ssl_local.h@ 109302

Last change on this file since 109302 was 109052, checked in by vboxsync, 4 weeks ago
openssl-3.4.1: Applied our changes, regenerated files, added missing files and functions. This time with a three way merge. bugref:10890
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 121.0 KB

Line
1	/*
2	* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4	* Copyright 2005 Nokia. All rights reserved.
5	*
6	* Licensed under the Apache License 2.0 (the "License"). You may not use
7	* this file except in compliance with the License. You can obtain a copy
8	* in the file LICENSE in the source distribution or at
9	* https://www.openssl.org/source/license.html
10	*/
11
12	#ifndef OSSL_SSL_LOCAL_H
13	# define OSSL_SSL_LOCAL_H
14
15	# include "internal/e_os.h" /* struct timeval for DTLS */
16	# include <stdlib.h>
17	# include <time.h>
18	# include <errno.h>
19	# include "internal/common.h" /* for HAS_PREFIX */
20
21	# include <openssl/buffer.h>
22	# include <openssl/bio.h>
23	# include <openssl/comp.h>
24	# include <openssl/dsa.h>
25	# include <openssl/err.h>
26	# include <openssl/ssl.h>
27	# include <openssl/async.h>
28	# include <openssl/symhacks.h>
29	# include <openssl/ct.h>
30	# include "internal/recordmethod.h"
31	# include "internal/statem.h"
32	# include "internal/packet.h"
33	# include "internal/dane.h"
34	# include "internal/refcount.h"
35	# include "internal/tsan_assist.h"
36	# include "internal/bio.h"
37	# include "internal/ktls.h"
38	# include "internal/time.h"
39	# include "internal/ssl.h"
40	# include "internal/cryptlib.h"
41	# include "record/record.h"
42
43	# ifdef OPENSSL_BUILD_SHLIBSSL
44	# undef OPENSSL_EXTERN
45	# define OPENSSL_EXTERN OPENSSL_EXPORT
46	# endif
47
48	# define TLS_MAX_VERSION_INTERNAL TLS1_3_VERSION
49	# define DTLS_MAX_VERSION_INTERNAL DTLS1_2_VERSION
50
51	/*
52	* DTLS version numbers are strange because they're inverted. Except for
53	* DTLS1_BAD_VER, which should be considered "lower" than the rest.
54	*/
55	# define dtls_ver_ordinal(v1) (((v1) == DTLS1_BAD_VER) ? 0xff00 : (v1))
56	# define DTLS_VERSION_GT(v1, v2) (dtls_ver_ordinal(v1) < dtls_ver_ordinal(v2))
57	# define DTLS_VERSION_GE(v1, v2) (dtls_ver_ordinal(v1) <= dtls_ver_ordinal(v2))
58	# define DTLS_VERSION_LT(v1, v2) (dtls_ver_ordinal(v1) > dtls_ver_ordinal(v2))
59	# define DTLS_VERSION_LE(v1, v2) (dtls_ver_ordinal(v1) >= dtls_ver_ordinal(v2))
60
61	# define SSL_AD_NO_ALERT -1
62
63	/*
64	* Define the Bitmasks for SSL_CIPHER.algorithms.
65	* This bits are used packed as dense as possible. If new methods/ciphers
66	* etc will be added, the bits a likely to change, so this information
67	* is for internal library use only, even though SSL_CIPHER.algorithms
68	* can be publicly accessed.
69	* Use the according functions for cipher management instead.
70	*
71	* The bit mask handling in the selection and sorting scheme in
72	* ssl_create_cipher_list() has only limited capabilities, reflecting
73	* that the different entities within are mutually exclusive:
74	* ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
75	*/
76
77	/* Bits for algorithm_mkey (key exchange algorithm) */
78	/* RSA key exchange */
79	# define SSL_kRSA 0x00000001U
80	/* tmp DH key no DH cert */
81	# define SSL_kDHE 0x00000002U
82	/* synonym */
83	# define SSL_kEDH SSL_kDHE
84	/* ephemeral ECDH */
85	# define SSL_kECDHE 0x00000004U
86	/* synonym */
87	# define SSL_kEECDH SSL_kECDHE
88	/* PSK */
89	# define SSL_kPSK 0x00000008U
90	/* GOST key exchange */
91	# define SSL_kGOST 0x00000010U
92	/* SRP */
93	# define SSL_kSRP 0x00000020U
94
95	# define SSL_kRSAPSK 0x00000040U
96	# define SSL_kECDHEPSK 0x00000080U
97	# define SSL_kDHEPSK 0x00000100U
98	/* GOST KDF key exchange, draft-smyshlyaev-tls12-gost-suites */
99	# define SSL_kGOST18 0x00000200U
100
101	/* all PSK */
102
103	# define SSL_PSK (SSL_kPSK \| SSL_kRSAPSK \| SSL_kECDHEPSK \| SSL_kDHEPSK)
104
105	/* Any appropriate key exchange algorithm (for TLS 1.3 ciphersuites) */
106	# define SSL_kANY 0x00000000U
107
108	/* Bits for algorithm_auth (server authentication) */
109	/* RSA auth */
110	# define SSL_aRSA 0x00000001U
111	/* DSS auth */
112	# define SSL_aDSS 0x00000002U
113	/* no auth (i.e. use ADH or AECDH) */
114	# define SSL_aNULL 0x00000004U
115	/* ECDSA auth*/
116	# define SSL_aECDSA 0x00000008U
117	/* PSK auth */
118	# define SSL_aPSK 0x00000010U
119	/* GOST R 34.10-2001 signature auth */
120	# define SSL_aGOST01 0x00000020U
121	/* SRP auth */
122	# define SSL_aSRP 0x00000040U
123	/* GOST R 34.10-2012 signature auth */
124	# define SSL_aGOST12 0x00000080U
125	/* Any appropriate signature auth (for TLS 1.3 ciphersuites) */
126	# define SSL_aANY 0x00000000U
127	/* All bits requiring a certificate */
128	#define SSL_aCERT \
129	(SSL_aRSA \| SSL_aDSS \| SSL_aECDSA \| SSL_aGOST01 \| SSL_aGOST12)
130
131	/* Bits for algorithm_enc (symmetric encryption) */
132	# define SSL_DES 0x00000001U
133	# define SSL_3DES 0x00000002U
134	# define SSL_RC4 0x00000004U
135	# define SSL_RC2 0x00000008U
136	# define SSL_IDEA 0x00000010U
137	# define SSL_eNULL 0x00000020U
138	# define SSL_AES128 0x00000040U
139	# define SSL_AES256 0x00000080U
140	# define SSL_CAMELLIA128 0x00000100U
141	# define SSL_CAMELLIA256 0x00000200U
142	# define SSL_eGOST2814789CNT 0x00000400U
143	# define SSL_SEED 0x00000800U
144	# define SSL_AES128GCM 0x00001000U
145	# define SSL_AES256GCM 0x00002000U
146	# define SSL_AES128CCM 0x00004000U
147	# define SSL_AES256CCM 0x00008000U
148	# define SSL_AES128CCM8 0x00010000U
149	# define SSL_AES256CCM8 0x00020000U
150	# define SSL_eGOST2814789CNT12 0x00040000U
151	# define SSL_CHACHA20POLY1305 0x00080000U
152	# define SSL_ARIA128GCM 0x00100000U
153	# define SSL_ARIA256GCM 0x00200000U
154	# define SSL_MAGMA 0x00400000U
155	# define SSL_KUZNYECHIK 0x00800000U
156
157	# define SSL_AESGCM (SSL_AES128GCM \| SSL_AES256GCM)
158	# define SSL_AESCCM (SSL_AES128CCM \| SSL_AES256CCM \| SSL_AES128CCM8 \| SSL_AES256CCM8)
159	# define SSL_AES (SSL_AES128\|SSL_AES256\|SSL_AESGCM\|SSL_AESCCM)
160	# define SSL_CAMELLIA (SSL_CAMELLIA128\|SSL_CAMELLIA256)
161	# define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
162	# define SSL_ARIAGCM (SSL_ARIA128GCM \| SSL_ARIA256GCM)
163	# define SSL_ARIA (SSL_ARIAGCM)
164	# define SSL_CBC (SSL_DES \| SSL_3DES \| SSL_RC2 \| SSL_IDEA \
165	\| SSL_AES128 \| SSL_AES256 \| SSL_CAMELLIA128 \
166	\| SSL_CAMELLIA256 \| SSL_SEED)
167
168	/* Bits for algorithm_mac (symmetric authentication) */
169
170	# define SSL_MD5 0x00000001U
171	# define SSL_SHA1 0x00000002U
172	# define SSL_GOST94 0x00000004U
173	# define SSL_GOST89MAC 0x00000008U
174	# define SSL_SHA256 0x00000010U
175	# define SSL_SHA384 0x00000020U
176	/* Not a real MAC, just an indication it is part of cipher */
177	# define SSL_AEAD 0x00000040U
178	# define SSL_GOST12_256 0x00000080U
179	# define SSL_GOST89MAC12 0x00000100U
180	# define SSL_GOST12_512 0x00000200U
181	# define SSL_MAGMAOMAC 0x00000400U
182	# define SSL_KUZNYECHIKOMAC 0x00000800U
183
184	/*
185	* When adding new digest in the ssl_ciph.c and increment SSL_MD_NUM_IDX make
186	* sure to update this constant too
187	*/
188
189	# define SSL_MD_MD5_IDX 0
190	# define SSL_MD_SHA1_IDX 1
191	# define SSL_MD_GOST94_IDX 2
192	# define SSL_MD_GOST89MAC_IDX 3
193	# define SSL_MD_SHA256_IDX 4
194	# define SSL_MD_SHA384_IDX 5
195	# define SSL_MD_GOST12_256_IDX 6
196	# define SSL_MD_GOST89MAC12_IDX 7
197	# define SSL_MD_GOST12_512_IDX 8
198	# define SSL_MD_MD5_SHA1_IDX 9
199	# define SSL_MD_SHA224_IDX 10
200	# define SSL_MD_SHA512_IDX 11
201	# define SSL_MD_MAGMAOMAC_IDX 12
202	# define SSL_MD_KUZNYECHIKOMAC_IDX 13
203	# define SSL_MAX_DIGEST 14
204
205	#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
206
207	/* Bits for algorithm2 (handshake digests and other extra flags) */
208
209	/* Bits 0-7 are handshake MAC */
210	# define SSL_HANDSHAKE_MAC_MASK 0xFF
211	# define SSL_HANDSHAKE_MAC_MD5_SHA1 SSL_MD_MD5_SHA1_IDX
212	# define SSL_HANDSHAKE_MAC_SHA256 SSL_MD_SHA256_IDX
213	# define SSL_HANDSHAKE_MAC_SHA384 SSL_MD_SHA384_IDX
214	# define SSL_HANDSHAKE_MAC_GOST94 SSL_MD_GOST94_IDX
215	# define SSL_HANDSHAKE_MAC_GOST12_256 SSL_MD_GOST12_256_IDX
216	# define SSL_HANDSHAKE_MAC_GOST12_512 SSL_MD_GOST12_512_IDX
217	# define SSL_HANDSHAKE_MAC_DEFAULT SSL_HANDSHAKE_MAC_MD5_SHA1
218
219	/* Bits 8-15 bits are PRF */
220	# define TLS1_PRF_DGST_SHIFT 8
221	# define TLS1_PRF_SHA1_MD5 (SSL_MD_MD5_SHA1_IDX << TLS1_PRF_DGST_SHIFT)
222	# define TLS1_PRF_SHA256 (SSL_MD_SHA256_IDX << TLS1_PRF_DGST_SHIFT)
223	# define TLS1_PRF_SHA384 (SSL_MD_SHA384_IDX << TLS1_PRF_DGST_SHIFT)
224	# define TLS1_PRF_GOST94 (SSL_MD_GOST94_IDX << TLS1_PRF_DGST_SHIFT)
225	# define TLS1_PRF_GOST12_256 (SSL_MD_GOST12_256_IDX << TLS1_PRF_DGST_SHIFT)
226	# define TLS1_PRF_GOST12_512 (SSL_MD_GOST12_512_IDX << TLS1_PRF_DGST_SHIFT)
227	# define TLS1_PRF (SSL_MD_MD5_SHA1_IDX << TLS1_PRF_DGST_SHIFT)
228
229	/*
230	* Stream MAC for GOST ciphersuites from cryptopro draft (currently this also
231	* goes into algorithm2)
232	*/
233	# define TLS1_STREAM_MAC 0x10000
234	/*
235	* TLSTREE cipher/mac key derivation from draft-smyshlyaev-tls12-gost-suites
236	* (currently this also goes into algorithm2)
237	*/
238	# define TLS1_TLSTREE 0x20000
239
240	/* Ciphersuite supported in QUIC */
241	# define SSL_QUIC 0x00040000U
242
243	# define SSL_STRONG_MASK 0x0000001FU
244	# define SSL_DEFAULT_MASK 0X00000020U
245
246	# define SSL_STRONG_NONE 0x00000001U
247	# define SSL_LOW 0x00000002U
248	# define SSL_MEDIUM 0x00000004U
249	# define SSL_HIGH 0x00000008U
250	# define SSL_FIPS 0x00000010U
251	# define SSL_NOT_DEFAULT 0x00000020U
252
253	/* we have used 0000003f - 26 bits left to go */
254
255	/* Flag used on OpenSSL ciphersuite ids to indicate they are for SSLv3+ */
256	# define SSL3_CK_CIPHERSUITE_FLAG 0x03000000
257
258	/* Check if an SSL structure is using DTLS */
259	# define SSL_CONNECTION_IS_DTLS(s) \
260	(SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
261
262	/* Check if we are using TLSv1.3 */
263	# define SSL_CONNECTION_IS_TLS13(s) (!SSL_CONNECTION_IS_DTLS(s) \
264	&& SSL_CONNECTION_GET_SSL(s)->method->version >= TLS1_3_VERSION \
265	&& SSL_CONNECTION_GET_SSL(s)->method->version != TLS_ANY_VERSION)
266
267	# define SSL_CONNECTION_TREAT_AS_TLS13(s) \
268	(SSL_CONNECTION_IS_TLS13(s) \
269	\|\| (s)->early_data_state == SSL_EARLY_DATA_CONNECTING \
270	\|\| (s)->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY \
271	\|\| (s)->early_data_state == SSL_EARLY_DATA_WRITING \
272	\|\| (s)->early_data_state == SSL_EARLY_DATA_WRITE_RETRY \
273	\|\| (s)->hello_retry_request == SSL_HRR_PENDING)
274
275	# define SSL_IS_FIRST_HANDSHAKE(s) ((s)->s3.tmp.finish_md_len == 0 \
276	\|\| (s)->s3.tmp.peer_finish_md_len == 0)
277
278	/*
279	* See if we use signature algorithms extension and signature algorithm
280	* before signatures.
281	*/
282	# define SSL_USE_SIGALGS(s) \
283	(SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS)
284	/*
285	* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2: may
286	* apply to others in future.
287	*/
288	# define SSL_USE_TLS1_2_CIPHERS(s) \
289	(SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
290	/*
291	* Determine if a client can use TLS 1.2 ciphersuites: can't rely on method
292	* flags because it may not be set to correct version yet.
293	*/
294	# define SSL_CLIENT_USE_TLS1_2_CIPHERS(s) \
295	((!SSL_CONNECTION_IS_DTLS(s) && s->client_version >= TLS1_2_VERSION) \|\| \
296	(SSL_CONNECTION_IS_DTLS(s) && DTLS_VERSION_GE(s->client_version, DTLS1_2_VERSION)))
297	/*
298	* Determine if a client should send signature algorithms extension:
299	* as with TLS1.2 cipher we can't rely on method flags.
