• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.]
56  */
57 /* ====================================================================
58  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
59  *
60  * Redistribution and use in source and binary forms, with or without
61  * modification, are permitted provided that the following conditions
62  * are met:
63  *
64  * 1. Redistributions of source code must retain the above copyright
65  *    notice, this list of conditions and the following disclaimer.
66  *
67  * 2. Redistributions in binary form must reproduce the above copyright
68  *    notice, this list of conditions and the following disclaimer in
69  *    the documentation and/or other materials provided with the
70  *    distribution.
71  *
72  * 3. All advertising materials mentioning features or use of this
73  *    software must display the following acknowledgment:
74  *    "This product includes software developed by the OpenSSL Project
75  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76  *
77  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78  *    endorse or promote products derived from this software without
79  *    prior written permission. For written permission, please contact
80  *    openssl-core@openssl.org.
81  *
82  * 5. Products derived from this software may not be called "OpenSSL"
83  *    nor may "OpenSSL" appear in their names without prior written
84  *    permission of the OpenSSL Project.
85  *
86  * 6. Redistributions of any form whatsoever must retain the following
87  *    acknowledgment:
88  *    "This product includes software developed by the OpenSSL Project
89  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90  *
91  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
95  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102  * OF THE POSSIBILITY OF SUCH DAMAGE.
103  * ====================================================================
104  *
105  * This product includes cryptographic software written by Eric Young
106  * (eay@cryptsoft.com).  This product includes software written by Tim
107  * Hudson (tjh@cryptsoft.com).
108  *
109  */
110 /* ====================================================================
111  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112  * ECC cipher suite support in OpenSSL originally developed by
113  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114  */
115 /* ====================================================================
116  * Copyright 2005 Nokia. All rights reserved.
117  *
118  * The portions of the attached software ("Contribution") is developed by
119  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120  * license.
121  *
122  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124  * support (see RFC 4279) to OpenSSL.
125  *
126  * No patent licenses or other rights except those expressly stated in
127  * the OpenSSL open source license shall be deemed granted or received
128  * expressly, by implication, estoppel, or otherwise.
129  *
130  * No assurances are provided by Nokia that the Contribution does not
131  * infringe the patent or other intellectual property rights of any third
132  * party or that the license provides you with all the necessary rights
133  * to make use of the Contribution.
134  *
135  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139  * OTHERWISE.
140  */
141 
142 #ifndef OPENSSL_HEADER_SSL_H
143 #define OPENSSL_HEADER_SSL_H
144 
145 #include <openssl/base.h>
146 
147 #include <openssl/bio.h>
148 #include <openssl/buf.h>
149 #include <openssl/hmac.h>
150 #include <openssl/lhash.h>
151 #include <openssl/pem.h>
152 #include <openssl/ssl3.h>
153 #include <openssl/thread.h>
154 #include <openssl/tls1.h>
155 #include <openssl/x509.h>
156 
157 #if !defined(OPENSSL_WINDOWS)
158 #include <sys/time.h>
159 #endif
160 
161 /* Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
162  * Windows headers define too many macros to be included in public headers.
163  * However, only a forward declaration is needed. */
164 struct timeval;
165 
166 #if defined(__cplusplus)
167 extern "C" {
168 #endif
169 
170 
171 /* SSL implementation. */
172 
173 
174 /* SSL contexts.
175  *
176  * |SSL_CTX| objects manage shared state and configuration between multiple TLS
177  * or DTLS connections. Whether the connections are TLS or DTLS is selected by
178  * an |SSL_METHOD| on creation.
179  *
180  * |SSL_CTX| are reference-counted and may be shared by connections across
181  * multiple threads. Once shared, functions which change the |SSL_CTX|'s
182  * configuration may not be used. */
183 
184 /* TLS_method is the |SSL_METHOD| used for TLS (and SSLv3) connections. */
185 OPENSSL_EXPORT const SSL_METHOD *TLS_method(void);
186 
187 /* DTLS_method is the |SSL_METHOD| used for DTLS connections. */
188 OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void);
189 
190 /* TLS_with_buffers_method is like |TLS_method|, but avoids all use of
191  * crypto/x509. */
192 OPENSSL_EXPORT const SSL_METHOD *TLS_with_buffers_method(void);
193 
194 /* SSL_CTX_new returns a newly-allocated |SSL_CTX| with default settings or NULL
195  * on error. */
196 OPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
197 
198 /* SSL_CTX_up_ref increments the reference count of |ctx|. It returns one. */
199 OPENSSL_EXPORT int SSL_CTX_up_ref(SSL_CTX *ctx);
200 
201 /* SSL_CTX_free releases memory associated with |ctx|. */
202 OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *ctx);
203 
204 
205 /* SSL connections.
206  *
207  * An |SSL| object represents a single TLS or DTLS connection. Although the
208  * shared |SSL_CTX| is thread-safe, an |SSL| is not thread-safe and may only be
209  * used on one thread at a time. */
210 
211 /* SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. The new
212  * connection inherits settings from |ctx| at the time of creation. Settings may
213  * also be individually configured on the connection.
214  *
215  * On creation, an |SSL| is not configured to be either a client or server. Call
216  * |SSL_set_connect_state| or |SSL_set_accept_state| to set this. */
217 OPENSSL_EXPORT SSL *SSL_new(SSL_CTX *ctx);
218 
219 /* SSL_free releases memory associated with |ssl|. */
220 OPENSSL_EXPORT void SSL_free(SSL *ssl);
221 
222 /* SSL_get_SSL_CTX returns the |SSL_CTX| associated with |ssl|. If
223  * |SSL_set_SSL_CTX| is called, it returns the new |SSL_CTX|, not the initial
224  * one. */
225 OPENSSL_EXPORT SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
226 
227 /* SSL_set_connect_state configures |ssl| to be a client. */
228 OPENSSL_EXPORT void SSL_set_connect_state(SSL *ssl);
229 
230 /* SSL_set_accept_state configures |ssl| to be a server. */
231 OPENSSL_EXPORT void SSL_set_accept_state(SSL *ssl);
232 
233 /* SSL_is_server returns one if |ssl| is configured as a server and zero
234  * otherwise. */
235 OPENSSL_EXPORT int SSL_is_server(const SSL *ssl);
236 
237 /* SSL_is_dtls returns one if |ssl| is a DTLS connection and zero otherwise. */
238 OPENSSL_EXPORT int SSL_is_dtls(const SSL *ssl);
239 
240 /* SSL_set_bio configures |ssl| to read from |rbio| and write to |wbio|. |ssl|
241  * takes ownership of the two |BIO|s. If |rbio| and |wbio| are the same, |ssl|
242  * only takes ownership of one reference.
243  *
244  * In DTLS, |rbio| must be non-blocking to properly handle timeouts and
245  * retransmits.
246  *
247  * If |rbio| is the same as the currently configured |BIO| for reading, that
248  * side is left untouched and is not freed.
249  *
250  * If |wbio| is the same as the currently configured |BIO| for writing AND |ssl|
251  * is not currently configured to read from and write to the same |BIO|, that
252  * side is left untouched and is not freed. This asymmetry is present for
253  * historical reasons.
254  *
255  * Due to the very complex historical behavior of this function, calling this
256  * function if |ssl| already has |BIO|s configured is deprecated. Prefer
257  * |SSL_set0_rbio| and |SSL_set0_wbio| instead. */
258 OPENSSL_EXPORT void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
259 
260 /* SSL_set0_rbio configures |ssl| to write to |rbio|. It takes ownership of
261  * |rbio|.
262  *
263  * Note that, although this function and |SSL_set0_wbio| may be called on the
264  * same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this. */
265 OPENSSL_EXPORT void SSL_set0_rbio(SSL *ssl, BIO *rbio);
266 
267 /* SSL_set0_wbio configures |ssl| to write to |wbio|. It takes ownership of
268  * |wbio|.
269  *
270  * Note that, although this function and |SSL_set0_rbio| may be called on the
271  * same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this. */
272 OPENSSL_EXPORT void SSL_set0_wbio(SSL *ssl, BIO *wbio);
273 
274 /* SSL_get_rbio returns the |BIO| that |ssl| reads from. */
275 OPENSSL_EXPORT BIO *SSL_get_rbio(const SSL *ssl);
276 
277 /* SSL_get_wbio returns the |BIO| that |ssl| writes to. */
278 OPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *ssl);
279 
280 /* SSL_get_fd calls |SSL_get_rfd|. */
281 OPENSSL_EXPORT int SSL_get_fd(const SSL *ssl);
282 
283 /* SSL_get_rfd returns the file descriptor that |ssl| is configured to read
284  * from. If |ssl|'s read |BIO| is not configured or doesn't wrap a file
285  * descriptor then it returns -1.
286  *
287  * Note: On Windows, this may return either a file descriptor or a socket (cast
288  * to int), depending on whether |ssl| was configured with a file descriptor or
289  * socket |BIO|. */
290 OPENSSL_EXPORT int SSL_get_rfd(const SSL *ssl);
291 
292 /* SSL_get_wfd returns the file descriptor that |ssl| is configured to write
293  * to. If |ssl|'s write |BIO| is not configured or doesn't wrap a file
294  * descriptor then it returns -1.
295  *
296  * Note: On Windows, this may return either a file descriptor or a socket (cast
297  * to int), depending on whether |ssl| was configured with a file descriptor or
298  * socket |BIO|. */
299 OPENSSL_EXPORT int SSL_get_wfd(const SSL *ssl);
300 
301 /* SSL_set_fd configures |ssl| to read from and write to |fd|. It returns one
302  * on success and zero on allocation error. The caller retains ownership of
303  * |fd|.
304  *
305  * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */
306 OPENSSL_EXPORT int SSL_set_fd(SSL *ssl, int fd);
307 
308 /* SSL_set_rfd configures |ssl| to read from |fd|. It returns one on success and
309  * zero on allocation error. The caller retains ownership of |fd|.
310  *
311  * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */
312 OPENSSL_EXPORT int SSL_set_rfd(SSL *ssl, int fd);
313 
314 /* SSL_set_wfd configures |ssl| to write to |fd|. It returns one on success and
315  * zero on allocation error. The caller retains ownership of |fd|.
316  *
317  * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */
318 OPENSSL_EXPORT int SSL_set_wfd(SSL *ssl, int fd);
319 
320 /* SSL_do_handshake continues the current handshake. If there is none or the
321  * handshake has completed or False Started, it returns one. Otherwise, it
322  * returns <= 0. The caller should pass the value into |SSL_get_error| to
323  * determine how to proceed.
324  *
325  * In DTLS, the caller must drive retransmissions. Whenever |SSL_get_error|
326  * signals |SSL_ERROR_WANT_READ|, use |DTLSv1_get_timeout| to determine the
327  * current timeout. If it expires before the next retry, call
328  * |DTLSv1_handle_timeout|. Note that DTLS handshake retransmissions use fresh
329  * sequence numbers, so it is not sufficient to replay packets at the transport.
330  *
331  * TODO(davidben): Ensure 0 is only returned on transport EOF.
332  * https://crbug.com/466303. */
333 OPENSSL_EXPORT int SSL_do_handshake(SSL *ssl);
334 
335 /* SSL_connect configures |ssl| as a client, if unconfigured, and calls
336  * |SSL_do_handshake|. */
337 OPENSSL_EXPORT int SSL_connect(SSL *ssl);
338 
339 /* SSL_accept configures |ssl| as a server, if unconfigured, and calls
340  * |SSL_do_handshake|. */
341 OPENSSL_EXPORT int SSL_accept(SSL *ssl);
342 
343 /* SSL_read reads up to |num| bytes from |ssl| into |buf|. It implicitly runs
344  * any pending handshakes, including renegotiations when enabled. On success, it
345  * returns the number of bytes read. Otherwise, it returns <= 0. The caller
346  * should pass the value into |SSL_get_error| to determine how to proceed.
347  *
348  * TODO(davidben): Ensure 0 is only returned on transport EOF.
349  * https://crbug.com/466303. */
350 OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num);
351 
352 /* SSL_peek behaves like |SSL_read| but does not consume any bytes returned. */
353 OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num);
354 
355 /* SSL_pending returns the number of bytes available in |ssl|. It does not read
356  * from the transport. */
357 OPENSSL_EXPORT int SSL_pending(const SSL *ssl);
358 
359 /* SSL_write writes up to |num| bytes from |buf| into |ssl|. It implicitly runs
360  * any pending handshakes, including renegotiations when enabled. On success, it
361  * returns the number of bytes written. Otherwise, it returns <= 0. The caller
362  * should pass the value into |SSL_get_error| to determine how to proceed.
363  *
364  * In TLS, a non-blocking |SSL_write| differs from non-blocking |write| in that
365  * a failed |SSL_write| still commits to the data passed in. When retrying, the
366  * caller must supply the original write buffer (or a larger one containing the
367  * original as a prefix). By default, retries will fail if they also do not
368  * reuse the same |buf| pointer. This may be relaxed with
369  * |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, but the buffer contents still must be
370  * unchanged.
371  *
372  * By default, in TLS, |SSL_write| will not return success until all |num| bytes
373  * are written. This may be relaxed with |SSL_MODE_ENABLE_PARTIAL_WRITE|. It
374  * allows |SSL_write| to complete with a partial result when only part of the
375  * input was written in a single record.
376  *
377  * In DTLS, neither |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| and
378  * |SSL_MODE_ENABLE_PARTIAL_WRITE| do anything. The caller may retry with a
379  * different buffer freely. A single call to |SSL_write| only ever writes a
380  * single record in a single packet, so |num| must be at most
381  * |SSL3_RT_MAX_PLAIN_LENGTH|.
382  *
383  * TODO(davidben): Ensure 0 is only returned on transport EOF.
384  * https://crbug.com/466303. */
385 OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num);
386 
387 /* SSL_shutdown shuts down |ssl|. On success, it completes in two stages. First,
388  * it returns 0 if |ssl| completed uni-directional shutdown; close_notify has
389  * been sent, but the peer's close_notify has not been received. Most callers
390  * may stop at this point. For bi-directional shutdown, call |SSL_shutdown|
391  * again. It returns 1 if close_notify has been both sent and received.
392  *
393  * If the peer's close_notify arrived first, the first stage is skipped.
394  * |SSL_shutdown| will return 1 once close_notify is sent and skip 0. Callers
395  * only interested in uni-directional shutdown must therefore allow for the
396  * first stage returning either 0 or 1.
397  *
398  * |SSL_shutdown| returns -1 on failure. The caller should pass the return value
399  * into |SSL_get_error| to determine how to proceed. If the underlying |BIO| is
400  * non-blocking, both stages may require retry. */
401 OPENSSL_EXPORT int SSL_shutdown(SSL *ssl);
402 
403 /* SSL_CTX_set_quiet_shutdown sets quiet shutdown on |ctx| to |mode|. If
404  * enabled, |SSL_shutdown| will not send a close_notify alert or wait for one
405  * from the peer. It will instead synchronously return one. */
406 OPENSSL_EXPORT void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
407 
408 /* SSL_CTX_get_quiet_shutdown returns whether quiet shutdown is enabled for
409  * |ctx|. */
410 OPENSSL_EXPORT int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
411 
412 /* SSL_set_quiet_shutdown sets quiet shutdown on |ssl| to |mode|. If enabled,
413  * |SSL_shutdown| will not send a close_notify alert or wait for one from the
414  * peer. It will instead synchronously return one. */
415 OPENSSL_EXPORT void SSL_set_quiet_shutdown(SSL *ssl, int mode);
416 
417 /* SSL_get_quiet_shutdown returns whether quiet shutdown is enabled for
418  * |ssl|. */
419 OPENSSL_EXPORT int SSL_get_quiet_shutdown(const SSL *ssl);
420 
421 /* SSL_get_error returns a |SSL_ERROR_*| value for the most recent operation on
422  * |ssl|. It should be called after an operation failed to determine whether the
423  * error was fatal and, if not, when to retry. */
424 OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
425 
426 /* SSL_ERROR_NONE indicates the operation succeeded. */
427 #define SSL_ERROR_NONE 0
428 
429 /* SSL_ERROR_SSL indicates the operation failed within the library. The caller
430  * may inspect the error queue for more information. */
431 #define SSL_ERROR_SSL 1
432 
433 /* SSL_ERROR_WANT_READ indicates the operation failed attempting to read from
434  * the transport. The caller may retry the operation when the transport is ready
435  * for reading.
436  *
437  * If signaled by a DTLS handshake, the caller must also call
438  * |DTLSv1_get_timeout| and |DTLSv1_handle_timeout| as appropriate. See
439  * |SSL_do_handshake|. */
440 #define SSL_ERROR_WANT_READ 2
441 
442 /* SSL_ERROR_WANT_WRITE indicates the operation failed attempting to write to
443  * the transport. The caller may retry the operation when the transport is ready
444  * for writing. */
445 #define SSL_ERROR_WANT_WRITE 3
446 
447 /* SSL_ERROR_WANT_X509_LOOKUP indicates the operation failed in calling the
448  * |cert_cb| or |client_cert_cb|. The caller may retry the operation when the
449  * callback is ready to return a certificate or one has been configured
450  * externally.
451  *
452  * See also |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb|. */
453 #define SSL_ERROR_WANT_X509_LOOKUP 4
454 
455 /* SSL_ERROR_SYSCALL indicates the operation failed externally to the library.
456  * The caller should consult the system-specific error mechanism. This is
457  * typically |errno| but may be something custom if using a custom |BIO|. It
458  * may also be signaled if the transport returned EOF, in which case the
459  * operation's return value will be zero. */
460 #define SSL_ERROR_SYSCALL 5
461 
462 /* SSL_ERROR_ZERO_RETURN indicates the operation failed because the connection
463  * was cleanly shut down with a close_notify alert. */
464 #define SSL_ERROR_ZERO_RETURN 6
465 
466 /* SSL_ERROR_WANT_CONNECT indicates the operation failed attempting to connect
467  * the transport (the |BIO| signaled |BIO_RR_CONNECT|). The caller may retry the
468  * operation when the transport is ready. */
469 #define SSL_ERROR_WANT_CONNECT 7
470 
471 /* SSL_ERROR_WANT_ACCEPT indicates the operation failed attempting to accept a
472  * connection from the transport (the |BIO| signaled |BIO_RR_ACCEPT|). The
473  * caller may retry the operation when the transport is ready.
474  *
475  * TODO(davidben): Remove this. It's used by accept BIOs which are bizarre. */
476 #define SSL_ERROR_WANT_ACCEPT 8
477 
478 /* SSL_ERROR_WANT_CHANNEL_ID_LOOKUP indicates the operation failed looking up
479  * the Channel ID key. The caller may retry the operation when |channel_id_cb|
480  * is ready to return a key or one has been configured with
481  * |SSL_set1_tls_channel_id|.
482  *
483  * See also |SSL_CTX_set_channel_id_cb|. */
484 #define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
485 
486 /* SSL_ERROR_PENDING_SESSION indicates the operation failed because the session
487  * lookup callback indicated the session was unavailable. The caller may retry
488  * the operation when lookup has completed.
489  *
490  * See also |SSL_CTX_sess_set_get_cb| and |SSL_magic_pending_session_ptr|. */
491 #define SSL_ERROR_PENDING_SESSION 11
492 
493 /* SSL_ERROR_PENDING_CERTIFICATE indicates the operation failed because the
494  * early callback indicated certificate lookup was incomplete. The caller may
495  * retry the operation when lookup has completed.
496  *
497  * See also |SSL_CTX_set_select_certificate_cb|. */
498 #define SSL_ERROR_PENDING_CERTIFICATE 12
499 
500 /* SSL_ERROR_WANT_PRIVATE_KEY_OPERATION indicates the operation failed because
501  * a private key operation was unfinished. The caller may retry the operation
502  * when the private key operation is complete.
503  *
504  * See also |SSL_set_private_key_method| and
505  * |SSL_CTX_set_private_key_method|. */
506 #define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13
507 
508 /* SSL_ERROR_PENDING_TICKET indicates that a ticket decryption is pending. The
509  * caller may retry the operation when the decryption is ready.
510  *
511  * See also |SSL_CTX_set_ticket_aead_method|. */
512 #define SSL_ERROR_PENDING_TICKET 14
513 
514 /* SSL_ERROR_EARLY_DATA_REJECTED indicates that early data was rejected. The
515  * caller should treat this as a connection failure and retry any operations
516  * associated with the rejected early data. |SSL_reset_early_data_reject| may be
517  * used to reuse the underlying connection for the retry. */
518 #define SSL_ERROR_EARLY_DATA_REJECTED 15
519 
520 /* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
521  * and zero on failure. */
522 OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
523 
524 /* DTLSv1_set_initial_timeout_duration sets the initial duration for a DTLS
525  * handshake timeout.
526  *
527  * This duration overrides the default of 1 second, which is the strong
528  * recommendation of RFC 6347 (see section 4.2.4.1). However, there may exist
529  * situations where a shorter timeout would be beneficial, such as for
530  * time-sensitive applications. */
531 OPENSSL_EXPORT void DTLSv1_set_initial_timeout_duration(SSL *ssl,
532                                                         unsigned duration_ms);
533 
534 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
535  * timeout in progress, it sets |*out| to the time remaining and returns one.
536  * Otherwise, it returns zero.
537  *
538  * When the timeout expires, call |DTLSv1_handle_timeout| to handle the
539  * retransmit behavior.
540  *
541  * NOTE: This function must be queried again whenever the handshake state
542  * machine changes, including when |DTLSv1_handle_timeout| is called. */
543 OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out);
544 
545 /* DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no
546  * timeout had expired, it returns 0. Otherwise, it retransmits the previous
547  * flight of handshake messages and returns 1. If too many timeouts had expired
548  * without progress or an error occurs, it returns -1.
549  *
550  * The caller's external timer should be compatible with the one |ssl| queries
551  * within some fudge factor. Otherwise, the call will be a no-op, but
552  * |DTLSv1_get_timeout| will return an updated timeout.
553  *
554  * If the function returns -1, checking if |SSL_get_error| returns
555  * |SSL_ERROR_WANT_WRITE| may be used to determine if the retransmit failed due
556  * to a non-fatal error at the write |BIO|. However, the operation may not be
557  * retried until the next timeout fires.
558  *
559  * WARNING: This function breaks the usual return value convention.
560  *
561  * TODO(davidben): This |SSL_ERROR_WANT_WRITE| behavior is kind of bizarre. */
562 OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
563 
564 
565 /* Protocol versions. */
566 
567 #define DTLS1_VERSION_MAJOR 0xfe
568 #define SSL3_VERSION_MAJOR 0x03
569 
570 #define SSL3_VERSION 0x0300
571 #define TLS1_VERSION 0x0301
572 #define TLS1_1_VERSION 0x0302
573 #define TLS1_2_VERSION 0x0303
574 #define TLS1_3_VERSION 0x0304
575 
576 #define DTLS1_VERSION 0xfeff
577 #define DTLS1_2_VERSION 0xfefd
578 
579 #define TLS1_3_DRAFT_VERSION 0x7f12
580 #define TLS1_3_EXPERIMENT_VERSION 0x7e01
581 #define TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION 0x7a12
582 
583 /* SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to
584  * |version|. If |version| is zero, the default minimum version is used. It
585  * returns one on success and zero if |version| is invalid. */
586 OPENSSL_EXPORT int SSL_CTX_set_min_proto_version(SSL_CTX *ctx,
587                                                  uint16_t version);
588 
589 /* SSL_CTX_set_max_proto_version sets the maximum protocol version for |ctx| to
590  * |version|. If |version| is zero, the default maximum version is used. It
591  * returns one on success and zero if |version| is invalid. */
592 OPENSSL_EXPORT int SSL_CTX_set_max_proto_version(SSL_CTX *ctx,
593                                                  uint16_t version);
594 
595 /* SSL_set_min_proto_version sets the minimum protocol version for |ssl| to
596  * |version|. If |version| is zero, the default minimum version is used. It
597  * returns one on success and zero if |version| is invalid. */
598 OPENSSL_EXPORT int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
599 
600 /* SSL_set_max_proto_version sets the maximum protocol version for |ssl| to
601  * |version|. If |version| is zero, the default maximum version is used. It
602  * returns one on success and zero if |version| is invalid. */
603 OPENSSL_EXPORT int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
604 
605 /* SSL_version returns the TLS or DTLS protocol version used by |ssl|, which is
606  * one of the |*_VERSION| values. (E.g. |TLS1_2_VERSION|.) Before the version
607  * is negotiated, the result is undefined. */
608 OPENSSL_EXPORT int SSL_version(const SSL *ssl);
609 
610 
611 /* Options.
612  *
613  * Options configure protocol behavior. */
614 
615 /* SSL_OP_NO_QUERY_MTU, in DTLS, disables querying the MTU from the underlying
616  * |BIO|. Instead, the MTU is configured with |SSL_set_mtu|. */
617 #define SSL_OP_NO_QUERY_MTU 0x00001000L
618 
619 /* SSL_OP_NO_TICKET disables session ticket support (RFC 5077). */
620 #define SSL_OP_NO_TICKET 0x00004000L
621 
622 /* SSL_OP_CIPHER_SERVER_PREFERENCE configures servers to select ciphers and
623  * ECDHE curves according to the server's preferences instead of the
624  * client's. */
625 #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
626 
627 /* The following flags toggle individual protocol versions. This is deprecated.
628  * Use |SSL_CTX_set_min_proto_version| and |SSL_CTX_set_max_proto_version|
629  * instead. */
630 #define SSL_OP_NO_SSLv3 0x02000000L
631 #define SSL_OP_NO_TLSv1 0x04000000L
632 #define SSL_OP_NO_TLSv1_2 0x08000000L
633 #define SSL_OP_NO_TLSv1_1 0x10000000L
634 #define SSL_OP_NO_TLSv1_3 0x20000000L
635 #define SSL_OP_NO_DTLSv1 SSL_OP_NO_TLSv1
636 #define SSL_OP_NO_DTLSv1_2 SSL_OP_NO_TLSv1_2
637 
638 /* SSL_CTX_set_options enables all options set in |options| (which should be one
639  * or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
640  * bitmask representing the resulting enabled options. */
641 OPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options);
642 
643 /* SSL_CTX_clear_options disables all options set in |options| (which should be
644  * one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
645  * bitmask representing the resulting enabled options. */
646 OPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options);
647 
648 /* SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all
649  * the options enabled for |ctx|. */
650 OPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx);
651 
652 /* SSL_set_options enables all options set in |options| (which should be one or
653  * more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask
654  * representing the resulting enabled options. */
655 OPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options);
656 
657 /* SSL_clear_options disables all options set in |options| (which should be one
658  * or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a
659  * bitmask representing the resulting enabled options. */
660 OPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options);
661 
662 /* SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the
663  * options enabled for |ssl|. */
664 OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl);
665 
666 
667 /* Modes.
668  *
669  * Modes configure API behavior. */
670 
671 /* SSL_MODE_ENABLE_PARTIAL_WRITE, in TLS, allows |SSL_write| to complete with a
672  * partial result when the only part of the input was written in a single
673  * record. In DTLS, it does nothing. */
674 #define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
675 
676 /* SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, in TLS, allows retrying an incomplete
677  * |SSL_write| with a different buffer. However, |SSL_write| still assumes the
678  * buffer contents are unchanged. This is not the default to avoid the
679  * misconception that non-blocking |SSL_write| behaves like non-blocking
680  * |write|. In DTLS, it does nothing. */
681 #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
682 
683 /* SSL_MODE_NO_AUTO_CHAIN disables automatically building a certificate chain
684  * before sending certificates to the peer. This flag is set (and the feature
685  * disabled) by default.
686  * TODO(davidben): Remove this behavior. https://crbug.com/boringssl/42. */
687 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
688 
689 /* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before
690  * receipt of ChangeCipherSpec and Finished. This mode enables full handshakes
691  * to 'complete' in one RTT. See RFC 7918.
