/
ssl.h
2461 lines (2201 loc) · 109 KB
/
ssl.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_SSL_H
# define HEADER_SSL_H
# include <openssl/e_os2.h>
# include <openssl/opensslconf.h>
# include <openssl/comp.h>
# include <openssl/bio.h>
# if !OPENSSL_API_1_1_0
# include <openssl/x509.h>
# include <openssl/crypto.h>
# include <openssl/buffer.h>
# endif
# include <openssl/lhash.h>
# include <openssl/pem.h>
# include <openssl/hmac.h>
# include <openssl/async.h>
# include <openssl/safestack.h>
# include <openssl/symhacks.h>
# include <openssl/ct.h>
# include <openssl/sslerr.h>
#ifdef __cplusplus
extern "C" {
#endif
/* OpenSSL version number for ASN.1 encoding of the session information */
/*-
* Version 0 - initial version
* Version 1 - added the optional peer certificate
*/
# define SSL_SESSION_ASN1_VERSION 0x0001
# define SSL_MAX_SSL_SESSION_ID_LENGTH 32
# define SSL_MAX_SID_CTX_LENGTH 32
# define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8)
# define SSL_MAX_KEY_ARG_LENGTH 8
# define SSL_MAX_MASTER_KEY_LENGTH 48
/* The maximum number of encrypt/decrypt pipelines we can support */
# define SSL_MAX_PIPELINES 32
/* text strings for the ciphers */
/* These are used to specify which ciphers to use and not to use */
# define SSL_TXT_LOW "LOW"
# define SSL_TXT_MEDIUM "MEDIUM"
# define SSL_TXT_HIGH "HIGH"
# define SSL_TXT_FIPS "FIPS"
# define SSL_TXT_aNULL "aNULL"
# define SSL_TXT_eNULL "eNULL"
# define SSL_TXT_NULL "NULL"
# define SSL_TXT_kRSA "kRSA"
# define SSL_TXT_kDHr "kDHr"/* this cipher class has been removed */
# define SSL_TXT_kDHd "kDHd"/* this cipher class has been removed */
# define SSL_TXT_kDH "kDH"/* this cipher class has been removed */
# define SSL_TXT_kEDH "kEDH"/* alias for kDHE */
# define SSL_TXT_kDHE "kDHE"
# define SSL_TXT_kECDHr "kECDHr"/* this cipher class has been removed */
# define SSL_TXT_kECDHe "kECDHe"/* this cipher class has been removed */
# define SSL_TXT_kECDH "kECDH"/* this cipher class has been removed */
# define SSL_TXT_kEECDH "kEECDH"/* alias for kECDHE */
# define SSL_TXT_kECDHE "kECDHE"
# define SSL_TXT_kPSK "kPSK"
# define SSL_TXT_kRSAPSK "kRSAPSK"
# define SSL_TXT_kECDHEPSK "kECDHEPSK"
# define SSL_TXT_kDHEPSK "kDHEPSK"
# define SSL_TXT_kGOST "kGOST"
# define SSL_TXT_kSRP "kSRP"
# define SSL_TXT_aRSA "aRSA"
# define SSL_TXT_aDSS "aDSS"
# define SSL_TXT_aDH "aDH"/* this cipher class has been removed */
# define SSL_TXT_aECDH "aECDH"/* this cipher class has been removed */
# define SSL_TXT_aECDSA "aECDSA"
# define SSL_TXT_aPSK "aPSK"
# define SSL_TXT_aGOST94 "aGOST94"
# define SSL_TXT_aGOST01 "aGOST01"
# define SSL_TXT_aGOST12 "aGOST12"
# define SSL_TXT_aGOST "aGOST"
# define SSL_TXT_aSRP "aSRP"
# define SSL_TXT_DSS "DSS"
# define SSL_TXT_DH "DH"
# define SSL_TXT_DHE "DHE"/* same as "kDHE:-ADH" */
# define SSL_TXT_EDH "EDH"/* alias for DHE */
# define SSL_TXT_ADH "ADH"
# define SSL_TXT_RSA "RSA"
# define SSL_TXT_ECDH "ECDH"
# define SSL_TXT_EECDH "EECDH"/* alias for ECDHE" */
# define SSL_TXT_ECDHE "ECDHE"/* same as "kECDHE:-AECDH" */
# define SSL_TXT_AECDH "AECDH"
# define SSL_TXT_ECDSA "ECDSA"
# define SSL_TXT_PSK "PSK"
# define SSL_TXT_SRP "SRP"
# define SSL_TXT_DES "DES"
# define SSL_TXT_3DES "3DES"
# define SSL_TXT_RC4 "RC4"
# define SSL_TXT_RC2 "RC2"
# define SSL_TXT_IDEA "IDEA"
# define SSL_TXT_SEED "SEED"
# define SSL_TXT_AES128 "AES128"
# define SSL_TXT_AES256 "AES256"
# define SSL_TXT_AES "AES"
# define SSL_TXT_AES_GCM "AESGCM"
# define SSL_TXT_AES_CCM "AESCCM"
# define SSL_TXT_AES_CCM_8 "AESCCM8"
# define SSL_TXT_CAMELLIA128 "CAMELLIA128"
# define SSL_TXT_CAMELLIA256 "CAMELLIA256"
# define SSL_TXT_CAMELLIA "CAMELLIA"
# define SSL_TXT_CHACHA20 "CHACHA20"
# define SSL_TXT_GOST "GOST89"
# define SSL_TXT_ARIA "ARIA"
# define SSL_TXT_ARIA_GCM "ARIAGCM"
# define SSL_TXT_ARIA128 "ARIA128"
# define SSL_TXT_ARIA256 "ARIA256"
# define SSL_TXT_MD5 "MD5"
# define SSL_TXT_SHA1 "SHA1"
# define SSL_TXT_SHA "SHA"/* same as "SHA1" */
# define SSL_TXT_GOST94 "GOST94"
# define SSL_TXT_GOST89MAC "GOST89MAC"
# define SSL_TXT_GOST12 "GOST12"
# define SSL_TXT_GOST89MAC12 "GOST89MAC12"
# define SSL_TXT_SHA256 "SHA256"
# define SSL_TXT_SHA384 "SHA384"
# define SSL_TXT_SSLV3 "SSLv3"
# define SSL_TXT_TLSV1 "TLSv1"
# define SSL_TXT_TLSV1_1 "TLSv1.1"
# define SSL_TXT_TLSV1_2 "TLSv1.2"
# define SSL_TXT_ALL "ALL"
/*-
* COMPLEMENTOF* definitions. These identifiers are used to (de-select)
* ciphers normally not being used.
* Example: "RC4" will activate all ciphers using RC4 including ciphers
* without authentication, which would normally disabled by DEFAULT (due
* the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
* will make sure that it is also disabled in the specific selection.
* COMPLEMENTOF* identifiers are portable between version, as adjustments
* to the default cipher setup will also be included here.
*
* COMPLEMENTOFDEFAULT does not experience the same special treatment that
* DEFAULT gets, as only selection is being done and no sorting as needed
* for DEFAULT.
*/
# define SSL_TXT_CMPALL "COMPLEMENTOFALL"
# define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
/*
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
* This applies to ciphersuites for TLSv1.2 and below.
* DEPRECATED IN 3.0.0, in favor of OSSL_default_cipher_list()
* Update both macro and function simultaneously
*/
# if !OPENSSL_API_3
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
/*
* This is the default set of TLSv1.3 ciphersuites
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
* Update both macro and function simultaneously
*/
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
"TLS_CHACHA20_POLY1305_SHA256:" \
"TLS_AES_128_GCM_SHA256"
# else
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
"TLS_AES_128_GCM_SHA256"
# endif
# endif
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
# define SSL_RECEIVED_SHUTDOWN 2
#ifdef __cplusplus
}
#endif
#ifdef __cplusplus
extern "C" {
#endif
# define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
# define SSL_FILETYPE_PEM X509_FILETYPE_PEM
/*
* This is needed to stop compilers complaining about the 'struct ssl_st *'
* function parameters used to prototype callbacks in SSL_CTX.