300	*/
301	# define SSL_CLIENT_USE_SIGALGS(s) \
302	SSL_CLIENT_USE_TLS1_2_CIPHERS(s)
303
304	# define IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value) \
305	(((value) >= TLSEXT_max_fragment_length_512) && \
306	((value) <= TLSEXT_max_fragment_length_4096))
307	# define USE_MAX_FRAGMENT_LENGTH_EXT(session) \
308	IS_MAX_FRAGMENT_LENGTH_EXT_VALID(session->ext.max_fragment_len_mode)
309	# define GET_MAX_FRAGMENT_LENGTH(session) \
310	(512U << (session->ext.max_fragment_len_mode - 1))
311
312	# define SSL_READ_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ)
313	# define SSL_WRITE_ETM(s) (s->s3.flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
314
315	# define SSL_IS_QUIC_HANDSHAKE(s) (((s)->s3.flags & TLS1_FLAGS_QUIC) != 0)
316
317	/* alert_dispatch values */
318
319	/* No alert pending */
320	# define SSL_ALERT_DISPATCH_NONE 0
321	/* Alert pending */
322	# define SSL_ALERT_DISPATCH_PENDING 1
323	/* Pending alert write needs to be retried */
324	# define SSL_ALERT_DISPATCH_RETRY 2
325
326	/* Mostly for SSLv3 */
327	# define SSL_PKEY_RSA 0
328	# define SSL_PKEY_RSA_PSS_SIGN 1
329	# define SSL_PKEY_DSA_SIGN 2
330	# define SSL_PKEY_ECC 3
331	# define SSL_PKEY_GOST01 4
332	# define SSL_PKEY_GOST12_256 5
333	# define SSL_PKEY_GOST12_512 6
334	# define SSL_PKEY_ED25519 7
335	# define SSL_PKEY_ED448 8
336	# define SSL_PKEY_NUM 9
337
338	# define SSL_ENC_DES_IDX 0
339	# define SSL_ENC_3DES_IDX 1
340	# define SSL_ENC_RC4_IDX 2
341	# define SSL_ENC_RC2_IDX 3
342	# define SSL_ENC_IDEA_IDX 4
343	# define SSL_ENC_NULL_IDX 5
344	# define SSL_ENC_AES128_IDX 6
345	# define SSL_ENC_AES256_IDX 7
346	# define SSL_ENC_CAMELLIA128_IDX 8
347	# define SSL_ENC_CAMELLIA256_IDX 9
348	# define SSL_ENC_GOST89_IDX 10
349	# define SSL_ENC_SEED_IDX 11
350	# define SSL_ENC_AES128GCM_IDX 12
351	# define SSL_ENC_AES256GCM_IDX 13
352	# define SSL_ENC_AES128CCM_IDX 14
353	# define SSL_ENC_AES256CCM_IDX 15
354	# define SSL_ENC_AES128CCM8_IDX 16
355	# define SSL_ENC_AES256CCM8_IDX 17
356	# define SSL_ENC_GOST8912_IDX 18
357	# define SSL_ENC_CHACHA_IDX 19
358	# define SSL_ENC_ARIA128GCM_IDX 20
359	# define SSL_ENC_ARIA256GCM_IDX 21
360	# define SSL_ENC_MAGMA_IDX 22
361	# define SSL_ENC_KUZNYECHIK_IDX 23
362	# define SSL_ENC_NUM_IDX 24
363
364	/*-
365	* SSL_kRSA <- RSA_ENC
366	* SSL_kDH <- DH_ENC & (RSA_ENC \| RSA_SIGN \| DSA_SIGN)
367	* SSL_kDHE <- RSA_ENC \| RSA_SIGN \| DSA_SIGN
368	* SSL_aRSA <- RSA_ENC \| RSA_SIGN
369	* SSL_aDSS <- DSA_SIGN
370	*/
371
372	/*-
373	#define CERT_INVALID 0
374	#define CERT_PUBLIC_KEY 1
375	#define CERT_PRIVATE_KEY 2
376	*/
377
378	/* Certificate Type State */
379	# define OSSL_CERT_TYPE_CTOS_NONE 0
380	# define OSSL_CERT_TYPE_CTOS_GOOD 1
381	# define OSSL_CERT_TYPE_CTOS_ERROR 2
382
383	/* Post-Handshake Authentication state */
384	typedef enum {
385	SSL_PHA_NONE = 0,
386	SSL_PHA_EXT_SENT, /* client-side only: extension sent */
387	SSL_PHA_EXT_RECEIVED, /* server-side only: extension received */
388	SSL_PHA_REQUEST_PENDING, /* server-side only: request pending */
389	SSL_PHA_REQUESTED /* request received by client, or sent by server */
390	} SSL_PHA_STATE;
391
392	/* CipherSuite length. SSLv3 and all TLS versions. */
393	# define TLS_CIPHER_LEN 2
394	/* used to hold info on the particular ciphers used */
395	struct ssl_cipher_st {
396	uint32_t valid;
397	const char name; / text name */
398	const char stdname; / RFC name */
399	uint32_t id; /* id, 4 bytes, first is version */
400	/*
401	* changed in 1.0.0: these four used to be portions of a single value
402	* 'algorithms'
403	*/
404	uint32_t algorithm_mkey; /* key exchange algorithm */
405	uint32_t algorithm_auth; /* server authentication */
406	uint32_t algorithm_enc; /* symmetric encryption */
407	uint32_t algorithm_mac; /* symmetric authentication */
408	int min_tls; /* minimum SSL/TLS protocol version */
409	int max_tls; /* maximum SSL/TLS protocol version */
410	int min_dtls; /* minimum DTLS protocol version */
411	int max_dtls; /* maximum DTLS protocol version */
412	uint32_t algo_strength; /* strength and export flags */
413	uint32_t algorithm2; /* Extra flags */
414	int32_t strength_bits; /* Number of bits really used */
415	uint32_t alg_bits; /* Number of bits for algorithm */
416	};
417
418	/* Used to hold SSL/TLS functions */
419	struct ssl_method_st {
420	int version;
421	unsigned flags;
422	uint64_t mask;
423	SSL (ssl_new) (SSL_CTX *ctx);
424	void (ssl_free) (SSL s);
425	int (ssl_reset) (SSL s);
426	int (ssl_init) (SSL s);
427	int (ssl_clear) (SSL s);
428	void (ssl_deinit) (SSL s);
429	int (ssl_accept) (SSL s);
430	int (ssl_connect) (SSL s);
431	int (ssl_read) (SSL s, void buf, size_t len, size_t readbytes);
432	int (ssl_peek) (SSL s, void buf, size_t len, size_t readbytes);
433	int (ssl_write) (SSL s, const void buf, size_t len, size_t written);
434	int (ssl_shutdown) (SSL s);
435	int (ssl_renegotiate) (SSL s);
436	int (ssl_renegotiate_check) (SSL s, int);
437	int (ssl_read_bytes) (SSL s, uint8_t type, uint8_t *recvd_type,
438	unsigned char *buf, size_t len, int peek,
439	size_t *readbytes);
440	int (ssl_write_bytes) (SSL s, uint8_t type, const void *buf_, size_t len,
441	size_t *written);
442	int (ssl_dispatch_alert) (SSL s);
443	long (ssl_ctrl) (SSL s, int cmd, long larg, void *parg);
444	long (ssl_ctx_ctrl) (SSL_CTX ctx, int cmd, long larg, void *parg);
445	const SSL_CIPHER (get_cipher_by_char) (const unsigned char *ptr);
446	int (put_cipher_by_char) (const SSL_CIPHER cipher, WPACKET *pkt,
447	size_t *len);
448	size_t (ssl_pending) (const SSL s);
449	int (*num_ciphers) (void);
450	const SSL_CIPHER (get_cipher) (unsigned ncipher);
451	OSSL_TIME (*get_timeout) (void);
452	const struct ssl3_enc_method ssl3_enc; / Extra SSLv3/TLS stuff */
453	int (*ssl_version) (void);
454	long (ssl_callback_ctrl) (SSL s, int cb_id, void (*fp) (void));
455	long (ssl_ctx_callback_ctrl) (SSL_CTX s, int cb_id, void (*fp) (void));
456	};
457
458	/*
459	* Matches the length of PSK_MAX_PSK_LEN. We keep it the same value for
460	* consistency, even in the event of OPENSSL_NO_PSK being defined.
461	*/
462	# define TLS13_MAX_RESUMPTION_PSK_LENGTH 512
463
464	/*-
465	* Lets make this into an ASN.1 type structure as follows
466	* SSL_SESSION_ID ::= SEQUENCE {
467	* version INTEGER, -- structure version number
468	* SSLversion INTEGER, -- SSL version number
469	* Cipher OCTET STRING, -- the 3 byte cipher ID
470	* Session_ID OCTET STRING, -- the Session ID
471	* Master_key OCTET STRING, -- the master key
472	* Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument
473	* Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
474	* Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
475	* Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
476	* Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
477	* Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
478	* HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
479	* PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
480	* PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity
481	* Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
482	* Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
483	* Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
484	* SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
485	* flags [ 13 ] EXPLICIT INTEGER -- optional flags
486	* }
487	* Look in ssl/ssl_asn1.c for more details
488	* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
489	*/
490	struct ssl_session_st {
491	int ssl_version; /* what ssl version session info is being kept
492	* in here? */
493	size_t master_key_length;
494
495	/* TLSv1.3 early_secret used for external PSKs */
496	unsigned char early_secret[EVP_MAX_MD_SIZE];
497	/*
498	* For <=TLS1.2 this is the master_key. For TLS1.3 this is the resumption
499	* PSK
500	*/
501	unsigned char master_key[TLS13_MAX_RESUMPTION_PSK_LENGTH];
502	/* session_id - valid? */
503	size_t session_id_length;
504	unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
505	/*
506	* this is used to determine whether the session is being reused in the
507	* appropriate context. It is up to the application to set this, via
508	* SSL_new
509	*/
510	size_t sid_ctx_length;
511	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
512	# ifndef OPENSSL_NO_PSK
513	char *psk_identity_hint;
514	char *psk_identity;
515	# endif
516	/*
517	* Used to indicate that session resumption is not allowed. Applications
518	* can also set this bit for a new session via not_resumable_session_cb
519	* to disable session caching and tickets.
520	*/
521	int not_resumable;
522	/* Peer raw public key, if available */
523	EVP_PKEY *peer_rpk;
524	/* This is the cert and type for the other end. */
525	X509 *peer;
526	/* Certificate chain peer sent. */
527	STACK_OF(X509) *peer_chain;
528	/*
529	* when app_verify_callback accepts a session where the peer's
530	* certificate is not ok, we must remember the error for session reuse:
531	*/
532	long verify_result; /* only for servers */
533	OSSL_TIME timeout;
534	OSSL_TIME time;
535	OSSL_TIME calc_timeout;
536	unsigned int compress_meth; /* Need to lookup the method */
537	const SSL_CIPHER *cipher;
538	unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to
539	* load the 'cipher' structure */
540	unsigned int kex_group; /* TLS group from key exchange */
541	CRYPTO_EX_DATA ex_data; /* application specific data */
542
543	struct {
544	char *hostname;
545	/* RFC4507 info */
546	unsigned char tick; / Session ticket */
547	size_t ticklen; /* Session ticket length */
548	/* Session lifetime hint in seconds */
549	unsigned long tick_lifetime_hint;
550	uint32_t tick_age_add;
551	/* Max number of bytes that can be sent as early data */
552	uint32_t max_early_data;
553	/* The ALPN protocol selected for this session */
554	unsigned char *alpn_selected;
555	size_t alpn_selected_len;
556	/*
557	* Maximum Fragment Length as per RFC 4366.
558	* If this value does not contain RFC 4366 allowed values (1-4) then
559	* either the Maximum Fragment Length Negotiation failed or was not
560	* performed at all.
561	*/
562	uint8_t max_fragment_len_mode;
563	} ext;
564	# ifndef OPENSSL_NO_SRP
565	char *srp_username;
566	# endif
567	unsigned char *ticket_appdata;
568	size_t ticket_appdata_len;
569	uint32_t flags;
570	SSL_CTX *owner;
571
572	/*
573	* These are used to make removal of session-ids more efficient and to
574	* implement a maximum cache size. Access requires protection of ctx->lock.
575	*/
576	struct ssl_session_st prev, next;
577	CRYPTO_REF_COUNT references;
578	};
579
580	/* Extended master secret support */
581	# define SSL_SESS_FLAG_EXTMS 0x1
582
583	# ifndef OPENSSL_NO_SRP
584
585	typedef struct srp_ctx_st {
586	/* param for all the callbacks */
587	void *SRP_cb_arg;
588	/* set client Hello login callback */
589	int (TLS_ext_srp_username_callback) (SSL , int , void );
590	/* set SRP N/g param callback for verification */
591	int (SRP_verify_param_callback) (SSL , void *);
592	/* set SRP client passwd callback */
593	char (SRP_give_srp_client_pwd_callback) (SSL , void );
594	char *login;
595	BIGNUM N, g, s, B, *A;
596	BIGNUM a, b, *v;
597	char *info;
598	int strength;
599	unsigned long srp_Mask;
600	} SRP_CTX;
601
602	# endif
603
604	typedef enum {
605	SSL_EARLY_DATA_NONE = 0,
606	SSL_EARLY_DATA_CONNECT_RETRY,
607	SSL_EARLY_DATA_CONNECTING,
608	SSL_EARLY_DATA_WRITE_RETRY,
609	SSL_EARLY_DATA_WRITING,
610	SSL_EARLY_DATA_WRITE_FLUSH,
611	SSL_EARLY_DATA_UNAUTH_WRITING,
612	SSL_EARLY_DATA_FINISHED_WRITING,
613	SSL_EARLY_DATA_ACCEPT_RETRY,
614	SSL_EARLY_DATA_ACCEPTING,
615	SSL_EARLY_DATA_READ_RETRY,
616	SSL_EARLY_DATA_READING,
617	SSL_EARLY_DATA_FINISHED_READING
618	} SSL_EARLY_DATA_STATE;
619
620	/*
621	* We check that the amount of unreadable early data doesn't exceed
622	* max_early_data. max_early_data is given in plaintext bytes. However if it is
623	* unreadable then we only know the number of ciphertext bytes. We also don't
624	* know how much the overhead should be because it depends on the ciphersuite.
625	* We make a small allowance. We assume 5 records of actual data plus the end
626	* of early data alert record. Each record has a tag and a content type byte.
627	* The longest tag length we know of is EVP_GCM_TLS_TAG_LEN. We don't count the
628	* content of the alert record either which is 2 bytes.
629	*/
630	# define EARLY_DATA_CIPHERTEXT_OVERHEAD ((6 * (EVP_GCM_TLS_TAG_LEN + 1)) + 2)
631
632	/*
633	* The allowance we have between the client's calculated ticket age and our own.
634	* We allow for 10 seconds. If a ticket is presented and the
635	* client's age calculation is different by more than this than our own then we
636	* do not allow that ticket for early_data.
637	*/
638	# define TICKET_AGE_ALLOWANCE ossl_seconds2time(10)
639
640	#define MAX_COMPRESSIONS_SIZE 255
641
642
643	typedef struct raw_extension_st {
644	/* Raw packet data for the extension */
645	PACKET data;
646	/* Set to 1 if the extension is present or 0 otherwise */
647	int present;
648	/* Set to 1 if we have already parsed the extension or 0 otherwise */
649	int parsed;
650	/* The type of this extension, i.e. a TLSEXT_TYPE_* value */
651	unsigned int type;
652	/* Track what order extensions are received in (0-based). */
653	size_t received_order;
654	} RAW_EXTENSION;
655
656	typedef struct {
657	unsigned int isv2;
658	unsigned int legacy_version;
659	unsigned char random[SSL3_RANDOM_SIZE];
660	size_t session_id_len;
661	unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
662	size_t dtls_cookie_len;
663	unsigned char dtls_cookie[DTLS1_COOKIE_LENGTH];
664	PACKET ciphersuites;
665	size_t compressions_len;
666	unsigned char compressions[MAX_COMPRESSIONS_SIZE];
667	PACKET extensions;
668	size_t pre_proc_exts_len;
669	RAW_EXTENSION *pre_proc_exts;
670	} CLIENTHELLO_MSG;
671
672	/*
673	* Extension index values NOTE: Any updates to these defines should be mirrored
674	* with equivalent updates to ext_defs in extensions.c
675	*/
676	typedef enum tlsext_index_en {
677	TLSEXT_IDX_renegotiate,
678	TLSEXT_IDX_server_name,
679	TLSEXT_IDX_max_fragment_length,
680	TLSEXT_IDX_srp,
681	TLSEXT_IDX_ec_point_formats,
682	TLSEXT_IDX_supported_groups,
683	TLSEXT_IDX_session_ticket,
684	TLSEXT_IDX_status_request,
685	TLSEXT_IDX_next_proto_neg,
686	TLSEXT_IDX_application_layer_protocol_negotiation,
687	TLSEXT_IDX_use_srtp,
688	TLSEXT_IDX_encrypt_then_mac,
689	TLSEXT_IDX_signed_certificate_timestamp,
690	TLSEXT_IDX_extended_master_secret,
691	TLSEXT_IDX_signature_algorithms_cert,
692	TLSEXT_IDX_post_handshake_auth,
693	TLSEXT_IDX_client_cert_type,
694	TLSEXT_IDX_server_cert_type,
695	TLSEXT_IDX_signature_algorithms,
696	TLSEXT_IDX_supported_versions,
697	TLSEXT_IDX_psk_kex_modes,
698	TLSEXT_IDX_key_share,
699	TLSEXT_IDX_cookie,
700	TLSEXT_IDX_cryptopro_bug,
701	TLSEXT_IDX_compress_certificate,
702	TLSEXT_IDX_early_data,
703	TLSEXT_IDX_certificate_authorities,
704	TLSEXT_IDX_padding,
705	TLSEXT_IDX_psk,
706	/* Dummy index - must always be the last entry */
707	TLSEXT_IDX_num_builtins
708	} TLSEXT_INDEX;
709
710	DEFINE_LHASH_OF_EX(SSL_SESSION);
711	/* Needed in ssl_cert.c */
712	DEFINE_LHASH_OF_EX(X509_NAME);
713
714	# define TLSEXT_KEYNAME_LENGTH 16
715	# define TLSEXT_TICK_KEY_LENGTH 32
716
717	typedef struct ssl_ctx_ext_secure_st {
718	unsigned char tick_hmac_key[TLSEXT_TICK_KEY_LENGTH];
719	unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
720	} SSL_CTX_EXT_SECURE;
721
722	/*
723	* Helper function for HMAC
724	* The structure should be considered opaque, it will change once the low
725	* level deprecated calls are removed. At that point it can be replaced
726	* by EVP_MAC_CTX and most of the functions converted to macros or inlined
727	* directly.
