 218 4410 #define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 219 4411 #define SSL_R_TOO_MANY_WARNING_ALERTS 220 4412 #define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 221 4413 #define SSL_R_UNEXPECTED_EXTENSION 222 4414 #define SSL_R_UNEXPECTED_MESSAGE 223 4415 #define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 224 4416 #define SSL_R_UNEXPECTED_RECORD 225 4417 #define SSL_R_UNINITIALIZED 226 4418 #define SSL_R_UNKNOWN_ALERT_TYPE 227 4419 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE 228 4420 #define SSL_R_UNKNOWN_CIPHER_RETURNED 229 4421 #define SSL_R_UNKNOWN_CIPHER_TYPE 230 4422 #define SSL_R_UNKNOWN_DIGEST 231 4423 #define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 232 4424 #define SSL_R_UNKNOWN_PROTOCOL 233 4425 #define SSL_R_UNKNOWN_SSL_VERSION 234 4426 #define SSL_R_UNKNOWN_STATE 235 4427 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 236 4428 #define SSL_R_UNSUPPORTED_CIPHER 237 4429 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 238 4430 #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 239 4431 #define SSL_R_UNSUPPORTED_PROTOCOL 240 4432 #define SSL_R_WRONG_CERTIFICATE_TYPE 241 4433 #define SSL_R_WRONG_CIPHER_RETURNED 242 4434 #define SSL_R_WRONG_CURVE 243 4435 #define SSL_R_WRONG_MESSAGE_TYPE 244 4436 #define SSL_R_WRONG_SIGNATURE_TYPE 245 4437 #define SSL_R_WRONG_SSL_VERSION 246 4438 #define SSL_R_WRONG_VERSION_NUMBER 247 4439 #define SSL_R_X509_LIB 248 4440 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 249 4441 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000 4442 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 4443 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 4444 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 4445 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 4446 #define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030 4447 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 4448 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 4449 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 4450 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 4451 #define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044 4452 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 4453 #define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046 4454 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 4455 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 4456 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 4457 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 4458 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 4459 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 4460 #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 4461 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 4462 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 4463 #define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 4464 #define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 4465 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 4466 #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 4467 #define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 4468 #define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 4469 #define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 4470 #define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 4471 4472 #endif /* OPENSSL_HEADER_SSL_H */ 4473