Newer
Older
void SSL_trace(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg);
__owur const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
int DTLSv1_listen(SSL *s, BIO_ADDR *client);
/*
* A callback for verifying that the received SCTs are sufficient.
* Expected to return 1 if they are sufficient, otherwise 0.
* May return a negative integer if an error occurs.
* A connection should be aborted if the SCTs are deemed insufficient.
*/
typedef int(*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx,
const STACK_OF(SCT) *scts, void *arg);
/*
* Sets a |callback| that is invoked upon receipt of ServerHelloDone to validate
* the received SCTs.
* If the callback returns a non-positive result, the connection is terminated.
* Call this function before beginning a handshake.
* If a NULL |callback| is provided, SCT validation is disabled.
* |arg| is arbitrary userdata that will be passed to the callback whenever it
* is invoked. Ownership of |arg| remains with the caller.
*
* NOTE: A side-effect of setting a CT callback is that an OCSP stapled response
* will be requested.
*/
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
void *arg);
int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
ssl_ct_validation_cb callback,
void *arg);
#define SSL_disable_ct(s) \
((void) SSL_set_validation_callback((s), NULL, NULL))
#define SSL_CTX_disable_ct(ctx) \
((void) SSL_CTX_set_validation_callback((ctx), NULL, NULL))
/*
* The validation type enumerates the available behaviours of the built-in SSL
* CT validation callback selected via SSL_enable_ct() and SSL_CTX_enable_ct().
* The underlying callback is a static function in libssl.
*/
enum {
SSL_CT_VALIDATION_PERMISSIVE = 0,
SSL_CT_VALIDATION_STRICT
};
/*
* Enable CT by setting up a callback that implements one of the built-in
* validation variants. The SSL_CT_VALIDATION_PERMISSIVE variant always
* continues the handshake, the application can make appropriate decisions at
* handshake completion. The SSL_CT_VALIDATION_STRICT variant requires at
* least one valid SCT, or else handshake termination will be requested. The
* handshake may continue anyway if SSL_VERIFY_NONE is in effect.
*/
int SSL_enable_ct(SSL *s, int validation_mode);
int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode);
* Report whether a non-NULL callback is enabled.
int SSL_ct_is_enabled(const SSL *s);
int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx);
/* Gets the SCTs received from a connection */
const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);
/*
* Loads the CT log list from the default location.
* If a CTLOG_STORE has previously been set using SSL_CTX_set_ctlog_store,
* the log information loaded from this file will be appended to the
* CTLOG_STORE.
* Returns 1 on success, 0 otherwise.
*/
int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx);
/*
* Loads the CT log list from the specified file path.
* If a CTLOG_STORE has previously been set using SSL_CTX_set_ctlog_store,
* the log information loaded from this file will be appended to the
* CTLOG_STORE.
* Returns 1 on success, 0 otherwise.
*/
int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
/*
* Sets the CT log list used by all SSL connections created from this SSL_CTX.
* Ownership of the CTLOG_STORE is transferred to the SSL_CTX.
*/
void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs);
/*
* Gets the CT log list used by all SSL connections created from this SSL_CTX.
* This will be NULL unless one of the following functions has been called:
* - SSL_CTX_set_default_ctlog_list_file
* - SSL_CTX_set_ctlog_list_file
* - SSL_CTX_set_ctlog_store
*/
const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx);
/* What the "other" parameter contains in security callback */
/* Mask for type */
# define SSL_SECOP_OTHER_TYPE 0xffff0000
# define SSL_SECOP_OTHER_NONE 0
# define SSL_SECOP_OTHER_CIPHER (1 << 16)
# define SSL_SECOP_OTHER_CURVE (2 << 16)
# define SSL_SECOP_OTHER_DH (3 << 16)
# define SSL_SECOP_OTHER_PKEY (4 << 16)
# define SSL_SECOP_OTHER_SIGALG (5 << 16)
# define SSL_SECOP_OTHER_CERT (6 << 16)
/* Indicated operation refers to peer key or certificate */
/* Values for "op" parameter in security callback */
/* Called to filter ciphers */
/* Ciphers client supports */
# define SSL_SECOP_CIPHER_SUPPORTED (1 | SSL_SECOP_OTHER_CIPHER)
# define SSL_SECOP_CIPHER_SHARED (2 | SSL_SECOP_OTHER_CIPHER)
# define SSL_SECOP_CIPHER_CHECK (3 | SSL_SECOP_OTHER_CIPHER)
# define SSL_SECOP_CURVE_SUPPORTED (4 | SSL_SECOP_OTHER_CURVE)
# define SSL_SECOP_CURVE_SHARED (5 | SSL_SECOP_OTHER_CURVE)
# define SSL_SECOP_CURVE_CHECK (6 | SSL_SECOP_OTHER_CURVE)
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY)
# define SSL_SECOP_VERSION (9 | SSL_SECOP_OTHER_NONE)
# define SSL_SECOP_TICKET (10 | SSL_SECOP_OTHER_NONE)
/* Supported signature algorithms sent to peer */
# define SSL_SECOP_SIGALG_SUPPORTED (11 | SSL_SECOP_OTHER_SIGALG)
# define SSL_SECOP_SIGALG_SHARED (12 | SSL_SECOP_OTHER_SIGALG)
/* Sanity check signature algorithm allowed */
# define SSL_SECOP_SIGALG_CHECK (13 | SSL_SECOP_OTHER_SIGALG)
/* Used to get mask of supported public key signature algorithms */
# define SSL_SECOP_SIGALG_MASK (14 | SSL_SECOP_OTHER_SIGALG)
# define SSL_SECOP_COMPRESSION (15 | SSL_SECOP_OTHER_NONE)
# define SSL_SECOP_EE_KEY (16 | SSL_SECOP_OTHER_CERT)
# define SSL_SECOP_CA_KEY (17 | SSL_SECOP_OTHER_CERT)
# define SSL_SECOP_CA_MD (18 | SSL_SECOP_OTHER_CERT)
# define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY | SSL_SECOP_PEER)
# define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY | SSL_SECOP_PEER)
# define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD | SSL_SECOP_PEER)
void SSL_set_security_level(SSL *s, int level);
__owur int SSL_get_security_level(const SSL *s);
void SSL_set_security_callback(SSL *s,
int (*cb) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
void *ex));
int (*SSL_get_security_callback(const SSL *s)) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid,
void *other, void *ex);
void SSL_set0_security_ex_data(SSL *s, void *ex);
__owur void *SSL_get0_security_ex_data(const SSL *s);
void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
__owur int SSL_CTX_get_security_level(const SSL_CTX *ctx);
void SSL_CTX_set_security_callback(SSL_CTX *ctx,
int (*cb) (const SSL *s, const SSL_CTX *ctx, int op,
int bits, int nid, void *other,
void *ex));
int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
const SSL_CTX *ctx,
int op, int bits,
int nid,
void *other,
void *ex);
void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex);
__owur void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx);
/* OPENSSL_INIT flag 0x010000 reserved for internal use */
#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L
#define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L
#define OPENSSL_INIT_SSL_DEFAULT \
(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
__owur const struct openssl_ssl_test_functions *SSL_test_functions(void);
extern const char SSL_version_str[];
int ERR_load_SSL_strings(void);
Dr. Stephen Henson
committed
