1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core@openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay@cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh@cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. 140 */ 141 142 #ifndef OPENSSL_HEADER_SSL_H 143 #define OPENSSL_HEADER_SSL_H 144 145 #include <openssl/base.h> 146 147 #include <openssl/bio.h> 148 #include <openssl/buf.h> 149 #include <openssl/hmac.h> 150 #include <openssl/lhash.h> 151 #include <openssl/pem.h> 152 #include <openssl/ssl3.h> 153 #include <openssl/thread.h> 154 #include <openssl/tls1.h> 155 #include <openssl/x509.h> 156 157 #if !defined(OPENSSL_WINDOWS) 158 #include <sys/time.h> 159 #endif 160 161 /* Forward-declare struct timeval. On Windows, it is defined in winsock2.h and 162 * Windows headers define too many macros to be included in public headers. 163 * However, only a forward declaration is needed. */ 164 struct timeval; 165 166 #if defined(__cplusplus) 167 extern "C" { 168 #endif 169 170 171 /* SSL implementation. */ 172 173 174 /* SSL contexts. 175 * 176 * |SSL_CTX| objects manage shared state and configuration between multiple TLS 177 * or DTLS connections. Whether the connections are TLS or DTLS is selected by 178 * an |SSL_METHOD| on creation. 179 * 180 * |SSL_CTX| are reference-counted and may be shared by connections across 181 * multiple threads. Once shared, functions which change the |SSL_CTX|'s 182 * configuration may not be used. */ 183 184 /* TLS_method is the |SSL_METHOD| used for TLS (and SSLv3) connections. */ 185 OPENSSL_EXPORT const SSL_METHOD *TLS_method(void); 186 187 /* DTLS_method is the |SSL_METHOD| used for DTLS connections. */ 188 OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void); 189 190 /* TLS_with_buffers_method is like |TLS_method|, but avoids all use of 191 * crypto/x509. */ 192 OPENSSL_EXPORT const SSL_METHOD *TLS_with_buffers_method(void); 193 194 /* SSL_CTX_new returns a newly-allocated |SSL_CTX| with default settings or NULL 195 * on error. */ 196 OPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); 197 198 /* SSL_CTX_up_ref increments the reference count of |ctx|. It returns one. */ 199 OPENSSL_EXPORT int SSL_CTX_up_ref(SSL_CTX *ctx); 200 201 /* SSL_CTX_free releases memory associated with |ctx|. */ 202 OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *ctx); 203 204 205 /* SSL connections. 206 * 207 * An |SSL| object represents a single TLS or DTLS connection. Although the 208 * shared |SSL_CTX| is thread-safe, an |SSL| is not thread-safe and may only be 209 * used on one thread at a time. */ 210 211 /* SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. The new 212 * connection inherits settings from |ctx| at the time of creation. Settings may 213 * also be individually configured on the connection. 214 * 215 * On creation, an |SSL| is not configured to be either a client or server. Call 216 * |SSL_set_connect_state| or |SSL_set_accept_state| to set this. */ 217 OPENSSL_EXPORT SSL *SSL_new(SSL_CTX *ctx); 218 219 /* SSL_free releases memory associated with |ssl|. */ 220 OPENSSL_EXPORT void SSL_free(SSL *ssl); 221 222 /* SSL_get_SSL_CTX returns the |SSL_CTX| associated with |ssl|. If 223 * |SSL_set_SSL_CTX| is called, it returns the new |SSL_CTX|, not the initial 224 * one. */ 225 OPENSSL_EXPORT SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl); 226 227 /* SSL_set_connect_state configures |ssl| to be a client. */ 228 OPENSSL_EXPORT void SSL_set_connect_state(SSL *ssl); 229 230 /* SSL_set_accept_state configures |ssl| to be a server. */ 231 OPENSSL_EXPORT void SSL_set_accept_state(SSL *ssl); 232 233 /* SSL_is_server returns one if |ssl| is configured as a server and zero 234 * otherwise. */ 235 OPENSSL_EXPORT int SSL_is_server(const SSL *ssl); 236 237 /* SSL_is_dtls returns one if |ssl| is a DTLS connection and zero otherwise. */ 238 OPENSSL_EXPORT int SSL_is_dtls(const SSL *ssl); 239 240 /* SSL_set_bio configures |ssl| to read from |rbio| and write to |wbio|. |ssl| 241 * takes ownership of the two |BIO|s. If |rbio| and |wbio| are the same, |ssl| 242 * only takes ownership of one reference. 243 * 244 * In DTLS, |rbio| must be non-blocking to properly handle timeouts and 245 * retransmits. 246 * 247 * If |rbio| is the same as the currently configured |BIO| for reading, that 248 * side is left untouched and is not freed. 249 * 250 * If |wbio| is the same as the currently configured |BIO| for writing AND |ssl| 251 * is not currently configured to read from and write to the same |BIO|, that 252 * side is left untouched and is not freed. This asymmetry is present for 253 * historical reasons. 254 * 255 * Due to the very complex historical behavior of this function, calling this 256 * function if |ssl| already has |BIO|s configured is deprecated. Prefer 257 * |SSL_set0_rbio| and |SSL_set0_wbio| instead. */ 258 OPENSSL_EXPORT void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio); 259 260 /* SSL_set0_rbio configures |ssl| to write to |rbio|. It takes ownership of 261 * |rbio|. 262 * 263 * Note that, although this function and |SSL_set0_wbio| may be called on the 264 * same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this. */ 265 OPENSSL_EXPORT void SSL_set0_rbio(SSL *ssl, BIO *rbio); 266 267 /* SSL_set0_wbio configures |ssl| to write to |wbio|. It takes ownership of 268 * |wbio|. 269 * 270 * Note that, although this function and |SSL_set0_rbio| may be called on the 271 * same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this. */ 272 OPENSSL_EXPORT void SSL_set0_wbio(SSL *ssl, BIO *wbio); 273 274 /* SSL_get_rbio returns the |BIO| that |ssl| reads from. */ 275 OPENSSL_EXPORT BIO *SSL_get_rbio(const SSL *ssl); 276 277 /* SSL_get_wbio returns the |BIO| that |ssl| writes to. */ 278 OPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *ssl); 279 280 /* SSL_get_fd calls |SSL_get_rfd|. */ 281 OPENSSL_EXPORT int SSL_get_fd(const SSL *ssl); 282 283 /* SSL_get_rfd returns the file descriptor that |ssl| is configured to read 284 * from. If |ssl|'s read |BIO| is not configured or doesn't wrap a file 285 * descriptor then it returns -1. 286 * 287 * Note: On Windows, this may return either a file descriptor or a socket (cast 288 * to int), depending on whether |ssl| was configured with a file descriptor or 289 * socket |BIO|. */ 290 OPENSSL_EXPORT int SSL_get_rfd(const SSL *ssl); 291 292 /* SSL_get_wfd returns the file descriptor that |ssl| is configured to write 293 * to. If |ssl|'s write |BIO| is not configured or doesn't wrap a file 294 * descriptor then it returns -1. 295 * 296 * Note: On Windows, this may return either a file descriptor or a socket (cast 297 * to int), depending on whether |ssl| was configured with a file descriptor or 298 * socket |BIO|. */ 299 OPENSSL_EXPORT int SSL_get_wfd(const SSL *ssl); 300 301 /* SSL_set_fd configures |ssl| to read from and write to |fd|. It returns one 302 * on success and zero on allocation error. The caller retains ownership of 303 * |fd|. 304 * 305 * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */ 306 OPENSSL_EXPORT int SSL_set_fd(SSL *ssl, int fd); 307 308 /* SSL_set_rfd configures |ssl| to read from |fd|. It returns one on success and 309 * zero on allocation error. The caller retains ownership of |fd|. 310 * 311 * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */ 312 OPENSSL_EXPORT int SSL_set_rfd(SSL *ssl, int fd); 313 314 /* SSL_set_wfd configures |ssl| to write to |fd|. It returns one on success and 315 * zero on allocation error. The caller retains ownership of |fd|. 316 * 317 * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */ 318 OPENSSL_EXPORT int SSL_set_wfd(SSL *ssl, int fd); 319 320 /* SSL_do_handshake continues the current handshake. If there is none or the 321 * handshake has completed or False Started, it returns one. Otherwise, it 322 * returns <= 0. The caller should pass the value into |SSL_get_error| to 323 * determine how to proceed. 324 * 325 * In DTLS, the caller must drive retransmissions. Whenever |SSL_get_error| 326 * signals |SSL_ERROR_WANT_READ|, use |DTLSv1_get_timeout| to determine the 327 * current timeout. If it expires before the next retry, call 328 * |DTLSv1_handle_timeout|. Note that DTLS handshake retransmissions use fresh 329 * sequence numbers, so it is not sufficient to replay packets at the transport. 330 * 331 * TODO(davidben): Ensure 0 is only returned on transport EOF. 332 * https://crbug.com/466303. */ 333 OPENSSL_EXPORT int SSL_do_handshake(SSL *ssl); 334 335 /* SSL_connect configures |ssl| as a client, if unconfigured, and calls 336 * |SSL_do_handshake|. */ 337 OPENSSL_EXPORT int SSL_connect(SSL *ssl); 338 339 /* SSL_accept configures |ssl| as a server, if unconfigured, and calls 340 * |SSL_do_handshake|. */ 341 OPENSSL_EXPORT int SSL_accept(SSL *ssl); 342 343 /* SSL_read reads up to |num| bytes from |ssl| into |buf|. It implicitly runs 344 * any pending handshakes, including renegotiations when enabled. On success, it 345 * returns the number of bytes read. Otherwise, it returns <= 0. The caller 346 * should pass the value into |SSL_get_error| to determine how to proceed. 347 * 348 * TODO(davidben): Ensure 0 is only returned on transport EOF. 349 * https://crbug.com/466303. */ 350 OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num); 351 352 /* SSL_peek behaves like |SSL_read| but does not consume any bytes returned. */ 353 OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num); 354 355 /* SSL_pending returns the number of bytes available in |ssl|. It does not read 356 * from the transport. */ 357 OPENSSL_EXPORT int SSL_pending(const SSL *ssl); 358 359 /* SSL_write writes up to |num| bytes from |buf| into |ssl|. It implicitly runs 360 * any pending handshakes, including renegotiations when enabled. On success, it 361 * returns the number of bytes written. Otherwise, it returns <= 0. The caller 362 * should pass the value into |SSL_get_error| to determine how to proceed. 363 * 364 * In TLS, a non-blocking |SSL_write| differs from non-blocking |write| in that 365 * a failed |SSL_write| still commits to the data passed in. When retrying, the 366 * caller must supply the original write buffer (or a larger one containing the 367 * original as a prefix). By default, retries will fail if they also do not 368 * reuse the same |buf| pointer. This may be relaxed with 369 * |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, but the buffer contents still must be 370 * unchanged. 371 * 372 * By default, in TLS, |SSL_write| will not return success until all |num| bytes 373 * are written. This may be relaxed with |SSL_MODE_ENABLE_PARTIAL_WRITE|. It 374 * allows |SSL_write| to complete with a partial result when only part of the 375 * input was written in a single record. 376 * 377 * In DTLS, neither |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| and 378 * |SSL_MODE_ENABLE_PARTIAL_WRITE| do anything. The caller may retry with a 379 * different buffer freely. A single call to |SSL_write| only ever writes a 380 * single record in a single packet, so |num| must be at most 381 * |SSL3_RT_MAX_PLAIN_LENGTH|. 382 * 383 * TODO(davidben): Ensure 0 is only returned on transport EOF. 384 * https://crbug.com/466303. */ 385 OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num); 386 387 /* SSL_shutdown shuts down |ssl|. On success, it completes in two stages. First, 388 * it returns 0 if |ssl| completed uni-directional shutdown; close_notify has 389 * been sent, but the peer's close_notify has not been received. Most callers 390 * may stop at this point. For bi-directional shutdown, call |SSL_shutdown| 391 * again. It returns 1 if close_notify has been both sent and received. 392 * 393 * If the peer's close_notify arrived first, the first stage is skipped. 394 * |SSL_shutdown| will return 1 once close_notify is sent and skip 0. Callers 395 * only interested in uni-directional shutdown must therefore allow for the 396 * first stage returning either 0 or 1. 397 * 398 * |SSL_shutdown| returns -1 on failure. The caller should pass the return value 399 * into |SSL_get_error| to determine how to proceed. If the underlying |BIO| is 400 * non-blocking, both stages may require retry. */ 401 OPENSSL_EXPORT int SSL_shutdown(SSL *ssl); 402 403 /* SSL_CTX_set_quiet_shutdown sets quiet shutdown on |ctx| to |mode|. If 404 * enabled, |SSL_shutdown| will not send a close_notify alert or wait for one 405 * from the peer. It will instead synchronously return one. */ 406 OPENSSL_EXPORT void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode); 407 408 /* SSL_CTX_get_quiet_shutdown returns whether quiet shutdown is enabled for 409 * |ctx|. */ 410 OPENSSL_EXPORT int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx); 411 412 /* SSL_set_quiet_shutdown sets quiet shutdown on |ssl| to |mode|. If enabled, 413 * |SSL_shutdown| will not send a close_notify alert or wait for one from the 414 * peer. It will instead synchronously return one. */ 415 OPENSSL_EXPORT void SSL_set_quiet_shutdown(SSL *ssl, int mode); 416 417 /* SSL_get_quiet_shutdown returns whether quiet shutdown is enabled for 418 * |ssl|. */ 419 OPENSSL_EXPORT int SSL_get_quiet_shutdown(const SSL *ssl); 420 421 /* SSL_get_error returns a |SSL_ERROR_*| value for the most recent operation on 422 * |ssl|. It should be called after an operation failed to determine whether the 423 * error was fatal and, if not, when to retry. */ 424 OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code); 425 426 /* SSL_ERROR_NONE indicates the operation succeeded. */ 427 #define SSL_ERROR_NONE 0 428 429 /* SSL_ERROR_SSL indicates the operation failed within the library. The caller 430 * may inspect the error queue for more information. */ 431 #define SSL_ERROR_SSL 1 432 433 /* SSL_ERROR_WANT_READ indicates the operation failed attempting to read from 434 * the transport. The caller may retry the operation when the transport is ready 435 * for reading. 436 * 437 * If signaled by a DTLS handshake, the caller must also call 438 * |DTLSv1_get_timeout| and |DTLSv1_handle_timeout| as appropriate. See 439 * |SSL_do_handshake|. */ 440 #define SSL_ERROR_WANT_READ 2 441 442 /* SSL_ERROR_WANT_WRITE indicates the operation failed attempting to write to 443 * the transport. The caller may retry the operation when the transport is ready 444 * for writing. */ 445 #define SSL_ERROR_WANT_WRITE 3 446 447 /* SSL_ERROR_WANT_X509_LOOKUP indicates the operation failed in calling the 448 * |cert_cb| or |client_cert_cb|. The caller may retry the operation when the 449 * callback is ready to return a certificate or one has been configured 450 * externally. 451 * 452 * See also |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb|. */ 453 #define SSL_ERROR_WANT_X509_LOOKUP 4 454 455 /* SSL_ERROR_SYSCALL indicates the operation failed externally to the library. 456 * The caller should consult the system-specific error mechanism. This is 457 * typically |errno| but may be something custom if using a custom |BIO|. It 458 * may also be signaled if the transport returned EOF, in which case the 459 * operation's return value will be zero. */ 460 #define SSL_ERROR_SYSCALL 5 461 462 /* SSL_ERROR_ZERO_RETURN indicates the operation failed because the connection 463 * was cleanly shut down with a close_notify alert. */ 464 #define SSL_ERROR_ZERO_RETURN 6 465 466 /* SSL_ERROR_WANT_CONNECT indicates the operation failed attempting to connect 467 * the transport (the |BIO| signaled |BIO_RR_CONNECT|). The caller may retry the 468 * operation when the transport is ready. */ 469 #define SSL_ERROR_WANT_CONNECT 7 470 471 /* SSL_ERROR_WANT_ACCEPT indicates the operation failed attempting to accept a 472 * connection from the transport (the |BIO| signaled |BIO_RR_ACCEPT|). The 473 * caller may retry the operation when the transport is ready. 474 * 475 * TODO(davidben): Remove this. It's used by accept BIOs which are bizarre. */ 476 #define SSL_ERROR_WANT_ACCEPT 8 477 478 /* SSL_ERROR_WANT_CHANNEL_ID_LOOKUP indicates the operation failed looking up 479 * the Channel ID key. The caller may retry the operation when |channel_id_cb| 480 * is ready to return a key or one has been configured with 481 * |SSL_set1_tls_channel_id|. 482 * 483 * See also |SSL_CTX_set_channel_id_cb|. */ 484 #define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9 485 486 /* SSL_ERROR_PENDING_SESSION indicates the operation failed because the session 487 * lookup callback indicated the session was unavailable. The caller may retry 488 * the operation when lookup has completed. 489 * 490 * See also |SSL_CTX_sess_set_get_cb| and |SSL_magic_pending_session_ptr|. */ 491 #define SSL_ERROR_PENDING_SESSION 11 492 493 /* SSL_ERROR_PENDING_CERTIFICATE indicates the operation failed because the 494 * early callback indicated certificate lookup was incomplete. The caller may 495 * retry the operation when lookup has completed. 496 * 497 * See also |SSL_CTX_set_select_certificate_cb|. */ 498 #define SSL_ERROR_PENDING_CERTIFICATE 12 499 500 /* SSL_ERROR_WANT_PRIVATE_KEY_OPERATION indicates the operation failed because 501 * a private key operation was unfinished. The caller may retry the operation 502 * when the private key operation is complete. 503 * 504 * See also |SSL_set_private_key_method| and 505 * |SSL_CTX_set_private_key_method|. */ 506 #define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13 507 508 /* SSL_ERROR_PENDING_TICKET indicates that a ticket decryption is pending. The 509 * caller may retry the operation when the decryption is ready. 510 * 511 * See also |SSL_CTX_set_ticket_aead_method|. */ 512 #define SSL_ERROR_PENDING_TICKET 14 513 514 /* SSL_ERROR_EARLY_DATA_REJECTED indicates that early data was rejected. The 515 * caller should treat this as a connection failure and retry any operations 516 * associated with the rejected early data. |SSL_reset_early_data_reject| may be 517 * used to reuse the underlying connection for the retry. */ 518 #define SSL_ERROR_EARLY_DATA_REJECTED 15 519 520 /* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success 521 * and zero on failure. */ 522 OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu); 523 524 /* DTLSv1_set_initial_timeout_duration sets the initial duration for a DTLS 525 * handshake timeout. 526 * 527 * This duration overrides the default of 1 second, which is the strong 528 * recommendation of RFC 6347 (see section 4.2.4.1). However, there may exist 529 * situations where a shorter timeout would be beneficial, such as for 530 * time-sensitive applications. */ 531 OPENSSL_EXPORT void DTLSv1_set_initial_timeout_duration(SSL *ssl, 532 unsigned duration_ms); 533 534 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a 535 * timeout in progress, it sets |*out| to the time remaining and returns one. 536 * Otherwise, it returns zero. 537 * 538 * When the timeout expires, call |DTLSv1_handle_timeout| to handle the 539 * retransmit behavior. 540 * 541 * NOTE: This function must be queried again whenever the handshake state 542 * machine changes, including when |DTLSv1_handle_timeout| is called. */ 543 OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out); 544 545 /* DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no 546 * timeout had expired, it returns 0. Otherwise, it retransmits the previous 547 * flight of handshake messages and returns 1. If too many timeouts had expired 548 * without progress or an error occurs, it returns -1. 549 * 550 * The caller's external timer should be compatible with the one |ssl| queries 551 * within some fudge factor. Otherwise, the call will be a no-op, but 552 * |DTLSv1_get_timeout| will return an updated timeout. 553 * 554 * If the function returns -1, checking if |SSL_get_error| returns 555 * |SSL_ERROR_WANT_WRITE| may be used to determine if the retransmit failed due 556 * to a non-fatal error at the write |BIO|. However, the operation may not be 557 * retried until the next timeout fires. 558 * 559 * WARNING: This function breaks the usual return value convention. 560 * 561 * TODO(davidben): This |SSL_ERROR_WANT_WRITE| behavior is kind of bizarre. */ 562 OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl); 563 564 565 /* Protocol versions. */ 566 567 #define DTLS1_VERSION_MAJOR 0xfe 568 #define SSL3_VERSION_MAJOR 0x03 569 570 #define SSL3_VERSION 0x0300 571 #define TLS1_VERSION 0x0301 572 #define TLS1_1_VERSION 0x0302 573 #define TLS1_2_VERSION 0x0303 574 #define TLS1_3_VERSION 0x0304 575 576 #define DTLS1_VERSION 0xfeff 577 #define DTLS1_2_VERSION 0xfefd 578 579 #define TLS1_3_DRAFT_VERSION 0x7f12 580 #define TLS1_3_EXPERIMENT_VERSION 0x7e01 581 #define TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION 0x7a12 582 583 /* SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to 584 * |version|. If |version| is zero, the default minimum version is used. It 585 * returns one on success and zero if |version| is invalid. */ 586 OPENSSL_EXPORT int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, 587 uint16_t version); 588 589 /* SSL_CTX_set_max_proto_version sets the maximum protocol version for |ctx| to 590 * |version|. If |version| is zero, the default maximum version is used. It 591 * returns one on success and zero if |version| is invalid. */ 592 OPENSSL_EXPORT int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, 593 uint16_t version); 594 595 /* SSL_set_min_proto_version sets the minimum protocol version for |ssl| to 596 * |version|. If |version| is zero, the default minimum version is used. It 597 * returns one on success and zero if |version| is invalid. */ 598 OPENSSL_EXPORT int SSL_set_min_proto_version(SSL *ssl, uint16_t version); 599 600 /* SSL_set_max_proto_version sets the maximum protocol version for |ssl| to 601 * |version|. If |version| is zero, the default maximum version is used. It 602 * returns one on success and zero if |version| is invalid. */ 603 OPENSSL_EXPORT int SSL_set_max_proto_version(SSL *ssl, uint16_t version); 604 605 /* SSL_version returns the TLS or DTLS protocol version used by |ssl|, which is 606 * one of the |*_VERSION| values. (E.g. |TLS1_2_VERSION|.) Before the version 607 * is negotiated, the result is undefined. */ 608 OPENSSL_EXPORT int SSL_version(const SSL *ssl); 609 610 611 /* Options. 612 * 613 * Options configure protocol behavior. */ 614 615 /* SSL_OP_NO_QUERY_MTU, in DTLS, disables querying the MTU from the underlying 616 * |BIO|. Instead, the MTU is configured with |SSL_set_mtu|. */ 617 #define SSL_OP_NO_QUERY_MTU 0x00001000L 618 619 /* SSL_OP_NO_TICKET disables session ticket support (RFC 5077). */ 620 #define SSL_OP_NO_TICKET 0x00004000L 621 622 /* SSL_OP_CIPHER_SERVER_PREFERENCE configures servers to select ciphers and 623 * ECDHE curves according to the server's preferences instead of the 624 * client's. */ 625 #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L 626 627 /* The following flags toggle individual protocol versions. This is deprecated. 628 * Use |SSL_CTX_set_min_proto_version| and |SSL_CTX_set_max_proto_version| 629 * instead. */ 630 #define SSL_OP_NO_SSLv3 0x02000000L 631 #define SSL_OP_NO_TLSv1 0x04000000L 632 #define SSL_OP_NO_TLSv1_2 0x08000000L 633 #define SSL_OP_NO_TLSv1_1 0x10000000L 634 #define SSL_OP_NO_TLSv1_3 0x20000000L 635 #define SSL_OP_NO_DTLSv1 SSL_OP_NO_TLSv1 636 #define SSL_OP_NO_DTLSv1_2 SSL_OP_NO_TLSv1_2 637 638 /* SSL_CTX_set_options enables all options set in |options| (which should be one 639 * or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a 640 * bitmask representing the resulting enabled options. */ 641 OPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options); 642 643 /* SSL_CTX_clear_options disables all options set in |options| (which should be 644 * one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a 645 * bitmask representing the resulting enabled options. */ 646 OPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options); 647 648 /* SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all 649 * the options enabled for |ctx|. */ 650 OPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx); 651 652 /* SSL_set_options enables all options set in |options| (which should be one or 653 * more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask 654 * representing the resulting enabled options. */ 655 OPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options); 656 657 /* SSL_clear_options disables all options set in |options| (which should be one 658 * or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a 659 * bitmask representing the resulting enabled options. */ 660 OPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options); 661 662 /* SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the 663 * options enabled for |ssl|. */ 664 OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl); 665 666 667 /* Modes. 668 * 669 * Modes configure API behavior. */ 670 671 /* SSL_MODE_ENABLE_PARTIAL_WRITE, in TLS, allows |SSL_write| to complete with a 672 * partial result when the only part of the input was written in a single 673 * record. In DTLS, it does nothing. */ 674 #define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L 675 676 /* SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, in TLS, allows retrying an incomplete 677 * |SSL_write| with a different buffer. However, |SSL_write| still assumes the 678 * buffer contents are unchanged. This is not the default to avoid the 679 * misconception that non-blocking |SSL_write| behaves like non-blocking 680 * |write|. In DTLS, it does nothing. */ 681 #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L 682 683 /* SSL_MODE_NO_AUTO_CHAIN disables automatically building a certificate chain 684 * before sending certificates to the peer. This flag is set (and the feature 685 * disabled) by default. 686 * TODO(davidben): Remove this behavior. https://crbug.com/boringssl/42. */ 687 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L 688 689 /* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before 690 * receipt of ChangeCipherSpec and Finished. This mode enables full handshakes 691 * to 'complete' in one RTT. See RFC 7918. 692 * 693 * When False Start is enabled, |SSL_do_handshake| may succeed before the 694 * handshake has completely finished. |SSL_write| will function at this point, 695 * and |SSL_read| will transparently wait for the final handshake leg before 696 * returning application data. To determine if False Start occurred or when the 697 * handshake is completely finished, see |SSL_in_false_start|, |SSL_in_init|, 698 * and |SSL_CB_HANDSHAKE_DONE| from |SSL_CTX_set_info_callback|. */ 699 #define SSL_MODE_ENABLE_FALSE_START 0x00000080L 700 701 /* SSL_MODE_CBC_RECORD_SPLITTING causes multi-byte CBC records in SSL 3.0 and 702 * TLS 1.0 to be split in two: the first record will contain a single byte and 703 * the second will contain the remainder. This effectively randomises the IV and 704 * prevents BEAST attacks. */ 705 #define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L 706 707 /* SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to 708 * fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that 709 * session resumption is used for a given SSL*. */ 710 #define SSL_MODE_NO_SESSION_CREATION 0x00000200L 711 712 /* SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello. 713 * To be set only by applications that reconnect with a downgraded protocol 714 * version; see RFC 7507 for details. 