692  *
693  * When False Start is enabled, |SSL_do_handshake| may succeed before the
694  * handshake has completely finished. |SSL_write| will function at this point,
695  * and |SSL_read| will transparently wait for the final handshake leg before
696  * returning application data. To determine if False Start occurred or when the
697  * handshake is completely finished, see |SSL_in_false_start|, |SSL_in_init|,
698  * and |SSL_CB_HANDSHAKE_DONE| from |SSL_CTX_set_info_callback|. */
699 #define SSL_MODE_ENABLE_FALSE_START 0x00000080L
700 
701 /* SSL_MODE_CBC_RECORD_SPLITTING causes multi-byte CBC records in SSL 3.0 and
702  * TLS 1.0 to be split in two: the first record will contain a single byte and
703  * the second will contain the remainder. This effectively randomises the IV and
704  * prevents BEAST attacks. */
705 #define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L
706 
707 /* SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to
708  * fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that
709  * session resumption is used for a given SSL*. */
710 #define SSL_MODE_NO_SESSION_CREATION 0x00000200L
711 
712 /* SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello.
713  * To be set only by applications that reconnect with a downgraded protocol
714  * version; see RFC 7507 for details.
715  *
716  * DO NOT ENABLE THIS if your application attempts a normal handshake. Only use
717  * this in explicit fallback retries, following the guidance in RFC 7507. */
718 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L
719 
720 /* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more
721  * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask
722  * representing the resulting enabled modes. */
723 OPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode);
724 
725 /* SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or
726  * more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a
727  * bitmask representing the resulting enabled modes. */
728 OPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode);
729 
730 /* SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all
731  * the modes enabled for |ssl|. */
732 OPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx);
733 
734 /* SSL_set_mode enables all modes set in |mode| (which should be one or more of
735  * the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
736  * representing the resulting enabled modes. */
737 OPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode);
738 
739 /* SSL_clear_mode disables all modes set in |mode| (which should be one or more
740  * of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
741  * representing the resulting enabled modes. */
742 OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode);
743 
744 /* SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the
745  * modes enabled for |ssl|. */
746 OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl);
747 
748 /* SSL_CTX_set0_buffer_pool sets a |CRYPTO_BUFFER_POOL| that will be used to
749  * store certificates. This can allow multiple connections to share
750  * certificates and thus save memory.
751  *
752  * The SSL_CTX does not take ownership of |pool| and the caller must ensure
753  * that |pool| outlives |ctx| and all objects linked to it, including |SSL|,
754  * |X509| and |SSL_SESSION| objects. Basically, don't ever free |pool|. */
755 OPENSSL_EXPORT void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx,
756                                              CRYPTO_BUFFER_POOL *pool);
757 
758 
759 /* Configuring certificates and private keys.
760  *
761  * These functions configure the connection's leaf certificate, private key, and
762  * certificate chain. The certificate chain is ordered leaf to root (as sent on
763  * the wire) but does not include the leaf. Both client and server certificates
764  * use these functions.
765  *
766  * Certificates and keys may be configured before the handshake or dynamically
767  * in the early callback and certificate callback. */
768 
769 /* SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns
770  * one on success and zero on failure. */
771 OPENSSL_EXPORT int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x509);
772 
773 /* SSL_use_certificate sets |ssl|'s leaf certificate to |x509|. It returns one
774  * on success and zero on failure. */
775 OPENSSL_EXPORT int SSL_use_certificate(SSL *ssl, X509 *x509);
776 
777 /* SSL_CTX_use_PrivateKey sets |ctx|'s private key to |pkey|. It returns one on
778  * success and zero on failure. */
779 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
780 
781 /* SSL_use_PrivateKey sets |ssl|'s private key to |pkey|. It returns one on
782  * success and zero on failure. */
783 OPENSSL_EXPORT int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
784 
785 /* SSL_CTX_set0_chain sets |ctx|'s certificate chain, excluding the leaf, to
786  * |chain|. On success, it returns one and takes ownership of |chain|.
787  * Otherwise, it returns zero. */
788 OPENSSL_EXPORT int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
789 
790 /* SSL_CTX_set1_chain sets |ctx|'s certificate chain, excluding the leaf, to
791  * |chain|. It returns one on success and zero on failure. The caller retains
792  * ownership of |chain| and may release it freely. */
793 OPENSSL_EXPORT int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
794 
795 /* SSL_set0_chain sets |ssl|'s certificate chain, excluding the leaf, to
796  * |chain|. On success, it returns one and takes ownership of |chain|.
797  * Otherwise, it returns zero. */
798 OPENSSL_EXPORT int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain);
799 
800 /* SSL_set1_chain sets |ssl|'s certificate chain, excluding the leaf, to
801  * |chain|. It returns one on success and zero on failure. The caller retains
802  * ownership of |chain| and may release it freely. */
803 OPENSSL_EXPORT int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain);
804 
805 /* SSL_CTX_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On
806  * success, it returns one and takes ownership of |x509|. Otherwise, it returns
807  * zero. */
808 OPENSSL_EXPORT int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
809 
810 /* SSL_CTX_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It
811  * returns one on success and zero on failure. The caller retains ownership of
812  * |x509| and may release it freely. */
813 OPENSSL_EXPORT int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);
814 
815 /* SSL_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On success,
816  * it returns one and takes ownership of |x509|. Otherwise, it returns zero. */
817 OPENSSL_EXPORT int SSL_add0_chain_cert(SSL *ssl, X509 *x509);
818 
819 /* SSL_CTX_add_extra_chain_cert calls |SSL_CTX_add0_chain_cert|. */
820 OPENSSL_EXPORT int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
821 
822 /* SSL_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It returns
823  * one on success and zero on failure. The caller retains ownership of |x509|
824  * and may release it freely. */
825 OPENSSL_EXPORT int SSL_add1_chain_cert(SSL *ssl, X509 *x509);
826 
827 /* SSL_CTX_clear_chain_certs clears |ctx|'s certificate chain and returns
828  * one. */
829 OPENSSL_EXPORT int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);
830 
831 /* SSL_CTX_clear_extra_chain_certs calls |SSL_CTX_clear_chain_certs|. */
832 OPENSSL_EXPORT int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
833 
834 /* SSL_clear_chain_certs clears |ssl|'s certificate chain and returns one. */
835 OPENSSL_EXPORT int SSL_clear_chain_certs(SSL *ssl);
836 
837 /* SSL_CTX_set_cert_cb sets a callback that is called to select a certificate.
838  * The callback returns one on success, zero on internal error, and a negative
839  * number on failure or to pause the handshake. If the handshake is paused,
840  * |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|.
841  *
842  * On the client, the callback may call |SSL_get0_certificate_types| and
843  * |SSL_get_client_CA_list| for information on the server's certificate
844  * request.
845  *
846  * On the server, the callback will be called on non-resumption handshakes,
847  * after extensions have been processed. */
848 OPENSSL_EXPORT void SSL_CTX_set_cert_cb(SSL_CTX *ctx,
849                                         int (*cb)(SSL *ssl, void *arg),
850                                         void *arg);
851 
852 /* SSL_set_cert_cb sets a callback that is called to select a certificate. The
853  * callback returns one on success, zero on internal error, and a negative
854  * number on failure or to pause the handshake. If the handshake is paused,
855  * |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|.
856  *
857  * On the client, the callback may call |SSL_get0_certificate_types| and
858  * |SSL_get_client_CA_list| for information on the server's certificate
859  * request. */
860 OPENSSL_EXPORT void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg),
861                                     void *arg);
862 
863 /* SSL_get0_certificate_types, for a client, sets |*out_types| to an array
864  * containing the client certificate types requested by a server. It returns the
865  * length of the array.
866  *
867  * The behavior of this function is undefined except during the callbacks set by
868  * by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or when the
869  * handshake is paused because of them. */
870 OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl,
871                                                  const uint8_t **out_types);
872 
873 /* SSL_certs_clear resets the private key, leaf certificate, and certificate
874  * chain of |ssl|. */
875 OPENSSL_EXPORT void SSL_certs_clear(SSL *ssl);
876 
877 /* SSL_CTX_check_private_key returns one if the certificate and private key
878  * configured in |ctx| are consistent and zero otherwise. */
879 OPENSSL_EXPORT int SSL_CTX_check_private_key(const SSL_CTX *ctx);
880 
881 /* SSL_check_private_key returns one if the certificate and private key
882  * configured in |ssl| are consistent and zero otherwise. */
883 OPENSSL_EXPORT int SSL_check_private_key(const SSL *ssl);
884 
885 /* SSL_CTX_get0_certificate returns |ctx|'s leaf certificate. */
886 OPENSSL_EXPORT X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
887 
888 /* SSL_get_certificate returns |ssl|'s leaf certificate. */
889 OPENSSL_EXPORT X509 *SSL_get_certificate(const SSL *ssl);
890 
891 /* SSL_CTX_get0_privatekey returns |ctx|'s private key. */
892 OPENSSL_EXPORT EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
893 
894 /* SSL_get_privatekey returns |ssl|'s private key. */
895 OPENSSL_EXPORT EVP_PKEY *SSL_get_privatekey(const SSL *ssl);
896 
897 /* SSL_CTX_get0_chain_certs sets |*out_chain| to |ctx|'s certificate chain and
898  * returns one. */
899 OPENSSL_EXPORT int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx,
900                                             STACK_OF(X509) **out_chain);
901 
902 /* SSL_CTX_get_extra_chain_certs calls |SSL_CTX_get0_chain_certs|. */
903 OPENSSL_EXPORT int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,
904                                                  STACK_OF(X509) **out_chain);
905 
906 /* SSL_get0_chain_certs sets |*out_chain| to |ssl|'s certificate chain and
907  * returns one. */
908 OPENSSL_EXPORT int SSL_get0_chain_certs(const SSL *ssl,
909                                         STACK_OF(X509) **out_chain);
910 
911 /* SSL_CTX_set_signed_cert_timestamp_list sets the list of signed certificate
912  * timestamps that is sent to clients that request it. The |list| argument must
913  * contain one or more SCT structures serialised as a SignedCertificateTimestamp
914  * List (see https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT
915  * is prefixed by a big-endian, uint16 length and the concatenation of one or
916  * more such prefixed SCTs are themselves also prefixed by a uint16 length. It
917  * returns one on success and zero on error. The caller retains ownership of
918  * |list|. */
919 OPENSSL_EXPORT int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx,
920                                                           const uint8_t *list,
921                                                           size_t list_len);
922 
923 /* SSL_set_signed_cert_timestamp_list sets the list of signed certificate
924  * timestamps that is sent to clients that request is. The same format as the
925  * one used for |SSL_CTX_set_signed_cert_timestamp_list| applies. The caller
926  * retains ownership of |list|. */
927 OPENSSL_EXPORT int SSL_set_signed_cert_timestamp_list(SSL *ctx,
928                                                       const uint8_t *list,
929                                                       size_t list_len);
930 
931 /* SSL_CTX_set_ocsp_response sets the OCSP response that is sent to clients
932  * which request it. It returns one on success and zero on error. The caller
933  * retains ownership of |response|. */
934 OPENSSL_EXPORT int SSL_CTX_set_ocsp_response(SSL_CTX *ctx,
935                                              const uint8_t *response,
936                                              size_t response_len);
937 
938 /* SSL_set_ocsp_response sets the OCSP response that is sent to clients which
939  * request it. It returns one on success and zero on error. The caller retains
940  * ownership of |response|. */
941 OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl,
942                                          const uint8_t *response,
943                                          size_t response_len);
944 
945 /* SSL_SIGN_* are signature algorithm values as defined in TLS 1.3. */
946 #define SSL_SIGN_RSA_PKCS1_SHA1 0x0201
947 #define SSL_SIGN_RSA_PKCS1_SHA256 0x0401
948 #define SSL_SIGN_RSA_PKCS1_SHA384 0x0501
949 #define SSL_SIGN_RSA_PKCS1_SHA512 0x0601
950 #define SSL_SIGN_ECDSA_SHA1 0x0203
951 #define SSL_SIGN_ECDSA_SECP256R1_SHA256 0x0403
952 #define SSL_SIGN_ECDSA_SECP384R1_SHA384 0x0503
953 #define SSL_SIGN_ECDSA_SECP521R1_SHA512 0x0603
954 #define SSL_SIGN_RSA_PSS_SHA256 0x0804
955 #define SSL_SIGN_RSA_PSS_SHA384 0x0805
956 #define SSL_SIGN_RSA_PSS_SHA512 0x0806
957 #define SSL_SIGN_ED25519 0x0807
958 
959 /* SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to
960  * specify raw RSASSA-PKCS1-v1_5 with an MD5/SHA-1 concatenation, as used in TLS
961  * before TLS 1.2. */
962 #define SSL_SIGN_RSA_PKCS1_MD5_SHA1 0xff01
963 
964 /* SSL_CTX_set_signing_algorithm_prefs configures |ctx| to use |prefs| as the
965  * preference list when signing with |ctx|'s private key. It returns one on
966  * success and zero on error. |prefs| should not include the internal-only value
967  * |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
968 OPENSSL_EXPORT int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx,
969                                                        const uint16_t *prefs,
970                                                        size_t num_prefs);
971 
972 /* SSL_set_signing_algorithm_prefs configures |ssl| to use |prefs| as the
973  * preference list when signing with |ssl|'s private key. It returns one on
974  * success and zero on error. |prefs| should not include the internal-only value
975  * |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
976 OPENSSL_EXPORT int SSL_set_signing_algorithm_prefs(SSL *ssl,
977                                                    const uint16_t *prefs,
978                                                    size_t num_prefs);
979 
980 
981 /* Certificate and private key convenience functions. */
982 
983 /* SSL_CTX_set_chain_and_key sets the certificate chain and private key for a
984  * TLS client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|
985  * objects are added as needed. Exactly one of |privkey| or |privkey_method|
986  * may be non-NULL. Returns one on success and zero on error. */
987 OPENSSL_EXPORT int SSL_CTX_set_chain_and_key(
988     SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, size_t num_certs,
989     EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method);
990 
991 /* SSL_set_chain_and_key sets the certificate chain and private key for a TLS
992  * client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|
993  * objects are added as needed. Exactly one of |privkey| or |privkey_method|
994  * may be non-NULL. Returns one on success and zero on error. */
995 OPENSSL_EXPORT int SSL_set_chain_and_key(
996     SSL *ssl, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey,
997     const SSL_PRIVATE_KEY_METHOD *privkey_method);
998 
999 /* SSL_CTX_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one
1000  * on success and zero on failure. */
1001 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1002 
1003 /* SSL_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one on
1004  * success and zero on failure. */
1005 OPENSSL_EXPORT int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1006 
1007 /* The following functions configure certificates or private keys but take as
1008  * input DER-encoded structures. They return one on success and zero on
1009  * failure. */
1010 
1011 OPENSSL_EXPORT int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
1012                                                 const uint8_t *der);
1013 OPENSSL_EXPORT int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der,
1014                                             size_t der_len);
1015 
1016 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx,
1017                                                const uint8_t *der,
1018                                                size_t der_len);
1019 OPENSSL_EXPORT int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,
1020                                            const uint8_t *der, size_t der_len);
1021 
1022 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx,
1023                                                   const uint8_t *der,
1024                                                   size_t der_len);
1025 OPENSSL_EXPORT int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der,
1026                                               size_t der_len);
1027 
1028 /* The following functions configure certificates or private keys but take as
1029  * input files to read from. They return one on success and zero on failure. The
1030  * |type| parameter is one of the |SSL_FILETYPE_*| values and determines whether
1031  * the file's contents are read as PEM or DER. */
1032 
1033 #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
1034 #define SSL_FILETYPE_PEM X509_FILETYPE_PEM
1035 
1036 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx,
1037                                                   const char *file,
1038                                                   int type);
1039 OPENSSL_EXPORT int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file,
1040                                               int type);
1041 
1042 OPENSSL_EXPORT int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file,
1043                                                 int type);
1044 OPENSSL_EXPORT int SSL_use_certificate_file(SSL *ssl, const char *file,
1045                                             int type);
1046 
1047 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file,
1048                                                int type);
1049 OPENSSL_EXPORT int SSL_use_PrivateKey_file(SSL *ssl, const char *file,
1050                                            int type);
1051 
1052 /* SSL_CTX_use_certificate_chain_file configures certificates for |ctx|. It
1053  * reads the contents of |file| as a PEM-encoded leaf certificate followed
1054  * optionally by the certificate chain to send to the peer. It returns one on
1055  * success and zero on failure. */
1056 OPENSSL_EXPORT int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx,
1057                                                       const char *file);
1058 
1059 /* SSL_CTX_set_default_passwd_cb sets the password callback for PEM-based
1060  * convenience functions called on |ctx|. */
1061 OPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx,
1062                                                   pem_password_cb *cb);
1063 
1064 /* SSL_CTX_set_default_passwd_cb_userdata sets the userdata parameter for
1065  * |ctx|'s password callback. */
1066 OPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,
1067                                                            void *data);
1068 
1069 
1070 /* Custom private keys. */
1071 
1072 enum ssl_private_key_result_t {
1073   ssl_private_key_success,
1074   ssl_private_key_retry,
1075   ssl_private_key_failure,
1076 };
1077 
1078 /* ssl_private_key_method_st (aka |SSL_PRIVATE_KEY_METHOD|) describes private
1079  * key hooks. This is used to off-load signing operations to a custom,
1080  * potentially asynchronous, backend. Metadata about the key such as the type
1081  * and size are parsed out of the certificate.
1082  *
1083  * TODO(davidben): This API has a number of legacy hooks. Remove the last
1084  * consumer of |sign_digest| and trim it. */
1085 struct ssl_private_key_method_st {
1086   /* type is ignored and should be NULL. */
1087   int (*type)(SSL *ssl);
1088 
1089   /* max_signature_len is ignored and should be NULL. */
1090   size_t (*max_signature_len)(SSL *ssl);
1091 
1092   /* sign signs the message |in| in using the specified signature algorithm. On
1093    * success, it returns |ssl_private_key_success| and writes at most |max_out|
1094    * bytes of signature data to |out| and sets |*out_len| to the number of bytes
1095    * written. On failure, it returns |ssl_private_key_failure|. If the operation
1096    * has not completed, it returns |ssl_private_key_retry|. |sign| should
1097    * arrange for the high-level operation on |ssl| to be retried when the
1098    * operation is completed. This will result in a call to |complete|.
1099    *
1100    * |signature_algorithm| is one of the |SSL_SIGN_*| values, as defined in TLS
1101    * 1.3. Note that, in TLS 1.2, ECDSA algorithms do not require that curve
1102    * sizes match hash sizes, so the curve portion of |SSL_SIGN_ECDSA_*| values
1103    * must be ignored. BoringSSL will internally handle the curve matching logic
1104    * where appropriate.
1105    *
1106    * It is an error to call |sign| while another private key operation is in
1107    * progress on |ssl|. */
1108   enum ssl_private_key_result_t (*sign)(SSL *ssl, uint8_t *out, size_t *out_len,
1109                                         size_t max_out,
1110                                         uint16_t signature_algorithm,
1111                                         const uint8_t *in, size_t in_len);
1112 
1113   /* sign_digest signs |in_len| bytes of digest from |in|. |md| is the hash
1114    * function used to calculate |in|. On success, it returns
1115    * |ssl_private_key_success| and writes at most |max_out| bytes of signature
1116    * data to |out|. On failure, it returns |ssl_private_key_failure|. If the
1117    * operation has not completed, it returns |ssl_private_key_retry|. |sign|
1118    * should arrange for the high-level operation on |ssl| to be retried when the
1119    * operation is completed. This will result in a call to |complete|.
1120    *
1121    * If the key is an RSA key, implementations must use PKCS#1 padding. |in| is
1122    * the digest itself, so the DigestInfo prefix, if any, must be prepended by
1123    * |sign|. If |md| is |EVP_md5_sha1|, there is no prefix.
1124    *
1125    * It is an error to call |sign_digest| while another private key operation is
1126    * in progress on |ssl|.
1127    *
1128    * This function is deprecated. Implement |sign| instead.
1129    *
1130    * TODO(davidben): Remove this function. */
1131   enum ssl_private_key_result_t (*sign_digest)(SSL *ssl, uint8_t *out,
1132                                                size_t *out_len, size_t max_out,
1133                                                const EVP_MD *md,
1134                                                const uint8_t *in,
1135                                                size_t in_len);
1136 
1137   /* decrypt decrypts |in_len| bytes of encrypted data from |in|. On success it
1138    * returns |ssl_private_key_success|, writes at most |max_out| bytes of
1139    * decrypted data to |out| and sets |*out_len| to the actual number of bytes
1140    * written. On failure it returns |ssl_private_key_failure|. If the operation
1141    * has not completed, it returns |ssl_private_key_retry|. The caller should
1142    * arrange for the high-level operation on |ssl| to be retried when the
1143    * operation is completed, which will result in a call to |complete|. This
1144    * function only works with RSA keys and should perform a raw RSA decryption
1145    * operation with no padding.
1146    *
1147    * It is an error to call |decrypt| while another private key operation is in
1148    * progress on |ssl|. */
1149   enum ssl_private_key_result_t (*decrypt)(SSL *ssl, uint8_t *out,
1150                                            size_t *out_len, size_t max_out,
1151                                            const uint8_t *in, size_t in_len);
1152 
1153   /* complete completes a pending operation. If the operation has completed, it
1154    * returns |ssl_private_key_success| and writes the result to |out| as in
1155    * |sign|. Otherwise, it returns |ssl_private_key_failure| on failure and
1156    * |ssl_private_key_retry| if the operation is still in progress.
1157    *
1158    * |complete| may be called arbitrarily many times before completion, but it
1159    * is an error to call |complete| if there is no pending operation in progress
1160    * on |ssl|. */
1161   enum ssl_private_key_result_t (*complete)(SSL *ssl, uint8_t *out,
1162                                             size_t *out_len, size_t max_out);
1163 };
1164 
1165 /* SSL_set_private_key_method configures a custom private key on |ssl|.
1166  * |key_method| must remain valid for the lifetime of |ssl|. */
1167 OPENSSL_EXPORT void SSL_set_private_key_method(
1168     SSL *ssl, const SSL_PRIVATE_KEY_METHOD *key_method);
1169 
1170 /* SSL_CTX_set_private_key_method configures a custom private key on |ctx|.
1171  * |key_method| must remain valid for the lifetime of |ctx|. */
1172 OPENSSL_EXPORT void SSL_CTX_set_private_key_method(
1173     SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method);
1174 
1175 
1176 /* Cipher suites.
1177  *
1178  * |SSL_CIPHER| objects represent cipher suites. */
1179 
1180 DEFINE_CONST_STACK_OF(SSL_CIPHER)
1181 
1182 /* SSL_get_cipher_by_value returns the structure representing a TLS cipher
1183  * suite based on its assigned number, or NULL if unknown. See
1184  * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4. */
1185 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value);
1186 
1187 /* SSL_CIPHER_get_id returns |cipher|'s id. It may be cast to a |uint16_t| to
1188  * get the cipher suite value. */
1189 OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher);
1190 
1191 /* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
1192  * mode). */
1193 OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
1194 
1195 /* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. */
1196 OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);
1197 
1198 /* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. */
1199 OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);
1200 
1201 /* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. */
1202 OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);
1203 
1204 /* SSL_CIPHER_is_AEAD returns one if |cipher| uses an AEAD cipher. */
1205 OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);
1206 
1207 /* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */
1208 OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
1209 
1210 /* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. */
1211 OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);
1212 
1213 /* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
1214  * mode. */
1215 OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);
1216 
1217 /* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
1218  * mode. */
1219 OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);
1220 
1221 /* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
1222  * CHACHA20_POLY1305. Note this includes both the RFC 7905 and
1223  * draft-agl-tls-chacha20poly1305-04 versions. */
1224 OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
1225 
1226 /* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. */
1227 OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);
1228 
1229 /* SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher. */
1230 OPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher);
1231 
1232 /* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. */
1233 OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);
1234 
1235 /* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */
1236 OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
1237 
1238 /* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
1239  * exchange. */
1240 OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);
1241 
1242 /* SSL_CIPHER_get_min_version returns the minimum protocol version required
1243  * for |cipher|. */
1244 OPENSSL_EXPORT uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher);
1245 
1246 /* SSL_CIPHER_get_max_version returns the maximum protocol version that
1247  * supports |cipher|. */
1248 OPENSSL_EXPORT uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher);
1249 
1250 /* SSL_CIPHER_standard_name returns the standard IETF name for |cipher|. For
1251  * example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". */
1252 OPENSSL_EXPORT const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher);
1253 
1254 /* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. For example,
1255  * "ECDHE-RSA-AES128-GCM-SHA256". */
1256 OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
1257 
1258 /* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
1259  * method used by |cipher|. For example, "ECDHE_ECDSA". TLS 1.3 AEAD-only
1260  * ciphers return the string "GENERIC". */
1261 OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
1262 
1263 /* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If
1264  * |out_alg_bits| is not NULL, it writes the number of bits consumed by the
1265  * symmetric algorithm to |*out_alg_bits|. */
1266 OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
1267                                        int *out_alg_bits);
1268 
1269 
1270 /* Cipher suite configuration.
1271  *
1272  * OpenSSL uses a mini-language to configure cipher suites. The language
1273  * maintains an ordered list of enabled ciphers, along with an ordered list of
1274  * disabled but available ciphers. Initially, all ciphers are disabled with a
1275  * default ordering. The cipher string is then interpreted as a sequence of
1276  * directives, separated by colons, each of which modifies this state.
1277  *
1278  * Most directives consist of a one character or empty opcode followed by a
1279  * selector which matches a subset of available ciphers.
1280  *
1281  * Available opcodes are:
1282  *
1283  *   The empty opcode enables and appends all matching disabled ciphers to the
1284  *   end of the enabled list. The newly appended ciphers are ordered relative to
1285  *   each other matching their order in the disabled list.
1286  *
1287  *   |-| disables all matching enabled ciphers and prepends them to the disabled
1288  *   list, with relative order from the enabled list preserved. This means the
1289  *   most recently disabled ciphers get highest preference relative to other
1290  *   disabled ciphers if re-enabled.
1291  *
1292  *   |+| moves all matching enabled ciphers to the end of the enabled list, with
1293  *   relative order preserved.
1294  *
1295  *   |!| deletes all matching ciphers, enabled or not, from either list. Deleted
1296  *   ciphers will not matched by future operations.
1297  *
1298  * A selector may be a specific cipher (using either the standard or OpenSSL
1299  * name for the cipher) or one or more rules separated by |+|. The final
1300  * selector matches the intersection of each rule. For instance, |AESGCM+aECDSA|
1301  * matches ECDSA-authenticated AES-GCM ciphers.
1302  *
1303  * Available cipher rules are:
1304  *
1305  *   |ALL| matches all ciphers.
1306  *
1307  *   |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE,
1308  *   ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is
1309  *   matched by |kECDHE| and not |kPSK|.
1310  *
1311  *   |aRSA|, |aECDSA|, and |aPSK| match ciphers authenticated by RSA, ECDSA, and
1312  *   a pre-shared key, respectively.
1313  *
1314  *   |RSA|, |DHE|, |ECDHE|, |PSK|, |ECDSA|, and |PSK| are aliases for the
1315  *   corresponding |k*| or |a*| cipher rule. |RSA| is an alias for |kRSA|, not
1316  *   |aRSA|.
1317  *
1318  *   |3DES|, |AES128|, |AES256|, |AES|, |AESGCM|, |CHACHA20| match ciphers
1319  *   whose bulk cipher use the corresponding encryption scheme. Note that
1320  *   |AES|, |AES128|, and |AES256| match both CBC and GCM ciphers.
1321  *
1322  *   |SHA1|, |SHA256|, and |SHA384| match legacy cipher suites using the
1323  *   corresponding hash function in their MAC. AEADs are matched by none of
1324  *   these.
1325  *
1326  *   |SHA| is an alias for |SHA1|.
1327  *
1328  * Although implemented, authentication-only ciphers match no rules and must be
1329  * explicitly selected by name.
1330  *
1331  * Deprecated cipher rules:
1332  *
1333  *   |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|,
1334  *   |kECDHE|, and |ECDHE|, respectively.
1335  *
1336  *   |HIGH| is an alias for |ALL|.
1337  *
1338  *   |FIPS| is an alias for |HIGH|.