*/
typedef struct ssl_st *ssl_crock_st;
typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
typedef struct ssl_method_st SSL_METHOD;
typedef struct ssl_cipher_st SSL_CIPHER;
typedef struct ssl_session_st SSL_SESSION;
typedef struct tls_sigalgs_st TLS_SIGALGS;
typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
typedef struct ssl_comp_st SSL_COMP;
STACK_OF(SSL_CIPHER);
STACK_OF(SSL_COMP);
/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
typedef struct srtp_protection_profile_st {
const char *name;
unsigned long id;
} SRTP_PROTECTION_PROFILE;
DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
int len, void *arg);
typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
const SSL_CIPHER **cipher, void *arg);
/* Extension context codes */
/* This extension is only allowed in TLS */
#define SSL_EXT_TLS_ONLY 0x0001
/* This extension is only allowed in DTLS */
#define SSL_EXT_DTLS_ONLY 0x0002
/* Some extensions may be allowed in DTLS but we don't implement them for it */
#define SSL_EXT_TLS_IMPLEMENTATION_ONLY 0x0004
/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
#define SSL_EXT_SSL3_ALLOWED 0x0008
/* Extension is only defined for TLS1.2 and below */
#define SSL_EXT_TLS1_2_AND_BELOW_ONLY 0x0010
/* Extension is only defined for TLS1.3 and above */
#define SSL_EXT_TLS1_3_ONLY 0x0020
/* Ignore this extension during parsing if we are resuming */
#define SSL_EXT_IGNORE_ON_RESUMPTION 0x0040
#define SSL_EXT_CLIENT_HELLO 0x0080
/* Really means TLS1.2 or below */
#define SSL_EXT_TLS1_2_SERVER_HELLO 0x0100
#define SSL_EXT_TLS1_3_SERVER_HELLO 0x0200
#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 0x0400
#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 0x0800
#define SSL_EXT_TLS1_3_CERTIFICATE 0x1000
#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET 0x2000
#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 0x4000
/* Typedefs for handling custom extensions */
typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type,
const unsigned char **out, size_t *outlen,
int *al, void *add_arg);
typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type,
const unsigned char *out, void *add_arg);
typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type,
const unsigned char *in, size_t inlen,
int *al, void *parse_arg);
typedef int (*SSL_custom_ext_add_cb_ex)(SSL *s, unsigned int ext_type,
unsigned int context,
const unsigned char **out,
size_t *outlen, X509 *x,
size_t chainidx,
int *al, void *add_arg);
typedef void (*SSL_custom_ext_free_cb_ex)(SSL *s, unsigned int ext_type,
unsigned int context,
const unsigned char *out,
void *add_arg);
typedef int (*SSL_custom_ext_parse_cb_ex)(SSL *s, unsigned int ext_type,
unsigned int context,
const unsigned char *in,
size_t inlen, X509 *x,
size_t chainidx,
int *al, void *parse_arg);
/* Typedef for verification callback */
typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
/* Typedef for SSL async callback */
typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
/*
* Some values are reserved until OpenSSL 3.0.0 because they were previously
* included in SSL_OP_ALL in a 1.1.x release.
*/
/* Disable Extended master secret */
# define SSL_OP_NO_EXTENDED_MASTER_SECRET 0x00000001U
/* Reserved value (until OpenSSL 3.0.0) 0x00000002U */
/* Allow initial connection to servers that don't support RI */
# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
/* Reserved value (until OpenSSL 3.0.0) 0x00000008U */
# define SSL_OP_TLSEXT_PADDING 0x00000010U
/* Reserved value (until OpenSSL 3.0.0) 0x00000020U */
# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
/*
* Reserved value (until OpenSSL 3.0.0) 0x00000080U
* Reserved value (until OpenSSL 3.0.0) 0x00000100U
* Reserved value (until OpenSSL 3.0.0) 0x00000200U
*/
/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000400U
/*
* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
* OpenSSL 0.9.6d. Usually (depending on the application protocol) the
* workaround is not needed. Unfortunately some broken SSL/TLS
* implementations cannot handle it at all, which is why we include it in
* SSL_OP_ALL. Added in 0.9.6e
*/
# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800U
/* DTLS options */
# define SSL_OP_NO_QUERY_MTU 0x00001000U
/* Turn on Cookie Exchange (on relevant for servers) */
# define SSL_OP_COOKIE_EXCHANGE 0x00002000U
/* Don't use RFC4507 ticket extension */
# define SSL_OP_NO_TICKET 0x00004000U
# ifndef OPENSSL_NO_DTLS1_METHOD
/* Use Cisco's "speshul" version of DTLS_BAD_VER
* (only with deprecated DTLSv1_client_method()) */
# define SSL_OP_CISCO_ANYCONNECT 0x00008000U
# endif
/* As server, disallow session resumption on renegotiation */
# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000U
/* Don't use compression even if supported */
# define SSL_OP_NO_COMPRESSION 0x00020000U
/* Permit unsafe legacy renegotiation */
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
/* Disable encrypt-then-mac */
# define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U
/*
* Enable TLSv1.3 Compatibility mode. This is on by default. A future version
* of OpenSSL may have this disabled by default.