728	*/
729	typedef struct ssl_hmac_st {
730	EVP_MAC_CTX *ctx;
731	# ifndef OPENSSL_NO_DEPRECATED_3_0
732	HMAC_CTX *old_ctx;
733	# endif
734	} SSL_HMAC;
735
736	SSL_HMAC ssl_hmac_new(const SSL_CTX ctx);
737	void ssl_hmac_free(SSL_HMAC *ctx);
738	# ifndef OPENSSL_NO_DEPRECATED_3_0
739	HMAC_CTX ssl_hmac_get0_HMAC_CTX(SSL_HMAC ctx);
740	# endif
741	EVP_MAC_CTX ssl_hmac_get0_EVP_MAC_CTX(SSL_HMAC ctx);
742	int ssl_hmac_init(SSL_HMAC ctx, void key, size_t len, char *md);
743	int ssl_hmac_update(SSL_HMAC ctx, const unsigned char data, size_t len);
744	int ssl_hmac_final(SSL_HMAC ctx, unsigned char md, size_t *len,
745	size_t max_size);
746	size_t ssl_hmac_size(const SSL_HMAC *ctx);
747
748	int ssl_get_EC_curve_nid(const EVP_PKEY *pkey);
749	__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey,
750	const unsigned char *enckey,
751	size_t enckeylen);
752
753	typedef struct tls_group_info_st {
754	char tlsname; / Curve Name as in TLS specs */
755	char realname; / Curve Name according to provider */
756	char algorithm; / Algorithm name to fetch */
757	unsigned int secbits; /* Bits of security (from SP800-57) */
758	uint16_t group_id; /* Group ID */
759	int mintls; /* Minimum TLS version, -1 unsupported */
760	int maxtls; /* Maximum TLS version (or 0 for undefined) */
761	int mindtls; /* Minimum DTLS version, -1 unsupported */
762	int maxdtls; /* Maximum DTLS version (or 0 for undefined) */
763	char is_kem; /* Mode for this Group: 0 is KEX, 1 is KEM */
764	} TLS_GROUP_INFO;
765
766	typedef struct tls_sigalg_info_st {
767	char name; / name as in IANA TLS specs */
768	uint16_t code_point; /* IANA-specified code point of sigalg-name */
769	char sigalg_name; / (combined) sigalg name */
770	char sigalg_oid; / (combined) sigalg OID */
771	char sig_name; / pure signature algorithm name */
772	char sig_oid; / pure signature algorithm OID */
773	char hash_name; / hash algorithm name */
774	char hash_oid; / hash algorithm OID */
775	char keytype; / keytype name */
776	char keytype_oid; / keytype OID */
777	unsigned int secbits; /* Bits of security (from SP800-57) */
778	int mintls; /* Minimum TLS version, -1 unsupported */
779	int maxtls; /* Maximum TLS version (or 0 for undefined) */
780	} TLS_SIGALG_INFO;
781
782	/*
783	* Structure containing table entry of certificate info corresponding to
784	* CERT_PKEY entries
785	*/
786	typedef struct {
787	int nid; /* NID of public key algorithm */
788	uint32_t amask; /* authmask corresponding to key type */
789	} SSL_CERT_LOOKUP;
790
791	/* flags values */
792	# define TLS_GROUP_TYPE 0x0000000FU /* Mask for group type */
793	# define TLS_GROUP_CURVE_PRIME 0x00000001U
794	# define TLS_GROUP_CURVE_CHAR2 0x00000002U
795	# define TLS_GROUP_CURVE_CUSTOM 0x00000004U
796	# define TLS_GROUP_FFDHE 0x00000008U
797	# define TLS_GROUP_ONLY_FOR_TLS1_3 0x00000010U
798
799	# define TLS_GROUP_FFDHE_FOR_TLS1_3 (TLS_GROUP_FFDHE\|TLS_GROUP_ONLY_FOR_TLS1_3)
800
801	struct ssl_ctx_st {
802	OSSL_LIB_CTX *libctx;
803
804	const SSL_METHOD *method;
805	STACK_OF(SSL_CIPHER) *cipher_list;
806	/* same as above but sorted for lookup */
807	STACK_OF(SSL_CIPHER) *cipher_list_by_id;
808	/* TLSv1.3 specific ciphersuites */
809	STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
810	struct x509_store_st /* X509_STORE / cert_store;
811	LHASH_OF(SSL_SESSION) *sessions;
812	/*
813	* Most session-ids that will be cached, default is
814	* SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited.
815	*/
816	size_t session_cache_size;
817	struct ssl_session_st *session_cache_head;
818	struct ssl_session_st *session_cache_tail;
819	/*
820	* This can have one of 2 values, ored together, SSL_SESS_CACHE_CLIENT,
821	* SSL_SESS_CACHE_SERVER, Default is SSL_SESSION_CACHE_SERVER, which
822	* means only SSL_accept will cache SSL_SESSIONS.
823	*/
824	uint32_t session_cache_mode;
825	/*
826	* If timeout is not 0, it is the default timeout value set when
827	* SSL_new() is called. This has been put in to make life easier to set
828	* things up
829	*/
830	OSSL_TIME session_timeout;
831	/*
832	* If this callback is not null, it will be called each time a session id
833	* is added to the cache. If this function returns 1, it means that the
834	* callback will do a SSL_SESSION_free() when it has finished using it.
835	* Otherwise, on 0, it means the callback has finished with it. If
836	* remove_session_cb is not null, it will be called when a session-id is
837	* removed from the cache. After the call, OpenSSL will
838	* SSL_SESSION_free() it.
839	*/
840	int (new_session_cb) (struct ssl_st ssl, SSL_SESSION *sess);
841	void (remove_session_cb) (struct ssl_ctx_st ctx, SSL_SESSION *sess);
842	SSL_SESSION (get_session_cb) (struct ssl_st *ssl,
843	const unsigned char *data, int len,
844	int *copy);
845	struct {
846	TSAN_QUALIFIER int sess_connect; /* SSL new conn - started */
847	TSAN_QUALIFIER int sess_connect_renegotiate; /* SSL reneg - requested */
848	TSAN_QUALIFIER int sess_connect_good; /* SSL new conne/reneg - finished */
849	TSAN_QUALIFIER int sess_accept; /* SSL new accept - started */
850	TSAN_QUALIFIER int sess_accept_renegotiate; /* SSL reneg - requested */
851	TSAN_QUALIFIER int sess_accept_good; /* SSL accept/reneg - finished */
852	TSAN_QUALIFIER int sess_miss; /* session lookup misses */
853	TSAN_QUALIFIER int sess_timeout; /* reuse attempt on timeouted session */
854	TSAN_QUALIFIER int sess_cache_full; /* session removed due to full cache */
855	TSAN_QUALIFIER int sess_hit; /* session reuse actually done */
856	TSAN_QUALIFIER int sess_cb_hit; /* session-id that was not in
857	* the cache was passed back via
858	* the callback. This indicates
859	* that the application is
860	* supplying session-id's from
861	* other processes - spooky
862	* :-) */
863	} stats;
864	#ifdef TSAN_REQUIRES_LOCKING
865	CRYPTO_RWLOCK *tsan_lock;
866	#endif
867
868	CRYPTO_REF_COUNT references;
869
870	/* if defined, these override the X509_verify_cert() calls */
871	int (app_verify_callback) (X509_STORE_CTX , void *);
872	void *app_verify_arg;
873	/*
874	* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
875	* ('app_verify_callback' was called with just one argument)
876	*/
877
878	/* Default password callback. */
879	pem_password_cb *default_passwd_callback;
880
881	/* Default password callback user data. */
882	void *default_passwd_callback_userdata;
883
884	/* get client cert callback */
885	int (client_cert_cb) (SSL ssl, X509 x509, EVP_PKEY pkey);
886
887	/* cookie generate callback */
888	int (app_gen_cookie_cb) (SSL ssl, unsigned char *cookie,
889	unsigned int *cookie_len);
890
891	/* verify cookie callback */
892	int (app_verify_cookie_cb) (SSL ssl, const unsigned char *cookie,
893	unsigned int cookie_len);
894
895	/* TLS1.3 app-controlled cookie generate callback */
896	int (gen_stateless_cookie_cb) (SSL ssl, unsigned char *cookie,
897	size_t *cookie_len);
898
899	/* TLS1.3 verify app-controlled cookie callback */
900	int (verify_stateless_cookie_cb) (SSL ssl, const unsigned char *cookie,
901	size_t cookie_len);
902
903	CRYPTO_EX_DATA ex_data;
904
905	const EVP_MD md5; / For SSLv3/TLSv1 'ssl3-md5' */
906	const EVP_MD sha1; / For SSLv3/TLSv1 'ssl3-sha1' */
907
908	STACK_OF(X509) *extra_certs;
909	STACK_OF(SSL_COMP) comp_methods; / stack of SSL_COMP, SSLv3/TLSv1 */
910
911	/* Default values used when no per-SSL value is defined follow */
912
913	/* used if SSL's info_callback is NULL */
914	void (info_callback) (const SSL ssl, int type, int val);
915
916	/*
917	* What we put in certificate_authorities extension for TLS 1.3
918	* (ClientHello and CertificateRequest) or just client cert requests for
919	* earlier versions. If client_ca_names is populated then it is only used
920	* for client cert requests, and in preference to ca_names.
921	*/
922	STACK_OF(X509_NAME) *ca_names;
923	STACK_OF(X509_NAME) *client_ca_names;
924
925	/*
926	* Default values to use in SSL structures follow (these are copied by
927	* SSL_new)
928	*/
929
930	uint64_t options;
931	uint32_t mode;
932	int min_proto_version;
933	int max_proto_version;
934	size_t max_cert_list;
935
936	struct cert_st /* CERT / cert;
937	SSL_CERT_LOOKUP *ssl_cert_info;
938	int read_ahead;
939
940	/* callback that allows applications to peek at protocol messages */
941	ossl_msg_cb msg_callback;
942	void *msg_callback_arg;
943
944	uint32_t verify_mode;
945	size_t sid_ctx_length;
946	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
947	/* called 'verify_callback' in the SSL */
948	int (default_verify_callback) (int ok, X509_STORE_CTX ctx);
949
950	/* Default generate session ID callback. */
951	GEN_SESSION_CB generate_session_id;
952
953	X509_VERIFY_PARAM *param;
954
955	int quiet_shutdown;
956
957	# ifndef OPENSSL_NO_CT
958	CTLOG_STORE ctlog_store; / CT Log Store */
959	/*
960	* Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
961	* If they are not, the connection should be aborted.
962	*/
963	ssl_ct_validation_cb ct_validation_callback;
964	void *ct_validation_callback_arg;
965	# endif
966
967	/*
968	* If we're using more than one pipeline how should we divide the data
969	* up between the pipes?
970	*/
971	size_t split_send_fragment;
972	/*
973	* Maximum amount of data to send in one fragment. actual record size can
974	* be more than this due to padding and MAC overheads.
975	*/
976	size_t max_send_fragment;
977
978	/* Up to how many pipelines should we use? If 0 then 1 is assumed */
979	size_t max_pipelines;
980
981	/* The default read buffer length to use (0 means not set) */
982	size_t default_read_buf_len;
983
984	# ifndef OPENSSL_NO_ENGINE
985	/*
986	* Engine to pass requests for client certs to
987	*/
988	ENGINE *client_cert_engine;
989	# endif
990
991	/* ClientHello callback. Mostly for extensions, but not entirely. */
992	SSL_client_hello_cb_fn client_hello_cb;
993	void *client_hello_cb_arg;
994
995	/* TLS extensions. */
996	struct {
997	/* TLS extensions servername callback */
998	int (servername_cb) (SSL , int , void );
999	void *servername_arg;
1000	/* RFC 4507 session ticket keys */
1001	unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];
1002	SSL_CTX_EXT_SECURE *secure;
1003	# ifndef OPENSSL_NO_DEPRECATED_3_0
1004	/* Callback to support customisation of ticket key setting */
1005	int (ticket_key_cb) (SSL ssl,
1006	unsigned char name, unsigned char iv,
1007	EVP_CIPHER_CTX ectx, HMAC_CTX hctx, int enc);
1008	#endif
1009	int (ticket_key_evp_cb) (SSL ssl,
1010	unsigned char name, unsigned char iv,
1011	EVP_CIPHER_CTX ectx, EVP_MAC_CTX hctx,
1012	int enc);
1013
1014	/* certificate status request info */
1015	/* Callback for status request */
1016	int (status_cb) (SSL ssl, void *arg);
1017	void *status_arg;
1018	/* ext status type used for CSR extension (OCSP Stapling) */
1019	int status_type;
1020	/* RFC 4366 Maximum Fragment Length Negotiation */
1021	uint8_t max_fragment_len_mode;
1022
1023	/* EC extension values inherited by SSL structure */
1024	size_t ecpointformats_len;
1025	unsigned char *ecpointformats;
1026
1027	size_t supportedgroups_len;
1028	uint16_t *supportedgroups;
1029
1030	uint16_t *supported_groups_default;
1031	size_t supported_groups_default_len;
1032	/*
1033	* ALPN information (we are in the process of transitioning from NPN to
1034	* ALPN.)
1035	*/
1036
1037	/*-
1038	* For a server, this contains a callback function that allows the
1039	* server to select the protocol for the connection.
1040	* out: on successful return, this must point to the raw protocol
1041	* name (without the length prefix).
1042	* outlen: on successful return, this contains the length of \|*out\|.
1043	* in: points to the client's list of supported protocols in
1044	* wire-format.
1045	* inlen: the length of \|in\|.
1046	*/
1047	int (alpn_select_cb) (SSL s,
1048	const unsigned char **out,
1049	unsigned char *outlen,
1050	const unsigned char *in,
1051	unsigned int inlen, void *arg);
1052	void *alpn_select_cb_arg;
1053
1054	/*
1055	* For a client, this contains the list of supported protocols in wire
1056	* format.
1057	*/
1058	unsigned char *alpn;
1059	size_t alpn_len;
1060
1061	# ifndef OPENSSL_NO_NEXTPROTONEG
1062	/* Next protocol negotiation information */
1063
1064	/*
1065	* For a server, this contains a callback function by which the set of
1066	* advertised protocols can be provided.
1067	*/
1068	SSL_CTX_npn_advertised_cb_func npn_advertised_cb;
1069	void *npn_advertised_cb_arg;
1070	/*
1071	* For a client, this contains a callback function that selects the next
1072	* protocol from the list provided by the server.
1073	*/
1074	SSL_CTX_npn_select_cb_func npn_select_cb;
1075	void *npn_select_cb_arg;
1076	# endif
1077
1078	unsigned char cookie_hmac_key[SHA256_DIGEST_LENGTH];
1079	} ext;
1080
1081	# ifndef OPENSSL_NO_PSK
1082	SSL_psk_client_cb_func psk_client_callback;
1083	SSL_psk_server_cb_func psk_server_callback;
1084	# endif
1085	SSL_psk_find_session_cb_func psk_find_session_cb;
1086	SSL_psk_use_session_cb_func psk_use_session_cb;
1087
1088	# ifndef OPENSSL_NO_SRP
1089	SRP_CTX srp_ctx; /* ctx for SRP authentication */
1090	# endif
1091
1092	/* Shared DANE context */
1093	struct dane_ctx_st dane;
1094
1095	# ifndef OPENSSL_NO_SRTP
1096	/* SRTP profiles we are willing to do from RFC 5764 */
1097	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
1098	# endif
1099	/*
1100	* Callback for disabling session caching and ticket support on a session
1101	* basis, depending on the chosen cipher.
1102	*/
1103	int (not_resumable_session_cb) (SSL ssl, int is_forward_secure);
1104
1105	CRYPTO_RWLOCK *lock;
1106
1107	/*
1108	* Callback for logging key material for use with debugging tools like
1109	* Wireshark. The callback should log `line` followed by a newline.
1110	*/
1111	SSL_CTX_keylog_cb_func keylog_callback;
1112
1113	/*
1114	* The maximum number of bytes advertised in session tickets that can be
1115	* sent as early data.
1116	*/
1117	uint32_t max_early_data;
1118
1119	/*
1120	* The maximum number of bytes of early data that a server will tolerate
1121	* (which should be at least as much as max_early_data).
1122	*/
1123	uint32_t recv_max_early_data;
1124
1125	/* TLS1.3 padding callback */
1126	size_t (record_padding_cb)(SSL s, int type, size_t len, void *arg);
1127	void *record_padding_arg;
1128	size_t block_padding;
1129	size_t hs_padding;
1130
1131	/* Session ticket appdata */
1132	SSL_CTX_generate_session_ticket_fn generate_ticket_cb;
1133	SSL_CTX_decrypt_session_ticket_fn decrypt_ticket_cb;
1134	void *ticket_cb_data;
1135
1136	/* The number of TLS1.3 tickets to automatically send */
1137	size_t num_tickets;
1138
1139	/* Callback to determine if early_data is acceptable or not */
1140	SSL_allow_early_data_cb_fn allow_early_data_cb;
1141	void *allow_early_data_cb_data;
1142
1143	/* Do we advertise Post-handshake auth support? */
1144	int pha_enabled;
1145
1146	/* Callback for SSL async handling */
1147	SSL_async_callback_fn async_cb;
1148	void *async_cb_arg;
1149
1150	char *propq;
1151
1152	int ssl_mac_pkey_id[SSL_MD_NUM_IDX];
1153	const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
1154	const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX];
1155	size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
1156
1157	size_t tls12_sigalgs_len;
1158	/* Cache of all sigalgs we know and whether they are available or not */
1159	struct sigalg_lookup_st *sigalg_lookup_cache;
1160	/* List of all sigalgs (code points) available, incl. from providers */
1161	uint16_t *tls12_sigalgs;
1162
1163	TLS_GROUP_INFO *group_list;
1164	size_t group_list_len;
1165	size_t group_list_max_len;
1166
1167	TLS_SIGALG_INFO *sigalg_list;
1168	size_t sigalg_list_len;
1169	size_t sigalg_list_max_len;
1170
1171	/* masks of disabled algorithms */
1172	uint32_t disabled_enc_mask;
1173	uint32_t disabled_mac_mask;
1174	uint32_t disabled_mkey_mask;
1175	uint32_t disabled_auth_mask;
1176
1177	#ifndef OPENSSL_NO_COMP_ALG
1178	/* certificate compression preferences */
1179	int cert_comp_prefs[TLSEXT_comp_cert_limit];
1180	#endif
1181
1182	/* Certificate Type stuff - for RPK vs X.509 */
1183	unsigned char *client_cert_type;
1184	size_t client_cert_type_len;
1185	unsigned char *server_cert_type;
1186	size_t server_cert_type_len;
1187
1188	# ifndef OPENSSL_NO_QLOG
1189	char qlog_title; / Session title for qlog */
1190	# endif
1191	};
1192
1193	typedef struct cert_pkey_st CERT_PKEY;
1194
1195	#define SSL_TYPE_SSL_CONNECTION 0
1196	#define SSL_TYPE_QUIC_CONNECTION 1
1197	#define SSL_TYPE_QUIC_XSO 2
1198
1199	struct ssl_st {
1200	int type;
1201	SSL_CTX *ctx;
1202	const SSL_METHOD *defltmeth;
1203	const SSL_METHOD *method;
1204	CRYPTO_REF_COUNT references;
1205	CRYPTO_RWLOCK *lock;
1206	/* extra application data */
1207	CRYPTO_EX_DATA ex_data;
1208	};
1209
1210	struct ssl_connection_st {
1211	/* type identifier and common data */
1212	struct ssl_st ssl;
1213
1214	/*
1215	* The actual end user's SSL object. Could be different to this one for
1216	* QUIC
1217	*/
1218	SSL *user_ssl;
1219
1220	/*
1221	* protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
1222	* DTLS1_VERSION)
1223	*/
1224	int version;
1225	/*
1226	* There are 2 BIO's even though they are normally both the same. This
1227	* is so data can be read and written to different handlers
1228	*/
1229	/* used by SSL_read */
1230	BIO *rbio;
1231	/* used by SSL_write */
1232	BIO *wbio;
1233	/* used during session-id reuse to concatenate messages */
1234	BIO *bbio;
1235	/*
1236	* This holds a variable that indicates what we were doing when a 0 or -1
1237	* is returned. This is needed for non-blocking IO so we know what
1238	* request needs re-doing when in SSL_accept or SSL_connect
1239	*/
1240	int rwstate;
1241	int (handshake_func) (SSL );
1242	/*
1243	* Imagine that here's a boolean member "init" that is switched as soon
1244	* as SSL_set_{accept/connect}_state is called for the first time, so
1245	* that "state" and "handshake_func" are properly initialized. But as
1246	* handshake_func is == 0 until then, we use this test instead of an
1247	* "init" member.