1339  *
1340  *   |SSLv3| and |TLSv1| match ciphers available in TLS 1.1 or earlier.
1341  *   |TLSv1_2| matches ciphers new in TLS 1.2. This is confusing and should not
1342  *   be used.
1343  *
1344  * Unknown rules are silently ignored by legacy APIs, and rejected by APIs with
1345  * "strict" in the name, which should be preferred. Cipher lists can be long and
1346  * it's easy to commit typos.
1347  *
1348  * The special |@STRENGTH| directive will sort all enabled ciphers by strength.
1349  *
1350  * The |DEFAULT| directive, when appearing at the front of the string, expands
1351  * to the default ordering of available ciphers.
1352  *
1353  * If configuring a server, one may also configure equal-preference groups to
1354  * partially respect the client's preferences when
1355  * |SSL_OP_CIPHER_SERVER_PREFERENCE| is enabled. Ciphers in an equal-preference
1356  * group have equal priority and use the client order. This may be used to
1357  * enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
1358  * based on client preferences. An equal-preference is specified with square
1359  * brackets, combining multiple selectors separated by |. For example:
1360  *
1361  *   [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
1362  *
1363  * Once an equal-preference group is used, future directives must be
1364  * opcode-less.
1365  *
1366  * TLS 1.3 ciphers do not participate in this mechanism and instead have a
1367  * built-in preference order. Functions to set cipher lists do not affect TLS
1368  * 1.3, and functions to query the cipher list do not include TLS 1.3
1369  * ciphers. */
1370 
1371 /* SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is
1372  * substituted when a cipher string starts with 'DEFAULT'. */
1373 #define SSL_DEFAULT_CIPHER_LIST "ALL"
1374 
1375 /* SSL_CTX_set_strict_cipher_list configures the cipher list for |ctx|,
1376  * evaluating |str| as a cipher string and returning error if |str| contains
1377  * anything meaningless. It returns one on success and zero on failure. */
1378 OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
1379                                                   const char *str);
1380 
1381 /* SSL_CTX_set_cipher_list configures the cipher list for |ctx|, evaluating
1382  * |str| as a cipher string. It returns one on success and zero on failure.
1383  *
1384  * Prefer to use |SSL_CTX_set_strict_cipher_list|. This function tolerates
1385  * garbage inputs, unless an empty cipher list results. */
1386 OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
1387 
1388 /* SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
1389  * |str| as a cipher string and returning error if |str| contains anything
1390  * meaningless. It returns one on success and zero on failure. */
1391 OPENSSL_EXPORT int SSL_set_strict_cipher_list(SSL *ssl, const char *str);
1392 
1393 /* SSL_set_cipher_list configures the cipher list for |ssl|, evaluating |str| as
1394  * a cipher string. It returns one on success and zero on failure.
1395  *
1396  * Prefer to use |SSL_set_strict_cipher_list|. This function tolerates garbage
1397  * inputs, unless an empty cipher list results. */
1398 OPENSSL_EXPORT int SSL_set_cipher_list(SSL *ssl, const char *str);
1399 
1400 /* SSL_CTX_get_ciphers returns the cipher list for |ctx|, in order of
1401  * preference. */
1402 OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
1403 
1404 /* SSL_get_ciphers returns the cipher list for |ssl|, in order of preference. */
1405 OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);
1406 
1407 
1408 /* Connection information. */
1409 
1410 /* SSL_is_init_finished returns one if |ssl| has completed its initial handshake
1411  * and has no pending handshake. It returns zero otherwise. */
1412 OPENSSL_EXPORT int SSL_is_init_finished(const SSL *ssl);
1413 
1414 /* SSL_in_init returns one if |ssl| has a pending handshake and zero
1415  * otherwise. */
1416 OPENSSL_EXPORT int SSL_in_init(const SSL *ssl);
1417 
1418 /* SSL_in_false_start returns one if |ssl| has a pending handshake that is in
1419  * False Start. |SSL_write| may be called at this point without waiting for the
1420  * peer, but |SSL_read| will complete the handshake before accepting application
1421  * data.
1422  *
1423  * See also |SSL_MODE_ENABLE_FALSE_START|. */
1424 OPENSSL_EXPORT int SSL_in_false_start(const SSL *ssl);
1425 
1426 /* SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the
1427  * peer did not use certificates. The caller must call |X509_free| on the
1428  * result to release it. */
1429 OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);
1430 
1431 /* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
1432  * unavailable or the peer did not use certificates. This is the unverified list
1433  * of certificates as sent by the peer, not the final chain built during
1434  * verification. The caller does not take ownership of the result.
1435  *
1436  * WARNING: This function behaves differently between client and server. If
1437  * |ssl| is a server, the returned chain does not include the leaf certificate.
1438  * If a client, it does. */
1439 OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
1440 
1441 /* SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if
1442  * unavailable or the peer did not use certificates. This is the unverified list
1443  * of certificates as sent by the peer, not the final chain built during
1444  * verification. The caller does not take ownership of the result.
1445  *
1446  * This is the same as |SSL_get_peer_cert_chain| except that this function
1447  * always returns the full chain, i.e. the first element of the return value
1448  * (if any) will be the leaf certificate. In constrast,
1449  * |SSL_get_peer_cert_chain| returns only the intermediate certificates if the
1450  * |ssl| is a server. */
1451 OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl);
1452 
1453 /* SSL_get0_peer_certificates returns the peer's certificate chain, or NULL if
1454  * unavailable or the peer did not use certificates. This is the unverified list
1455  * of certificates as sent by the peer, not the final chain built during
1456  * verification. The caller does not take ownership of the result.
1457  *
1458  * This is the |CRYPTO_BUFFER| variant of |SSL_get_peer_full_cert_chain|. */
1459 OPENSSL_EXPORT STACK_OF(CRYPTO_BUFFER) *
1460     SSL_get0_peer_certificates(const SSL *ssl);
1461 
1462 /* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to
1463  * |*out_len| bytes of SCT information from the server. This is only valid if
1464  * |ssl| is a client. The SCT information is a SignedCertificateTimestampList
1465  * (including the two leading length bytes).
1466  * See https://tools.ietf.org/html/rfc6962#section-3.3
1467  * If no SCT was received then |*out_len| will be zero on return.
1468  *
1469  * WARNING: the returned data is not guaranteed to be well formed. */
1470 OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl,
1471                                                         const uint8_t **out,
1472                                                         size_t *out_len);
1473 
1474 /* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len|
1475  * bytes of an OCSP response from the server. This is the DER encoding of an
1476  * OCSPResponse type as defined in RFC 2560.
1477  *
1478  * WARNING: the returned data is not guaranteed to be well formed. */
1479 OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
1480                                            size_t *out_len);
1481 
1482 /* SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value
1483  * for |ssl| to |out| and sets |*out_len| to the number of bytes written. It
1484  * returns one on success or zero on error. In general |max_out| should be at
1485  * least 12.
1486  *
1487  * This function will always fail if the initial handshake has not completed.
1488  * The tls-unique value will change after a renegotiation but, since
1489  * renegotiations can be initiated by the server at any point, the higher-level
1490  * protocol must either leave them disabled or define states in which the
1491  * tls-unique value can be read.
1492  *
1493  * The tls-unique value is defined by
1494  * https://tools.ietf.org/html/rfc5929#section-3.1. Due to a weakness in the
1495  * TLS protocol, tls-unique is broken for resumed connections unless the
1496  * Extended Master Secret extension is negotiated. Thus this function will
1497  * return zero if |ssl| performed session resumption unless EMS was used when
1498  * negotiating the original session. */
1499 OPENSSL_EXPORT int SSL_get_tls_unique(const SSL *ssl, uint8_t *out,
1500                                       size_t *out_len, size_t max_out);
1501 
1502 /* SSL_get_extms_support returns one if the Extended Master Secret extension or
1503  * TLS 1.3 was negotiated. Otherwise, it returns zero. */
1504 OPENSSL_EXPORT int SSL_get_extms_support(const SSL *ssl);
1505 
1506 /* SSL_get_current_cipher returns the cipher used in the current outgoing
1507  * connection state, or NULL if the null cipher is active. */
1508 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
1509 
1510 /* SSL_session_reused returns one if |ssl| performed an abbreviated handshake
1511  * and zero otherwise.
1512  *
1513  * TODO(davidben): Hammer down the semantics of this API while a handshake,
1514  * initial or renego, is in progress. */
1515 OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl);
1516 
1517 /* SSL_get_secure_renegotiation_support returns one if the peer supports secure
1518  * renegotiation (RFC 5746) or TLS 1.3. Otherwise, it returns zero. */
1519 OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl);
1520 
1521 /* SSL_export_keying_material exports a value derived from the master secret, as
1522  * specified in RFC 5705. It writes |out_len| bytes to |out| given a label and
1523  * optional context. (Since a zero length context is allowed, the |use_context|
1524  * flag controls whether a context is included.)
1525  *
1526  * It returns one on success and zero otherwise. */
1527 OPENSSL_EXPORT int SSL_export_keying_material(
1528     SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len,
1529     const uint8_t *context, size_t context_len, int use_context);
1530 
1531 
1532 /* Custom extensions.
1533  *
1534  * The custom extension functions allow TLS extensions to be added to
1535  * ClientHello and ServerHello messages. */
1536 
1537 /* SSL_custom_ext_add_cb is a callback function that is called when the
1538  * ClientHello (for clients) or ServerHello (for servers) is constructed. In
1539  * the case of a server, this callback will only be called for a given
1540  * extension if the ClientHello contained that extension – it's not possible to
1541  * inject extensions into a ServerHello that the client didn't request.
1542  *
1543  * When called, |extension_value| will contain the extension number that is
1544  * being considered for addition (so that a single callback can handle multiple
1545  * extensions). If the callback wishes to include the extension, it must set
1546  * |*out| to point to |*out_len| bytes of extension contents and return one. In
1547  * this case, the corresponding |SSL_custom_ext_free_cb| callback will later be
1548  * called with the value of |*out| once that data has been copied.
1549  *
1550  * If the callback does not wish to add an extension it must return zero.
1551  *
1552  * Alternatively, the callback can abort the connection by setting
1553  * |*out_alert_value| to a TLS alert number and returning -1. */
1554 typedef int (*SSL_custom_ext_add_cb)(SSL *ssl, unsigned extension_value,
1555                                      const uint8_t **out, size_t *out_len,
1556                                      int *out_alert_value, void *add_arg);
1557 
1558 /* SSL_custom_ext_free_cb is a callback function that is called by OpenSSL iff
1559  * an |SSL_custom_ext_add_cb| callback previously returned one. In that case,
1560  * this callback is called and passed the |out| pointer that was returned by
1561  * the add callback. This is to free any dynamically allocated data created by
1562  * the add callback. */
1563 typedef void (*SSL_custom_ext_free_cb)(SSL *ssl, unsigned extension_value,
1564                                        const uint8_t *out, void *add_arg);
1565 
1566 /* SSL_custom_ext_parse_cb is a callback function that is called by OpenSSL to
1567  * parse an extension from the peer: that is from the ServerHello for a client
1568  * and from the ClientHello for a server.
1569  *
1570  * When called, |extension_value| will contain the extension number and the
1571  * contents of the extension are |contents_len| bytes at |contents|.
1572  *
1573  * The callback must return one to continue the handshake. Otherwise, if it
1574  * returns zero, a fatal alert with value |*out_alert_value| is sent and the
1575  * handshake is aborted. */
1576 typedef int (*SSL_custom_ext_parse_cb)(SSL *ssl, unsigned extension_value,
1577                                        const uint8_t *contents,
1578                                        size_t contents_len,
1579                                        int *out_alert_value, void *parse_arg);
1580 
1581 /* SSL_extension_supported returns one iff OpenSSL internally handles
1582  * extensions of type |extension_value|. This can be used to avoid registering
1583  * custom extension handlers for extensions that a future version of OpenSSL
1584  * may handle internally. */
1585 OPENSSL_EXPORT int SSL_extension_supported(unsigned extension_value);
1586 
1587 /* SSL_CTX_add_client_custom_ext registers callback functions for handling
1588  * custom TLS extensions for client connections.
1589  *
1590  * If |add_cb| is NULL then an empty extension will be added in each
1591  * ClientHello. Otherwise, see the comment for |SSL_custom_ext_add_cb| about
1592  * this callback.
1593  *
1594  * The |free_cb| may be NULL if |add_cb| doesn't dynamically allocate data that
1595  * needs to be freed.
1596  *
1597  * It returns one on success or zero on error. It's always an error to register
1598  * callbacks for the same extension twice, or to register callbacks for an
1599  * extension that OpenSSL handles internally. See |SSL_extension_supported| to
1600  * discover, at runtime, which extensions OpenSSL handles internally. */
1601 OPENSSL_EXPORT int SSL_CTX_add_client_custom_ext(
1602     SSL_CTX *ctx, unsigned extension_value, SSL_custom_ext_add_cb add_cb,
1603     SSL_custom_ext_free_cb free_cb, void *add_arg,
1604     SSL_custom_ext_parse_cb parse_cb, void *parse_arg);
1605 
1606 /* SSL_CTX_add_server_custom_ext is the same as
1607  * |SSL_CTX_add_client_custom_ext|, but for server connections.
1608  *
1609  * Unlike on the client side, if |add_cb| is NULL no extension will be added.
1610  * The |add_cb|, if any, will only be called if the ClientHello contained a
1611  * matching extension. */
1612 OPENSSL_EXPORT int SSL_CTX_add_server_custom_ext(
1613     SSL_CTX *ctx, unsigned extension_value, SSL_custom_ext_add_cb add_cb,
1614     SSL_custom_ext_free_cb free_cb, void *add_arg,
1615     SSL_custom_ext_parse_cb parse_cb, void *parse_arg);
1616 
1617 
1618 /* Sessions.
1619  *
1620  * An |SSL_SESSION| represents an SSL session that may be resumed in an
1621  * abbreviated handshake. It is reference-counted and immutable. Once
1622  * established, an |SSL_SESSION| may be shared by multiple |SSL| objects on
1623  * different threads and must not be modified. */
1624 
1625 DECLARE_LHASH_OF(SSL_SESSION)
1626 DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
1627 
1628 /* SSL_SESSION_new returns a newly-allocated blank |SSL_SESSION| or NULL on
1629  * error. This may be useful when writing tests but should otherwise not be
1630  * used. */
1631 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_new(const SSL_CTX *ctx);
1632 
1633 /* SSL_SESSION_up_ref increments the reference count of |session| and returns
1634  * one. */
1635 OPENSSL_EXPORT int SSL_SESSION_up_ref(SSL_SESSION *session);
1636 
1637 /* SSL_SESSION_free decrements the reference count of |session|. If it reaches
1638  * zero, all data referenced by |session| and |session| itself are released. */
1639 OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *session);
1640 
1641 /* SSL_SESSION_to_bytes serializes |in| into a newly allocated buffer and sets
1642  * |*out_data| to that buffer and |*out_len| to its length. The caller takes
1643  * ownership of the buffer and must call |OPENSSL_free| when done. It returns
1644  * one on success and zero on error. */
1645 OPENSSL_EXPORT int SSL_SESSION_to_bytes(const SSL_SESSION *in,
1646                                         uint8_t **out_data, size_t *out_len);
1647 
1648 /* SSL_SESSION_to_bytes_for_ticket serializes |in|, but excludes the session
1649  * identification information, namely the session ID and ticket. */
1650 OPENSSL_EXPORT int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in,
1651                                                    uint8_t **out_data,
1652                                                    size_t *out_len);
1653 
1654 /* SSL_SESSION_from_bytes parses |in_len| bytes from |in| as an SSL_SESSION. It
1655  * returns a newly-allocated |SSL_SESSION| on success or NULL on error. */
1656 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_from_bytes(
1657     const uint8_t *in, size_t in_len, const SSL_CTX *ctx);
1658 
1659 /* SSL_SESSION_get_version returns a string describing the TLS version |session|
1660  * was established at. For example, "TLSv1.2" or "SSLv3". */
1661 OPENSSL_EXPORT const char *SSL_SESSION_get_version(const SSL_SESSION *session);
1662 
1663 /* SSL_SESSION_get_id returns a pointer to a buffer containing |session|'s
1664  * session ID and sets |*out_len| to its length. */
1665 OPENSSL_EXPORT const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session,
1666                                                  unsigned *out_len);
1667 
1668 /* SSL_SESSION_get_time returns the time at which |session| was established in
1669  * seconds since the UNIX epoch. */
1670 OPENSSL_EXPORT uint64_t SSL_SESSION_get_time(const SSL_SESSION *session);
1671 
1672 /* SSL_SESSION_get_timeout returns the lifetime of |session| in seconds. */
1673 OPENSSL_EXPORT uint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session);
1674 
1675 /* SSL_SESSION_get0_peer returns the peer leaf certificate stored in
1676  * |session|.
1677  *
1678  * TODO(davidben): This should return a const X509 *. */
1679 OPENSSL_EXPORT X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session);
1680 
1681 /* SSL_SESSION_get_master_key writes up to |max_out| bytes of |session|'s master
1682  * secret to |out| and returns the number of bytes written. If |max_out| is
1683  * zero, it returns the size of the master secret. */
1684 OPENSSL_EXPORT size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
1685                                                  uint8_t *out, size_t max_out);
1686 
1687 /* SSL_SESSION_set_time sets |session|'s creation time to |time| and returns
1688  * |time|. This function may be useful in writing tests but otherwise should not
1689  * be used. */
1690 OPENSSL_EXPORT uint64_t SSL_SESSION_set_time(SSL_SESSION *session,
1691                                              uint64_t time);
1692 
1693 /* SSL_SESSION_set_timeout sets |session|'s timeout to |timeout| and returns
1694  * one. This function may be useful in writing tests but otherwise should not
1695  * be used. */
1696 OPENSSL_EXPORT uint32_t SSL_SESSION_set_timeout(SSL_SESSION *session,
1697                                                 uint32_t timeout);
1698 
1699 /* SSL_SESSION_set1_id_context sets |session|'s session ID context (see
1700  * |SSL_CTX_set_session_id_context|) to |sid_ctx|. It returns one on success and
1701  * zero on error. This function may be useful in writing tests but otherwise
1702  * should not be used. */
1703 OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,
1704                                                const uint8_t *sid_ctx,
1705                                                size_t sid_ctx_len);
1706 
1707 
1708 /* Session caching.
1709  *
1710  * Session caching allows connections to be established more efficiently based
1711  * on saved parameters from a previous connection, called a session (see
1712  * |SSL_SESSION|). The client offers a saved session, using an opaque identifier
1713  * from a previous connection. The server may accept the session, if it has the
1714  * parameters available. Otherwise, it will decline and continue with a full
1715  * handshake.
1716  *
1717  * This requires both the client and the server to retain session state. A
1718  * client does so with a stateful session cache. A server may do the same or, if
1719  * supported by both sides, statelessly using session tickets. For more
1720  * information on the latter, see the next section.
1721  *
1722  * For a server, the library implements a built-in internal session cache as an
1723  * in-memory hash table. Servers may also use |SSL_CTX_sess_set_get_cb| and
1724  * |SSL_CTX_sess_set_new_cb| to implement a custom external session cache. In
1725  * particular, this may be used to share a session cache between multiple
1726  * servers in a large deployment. An external cache may be used in addition to
1727  * or instead of the internal one. Use |SSL_CTX_set_session_cache_mode| to
1728  * toggle the internal cache.
1729  *
1730  * For a client, the only option is an external session cache. Clients may use
1731  * |SSL_CTX_sess_set_new_cb| to register a callback for when new sessions are
1732  * available. These may be cached and, in subsequent compatible connections,
1733  * configured with |SSL_set_session|.
1734  *
1735  * Note that offering or accepting a session short-circuits certificate
1736  * verification and most parameter negotiation. Resuming sessions across
1737  * different contexts may result in security failures and surprising
1738  * behavior. For a typical client, this means sessions for different hosts must
1739  * be cached under different keys. A client that connects to the same host with,
1740  * e.g., different cipher suite settings or client certificates should also use
1741  * separate session caches between those contexts. Servers should also partition
1742  * session caches between SNI hosts with |SSL_CTX_set_session_id_context|.  */
1743 
1744 /* SSL_SESS_CACHE_OFF disables all session caching. */
1745 #define SSL_SESS_CACHE_OFF 0x0000
1746 
1747 /* SSL_SESS_CACHE_CLIENT enables session caching for a client. The internal
1748  * cache is never used on a client, so this only enables the callbacks. */
1749 #define SSL_SESS_CACHE_CLIENT 0x0001
1750 
1751 /* SSL_SESS_CACHE_SERVER enables session caching for a server. */
1752 #define SSL_SESS_CACHE_SERVER 0x0002
1753 
1754 /* SSL_SESS_CACHE_BOTH enables session caching for both client and server. */
1755 #define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER)
1756 
1757 /* SSL_SESS_CACHE_NO_AUTO_CLEAR disables automatically calling
1758  * |SSL_CTX_flush_sessions| every 255 connections. */
1759 #define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
1760 
1761 /* SSL_SESS_CACHE_NO_INTERNAL_LOOKUP, on a server, disables looking up a session
1762  * from the internal session cache. */
1763 #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
1764 
1765 /* SSL_SESS_CACHE_NO_INTERNAL_STORE, on a server, disables storing sessions in
1766  * the internal session cache. */
1767 #define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
1768 
1769 /* SSL_SESS_CACHE_NO_INTERNAL, on a server, disables the internal session
1770  * cache. */
1771 #define SSL_SESS_CACHE_NO_INTERNAL \
1772     (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)
1773 
1774 /* SSL_CTX_set_session_cache_mode sets the session cache mode bits for |ctx| to
1775  * |mode|. It returns the previous value. */
1776 OPENSSL_EXPORT int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);
1777 
1778 /* SSL_CTX_get_session_cache_mode returns the session cache mode bits for
1779  * |ctx| */
1780 OPENSSL_EXPORT int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx);
1781 
1782 /* SSL_set_session, for a client, configures |ssl| to offer to resume |session|
1783  * in the initial handshake and returns one. The caller retains ownership of
1784  * |session|.
1785  *
1786  * It is an error to call this function after the handshake has begun. */
1787 OPENSSL_EXPORT int SSL_set_session(SSL *ssl, SSL_SESSION *session);
1788 
1789 /* SSL_DEFAULT_SESSION_TIMEOUT is the default lifetime, in seconds, of a
1790  * session in TLS 1.2 or earlier. This is how long we are willing to use the
1791  * secret to encrypt traffic without fresh key material. */
1792 #define SSL_DEFAULT_SESSION_TIMEOUT (2 * 60 * 60)
1793 
1794 /* SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT is the default lifetime, in seconds, of a
1795  * session for TLS 1.3 psk_dhe_ke. This is how long we are willing to use the
1796  * secret as an authenticator. */
1797 #define SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT (2 * 24 * 60 * 60)
1798 
1799 /* SSL_DEFAULT_SESSION_AUTH_TIMEOUT is the default non-renewable lifetime, in
1800  * seconds, of a TLS 1.3 session. This is how long we are willing to trust the
1801  * signature in the initial handshake. */
1802 #define SSL_DEFAULT_SESSION_AUTH_TIMEOUT (7 * 24 * 60 * 60)
1803 
1804 /* SSL_CTX_set_timeout sets the lifetime, in seconds, of TLS 1.2 (or earlier)
1805  * sessions created in |ctx| to |timeout|. */
1806 OPENSSL_EXPORT uint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout);
1807 
1808 /* SSL_CTX_set_session_psk_dhe_timeout sets the lifetime, in seconds, of TLS 1.3
1809  * sessions created in |ctx| to |timeout|. */
1810 OPENSSL_EXPORT void SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx,
1811                                                         uint32_t timeout);
1812 
1813 /* SSL_CTX_get_timeout returns the lifetime, in seconds, of TLS 1.2 (or earlier)
1814  * sessions created in |ctx|. */
1815 OPENSSL_EXPORT uint32_t SSL_CTX_get_timeout(const SSL_CTX *ctx);
1816 
1817 /* SSL_CTX_set_session_id_context sets |ctx|'s session ID context to |sid_ctx|.
1818  * It returns one on success and zero on error. The session ID context is an
1819  * application-defined opaque byte string. A session will not be used in a
1820  * connection without a matching session ID context.
1821  *
1822  * For a server, if |SSL_VERIFY_PEER| is enabled, it is an error to not set a
1823  * session ID context. */
1824 OPENSSL_EXPORT int SSL_CTX_set_session_id_context(SSL_CTX *ctx,
1825                                                   const uint8_t *sid_ctx,
1826                                                   size_t sid_ctx_len);
1827 
1828 /* SSL_set_session_id_context sets |ssl|'s session ID context to |sid_ctx|. It
1829  * returns one on success and zero on error. See also
1830  * |SSL_CTX_set_session_id_context|. */
1831 OPENSSL_EXPORT int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,
1832                                               size_t sid_ctx_len);
1833 
1834 /* SSL_get0_session_id_context returns a pointer to |ssl|'s session ID context
1835  * and sets |*out_len| to its length. */
1836 OPENSSL_EXPORT const uint8_t *SSL_get0_session_id_context(const SSL *ssl,
1837                                                           size_t *out_len);
1838 
1839 /* SSL_SESSION_CACHE_MAX_SIZE_DEFAULT is the default maximum size of a session
1840  * cache. */
1841 #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024 * 20)
1842 
1843 /* SSL_CTX_sess_set_cache_size sets the maximum size of |ctx|'s internal session
1844  * cache to |size|. It returns the previous value. */
1845 OPENSSL_EXPORT unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx,
1846                                                          unsigned long size);
1847 
1848 /* SSL_CTX_sess_get_cache_size returns the maximum size of |ctx|'s internal
1849  * session cache. */
1850 OPENSSL_EXPORT unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx);
1851 
1852 /* SSL_CTX_sessions returns |ctx|'s internal session cache. */
1853 OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
1854 
1855 /* SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal
1856  * session cache. */
1857 OPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx);
1858 
1859 /* SSL_CTX_add_session inserts |session| into |ctx|'s internal session cache. It
1860  * returns one on success and zero on error or if |session| is already in the
1861  * cache. The caller retains its reference to |session|. */
1862 OPENSSL_EXPORT int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);
1863 
1864 /* SSL_CTX_remove_session removes |session| from |ctx|'s internal session cache.
1865  * It returns one on success and zero if |session| was not in the cache. */
1866 OPENSSL_EXPORT int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session);
1867 
1868 /* SSL_CTX_flush_sessions removes all sessions from |ctx| which have expired as
1869  * of time |time|. If |time| is zero, all sessions are removed. */
1870 OPENSSL_EXPORT void SSL_CTX_flush_sessions(SSL_CTX *ctx, uint64_t time);
1871 
1872 /* SSL_CTX_sess_set_new_cb sets the callback to be called when a new session is
1873  * established and ready to be cached. If the session cache is disabled (the
1874  * appropriate one of |SSL_SESS_CACHE_CLIENT| or |SSL_SESS_CACHE_SERVER| is
1875  * unset), the callback is not called.
1876  *
1877  * The callback is passed a reference to |session|. It returns one if it takes
1878  * ownership (and then calls |SSL_SESSION_free| when done) and zero otherwise. A
1879  * consumer which places |session| into an in-memory cache will likely return
1880  * one, with the cache calling |SSL_SESSION_free|. A consumer which serializes
1881  * |session| with |SSL_SESSION_to_bytes| may not need to retain |session| and
1882  * will likely return zero. Returning one is equivalent to calling
1883  * |SSL_SESSION_up_ref| and then returning zero.
1884  *
1885  * Note: For a client, the callback may be called on abbreviated handshakes if a
1886  * ticket is renewed. Further, it may not be called until some time after
1887  * |SSL_do_handshake| or |SSL_connect| completes if False Start is enabled. Thus
1888  * it's recommended to use this callback over calling |SSL_get_session| on
1889  * handshake completion. */
1890 OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb(
1891     SSL_CTX *ctx, int (*new_session_cb)(SSL *ssl, SSL_SESSION *session));
1892 
1893 /* SSL_CTX_sess_get_new_cb returns the callback set by
1894  * |SSL_CTX_sess_set_new_cb|. */
1895 OPENSSL_EXPORT int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(
1896     SSL *ssl, SSL_SESSION *session);
1897 
1898 /* SSL_CTX_sess_set_remove_cb sets a callback which is called when a session is
1899  * removed from the internal session cache.