*/
# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0x00100000U
/* Prioritize Chacha20Poly1305 when client does.
* Modifies SSL_OP_CIPHER_SERVER_PREFERENCE */
# define SSL_OP_PRIORITIZE_CHACHA 0x00200000U
/*
* Set on servers to choose the cipher according to the server's preferences
*/
# define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000U
/*
* If set, a server will allow a client to issue a SSLv3.0 version number as
* latest version supported in the premaster secret, even when TLSv1.0
* (version 3.1) was announced in the client hello. Normally this is
* forbidden to prevent version rollback attacks.
*/
# define SSL_OP_TLS_ROLLBACK_BUG 0x00800000U
/*
* Switches off automatic TLSv1.3 anti-replay protection for early data. This
* is a server-side option only (no effect on the client).
*/
# define SSL_OP_NO_ANTI_REPLAY 0x01000000U
# define SSL_OP_NO_SSLv3 0x02000000U
# define SSL_OP_NO_TLSv1 0x04000000U
# define SSL_OP_NO_TLSv1_2 0x08000000U
# define SSL_OP_NO_TLSv1_1 0x10000000U
# define SSL_OP_NO_TLSv1_3 0x20000000U
# define SSL_OP_NO_DTLSv1 0x04000000U
# define SSL_OP_NO_DTLSv1_2 0x08000000U
# define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_3)
# define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
/* Disallow all renegotiation */
# define SSL_OP_NO_RENEGOTIATION 0x40000000U
/*
* Make server add server-hello extension from early version of cryptopro
* draft, when GOST ciphersuite is negotiated. Required for interoperability
* with CryptoPro CSP 3.x
*/
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000U
/*
* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7.
* This used to be 0x80000BFFU before 1.1.1.
*/
# define SSL_OP_ALL (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\
SSL_OP_LEGACY_SERVER_CONNECT|\
SSL_OP_TLSEXT_PADDING|\
SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
/* OBSOLETE OPTIONS: retained for compatibility */
/* Removed from OpenSSL 1.1.0. Was 0x00000001L */
/* Related to removed SSLv2. */
# define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0
/* Removed from OpenSSL 1.1.0. Was 0x00000002L */
/* Related to removed SSLv2. */
# define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0
/* Removed from OpenSSL 0.9.8q and 1.0.0c. Was 0x00000008L */
/* Dead forever, see CVE-2010-4180 */
# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0
/* Removed from OpenSSL 1.0.1h and 1.0.2. Was 0x00000010L */
/* Refers to ancient SSLREF and SSLv2. */
# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
/* Removed from OpenSSL 1.1.0. Was 0x00000020 */
# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0
/* Removed from OpenSSL 0.9.7h and 0.9.8b. Was 0x00000040L */
# define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
/* Removed from OpenSSL 1.1.0. Was 0x00000080 */
/* Ancient SSLeay version. */
# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
/* Removed from OpenSSL 1.1.0. Was 0x00000100L */
# define SSL_OP_TLS_D5_BUG 0x0
/* Removed from OpenSSL 1.1.0. Was 0x00000200L */
# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0
/* Removed from OpenSSL 1.1.0. Was 0x00080000L */
# define SSL_OP_SINGLE_ECDH_USE 0x0
/* Removed from OpenSSL 1.1.0. Was 0x00100000L */
# define SSL_OP_SINGLE_DH_USE 0x0
/* Removed from OpenSSL 1.0.1k and 1.0.2. Was 0x00200000L */
# define SSL_OP_EPHEMERAL_RSA 0x0
/* Removed from OpenSSL 1.1.0. Was 0x01000000L */
# define SSL_OP_NO_SSLv2 0x0
/* Removed from OpenSSL 1.0.1. Was 0x08000000L */
# define SSL_OP_PKCS1_CHECK_1 0x0
/* Removed from OpenSSL 1.0.1. Was 0x10000000L */
# define SSL_OP_PKCS1_CHECK_2 0x0
/* Removed from OpenSSL 1.1.0. Was 0x20000000L */
# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
/* Removed from OpenSSL 1.1.0. Was 0x40000000L */
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0
/*
* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
* when just a single record has been written):
*/
# define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001U
/*
* Make it possible to retry SSL_write() with changed buffer location (buffer
* contents must stay the same!); this is not the default to avoid the
* misconception that non-blocking SSL_write() behaves like non-blocking
* write():
*/
# define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002U
/*
* Never bother the application with retries if the transport is blocking:
*/
# define SSL_MODE_AUTO_RETRY 0x00000004U
/* Don't attempt to automatically build certificate chain */
# define SSL_MODE_NO_AUTO_CHAIN 0x00000008U
/*
* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
* TLS only.) Released buffers are freed.