1248	*/
1249	/* are we the server side? */
1250	int server;
1251	/*
1252	* Generate a new session or reuse an old one.
1253	* NB: For servers, the 'new' session may actually be a previously
1254	* cached session or even the previous session unless
1255	* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set
1256	*/
1257	int new_session;
1258	/* don't send shutdown packets */
1259	int quiet_shutdown;
1260	/* we have shut things down, 0x01 sent, 0x02 for received */
1261	int shutdown;
1262	/* Timestamps used to calculate the handshake RTT */
1263	OSSL_TIME ts_msg_write;
1264	OSSL_TIME ts_msg_read;
1265	/* where we are */
1266	OSSL_STATEM statem;
1267	SSL_EARLY_DATA_STATE early_data_state;
1268	BUF_MEM init_buf; / buffer used during init */
1269	void init_msg; / pointer to handshake message body, set by
1270	* tls_get_message_header() */
1271	size_t init_num; /* amount read/written */
1272	size_t init_off; /* amount read/written */
1273
1274	size_t ssl_pkey_num;
1275
1276	struct {
1277	long flags;
1278	unsigned char server_random[SSL3_RANDOM_SIZE];
1279	unsigned char client_random[SSL3_RANDOM_SIZE];
1280
1281	/* used during startup, digest all incoming/outgoing packets */
1282	BIO *handshake_buffer;
1283	/*
1284	* When handshake digest is determined, buffer is hashed and
1285	* freed and MD_CTX for the required digest is stored here.
1286	*/
1287	EVP_MD_CTX *handshake_dgst;
1288	/*
1289	* Set whenever an expected ChangeCipherSpec message is processed.
1290	* Unset when the peer's Finished message is received.
1291	* Unexpected ChangeCipherSpec messages trigger a fatal alert.
1292	*/
1293	int change_cipher_spec;
1294	int warn_alert;
1295	int fatal_alert;
1296	/*
1297	* we allow one fatal and one warning alert to be outstanding, send close
1298	* alert via the warning alert
1299	*/
1300	int alert_dispatch;
1301	unsigned char send_alert[2];
1302	/*
1303	* This flag is set when we should renegotiate ASAP, basically when there
1304	* is no more data in the read or write buffers
1305	*/
1306	int renegotiate;
1307	int total_renegotiations;
1308	int num_renegotiations;
1309	int in_read_app_data;
1310
1311	struct {
1312	/* actually only need to be 16+20 for SSLv3 and 12 for TLS */
1313	unsigned char finish_md[EVP_MAX_MD_SIZE * 2];
1314	size_t finish_md_len;
1315	unsigned char peer_finish_md[EVP_MAX_MD_SIZE * 2];
1316	size_t peer_finish_md_len;
1317	size_t message_size;
1318	int message_type;
1319	/* used to hold the new cipher we are going to use */
1320	const SSL_CIPHER *new_cipher;
1321	EVP_PKEY pkey; / holds short lived key exchange key */
1322	/* used for certificate requests */
1323	int cert_req;
1324	/* Certificate types in certificate request message. */
1325	uint8_t *ctype;
1326	size_t ctype_len;
1327	/* Certificate authorities list peer sent */
1328	STACK_OF(X509_NAME) *peer_ca_names;
1329	size_t key_block_length;
1330	unsigned char *key_block;
1331	const EVP_CIPHER *new_sym_enc;
1332	const EVP_MD *new_hash;
1333	int new_mac_pkey_type;
1334	size_t new_mac_secret_size;
1335	# ifndef OPENSSL_NO_COMP
1336	const SSL_COMP *new_compression;
1337	# else
1338	char *new_compression;
1339	# endif
1340	int cert_request;
1341	/* Raw values of the cipher list from a client */
1342	unsigned char *ciphers_raw;
1343	size_t ciphers_rawlen;
1344	/* Temporary storage for premaster secret */
1345	unsigned char *pms;
1346	size_t pmslen;
1347	# ifndef OPENSSL_NO_PSK
1348	/* Temporary storage for PSK key */
1349	unsigned char *psk;
1350	size_t psklen;
1351	# endif
1352	/* Signature algorithm we actually use */
1353	const struct sigalg_lookup_st *sigalg;
1354	/* Pointer to certificate we use */
1355	CERT_PKEY *cert;
1356	/*
1357	* signature algorithms peer reports: e.g. supported signature
1358	* algorithms extension for server or as part of a certificate
1359	* request for client.
1360	* Keep track of the algorithms for TLS and X.509 usage separately.
1361	*/
1362	uint16_t *peer_sigalgs;
1363	uint16_t *peer_cert_sigalgs;
1364	/* Size of above arrays */
1365	size_t peer_sigalgslen;
1366	size_t peer_cert_sigalgslen;
1367	/* Sigalg peer actually uses */
1368	const struct sigalg_lookup_st *peer_sigalg;
1369	/*
1370	* Set if corresponding CERT_PKEY can be used with current
1371	* SSL session: e.g. appropriate curve, signature algorithms etc.
1372	* If zero it can't be used at all.
1373	*/
1374	uint32_t *valid_flags;
1375	/*
1376	* For servers the following masks are for the key and auth algorithms
1377	* that are supported by the certs below. For clients they are masks of
1378	* disabled algorithms based on the current session.
1379	*/
1380	uint32_t mask_k;
1381	uint32_t mask_a;
1382	/*
1383	* The following are used by the client to see if a cipher is allowed or
1384	* not. It contains the minimum and maximum version the client's using
1385	* based on what it knows so far.
1386	*/
1387	int min_ver;
1388	int max_ver;
1389	} tmp;
1390
1391	/* Connection binding to prevent renegotiation attacks */
1392	unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
1393	size_t previous_client_finished_len;
1394	unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
1395	size_t previous_server_finished_len;
1396	int send_connection_binding;
1397
1398	# ifndef OPENSSL_NO_NEXTPROTONEG
1399	/*
1400	* Set if we saw the Next Protocol Negotiation extension from our peer.
1401	*/
1402	int npn_seen;
1403	# endif
1404
1405	/*
1406	* ALPN information (we are in the process of transitioning from NPN to
1407	* ALPN.)
1408	*/
1409
1410	/*
1411	* In a server these point to the selected ALPN protocol after the
1412	* ClientHello has been processed. In a client these contain the protocol
1413	* that the server selected once the ServerHello has been processed.
1414	*/
1415	unsigned char *alpn_selected;
1416	size_t alpn_selected_len;
1417	/* used by the server to know what options were proposed */
1418	unsigned char *alpn_proposed;
1419	size_t alpn_proposed_len;
1420	/* used by the client to know if it actually sent alpn */
1421	int alpn_sent;
1422
1423	/*
1424	* This is set to true if we believe that this is a version of Safari
1425	* running on OS X 10.6 or newer. We wish to know this because Safari on
1426	* 10.8 .. 10.8.3 has broken ECDHE-ECDSA support.
1427	*/
1428	char is_probably_safari;
1429
1430	/*
1431	* Track whether we did a key exchange this handshake or not, so
1432	* SSL_get_negotiated_group() knows whether to fall back to the
1433	* value in the SSL_SESSION.
1434	*/
1435	char did_kex;
1436	/* For clients: peer temporary key */
1437	/* The group_id for the key exchange key */
1438	uint16_t group_id;
1439	EVP_PKEY *peer_tmp;
1440
1441	} s3;
1442
1443	struct dtls1_state_st d1; / DTLSv1 variables */
1444	/* callback that allows applications to peek at protocol messages */
1445	void (*msg_callback) (int write_p, int version, int content_type,
1446	const void buf, size_t len, SSL ssl, void *arg);
1447	void *msg_callback_arg;
1448	int hit; /* reusing a previous session */
1449	X509_VERIFY_PARAM *param;
1450	/* Per connection DANE state */
1451	SSL_DANE dane;
1452	/* crypto */
1453	STACK_OF(SSL_CIPHER) *peer_ciphers;
1454	STACK_OF(SSL_CIPHER) *cipher_list;
1455	STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1456	/* TLSv1.3 specific ciphersuites */
1457	STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
1458	/*
1459	* These are the ones being used, the ones in SSL_SESSION are the ones to
1460	* be 'copied' into these ones
1461	*/
1462	uint32_t mac_flags;
1463	/*
1464	* The TLS1.3 secrets.
1465	*/
1466	unsigned char early_secret[EVP_MAX_MD_SIZE];
1467	unsigned char handshake_secret[EVP_MAX_MD_SIZE];
1468	unsigned char master_secret[EVP_MAX_MD_SIZE];
1469	unsigned char resumption_master_secret[EVP_MAX_MD_SIZE];
1470	unsigned char client_finished_secret[EVP_MAX_MD_SIZE];
1471	unsigned char server_finished_secret[EVP_MAX_MD_SIZE];
1472	unsigned char server_finished_hash[EVP_MAX_MD_SIZE];
1473	unsigned char handshake_traffic_hash[EVP_MAX_MD_SIZE];
1474	unsigned char client_app_traffic_secret[EVP_MAX_MD_SIZE];
1475	unsigned char server_app_traffic_secret[EVP_MAX_MD_SIZE];
1476	unsigned char exporter_master_secret[EVP_MAX_MD_SIZE];
1477	unsigned char early_exporter_master_secret[EVP_MAX_MD_SIZE];
1478
1479	/* session info */
1480	/* client cert? */
1481	/* This is used to hold the server certificate used */
1482	struct cert_st /* CERT / cert;
1483
1484	/*
1485	* The hash of all messages prior to the CertificateVerify, and the length
1486	* of that hash.
1487	*/
1488	unsigned char cert_verify_hash[EVP_MAX_MD_SIZE];
1489	size_t cert_verify_hash_len;
1490
1491	/* Flag to indicate whether we should send a HelloRetryRequest or not */
1492	enum {SSL_HRR_NONE = 0, SSL_HRR_PENDING, SSL_HRR_COMPLETE}
1493	hello_retry_request;
1494
1495	/*
1496	* the session_id_context is used to ensure sessions are only reused in
1497	* the appropriate context
1498	*/
1499	size_t sid_ctx_length;
1500	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
1501	/* This can also be in the session once a session is established */
1502	SSL_SESSION *session;
1503	/* TLSv1.3 PSK session */
1504	SSL_SESSION *psksession;
1505	unsigned char *psksession_id;
1506	size_t psksession_id_len;
1507	/* Default generate session ID callback. */
1508	GEN_SESSION_CB generate_session_id;
1509	/*
1510	* The temporary TLSv1.3 session id. This isn't really a session id at all
1511	* but is a random value sent in the legacy session id field.
1512	*/
1513	unsigned char tmp_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
1514	size_t tmp_session_id_len;
1515	/* Used in SSL3 */
1516	/*
1517	* 0 don't care about verify failure.
1518	* 1 fail if verify fails
1519	*/
1520	uint32_t verify_mode;
1521	/* fail if callback returns 0 */
1522	int (verify_callback) (int ok, X509_STORE_CTX ctx);
1523	/* optional informational callback */
1524	void (info_callback) (const SSL ssl, int type, int val);
1525	/* error bytes to be written */
1526	int error;
1527	/* actual code */
1528	int error_code;
1529	# ifndef OPENSSL_NO_PSK
1530	SSL_psk_client_cb_func psk_client_callback;
1531	SSL_psk_server_cb_func psk_server_callback;
1532	# endif
1533	SSL_psk_find_session_cb_func psk_find_session_cb;
1534	SSL_psk_use_session_cb_func psk_use_session_cb;
1535
1536	/* Verified chain of peer */
1537	STACK_OF(X509) *verified_chain;
1538	long verify_result;
1539	/*
1540	* What we put in certificate_authorities extension for TLS 1.3
1541	* (ClientHello and CertificateRequest) or just client cert requests for
1542	* earlier versions. If client_ca_names is populated then it is only used
1543	* for client cert requests, and in preference to ca_names.
1544	*/
1545	STACK_OF(X509_NAME) *ca_names;
1546	STACK_OF(X509_NAME) *client_ca_names;
1547	/* protocol behaviour */
1548	uint64_t options;
1549	/* API behaviour */
1550	uint32_t mode;
1551	int min_proto_version;
1552	int max_proto_version;
1553	size_t max_cert_list;
1554	int first_packet;
1555	/*
1556	* What was passed in ClientHello.legacy_version. Used for RSA pre-master
1557	* secret and SSLv3/TLS (<=1.2) rollback check
1558	*/
1559	int client_version;
1560	/*
1561	* If we're using more than one pipeline how should we divide the data
1562	* up between the pipes?
1563	*/
1564	size_t split_send_fragment;
1565	/*
1566	* Maximum amount of data to send in one fragment. actual record size can
1567	* be more than this due to padding and MAC overheads.
1568	*/
1569	size_t max_send_fragment;
1570	/* Up to how many pipelines should we use? If 0 then 1 is assumed */
1571	size_t max_pipelines;
1572
1573	struct {
1574	/* Built-in extension flags */
1575	uint8_t extflags[TLSEXT_IDX_num_builtins];
1576	/* TLS extension debug callback */
1577	void (debug_cb)(SSL s, int client_server, int type,
1578	const unsigned char data, int len, void arg);
1579	void *debug_arg;
1580	char *hostname;
1581	/* certificate status request info */
1582	/* Status type or -1 if no status type */
1583	int status_type;
1584	/* Raw extension data, if seen */
1585	unsigned char *scts;
1586	/* Length of raw extension data, if seen */
1587	uint16_t scts_len;
1588	/* Expect OCSP CertificateStatus message */
1589	int status_expected;
1590
1591	struct {
1592	/* OCSP status request only */
1593	STACK_OF(OCSP_RESPID) *ids;
1594	X509_EXTENSIONS *exts;
1595	/* OCSP response received or to be sent */
1596	unsigned char *resp;
1597	size_t resp_len;
1598	} ocsp;
1599
1600	/* RFC4507 session ticket expected to be received or sent */
1601	int ticket_expected;
1602	/* TLS 1.3 tickets requested by the application. */
1603	int extra_tickets_expected;
1604	size_t ecpointformats_len;
1605	/* our list */
1606	unsigned char *ecpointformats;
1607
1608	size_t peer_ecpointformats_len;
1609	/* peer's list */
1610	unsigned char *peer_ecpointformats;
1611	size_t supportedgroups_len;
1612	/* our list */
1613	uint16_t *supportedgroups;
1614
1615	size_t peer_supportedgroups_len;
1616	/* peer's list */
1617	uint16_t *peer_supportedgroups;
1618
1619	/* TLS Session Ticket extension override */
1620	TLS_SESSION_TICKET_EXT *session_ticket;
1621	/* TLS Session Ticket extension callback */
1622	tls_session_ticket_ext_cb_fn session_ticket_cb;
1623	void *session_ticket_cb_arg;
1624	/* TLS pre-shared secret session resumption */
1625	tls_session_secret_cb_fn session_secret_cb;
1626	void *session_secret_cb_arg;
1627	/*
1628	* For a client, this contains the list of supported protocols in wire
1629	* format.
1630	*/
1631	unsigned char *alpn;
1632	size_t alpn_len;
1633	/*
1634	* Next protocol negotiation. For the client, this is the protocol that
1635	* we sent in NextProtocol and is set when handling ServerHello
1636	* extensions. For a server, this is the client's selected_protocol from
1637	* NextProtocol and is set when handling the NextProtocol message, before
1638	* the Finished message.
1639	*/
1640	unsigned char *npn;
1641	size_t npn_len;
1642
1643	/* The available PSK key exchange modes */
1644	int psk_kex_mode;
1645
1646	/* Set to one if we have negotiated ETM */
1647	int use_etm;
1648
1649	/* Are we expecting to receive early data? */
1650	int early_data;
1651	/* Is the session suitable for early data? */
1652	int early_data_ok;
1653
1654	/* May be sent by a server in HRR. Must be echoed back in ClientHello */
1655	unsigned char *tls13_cookie;
1656	size_t tls13_cookie_len;
1657	/* Have we received a cookie from the client? */
1658	int cookieok;
1659
1660	/*
1661	* Maximum Fragment Length as per RFC 4366.
1662	* If this member contains one of the allowed values (1-4)
1663	* then we should include Maximum Fragment Length Negotiation
1664	* extension in Client Hello.
1665	* Please note that value of this member does not have direct
1666	* effect. The actual (binding) value is stored in SSL_SESSION,
1667	* as this extension is optional on server side.
1668	*/
1669	uint8_t max_fragment_len_mode;
1670
1671	/*
1672	* On the client side the number of ticket identities we sent in the
1673	* ClientHello. On the server side the identity of the ticket we
1674	* selected.
1675	*/
1676	int tick_identity;
1677
1678	/* This is the list of algorithms the peer supports that we also support */
1679	int compress_certificate_from_peer[TLSEXT_comp_cert_limit];
1680	/* indicate that we sent the extension, so we'll accept it */
1681	int compress_certificate_sent;
1682
1683	uint8_t client_cert_type;
1684	uint8_t client_cert_type_ctos;
1685	uint8_t server_cert_type;
1686	uint8_t server_cert_type_ctos;
1687	} ext;
1688
1689	/*
1690	* Parsed form of the ClientHello, kept around across client_hello_cb
1691	* calls.