1900  *
1901  * TODO(davidben): What is the point of this callback? It seems useless since it
1902  * only fires on sessions in the internal cache. */
1903 OPENSSL_EXPORT void SSL_CTX_sess_set_remove_cb(
1904     SSL_CTX *ctx,
1905     void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *session));
1906 
1907 /* SSL_CTX_sess_get_remove_cb returns the callback set by
1908  * |SSL_CTX_sess_set_remove_cb|. */
1909 OPENSSL_EXPORT void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(
1910     SSL_CTX *ctx, SSL_SESSION *session);
1911 
1912 /* SSL_CTX_sess_set_get_cb sets a callback to look up a session by ID for a
1913  * server. The callback is passed the session ID and should return a matching
1914  * |SSL_SESSION| or NULL if not found. It should set |*out_copy| to zero and
1915  * return a new reference to the session. This callback is not used for a
1916  * client.
1917  *
1918  * For historical reasons, if |*out_copy| is set to one (default), the SSL
1919  * library will take a new reference to the returned |SSL_SESSION|, expecting
1920  * the callback to return a non-owning pointer. This is not recommended. If
1921  * |ctx| and thus the callback is used on multiple threads, the session may be
1922  * removed and invalidated before the SSL library calls |SSL_SESSION_up_ref|,
1923  * whereas the callback may synchronize internally.
1924  *
1925  * To look up a session asynchronously, the callback may return
1926  * |SSL_magic_pending_session_ptr|. See the documentation for that function and
1927  * |SSL_ERROR_PENDING_SESSION|.
1928  *
1929  * If the internal session cache is enabled, the callback is only consulted if
1930  * the internal cache does not return a match.
1931  *
1932  * The callback's |id| parameter is not const for historical reasons, but the
1933  * contents may not be modified. */
1934 OPENSSL_EXPORT void SSL_CTX_sess_set_get_cb(
1935     SSL_CTX *ctx,
1936     SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *id, int id_len,
1937                                    int *out_copy));
1938 
1939 /* SSL_CTX_sess_get_get_cb returns the callback set by
1940  * |SSL_CTX_sess_set_get_cb|. */
1941 OPENSSL_EXPORT SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(
1942     SSL *ssl, uint8_t *id, int id_len, int *out_copy);
1943 
1944 /* SSL_magic_pending_session_ptr returns a magic |SSL_SESSION|* which indicates
1945  * that the session isn't currently unavailable. |SSL_get_error| will then
1946  * return |SSL_ERROR_PENDING_SESSION| and the handshake can be retried later
1947  * when the lookup has completed. */
1948 OPENSSL_EXPORT SSL_SESSION *SSL_magic_pending_session_ptr(void);
1949 
1950 
1951 /* Session tickets.
1952  *
1953  * Session tickets, from RFC 5077, allow session resumption without server-side
1954  * state. The server maintains a secret ticket key and sends the client opaque
1955  * encrypted session parameters, called a ticket. When offering the session, the
1956  * client sends the ticket which the server decrypts to recover session state.
1957  * Session tickets are enabled by default but may be disabled with
1958  * |SSL_OP_NO_TICKET|.
1959  *
1960  * On the client, ticket-based sessions use the same APIs as ID-based tickets.
1961  * Callers do not need to handle them differently.
1962  *
1963  * On the server, tickets are encrypted and authenticated with a secret key. By
1964  * default, an |SSL_CTX| generates a key on creation and uses it for the
1965  * lifetime of the |SSL_CTX|. Tickets are minted and processed
1966  * transparently. The following functions may be used to configure a persistent
1967  * key or implement more custom behavior, including key rotation and sharing
1968  * keys between multiple servers in a large deployment. There are three levels
1969  * of customisation possible:
1970  *
1971  * 1) One can simply set the keys with |SSL_CTX_set_tlsext_ticket_keys|.
1972  * 2) One can configure an |EVP_CIPHER_CTX| and |HMAC_CTX| directly for
1973  *    encryption and authentication.
1974  * 3) One can configure an |SSL_TICKET_ENCRYPTION_METHOD| to have more control
1975  *    and the option of asynchronous decryption.
1976  *
1977  * An attacker that compromises a server's session ticket key can impersonate
1978  * the server and, prior to TLS 1.3, retroactively decrypt all application
1979  * traffic from sessions using that ticket key. Thus ticket keys must be
1980  * regularly rotated for forward secrecy. Note the default key is currently not
1981  * rotated.
1982  *
1983  * TODO(davidben): This is silly. Rotate the default key automatically. */
1984 
1985 /* SSL_CTX_get_tlsext_ticket_keys writes |ctx|'s session ticket key material to
1986  * |len| bytes of |out|. It returns one on success and zero if |len| is not
1987  * 48. If |out| is NULL, it returns 48 instead. */
1988 OPENSSL_EXPORT int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out,
1989                                                   size_t len);
1990 
1991 /* SSL_CTX_set_tlsext_ticket_keys sets |ctx|'s session ticket key material to
1992  * |len| bytes of |in|. It returns one on success and zero if |len| is not
1993  * 48. If |in| is NULL, it returns 48 instead. */
1994 OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in,
1995                                                   size_t len);
1996 
1997 /* SSL_TICKET_KEY_NAME_LEN is the length of the key name prefix of a session
1998  * ticket. */
1999 #define SSL_TICKET_KEY_NAME_LEN 16
2000 
2001 /* SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and
2002  * returns one. |callback| will be called when encrypting a new ticket and when
2003  * decrypting a ticket from the client.
2004  *
2005  * In both modes, |ctx| and |hmac_ctx| will already have been initialized with
2006  * |EVP_CIPHER_CTX_init| and |HMAC_CTX_init|, respectively. |callback|
2007  * configures |hmac_ctx| with an HMAC digest and key, and configures |ctx|
2008  * for encryption or decryption, based on the mode.
2009  *
2010  * When encrypting a new ticket, |encrypt| will be one. It writes a public
2011  * 16-byte key name to |key_name| and a fresh IV to |iv|. The output IV length
2012  * must match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
2013  * |callback| returns 1 on success and -1 on error.
2014  *
2015  * When decrypting a ticket, |encrypt| will be zero. |key_name| will point to a
2016  * 16-byte key name and |iv| points to an IV. The length of the IV consumed must
2017  * match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
2018  * |callback| returns -1 to abort the handshake, 0 if decrypting the ticket
2019  * failed, and 1 or 2 on success. If it returns 2, the ticket will be renewed.
2020  * This may be used to re-key the ticket.
2021  *
2022  * WARNING: |callback| wildly breaks the usual return value convention and is
2023  * called in two different modes. */
2024 OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb(
2025     SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
2026                                   EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
2027                                   int encrypt));
2028 
2029 /* ssl_ticket_aead_result_t enumerates the possible results from decrypting a
2030  * ticket with an |SSL_TICKET_AEAD_METHOD|. */
2031 enum ssl_ticket_aead_result_t {
2032   /* ssl_ticket_aead_success indicates that the ticket was successfully
2033    * decrypted. */
2034   ssl_ticket_aead_success,
2035   /* ssl_ticket_aead_retry indicates that the operation could not be
2036    * immediately completed and must be reattempted, via |open|, at a later
2037    * point. */
2038   ssl_ticket_aead_retry,
2039   /* ssl_ticket_aead_ignore_ticket indicates that the ticket should be ignored
2040    * (i.e. is corrupt or otherwise undecryptable). */
2041   ssl_ticket_aead_ignore_ticket,
2042   /* ssl_ticket_aead_error indicates that a fatal error occured and the
2043    * handshake should be terminated. */
2044   ssl_ticket_aead_error,
2045 };
2046 
2047 /* ssl_ticket_aead_method_st (aka |SSL_TICKET_ENCRYPTION_METHOD|) contains
2048  * methods for encrypting and decrypting session tickets. */
2049 struct ssl_ticket_aead_method_st {
2050   /* max_overhead returns the maximum number of bytes of overhead that |seal|
2051    * may add. */
2052   size_t (*max_overhead)(SSL *ssl);
2053 
2054   /* seal encrypts and authenticates |in_len| bytes from |in|, writes, at most,
2055    * |max_out_len| bytes to |out|, and puts the number of bytes written in
2056    * |*out_len|. The |in| and |out| buffers may be equal but will not otherwise
2057    * alias. It returns one on success or zero on error. */
2058   int (*seal)(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
2059               const uint8_t *in, size_t in_len);
2060 
2061   /* open authenticates and decrypts |in_len| bytes from |in|, writes, at most,
2062    * |max_out_len| bytes of plaintext to |out|, and puts the number of bytes
2063    * written in |*out_len|. The |in| and |out| buffers may be equal but will
2064    * not otherwise alias. See |ssl_ticket_aead_result_t| for details of the
2065    * return values. In the case that a retry is indicated, the caller should
2066    * arrange for the high-level operation on |ssl| to be retried when the
2067    * operation is completed, which will result in another call to |open|. */
2068   enum ssl_ticket_aead_result_t (*open)(SSL *ssl, uint8_t *out, size_t *out_len,
2069                                         size_t max_out_len, const uint8_t *in,
2070                                         size_t in_len);
2071 };
2072 
2073 /* SSL_CTX_set_ticket_aead_method configures a custom ticket AEAD method table
2074  * on |ctx|. |aead_method| must remain valid for the lifetime of |ctx|. */
2075 OPENSSL_EXPORT void SSL_CTX_set_ticket_aead_method(
2076     SSL_CTX *ctx, const SSL_TICKET_AEAD_METHOD *aead_method);
2077 
2078 
2079 /* Elliptic curve Diffie-Hellman.
2080  *
2081  * Cipher suites using an ECDHE key exchange perform Diffie-Hellman over an
2082  * elliptic curve negotiated by both endpoints. See RFC 4492. Only named curves
2083  * are supported. ECDHE is always enabled, but the curve preferences may be
2084  * configured with these functions.
2085  *
2086  * Note that TLS 1.3 renames these from curves to groups. For consistency, we
2087  * currently use the TLS 1.2 name in the API. */
2088 
2089 /* SSL_CTX_set1_curves sets the preferred curves for |ctx| to be |curves|. Each
2090  * element of |curves| should be a curve nid. It returns one on success and
2091  * zero on failure.
2092  *
2093  * Note that this API uses nid values from nid.h and not the |SSL_CURVE_*|
2094  * values defined below. */
2095 OPENSSL_EXPORT int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves,
2096                                        size_t curves_len);
2097 
2098 /* SSL_set1_curves sets the preferred curves for |ssl| to be |curves|. Each
2099  * element of |curves| should be a curve nid. It returns one on success and
2100  * zero on failure.
2101  *
2102  * Note that this API uses nid values from nid.h and not the |SSL_CURVE_*|
2103  * values defined below. */
2104 OPENSSL_EXPORT int SSL_set1_curves(SSL *ssl, const int *curves,
2105                                    size_t curves_len);
2106 
2107 /* SSL_CTX_set1_curves_list sets the preferred curves for |ctx| to be the
2108  * colon-separated list |curves|. Each element of |curves| should be a curve
2109  * name (e.g. P-256, X25519, ...). It returns one on success and zero on
2110  * failure. */
2111 OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves);
2112 
2113 /* SSL_set1_curves_list sets the preferred curves for |ssl| to be the
2114  * colon-separated list |curves|. Each element of |curves| should be a curve
2115  * name (e.g. P-256, X25519, ...). It returns one on success and zero on
2116  * failure. */
2117 OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
2118 
2119 /* SSL_CURVE_* define TLS curve IDs. */
2120 #define SSL_CURVE_SECP224R1 21
2121 #define SSL_CURVE_SECP256R1 23
2122 #define SSL_CURVE_SECP384R1 24
2123 #define SSL_CURVE_SECP521R1 25
2124 #define SSL_CURVE_X25519 29
2125 
2126 /* SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
2127  * completed handshake or 0 if not applicable.
2128  *
2129  * TODO(davidben): This API currently does not work correctly if there is a
2130  * renegotiation in progress. Fix this. */
2131 OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl);
2132 
2133 /* SSL_get_curve_name returns a human-readable name for the curve specified by
2134  * the given TLS curve id, or NULL if the curve is unknown. */
2135 OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);
2136 
2137 
2138 /* Certificate verification.
2139  *
2140  * SSL may authenticate either endpoint with an X.509 certificate. Typically
2141  * this is used to authenticate the server to the client. These functions
2142  * configure certificate verification.
2143  *
2144  * WARNING: By default, certificate verification errors on a client are not
2145  * fatal. See |SSL_VERIFY_NONE| This may be configured with
2146  * |SSL_CTX_set_verify|.
2147  *
2148  * By default clients are anonymous but a server may request a certificate from
2149  * the client by setting |SSL_VERIFY_PEER|.
2150  *
2151  * Many of these functions use OpenSSL's legacy X.509 stack which is
2152  * underdocumented and deprecated, but the replacement isn't ready yet. For
2153  * now, consumers may use the existing stack or bypass it by performing
2154  * certificate verification externally. This may be done with
2155  * |SSL_CTX_set_cert_verify_callback| or by extracting the chain with
2156  * |SSL_get_peer_cert_chain| after the handshake. In the future, functions will
2157  * be added to use the SSL stack without dependency on any part of the legacy
2158  * X.509 and ASN.1 stack.
2159  *
2160  * To augment certificate verification, a client may also enable OCSP stapling
2161  * (RFC 6066) and Certificate Transparency (RFC 6962) extensions. */
2162 
2163 /* SSL_VERIFY_NONE, on a client, verifies the server certificate but does not
2164  * make errors fatal. The result may be checked with |SSL_get_verify_result|. On
2165  * a server it does not request a client certificate. This is the default. */
2166 #define SSL_VERIFY_NONE 0x00
2167 
2168 /* SSL_VERIFY_PEER, on a client, makes server certificate errors fatal. On a
2169  * server it requests a client certificate and makes errors fatal. However,
2170  * anonymous clients are still allowed. See
2171  * |SSL_VERIFY_FAIL_IF_NO_PEER_CERT|. */
2172 #define SSL_VERIFY_PEER 0x01
2173 
2174 /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT configures a server to reject connections if
2175  * the client declines to send a certificate. This flag must be used together
2176  * with |SSL_VERIFY_PEER|, otherwise it won't work. */
2177 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
2178 
2179 /* SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate
2180  * if and only if Channel ID is not negotiated. */
2181 #define SSL_VERIFY_PEER_IF_NO_OBC 0x04
2182 
2183 /* SSL_CTX_set_verify configures certificate verification behavior. |mode| is
2184  * one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is
2185  * used to customize certificate verification. See the behavior of
2186  * |X509_STORE_CTX_set_verify_cb|.
2187  *
2188  * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
2189  * |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. */
2190 OPENSSL_EXPORT void SSL_CTX_set_verify(
2191     SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx));
2192 
2193 /* SSL_set_verify configures certificate verification behavior. |mode| is one of
2194  * the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to
2195  * customize certificate verification. See the behavior of
2196  * |X509_STORE_CTX_set_verify_cb|.
2197  *
2198  * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
2199  * |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. */
2200 OPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode,
2201                                    int (*callback)(int ok,
2202                                                    X509_STORE_CTX *store_ctx));
2203 
2204 /* SSL_CTX_get_verify_mode returns |ctx|'s verify mode, set by
2205  * |SSL_CTX_set_verify|. */
2206 OPENSSL_EXPORT int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
2207 
2208 /* SSL_get_verify_mode returns |ssl|'s verify mode, set by |SSL_CTX_set_verify|
2209  * or |SSL_set_verify|. */
2210 OPENSSL_EXPORT int SSL_get_verify_mode(const SSL *ssl);
2211 
2212 /* SSL_CTX_get_verify_callback returns the callback set by
2213  * |SSL_CTX_set_verify|. */
2214 OPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
2215     int ok, X509_STORE_CTX *store_ctx);
2216 
2217 /* SSL_get_verify_callback returns the callback set by |SSL_CTX_set_verify| or
2218  * |SSL_set_verify|. */
2219 OPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *ssl))(
2220     int ok, X509_STORE_CTX *store_ctx);
2221 
2222 /* SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain
2223  * accepted in verification. This number does not include the leaf, so a depth
2224  * of 1 allows the leaf and one CA certificate. */
2225 OPENSSL_EXPORT void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
2226 
2227 /* SSL_set_verify_depth sets the maximum depth of a certificate chain accepted
2228  * in verification. This number does not include the leaf, so a depth of 1
2229  * allows the leaf and one CA certificate. */
2230 OPENSSL_EXPORT void SSL_set_verify_depth(SSL *ssl, int depth);
2231 
2232 /* SSL_CTX_get_verify_depth returns the maximum depth of a certificate accepted
2233  * in verification. */
2234 OPENSSL_EXPORT int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
2235 
2236 /* SSL_get_verify_depth returns the maximum depth of a certificate accepted in
2237  * verification. */
2238 OPENSSL_EXPORT int SSL_get_verify_depth(const SSL *ssl);
2239 
2240 /* SSL_CTX_set1_param sets verification parameters from |param|. It returns one
2241  * on success and zero on failure. The caller retains ownership of |param|. */
2242 OPENSSL_EXPORT int SSL_CTX_set1_param(SSL_CTX *ctx,
2243                                       const X509_VERIFY_PARAM *param);
2244 
2245 /* SSL_set1_param sets verification parameters from |param|. It returns one on
2246  * success and zero on failure. The caller retains ownership of |param|. */
2247 OPENSSL_EXPORT int SSL_set1_param(SSL *ssl,
2248                                   const X509_VERIFY_PARAM *param);
2249 
2250 /* SSL_CTX_get0_param returns |ctx|'s |X509_VERIFY_PARAM| for certificate
2251  * verification. The caller must not release the returned pointer but may call
2252  * functions on it to configure it. */
2253 OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
2254 
2255 /* SSL_get0_param returns |ssl|'s |X509_VERIFY_PARAM| for certificate
2256  * verification. The caller must not release the returned pointer but may call
2257  * functions on it to configure it. */
2258 OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
2259 
2260 /* SSL_CTX_set_purpose sets |ctx|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to
2261  * |purpose|. It returns one on success and zero on error. */
2262 OPENSSL_EXPORT int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose);
2263 
2264 /* SSL_set_purpose sets |ssl|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to
2265  * |purpose|. It returns one on success and zero on error. */
2266 OPENSSL_EXPORT int SSL_set_purpose(SSL *ssl, int purpose);
2267 
2268 /* SSL_CTX_set_trust sets |ctx|'s |X509_VERIFY_PARAM|'s 'trust' parameter to
2269  * |trust|. It returns one on success and zero on error. */
2270 OPENSSL_EXPORT int SSL_CTX_set_trust(SSL_CTX *ctx, int trust);
2271 
2272 /* SSL_set_trust sets |ssl|'s |X509_VERIFY_PARAM|'s 'trust' parameter to
2273  * |trust|. It returns one on success and zero on error. */
2274 OPENSSL_EXPORT int SSL_set_trust(SSL *ssl, int trust);
2275 
2276 /* SSL_CTX_set_cert_store sets |ctx|'s certificate store to |store|. It takes
2277  * ownership of |store|. The store is used for certificate verification.
2278  *
2279  * The store is also used for the auto-chaining feature, but this is deprecated.
2280  * See also |SSL_MODE_NO_AUTO_CHAIN|. */
2281 OPENSSL_EXPORT void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
2282 
2283 /* SSL_CTX_get_cert_store returns |ctx|'s certificate store. */
2284 OPENSSL_EXPORT X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
2285 
2286 /* SSL_CTX_set_default_verify_paths loads the OpenSSL system-default trust
2287  * anchors into |ctx|'s store. It returns one on success and zero on failure. */
2288 OPENSSL_EXPORT int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
2289 
2290 /* SSL_CTX_load_verify_locations loads trust anchors into |ctx|'s store from
2291  * |ca_file| and |ca_dir|, either of which may be NULL. If |ca_file| is passed,
2292  * it is opened and PEM-encoded CA certificates are read. If |ca_dir| is passed,
2293  * it is treated as a directory in OpenSSL's hashed directory format. It returns
2294  * one on success and zero on failure.
2295  *
2296  * See
2297  * https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html
2298  * for documentation on the directory format. */
2299 OPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
2300                                                  const char *ca_file,
2301                                                  const char *ca_dir);
2302 
2303 /* SSL_get_verify_result returns the result of certificate verification. It is
2304  * either |X509_V_OK| or a |X509_V_ERR_*| value. */
2305 OPENSSL_EXPORT long SSL_get_verify_result(const SSL *ssl);
2306 
2307 /* SSL_get_ex_data_X509_STORE_CTX_idx returns the ex_data index used to look up
2308  * the |SSL| associated with an |X509_STORE_CTX| in the verify callback. */
2309 OPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void);
2310 
2311 /* SSL_CTX_set_cert_verify_callback sets a custom callback to be called on
2312  * certificate verification rather than |X509_verify_cert|. |store_ctx| contains
2313  * the verification parameters. The callback should return one on success and
2314  * zero on fatal error. It may use |X509_STORE_CTX_set_error| to set a
2315  * verification result.
2316  *
2317  * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| to recover the
2318  * |SSL| object from |store_ctx|. */
2319 OPENSSL_EXPORT void SSL_CTX_set_cert_verify_callback(
2320     SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *store_ctx, void *arg),
2321     void *arg);
2322 
2323 /* SSL_CTX_i_promise_to_verify_certs_after_the_handshake indicates that the
2324  * caller understands that the |CRYPTO_BUFFER|-based methods currently require
2325  * post-handshake verification of certificates and thus it's ok to accept any
2326  * certificates during the handshake. */
2327 OPENSSL_EXPORT void SSL_CTX_i_promise_to_verify_certs_after_the_handshake(
2328     SSL_CTX *ctx);
2329 
2330 /* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end
2331  * of a connection) to request SCTs from the server. See
2332  * https://tools.ietf.org/html/rfc6962.
2333  *
2334  * Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the
2335  * handshake. */
2336 OPENSSL_EXPORT void SSL_enable_signed_cert_timestamps(SSL *ssl);
2337 
2338 /* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL
2339  * objects created from |ctx|.
2340  *
2341  * Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the
2342  * handshake. */
2343 OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx);
2344 
2345 /* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a
2346  * connection) to request a stapled OCSP response from the server.
2347  *
2348  * Call |SSL_get0_ocsp_response| to recover the OCSP response after the
2349  * handshake. */
2350 OPENSSL_EXPORT void SSL_enable_ocsp_stapling(SSL *ssl);
2351 
2352 /* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects
2353  * created from |ctx|.
2354  *
2355  * Call |SSL_get0_ocsp_response| to recover the OCSP response after the
2356  * handshake. */
2357 OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx);
2358 
2359 /* SSL_CTX_set0_verify_cert_store sets an |X509_STORE| that will be used
2360  * exclusively for certificate verification and returns one. Ownership of
2361  * |store| is transferred to the |SSL_CTX|. */
2362 OPENSSL_EXPORT int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx,
2363                                                   X509_STORE *store);
2364 
2365 /* SSL_CTX_set1_verify_cert_store sets an |X509_STORE| that will be used
2366  * exclusively for certificate verification and returns one. An additional
2367  * reference to |store| will be taken. */
2368 OPENSSL_EXPORT int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx,
2369                                                   X509_STORE *store);
2370 
2371 /* SSL_set0_verify_cert_store sets an |X509_STORE| that will be used
2372  * exclusively for certificate verification and returns one. Ownership of
2373  * |store| is transferred to the |SSL|. */
2374 OPENSSL_EXPORT int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store);
2375 
2376 /* SSL_set1_verify_cert_store sets an |X509_STORE| that will be used
2377  * exclusively for certificate verification and returns one. An additional
2378  * reference to |store| will be taken. */
2379 OPENSSL_EXPORT int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store);
2380 
2381 /* SSL_CTX_set_ed25519_enabled configures whether |ctx| advertises support for
2382  * the Ed25519 signature algorithm when using the default preference list. */
2383 OPENSSL_EXPORT void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled);
2384 
2385 /* SSL_CTX_set_verify_algorithm_prefs confingures |ctx| to use |prefs| as the
2386  * preference list when verifying signature's from the peer's long-term key. It
2387  * returns one on zero on error. |prefs| should not include the internal-only
2388  * value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
2389 OPENSSL_EXPORT int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx,
2390                                                       const uint16_t *prefs,
2391                                                       size_t num_prefs);
2392 
2393 
2394 /* Client certificate CA list.
2395  *
2396  * When requesting a client certificate, a server may advertise a list of
2397  * certificate authorities which are accepted. These functions may be used to
2398  * configure this list. */
2399 
2400 /* SSL_set_client_CA_list sets |ssl|'s client certificate CA list to
2401  * |name_list|. It takes ownership of |name_list|. */
2402 OPENSSL_EXPORT void SSL_set_client_CA_list(SSL *ssl,
2403                                            STACK_OF(X509_NAME) *name_list);
2404 
2405 /* SSL_CTX_set_client_CA_list sets |ctx|'s client certificate CA list to
2406  * |name_list|. It takes ownership of |name_list|. */
2407 OPENSSL_EXPORT void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,
2408                                                STACK_OF(X509_NAME) *name_list);
2409 
2410 /* SSL_get_client_CA_list returns |ssl|'s client certificate CA list. If |ssl|
2411  * has not been configured as a client, this is the list configured by
2412  * |SSL_CTX_set_client_CA_list|.
2413  *
2414  * If configured as a client, it returns the client certificate CA list sent by
2415  * the server. In this mode, the behavior is undefined except during the
2416  * callbacks set by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or
2417  * when the handshake is paused because of them. */
2418 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl);
2419 
2420 /* SSL_get0_server_requested_CAs returns the CAs sent by a server to guide a
2421  * client in certificate selection. They are a series of DER-encoded X.509
2422  * names. This function may only be called during a callback set by
2423  * |SSL_CTX_set_cert_cb| or when the handshake is paused because of it.
2424  *
2425  * The returned stack is owned by |ssl|, as are its contents. It should not be
2426  * used past the point where the handshake is restarted after the callback. */
2427 OPENSSL_EXPORT STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(
2428     const SSL *ssl);
2429 
2430 /* SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list. */
2431 OPENSSL_EXPORT STACK_OF(X509_NAME) *
2432     SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
2433 
2434 /* SSL_add_client_CA appends |x509|'s subject to the client certificate CA list.
2435  * It returns one on success or zero on error. The caller retains ownership of
2436  * |x509|. */
2437 OPENSSL_EXPORT int SSL_add_client_CA(SSL *ssl, X509 *x509);
2438 
2439 /* SSL_CTX_add_client_CA appends |x509|'s subject to the client certificate CA
2440  * list. It returns one on success or zero on error. The caller retains
2441  * ownership of |x509|. */
2442 OPENSSL_EXPORT int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509);
2443 
2444 /* SSL_load_client_CA_file opens |file| and reads PEM-encoded certificates from
2445  * it. It returns a newly-allocated stack of the certificate subjects or NULL
2446  * on error. */
2447 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
2448 
2449 /* SSL_dup_CA_list makes a deep copy of |list|. It returns the new list on
2450  * success or NULL on allocation error. */
2451 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list);
2452 
2453 /* SSL_add_file_cert_subjects_to_stack behaves like |SSL_load_client_CA_file|
2454  * but appends the result to |out|. It returns one on success or zero on
2455  * error. */
2456 OPENSSL_EXPORT int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
2457                                                        const char *file);
2458 
2459 
2460 /* Server name indication.