*/
# define SSL_MODE_RELEASE_BUFFERS 0x00000010U
/*
* Send the current time in the Random fields of the ClientHello and
* ServerHello records for compatibility with hypothetical implementations
* that require it.
*/
# define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020U
# define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040U
/*
* Send TLS_FALLBACK_SCSV in the ClientHello. To be set only by applications
* that reconnect with a downgraded protocol version; see
* draft-ietf-tls-downgrade-scsv-00 for details. DO NOT ENABLE THIS if your
* application attempts a normal handshake. Only use this in explicit
* fallback retries, following the guidance in
* draft-ietf-tls-downgrade-scsv-00.
*/
# define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080U
/*
* Support Asynchronous operation
*/
# define SSL_MODE_ASYNC 0x00000100U
/*
* Don't use the kernel TLS data-path for sending.
*/
# define SSL_MODE_NO_KTLS_TX 0x00000200U
/*
* When using DTLS/SCTP, include the terminating zero in the label
* used for computing the endpoint-pair shared secret. Required for
* interoperability with implementations having this bug like these
* older version of OpenSSL:
* - OpenSSL 1.0.0 series
* - OpenSSL 1.0.1 series
* - OpenSSL 1.0.2 series
* - OpenSSL 1.1.0 series
* - OpenSSL 1.1.1 and 1.1.1a
*/
# define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U
/*
* Don't use the kernel TLS data-path for receiving.
*/
# define SSL_MODE_NO_KTLS_RX 0x00000800U
/* Cert related flags */
/*
* Many implementations ignore some aspects of the TLS standards such as
* enforcing certificate chain algorithms. When this is set we enforce them.
*/
# define SSL_CERT_FLAG_TLS_STRICT 0x00000001U
/* Suite B modes, takes same values as certificate verify flags */
# define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY 0x10000
/* Suite B 192 bit only mode */
# define SSL_CERT_FLAG_SUITEB_192_LOS 0x20000
/* Suite B 128 bit mode allowing 192 bit algorithms */
# define SSL_CERT_FLAG_SUITEB_128_LOS 0x30000
/* Perform all sorts of protocol violations for testing purposes */
# define SSL_CERT_FLAG_BROKEN_PROTOCOL 0x10000000
/* Flags for building certificate chains */
/* Treat any existing certificates as untrusted CAs */
# define SSL_BUILD_CHAIN_FLAG_UNTRUSTED 0x1
/* Don't include root CA in chain */
# define SSL_BUILD_CHAIN_FLAG_NO_ROOT 0x2
/* Just check certificates already there */
# define SSL_BUILD_CHAIN_FLAG_CHECK 0x4
/* Ignore verification errors */
# define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8
/* Clear verification errors from queue */
# define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
/* Flags returned by SSL_check_chain */
/* Certificate can be used with this session */
# define CERT_PKEY_VALID 0x1
/* Certificate can also be used for signing */
# define CERT_PKEY_SIGN 0x2
/* EE certificate signing algorithm OK */
# define CERT_PKEY_EE_SIGNATURE 0x10
/* CA signature algorithms OK */
# define CERT_PKEY_CA_SIGNATURE 0x20
/* EE certificate parameters OK */
# define CERT_PKEY_EE_PARAM 0x40
/* CA certificate parameters OK */
# define CERT_PKEY_CA_PARAM 0x80
/* Signing explicitly allowed as opposed to SHA1 fallback */
# define CERT_PKEY_EXPLICIT_SIGN 0x100
/* Client CA issuer names match (always set for server cert) */
# define CERT_PKEY_ISSUER_NAME 0x200
/* Cert type matches client types (always set for server cert) */
# define CERT_PKEY_CERT_TYPE 0x400
/* Cert chain suitable to Suite B */
# define CERT_PKEY_SUITEB 0x800
# define SSL_CONF_FLAG_CMDLINE 0x1
# define SSL_CONF_FLAG_FILE 0x2
# define SSL_CONF_FLAG_CLIENT 0x4
# define SSL_CONF_FLAG_SERVER 0x8
# define SSL_CONF_FLAG_SHOW_ERRORS 0x10
# define SSL_CONF_FLAG_CERTIFICATE 0x20
# define SSL_CONF_FLAG_REQUIRE_PRIVATE 0x40
/* Configuration value types */
# define SSL_CONF_TYPE_UNKNOWN 0x0
# define SSL_CONF_TYPE_STRING 0x1
# define SSL_CONF_TYPE_FILE 0x2
# define SSL_CONF_TYPE_DIR 0x3
# define SSL_CONF_TYPE_NONE 0x4
/* Maximum length of the application-controlled segment of a a TLSv1.3 cookie */
# define SSL_COOKIE_LENGTH 4096
/*
* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they
* cannot be used to clear bits.