715 * 716 * DO NOT ENABLE THIS if your application attempts a normal handshake. Only use 717 * this in explicit fallback retries, following the guidance in RFC 7507. */ 718 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L 719 720 /* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more 721 * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask 722 * representing the resulting enabled modes. */ 723 OPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode); 724 725 /* SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or 726 * more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a 727 * bitmask representing the resulting enabled modes. */ 728 OPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode); 729 730 /* SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all 731 * the modes enabled for |ssl|. */ 732 OPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx); 733 734 /* SSL_set_mode enables all modes set in |mode| (which should be one or more of 735 * the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask 736 * representing the resulting enabled modes. */ 737 OPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode); 738 739 /* SSL_clear_mode disables all modes set in |mode| (which should be one or more 740 * of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask 741 * representing the resulting enabled modes. */ 742 OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode); 743 744 /* SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the 745 * modes enabled for |ssl|. */ 746 OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl); 747 748 /* SSL_CTX_set0_buffer_pool sets a |CRYPTO_BUFFER_POOL| that will be used to 749 * store certificates. This can allow multiple connections to share 750 * certificates and thus save memory. 751 * 752 * The SSL_CTX does not take ownership of |pool| and the caller must ensure 753 * that |pool| outlives |ctx| and all objects linked to it, including |SSL|, 754 * |X509| and |SSL_SESSION| objects. Basically, don't ever free |pool|. */ 755 OPENSSL_EXPORT void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, 756 CRYPTO_BUFFER_POOL *pool); 757 758 759 /* Configuring certificates and private keys. 760 * 761 * These functions configure the connection's leaf certificate, private key, and 762 * certificate chain. The certificate chain is ordered leaf to root (as sent on 763 * the wire) but does not include the leaf. Both client and server certificates 764 * use these functions. 765 * 766 * Certificates and keys may be configured before the handshake or dynamically 767 * in the early callback and certificate callback. */ 768 769 /* SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns 770 * one on success and zero on failure. */ 771 OPENSSL_EXPORT int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x509); 772 773 /* SSL_use_certificate sets |ssl|'s leaf certificate to |x509|. It returns one 774 * on success and zero on failure. */ 775 OPENSSL_EXPORT int SSL_use_certificate(SSL *ssl, X509 *x509); 776 777 /* SSL_CTX_use_PrivateKey sets |ctx|'s private key to |pkey|. It returns one on 778 * success and zero on failure. */ 779 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); 780 781 /* SSL_use_PrivateKey sets |ssl|'s private key to |pkey|. It returns one on 782 * success and zero on failure. */ 783 OPENSSL_EXPORT int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); 784 785 /* SSL_CTX_set0_chain sets |ctx|'s certificate chain, excluding the leaf, to 786 * |chain|. On success, it returns one and takes ownership of |chain|. 787 * Otherwise, it returns zero. */ 788 OPENSSL_EXPORT int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain); 789 790 /* SSL_CTX_set1_chain sets |ctx|'s certificate chain, excluding the leaf, to 791 * |chain|. It returns one on success and zero on failure. The caller retains 792 * ownership of |chain| and may release it freely. */ 793 OPENSSL_EXPORT int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain); 794 795 /* SSL_set0_chain sets |ssl|'s certificate chain, excluding the leaf, to 796 * |chain|. On success, it returns one and takes ownership of |chain|. 797 * Otherwise, it returns zero. */ 798 OPENSSL_EXPORT int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain); 799 800 /* SSL_set1_chain sets |ssl|'s certificate chain, excluding the leaf, to 801 * |chain|. It returns one on success and zero on failure. The caller retains 802 * ownership of |chain| and may release it freely. */ 803 OPENSSL_EXPORT int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain); 804 805 /* SSL_CTX_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On 806 * success, it returns one and takes ownership of |x509|. Otherwise, it returns 807 * zero. */ 808 OPENSSL_EXPORT int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509); 809 810 /* SSL_CTX_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It 811 * returns one on success and zero on failure. The caller retains ownership of 812 * |x509| and may release it freely. */ 813 OPENSSL_EXPORT int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509); 814 815 /* SSL_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On success, 816 * it returns one and takes ownership of |x509|. Otherwise, it returns zero. */ 817 OPENSSL_EXPORT int SSL_add0_chain_cert(SSL *ssl, X509 *x509); 818 819 /* SSL_CTX_add_extra_chain_cert calls |SSL_CTX_add0_chain_cert|. */ 820 OPENSSL_EXPORT int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509); 821 822 /* SSL_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It returns 823 * one on success and zero on failure. The caller retains ownership of |x509| 824 * and may release it freely. */ 825 OPENSSL_EXPORT int SSL_add1_chain_cert(SSL *ssl, X509 *x509); 826 827 /* SSL_CTX_clear_chain_certs clears |ctx|'s certificate chain and returns 828 * one. */ 829 OPENSSL_EXPORT int SSL_CTX_clear_chain_certs(SSL_CTX *ctx); 830 831 /* SSL_CTX_clear_extra_chain_certs calls |SSL_CTX_clear_chain_certs|. */ 832 OPENSSL_EXPORT int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx); 833 834 /* SSL_clear_chain_certs clears |ssl|'s certificate chain and returns one. */ 835 OPENSSL_EXPORT int SSL_clear_chain_certs(SSL *ssl); 836 837 /* SSL_CTX_set_cert_cb sets a callback that is called to select a certificate. 838 * The callback returns one on success, zero on internal error, and a negative 839 * number on failure or to pause the handshake. If the handshake is paused, 840 * |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|. 841 * 842 * On the client, the callback may call |SSL_get0_certificate_types| and 843 * |SSL_get_client_CA_list| for information on the server's certificate 844 * request. 845 * 846 * On the server, the callback will be called on non-resumption handshakes, 847 * after extensions have been processed. */ 848 OPENSSL_EXPORT void SSL_CTX_set_cert_cb(SSL_CTX *ctx, 849 int (*cb)(SSL *ssl, void *arg), 850 void *arg); 851 852 /* SSL_set_cert_cb sets a callback that is called to select a certificate. The 853 * callback returns one on success, zero on internal error, and a negative 854 * number on failure or to pause the handshake. If the handshake is paused, 855 * |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|. 856 * 857 * On the client, the callback may call |SSL_get0_certificate_types| and 858 * |SSL_get_client_CA_list| for information on the server's certificate 859 * request. */ 860 OPENSSL_EXPORT void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), 861 void *arg); 862 863 /* SSL_get0_certificate_types, for a client, sets |*out_types| to an array 864 * containing the client certificate types requested by a server. It returns the 865 * length of the array. 866 * 867 * The behavior of this function is undefined except during the callbacks set by 868 * by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or when the 869 * handshake is paused because of them. */ 870 OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl, 871 const uint8_t **out_types); 872 873 /* SSL_certs_clear resets the private key, leaf certificate, and certificate 874 * chain of |ssl|. */ 875 OPENSSL_EXPORT void SSL_certs_clear(SSL *ssl); 876 877 /* SSL_CTX_check_private_key returns one if the certificate and private key 878 * configured in |ctx| are consistent and zero otherwise. */ 879 OPENSSL_EXPORT int SSL_CTX_check_private_key(const SSL_CTX *ctx); 880 881 /* SSL_check_private_key returns one if the certificate and private key 882 * configured in |ssl| are consistent and zero otherwise. */ 883 OPENSSL_EXPORT int SSL_check_private_key(const SSL *ssl); 884 885 /* SSL_CTX_get0_certificate returns |ctx|'s leaf certificate. */ 886 OPENSSL_EXPORT X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx); 887 888 /* SSL_get_certificate returns |ssl|'s leaf certificate. */ 889 OPENSSL_EXPORT X509 *SSL_get_certificate(const SSL *ssl); 890 891 /* SSL_CTX_get0_privatekey returns |ctx|'s private key. */ 892 OPENSSL_EXPORT EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx); 893 894 /* SSL_get_privatekey returns |ssl|'s private key. */ 895 OPENSSL_EXPORT EVP_PKEY *SSL_get_privatekey(const SSL *ssl); 896 897 /* SSL_CTX_get0_chain_certs sets |*out_chain| to |ctx|'s certificate chain and 898 * returns one. */ 899 OPENSSL_EXPORT int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, 900 STACK_OF(X509) **out_chain); 901 902 /* SSL_CTX_get_extra_chain_certs calls |SSL_CTX_get0_chain_certs|. */ 903 OPENSSL_EXPORT int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx, 904 STACK_OF(X509) **out_chain); 905 906 /* SSL_get0_chain_certs sets |*out_chain| to |ssl|'s certificate chain and 907 * returns one. */ 908 OPENSSL_EXPORT int SSL_get0_chain_certs(const SSL *ssl, 909 STACK_OF(X509) **out_chain); 910 911 /* SSL_CTX_set_signed_cert_timestamp_list sets the list of signed certificate 912 * timestamps that is sent to clients that request it. The |list| argument must 913 * contain one or more SCT structures serialised as a SignedCertificateTimestamp 914 * List (see https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT 915 * is prefixed by a big-endian, uint16 length and the concatenation of one or 916 * more such prefixed SCTs are themselves also prefixed by a uint16 length. It 917 * returns one on success and zero on error. The caller retains ownership of 918 * |list|. */ 919 OPENSSL_EXPORT int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, 920 const uint8_t *list, 921 size_t list_len); 922 923 /* SSL_set_signed_cert_timestamp_list sets the list of signed certificate 924 * timestamps that is sent to clients that request is. The same format as the 925 * one used for |SSL_CTX_set_signed_cert_timestamp_list| applies. The caller 926 * retains ownership of |list|. */ 927 OPENSSL_EXPORT int SSL_set_signed_cert_timestamp_list(SSL *ctx, 928 const uint8_t *list, 929 size_t list_len); 930 931 /* SSL_CTX_set_ocsp_response sets the OCSP response that is sent to clients 932 * which request it. It returns one on success and zero on error. The caller 933 * retains ownership of |response|. */ 934 OPENSSL_EXPORT int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, 935 const uint8_t *response, 936 size_t response_len); 937 938 /* SSL_set_ocsp_response sets the OCSP response that is sent to clients which 939 * request it. It returns one on success and zero on error. The caller retains 940 * ownership of |response|. */ 941 OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl, 942 const uint8_t *response, 943 size_t response_len); 944 945 /* SSL_SIGN_* are signature algorithm values as defined in TLS 1.3. */ 946 #define SSL_SIGN_RSA_PKCS1_SHA1 0x0201 947 #define SSL_SIGN_RSA_PKCS1_SHA256 0x0401 948 #define SSL_SIGN_RSA_PKCS1_SHA384 0x0501 949 #define SSL_SIGN_RSA_PKCS1_SHA512 0x0601 950 #define SSL_SIGN_ECDSA_SHA1 0x0203 951 #define SSL_SIGN_ECDSA_SECP256R1_SHA256 0x0403 952 #define SSL_SIGN_ECDSA_SECP384R1_SHA384 0x0503 953 #define SSL_SIGN_ECDSA_SECP521R1_SHA512 0x0603 954 #define SSL_SIGN_RSA_PSS_SHA256 0x0804 955 #define SSL_SIGN_RSA_PSS_SHA384 0x0805 956 #define SSL_SIGN_RSA_PSS_SHA512 0x0806 957 #define SSL_SIGN_ED25519 0x0807 958 959 /* SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to 960 * specify raw RSASSA-PKCS1-v1_5 with an MD5/SHA-1 concatenation, as used in TLS 961 * before TLS 1.2. */ 962 #define SSL_SIGN_RSA_PKCS1_MD5_SHA1 0xff01 963 964 /* SSL_CTX_set_signing_algorithm_prefs configures |ctx| to use |prefs| as the 965 * preference list when signing with |ctx|'s private key. It returns one on 966 * success and zero on error. |prefs| should not include the internal-only value 967 * |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */ 968 OPENSSL_EXPORT int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, 969 const uint16_t *prefs, 970 size_t num_prefs); 971 972 /* SSL_set_signing_algorithm_prefs configures |ssl| to use |prefs| as the 973 * preference list when signing with |ssl|'s private key. It returns one on 974 * success and zero on error. |prefs| should not include the internal-only value 975 * |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */ 976 OPENSSL_EXPORT int SSL_set_signing_algorithm_prefs(SSL *ssl, 977 const uint16_t *prefs, 978 size_t num_prefs); 979 980 981 /* Certificate and private key convenience functions. */ 982 983 /* SSL_CTX_set_chain_and_key sets the certificate chain and private key for a 984 * TLS client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY| 985 * objects are added as needed. Exactly one of |privkey| or |privkey_method| 986 * may be non-NULL. Returns one on success and zero on error. */ 987 OPENSSL_EXPORT int SSL_CTX_set_chain_and_key( 988 SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, size_t num_certs, 989 EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method); 990 991 /* SSL_set_chain_and_key sets the certificate chain and private key for a TLS 992 * client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY| 993 * objects are added as needed. Exactly one of |privkey| or |privkey_method| 994 * may be non-NULL. Returns one on success and zero on error. */ 995 OPENSSL_EXPORT int SSL_set_chain_and_key( 996 SSL *ssl, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey, 997 const SSL_PRIVATE_KEY_METHOD *privkey_method); 998 999 /* SSL_CTX_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one 1000 * on success and zero on failure. */ 1001 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); 1002 1003 /* SSL_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one on 1004 * success and zero on failure. */ 1005 OPENSSL_EXPORT int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); 1006 1007 /* The following functions configure certificates or private keys but take as 1008 * input DER-encoded structures. They return one on success and zero on 1009 * failure. */ 1010 1011 OPENSSL_EXPORT int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len, 1012 const uint8_t *der); 1013 OPENSSL_EXPORT int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, 1014 size_t der_len); 1015 1016 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, 1017 const uint8_t *der, 1018 size_t der_len); 1019 OPENSSL_EXPORT int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, 1020 const uint8_t *der, size_t der_len); 1021 1022 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, 1023 const uint8_t *der, 1024 size_t der_len); 1025 OPENSSL_EXPORT int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, 1026 size_t der_len); 1027 1028 /* The following functions configure certificates or private keys but take as 1029 * input files to read from. They return one on success and zero on failure. The 1030 * |type| parameter is one of the |SSL_FILETYPE_*| values and determines whether 1031 * the file's contents are read as PEM or DER. */ 1032 1033 #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 1034 #define SSL_FILETYPE_PEM X509_FILETYPE_PEM 1035 1036 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, 1037 const char *file, 1038 int type); 1039 OPENSSL_EXPORT int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, 1040 int type); 1041 1042 OPENSSL_EXPORT int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, 1043 int type); 1044 OPENSSL_EXPORT int SSL_use_certificate_file(SSL *ssl, const char *file, 1045 int type); 1046 1047 OPENSSL_EXPORT int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, 1048 int type); 1049 OPENSSL_EXPORT int SSL_use_PrivateKey_file(SSL *ssl, const char *file, 1050 int type); 1051 1052 /* SSL_CTX_use_certificate_chain_file configures certificates for |ctx|. It 1053 * reads the contents of |file| as a PEM-encoded leaf certificate followed 1054 * optionally by the certificate chain to send to the peer. It returns one on 1055 * success and zero on failure. */ 1056 OPENSSL_EXPORT int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, 1057 const char *file); 1058 1059 /* SSL_CTX_set_default_passwd_cb sets the password callback for PEM-based 1060 * convenience functions called on |ctx|. */ 1061 OPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, 1062 pem_password_cb *cb); 1063 1064 /* SSL_CTX_set_default_passwd_cb_userdata sets the userdata parameter for 1065 * |ctx|'s password callback. */ 1066 OPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, 1067 void *data); 1068 1069 1070 /* Custom private keys. */ 1071 1072 enum ssl_private_key_result_t { 1073 ssl_private_key_success, 1074 ssl_private_key_retry, 1075 ssl_private_key_failure, 1076 }; 1077 1078 /* ssl_private_key_method_st (aka |SSL_PRIVATE_KEY_METHOD|) describes private 1079 * key hooks. This is used to off-load signing operations to a custom, 1080 * potentially asynchronous, backend. Metadata about the key such as the type 1081 * and size are parsed out of the certificate. 1082 * 1083 * TODO(davidben): This API has a number of legacy hooks. Remove the last 1084 * consumer of |sign_digest| and trim it. */ 1085 struct ssl_private_key_method_st { 1086 /* type is ignored and should be NULL. */ 1087 int (*type)(SSL *ssl); 1088 1089 /* max_signature_len is ignored and should be NULL. */ 1090 size_t (*max_signature_len)(SSL *ssl); 1091 1092 /* sign signs the message |in| in using the specified signature algorithm. On 1093 * success, it returns |ssl_private_key_success| and writes at most |max_out| 1094 * bytes of signature data to |out| and sets |*out_len| to the number of bytes 1095 * written. On failure, it returns |ssl_private_key_failure|. If the operation 1096 * has not completed, it returns |ssl_private_key_retry|. |sign| should 1097 * arrange for the high-level operation on |ssl| to be retried when the 1098 * operation is completed. This will result in a call to |complete|. 1099 * 1100 * |signature_algorithm| is one of the |SSL_SIGN_*| values, as defined in TLS 1101 * 1.3. Note that, in TLS 1.2, ECDSA algorithms do not require that curve 1102 * sizes match hash sizes, so the curve portion of |SSL_SIGN_ECDSA_*| values 1103 * must be ignored. BoringSSL will internally handle the curve matching logic 1104 * where appropriate. 1105 * 1106 * It is an error to call |sign| while another private key operation is in 1107 * progress on |ssl|. */ 1108 enum ssl_private_key_result_t (*sign)(SSL *ssl, uint8_t *out, size_t *out_len, 1109 size_t max_out, 1110 uint16_t signature_algorithm, 1111 const uint8_t *in, size_t in_len); 1112 1113 /* sign_digest signs |in_len| bytes of digest from |in|. |md| is the hash 1114 * function used to calculate |in|. On success, it returns 1115 * |ssl_private_key_success| and writes at most |max_out| bytes of signature 1116 * data to |out|. On failure, it returns |ssl_private_key_failure|. If the 1117 * operation has not completed, it returns |ssl_private_key_retry|. |sign| 1118 * should arrange for the high-level operation on |ssl| to be retried when the 1119 * operation is completed. This will result in a call to |complete|. 1120 * 1121 * If the key is an RSA key, implementations must use PKCS#1 padding. |in| is 1122 * the digest itself, so the DigestInfo prefix, if any, must be prepended by 1123 * |sign|. If |md| is |EVP_md5_sha1|, there is no prefix. 1124 * 1125 * It is an error to call |sign_digest| while another private key operation is 1126 * in progress on |ssl|. 1127 * 1128 * This function is deprecated. Implement |sign| instead. 1129 * 1130 * TODO(davidben): Remove this function. */ 1131 enum ssl_private_key_result_t (*sign_digest)(SSL *ssl, uint8_t *out, 1132 size_t *out_len, size_t max_out, 1133 const EVP_MD *md, 1134 const uint8_t *in, 1135 size_t in_len); 1136 1137 /* decrypt decrypts |in_len| bytes of encrypted data from |in|. On success it 1138 * returns |ssl_private_key_success|, writes at most |max_out| bytes of 1139 * decrypted data to |out| and sets |*out_len| to the actual number of bytes 1140 * written. On failure it returns |ssl_private_key_failure|. If the operation 1141 * has not completed, it returns |ssl_private_key_retry|. The caller should 1142 * arrange for the high-level operation on |ssl| to be retried when the 1143 * operation is completed, which will result in a call to |complete|. This 1144 * function only works with RSA keys and should perform a raw RSA decryption 1145 * operation with no padding. 1146 * 1147 * It is an error to call |decrypt| while another private key operation is in 1148 * progress on |ssl|. */ 1149 enum ssl_private_key_result_t (*decrypt)(SSL *ssl, uint8_t *out, 1150 size_t *out_len, size_t max_out, 1151 const uint8_t *in, size_t in_len); 1152 1153 /* complete completes a pending operation. If the operation has completed, it 1154 * returns |ssl_private_key_success| and writes the result to |out| as in 1155 * |sign|. Otherwise, it returns |ssl_private_key_failure| on failure and 1156 * |ssl_private_key_retry| if the operation is still in progress. 1157 * 1158 * |complete| may be called arbitrarily many times before completion, but it 1159 * is an error to call |complete| if there is no pending operation in progress 1160 * on |ssl|. */ 1161 enum ssl_private_key_result_t (*complete)(SSL *ssl, uint8_t *out, 1162 size_t *out_len, size_t max_out); 1163 }; 1164 1165 /* SSL_set_private_key_method configures a custom private key on |ssl|. 1166 * |key_method| must remain valid for the lifetime of |ssl|. */ 1167 OPENSSL_EXPORT void SSL_set_private_key_method( 1168 SSL *ssl, const SSL_PRIVATE_KEY_METHOD *key_method); 1169 1170 /* SSL_CTX_set_private_key_method configures a custom private key on |ctx|. 1171 * |key_method| must remain valid for the lifetime of |ctx|. */ 1172 OPENSSL_EXPORT void SSL_CTX_set_private_key_method( 1173 SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method); 1174 1175 1176 /* Cipher suites. 1177 * 1178 * |SSL_CIPHER| objects represent cipher suites. */ 1179 1180 DEFINE_CONST_STACK_OF(SSL_CIPHER) 1181 1182 /* SSL_get_cipher_by_value returns the structure representing a TLS cipher 1183 * suite based on its assigned number, or NULL if unknown. See 1184 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4. */ 1185 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value); 1186 1187 /* SSL_CIPHER_get_id returns |cipher|'s id. It may be cast to a |uint16_t| to 1188 * get the cipher suite value. */ 1189 OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher); 1190 1191 /* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC 1192 * mode). */ 1193 OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher); 1194 1195 /* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. */ 1196 OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher); 1197 1198 /* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. */ 1199 OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher); 1200 1201 /* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. */ 1202 OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher); 1203 1204 /* SSL_CIPHER_is_AEAD returns one if |cipher| uses an AEAD cipher. */ 1205 OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher); 1206 1207 /* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */ 1208 OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher); 1209 1210 /* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. */ 1211 OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher); 1212 1213 /* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC 1214 * mode. */ 1215 OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher); 1216 1217 /* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC 1218 * mode. */ 1219 OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher); 1220 1221 /* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses 1222 * CHACHA20_POLY1305. Note this includes both the RFC 7905 and 1223 * draft-agl-tls-chacha20poly1305-04 versions. */ 1224 OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher); 1225 1226 /* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. */ 1227 OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher); 1228 1229 /* SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher. */ 1230 OPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher); 1231 1232 /* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. */ 1233 OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher); 1234 1235 /* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */ 1236 OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher); 1237 1238 /* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key 1239 * exchange. */ 1240 OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher); 1241 1242 /* SSL_CIPHER_get_min_version returns the minimum protocol version required 1243 * for |cipher|. */ 1244 OPENSSL_EXPORT uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher); 1245 1246 /* SSL_CIPHER_get_max_version returns the maximum protocol version that 1247 * supports |cipher|. */ 1248 OPENSSL_EXPORT uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher); 1249 1250 /* SSL_CIPHER_standard_name returns the standard IETF name for |cipher|. For 1251 * example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". */ 1252 OPENSSL_EXPORT const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher); 1253 1254 /* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. For example, 1255 * "ECDHE-RSA-AES128-GCM-SHA256". */ 1256 OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher); 1257 1258 /* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange 1259 * method used by |cipher|. For example, "ECDHE_ECDSA". TLS 1.3 AEAD-only 1260 * ciphers return the string "GENERIC". */ 1261 OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher); 1262 1263 /* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If 1264 * |out_alg_bits| is not NULL, it writes the number of bits consumed by the 1265 * symmetric algorithm to |*out_alg_bits|. */ 1266 OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, 1267 int *out_alg_bits); 1268 1269 1270 /* Cipher suite configuration. 1271 * 1272 * OpenSSL uses a mini-language to configure cipher suites. The language 1273 * maintains an ordered list of enabled ciphers, along with an ordered list of 1274 * disabled but available ciphers. Initially, all ciphers are disabled with a 1275 * default ordering. The cipher string is then interpreted as a sequence of 1276 * directives, separated by colons, each of which modifies this state. 1277 * 1278 * Most directives consist of a one character or empty opcode followed by a 1279 * selector which matches a subset of available ciphers. 1280 * 1281 * Available opcodes are: 1282 * 1283 * The empty opcode enables and appends all matching disabled ciphers to the 1284 * end of the enabled list. The newly appended ciphers are ordered relative to 1285 * each other matching their order in the disabled list. 1286 * 1287 * |-| disables all matching enabled ciphers and prepends them to the disabled 1288 * list, with relative order from the enabled list preserved. This means the 1289 * most recently disabled ciphers get highest preference relative to other 1290 * disabled ciphers if re-enabled. 1291 * 1292 * |+| moves all matching enabled ciphers to the end of the enabled list, with 1293 * relative order preserved. 1294 * 1295 * |!| deletes all matching ciphers, enabled or not, from either list. Deleted 1296 * ciphers will not matched by future operations. 1297 * 1298 * A selector may be a specific cipher (using either the standard or OpenSSL 1299 * name for the cipher) or one or more rules separated by |+|. The final 1300 * selector matches the intersection of each rule. For instance, |AESGCM+aECDSA| 1301 * matches ECDSA-authenticated AES-GCM ciphers. 1302 * 1303 * Available cipher rules are: 1304 * 1305 * |ALL| matches all ciphers. 1306 * 1307 * |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE, 1308 * ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is 1309 * matched by |kECDHE| and not |kPSK|. 1310 * 1311 * |aRSA|, |aECDSA|, and |aPSK| match ciphers authenticated by RSA, ECDSA, and 1312 * a pre-shared key, respectively. 1313 * 1314 * |RSA|, |DHE|, |ECDHE|, |PSK|, |ECDSA|, and |PSK| are aliases for the 1315 * corresponding |k*| or |a*| cipher rule. |RSA| is an alias for |kRSA|, not 1316 * |aRSA|. 1317 * 1318 * |3DES|, |AES128|, |AES256|, |AES|, |AESGCM|, |CHACHA20| match ciphers 1319 * whose bulk cipher use the corresponding encryption scheme. Note that 1320 * |AES|, |AES128|, and |AES256| match both CBC and GCM ciphers. 1321 * 1322 * |SHA1|, |SHA256|, and |SHA384| match legacy cipher suites using the 1323 * corresponding hash function in their MAC. AEADs are matched by none of 1324 * these. 1325 * 1326 * |SHA| is an alias for |SHA1|. 1327 * 1328 * Although implemented, authentication-only ciphers match no rules and must be 1329 * explicitly selected by name. 1330 * 1331 * Deprecated cipher rules: 1332 * 1333 * |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|, 1334 * |kECDHE|, and |ECDHE|, respectively. 1335 * 1336 * |HIGH| is an alias for |ALL|. 1337 * 1338 * |FIPS| is an alias for |HIGH|. 1339 * 1340 * |SSLv3| and |TLSv1| match ciphers available in TLS 1.1 or earlier. 1341 * |TLSv1_2| matches ciphers new in TLS 1.2. This is confusing and should not 1342 * be used. 1343 * 1344 * Unknown rules are silently ignored by legacy APIs, and rejected by APIs with 1345 * "strict" in the name, which should be preferred. Cipher lists can be long and 1346 * it's easy to commit typos. 1347 * 1348 * The special |@STRENGTH| directive will sort all enabled ciphers by strength. 1349 * 1350 * The |DEFAULT| directive, when appearing at the front of the string, expands 1351 * to the default ordering of available ciphers. 1352 * 1353 * If configuring a server, one may also configure equal-preference groups to 1354 * partially respect the client's preferences when 1355 * |SSL_OP_CIPHER_SERVER_PREFERENCE| is enabled. Ciphers in an equal-preference 1356 * group have equal priority and use the client order. This may be used to 1357 * enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305 1358 * based on client preferences. An equal-preference is specified with square 1359 * brackets, combining multiple selectors separated by |. For example: 1360 * 1361 * [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256] 1362 * 1363 * Once an equal-preference group is used, future directives must be 1364 * opcode-less. 1365 * 1366 * TLS 1.3 ciphers do not participate in this mechanism and instead have a 1367 * built-in preference order. Functions to set cipher lists do not affect TLS 1368 * 1.3, and functions to query the cipher list do not include TLS 1.3 1369 * ciphers. */ 1370 1371 /* SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is 1372 * substituted when a cipher string starts with 'DEFAULT'. */ 1373 #define SSL_DEFAULT_CIPHER_LIST "ALL" 1374 1375 /* SSL_CTX_set_strict_cipher_list configures the cipher list for |ctx|, 1376 * evaluating |str| as a cipher string and returning error if |str| contains 1377 * anything meaningless. It returns one on success and zero on failure. */ 1378 OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, 1379 const char *str); 1380 1381 /* SSL_CTX_set_cipher_list configures the cipher list for |ctx|, evaluating 1382 * |str| as a cipher string. It returns one on success and zero on failure. 1383 * 1384 * Prefer to use |SSL_CTX_set_strict_cipher_list|. This function tolerates 1385 * garbage inputs, unless an empty cipher list results. */ 1386 OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str); 1387 1388 /* SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating 1389 * |str| as a cipher string and returning error if |str| contains anything 1390 * meaningless. It returns one on success and zero on failure. */ 1391 OPENSSL_EXPORT int SSL_set_strict_cipher_list(SSL *ssl, const char *str); 1392 1393 /* SSL_set_cipher_list configures the cipher list for |ssl|, evaluating |str| as 1394 * a cipher string. It returns one on success and zero on failure. 1395 * 1396 * Prefer to use |SSL_set_strict_cipher_list|. This function tolerates garbage 1397 * inputs, unless an empty cipher list results. */ 1398 OPENSSL_EXPORT int SSL_set_cipher_list(SSL *ssl, const char *str); 1399 1400 /* SSL_CTX_get_ciphers returns the cipher list for |ctx|, in order of 1401 * preference. */ 1402 OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); 1403 1404 /* SSL_get_ciphers returns the cipher list for |ssl|, in order of preference. */ 1405 OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl); 1406 1407 1408 /* Connection information. */ 1409 1410 /* SSL_is_init_finished returns one if |ssl| has completed its initial handshake 1411 * and has no pending handshake. It returns zero otherwise. */ 1412 OPENSSL_EXPORT int SSL_is_init_finished(const SSL *ssl); 1413 1414 /* SSL_in_init returns one if |ssl| has a pending handshake and zero 1415 * otherwise. */ 1416 OPENSSL_EXPORT int SSL_in_init(const SSL *ssl); 1417 1418 /* SSL_in_false_start returns one if |ssl| has a pending handshake that is in 1419 * False Start. |SSL_write| may be called at this point without waiting for the 1420 * peer, but |SSL_read| will complete the handshake before accepting application 1421 * data. 1422 * 1423 * See also |SSL_MODE_ENABLE_FALSE_START|. */ 1424 OPENSSL_EXPORT int SSL_in_false_start(const SSL *ssl); 1425 1426 /* SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the 1427 * peer did not use certificates. The caller must call |X509_free| on the 1428 * result to release it. */ 1429 OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl); 1430 1431 /* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if 1432 * unavailable or the peer did not use certificates. This is the unverified list 1433 * of certificates as sent by the peer, not the final chain built during 1434 * verification. The caller does not take ownership of the result. 1435 * 1436 * WARNING: This function behaves differently between client and server. If 1437 * |ssl| is a server, the returned chain does not include the leaf certificate. 1438 * If a client, it does. */ 1439 OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl); 1440 1441 /* SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if 1442 * unavailable or the peer did not use certificates. This is the unverified list 1443 * of certificates as sent by the peer, not the final chain built during 1444 * verification. The caller does not take ownership of the result. 1445 * 1446 * This is the same as |SSL_get_peer_cert_chain| except that this function 1447 * always returns the full chain, i.e. the first element of the return value 1448 * (if any) will be the leaf certificate. In constrast, 1449 * |SSL_get_peer_cert_chain| returns only the intermediate certificates if the 1450 * |ssl| is a server. */ 1451 OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl); 1452 1453 /* SSL_get0_peer_certificates returns the peer's certificate chain, or NULL if 1454 * unavailable or the peer did not use certificates. This is the unverified list 1455 * of certificates as sent by the peer, not the final chain built during 1456 * verification. The caller does not take ownership of the result. 1457 * 1458 * This is the |CRYPTO_BUFFER| variant of |SSL_get_peer_full_cert_chain|. */ 1459 OPENSSL_EXPORT STACK_OF(CRYPTO_BUFFER) * 1460 SSL_get0_peer_certificates(const SSL *ssl); 1461 1462 /* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to 1463 * |*out_len| bytes of SCT information from the server. This is only valid if 1464 * |ssl| is a client. The SCT information is a SignedCertificateTimestampList 1465 * (including the two leading length bytes). 1466 * See https://tools.ietf.org/html/rfc6962#section-3.3 1467 * If no SCT was received then |*out_len| will be zero on return. 1468 * 1469 * WARNING: the returned data is not guaranteed to be well formed. */ 1470 OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, 1471 const uint8_t **out, 1472 size_t *out_len); 1473 1474 /* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len| 1475 * bytes of an OCSP response from the server. This is the DER encoding of an 1476 * OCSPResponse type as defined in RFC 2560. 1477 * 1478 * WARNING: the returned data is not guaranteed to be well formed. */ 1479 OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, 1480 size_t *out_len); 1481 1482 /* SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value 1483 * for |ssl| to |out| and sets |*out_len| to the number of bytes written. It 1484 * returns one on success or zero on error. In general |max_out| should be at 1485 * least 12. 1486 * 1487 * This function will always fail if the initial handshake has not completed. 1488 * The tls-unique value will change after a renegotiation but, since 1489 * renegotiations can be initiated by the server at any point, the higher-level 1490 * protocol must either leave them disabled or define states in which the 1491 * tls-unique value can be read. 1492 * 1493 * The tls-unique value is defined by 1494 * https://tools.ietf.org/html/rfc5929#section-3.1. Due to a weakness in the 1495 * TLS protocol, tls-unique is broken for resumed connections unless the 1496 * Extended Master Secret extension is negotiated. Thus this function will 1497 * return zero if |ssl| performed session resumption unless EMS was used when 1498 * negotiating the original session. */ 1499 OPENSSL_EXPORT int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, 1500 size_t *out_len, size_t max_out); 1501 1502 /* SSL_get_extms_support returns one if the Extended Master Secret extension or 1503 * TLS 1.3 was negotiated. Otherwise, it returns zero. */ 1504 OPENSSL_EXPORT int SSL_get_extms_support(const SSL *ssl); 1505 1506 /* SSL_get_current_cipher returns the cipher used in the current outgoing 1507 * connection state, or NULL if the null cipher is active. */ 1508 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); 1509 1510 /* SSL_session_reused returns one if |ssl| performed an abbreviated handshake 1511 * and zero otherwise. 1512 * 1513 * TODO(davidben): Hammer down the semantics of this API while a handshake, 1514 * initial or renego, is in progress. */ 1515 OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl); 1516 1517 /* SSL_get_secure_renegotiation_support returns one if the peer supports secure 1518 * renegotiation (RFC 5746) or TLS 1.3. Otherwise, it returns zero. */ 1519 OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl); 1520 1521 /* SSL_export_keying_material exports a value derived from the master secret, as 1522 * specified in RFC 5705. It writes |out_len| bytes to |out| given a label and 1523 * optional context. (Since a zero length context is allowed, the |use_context| 1524 * flag controls whether a context is included.) 1525 * 1526 * It returns one on success and zero otherwise. */ 1527 OPENSSL_EXPORT int SSL_export_keying_material( 1528 SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len, 1529 const uint8_t *context, size_t context_len, int use_context); 1530 1531 1532 /* Custom extensions. 1533 * 1534 * The custom extension functions allow TLS extensions to be added to 1535 * ClientHello and ServerHello messages. */ 1536 1537 /* SSL_custom_ext_add_cb is a callback function that is called when the 1538 * ClientHello (for clients) or ServerHello (for servers) is constructed. In 1539 * the case of a server, this callback will only be called for a given 1540 * extension if the ClientHello contained that extension – it's not possible to 1541 * inject extensions into a ServerHello that the client didn't request. 1542 * 1543 * When called, |extension_value| will contain the extension number that is 1544 * being considered for addition (so that a single callback can handle multiple 1545 * extensions). If the callback wishes to include the extension, it must set 1546 * |*out| to point to |*out_len| bytes of extension contents and return one. In 1547 * this case, the corresponding |SSL_custom_ext_free_cb| callback will later be 1548 * called with the value of |*out| once that data has been copied. 1549 * 1550 * If the callback does not wish to add an extension it must return zero. 1551 * 1552 * Alternatively, the callback can abort the connection by setting 1553 * |*out_alert_value| to a TLS alert number and returning -1. */ 1554 typedef int (*SSL_custom_ext_add_cb)(SSL *ssl, unsigned extension_value, 1555 const uint8_t **out, size_t *out_len, 1556 int *out_alert_value, void *add_arg); 1557 1558 /* SSL_custom_ext_free_cb is a callback function that is called by OpenSSL iff 1559 * an |SSL_custom_ext_add_cb| callback previously returned one. In that case, 1560 * this callback is called and passed the |out| pointer that was returned by 1561 * the add callback. This is to free any dynamically allocated data created by 1562 * the add callback. */ 1563 typedef void (*SSL_custom_ext_free_cb)(SSL *ssl, unsigned extension_value, 1564 const uint8_t *out, void *add_arg); 1565 1566 /* SSL_custom_ext_parse_cb is a callback function that is called by OpenSSL to 1567 * parse an extension from the peer: that is from the ServerHello for a client 1568 * and from the ClientHello for a server. 1569 * 1570 * When called, |extension_value| will contain the extension number and the 1571 * contents of the extension are |contents_len| bytes at |contents|. 1572 * 1573 * The callback must return one to continue the handshake. Otherwise, if it 1574 * returns zero, a fatal alert with value |*out_alert_value| is sent and the 1575 * handshake is aborted. */ 1576 typedef int (*SSL_custom_ext_parse_cb)(SSL *ssl, unsigned extension_value, 1577 const uint8_t *contents, 1578 size_t contents_len, 1579 int *out_alert_value, void *parse_arg); 1580 1581 /* SSL_extension_supported returns one iff OpenSSL internally handles 1582 * extensions of type |extension_value|. This can be used to avoid registering 1583 * custom extension handlers for extensions that a future version of OpenSSL 1584 * may handle internally. */ 1585 OPENSSL_EXPORT int SSL_extension_supported(unsigned extension_value); 1586 1587 /* SSL_CTX_add_client_custom_ext registers callback functions for handling 1588 * custom TLS extensions for client connections. 1589 * 1590 * If |add_cb| is NULL then an empty extension will be added in each 1591 * ClientHello. Otherwise, see the comment for |SSL_custom_ext_add_cb| about 1592 * this callback. 1593 * 1594 * The |free_cb| may be NULL if |add_cb| doesn't dynamically allocate data that 1595 * needs to be freed. 1596 * 1597 * It returns one on success or zero on error. It's always an error to register 1598 * callbacks for the same extension twice, or to register callbacks for an 1599 * extension that OpenSSL handles internally. See |SSL_extension_supported| to 1600 * discover, at runtime, which extensions OpenSSL handles internally. */ 1601 OPENSSL_EXPORT int SSL_CTX_add_client_custom_ext( 1602 SSL_CTX *ctx, unsigned extension_value, SSL_custom_ext_add_cb add_cb, 1603 SSL_custom_ext_free_cb free_cb, void *add_arg, 1604 SSL_custom_ext_parse_cb parse_cb, void *parse_arg); 1605 1606 /* SSL_CTX_add_server_custom_ext is the same as 1607 * |SSL_CTX_add_client_custom_ext|, but for server connections. 1608 * 1609 * Unlike on the client side, if |add_cb| is NULL no extension will be added. 1610 * The |add_cb|, if any, will only be called if the ClientHello contained a 1611 * matching extension. */ 1612 OPENSSL_EXPORT int SSL_CTX_add_server_custom_ext( 1613 SSL_CTX *ctx, unsigned extension_value, SSL_custom_ext_add_cb add_cb, 1614 SSL_custom_ext_free_cb free_cb, void *add_arg, 1615 SSL_custom_ext_parse_cb parse_cb, void *parse_arg); 1616 1617 1618 /* Sessions. 1619 * 1620 * An |SSL_SESSION| represents an SSL session that may be resumed in an 1621 * abbreviated handshake. It is reference-counted and immutable. Once 1622 * established, an |SSL_SESSION| may be shared by multiple |SSL| objects on 1623 * different threads and must not be modified. */ 1624 1625 DECLARE_LHASH_OF(SSL_SESSION) 1626 DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 1627 1628 /* SSL_SESSION_new returns a newly-allocated blank |SSL_SESSION| or NULL on 1629 * error. This may be useful when writing tests but should otherwise not be 1630 * used. */ 1631 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_new(const SSL_CTX *ctx); 1632 1633 /* SSL_SESSION_up_ref increments the reference count of |session| and returns 1634 * one. */ 1635 OPENSSL_EXPORT int SSL_SESSION_up_ref(SSL_SESSION *session); 1636 1637 /* SSL_SESSION_free decrements the reference count of |session|. If it reaches 1638 * zero, all data referenced by |session| and |session| itself are released. */ 1639 OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *session); 1640 1641 /* SSL_SESSION_to_bytes serializes |in| into a newly allocated buffer and sets 1642 * |*out_data| to that buffer and |*out_len| to its length. The caller takes 1643 * ownership of the buffer and must call |OPENSSL_free| when done. It returns 1644 * one on success and zero on error. */ 1645 OPENSSL_EXPORT int SSL_SESSION_to_bytes(const SSL_SESSION *in, 1646 uint8_t **out_data, size_t *out_len); 1647 1648 /* SSL_SESSION_to_bytes_for_ticket serializes |in|, but excludes the session 1649 * identification information, namely the session ID and ticket. */ 1650 OPENSSL_EXPORT int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in, 1651 uint8_t **out_data, 1652 size_t *out_len); 1653 1654 /* SSL_SESSION_from_bytes parses |in_len| bytes from |in| as an SSL_SESSION. It 1655 * returns a newly-allocated |SSL_SESSION| on success or NULL on error. */ 1656 OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_from_bytes( 1657 const uint8_t *in, size_t in_len, const SSL_CTX *ctx); 1658 1659 /* SSL_SESSION_get_version returns a string describing the TLS version |session| 1660 * was established at. For example, "TLSv1.2" or "SSLv3". */ 1661 OPENSSL_EXPORT const char *SSL_SESSION_get_version(const SSL_SESSION *session); 1662 1663 /* SSL_SESSION_get_id returns a pointer to a buffer containing |session|'s 1664 * session ID and sets |*out_len| to its length. */ 1665 OPENSSL_EXPORT const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session, 1666 unsigned *out_len); 1667 1668 /* SSL_SESSION_get_time returns the time at which |session| was established in 1669 * seconds since the UNIX epoch. */ 1670 OPENSSL_EXPORT uint64_t SSL_SESSION_get_time(const SSL_SESSION *session); 1671 1672 /* SSL_SESSION_get_timeout returns the lifetime of |session| in seconds. */ 1673 OPENSSL_EXPORT uint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session); 1674 1675 /* SSL_SESSION_get0_peer returns the peer leaf certificate stored in 1676 * |session|. 1677 * 1678 * TODO(davidben): This should return a const X509 *. */ 1679 OPENSSL_EXPORT X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session); 1680 1681 /* SSL_SESSION_get_master_key writes up to |max_out| bytes of |session|'s master 1682 * secret to |out| and returns the number of bytes written. If |max_out| is 1683 * zero, it returns the size of the master secret. */ 1684 OPENSSL_EXPORT size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, 1685 uint8_t *out, size_t max_out); 1686 1687 /* SSL_SESSION_set_time sets |session|'s creation time to |time| and returns 1688 * |time|. This function may be useful in writing tests but otherwise should not 1689 * be used. */ 1690 OPENSSL_EXPORT uint64_t SSL_SESSION_set_time(SSL_SESSION *session, 1691 uint64_t time); 1692 1693 /* SSL_SESSION_set_timeout sets |session|'s timeout to |timeout| and returns 1694 * one. This function may be useful in writing tests but otherwise should not 1695 * be used. */ 1696 OPENSSL_EXPORT uint32_t SSL_SESSION_set_timeout(SSL_SESSION *session, 1697 uint32_t timeout); 1698 1699 /* SSL_SESSION_set1_id_context sets |session|'s session ID context (see 1700 * |SSL_CTX_set_session_id_context|) to |sid_ctx|. It returns one on success and 1701 * zero on error. This function may be useful in writing tests but otherwise 1702 * should not be used. */ 1703 OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session, 1704 const uint8_t *sid_ctx, 1705 size_t sid_ctx_len); 1706 1707 1708 /* Session caching. 1709 * 1710 * Session caching allows connections to be established more efficiently based 1711 * on saved parameters from a previous connection, called a session (see 1712 * |SSL_SESSION|). The client offers a saved session, using an opaque identifier 1713 * from a previous connection. The server may accept the session, if it has the 1714 * parameters available. Otherwise, it will decline and continue with a full 1715 * handshake. 1716 * 1717 * This requires both the client and the server to retain session state. A 1718 * client does so with a stateful session cache. A server may do the same or, if 1719 * supported by both sides, statelessly using session tickets. For more 1720 * information on the latter, see the next section. 1721 * 1722 * For a server, the library implements a built-in internal session cache as an 1723 * in-memory hash table. Servers may also use |SSL_CTX_sess_set_get_cb| and 1724 * |SSL_CTX_sess_set_new_cb| to implement a custom external session cache. In 1725 * particular, this may be used to share a session cache between multiple 1726 * servers in a large deployment. An external cache may be used in addition to 1727 * or instead of the internal one. Use |SSL_CTX_set_session_cache_mode| to 1728 * toggle the internal cache. 1729 * 1730 * For a client, the only option is an external session cache. Clients may use 1731 * |SSL_CTX_sess_set_new_cb| to register a callback for when new sessions are 1732 * available. These may be cached and, in subsequent compatible connections, 1733 * configured with |SSL_set_session|. 1734 * 1735 * Note that offering or accepting a session short-circuits certificate 1736 * verification and most parameter negotiation. Resuming sessions across 1737 * different contexts may result in security failures and surprising 1738 * behavior. For a typical client, this means sessions for different hosts must 1739 * be cached under different keys. A client that connects to the same host with, 1740 * e.g., different cipher suite settings or client certificates should also use 1741 * separate session caches between those contexts. Servers should also partition 1742 * session caches between SNI hosts with |SSL_CTX_set_session_id_context|. */ 1743 1744 /* SSL_SESS_CACHE_OFF disables all session caching. */ 1745 #define SSL_SESS_CACHE_OFF 0x0000 1746 1747 /* SSL_SESS_CACHE_CLIENT enables session caching for a client. The internal 1748 * cache is never used on a client, so this only enables the callbacks. */ 1749 #define SSL_SESS_CACHE_CLIENT 0x0001 1750 1751 /* SSL_SESS_CACHE_SERVER enables session caching for a server. */ 1752 #define SSL_SESS_CACHE_SERVER 0x0002 1753 1754 /* SSL_SESS_CACHE_BOTH enables session caching for both client and server. */ 1755 #define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER) 1756 1757 /* SSL_SESS_CACHE_NO_AUTO_CLEAR disables automatically calling 1758 * |SSL_CTX_flush_sessions| every 255 connections. */ 1759 #define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 1760 1761 /* SSL_SESS_CACHE_NO_INTERNAL_LOOKUP, on a server, disables looking up a session 1762 * from the internal session cache. */ 1763 #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 1764 1765 /* SSL_SESS_CACHE_NO_INTERNAL_STORE, on a server, disables storing sessions in 1766 * the internal session cache. */ 1767 #define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 1768 1769 /* SSL_SESS_CACHE_NO_INTERNAL, on a server, disables the internal session 1770 * cache. */ 1771 #define SSL_SESS_CACHE_NO_INTERNAL \ 1772 (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE) 1773 1774 /* SSL_CTX_set_session_cache_mode sets the session cache mode bits for |ctx| to 1775 * |mode|. It returns the previous value. */ 1776 OPENSSL_EXPORT int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode); 1777 1778 /* SSL_CTX_get_session_cache_mode returns the session cache mode bits for 1779 * |ctx| */ 1780 OPENSSL_EXPORT int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx); 1781 1782 /* SSL_set_session, for a client, configures |ssl| to offer to resume |session| 1783 * in the initial handshake and returns one. The caller retains ownership of 1784 * |session|. 1785 * 1786 * It is an error to call this function after the handshake has begun. */ 1787 OPENSSL_EXPORT int SSL_set_session(SSL *ssl, SSL_SESSION *session); 1788 1789 /* SSL_DEFAULT_SESSION_TIMEOUT is the default lifetime, in seconds, of a 1790 * session in TLS 1.2 or earlier. This is how long we are willing to use the 1791 * secret to encrypt traffic without fresh key material. */ 1792 #define SSL_DEFAULT_SESSION_TIMEOUT (2 * 60 * 60) 1793 1794 /* SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT is the default lifetime, in seconds, of a 1795 * session for TLS 1.3 psk_dhe_ke. This is how long we are willing to use the 1796 * secret as an authenticator. */ 1797 #define SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT (2 * 24 * 60 * 60) 1798 1799 /* SSL_DEFAULT_SESSION_AUTH_TIMEOUT is the default non-renewable lifetime, in 1800 * seconds, of a TLS 1.3 session. This is how long we are willing to trust the 1801 * signature in the initial handshake. */ 1802 #define SSL_DEFAULT_SESSION_AUTH_TIMEOUT (7 * 24 * 60 * 60) 1803 1804 /* SSL_CTX_set_timeout sets the lifetime, in seconds, of TLS 1.2 (or earlier) 1805 * sessions created in |ctx| to |timeout|. */ 1806 OPENSSL_EXPORT uint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout); 1807 1808 /* SSL_CTX_set_session_psk_dhe_timeout sets the lifetime, in seconds, of TLS 1.3 1809 * sessions created in |ctx| to |timeout|. */ 1810 OPENSSL_EXPORT void SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx, 1811 uint32_t timeout); 1812 1813 /* SSL_CTX_get_timeout returns the lifetime, in seconds, of TLS 1.2 (or earlier) 1814 * sessions created in |ctx|. */ 1815 OPENSSL_EXPORT uint32_t SSL_CTX_get_timeout(const SSL_CTX *ctx); 1816 1817 /* SSL_CTX_set_session_id_context sets |ctx|'s session ID context to |sid_ctx|. 1818 * It returns one on success and zero on error. The session ID context is an 1819 * application-defined opaque byte string. A session will not be used in a 1820 * connection without a matching session ID context. 1821 * 1822 * For a server, if |SSL_VERIFY_PEER| is enabled, it is an error to not set a 1823 * session ID context. */ 1824 OPENSSL_EXPORT int SSL_CTX_set_session_id_context(SSL_CTX *ctx, 1825 const uint8_t *sid_ctx, 1826 size_t sid_ctx_len); 1827 1828 /* SSL_set_session_id_context sets |ssl|'s session ID context to |sid_ctx|. It 1829 * returns one on success and zero on error. See also 1830 * |SSL_CTX_set_session_id_context|. */ 1831 OPENSSL_EXPORT int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx, 1832 size_t sid_ctx_len); 1833 1834 /* SSL_get0_session_id_context returns a pointer to |ssl|'s session ID context 1835 * and sets |*out_len| to its length. */ 1836 OPENSSL_EXPORT const uint8_t *SSL_get0_session_id_context(const SSL *ssl, 1837 size_t *out_len); 1838 1839 /* SSL_SESSION_CACHE_MAX_SIZE_DEFAULT is the default maximum size of a session 1840 * cache. */ 1841 #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024 * 20) 1842 1843 /* SSL_CTX_sess_set_cache_size sets the maximum size of |ctx|'s internal session 1844 * cache to |size|. It returns the previous value. */ 1845 OPENSSL_EXPORT unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, 1846 unsigned long size); 1847 1848 /* SSL_CTX_sess_get_cache_size returns the maximum size of |ctx|'s internal 1849 * session cache. */ 1850 OPENSSL_EXPORT unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx); 1851 1852 /* SSL_CTX_sessions returns |ctx|'s internal session cache. */ 1853 OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx); 1854 1855 /* SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal 1856 * session cache. */ 1857 OPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx); 1858 1859 /* SSL_CTX_add_session inserts |session| into |ctx|'s internal session cache. It 1860 * returns one on success and zero on error or if |session| is already in the 1861 * cache. The caller retains its reference to |session|. */ 1862 OPENSSL_EXPORT int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session); 1863 1864 /* SSL_CTX_remove_session removes |session| from |ctx|'s internal session cache. 1865 * It returns one on success and zero if |session| was not in the cache. */ 1866 OPENSSL_EXPORT int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session); 1867 1868 /* SSL_CTX_flush_sessions removes all sessions from |ctx| which have expired as 1869 * of time |time|. If |time| is zero, all sessions are removed. */ 1870 OPENSSL_EXPORT void SSL_CTX_flush_sessions(SSL_CTX *ctx, uint64_t time); 1871 1872 /* SSL_CTX_sess_set_new_cb sets the callback to be called when a new session is 1873 * established and ready to be cached. If the session cache is disabled (the 1874 * appropriate one of |SSL_SESS_CACHE_CLIENT| or |SSL_SESS_CACHE_SERVER| is 1875 * unset), the callback is not called. 1876 * 1877 * The callback is passed a reference to |session|. It returns one if it takes 1878 * ownership (and then calls |SSL_SESSION_free| when done) and zero otherwise. A 1879 * consumer which places |session| into an in-memory cache will likely return 1880 * one, with the cache calling |SSL_SESSION_free|. A consumer which serializes 1881 * |session| with |SSL_SESSION_to_bytes| may not need to retain |session| and 1882 * will likely return zero. Returning one is equivalent to calling 1883 * |SSL_SESSION_up_ref| and then returning zero. 1884 * 1885 * Note: For a client, the callback may be called on abbreviated handshakes if a 1886 * ticket is renewed. Further, it may not be called until some time after 1887 * |SSL_do_handshake| or |SSL_connect| completes if False Start is enabled. Thus 1888 * it's recommended to use this callback over calling |SSL_get_session| on 1889 * handshake completion. */ 1890 OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb( 1891 SSL_CTX *ctx, int (*new_session_cb)(SSL *ssl, SSL_SESSION *session)); 1892 1893 /* SSL_CTX_sess_get_new_cb returns the callback set by 1894 * |SSL_CTX_sess_set_new_cb|. */ 1895 OPENSSL_EXPORT int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))( 1896 SSL *ssl, SSL_SESSION *session); 1897 1898 /* SSL_CTX_sess_set_remove_cb sets a callback which is called when a session is 1899 * removed from the internal session cache. 1900 * 1901 * TODO(davidben): What is the point of this callback? It seems useless since it 1902 * only fires on sessions in the internal cache. */ 1903 OPENSSL_EXPORT void SSL_CTX_sess_set_remove_cb( 1904 SSL_CTX *ctx, 1905 void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *session)); 1906 1907 /* SSL_CTX_sess_get_remove_cb returns the callback set by 1908 * |SSL_CTX_sess_set_remove_cb|. */ 1909 OPENSSL_EXPORT void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))( 1910 SSL_CTX *ctx, SSL_SESSION *session); 1911 1912 /* SSL_CTX_sess_set_get_cb sets a callback to look up a session by ID for a 1913 * server. The callback is passed the session ID and should return a matching 1914 * |SSL_SESSION| or NULL if not found. It should set |*out_copy| to zero and 1915 * return a new reference to the session. This callback is not used for a 1916 * client. 1917 * 1918 * For historical reasons, if |*out_copy| is set to one (default), the SSL 1919 * library will take a new reference to the returned |SSL_SESSION|, expecting 1920 * the callback to return a non-owning pointer. This is not recommended. If 1921 * |ctx| and thus the callback is used on multiple threads, the session may be 1922 * removed and invalidated before the SSL library calls |SSL_SESSION_up_ref|, 1923 * whereas the callback may synchronize internally. 1924 * 1925 * To look up a session asynchronously, the callback may return 1926 * |SSL_magic_pending_session_ptr|. See the documentation for that function and 1927 * |SSL_ERROR_PENDING_SESSION|. 1928 * 1929 * If the internal session cache is enabled, the callback is only consulted if 1930 * the internal cache does not return a match. 1931 * 1932 * The callback's |id| parameter is not const for historical reasons, but the 1933 * contents may not be modified. */ 1934 OPENSSL_EXPORT void SSL_CTX_sess_set_get_cb( 1935 SSL_CTX *ctx, 1936 SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *id, int id_len, 1937 int *out_copy)); 1938 1939 /* SSL_CTX_sess_get_get_cb returns the callback set by 1940 * |SSL_CTX_sess_set_get_cb|. */ 1941 OPENSSL_EXPORT SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))( 1942 SSL *ssl, uint8_t *id, int id_len, int *out_copy); 1943 1944 /* SSL_magic_pending_session_ptr returns a magic |SSL_SESSION|* which indicates 1945 * that the session isn't currently unavailable. |SSL_get_error| will then 1946 * return |SSL_ERROR_PENDING_SESSION| and the handshake can be retried later 1947 * when the lookup has completed. */ 1948 OPENSSL_EXPORT SSL_SESSION *SSL_magic_pending_session_ptr(void); 1949 1950 1951 /* Session tickets. 1952 * 1953 * Session tickets, from RFC 5077, allow session resumption without server-side 1954 * state. The server maintains a secret ticket key and sends the client opaque 1955 * encrypted session parameters, called a ticket. When offering the session, the 1956 * client sends the ticket which the server decrypts to recover session state. 1957 * Session tickets are enabled by default but may be disabled with 1958 * |SSL_OP_NO_TICKET|. 1959 * 1960 * On the client, ticket-based sessions use the same APIs as ID-based tickets. 1961 * Callers do not need to handle them differently. 1962 * 1963 * On the server, tickets are encrypted and authenticated with a secret key. By 1964 * default, an |SSL_CTX| generates a key on creation and uses it for the 1965 * lifetime of the |SSL_CTX|. Tickets are minted and processed 1966 * transparently. The following functions may be used to configure a persistent 1967 * key or implement more custom behavior, including key rotation and sharing 1968 * keys between multiple servers in a large deployment. There are three levels 1969 * of customisation possible: 1970 * 1971 * 1) One can simply set the keys with |SSL_CTX_set_tlsext_ticket_keys|. 1972 * 2) One can configure an |EVP_CIPHER_CTX| and |HMAC_CTX| directly for 1973 * encryption and authentication. 1974 * 3) One can configure an |SSL_TICKET_ENCRYPTION_METHOD| to have more control 1975 * and the option of asynchronous decryption. 1976 * 1977 * An attacker that compromises a server's session ticket key can impersonate 1978 * the server and, prior to TLS 1.3, retroactively decrypt all application 1979 * traffic from sessions using that ticket key. Thus ticket keys must be 1980 * regularly rotated for forward secrecy. Note the default key is currently not 1981 * rotated. 1982 * 1983 * TODO(davidben): This is silly. Rotate the default key automatically. */ 1984 1985 /* SSL_CTX_get_tlsext_ticket_keys writes |ctx|'s session ticket key material to 1986 * |len| bytes of |out|. It returns one on success and zero if |len| is not 1987 * 48. If |out| is NULL, it returns 48 instead. */ 1988 OPENSSL_EXPORT int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, 1989 size_t len); 1990 1991 /* SSL_CTX_set_tlsext_ticket_keys sets |ctx|'s session ticket key material to 1992 * |len| bytes of |in|. It returns one on success and zero if |len| is not 1993 * 48. If |in| is NULL, it returns 48 instead. */ 1994 OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, 1995 size_t len); 1996 1997 /* SSL_TICKET_KEY_NAME_LEN is the length of the key name prefix of a session 1998 * ticket. */ 1999 #define SSL_TICKET_KEY_NAME_LEN 16 2000 2001 /* SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and 2002 * returns one. |callback| will be called when encrypting a new ticket and when 2003 * decrypting a ticket from the client. 2004 * 2005 * In both modes, |ctx| and |hmac_ctx| will already have been initialized with 2006 * |EVP_CIPHER_CTX_init| and |HMAC_CTX_init|, respectively. |callback| 2007 * configures |hmac_ctx| with an HMAC digest and key, and configures |ctx| 2008 * for encryption or decryption, based on the mode. 2009 * 2010 * When encrypting a new ticket, |encrypt| will be one. It writes a public 2011 * 16-byte key name to |key_name| and a fresh IV to |iv|. The output IV length 2012 * must match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode, 2013 * |callback| returns 1 on success and -1 on error. 2014 * 2015 * When decrypting a ticket, |encrypt| will be zero. |key_name| will point to a 2016 * 16-byte key name and |iv| points to an IV. The length of the IV consumed must 2017 * match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode, 2018 * |callback| returns -1 to abort the handshake, 0 if decrypting the ticket 2019 * failed, and 1 or 2 on success. If it returns 2, the ticket will be renewed. 2020 * This may be used to re-key the ticket. 2021 * 2022 * WARNING: |callback| wildly breaks the usual return value convention and is 2023 * called in two different modes. */ 2024 OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb( 2025 SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv, 2026 EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, 2027 int encrypt)); 2028 2029 /* ssl_ticket_aead_result_t enumerates the possible results from decrypting a 2030 * ticket with an |SSL_TICKET_AEAD_METHOD|. */ 2031 enum ssl_ticket_aead_result_t { 2032 /* ssl_ticket_aead_success indicates that the ticket was successfully 2033 * decrypted. */ 2034 ssl_ticket_aead_success, 2035 /* ssl_ticket_aead_retry indicates that the operation could not be 2036 * immediately completed and must be reattempted, via |open|, at a later 2037 * point. */ 2038 ssl_ticket_aead_retry, 2039 /* ssl_ticket_aead_ignore_ticket indicates that the ticket should be ignored 2040 * (i.e. is corrupt or otherwise undecryptable). */ 2041 ssl_ticket_aead_ignore_ticket, 2042 /* ssl_ticket_aead_error indicates that a fatal error occured and the 2043 * handshake should be terminated. */ 2044 ssl_ticket_aead_error, 2045 }; 2046 2047 /* ssl_ticket_aead_method_st (aka |SSL_TICKET_ENCRYPTION_METHOD|) contains 2048 * methods for encrypting and decrypting session tickets. */ 2049 struct ssl_ticket_aead_method_st { 2050 /* max_overhead returns the maximum number of bytes of overhead that |seal| 2051 * may add. */ 2052 size_t (*max_overhead)(SSL *ssl); 2053 2054 /* seal encrypts and authenticates |in_len| bytes from |in|, writes, at most, 2055 * |max_out_len| bytes to |out|, and puts the number of bytes written in 2056 * |*out_len|. The |in| and |out| buffers may be equal but will not otherwise 2057 * alias. It returns one on success or zero on error. */ 2058 int (*seal)(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len, 2059 const uint8_t *in, size_t in_len); 2060 2061 /* open authenticates and decrypts |in_len| bytes from |in|, writes, at most, 2062 * |max_out_len| bytes of plaintext to |out|, and puts the number of bytes 2063 * written in |*out_len|. The |in| and |out| buffers may be equal but will 2064 * not otherwise alias. See |ssl_ticket_aead_result_t| for details of the 2065 * return values. In the case that a retry is indicated, the caller should 2066 * arrange for the high-level operation on |ssl| to be retried when the 2067 * operation is completed, which will result in another call to |open|. */ 2068 enum ssl_ticket_aead_result_t (*open)(SSL *ssl, uint8_t *out, size_t *out_len, 2069 size_t max_out_len, const uint8_t *in, 2070 size_t in_len); 2071 }; 2072 2073 /* SSL_CTX_set_ticket_aead_method configures a custom ticket AEAD method table 2074 * on |ctx|. |aead_method| must remain valid for the lifetime of |ctx|. */ 2075 OPENSSL_EXPORT void SSL_CTX_set_ticket_aead_method( 2076 SSL_CTX *ctx, const SSL_TICKET_AEAD_METHOD *aead_method); 2077 2078 2079 /* Elliptic curve Diffie-Hellman. 2080 * 2081 * Cipher suites using an ECDHE key exchange perform Diffie-Hellman over an 2082 * elliptic curve negotiated by both endpoints. See RFC 4492. Only named curves 2083 * are supported. ECDHE is always enabled, but the curve preferences may be 2084 * configured with these functions. 2085 * 2086 * Note that TLS 1.3 renames these from curves to groups. For consistency, we 2087 * currently use the TLS 1.2 name in the API. */ 2088 2089 /* SSL_CTX_set1_curves sets the preferred curves for |ctx| to be |curves|. Each 2090 * element of |curves| should be a curve nid. It returns one on success and 2091 * zero on failure. 2092 * 2093 * Note that this API uses nid values from nid.h and not the |SSL_CURVE_*| 2094 * values defined below. */ 2095 OPENSSL_EXPORT int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, 2096 size_t curves_len); 2097 2098 /* SSL_set1_curves sets the preferred curves for |ssl| to be |curves|. Each 2099 * element of |curves| should be a curve nid. It returns one on success and 2100 * zero on failure. 2101 * 2102 * Note that this API uses nid values from nid.h and not the |SSL_CURVE_*| 2103 * values defined below. */ 2104 OPENSSL_EXPORT int SSL_set1_curves(SSL *ssl, const int *curves, 2105 size_t curves_len); 2106 2107 /* SSL_CTX_set1_curves_list sets the preferred curves for |ctx| to be the 2108 * colon-separated list |curves|. Each element of |curves| should be a curve 2109 * name (e.g. P-256, X25519, ...). It returns one on success and zero on 2110 * failure. */ 2111 OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves); 2112 2113 /* SSL_set1_curves_list sets the preferred curves for |ssl| to be the 2114 * colon-separated list |curves|. Each element of |curves| should be a curve 2115 * name (e.g. P-256, X25519, ...). It returns one on success and zero on 2116 * failure. */ 2117 OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); 2118 2119 /* SSL_CURVE_* define TLS curve IDs. */ 2120 #define SSL_CURVE_SECP224R1 21 2121 #define SSL_CURVE_SECP256R1 23 2122 #define SSL_CURVE_SECP384R1 24 2123 #define SSL_CURVE_SECP521R1 25 2124 #define SSL_CURVE_X25519 29 2125 2126 /* SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently 2127 * completed handshake or 0 if not applicable. 2128 * 2129 * TODO(davidben): This API currently does not work correctly if there is a 2130 * renegotiation in progress. Fix this. */ 2131 OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl); 2132 2133 /* SSL_get_curve_name returns a human-readable name for the curve specified by 2134 * the given TLS curve id, or NULL if the curve is unknown. */ 2135 OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id); 2136 2137 2138 /* Certificate verification. 2139 * 2140 * SSL may authenticate either endpoint with an X.509 certificate. Typically 2141 * this is used to authenticate the server to the client. These functions 2142 * configure certificate verification. 2143 * 2144 * WARNING: By default, certificate verification errors on a client are not 2145 * fatal. See |SSL_VERIFY_NONE| This may be configured with 2146 * |SSL_CTX_set_verify|. 2147 * 2148 * By default clients are anonymous but a server may request a certificate from 2149 * the client by setting |SSL_VERIFY_PEER|. 2150 * 2151 * Many of these functions use OpenSSL's legacy X.509 stack which is 2152 * underdocumented and deprecated, but the replacement isn't ready yet. For 2153 * now, consumers may use the existing stack or bypass it by performing 2154 * certificate verification externally. This may be done with 2155 * |SSL_CTX_set_cert_verify_callback| or by extracting the chain with 2156 * |SSL_get_peer_cert_chain| after the handshake. In the future, functions will 2157 * be added to use the SSL stack without dependency on any part of the legacy 2158 * X.509 and ASN.1 stack. 2159 * 2160 * To augment certificate verification, a client may also enable OCSP stapling 2161 * (RFC 6066) and Certificate Transparency (RFC 6962) extensions. */ 2162 2163 /* SSL_VERIFY_NONE, on a client, verifies the server certificate but does not 2164 * make errors fatal. The result may be checked with |SSL_get_verify_result|. On 2165 * a server it does not request a client certificate. This is the default. */ 2166 #define SSL_VERIFY_NONE 0x00 2167 2168 /* SSL_VERIFY_PEER, on a client, makes server certificate errors fatal. On a 2169 * server it requests a client certificate and makes errors fatal. However, 2170 * anonymous clients are still allowed. See 2171 * |SSL_VERIFY_FAIL_IF_NO_PEER_CERT|. */ 2172 #define SSL_VERIFY_PEER 0x01 2173 2174 /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT configures a server to reject connections if 2175 * the client declines to send a certificate. This flag must be used together 2176 * with |SSL_VERIFY_PEER|, otherwise it won't work. */ 2177 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 2178 2179 /* SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate 2180 * if and only if Channel ID is not negotiated. */ 2181 #define SSL_VERIFY_PEER_IF_NO_OBC 0x04 2182 2183 /* SSL_CTX_set_verify configures certificate verification behavior. |mode| is 2184 * one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is 2185 * used to customize certificate verification. See the behavior of 2186 * |X509_STORE_CTX_set_verify_cb|. 2187 * 2188 * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with 2189 * |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. */ 2190 OPENSSL_EXPORT void SSL_CTX_set_verify( 2191 SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx)); 2192 2193 /* SSL_set_verify configures certificate verification behavior. |mode| is one of 2194 * the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to 2195 * customize certificate verification. See the behavior of 2196 * |X509_STORE_CTX_set_verify_cb|. 2197 * 2198 * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with 2199 * |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. */ 2200 OPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode, 2201 int (*callback)(int ok, 2202 X509_STORE_CTX *store_ctx)); 2203 2204 /* SSL_CTX_get_verify_mode returns |ctx|'s verify mode, set by 2205 * |SSL_CTX_set_verify|. */ 2206 OPENSSL_EXPORT int SSL_CTX_get_verify_mode(const SSL_CTX *ctx); 2207 2208 /* SSL_get_verify_mode returns |ssl|'s verify mode, set by |SSL_CTX_set_verify| 2209 * or |SSL_set_verify|. */ 2210 OPENSSL_EXPORT int SSL_get_verify_mode(const SSL *ssl); 2211 2212 /* SSL_CTX_get_verify_callback returns the callback set by 2213 * |SSL_CTX_set_verify|. */ 2214 OPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))( 2215 int ok, X509_STORE_CTX *store_ctx); 2216 2217 /* SSL_get_verify_callback returns the callback set by |SSL_CTX_set_verify| or 2218 * |SSL_set_verify|. */ 2219 OPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *ssl))( 2220 int ok, X509_STORE_CTX *store_ctx); 2221 2222 /* SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain 2223 * accepted in verification. This number does not include the leaf, so a depth 2224 * of 1 allows the leaf and one CA certificate. */ 2225 OPENSSL_EXPORT void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); 2226 2227 /* SSL_set_verify_depth sets the maximum depth of a certificate chain accepted 2228 * in verification. This number does not include the leaf, so a depth of 1 2229 * allows the leaf and one CA certificate. */ 2230 OPENSSL_EXPORT void SSL_set_verify_depth(SSL *ssl, int depth); 2231 2232 /* SSL_CTX_get_verify_depth returns the maximum depth of a certificate accepted 2233 * in verification. */ 2234 OPENSSL_EXPORT int SSL_CTX_get_verify_depth(const SSL_CTX *ctx); 2235 2236 /* SSL_get_verify_depth returns the maximum depth of a certificate accepted in 2237 * verification. */ 2238 OPENSSL_EXPORT int SSL_get_verify_depth(const SSL *ssl); 2239 2240 /* SSL_CTX_set1_param sets verification parameters from |param|. It returns one 2241 * on success and zero on failure. The caller retains ownership of |param|. */ 2242 OPENSSL_EXPORT int SSL_CTX_set1_param(SSL_CTX *ctx, 2243 const X509_VERIFY_PARAM *param); 2244 2245 /* SSL_set1_param sets verification parameters from |param|. It returns one on 2246 * success and zero on failure. The caller retains ownership of |param|. */ 2247 OPENSSL_EXPORT int SSL_set1_param(SSL *ssl, 2248 const X509_VERIFY_PARAM *param); 2249 2250 /* SSL_CTX_get0_param returns |ctx|'s |X509_VERIFY_PARAM| for certificate 2251 * verification. The caller must not release the returned pointer but may call 2252 * functions on it to configure it. */ 2253 OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); 2254 2255 /* SSL_get0_param returns |ssl|'s |X509_VERIFY_PARAM| for certificate 2256 * verification. The caller must not release the returned pointer but may call 2257 * functions on it to configure it. */ 2258 OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl); 2259 2260 /* SSL_CTX_set_purpose sets |ctx|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to 2261 * |purpose|. It returns one on success and zero on error. */ 2262 OPENSSL_EXPORT int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose); 2263 2264 /* SSL_set_purpose sets |ssl|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to 2265 * |purpose|. It returns one on success and zero on error. */ 2266 OPENSSL_EXPORT int SSL_set_purpose(SSL *ssl, int purpose); 2267 2268 /* SSL_CTX_set_trust sets |ctx|'s |X509_VERIFY_PARAM|'s 'trust' parameter to 2269 * |trust|. It returns one on success and zero on error. */ 2270 OPENSSL_EXPORT int SSL_CTX_set_trust(SSL_CTX *ctx, int trust); 2271 2272 /* SSL_set_trust sets |ssl|'s |X509_VERIFY_PARAM|'s 'trust' parameter to 2273 * |trust|. It returns one on success and zero on error. */ 2274 OPENSSL_EXPORT int SSL_set_trust(SSL *ssl, int trust); 2275 2276 /* SSL_CTX_set_cert_store sets |ctx|'s certificate store to |store|. It takes 2277 * ownership of |store|. The store is used for certificate verification. 2278 * 2279 * The store is also used for the auto-chaining feature, but this is deprecated. 2280 * See also |SSL_MODE_NO_AUTO_CHAIN|. */ 2281 OPENSSL_EXPORT void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store); 2282 2283 /* SSL_CTX_get_cert_store returns |ctx|'s certificate store. */ 2284 OPENSSL_EXPORT X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx); 2285 2286 /* SSL_CTX_set_default_verify_paths loads the OpenSSL system-default trust 2287 * anchors into |ctx|'s store. It returns one on success and zero on failure. */ 2288 OPENSSL_EXPORT int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); 2289 2290 /* SSL_CTX_load_verify_locations loads trust anchors into |ctx|'s store from 2291 * |ca_file| and |ca_dir|, either of which may be NULL. If |ca_file| is passed, 2292 * it is opened and PEM-encoded CA certificates are read. If |ca_dir| is passed, 2293 * it is treated as a directory in OpenSSL's hashed directory format. It returns 2294 * one on success and zero on failure. 2295 * 2296 * See 2297 * https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html 2298 * for documentation on the directory format. */ 2299 OPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx, 2300 const char *ca_file, 2301 const char *ca_dir); 2302 2303 /* SSL_get_verify_result returns the result of certificate verification. It is 2304 * either |X509_V_OK| or a |X509_V_ERR_*| value. */ 2305 OPENSSL_EXPORT long SSL_get_verify_result(const SSL *ssl); 2306 2307 /* SSL_get_ex_data_X509_STORE_CTX_idx returns the ex_data index used to look up 2308 * the |SSL| associated with an |X509_STORE_CTX| in the verify callback. */ 2309 OPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void); 2310 2311 /* SSL_CTX_set_cert_verify_callback sets a custom callback to be called on 2312 * certificate verification rather than |X509_verify_cert|. |store_ctx| contains 2313 * the verification parameters. The callback should return one on success and 2314 * zero on fatal error. It may use |X509_STORE_CTX_set_error| to set a 2315 * verification result. 2316 * 2317 * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| to recover the 2318 * |SSL| object from |store_ctx|. */ 2319 OPENSSL_EXPORT void SSL_CTX_set_cert_verify_callback( 2320 SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *store_ctx, void *arg), 2321 void *arg); 2322 2323 /* SSL_CTX_i_promise_to_verify_certs_after_the_handshake indicates that the 2324 * caller understands that the |CRYPTO_BUFFER|-based methods currently require 2325 * post-handshake verification of certificates and thus it's ok to accept any 2326 * certificates during the handshake. */ 2327 OPENSSL_EXPORT void SSL_CTX_i_promise_to_verify_certs_after_the_handshake( 2328 SSL_CTX *ctx); 2329 2330 /* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end 2331 * of a connection) to request SCTs from the server. See 2332 * https://tools.ietf.org/html/rfc6962. 2333 * 2334 * Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the 2335 * handshake. */ 2336 OPENSSL_EXPORT void SSL_enable_signed_cert_timestamps(SSL *ssl); 2337 2338 /* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL 2339 * objects created from |ctx|. 2340 * 2341 * Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the 2342 * handshake. */ 2343 OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); 2344 2345 /* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a 2346 * connection) to request a stapled OCSP response from the server. 2347 * 2348 * Call |SSL_get0_ocsp_response| to recover the OCSP response after the 2349 * handshake. */ 2350 OPENSSL_EXPORT void SSL_enable_ocsp_stapling(SSL *ssl); 2351 2352 /* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects 2353 * created from |ctx|. 2354 * 2355 * Call |SSL_get0_ocsp_response| to recover the OCSP response after the 2356 * handshake. */ 2357 OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx); 2358 2359 /* SSL_CTX_set0_verify_cert_store sets an |X509_STORE| that will be used 2360 * exclusively for certificate verification and returns one. Ownership of 2361 * |store| is transferred to the |SSL_CTX|. */ 2362 OPENSSL_EXPORT int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, 2363 X509_STORE *store); 2364 2365 /* SSL_CTX_set1_verify_cert_store sets an |X509_STORE| that will be used 2366 * exclusively for certificate verification and returns one. An additional 2367 * reference to |store| will be taken. */ 2368 OPENSSL_EXPORT int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, 2369 X509_STORE *store); 2370 2371 /* SSL_set0_verify_cert_store sets an |X509_STORE| that will be used 2372 * exclusively for certificate verification and returns one. Ownership of 2373 * |store| is transferred to the |SSL|. */ 2374 OPENSSL_EXPORT int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store); 2375 2376 /* SSL_set1_verify_cert_store sets an |X509_STORE| that will be used 2377 * exclusively for certificate verification and returns one. An additional 2378 * reference to |store| will be taken. */ 2379 OPENSSL_EXPORT int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store); 2380 2381 /* SSL_CTX_set_ed25519_enabled configures whether |ctx| advertises support for 2382 * the Ed25519 signature algorithm when using the default preference list. */ 2383 OPENSSL_EXPORT void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled); 2384 2385 /* SSL_CTX_set_verify_algorithm_prefs confingures |ctx| to use |prefs| as the 2386 * preference list when verifying signature's from the peer's long-term key. It 2387 * returns one on zero on error. |prefs| should not include the internal-only 2388 * value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */ 2389 OPENSSL_EXPORT int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, 2390 const uint16_t *prefs, 2391 size_t num_prefs); 2392 2393 2394 /* Client certificate CA list. 2395 * 2396 * When requesting a client certificate, a server may advertise a list of 2397 * certificate authorities which are accepted. These functions may be used to 2398 * configure this list. */ 2399 2400 /* SSL_set_client_CA_list sets |ssl|'s client certificate CA list to 2401 * |name_list|. It takes ownership of |name_list|. */ 2402 OPENSSL_EXPORT void SSL_set_client_CA_list(SSL *ssl, 2403 STACK_OF(X509_NAME) *name_list); 2404 2405 /* SSL_CTX_set_client_CA_list sets |ctx|'s client certificate CA list to 2406 * |name_list|. It takes ownership of |name_list|. */ 2407 OPENSSL_EXPORT void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, 2408 STACK_OF(X509_NAME) *name_list); 2409 2410 /* SSL_get_client_CA_list returns |ssl|'s client certificate CA list. If |ssl| 2411 * has not been configured as a client, this is the list configured by 2412 * |SSL_CTX_set_client_CA_list|. 2413 * 2414 * If configured as a client, it returns the client certificate CA list sent by 2415 * the server. In this mode, the behavior is undefined except during the 2416 * callbacks set by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or 2417 * when the handshake is paused because of them. */ 2418 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl); 2419 2420 /* SSL_get0_server_requested_CAs returns the CAs sent by a server to guide a 2421 * client in certificate selection. They are a series of DER-encoded X.509 2422 * names. This function may only be called during a callback set by 2423 * |SSL_CTX_set_cert_cb| or when the handshake is paused because of it. 2424 * 2425 * The returned stack is owned by |ssl|, as are its contents. It should not be 2426 * used past the point where the handshake is restarted after the callback. */ 2427 OPENSSL_EXPORT STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs( 2428 const SSL *ssl); 2429 2430 /* SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list. */ 2431 OPENSSL_EXPORT STACK_OF(X509_NAME) * 2432 SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); 2433 2434 /* SSL_add_client_CA appends |x509|'s subject to the client certificate CA list. 2435 * It returns one on success or zero on error. The caller retains ownership of 2436 * |x509|. */ 2437 OPENSSL_EXPORT int SSL_add_client_CA(SSL *ssl, X509 *x509); 2438 2439 /* SSL_CTX_add_client_CA appends |x509|'s subject to the client certificate CA 2440 * list. It returns one on success or zero on error. The caller retains 2441 * ownership of |x509|. */ 2442 OPENSSL_EXPORT int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509); 2443 2444 /* SSL_load_client_CA_file opens |file| and reads PEM-encoded certificates from 2445 * it. It returns a newly-allocated stack of the certificate subjects or NULL 2446 * on error. */ 2447 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); 2448 2449 /* SSL_dup_CA_list makes a deep copy of |list|. It returns the new list on 2450 * success or NULL on allocation error. */ 2451 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list); 2452 2453 /* SSL_add_file_cert_subjects_to_stack behaves like |SSL_load_client_CA_file| 2454 * but appends the result to |out|. It returns one on success or zero on 2455 * error. */ 2456 OPENSSL_EXPORT int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, 2457 const char *file); 2458 2459 2460 /* Server name indication. 2461 * 2462 * The server_name extension (RFC 3546) allows the client to advertise the name 2463 * of the server it is connecting to. This is used in virtual hosting 2464 * deployments to select one of a several certificates on a single IP. Only the 2465 * host_name name type is supported. */ 2466 2467 #define TLSEXT_NAMETYPE_host_name 0 2468 2469 /* SSL_set_tlsext_host_name, for a client, configures |ssl| to advertise |name| 2470 * in the server_name extension. It returns one on success and zero on error. */ 2471 OPENSSL_EXPORT int SSL_set_tlsext_host_name(SSL *ssl, const char *name); 2472 2473 /* SSL_get_servername, for a server, returns the hostname supplied by the 2474 * client or NULL if there was none. The |type| argument must be 2475 * |TLSEXT_NAMETYPE_host_name|. */ 2476 OPENSSL_EXPORT const char *SSL_get_servername(const SSL *ssl, const int type); 2477 2478 /* SSL_get_servername_type, for a server, returns |TLSEXT_NAMETYPE_host_name| 2479 * if the client sent a hostname and -1 otherwise. */ 2480 OPENSSL_EXPORT int SSL_get_servername_type(const SSL *ssl); 2481 2482 /* SSL_CTX_set_tlsext_servername_callback configures |callback| to be called on 2483 * the server after ClientHello extensions have been parsed and returns one. 2484 * The callback may use |SSL_get_servername| to examine the server_name 2485 * extension and returns a |SSL_TLSEXT_ERR_*| value. The value of |arg| may be 2486 * set by calling |SSL_CTX_set_tlsext_servername_arg|. 2487 * 2488 * If the callback returns |SSL_TLSEXT_ERR_NOACK|, the server_name extension is 2489 * not acknowledged in the ServerHello. If the return value is 2490 * |SSL_TLSEXT_ERR_ALERT_FATAL|, then |*out_alert| is the alert to send, 2491 * defaulting to |SSL_AD_UNRECOGNIZED_NAME|. |SSL_TLSEXT_ERR_ALERT_WARNING| is 2492 * ignored and treated as |SSL_TLSEXT_ERR_OK|. */ 2493 OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback( 2494 SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)); 2495 2496 /* SSL_CTX_set_tlsext_servername_arg sets the argument to the servername 2497 * callback and returns one. See |SSL_CTX_set_tlsext_servername_callback|. */ 2498 OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg); 2499 2500 /* SSL_TLSEXT_ERR_* are values returned by some extension-related callbacks. */ 2501 #define SSL_TLSEXT_ERR_OK 0 2502 #define SSL_TLSEXT_ERR_ALERT_WARNING 1 2503 #define SSL_TLSEXT_ERR_ALERT_FATAL 2 2504 #define SSL_TLSEXT_ERR_NOACK 3 2505 2506 /* SSL_set_SSL_CTX changes |ssl|'s |SSL_CTX|. |ssl| will use the 2507 * certificate-related settings from |ctx|, and |SSL_get_SSL_CTX| will report 2508 * |ctx|. This function may be used during the callbacks registered by 2509 * |SSL_CTX_set_select_certificate_cb|, 2510 * |SSL_CTX_set_tlsext_servername_callback|, and |SSL_CTX_set_cert_cb| or when 2511 * the handshake is paused from them. It is typically used to switch 2512 * certificates based on SNI. 2513 * 2514 * Note the session cache and related settings will continue to use the initial 2515 * |SSL_CTX|. Callers should use |SSL_CTX_set_session_id_context| to partition 2516 * the session cache between different domains. 2517 * 2518 * TODO(davidben): Should other settings change after this call? */ 2519 OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx); 2520 2521 2522 /* Application-layer protocol negotiation. 2523 * 2524 * The ALPN extension (RFC 7301) allows negotiating different application-layer 2525 * protocols over a single port. This is used, for example, to negotiate 2526 * HTTP/2. */ 2527 2528 /* SSL_CTX_set_alpn_protos sets the client ALPN protocol list on |ctx| to 2529 * |protos|. |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 2530 * length-prefixed strings). It returns zero on success and one on failure. 2531 * Configuring this list enables ALPN on a client. 2532 * 2533 * WARNING: this function is dangerous because it breaks the usual return value 2534 * convention. */ 2535 OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos, 2536 unsigned protos_len); 2537 2538 /* SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|. 2539 * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit 2540 * length-prefixed strings). It returns zero on success and one on failure. 2541 * Configuring this list enables ALPN on a client. 2542 * 2543 * WARNING: this function is dangerous because it breaks the usual return value 2544 * convention. */ 2545 OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, 2546 unsigned protos_len); 2547 2548 /* SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called 2549 * during ClientHello processing in order to select an ALPN protocol from the 2550 * client's list of offered protocols. Configuring this callback enables ALPN on 2551 * a server. 2552 * 2553 * The callback is passed a wire-format (i.e. a series of non-empty, 8-bit 2554 * length-prefixed strings) ALPN protocol list in |in|. It should set |*out| and 2555 * |*out_len| to the selected protocol and return |SSL_TLSEXT_ERR_OK| on 2556 * success. It does not pass ownership of the buffer. Otherwise, it should 2557 * return |SSL_TLSEXT_ERR_NOACK|. Other |SSL_TLSEXT_ERR_*| values are 2558 * unimplemented and will be treated as |SSL_TLSEXT_ERR_NOACK|. 2559 * 2560 * The cipher suite is selected before negotiating ALPN. The callback may use 2561 * |SSL_get_pending_cipher| to query the cipher suite. */ 2562 OPENSSL_EXPORT void SSL_CTX_set_alpn_select_cb( 2563 SSL_CTX *ctx, int (*cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len, 2564 const uint8_t *in, unsigned in_len, void *arg), 2565 void *arg); 2566 2567 /* SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|. 2568 * On return it sets |*out_data| to point to |*out_len| bytes of protocol name 2569 * (not including the leading length-prefix byte). If the server didn't respond 2570 * with a negotiated protocol then |*out_len| will be zero. */ 2571 OPENSSL_EXPORT void SSL_get0_alpn_selected(const SSL *ssl, 2572 const uint8_t **out_data, 2573 unsigned *out_len); 2574 2575 /* SSL_CTX_set_allow_unknown_alpn_protos configures client connections on |ctx| 2576 * to allow unknown ALPN protocols from the server. Otherwise, by default, the 2577 * client will require that the protocol be advertised in 2578 * |SSL_CTX_set_alpn_protos|. */ 2579 OPENSSL_EXPORT void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, 2580 int enabled); 2581 2582 2583 /* Next protocol negotiation. 2584 * 2585 * The NPN extension (draft-agl-tls-nextprotoneg-03) is the predecessor to ALPN 2586 * and deprecated in favor of it. */ 2587 2588 /* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a 2589 * TLS server needs a list of supported protocols for Next Protocol 2590 * Negotiation. The returned list must be in wire format. The list is returned 2591 * by setting |*out| to point to it and |*out_len| to its length. This memory 2592 * will not be modified, but one should assume that |ssl| keeps a reference to 2593 * it. 2594 * 2595 * The callback should return |SSL_TLSEXT_ERR_OK| if it wishes to advertise. 2596 * Otherwise, no such extension will be included in the ServerHello. */ 2597 OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb( 2598 SSL_CTX *ctx, 2599 int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg), 2600 void *arg); 2601 2602 /* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client 2603 * needs to select a protocol from the server's provided list. |*out| must be 2604 * set to point to the selected protocol (which may be within |in|). The length 2605 * of the protocol name must be written into |*out_len|. The server's advertised 2606 * protocols are provided in |in| and |in_len|. The callback can assume that 2607 * |in| is syntactically valid. 2608 * 2609 * The client must select a protocol. It is fatal to the connection if this 2610 * callback returns a value other than |SSL_TLSEXT_ERR_OK|. 2611 * 2612 * Configuring this callback enables NPN on a client. */ 2613 OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb( 2614 SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, 2615 const uint8_t *in, unsigned in_len, void *arg), 2616 void *arg); 2617 2618 /* SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to 2619 * the client's requested protocol for this connection. If the client didn't 2620 * request any protocol, then |*out_data| is set to NULL. 2621 * 2622 * Note that the client can request any protocol it chooses. The value returned 2623 * from this function need not be a member of the list of supported protocols 2624 * provided by the server. */ 2625 OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *ssl, 2626 const uint8_t **out_data, 2627 unsigned *out_len); 2628 2629 /* SSL_select_next_proto implements the standard protocol selection. It is 2630 * expected that this function is called from the callback set by 2631 * |SSL_CTX_set_next_proto_select_cb|. 2632 * 2633 * |peer| and |supported| must be vectors of 8-bit, length-prefixed byte strings 2634 * containing the peer and locally-configured protocols, respectively. The 2635 * length byte itself is not included in the length. A byte string of length 0 2636 * is invalid. No byte string may be truncated. |supported| is assumed to be 2637 * non-empty. 2638 * 2639 * This function finds the first protocol in |peer| which is also in 2640 * |supported|. If one was found, it sets |*out| and |*out_len| to point to it 2641 * and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns 2642 * |OPENSSL_NPN_NO_OVERLAP| and sets |*out| and |*out_len| to the first 2643 * supported protocol. */ 2644 OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, 2645 const uint8_t *peer, unsigned peer_len, 2646 const uint8_t *supported, 2647 unsigned supported_len); 2648 2649 #define OPENSSL_NPN_UNSUPPORTED 0 2650 #define OPENSSL_NPN_NEGOTIATED 1 2651 #define OPENSSL_NPN_NO_OVERLAP 2 2652 2653 2654 /* Channel ID. 2655 * 2656 * See draft-balfanz-tls-channelid-01. */ 2657 2658 /* SSL_CTX_set_tls_channel_id_enabled configures whether connections associated 2659 * with |ctx| should enable Channel ID. */ 2660 OPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, 2661 int enabled); 2662 2663 /* SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel 2664 * ID. */ 2665 OPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled); 2666 2667 /* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID 2668 * to compatible servers. |private_key| must be a P-256 EC key. It returns one 2669 * on success and zero on error. */ 2670 OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, 2671 EVP_PKEY *private_key); 2672 2673 /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to 2674 * compatible servers. |private_key| must be a P-256 EC key. It returns one on 2675 * success and zero on error. */ 2676 OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key); 2677 2678 /* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL*| 2679 * and copies up to the first |max_out| bytes into |out|. The Channel ID 2680 * consists of the client's P-256 public key as an (x,y) pair where each is a 2681 * 32-byte, big-endian field element. It returns 0 if the client didn't offer a 2682 * Channel ID and the length of the complete Channel ID otherwise. */ 2683 OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, 2684 size_t max_out); 2685 2686 /* SSL_CTX_set_channel_id_cb sets a callback to be called when a TLS Channel ID 2687 * is requested. The callback may set |*out_pkey| to a key, passing a reference 2688 * to the caller. If none is returned, the handshake will pause and 2689 * |SSL_get_error| will return |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|. 2690 * 2691 * See also |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|. */ 2692 OPENSSL_EXPORT void SSL_CTX_set_channel_id_cb( 2693 SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey)); 2694 2695 /* SSL_CTX_get_channel_id_cb returns the callback set by 2696 * |SSL_CTX_set_channel_id_cb|. */ 2697 OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))( 2698 SSL *ssl, EVP_PKEY **out_pkey); 2699 2700 2701 /* DTLS-SRTP. 2702 * 2703 * See RFC 5764. */ 2704 2705 /* srtp_protection_profile_st (aka |SRTP_PROTECTION_PROFILE|) is an SRTP 2706 * profile for use with the use_srtp extension. */ 2707 struct srtp_protection_profile_st { 2708 const char *name; 2709 unsigned long id; 2710 } /* SRTP_PROTECTION_PROFILE */; 2711 2712 DEFINE_CONST_STACK_OF(SRTP_PROTECTION_PROFILE) 2713 2714 /* SRTP_* define constants for SRTP profiles. */ 2715 #define SRTP_AES128_CM_SHA1_80 0x0001 2716 #define SRTP_AES128_CM_SHA1_32 0x0002 2717 #define SRTP_AES128_F8_SHA1_80 0x0003 2718 #define SRTP_AES128_F8_SHA1_32 0x0004 2719 #define SRTP_NULL_SHA1_80 0x0005 2720 #define SRTP_NULL_SHA1_32 0x0006 2721 #define SRTP_AEAD_AES_128_GCM 0x0007 2722 #define SRTP_AEAD_AES_256_GCM 0x0008 2723 2724 /* SSL_CTX_set_srtp_profiles enables SRTP for all SSL objects created from 2725 * |ctx|. |profile| contains a colon-separated list of profile names. It returns 2726 * one on success and zero on failure. */ 2727 OPENSSL_EXPORT int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx, 2728 const char *profiles); 2729 2730 /* SSL_set_srtp_profiles enables SRTP for |ssl|. |profile| contains a 2731 * colon-separated list of profile names. It returns one on success and zero on 2732 * failure. */ 2733 OPENSSL_EXPORT int SSL_set_srtp_profiles(SSL *ssl, const char *profiles); 2734 2735 /* SSL_get_srtp_profiles returns the SRTP profiles supported by |ssl|. */ 2736 OPENSSL_EXPORT STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles( 2737 SSL *ssl); 2738 2739 /* SSL_get_selected_srtp_profile returns the selected SRTP profile, or NULL if 2740 * SRTP was not negotiated. */ 2741 OPENSSL_EXPORT const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile( 2742 SSL *ssl); 2743 2744 2745 /* Pre-shared keys. 2746 * 2747 * Connections may be configured with PSK (Pre-Shared Key) cipher suites. These 2748 * authenticate using out-of-band pre-shared keys rather than certificates. See 2749 * RFC 4279. 2750 * 2751 * This implementation uses NUL-terminated C strings for identities and identity 2752 * hints, so values with a NUL character are not supported. (RFC 4279 does not 2753 * specify the format of an identity.) */ 2754 2755 /* PSK_MAX_IDENTITY_LEN is the maximum supported length of a PSK identity, 2756 * excluding the NUL terminator. */ 2757 #define PSK_MAX_IDENTITY_LEN 128 2758 2759 /* PSK_MAX_PSK_LEN is the maximum supported length of a pre-shared key. */ 2760 #define PSK_MAX_PSK_LEN 256 2761 2762 /* SSL_CTX_set_psk_client_callback sets the callback to be called when PSK is 2763 * negotiated on the client. This callback must be set to enable PSK cipher 2764 * suites on the client. 2765 * 2766 * The callback is passed the identity hint in |hint| or NULL if none was 2767 * provided. It should select a PSK identity and write the identity and the 2768 * corresponding PSK to |identity| and |psk|, respectively. The identity is 2769 * written as a NUL-terminated C string of length (excluding the NUL terminator) 2770 * at most |max_identity_len|. The PSK's length must be at most |max_psk_len|. 2771 * The callback returns the length of the PSK or 0 if no suitable identity was 2772 * found. */ 2773 OPENSSL_EXPORT void SSL_CTX_set_psk_client_callback( 2774 SSL_CTX *ctx, 2775 unsigned (*psk_client_callback)( 2776 SSL *ssl, const char *hint, char *identity, 2777 unsigned max_identity_len, uint8_t *psk, unsigned max_psk_len)); 2778 2779 /* SSL_set_psk_client_callback sets the callback to be called when PSK is 2780 * negotiated on the client. This callback must be set to enable PSK cipher 2781 * suites on the client. See also |SSL_CTX_set_psk_client_callback|. */ 2782 OPENSSL_EXPORT void SSL_set_psk_client_callback( 2783 SSL *ssl, unsigned (*psk_client_callback)(SSL *ssl, const char *hint, 2784 char *identity, 2785 unsigned max_identity_len, 2786 uint8_t *psk, 2787 unsigned max_psk_len)); 2788 2789 /* SSL_CTX_set_psk_server_callback sets the callback to be called when PSK is 2790 * negotiated on the server. This callback must be set to enable PSK cipher 2791 * suites on the server. 2792 * 2793 * The callback is passed the identity in |identity|. It should write a PSK of 2794 * length at most |max_psk_len| to |psk| and return the number of bytes written 2795 * or zero if the PSK identity is unknown. */ 2796 OPENSSL_EXPORT void SSL_CTX_set_psk_server_callback( 2797 SSL_CTX *ctx, 2798 unsigned (*psk_server_callback)(SSL *ssl, const char *identity, 2799 uint8_t *psk, 2800 unsigned max_psk_len)); 2801 2802 /* SSL_set_psk_server_callback sets the callback to be called when PSK is 2803 * negotiated on the server. This callback must be set to enable PSK cipher 2804 * suites on the server. See also |SSL_CTX_set_psk_server_callback|. */ 2805 OPENSSL_EXPORT void SSL_set_psk_server_callback( 2806 SSL *ssl, 2807 unsigned (*psk_server_callback)(SSL *ssl, const char *identity, 2808 uint8_t *psk, 2809 unsigned max_psk_len)); 2810 2811 /* SSL_CTX_use_psk_identity_hint configures server connections to advertise an 2812 * identity hint of |identity_hint|. It returns one on success and zero on 2813 * error. */ 2814 OPENSSL_EXPORT int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, 2815 const char *identity_hint); 2816 2817 /* SSL_use_psk_identity_hint configures server connections to advertise an 2818 * identity hint of |identity_hint|. It returns one on success and zero on 2819 * error. */ 2820 OPENSSL_EXPORT int SSL_use_psk_identity_hint(SSL *ssl, 2821 const char *identity_hint); 2822 2823 /* SSL_get_psk_identity_hint returns the PSK identity hint advertised for |ssl| 2824 * or NULL if there is none. */ 2825 OPENSSL_EXPORT const char *SSL_get_psk_identity_hint(const SSL *ssl); 2826 2827 /* SSL_get_psk_identity, after the handshake completes, returns the PSK identity 2828 * that was negotiated by |ssl| or NULL if PSK was not used. */ 2829 OPENSSL_EXPORT const char *SSL_get_psk_identity(const SSL *ssl); 2830 2831 2832 /* Early data. 2833 * 2834 * WARNING: 0-RTT support in BoringSSL is currently experimental and not fully 2835 * implemented. It may cause interoperability or security failures when used. 2836 * 2837 * Early data, or 0-RTT, is a feature in TLS 1.3 which allows clients to send 2838 * data on the first flight during a resumption handshake. This can save a 2839 * round-trip in some application protocols. 2840 * 2841 * WARNING: A 0-RTT handshake has different security properties from normal 2842 * handshake, so it is off by default unless opted in. In particular, early data 2843 * is replayable by a network attacker. Callers must account for this when 2844 * sending or processing data before the handshake is confirmed. See 2845 * draft-ietf-tls-tls13-18 for more information. 2846 * 2847 * As a server, if early data is accepted, |SSL_do_handshake| will complete as 2848 * soon as the ClientHello is processed and server flight sent. |SSL_write| may 2849 * be used to send half-RTT data. |SSL_read| will consume early data and 2850 * transition to 1-RTT data as appropriate. Prior to the transition, 2851 * |SSL_in_init| will report the handshake is still in progress. Callers may use 2852 * it or |SSL_in_early_data| to defer or reject requests as needed. 2853 * 2854 * Early data as a client is more complex. If the offered session (see 2855 * |SSL_set_session|) is 0-RTT-capable, the handshake will return after sending 2856 * the ClientHello. The predicted peer certificate and ALPN protocol will be 2857 * available via the usual APIs. |SSL_write| will write early data, up to the 2858 * session's limit. Writes past this limit and |SSL_read| will complete the 2859 * handshake before continuing. Callers may also call |SSL_do_handshake| again 2860 * to complete the handshake sooner. 2861 * 2862 * If the server accepts early data, the handshake will succeed. |SSL_read| and 2863 * |SSL_write| will then act as in a 1-RTT handshake. The peer certificate and 2864 * ALPN protocol will be as predicted and need not be re-queried. 2865 * 2866 * If the server rejects early data, |SSL_do_handshake| (and thus |SSL_read| and 2867 * |SSL_write|) will then fail with |SSL_get_error| returning 2868 * |SSL_ERROR_EARLY_DATA_REJECTED|. The caller should treat this as a connection 2869 * error and most likely perform a high-level retry. Note the server may still 2870 * have processed the early data due to attacker replays. 2871 * 2872 * To then continue the handshake on the original connection, use 2873 * |SSL_reset_early_data_reject|. This allows a faster retry than making a fresh 2874 * connection. |SSL_do_handshake| will the complete the full handshake as in a 2875 * fresh connection. Once reset, the peer certificate, ALPN protocol, and other 2876 * properties may change so the caller must query them again. 2877 * 2878 * Finally, to implement the fallback described in draft-ietf-tls-tls13-18 2879 * appendix C.3, retry on a fresh connection without 0-RTT if the handshake 2880 * fails with |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. */ 2881 2882 /* SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used 2883 * with resumptions using |ctx|. */ 2884 OPENSSL_EXPORT void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled); 2885 2886 /* SSL_set_early_data_enabled sets whether early data is allowed to be used 2887 * with resumptions using |ssl|. See |SSL_CTX_set_early_data_enabled| for more 2888 * information. */ 2889 OPENSSL_EXPORT void SSL_set_early_data_enabled(SSL *ssl, int enabled); 2890 2891 /* SSL_in_early_data returns one if |ssl| has a pending handshake that has 2892 * progressed enough to send or receive early data. Clients may call |SSL_write| 2893 * to send early data, but |SSL_read| will complete the handshake before 2894 * accepting application data. Servers may call |SSL_read| to read early data 2895 * and |SSL_write| to send half-RTT data. */ 2896 OPENSSL_EXPORT int SSL_in_early_data(const SSL *ssl); 2897 2898 /* SSL_early_data_accepted returns whether early data was accepted on the 2899 * handshake performed by |ssl|. */ 2900 OPENSSL_EXPORT int SSL_early_data_accepted(const SSL *ssl); 2901 2902 /* SSL_reset_early_data_reject resets |ssl| after an early data reject. All 2903 * 0-RTT state is discarded, including any pending |SSL_write| calls. The caller 2904 * should treat |ssl| as a logically fresh connection, usually by driving the 2905 * handshake to completion using |SSL_do_handshake|. 2906 * 2907 * It is an error to call this function on an |SSL| object that is not signaling 2908 * |SSL_ERROR_EARLY_DATA_REJECTED|. */ 2909 OPENSSL_EXPORT void SSL_reset_early_data_reject(SSL *ssl); 2910 2911 2912 /* Alerts. 2913 * 2914 * TLS and SSL 3.0 use alerts to signal error conditions. Alerts have a type 2915 * (warning or fatal) and description. OpenSSL internally handles fatal alerts 2916 * with dedicated error codes (see |SSL_AD_REASON_OFFSET|). Except for 2917 * close_notify, warning alerts are silently ignored and may only be surfaced 2918 * with |SSL_CTX_set_info_callback|. */ 2919 2920 /* SSL_AD_REASON_OFFSET is the offset between error reasons and |SSL_AD_*| 2921 * values. Any error code under |ERR_LIB_SSL| with an error reason above this 2922 * value corresponds to an alert description. Consumers may add or subtract 2923 * |SSL_AD_REASON_OFFSET| to convert between them. 2924 * 2925 * make_errors.go reserves error codes above 1000 for manually-assigned errors. 2926 * This value must be kept in sync with reservedReasonCode in make_errors.h */ 2927 #define SSL_AD_REASON_OFFSET 1000 2928 2929 /* SSL_AD_* are alert descriptions for SSL 3.0 and TLS. */ 2930 #define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY 2931 #define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE 2932 #define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC 2933 #define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED 2934 #define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW 2935 #define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE 2936 #define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE 2937 #define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not used in TLS */ 2938 #define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE 2939 #define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE 2940 #define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED 2941 #define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED 2942 #define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN 2943 #define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER 2944 #define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA 2945 #define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED 2946 #define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR 2947 #define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR 2948 #define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION 2949 #define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION 2950 #define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY 2951 #define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR 2952 #define SSL_AD_INAPPROPRIATE_FALLBACK SSL3_AD_INAPPROPRIATE_FALLBACK 2953 #define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED 2954 #define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION 2955 #define SSL_AD_MISSING_EXTENSION TLS1_AD_MISSING_EXTENSION 2956 #define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION 2957 #define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE 2958 #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME 2959 #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE \ 2960 TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 2961 #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 2962 #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY 2963 #define SSL_AD_CERTIFICATE_REQUIRED TLS1_AD_CERTIFICATE_REQUIRED 2964 2965 /* SSL_alert_type_string_long returns a string description of |value| as an 2966 * alert type (warning or fatal). */ 2967 OPENSSL_EXPORT const char *SSL_alert_type_string_long(int value); 2968 2969 /* SSL_alert_desc_string_long returns a string description of |value| as an 2970 * alert description or "unknown" if unknown. */ 2971 OPENSSL_EXPORT const char *SSL_alert_desc_string_long(int value); 2972 2973 /* SSL_send_fatal_alert sends a fatal alert over |ssl| of the specified type, 2974 * which should be one of the |SSL_AD_*| constants. It returns one on success 2975 * and <= 0 on error. The caller should pass the return value into 2976 * |SSL_get_error| to determine how to proceed. Once this function has been 2977 * called, future calls to |SSL_write| will fail. 2978 * 2979 * If retrying a failed operation due to |SSL_ERROR_WANT_WRITE|, subsequent 2980 * calls must use the same |alert| parameter. */ 2981 OPENSSL_EXPORT int SSL_send_fatal_alert(SSL *ssl, uint8_t alert); 2982 2983 2984 /* ex_data functions. 2985 * 2986 * See |ex_data.h| for details. */ 2987 2988 OPENSSL_EXPORT int SSL_set_ex_data(SSL *ssl, int idx, void *data); 2989 OPENSSL_EXPORT void *SSL_get_ex_data(const SSL *ssl, int idx); 2990 OPENSSL_EXPORT int SSL_get_ex_new_index(long argl, void *argp, 2991 CRYPTO_EX_unused *unused, 2992 CRYPTO_EX_dup *dup_unused, 2993 CRYPTO_EX_free *free_func); 2994 2995 OPENSSL_EXPORT int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, 2996 void *data); 2997 OPENSSL_EXPORT void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, 2998 int idx); 2999 OPENSSL_EXPORT int SSL_SESSION_get_ex_new_index(long argl, void *argp, 3000 CRYPTO_EX_unused *unused, 3001 CRYPTO_EX_dup *dup_unused, 3002 CRYPTO_EX_free *free_func); 3003 3004 OPENSSL_EXPORT int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data); 3005 OPENSSL_EXPORT void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx); 3006 OPENSSL_EXPORT int SSL_CTX_get_ex_new_index(long argl, void *argp, 3007 CRYPTO_EX_unused *unused, 3008 CRYPTO_EX_dup *dup_unused, 3009 CRYPTO_EX_free *free_func); 3010 3011 3012 /* Low-level record-layer state. */ 3013 3014 /* SSL_get_ivs sets |*out_iv_len| to the length of the IVs for the ciphers 3015 * underlying |ssl| and sets |*out_read_iv| and |*out_write_iv| to point to the 3016 * current IVs for the read and write directions. This is only meaningful for 3017 * connections with implicit IVs (i.e. CBC mode with SSLv3 or TLS 1.0). 3018 * 3019 * It returns one on success or zero on error. */ 3020 OPENSSL_EXPORT int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv, 3021 const uint8_t **out_write_iv, 3022 size_t *out_iv_len); 3023 3024 /* SSL_get_key_block_len returns the length of |ssl|'s key block. */ 3025 OPENSSL_EXPORT size_t SSL_get_key_block_len(const SSL *ssl); 3026 3027 /* SSL_generate_key_block generates |out_len| bytes of key material for |ssl|'s 3028 * current connection state. */ 3029 OPENSSL_EXPORT int SSL_generate_key_block(const SSL *ssl, uint8_t *out, 3030 size_t out_len); 3031 3032 /* SSL_get_read_sequence returns, in TLS, the expected sequence number of the 3033 * next incoming record in the current epoch. In DTLS, it returns the maximum 3034 * sequence number received in the current epoch and includes the epoch number 3035 * in the two most significant bytes. */ 3036 OPENSSL_EXPORT uint64_t SSL_get_read_sequence(const SSL *ssl); 3037 3038 /* SSL_get_write_sequence returns the sequence number of the next outgoing 3039 * record in the current epoch. In DTLS, it includes the epoch number in the 3040 * two most significant bytes. */ 3041 OPENSSL_EXPORT uint64_t SSL_get_write_sequence(const SSL *ssl); 3042 3043 3044 /* Obscure functions. */ 3045 3046 /* SSL_get_structure_sizes returns the sizes of the SSL, SSL_CTX and 3047 * SSL_SESSION structures so that a test can ensure that outside code agrees on 3048 * these values. */ 3049 OPENSSL_EXPORT void SSL_get_structure_sizes(size_t *ssl_size, 3050 size_t *ssl_ctx_size, 3051 size_t *ssl_session_size); 3052 3053 /* SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|. 3054 * This callback will be called when sending or receiving low-level record 3055 * headers, complete handshake messages, ChangeCipherSpec, and alerts. 3056 * |write_p| is one for outgoing messages and zero for incoming messages. 3057 * 3058 * For each record header, |cb| is called with |version| = 0 and |content_type| 3059 * = |SSL3_RT_HEADER|. The |len| bytes from |buf| contain the header. Note that 3060 * this does not include the record body. If the record is sealed, the length 3061 * in the header is the length of the ciphertext. 3062 * 3063 * For each handshake message, ChangeCipherSpec, and alert, |version| is the 3064 * protocol version and |content_type| is the corresponding record type. The 3065 * |len| bytes from |buf| contain the handshake message, one-byte 3066 * ChangeCipherSpec body, and two-byte alert, respectively. 3067 * 3068 * For a V2ClientHello, |version| is |SSL2_VERSION|, |content_type| is zero, and 3069 * the |len| bytes from |buf| contain the V2ClientHello structure. */ 3070 OPENSSL_EXPORT void SSL_CTX_set_msg_callback( 3071 SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, 3072 const void *buf, size_t len, SSL *ssl, void *arg)); 3073 3074 /* SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message 3075 * callback. */ 3076 OPENSSL_EXPORT void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg); 3077 3078 /* SSL_set_msg_callback installs |cb| as the message callback of |ssl|. See 3079 * |SSL_CTX_set_msg_callback| for when this callback is called. */ 3080 OPENSSL_EXPORT void SSL_set_msg_callback( 3081 SSL *ssl, void (*cb)(int write_p, int version, int content_type, 3082 const void *buf, size_t len, SSL *ssl, void *arg)); 3083 3084 /* SSL_set_msg_callback_arg sets the |arg| parameter of the message callback. */ 3085 OPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg); 3086 3087 /* SSL_CTX_set_keylog_callback configures a callback to log key material. This 3088 * is intended for debugging use with tools like Wireshark. The |cb| function 3089 * should log |line| followed by a newline, synchronizing with any concurrent 3090 * access to the log. 3091 * 3092 * The format is described in 3093 * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. */ 3094 OPENSSL_EXPORT void SSL_CTX_set_keylog_callback( 3095 SSL_CTX *ctx, void (*cb)(const SSL *ssl, const char *line)); 3096 3097 /* SSL_CTX_get_keylog_callback returns the callback configured by 3098 * |SSL_CTX_set_keylog_callback|. */ 3099 OPENSSL_EXPORT void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))( 3100 const SSL *ssl, const char *line); 3101 3102 /* SSL_CTX_set_current_time_cb configures a callback to retrieve the current 3103 * time, which should be set in |*out_clock|. This can be used for testing 3104 * purposes; for example, a callback can be configured that returns a time 3105 * set explicitly by the test. */ 3106 OPENSSL_EXPORT void SSL_CTX_set_current_time_cb( 3107 SSL_CTX *ctx, void (*cb)(const SSL *ssl, struct timeval *out_clock)); 3108 3109 enum ssl_renegotiate_mode_t { 3110 ssl_renegotiate_never = 0, 3111 ssl_renegotiate_once, 3112 ssl_renegotiate_freely, 3113 ssl_renegotiate_ignore, 3114 }; 3115 3116 /* SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to 3117 * renegotiation attempts by a server. If |ssl| is a server, peer-initiated 3118 * renegotiations are *always* rejected and this function does nothing. 3119 * 3120 * The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set 3121 * at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to 3122 * allow one renegotiation, |ssl_renegotiate_freely| to allow all 3123 * renegotiations or |ssl_renegotiate_ignore| to ignore HelloRequest messages. 3124 * Note that ignoring HelloRequest messages may cause the connection to stall 3125 * if the server waits for the renegotiation to complete. 3126 * 3127 * There is no support in BoringSSL for initiating renegotiations as a client 3128 * or server. */ 3129 OPENSSL_EXPORT void SSL_set_renegotiate_mode(SSL *ssl, 3130 enum ssl_renegotiate_mode_t mode); 3131 3132 /* SSL_renegotiate_pending returns one if |ssl| is in the middle of a 3133 * renegotiation. */ 3134 OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl); 3135 3136 /* SSL_total_renegotiations returns the total number of renegotiation handshakes 3137 * performed by |ssl|. This includes the pending renegotiation, if any. */ 3138 OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl); 3139 3140 enum tls13_variant_t { 3141 tls13_default = 0, 3142 tls13_experiment = 1, 3143 tls13_record_type_experiment = 2, 3144 }; 3145 3146 /* SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the 3147 * server, if |variant| is not |tls13_default|, all variants are enabled. On the 3148 * client, only the configured variant is enabled. */ 3149 OPENSSL_EXPORT void SSL_CTX_set_tls13_variant(SSL_CTX *ctx, 3150 enum tls13_variant_t variant); 3151 3152 /* SSL_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the 3153 * server, if |variant| is not |tls13_default|, all variants are enabled. On the 3154 * client, only the configured variant is enabled. */ 3155 OPENSSL_EXPORT void SSL_set_tls13_variant(SSL *ssl, 3156 enum tls13_variant_t variant); 3157 3158 /* SSL_MAX_CERT_LIST_DEFAULT is the default maximum length, in bytes, of a peer 3159 * certificate chain. */ 3160 #define SSL_MAX_CERT_LIST_DEFAULT (1024 * 100) 3161 3162 /* SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer 3163 * certificate chain accepted by |ctx|. */ 3164 OPENSSL_EXPORT size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx); 3165 3166 /* SSL_CTX_set_max_cert_list sets the maximum length, in bytes, of a peer 3167 * certificate chain to |max_cert_list|. This affects how much memory may be 3168 * consumed during the handshake. */ 3169 OPENSSL_EXPORT void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, 3170 size_t max_cert_list); 3171 3172 /* SSL_get_max_cert_list returns the maximum length, in bytes, of a peer 3173 * certificate chain accepted by |ssl|. */ 3174 OPENSSL_EXPORT size_t SSL_get_max_cert_list(const SSL *ssl); 3175 3176 /* SSL_set_max_cert_list sets the maximum length, in bytes, of a peer 3177 * certificate chain to |max_cert_list|. This affects how much memory may be 3178 * consumed during the handshake. */ 3179 OPENSSL_EXPORT void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list); 3180 3181 /* SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records 3182 * sent by |ctx|. Beyond this length, handshake messages and application data 3183 * will be split into multiple records. It returns one on success or zero on 3184 * error. */ 3185 OPENSSL_EXPORT int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, 3186 size_t max_send_fragment); 3187 3188 /* SSL_set_max_send_fragment sets the maximum length, in bytes, of records sent 3189 * by |ssl|. Beyond this length, handshake messages and application data will 3190 * be split into multiple records. It returns one on success or zero on 3191 * error. */ 3192 OPENSSL_EXPORT int SSL_set_max_send_fragment(SSL *ssl, 3193 size_t max_send_fragment); 3194 3195 /* ssl_early_callback_ctx (aka |SSL_CLIENT_HELLO|) is passed to certain 3196 * callbacks that are called very early on during the server handshake. At this 3197 * point, much of the SSL* hasn't been filled out and only the ClientHello can 3198 * be depended on. */ 3199 typedef struct ssl_early_callback_ctx { 3200 SSL *ssl; 3201 const uint8_t *client_hello; 3202 size_t client_hello_len; 3203 uint16_t version; 3204 const uint8_t *random; 3205 size_t random_len; 3206 const uint8_t *session_id; 3207 size_t session_id_len; 3208 const uint8_t *cipher_suites; 3209 size_t cipher_suites_len; 3210 const uint8_t *compression_methods; 3211 size_t compression_methods_len; 3212 const uint8_t *extensions; 3213 size_t extensions_len; 3214 } SSL_CLIENT_HELLO; 3215 3216 /* ssl_select_cert_result_t enumerates the possible results from selecting a 3217 * certificate with |select_certificate_cb|. */ 3218 enum ssl_select_cert_result_t { 3219 /* ssl_select_cert_success indicates that the certificate selection was 3220 * successful. */ 3221 ssl_select_cert_success = 1, 3222 /* ssl_select_cert_retry indicates that the operation could not be 3223 * immediately completed and must be reattempted at a later point. */ 3224 ssl_select_cert_retry = 0, 3225 /* ssl_select_cert_error indicates that a fatal error occured and the 3226 * handshake should be terminated. */ 3227 ssl_select_cert_error = -1, 3228 }; 3229 3230 /* SSL_early_callback_ctx_extension_get searches the extensions in 3231 * |client_hello| for an extension of the given type. If not found, it returns 3232 * zero. Otherwise it sets |out_data| to point to the extension contents (not 3233 * including the type and length bytes), sets |out_len| to the length of the 3234 * extension contents and returns one. */ 3235 OPENSSL_EXPORT int SSL_early_callback_ctx_extension_get( 3236 const SSL_CLIENT_HELLO *client_hello, uint16_t extension_type, 3237 const uint8_t **out_data, size_t *out_len); 3238 3239 /* SSL_CTX_set_select_certificate_cb sets a callback that is called before most 3240 * ClientHello processing and before the decision whether to resume a session 3241 * is made. The callback may inspect the ClientHello and configure the 3242 * connection. See |ssl_select_cert_result_t| for details of the return values. 3243 * 3244 * In the case that a retry is indicated, |SSL_get_error| will return 3245 * |SSL_ERROR_PENDING_CERTIFICATE| and the caller should arrange for the 3246 * high-level operation on |ssl| to be retried at a later time, which will 3247 * result in another call to |cb|. 3248 * 3249 * Note: The |SSL_CLIENT_HELLO| is only valid for the duration of the callback 3250 * and is not valid while the handshake is paused. */ 3251 OPENSSL_EXPORT void SSL_CTX_set_select_certificate_cb( 3252 SSL_CTX *ctx, 3253 enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)); 3254 3255 /* SSL_CTX_set_dos_protection_cb sets a callback that is called once the 3256 * resumption decision for a ClientHello has been made. It can return one to 3257 * allow the handshake to continue or zero to cause the handshake to abort. */ 3258 OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb( 3259 SSL_CTX *ctx, int (*cb)(const SSL_CLIENT_HELLO *)); 3260 3261 /* SSL_ST_* are possible values for |SSL_state| and the bitmasks that make them 3262 * up. */ 3263 #define SSL_ST_CONNECT 0x1000 3264 #define SSL_ST_ACCEPT 0x2000 3265 #define SSL_ST_MASK 0x0FFF 3266 #define SSL_ST_INIT (SSL_ST_CONNECT | SSL_ST_ACCEPT) 3267 #define SSL_ST_OK 0x03 3268 #define SSL_ST_RENEGOTIATE (0x04 | SSL_ST_INIT) 3269 #define SSL_ST_TLS13 (0x05 | SSL_ST_INIT) 3270 3271 /* SSL_CB_* are possible values for the |type| parameter in the info 3272 * callback and the bitmasks that make them up. */ 3273 #define SSL_CB_LOOP 0x01 3274 #define SSL_CB_EXIT 0x02 3275 #define SSL_CB_READ 0x04 3276 #define SSL_CB_WRITE 0x08 3277 #define SSL_CB_ALERT 0x4000 3278 #define SSL_CB_READ_ALERT (SSL_CB_ALERT | SSL_CB_READ) 3279 #define SSL_CB_WRITE_ALERT (SSL_CB_ALERT | SSL_CB_WRITE) 3280 #define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT | SSL_CB_LOOP) 3281 #define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT | SSL_CB_EXIT) 3282 #define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT | SSL_CB_LOOP) 3283 #define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT | SSL_CB_EXIT) 3284 #define SSL_CB_HANDSHAKE_START 0x10 3285 #define SSL_CB_HANDSHAKE_DONE 0x20 3286 3287 /* SSL_CTX_set_info_callback configures a callback to be run when various 3288 * events occur during a connection's lifetime. The |type| argument determines 3289 * the type of event and the meaning of the |value| argument. Callbacks must 3290 * ignore unexpected |type| values. 3291 * 3292 * |SSL_CB_READ_ALERT| is signaled for each alert received, warning or fatal. 3293 * The |value| argument is a 16-bit value where the alert level (either 3294 * |SSL3_AL_WARNING| or |SSL3_AL_FATAL|) is in the most-significant eight bits 3295 * and the alert type (one of |SSL_AD_*|) is in the least-significant eight. 3296 * 3297 * |SSL_CB_WRITE_ALERT| is signaled for each alert sent. The |value| argument 3298 * is constructed as with |SSL_CB_READ_ALERT|. 3299 * 3300 * |SSL_CB_HANDSHAKE_START| is signaled when a handshake begins. The |value| 3301 * argument is always one. 3302 * 3303 * |SSL_CB_HANDSHAKE_DONE| is signaled when a handshake completes successfully. 3304 * The |value| argument is always one. If a handshake False Starts, this event 3305 * may be used to determine when the Finished message is received. 3306 * 3307 * The following event types expose implementation details of the handshake 3308 * state machine. Consuming them is deprecated. 3309 * 3310 * |SSL_CB_ACCEPT_LOOP| (respectively, |SSL_CB_CONNECT_LOOP|) is signaled when 3311 * a server (respectively, client) handshake progresses. The |value| argument 3312 * is always one. 3313 * 3314 * |SSL_CB_ACCEPT_EXIT| (respectively, |SSL_CB_CONNECT_EXIT|) is signaled when 3315 * a server (respectively, client) handshake completes, fails, or is paused. 3316 * The |value| argument is one if the handshake succeeded and <= 0 3317 * otherwise. */ 3318 OPENSSL_EXPORT void SSL_CTX_set_info_callback( 3319 SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int value)); 3320 3321 /* SSL_CTX_get_info_callback returns the callback set by 3322 * |SSL_CTX_set_info_callback|. */ 3323 OPENSSL_EXPORT void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, 3324 int type, 3325 int value); 3326 3327 /* SSL_set_info_callback configures a callback to be run at various events 3328 * during a connection's lifetime. See |SSL_CTX_set_info_callback|. */ 3329 OPENSSL_EXPORT void SSL_set_info_callback( 3330 SSL *ssl, void (*cb)(const SSL *ssl, int type, int value)); 3331 3332 /* SSL_get_info_callback returns the callback set by |SSL_set_info_callback|. */ 3333 OPENSSL_EXPORT void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, 3334 int type, 3335 int value); 3336 3337 /* SSL_state_string_long returns the current state of the handshake state 3338 * machine as a string. This may be useful for debugging and logging. */ 3339 OPENSSL_EXPORT const char *SSL_state_string_long(const SSL *ssl); 3340 3341 #define SSL_SENT_SHUTDOWN 1 3342 #define SSL_RECEIVED_SHUTDOWN 2 3343 3344 /* SSL_get_shutdown returns a bitmask with a subset of |SSL_SENT_SHUTDOWN| and 3345 * |SSL_RECEIVED_SHUTDOWN| to query whether close_notify was sent or received, 3346 * respectively. */ 3347 OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl); 3348 3349 /* SSL_get_peer_signature_algorithm returns the signature algorithm used by the 3350 * peer. If not applicable, it returns zero. */ 3351 OPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl); 3352 3353 /* SSL_get_client_random writes up to |max_out| bytes of the most recent 3354 * handshake's client_random to |out| and returns the number of bytes written. 3355 * If |max_out| is zero, it returns the size of the client_random. */ 3356 OPENSSL_EXPORT size_t SSL_get_client_random(const SSL *ssl, uint8_t *out, 3357 size_t max_out); 3358 3359 /* SSL_get_server_random writes up to |max_out| bytes of the most recent 3360 * handshake's server_random to |out| and returns the number of bytes written. 3361 * If |max_out| is zero, it returns the size of the server_random. */ 3362 OPENSSL_EXPORT size_t SSL_get_server_random(const SSL *ssl, uint8_t *out, 3363 size_t max_out); 3364 3365 /* SSL_get_pending_cipher returns the cipher suite for the current handshake or 3366 * NULL if one has not been negotiated yet or there is no pending handshake. */ 3367 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl); 3368 3369 /* SSL_set_retain_only_sha256_of_client_certs, on a server, sets whether only 3370 * the SHA-256 hash of peer's certificate should be saved in memory and in the 3371 * session. This can save memory, ticket size and session cache space. If 3372 * enabled, |SSL_get_peer_certificate| will return NULL after the handshake 3373 * completes. See the |peer_sha256| field of |SSL_SESSION| for the hash. */ 3374 OPENSSL_EXPORT void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, 3375 int enable); 3376 3377 /* SSL_CTX_set_retain_only_sha256_of_client_certs, on a server, sets whether 3378 * only the SHA-256 hash of peer's certificate should be saved in memory and in 3379 * the session. This can save memory, ticket size and session cache space. If 3380 * enabled, |SSL_get_peer_certificate| will return NULL after the handshake 3381 * completes. See the |peer_sha256| field of |SSL_SESSION| for the hash. */ 3382 OPENSSL_EXPORT void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, 3383 int enable); 3384 3385 /* SSL_CTX_set_grease_enabled configures whether sockets on |ctx| should enable 3386 * GREASE. See draft-davidben-tls-grease-01. */ 3387 OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled); 3388 3389 /* SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a 3390 * record with |ssl|. */ 3391 OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl); 3392 3393 /* SSL_get_ticket_age_skew returns the difference, in seconds, between the 3394 * client-sent ticket age and the server-computed value in TLS 1.3 server 3395 * connections which resumed a session. */ 3396 OPENSSL_EXPORT int32_t SSL_get_ticket_age_skew(const SSL *ssl); 3397 3398 3399 /* Deprecated functions. */ 3400 3401 /* SSL_library_init calls |CRYPTO_library_init| and returns one. */ 3402 OPENSSL_EXPORT int SSL_library_init(void); 3403 3404 /* SSL_CIPHER_description writes a description of |cipher| into |buf| and 3405 * returns |buf|. If |buf| is NULL, it returns a newly allocated string, to be 3406 * freed with |OPENSSL_free|, or NULL on error. 3407 * 3408 * The description includes a trailing newline and has the form: 3409 * AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 3410 * 3411 * Consider |SSL_CIPHER_standard_name| or |SSL_CIPHER_get_name| instead. */ 3412 OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, 3413 char *buf, int len); 3414 3415 /* SSL_CIPHER_get_version returns the string "TLSv1/SSLv3". */ 3416 OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); 3417 3418 /* SSL_CIPHER_get_rfc_name returns a newly-allocated string containing the 3419 * result of |SSL_CIPHER_standard_name| or NULL on error. The caller is 3420 * responsible for calling |OPENSSL_free| on the result. 3421 * 3422 * Use |SSL_CIPHER_standard_name| instead. */ 3423 OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher); 3424 3425 typedef void COMP_METHOD; 3426 3427 /* SSL_COMP_get_compression_methods returns NULL. */ 3428 OPENSSL_EXPORT STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); 3429 3430 /* SSL_COMP_add_compression_method returns one. */ 3431 OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm); 3432 3433 /* SSL_COMP_get_name returns NULL. */ 3434 OPENSSL_EXPORT const char *SSL_COMP_get_name(const COMP_METHOD *comp); 3435 3436 /* SSL_COMP_free_compression_methods does nothing. */ 3437 OPENSSL_EXPORT void SSL_COMP_free_compression_methods(void); 3438 3439 /* SSLv23_method calls |TLS_method|. */ 3440 OPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void); 3441 3442 /* These version-specific methods behave exactly like |TLS_method| and 3443 * |DTLS_method| except they also call |SSL_CTX_set_min_proto_version| and 3444 * |SSL_CTX_set_max_proto_version| to lock connections to that protocol 3445 * version. */ 3446 OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void); 3447 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void); 3448 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void); 3449 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void); 3450 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void); 3451 3452 /* SSLv3_method returns an |SSL_METHOD| with no versions enabled. */ 3453 OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void); 3454 3455 /* These client- and server-specific methods call their corresponding generic 3456 * methods. */ 3457 OPENSSL_EXPORT const SSL_METHOD *TLS_server_method(void); 3458 OPENSSL_EXPORT const SSL_METHOD *TLS_client_method(void); 3459 OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void); 3460 OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void); 3461 OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void); 3462 OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void); 3463 OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void); 3464 OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void); 3465 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void); 3466 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_client_method(void); 3467 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_server_method(void); 3468 OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_client_method(void); 3469 OPENSSL_EXPORT const SSL_METHOD *DTLS_server_method(void); 3470 OPENSSL_EXPORT const SSL_METHOD *DTLS_client_method(void); 3471 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_server_method(void); 3472 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void); 3473 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void); 3474 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void); 3475 3476 /* SSL_clear resets |ssl| to allow another connection and returns one on success 3477 * or zero on failure. It returns most configuration state but releases memory 3478 * associated with the current connection. 3479 * 3480 * Free |ssl| and create a new one instead. */ 3481 OPENSSL_EXPORT int SSL_clear(SSL *ssl); 3482 3483 /* SSL_CTX_set_tmp_rsa_callback does nothing. */ 3484 OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback( 3485 SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength)); 3486 3487 /* SSL_set_tmp_rsa_callback does nothing. */ 3488 OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl, 3489 RSA *(*cb)(SSL *ssl, int is_export, 3490 int keylength)); 3491 3492 /* SSL_CTX_sess_connect returns zero. */ 3493 OPENSSL_EXPORT int SSL_CTX_sess_connect(const SSL_CTX *ctx); 3494 3495 /* SSL_CTX_sess_connect_good returns zero. */ 3496 OPENSSL_EXPORT int SSL_CTX_sess_connect_good(const SSL_CTX *ctx); 3497 3498 /* SSL_CTX_sess_connect_renegotiate returns zero. */ 3499 OPENSSL_EXPORT int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx); 3500 3501 /* SSL_CTX_sess_accept returns zero. */ 3502 OPENSSL_EXPORT int SSL_CTX_sess_accept(const SSL_CTX *ctx); 3503 3504 /* SSL_CTX_sess_accept_renegotiate returns zero. */ 3505 OPENSSL_EXPORT int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx); 3506 3507 /* SSL_CTX_sess_accept_good returns zero. */ 3508 OPENSSL_EXPORT int SSL_CTX_sess_accept_good(const SSL_CTX *ctx); 3509 3510 /* SSL_CTX_sess_hits returns zero. */ 3511 OPENSSL_EXPORT int SSL_CTX_sess_hits(const SSL_CTX *ctx); 3512 3513 /* SSL_CTX_sess_cb_hits returns zero. */ 3514 OPENSSL_EXPORT int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx); 3515 3516 /* SSL_CTX_sess_misses returns zero. */ 3517 OPENSSL_EXPORT int SSL_CTX_sess_misses(const SSL_CTX *ctx); 3518 3519 /* SSL_CTX_sess_timeouts returns zero. */ 3520 OPENSSL_EXPORT int SSL_CTX_sess_timeouts(const SSL_CTX *ctx); 3521 3522 /* SSL_CTX_sess_cache_full returns zero. */ 3523 OPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx); 3524 3525 /* SSL_cutthrough_complete calls |SSL_in_false_start|. */ 3526 OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s); 3527 3528 /* SSL_num_renegotiations calls |SSL_total_renegotiations|. */ 3529 OPENSSL_EXPORT int SSL_num_renegotiations(const SSL *ssl); 3530 3531 /* SSL_CTX_need_tmp_RSA returns zero. */ 3532 OPENSSL_EXPORT int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx); 3533 3534 /* SSL_need_tmp_RSA returns zero. */ 3535 OPENSSL_EXPORT int SSL_need_tmp_RSA(const SSL *ssl); 3536 3537 /* SSL_CTX_set_tmp_rsa returns one. */ 3538 OPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa); 3539 3540 /* SSL_set_tmp_rsa returns one. */ 3541 OPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa); 3542 3543 /* SSL_CTX_get_read_ahead returns zero. */ 3544 OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx); 3545 3546 /* SSL_CTX_set_read_ahead does nothing. */ 3547 OPENSSL_EXPORT void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes); 3548 3549 /* SSL_get_read_ahead returns zero. */ 3550 OPENSSL_EXPORT int SSL_get_read_ahead(const SSL *s); 3551 3552 /* SSL_set_read_ahead does nothing. */ 3553 OPENSSL_EXPORT void SSL_set_read_ahead(SSL *s, int yes); 3554 3555 /* SSL_renegotiate put an error on the error queue and returns zero. */ 3556 OPENSSL_EXPORT int SSL_renegotiate(SSL *ssl); 3557 3558 /* SSL_set_state does nothing. */ 3559 OPENSSL_EXPORT void SSL_set_state(SSL *ssl, int state); 3560 3561 /* SSL_get_shared_ciphers writes an empty string to |buf| and returns a 3562 * pointer to |buf|, or NULL if |len| is less than or equal to zero. */ 3563 OPENSSL_EXPORT char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len); 3564 3565 /* SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START. */ 3566 #define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START 3567 3568 /* i2d_SSL_SESSION serializes |in| to the bytes pointed to by |*pp|. On success, 3569 * it returns the number of bytes written and advances |*pp| by that many bytes. 3570 * On failure, it returns -1. If |pp| is NULL, no bytes are written and only the 3571 * length is returned. 3572 * 3573 * Use |SSL_SESSION_to_bytes| instead. */ 3574 OPENSSL_EXPORT int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp); 3575 3576 /* d2i_SSL_SESSION parses a serialized session from the |length| bytes pointed 3577 * to by |*pp|. It returns the new |SSL_SESSION| and advances |*pp| by the 3578 * number of bytes consumed on success and NULL on failure. The caller takes 3579 * ownership of the new session and must call |SSL_SESSION_free| when done. 3580 * 3581 * If |a| is non-NULL, |*a| is released and set the new |SSL_SESSION|. 3582 * 3583 * Use |SSL_SESSION_from_bytes| instead. */ 3584 OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, 3585 long length); 3586 3587 /* i2d_SSL_SESSION_bio serializes |session| and writes the result to |bio|. It 3588 * returns the number of bytes written on success and <= 0 on error. */ 3589 OPENSSL_EXPORT int i2d_SSL_SESSION_bio(BIO *bio, const SSL_SESSION *session); 3590 3591 /* d2i_SSL_SESSION_bio reads a serialized |SSL_SESSION| from |bio| and returns a 3592 * newly-allocated |SSL_SESSION| or NULL on error. If |out| is not NULL, it also 3593 * frees |*out| and sets |*out| to the new |SSL_SESSION|. */ 3594 OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out); 3595 3596 /* ERR_load_SSL_strings does nothing. */ 3597 OPENSSL_EXPORT void ERR_load_SSL_strings(void); 3598 3599 /* SSL_load_error_strings does nothing. */ 3600 OPENSSL_EXPORT void SSL_load_error_strings(void); 3601 3602 /* SSL_CTX_set_tlsext_use_srtp calls |SSL_CTX_set_srtp_profiles|. It returns 3603 * zero on success and one on failure. 3604 * 3605 * WARNING: this function is dangerous because it breaks the usual return value 3606 * convention. Use |SSL_CTX_set_srtp_profiles| instead. */ 3607 OPENSSL_EXPORT int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, 3608 const char *profiles); 3609 3610 /* SSL_set_tlsext_use_srtp calls |SSL_set_srtp_profiles|. It returns zero on 3611 * success and one on failure. 3612 * 3613 * WARNING: this function is dangerous because it breaks the usual return value 3614 * convention. Use |SSL_set_srtp_profiles| instead. */ 3615 OPENSSL_EXPORT int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles); 3616 3617 /* SSL_get_current_compression returns NULL. */ 3618 OPENSSL_EXPORT const COMP_METHOD *SSL_get_current_compression(SSL *s); 3619 3620 /* SSL_get_current_expansion returns NULL. */ 3621 OPENSSL_EXPORT const COMP_METHOD *SSL_get_current_expansion(SSL *s); 3622 3623 /* SSL_get_server_tmp_key returns zero. */ 3624 OPENSSL_EXPORT int *SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key); 3625 3626 /* SSL_CTX_set_tmp_dh returns 1. */ 3627 OPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh); 3628 3629 /* SSL_set_tmp_dh returns 1. */ 3630 OPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh); 3631 3632 /* SSL_CTX_set_tmp_dh_callback does nothing. */ 3633 OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback( 3634 SSL_CTX *ctx, DH *(*callback)(SSL *ssl, int is_export, int keylength)); 3635 3636 /* SSL_set_tmp_dh_callback does nothing. */ 3637 OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl, 3638 DH *(*dh)(SSL *ssl, int is_export, 3639 int keylength)); 3640 3641 3642 #define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)(arg))) 3643 #define SSL_get_app_data(s) (SSL_get_ex_data(s, 0)) 3644 #define SSL_SESSION_set_app_data(s, a) \ 3645 (SSL_SESSION_set_ex_data(s, 0, (char *)(a))) 3646 #define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s, 0)) 3647 #define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx, 0)) 3648 #define SSL_CTX_set_app_data(ctx, arg) \ 3649 (SSL_CTX_set_ex_data(ctx, 0, (char *)(arg))) 3650 3651 #define OpenSSL_add_ssl_algorithms() SSL_library_init() 3652 #define SSLeay_add_ssl_algorithms() SSL_library_init() 3653 3654 #define SSL_get_cipher(ssl) SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)) 3655 #define SSL_get_cipher_bits(ssl, out_alg_bits) \ 3656 SSL_CIPHER_get_bits(SSL_get_current_cipher(ssl), out_alg_bits) 3657 #define SSL_get_cipher_version(ssl) \ 3658 SSL_CIPHER_get_version(SSL_get_current_cipher(ssl)) 3659 #define SSL_get_cipher_name(ssl) \ 3660 SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)) 3661 #define SSL_get_time(session) SSL_SESSION_get_time(session) 3662 #define SSL_set_time(session, time) SSL_SESSION_set_time((session), (time)) 3663 #define SSL_get_timeout(session) SSL_SESSION_get_timeout(session) 3664 #define SSL_set_timeout(session, timeout) \ 3665 SSL_SESSION_set_timeout((session), (timeout)) 3666 3667 typedef struct ssl_comp_st SSL_COMP; 3668 3669 struct ssl_comp_st { 3670 int id; 3671 const char *name; 3672 char *method; 3673 }; 3674 3675 DEFINE_STACK_OF(SSL_COMP) 3676 3677 /* The following flags do nothing and are included only to make it easier to 3678 * compile code with BoringSSL. */ 3679 #define SSL_MODE_AUTO_RETRY 0 3680 #define SSL_MODE_RELEASE_BUFFERS 0 3681 #define SSL_MODE_SEND_CLIENTHELLO_TIME 0 3682 #define SSL_MODE_SEND_SERVERHELLO_TIME 0 3683 #define SSL_OP_ALL 0 3684 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0 3685 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0 3686 #define SSL_OP_EPHEMERAL_RSA 0 3687 #define SSL_OP_LEGACY_SERVER_CONNECT 0 3688 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0 3689 #define SSL_OP_MICROSOFT_SESS_ID_BUG 0 3690 #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0 3691 #define SSL_OP_NETSCAPE_CA_DN_BUG 0 3692 #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0 3693 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0 3694 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0 3695 #define SSL_OP_NO_COMPRESSION 0 3696 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 3697 #define SSL_OP_NO_SSLv2 0 3698 #define SSL_OP_PKCS1_CHECK_1 0 3699 #define SSL_OP_PKCS1_CHECK_2 0 3700 #define SSL_OP_SINGLE_DH_USE 0 3701 #define SSL_OP_SINGLE_ECDH_USE 0 3702 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0 3703 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0 3704 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0 3705 #define SSL_OP_TLS_D5_BUG 0 3706 #define SSL_OP_TLS_ROLLBACK_BUG 0 3707 #define SSL_VERIFY_CLIENT_ONCE 0 3708 3709 /* SSL_cache_hit calls |SSL_session_reused|. */ 3710 OPENSSL_EXPORT int SSL_cache_hit(SSL *ssl); 3711 3712 /* SSL_get_default_timeout returns |SSL_DEFAULT_SESSION_TIMEOUT|. */ 3713 OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *ssl); 3714 3715 /* SSL_get_version returns a string describing the TLS version used by |ssl|. 3716 * For example, "TLSv1.2" or "SSLv3". */ 3717 OPENSSL_EXPORT const char *SSL_get_version(const SSL *ssl); 3718 3719 /* SSL_get_cipher_list returns the name of the |n|th cipher in the output of 3720 * |SSL_get_ciphers| or NULL if out of range. Use |SSL_get_ciphers| instead. */ 3721 OPENSSL_EXPORT const char *SSL_get_cipher_list(const SSL *ssl, int n); 3722 3723 /* SSL_CTX_set_client_cert_cb sets a callback which is called on the client if 3724 * the server requests a client certificate and none is configured. On success, 3725 * the callback should return one and set |*out_x509| to |*out_pkey| to a leaf 3726 * certificate and private key, respectively, passing ownership. It should 3727 * return zero to send no certificate and -1 to fail or pause the handshake. If 3728 * the handshake is paused, |SSL_get_error| will return 3729 * |SSL_ERROR_WANT_X509_LOOKUP|. 3730 * 3731 * The callback may call |SSL_get0_certificate_types| and 3732 * |SSL_get_client_CA_list| for information on the server's certificate request. 3733 * 3734 * Use |SSL_CTX_set_cert_cb| instead. Configuring intermediate certificates with 3735 * this function is confusing. This callback may not be registered concurrently 3736 * with |SSL_CTX_set_cert_cb| or |SSL_set_cert_cb|. */ 3737 OPENSSL_EXPORT void SSL_CTX_set_client_cert_cb( 3738 SSL_CTX *ctx, 3739 int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey)); 3740 3741 #define SSL_NOTHING 1 3742 #define SSL_WRITING 2 3743 #define SSL_READING 3 3744 #define SSL_X509_LOOKUP 4 3745 #define SSL_CHANNEL_ID_LOOKUP 5 3746 #define SSL_PENDING_SESSION 7 3747 #define SSL_CERTIFICATE_SELECTION_PENDING 8 3748 #define SSL_PRIVATE_KEY_OPERATION 9 3749 #define SSL_PENDING_TICKET 10 3750 #define SSL_EARLY_DATA_REJECTED 11 3751 3752 /* SSL_want returns one of the above values to determine what the most recent 3753 * operation on |ssl| was blocked on. Use |SSL_get_error| instead. */ 3754 OPENSSL_EXPORT int SSL_want(const SSL *ssl); 3755 3756 #define SSL_want_read(ssl) (SSL_want(ssl) == SSL_READING) 3757 #define SSL_want_write(ssl) (SSL_want(ssl) == SSL_WRITING) 3758 3759 /* SSL_get_finished writes up to |count| bytes of the Finished message sent by 3760 * |ssl| to |buf|. It returns the total untruncated length or zero if none has 3761 * been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero. 3762 * 3763 * Use |SSL_get_tls_unique| instead. */ 3764 OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count); 3765 3766 /* SSL_get_peer_finished writes up to |count| bytes of the Finished message 3767 * received from |ssl|'s peer to |buf|. It returns the total untruncated length 3768 * or zero if none has been received yet. At SSL 3.0 or TLS 1.3 and later, it 3769 * returns zero. 3770 * 3771 * Use |SSL_get_tls_unique| instead. */ 3772 OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf, 3773 size_t count); 3774 3775 /* SSL_alert_type_string returns "!". Use |SSL_alert_type_string_long| 3776 * instead. */ 3777 OPENSSL_EXPORT const char *SSL_alert_type_string(int value); 3778 3779 /* SSL_alert_desc_string returns "!!". Use |SSL_alert_desc_string_long| 3780 * instead. */ 3781 OPENSSL_EXPORT const char *SSL_alert_desc_string(int value); 3782 3783 /* SSL_TXT_* expand to strings. */ 3784 #define SSL_TXT_MEDIUM "MEDIUM" 3785 #define SSL_TXT_HIGH "HIGH" 3786 #define SSL_TXT_FIPS "FIPS" 3787 #define SSL_TXT_kRSA "kRSA" 3788 #define SSL_TXT_kDHE "kDHE" 3789 #define SSL_TXT_kEDH "kEDH" 3790 #define SSL_TXT_kECDHE "kECDHE" 3791 #define SSL_TXT_kEECDH "kEECDH" 3792 #define SSL_TXT_kPSK "kPSK" 3793 #define SSL_TXT_aRSA "aRSA" 3794 #define SSL_TXT_aECDSA "aECDSA" 3795 #define SSL_TXT_aPSK "aPSK" 3796 #define SSL_TXT_DH "DH" 3797 #define SSL_TXT_DHE "DHE" 3798 #define SSL_TXT_EDH "EDH" 3799 #define SSL_TXT_RSA "RSA" 3800 #define SSL_TXT_ECDH "ECDH" 3801 #define SSL_TXT_ECDHE "ECDHE" 3802 #define SSL_TXT_EECDH "EECDH" 3803 #define SSL_TXT_ECDSA "ECDSA" 3804 #define SSL_TXT_PSK "PSK" 3805 #define SSL_TXT_3DES "3DES" 3806 #define SSL_TXT_RC4 "RC4" 3807 #define SSL_TXT_AES128 "AES128" 3808 #define SSL_TXT_AES256 "AES256" 3809 #define SSL_TXT_AES "AES" 3810 #define SSL_TXT_AES_GCM "AESGCM" 3811 #define SSL_TXT_CHACHA20 "CHACHA20" 3812 #define SSL_TXT_MD5 "MD5" 3813 #define SSL_TXT_SHA1 "SHA1" 3814 #define SSL_TXT_SHA "SHA" 3815 #define SSL_TXT_SHA256 "SHA256" 3816 #define SSL_TXT_SHA384 "SHA384" 3817 #define SSL_TXT_SSLV3 "SSLv3" 3818 #define SSL_TXT_TLSV1 "TLSv1" 3819 #define SSL_TXT_TLSV1_1 "TLSv1.1" 3820 #define SSL_TXT_TLSV1_2 "TLSv1.2" 3821 #define SSL_TXT_TLSV1_3 "TLSv1.3" 3822 #define SSL_TXT_ALL "ALL" 3823 #define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" 3824 3825 typedef struct ssl_conf_ctx_st SSL_CONF_CTX; 3826 3827 /* SSL_state returns |SSL_ST_INIT| if a handshake is in progress and |SSL_ST_OK| 3828 * otherwise. 3829 * 3830 * Use |SSL_is_init| instead. */ 3831 OPENSSL_EXPORT int SSL_state(const SSL *ssl); 3832 3833 #define SSL_get_state(ssl) SSL_state(ssl) 3834 3835 /* SSL_state_string returns the current state of the handshake state machine as 3836 * a six-letter string. Use |SSL_state_string_long| for a more intelligible 3837 * string. */ 3838 OPENSSL_EXPORT const char *SSL_state_string(const SSL *ssl); 3839 3840 /* SSL_set_shutdown causes |ssl| to behave as if the shutdown bitmask (see 3841 * |SSL_get_shutdown|) were |mode|. This may be used to skip sending or 3842 * receiving close_notify in |SSL_shutdown| by causing the implementation to 3843 * believe the events already happened. 3844 * 3845 * It is an error to use |SSL_set_shutdown| to unset a bit that has already been 3846 * set. Doing so will trigger an |assert| in debug builds and otherwise be 3847 * ignored. 3848 * 3849 * Use |SSL_CTX_set_quiet_shutdown| instead. */ 3850 OPENSSL_EXPORT void SSL_set_shutdown(SSL *ssl, int mode); 3851 3852 /* SSL_CTX_set_tmp_ecdh calls |SSL_CTX_set1_curves| with a one-element list 3853 * containing |ec_key|'s curve. */ 3854 OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key); 3855 3856 /* SSL_set_tmp_ecdh calls |SSL_set1_curves| with a one-element list containing 3857 * |ec_key|'s curve. */ 3858 OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key); 3859 3860 /* SSL_add_dir_cert_subjects_to_stack lists files in directory |dir|. It calls 3861 * |SSL_add_file_cert_subjects_to_stack| on each file and returns one on success 3862 * or zero on error. This function is only available from the libdecrepit 3863 * library. */ 3864 OPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, 3865 const char *dir); 3866 3867 /* SSL_set_private_key_digest_prefs copies |num_digests| NIDs from |digest_nids| 3868 * into |ssl|. These digests will be used, in decreasing order of preference, 3869 * when signing with |ssl|'s private key. It returns one on success and zero on 3870 * error. 3871 * 3872 * Use |SSL_set_signing_algorithm_prefs| instead. 3873 * 3874 * TODO(davidben): Remove this API when callers have been updated. */ 3875 OPENSSL_EXPORT int SSL_set_private_key_digest_prefs(SSL *ssl, 3876 const int *digest_nids, 3877 size_t num_digests); 3878 3879 /* SSL_set_verify_result calls |abort| unless |result| is |X509_V_OK|. 3880 * 3881 * TODO(davidben): Remove this function once it has been removed from 3882 * netty-tcnative. */ 3883 OPENSSL_EXPORT void SSL_set_verify_result(SSL *ssl, long result); 3884 3885 /* SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|. */ 3886 OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx); 3887 3888 /* SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|. */ 3889 OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl); 3890 3891 /* BIO_f_ssl returns a |BIO_METHOD| that can wrap an |SSL*| in a |BIO*|. Note 3892 * that this has quite different behaviour from the version in OpenSSL (notably 3893 * that it doesn't try to auto renegotiate). 3894 * 3895 * IMPORTANT: if you are not curl, don't use this. */ 3896 OPENSSL_EXPORT const BIO_METHOD *BIO_f_ssl(void); 3897 3898 /* BIO_set_ssl sets |ssl| as the underlying connection for |bio|, which must 3899 * have been created using |BIO_f_ssl|. If |take_owership| is true, |bio| will 3900 * call |SSL_free| on |ssl| when closed. It returns one on success or something 3901 * other than one on error. */ 3902 OPENSSL_EXPORT long BIO_set_ssl(BIO *bio, SSL *ssl, int take_owership); 3903 3904 /* SSL_CTX_set_ecdh_auto returns one. */ 3905 #define SSL_CTX_set_ecdh_auto(ctx, onoff) 1 3906 3907 /* SSL_set_ecdh_auto returns one. */ 3908 #define SSL_set_ecdh_auto(ssl, onoff) 1 3909 3910 /* SSL_get_session returns a non-owning pointer to |ssl|'s session. For 3911 * historical reasons, which session it returns depends on |ssl|'s state. 3912 * 3913 * Prior to the start of the initial handshake, it returns the session the 3914 * caller set with |SSL_set_session|. After the initial handshake has finished 3915 * and if no additional handshakes are in progress, it returns the currently 3916 * active session. Its behavior is undefined while a handshake is in progress. 3917 * 3918 * If trying to add new sessions to an external session cache, use 3919 * |SSL_CTX_sess_set_new_cb| instead. In particular, using the callback is 3920 * required as of TLS 1.3. For compatibility, this function will return an 3921 * unresumable session which may be cached, but will never be resumed. 3922 * 3923 * If querying properties of the connection, use APIs on the |SSL| object. */ 3924 OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl); 3925 3926 /* SSL_get0_session is an alias for |SSL_get_session|. */ 3927 #define SSL_get0_session SSL_get_session 3928 3929 /* SSL_get1_session acts like |SSL_get_session| but returns a new reference to 3930 * the session. */ 3931 OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl); 3932 3933 3934 /* Private structures. 3935 * 3936 * This structures are exposed for historical reasons, but access to them is 3937 * deprecated. */ 3938 3939 typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD; 3940 typedef struct ssl_x509_method_st SSL_X509_METHOD; 3941 3942 struct ssl_cipher_st { 3943 /* name is the OpenSSL name for the cipher. */ 3944 const char *name; 3945 /* standard_name is the IETF name for the cipher. */ 3946 const char *standard_name; 3947 /* id is the cipher suite value bitwise OR-d with 0x03000000. */ 3948 uint32_t id; 3949 3950 /* algorithm_* are internal fields. See ssl/internal.h for their values. */ 3951 uint32_t algorithm_mkey; 3952 uint32_t algorithm_auth; 3953 uint32_t algorithm_enc; 3954 uint32_t algorithm_mac; 3955 uint32_t algorithm_prf; 3956 }; 3957 3958 #define SSL_MAX_SSL_SESSION_ID_LENGTH 32 3959 #define SSL_MAX_SID_CTX_LENGTH 32 3960 #define SSL_MAX_MASTER_KEY_LENGTH 48 3961 3962 struct ssl_session_st { 3963 CRYPTO_refcount_t references; 3964 int ssl_version; /* what ssl version session info is being kept in here? */ 3965 3966 /* group_id is the ID of the ECDH group used to establish this session or zero 3967 * if not applicable or unknown. */ 3968 uint16_t group_id; 3969 3970 /* peer_signature_algorithm is the signature algorithm used to authenticate 3971 * the peer, or zero if not applicable or unknown. */ 3972 uint16_t peer_signature_algorithm; 3973 3974 /* master_key, in TLS 1.2 and below, is the master secret associated with the 3975 * session. In TLS 1.3 and up, it is the resumption secret. */ 3976 int master_key_length; 3977 uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH]; 3978 3979 /* session_id - valid? */ 3980 unsigned int session_id_length; 3981 uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; 3982 /* this is used to determine whether the session is being reused in 3983 * the appropriate context. It is up to the application to set this, 3984 * via SSL_new */ 3985 uint8_t sid_ctx_length; 3986 uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 3987 3988 char *psk_identity; 3989 3990 /* certs contains the certificate chain from the peer, starting with the leaf 3991 * certificate. */ 3992 STACK_OF(CRYPTO_BUFFER) *certs; 3993 3994 const SSL_X509_METHOD *x509_method; 3995 3996 /* x509_peer is the peer's certificate. */ 3997 X509 *x509_peer; 3998 3999 /* x509_chain is the certificate chain sent by the peer. NOTE: for historical 4000 * reasons, when a client (so the peer is a server), the chain includes 4001 * |peer|, but when a server it does not. */ 4002 STACK_OF(X509) *x509_chain; 4003 4004 /* x509_chain_without_leaf is a lazily constructed copy of |x509_chain| that 4005 * omits the leaf certificate. This exists because OpenSSL, historically, 4006 * didn't include the leaf certificate in the chain for a server, but did for 4007 * a client. The |x509_chain| always includes it and, if an API call requires 4008 * a chain without, it is stored here. */ 4009 STACK_OF(X509) *x509_chain_without_leaf; 4010 4011 /* verify_result is the result of certificate verification in the case of 4012 * non-fatal certificate errors. */ 4013 long verify_result; 4014 4015 /* timeout is the lifetime of the session in seconds, measured from |time|. 4016 * This is renewable up to |auth_timeout|. */ 4017 uint32_t timeout; 4018 4019 /* auth_timeout is the non-renewable lifetime of the session in seconds, 4020 * measured from |time|. */ 4021 uint32_t auth_timeout; 4022 4023 /* time is the time the session was issued, measured in seconds from the UNIX 4024 * epoch. */ 4025 uint64_t time; 4026 4027 const SSL_CIPHER *cipher; 4028 4029 CRYPTO_EX_DATA ex_data; /* application specific data */ 4030 4031 /* These are used to make removal of session-ids more efficient and to 4032 * implement a maximum cache size. */ 4033 SSL_SESSION *prev, *next; 4034 char *tlsext_hostname; 4035 4036 /* RFC4507 info */ 4037 uint8_t *tlsext_tick; /* Session ticket */ 4038 size_t tlsext_ticklen; /* Session ticket length */ 4039 4040 size_t tlsext_signed_cert_timestamp_list_length; 4041 uint8_t *tlsext_signed_cert_timestamp_list; /* Server's list. */ 4042 4043 /* The OCSP response that came with the session. */ 4044 size_t ocsp_response_length; 4045 uint8_t *ocsp_response; 4046 4047 /* peer_sha256 contains the SHA-256 hash of the peer's certificate if 4048 * |peer_sha256_valid| is true. */ 4049 uint8_t peer_sha256[SHA256_DIGEST_LENGTH]; 4050 4051 /* original_handshake_hash contains the handshake hash (either SHA-1+MD5 or 4052 * SHA-2, depending on TLS version) for the original, full handshake that 4053 * created a session. This is used by Channel IDs during resumption. */ 4054 uint8_t original_handshake_hash[EVP_MAX_MD_SIZE]; 4055 uint8_t original_handshake_hash_len; 4056 4057 uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ 4058 4059 uint32_t ticket_age_add; 4060 4061 /* ticket_max_early_data is the maximum amount of data allowed to be sent as 4062 * early data. If zero, 0-RTT is disallowed. */ 4063 uint32_t ticket_max_early_data; 4064 4065 /* early_alpn is the ALPN protocol from the initial handshake. This is only 4066 * stored for TLS 1.3 and above in order to enforce ALPN matching for 0-RTT 4067 * resumptions. */ 4068 uint8_t *early_alpn; 4069 size_t early_alpn_len; 4070 4071 /* extended_master_secret is true if the master secret in this session was 4072 * generated using EMS and thus isn't vulnerable to the Triple Handshake 4073 * attack. */ 4074 unsigned extended_master_secret:1; 4075 4076 /* peer_sha256_valid is non-zero if |peer_sha256| is valid. */ 4077 unsigned peer_sha256_valid:1; /* Non-zero if peer_sha256 is valid */ 4078 4079 /* not_resumable is used to indicate that session resumption is disallowed. */ 4080 unsigned not_resumable:1; 4081 4082 /* ticket_age_add_valid is non-zero if |ticket_age_add| is valid. */ 4083 unsigned ticket_age_add_valid:1; 4084 4085 /* is_server is true if this session was created by a server. */ 4086 unsigned is_server:1; 4087 }; 4088 4089 /* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with 4090 * equal-preference groups. For TLS clients, the groups are moot because the 4091 * server picks the cipher and groups cannot be expressed on the wire. However, 4092 * for servers, the equal-preference groups allow the client's preferences to 4093 * be partially respected. (This only has an effect with 4094 * SSL_OP_CIPHER_SERVER_PREFERENCE). 4095 * 4096 * The equal-preference groups are expressed by grouping SSL_CIPHERs together. 4097 * All elements of a group have the same priority: no ordering is expressed 4098 * within a group. 4099 * 4100 * The values in |ciphers| are in one-to-one correspondence with 4101 * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of 4102 * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to 4103 * indicate that the corresponding SSL_CIPHER is not the last element of a 4104 * group, or 0 to indicate that it is. 4105 * 4106 * For example, if |in_group_flags| contains all zeros then that indicates a 4107 * traditional, fully-ordered preference. Every SSL_CIPHER is the last element 4108 * of the group (i.e. they are all in a one-element group). 4109 * 4110 * For a more complex example, consider: 4111 * ciphers: A B C D E F 4112 * in_group_flags: 1 1 0 0 1 0 4113 * 4114 * That would express the following, order: 4115 * 4116 * A E 4117 * B -> D -> F 4118 * C 4119 */ 4120 struct ssl_cipher_preference_list_st { 4121 STACK_OF(SSL_CIPHER) *ciphers; 4122 uint8_t *in_group_flags; 4123 }; 4124 4125 DECLARE_STACK_OF(SSL_CUSTOM_EXTENSION) 4126 4127 /* ssl_ctx_st (aka |SSL_CTX|) contains configuration common to several SSL 4128 * connections. */ 4129 struct ssl_ctx_st { 4130 const SSL_PROTOCOL_METHOD *method; 4131 const SSL_X509_METHOD *x509_method; 4132 4133 /* lock is used to protect various operations on this object. */ 4134 CRYPTO_MUTEX lock; 4135 4136 /* conf_max_version is the maximum acceptable protocol version configured by 4137 * |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS 4138 * and is further constrainted by |SSL_OP_NO_*|. */ 4139 uint16_t conf_max_version; 4140 4141 /* conf_min_version is the minimum acceptable protocol version configured by 4142 * |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS 4143 * and is further constrainted by |SSL_OP_NO_*|. */ 4144 uint16_t conf_min_version; 4145 4146 /* tls13_variant is the variant of TLS 1.3 we are using for this 4147 * configuration. */ 4148 enum tls13_variant_t tls13_variant; 4149 4150 struct ssl_cipher_preference_list_st *cipher_list; 4151 4152 X509_STORE *cert_store; 4153 LHASH_OF(SSL_SESSION) *sessions; 4154 /* Most session-ids that will be cached, default is 4155 * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ 4156 unsigned long session_cache_size; 4157 SSL_SESSION *session_cache_head; 4158 SSL_SESSION *session_cache_tail; 4159 4160 /* handshakes_since_cache_flush is the number of successful handshakes since 4161 * the last cache flush. */ 4162 int handshakes_since_cache_flush; 4163 4164 /* This can have one of 2 values, ored together, 4165 * SSL_SESS_CACHE_CLIENT, 4166 * SSL_SESS_CACHE_SERVER, 4167 * Default is SSL_SESSION_CACHE_SERVER, which means only 4168 * SSL_accept which cache SSL_SESSIONS. */ 4169 int session_cache_mode; 4170 4171 /* session_timeout is the default lifetime for new sessions in TLS 1.2 and 4172 * earlier, in seconds. */ 4173 uint32_t session_timeout; 4174 4175 /* session_psk_dhe_timeout is the default lifetime for new sessions in TLS 4176 * 1.3, in seconds. */ 4177 uint32_t session_psk_dhe_timeout; 4178 4179 /* If this callback is not null, it will be called each time a session id is 4180 * added to the cache. If this function returns 1, it means that the 4181 * callback will do a SSL_SESSION_free() when it has finished using it. 4182 * Otherwise, on 0, it means the callback has finished with it. If 4183 * remove_session_cb is not null, it will be called when a session-id is 4184 * removed from the cache. After the call, OpenSSL will SSL_SESSION_free() 4185 * it. */ 4186 int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess); 4187 void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess); 4188 SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *data, int len, 4189 int *copy); 4190 4191 CRYPTO_refcount_t references; 4192 4193 /* if defined, these override the X509_verify_cert() calls */ 4194 int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg); 4195 void *app_verify_arg; 4196 4197 /* Default password callback. */ 4198 pem_password_cb *default_passwd_callback; 4199 4200 /* Default password callback user data. */ 4201 void *default_passwd_callback_userdata; 4202 4203 /* get client cert callback */ 4204 int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey); 4205 4206 /* get channel id callback */ 4207 void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey); 4208 4209 CRYPTO_EX_DATA ex_data; 4210 4211 /* custom_*_extensions stores any callback sets for custom extensions. Note 4212 * that these pointers will be NULL if the stack would otherwise be empty. */ 4213 STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions; 4214 STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions; 4215 4216 /* Default values used when no per-SSL value is defined follow */ 4217 4218 void (*info_callback)(const SSL *ssl, int type, int value); 4219 4220 /* what we put in client cert requests */ 4221 STACK_OF(CRYPTO_BUFFER) *client_CA; 4222 4223 /* cached_x509_client_CA is a cache of parsed versions of the elements of 4224 * |client_CA|. */ 4225 STACK_OF(X509_NAME) *cached_x509_client_CA; 4226 4227 4228 /* Default values to use in SSL structures follow (these are copied by 4229 * SSL_new) */ 4230 4231 uint32_t options; 4232 uint32_t mode; 4233 uint32_t max_cert_list; 4234 4235 struct cert_st /* CERT */ *cert; 4236 4237 /* callback that allows applications to peek at protocol messages */ 4238 void (*msg_callback)(int write_p, int version, int content_type, 4239 const void *buf, size_t len, SSL *ssl, void *arg); 4240 void *msg_callback_arg; 4241 4242 int verify_mode; 4243 int (*default_verify_callback)( 4244 int ok, X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ 4245 4246 X509_VERIFY_PARAM *param; 4247 4248 /* select_certificate_cb is called before most ClientHello processing and 4249 * before the decision whether to resume a session is made. See 4250 * |ssl_select_cert_result_t| for details of the return values. */ 4251 enum ssl_select_cert_result_t (*select_certificate_cb)( 4252 const SSL_CLIENT_HELLO *); 4253 4254 /* dos_protection_cb is called once the resumption decision for a ClientHello 4255 * has been made. It returns one to continue the handshake or zero to 4256 * abort. */ 4257 int (*dos_protection_cb) (const SSL_CLIENT_HELLO *); 4258 4259 /* Maximum amount of data to send in one fragment. actual record size can be 4260 * more than this due to padding and MAC overheads. */ 4261 uint16_t max_send_fragment; 4262 4263 /* TLS extensions servername callback */ 4264 int (*tlsext_servername_callback)(SSL *, int *, void *); 4265 void *tlsext_servername_arg; 4266 /* RFC 4507 session ticket keys */ 4267 uint8_t tlsext_tick_key_name[SSL_TICKET_KEY_NAME_LEN]; 4268 uint8_t tlsext_tick_hmac_key[16]; 4269 uint8_t tlsext_tick_aes_key[16]; 4270 /* Callback to support customisation of ticket key setting */ 4271 int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv, 4272 EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); 4273 4274 /* Server-only: psk_identity_hint is the default identity hint to send in 4275 * PSK-based key exchanges. */ 4276 char *psk_identity_hint; 4277 4278 unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, 4279 char *identity, 4280 unsigned int max_identity_len, 4281 uint8_t *psk, unsigned int max_psk_len); 4282 unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, 4283 uint8_t *psk, unsigned int max_psk_len); 4284 4285 4286 /* retain_only_sha256_of_client_certs is true if we should compute the SHA256 4287 * hash of the peer's certificate and then discard it to save memory and 4288 * session space. Only effective on the server side. */ 4289 char retain_only_sha256_of_client_certs; 4290 4291 /* Next protocol negotiation information */ 4292 /* (for experimental NPN extension). */ 4293 4294 /* For a server, this contains a callback function by which the set of 4295 * advertised protocols can be provided. */ 4296 int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out, 4297 unsigned *out_len, void *arg); 4298 void *next_protos_advertised_cb_arg; 4299 /* For a client, this contains a callback function that selects the 4300 * next protocol from the list provided by the server. */ 4301 int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, 4302 const uint8_t *in, unsigned in_len, void *arg); 4303 void *next_proto_select_cb_arg; 4304 4305 /* ALPN information 4306 * (we are in the process of transitioning from NPN to ALPN.) */ 4307 4308 /* For a server, this contains a callback function that allows the 4309 * server to select the protocol for the connection. 4310 * out: on successful return, this must point to the raw protocol 4311 * name (without the length prefix). 4312 * outlen: on successful return, this contains the length of |*out|. 4313 * in: points to the client's list of supported protocols in 4314 * wire-format. 4315 * inlen: the length of |in|. */ 4316 int (*alpn_select_cb)(SSL *s, const uint8_t **out, uint8_t *out_len, 4317 const uint8_t *in, unsigned in_len, void *arg); 4318 void *alpn_select_cb_arg; 4319 4320 /* For a client, this contains the list of supported protocols in wire 4321 * format. */ 4322 uint8_t *alpn_client_proto_list; 4323 unsigned alpn_client_proto_list_len; 4324 4325 /* SRTP profiles we are willing to do from RFC 5764 */ 4326 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 4327 4328 /* Supported group values inherited by SSL structure */ 4329 size_t supported_group_list_len; 4330 uint16_t *supported_group_list; 4331 4332 /* The client's Channel ID private key. */ 4333 EVP_PKEY *tlsext_channel_id_private; 4334 4335 /* keylog_callback, if not NULL, is the key logging callback. See 4336 * |SSL_CTX_set_keylog_callback|. */ 4337 void (*keylog_callback)(const SSL *ssl, const char *line); 4338 4339 /* current_time_cb, if not NULL, is the function to use to get the current 4340 * time. It sets |*out_clock| to the current time. See 4341 * |SSL_CTX_set_current_time_cb|. */ 4342 void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock); 4343 4344 /* pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate 4345 * memory. */ 4346 CRYPTO_BUFFER_POOL *pool; 4347 4348 /* ticket_aead_method contains function pointers for opening and sealing 4349 * session tickets. */ 4350 const SSL_TICKET_AEAD_METHOD *ticket_aead_method; 4351 4352 /* verify_sigalgs, if not empty, is the set of signature algorithms 4353 * accepted from the peer in decreasing order of preference. */ 4354 uint16_t *verify_sigalgs; 4355 size_t num_verify_sigalgs; 4356 4357 /* quiet_shutdown is true if the connection should not send a close_notify on 4358 * shutdown. */ 4359 unsigned quiet_shutdown:1; 4360 4361 /* ocsp_stapling_enabled is only used by client connections and indicates 4362 * whether OCSP stapling will be requested. */ 4363 unsigned ocsp_stapling_enabled:1; 4364 4365 /* If true, a client will request certificate timestamps. */ 4366 unsigned signed_cert_timestamps_enabled:1; 4367 4368 /* tlsext_channel_id_enabled is one if Channel ID is enabled and zero 4369 * otherwise. For a server, means that we'll accept Channel IDs from clients. 4370 * For a client, means that we'll advertise support. */ 4371 unsigned tlsext_channel_id_enabled:1; 4372 4373 /* grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero 4374 * otherwise. */ 4375 unsigned grease_enabled:1; 4376 4377 /* i_promise_to_verify_certs_after_the_handshake indicates that the 4378 * application is using the |CRYPTO_BUFFER|-based methods and understands 4379 * that this currently requires post-handshake verification of 4380 * certificates. */ 4381 unsigned i_promise_to_verify_certs_after_the_handshake:1; 4382 4383 /* allow_unknown_alpn_protos is one if the client allows unsolicited ALPN 4384 * protocols from the peer. */ 4385 unsigned allow_unknown_alpn_protos:1; 4386 4387 /* ed25519_enabled is one if Ed25519 is advertised in the handshake. */ 4388 unsigned ed25519_enabled:1; 4389 }; 4390 4391 4392 /* Nodejs compatibility section (hidden). 4393 * 4394 * These defines exist for node.js, with the hope that we can eliminate the 4395 * need for them over time. */ 4396 #define SSLerr(function, reason) \ 4397 ERR_put_error(ERR_LIB_SSL, 0, reason, __FILE__, __LINE__) 4398 4399 4400 /* Preprocessor compatibility section (hidden). 4401 * 4402 * Historically, a number of APIs were implemented in OpenSSL as macros and 4403 * constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this 4404 * section defines a number of legacy macros. 4405 * 4406 * Although using either the CTRL values or their wrapper macros in #ifdefs is 4407 * still supported, the CTRL values may not be passed to |SSL_ctrl| and 4408 * |SSL_CTX_ctrl|. Call the functions (previously wrapper macros) instead. 4409 * 4410 * See PORTING.md in the BoringSSL source tree for a table of corresponding 4411 * functions. 4412 * https://boringssl.googlesource.com/boringssl/+/master/PORTING.md#Replacements-for-values 4413 */ 4414 4415 #define DTLS_CTRL_GET_TIMEOUT doesnt_exist 4416 #define DTLS_CTRL_HANDLE_TIMEOUT doesnt_exist 4417 #define SSL_CTRL_CHAIN doesnt_exist 4418 #define SSL_CTRL_CHAIN_CERT doesnt_exist 4419 #define SSL_CTRL_CHANNEL_ID doesnt_exist 4420 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS doesnt_exist 4421 #define SSL_CTRL_CLEAR_MODE doesnt_exist 4422 #define SSL_CTRL_CLEAR_OPTIONS doesnt_exist 4423 #define SSL_CTRL_EXTRA_CHAIN_CERT doesnt_exist 4424 #define SSL_CTRL_GET_CHAIN_CERTS doesnt_exist 4425 #define SSL_CTRL_GET_CHANNEL_ID doesnt_exist 4426 #define SSL_CTRL_GET_CLIENT_CERT_TYPES doesnt_exist 4427 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS doesnt_exist 4428 #define SSL_CTRL_GET_MAX_CERT_LIST doesnt_exist 4429 #define SSL_CTRL_GET_NUM_RENEGOTIATIONS doesnt_exist 4430 #define SSL_CTRL_GET_READ_AHEAD doesnt_exist 4431 #define SSL_CTRL_GET_RI_SUPPORT doesnt_exist 4432 #define SSL_CTRL_GET_SESSION_REUSED doesnt_exist 4433 #define SSL_CTRL_GET_SESS_CACHE_MODE doesnt_exist 4434 #define SSL_CTRL_GET_SESS_CACHE_SIZE doesnt_exist 4435 #define SSL_CTRL_GET_TLSEXT_TICKET_KEYS doesnt_exist 4436 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS doesnt_exist 4437 #define SSL_CTRL_MODE doesnt_exist 4438 #define SSL_CTRL_NEED_TMP_RSA doesnt_exist 4439 #define SSL_CTRL_OPTIONS doesnt_exist 4440 #define SSL_CTRL_SESS_NUMBER doesnt_exist 4441 #define SSL_CTRL_SET_CURVES doesnt_exist 4442 #define SSL_CTRL_SET_CURVES_LIST doesnt_exist 4443 #define SSL_CTRL_SET_ECDH_AUTO doesnt_exist 4444 #define SSL_CTRL_SET_MAX_CERT_LIST doesnt_exist 4445 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT doesnt_exist 4446 #define SSL_CTRL_SET_MSG_CALLBACK doesnt_exist 4447 #define SSL_CTRL_SET_MSG_CALLBACK_ARG doesnt_exist 4448 #define SSL_CTRL_SET_MTU doesnt_exist 4449 #define SSL_CTRL_SET_READ_AHEAD doesnt_exist 4450 #define SSL_CTRL_SET_SESS_CACHE_MODE doesnt_exist 4451 #define SSL_CTRL_SET_SESS_CACHE_SIZE doesnt_exist 4452 #define SSL_CTRL_SET_TLSEXT_HOSTNAME doesnt_exist 4453 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG doesnt_exist 4454 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB doesnt_exist 4455 #define SSL_CTRL_SET_TLSEXT_TICKET_KEYS doesnt_exist 4456 #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB doesnt_exist 4457 #define SSL_CTRL_SET_TMP_DH doesnt_exist 4458 #define SSL_CTRL_SET_TMP_DH_CB doesnt_exist 4459 #define SSL_CTRL_SET_TMP_ECDH doesnt_exist 4460 #define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist 4461 #define SSL_CTRL_SET_TMP_RSA doesnt_exist 4462 #define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist 4463 4464 #define DTLSv1_get_timeout DTLSv1_get_timeout 4465 #define DTLSv1_handle_timeout DTLSv1_handle_timeout 4466 #define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert 4467 #define SSL_CTX_add1_chain_cert SSL_CTX_add1_chain_cert 4468 #define SSL_CTX_add_extra_chain_cert SSL_CTX_add_extra_chain_cert 4469 #define SSL_CTX_clear_extra_chain_certs SSL_CTX_clear_extra_chain_certs 4470 #define SSL_CTX_clear_chain_certs SSL_CTX_clear_chain_certs 4471 #define SSL_CTX_clear_mode SSL_CTX_clear_mode 4472 #define SSL_CTX_clear_options SSL_CTX_clear_options 4473 #define SSL_CTX_get0_chain_certs SSL_CTX_get0_chain_certs 4474 #define SSL_CTX_get_extra_chain_certs SSL_CTX_get_extra_chain_certs 4475 #define SSL_CTX_get_max_cert_list SSL_CTX_get_max_cert_list 4476 #define SSL_CTX_get_mode SSL_CTX_get_mode 4477 #define SSL_CTX_get_options SSL_CTX_get_options 4478 #define SSL_CTX_get_read_ahead SSL_CTX_get_read_ahead 4479 #define SSL_CTX_get_session_cache_mode SSL_CTX_get_session_cache_mode 4480 #define SSL_CTX_get_tlsext_ticket_keys SSL_CTX_get_tlsext_ticket_keys 4481 #define SSL_CTX_need_tmp_RSA SSL_CTX_need_tmp_RSA 4482 #define SSL_CTX_sess_get_cache_size SSL_CTX_sess_get_cache_size 4483 #define SSL_CTX_sess_number SSL_CTX_sess_number 4484 #define SSL_CTX_sess_set_cache_size SSL_CTX_sess_set_cache_size 4485 #define SSL_CTX_set0_chain SSL_CTX_set0_chain 4486 #define SSL_CTX_set1_chain SSL_CTX_set1_chain 4487 #define SSL_CTX_set1_curves SSL_CTX_set1_curves 4488 #define SSL_CTX_set_max_cert_list SSL_CTX_set_max_cert_list 4489 #define SSL_CTX_set_max_send_fragment SSL_CTX_set_max_send_fragment 4490 #define SSL_CTX_set_mode SSL_CTX_set_mode 4491 #define SSL_CTX_set_msg_callback_arg SSL_CTX_set_msg_callback_arg 4492 #define SSL_CTX_set_options SSL_CTX_set_options 4493 #define SSL_CTX_set_read_ahead SSL_CTX_set_read_ahead 4494 #define SSL_CTX_set_session_cache_mode SSL_CTX_set_session_cache_mode 4495 #define SSL_CTX_set_tlsext_servername_arg SSL_CTX_set_tlsext_servername_arg 4496 #define SSL_CTX_set_tlsext_servername_callback \ 4497 SSL_CTX_set_tlsext_servername_callback 4498 #define SSL_CTX_set_tlsext_ticket_key_cb SSL_CTX_set_tlsext_ticket_key_cb 4499 #define SSL_CTX_set_tlsext_ticket_keys SSL_CTX_set_tlsext_ticket_keys 4500 #define SSL_CTX_set_tmp_dh SSL_CTX_set_tmp_dh 4501 #define SSL_CTX_set_tmp_ecdh SSL_CTX_set_tmp_ecdh 4502 #define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa 4503 #define SSL_add0_chain_cert SSL_add0_chain_cert 4504 #define SSL_add1_chain_cert SSL_add1_chain_cert 4505 #define SSL_clear_chain_certs SSL_clear_chain_certs 4506 #define SSL_clear_mode SSL_clear_mode 4507 #define SSL_clear_options SSL_clear_options 4508 #define SSL_get0_certificate_types SSL_get0_certificate_types 4509 #define SSL_get0_chain_certs SSL_get0_chain_certs 4510 #define SSL_get_max_cert_list SSL_get_max_cert_list 4511 #define SSL_get_mode SSL_get_mode 4512 #define SSL_get_options SSL_get_options 4513 #define SSL_get_secure_renegotiation_support \ 4514 SSL_get_secure_renegotiation_support 4515 #define SSL_need_tmp_RSA SSL_need_tmp_RSA 4516 #define SSL_num_renegotiations SSL_num_renegotiations 4517 #define SSL_session_reused SSL_session_reused 4518 #define SSL_set0_chain SSL_set0_chain 4519 #define SSL_set1_chain SSL_set1_chain 4520 #define SSL_set1_curves SSL_set1_curves 4521 #define SSL_set_max_cert_list SSL_set_max_cert_list 4522 #define SSL_set_max_send_fragment SSL_set_max_send_fragment 4523 #define SSL_set_mode SSL_set_mode 4524 #define SSL_set_msg_callback_arg SSL_set_msg_callback_arg 4525 #define SSL_set_mtu SSL_set_mtu 4526 #define SSL_set_options SSL_set_options 4527 #define SSL_set_tlsext_host_name SSL_set_tlsext_host_name 4528 #define SSL_set_tmp_dh SSL_set_tmp_dh 4529 #define SSL_set_tmp_ecdh SSL_set_tmp_ecdh 4530 #define SSL_set_tmp_rsa SSL_set_tmp_rsa 4531 #define SSL_total_renegotiations SSL_total_renegotiations 4532 4533 4534 #if defined(__cplusplus) 4535 } /* extern C */ 4536 4537 extern "C++" { 4538 4539 namespace bssl { 4540 4541 BORINGSSL_MAKE_DELETER(SSL, SSL_free) 4542 BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free) 4543 BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free) 4544 4545 } // namespace bssl 4546 4547 } /* extern C++ */ 4548 4549 #endif 4550 4551 #define SSL_R_APP_DATA_IN_HANDSHAKE 100 4552 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101 4553 #define SSL_R_BAD_ALERT 102 4554 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 4555 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 104 4556 #define SSL_R_BAD_DH_P_LENGTH 105 4557 #define SSL_R_BAD_DIGEST_LENGTH 106 4558 #define SSL_R_BAD_ECC_CERT 107 4559 #define SSL_R_BAD_ECPOINT 108 4560 #define SSL_R_BAD_HANDSHAKE_RECORD 109 4561 #define SSL_R_BAD_HELLO_REQUEST 110 4562 #define SSL_R_BAD_LENGTH 111 4563 #define SSL_R_BAD_PACKET_LENGTH 112 4564 #define SSL_R_BAD_RSA_ENCRYPT 113 4565 #define SSL_R_BAD_SIGNATURE 114 4566 #define SSL_R_BAD_SRTP_MKI_VALUE 115 4567 #define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 116 4568 #define SSL_R_BAD_SSL_FILETYPE 117 4569 #define SSL_R_BAD_WRITE_RETRY 118 4570 #define SSL_R_BIO_NOT_SET 119 4571 #define SSL_R_BN_LIB 120 4572 #define SSL_R_BUFFER_TOO_SMALL 121 4573 #define SSL_R_CA_DN_LENGTH_MISMATCH 122 4574 #define SSL_R_CA_DN_TOO_LONG 123 4575 #define SSL_R_CCS_RECEIVED_EARLY 124 4576 #define SSL_R_CERTIFICATE_VERIFY_FAILED 125 4577 #define SSL_R_CERT_CB_ERROR 126 4578 #define SSL_R_CERT_LENGTH_MISMATCH 127 4579 #define SSL_R_CHANNEL_ID_NOT_P256 128 4580 #define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 129 4581 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 130 4582 #define SSL_R_CLIENTHELLO_PARSE_FAILED 131 4583 #define SSL_R_CLIENTHELLO_TLSEXT 132 4584 #define SSL_R_CONNECTION_REJECTED 133 4585 #define SSL_R_CONNECTION_TYPE_NOT_SET 134 4586 #define SSL_R_CUSTOM_EXTENSION_ERROR 135 4587 #define SSL_R_DATA_LENGTH_TOO_LONG 136 4588 #define SSL_R_DECODE_ERROR 137 4589 #define SSL_R_DECRYPTION_FAILED 138 4590 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 139 4591 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 140 4592 #define SSL_R_DH_P_TOO_LONG 141 4593 #define SSL_R_DIGEST_CHECK_FAILED 142 4594 #define SSL_R_DTLS_MESSAGE_TOO_BIG 143 4595 #define SSL_R_ECC_CERT_NOT_FOR_SIGNING 144 4596 #define SSL_R_EMS_STATE_INCONSISTENT 145 4597 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 146 4598 #define SSL_R_ERROR_ADDING_EXTENSION 147 4599 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 148 4600 #define SSL_R_ERROR_PARSING_EXTENSION 149 4601 #define SSL_R_EXCESSIVE_MESSAGE_SIZE 150 4602 #define SSL_R_EXTRA_DATA_IN_MESSAGE 151 4603 #define SSL_R_FRAGMENT_MISMATCH 152 4604 #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 153 4605 #define SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO 154 4606 #define SSL_R_HTTPS_PROXY_REQUEST 155 4607 #define SSL_R_HTTP_REQUEST 156 4608 #define SSL_R_INAPPROPRIATE_FALLBACK 157 4609 #define SSL_R_INVALID_COMMAND 158 4610 #define SSL_R_INVALID_MESSAGE 159 4611 #define SSL_R_INVALID_SSL_SESSION 160 4612 #define SSL_R_INVALID_TICKET_KEYS_LENGTH 161 4613 #define SSL_R_LENGTH_MISMATCH 162 4614 #define SSL_R_MISSING_EXTENSION 164 4615 #define SSL_R_MISSING_RSA_CERTIFICATE 165 4616 #define SSL_R_MISSING_TMP_DH_KEY 166 4617 #define SSL_R_MISSING_TMP_ECDH_KEY 167 4618 #define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 168 4619 #define SSL_R_MTU_TOO_SMALL 169 4620 #define SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN 170 4621 #define SSL_R_NESTED_GROUP 171 4622 #define SSL_R_NO_CERTIFICATES_RETURNED 172 4623 #define SSL_R_NO_CERTIFICATE_ASSIGNED 173 4624 #define SSL_R_NO_CERTIFICATE_SET 174 4625 #define SSL_R_NO_CIPHERS_AVAILABLE 175 4626 #define SSL_R_NO_CIPHERS_PASSED 176 4627 #define SSL_R_NO_CIPHER_MATCH 177 4628 #define SSL_R_NO_COMPRESSION_SPECIFIED 178 4629 #define SSL_R_NO_METHOD_SPECIFIED 179 4630 #define SSL_R_NO_P256_SUPPORT 180 4631 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 181 4632 #define SSL_R_NO_RENEGOTIATION 182 4633 #define SSL_R_NO_REQUIRED_DIGEST 183 4634 #define SSL_R_NO_SHARED_CIPHER 184 4635 #define SSL_R_NULL_SSL_CTX 185 4636 #define SSL_R_NULL_SSL_METHOD_PASSED 186 4637 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 187 4638 #define SSL_R_OLD_SESSION_VERSION_NOT_RETURNED 188 4639 #define SSL_R_OUTPUT_ALIASES_INPUT 189 4640 #define SSL_R_PARSE_TLSEXT 190 4641 #define SSL_R_PATH_TOO_LONG 191 4642 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 192 4643 #define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 193 4644 #define SSL_R_PROTOCOL_IS_SHUTDOWN 194 4645 #define SSL_R_PSK_IDENTITY_NOT_FOUND 195 4646 #define SSL_R_PSK_NO_CLIENT_CB 196 4647 #define SSL_R_PSK_NO_SERVER_CB 197 4648 #define SSL_R_READ_TIMEOUT_EXPIRED 198 4649 #define SSL_R_RECORD_LENGTH_MISMATCH 199 4650 #define SSL_R_RECORD_TOO_LARGE 200 4651 #define SSL_R_RENEGOTIATION_ENCODING_ERR 201 4652 #define SSL_R_RENEGOTIATION_MISMATCH 202 4653 #define SSL_R_REQUIRED_CIPHER_MISSING 203 4654 #define SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION 204 4655 #define SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION 205 4656 #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 206 4657 #define SSL_R_SERVERHELLO_TLSEXT 207 4658 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 208 4659 #define SSL_R_SESSION_MAY_NOT_BE_CREATED 209 4660 #define SSL_R_SIGNATURE_ALGORITHMS_EXTENSION_SENT_BY_SERVER 210 4661 #define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 211 4662 #define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 212 4663 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME 213 4664 #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 214 4665 #define SSL_R_SSL_HANDSHAKE_FAILURE 215 4666 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 216 4667 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 217 4668 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 218 4669 #define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 219 4670 #define SSL_R_TOO_MANY_WARNING_ALERTS 220 4671 #define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 221 4672 #define SSL_R_UNEXPECTED_EXTENSION 222 4673 #define SSL_R_UNEXPECTED_MESSAGE 223 4674 #define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 224 4675 #define SSL_R_UNEXPECTED_RECORD 225 4676 #define SSL_R_UNINITIALIZED 226 4677 #define SSL_R_UNKNOWN_ALERT_TYPE 227 4678 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE 228 4679 #define SSL_R_UNKNOWN_CIPHER_RETURNED 229 4680 #define SSL_R_UNKNOWN_CIPHER_TYPE 230 4681 #define SSL_R_UNKNOWN_DIGEST 231 4682 #define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 232 4683 #define SSL_R_UNKNOWN_PROTOCOL 233 4684 #define SSL_R_UNKNOWN_SSL_VERSION 234 4685 #define SSL_R_UNKNOWN_STATE 235 4686 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 236 4687 #define SSL_R_UNSUPPORTED_CIPHER 237 4688 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 238 4689 #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 239 4690 #define SSL_R_UNSUPPORTED_PROTOCOL 240 4691 #define SSL_R_WRONG_CERTIFICATE_TYPE 241 4692 #define SSL_R_WRONG_CIPHER_RETURNED 242 4693 #define SSL_R_WRONG_CURVE 243 4694 #define SSL_R_WRONG_MESSAGE_TYPE 244 4695 #define SSL_R_WRONG_SIGNATURE_TYPE 245 4696 #define SSL_R_WRONG_SSL_VERSION 246 4697 #define SSL_R_WRONG_VERSION_NUMBER 247 4698 #define SSL_R_X509_LIB 248 4699 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 249 4700 #define SSL_R_SHUTDOWN_WHILE_IN_INIT 250 4701 #define SSL_R_INVALID_OUTER_RECORD_TYPE 251 4702 #define SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY 252 4703 #define SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS 253 4704 #define SSL_R_DOWNGRADE_DETECTED 254 4705 #define SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE 255 4706 #define SSL_R_INVALID_COMPRESSION_LIST 256 4707 #define SSL_R_DUPLICATE_EXTENSION 257 4708 #define SSL_R_MISSING_KEY_SHARE 258 4709 #define SSL_R_INVALID_ALPN_PROTOCOL 259 4710 #define SSL_R_TOO_MANY_KEY_UPDATES 260 4711 #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 261 4712 #define SSL_R_NO_CIPHERS_SPECIFIED 262 4713 #define SSL_R_RENEGOTIATION_EMS_MISMATCH 263 4714 #define SSL_R_DUPLICATE_KEY_SHARE 264 4715 #define SSL_R_NO_GROUPS_SPECIFIED 265 4716 #define SSL_R_NO_SHARED_GROUP 266 4717 #define SSL_R_PRE_SHARED_KEY_MUST_BE_LAST 267 4718 #define SSL_R_OLD_SESSION_PRF_HASH_MISMATCH 268 4719 #define SSL_R_INVALID_SCT_LIST 269 4720 #define SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA 270 4721 #define SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH 271 4722 #define SSL_R_CANNOT_PARSE_LEAF_CERT 272 4723 #define SSL_R_SERVER_CERT_CHANGED 273 4724 #define SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH 274 4725 #define SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD 275 4726 #define SSL_R_TICKET_ENCRYPTION_FAILED 276 4727 #define SSL_R_ALPN_MISMATCH_ON_EARLY_DATA 277 4728 #define SSL_R_WRONG_VERSION_ON_EARLY_DATA 278 4729 #define SSL_R_CHANNEL_ID_ON_EARLY_DATA 279 4730 #define SSL_R_NO_SUPPORTED_VERSIONS_ENABLED 280 4731 #define SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE 281 4732 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000 4733 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 4734 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 4735 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 4736 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 4737 #define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030 4738 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 4739 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 4740 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 4741 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 4742 #define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044 4743 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 4744 #define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046 4745 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 4746 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 4747 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 4748 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 4749 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 4750 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 4751 #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 4752 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 4753 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 4754 #define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 4755 #define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 4756 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 4757 #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 4758 #define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 4759 #define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 4760 #define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 4761 #define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 4762 #define SSL_R_TLSV1_UNKNOWN_PSK_IDENTITY 1115 4763 #define SSL_R_TLSV1_CERTIFICATE_REQUIRED 1116 4764 #define SSL_R_TOO_MUCH_READ_EARLY_DATA 1117 4765 4766 #endif /* OPENSSL_HEADER_SSL_H */ 4767