2461  *
2462  * The server_name extension (RFC 3546) allows the client to advertise the name
2463  * of the server it is connecting to. This is used in virtual hosting
2464  * deployments to select one of a several certificates on a single IP. Only the
2465  * host_name name type is supported. */
2466 
2467 #define TLSEXT_NAMETYPE_host_name 0
2468 
2469 /* SSL_set_tlsext_host_name, for a client, configures |ssl| to advertise |name|
2470  * in the server_name extension. It returns one on success and zero on error. */
2471 OPENSSL_EXPORT int SSL_set_tlsext_host_name(SSL *ssl, const char *name);
2472 
2473 /* SSL_get_servername, for a server, returns the hostname supplied by the
2474  * client or NULL if there was none. The |type| argument must be
2475  * |TLSEXT_NAMETYPE_host_name|. */
2476 OPENSSL_EXPORT const char *SSL_get_servername(const SSL *ssl, const int type);
2477 
2478 /* SSL_get_servername_type, for a server, returns |TLSEXT_NAMETYPE_host_name|
2479  * if the client sent a hostname and -1 otherwise. */
2480 OPENSSL_EXPORT int SSL_get_servername_type(const SSL *ssl);
2481 
2482 /* SSL_CTX_set_tlsext_servername_callback configures |callback| to be called on
2483  * the server after ClientHello extensions have been parsed and returns one.
2484  * The callback may use |SSL_get_servername| to examine the server_name
2485  * extension and returns a |SSL_TLSEXT_ERR_*| value. The value of |arg| may be
2486  * set by calling |SSL_CTX_set_tlsext_servername_arg|.
2487  *
2488  * If the callback returns |SSL_TLSEXT_ERR_NOACK|, the server_name extension is
2489  * not acknowledged in the ServerHello. If the return value is
2490  * |SSL_TLSEXT_ERR_ALERT_FATAL|, then |*out_alert| is the alert to send,
2491  * defaulting to |SSL_AD_UNRECOGNIZED_NAME|. |SSL_TLSEXT_ERR_ALERT_WARNING| is
2492  * ignored and treated as |SSL_TLSEXT_ERR_OK|. */
2493 OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
2494     SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg));
2495 
2496 /* SSL_CTX_set_tlsext_servername_arg sets the argument to the servername
2497  * callback and returns one. See |SSL_CTX_set_tlsext_servername_callback|. */
2498 OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);
2499 
2500 /* SSL_TLSEXT_ERR_* are values returned by some extension-related callbacks. */
2501 #define SSL_TLSEXT_ERR_OK 0
2502 #define SSL_TLSEXT_ERR_ALERT_WARNING 1
2503 #define SSL_TLSEXT_ERR_ALERT_FATAL 2
2504 #define SSL_TLSEXT_ERR_NOACK 3
2505 
2506 /* SSL_set_SSL_CTX changes |ssl|'s |SSL_CTX|. |ssl| will use the
2507  * certificate-related settings from |ctx|, and |SSL_get_SSL_CTX| will report
2508  * |ctx|. This function may be used during the callbacks registered by
2509  * |SSL_CTX_set_select_certificate_cb|,
2510  * |SSL_CTX_set_tlsext_servername_callback|, and |SSL_CTX_set_cert_cb| or when
2511  * the handshake is paused from them. It is typically used to switch
2512  * certificates based on SNI.
2513  *
2514  * Note the session cache and related settings will continue to use the initial
2515  * |SSL_CTX|. Callers should use |SSL_CTX_set_session_id_context| to partition
2516  * the session cache between different domains.
2517  *
2518  * TODO(davidben): Should other settings change after this call? */
2519 OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
2520 
2521 
2522 /* Application-layer protocol negotiation.
2523  *
2524  * The ALPN extension (RFC 7301) allows negotiating different application-layer
2525  * protocols over a single port. This is used, for example, to negotiate
2526  * HTTP/2. */
2527 
2528 /* SSL_CTX_set_alpn_protos sets the client ALPN protocol list on |ctx| to
2529  * |protos|. |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
2530  * length-prefixed strings). It returns zero on success and one on failure.
2531  * Configuring this list enables ALPN on a client.
2532  *
2533  * WARNING: this function is dangerous because it breaks the usual return value
2534  * convention. */
2535 OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
2536                                            unsigned protos_len);
2537 
2538 /* SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|.
2539  * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
2540  * length-prefixed strings). It returns zero on success and one on failure.
2541  * Configuring this list enables ALPN on a client.
2542  *
2543  * WARNING: this function is dangerous because it breaks the usual return value
2544  * convention. */
2545 OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
2546                                        unsigned protos_len);
2547 
2548 /* SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
2549  * during ClientHello processing in order to select an ALPN protocol from the
2550  * client's list of offered protocols. Configuring this callback enables ALPN on
2551  * a server.
2552  *
2553  * The callback is passed a wire-format (i.e. a series of non-empty, 8-bit
2554  * length-prefixed strings) ALPN protocol list in |in|. It should set |*out| and
2555  * |*out_len| to the selected protocol and return |SSL_TLSEXT_ERR_OK| on
2556  * success. It does not pass ownership of the buffer. Otherwise, it should
2557  * return |SSL_TLSEXT_ERR_NOACK|. Other |SSL_TLSEXT_ERR_*| values are
2558  * unimplemented and will be treated as |SSL_TLSEXT_ERR_NOACK|.
2559  *
2560  * The cipher suite is selected before negotiating ALPN. The callback may use
2561  * |SSL_get_pending_cipher| to query the cipher suite. */
2562 OPENSSL_EXPORT void SSL_CTX_set_alpn_select_cb(
2563     SSL_CTX *ctx, int (*cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len,
2564                             const uint8_t *in, unsigned in_len, void *arg),
2565     void *arg);
2566 
2567 /* SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
2568  * On return it sets |*out_data| to point to |*out_len| bytes of protocol name
2569  * (not including the leading length-prefix byte). If the server didn't respond
2570  * with a negotiated protocol then |*out_len| will be zero. */
2571 OPENSSL_EXPORT void SSL_get0_alpn_selected(const SSL *ssl,
2572                                            const uint8_t **out_data,
2573                                            unsigned *out_len);
2574 
2575 /* SSL_CTX_set_allow_unknown_alpn_protos configures client connections on |ctx|
2576  * to allow unknown ALPN protocols from the server. Otherwise, by default, the
2577  * client will require that the protocol be advertised in
2578  * |SSL_CTX_set_alpn_protos|. */
2579 OPENSSL_EXPORT void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx,
2580                                                           int enabled);
2581 
2582 
2583 /* Next protocol negotiation.
2584  *
2585  * The NPN extension (draft-agl-tls-nextprotoneg-03) is the predecessor to ALPN
2586  * and deprecated in favor of it. */
2587 
2588 /* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
2589  * TLS server needs a list of supported protocols for Next Protocol
2590  * Negotiation. The returned list must be in wire format. The list is returned
2591  * by setting |*out| to point to it and |*out_len| to its length. This memory
2592  * will not be modified, but one should assume that |ssl| keeps a reference to
2593  * it.
2594  *
2595  * The callback should return |SSL_TLSEXT_ERR_OK| if it wishes to advertise.
2596  * Otherwise, no such extension will be included in the ServerHello. */
2597 OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb(
2598     SSL_CTX *ctx,
2599     int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),
2600     void *arg);
2601 
2602 /* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client
2603  * needs to select a protocol from the server's provided list. |*out| must be
2604  * set to point to the selected protocol (which may be within |in|). The length
2605  * of the protocol name must be written into |*out_len|. The server's advertised
2606  * protocols are provided in |in| and |in_len|. The callback can assume that
2607  * |in| is syntactically valid.
2608  *
2609  * The client must select a protocol. It is fatal to the connection if this
2610  * callback returns a value other than |SSL_TLSEXT_ERR_OK|.
2611  *
2612  * Configuring this callback enables NPN on a client. */
2613 OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(
2614     SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
2615                             const uint8_t *in, unsigned in_len, void *arg),
2616     void *arg);
2617 
2618 /* SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to
2619  * the client's requested protocol for this connection. If the client didn't
2620  * request any protocol, then |*out_data| is set to NULL.
2621  *
2622  * Note that the client can request any protocol it chooses. The value returned
2623  * from this function need not be a member of the list of supported protocols
2624  * provided by the server. */
2625 OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *ssl,
2626                                                    const uint8_t **out_data,
2627                                                    unsigned *out_len);
2628 
2629 /* SSL_select_next_proto implements the standard protocol selection. It is
2630  * expected that this function is called from the callback set by
2631  * |SSL_CTX_set_next_proto_select_cb|.
2632  *
2633  * |peer| and |supported| must be vectors of 8-bit, length-prefixed byte strings
2634  * containing the peer and locally-configured protocols, respectively. The
2635  * length byte itself is not included in the length. A byte string of length 0
2636  * is invalid. No byte string may be truncated. |supported| is assumed to be
2637  * non-empty.
2638  *
2639  * This function finds the first protocol in |peer| which is also in
2640  * |supported|. If one was found, it sets |*out| and |*out_len| to point to it
2641  * and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns
2642  * |OPENSSL_NPN_NO_OVERLAP| and sets |*out| and |*out_len| to the first
2643  * supported protocol. */
2644 OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
2645                                          const uint8_t *peer, unsigned peer_len,
2646                                          const uint8_t *supported,
2647                                          unsigned supported_len);
2648 
2649 #define OPENSSL_NPN_UNSUPPORTED 0
2650 #define OPENSSL_NPN_NEGOTIATED 1
2651 #define OPENSSL_NPN_NO_OVERLAP 2
2652 
2653 
2654 /* Channel ID.
2655  *
2656  * See draft-balfanz-tls-channelid-01. */
2657 
2658 /* SSL_CTX_set_tls_channel_id_enabled configures whether connections associated
2659  * with |ctx| should enable Channel ID. */
2660 OPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx,
2661                                                        int enabled);
2662 
2663 /* SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel
2664  * ID. */
2665 OPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled);
2666 
2667 /* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
2668  * to compatible servers. |private_key| must be a P-256 EC key. It returns one
2669  * on success and zero on error. */
2670 OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx,
2671                                                EVP_PKEY *private_key);
2672 
2673 /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
2674  * compatible servers. |private_key| must be a P-256 EC key. It returns one on
2675  * success and zero on error. */
2676 OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key);
2677 
2678 /* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL*|
2679  * and copies up to the first |max_out| bytes into |out|. The Channel ID
2680  * consists of the client's P-256 public key as an (x,y) pair where each is a
2681  * 32-byte, big-endian field element. It returns 0 if the client didn't offer a
2682  * Channel ID and the length of the complete Channel ID otherwise. */
2683 OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
2684                                              size_t max_out);
2685 
2686 /* SSL_CTX_set_channel_id_cb sets a callback to be called when a TLS Channel ID
2687  * is requested. The callback may set |*out_pkey| to a key, passing a reference
2688  * to the caller. If none is returned, the handshake will pause and
2689  * |SSL_get_error| will return |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|.
2690  *
2691  * See also |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|. */
2692 OPENSSL_EXPORT void SSL_CTX_set_channel_id_cb(
2693     SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey));
2694 
2695 /* SSL_CTX_get_channel_id_cb returns the callback set by
2696  * |SSL_CTX_set_channel_id_cb|. */
2697 OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(
2698     SSL *ssl, EVP_PKEY **out_pkey);
2699 
2700 
2701 /* DTLS-SRTP.
2702  *
2703  * See RFC 5764. */
2704 
2705 /* srtp_protection_profile_st (aka |SRTP_PROTECTION_PROFILE|) is an SRTP
2706  * profile for use with the use_srtp extension. */
2707 struct srtp_protection_profile_st {
2708   const char *name;
2709   unsigned long id;
2710 } /* SRTP_PROTECTION_PROFILE */;
2711 
2712 DEFINE_CONST_STACK_OF(SRTP_PROTECTION_PROFILE)
2713 
2714 /* SRTP_* define constants for SRTP profiles. */
2715 #define SRTP_AES128_CM_SHA1_80 0x0001
2716 #define SRTP_AES128_CM_SHA1_32 0x0002
2717 #define SRTP_AES128_F8_SHA1_80 0x0003
2718 #define SRTP_AES128_F8_SHA1_32 0x0004
2719 #define SRTP_NULL_SHA1_80      0x0005
2720 #define SRTP_NULL_SHA1_32      0x0006
2721 #define SRTP_AEAD_AES_128_GCM  0x0007
2722 #define SRTP_AEAD_AES_256_GCM  0x0008
2723 
2724 /* SSL_CTX_set_srtp_profiles enables SRTP for all SSL objects created from
2725  * |ctx|. |profile| contains a colon-separated list of profile names. It returns
2726  * one on success and zero on failure. */
2727 OPENSSL_EXPORT int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx,
2728                                              const char *profiles);
2729 
2730 /* SSL_set_srtp_profiles enables SRTP for |ssl|.  |profile| contains a
2731  * colon-separated list of profile names. It returns one on success and zero on
2732  * failure. */
2733 OPENSSL_EXPORT int SSL_set_srtp_profiles(SSL *ssl, const char *profiles);
2734 
2735 /* SSL_get_srtp_profiles returns the SRTP profiles supported by |ssl|. */
2736 OPENSSL_EXPORT STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(
2737     SSL *ssl);
2738 
2739 /* SSL_get_selected_srtp_profile returns the selected SRTP profile, or NULL if
2740  * SRTP was not negotiated. */
2741 OPENSSL_EXPORT const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(
2742     SSL *ssl);
2743 
2744 
2745 /* Pre-shared keys.
2746  *
2747  * Connections may be configured with PSK (Pre-Shared Key) cipher suites. These
2748  * authenticate using out-of-band pre-shared keys rather than certificates. See
2749  * RFC 4279.
2750  *
2751  * This implementation uses NUL-terminated C strings for identities and identity
2752  * hints, so values with a NUL character are not supported. (RFC 4279 does not
2753  * specify the format of an identity.) */
2754 
2755 /* PSK_MAX_IDENTITY_LEN is the maximum supported length of a PSK identity,
2756  * excluding the NUL terminator. */
2757 #define PSK_MAX_IDENTITY_LEN 128
2758 
2759 /* PSK_MAX_PSK_LEN is the maximum supported length of a pre-shared key. */
2760 #define PSK_MAX_PSK_LEN 256
2761 
2762 /* SSL_CTX_set_psk_client_callback sets the callback to be called when PSK is
2763  * negotiated on the client. This callback must be set to enable PSK cipher
2764  * suites on the client.
2765  *
2766  * The callback is passed the identity hint in |hint| or NULL if none was
2767  * provided. It should select a PSK identity and write the identity and the
2768  * corresponding PSK to |identity| and |psk|, respectively. The identity is
2769  * written as a NUL-terminated C string of length (excluding the NUL terminator)
2770  * at most |max_identity_len|. The PSK's length must be at most |max_psk_len|.
2771  * The callback returns the length of the PSK or 0 if no suitable identity was
2772  * found. */
2773 OPENSSL_EXPORT void SSL_CTX_set_psk_client_callback(
2774     SSL_CTX *ctx,
2775     unsigned (*psk_client_callback)(
2776         SSL *ssl, const char *hint, char *identity,
2777         unsigned max_identity_len, uint8_t *psk, unsigned max_psk_len));
2778 
2779 /* SSL_set_psk_client_callback sets the callback to be called when PSK is
2780  * negotiated on the client. This callback must be set to enable PSK cipher
2781  * suites on the client. See also |SSL_CTX_set_psk_client_callback|. */
2782 OPENSSL_EXPORT void SSL_set_psk_client_callback(
2783     SSL *ssl, unsigned (*psk_client_callback)(SSL *ssl, const char *hint,
2784                                               char *identity,
2785                                               unsigned max_identity_len,
2786                                               uint8_t *psk,
2787                                               unsigned max_psk_len));
2788 
2789 /* SSL_CTX_set_psk_server_callback sets the callback to be called when PSK is
2790  * negotiated on the server. This callback must be set to enable PSK cipher
2791  * suites on the server.
2792  *
2793  * The callback is passed the identity in |identity|. It should write a PSK of
2794  * length at most |max_psk_len| to |psk| and return the number of bytes written
2795  * or zero if the PSK identity is unknown. */
2796 OPENSSL_EXPORT void SSL_CTX_set_psk_server_callback(
2797     SSL_CTX *ctx,
2798     unsigned (*psk_server_callback)(SSL *ssl, const char *identity,
2799                                     uint8_t *psk,
2800                                     unsigned max_psk_len));
2801 
2802 /* SSL_set_psk_server_callback sets the callback to be called when PSK is
2803  * negotiated on the server. This callback must be set to enable PSK cipher
2804  * suites on the server. See also |SSL_CTX_set_psk_server_callback|. */
2805 OPENSSL_EXPORT void SSL_set_psk_server_callback(
2806     SSL *ssl,
2807     unsigned (*psk_server_callback)(SSL *ssl, const char *identity,
2808                                     uint8_t *psk,
2809                                     unsigned max_psk_len));
2810 
2811 /* SSL_CTX_use_psk_identity_hint configures server connections to advertise an
2812  * identity hint of |identity_hint|. It returns one on success and zero on
2813  * error. */
2814 OPENSSL_EXPORT int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx,
2815                                                  const char *identity_hint);
2816 
2817 /* SSL_use_psk_identity_hint configures server connections to advertise an
2818  * identity hint of |identity_hint|. It returns one on success and zero on
2819  * error. */
2820 OPENSSL_EXPORT int SSL_use_psk_identity_hint(SSL *ssl,
2821                                              const char *identity_hint);
2822 
2823 /* SSL_get_psk_identity_hint returns the PSK identity hint advertised for |ssl|
2824  * or NULL if there is none. */
2825 OPENSSL_EXPORT const char *SSL_get_psk_identity_hint(const SSL *ssl);
2826 
2827 /* SSL_get_psk_identity, after the handshake completes, returns the PSK identity
2828  * that was negotiated by |ssl| or NULL if PSK was not used. */
2829 OPENSSL_EXPORT const char *SSL_get_psk_identity(const SSL *ssl);
2830 
2831 
2832 /* Early data.
2833  *
2834  * WARNING: 0-RTT support in BoringSSL is currently experimental and not fully
2835  * implemented. It may cause interoperability or security failures when used.
2836  *
2837  * Early data, or 0-RTT, is a feature in TLS 1.3 which allows clients to send
2838  * data on the first flight during a resumption handshake. This can save a
2839  * round-trip in some application protocols.
2840  *
2841  * WARNING: A 0-RTT handshake has different security properties from normal
2842  * handshake, so it is off by default unless opted in. In particular, early data
2843  * is replayable by a network attacker. Callers must account for this when
2844  * sending or processing data before the handshake is confirmed. See
2845  * draft-ietf-tls-tls13-18 for more information.
2846  *
2847  * As a server, if early data is accepted, |SSL_do_handshake| will complete as
2848  * soon as the ClientHello is processed and server flight sent. |SSL_write| may
2849  * be used to send half-RTT data. |SSL_read| will consume early data and
2850  * transition to 1-RTT data as appropriate. Prior to the transition,
2851  * |SSL_in_init| will report the handshake is still in progress. Callers may use
2852  * it or |SSL_in_early_data| to defer or reject requests as needed.
2853  *
2854  * Early data as a client is more complex. If the offered session (see
2855  * |SSL_set_session|) is 0-RTT-capable, the handshake will return after sending
2856  * the ClientHello. The predicted peer certificate and ALPN protocol will be
2857  * available via the usual APIs. |SSL_write| will write early data, up to the
2858  * session's limit. Writes past this limit and |SSL_read| will complete the
2859  * handshake before continuing. Callers may also call |SSL_do_handshake| again
2860  * to complete the handshake sooner.
2861  *
2862  * If the server accepts early data, the handshake will succeed. |SSL_read| and
2863  * |SSL_write| will then act as in a 1-RTT handshake. The peer certificate and
2864  * ALPN protocol will be as predicted and need not be re-queried.
2865  *
2866  * If the server rejects early data, |SSL_do_handshake| (and thus |SSL_read| and
2867  * |SSL_write|) will then fail with |SSL_get_error| returning
2868  * |SSL_ERROR_EARLY_DATA_REJECTED|. The caller should treat this as a connection
2869  * error and most likely perform a high-level retry. Note the server may still
2870  * have processed the early data due to attacker replays.
2871  *
2872  * To then continue the handshake on the original connection, use
2873  * |SSL_reset_early_data_reject|. This allows a faster retry than making a fresh
2874  * connection. |SSL_do_handshake| will the complete the full handshake as in a
2875  * fresh connection. Once reset, the peer certificate, ALPN protocol, and other
2876  * properties may change so the caller must query them again.
2877  *
2878  * Finally, to implement the fallback described in draft-ietf-tls-tls13-18
2879  * appendix C.3, retry on a fresh connection without 0-RTT if the handshake
2880  * fails with |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. */
2881 
2882 /* SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used
2883  * with resumptions using |ctx|. */
2884 OPENSSL_EXPORT void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled);
2885 
2886 /* SSL_set_early_data_enabled sets whether early data is allowed to be used
2887  * with resumptions using |ssl|. See |SSL_CTX_set_early_data_enabled| for more
2888  * information. */
2889 OPENSSL_EXPORT void SSL_set_early_data_enabled(SSL *ssl, int enabled);
2890 
2891 /* SSL_in_early_data returns one if |ssl| has a pending handshake that has
2892  * progressed enough to send or receive early data. Clients may call |SSL_write|
2893  * to send early data, but |SSL_read| will complete the handshake before
2894  * accepting application data. Servers may call |SSL_read| to read early data
2895  * and |SSL_write| to send half-RTT data. */
2896 OPENSSL_EXPORT int SSL_in_early_data(const SSL *ssl);
2897 
2898 /* SSL_early_data_accepted returns whether early data was accepted on the
2899  * handshake performed by |ssl|. */
2900 OPENSSL_EXPORT int SSL_early_data_accepted(const SSL *ssl);
2901 
2902 /* SSL_reset_early_data_reject resets |ssl| after an early data reject. All
2903  * 0-RTT state is discarded, including any pending |SSL_write| calls. The caller
2904  * should treat |ssl| as a logically fresh connection, usually by driving the
2905  * handshake to completion using |SSL_do_handshake|.
2906  *
2907  * It is an error to call this function on an |SSL| object that is not signaling
2908  * |SSL_ERROR_EARLY_DATA_REJECTED|. */
2909 OPENSSL_EXPORT void SSL_reset_early_data_reject(SSL *ssl);
2910 
2911 
2912 /* Alerts.
2913  *
2914  * TLS and SSL 3.0 use alerts to signal error conditions. Alerts have a type
2915  * (warning or fatal) and description. OpenSSL internally handles fatal alerts
2916  * with dedicated error codes (see |SSL_AD_REASON_OFFSET|). Except for
2917  * close_notify, warning alerts are silently ignored and may only be surfaced
2918  * with |SSL_CTX_set_info_callback|. */
2919 
2920 /* SSL_AD_REASON_OFFSET is the offset between error reasons and |SSL_AD_*|
2921  * values. Any error code under |ERR_LIB_SSL| with an error reason above this
2922  * value corresponds to an alert description. Consumers may add or subtract
2923  * |SSL_AD_REASON_OFFSET| to convert between them.
2924  *
2925  * make_errors.go reserves error codes above 1000 for manually-assigned errors.
2926  * This value must be kept in sync with reservedReasonCode in make_errors.h */
2927 #define SSL_AD_REASON_OFFSET 1000
2928 
2929 /* SSL_AD_* are alert descriptions for SSL 3.0 and TLS. */
2930 #define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
2931 #define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE
2932 #define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC
2933 #define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED
2934 #define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
2935 #define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE
2936 #define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE
2937 #define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not used in TLS */
2938 #define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
2939 #define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
2940 #define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
2941 #define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED
2942 #define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN
2943 #define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER
2944 #define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA
2945 #define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED
2946 #define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR
2947 #define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
2948 #define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION
2949 #define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION
2950 #define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY
2951 #define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR
2952 #define SSL_AD_INAPPROPRIATE_FALLBACK SSL3_AD_INAPPROPRIATE_FALLBACK
2953 #define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
2954 #define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
2955 #define SSL_AD_MISSING_EXTENSION TLS1_AD_MISSING_EXTENSION
2956 #define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
2957 #define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
2958 #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
2959 #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE \
2960   TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
2961 #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
2962 #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY
2963 #define SSL_AD_CERTIFICATE_REQUIRED TLS1_AD_CERTIFICATE_REQUIRED
2964 
2965 /* SSL_alert_type_string_long returns a string description of |value| as an
2966  * alert type (warning or fatal). */
2967 OPENSSL_EXPORT const char *SSL_alert_type_string_long(int value);
2968 
2969 /* SSL_alert_desc_string_long returns a string description of |value| as an
2970  * alert description or "unknown" if unknown. */
2971 OPENSSL_EXPORT const char *SSL_alert_desc_string_long(int value);
2972 
2973 /* SSL_send_fatal_alert sends a fatal alert over |ssl| of the specified type,
2974  * which should be one of the |SSL_AD_*| constants. It returns one on success
2975  * and <= 0 on error. The caller should pass the return value into
2976  * |SSL_get_error| to determine how to proceed. Once this function has been
2977  * called, future calls to |SSL_write| will fail.
2978  *
2979  * If retrying a failed operation due to |SSL_ERROR_WANT_WRITE|, subsequent
2980  * calls must use the same |alert| parameter. */
2981 OPENSSL_EXPORT int SSL_send_fatal_alert(SSL *ssl, uint8_t alert);
2982 
2983 
2984 /* ex_data functions.
2985  *
2986  * See |ex_data.h| for details. */
2987 
2988 OPENSSL_EXPORT int SSL_set_ex_data(SSL *ssl, int idx, void *data);
2989 OPENSSL_EXPORT void *SSL_get_ex_data(const SSL *ssl, int idx);
2990 OPENSSL_EXPORT int SSL_get_ex_new_index(long argl, void *argp,
2991                                         CRYPTO_EX_unused *unused,
2992                                         CRYPTO_EX_dup *dup_unused,
2993                                         CRYPTO_EX_free *free_func);
2994 
2995 OPENSSL_EXPORT int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx,
2996                                            void *data);
2997 OPENSSL_EXPORT void *SSL_SESSION_get_ex_data(const SSL_SESSION *session,
2998                                              int idx);
2999 OPENSSL_EXPORT int SSL_SESSION_get_ex_new_index(long argl, void *argp,
3000                                                 CRYPTO_EX_unused *unused,
3001                                                 CRYPTO_EX_dup *dup_unused,
3002                                                 CRYPTO_EX_free *free_func);
3003 
3004 OPENSSL_EXPORT int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data);
3005 OPENSSL_EXPORT void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
3006 OPENSSL_EXPORT int SSL_CTX_get_ex_new_index(long argl, void *argp,
3007                                             CRYPTO_EX_unused *unused,
3008                                             CRYPTO_EX_dup *dup_unused,
3009                                             CRYPTO_EX_free *free_func);
3010 
3011 
3012 /* Low-level record-layer state. */
3013 
3014 /* SSL_get_ivs sets |*out_iv_len| to the length of the IVs for the ciphers
3015  * underlying |ssl| and sets |*out_read_iv| and |*out_write_iv| to point to the
3016  * current IVs for the read and write directions. This is only meaningful for
3017  * connections with implicit IVs (i.e. CBC mode with SSLv3 or TLS 1.0).
3018  *
3019  * It returns one on success or zero on error. */
3020 OPENSSL_EXPORT int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
3021                                const uint8_t **out_write_iv,
3022                                size_t *out_iv_len);
3023 
3024 /* SSL_get_key_block_len returns the length of |ssl|'s key block. */
3025 OPENSSL_EXPORT size_t SSL_get_key_block_len(const SSL *ssl);
3026 
3027 /* SSL_generate_key_block generates |out_len| bytes of key material for |ssl|'s
3028  * current connection state. */
3029 OPENSSL_EXPORT int SSL_generate_key_block(const SSL *ssl, uint8_t *out,
3030                                           size_t out_len);
3031 
3032 /* SSL_get_read_sequence returns, in TLS, the expected sequence number of the
3033  * next incoming record in the current epoch. In DTLS, it returns the maximum
3034  * sequence number received in the current epoch and includes the epoch number
3035  * in the two most significant bytes. */
3036 OPENSSL_EXPORT uint64_t SSL_get_read_sequence(const SSL *ssl);
3037 
3038 /* SSL_get_write_sequence returns the sequence number of the next outgoing
3039  * record in the current epoch. In DTLS, it includes the epoch number in the
3040  * two most significant bytes. */
3041 OPENSSL_EXPORT uint64_t SSL_get_write_sequence(const SSL *ssl);
3042 
3043 
3044 /* Obscure functions. */
3045 
3046 /* SSL_get_structure_sizes returns the sizes of the SSL, SSL_CTX and
3047  * SSL_SESSION structures so that a test can ensure that outside code agrees on
3048  * these values. */
3049 OPENSSL_EXPORT void SSL_get_structure_sizes(size_t *ssl_size,
3050                                             size_t *ssl_ctx_size,
3051                                             size_t *ssl_session_size);
3052 
3053 /* SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|.