1692	*/
1693	CLIENTHELLO_MSG *clienthello;
1694
1695	/*-
1696	* no further mod of servername
1697	* 0 : call the servername extension callback.
1698	* 1 : prepare 2, allow last ack just after in server callback.
1699	* 2 : don't call servername callback, no ack in server hello
1700	*/
1701	int servername_done;
1702	# ifndef OPENSSL_NO_CT
1703	/*
1704	* Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
1705	* If they are not, the connection should be aborted.
1706	*/
1707	ssl_ct_validation_cb ct_validation_callback;
1708	/* User-supplied argument that is passed to the ct_validation_callback */
1709	void *ct_validation_callback_arg;
1710	/*
1711	* Consolidated stack of SCTs from all sources.
1712	* Lazily populated by CT_get_peer_scts(SSL*)
1713	*/
1714	STACK_OF(SCT) *scts;
1715	/* Have we attempted to find/parse SCTs yet? */
1716	int scts_parsed;
1717	# endif
1718	SSL_CTX session_ctx; / initial ctx, used to store sessions */
1719	# ifndef OPENSSL_NO_SRTP
1720	/* What we'll do */
1721	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
1722	/* What's been chosen */
1723	SRTP_PROTECTION_PROFILE *srtp_profile;
1724	# endif
1725	/*-
1726	* 1 if we are renegotiating.
1727	* 2 if we are a server and are inside a handshake
1728	* (i.e. not just sending a HelloRequest)
1729	*/
1730	int renegotiate;
1731	/* If sending a KeyUpdate is pending */
1732	int key_update;
1733	/* Post-handshake authentication state */
1734	SSL_PHA_STATE post_handshake_auth;
1735	int pha_enabled;
1736	uint8_t* pha_context;
1737	size_t pha_context_len;
1738	int certreqs_sent;
1739	EVP_MD_CTX pha_dgst; / this is just the digest through ClientFinished */
1740
1741	# ifndef OPENSSL_NO_SRP
1742	/* ctx for SRP authentication */
1743	SRP_CTX srp_ctx;
1744	# endif
1745	/*
1746	* Callback for disabling session caching and ticket support on a session
1747	* basis, depending on the chosen cipher.
1748	*/
1749	int (not_resumable_session_cb) (SSL ssl, int is_forward_secure);
1750
1751	/* Record layer data */
1752	RECORD_LAYER rlayer;
1753
1754	/* Default password callback. */
1755	pem_password_cb *default_passwd_callback;
1756	/* Default password callback user data. */
1757	void *default_passwd_callback_userdata;
1758	/* Async Job info */
1759	ASYNC_JOB *job;
1760	ASYNC_WAIT_CTX *waitctx;
1761	size_t asyncrw;
1762
1763	/*
1764	* The maximum number of bytes advertised in session tickets that can be
1765	* sent as early data.
1766	*/
1767	uint32_t max_early_data;
1768	/*
1769	* The maximum number of bytes of early data that a server will tolerate
1770	* (which should be at least as much as max_early_data).
1771	*/
1772	uint32_t recv_max_early_data;
1773
1774	/*
1775	* The number of bytes of early data received so far. If we accepted early
1776	* data then this is a count of the plaintext bytes. If we rejected it then
1777	* this is a count of the ciphertext bytes.
1778	*/
1779	uint32_t early_data_count;
1780
1781	/* The number of TLS1.3 tickets to automatically send */
1782	size_t num_tickets;
1783	/* The number of TLS1.3 tickets actually sent so far */
1784	size_t sent_tickets;
1785	/* The next nonce value to use when we send a ticket on this connection */
1786	uint64_t next_ticket_nonce;
1787
1788	/* Callback to determine if early_data is acceptable or not */
1789	SSL_allow_early_data_cb_fn allow_early_data_cb;
1790	void *allow_early_data_cb_data;
1791
1792	/* Callback for SSL async handling */
1793	SSL_async_callback_fn async_cb;
1794	void *async_cb_arg;
1795
1796	/*
1797	* Signature algorithms shared by client and server: cached because these
1798	* are used most often.
1799	*/
1800	const struct sigalg_lookup_st **shared_sigalgs;
1801	size_t shared_sigalgslen;
1802
1803	#ifndef OPENSSL_NO_COMP_ALG
1804	/* certificate compression preferences */
1805	int cert_comp_prefs[TLSEXT_comp_cert_limit];
1806	#endif
1807
1808	/* Certificate Type stuff - for RPK vs X.509 */
1809	unsigned char *client_cert_type;
1810	size_t client_cert_type_len;
1811	unsigned char *server_cert_type;
1812	size_t server_cert_type_len;
1813	};
1814
1815	# define SSL_CONNECTION_FROM_SSL_ONLY_int(ssl, c) \
1816	((ssl) == NULL ? NULL \
1817	: ((ssl)->type == SSL_TYPE_SSL_CONNECTION \
1818	? (c SSL_CONNECTION *)(ssl) \
1819	: NULL))
1820	# define SSL_CONNECTION_NO_CONST
1821	# define SSL_CONNECTION_FROM_SSL_ONLY(ssl) \
1822	SSL_CONNECTION_FROM_SSL_ONLY_int(ssl, SSL_CONNECTION_NO_CONST)
1823	# define SSL_CONNECTION_FROM_CONST_SSL_ONLY(ssl) \
1824	SSL_CONNECTION_FROM_SSL_ONLY_int(ssl, const)
1825	# define SSL_CONNECTION_GET_CTX(sc) ((sc)->ssl.ctx)
1826	# define SSL_CONNECTION_GET_SSL(sc) (&(sc)->ssl)
1827	# define SSL_CONNECTION_GET_USER_SSL(sc) ((sc)->user_ssl)
1828	# ifndef OPENSSL_NO_QUIC
1829	# include "quic/quic_local.h"
1830	# define SSL_CONNECTION_FROM_SSL_int(ssl, c) \
1831	((ssl) == NULL ? NULL \
1832	: ((ssl)->type == SSL_TYPE_SSL_CONNECTION \
1833	? (c SSL_CONNECTION *)(ssl) \
1834	: ((ssl)->type == SSL_TYPE_QUIC_CONNECTION \
1835	? (c SSL_CONNECTION )((c QUIC_CONNECTION )(ssl))->tls \
1836	: NULL)))
1837	# define SSL_CONNECTION_FROM_SSL(ssl) \
1838	SSL_CONNECTION_FROM_SSL_int(ssl, SSL_CONNECTION_NO_CONST)
1839	# define SSL_CONNECTION_FROM_CONST_SSL(ssl) \
1840	SSL_CONNECTION_FROM_SSL_int(ssl, const)
1841	# else
1842	# define SSL_CONNECTION_FROM_SSL(ssl) \
1843	SSL_CONNECTION_FROM_SSL_ONLY_int(ssl, SSL_CONNECTION_NO_CONST)
1844	# define SSL_CONNECTION_FROM_CONST_SSL(ssl) \
1845	SSL_CONNECTION_FROM_SSL_ONLY_int(ssl, const)
1846	# endif
1847
1848	/*
1849	* Structure containing table entry of values associated with the signature
1850	* algorithms (signature scheme) extension
1851	*/
1852	typedef struct sigalg_lookup_st {
1853	/* TLS 1.3 signature scheme name */
1854	const char *name;
1855	/* Raw value used in extension */
1856	uint16_t sigalg;
1857	/* NID of hash algorithm or NID_undef if no hash */
1858	int hash;
1859	/* Index of hash algorithm or -1 if no hash algorithm */
1860	int hash_idx;
1861	/* NID of signature algorithm */
1862	int sig;
1863	/* Index of signature algorithm */
1864	int sig_idx;
1865	/* Combined hash and signature NID, if any */
1866	int sigandhash;
1867	/* Required public key curve (ECDSA only) */
1868	int curve;
1869	/* Whether this signature algorithm is actually available for use */
1870	int enabled;
1871	} SIGALG_LOOKUP;
1872
1873	/* DTLS structures */
1874
1875	# ifndef OPENSSL_NO_SCTP
1876	# define DTLS1_SCTP_AUTH_LABEL "EXPORTER_DTLS_OVER_SCTP"
1877	# endif
1878
1879	/* Max MTU overhead we know about so far is 40 for IPv6 + 8 for UDP */
1880	# define DTLS1_MAX_MTU_OVERHEAD 48
1881
1882	/*
1883	* Flag used in message reuse to indicate the buffer contains the record
1884	* header as well as the handshake message header.
1885	*/
1886	# define DTLS1_SKIP_RECORD_HEADER 2
1887
1888	struct dtls1_retransmit_state {
1889	const OSSL_RECORD_METHOD *wrlmethod;
1890	OSSL_RECORD_LAYER *wrl;
1891	};
1892
1893	struct hm_header_st {
1894	unsigned char type;
1895	size_t msg_len;
1896	unsigned short seq;
1897	size_t frag_off;
1898	size_t frag_len;
1899	unsigned int is_ccs;
1900	struct dtls1_retransmit_state saved_retransmit_state;
1901	};
1902
1903	typedef struct hm_fragment_st {
1904	struct hm_header_st msg_header;
1905	unsigned char *fragment;
1906	unsigned char *reassembly;
1907	} hm_fragment;
1908
1909	typedef struct pqueue_st pqueue;
1910	typedef struct pitem_st pitem;
1911
1912	struct pitem_st {
1913	unsigned char priority[8]; /* 64-bit value in big-endian encoding */
1914	void *data;
1915	pitem *next;
1916	};
1917
1918	typedef struct pitem_st *piterator;
1919
1920	pitem pitem_new(unsigned char prio64be, void *data);
1921	void pitem_free(pitem *item);
1922	pqueue *pqueue_new(void);
1923	void pqueue_free(pqueue *pq);
1924	pitem pqueue_insert(pqueue pq, pitem *item);
1925	pitem pqueue_peek(pqueue pq);
1926	pitem pqueue_pop(pqueue pq);
1927	pitem pqueue_find(pqueue pq, unsigned char *prio64be);
1928	pitem pqueue_iterator(pqueue pq);
1929	pitem pqueue_next(piterator iter);
1930	size_t pqueue_size(pqueue *pq);
1931
1932	typedef struct dtls1_state_st {
1933	unsigned char cookie[DTLS1_COOKIE_LENGTH];
1934	size_t cookie_len;
1935	unsigned int cookie_verified;
1936	/* handshake message numbers */
1937	unsigned short handshake_write_seq;
1938	unsigned short next_handshake_write_seq;
1939	unsigned short handshake_read_seq;
1940	/* Buffered handshake messages */
1941	pqueue *buffered_messages;
1942	/* Buffered (sent) handshake records */
1943	pqueue *sent_messages;
1944	size_t link_mtu; /* max on-the-wire DTLS packet size */
1945	size_t mtu; /* max DTLS packet size */
1946	struct hm_header_st w_msg_hdr;
1947	struct hm_header_st r_msg_hdr;
1948	/* Number of alerts received so far */
1949	unsigned int timeout_num_alerts;
1950	/*
1951	* Indicates when the last handshake msg sent will timeout
1952	*/
1953	OSSL_TIME next_timeout;
1954	/* Timeout duration */
1955	unsigned int timeout_duration_us;
1956
1957	unsigned int retransmitting;
1958	# ifndef OPENSSL_NO_SCTP
1959	int shutdown_received;
1960	# endif
1961
1962	DTLS_timer_cb timer_cb;
1963
1964	} DTLS1_STATE;
1965
1966	/*
1967	* From ECC-TLS draft, used in encoding the curve type in ECParameters
1968	*/
1969	# define EXPLICIT_PRIME_CURVE_TYPE 1
1970	# define EXPLICIT_CHAR2_CURVE_TYPE 2
1971	# define NAMED_CURVE_TYPE 3
1972
1973	# ifndef OPENSSL_NO_COMP_ALG
1974	struct ossl_comp_cert_st {
1975	unsigned char *data;
1976	size_t len;
1977	size_t orig_len;
1978	CRYPTO_REF_COUNT references;
1979	int alg;
1980	};
1981	typedef struct ossl_comp_cert_st OSSL_COMP_CERT;
1982
1983	void OSSL_COMP_CERT_free(OSSL_COMP_CERT *c);
1984	int OSSL_COMP_CERT_up_ref(OSSL_COMP_CERT *c);
1985	# endif
1986
1987	struct cert_pkey_st {
1988	X509 *x509;
1989	EVP_PKEY *privatekey;
1990	/* Chain for this certificate */
1991	STACK_OF(X509) *chain;
1992	/*-
1993	* serverinfo data for this certificate. The data is in TLS Extension
1994	* wire format, specifically it's a series of records like:
1995	* uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension)
1996	* uint16_t length;
1997	* uint8_t data[length];
1998	*/
1999	unsigned char *serverinfo;
2000	size_t serverinfo_length;
2001	# ifndef OPENSSL_NO_COMP_ALG
2002	/* Compressed certificate data - index 0 is unused */
2003	OSSL_COMP_CERT *comp_cert[TLSEXT_comp_cert_limit];
2004	int cert_comp_used;
2005	# endif
2006	};
2007	/* Retrieve Suite B flags */
2008	# define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
2009	/* Uses to check strict mode: suite B modes are always strict */
2010	# define SSL_CERT_FLAGS_CHECK_TLS_STRICT \
2011	(SSL_CERT_FLAG_SUITEB_128_LOS\|SSL_CERT_FLAG_TLS_STRICT)
2012
2013	typedef enum {
2014	ENDPOINT_CLIENT = 0,
2015	ENDPOINT_SERVER,
2016	ENDPOINT_BOTH
2017	} ENDPOINT;
2018
2019
2020	typedef struct {
2021	unsigned short ext_type;
2022	ENDPOINT role;
2023	/* The context which this extension applies to */
2024	unsigned int context;
2025	/*
2026	* Per-connection flags relating to this extension type: not used if
2027	* part of an SSL_CTX structure.
2028	*/
2029	uint32_t ext_flags;
2030	SSL_custom_ext_add_cb_ex add_cb;
2031	SSL_custom_ext_free_cb_ex free_cb;
2032	void *add_arg;
2033	SSL_custom_ext_parse_cb_ex parse_cb;
2034	void *parse_arg;
2035	} custom_ext_method;
2036
2037	/* ext_flags values */
2038
2039	/*
2040	* Indicates an extension has been received. Used to check for unsolicited or
2041	* duplicate extensions.
2042	*/
2043	# define SSL_EXT_FLAG_RECEIVED 0x1
2044	/*
2045	* Indicates an extension has been sent: used to enable sending of
2046	* corresponding ServerHello extension.
2047	*/
2048	# define SSL_EXT_FLAG_SENT 0x2
2049
2050	typedef struct {
2051	custom_ext_method *meths;
2052	size_t meths_count;
2053	} custom_ext_methods;
2054
2055	typedef struct cert_st {
2056	/* Current active set */
2057	/*
2058	* ALWAYS points to an element of the pkeys array
2059	* Probably it would make more sense to store
2060	* an index, not a pointer.
2061	*/
2062	CERT_PKEY *key;
2063
2064	EVP_PKEY *dh_tmp;
2065	DH (dh_tmp_cb) (SSL *ssl, int is_export, int keysize);
2066	int dh_tmp_auto;
2067	/* Flags related to certificates */
2068	uint32_t cert_flags;
2069	CERT_PKEY *pkeys;
2070	size_t ssl_pkey_num;
2071	/* Custom certificate types sent in certificate request message. */
2072	uint8_t *ctype;
2073	size_t ctype_len;
2074	/*
2075	* supported signature algorithms. When set on a client this is sent in
2076	* the client hello as the supported signature algorithms extension. For
2077	* servers it represents the signature algorithms we are willing to use.
2078	*/
2079	uint16_t *conf_sigalgs;
2080	/* Size of above array */
2081	size_t conf_sigalgslen;
2082	/*
2083	* Client authentication signature algorithms, if not set then uses
2084	* conf_sigalgs. On servers these will be the signature algorithms sent
2085	* to the client in a certificate request for TLS 1.2. On a client this
2086	* represents the signature algorithms we are willing to use for client
2087	* authentication.
2088	*/
2089	uint16_t *client_sigalgs;
2090	/* Size of above array */
2091	size_t client_sigalgslen;
2092	/*
2093	* Certificate setup callback: if set is called whenever a certificate
2094	* may be required (client or server). the callback can then examine any
2095	* appropriate parameters and setup any certificates required. This
2096	* allows advanced applications to select certificates on the fly: for
2097	* example based on supported signature algorithms or curves.
2098	*/
2099	int (cert_cb) (SSL ssl, void *arg);
2100	void *cert_cb_arg;
2101	/*
2102	* Optional X509_STORE for chain building or certificate validation If
2103	* NULL the parent SSL_CTX store is used instead.