*/
unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
unsigned long SSL_get_options(const SSL *s);
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
unsigned long SSL_clear_options(SSL *s, unsigned long op);
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
unsigned long SSL_set_options(SSL *s, unsigned long op);
# define SSL_CTX_set_mode(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
# define SSL_CTX_clear_mode(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
# define SSL_CTX_get_mode(ctx) \
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
# define SSL_clear_mode(ssl,op) \
SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
# define SSL_set_mode(ssl,op) \
SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
# define SSL_get_mode(ssl) \
SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
# define SSL_set_mtu(ssl, mtu) \
SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
# define DTLS_set_link_mtu(ssl, mtu) \
SSL_ctrl((ssl),DTLS_CTRL_SET_LINK_MTU,(mtu),NULL)
# define DTLS_get_link_min_mtu(ssl) \
SSL_ctrl((ssl),DTLS_CTRL_GET_LINK_MIN_MTU,0,NULL)
# define SSL_get_secure_renegotiation_support(ssl) \
SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
# define SSL_CTX_set_cert_flags(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL)
# define SSL_set_cert_flags(s,op) \
SSL_ctrl((s),SSL_CTRL_CERT_FLAGS,(op),NULL)
# define SSL_CTX_clear_cert_flags(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
# define SSL_clear_cert_flags(s,op) \
SSL_ctrl((s),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
void (*cb) (int write_p, int version,
int content_type, const void *buf,
size_t len, SSL *ssl, void *arg));
void SSL_set_msg_callback(SSL *ssl,
void (*cb) (int write_p, int version,
int content_type, const void *buf,
size_t len, SSL *ssl, void *arg));
# define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
# define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
# define SSL_get_extms_support(s) \
SSL_ctrl((s),SSL_CTRL_GET_EXTMS_SUPPORT,0,NULL)
# ifndef OPENSSL_NO_SRP
/* see tls_srp.c */
__owur int SSL_SRP_CTX_init(SSL *s);
__owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
int SSL_SRP_CTX_free(SSL *ctx);
int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
__owur int SSL_srp_server_param_with_username(SSL *s, int *ad);
__owur int SRP_Calc_A_param(SSL *s);
# endif
/* 100k max cert list */
# define SSL_MAX_CERT_LIST_DEFAULT 1024*100
# define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
/*
* This callback type is used inside SSL_CTX, SSL, and in the functions that
* set them. It is used to override the generation of SSL/TLS session IDs in
* a server. Return value should be zero on an error, non-zero to proceed.
* Also, callbacks should themselves check if the id they generate is unique
* otherwise the SSL handshake will fail with an error - callbacks can do
* this using the 'ssl' value they're passed by;
* SSL_has_matching_session_id(ssl, id, *id_len) The length value passed in
* is set at the maximum size the session ID can be. In SSLv3/TLSv1 it is 32
* bytes. The callback can alter this length to be less if desired. It is
* also an error for the callback to set the size to zero.
*/
typedef int (*GEN_SESSION_CB) (SSL *ssl, unsigned char *id,
unsigned int *id_len);
# define SSL_SESS_CACHE_OFF 0x0000
# define SSL_SESS_CACHE_CLIENT 0x0001
# define SSL_SESS_CACHE_SERVER 0x0002
# define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
# define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
# define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
# define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
# define SSL_SESS_CACHE_NO_INTERNAL \
(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
# define SSL_CTX_sess_number(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
# define SSL_CTX_sess_connect(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
# define SSL_CTX_sess_connect_good(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
# define SSL_CTX_sess_connect_renegotiate(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
# define SSL_CTX_sess_accept(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
# define SSL_CTX_sess_accept_renegotiate(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
# define SSL_CTX_sess_accept_good(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
# define SSL_CTX_sess_hits(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
# define SSL_CTX_sess_cb_hits(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
# define SSL_CTX_sess_misses(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
# define SSL_CTX_sess_timeouts(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
# define SSL_CTX_sess_cache_full(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
int (*new_session_cb) (struct ssl_st *ssl,
SSL_SESSION *sess));
int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)) (struct ssl_st *ssl,
SSL_SESSION *sess);
void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
void (*remove_session_cb) (struct ssl_ctx_st
*ctx,
SSL_SESSION *sess));
void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)) (struct ssl_ctx_st *ctx,
SSL_SESSION *sess);
void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
SSL_SESSION *(*get_session_cb) (struct ssl_st
*ssl,
const unsigned char
*data, int len,
int *copy));
SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx)) (struct ssl_st *ssl,
const unsigned char *data,
int len, int *copy);
void SSL_CTX_set_info_callback(SSL_CTX *ctx,
void (*cb) (const SSL *ssl, int type, int val));
void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type,
int val);
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
int (*client_cert_cb) (SSL *ssl, X509 **x509,
EVP_PKEY **pkey));
int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx)) (SSL *ssl, X509 **x509,
EVP_PKEY **pkey);
# ifndef OPENSSL_NO_ENGINE
__owur int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
# endif
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
int (*app_gen_cookie_cb) (SSL *ssl,
unsigned char
*cookie,
unsigned int
*cookie_len));
void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
int (*app_verify_cookie_cb) (SSL *ssl,
const unsigned
char *cookie,
unsigned int
cookie_len));
void SSL_CTX_set_stateless_cookie_generate_cb(
SSL_CTX *ctx,
int (*gen_stateless_cookie_cb) (SSL *ssl,
unsigned char *cookie,
size_t *cookie_len));
void SSL_CTX_set_stateless_cookie_verify_cb(
SSL_CTX *ctx,
int (*verify_stateless_cookie_cb) (SSL *ssl,
const unsigned char *cookie,
size_t cookie_len));
# ifndef OPENSSL_NO_NEXTPROTONEG
typedef int (*SSL_CTX_npn_advertised_cb_func)(SSL *ssl,
const unsigned char **out,
unsigned int *outlen,
void *arg);
void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
SSL_CTX_npn_advertised_cb_func cb,
void *arg);
# define SSL_CTX_set_npn_advertised_cb SSL_CTX_set_next_protos_advertised_cb
typedef int (*SSL_CTX_npn_select_cb_func)(SSL *s,
unsigned char **out,
unsigned char *outlen,
const unsigned char *in,
unsigned int inlen,
void *arg);
void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
SSL_CTX_npn_select_cb_func cb,
void *arg);
# define SSL_CTX_set_npn_select_cb SSL_CTX_set_next_proto_select_cb
void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
unsigned *len);
# define SSL_get0_npn_negotiated SSL_get0_next_proto_negotiated
# endif
__owur int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen,
const unsigned char *client,
unsigned int client_len);
# define OPENSSL_NPN_UNSUPPORTED 0
# define OPENSSL_NPN_NEGOTIATED 1
# define OPENSSL_NPN_NO_OVERLAP 2
__owur int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
unsigned int protos_len);
__owur int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
unsigned int protos_len);
typedef int (*SSL_CTX_alpn_select_cb_func)(SSL *ssl,
const unsigned char **out,
unsigned char *outlen,
const unsigned char *in,
unsigned int inlen,
void *arg);
void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
SSL_CTX_alpn_select_cb_func cb,
void *arg);
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
unsigned int *len);
# ifndef OPENSSL_NO_PSK
/*
* the maximum length of the buffer given to callbacks containing the
* resulting identity/psk
*/
# define PSK_MAX_IDENTITY_LEN 128
# define PSK_MAX_PSK_LEN 256
typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl,
const char *hint,
char *identity,
unsigned int max_identity_len,
unsigned char *psk,
unsigned int max_psk_len);
void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb);
void SSL_set_psk_client_callback(SSL *ssl, SSL_psk_client_cb_func cb);
typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl,
const char *identity,
unsigned char *psk,
unsigned int max_psk_len);
void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb);
void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb);
__owur int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint);
__owur int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
const char *SSL_get_psk_identity_hint(const SSL *s);
const char *SSL_get_psk_identity(const SSL *s);
# endif
typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl,
const unsigned char *identity,
size_t identity_len,
SSL_SESSION **sess);
typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md,
const unsigned char **id,
size_t *idlen,
SSL_SESSION **sess);
void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb);
void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
SSL_psk_find_session_cb_func cb);
void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb);
void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
SSL_psk_use_session_cb_func cb);
/* Register callbacks to handle custom TLS Extensions for client or server. */
__owur int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx,
unsigned int ext_type);
__owur int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx,
unsigned int ext_type,
custom_ext_add_cb add_cb,
custom_ext_free_cb free_cb,
void *add_arg,
custom_ext_parse_cb parse_cb,
void *parse_arg);
__owur int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx,
unsigned int ext_type,
custom_ext_add_cb add_cb,
custom_ext_free_cb free_cb,
void *add_arg,
custom_ext_parse_cb parse_cb,
void *parse_arg);
__owur int SSL_CTX_add_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
unsigned int context,
SSL_custom_ext_add_cb_ex add_cb,
SSL_custom_ext_free_cb_ex free_cb,
void *add_arg,
SSL_custom_ext_parse_cb_ex parse_cb,
void *parse_arg);
__owur int SSL_extension_supported(unsigned int ext_type);
# define SSL_NOTHING 1
# define SSL_WRITING 2
# define SSL_READING 3
# define SSL_X509_LOOKUP 4
# define SSL_ASYNC_PAUSED 5
# define SSL_ASYNC_NO_JOBS 6
# define SSL_CLIENT_HELLO_CB 7
/* These will only be used when doing non-blocking IO */
# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
# define SSL_want_read(s) (SSL_want(s) == SSL_READING)
# define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
# define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
# define SSL_MAC_FLAG_READ_MAC_STREAM 1
# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
/*
* A callback for logging out TLS key material. This callback should log out
* |line| followed by a newline.
*/
typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line);
/*
* SSL_CTX_set_keylog_callback configures a callback to log key material. This
* is intended for debugging use with tools like Wireshark. The cb function
* should log line followed by a newline.
*/
void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb);
/*
* SSL_CTX_get_keylog_callback returns the callback configured by
* SSL_CTX_set_keylog_callback.
*/
SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx);
int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data);
uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx);
int SSL_set_max_early_data(SSL *s, uint32_t max_early_data);
uint32_t SSL_get_max_early_data(const SSL *s);
int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data);
uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx);
int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data);
uint32_t SSL_get_recv_max_early_data(const SSL *s);
#ifdef __cplusplus
}
#endif
# include <openssl/ssl2.h>
# include <openssl/ssl3.h>
# include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
# include <openssl/dtls1.h> /* Datagram TLS */
# include <openssl/srtp.h> /* Support for the use_srtp extension */
#ifdef __cplusplus
extern "C" {
#endif
/*
* These need to be after the above set of includes due to a compiler bug
* in VisualStudio 2015
*/
DEFINE_STACK_OF_CONST(SSL_CIPHER)
DEFINE_STACK_OF(SSL_COMP)
/* compatibility */
# define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)(arg)))
# define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
# define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0, \
(char *)(a)))
# define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0))
# define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0))
# define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0, \
(char *)(arg)))
DEPRECATEDIN_1_1_0(void SSL_set_debug(SSL *s, int debug))
/* TLSv1.3 KeyUpdate message types */
/* -1 used so that this is an invalid value for the on-the-wire protocol */
#define SSL_KEY_UPDATE_NONE -1
/* Values as defined for the on-the-wire protocol */
#define SSL_KEY_UPDATE_NOT_REQUESTED 0
#define SSL_KEY_UPDATE_REQUESTED 1
/*
* The valid handshake states (one for each type message sent and one for each
* type of message received). There are also two "special" states:
* TLS = TLS or DTLS state
* DTLS = DTLS specific state
* CR/SR = Client Read/Server Read