3054  * This callback will be called when sending or receiving low-level record
3055  * headers, complete handshake messages, ChangeCipherSpec, and alerts.
3056  * |write_p| is one for outgoing messages and zero for incoming messages.
3057  *
3058  * For each record header, |cb| is called with |version| = 0 and |content_type|
3059  * = |SSL3_RT_HEADER|. The |len| bytes from |buf| contain the header. Note that
3060  * this does not include the record body. If the record is sealed, the length
3061  * in the header is the length of the ciphertext.
3062  *
3063  * For each handshake message, ChangeCipherSpec, and alert, |version| is the
3064  * protocol version and |content_type| is the corresponding record type. The
3065  * |len| bytes from |buf| contain the handshake message, one-byte
3066  * ChangeCipherSpec body, and two-byte alert, respectively.
3067  *
3068  * For a V2ClientHello, |version| is |SSL2_VERSION|, |content_type| is zero, and
3069  * the |len| bytes from |buf| contain the V2ClientHello structure. */
3070 OPENSSL_EXPORT void SSL_CTX_set_msg_callback(
3071     SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type,
3072                              const void *buf, size_t len, SSL *ssl, void *arg));
3073 
3074 /* SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message
3075  * callback. */
3076 OPENSSL_EXPORT void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
3077 
3078 /* SSL_set_msg_callback installs |cb| as the message callback of |ssl|. See
3079  * |SSL_CTX_set_msg_callback| for when this callback is called. */
3080 OPENSSL_EXPORT void SSL_set_msg_callback(
3081     SSL *ssl, void (*cb)(int write_p, int version, int content_type,
3082                          const void *buf, size_t len, SSL *ssl, void *arg));
3083 
3084 /* SSL_set_msg_callback_arg sets the |arg| parameter of the message callback. */
3085 OPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
3086 
3087 /* SSL_CTX_set_keylog_callback configures a callback to log key material. This
3088  * is intended for debugging use with tools like Wireshark. The |cb| function
3089  * should log |line| followed by a newline, synchronizing with any concurrent
3090  * access to the log.
3091  *
3092  * The format is described in
3093  * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. */
3094 OPENSSL_EXPORT void SSL_CTX_set_keylog_callback(
3095     SSL_CTX *ctx, void (*cb)(const SSL *ssl, const char *line));
3096 
3097 /* SSL_CTX_get_keylog_callback returns the callback configured by
3098  * |SSL_CTX_set_keylog_callback|. */
3099 OPENSSL_EXPORT void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(
3100     const SSL *ssl, const char *line);
3101 
3102 /* SSL_CTX_set_current_time_cb configures a callback to retrieve the current
3103  * time, which should be set in |*out_clock|. This can be used for testing
3104  * purposes; for example, a callback can be configured that returns a time
3105  * set explicitly by the test. */
3106 OPENSSL_EXPORT void SSL_CTX_set_current_time_cb(
3107     SSL_CTX *ctx, void (*cb)(const SSL *ssl, struct timeval *out_clock));
3108 
3109 enum ssl_renegotiate_mode_t {
3110   ssl_renegotiate_never = 0,
3111   ssl_renegotiate_once,
3112   ssl_renegotiate_freely,
3113   ssl_renegotiate_ignore,
3114 };
3115 
3116 /* SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to
3117  * renegotiation attempts by a server. If |ssl| is a server, peer-initiated
3118  * renegotiations are *always* rejected and this function does nothing.
3119  *
3120  * The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set
3121  * at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to
3122  * allow one renegotiation, |ssl_renegotiate_freely| to allow all
3123  * renegotiations or |ssl_renegotiate_ignore| to ignore HelloRequest messages.
3124  * Note that ignoring HelloRequest messages may cause the connection to stall
3125  * if the server waits for the renegotiation to complete.
3126  *
3127  * There is no support in BoringSSL for initiating renegotiations as a client
3128  * or server. */
3129 OPENSSL_EXPORT void SSL_set_renegotiate_mode(SSL *ssl,
3130                                              enum ssl_renegotiate_mode_t mode);
3131 
3132 /* SSL_renegotiate_pending returns one if |ssl| is in the middle of a
3133  * renegotiation. */
3134 OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl);
3135 
3136 /* SSL_total_renegotiations returns the total number of renegotiation handshakes
3137  * performed by |ssl|. This includes the pending renegotiation, if any. */
3138 OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
3139 
3140 enum tls13_variant_t {
3141   tls13_default = 0,
3142   tls13_experiment = 1,
3143   tls13_record_type_experiment = 2,
3144 };
3145 
3146 /* SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
3147  * server, if |variant| is not |tls13_default|, all variants are enabled. On the
3148  * client, only the configured variant is enabled. */
3149 OPENSSL_EXPORT void SSL_CTX_set_tls13_variant(SSL_CTX *ctx,
3150                                               enum tls13_variant_t variant);
3151 
3152 /* SSL_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
3153  * server, if |variant| is not |tls13_default|, all variants are enabled. On the
3154  * client, only the configured variant is enabled. */
3155 OPENSSL_EXPORT void SSL_set_tls13_variant(SSL *ssl,
3156                                           enum tls13_variant_t variant);
3157 
3158 /* SSL_MAX_CERT_LIST_DEFAULT is the default maximum length, in bytes, of a peer
3159  * certificate chain. */
3160 #define SSL_MAX_CERT_LIST_DEFAULT (1024 * 100)
3161 
3162 /* SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer
3163  * certificate chain accepted by |ctx|. */
3164 OPENSSL_EXPORT size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx);
3165 
3166 /* SSL_CTX_set_max_cert_list sets the maximum length, in bytes, of a peer
3167  * certificate chain to |max_cert_list|. This affects how much memory may be
3168  * consumed during the handshake. */
3169 OPENSSL_EXPORT void SSL_CTX_set_max_cert_list(SSL_CTX *ctx,
3170                                               size_t max_cert_list);
3171 
3172 /* SSL_get_max_cert_list returns the maximum length, in bytes, of a peer
3173  * certificate chain accepted by |ssl|. */
3174 OPENSSL_EXPORT size_t SSL_get_max_cert_list(const SSL *ssl);
3175 
3176 /* SSL_set_max_cert_list sets the maximum length, in bytes, of a peer
3177  * certificate chain to |max_cert_list|. This affects how much memory may be
3178  * consumed during the handshake. */
3179 OPENSSL_EXPORT void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list);
3180 
3181 /* SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records
3182  * sent by |ctx|. Beyond this length, handshake messages and application data
3183  * will be split into multiple records. It returns one on success or zero on
3184  * error. */
3185 OPENSSL_EXPORT int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,
3186                                                  size_t max_send_fragment);
3187 
3188 /* SSL_set_max_send_fragment sets the maximum length, in bytes, of records sent
3189  * by |ssl|. Beyond this length, handshake messages and application data will
3190  * be split into multiple records. It returns one on success or zero on
3191  * error. */
3192 OPENSSL_EXPORT int SSL_set_max_send_fragment(SSL *ssl,
3193                                              size_t max_send_fragment);
3194 
3195 /* ssl_early_callback_ctx (aka |SSL_CLIENT_HELLO|) is passed to certain
3196  * callbacks that are called very early on during the server handshake. At this
3197  * point, much of the SSL* hasn't been filled out and only the ClientHello can
3198  * be depended on. */
3199 typedef struct ssl_early_callback_ctx {
3200   SSL *ssl;
3201   const uint8_t *client_hello;
3202   size_t client_hello_len;
3203   uint16_t version;
3204   const uint8_t *random;
3205   size_t random_len;
3206   const uint8_t *session_id;
3207   size_t session_id_len;
3208   const uint8_t *cipher_suites;
3209   size_t cipher_suites_len;
3210   const uint8_t *compression_methods;
3211   size_t compression_methods_len;
3212   const uint8_t *extensions;
3213   size_t extensions_len;
3214 } SSL_CLIENT_HELLO;
3215 
3216 /* ssl_select_cert_result_t enumerates the possible results from selecting a
3217  * certificate with |select_certificate_cb|. */
3218 enum ssl_select_cert_result_t {
3219   /* ssl_select_cert_success indicates that the certificate selection was
3220    * successful. */
3221   ssl_select_cert_success = 1,
3222   /* ssl_select_cert_retry indicates that the operation could not be
3223    * immediately completed and must be reattempted at a later point. */
3224   ssl_select_cert_retry = 0,
3225   /* ssl_select_cert_error indicates that a fatal error occured and the
3226    * handshake should be terminated. */
3227   ssl_select_cert_error = -1,
3228 };
3229 
3230 /* SSL_early_callback_ctx_extension_get searches the extensions in
3231  * |client_hello| for an extension of the given type. If not found, it returns
3232  * zero. Otherwise it sets |out_data| to point to the extension contents (not
3233  * including the type and length bytes), sets |out_len| to the length of the
3234  * extension contents and returns one. */
3235 OPENSSL_EXPORT int SSL_early_callback_ctx_extension_get(
3236     const SSL_CLIENT_HELLO *client_hello, uint16_t extension_type,
3237     const uint8_t **out_data, size_t *out_len);
3238 
3239 /* SSL_CTX_set_select_certificate_cb sets a callback that is called before most
3240  * ClientHello processing and before the decision whether to resume a session
3241  * is made. The callback may inspect the ClientHello and configure the
3242  * connection. See |ssl_select_cert_result_t| for details of the return values.
3243  *
3244  * In the case that a retry is indicated, |SSL_get_error| will return
3245  * |SSL_ERROR_PENDING_CERTIFICATE| and the caller should arrange for the
3246  * high-level operation on |ssl| to be retried at a later time, which will
3247  * result in another call to |cb|.
3248  *
3249  * Note: The |SSL_CLIENT_HELLO| is only valid for the duration of the callback
3250  * and is not valid while the handshake is paused. */
3251 OPENSSL_EXPORT void SSL_CTX_set_select_certificate_cb(
3252     SSL_CTX *ctx,
3253     enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *));
3254 
3255 /* SSL_CTX_set_dos_protection_cb sets a callback that is called once the
3256  * resumption decision for a ClientHello has been made. It can return one to
3257  * allow the handshake to continue or zero to cause the handshake to abort. */
3258 OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb(
3259     SSL_CTX *ctx, int (*cb)(const SSL_CLIENT_HELLO *));
3260 
3261 /* SSL_ST_* are possible values for |SSL_state| and the bitmasks that make them
3262  * up. */
3263 #define SSL_ST_CONNECT 0x1000
3264 #define SSL_ST_ACCEPT 0x2000
3265 #define SSL_ST_MASK 0x0FFF
3266 #define SSL_ST_INIT (SSL_ST_CONNECT | SSL_ST_ACCEPT)
3267 #define SSL_ST_OK 0x03
3268 #define SSL_ST_RENEGOTIATE (0x04 | SSL_ST_INIT)
3269 #define SSL_ST_TLS13 (0x05 | SSL_ST_INIT)
3270 
3271 /* SSL_CB_* are possible values for the |type| parameter in the info
3272  * callback and the bitmasks that make them up. */
3273 #define SSL_CB_LOOP 0x01
3274 #define SSL_CB_EXIT 0x02
3275 #define SSL_CB_READ 0x04
3276 #define SSL_CB_WRITE 0x08
3277 #define SSL_CB_ALERT 0x4000
3278 #define SSL_CB_READ_ALERT (SSL_CB_ALERT | SSL_CB_READ)
3279 #define SSL_CB_WRITE_ALERT (SSL_CB_ALERT | SSL_CB_WRITE)
3280 #define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT | SSL_CB_LOOP)
3281 #define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT | SSL_CB_EXIT)
3282 #define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT | SSL_CB_LOOP)
3283 #define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT | SSL_CB_EXIT)
3284 #define SSL_CB_HANDSHAKE_START 0x10
3285 #define SSL_CB_HANDSHAKE_DONE 0x20
3286 
3287 /* SSL_CTX_set_info_callback configures a callback to be run when various
3288  * events occur during a connection's lifetime. The |type| argument determines
3289  * the type of event and the meaning of the |value| argument. Callbacks must
3290  * ignore unexpected |type| values.
3291  *
3292  * |SSL_CB_READ_ALERT| is signaled for each alert received, warning or fatal.
3293  * The |value| argument is a 16-bit value where the alert level (either
3294  * |SSL3_AL_WARNING| or |SSL3_AL_FATAL|) is in the most-significant eight bits
3295  * and the alert type (one of |SSL_AD_*|) is in the least-significant eight.
3296  *
3297  * |SSL_CB_WRITE_ALERT| is signaled for each alert sent. The |value| argument
3298  * is constructed as with |SSL_CB_READ_ALERT|.
3299  *
3300  * |SSL_CB_HANDSHAKE_START| is signaled when a handshake begins. The |value|
3301  * argument is always one.
3302  *
3303  * |SSL_CB_HANDSHAKE_DONE| is signaled when a handshake completes successfully.
3304  * The |value| argument is always one. If a handshake False Starts, this event
3305  * may be used to determine when the Finished message is received.
3306  *
3307  * The following event types expose implementation details of the handshake
3308  * state machine. Consuming them is deprecated.
3309  *
3310  * |SSL_CB_ACCEPT_LOOP| (respectively, |SSL_CB_CONNECT_LOOP|) is signaled when
3311  * a server (respectively, client) handshake progresses. The |value| argument
3312  * is always one.
3313  *
3314  * |SSL_CB_ACCEPT_EXIT| (respectively, |SSL_CB_CONNECT_EXIT|) is signaled when
3315  * a server (respectively, client) handshake completes, fails, or is paused.
3316  * The |value| argument is one if the handshake succeeded and <= 0
3317  * otherwise. */
3318 OPENSSL_EXPORT void SSL_CTX_set_info_callback(
3319     SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int value));
3320 
3321 /* SSL_CTX_get_info_callback returns the callback set by
3322  * |SSL_CTX_set_info_callback|. */
3323 OPENSSL_EXPORT void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,
3324                                                                int type,
3325                                                                int value);
3326 
3327 /* SSL_set_info_callback configures a callback to be run at various events
3328  * during a connection's lifetime. See |SSL_CTX_set_info_callback|. */
3329 OPENSSL_EXPORT void SSL_set_info_callback(
3330     SSL *ssl, void (*cb)(const SSL *ssl, int type, int value));
3331 
3332 /* SSL_get_info_callback returns the callback set by |SSL_set_info_callback|. */
3333 OPENSSL_EXPORT void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,
3334                                                              int type,
3335                                                              int value);
3336 
3337 /* SSL_state_string_long returns the current state of the handshake state
3338  * machine as a string. This may be useful for debugging and logging. */
3339 OPENSSL_EXPORT const char *SSL_state_string_long(const SSL *ssl);
3340 
3341 #define SSL_SENT_SHUTDOWN 1
3342 #define SSL_RECEIVED_SHUTDOWN 2
3343 
3344 /* SSL_get_shutdown returns a bitmask with a subset of |SSL_SENT_SHUTDOWN| and
3345  * |SSL_RECEIVED_SHUTDOWN| to query whether close_notify was sent or received,
3346  * respectively. */
3347 OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl);
3348 
3349 /* SSL_get_peer_signature_algorithm returns the signature algorithm used by the
3350  * peer. If not applicable, it returns zero. */
3351 OPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl);
3352 
3353 /* SSL_get_client_random writes up to |max_out| bytes of the most recent
3354  * handshake's client_random to |out| and returns the number of bytes written.
3355  * If |max_out| is zero, it returns the size of the client_random. */
3356 OPENSSL_EXPORT size_t SSL_get_client_random(const SSL *ssl, uint8_t *out,
3357                                             size_t max_out);
3358 
3359 /* SSL_get_server_random writes up to |max_out| bytes of the most recent
3360  * handshake's server_random to |out| and returns the number of bytes written.
3361  * If |max_out| is zero, it returns the size of the server_random. */
3362 OPENSSL_EXPORT size_t SSL_get_server_random(const SSL *ssl, uint8_t *out,
3363                                             size_t max_out);
3364 
3365 /* SSL_get_pending_cipher returns the cipher suite for the current handshake or
3366  * NULL if one has not been negotiated yet or there is no pending handshake. */
3367 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);
3368 
3369 /* SSL_set_retain_only_sha256_of_client_certs, on a server, sets whether only
3370  * the SHA-256 hash of peer's certificate should be saved in memory and in the
3371  * session. This can save memory, ticket size and session cache space. If
3372  * enabled, |SSL_get_peer_certificate| will return NULL after the handshake
3373  * completes. See the |peer_sha256| field of |SSL_SESSION| for the hash. */
3374 OPENSSL_EXPORT void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl,
3375                                                                int enable);
3376 
3377 /* SSL_CTX_set_retain_only_sha256_of_client_certs, on a server, sets whether
3378  * only the SHA-256 hash of peer's certificate should be saved in memory and in
3379  * the session. This can save memory, ticket size and session cache space. If
3380  * enabled, |SSL_get_peer_certificate| will return NULL after the handshake
3381  * completes. See the |peer_sha256| field of |SSL_SESSION| for the hash. */
3382 OPENSSL_EXPORT void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx,
3383                                                                    int enable);
3384 
3385 /* SSL_CTX_set_grease_enabled configures whether sockets on |ctx| should enable
3386  * GREASE. See draft-davidben-tls-grease-01. */
3387 OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
3388 
3389 /* SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
3390  * record with |ssl|. */
3391 OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);
3392 
3393 /* SSL_get_ticket_age_skew returns the difference, in seconds, between the
3394  * client-sent ticket age and the server-computed value in TLS 1.3 server
3395  * connections which resumed a session. */
3396 OPENSSL_EXPORT int32_t SSL_get_ticket_age_skew(const SSL *ssl);
3397 
3398 
3399 /* Deprecated functions. */
3400 
3401 /* SSL_library_init calls |CRYPTO_library_init| and returns one. */
3402 OPENSSL_EXPORT int SSL_library_init(void);
3403 
3404 /* SSL_CIPHER_description writes a description of |cipher| into |buf| and
3405  * returns |buf|. If |buf| is NULL, it returns a newly allocated string, to be
3406  * freed with |OPENSSL_free|, or NULL on error.
3407  *
3408  * The description includes a trailing newline and has the form:
3409  * AES128-SHA              Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
3410  *
3411  * Consider |SSL_CIPHER_standard_name| or |SSL_CIPHER_get_name| instead. */
3412 OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher,
3413                                                   char *buf, int len);
3414 
3415 /* SSL_CIPHER_get_version returns the string "TLSv1/SSLv3". */
3416 OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
3417 
3418 /* SSL_CIPHER_get_rfc_name returns a newly-allocated string containing the
3419  * result of |SSL_CIPHER_standard_name| or NULL on error. The caller is
3420  * responsible for calling |OPENSSL_free| on the result.
3421  *
3422  * Use |SSL_CIPHER_standard_name| instead. */
3423 OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
3424 
3425 typedef void COMP_METHOD;
3426 
3427 /* SSL_COMP_get_compression_methods returns NULL. */
3428 OPENSSL_EXPORT STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
3429 
3430 /* SSL_COMP_add_compression_method returns one. */
3431 OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
3432 
3433 /* SSL_COMP_get_name returns NULL. */
3434 OPENSSL_EXPORT const char *SSL_COMP_get_name(const COMP_METHOD *comp);
3435 
3436 /* SSL_COMP_free_compression_methods does nothing. */
3437 OPENSSL_EXPORT void SSL_COMP_free_compression_methods(void);
3438 
3439 /* SSLv23_method calls |TLS_method|. */
3440 OPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void);
3441 
3442 /* These version-specific methods behave exactly like |TLS_method| and
3443  * |DTLS_method| except they also call |SSL_CTX_set_min_proto_version| and
3444  * |SSL_CTX_set_max_proto_version| to lock connections to that protocol
3445  * version. */
3446 OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void);
3447 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void);
3448 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
3449 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
3450 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
3451 
3452 /* SSLv3_method returns an |SSL_METHOD| with no versions enabled. */
3453 OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
3454 
3455 /* These client- and server-specific methods call their corresponding generic
3456  * methods. */
3457 OPENSSL_EXPORT const SSL_METHOD *TLS_server_method(void);
3458 OPENSSL_EXPORT const SSL_METHOD *TLS_client_method(void);
3459 OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
3460 OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);
3461 OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void);
3462 OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void);
3463 OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);
3464 OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);
3465 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);
3466 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_client_method(void);
3467 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_server_method(void);
3468 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_client_method(void);
3469 OPENSSL_EXPORT const SSL_METHOD *DTLS_server_method(void);
3470 OPENSSL_EXPORT const SSL_METHOD *DTLS_client_method(void);
3471 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_server_method(void);
3472 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void);
3473 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void);
3474 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void);
3475 
3476 /* SSL_clear resets |ssl| to allow another connection and returns one on success
3477  * or zero on failure. It returns most configuration state but releases memory
3478  * associated with the current connection.
3479  *
3480  * Free |ssl| and create a new one instead. */
3481 OPENSSL_EXPORT int SSL_clear(SSL *ssl);
3482 
3483 /* SSL_CTX_set_tmp_rsa_callback does nothing. */
3484 OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(
3485     SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength));
3486 
3487 /* SSL_set_tmp_rsa_callback does nothing. */
3488 OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl,
3489                                              RSA *(*cb)(SSL *ssl, int is_export,
3490                                                         int keylength));
3491 
3492 /* SSL_CTX_sess_connect returns zero. */
3493 OPENSSL_EXPORT int SSL_CTX_sess_connect(const SSL_CTX *ctx);
3494 
3495 /* SSL_CTX_sess_connect_good returns zero. */
3496 OPENSSL_EXPORT int SSL_CTX_sess_connect_good(const SSL_CTX *ctx);
3497 
3498 /* SSL_CTX_sess_connect_renegotiate returns zero. */
3499 OPENSSL_EXPORT int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx);
3500 
3501 /* SSL_CTX_sess_accept returns zero. */
3502 OPENSSL_EXPORT int SSL_CTX_sess_accept(const SSL_CTX *ctx);
3503 
3504 /* SSL_CTX_sess_accept_renegotiate returns zero. */
3505 OPENSSL_EXPORT int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx);
3506 
3507 /* SSL_CTX_sess_accept_good returns zero. */
3508 OPENSSL_EXPORT int SSL_CTX_sess_accept_good(const SSL_CTX *ctx);
3509 
3510 /* SSL_CTX_sess_hits returns zero. */
3511 OPENSSL_EXPORT int SSL_CTX_sess_hits(const SSL_CTX *ctx);
3512 
3513 /* SSL_CTX_sess_cb_hits returns zero. */
3514 OPENSSL_EXPORT int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx);
3515 
3516 /* SSL_CTX_sess_misses returns zero. */
3517 OPENSSL_EXPORT int SSL_CTX_sess_misses(const SSL_CTX *ctx);
3518 
3519 /* SSL_CTX_sess_timeouts returns zero. */
3520 OPENSSL_EXPORT int SSL_CTX_sess_timeouts(const SSL_CTX *ctx);
3521 
3522 /* SSL_CTX_sess_cache_full returns zero. */
3523 OPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx);
3524 
3525 /* SSL_cutthrough_complete calls |SSL_in_false_start|. */
3526 OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s);
3527 
3528 /* SSL_num_renegotiations calls |SSL_total_renegotiations|. */
3529 OPENSSL_EXPORT int SSL_num_renegotiations(const SSL *ssl);
3530 
3531 /* SSL_CTX_need_tmp_RSA returns zero. */
3532 OPENSSL_EXPORT int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx);
3533 
3534 /* SSL_need_tmp_RSA returns zero. */
3535 OPENSSL_EXPORT int SSL_need_tmp_RSA(const SSL *ssl);
3536 
3537 /* SSL_CTX_set_tmp_rsa returns one. */
3538 OPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa);
3539 
3540 /* SSL_set_tmp_rsa returns one. */
3541 OPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa);
3542 
3543 /* SSL_CTX_get_read_ahead returns zero. */
3544 OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx);
3545 
3546 /* SSL_CTX_set_read_ahead does nothing. */
3547 OPENSSL_EXPORT void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes);
3548 
3549 /* SSL_get_read_ahead returns zero. */
3550 OPENSSL_EXPORT int SSL_get_read_ahead(const SSL *s);
3551 
3552 /* SSL_set_read_ahead does nothing. */
3553 OPENSSL_EXPORT void SSL_set_read_ahead(SSL *s, int yes);
3554 
3555 /* SSL_renegotiate put an error on the error queue and returns zero. */
3556 OPENSSL_EXPORT int SSL_renegotiate(SSL *ssl);
3557 
3558 /* SSL_set_state does nothing. */
3559 OPENSSL_EXPORT void SSL_set_state(SSL *ssl, int state);
3560 
3561 /* SSL_get_shared_ciphers writes an empty string to |buf| and returns a
3562  * pointer to |buf|, or NULL if |len| is less than or equal to zero. */
3563 OPENSSL_EXPORT char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len);
3564 
3565 /* SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START. */
3566 #define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START
3567 
3568 /* i2d_SSL_SESSION serializes |in| to the bytes pointed to by |*pp|. On success,
3569  * it returns the number of bytes written and advances |*pp| by that many bytes.
3570  * On failure, it returns -1. If |pp| is NULL, no bytes are written and only the
3571  * length is returned.
3572  *
3573  * Use |SSL_SESSION_to_bytes| instead. */
3574 OPENSSL_EXPORT int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp);
3575 
3576 /* d2i_SSL_SESSION parses a serialized session from the |length| bytes pointed
3577  * to by |*pp|. It returns the new |SSL_SESSION| and advances |*pp| by the
3578  * number of bytes consumed on success and NULL on failure. The caller takes
3579  * ownership of the new session and must call |SSL_SESSION_free| when done.
3580  *
3581  * If |a| is non-NULL, |*a| is released and set the new |SSL_SESSION|.
3582  *
3583  * Use |SSL_SESSION_from_bytes| instead. */
3584 OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp,
3585                                             long length);
3586 
3587 /* i2d_SSL_SESSION_bio serializes |session| and writes the result to |bio|. It
3588  * returns the number of bytes written on success and <= 0 on error. */
3589 OPENSSL_EXPORT int i2d_SSL_SESSION_bio(BIO *bio, const SSL_SESSION *session);
3590 
3591 /* d2i_SSL_SESSION_bio reads a serialized |SSL_SESSION| from |bio| and returns a
3592  * newly-allocated |SSL_SESSION| or NULL on error. If |out| is not NULL, it also
3593  * frees |*out| and sets |*out| to the new |SSL_SESSION|.  */
3594 OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out);
3595 
3596 /* ERR_load_SSL_strings does nothing. */
3597 OPENSSL_EXPORT void ERR_load_SSL_strings(void);
3598 
3599 /* SSL_load_error_strings does nothing. */
3600 OPENSSL_EXPORT void SSL_load_error_strings(void);
3601 
3602 /* SSL_CTX_set_tlsext_use_srtp calls |SSL_CTX_set_srtp_profiles|. It returns
3603  * zero on success and one on failure.
3604  *
3605  * WARNING: this function is dangerous because it breaks the usual return value
3606  * convention. Use |SSL_CTX_set_srtp_profiles| instead. */
3607 OPENSSL_EXPORT int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx,
3608                                                const char *profiles);
3609 
3610 /* SSL_set_tlsext_use_srtp calls |SSL_set_srtp_profiles|. It returns zero on
3611  * success and one on failure.