2104	*/
2105	X509_STORE *chain_store;
2106	X509_STORE *verify_store;
2107	/* Custom extensions */
2108	custom_ext_methods custext;
2109	/* Security callback */
2110	int (sec_cb) (const SSL s, const SSL_CTX *ctx, int op, int bits, int nid,
2111	void other, void ex);
2112	/* Security level */
2113	int sec_level;
2114	void *sec_ex;
2115	# ifndef OPENSSL_NO_PSK
2116	/* If not NULL psk identity hint to use for servers */
2117	char *psk_identity_hint;
2118	# endif
2119	CRYPTO_REF_COUNT references; /* >1 only if SSL_copy_session_id is used */
2120	} CERT;
2121
2122	# define FP_ICC (int ()(const void ,const void *))
2123
2124	/*
2125	* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit
2126	* of a mess of functions, but hell, think of it as an opaque structure :-)
2127	*/
2128	typedef struct ssl3_enc_method {
2129	int (setup_key_block) (SSL_CONNECTION );
2130	int (generate_master_secret) (SSL_CONNECTION , unsigned char *,
2131	unsigned char , size_t, size_t );
2132	int (change_cipher_state) (SSL_CONNECTION , int);
2133	size_t (final_finish_mac) (SSL_CONNECTION , const char *, size_t,
2134	unsigned char *);
2135	const char *client_finished_label;
2136	size_t client_finished_label_len;
2137	const char *server_finished_label;
2138	size_t server_finished_label_len;
2139	int (*alert_value) (int);
2140	int (export_keying_material) (SSL_CONNECTION , unsigned char *, size_t,
2141	const char *, size_t,
2142	const unsigned char *, size_t,
2143	int use_context);
2144	/* Various flags indicating protocol version requirements */
2145	uint32_t enc_flags;
2146	/* Set the handshake header */
2147	int (set_handshake_header) (SSL_CONNECTION s, WPACKET *pkt, int type);
2148	/* Close construction of the handshake message */
2149	int (close_construct_packet) (SSL_CONNECTION s, WPACKET *pkt, int htype);
2150	/* Write out handshake message */
2151	int (do_write) (SSL_CONNECTION s);
2152	} SSL3_ENC_METHOD;
2153
2154	# define ssl_set_handshake_header(s, pkt, htype) \
2155	SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->set_handshake_header((s), (pkt), (htype))
2156	# define ssl_close_construct_packet(s, pkt, htype) \
2157	SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->close_construct_packet((s), (pkt), (htype))
2158	# define ssl_do_write(s) SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->do_write(s)
2159
2160	/* Values for enc_flags */
2161
2162	/* Uses signature algorithms extension */
2163	# define SSL_ENC_FLAG_SIGALGS 0x2
2164	/* Uses SHA256 default PRF */
2165	# define SSL_ENC_FLAG_SHA256_PRF 0x4
2166	/* Is DTLS */
2167	# define SSL_ENC_FLAG_DTLS 0x8
2168	/*
2169	* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2: may
2170	* apply to others in future.
2171	*/
2172	# define SSL_ENC_FLAG_TLS1_2_CIPHERS 0x10
2173
2174	typedef enum downgrade_en {
2175	DOWNGRADE_NONE,
2176	DOWNGRADE_TO_1_2,
2177	DOWNGRADE_TO_1_1
2178	} DOWNGRADE;
2179
2180	/*
2181	* Dummy status type for the status_type extension. Indicates no status type
2182	* set
2183	*/
2184	#define TLSEXT_STATUSTYPE_nothing -1
2185
2186	/* Sigalgs values */
2187	#define TLSEXT_SIGALG_ecdsa_secp256r1_sha256 0x0403
2188	#define TLSEXT_SIGALG_ecdsa_secp384r1_sha384 0x0503
2189	#define TLSEXT_SIGALG_ecdsa_secp521r1_sha512 0x0603
2190	#define TLSEXT_SIGALG_ecdsa_sha224 0x0303
2191	#define TLSEXT_SIGALG_ecdsa_sha1 0x0203
2192	#define TLSEXT_SIGALG_rsa_pss_rsae_sha256 0x0804
2193	#define TLSEXT_SIGALG_rsa_pss_rsae_sha384 0x0805
2194	#define TLSEXT_SIGALG_rsa_pss_rsae_sha512 0x0806
2195	#define TLSEXT_SIGALG_rsa_pss_pss_sha256 0x0809
2196	#define TLSEXT_SIGALG_rsa_pss_pss_sha384 0x080a
2197	#define TLSEXT_SIGALG_rsa_pss_pss_sha512 0x080b
2198	#define TLSEXT_SIGALG_rsa_pkcs1_sha256 0x0401
2199	#define TLSEXT_SIGALG_rsa_pkcs1_sha384 0x0501
2200	#define TLSEXT_SIGALG_rsa_pkcs1_sha512 0x0601
2201	#define TLSEXT_SIGALG_rsa_pkcs1_sha224 0x0301
2202	#define TLSEXT_SIGALG_rsa_pkcs1_sha1 0x0201
2203	#define TLSEXT_SIGALG_dsa_sha256 0x0402
2204	#define TLSEXT_SIGALG_dsa_sha384 0x0502
2205	#define TLSEXT_SIGALG_dsa_sha512 0x0602
2206	#define TLSEXT_SIGALG_dsa_sha224 0x0302
2207	#define TLSEXT_SIGALG_dsa_sha1 0x0202
2208	#define TLSEXT_SIGALG_gostr34102012_256_intrinsic 0x0840
2209	#define TLSEXT_SIGALG_gostr34102012_512_intrinsic 0x0841
2210	#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 0xeeee
2211	#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 0xefef
2212	#define TLSEXT_SIGALG_gostr34102001_gostr3411 0xeded
2213
2214	#define TLSEXT_SIGALG_ed25519 0x0807
2215	#define TLSEXT_SIGALG_ed448 0x0808
2216	#define TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256 0x081a
2217	#define TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384 0x081b
2218	#define TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512 0x081c
2219
2220	/* Sigalgs names */
2221	#define TLSEXT_SIGALG_ecdsa_secp256r1_sha256_name "ecdsa_secp256r1_sha256"
2222	#define TLSEXT_SIGALG_ecdsa_secp384r1_sha384_name "ecdsa_secp384r1_sha384"
2223	#define TLSEXT_SIGALG_ecdsa_secp521r1_sha512_name "ecdsa_secp521r1_sha512"
2224	#define TLSEXT_SIGALG_ecdsa_sha224_name "ecdsa_sha224"
2225	#define TLSEXT_SIGALG_ecdsa_sha1_name "ecdsa_sha1"
2226	#define TLSEXT_SIGALG_rsa_pss_rsae_sha256_name "rsa_pss_rsae_sha256"
2227	#define TLSEXT_SIGALG_rsa_pss_rsae_sha384_name "rsa_pss_rsae_sha384"
2228	#define TLSEXT_SIGALG_rsa_pss_rsae_sha512_name "rsa_pss_rsae_sha512"
2229	#define TLSEXT_SIGALG_rsa_pss_pss_sha256_name "rsa_pss_pss_sha256"
2230	#define TLSEXT_SIGALG_rsa_pss_pss_sha384_name "rsa_pss_pss_sha384"
2231	#define TLSEXT_SIGALG_rsa_pss_pss_sha512_name "rsa_pss_pss_sha512"
2232	#define TLSEXT_SIGALG_rsa_pkcs1_sha256_name "rsa_pkcs1_sha256"
2233	#define TLSEXT_SIGALG_rsa_pkcs1_sha384_name "rsa_pkcs1_sha384"
2234	#define TLSEXT_SIGALG_rsa_pkcs1_sha512_name "rsa_pkcs1_sha512"
2235	#define TLSEXT_SIGALG_rsa_pkcs1_sha224_name "rsa_pkcs1_sha224"
2236	#define TLSEXT_SIGALG_rsa_pkcs1_sha1_name "rsa_pkcs1_sha1"
2237	#define TLSEXT_SIGALG_dsa_sha256_name "dsa_sha256"
2238	#define TLSEXT_SIGALG_dsa_sha384_name "dsa_sha384"
2239	#define TLSEXT_SIGALG_dsa_sha512_name "dsa_sha512"
2240	#define TLSEXT_SIGALG_dsa_sha224_name "dsa_sha224"
2241	#define TLSEXT_SIGALG_dsa_sha1_name "dsa_sha1"
2242	#define TLSEXT_SIGALG_gostr34102012_256_intrinsic_name "gost2012_256"
2243	#define TLSEXT_SIGALG_gostr34102012_512_intrinsic_name "gost2012_512"
2244	#define TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256_name "gost2012_256"
2245	#define TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512_name "gost2012_512"
2246	#define TLSEXT_SIGALG_gostr34102001_gostr3411_name "gost2001_gost94"
2247
2248	#define TLSEXT_SIGALG_ed25519_name "ed25519"
2249	#define TLSEXT_SIGALG_ed448_name "ed448"
2250	#define TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name "ecdsa_brainpoolP256r1_sha256"
2251	#define TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name "ecdsa_brainpoolP384r1_sha384"
2252	#define TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name "ecdsa_brainpoolP512r1_sha512"
2253
2254	/* Known PSK key exchange modes */
2255	#define TLSEXT_KEX_MODE_KE 0x00
2256	#define TLSEXT_KEX_MODE_KE_DHE 0x01
2257
2258	/*
2259	* Internal representations of key exchange modes
2260	*/
2261	#define TLSEXT_KEX_MODE_FLAG_NONE 0
2262	#define TLSEXT_KEX_MODE_FLAG_KE 1
2263	#define TLSEXT_KEX_MODE_FLAG_KE_DHE 2
2264
2265	#define SSL_USE_PSS(s) (s->s3.tmp.peer_sigalg != NULL && \
2266	s->s3.tmp.peer_sigalg->sig == EVP_PKEY_RSA_PSS)
2267
2268	/* A dummy signature value not valid for TLSv1.2 signature algs */
2269	#define TLSEXT_signature_rsa_pss 0x0101
2270
2271	/* TLSv1.3 downgrade protection sentinel values */
2272	extern const unsigned char tls11downgrade[8];
2273	extern const unsigned char tls12downgrade[8];
2274
2275	extern const SSL3_ENC_METHOD ssl3_undef_enc_method;
2276
2277	__owur const SSL_METHOD *sslv3_method(void);
2278	__owur const SSL_METHOD *sslv3_server_method(void);
2279	__owur const SSL_METHOD *sslv3_client_method(void);
2280	__owur const SSL_METHOD *tlsv1_method(void);
2281	__owur const SSL_METHOD *tlsv1_server_method(void);
2282	__owur const SSL_METHOD *tlsv1_client_method(void);
2283	__owur const SSL_METHOD *tlsv1_1_method(void);
2284	__owur const SSL_METHOD *tlsv1_1_server_method(void);
2285	__owur const SSL_METHOD *tlsv1_1_client_method(void);
2286	__owur const SSL_METHOD *tlsv1_2_method(void);
2287	__owur const SSL_METHOD *tlsv1_2_server_method(void);
2288	__owur const SSL_METHOD *tlsv1_2_client_method(void);
2289	__owur const SSL_METHOD *tlsv1_3_method(void);
2290	__owur const SSL_METHOD *tlsv1_3_server_method(void);
2291	__owur const SSL_METHOD *tlsv1_3_client_method(void);
2292	__owur const SSL_METHOD *dtlsv1_method(void);
2293	__owur const SSL_METHOD *dtlsv1_server_method(void);
2294	__owur const SSL_METHOD *dtlsv1_client_method(void);
2295	__owur const SSL_METHOD *dtls_bad_ver_client_method(void);
2296	__owur const SSL_METHOD *dtlsv1_2_method(void);
2297	__owur const SSL_METHOD *dtlsv1_2_server_method(void);
2298	__owur const SSL_METHOD *dtlsv1_2_client_method(void);
2299
2300	extern const SSL3_ENC_METHOD TLSv1_enc_data;
2301	extern const SSL3_ENC_METHOD TLSv1_1_enc_data;
2302	extern const SSL3_ENC_METHOD TLSv1_2_enc_data;
2303	extern const SSL3_ENC_METHOD TLSv1_3_enc_data;
2304	extern const SSL3_ENC_METHOD SSLv3_enc_data;
2305	extern const SSL3_ENC_METHOD DTLSv1_enc_data;
2306	extern const SSL3_ENC_METHOD DTLSv1_2_enc_data;
2307
2308	/*
2309	* Flags for SSL methods
2310	*/
2311	# define SSL_METHOD_NO_FIPS (1U<<0)
2312	# define SSL_METHOD_NO_SUITEB (1U<<1)
2313
2314	# define IMPLEMENT_tls_meth_func(version, flags, mask, func_name, s_accept, \
2315	s_connect, enc_data) \
2316	const SSL_METHOD *func_name(void) \
2317	{ \
2318	static const SSL_METHOD func_name##_data= { \
2319	version, \
2320	flags, \
2321	mask, \
2322	ossl_ssl_connection_new, \
2323	ossl_ssl_connection_free, \
2324	ossl_ssl_connection_reset, \
2325	tls1_new, \
2326	tls1_clear, \
2327	tls1_free, \
2328	s_accept, \
2329	s_connect, \
2330	ssl3_read, \
2331	ssl3_peek, \
2332	ssl3_write, \
2333	ssl3_shutdown, \
2334	ssl3_renegotiate, \
2335	ssl3_renegotiate_check, \
2336	ssl3_read_bytes, \
2337	ssl3_write_bytes, \
2338	ssl3_dispatch_alert, \
2339	ssl3_ctrl, \
2340	ssl3_ctx_ctrl, \
2341	ssl3_get_cipher_by_char, \
2342	ssl3_put_cipher_by_char, \
2343	ssl3_pending, \
2344	ssl3_num_ciphers, \
2345	ssl3_get_cipher, \
2346	tls1_default_timeout, \
2347	&enc_data, \
2348	ssl_undefined_void_function, \
2349	ssl3_callback_ctrl, \
2350	ssl3_ctx_callback_ctrl, \
2351	}; \
2352	return &func_name##_data; \
2353	}
2354
2355	# define IMPLEMENT_ssl3_meth_func(func_name, s_accept, s_connect) \
2356	const SSL_METHOD *func_name(void) \
2357	{ \
2358	static const SSL_METHOD func_name##_data= { \
2359	SSL3_VERSION, \
2360	SSL_METHOD_NO_FIPS \| SSL_METHOD_NO_SUITEB, \
2361	SSL_OP_NO_SSLv3, \
2362	ossl_ssl_connection_new, \
2363	ossl_ssl_connection_free, \
2364	ossl_ssl_connection_reset, \
2365	ssl3_new, \
2366	ssl3_clear, \
2367	ssl3_free, \
2368	s_accept, \
2369	s_connect, \
2370	ssl3_read, \
2371	ssl3_peek, \
2372	ssl3_write, \
2373	ssl3_shutdown, \
2374	ssl3_renegotiate, \
2375	ssl3_renegotiate_check, \
2376	ssl3_read_bytes, \
2377	ssl3_write_bytes, \
2378	ssl3_dispatch_alert, \
2379	ssl3_ctrl, \
2380	ssl3_ctx_ctrl, \
2381	ssl3_get_cipher_by_char, \
2382	ssl3_put_cipher_by_char, \
2383	ssl3_pending, \
2384	ssl3_num_ciphers, \
2385	ssl3_get_cipher, \
2386	ssl3_default_timeout, \
2387	&SSLv3_enc_data, \
2388	ssl_undefined_void_function, \
2389	ssl3_callback_ctrl, \
2390	ssl3_ctx_callback_ctrl, \
2391	}; \
2392	return &func_name##_data; \
2393	}
2394
2395	# define IMPLEMENT_dtls1_meth_func(version, flags, mask, func_name, s_accept, \
2396	s_connect, enc_data) \
2397	const SSL_METHOD *func_name(void) \
2398	{ \
2399	static const SSL_METHOD func_name##_data= { \
2400	version, \
2401	flags, \
2402	mask, \
2403	ossl_ssl_connection_new, \
2404	ossl_ssl_connection_free, \
2405	ossl_ssl_connection_reset, \
2406	dtls1_new, \
2407	dtls1_clear, \
2408	dtls1_free, \
2409	s_accept, \
2410	s_connect, \
2411	ssl3_read, \
2412	ssl3_peek, \
2413	ssl3_write, \
2414	dtls1_shutdown, \
2415	ssl3_renegotiate, \
2416	ssl3_renegotiate_check, \
2417	dtls1_read_bytes, \
2418	dtls1_write_app_data_bytes, \
2419	dtls1_dispatch_alert, \
2420	dtls1_ctrl, \
2421	ssl3_ctx_ctrl, \
2422	ssl3_get_cipher_by_char, \
2423	ssl3_put_cipher_by_char, \
2424	ssl3_pending, \
2425	ssl3_num_ciphers, \
2426	ssl3_get_cipher, \
2427	dtls1_default_timeout, \
2428	&enc_data, \
2429	ssl_undefined_void_function, \
2430	ssl3_callback_ctrl, \
2431	ssl3_ctx_callback_ctrl, \
2432	}; \
2433	return &func_name##_data; \
2434	}
2435
2436	struct openssl_ssl_test_functions {
2437	int (p_ssl_init_wbio_buffer) (SSL_CONNECTION s);
2438	};
2439
2440	const char *ssl_protocol_to_string(int version);
2441
2442	static ossl_inline int tls12_rpk_and_privkey(const SSL_CONNECTION *sc, int idx)
2443	{
2444	/*
2445	* This is to check for special cases when using RPK with just
2446	* a private key, and NO CERTIFICATE
2447	*/
2448	return ((sc->server && sc->ext.server_cert_type == TLSEXT_cert_type_rpk)
2449	\|\| (!sc->server && sc->ext.client_cert_type == TLSEXT_cert_type_rpk))
2450	&& sc->cert->pkeys[idx].privatekey != NULL
2451	&& sc->cert->pkeys[idx].x509 == NULL;
2452	}
2453
2454	static ossl_inline int ssl_has_cert_type(const SSL_CONNECTION *sc, unsigned char ct)
2455	{
2456	unsigned char *ptr;
2457	size_t len;
2458
2459	if (sc->server) {
2460	ptr = sc->server_cert_type;
2461	len = sc->server_cert_type_len;
2462	} else {
2463	ptr = sc->client_cert_type;
2464	len = sc->client_cert_type_len;
2465	}
2466
2467	if (ptr == NULL)
2468	return 0;
2469
2470	return memchr(ptr, ct, len) != NULL;
2471	}
2472
2473	/* Returns true if certificate and private key for 'idx' are present */
2474	static ossl_inline int ssl_has_cert(const SSL_CONNECTION *s, int idx)
2475	{
2476	if (idx < 0 \|\| idx >= (int)s->ssl_pkey_num)
2477	return 0;
2478
2479	/* If RPK is enabled for this SSL... only require private key */
2480	if (ssl_has_cert_type(s, TLSEXT_cert_type_rpk))