3612  *
3613  * WARNING: this function is dangerous because it breaks the usual return value
3614  * convention. Use |SSL_set_srtp_profiles| instead. */
3615 OPENSSL_EXPORT int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles);
3616 
3617 /* SSL_get_current_compression returns NULL. */
3618 OPENSSL_EXPORT const COMP_METHOD *SSL_get_current_compression(SSL *s);
3619 
3620 /* SSL_get_current_expansion returns NULL. */
3621 OPENSSL_EXPORT const COMP_METHOD *SSL_get_current_expansion(SSL *s);
3622 
3623 /* SSL_get_server_tmp_key returns zero. */
3624 OPENSSL_EXPORT int *SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key);
3625 
3626 /* SSL_CTX_set_tmp_dh returns 1. */
3627 OPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh);
3628 
3629 /* SSL_set_tmp_dh returns 1. */
3630 OPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh);
3631 
3632 /* SSL_CTX_set_tmp_dh_callback does nothing. */
3633 OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback(
3634     SSL_CTX *ctx, DH *(*callback)(SSL *ssl, int is_export, int keylength));
3635 
3636 /* SSL_set_tmp_dh_callback does nothing. */
3637 OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,
3638                                             DH *(*dh)(SSL *ssl, int is_export,
3639                                                       int keylength));
3640 
3641 
3642 #define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)(arg)))
3643 #define SSL_get_app_data(s) (SSL_get_ex_data(s, 0))
3644 #define SSL_SESSION_set_app_data(s, a) \
3645   (SSL_SESSION_set_ex_data(s, 0, (char *)(a)))
3646 #define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s, 0))
3647 #define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx, 0))
3648 #define SSL_CTX_set_app_data(ctx, arg) \
3649   (SSL_CTX_set_ex_data(ctx, 0, (char *)(arg)))
3650 
3651 #define OpenSSL_add_ssl_algorithms() SSL_library_init()
3652 #define SSLeay_add_ssl_algorithms() SSL_library_init()
3653 
3654 #define SSL_get_cipher(ssl) SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))
3655 #define SSL_get_cipher_bits(ssl, out_alg_bits) \
3656     SSL_CIPHER_get_bits(SSL_get_current_cipher(ssl), out_alg_bits)
3657 #define SSL_get_cipher_version(ssl) \
3658     SSL_CIPHER_get_version(SSL_get_current_cipher(ssl))
3659 #define SSL_get_cipher_name(ssl) \
3660     SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))
3661 #define SSL_get_time(session) SSL_SESSION_get_time(session)
3662 #define SSL_set_time(session, time) SSL_SESSION_set_time((session), (time))
3663 #define SSL_get_timeout(session) SSL_SESSION_get_timeout(session)
3664 #define SSL_set_timeout(session, timeout) \
3665     SSL_SESSION_set_timeout((session), (timeout))
3666 
3667 typedef struct ssl_comp_st SSL_COMP;
3668 
3669 struct ssl_comp_st {
3670   int id;
3671   const char *name;
3672   char *method;
3673 };
3674 
3675 DEFINE_STACK_OF(SSL_COMP)
3676 
3677 /* The following flags do nothing and are included only to make it easier to
3678  * compile code with BoringSSL. */
3679 #define SSL_MODE_AUTO_RETRY 0
3680 #define SSL_MODE_RELEASE_BUFFERS 0
3681 #define SSL_MODE_SEND_CLIENTHELLO_TIME 0
3682 #define SSL_MODE_SEND_SERVERHELLO_TIME 0
3683 #define SSL_OP_ALL 0
3684 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0
3685 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0
3686 #define SSL_OP_EPHEMERAL_RSA 0
3687 #define SSL_OP_LEGACY_SERVER_CONNECT 0
3688 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0
3689 #define SSL_OP_MICROSOFT_SESS_ID_BUG 0
3690 #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0
3691 #define SSL_OP_NETSCAPE_CA_DN_BUG 0
3692 #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0
3693 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0
3694 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0
3695 #define SSL_OP_NO_COMPRESSION 0
3696 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
3697 #define SSL_OP_NO_SSLv2 0
3698 #define SSL_OP_PKCS1_CHECK_1 0
3699 #define SSL_OP_PKCS1_CHECK_2 0
3700 #define SSL_OP_SINGLE_DH_USE 0
3701 #define SSL_OP_SINGLE_ECDH_USE 0
3702 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0
3703 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0
3704 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0
3705 #define SSL_OP_TLS_D5_BUG 0
3706 #define SSL_OP_TLS_ROLLBACK_BUG 0
3707 #define SSL_VERIFY_CLIENT_ONCE 0
3708 
3709 /* SSL_cache_hit calls |SSL_session_reused|. */
3710 OPENSSL_EXPORT int SSL_cache_hit(SSL *ssl);
3711 
3712 /* SSL_get_default_timeout returns |SSL_DEFAULT_SESSION_TIMEOUT|. */
3713 OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *ssl);
3714 
3715 /* SSL_get_version returns a string describing the TLS version used by |ssl|.
3716  * For example, "TLSv1.2" or "SSLv3". */
3717 OPENSSL_EXPORT const char *SSL_get_version(const SSL *ssl);
3718 
3719 /* SSL_get_cipher_list returns the name of the |n|th cipher in the output of
3720  * |SSL_get_ciphers| or NULL if out of range. Use |SSL_get_ciphers| instead. */
3721 OPENSSL_EXPORT const char *SSL_get_cipher_list(const SSL *ssl, int n);
3722 
3723 /* SSL_CTX_set_client_cert_cb sets a callback which is called on the client if
3724  * the server requests a client certificate and none is configured. On success,
3725  * the callback should return one and set |*out_x509| to |*out_pkey| to a leaf
3726  * certificate and private key, respectively, passing ownership. It should
3727  * return zero to send no certificate and -1 to fail or pause the handshake. If
3728  * the handshake is paused, |SSL_get_error| will return
3729  * |SSL_ERROR_WANT_X509_LOOKUP|.
3730  *
3731  * The callback may call |SSL_get0_certificate_types| and
3732  * |SSL_get_client_CA_list| for information on the server's certificate request.
3733  *
3734  * Use |SSL_CTX_set_cert_cb| instead. Configuring intermediate certificates with
3735  * this function is confusing. This callback may not be registered concurrently
3736  * with |SSL_CTX_set_cert_cb| or |SSL_set_cert_cb|. */
3737 OPENSSL_EXPORT void SSL_CTX_set_client_cert_cb(
3738     SSL_CTX *ctx,
3739     int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey));
3740 
3741 #define SSL_NOTHING 1
3742 #define SSL_WRITING 2
3743 #define SSL_READING 3
3744 #define SSL_X509_LOOKUP 4
3745 #define SSL_CHANNEL_ID_LOOKUP 5
3746 #define SSL_PENDING_SESSION 7
3747 #define SSL_CERTIFICATE_SELECTION_PENDING 8
3748 #define SSL_PRIVATE_KEY_OPERATION 9
3749 #define SSL_PENDING_TICKET 10
3750 #define SSL_EARLY_DATA_REJECTED 11
3751 
3752 /* SSL_want returns one of the above values to determine what the most recent
3753  * operation on |ssl| was blocked on. Use |SSL_get_error| instead. */
3754 OPENSSL_EXPORT int SSL_want(const SSL *ssl);
3755 
3756 #define SSL_want_read(ssl) (SSL_want(ssl) == SSL_READING)
3757 #define SSL_want_write(ssl) (SSL_want(ssl) == SSL_WRITING)
3758 
3759  /* SSL_get_finished writes up to |count| bytes of the Finished message sent by
3760   * |ssl| to |buf|. It returns the total untruncated length or zero if none has
3761   * been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero.
3762   *
3763   * Use |SSL_get_tls_unique| instead. */
3764 OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);
3765 
3766  /* SSL_get_peer_finished writes up to |count| bytes of the Finished message
3767   * received from |ssl|'s peer to |buf|. It returns the total untruncated length
3768   * or zero if none has been received yet. At SSL 3.0 or TLS 1.3 and later, it
3769   * returns zero.
3770   *
3771   * Use |SSL_get_tls_unique| instead. */
3772 OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,
3773                                             size_t count);
3774 
3775 /* SSL_alert_type_string returns "!". Use |SSL_alert_type_string_long|
3776  * instead. */
3777 OPENSSL_EXPORT const char *SSL_alert_type_string(int value);
3778 
3779 /* SSL_alert_desc_string returns "!!". Use |SSL_alert_desc_string_long|
3780  * instead. */
3781 OPENSSL_EXPORT const char *SSL_alert_desc_string(int value);
3782 
3783 /* SSL_TXT_* expand to strings. */
3784 #define SSL_TXT_MEDIUM "MEDIUM"
3785 #define SSL_TXT_HIGH "HIGH"
3786 #define SSL_TXT_FIPS "FIPS"
3787 #define SSL_TXT_kRSA "kRSA"
3788 #define SSL_TXT_kDHE "kDHE"
3789 #define SSL_TXT_kEDH "kEDH"
3790 #define SSL_TXT_kECDHE "kECDHE"
3791 #define SSL_TXT_kEECDH "kEECDH"
3792 #define SSL_TXT_kPSK "kPSK"
3793 #define SSL_TXT_aRSA "aRSA"
3794 #define SSL_TXT_aECDSA "aECDSA"
3795 #define SSL_TXT_aPSK "aPSK"
3796 #define SSL_TXT_DH "DH"
3797 #define SSL_TXT_DHE "DHE"
3798 #define SSL_TXT_EDH "EDH"
3799 #define SSL_TXT_RSA "RSA"
3800 #define SSL_TXT_ECDH "ECDH"
3801 #define SSL_TXT_ECDHE "ECDHE"
3802 #define SSL_TXT_EECDH "EECDH"
3803 #define SSL_TXT_ECDSA "ECDSA"
3804 #define SSL_TXT_PSK "PSK"
3805 #define SSL_TXT_3DES "3DES"
3806 #define SSL_TXT_RC4 "RC4"
3807 #define SSL_TXT_AES128 "AES128"
3808 #define SSL_TXT_AES256 "AES256"
3809 #define SSL_TXT_AES "AES"
3810 #define SSL_TXT_AES_GCM "AESGCM"
3811 #define SSL_TXT_CHACHA20 "CHACHA20"
3812 #define SSL_TXT_MD5 "MD5"
3813 #define SSL_TXT_SHA1 "SHA1"
3814 #define SSL_TXT_SHA "SHA"
3815 #define SSL_TXT_SHA256 "SHA256"
3816 #define SSL_TXT_SHA384 "SHA384"
3817 #define SSL_TXT_SSLV3 "SSLv3"
3818 #define SSL_TXT_TLSV1 "TLSv1"
3819 #define SSL_TXT_TLSV1_1 "TLSv1.1"
3820 #define SSL_TXT_TLSV1_2 "TLSv1.2"
3821 #define SSL_TXT_TLSV1_3 "TLSv1.3"
3822 #define SSL_TXT_ALL "ALL"
3823 #define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
3824 
3825 typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
3826 
3827 /* SSL_state returns |SSL_ST_INIT| if a handshake is in progress and |SSL_ST_OK|
3828  * otherwise.
3829  *
3830  * Use |SSL_is_init| instead. */
3831 OPENSSL_EXPORT int SSL_state(const SSL *ssl);
3832 
3833 #define SSL_get_state(ssl) SSL_state(ssl)
3834 
3835 /* SSL_state_string returns the current state of the handshake state machine as
3836  * a six-letter string. Use |SSL_state_string_long| for a more intelligible
3837  * string. */
3838 OPENSSL_EXPORT const char *SSL_state_string(const SSL *ssl);
3839 
3840 /* SSL_set_shutdown causes |ssl| to behave as if the shutdown bitmask (see
3841  * |SSL_get_shutdown|) were |mode|. This may be used to skip sending or
3842  * receiving close_notify in |SSL_shutdown| by causing the implementation to
3843  * believe the events already happened.
3844  *
3845  * It is an error to use |SSL_set_shutdown| to unset a bit that has already been
3846  * set. Doing so will trigger an |assert| in debug builds and otherwise be
3847  * ignored.
3848  *
3849  * Use |SSL_CTX_set_quiet_shutdown| instead. */
3850 OPENSSL_EXPORT void SSL_set_shutdown(SSL *ssl, int mode);
3851 
3852 /* SSL_CTX_set_tmp_ecdh calls |SSL_CTX_set1_curves| with a one-element list
3853  * containing |ec_key|'s curve. */
3854 OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key);
3855 
3856 /* SSL_set_tmp_ecdh calls |SSL_set1_curves| with a one-element list containing
3857  * |ec_key|'s curve. */
3858 OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key);
3859 
3860 /* SSL_add_dir_cert_subjects_to_stack lists files in directory |dir|. It calls
3861  * |SSL_add_file_cert_subjects_to_stack| on each file and returns one on success
3862  * or zero on error. This function is only available from the libdecrepit
3863  * library. */
3864 OPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
3865                                                       const char *dir);
3866 
3867 /* SSL_set_private_key_digest_prefs copies |num_digests| NIDs from |digest_nids|
3868  * into |ssl|. These digests will be used, in decreasing order of preference,
3869  * when signing with |ssl|'s private key. It returns one on success and zero on
3870  * error.
3871  *
3872  * Use |SSL_set_signing_algorithm_prefs| instead.
3873  *
3874  * TODO(davidben): Remove this API when callers have been updated. */
3875 OPENSSL_EXPORT int SSL_set_private_key_digest_prefs(SSL *ssl,
3876                                                     const int *digest_nids,
3877                                                     size_t num_digests);
3878 
3879 /* SSL_set_verify_result calls |abort| unless |result| is |X509_V_OK|.
3880  *
3881  * TODO(davidben): Remove this function once it has been removed from
3882  * netty-tcnative. */
3883 OPENSSL_EXPORT void SSL_set_verify_result(SSL *ssl, long result);
3884 
3885 /* SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|. */
3886 OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
3887 
3888 /* SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|. */
3889 OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
3890 
3891 /* BIO_f_ssl returns a |BIO_METHOD| that can wrap an |SSL*| in a |BIO*|. Note
3892  * that this has quite different behaviour from the version in OpenSSL (notably
3893  * that it doesn't try to auto renegotiate).
3894  *
3895  * IMPORTANT: if you are not curl, don't use this. */
3896 OPENSSL_EXPORT const BIO_METHOD *BIO_f_ssl(void);
3897 
3898 /* BIO_set_ssl sets |ssl| as the underlying connection for |bio|, which must
3899  * have been created using |BIO_f_ssl|. If |take_owership| is true, |bio| will
3900  * call |SSL_free| on |ssl| when closed. It returns one on success or something
3901  * other than one on error. */
3902 OPENSSL_EXPORT long BIO_set_ssl(BIO *bio, SSL *ssl, int take_owership);
3903 
3904 /* SSL_CTX_set_ecdh_auto returns one. */
3905 #define SSL_CTX_set_ecdh_auto(ctx, onoff) 1
3906 
3907 /* SSL_set_ecdh_auto returns one. */
3908 #define SSL_set_ecdh_auto(ssl, onoff) 1
3909 
3910 /* SSL_get_session returns a non-owning pointer to |ssl|'s session. For
3911  * historical reasons, which session it returns depends on |ssl|'s state.
3912  *
3913  * Prior to the start of the initial handshake, it returns the session the
3914  * caller set with |SSL_set_session|. After the initial handshake has finished
3915  * and if no additional handshakes are in progress, it returns the currently
3916  * active session. Its behavior is undefined while a handshake is in progress.
3917  *
3918  * If trying to add new sessions to an external session cache, use
3919  * |SSL_CTX_sess_set_new_cb| instead. In particular, using the callback is
3920  * required as of TLS 1.3. For compatibility, this function will return an
3921  * unresumable session which may be cached, but will never be resumed.
3922  *
3923  * If querying properties of the connection, use APIs on the |SSL| object. */
3924 OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl);
3925 
3926 /* SSL_get0_session is an alias for |SSL_get_session|. */
3927 #define SSL_get0_session SSL_get_session
3928 
3929 /* SSL_get1_session acts like |SSL_get_session| but returns a new reference to
3930  * the session. */
3931 OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
3932 
3933 
3934 /* Private structures.
3935  *
3936  * This structures are exposed for historical reasons, but access to them is
3937  * deprecated. */
3938 
3939 typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD;
3940 typedef struct ssl_x509_method_st SSL_X509_METHOD;
3941 
3942 struct ssl_cipher_st {
3943   /* name is the OpenSSL name for the cipher. */
3944   const char *name;
3945   /* standard_name is the IETF name for the cipher. */
3946   const char *standard_name;
3947   /* id is the cipher suite value bitwise OR-d with 0x03000000. */
3948   uint32_t id;
3949 
3950   /* algorithm_* are internal fields. See ssl/internal.h for their values. */
3951   uint32_t algorithm_mkey;
3952   uint32_t algorithm_auth;
3953   uint32_t algorithm_enc;
3954   uint32_t algorithm_mac;
3955   uint32_t algorithm_prf;
3956 };
3957 
3958 #define SSL_MAX_SSL_SESSION_ID_LENGTH 32
3959 #define SSL_MAX_SID_CTX_LENGTH 32
3960 #define SSL_MAX_MASTER_KEY_LENGTH 48
3961 
3962 struct ssl_session_st {
3963   CRYPTO_refcount_t references;
3964   int ssl_version; /* what ssl version session info is being kept in here? */
3965 
3966   /* group_id is the ID of the ECDH group used to establish this session or zero
3967    * if not applicable or unknown. */
3968   uint16_t group_id;
3969 
3970   /* peer_signature_algorithm is the signature algorithm used to authenticate
3971    * the peer, or zero if not applicable or unknown. */
3972   uint16_t peer_signature_algorithm;
3973 
3974   /* master_key, in TLS 1.2 and below, is the master secret associated with the
3975    * session. In TLS 1.3 and up, it is the resumption secret. */
3976   int master_key_length;
3977   uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH];
3978 
3979   /* session_id - valid? */
3980   unsigned int session_id_length;
3981   uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
3982   /* this is used to determine whether the session is being reused in
3983    * the appropriate context. It is up to the application to set this,
3984    * via SSL_new */
3985   uint8_t sid_ctx_length;
3986   uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
3987 
3988   char *psk_identity;
3989 
3990   /* certs contains the certificate chain from the peer, starting with the leaf
3991    * certificate. */
3992   STACK_OF(CRYPTO_BUFFER) *certs;
3993 
3994   const SSL_X509_METHOD *x509_method;
3995 
3996   /* x509_peer is the peer's certificate. */
3997   X509 *x509_peer;
3998 
3999   /* x509_chain is the certificate chain sent by the peer. NOTE: for historical
4000    * reasons, when a client (so the peer is a server), the chain includes
4001    * |peer|, but when a server it does not. */
4002   STACK_OF(X509) *x509_chain;
4003 
4004   /* x509_chain_without_leaf is a lazily constructed copy of |x509_chain| that
4005    * omits the leaf certificate. This exists because OpenSSL, historically,
4006    * didn't include the leaf certificate in the chain for a server, but did for
4007    * a client. The |x509_chain| always includes it and, if an API call requires
4008    * a chain without, it is stored here. */
4009   STACK_OF(X509) *x509_chain_without_leaf;
4010 
4011   /* verify_result is the result of certificate verification in the case of
4012    * non-fatal certificate errors. */
4013   long verify_result;
4014 
4015   /* timeout is the lifetime of the session in seconds, measured from |time|.
4016    * This is renewable up to |auth_timeout|. */
4017   uint32_t timeout;
4018 
4019   /* auth_timeout is the non-renewable lifetime of the session in seconds,
4020    * measured from |time|. */
4021   uint32_t auth_timeout;
4022 
4023   /* time is the time the session was issued, measured in seconds from the UNIX
4024    * epoch. */
4025   uint64_t time;
4026 
4027   const SSL_CIPHER *cipher;
4028 
4029   CRYPTO_EX_DATA ex_data; /* application specific data */
4030 
4031   /* These are used to make removal of session-ids more efficient and to
4032    * implement a maximum cache size. */
4033   SSL_SESSION *prev, *next;
4034   char *tlsext_hostname;
4035 
4036   /* RFC4507 info */
4037   uint8_t *tlsext_tick;               /* Session ticket */
4038   size_t tlsext_ticklen;              /* Session ticket length */
4039 
4040   size_t tlsext_signed_cert_timestamp_list_length;
4041   uint8_t *tlsext_signed_cert_timestamp_list; /* Server's list. */
4042 
4043   /* The OCSP response that came with the session. */
4044   size_t ocsp_response_length;
4045   uint8_t *ocsp_response;
4046 
4047   /* peer_sha256 contains the SHA-256 hash of the peer's certificate if
4048    * |peer_sha256_valid| is true. */
4049   uint8_t peer_sha256[SHA256_DIGEST_LENGTH];
4050 
4051   /* original_handshake_hash contains the handshake hash (either SHA-1+MD5 or
4052    * SHA-2, depending on TLS version) for the original, full handshake that
4053    * created a session. This is used by Channel IDs during resumption. */
4054   uint8_t original_handshake_hash[EVP_MAX_MD_SIZE];
4055   uint8_t original_handshake_hash_len;
4056 
4057   uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
4058 
4059   uint32_t ticket_age_add;
4060 
4061   /* ticket_max_early_data is the maximum amount of data allowed to be sent as
4062    * early data. If zero, 0-RTT is disallowed. */
4063   uint32_t ticket_max_early_data;
4064 
4065   /* early_alpn is the ALPN protocol from the initial handshake. This is only
4066    * stored for TLS 1.3 and above in order to enforce ALPN matching for 0-RTT
4067    * resumptions. */
4068   uint8_t *early_alpn;
4069   size_t early_alpn_len;
4070 
4071   /* extended_master_secret is true if the master secret in this session was
4072    * generated using EMS and thus isn't vulnerable to the Triple Handshake
4073    * attack. */
4074   unsigned extended_master_secret:1;
4075 
4076   /* peer_sha256_valid is non-zero if |peer_sha256| is valid. */
4077   unsigned peer_sha256_valid:1; /* Non-zero if peer_sha256 is valid */
4078 
4079   /* not_resumable is used to indicate that session resumption is disallowed. */
4080   unsigned not_resumable:1;
4081 
4082   /* ticket_age_add_valid is non-zero if |ticket_age_add| is valid. */
4083   unsigned ticket_age_add_valid:1;
4084 
4085   /* is_server is true if this session was created by a server. */
4086   unsigned is_server:1;
4087 };
4088 
4089 /* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
4090  * equal-preference groups. For TLS clients, the groups are moot because the
4091  * server picks the cipher and groups cannot be expressed on the wire. However,
4092  * for servers, the equal-preference groups allow the client's preferences to
4093  * be partially respected. (This only has an effect with
4094  * SSL_OP_CIPHER_SERVER_PREFERENCE).
4095  *
4096  * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
4097  * All elements of a group have the same priority: no ordering is expressed
4098  * within a group.
4099  *
4100  * The values in |ciphers| are in one-to-one correspondence with
4101  * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
4102  * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
4103  * indicate that the corresponding SSL_CIPHER is not the last element of a
4104  * group, or 0 to indicate that it is.
4105  *
4106  * For example, if |in_group_flags| contains all zeros then that indicates a
4107  * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
4108  * of the group (i.e. they are all in a one-element group).
4109  *
4110  * For a more complex example, consider:
4111  *   ciphers:        A  B  C  D  E  F
4112  *   in_group_flags: 1  1  0  0  1  0
4113  *
4114  * That would express the following, order:
4115  *
4116  *    A         E
4117  *    B -> D -> F
4118  *    C
4119  */
4120 struct ssl_cipher_preference_list_st {
4121   STACK_OF(SSL_CIPHER) *ciphers;
4122   uint8_t *in_group_flags;
4123 };
4124 
4125 DECLARE_STACK_OF(SSL_CUSTOM_EXTENSION)
4126 
4127 /* ssl_ctx_st (aka |SSL_CTX|) contains configuration common to several SSL
4128  * connections. */
4129 struct ssl_ctx_st {
4130   const SSL_PROTOCOL_METHOD *method;
4131   const SSL_X509_METHOD *x509_method;
4132 
4133   /* lock is used to protect various operations on this object. */
4134   CRYPTO_MUTEX lock;
4135 
4136   /* conf_max_version is the maximum acceptable protocol version configured by
4137    * |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS
4138    * and is further constrainted by |SSL_OP_NO_*|. */
4139   uint16_t conf_max_version;
4140 
4141   /* conf_min_version is the minimum acceptable protocol version configured by
4142    * |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS
4143    * and is further constrainted by |SSL_OP_NO_*|. */
4144   uint16_t conf_min_version;
4145 
4146   /* tls13_variant is the variant of TLS 1.3 we are using for this
4147    * configuration. */
4148   enum tls13_variant_t tls13_variant;
4149 
4150   struct ssl_cipher_preference_list_st *cipher_list;
4151 
4152   X509_STORE *cert_store;
4153   LHASH_OF(SSL_SESSION) *sessions;
4154   /* Most session-ids that will be cached, default is
4155    * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
4156   unsigned long session_cache_size;
4157   SSL_SESSION *session_cache_head;
4158   SSL_SESSION *session_cache_tail;
4159 
4160   /* handshakes_since_cache_flush is the number of successful handshakes since
4161    * the last cache flush. */
4162   int handshakes_since_cache_flush;
4163 
4164   /* This can have one of 2 values, ored together,
4165    * SSL_SESS_CACHE_CLIENT,
4166    * SSL_SESS_CACHE_SERVER,
4167    * Default is SSL_SESSION_CACHE_SERVER, which means only
4168    * SSL_accept which cache SSL_SESSIONS. */
4169   int session_cache_mode;
4170 
4171   /* session_timeout is the default lifetime for new sessions in TLS 1.2 and
4172    * earlier, in seconds. */
4173   uint32_t session_timeout;
4174 
4175   /* session_psk_dhe_timeout is the default lifetime for new sessions in TLS
4176    * 1.3, in seconds. */
4177   uint32_t session_psk_dhe_timeout;
4178 
4179   /* If this callback is not null, it will be called each time a session id is
4180    * added to the cache.  If this function returns 1, it means that the
4181    * callback will do a SSL_SESSION_free() when it has finished using it.