2481	return s->cert->pkeys[idx].privatekey != NULL;
2482
2483	return s->cert->pkeys[idx].x509 != NULL
2484	&& s->cert->pkeys[idx].privatekey != NULL;
2485	}
2486
2487	static ossl_inline void tls1_get_peer_groups(SSL_CONNECTION *s,
2488	const uint16_t **pgroups,
2489	size_t *pgroupslen)
2490	{
2491	*pgroups = s->ext.peer_supportedgroups;
2492	*pgroupslen = s->ext.peer_supportedgroups_len;
2493	}
2494
2495	# ifndef OPENSSL_UNIT_TEST
2496
2497	__owur int ossl_ssl_init(SSL ssl, SSL_CTX ctx, const SSL_METHOD *method,
2498	int type);
2499	__owur SSL ossl_ssl_connection_new_int(SSL_CTX ctx, SSL *user_ssl,
2500	const SSL_METHOD *method);
2501	__owur SSL ossl_ssl_connection_new(SSL_CTX ctx);
2502	void ossl_ssl_connection_free(SSL *ssl);
2503	__owur int ossl_ssl_connection_reset(SSL *ssl);
2504
2505	__owur int ssl_read_internal(SSL s, void buf, size_t num, size_t *readbytes);
2506	__owur int ssl_write_internal(SSL s, const void buf, size_t num,
2507	uint64_t flags, size_t *written);
2508	int ssl_clear_bad_session(SSL_CONNECTION *s);
2509	__owur CERT *ssl_cert_new(size_t ssl_pkey_num);
2510	__owur CERT ssl_cert_dup(CERT cert);
2511	void ssl_cert_clear_certs(CERT *c);
2512	void ssl_cert_free(CERT *c);
2513	__owur int ssl_generate_session_id(SSL_CONNECTION s, SSL_SESSION ss);
2514	__owur int ssl_get_new_session(SSL_CONNECTION *s, int session);
2515	__owur SSL_SESSION lookup_sess_in_cache(SSL_CONNECTION s,
2516	const unsigned char *sess_id,
2517	size_t sess_id_len);
2518	__owur int ssl_get_prev_session(SSL_CONNECTION s, CLIENTHELLO_MSG hello);
2519	__owur SSL_SESSION ssl_session_dup(const SSL_SESSION src, int ticket);
2520	__owur int ssl_cipher_id_cmp(const SSL_CIPHER a, const SSL_CIPHER b);
2521	DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
2522	__owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER const ap,
2523	const SSL_CIPHER const bp);
2524	__owur STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,
2525	STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
2526	STACK_OF(SSL_CIPHER) **cipher_list,
2527	STACK_OF(SSL_CIPHER) **cipher_list_by_id,
2528	const char *rule_str,
2529	CERT *c);
2530	__owur int ssl_cache_cipherlist(SSL_CONNECTION s, PACKET cipher_suites,
2531	int sslv2format);
2532	__owur int ossl_bytes_to_cipher_list(SSL_CONNECTION s, PACKET cipher_suites,
2533	STACK_OF(SSL_CIPHER) **skp,
2534	STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
2535	int fatal);
2536	void ssl_update_cache(SSL_CONNECTION *s, int mode);
2537	__owur int ssl_cipher_get_evp_cipher(SSL_CTX ctx, const SSL_CIPHER sslc,
2538	const EVP_CIPHER **enc);
2539	__owur int ssl_cipher_get_evp_md_mac(SSL_CTX ctx, const SSL_CIPHER sslc,
2540	const EVP_MD **md,
2541	int mac_pkey_type, size_t mac_secret_size);
2542	__owur int ssl_cipher_get_evp(SSL_CTX ctxc, const SSL_SESSION s,
2543	const EVP_CIPHER enc, const EVP_MD md,
2544	int mac_pkey_type, size_t mac_secret_size,
2545	SSL_COMP **comp, int use_etm);
2546	__owur int ssl_cipher_get_overhead(const SSL_CIPHER c, size_t mac_overhead,
2547	size_t int_overhead, size_t blocksize,
2548	size_t *ext_overhead);
2549	__owur int ssl_cert_is_disabled(SSL_CTX *ctx, size_t idx);
2550	__owur const SSL_CIPHER ssl_get_cipher_by_char(SSL_CONNECTION ssl,
2551	const unsigned char *ptr,
2552	int all);
2553	__owur int ssl_cert_set0_chain(SSL_CONNECTION s, SSL_CTX ctx,
2554	STACK_OF(X509) *chain);
2555	__owur int ssl_cert_set1_chain(SSL_CONNECTION s, SSL_CTX ctx,
2556	STACK_OF(X509) *chain);
2557	__owur int ssl_cert_add0_chain_cert(SSL_CONNECTION s, SSL_CTX ctx, X509 *x);
2558	__owur int ssl_cert_add1_chain_cert(SSL_CONNECTION s, SSL_CTX ctx, X509 *x);
2559	__owur int ssl_cert_select_current(CERT c, X509 x);
2560	__owur int ssl_cert_set_current(CERT *c, long arg);
2561	void ssl_cert_set_cert_cb(CERT c, int (cb) (SSL ssl, void arg), void *arg);
2562
2563	__owur int ssl_verify_cert_chain(SSL_CONNECTION s, STACK_OF(X509) sk);
2564	__owur int ssl_verify_rpk(SSL_CONNECTION s, EVP_PKEY rpk);
2565	__owur int ssl_build_cert_chain(SSL_CONNECTION s, SSL_CTX ctx, int flags);
2566	__owur int ssl_cert_set_cert_store(CERT c, X509_STORE store, int chain,
2567	int ref);
2568	__owur int ssl_cert_get_cert_store(CERT c, X509_STORE *pstore, int chain);
2569
2570	__owur int ssl_security(const SSL_CONNECTION *s, int op, int bits, int nid,
2571	void *other);
2572	__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
2573	void *other);
2574	int ssl_get_security_level_bits(const SSL s, const SSL_CTX ctx, int *levelp);
2575
2576	__owur int ssl_cert_lookup_by_nid(int nid, size_t pidx, SSL_CTX ctx);
2577	__owur const SSL_CERT_LOOKUP ssl_cert_lookup_by_pkey(const EVP_PKEY pk,
2578	size_t *pidx,
2579	SSL_CTX *ctx);
2580	__owur const SSL_CERT_LOOKUP ssl_cert_lookup_by_idx(size_t idx, SSL_CTX ctx);
2581
2582	int ssl_undefined_function(SSL *s);
2583	__owur int ssl_undefined_void_function(void);
2584	__owur int ssl_undefined_const_function(const SSL *s);
2585	__owur int ssl_get_server_cert_serverinfo(SSL_CONNECTION *s,
2586	const unsigned char **serverinfo,
2587	size_t *serverinfo_length);
2588	void ssl_set_masks(SSL_CONNECTION *s);
2589	__owur STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL_CONNECTION sc);
2590	__owur int ssl_x509err2alert(int type);
2591	void ssl_sort_cipher_list(void);
2592	int ssl_load_ciphers(SSL_CTX *ctx);
2593	__owur int ssl_setup_sigalgs(SSL_CTX *ctx);
2594	int ssl_load_groups(SSL_CTX *ctx);
2595	int ssl_load_sigalgs(SSL_CTX *ctx);
2596	__owur int ssl_fill_hello_random(SSL_CONNECTION *s, int server,
2597	unsigned char *field, size_t len,
2598	DOWNGRADE dgrd);
2599	__owur int ssl_generate_master_secret(SSL_CONNECTION s, unsigned char pms,
2600	size_t pmslen, int free_pms);
2601	__owur EVP_PKEY ssl_generate_pkey(SSL_CONNECTION s, EVP_PKEY *pm);
2602	__owur int ssl_gensecret(SSL_CONNECTION s, unsigned char pms, size_t pmslen);
2603	__owur int ssl_derive(SSL_CONNECTION s, EVP_PKEY privkey, EVP_PKEY *pubkey,
2604	int genmaster);
2605	__owur int ssl_decapsulate(SSL_CONNECTION s, EVP_PKEY privkey,
2606	const unsigned char *ct, size_t ctlen,
2607	int gensecret);
2608	__owur int ssl_encapsulate(SSL_CONNECTION s, EVP_PKEY pubkey,
2609	unsigned char *ctp, size_t ctlenp,
2610	int gensecret);
2611	__owur EVP_PKEY ssl_dh_to_pkey(DH dh);
2612	__owur int ssl_set_tmp_ecdh_groups(uint16_t *pext, size_t pextlen,
2613	void *key);
2614	__owur unsigned int ssl_get_max_send_fragment(const SSL_CONNECTION *sc);
2615	__owur unsigned int ssl_get_split_send_fragment(const SSL_CONNECTION *sc);
2616
2617	__owur const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id);
2618	__owur const SSL_CIPHER ssl3_get_cipher_by_std_name(const char stdname);
2619	__owur const SSL_CIPHER ssl3_get_cipher_by_char(const unsigned char p);
2620	__owur int ssl3_put_cipher_by_char(const SSL_CIPHER c, WPACKET pkt,
2621	size_t *len);
2622	int ssl3_init_finished_mac(SSL_CONNECTION *s);
2623	__owur int ssl3_setup_key_block(SSL_CONNECTION *s);
2624	__owur int ssl3_change_cipher_state(SSL_CONNECTION *s, int which);
2625	void ssl3_cleanup_key_block(SSL_CONNECTION *s);
2626	__owur int ssl3_do_write(SSL_CONNECTION *s, uint8_t type);
2627	int ssl3_send_alert(SSL_CONNECTION *s, int level, int desc);
2628	__owur int ssl3_generate_master_secret(SSL_CONNECTION s, unsigned char out,
2629	unsigned char *p, size_t len,
2630	size_t *secret_size);
2631	__owur int ssl3_get_req_cert_type(SSL_CONNECTION s, WPACKET pkt);
2632	__owur int ssl3_num_ciphers(void);
2633	__owur const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
2634	int ssl3_renegotiate(SSL *ssl);
2635	int ssl3_renegotiate_check(SSL *ssl, int initok);
2636	void ssl3_digest_master_key_set_params(const SSL_SESSION *session,
2637	OSSL_PARAM params[]);
2638	__owur int ssl3_dispatch_alert(SSL *s);
2639	__owur size_t ssl3_final_finish_mac(SSL_CONNECTION s, const char sender,
2640	size_t slen, unsigned char *p);
2641	__owur int ssl3_finish_mac(SSL_CONNECTION s, const unsigned char buf,
2642	size_t len);
2643	void ssl3_free_digest_list(SSL_CONNECTION *s);
2644	__owur unsigned long ssl3_output_cert_chain(SSL_CONNECTION s, WPACKET pkt,
2645	CERT_PKEY *cpk, int for_comp);
2646	__owur const SSL_CIPHER ssl3_choose_cipher(SSL_CONNECTION s,
2647	STACK_OF(SSL_CIPHER) *clnt,
2648	STACK_OF(SSL_CIPHER) *srvr);
2649	__owur int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep);
2650	__owur int ssl3_new(SSL *s);
2651	void ssl3_free(SSL *s);
2652	__owur int ssl3_read(SSL s, void buf, size_t len, size_t *readbytes);
2653	__owur int ssl3_peek(SSL s, void buf, size_t len, size_t *readbytes);
2654	__owur int ssl3_write(SSL s, const void buf, size_t len, size_t *written);
2655	__owur int ssl3_shutdown(SSL *s);
2656	int ssl3_clear(SSL *s);
2657	__owur long ssl3_ctrl(SSL s, int cmd, long larg, void parg);
2658	__owur long ssl3_ctx_ctrl(SSL_CTX s, int cmd, long larg, void parg);
2659	__owur long ssl3_callback_ctrl(SSL s, int cmd, void (fp) (void));
2660	__owur long ssl3_ctx_callback_ctrl(SSL_CTX s, int cmd, void (fp) (void));
2661
2662	__owur int ssl3_do_change_cipher_spec(SSL_CONNECTION *s);
2663	__owur OSSL_TIME ssl3_default_timeout(void);
2664
2665	__owur int ssl3_set_handshake_header(SSL_CONNECTION s, WPACKET pkt,
2666	int htype);
2667	__owur int tls_close_construct_packet(SSL_CONNECTION s, WPACKET pkt, int htype);
2668	__owur int tls_setup_handshake(SSL_CONNECTION *s);
2669	__owur int dtls1_set_handshake_header(SSL_CONNECTION s, WPACKET pkt, int htype);
2670	__owur int dtls1_close_construct_packet(SSL_CONNECTION s, WPACKET pkt, int htype);
2671	__owur int ssl3_handshake_write(SSL_CONNECTION *s);
2672
2673	__owur int ssl_allow_compression(SSL_CONNECTION *s);
2674
2675	__owur int ssl_version_cmp(const SSL_CONNECTION *s, int versiona, int versionb);
2676	__owur int ssl_version_supported(const SSL_CONNECTION *s, int version,
2677	const SSL_METHOD **meth);
2678
2679	__owur int ssl_set_client_hello_version(SSL_CONNECTION *s);
2680	__owur int ssl_check_version_downgrade(SSL_CONNECTION *s);
2681	__owur int ssl_set_version_bound(int method_version, int version, int *bound);
2682	__owur int ssl_choose_server_version(SSL_CONNECTION s, CLIENTHELLO_MSG hello,
2683	DOWNGRADE *dgrd);
2684	__owur int ssl_choose_client_version(SSL_CONNECTION *s, int version,
2685	RAW_EXTENSION *extensions);
2686	__owur int ssl_get_min_max_version(const SSL_CONNECTION s, int min_version,
2687	int max_version, int real_max);
2688
2689	__owur OSSL_TIME tls1_default_timeout(void);
2690	__owur int dtls1_do_write(SSL_CONNECTION *s, uint8_t type);
2691	void dtls1_set_message_header(SSL_CONNECTION *s,
2692	unsigned char mt,
2693	size_t len,
2694	size_t frag_off, size_t frag_len);
2695
2696	int dtls1_write_app_data_bytes(SSL s, uint8_t type, const void buf_,
2697	size_t len, size_t *written);
2698
2699	__owur int dtls1_read_failed(SSL_CONNECTION *s, int code);
2700	__owur int dtls1_buffer_message(SSL_CONNECTION *s, int ccs);
2701	__owur int dtls1_retransmit_message(SSL_CONNECTION *s, unsigned short seq,
2702	int *found);
2703	__owur int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
2704	int dtls1_retransmit_buffered_messages(SSL_CONNECTION *s);
2705	void dtls1_clear_received_buffer(SSL_CONNECTION *s);
2706	void dtls1_clear_sent_buffer(SSL_CONNECTION *s);
2707	void dtls1_get_message_header(const unsigned char *data,
2708	struct hm_header_st *msg_hdr);
2709	__owur OSSL_TIME dtls1_default_timeout(void);
2710	__owur int dtls1_get_timeout(const SSL_CONNECTION s, OSSL_TIME timeleft);
2711	__owur int dtls1_check_timeout_num(SSL_CONNECTION *s);
2712	__owur int dtls1_handle_timeout(SSL_CONNECTION *s);
2713	void dtls1_start_timer(SSL_CONNECTION *s);
2714	void dtls1_stop_timer(SSL_CONNECTION *s);
2715	__owur int dtls1_is_timer_expired(SSL_CONNECTION *s);
2716	__owur int dtls_raw_hello_verify_request(WPACKET pkt, unsigned char cookie,
2717	size_t cookie_len);
2718	__owur size_t dtls1_min_mtu(SSL_CONNECTION *s);
2719	void dtls1_hm_fragment_free(hm_fragment *frag);
2720	__owur int dtls1_query_mtu(SSL_CONNECTION *s);
2721
2722	__owur int tls1_new(SSL *s);
2723	void tls1_free(SSL *s);
2724	int tls1_clear(SSL *s);
2725
2726	__owur int dtls1_new(SSL *s);
2727	void dtls1_free(SSL *s);
2728	int dtls1_clear(SSL *s);
2729	long dtls1_ctrl(SSL s, int cmd, long larg, void parg);
2730	__owur int dtls1_shutdown(SSL *s);
2731
2732	__owur int dtls1_dispatch_alert(SSL *s);
2733
2734	__owur int ssl_init_wbio_buffer(SSL_CONNECTION *s);
2735	int ssl_free_wbio_buffer(SSL_CONNECTION *s);
2736
2737	__owur int tls1_change_cipher_state(SSL_CONNECTION *s, int which);
2738	__owur int tls1_setup_key_block(SSL_CONNECTION *s);
2739	__owur size_t tls1_final_finish_mac(SSL_CONNECTION s, const char str,
2740	size_t slen, unsigned char *p);
2741	__owur int tls1_generate_master_secret(SSL_CONNECTION s, unsigned char out,
2742	unsigned char *p, size_t len,
2743	size_t *secret_size);
2744	__owur int tls13_setup_key_block(SSL_CONNECTION *s);
2745	__owur size_t tls13_final_finish_mac(SSL_CONNECTION s, const char str, size_t slen,
2746	unsigned char *p);
2747	__owur int tls13_change_cipher_state(SSL_CONNECTION *s, int which);
2748	__owur int tls13_update_key(SSL_CONNECTION *s, int send);
2749	__owur int tls13_hkdf_expand(SSL_CONNECTION *s,
2750	const EVP_MD *md,
2751	const unsigned char *secret,
2752	const unsigned char *label, size_t labellen,
2753	const unsigned char *data, size_t datalen,
2754	unsigned char *out, size_t outlen, int fatal);
2755	__owur int tls13_hkdf_expand_ex(OSSL_LIB_CTX libctx, const char propq,
2756	const EVP_MD *md,
2757	const unsigned char *secret,
2758	const unsigned char *label, size_t labellen,
2759	const unsigned char *data, size_t datalen,
2760	unsigned char *out, size_t outlen,
2761	int raise_error);
2762	__owur int tls13_derive_key(SSL_CONNECTION s, const EVP_MD md,
2763	const unsigned char secret, unsigned char key,
2764	size_t keylen);
2765	__owur int tls13_derive_iv(SSL_CONNECTION s, const EVP_MD md,
2766	const unsigned char secret, unsigned char iv,
2767	size_t ivlen);
2768	__owur int tls13_derive_finishedkey(SSL_CONNECTION s, const EVP_MD md,