4182    * Otherwise, on 0, it means the callback has finished with it. If
4183    * remove_session_cb is not null, it will be called when a session-id is
4184    * removed from the cache.  After the call, OpenSSL will SSL_SESSION_free()
4185    * it. */
4186   int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess);
4187   void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess);
4188   SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *data, int len,
4189                                  int *copy);
4190 
4191   CRYPTO_refcount_t references;
4192 
4193   /* if defined, these override the X509_verify_cert() calls */
4194   int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg);
4195   void *app_verify_arg;
4196 
4197   /* Default password callback. */
4198   pem_password_cb *default_passwd_callback;
4199 
4200   /* Default password callback user data. */
4201   void *default_passwd_callback_userdata;
4202 
4203   /* get client cert callback */
4204   int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey);
4205 
4206   /* get channel id callback */
4207   void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey);
4208 
4209   CRYPTO_EX_DATA ex_data;
4210 
4211   /* custom_*_extensions stores any callback sets for custom extensions. Note
4212    * that these pointers will be NULL if the stack would otherwise be empty. */
4213   STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions;
4214   STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions;
4215 
4216   /* Default values used when no per-SSL value is defined follow */
4217 
4218   void (*info_callback)(const SSL *ssl, int type, int value);
4219 
4220   /* what we put in client cert requests */
4221   STACK_OF(CRYPTO_BUFFER) *client_CA;
4222 
4223   /* cached_x509_client_CA is a cache of parsed versions of the elements of
4224    * |client_CA|. */
4225   STACK_OF(X509_NAME) *cached_x509_client_CA;
4226 
4227 
4228   /* Default values to use in SSL structures follow (these are copied by
4229    * SSL_new) */
4230 
4231   uint32_t options;
4232   uint32_t mode;
4233   uint32_t max_cert_list;
4234 
4235   struct cert_st /* CERT */ *cert;
4236 
4237   /* callback that allows applications to peek at protocol messages */
4238   void (*msg_callback)(int write_p, int version, int content_type,
4239                        const void *buf, size_t len, SSL *ssl, void *arg);
4240   void *msg_callback_arg;
4241 
4242   int verify_mode;
4243   int (*default_verify_callback)(
4244       int ok, X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
4245 
4246   X509_VERIFY_PARAM *param;
4247 
4248   /* select_certificate_cb is called before most ClientHello processing and
4249    * before the decision whether to resume a session is made. See
4250    * |ssl_select_cert_result_t| for details of the return values. */
4251   enum ssl_select_cert_result_t (*select_certificate_cb)(
4252       const SSL_CLIENT_HELLO *);
4253 
4254   /* dos_protection_cb is called once the resumption decision for a ClientHello
4255    * has been made. It returns one to continue the handshake or zero to
4256    * abort. */
4257   int (*dos_protection_cb) (const SSL_CLIENT_HELLO *);
4258 
4259   /* Maximum amount of data to send in one fragment. actual record size can be
4260    * more than this due to padding and MAC overheads. */
4261   uint16_t max_send_fragment;
4262 
4263   /* TLS extensions servername callback */
4264   int (*tlsext_servername_callback)(SSL *, int *, void *);
4265   void *tlsext_servername_arg;
4266   /* RFC 4507 session ticket keys */
4267   uint8_t tlsext_tick_key_name[SSL_TICKET_KEY_NAME_LEN];
4268   uint8_t tlsext_tick_hmac_key[16];
4269   uint8_t tlsext_tick_aes_key[16];
4270   /* Callback to support customisation of ticket key setting */
4271   int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv,
4272                               EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
4273 
4274   /* Server-only: psk_identity_hint is the default identity hint to send in
4275    * PSK-based key exchanges. */
4276   char *psk_identity_hint;
4277 
4278   unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
4279                                       char *identity,
4280                                       unsigned int max_identity_len,
4281                                       uint8_t *psk, unsigned int max_psk_len);
4282   unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
4283                                       uint8_t *psk, unsigned int max_psk_len);
4284 
4285 
4286   /* retain_only_sha256_of_client_certs is true if we should compute the SHA256
4287    * hash of the peer's certificate and then discard it to save memory and
4288    * session space. Only effective on the server side. */
4289   char retain_only_sha256_of_client_certs;
4290 
4291   /* Next protocol negotiation information */
4292   /* (for experimental NPN extension). */
4293 
4294   /* For a server, this contains a callback function by which the set of
4295    * advertised protocols can be provided. */
4296   int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out,
4297                                    unsigned *out_len, void *arg);
4298   void *next_protos_advertised_cb_arg;
4299   /* For a client, this contains a callback function that selects the
4300    * next protocol from the list provided by the server. */
4301   int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
4302                               const uint8_t *in, unsigned in_len, void *arg);
4303   void *next_proto_select_cb_arg;
4304 
4305   /* ALPN information
4306    * (we are in the process of transitioning from NPN to ALPN.) */
4307 
4308   /* For a server, this contains a callback function that allows the
4309    * server to select the protocol for the connection.
4310    *   out: on successful return, this must point to the raw protocol
4311    *        name (without the length prefix).
4312    *   outlen: on successful return, this contains the length of |*out|.
4313    *   in: points to the client's list of supported protocols in
4314    *       wire-format.
4315    *   inlen: the length of |in|. */
4316   int (*alpn_select_cb)(SSL *s, const uint8_t **out, uint8_t *out_len,
4317                         const uint8_t *in, unsigned in_len, void *arg);
4318   void *alpn_select_cb_arg;
4319 
4320   /* For a client, this contains the list of supported protocols in wire
4321    * format. */
4322   uint8_t *alpn_client_proto_list;
4323   unsigned alpn_client_proto_list_len;
4324 
4325   /* SRTP profiles we are willing to do from RFC 5764 */
4326   STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
4327 
4328   /* Supported group values inherited by SSL structure */
4329   size_t supported_group_list_len;
4330   uint16_t *supported_group_list;
4331 
4332   /* The client's Channel ID private key. */
4333   EVP_PKEY *tlsext_channel_id_private;
4334 
4335   /* keylog_callback, if not NULL, is the key logging callback. See
4336    * |SSL_CTX_set_keylog_callback|. */
4337   void (*keylog_callback)(const SSL *ssl, const char *line);
4338 
4339   /* current_time_cb, if not NULL, is the function to use to get the current
4340    * time. It sets |*out_clock| to the current time. See
4341    * |SSL_CTX_set_current_time_cb|. */
4342   void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock);
4343 
4344   /* pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate
4345    * memory. */
4346   CRYPTO_BUFFER_POOL *pool;
4347 
4348   /* ticket_aead_method contains function pointers for opening and sealing
4349    * session tickets. */
4350   const SSL_TICKET_AEAD_METHOD *ticket_aead_method;
4351 
4352   /* verify_sigalgs, if not empty, is the set of signature algorithms
4353    * accepted from the peer in decreasing order of preference. */
4354   uint16_t *verify_sigalgs;
4355   size_t num_verify_sigalgs;
4356 
4357   /* quiet_shutdown is true if the connection should not send a close_notify on
4358    * shutdown. */
4359   unsigned quiet_shutdown:1;
4360 
4361   /* ocsp_stapling_enabled is only used by client connections and indicates
4362    * whether OCSP stapling will be requested. */
4363   unsigned ocsp_stapling_enabled:1;
4364 
4365   /* If true, a client will request certificate timestamps. */
4366   unsigned signed_cert_timestamps_enabled:1;
4367 
4368   /* tlsext_channel_id_enabled is one if Channel ID is enabled and zero
4369    * otherwise. For a server, means that we'll accept Channel IDs from clients.
4370    * For a client, means that we'll advertise support. */
4371   unsigned tlsext_channel_id_enabled:1;
4372 
4373   /* grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero
4374    * otherwise. */
4375   unsigned grease_enabled:1;
4376 
4377   /* i_promise_to_verify_certs_after_the_handshake indicates that the
4378    * application is using the |CRYPTO_BUFFER|-based methods and understands
4379    * that this currently requires post-handshake verification of
4380    * certificates. */
4381   unsigned i_promise_to_verify_certs_after_the_handshake:1;
4382 
4383   /* allow_unknown_alpn_protos is one if the client allows unsolicited ALPN
4384    * protocols from the peer. */
4385   unsigned allow_unknown_alpn_protos:1;
4386 
4387   /* ed25519_enabled is one if Ed25519 is advertised in the handshake. */
4388   unsigned ed25519_enabled:1;
4389 };
4390 
4391 
4392 /* Nodejs compatibility section (hidden).
4393  *
4394  * These defines exist for node.js, with the hope that we can eliminate the
4395  * need for them over time. */
4396 #define SSLerr(function, reason) \
4397   ERR_put_error(ERR_LIB_SSL, 0, reason, __FILE__, __LINE__)
4398 
4399 
4400 /* Preprocessor compatibility section (hidden).
4401  *
4402  * Historically, a number of APIs were implemented in OpenSSL as macros and
4403  * constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this
4404  * section defines a number of legacy macros.
4405  *
4406  * Although using either the CTRL values or their wrapper macros in #ifdefs is
4407  * still supported, the CTRL values may not be passed to |SSL_ctrl| and
4408  * |SSL_CTX_ctrl|. Call the functions (previously wrapper macros) instead.
4409  *
4410  * See PORTING.md in the BoringSSL source tree for a table of corresponding
4411  * functions.
4412  * https://boringssl.googlesource.com/boringssl/+/master/PORTING.md#Replacements-for-values
4413  */
4414 
4415 #define DTLS_CTRL_GET_TIMEOUT doesnt_exist
4416 #define DTLS_CTRL_HANDLE_TIMEOUT doesnt_exist
4417 #define SSL_CTRL_CHAIN doesnt_exist
4418 #define SSL_CTRL_CHAIN_CERT doesnt_exist
4419 #define SSL_CTRL_CHANNEL_ID doesnt_exist
4420 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS doesnt_exist
4421 #define SSL_CTRL_CLEAR_MODE doesnt_exist
4422 #define SSL_CTRL_CLEAR_OPTIONS doesnt_exist
4423 #define SSL_CTRL_EXTRA_CHAIN_CERT doesnt_exist
4424 #define SSL_CTRL_GET_CHAIN_CERTS doesnt_exist
4425 #define SSL_CTRL_GET_CHANNEL_ID doesnt_exist
4426 #define SSL_CTRL_GET_CLIENT_CERT_TYPES doesnt_exist
4427 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS doesnt_exist
4428 #define SSL_CTRL_GET_MAX_CERT_LIST doesnt_exist
4429 #define SSL_CTRL_GET_NUM_RENEGOTIATIONS doesnt_exist
4430 #define SSL_CTRL_GET_READ_AHEAD doesnt_exist
4431 #define SSL_CTRL_GET_RI_SUPPORT doesnt_exist
4432 #define SSL_CTRL_GET_SESSION_REUSED doesnt_exist
4433 #define SSL_CTRL_GET_SESS_CACHE_MODE doesnt_exist
4434 #define SSL_CTRL_GET_SESS_CACHE_SIZE doesnt_exist
4435 #define SSL_CTRL_GET_TLSEXT_TICKET_KEYS doesnt_exist
4436 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS doesnt_exist
4437 #define SSL_CTRL_MODE doesnt_exist
4438 #define SSL_CTRL_NEED_TMP_RSA doesnt_exist
4439 #define SSL_CTRL_OPTIONS doesnt_exist
4440 #define SSL_CTRL_SESS_NUMBER doesnt_exist
4441 #define SSL_CTRL_SET_CURVES doesnt_exist
4442 #define SSL_CTRL_SET_CURVES_LIST doesnt_exist
4443 #define SSL_CTRL_SET_ECDH_AUTO doesnt_exist
4444 #define SSL_CTRL_SET_MAX_CERT_LIST doesnt_exist
4445 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT doesnt_exist
4446 #define SSL_CTRL_SET_MSG_CALLBACK doesnt_exist
4447 #define SSL_CTRL_SET_MSG_CALLBACK_ARG doesnt_exist
4448 #define SSL_CTRL_SET_MTU doesnt_exist
4449 #define SSL_CTRL_SET_READ_AHEAD doesnt_exist
4450 #define SSL_CTRL_SET_SESS_CACHE_MODE doesnt_exist
4451 #define SSL_CTRL_SET_SESS_CACHE_SIZE doesnt_exist
4452 #define SSL_CTRL_SET_TLSEXT_HOSTNAME doesnt_exist
4453 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG doesnt_exist
4454 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB doesnt_exist
4455 #define SSL_CTRL_SET_TLSEXT_TICKET_KEYS doesnt_exist
4456 #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB doesnt_exist
4457 #define SSL_CTRL_SET_TMP_DH doesnt_exist
4458 #define SSL_CTRL_SET_TMP_DH_CB doesnt_exist
4459 #define SSL_CTRL_SET_TMP_ECDH doesnt_exist
4460 #define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist
4461 #define SSL_CTRL_SET_TMP_RSA doesnt_exist
4462 #define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist
4463 
4464 #define DTLSv1_get_timeout DTLSv1_get_timeout
4465 #define DTLSv1_handle_timeout DTLSv1_handle_timeout
4466 #define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert
4467 #define SSL_CTX_add1_chain_cert SSL_CTX_add1_chain_cert
4468 #define SSL_CTX_add_extra_chain_cert SSL_CTX_add_extra_chain_cert
4469 #define SSL_CTX_clear_extra_chain_certs SSL_CTX_clear_extra_chain_certs
4470 #define SSL_CTX_clear_chain_certs SSL_CTX_clear_chain_certs
4471 #define SSL_CTX_clear_mode SSL_CTX_clear_mode
4472 #define SSL_CTX_clear_options SSL_CTX_clear_options
4473 #define SSL_CTX_get0_chain_certs SSL_CTX_get0_chain_certs
4474 #define SSL_CTX_get_extra_chain_certs SSL_CTX_get_extra_chain_certs
4475 #define SSL_CTX_get_max_cert_list SSL_CTX_get_max_cert_list
4476 #define SSL_CTX_get_mode SSL_CTX_get_mode
4477 #define SSL_CTX_get_options SSL_CTX_get_options
4478 #define SSL_CTX_get_read_ahead SSL_CTX_get_read_ahead
4479 #define SSL_CTX_get_session_cache_mode SSL_CTX_get_session_cache_mode
4480 #define SSL_CTX_get_tlsext_ticket_keys SSL_CTX_get_tlsext_ticket_keys
4481 #define SSL_CTX_need_tmp_RSA SSL_CTX_need_tmp_RSA
4482 #define SSL_CTX_sess_get_cache_size SSL_CTX_sess_get_cache_size
4483 #define SSL_CTX_sess_number SSL_CTX_sess_number
4484 #define SSL_CTX_sess_set_cache_size SSL_CTX_sess_set_cache_size
4485 #define SSL_CTX_set0_chain SSL_CTX_set0_chain
4486 #define SSL_CTX_set1_chain SSL_CTX_set1_chain
4487 #define SSL_CTX_set1_curves SSL_CTX_set1_curves
4488 #define SSL_CTX_set_max_cert_list SSL_CTX_set_max_cert_list
4489 #define SSL_CTX_set_max_send_fragment SSL_CTX_set_max_send_fragment
4490 #define SSL_CTX_set_mode SSL_CTX_set_mode
4491 #define SSL_CTX_set_msg_callback_arg SSL_CTX_set_msg_callback_arg
4492 #define SSL_CTX_set_options SSL_CTX_set_options
4493 #define SSL_CTX_set_read_ahead SSL_CTX_set_read_ahead
4494 #define SSL_CTX_set_session_cache_mode SSL_CTX_set_session_cache_mode
4495 #define SSL_CTX_set_tlsext_servername_arg SSL_CTX_set_tlsext_servername_arg
4496 #define SSL_CTX_set_tlsext_servername_callback \
4497     SSL_CTX_set_tlsext_servername_callback
4498 #define SSL_CTX_set_tlsext_ticket_key_cb SSL_CTX_set_tlsext_ticket_key_cb
4499 #define SSL_CTX_set_tlsext_ticket_keys SSL_CTX_set_tlsext_ticket_keys
4500 #define SSL_CTX_set_tmp_dh SSL_CTX_set_tmp_dh
4501 #define SSL_CTX_set_tmp_ecdh SSL_CTX_set_tmp_ecdh
4502 #define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa
4503 #define SSL_add0_chain_cert SSL_add0_chain_cert
4504 #define SSL_add1_chain_cert SSL_add1_chain_cert
4505 #define SSL_clear_chain_certs SSL_clear_chain_certs
4506 #define SSL_clear_mode SSL_clear_mode
4507 #define SSL_clear_options SSL_clear_options
4508 #define SSL_get0_certificate_types SSL_get0_certificate_types
4509 #define SSL_get0_chain_certs SSL_get0_chain_certs
4510 #define SSL_get_max_cert_list SSL_get_max_cert_list
4511 #define SSL_get_mode SSL_get_mode
4512 #define SSL_get_options SSL_get_options
4513 #define SSL_get_secure_renegotiation_support \
4514     SSL_get_secure_renegotiation_support
4515 #define SSL_need_tmp_RSA SSL_need_tmp_RSA
4516 #define SSL_num_renegotiations SSL_num_renegotiations
4517 #define SSL_session_reused SSL_session_reused
4518 #define SSL_set0_chain SSL_set0_chain
4519 #define SSL_set1_chain SSL_set1_chain
4520 #define SSL_set1_curves SSL_set1_curves
4521 #define SSL_set_max_cert_list SSL_set_max_cert_list
4522 #define SSL_set_max_send_fragment SSL_set_max_send_fragment
4523 #define SSL_set_mode SSL_set_mode
4524 #define SSL_set_msg_callback_arg SSL_set_msg_callback_arg
4525 #define SSL_set_mtu SSL_set_mtu
4526 #define SSL_set_options SSL_set_options
4527 #define SSL_set_tlsext_host_name SSL_set_tlsext_host_name
4528 #define SSL_set_tmp_dh SSL_set_tmp_dh
4529 #define SSL_set_tmp_ecdh SSL_set_tmp_ecdh
4530 #define SSL_set_tmp_rsa SSL_set_tmp_rsa
4531 #define SSL_total_renegotiations SSL_total_renegotiations
4532 
4533 
4534 #if defined(__cplusplus)
4535 } /* extern C */
4536 
4537 extern "C++" {
4538 
4539 namespace bssl {
4540 
4541 BORINGSSL_MAKE_DELETER(SSL, SSL_free)
4542 BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)
4543 BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
4544 
4545 }  // namespace bssl
4546 
4547 }  /* extern C++ */
4548 
4549 #endif
4550 
4551 #define SSL_R_APP_DATA_IN_HANDSHAKE 100
4552 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101
4553 #define SSL_R_BAD_ALERT 102
4554 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
4555 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 104
4556 #define SSL_R_BAD_DH_P_LENGTH 105
4557 #define SSL_R_BAD_DIGEST_LENGTH 106
4558 #define SSL_R_BAD_ECC_CERT 107
4559 #define SSL_R_BAD_ECPOINT 108
4560 #define SSL_R_BAD_HANDSHAKE_RECORD 109
4561 #define SSL_R_BAD_HELLO_REQUEST 110
4562 #define SSL_R_BAD_LENGTH 111
4563 #define SSL_R_BAD_PACKET_LENGTH 112
4564 #define SSL_R_BAD_RSA_ENCRYPT 113
4565 #define SSL_R_BAD_SIGNATURE 114
4566 #define SSL_R_BAD_SRTP_MKI_VALUE 115
4567 #define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 116
4568 #define SSL_R_BAD_SSL_FILETYPE 117
4569 #define SSL_R_BAD_WRITE_RETRY 118
4570 #define SSL_R_BIO_NOT_SET 119
4571 #define SSL_R_BN_LIB 120
4572 #define SSL_R_BUFFER_TOO_SMALL 121
4573 #define SSL_R_CA_DN_LENGTH_MISMATCH 122
4574 #define SSL_R_CA_DN_TOO_LONG 123
4575 #define SSL_R_CCS_RECEIVED_EARLY 124
4576 #define SSL_R_CERTIFICATE_VERIFY_FAILED 125
4577 #define SSL_R_CERT_CB_ERROR 126
4578 #define SSL_R_CERT_LENGTH_MISMATCH 127
4579 #define SSL_R_CHANNEL_ID_NOT_P256 128
4580 #define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 129
4581 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 130
4582 #define SSL_R_CLIENTHELLO_PARSE_FAILED 131
4583 #define SSL_R_CLIENTHELLO_TLSEXT 132
4584 #define SSL_R_CONNECTION_REJECTED 133
4585 #define SSL_R_CONNECTION_TYPE_NOT_SET 134
4586 #define SSL_R_CUSTOM_EXTENSION_ERROR 135
4587 #define SSL_R_DATA_LENGTH_TOO_LONG 136
4588 #define SSL_R_DECODE_ERROR 137
4589 #define SSL_R_DECRYPTION_FAILED 138
4590 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 139
4591 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 140
4592 #define SSL_R_DH_P_TOO_LONG 141
4593 #define SSL_R_DIGEST_CHECK_FAILED 142
4594 #define SSL_R_DTLS_MESSAGE_TOO_BIG 143
4595 #define SSL_R_ECC_CERT_NOT_FOR_SIGNING 144
4596 #define SSL_R_EMS_STATE_INCONSISTENT 145
4597 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 146
4598 #define SSL_R_ERROR_ADDING_EXTENSION 147
4599 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 148
4600 #define SSL_R_ERROR_PARSING_EXTENSION 149
4601 #define SSL_R_EXCESSIVE_MESSAGE_SIZE 150
4602 #define SSL_R_EXTRA_DATA_IN_MESSAGE 151
4603 #define SSL_R_FRAGMENT_MISMATCH 152
4604 #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 153
4605 #define SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO 154
4606 #define SSL_R_HTTPS_PROXY_REQUEST 155
4607 #define SSL_R_HTTP_REQUEST 156
4608 #define SSL_R_INAPPROPRIATE_FALLBACK 157
4609 #define SSL_R_INVALID_COMMAND 158
4610 #define SSL_R_INVALID_MESSAGE 159
4611 #define SSL_R_INVALID_SSL_SESSION 160
4612 #define SSL_R_INVALID_TICKET_KEYS_LENGTH 161
4613 #define SSL_R_LENGTH_MISMATCH 162
4614 #define SSL_R_MISSING_EXTENSION 164
4615 #define SSL_R_MISSING_RSA_CERTIFICATE 165
4616 #define SSL_R_MISSING_TMP_DH_KEY 166
4617 #define SSL_R_MISSING_TMP_ECDH_KEY 167
4618 #define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 168
4619 #define SSL_R_MTU_TOO_SMALL 169
4620 #define SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN 170
4621 #define SSL_R_NESTED_GROUP 171
4622 #define SSL_R_NO_CERTIFICATES_RETURNED 172
4623 #define SSL_R_NO_CERTIFICATE_ASSIGNED 173
4624 #define SSL_R_NO_CERTIFICATE_SET 174
4625 #define SSL_R_NO_CIPHERS_AVAILABLE 175
4626 #define SSL_R_NO_CIPHERS_PASSED 176
4627 #define SSL_R_NO_CIPHER_MATCH 177
4628 #define SSL_R_NO_COMPRESSION_SPECIFIED 178
4629 #define SSL_R_NO_METHOD_SPECIFIED 179
4630 #define SSL_R_NO_P256_SUPPORT 180
4631 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 181
4632 #define SSL_R_NO_RENEGOTIATION 182
4633 #define SSL_R_NO_REQUIRED_DIGEST 183
4634 #define SSL_R_NO_SHARED_CIPHER 184
4635 #define SSL_R_NULL_SSL_CTX 185
4636 #define SSL_R_NULL_SSL_METHOD_PASSED 186
4637 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 187
4638 #define SSL_R_OLD_SESSION_VERSION_NOT_RETURNED 188
4639 #define SSL_R_OUTPUT_ALIASES_INPUT 189
4640 #define SSL_R_PARSE_TLSEXT 190
4641 #define SSL_R_PATH_TOO_LONG 191
4642 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 192
4643 #define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 193
4644 #define SSL_R_PROTOCOL_IS_SHUTDOWN 194
4645 #define SSL_R_PSK_IDENTITY_NOT_FOUND 195
4646 #define SSL_R_PSK_NO_CLIENT_CB 196
4647 #define SSL_R_PSK_NO_SERVER_CB 197
4648 #define SSL_R_READ_TIMEOUT_EXPIRED 198
4649 #define SSL_R_RECORD_LENGTH_MISMATCH 199
4650 #define SSL_R_RECORD_TOO_LARGE 200
4651 #define SSL_R_RENEGOTIATION_ENCODING_ERR 201
4652 #define SSL_R_RENEGOTIATION_MISMATCH 202
4653 #define SSL_R_REQUIRED_CIPHER_MISSING 203
4654 #define SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION 204
4655 #define SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION 205
4656 #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 206
4657 #define SSL_R_SERVERHELLO_TLSEXT 207
4658 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 208
4659 #define SSL_R_SESSION_MAY_NOT_BE_CREATED 209
4660 #define SSL_R_SIGNATURE_ALGORITHMS_EXTENSION_SENT_BY_SERVER 210
4661 #define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 211
4662 #define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 212
4663 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME 213
4664 #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 214
4665 #define SSL_R_SSL_HANDSHAKE_FAILURE 215
4666 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 216
4667 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 217
4668 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 218
4669 #define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 219
4670 #define SSL_R_TOO_MANY_WARNING_ALERTS 220
4671 #define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 221
4672 #define SSL_R_UNEXPECTED_EXTENSION 222
4673 #define SSL_R_UNEXPECTED_MESSAGE 223
4674 #define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 224
4675 #define SSL_R_UNEXPECTED_RECORD 225
4676 #define SSL_R_UNINITIALIZED 226
4677 #define SSL_R_UNKNOWN_ALERT_TYPE 227
4678 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE 228
4679 #define SSL_R_UNKNOWN_CIPHER_RETURNED 229
4680 #define SSL_R_UNKNOWN_CIPHER_TYPE 230
4681 #define SSL_R_UNKNOWN_DIGEST 231
4682 #define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 232
4683 #define SSL_R_UNKNOWN_PROTOCOL 233
4684 #define SSL_R_UNKNOWN_SSL_VERSION 234
4685 #define SSL_R_UNKNOWN_STATE 235
4686 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 236
4687 #define SSL_R_UNSUPPORTED_CIPHER 237
4688 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 238
4689 #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 239
4690 #define SSL_R_UNSUPPORTED_PROTOCOL 240
4691 #define SSL_R_WRONG_CERTIFICATE_TYPE 241
4692 #define SSL_R_WRONG_CIPHER_RETURNED 242
4693 #define SSL_R_WRONG_CURVE 243
4694 #define SSL_R_WRONG_MESSAGE_TYPE 244
4695 #define SSL_R_WRONG_SIGNATURE_TYPE 245
4696 #define SSL_R_WRONG_SSL_VERSION 246
4697 #define SSL_R_WRONG_VERSION_NUMBER 247
4698 #define SSL_R_X509_LIB 248
4699 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 249
4700 #define SSL_R_SHUTDOWN_WHILE_IN_INIT 250
4701 #define SSL_R_INVALID_OUTER_RECORD_TYPE 251
4702 #define SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY 252
4703 #define SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS 253
4704 #define SSL_R_DOWNGRADE_DETECTED 254
4705 #define SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE 255
4706 #define SSL_R_INVALID_COMPRESSION_LIST 256
4707 #define SSL_R_DUPLICATE_EXTENSION 257
4708 #define SSL_R_MISSING_KEY_SHARE 258
4709 #define SSL_R_INVALID_ALPN_PROTOCOL 259
4710 #define SSL_R_TOO_MANY_KEY_UPDATES 260
4711 #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 261
4712 #define SSL_R_NO_CIPHERS_SPECIFIED 262
4713 #define SSL_R_RENEGOTIATION_EMS_MISMATCH 263
4714 #define SSL_R_DUPLICATE_KEY_SHARE 264
4715 #define SSL_R_NO_GROUPS_SPECIFIED 265
4716 #define SSL_R_NO_SHARED_GROUP 266
4717 #define SSL_R_PRE_SHARED_KEY_MUST_BE_LAST 267
4718 #define SSL_R_OLD_SESSION_PRF_HASH_MISMATCH 268
4719 #define SSL_R_INVALID_SCT_LIST 269
4720 #define SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA 270
4721 #define SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH 271
4722 #define SSL_R_CANNOT_PARSE_LEAF_CERT 272
4723 #define SSL_R_SERVER_CERT_CHANGED 273
4724 #define SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH 274
4725 #define SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD 275
4726 #define SSL_R_TICKET_ENCRYPTION_FAILED 276
4727 #define SSL_R_ALPN_MISMATCH_ON_EARLY_DATA 277
4728 #define SSL_R_WRONG_VERSION_ON_EARLY_DATA 278
4729 #define SSL_R_CHANNEL_ID_ON_EARLY_DATA 279
4730 #define SSL_R_NO_SUPPORTED_VERSIONS_ENABLED 280
4731 #define SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE 281
4732 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
4733 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
4734 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
4735 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
4736 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
4737 #define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
4738 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
4739 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
4740 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
4741 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
4742 #define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
4743 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
4744 #define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
4745 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
4746 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
4747 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
4748 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
4749 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
4750 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
4751 #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
4752 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
4753 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
4754 #define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
4755 #define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
4756 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
4757 #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
4758 #define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
4759 #define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
4760 #define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
4761 #define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
4762 #define SSL_R_TLSV1_UNKNOWN_PSK_IDENTITY 1115
4763 #define SSL_R_TLSV1_CERTIFICATE_REQUIRED 1116
4764 #define SSL_R_TOO_MUCH_READ_EARLY_DATA 1117
4765 
4766 #endif /* OPENSSL_HEADER_SSL_H */
4767