2769	const unsigned char *secret,
2770	unsigned char *fin, size_t finlen);
2771	int tls13_generate_secret(SSL_CONNECTION s, const EVP_MD md,
2772	const unsigned char *prevsecret,
2773	const unsigned char *insecret,
2774	size_t insecretlen,
2775	unsigned char *outsecret);
2776	__owur int tls13_generate_handshake_secret(SSL_CONNECTION *s,
2777	const unsigned char *insecret,
2778	size_t insecretlen);
2779	__owur int tls13_generate_master_secret(SSL_CONNECTION s, unsigned char out,
2780	unsigned char *prev, size_t prevlen,
2781	size_t *secret_size);
2782	__owur int tls1_export_keying_material(SSL_CONNECTION *s,
2783	unsigned char *out, size_t olen,
2784	const char *label, size_t llen,
2785	const unsigned char *p, size_t plen,
2786	int use_context);
2787	__owur int tls13_export_keying_material(SSL_CONNECTION *s,
2788	unsigned char *out, size_t olen,
2789	const char *label, size_t llen,
2790	const unsigned char *context,
2791	size_t contextlen, int use_context);
2792	__owur int tls13_export_keying_material_early(SSL_CONNECTION *s,
2793	unsigned char *out, size_t olen,
2794	const char *label, size_t llen,
2795	const unsigned char *context,
2796	size_t contextlen);
2797	__owur int tls1_alert_code(int code);
2798	__owur int tls13_alert_code(int code);
2799	__owur int ssl3_alert_code(int code);
2800
2801	__owur int ssl_check_srvr_ecc_cert_and_alg(X509 x, SSL_CONNECTION s);
2802
2803	SSL_COMP ssl3_comp_find(STACK_OF(SSL_COMP) sk, int n);
2804
2805	__owur const TLS_GROUP_INFO tls1_group_id_lookup(SSL_CTX ctx, uint16_t curve_id);
2806	__owur const char tls1_group_id2name(SSL_CTX ctx, uint16_t group_id);
2807	__owur int tls1_group_id2nid(uint16_t group_id, int include_unknown);
2808	__owur uint16_t tls1_nid2group_id(int nid);
2809	__owur int tls1_check_group_id(SSL_CONNECTION *s, uint16_t group_id,
2810	int check_own_curves);
2811	__owur uint16_t tls1_shared_group(SSL_CONNECTION *s, int nmatch);
2812	__owur int tls1_set_groups(uint16_t *pext, size_t pextlen,
2813	int *curves, size_t ncurves);
2814	__owur int tls1_set_groups_list(SSL_CTX ctx, uint16_t pext, size_t pextlen,
2815	const char *str);
2816	__owur EVP_PKEY ssl_generate_pkey_group(SSL_CONNECTION s, uint16_t id);
2817	__owur int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id, int minversion,
2818	int maxversion, int isec, int *okfortls13);
2819	__owur EVP_PKEY ssl_generate_param_group(SSL_CONNECTION s, uint16_t id);
2820	void tls1_get_formatlist(SSL_CONNECTION s, const unsigned char *pformats,
2821	size_t *num_formats);
2822	__owur int tls1_check_ec_tmp_key(SSL_CONNECTION *s, unsigned long id);
2823
2824	__owur int tls_group_allowed(SSL_CONNECTION *s, uint16_t curve, int op);
2825	void tls1_get_supported_groups(SSL_CONNECTION s, const uint16_t *pgroups,
2826	size_t *pgroupslen);
2827
2828	__owur int tls1_set_server_sigalgs(SSL_CONNECTION *s);
2829
2830	__owur SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s,
2831	CLIENTHELLO_MSG *hello,
2832	SSL_SESSION **ret);
2833	__owur SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
2834	const unsigned char *etick,
2835	size_t eticklen,
2836	const unsigned char *sess_id,
2837	size_t sesslen, SSL_SESSION **psess);
2838
2839	__owur int tls_use_ticket(SSL_CONNECTION *s);
2840
2841	void ssl_set_sig_mask(uint32_t pmask_a, SSL_CONNECTION s, int op);
2842
2843	__owur int tls1_set_sigalgs_list(SSL_CTX ctx, CERT c, const char *str, int client);
2844	__owur int tls1_set_raw_sigalgs(CERT c, const uint16_t psigs, size_t salglen,
2845	int client);
2846	__owur int tls1_set_sigalgs(CERT c, const int salg, size_t salglen,
2847	int client);
2848	int tls1_check_chain(SSL_CONNECTION s, X509 x, EVP_PKEY *pk,
2849	STACK_OF(X509) *chain, int idx);
2850	void tls1_set_cert_validity(SSL_CONNECTION *s);
2851
2852	# ifndef OPENSSL_NO_CT
2853	__owur int ssl_validate_ct(SSL_CONNECTION *s);
2854	# endif
2855
2856	__owur EVP_PKEY ssl_get_auto_dh(SSL_CONNECTION s);
2857
2858	__owur int ssl_security_cert(SSL_CONNECTION s, SSL_CTX ctx, X509 *x, int vfy,
2859	int is_ee);
2860	__owur int ssl_security_cert_chain(SSL_CONNECTION s, STACK_OF(X509) sk,
2861	X509 *ex, int vfy);
2862
2863	int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs);
2864
2865	__owur long ssl_get_algorithm2(SSL_CONNECTION *s);
2866	__owur int tls12_copy_sigalgs(SSL_CONNECTION s, WPACKET pkt,
2867	const uint16_t *psig, size_t psiglen);
2868	__owur int tls1_save_u16(PACKET pkt, uint16_t pdest, size_t pdestlen);
2869	__owur int tls1_save_sigalgs(SSL_CONNECTION s, PACKET pkt, int cert);
2870	__owur int tls1_process_sigalgs(SSL_CONNECTION *s);
2871	__owur int tls1_set_peer_legacy_sigalg(SSL_CONNECTION s, const EVP_PKEY pkey);
2872	__owur int tls1_lookup_md(SSL_CTX ctx, const SIGALG_LOOKUP lu,
2873	const EVP_MD **pmd);
2874	__owur size_t tls12_get_psigalgs(SSL_CONNECTION *s, int sent,
2875	const uint16_t **psigs);
2876	__owur int tls_check_sigalg_curve(const SSL_CONNECTION *s, int curve);
2877	__owur int tls12_check_peer_sigalg(SSL_CONNECTION s, uint16_t, EVP_PKEY pkey);
2878	__owur int ssl_set_client_disabled(SSL_CONNECTION *s);
2879	__owur int ssl_cipher_disabled(const SSL_CONNECTION s, const SSL_CIPHER c,
2880	int op, int echde);
2881
2882	__owur int ssl_handshake_hash(SSL_CONNECTION *s,
2883	unsigned char *out, size_t outlen,
2884	size_t *hashlen);
2885	__owur const EVP_MD ssl_md(SSL_CTX ctx, int idx);
2886	int ssl_get_md_idx(int md_nid);
2887	__owur const EVP_MD ssl_handshake_md(SSL_CONNECTION s);
2888	__owur const EVP_MD ssl_prf_md(SSL_CONNECTION s);
2889
2890	/*
2891	* ssl_log_rsa_client_key_exchange logs \|premaster\| to the SSL_CTX associated
2892	* with \|ssl\|, if logging is enabled. It returns one on success and zero on
2893	* failure. The entry is identified by the first 8 bytes of
2894	* \|encrypted_premaster\|.
2895	*/
2896	__owur int ssl_log_rsa_client_key_exchange(SSL_CONNECTION *s,
2897	const uint8_t *encrypted_premaster,
2898	size_t encrypted_premaster_len,
2899	const uint8_t *premaster,
2900	size_t premaster_len);
2901
2902	/*
2903	* ssl_log_secret logs \|secret\| to the SSL_CTX associated with \|ssl\|, if
2904	* logging is available. It returns one on success and zero on failure. It tags
2905	* the entry with \|label\|.
2906	*/
2907	__owur int ssl_log_secret(SSL_CONNECTION s, const char label,
2908	const uint8_t *secret, size_t secret_len);
2909
2910	#define MASTER_SECRET_LABEL "CLIENT_RANDOM"
2911	#define CLIENT_EARLY_LABEL "CLIENT_EARLY_TRAFFIC_SECRET"
2912	#define CLIENT_HANDSHAKE_LABEL "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
2913	#define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET"
2914	#define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0"
2915	#define CLIENT_APPLICATION_N_LABEL "CLIENT_TRAFFIC_SECRET_N"
2916	#define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0"
2917	#define SERVER_APPLICATION_N_LABEL "SERVER_TRAFFIC_SECRET_N"
2918	#define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET"
2919	#define EXPORTER_SECRET_LABEL "EXPORTER_SECRET"
2920
2921	__owur int srp_generate_server_master_secret(SSL_CONNECTION *s);
2922	__owur int srp_generate_client_master_secret(SSL_CONNECTION *s);
2923	__owur int srp_verify_server_param(SSL_CONNECTION *s);
2924
2925	/* statem/statem_srvr.c */
2926
2927	__owur int send_certificate_request(SSL_CONNECTION *s);
2928
2929	/* statem/extensions_cust.c */
2930
2931	custom_ext_method custom_ext_find(const custom_ext_methods exts,
2932	ENDPOINT role, unsigned int ext_type,
2933	size_t *idx);
2934
2935	void custom_ext_init(custom_ext_methods *meths);
2936
2937	int ossl_tls_add_custom_ext_intern(SSL_CTX ctx, custom_ext_methods exts,
2938	ENDPOINT role, unsigned int ext_type,
2939	unsigned int context,
2940	SSL_custom_ext_add_cb_ex add_cb,
2941	SSL_custom_ext_free_cb_ex free_cb,
2942	void *add_arg,
2943	SSL_custom_ext_parse_cb_ex parse_cb,
2944	void *parse_arg);
2945	__owur int custom_ext_parse(SSL_CONNECTION *s, unsigned int context,
2946	unsigned int ext_type,
2947	const unsigned char *ext_data, size_t ext_size,
2948	X509 *x, size_t chainidx);
2949	__owur int custom_ext_add(SSL_CONNECTION s, int context, WPACKET pkt, X509 *x,
2950	size_t chainidx, int maxversion);
2951
2952	__owur int custom_exts_copy(custom_ext_methods *dst,
2953	const custom_ext_methods *src);
2954	__owur int custom_exts_copy_flags(custom_ext_methods *dst,
2955	const custom_ext_methods *src);
2956	void custom_exts_free(custom_ext_methods *exts);
2957
2958	void ssl_comp_free_compression_methods_int(void);
2959
2960	/* ssl_mcnf.c */
2961	int ssl_ctx_system_config(SSL_CTX *ctx);
2962
2963	const EVP_CIPHER ssl_evp_cipher_fetch(OSSL_LIB_CTX libctx,
2964	int nid,
2965	const char *properties);
2966	int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher);
2967	void ssl_evp_cipher_free(const EVP_CIPHER *cipher);
2968	const EVP_MD ssl_evp_md_fetch(OSSL_LIB_CTX libctx,
2969	int nid,
2970	const char *properties);
2971	int ssl_evp_md_up_ref(const EVP_MD *md);
2972	void ssl_evp_md_free(const EVP_MD *md);
2973
2974	void tls_engine_finish(ENGINE *e);
2975	const EVP_CIPHER *tls_get_cipher_from_engine(int nid);
2976	const EVP_MD *tls_get_digest_from_engine(int nid);
2977	int tls_engine_load_ssl_client_cert(SSL_CONNECTION s, X509 *px509,
2978	EVP_PKEY **ppkey);
2979	int ssl_hmac_old_new(SSL_HMAC *ret);
2980	void ssl_hmac_old_free(SSL_HMAC *ctx);
2981	int ssl_hmac_old_init(SSL_HMAC ctx, void key, size_t len, char *md);
2982	int ssl_hmac_old_update(SSL_HMAC ctx, const unsigned char data, size_t len);
2983	int ssl_hmac_old_final(SSL_HMAC ctx, unsigned char md, size_t *len);
2984	size_t ssl_hmac_old_size(const SSL_HMAC *ctx);
2985
2986	int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx);
2987	int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx);
2988	int ssl_srp_ctx_free_intern(SSL_CONNECTION *s);
2989	int ssl_srp_ctx_init_intern(SSL_CONNECTION *s);
2990
2991	int ssl_srp_calc_a_param_intern(SSL_CONNECTION *s);
2992	int ssl_srp_server_param_with_username_intern(SSL_CONNECTION s, int ad);
2993
2994	void ssl_session_calculate_timeout(SSL_SESSION *ss);
2995
2996	# else /* OPENSSL_UNIT_TEST */
2997
2998	# define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
2999
3000	# endif
3001
3002	/* Some helper routines to support TSAN operations safely */
3003	static ossl_unused ossl_inline int ssl_tsan_lock(const SSL_CTX *ctx)
3004	{
3005	#ifdef TSAN_REQUIRES_LOCKING
3006	if (!CRYPTO_THREAD_write_lock(ctx->tsan_lock))
3007	return 0;
3008	#endif
3009	return 1;
3010	}
3011
3012	static ossl_unused ossl_inline void ssl_tsan_unlock(const SSL_CTX *ctx)
3013	{
3014	#ifdef TSAN_REQUIRES_LOCKING
3015	CRYPTO_THREAD_unlock(ctx->tsan_lock);
3016	#endif
3017	}
3018
3019	static ossl_unused ossl_inline void ssl_tsan_counter(const SSL_CTX *ctx,
3020	TSAN_QUALIFIER int *stat)
3021	{
3022	if (ssl_tsan_lock(ctx)) {
3023	tsan_counter(stat);
3024	ssl_tsan_unlock(ctx);
3025	}
3026	}
3027
3028	int ossl_comp_has_alg(int a);
3029	size_t ossl_calculate_comp_expansion(int alg, size_t length);
3030
3031	void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s,
3032	const OSSL_RECORD_METHOD *meth,
3033	void *rlarg);
3034
3035	long ossl_ctrl_internal(SSL s, int cmd, long larg, void parg, int no_quic);
3036
3037	/*
3038	* Options which no longer have any effect, but which can be implemented
3039	* as no-ops for QUIC.
3040	*/
3041	#define OSSL_LEGACY_SSL_OPTIONS \
3042	(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG \| \
3043	SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER \| \
3044	SSL_OP_SSLEAY_080_CLIENT_DH_BUG \| \
3045	SSL_OP_TLS_D5_BUG \| \
3046	SSL_OP_TLS_BLOCK_PADDING_BUG \| \
3047	SSL_OP_MSIE_SSLV2_RSA_PADDING \| \
3048	SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG \| \
3049	SSL_OP_MICROSOFT_SESS_ID_BUG \| \
3050	SSL_OP_NETSCAPE_CHALLENGE_BUG \| \
3051	SSL_OP_PKCS1_CHECK_1 \| \
3052	SSL_OP_PKCS1_CHECK_2 \| \
3053	SSL_OP_SINGLE_DH_USE \| \
3054	SSL_OP_SINGLE_ECDH_USE \| \
3055	SSL_OP_EPHEMERAL_RSA )
3056
3057	/* This option is undefined in public headers with no-dtls1-method. */
3058	#ifndef SSL_OP_CISCO_ANYCONNECT
3059	# define SSL_OP_CISCO_ANYCONNECT 0
3060	#endif
3061	/*
3062	* Options which are no-ops under QUIC or TLSv1.3 and which are therefore
3063	* allowed but ignored under QUIC.
3064	*/
3065	#define OSSL_TLS1_2_OPTIONS \
3066	(SSL_OP_CRYPTOPRO_TLSEXT_BUG \| \
3067	SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS \| \
3068	SSL_OP_ALLOW_CLIENT_RENEGOTIATION \| \
3069	SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION \| \
3070	SSL_OP_NO_COMPRESSION \| \
3071	SSL_OP_NO_SSLv3 \| \
3072	SSL_OP_NO_TLSv1 \| \
3073	SSL_OP_NO_TLSv1_1 \| \
3074	SSL_OP_NO_TLSv1_2 \| \
3075	SSL_OP_NO_DTLSv1 \| \
3076	SSL_OP_NO_DTLSv1_2 \| \
3077	SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION \| \
3078	SSL_OP_CISCO_ANYCONNECT \| \
3079	SSL_OP_NO_RENEGOTIATION \| \
3080	SSL_OP_NO_EXTENDED_MASTER_SECRET \| \
3081	SSL_OP_NO_ENCRYPT_THEN_MAC \| \
3082	SSL_OP_COOKIE_EXCHANGE \| \
3083	SSL_OP_LEGACY_SERVER_CONNECT \| \
3084	SSL_OP_IGNORE_UNEXPECTED_EOF )
3085
3086	/* Total mask of connection-level options permitted or ignored under QUIC. */
3087	#define OSSL_QUIC_PERMITTED_OPTIONS_CONN \
3088	(OSSL_LEGACY_SSL_OPTIONS \| \
3089	OSSL_TLS1_2_OPTIONS \| \
3090	SSL_OP_CIPHER_SERVER_PREFERENCE \| \
3091	SSL_OP_DISABLE_TLSEXT_CA_NAMES \| \
3092	SSL_OP_NO_TX_CERTIFICATE_COMPRESSION \| \
3093	SSL_OP_NO_RX_CERTIFICATE_COMPRESSION \| \
3094	SSL_OP_PRIORITIZE_CHACHA \| \
3095	SSL_OP_NO_QUERY_MTU \| \
3096	SSL_OP_NO_TICKET \| \
3097	SSL_OP_NO_ANTI_REPLAY )
3098
3099	/* Total mask of stream-level options permitted or ignored under QUIC. */
3100	#define OSSL_QUIC_PERMITTED_OPTIONS_STREAM \
3101	(OSSL_LEGACY_SSL_OPTIONS \| \
3102	OSSL_TLS1_2_OPTIONS \| \
3103	SSL_OP_CLEANSE_PLAINTEXT )
3104
3105	/* Total mask of options permitted on either connections or streams. */
3106	#define OSSL_QUIC_PERMITTED_OPTIONS \
3107	(OSSL_QUIC_PERMITTED_OPTIONS_CONN \| \
3108	OSSL_QUIC_PERMITTED_OPTIONS_STREAM)
3109
3110	#endif

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.4.1/ssl/ssl_local.h@ 109302

Download in other formats: