1/* -*- c -*-
2 * Copyright (C) 2000-2016 Free Software Foundation, Inc.
3 * Copyright (C) 2015-2017 Red Hat, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program.  If not, see <https://www.gnu.org/licenses/>
21 *
22 */
23
24/* This file contains the types and prototypes for all the
25 * high level functionality of the gnutls main library.
26 *
27 * If the optional C++ binding was built, it is available in
28 * gnutls/gnutlsxx.h.
29 *
30 * The openssl compatibility layer (which is under the GNU GPL
31 * license) is in gnutls/openssl.h.
32 *
33 * The low level cipher functionality is in gnutls/crypto.h.
34 */
35
36
37#ifndef GNUTLS_H
38#define GNUTLS_H
39
40/* Get ssize_t. */
41#include <sys/types.h>
42
43/* Get size_t. */
44#include <stddef.h>
45
46/* Get time_t. */
47#include <time.h>
48
49/* *INDENT-OFF* */
50#ifdef __cplusplus
51extern "C" {
52#endif
53/* *INDENT-ON* */
54
/* Version of the library this header was generated for. The "@...@"
 * tokens are substituted by the build system; GNUTLS_VERSION_NUMBER is
 * the single-integer form, suited to #if comparisons (its encoding is
 * set by the build system, not here). */
#define GNUTLS_VERSION "@VERSION@"

#define GNUTLS_VERSION_MAJOR @MAJOR_VERSION@
#define GNUTLS_VERSION_MINOR @MINOR_VERSION@
#define GNUTLS_VERSION_PATCH @PATCH_VERSION@

#define GNUTLS_VERSION_NUMBER @NUMBER_VERSION@

/* Legacy aliases kept for source compatibility: "Rijndael" is the
 * pre-standardisation name of AES, and the bare ARCFOUR name maps to
 * the 128-bit key variant. New code should use the target names. */
#define GNUTLS_CIPHER_RIJNDAEL_128_CBC GNUTLS_CIPHER_AES_128_CBC
#define GNUTLS_CIPHER_RIJNDAEL_256_CBC GNUTLS_CIPHER_AES_256_CBC
#define GNUTLS_CIPHER_RIJNDAEL_CBC GNUTLS_CIPHER_AES_128_CBC
#define GNUTLS_CIPHER_ARCFOUR GNUTLS_CIPHER_ARCFOUR_128

/* Symbol linkage: applications built against the Windows DLL import the
 * symbols; the library's own build and every other platform use plain
 * linkage. */
#if !defined(GNUTLS_INTERNAL_BUILD) && defined(_WIN32)
# define _SYM_EXPORT __declspec(dllimport)
#else
# define _SYM_EXPORT
#endif

/* GCC/Clang function attributes for side-effect-free functions; they
 * only affect optimisation and expand to nothing on other compilers. */
#ifdef __GNUC__
# define __GNUTLS_CONST__  __attribute__((const))
# define __GNUTLS_PURE__  __attribute__((pure))
#else
# define __GNUTLS_CONST__
# define __GNUTLS_PURE__
#endif


/* Use the following definition globally (once, at file scope) in your
 * program to disable implicit initialization of gnutls. It defines a
 * function returning 1 which the library presumably looks up to decide
 * whether to skip its automatic initialization; the application is then
 * responsible for calling gnutls_global_init() itself before using any
 * other gnutls function. */
#define GNUTLS_SKIP_GLOBAL_INIT int _gnutls_global_init_skip(void); \
    int _gnutls_global_init_skip(void) {return 1;}
87
88/**
89 * gnutls_cipher_algorithm_t:
90 * @GNUTLS_CIPHER_UNKNOWN: Value to identify an unknown/unsupported algorithm.
91 * @GNUTLS_CIPHER_NULL: The NULL (identity) encryption algorithm.
92 * @GNUTLS_CIPHER_ARCFOUR_128: ARCFOUR stream cipher with 128-bit keys.
93 * @GNUTLS_CIPHER_3DES_CBC: 3DES in CBC mode.
94 * @GNUTLS_CIPHER_AES_128_CBC: AES in CBC mode with 128-bit keys.
95 * @GNUTLS_CIPHER_AES_192_CBC: AES in CBC mode with 192-bit keys.
96 * @GNUTLS_CIPHER_AES_256_CBC: AES in CBC mode with 256-bit keys.
97 * @GNUTLS_CIPHER_AES_128_CFB8: AES in CFB8 mode with 128-bit keys.
98 * @GNUTLS_CIPHER_AES_192_CFB8: AES in CFB8 mode with 192-bit keys.
99 * @GNUTLS_CIPHER_AES_256_CFB8: AES in CFB8 mode with 256-bit keys.
100 * @GNUTLS_CIPHER_ARCFOUR_40: ARCFOUR stream cipher with 40-bit keys.
101 * @GNUTLS_CIPHER_CAMELLIA_128_CBC: Camellia in CBC mode with 128-bit keys.
102 * @GNUTLS_CIPHER_CAMELLIA_192_CBC: Camellia in CBC mode with 192-bit keys.
103 * @GNUTLS_CIPHER_CAMELLIA_256_CBC: Camellia in CBC mode with 256-bit keys.
104 * @GNUTLS_CIPHER_RC2_40_CBC: RC2 in CBC mode with 40-bit keys.
105 * @GNUTLS_CIPHER_DES_CBC: DES in CBC mode (56-bit keys).
106 * @GNUTLS_CIPHER_AES_128_GCM: AES in GCM mode with 128-bit keys (AEAD).
107 * @GNUTLS_CIPHER_AES_256_GCM: AES in GCM mode with 256-bit keys (AEAD).
108 * @GNUTLS_CIPHER_AES_128_CCM: AES in CCM mode with 128-bit keys (AEAD).
109 * @GNUTLS_CIPHER_AES_256_CCM: AES in CCM mode with 256-bit keys (AEAD).
110 * @GNUTLS_CIPHER_AES_128_CCM_8: AES in CCM mode with 64-bit tag and 128-bit keys (AEAD).
111 * @GNUTLS_CIPHER_AES_256_CCM_8: AES in CCM mode with 64-bit tag and 256-bit keys (AEAD).
112 * @GNUTLS_CIPHER_CAMELLIA_128_GCM: CAMELLIA in GCM mode with 128-bit keys (AEAD).
113 * @GNUTLS_CIPHER_CAMELLIA_256_GCM: CAMELLIA in GCM mode with 256-bit keys (AEAD).
114 * @GNUTLS_CIPHER_SALSA20_256: Salsa20 with 256-bit keys.
115 * @GNUTLS_CIPHER_ESTREAM_SALSA20_256: Estream's Salsa20 variant with 256-bit keys.
116 * @GNUTLS_CIPHER_CHACHA20_32: Chacha20 cipher with 96-bit nonces and 32-bit block counters.
117 * @GNUTLS_CIPHER_CHACHA20_64: Chacha20 cipher with 64-bit nonces and 64-bit block counters.
118 * @GNUTLS_CIPHER_CHACHA20_POLY1305: The Chacha20 cipher with the Poly1305 authenticator (AEAD).
119 * @GNUTLS_CIPHER_GOST28147_TC26Z_CFB: GOST 28147-89 (Magma) cipher in CFB mode with TC26 Z S-box.
120 * @GNUTLS_CIPHER_GOST28147_CPA_CFB: GOST 28147-89 (Magma) cipher in CFB mode with CryptoPro A S-box.
121 * @GNUTLS_CIPHER_GOST28147_CPB_CFB: GOST 28147-89 (Magma) cipher in CFB mode with CryptoPro B S-box.
122 * @GNUTLS_CIPHER_GOST28147_CPC_CFB: GOST 28147-89 (Magma) cipher in CFB mode with CryptoPro C S-box.
123 * @GNUTLS_CIPHER_GOST28147_CPD_CFB: GOST 28147-89 (Magma) cipher in CFB mode with CryptoPro D S-box.
124 * @GNUTLS_CIPHER_AES_128_XTS: AES in XTS mode with 128-bit key + 128bit tweak key.
125 * @GNUTLS_CIPHER_AES_256_XTS: AES in XTS mode with 256-bit key + 256bit tweak key.
126 *                             Note that the XTS ciphers are message oriented.
127 *                             The whole message needs to be provided with a single call, because
128 *                             cipher-stealing requires to know where the message actually terminates
129 *                             in order to be able to compute where the stealing occurs.
130 * @GNUTLS_CIPHER_GOST28147_TC26Z_CNT: GOST 28147-89 (Magma) cipher in CNT mode with TC26 Z S-box.
131 * @GNUTLS_CIPHER_IDEA_PGP_CFB: IDEA in CFB mode (placeholder - unsupported).
132 * @GNUTLS_CIPHER_3DES_PGP_CFB: 3DES in CFB mode (placeholder - unsupported).
133 * @GNUTLS_CIPHER_CAST5_PGP_CFB: CAST5 in CFB mode (placeholder - unsupported).
134 * @GNUTLS_CIPHER_BLOWFISH_PGP_CFB: Blowfish in CFB mode (placeholder - unsupported).
135 * @GNUTLS_CIPHER_SAFER_SK128_PGP_CFB: Safer-SK in CFB mode with 128-bit keys (placeholder - unsupported).
136 * @GNUTLS_CIPHER_AES128_PGP_CFB: AES in CFB mode with 128-bit keys (placeholder - unsupported).
137 * @GNUTLS_CIPHER_AES192_PGP_CFB: AES in CFB mode with 192-bit keys (placeholder - unsupported).
138 * @GNUTLS_CIPHER_AES256_PGP_CFB: AES in CFB mode with 256-bit keys (placeholder - unsupported).
139 * @GNUTLS_CIPHER_TWOFISH_PGP_CFB: Twofish in CFB mode (placeholder - unsupported).
140 * @GNUTLS_CIPHER_AES_128_SIV: AES in SIV mode with 128-bit key.
141 * @GNUTLS_CIPHER_AES_256_SIV: AES in SIV mode with 256-bit key.
142 *                             Note that the SIV ciphers can only be used with
143 *                             the AEAD interface, and the IV plays a role as
144 *                             the authentication tag while it is prepended to
145 *                             the cipher text.
146 * @GNUTLS_CIPHER_AES_192_GCM: AES in GCM mode with 192-bit keys (AEAD).
147 *
148 * Enumeration of different symmetric encryption algorithms.
149 */
150typedef enum gnutls_cipher_algorithm {
151	GNUTLS_CIPHER_UNKNOWN = 0,
152	GNUTLS_CIPHER_NULL = 1,
153	GNUTLS_CIPHER_ARCFOUR_128 = 2,
154	GNUTLS_CIPHER_3DES_CBC = 3,
155	GNUTLS_CIPHER_AES_128_CBC = 4,
156	GNUTLS_CIPHER_AES_256_CBC = 5,
157	GNUTLS_CIPHER_ARCFOUR_40 = 6,
158	GNUTLS_CIPHER_CAMELLIA_128_CBC = 7,
159	GNUTLS_CIPHER_CAMELLIA_256_CBC = 8,
160	GNUTLS_CIPHER_AES_192_CBC = 9,
161	GNUTLS_CIPHER_AES_128_GCM = 10,
162	GNUTLS_CIPHER_AES_256_GCM = 11,
163	GNUTLS_CIPHER_CAMELLIA_192_CBC = 12,
164	GNUTLS_CIPHER_SALSA20_256 = 13,
165	GNUTLS_CIPHER_ESTREAM_SALSA20_256 = 14,
166	GNUTLS_CIPHER_CAMELLIA_128_GCM = 15,
167	GNUTLS_CIPHER_CAMELLIA_256_GCM = 16,
168	GNUTLS_CIPHER_RC2_40_CBC = 17,
169	GNUTLS_CIPHER_DES_CBC = 18,
170	GNUTLS_CIPHER_AES_128_CCM = 19,
171	GNUTLS_CIPHER_AES_256_CCM = 20,
172	GNUTLS_CIPHER_AES_128_CCM_8 = 21,
173	GNUTLS_CIPHER_AES_256_CCM_8 = 22,
174	GNUTLS_CIPHER_CHACHA20_POLY1305 = 23,
175	GNUTLS_CIPHER_GOST28147_TC26Z_CFB = 24,
176	GNUTLS_CIPHER_GOST28147_CPA_CFB = 25,
177	GNUTLS_CIPHER_GOST28147_CPB_CFB = 26,
178	GNUTLS_CIPHER_GOST28147_CPC_CFB = 27,
179	GNUTLS_CIPHER_GOST28147_CPD_CFB = 28,
180	GNUTLS_CIPHER_AES_128_CFB8 = 29,
181	GNUTLS_CIPHER_AES_192_CFB8 = 30,
182	GNUTLS_CIPHER_AES_256_CFB8 = 31,
183	GNUTLS_CIPHER_AES_128_XTS = 32,
184	GNUTLS_CIPHER_AES_256_XTS = 33,
185	GNUTLS_CIPHER_GOST28147_TC26Z_CNT = 34,
186	GNUTLS_CIPHER_CHACHA20_64 = 35,
187	GNUTLS_CIPHER_CHACHA20_32 = 36,
188	GNUTLS_CIPHER_AES_128_SIV = 37,
189	GNUTLS_CIPHER_AES_256_SIV = 38,
190	GNUTLS_CIPHER_AES_192_GCM = 39,
191
192	/* used only for PGP internals. Ignored in TLS/SSL
193	 */
194	GNUTLS_CIPHER_IDEA_PGP_CFB = 200,
195	GNUTLS_CIPHER_3DES_PGP_CFB = 201,
196	GNUTLS_CIPHER_CAST5_PGP_CFB = 202,
197	GNUTLS_CIPHER_BLOWFISH_PGP_CFB = 203,
198	GNUTLS_CIPHER_SAFER_SK128_PGP_CFB = 204,
199	GNUTLS_CIPHER_AES128_PGP_CFB = 205,
200	GNUTLS_CIPHER_AES192_PGP_CFB = 206,
201	GNUTLS_CIPHER_AES256_PGP_CFB = 207,
202	GNUTLS_CIPHER_TWOFISH_PGP_CFB = 208
203} gnutls_cipher_algorithm_t;
204
205/**
206 * gnutls_kx_algorithm_t:
207 * @GNUTLS_KX_UNKNOWN: Unknown key-exchange algorithm.
208 * @GNUTLS_KX_RSA: RSA key-exchange algorithm.
209 * @GNUTLS_KX_DHE_DSS: DHE-DSS key-exchange algorithm.
210 * @GNUTLS_KX_DHE_RSA: DHE-RSA key-exchange algorithm.
211 * @GNUTLS_KX_ECDHE_RSA: ECDHE-RSA key-exchange algorithm.
212 * @GNUTLS_KX_ECDHE_ECDSA: ECDHE-ECDSA key-exchange algorithm.
213 * @GNUTLS_KX_ANON_DH: Anon-DH key-exchange algorithm.
214 * @GNUTLS_KX_ANON_ECDH: Anon-ECDH key-exchange algorithm.
215 * @GNUTLS_KX_SRP: SRP key-exchange algorithm.
216 * @GNUTLS_KX_RSA_EXPORT: RSA-EXPORT key-exchange algorithm (defunc).
217 * @GNUTLS_KX_SRP_RSA: SRP-RSA key-exchange algorithm.
218 * @GNUTLS_KX_SRP_DSS: SRP-DSS key-exchange algorithm.
219 * @GNUTLS_KX_PSK: PSK key-exchange algorithm.
220 * @GNUTLS_KX_DHE_PSK: DHE-PSK key-exchange algorithm.
221 * @GNUTLS_KX_ECDHE_PSK: ECDHE-PSK key-exchange algorithm.
222 * @GNUTLS_KX_RSA_PSK: RSA-PSK key-exchange algorithm.
223 * @GNUTLS_KX_VKO_GOST_12: VKO GOST R 34.10-2012 key-exchange algorithm.
224 *
225 * Enumeration of different key exchange algorithms.
226 */
227typedef enum {
228	GNUTLS_KX_UNKNOWN = 0,
229	GNUTLS_KX_RSA = 1,
230	GNUTLS_KX_DHE_DSS = 2,
231	GNUTLS_KX_DHE_RSA = 3,
232	GNUTLS_KX_ANON_DH = 4,
233	GNUTLS_KX_SRP = 5,
234	GNUTLS_KX_RSA_EXPORT = 6,
235	GNUTLS_KX_SRP_RSA = 7,
236	GNUTLS_KX_SRP_DSS = 8,
237	GNUTLS_KX_PSK = 9,
238	GNUTLS_KX_DHE_PSK = 10,
239	GNUTLS_KX_ANON_ECDH = 11,
240	GNUTLS_KX_ECDHE_RSA = 12,
241	GNUTLS_KX_ECDHE_ECDSA = 13,
242	GNUTLS_KX_ECDHE_PSK = 14,
243	GNUTLS_KX_RSA_PSK = 15,
244	GNUTLS_KX_VKO_GOST_12 = 16
245} gnutls_kx_algorithm_t;
246
247/**
248 * gnutls_params_type_t:
249 * @GNUTLS_PARAMS_RSA_EXPORT: Session RSA-EXPORT parameters (defunc).
250 * @GNUTLS_PARAMS_DH: Session Diffie-Hellman parameters.
251 * @GNUTLS_PARAMS_ECDH: Session Elliptic-Curve Diffie-Hellman parameters.
252 *
253 * Enumeration of different TLS session parameter types.
254 */
255typedef enum {
256	GNUTLS_PARAMS_RSA_EXPORT = 1,
257	GNUTLS_PARAMS_DH = 2,
258	GNUTLS_PARAMS_ECDH = 3
259} gnutls_params_type_t;
260
261/**
262 * gnutls_credentials_type_t:
263 * @GNUTLS_CRD_CERTIFICATE: Certificate credential.
264 * @GNUTLS_CRD_ANON: Anonymous credential.
265 * @GNUTLS_CRD_SRP: SRP credential.
266 * @GNUTLS_CRD_PSK: PSK credential.
267 * @GNUTLS_CRD_IA: IA credential.
268 *
269 * Enumeration of different credential types.
270 */
271typedef enum {
272	GNUTLS_CRD_CERTIFICATE = 1,
273	GNUTLS_CRD_ANON,
274	GNUTLS_CRD_SRP,
275	GNUTLS_CRD_PSK,
276	GNUTLS_CRD_IA
277} gnutls_credentials_type_t;
278
/* Legacy aliases: the unqualified "SHA" names resolve to SHA-1. New code
 * should name the hash explicitly. */
#define GNUTLS_MAC_SHA GNUTLS_MAC_SHA1
#define GNUTLS_DIG_SHA GNUTLS_DIG_SHA1
281
282/**
283 * gnutls_mac_algorithm_t:
284 * @GNUTLS_MAC_UNKNOWN: Unknown MAC algorithm.
285 * @GNUTLS_MAC_NULL: NULL MAC algorithm (empty output).
286 * @GNUTLS_MAC_MD5: HMAC-MD5 algorithm.
287 * @GNUTLS_MAC_SHA1: HMAC-SHA-1 algorithm.
288 * @GNUTLS_MAC_RMD160: HMAC-RMD160 algorithm.
289 * @GNUTLS_MAC_MD2: HMAC-MD2 algorithm.
290 * @GNUTLS_MAC_SHA256: HMAC-SHA-256 algorithm.
291 * @GNUTLS_MAC_SHA384: HMAC-SHA-384 algorithm.
292 * @GNUTLS_MAC_SHA512: HMAC-SHA-512 algorithm.
293 * @GNUTLS_MAC_SHA224: HMAC-SHA-224 algorithm.
294 * @GNUTLS_MAC_MD5_SHA1: Combined MD5+SHA1 MAC placeholder.
295 * @GNUTLS_MAC_GOSTR_94: HMAC GOST R 34.11-94 algorithm.
296 * @GNUTLS_MAC_STREEBOG_256: HMAC GOST R 34.11-2001 (Streebog) algorithm, 256 bit.
297 * @GNUTLS_MAC_STREEBOG_512: HMAC GOST R 34.11-2001 (Streebog) algorithm, 512 bit.
298 * @GNUTLS_MAC_AEAD: MAC implicit through AEAD cipher.
299 * @GNUTLS_MAC_UMAC_96: The UMAC-96 MAC algorithm (requires nonce).
300 * @GNUTLS_MAC_UMAC_128: The UMAC-128 MAC algorithm (requires nonce).
301 * @GNUTLS_MAC_AES_CMAC_128: The AES-CMAC-128 MAC algorithm.
302 * @GNUTLS_MAC_AES_CMAC_256: The AES-CMAC-256 MAC algorithm.
303 * @GNUTLS_MAC_AES_GMAC_128: The AES-GMAC-128 MAC algorithm (requires nonce).
304 * @GNUTLS_MAC_AES_GMAC_192: The AES-GMAC-192 MAC algorithm (requires nonce).
305 * @GNUTLS_MAC_AES_GMAC_256: The AES-GMAC-256 MAC algorithm (requires nonce).
306 * @GNUTLS_MAC_SHA3_224: Reserved; unimplemented.
307 * @GNUTLS_MAC_SHA3_256: Reserved; unimplemented.
308 * @GNUTLS_MAC_SHA3_384: Reserved; unimplemented.
309 * @GNUTLS_MAC_SHA3_512: Reserved; unimplemented.
310 * @GNUTLS_MAC_GOST28147_TC26Z_IMIT: The GOST 28147-89 working in IMIT mode with TC26 Z S-box.
311 * @GNUTLS_MAC_SHAKE_128: Reserved; unimplemented.
312 * @GNUTLS_MAC_SHAKE_256: Reserved; unimplemented.
313 *
314 * Enumeration of different Message Authentication Code (MAC)
315 * algorithms.
316 */
317typedef enum {
318	GNUTLS_MAC_UNKNOWN = 0,
319	GNUTLS_MAC_NULL = 1,
320	GNUTLS_MAC_MD5 = 2,
321	GNUTLS_MAC_SHA1 = 3,
322	GNUTLS_MAC_RMD160 = 4,
323	GNUTLS_MAC_MD2 = 5,
324	GNUTLS_MAC_SHA256 = 6,
325	GNUTLS_MAC_SHA384 = 7,
326	GNUTLS_MAC_SHA512 = 8,
327	GNUTLS_MAC_SHA224 = 9,
328	GNUTLS_MAC_SHA3_224 = 10, /* reserved: no implementation */
329	GNUTLS_MAC_SHA3_256 = 11, /* reserved: no implementation */
330	GNUTLS_MAC_SHA3_384 = 12, /* reserved: no implementation */
331	GNUTLS_MAC_SHA3_512 = 13, /* reserved: no implementation */
332	GNUTLS_MAC_MD5_SHA1 = 14, /* reserved: no implementation */
333	GNUTLS_MAC_GOSTR_94 = 15,
334	GNUTLS_MAC_STREEBOG_256 = 16,
335	GNUTLS_MAC_STREEBOG_512 = 17,
336	/* If you add anything here, make sure you align with
337	   gnutls_digest_algorithm_t. */
338	GNUTLS_MAC_AEAD = 200,	/* indicates that MAC is on the cipher */
339	GNUTLS_MAC_UMAC_96 = 201,
340	GNUTLS_MAC_UMAC_128 = 202,
341	GNUTLS_MAC_AES_CMAC_128 = 203,
342	GNUTLS_MAC_AES_CMAC_256 = 204,
343	GNUTLS_MAC_AES_GMAC_128 = 205,
344	GNUTLS_MAC_AES_GMAC_192 = 206,
345	GNUTLS_MAC_AES_GMAC_256 = 207,
346	GNUTLS_MAC_GOST28147_TC26Z_IMIT = 208,
347	GNUTLS_MAC_SHAKE_128 = 209,
348	GNUTLS_MAC_SHAKE_256 = 210
349} gnutls_mac_algorithm_t;
350
351/**
352 * gnutls_digest_algorithm_t:
353 * @GNUTLS_DIG_UNKNOWN: Unknown hash algorithm.
354 * @GNUTLS_DIG_NULL: NULL hash algorithm (empty output).
355 * @GNUTLS_DIG_MD5: MD5 algorithm.
356 * @GNUTLS_DIG_SHA1: SHA-1 algorithm.
357 * @GNUTLS_DIG_RMD160: RMD160 algorithm.
358 * @GNUTLS_DIG_MD2: MD2 algorithm.
359 * @GNUTLS_DIG_SHA256: SHA-256 algorithm.
360 * @GNUTLS_DIG_SHA384: SHA-384 algorithm.
361 * @GNUTLS_DIG_SHA512: SHA-512 algorithm.
362 * @GNUTLS_DIG_SHA224: SHA-224 algorithm.
363 * @GNUTLS_DIG_SHA3_224: SHA3-224 algorithm.
364 * @GNUTLS_DIG_SHA3_256: SHA3-256 algorithm.
365 * @GNUTLS_DIG_SHA3_384: SHA3-384 algorithm.
366 * @GNUTLS_DIG_SHA3_512: SHA3-512 algorithm.
367 * @GNUTLS_DIG_MD5_SHA1: Combined MD5+SHA1 algorithm.
368 * @GNUTLS_DIG_GOSTR_94: GOST R 34.11-94 algorithm.
369 * @GNUTLS_DIG_STREEBOG_256: GOST R 34.11-2001 (Streebog) algorithm, 256 bit.
370 * @GNUTLS_DIG_STREEBOG_512: GOST R 34.11-2001 (Streebog) algorithm, 512 bit.
371 * @GNUTLS_DIG_SHAKE_128: Reserved; unimplemented.
372 * @GNUTLS_DIG_SHAKE_256: Reserved; unimplemented.
373 *
374 * Enumeration of different digest (hash) algorithms.
375 */
376typedef enum {
377	GNUTLS_DIG_UNKNOWN = GNUTLS_MAC_UNKNOWN,
378	GNUTLS_DIG_NULL = GNUTLS_MAC_NULL,
379	GNUTLS_DIG_MD5 = GNUTLS_MAC_MD5,
380	GNUTLS_DIG_SHA1 = GNUTLS_MAC_SHA1,
381	GNUTLS_DIG_RMD160 = GNUTLS_MAC_RMD160,
382	GNUTLS_DIG_MD2 = GNUTLS_MAC_MD2,
383	GNUTLS_DIG_SHA256 = GNUTLS_MAC_SHA256,
384	GNUTLS_DIG_SHA384 = GNUTLS_MAC_SHA384,
385	GNUTLS_DIG_SHA512 = GNUTLS_MAC_SHA512,
386	GNUTLS_DIG_SHA224 = GNUTLS_MAC_SHA224,
387	GNUTLS_DIG_SHA3_224 = GNUTLS_MAC_SHA3_224,
388	GNUTLS_DIG_SHA3_256 = GNUTLS_MAC_SHA3_256,
389	GNUTLS_DIG_SHA3_384 = GNUTLS_MAC_SHA3_384,
390	GNUTLS_DIG_SHA3_512 = GNUTLS_MAC_SHA3_512,
391	GNUTLS_DIG_MD5_SHA1 = GNUTLS_MAC_MD5_SHA1,
392	GNUTLS_DIG_GOSTR_94 = GNUTLS_MAC_GOSTR_94,
393	GNUTLS_DIG_STREEBOG_256 = GNUTLS_MAC_STREEBOG_256,
394	GNUTLS_DIG_STREEBOG_512 = GNUTLS_MAC_STREEBOG_512,
395	GNUTLS_DIG_SHAKE_128 = GNUTLS_MAC_SHAKE_128,
396	GNUTLS_DIG_SHAKE_256 = GNUTLS_MAC_SHAKE_256
397	    /* If you add anything here, make sure you align with
398	       gnutls_mac_algorithm_t. */
399} gnutls_digest_algorithm_t;
400
  /* exported for other gnutls headers. This is the maximum number of
   * algorithms (ciphers, kx or macs). Note it bounds a *count* of
   * algorithms, not their enumerator values, which go well above 64.
   */
#define GNUTLS_MAX_ALGORITHM_NUM 64
/* Matches the 32-byte maximum TLS session identifier length. */
#define GNUTLS_MAX_SESSION_ID_SIZE 32
406
407
408/**
409 * gnutls_compression_method_t:
410 * @GNUTLS_COMP_UNKNOWN: Unknown compression method.
411 * @GNUTLS_COMP_NULL: The NULL compression method (no compression).
412 * @GNUTLS_COMP_DEFLATE: The DEFLATE compression method from zlib.
413 * @GNUTLS_COMP_ZLIB: Same as %GNUTLS_COMP_DEFLATE.
414 *
415 * Enumeration of different TLS compression methods.
416 */
417typedef enum {
418	GNUTLS_COMP_UNKNOWN = 0,
419	GNUTLS_COMP_NULL = 1,
420	GNUTLS_COMP_DEFLATE = 2,
421	GNUTLS_COMP_ZLIB = GNUTLS_COMP_DEFLATE
422} gnutls_compression_method_t;
423
424
425/**
426 * gnutls_init_flags_t:
427 *
428 * @GNUTLS_SERVER: Connection end is a server.
429 * @GNUTLS_CLIENT: Connection end is a client.
430 * @GNUTLS_DATAGRAM: Connection is datagram oriented (DTLS). Since 3.0.0.
431 * @GNUTLS_NONBLOCK: Connection should not block. Since 3.0.0.
432 * @GNUTLS_NO_SIGNAL: In systems where SIGPIPE is delivered on send, it will be disabled. That flag has effect in systems which support the MSG_NOSIGNAL sockets flag (since 3.4.2).
433 * @GNUTLS_NO_EXTENSIONS: Do not enable any TLS extensions by default (since 3.1.2). As TLS 1.2 and later require extensions this option is considered obsolete and should not be used.
434 * @GNUTLS_NO_REPLAY_PROTECTION: Disable any replay protection in DTLS. This must only be used if  replay protection is achieved using other means. Since 3.2.2.
435 * @GNUTLS_ALLOW_ID_CHANGE: Allow the peer to replace its certificate, or change its ID during a rehandshake. This change is often used in attacks and thus prohibited by default. Since 3.5.0.
436 * @GNUTLS_ENABLE_FALSE_START: Enable the TLS false start on client side if the negotiated ciphersuites allow it. This will enable sending data prior to the handshake being complete, and may introduce a risk of crypto failure when combined with certain key exchanged; for that GnuTLS may not enable that option in ciphersuites that are known to be not safe for false start. Since 3.5.0.
437 * @GNUTLS_ENABLE_EARLY_START: Under TLS1.3 allow the server to return earlier than the full handshake
438 *   finish; similarly to false start the handshake will be completed once data are received by the
439 *   client, while the server is able to transmit sooner. This is not enabled by default as it could
440 *   break certain existing server assumptions and use-cases. Since 3.6.4.
441 * @GNUTLS_ENABLE_EARLY_DATA: Under TLS1.3 allow the server to receive early data sent as part of the initial ClientHello (0-RTT). This is not enabled by default as early data has weaker security properties than other data. Since 3.6.5.
442 * @GNUTLS_FORCE_CLIENT_CERT: When in client side and only a single cert is specified, send that certificate irrespective of the issuers expected by the server. Since 3.5.0.
443 * @GNUTLS_NO_TICKETS: Flag to indicate that the session should not use resumption with session tickets.
444 * @GNUTLS_KEY_SHARE_TOP3: Generate key shares for the top-3 different groups which are enabled.
445 *   That is, as each group is associated with a key type (EC, finite field, x25519), generate
446 *   three keys using %GNUTLS_PK_DH, %GNUTLS_PK_EC, %GNUTLS_PK_ECDH_X25519 if all of them are enabled.
447 * @GNUTLS_KEY_SHARE_TOP2: Generate key shares for the top-2 different groups which are enabled.
448 *   For example (ECDH + x25519). This is the default.
449 * @GNUTLS_KEY_SHARE_TOP: Generate key share for the first group which is enabled.
450 *   For example x25519. This option is the most performant for client (less CPU spent
451 *   generating keys), but if the server doesn't support the advertized option it may
452 *   result to more roundtrips needed to discover the server's choice.
453 * @GNUTLS_NO_AUTO_REKEY: Disable auto-rekeying under TLS1.3. If this option is not specified
454 *   gnutls will force a rekey after 2^24 records have been sent.
455 * @GNUTLS_POST_HANDSHAKE_AUTH: Enable post handshake authentication for server and client. When set and
456 *   a server requests authentication after handshake %GNUTLS_E_REAUTH_REQUEST will be returned
457 *   by gnutls_record_recv(). A client should then call gnutls_reauth() to re-authenticate.
458 * @GNUTLS_SAFE_PADDING_CHECK: Flag to indicate that the TLS 1.3 padding check will be done in a
459 *   safe way which doesn't leak the pad size based on GnuTLS processing time. This is of use to
460 *   applications which hide the length of transferred data via the TLS1.3 padding mechanism and
461 *   are already taking steps to hide the data processing time. This comes at a performance
462 *   penalty.
463 * @GNUTLS_AUTO_REAUTH: Enable transparent re-authentication in client side when the server
464 *    requests to. That is, reauthentication is handled within gnutls_record_recv(), and
465 *    the %GNUTLS_E_REHANDSHAKE or %GNUTLS_E_REAUTH_REQUEST are not returned. This must be
466 *    enabled with %GNUTLS_POST_HANDSHAKE_AUTH for TLS1.3. Enabling this flag requires to restore
467 *    interrupted calls to gnutls_record_recv() based on the output of gnutls_record_get_direction(),
468 *    since gnutls_record_recv() could be interrupted when sending when this flag is enabled.
469 *    Note this flag may not be used if you are using the same session for sending and receiving
470 *    in different threads.
471 * @GNUTLS_ENABLE_EARLY_DATA: Under TLS1.3 allow the server to receive early data sent as part of the initial ClientHello (0-RTT).
472 *    This is not enabled by default as early data has weaker security properties than other data. Since 3.6.5.
473 * @GNUTLS_ENABLE_RAWPK: Allows raw public-keys to be negotiated during the handshake. Since 3.6.6.
474 * @GNUTLS_NO_AUTO_SEND_TICKET: Under TLS1.3 disable auto-sending of
475 *    session tickets during the handshake.
476 *
477 * Enumeration of different flags for gnutls_init() function. All the flags
478 * can be combined except @GNUTLS_SERVER and @GNUTLS_CLIENT which are mutually
479 * exclusive.
480 *
481 * The key share options relate to the TLS 1.3 key share extension
482 * which is a speculative key generation expecting that the server
483 * would support the generated key.
484 */
485typedef enum {
486	GNUTLS_SERVER = 1,
487	GNUTLS_CLIENT = (1<<1),
488	GNUTLS_DATAGRAM = (1<<2),
489	GNUTLS_NONBLOCK = (1<<3),
490	GNUTLS_NO_EXTENSIONS = (1<<4),
491	GNUTLS_NO_REPLAY_PROTECTION = (1<<5),
492	GNUTLS_NO_SIGNAL = (1<<6),
493	GNUTLS_ALLOW_ID_CHANGE = (1<<7),
494	GNUTLS_ENABLE_FALSE_START = (1<<8),
495	GNUTLS_FORCE_CLIENT_CERT = (1<<9),
496	GNUTLS_NO_TICKETS = (1<<10),
497	GNUTLS_KEY_SHARE_TOP = (1<<11),
498	GNUTLS_KEY_SHARE_TOP2 = (1<<12),
499	GNUTLS_KEY_SHARE_TOP3 = (1<<13),
500	GNUTLS_POST_HANDSHAKE_AUTH = (1<<14),
501	GNUTLS_NO_AUTO_REKEY = (1<<15),
502	GNUTLS_SAFE_PADDING_CHECK = (1<<16),
503	GNUTLS_ENABLE_EARLY_START = (1<<17),
504	GNUTLS_ENABLE_RAWPK = (1<<18),
505	GNUTLS_AUTO_REAUTH = (1<<19),
506	GNUTLS_ENABLE_EARLY_DATA = (1<<20),
507	GNUTLS_NO_AUTO_SEND_TICKET = (1<<21)
508} gnutls_init_flags_t;
509
/* compatibility defines (previous versions of gnutls
 * used defines instead of enumerated values). Each macro expands to the
 * same value as the enumerator of the same name, so that existing
 * `#ifdef GNUTLS_xxx` feature checks keep working. Keep the two lists
 * in sync if a value ever changes. */
#define GNUTLS_SERVER (1)
#define GNUTLS_CLIENT (1<<1)
#define GNUTLS_DATAGRAM (1<<2)
#define GNUTLS_NONBLOCK (1<<3)
#define GNUTLS_NO_EXTENSIONS (1<<4)
#define GNUTLS_NO_REPLAY_PROTECTION (1<<5)
#define GNUTLS_NO_SIGNAL (1<<6)
#define GNUTLS_ALLOW_ID_CHANGE (1<<7)
#define GNUTLS_ENABLE_FALSE_START (1<<8)
#define GNUTLS_FORCE_CLIENT_CERT (1<<9)
#define GNUTLS_NO_TICKETS (1<<10)
/* Here for compatibility reasons only: the value is 0, so OR-ing it
 * into the init flags is a no-op. */
#define GNUTLS_ENABLE_CERT_TYPE_NEG 0
525
526/**
527 * gnutls_alert_level_t:
528 * @GNUTLS_AL_WARNING: Alert of warning severity.
529 * @GNUTLS_AL_FATAL: Alert of fatal severity.
530 *
531 * Enumeration of different TLS alert severities.
532 */
533typedef enum {
534	GNUTLS_AL_WARNING = 1,
535	GNUTLS_AL_FATAL
536} gnutls_alert_level_t;
537
538/**
539 * gnutls_alert_description_t:
540 * @GNUTLS_A_CLOSE_NOTIFY: Close notify.
541 * @GNUTLS_A_UNEXPECTED_MESSAGE: Unexpected message.
542 * @GNUTLS_A_BAD_RECORD_MAC: Bad record MAC.
543 * @GNUTLS_A_DECRYPTION_FAILED: Decryption failed.
544 * @GNUTLS_A_RECORD_OVERFLOW: Record overflow.
545 * @GNUTLS_A_DECOMPRESSION_FAILURE: Decompression failed.
546 * @GNUTLS_A_HANDSHAKE_FAILURE: Handshake failed.
547 * @GNUTLS_A_SSL3_NO_CERTIFICATE: No certificate.
548 * @GNUTLS_A_BAD_CERTIFICATE: Certificate is bad.
549 * @GNUTLS_A_UNSUPPORTED_CERTIFICATE: Certificate is not supported.
550 * @GNUTLS_A_CERTIFICATE_REVOKED: Certificate was revoked.
551 * @GNUTLS_A_CERTIFICATE_EXPIRED: Certificate is expired.
552 * @GNUTLS_A_CERTIFICATE_UNKNOWN: Unknown certificate.
553 * @GNUTLS_A_ILLEGAL_PARAMETER: Illegal parameter.
554 * @GNUTLS_A_UNKNOWN_CA: CA is unknown.
555 * @GNUTLS_A_ACCESS_DENIED: Access was denied.
556 * @GNUTLS_A_DECODE_ERROR: Decode error.
557 * @GNUTLS_A_DECRYPT_ERROR: Decrypt error.
558 * @GNUTLS_A_EXPORT_RESTRICTION: Export restriction.
559 * @GNUTLS_A_PROTOCOL_VERSION: Error in protocol version.
560 * @GNUTLS_A_INSUFFICIENT_SECURITY: Insufficient security.
561 * @GNUTLS_A_INTERNAL_ERROR: Internal error.
562 * @GNUTLS_A_INAPPROPRIATE_FALLBACK: Inappropriate fallback,
563 * @GNUTLS_A_USER_CANCELED: User canceled.
564 * @GNUTLS_A_NO_RENEGOTIATION: No renegotiation is allowed.
565 * @GNUTLS_A_MISSING_EXTENSION: An extension was expected but was not seen
566 * @GNUTLS_A_UNSUPPORTED_EXTENSION: An unsupported extension was
567 *   sent.
568 * @GNUTLS_A_CERTIFICATE_UNOBTAINABLE: Could not retrieve the
569 *   specified certificate.
570 * @GNUTLS_A_UNRECOGNIZED_NAME: The server name sent was not
571 *   recognized.
572 * @GNUTLS_A_UNKNOWN_PSK_IDENTITY: The SRP/PSK username is missing
573 *   or not known.
574 * @GNUTLS_A_CERTIFICATE_REQUIRED: Certificate is required.
575 * @GNUTLS_A_NO_APPLICATION_PROTOCOL: The ALPN protocol requested is
576 *   not supported by the peer.
577 *
578 * Enumeration of different TLS alerts.
579 */
580typedef enum {
581	GNUTLS_A_CLOSE_NOTIFY,
582	GNUTLS_A_UNEXPECTED_MESSAGE = 10,
583	GNUTLS_A_BAD_RECORD_MAC = 20,
584	GNUTLS_A_DECRYPTION_FAILED,
585	GNUTLS_A_RECORD_OVERFLOW,
586	GNUTLS_A_DECOMPRESSION_FAILURE = 30,
587	GNUTLS_A_HANDSHAKE_FAILURE = 40,
588	GNUTLS_A_SSL3_NO_CERTIFICATE = 41,
589	GNUTLS_A_BAD_CERTIFICATE = 42,
590	GNUTLS_A_UNSUPPORTED_CERTIFICATE,
591	GNUTLS_A_CERTIFICATE_REVOKED,
592	GNUTLS_A_CERTIFICATE_EXPIRED,
593	GNUTLS_A_CERTIFICATE_UNKNOWN,
594	GNUTLS_A_ILLEGAL_PARAMETER,
595	GNUTLS_A_UNKNOWN_CA,
596	GNUTLS_A_ACCESS_DENIED,
597	GNUTLS_A_DECODE_ERROR = 50,
598	GNUTLS_A_DECRYPT_ERROR,
599	GNUTLS_A_EXPORT_RESTRICTION = 60,
600	GNUTLS_A_PROTOCOL_VERSION = 70,
601	GNUTLS_A_INSUFFICIENT_SECURITY,
602	GNUTLS_A_INTERNAL_ERROR = 80,
603	GNUTLS_A_INAPPROPRIATE_FALLBACK = 86,
604	GNUTLS_A_USER_CANCELED = 90,
605	GNUTLS_A_NO_RENEGOTIATION = 100,
606	GNUTLS_A_MISSING_EXTENSION = 109,
607	GNUTLS_A_UNSUPPORTED_EXTENSION = 110,
608	GNUTLS_A_CERTIFICATE_UNOBTAINABLE = 111,
609	GNUTLS_A_UNRECOGNIZED_NAME = 112,
610	GNUTLS_A_UNKNOWN_PSK_IDENTITY = 115,
611	GNUTLS_A_CERTIFICATE_REQUIRED = 116,
612	GNUTLS_A_NO_APPLICATION_PROTOCOL = 120,
613	GNUTLS_A_MAX = GNUTLS_A_NO_APPLICATION_PROTOCOL
614} gnutls_alert_description_t;
615
616/**
617 * gnutls_handshake_description_t:
618 * @GNUTLS_HANDSHAKE_HELLO_REQUEST: Hello request.
619 * @GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST: DTLS Hello verify request.
620 * @GNUTLS_HANDSHAKE_CLIENT_HELLO: Client hello.
621 * @GNUTLS_HANDSHAKE_SERVER_HELLO: Server hello.
622 * @GNUTLS_HANDSHAKE_END_OF_EARLY_DATA: End of early data.
623 * @GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST: Hello retry request.
624 * @GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: New session ticket.
625 * @GNUTLS_HANDSHAKE_CERTIFICATE_PKT: Certificate packet.
626 * @GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: Server key exchange.
627 * @GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: Certificate request.
628 * @GNUTLS_HANDSHAKE_SERVER_HELLO_DONE: Server hello done.
629 * @GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY: Certificate verify.
630 * @GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE: Client key exchange.
631 * @GNUTLS_HANDSHAKE_FINISHED: Finished.
632 * @GNUTLS_HANDSHAKE_CERTIFICATE_STATUS: Certificate status (OCSP).
633 * @GNUTLS_HANDSHAKE_KEY_UPDATE: TLS1.3 key update message.
634 * @GNUTLS_HANDSHAKE_SUPPLEMENTAL: Supplemental.
635 * @GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC: Change Cipher Spec.
636 * @GNUTLS_HANDSHAKE_CLIENT_HELLO_V2: SSLv2 Client Hello.
637 * @GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS: Encrypted extensions message.
638 *
639 * Enumeration of different TLS handshake packets.
640 */
641typedef enum {
642	GNUTLS_HANDSHAKE_HELLO_REQUEST = 0,
643	GNUTLS_HANDSHAKE_CLIENT_HELLO = 1,
644	GNUTLS_HANDSHAKE_SERVER_HELLO = 2,
645	GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST = 3,
646	GNUTLS_HANDSHAKE_NEW_SESSION_TICKET = 4,
647	GNUTLS_HANDSHAKE_END_OF_EARLY_DATA = 5,
648	GNUTLS_HANDSHAKE_ENCRYPTED_EXTENSIONS = 8,
649	GNUTLS_HANDSHAKE_CERTIFICATE_PKT = 11,
650	GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE = 12,
651	GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST = 13,
652	GNUTLS_HANDSHAKE_SERVER_HELLO_DONE = 14,
653	GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY = 15,
654	GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE = 16,
655	GNUTLS_HANDSHAKE_FINISHED = 20,
656	GNUTLS_HANDSHAKE_CERTIFICATE_STATUS = 22,
657	GNUTLS_HANDSHAKE_SUPPLEMENTAL = 23,
658	GNUTLS_HANDSHAKE_KEY_UPDATE = 24,
659	GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC = 254,
660	GNUTLS_HANDSHAKE_CLIENT_HELLO_V2 = 1024,
661	GNUTLS_HANDSHAKE_HELLO_RETRY_REQUEST = 1025,
662} gnutls_handshake_description_t;
663
/* Wildcard for APIs that take a handshake message type, meaning "any
 * type". Deliberately all-ones so it cannot collide with a real value of
 * gnutls_handshake_description_t. */
#define GNUTLS_HANDSHAKE_ANY ((unsigned int)-1)

/**
 * gnutls_handshake_description_get_name:
 * @type: a handshake message type
 *
 * Looks up a printable name for @type, e.g. for logging and diagnostics.
 *
 * Returns: a constant string naming the handshake message; presumably
 *   %NULL for values outside gnutls_handshake_description_t — confirm
 *   against the definition before relying on it.
 */
const char
    *gnutls_handshake_description_get_name(gnutls_handshake_description_t
					   type);
669
670/**
671 * gnutls_certificate_status_t:
672 * @GNUTLS_CERT_INVALID: The certificate is not signed by one of the
673 *   known authorities or the signature is invalid (deprecated by the flags
674 *   %GNUTLS_CERT_SIGNATURE_FAILURE and %GNUTLS_CERT_SIGNER_NOT_FOUND).
675 * @GNUTLS_CERT_SIGNATURE_FAILURE: The signature verification failed.
676 * @GNUTLS_CERT_REVOKED: Certificate is revoked by its authority.  In X.509 this will be
677 *   set only if CRLs are checked.
678 * @GNUTLS_CERT_SIGNER_NOT_FOUND: The certificate's issuer is not known.
679 *   This is the case if the issuer is not included in the trusted certificate list.
680 * @GNUTLS_CERT_SIGNER_NOT_CA: The certificate's signer was not a CA. This
681 *   may happen if this was a version 1 certificate, which is common with
682 *   some CAs, or a version 3 certificate without the basic constrains extension.
683 * @GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE: The certificate's signer constraints were
684 *   violated.
685 * @GNUTLS_CERT_INSECURE_ALGORITHM:  The certificate was signed using an insecure
686 *   algorithm such as MD2 or MD5. These algorithms have been broken and
687 *   should not be trusted.
688 * @GNUTLS_CERT_NOT_ACTIVATED: The certificate is not yet activated.
689 * @GNUTLS_CERT_EXPIRED: The certificate has expired.
690 * @GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: The revocation data are old and have been superseded.
691 * @GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: The revocation data have a future issue date.
692 * @GNUTLS_CERT_UNEXPECTED_OWNER: The owner is not the expected one.
693 * @GNUTLS_CERT_MISMATCH: The certificate presented isn't the expected one (TOFU)
694 * @GNUTLS_CERT_PURPOSE_MISMATCH: The certificate or an intermediate does not match the intended purpose (extended key usage).
695 * @GNUTLS_CERT_MISSING_OCSP_STATUS: The certificate requires the server to send the certifiate status, but no status was received.
696 * @GNUTLS_CERT_INVALID_OCSP_STATUS: The received OCSP status response is invalid.
697 * @GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: The certificate has extensions marked as critical which are not supported.
698 *
699 * Enumeration of certificate status codes.  Note that the status
700 * bits may have different meanings in OpenPGP keys and X.509
701 * certificate verification.
702 */
703typedef enum {
704	GNUTLS_CERT_INVALID = 1 << 1,
705	GNUTLS_CERT_REVOKED = 1 << 5,
706	GNUTLS_CERT_SIGNER_NOT_FOUND = 1 << 6,
707	GNUTLS_CERT_SIGNER_NOT_CA = 1 << 7,
708	GNUTLS_CERT_INSECURE_ALGORITHM = 1 << 8,
709	GNUTLS_CERT_NOT_ACTIVATED = 1 << 9,
710	GNUTLS_CERT_EXPIRED = 1 << 10,
711	GNUTLS_CERT_SIGNATURE_FAILURE = 1 << 11,
712	GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED = 1 << 12,
713	GNUTLS_CERT_UNEXPECTED_OWNER = 1 << 14,
714	GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE = 1 << 15,
715	GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE = 1 << 16,
716	GNUTLS_CERT_MISMATCH = 1 << 17,
717	GNUTLS_CERT_PURPOSE_MISMATCH = 1 << 18,
718	GNUTLS_CERT_MISSING_OCSP_STATUS = 1 << 19,
719	GNUTLS_CERT_INVALID_OCSP_STATUS = 1 << 20,
720	GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS = 1 << 21
721} gnutls_certificate_status_t;
722
723/**
724 * gnutls_certificate_request_t:
725 * @GNUTLS_CERT_IGNORE: Ignore certificate.
726 * @GNUTLS_CERT_REQUEST: Request certificate.
727 * @GNUTLS_CERT_REQUIRE: Require certificate.
728 *
729 * Enumeration of certificate request types.
730 */
731typedef enum {
732	GNUTLS_CERT_IGNORE = 0,
733	GNUTLS_CERT_REQUEST = 1,
734	GNUTLS_CERT_REQUIRE = 2
735} gnutls_certificate_request_t;
736
737/**
738 * gnutls_openpgp_crt_status_t:
739 * @GNUTLS_OPENPGP_CERT: Send entire certificate.
740 * @GNUTLS_OPENPGP_CERT_FINGERPRINT: Send only certificate fingerprint.
741 *
742 * Enumeration of ways to send OpenPGP certificate.
743 */
744typedef enum {
745	GNUTLS_OPENPGP_CERT = 0,
746	GNUTLS_OPENPGP_CERT_FINGERPRINT = 1
747} gnutls_openpgp_crt_status_t;
748
749/**
750 * gnutls_close_request_t:
751 * @GNUTLS_SHUT_RDWR: Disallow further receives/sends.
752 * @GNUTLS_SHUT_WR: Disallow further sends.
753 *
754 * Enumeration of how TLS session should be terminated.  See gnutls_bye().
755 */
756typedef enum {
757	GNUTLS_SHUT_RDWR = 0,
758	GNUTLS_SHUT_WR = 1
759} gnutls_close_request_t;
760
761/**
762 * gnutls_protocol_t:
763 * @GNUTLS_SSL3: SSL version 3.0.
764 * @GNUTLS_TLS1_0: TLS version 1.0.
765 * @GNUTLS_TLS1: Same as %GNUTLS_TLS1_0.
766 * @GNUTLS_TLS1_1: TLS version 1.1.
767 * @GNUTLS_TLS1_2: TLS version 1.2.
768 * @GNUTLS_TLS1_3: TLS version 1.3.
769 * @GNUTLS_DTLS1_0: DTLS version 1.0.
770 * @GNUTLS_DTLS1_2: DTLS version 1.2.
771 * @GNUTLS_DTLS0_9: DTLS version 0.9 (Cisco AnyConnect / OpenSSL 0.9.8e).
772 * @GNUTLS_TLS_VERSION_MAX: Maps to the highest supported TLS version.
773 * @GNUTLS_DTLS_VERSION_MAX: Maps to the highest supported DTLS version.
774 * @GNUTLS_VERSION_UNKNOWN: Unknown SSL/TLS version.
775 *
776 * Enumeration of different SSL/TLS protocol versions.
777 */
778typedef enum {
779	GNUTLS_SSL3 = 1,
780	GNUTLS_TLS1_0 = 2,
781	GNUTLS_TLS1 = GNUTLS_TLS1_0,
782	GNUTLS_TLS1_1 = 3,
783	GNUTLS_TLS1_2 = 4,
784	GNUTLS_TLS1_3 = 5,
785
786	GNUTLS_DTLS0_9 = 200,
787	GNUTLS_DTLS1_0 = 201,	/* 201 */
788	GNUTLS_DTLS1_2 = 202,
789	GNUTLS_DTLS_VERSION_MIN = GNUTLS_DTLS0_9,
790	GNUTLS_DTLS_VERSION_MAX = GNUTLS_DTLS1_2,
791	GNUTLS_TLS_VERSION_MAX = GNUTLS_TLS1_3,
792	GNUTLS_VERSION_UNKNOWN = 0xff	/* change it to 0xffff */
793} gnutls_protocol_t;
794
/* Alias kept for source compatibility with code written before the
 * raw-public-key type got its current name. */
#define GNUTLS_CRT_RAW GNUTLS_CRT_RAWPK

/**
 * gnutls_certificate_type_t:
 * @GNUTLS_CRT_UNKNOWN: Unknown certificate type.
 * @GNUTLS_CRT_X509: X.509 Certificate.
 * @GNUTLS_CRT_OPENPGP: OpenPGP certificate.
 * @GNUTLS_CRT_RAWPK: Raw public-key (SubjectPublicKeyInfo).  There is no
 *   issuer to chain to, so trust in such a key must come from an
 *   out-of-band pinning/TOFU decision by the application.
 * @GNUTLS_CRT_MAX: Highest valid value (usable as an array bound).
 *
 * Enumeration of different certificate types; see also
 * gnutls_certificate_type_get2() and gnutls_ctype_target_t for querying
 * which type was negotiated for each side of a session.
 */
typedef enum {
	GNUTLS_CRT_UNKNOWN = 0,
	GNUTLS_CRT_X509 = 1,
	GNUTLS_CRT_OPENPGP = 2,
	GNUTLS_CRT_RAWPK = 3,
	GNUTLS_CRT_MAX = GNUTLS_CRT_RAWPK
} gnutls_certificate_type_t;
813
814/**
815 * gnutls_x509_crt_fmt_t:
816 * @GNUTLS_X509_FMT_DER: X.509 certificate in DER format (binary).
817 * @GNUTLS_X509_FMT_PEM: X.509 certificate in PEM format (text).
818 *
819 * Enumeration of different certificate encoding formats.
820 */
821typedef enum {
822	GNUTLS_X509_FMT_DER = 0,
823	GNUTLS_X509_FMT_PEM = 1
824} gnutls_x509_crt_fmt_t;
825
826/**
827 * gnutls_certificate_print_formats_t:
828 * @GNUTLS_CRT_PRINT_FULL: Full information about certificate.
829 * @GNUTLS_CRT_PRINT_FULL_NUMBERS: Full information about certificate and include easy to parse public key parameters.
830 * @GNUTLS_CRT_PRINT_COMPACT: Information about certificate name in one line, plus identification of the public key.
831 * @GNUTLS_CRT_PRINT_ONELINE: Information about certificate in one line.
832 * @GNUTLS_CRT_PRINT_UNSIGNED_FULL: All info for an unsigned certificate.
833 *
834 * Enumeration of different certificate printing variants.
835 */
836typedef enum gnutls_certificate_print_formats {
837	GNUTLS_CRT_PRINT_FULL = 0,
838	GNUTLS_CRT_PRINT_ONELINE = 1,
839	GNUTLS_CRT_PRINT_UNSIGNED_FULL = 2,
840	GNUTLS_CRT_PRINT_COMPACT = 3,
841	GNUTLS_CRT_PRINT_FULL_NUMBERS = 4
842} gnutls_certificate_print_formats_t;
843
/* Historical aliases for the Weierstrass-curve key type. */
#define GNUTLS_PK_ECC GNUTLS_PK_ECDSA
#define GNUTLS_PK_EC GNUTLS_PK_ECDSA

/* Historical alias; predates X448 support, hence the X25519 binding. */
#define GNUTLS_PK_ECDHX GNUTLS_PK_ECDH_X25519
/**
 * gnutls_pk_algorithm_t:
 * @GNUTLS_PK_UNKNOWN: Unknown public-key algorithm.
 * @GNUTLS_PK_RSA: RSA public-key algorithm.
 * @GNUTLS_PK_RSA_PSS: RSA public-key algorithm, with PSS padding.
 * @GNUTLS_PK_DSA: DSA public-key algorithm.
 * @GNUTLS_PK_DH: Diffie-Hellman algorithm. Used to generate parameters.
 * @GNUTLS_PK_ECDSA: Elliptic curve algorithm. These parameters are compatible with the ECDSA and ECDH algorithm.
 * @GNUTLS_PK_ECDH_X25519: Elliptic curve algorithm, restricted to ECDH as per rfc7748
 *   (key agreement only; it cannot sign).
 * @GNUTLS_PK_EDDSA_ED25519: Edwards curve Digital signature algorithm. Used with SHA512 on signatures.
 * @GNUTLS_PK_GOST_01: GOST R 34.10-2001 algorithm per rfc5832.
 * @GNUTLS_PK_GOST_12_256: GOST R 34.10-2012 algorithm, 256-bit key per rfc7091.
 * @GNUTLS_PK_GOST_12_512: GOST R 34.10-2012 algorithm, 512-bit key per rfc7091.
 * @GNUTLS_PK_ECDH_X448: Elliptic curve algorithm, restricted to ECDH as per rfc7748
 *   (key agreement only; it cannot sign).
 * @GNUTLS_PK_EDDSA_ED448: Edwards curve Digital signature algorithm. Used with SHAKE256 on signatures.
 * @GNUTLS_PK_MAX: Highest valid value (usable as an array bound).
 *
 * Enumeration of different public-key algorithms.  Not every algorithm
 * pairs with every signature scheme; gnutls_sign_supports_pk_algorithm()
 * answers that question without hard-coding the table here.
 */
typedef enum {
	GNUTLS_PK_UNKNOWN = 0,
	GNUTLS_PK_RSA = 1,
	GNUTLS_PK_DSA = 2,
	GNUTLS_PK_DH = 3,
	GNUTLS_PK_ECDSA = 4,
	GNUTLS_PK_ECDH_X25519 = 5,
	GNUTLS_PK_RSA_PSS = 6,
	GNUTLS_PK_EDDSA_ED25519 = 7,
	GNUTLS_PK_GOST_01 = 8,
	GNUTLS_PK_GOST_12_256 = 9,
	GNUTLS_PK_GOST_12_512 = 10,
	GNUTLS_PK_ECDH_X448 = 11,
	GNUTLS_PK_EDDSA_ED448 = 12,
	GNUTLS_PK_MAX = GNUTLS_PK_EDDSA_ED448
} gnutls_pk_algorithm_t;
882
883
/* Printable name of a public-key algorithm (older spelling of
 * gnutls_pk_get_name(), declared further below). */
const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm_t algorithm);
885
886/**
887 * gnutls_sign_algorithm_t:
888 * @GNUTLS_SIGN_UNKNOWN: Unknown signature algorithm.
889 * @GNUTLS_SIGN_RSA_RAW: Digital signature algorithm RSA with DigestInfo formatted data
890 * @GNUTLS_SIGN_RSA_SHA1: Digital signature algorithm RSA with SHA-1
891 * @GNUTLS_SIGN_RSA_SHA: Same as %GNUTLS_SIGN_RSA_SHA1.
892 * @GNUTLS_SIGN_DSA_SHA1: Digital signature algorithm DSA with SHA-1
893 * @GNUTLS_SIGN_DSA_SHA224: Digital signature algorithm DSA with SHA-224
894 * @GNUTLS_SIGN_DSA_SHA256: Digital signature algorithm DSA with SHA-256
895 * @GNUTLS_SIGN_DSA_SHA384: Digital signature algorithm DSA with SHA-384
896 * @GNUTLS_SIGN_DSA_SHA512: Digital signature algorithm DSA with SHA-512
897 * @GNUTLS_SIGN_DSA_SHA: Same as %GNUTLS_SIGN_DSA_SHA1.
898 * @GNUTLS_SIGN_RSA_MD5: Digital signature algorithm RSA with MD5.
899 * @GNUTLS_SIGN_RSA_MD2: Digital signature algorithm RSA with MD2.
900 * @GNUTLS_SIGN_RSA_RMD160: Digital signature algorithm RSA with RMD-160.
901 * @GNUTLS_SIGN_RSA_SHA256: Digital signature algorithm RSA with SHA-256.
902 * @GNUTLS_SIGN_RSA_SHA384: Digital signature algorithm RSA with SHA-384.
903 * @GNUTLS_SIGN_RSA_SHA512: Digital signature algorithm RSA with SHA-512.
904 * @GNUTLS_SIGN_RSA_SHA224: Digital signature algorithm RSA with SHA-224.
905 * @GNUTLS_SIGN_ECDSA_SHA1: ECDSA with SHA1.
906 * @GNUTLS_SIGN_ECDSA_SHA224: Digital signature algorithm ECDSA with SHA-224.
907 * @GNUTLS_SIGN_ECDSA_SHA256: Digital signature algorithm ECDSA with SHA-256.
908 * @GNUTLS_SIGN_ECDSA_SHA384: Digital signature algorithm ECDSA with SHA-384.
909 * @GNUTLS_SIGN_ECDSA_SHA512: Digital signature algorithm ECDSA with SHA-512.
910 * @GNUTLS_SIGN_ECDSA_SECP256R1_SHA256: Digital signature algorithm ECDSA-SECP256R1 with SHA-256 (used in TLS 1.3 but not PKIX).
911 * @GNUTLS_SIGN_ECDSA_SECP384R1_SHA384: Digital signature algorithm ECDSA-SECP384R1 with SHA-384 (used in TLS 1.3 but not PKIX).
912 * @GNUTLS_SIGN_ECDSA_SECP521R1_SHA512: Digital signature algorithm ECDSA-SECP521R1 with SHA-512 (used in TLS 1.3 but not PKIX).
913 * @GNUTLS_SIGN_ECDSA_SHA3_224: Digital signature algorithm ECDSA with SHA3-224.
914 * @GNUTLS_SIGN_ECDSA_SHA3_256: Digital signature algorithm ECDSA with SHA3-256.
915 * @GNUTLS_SIGN_ECDSA_SHA3_384: Digital signature algorithm ECDSA with SHA3-384.
916 * @GNUTLS_SIGN_ECDSA_SHA3_512: Digital signature algorithm ECDSA with SHA3-512.
917 * @GNUTLS_SIGN_DSA_SHA3_224: Digital signature algorithm DSA with SHA3-224.
918 * @GNUTLS_SIGN_DSA_SHA3_256: Digital signature algorithm DSA with SHA3-256.
919 * @GNUTLS_SIGN_DSA_SHA3_384: Digital signature algorithm DSA with SHA3-384.
920 * @GNUTLS_SIGN_DSA_SHA3_512: Digital signature algorithm DSA with SHA3-512.
921 * @GNUTLS_SIGN_RSA_SHA3_224: Digital signature algorithm RSA with SHA3-224.
922 * @GNUTLS_SIGN_RSA_SHA3_256: Digital signature algorithm RSA with SHA3-256.
923 * @GNUTLS_SIGN_RSA_SHA3_384: Digital signature algorithm RSA with SHA3-384.
924 * @GNUTLS_SIGN_RSA_SHA3_512: Digital signature algorithm RSA with SHA3-512.
925 * @GNUTLS_SIGN_RSA_PSS_RSAE_SHA256: Digital signature algorithm RSA with SHA-256,
926 *      with PSS padding (RSA PKCS#1 1.5 certificate). This signature is identical
927 *      to #GNUTLS_SIGN_RSA_PSS_SHA256, but they are distinct as the TLS1.3 protocol
928 *      treats them differently.
929 * @GNUTLS_SIGN_RSA_PSS_RSAE_SHA384: Digital signature algorithm RSA with SHA-384,
930 *      with PSS padding (RSA PKCS#1 1.5 certificate). This signature is identical
931 *      to #GNUTLS_SIGN_RSA_PSS_SHA384, but they are distinct as the TLS1.3 protocol
932 *      treats them differently.
933 * @GNUTLS_SIGN_RSA_PSS_RSAE_SHA512: Digital signature algorithm RSA with SHA-512,
934 *      with PSS padding (RSA PKCS#1 1.5 certificate). This signature is identical
935 *      to #GNUTLS_SIGN_RSA_PSS_SHA512, but they are distinct as the TLS1.3 protocol
936 *      treats them differently.
937 * @GNUTLS_SIGN_RSA_PSS_SHA256: Digital signature algorithm RSA with SHA-256, with PSS padding (RSA-PSS certificate).
938 * @GNUTLS_SIGN_RSA_PSS_SHA384: Digital signature algorithm RSA with SHA-384, with PSS padding (RSA-PSS certificate).
939 * @GNUTLS_SIGN_RSA_PSS_SHA512: Digital signature algorithm RSA with SHA-512, with PSS padding (RSA-PSS certificate).
940 * @GNUTLS_SIGN_EDDSA_ED25519: Digital signature algorithm EdDSA with Ed25519 curve.
941 * @GNUTLS_SIGN_GOST_94: Digital signature algorithm GOST R 34.10-2001 with GOST R 34.11-94
942 * @GNUTLS_SIGN_GOST_256: Digital signature algorithm GOST R 34.10-2012 with GOST R 34.11-2012 256 bit
943 * @GNUTLS_SIGN_GOST_512: Digital signature algorithm GOST R 34.10-2012 with GOST R 34.11-2012 512 bit
944 * @GNUTLS_SIGN_EDDSA_ED448: Digital signature algorithm EdDSA with Ed448 curve.
945 *
946 * Enumeration of different digital signature algorithms.
947 */
948typedef enum {
949	GNUTLS_SIGN_UNKNOWN = 0,
950	GNUTLS_SIGN_RSA_SHA1 = 1,
951	GNUTLS_SIGN_RSA_SHA = GNUTLS_SIGN_RSA_SHA1,
952	GNUTLS_SIGN_DSA_SHA1 = 2,
953	GNUTLS_SIGN_DSA_SHA = GNUTLS_SIGN_DSA_SHA1,
954	GNUTLS_SIGN_RSA_MD5 = 3,
955	GNUTLS_SIGN_RSA_MD2 = 4,
956	GNUTLS_SIGN_RSA_RMD160 = 5,
957	GNUTLS_SIGN_RSA_SHA256 = 6,
958	GNUTLS_SIGN_RSA_SHA384 = 7,
959	GNUTLS_SIGN_RSA_SHA512 = 8,
960	GNUTLS_SIGN_RSA_SHA224 = 9,
961	GNUTLS_SIGN_DSA_SHA224 = 10,
962	GNUTLS_SIGN_DSA_SHA256 = 11,
963	GNUTLS_SIGN_ECDSA_SHA1 = 12,
964	GNUTLS_SIGN_ECDSA_SHA224 = 13,
965	GNUTLS_SIGN_ECDSA_SHA256 = 14,
966	GNUTLS_SIGN_ECDSA_SHA384 = 15,
967	GNUTLS_SIGN_ECDSA_SHA512 = 16,
968	GNUTLS_SIGN_DSA_SHA384 = 17,
969	GNUTLS_SIGN_DSA_SHA512 = 18,
970	GNUTLS_SIGN_ECDSA_SHA3_224 = 20,
971	GNUTLS_SIGN_ECDSA_SHA3_256 = 21,
972	GNUTLS_SIGN_ECDSA_SHA3_384 = 22,
973	GNUTLS_SIGN_ECDSA_SHA3_512 = 23,
974
975	GNUTLS_SIGN_DSA_SHA3_224 = 24,
976	GNUTLS_SIGN_DSA_SHA3_256 = 25,
977	GNUTLS_SIGN_DSA_SHA3_384 = 26,
978	GNUTLS_SIGN_DSA_SHA3_512 = 27,
979	GNUTLS_SIGN_RSA_SHA3_224 = 28,
980	GNUTLS_SIGN_RSA_SHA3_256 = 29,
981	GNUTLS_SIGN_RSA_SHA3_384 = 30,
982	GNUTLS_SIGN_RSA_SHA3_512 = 31,
983
984	GNUTLS_SIGN_RSA_PSS_SHA256 = 32,
985	GNUTLS_SIGN_RSA_PSS_SHA384 = 33,
986	GNUTLS_SIGN_RSA_PSS_SHA512 = 34,
987	GNUTLS_SIGN_EDDSA_ED25519 = 35,
988	GNUTLS_SIGN_RSA_RAW = 36,
989
990	GNUTLS_SIGN_ECDSA_SECP256R1_SHA256 = 37,
991	GNUTLS_SIGN_ECDSA_SECP384R1_SHA384 = 38,
992	GNUTLS_SIGN_ECDSA_SECP521R1_SHA512 = 39,
993
994	GNUTLS_SIGN_RSA_PSS_RSAE_SHA256 = 40,
995	GNUTLS_SIGN_RSA_PSS_RSAE_SHA384 = 41,
996	GNUTLS_SIGN_RSA_PSS_RSAE_SHA512 = 42,
997
998	GNUTLS_SIGN_GOST_94 = 43,
999	GNUTLS_SIGN_GOST_256 = 44,
1000	GNUTLS_SIGN_GOST_512 = 45,
1001	GNUTLS_SIGN_EDDSA_ED448 = 46,
1002	GNUTLS_SIGN_MAX = GNUTLS_SIGN_EDDSA_ED448
1003} gnutls_sign_algorithm_t;
1004
1005/**
1006 * gnutls_ecc_curve_t:
1007 * @GNUTLS_ECC_CURVE_INVALID: Cannot be known
1008 * @GNUTLS_ECC_CURVE_SECP192R1: the SECP192R1 curve
1009 * @GNUTLS_ECC_CURVE_SECP224R1: the SECP224R1 curve
1010 * @GNUTLS_ECC_CURVE_SECP256R1: the SECP256R1 curve
1011 * @GNUTLS_ECC_CURVE_SECP384R1: the SECP384R1 curve
1012 * @GNUTLS_ECC_CURVE_SECP521R1: the SECP521R1 curve
1013 * @GNUTLS_ECC_CURVE_X25519: the X25519 curve (ECDH only)
1014 * @GNUTLS_ECC_CURVE_ED25519: the Ed25519 curve
1015 * @GNUTLS_ECC_CURVE_GOST256CPA: GOST R 34.10 CryptoPro 256 A curve
1016 * @GNUTLS_ECC_CURVE_GOST256CPB: GOST R 34.10 CryptoPro 256 B curve
1017 * @GNUTLS_ECC_CURVE_GOST256CPC: GOST R 34.10 CryptoPro 256 C curve
1018 * @GNUTLS_ECC_CURVE_GOST256CPXA: GOST R 34.10 CryptoPro 256 XchA curve
1019 * @GNUTLS_ECC_CURVE_GOST256CPXB: GOST R 34.10 CryptoPro 256 XchB curve
1020 * @GNUTLS_ECC_CURVE_GOST512A: GOST R 34.10 TC26 512 A curve
1021 * @GNUTLS_ECC_CURVE_GOST512B: GOST R 34.10 TC26 512 B curve
1022 * @GNUTLS_ECC_CURVE_GOST512C: GOST R 34.10 TC26 512 C curve
1023 * @GNUTLS_ECC_CURVE_GOST256A: GOST R 34.10 TC26 256 A curve
1024 * @GNUTLS_ECC_CURVE_GOST256B: GOST R 34.10 TC26 256 B curve
1025 * @GNUTLS_ECC_CURVE_GOST256C: GOST R 34.10 TC26 256 C curve
1026 * @GNUTLS_ECC_CURVE_GOST256D: GOST R 34.10 TC26 256 D curve
1027 * @GNUTLS_ECC_CURVE_X448: the X448 curve (ECDH only)
1028 * @GNUTLS_ECC_CURVE_ED448: the Ed448 curve
1029 *
1030 * Enumeration of ECC curves.
1031 */
1032typedef enum {
1033	GNUTLS_ECC_CURVE_INVALID = 0,
1034	GNUTLS_ECC_CURVE_SECP224R1,
1035	GNUTLS_ECC_CURVE_SECP256R1,
1036	GNUTLS_ECC_CURVE_SECP384R1,
1037	GNUTLS_ECC_CURVE_SECP521R1,
1038	GNUTLS_ECC_CURVE_SECP192R1,
1039	GNUTLS_ECC_CURVE_X25519,
1040	GNUTLS_ECC_CURVE_ED25519,
1041	GNUTLS_ECC_CURVE_GOST256CPA,
1042	GNUTLS_ECC_CURVE_GOST256CPB,
1043	GNUTLS_ECC_CURVE_GOST256CPC,
1044	GNUTLS_ECC_CURVE_GOST256CPXA,
1045	GNUTLS_ECC_CURVE_GOST256CPXB,
1046	GNUTLS_ECC_CURVE_GOST512A,
1047	GNUTLS_ECC_CURVE_GOST512B,
1048	GNUTLS_ECC_CURVE_GOST512C,
1049	GNUTLS_ECC_CURVE_GOST256A,
1050	GNUTLS_ECC_CURVE_GOST256B,
1051	GNUTLS_ECC_CURVE_GOST256C,
1052	GNUTLS_ECC_CURVE_GOST256D,
1053	GNUTLS_ECC_CURVE_X448,
1054	GNUTLS_ECC_CURVE_ED448,
1055	GNUTLS_ECC_CURVE_MAX = GNUTLS_ECC_CURVE_ED448
1056} gnutls_ecc_curve_t;
1057
1058/**
1059 * gnutls_group_t:
1060 * @GNUTLS_GROUP_INVALID: Indicates unknown/invalid group
1061 * @GNUTLS_GROUP_SECP192R1: the SECP192R1 curve group (legacy, only for TLS 1.2 compatibility)
1062 * @GNUTLS_GROUP_SECP224R1: the SECP224R1 curve group (legacy, only for TLS 1.2 compatibility)
1063 * @GNUTLS_GROUP_SECP256R1: the SECP256R1 curve group
1064 * @GNUTLS_GROUP_SECP384R1: the SECP384R1 curve group
1065 * @GNUTLS_GROUP_SECP521R1: the SECP521R1 curve group
1066 * @GNUTLS_GROUP_X25519: the X25519 curve group
1067 * @GNUTLS_GROUP_GC256A: the GOST R 34.10 TC26 256 A curve group
1068 * @GNUTLS_GROUP_GC256B: the GOST R 34.10 TC26 256 B curve group
1069 * @GNUTLS_GROUP_GC256C: the GOST R 34.10 TC26 256 C curve group
1070 * @GNUTLS_GROUP_GC256D: the GOST R 34.10 TC26 256 D curve group
1071 * @GNUTLS_GROUP_GC512A: the GOST R 34.10 TC26 512 A curve group
1072 * @GNUTLS_GROUP_GC512B: the GOST R 34.10 TC26 512 B curve group
1073 * @GNUTLS_GROUP_GC512C: the GOST R 34.10 TC26 512 C curve group
1074 * @GNUTLS_GROUP_FFDHE2048: the FFDHE2048 group
1075 * @GNUTLS_GROUP_FFDHE3072: the FFDHE3072 group
1076 * @GNUTLS_GROUP_FFDHE4096: the FFDHE4096 group
1077 * @GNUTLS_GROUP_FFDHE6144: the FFDHE6144 group
1078 * @GNUTLS_GROUP_FFDHE8192: the FFDHE8192 group
1079 * @GNUTLS_GROUP_X448: the X448 curve group
1080 *
1081 * Enumeration of supported groups. It is intended to be backwards
1082 * compatible with the enumerations in %gnutls_ecc_curve_t for the groups
1083 * which are valid elliptic curves.
1084 */
1085typedef enum {
1086	GNUTLS_GROUP_INVALID = 0,
1087	GNUTLS_GROUP_SECP192R1 = GNUTLS_ECC_CURVE_SECP192R1,
1088	GNUTLS_GROUP_SECP224R1 = GNUTLS_ECC_CURVE_SECP224R1,
1089	GNUTLS_GROUP_SECP256R1 = GNUTLS_ECC_CURVE_SECP256R1,
1090	GNUTLS_GROUP_SECP384R1 = GNUTLS_ECC_CURVE_SECP384R1,
1091	GNUTLS_GROUP_SECP521R1 = GNUTLS_ECC_CURVE_SECP521R1,
1092	GNUTLS_GROUP_X25519 = GNUTLS_ECC_CURVE_X25519,
1093	GNUTLS_GROUP_X448 = GNUTLS_ECC_CURVE_X448,
1094
1095	GNUTLS_GROUP_GC256A = GNUTLS_ECC_CURVE_GOST256A,
1096	GNUTLS_GROUP_GC256B = GNUTLS_ECC_CURVE_GOST256B,
1097	GNUTLS_GROUP_GC256C = GNUTLS_ECC_CURVE_GOST256C,
1098	GNUTLS_GROUP_GC256D = GNUTLS_ECC_CURVE_GOST256D,
1099	GNUTLS_GROUP_GC512A = GNUTLS_ECC_CURVE_GOST512A,
1100	GNUTLS_GROUP_GC512B = GNUTLS_ECC_CURVE_GOST512B,
1101	GNUTLS_GROUP_GC512C = GNUTLS_ECC_CURVE_GOST512C,
1102
1103	GNUTLS_GROUP_FFDHE2048 = 256,
1104	GNUTLS_GROUP_FFDHE3072,
1105	GNUTLS_GROUP_FFDHE4096,
1106	GNUTLS_GROUP_FFDHE8192,
1107	GNUTLS_GROUP_FFDHE6144,
1108	GNUTLS_GROUP_MAX = GNUTLS_GROUP_FFDHE6144,
1109} gnutls_group_t;
1110
/* Encoding that lets gnutls_privkey_generate() and
 * gnutls_x509_privkey_generate() take a curve identifier through their
 * "bits" argument: the top bit of the unsigned value is the "this is a
 * curve" flag and the low 31 bits carry the gnutls_ecc_curve_t value.
 * GNUTLS_BITS_ARE_CURVE() yields a non-zero value (not necessarily 1) when
 * the flag is set, so compare it against zero rather than against 1. */
#define GNUTLS_CURVE_TO_BITS(curve) ((unsigned int)(0x80000000u | (unsigned int)(curve)))
#define GNUTLS_BITS_TO_CURVE(bits) ((unsigned int)(bits) & 0x7FFFFFFFu)
#define GNUTLS_BITS_ARE_CURVE(bits) ((unsigned int)(bits) & 0x80000000u)
1116
1117/**
1118 * gnutls_sec_param_t:
1119 * @GNUTLS_SEC_PARAM_UNKNOWN: Cannot be known
1120 * @GNUTLS_SEC_PARAM_INSECURE: Less than 42 bits of security
1121 * @GNUTLS_SEC_PARAM_EXPORT: 42 bits of security
1122 * @GNUTLS_SEC_PARAM_VERY_WEAK: 64 bits of security
1123 * @GNUTLS_SEC_PARAM_WEAK: 72 bits of security
1124 * @GNUTLS_SEC_PARAM_LOW: 80 bits of security
1125 * @GNUTLS_SEC_PARAM_LEGACY: 96 bits of security
1126 * @GNUTLS_SEC_PARAM_MEDIUM: 112 bits of security (used to be %GNUTLS_SEC_PARAM_NORMAL)
1127 * @GNUTLS_SEC_PARAM_HIGH: 128 bits of security
1128 * @GNUTLS_SEC_PARAM_ULTRA: 192 bits of security
1129 * @GNUTLS_SEC_PARAM_FUTURE: 256 bits of security
1130 *
1131 * Enumeration of security parameters for passive attacks.
1132 */
1133typedef enum {
1134	GNUTLS_SEC_PARAM_UNKNOWN = 0,
1135	GNUTLS_SEC_PARAM_INSECURE = 5,
1136	GNUTLS_SEC_PARAM_EXPORT = 10,
1137	GNUTLS_SEC_PARAM_VERY_WEAK = 15,
1138	GNUTLS_SEC_PARAM_WEAK = 20,
1139	GNUTLS_SEC_PARAM_LOW = 25,
1140	GNUTLS_SEC_PARAM_LEGACY = 30,
1141	GNUTLS_SEC_PARAM_MEDIUM = 35,
1142	GNUTLS_SEC_PARAM_HIGH = 40,
1143	GNUTLS_SEC_PARAM_ULTRA = 45,
1144	GNUTLS_SEC_PARAM_FUTURE = 50,
1145	GNUTLS_SEC_PARAM_MAX = GNUTLS_SEC_PARAM_FUTURE
1146} gnutls_sec_param_t;
1147
1148/* old name */
1149#define GNUTLS_SEC_PARAM_NORMAL GNUTLS_SEC_PARAM_MEDIUM
1150
1151/**
1152 * gnutls_channel_binding_t:
1153 * @GNUTLS_CB_TLS_UNIQUE: "tls-unique" (RFC 5929) channel binding
1154 *
1155 * Enumeration of support channel binding types.
1156 */
1157typedef enum {
1158	GNUTLS_CB_TLS_UNIQUE
1159} gnutls_channel_binding_t;
1160
1161/**
1162 * gnutls_gost_paramset_t:
1163 * @GNUTLS_GOST_PARAMSET_UNKNOWN: Unknown/default parameter set
1164 * @GNUTLS_GOST_PARAMSET_TC26_Z: Specified by TC26, see rfc7836
1165 * @GNUTLS_GOST_PARAMSET_CP_A: CryptoPro-A, see rfc4357
1166 * @GNUTLS_GOST_PARAMSET_CP_B: CryptoPro-B, see rfc4357
1167 * @GNUTLS_GOST_PARAMSET_CP_C: CryptoPro-C, see rfc4357
1168 * @GNUTLS_GOST_PARAMSET_CP_D: CryptoPro-D, see rfc4357
1169 *
1170 * Enumeration of different GOST 28147 parameter sets.
1171 */
1172typedef enum {
1173	GNUTLS_GOST_PARAMSET_UNKNOWN = 0,
1174	GNUTLS_GOST_PARAMSET_TC26_Z,
1175	GNUTLS_GOST_PARAMSET_CP_A,
1176	GNUTLS_GOST_PARAMSET_CP_B,
1177	GNUTLS_GOST_PARAMSET_CP_C,
1178	GNUTLS_GOST_PARAMSET_CP_D
1179} gnutls_gost_paramset_t;
1180
1181/**
1182 * gnutls_ctype_target_t:
1183 * @GNUTLS_CTYPE_CLIENT: for requesting client certificate type values.
1184 * @GNUTLS_CTYPE_SERVER: for requesting server certificate type values.
1185 * @GNUTLS_CTYPE_OURS: for requesting our certificate type values.
1186 * @GNUTLS_CTYPE_PEERS: for requesting the peers' certificate type values.
1187 *
1188 * Enumeration of certificate type targets with respect to asymmetric
1189 * certificate types as specified in RFC7250 and P2P connection set up
1190 * as specified in draft-vanrein-tls-symmetry-02.
1191 */
1192typedef enum {
1193	GNUTLS_CTYPE_CLIENT,
1194	GNUTLS_CTYPE_SERVER,
1195	GNUTLS_CTYPE_OURS,
1196	GNUTLS_CTYPE_PEERS
1197} gnutls_ctype_target_t;
1198
/* Opaque application handle passed through to the transport (push/pull)
 * callbacks; the library never dereferences it.  If you want to change
 * this, then also change the define in gnutls_int.h, and recompile.
 */
typedef void *gnutls_transport_ptr_t;

/* Opaque handle types.  The structs are declared but never defined in the
 * public headers, so applications can only pass the pointers around; the
 * layout is free to change between library versions. */
struct gnutls_session_int;
typedef struct gnutls_session_int *gnutls_session_t;

struct gnutls_dh_params_int;
typedef struct gnutls_dh_params_int *gnutls_dh_params_t;

  /* XXX ugly: the "RSA params" handle is really an X.509 private-key
   * object.  Presumably a leftover of RSA-export key exchange, where the
   * temporary parameters were an RSA key pair -- confirm before relying
   * on the type being interchangeable. */
struct gnutls_x509_privkey_int;
typedef struct gnutls_x509_privkey_int *gnutls_rsa_params_t;

struct gnutls_priority_st;
typedef struct gnutls_priority_st *gnutls_priority_t;
1216
/* Generic (pointer, length) pair used throughout the API for binary
 * blobs.  Ownership of @data is call-specific and must be taken from each
 * function's documentation.  Note that @size is an unsigned int, not a
 * size_t: when filling one of these from a size_t length, check that the
 * value fits (a silent truncation would describe the wrong buffer
 * extent). */
typedef struct {
	unsigned char *data;
	unsigned int size;
} gnutls_datum_t;
1221
1222
/* Result record filled in by a gnutls_params_function callback: @type
 * says which union member is valid.  @deinit is a flag; presumably a
 * non-zero value tells the library to free the supplied parameters once
 * it is done with them, while zero leaves ownership with the callback --
 * confirm against the implementation before setting it. */
typedef struct gnutls_params_st {
	gnutls_params_type_t type;
	union params {
		gnutls_dh_params_t dh;
		gnutls_rsa_params_t rsa_export;	/* legacy RSA-export parameters */
	} params;
	int deinit;
} gnutls_params_st;
1231
/* Callback type that supplies temporary key-exchange parameters for a
 * session on demand.  Presumably returns 0 and fills the gnutls_params_st
 * on success, or a negative error code -- confirm against the registering
 * function's documentation. */
typedef int gnutls_params_function(gnutls_session_t, gnutls_params_type_t,
				   gnutls_params_st *);
1234
/* Session lifecycle.  (The former "internal functions" label here was
 * misleading; these are the core public entry points.) */

/* Allocates a new session into *@session; @flags are the GNUTLS_* init
 * flags defined earlier in this header.  Returns 0 on success or a
 * negative error code. */
int gnutls_init(gnutls_session_t * session, unsigned int flags);
/* Frees a session.  Presumably this does NOT notify the peer; use
 * gnutls_bye() first for an orderly close. */
void gnutls_deinit(gnutls_session_t session);
/* Legacy alias kept for source compatibility. */
#define _gnutls_deinit(x) gnutls_deinit(x)

/* Sends the close notification; @how selects a half or full close (see
 * gnutls_close_request_t). */
int gnutls_bye(gnutls_session_t session, gnutls_close_request_t how);

/* Performs (or continues, on non-blocking transports) the handshake.
 * NOTE(review): whether peer-certificate verification is part of the
 * handshake depends on how the session was configured elsewhere; do not
 * assume a successful return means the peer was authenticated. */
int gnutls_handshake(gnutls_session_t session);

/* Post-handshake re-authentication; @flags are reserved option bits. */
int gnutls_reauth(gnutls_session_t session, unsigned int flags);
1246
/* Sentinel values for gnutls_handshake_set_timeout(); both are distinct
 * from any real millisecond count. */
#define GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT ((unsigned int)-1)
#define GNUTLS_INDEFINITE_TIMEOUT ((unsigned int)-2)
/* Bounds the time a handshake may take (@ms milliseconds, or one of the
 * sentinels above).  An indefinite timeout lets a slow or hostile peer
 * pin resources for as long as it likes; servers should prefer a finite
 * value. */
void gnutls_handshake_set_timeout(gnutls_session_t session,
				  unsigned int ms);
/* Requests a renegotiation on an established session (TLS 1.2 and
 * earlier; TLS 1.3 replaced renegotiation with key update and
 * re-authentication). */
int gnutls_rehandshake(gnutls_session_t session);

/* Flag for gnutls_session_key_update(): also ask the peer to update. */
#define GNUTLS_KU_PEER 1
int gnutls_session_key_update(gnutls_session_t session, unsigned flags);
1255
/* Alert handling.  gnutls_alert_get() reports the last alert received
 * (meaningful after a call failed with an alert-related error);
 * gnutls_alert_send_appropriate() maps a gnutls error code @err to the
 * matching alert and sends it -- when handling peer-triggered failures,
 * prefer it over picking alert descriptions by hand so that the peer does
 * not learn more about the failure than the protocol intends. */
gnutls_alert_description_t gnutls_alert_get(gnutls_session_t session);
int gnutls_alert_send(gnutls_session_t session,
		      gnutls_alert_level_t level,
		      gnutls_alert_description_t desc);
int gnutls_alert_send_appropriate(gnutls_session_t session, int err);
/* Human-readable and symbolic names for an alert description. */
const char *gnutls_alert_get_name(gnutls_alert_description_t alert);
const char *gnutls_alert_get_strname(gnutls_alert_description_t alert);
1263
/* Conversions between concrete key sizes and gnutls_sec_param_t levels.
 * The mapping depends on the algorithm (@algo): e.g. an RSA modulus and an
 * EC curve of the same bit length do not offer the same security. */
gnutls_sec_param_t gnutls_pk_bits_to_sec_param(gnutls_pk_algorithm_t algo,
					       unsigned int bits);
const char *gnutls_sec_param_get_name(gnutls_sec_param_t param);
unsigned int gnutls_sec_param_to_pk_bits(gnutls_pk_algorithm_t algo,
					 gnutls_sec_param_t param);
/* Symmetric-key size (in bits) considered equivalent to @param. */
unsigned int
	gnutls_sec_param_to_symmetric_bits(gnutls_sec_param_t param) __GNUTLS_CONST__;
1271
/* Elliptic curves and key-exchange groups.  The __GNUTLS_CONST__ marker
 * (defined earlier in this header; presumably the compiler's "const"
 * attribute) tags the pure table lookups. */
const char *
	gnutls_ecc_curve_get_name(gnutls_ecc_curve_t curve) __GNUTLS_CONST__;
const char *
	gnutls_ecc_curve_get_oid(gnutls_ecc_curve_t curve) __GNUTLS_CONST__;

const char *
	gnutls_group_get_name(gnutls_group_t group) __GNUTLS_CONST__;

/* Size of the curve in bytes (returns int so that an error/unknown curve
 * can be signalled as a negative value). */
int
	gnutls_ecc_curve_get_size(gnutls_ecc_curve_t curve) __GNUTLS_CONST__;
/* Curve / group negotiated for @session (only meaningful once the
 * handshake has progressed far enough to have chosen one). */
gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);

gnutls_group_t gnutls_group_get(gnutls_session_t session);
1286
/* Get information on the current session's negotiated parameters.  These
 * report what was agreed, not what was offered; call them after the
 * handshake if a policy decision (e.g. refusing a weak cipher) depends on
 * the outcome. */
gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session);
gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session);
gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session);
gnutls_digest_algorithm_t gnutls_prf_hash_get(const gnutls_session_t session);
/* Certificate type of the session; the _get2 variant lets the caller pick
 * which side (see gnutls_ctype_target_t), since RFC 7250 allows the two
 * sides to differ. */
gnutls_certificate_type_t
gnutls_certificate_type_get(gnutls_session_t session);
gnutls_certificate_type_t
gnutls_certificate_type_get2(gnutls_session_t session,
								gnutls_ctype_target_t target);

/* Signature algorithm used by the server / client in the handshake; int
 * return so that an error or "none" can be reported as a negative value
 * (cast to gnutls_sign_algorithm_t only after checking). */
int gnutls_sign_algorithm_get(gnutls_session_t session);
int gnutls_sign_algorithm_get_client(gnutls_session_t session);

/* The @indx-th signature algorithm the peer advertised, stored in *@algo;
 * presumably returns a non-zero error once @indx runs past the list. */
int gnutls_sign_algorithm_get_requested(gnutls_session_t session,
					size_t indx,
					gnutls_sign_algorithm_t * algo);
1304
/* The names (and, where applicable, OIDs) of the specified algorithms.
 * NOTE(review): presumably NULL is returned for values outside the
 * respective enum -- check before printing. */
const char *
	gnutls_cipher_get_name(gnutls_cipher_algorithm_t algorithm) __GNUTLS_CONST__;
const char *
	gnutls_mac_get_name(gnutls_mac_algorithm_t algorithm) __GNUTLS_CONST__;

const char *
	gnutls_digest_get_name(gnutls_digest_algorithm_t algorithm) __GNUTLS_CONST__;
const char *
	gnutls_digest_get_oid(gnutls_digest_algorithm_t algorithm) __GNUTLS_CONST__;

const char *
	gnutls_kx_get_name(gnutls_kx_algorithm_t algorithm) __GNUTLS_CONST__;
const char *
	gnutls_certificate_type_get_name(gnutls_certificate_type_t
					     type) __GNUTLS_CONST__;
const char *
	gnutls_pk_get_name(gnutls_pk_algorithm_t algorithm) __GNUTLS_CONST__;
const char *
	gnutls_pk_get_oid(gnutls_pk_algorithm_t algorithm) __GNUTLS_CONST__;

const char *
	gnutls_sign_get_name(gnutls_sign_algorithm_t algorithm) __GNUTLS_CONST__;

const char *
	gnutls_sign_get_oid(gnutls_sign_algorithm_t sign) __GNUTLS_CONST__;

const char *
	gnutls_gost_paramset_get_name(gnutls_gost_paramset_t param) __GNUTLS_CONST__;
const char *
	gnutls_gost_paramset_get_oid(gnutls_gost_paramset_t param) __GNUTLS_CONST__;

/* Key sizes in bytes. */
size_t
	gnutls_cipher_get_key_size(gnutls_cipher_algorithm_t algorithm) __GNUTLS_CONST__;
size_t
	gnutls_mac_get_key_size(gnutls_mac_algorithm_t algorithm) __GNUTLS_CONST__;

/* Non-zero if @algorithm is considered secure for signing short-lived data
 * (such as handshake messages).  Equivalent to gnutls_sign_is_secure2()
 * with no flags. */
unsigned gnutls_sign_is_secure(gnutls_sign_algorithm_t algorithm) __GNUTLS_CONST__;

/* It is possible that a signature algorithm is ok to use for short-lived
 * data (e.g., to sign a TLS session), but not for data that are long-lived
 * like certificates. This flag is about checking the security of the algorithm
 * for long-lived data.  Code that validates certificates or CRLs should pass
 * it; the unflagged check answers a weaker question. */
#define GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS 1
unsigned gnutls_sign_is_secure2(gnutls_sign_algorithm_t algorithm, unsigned int flags) __GNUTLS_CONST__;

/* Decomposition of a signature algorithm into its hash and public-key
 * components, and the reverse (gnutls_pk_to_sign()). */
gnutls_digest_algorithm_t
	gnutls_sign_get_hash_algorithm(gnutls_sign_algorithm_t sign) __GNUTLS_CONST__;
gnutls_pk_algorithm_t
	gnutls_sign_get_pk_algorithm(gnutls_sign_algorithm_t sign) __GNUTLS_CONST__;
gnutls_sign_algorithm_t
	gnutls_pk_to_sign(gnutls_pk_algorithm_t pk,
		  gnutls_digest_algorithm_t hash) __GNUTLS_CONST__;

/* Non-zero if a key of type @pk can produce/verify signatures of type
 * @sign (e.g. RSA-PSS signatures are accepted from plain RSA keys, X25519
 * keys sign nothing). */
unsigned
gnutls_sign_supports_pk_algorithm(gnutls_sign_algorithm_t sign, gnutls_pk_algorithm_t pk) __GNUTLS_CONST__;

/* Older name kept for source compatibility. */
#define gnutls_sign_algorithm_get_name gnutls_sign_get_name
1362
/* Reverse lookups: textual name -> enum value.  The corresponding
 * *_UNKNOWN / *_INVALID member (0 in every enum above) is the natural
 * "not found" result; callers feeding configuration strings through these
 * must check for it rather than passing the result on blindly.  Note that
 * gnutls_group_get_id() lacks the __GNUTLS_CONST__ marker the others
 * carry -- presumably an oversight rather than a semantic difference. */
gnutls_mac_algorithm_t gnutls_mac_get_id(const char *name) __GNUTLS_CONST__;
gnutls_digest_algorithm_t gnutls_digest_get_id(const char *name) __GNUTLS_CONST__;

gnutls_cipher_algorithm_t
	gnutls_cipher_get_id(const char *name) __GNUTLS_CONST__;

gnutls_kx_algorithm_t
	gnutls_kx_get_id(const char *name) __GNUTLS_CONST__;
gnutls_protocol_t
	gnutls_protocol_get_id(const char *name) __GNUTLS_CONST__;
gnutls_certificate_type_t
	gnutls_certificate_type_get_id(const char *name) __GNUTLS_CONST__;
gnutls_pk_algorithm_t
	gnutls_pk_get_id(const char *name) __GNUTLS_CONST__;
gnutls_sign_algorithm_t
	gnutls_sign_get_id(const char *name) __GNUTLS_CONST__;
gnutls_ecc_curve_t gnutls_ecc_curve_get_id(const char *name)  __GNUTLS_CONST__;
/* Public-key algorithm a curve is used with (e.g. ECDSA vs. ECDH-only). */
gnutls_pk_algorithm_t gnutls_ecc_curve_get_pk(gnutls_ecc_curve_t curve) __GNUTLS_CONST__;
gnutls_group_t gnutls_group_get_id(const char *name);

/* Reverse lookups from dotted-decimal OID strings, as found in X.509
 * structures.  The OID comes from untrusted input in that setting, so the
 * "unknown" result is an expected outcome, not an error condition. */
gnutls_digest_algorithm_t
	gnutls_oid_to_digest(const char *oid)  __GNUTLS_CONST__;
gnutls_mac_algorithm_t
	gnutls_oid_to_mac(const char *oid)  __GNUTLS_CONST__;
gnutls_pk_algorithm_t
	gnutls_oid_to_pk(const char *oid) __GNUTLS_CONST__;
gnutls_sign_algorithm_t
	gnutls_oid_to_sign(const char *oid) __GNUTLS_CONST__;
gnutls_ecc_curve_t
	gnutls_oid_to_ecc_curve(const char *oid) __GNUTLS_CONST__;
gnutls_gost_paramset_t
	gnutls_oid_to_gost_paramset(const char *oid) __GNUTLS_CONST__;
1395
  /* List supported algorithms.  Each returns a pointer to a static array
   * that must not be modified or freed; presumably the arrays are
   * terminated by the respective 0-valued *_UNKNOWN / *_INVALID member --
   * confirm before iterating.  "Supported" means compiled in, not
   * recommended: the lists include legacy algorithms. */
const gnutls_ecc_curve_t *
	gnutls_ecc_curve_list(void)  __GNUTLS_PURE__;
const gnutls_group_t *
	gnutls_group_list(void)  __GNUTLS_PURE__;
const gnutls_cipher_algorithm_t *
	gnutls_cipher_list(void) __GNUTLS_PURE__;
const gnutls_mac_algorithm_t *
	gnutls_mac_list(void) __GNUTLS_PURE__;
const gnutls_digest_algorithm_t *
	gnutls_digest_list(void) __GNUTLS_PURE__;
const gnutls_protocol_t *
	gnutls_protocol_list(void) __GNUTLS_PURE__;
const gnutls_certificate_type_t *
	gnutls_certificate_type_list(void) __GNUTLS_PURE__;
const gnutls_kx_algorithm_t *
	gnutls_kx_list(void) __GNUTLS_PURE__;
const gnutls_pk_algorithm_t *
	gnutls_pk_list(void) __GNUTLS_PURE__;
const gnutls_sign_algorithm_t *
	gnutls_sign_list(void) __GNUTLS_PURE__;
/* Enumerates the built-in ciphersuite table by index @idx, returning the
 * suite's name (presumably NULL once @idx is out of range, which ends the
 * iteration).  @cs_id receives the two-byte suite identifier, so it must
 * point to at least 2 bytes; the remaining out-parameters may be NULL if
 * the caller is not interested in them -- confirm against the
 * implementation. */
const char *
	gnutls_cipher_suite_info(size_t idx,
			         unsigned char *cs_id,
				 gnutls_kx_algorithm_t * kx,
				 gnutls_cipher_algorithm_t * cipher,
				 gnutls_mac_algorithm_t * mac,
				 gnutls_protocol_t * min_version);
1424
1425  /* error functions */
/* Non-zero when @error means the session can no longer be used. */
int gnutls_error_is_fatal(int error) __GNUTLS_CONST__;
/* Translates an error code to the TLS alert that would describe it;
 * the alert level is written through @level (presumably fatal vs.
 * warning -- confirm with the manual). */
int gnutls_error_to_alert(int err, int *level);

/* Human-readable rendering of an error code; gnutls_perror() prints
 * it, gnutls_strerror() returns the message and
 * gnutls_strerror_name() the symbolic constant name. */
void gnutls_perror(int error);
const char * gnutls_strerror(int error) __GNUTLS_CONST__;
const char * gnutls_strerror_name(int error) __GNUTLS_CONST__;
1432
1433/* Semi-internal functions.
1434 */
/* Enables (non-zero @allow) or disables private/experimental
 * extension codes in the handshake. */
void gnutls_handshake_set_private_extensions(gnutls_session_t session,
					     int allow);
/* Overrides the handshake random for this session with caller-supplied
 * bytes. NOTE(review): this replaces the library's own randomness for
 * that value; it looks intended for testing/reproducibility -- confirm
 * it is never used with predictable input in production code. */
int gnutls_handshake_set_random(gnutls_session_t session,
				const gnutls_datum_t * random);

/* The type of the most recent handshake message sent / received. */
gnutls_handshake_description_t
gnutls_handshake_get_last_out(gnutls_session_t session);
gnutls_handshake_description_t
gnutls_handshake_get_last_in(gnutls_session_t session);
1444
1445/* Record layer functions.
1446 */
/* Flag for gnutls_heartbeat_ping(): block until the pong arrives
 * (presumably -- the name suggests it; confirm with the manual). */
#define GNUTLS_HEARTBEAT_WAIT 1
/* Sends a heartbeat request carrying @data_size bytes of payload and
 * retries up to @max_tries times. */
int gnutls_heartbeat_ping(gnutls_session_t session, size_t data_size,
			  unsigned int max_tries, unsigned int flags);
int gnutls_heartbeat_pong(gnutls_session_t session, unsigned int flags);

/* Record-layer receive timeout in milliseconds (@ms). */
void gnutls_record_set_timeout(gnutls_session_t session, unsigned int ms);
void gnutls_record_disable_padding(gnutls_session_t session);

/* Corking queues outgoing records; uncork flushes them. */
void gnutls_record_cork(gnutls_session_t session);
/* Flag for gnutls_record_uncork(): wait until everything is flushed
 * (presumably, by analogy with GNUTLS_HEARTBEAT_WAIT -- confirm). */
#define GNUTLS_RECORD_WAIT 1
int gnutls_record_uncork(gnutls_session_t session, unsigned int flags);
size_t gnutls_record_discard_queued(gnutls_session_t session);

/* Exports the live record-protection state for one direction
 * (@read non-zero presumably selects the receive direction -- confirm).
 * mac_key / IV / cipher_key are, by name, the keys currently protecting
 * traffic: treat them as secrets and wipe them once no longer needed.
 * Whether the datum buffers are allocated by the library (and must be
 * freed) is not visible here -- check the manual.
 * seq_number is a fixed 8-byte array; the callee cannot learn a
 * smaller size, so always pass at least 8 bytes. */
int
gnutls_record_get_state(gnutls_session_t session,
			unsigned read,
			gnutls_datum_t *mac_key,
			gnutls_datum_t *IV,
			gnutls_datum_t *cipher_key,
			unsigned char seq_number[8]);

/* Counterpart of gnutls_record_get_state(): only the 8-byte sequence
 * number can be replaced; the keys are not settable through this API. */
int
gnutls_record_set_state(gnutls_session_t session,
			unsigned read,
			const unsigned char seq_number[8]);
1472
/* A range of plaintext sizes used for length hiding
 * (see gnutls_record_send_range() and gnutls_range_split()).
 * Whether @high is inclusive is not visible here -- confirm. */
typedef struct {
	size_t low;	/* smallest length in the range */
	size_t high;	/* largest length in the range */
} gnutls_range_st;
1477
/* Splits @orig into a part that fits in one record (@small_range)
 * and the remainder (@rem_range). */
int gnutls_range_split(gnutls_session_t session,
		       const gnutls_range_st * orig,
		       gnutls_range_st * small_range,
		       gnutls_range_st * rem_range);

/* Application data send/receive. The ssize_t return is the number of
 * bytes transferred; by library convention a negative value is an error
 * code (see gnutls_error_is_fatal()). A short count is possible and
 * must be handled by the caller. */
ssize_t gnutls_record_send(gnutls_session_t session, const void *data,
			   size_t data_size);
/* As gnutls_record_send() with explicit padding (@pad bytes) and flags. */
ssize_t gnutls_record_send2(gnutls_session_t session, const void *data,
			    size_t data_size, size_t pad, unsigned flags);
/* Sends with length hiding: the record length is chosen within @range. */
ssize_t gnutls_record_send_range(gnutls_session_t session,
				 const void *data, size_t data_size,
				 const gnutls_range_st * range);
ssize_t gnutls_record_recv(gnutls_session_t session, void *data,
			   size_t data_size);
1492
/* Opaque handle to a received record; its layout is not exposed. */
typedef struct mbuffer_st *gnutls_packet_t;

/* Zero-copy receive: returns a packet handle instead of copying into a
 * caller buffer. The handle is presumably released with
 * gnutls_packet_deinit() -- confirm ownership in the manual. */
ssize_t
gnutls_record_recv_packet(gnutls_session_t session,
			  gnutls_packet_t *packet);

/* Exposes the packet's payload and its record sequence number.
 * NOTE(review): @sequence has no length parameter; presumably 8 bytes
 * as with seq_number[8] in gnutls_record_get_state() -- confirm. */
void gnutls_packet_get(gnutls_packet_t packet, gnutls_datum_t *data, unsigned char *sequence);
void gnutls_packet_deinit(gnutls_packet_t packet);

/* Legacy aliases for the send/receive entry points. */
#define gnutls_read gnutls_record_recv
#define gnutls_write gnutls_record_send
/* Like gnutls_record_recv() but also returns the record sequence number
 * through @seq (length not visible here; see note above). */
ssize_t gnutls_record_recv_seq(gnutls_session_t session, void *data,
			       size_t data_size, unsigned char *seq);

/* Per-record framing overhead (header, MAC, padding) for this session. */
size_t gnutls_record_overhead_size(gnutls_session_t session);
1508
/* Estimates the record overhead for a given protocol/cipher/MAC/
 * compression combination without needing a session. */
size_t
	gnutls_est_record_overhead_size(gnutls_protocol_t version,
				        gnutls_cipher_algorithm_t cipher,
				        gnutls_mac_algorithm_t mac,
				        gnutls_compression_method_t comp,
				        unsigned int flags) __GNUTLS_CONST__;

void gnutls_session_enable_compatibility_mode(gnutls_session_t session);
/* Compatibility no-op: the macro expands to nothing, so existing callers
 * still compile but the call has no effect. */
#define gnutls_record_set_max_empty_records(session, x)

/* Non-zero when the negotiated cipher allows length hiding. */
unsigned gnutls_record_can_use_length_hiding(gnutls_session_t session);

/* Direction of the last interrupted operation (for non-blocking I/O). */
int gnutls_record_get_direction(gnutls_session_t session);

/* Maximum record (plaintext) size; the setters return an ssize_t so a
 * negative value can signal rejection of @size. */
size_t gnutls_record_get_max_size(gnutls_session_t session);
ssize_t gnutls_record_set_max_size(gnutls_session_t session, size_t size);
ssize_t gnutls_record_set_max_recv_size(gnutls_session_t session, size_t size);

/* Bytes already buffered for reading / queued while corked. */
size_t gnutls_record_check_pending(gnutls_session_t session);
size_t gnutls_record_check_corked(gnutls_session_t session);

/* TLS 1.3 early data (0-RTT; see GNUTLS_SFLAGS_EARLY_DATA below).
 * Early data is, by protocol design, not protected against replay: only
 * send data whose replay is harmless, and treat data received this way
 * accordingly. Whether the library applies any anti-replay measure is
 * not visible here -- check the manual. */
size_t gnutls_record_get_max_early_data_size(gnutls_session_t session);
int gnutls_record_set_max_early_data_size(gnutls_session_t session, size_t size);
ssize_t gnutls_record_send_early_data(gnutls_session_t session,
				      const void *data,
				      size_t length);
ssize_t gnutls_record_recv_early_data(gnutls_session_t session,
				      void *data,
				      size_t data_size);
1538
/* NOTE(review): by its name this marks the session as valid regardless
 * of handshake state; the exact semantics are not visible here. Treat it
 * as a test/special-purpose hook and confirm with the manual before use. */
void gnutls_session_force_valid(gnutls_session_t session);

/* Keying-material exporters. Each derives @outsize bytes into @out from
 * the session's secrets using a label (and optional context/extra/seed
 * bytes). The output is key material: keep it secret and wipe it.
 * gnutls_prf_rfc5705() is, by name, the RFC 5705 exporter and
 * gnutls_prf_early() the early-data variant -- confirm in the manual. */
int gnutls_prf(gnutls_session_t session,
	       size_t label_size, const char *label,
	       int server_random_first,
	       size_t extra_size, const char *extra,
	       size_t outsize, char *out);
int gnutls_prf_rfc5705(gnutls_session_t session,
	       size_t label_size, const char *label,
	       size_t context_size, const char *context,
	       size_t outsize, char *out);
int gnutls_prf_early(gnutls_session_t session,
		     size_t label_size, const char *label,
		     size_t context_size, const char *context,
		     size_t outsize, char *out);

/* Raw PRF over a caller-supplied seed; lower level than the exporters
 * above, so the caller is responsible for domain separation. */
int gnutls_prf_raw(gnutls_session_t session,
		   size_t label_size, const char *label,
		   size_t seed_size, const char *seed,
		   size_t outsize, char *out);
1559
1560/**
1561 * gnutls_server_name_type_t:
1562 * @GNUTLS_NAME_DNS: Domain Name System name type.
1563 *
1564 * Enumeration of different server name types.
1565 */
1566typedef enum {
1567	GNUTLS_NAME_DNS = 1
1568} gnutls_server_name_type_t;
1569
1570int gnutls_server_name_set(gnutls_session_t session,
1571			   gnutls_server_name_type_t type,
1572			   const void *name, size_t name_length);
1573
1574int gnutls_server_name_get(gnutls_session_t session,
1575			   void *data, size_t * data_length,
1576			   unsigned int *type, unsigned int indx);
1577
/* Heartbeat retransmission timers. The unit is not visible here
 * (probably milliseconds, as for gnutls_record_set_timeout()) -- confirm. */
unsigned int gnutls_heartbeat_get_timeout(gnutls_session_t session);
void gnutls_heartbeat_set_timeouts(gnutls_session_t session,
				   unsigned int retrans_timeout,
				   unsigned int total_timeout);

/* Values for the @type argument of gnutls_heartbeat_enable(): whether
 * the peer is permitted to send heartbeat requests to us. */
#define GNUTLS_HB_PEER_ALLOWED_TO_SEND (1)
#define GNUTLS_HB_PEER_NOT_ALLOWED_TO_SEND (1<<1)

  /* Heartbeat */
void gnutls_heartbeat_enable(gnutls_session_t session, unsigned int type);

/* Value for gnutls_heartbeat_allowed(): query whether the local side may
 * send heartbeats (its placement next to that function suggests so). */
#define GNUTLS_HB_LOCAL_ALLOWED_TO_SEND (1<<2)
unsigned gnutls_heartbeat_allowed(gnutls_session_t session, unsigned int type);

  /* Safe renegotiation */
/* Non-zero when the corresponding extension was negotiated: safe
 * renegotiation (RFC 5746), extended master secret (RFC 7627) and
 * encrypt-then-MAC (RFC 7366); see gnutls_session_flags_t below. */
unsigned gnutls_safe_renegotiation_status(gnutls_session_t session);
unsigned gnutls_session_ext_master_secret_status(gnutls_session_t session);
unsigned gnutls_session_etm_status(gnutls_session_t session);
1596
1597/**
1598 * gnutls_session_flags_t:
1599 * @GNUTLS_SFLAGS_SAFE_RENEGOTIATION: Safe renegotiation (RFC5746) was used
1600 * @GNUTLS_SFLAGS_EXT_MASTER_SECRET: The extended master secret (RFC7627) extension was used
1601 * @GNUTLS_SFLAGS_ETM: The encrypt then MAC (RFC7366) extension was used
1602 * @GNUTLS_SFLAGS_RFC7919: The RFC7919 Diffie-Hellman parameters were negotiated
1603 * @GNUTLS_SFLAGS_HB_LOCAL_SEND: The heartbeat negotiation allows the local side to send heartbeat messages
1604 * @GNUTLS_SFLAGS_HB_PEER_SEND: The heartbeat negotiation allows the peer to send heartbeat messages
1605 * @GNUTLS_SFLAGS_FALSE_START: False start was used in this client session.
1606 * @GNUTLS_SFLAGS_SESSION_TICKET: A session ticket has been received by the server.
1607 * @GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH: Indicates client capability for post-handshake auth; set only on server side.
1608 * @GNUTLS_SFLAGS_EARLY_START: The TLS1.3 server session returned early.
1609 * @GNUTLS_SFLAGS_EARLY_DATA: The TLS1.3 early data has been received by the server.
1610 * @GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Set when the client has requested OCSP staple during handshake.
1611 * @GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Set when the server has requested OCSP staple during handshake.
1612 *
1613 * Enumeration of different session parameters.
1614 */
1615typedef enum {
1616	GNUTLS_SFLAGS_SAFE_RENEGOTIATION = 1,
1617	GNUTLS_SFLAGS_EXT_MASTER_SECRET = 1<<1,
1618	GNUTLS_SFLAGS_ETM = 1<<2,
1619	GNUTLS_SFLAGS_HB_LOCAL_SEND = 1<<3,
1620	GNUTLS_SFLAGS_HB_PEER_SEND = 1<<4,
1621	GNUTLS_SFLAGS_FALSE_START = 1<<5,
1622	GNUTLS_SFLAGS_RFC7919 = 1<<6,
1623	GNUTLS_SFLAGS_SESSION_TICKET = 1<<7,
1624	GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH = 1<<8,
1625	GNUTLS_SFLAGS_EARLY_START = 1<<9,
1626	GNUTLS_SFLAGS_EARLY_DATA = 1<<10,
1627	GNUTLS_SFLAGS_CLI_REQUESTED_OCSP = 1<<11,
1628	GNUTLS_SFLAGS_SERV_REQUESTED_OCSP = 1<<12
1629} gnutls_session_flags_t;
1630
1631unsigned gnutls_session_get_flags(gnutls_session_t session);
1632
1633/**
1634 * gnutls_supplemental_data_format_type_t:
1635 * @GNUTLS_SUPPLEMENTAL_UNKNOWN: Unknown data format
1636 *
1637 * Enumeration of different supplemental data types (RFC 4680).
1638 */
1639typedef enum {
1640	GNUTLS_SUPPLEMENTAL_UNKNOWN = 0,
1641} gnutls_supplemental_data_format_type_t;
1642
1643const char
1644*gnutls_supplemental_get_name(gnutls_supplemental_data_format_type_t type);
1645
1646  /* SessionTicket, RFC 5077. */
1647int gnutls_session_ticket_key_generate(gnutls_datum_t * key);
1648int gnutls_session_ticket_enable_client(gnutls_session_t session);
1649int gnutls_session_ticket_enable_server(gnutls_session_t session,
1650					const gnutls_datum_t * key);
1651
1652int gnutls_session_ticket_send(gnutls_session_t session, unsigned nr, unsigned flags);
1653
1654  /* SRTP, RFC 5764 */
1655
1656/**
1657 * gnutls_srtp_profile_t:
1658 * @GNUTLS_SRTP_AES128_CM_HMAC_SHA1_80: 128 bit AES with a 80 bit HMAC-SHA1
1659 * @GNUTLS_SRTP_AES128_CM_HMAC_SHA1_32: 128 bit AES with a 32 bit HMAC-SHA1
1660 * @GNUTLS_SRTP_NULL_HMAC_SHA1_80: NULL cipher with a 80 bit HMAC-SHA1
1661 * @GNUTLS_SRTP_NULL_HMAC_SHA1_32: NULL cipher with a 32 bit HMAC-SHA1
1662 *
1663 * Enumeration of different SRTP protection profiles.
1664 */
1665typedef enum {
1666	GNUTLS_SRTP_AES128_CM_HMAC_SHA1_80 = 0x0001,
1667	GNUTLS_SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002,
1668	GNUTLS_SRTP_NULL_HMAC_SHA1_80 = 0x0005,
1669	GNUTLS_SRTP_NULL_HMAC_SHA1_32 = 0x0006
1670} gnutls_srtp_profile_t;
1671
1672int gnutls_srtp_set_profile(gnutls_session_t session,
1673			    gnutls_srtp_profile_t profile);
1674int gnutls_srtp_set_profile_direct(gnutls_session_t session,
1675				   const char *profiles,
1676				   const char **err_pos);
1677int gnutls_srtp_get_selected_profile(gnutls_session_t session,
1678				     gnutls_srtp_profile_t * profile);
1679
1680const char *gnutls_srtp_get_profile_name(gnutls_srtp_profile_t profile);
1681int gnutls_srtp_get_profile_id(const char *name,
1682			       gnutls_srtp_profile_t * profile);
1683int gnutls_srtp_get_keys(gnutls_session_t session,
1684			 void *key_material,
1685			 unsigned int key_material_size,
1686			 gnutls_datum_t * client_key,
1687			 gnutls_datum_t * client_salt,
1688			 gnutls_datum_t * server_key,
1689			 gnutls_datum_t * server_salt);
1690
1691int gnutls_srtp_set_mki(gnutls_session_t session,
1692			const gnutls_datum_t * mki);
1693int gnutls_srtp_get_mki(gnutls_session_t session, gnutls_datum_t * mki);
1694
1695/* ALPN TLS extension */
1696
1697/**
1698 * gnutls_alpn_flags_t:
1699 * @GNUTLS_ALPN_MANDATORY: Require ALPN negotiation. The connection will be
1700 *   aborted if no matching ALPN protocol is found.
1701 * @GNUTLS_ALPN_SERVER_PRECEDENCE: The choices set by the server
1702 *   will take precedence over the client's.
1703 *
1704 * Enumeration of different ALPN flags. These are used by gnutls_alpn_set_protocols().
1705 */
1706typedef enum {
1707	GNUTLS_ALPN_MANDATORY = 1,
1708	GNUTLS_ALPN_SERVER_PRECEDENCE = (1<<1)
1709} gnutls_alpn_flags_t;
1710
1711#define GNUTLS_ALPN_MAND GNUTLS_ALPN_MANDATORY
1712int gnutls_alpn_get_selected_protocol(gnutls_session_t session,
1713				      gnutls_datum_t * protocol);
1714int gnutls_alpn_set_protocols(gnutls_session_t session,
1715			      const gnutls_datum_t * protocols,
1716			      unsigned protocols_size, unsigned flags);
1717
1718int gnutls_key_generate(gnutls_datum_t * key, unsigned int key_size);
1719
1720
/* Priority strings are security configuration: they select protocol
 * versions, ciphers and key exchanges. Treat any string that does not
 * come from the application itself (e.g. a config file) as sensitive
 * input, and always check the return value -- a rejected string leaves
 * no usable priority cache. */

/* Flag for gnutls_priority_init2(): append to the default priority
 * instead of replacing it (by name -- confirm). */
#define GNUTLS_PRIORITY_INIT_DEF_APPEND 1
/* Parses @priorities into a new cache. On a parse error @err_pos
 * presumably points into @priorities at the offending position. */
int gnutls_priority_init(gnutls_priority_t * priority_cache,
			 const char *priorities, const char **err_pos);
int gnutls_priority_init2(gnutls_priority_t * priority_cache,
			  const char *priorities, const char **err_pos,
			  unsigned flags);
void gnutls_priority_deinit(gnutls_priority_t priority_cache);
/* Maps the @idx-th entry of the cache to a cipher-suite table index
 * (usable with gnutls_cipher_suite_info()). */
int gnutls_priority_get_cipher_suite_index(gnutls_priority_t pcache,
					   unsigned int idx,
					   unsigned int *sidx);

/* Flags for gnutls_priority_string_list(), selecting which class of
 * keywords is enumerated. */
#define GNUTLS_PRIORITY_LIST_INIT_KEYWORDS 1
#define GNUTLS_PRIORITY_LIST_SPECIAL 2
/* Enumerates known priority keywords by iteration index @iter. */
const char *
gnutls_priority_string_list(unsigned iter, unsigned int flags);

/* Applies a pre-parsed cache to a session. */
int gnutls_priority_set(gnutls_session_t session,
			gnutls_priority_t priority);

/* Parses and applies a priority string in one step. */
int gnutls_priority_set_direct(gnutls_session_t session,
			       const char *priorities,
			       const char **err_pos);

/* Read-only views of the ordered lists inside a cache. Each sets *list
 * to an array of enum values and returns its length (presumably -- the
 * int return is the only place the size could come from). The arrays
 * are presumably owned by the cache and valid until it is deinitialised. */
int gnutls_priority_certificate_type_list(gnutls_priority_t pcache,
					  const unsigned int **list);
int gnutls_priority_certificate_type_list2(gnutls_priority_t pcache,
					  const unsigned int **list,
					  gnutls_ctype_target_t target);
int gnutls_priority_sign_list(gnutls_priority_t pcache,
			      const unsigned int **list);
int gnutls_priority_protocol_list(gnutls_priority_t pcache,
				  const unsigned int **list);
int gnutls_priority_ecc_curve_list(gnutls_priority_t pcache,
				   const unsigned int **list);
int
gnutls_priority_group_list(gnutls_priority_t pcache,
			   const unsigned int **list);

int gnutls_priority_kx_list(gnutls_priority_t pcache,
			    const unsigned int **list);
int gnutls_priority_cipher_list(gnutls_priority_t pcache,
				const unsigned int **list);
int gnutls_priority_mac_list(gnutls_priority_t pcache,
			     const unsigned int **list);

/* Path of the system-wide configuration the default priority is read
 * from (by name -- confirm). */
const char *gnutls_get_system_config_file(void);

/* Applies the library/system default priority, optionally appending
 * @add_prio to it. */
int gnutls_set_default_priority(gnutls_session_t session);
int gnutls_set_default_priority_append(gnutls_session_t session,
				       const char *add_prio,
				       const char **err_pos,
				       unsigned flags);
1773
/* Returns the name of a cipher suite */
const char *
	gnutls_cipher_suite_get_name(gnutls_kx_algorithm_t kx_algorithm,
				     gnutls_cipher_algorithm_t cipher_algorithm,
				     gnutls_mac_algorithm_t mac_algorithm) __GNUTLS_CONST__;

/* get the currently used protocol version */
gnutls_protocol_t gnutls_protocol_get_version(gnutls_session_t session);

const char *
	gnutls_protocol_get_name(gnutls_protocol_t version) __GNUTLS_CONST__;


/* get/set session
 */
/* Serialised session state for resumption. What is exported presumably
 * includes the resumption secrets, so anything written by
 * gnutls_session_get_data*() must be stored with the same care as key
 * material and only fed back through gnutls_session_set_data(). */
int gnutls_session_set_data(gnutls_session_t session,
			    const void *session_data,
			    size_t session_data_size);
int gnutls_session_get_data(gnutls_session_t session, void *session_data,
			    size_t * session_data_size);
int gnutls_session_get_data2(gnutls_session_t session,
			     gnutls_datum_t * data);
/* The client and server random values of the handshake. */
void gnutls_session_get_random(gnutls_session_t session,
			       gnutls_datum_t * client,
			       gnutls_datum_t * server);

/* Exposes the TLS master secret. Whoever holds it can decrypt the
 * session: keep it out of logs, wipe it after use, and confirm in the
 * manual whether @secret references library-owned memory. */
void gnutls_session_get_master_secret(gnutls_session_t session,
			              gnutls_datum_t * secret);

/* Human-readable description of the negotiated session. The returned
 * string is non-const, so it is presumably allocated and owned by the
 * caller -- confirm how to release it. */
char *gnutls_session_get_desc(gnutls_session_t session);

/* Callback run during the handshake to verify the peer. Its int return
 * is presumably an error code that aborts the handshake when non-zero
 * -- confirm. A callback that unconditionally returns 0 disables peer
 * authentication for the session. */
typedef int gnutls_certificate_verify_function(gnutls_session_t);
void gnutls_session_set_verify_function(gnutls_session_t session, gnutls_certificate_verify_function * func);
1807
1808/**
1809 * gnutls_vdata_types_t:
1810 * @GNUTLS_DT_UNKNOWN: Unknown data type.
1811 * @GNUTLS_DT_DNS_HOSTNAME: The data contain a null-terminated DNS hostname; the hostname will be
1812 *   matched using the RFC6125 rules. If the data contain a textual IP (v4 or v6) address it will
1813 *   be marched against the IPAddress Alternative name, unless the verification flag %GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES
1814 *   is specified.
1815 * @GNUTLS_DT_IP_ADDRESS: The data contain a raw IP address (4 or 16 bytes). If will be matched
1816 *   against the IPAddress Alternative name; option available since 3.6.0.
1817 * @GNUTLS_DT_RFC822NAME: The data contain a null-terminated email address; the email will be
1818 *   matched against the RFC822Name Alternative name of the certificate, or the EMAIL DN component if the
1819 *   former isn't available. Prior to matching the email address will be converted to ACE
1820 *   (ASCII-compatible-encoding).
1821 * @GNUTLS_DT_KEY_PURPOSE_OID: The data contain a null-terminated key purpose OID. It will be matched
1822 *   against the certificate's Extended Key Usage extension.
1823 *
1824 * Enumeration of different typed-data options. They are used as input to certificate
1825 * verification functions to provide information about the name and purpose of the
1826 * certificate. Only a single option of a type can be provided to the relevant functions
1827 * (i.e., options %GNUTLS_DT_DNS_HOSTNAME, %GNUTLS_DT_IP_ADDRESS and
1828 * %GNUTLS_DT_RFC822NAME cannot be combined).
1829 */
1830typedef enum {
1831	GNUTLS_DT_UNKNOWN = 0,
1832	GNUTLS_DT_DNS_HOSTNAME = 1,
1833	GNUTLS_DT_KEY_PURPOSE_OID = 2,
1834	GNUTLS_DT_RFC822NAME = 3,
1835	GNUTLS_DT_IP_ADDRESS = 4
1836} gnutls_vdata_types_t;
1837
1838typedef struct {
1839	gnutls_vdata_types_t type;
1840	unsigned char *data;
1841	unsigned int size;
1842} gnutls_typed_vdata_st;
1843
1844void gnutls_session_set_verify_cert(gnutls_session_t session,
1845			       const char *hostname, unsigned flags);
1846
1847void
1848gnutls_session_set_verify_cert2(gnutls_session_t session,
1849				gnutls_typed_vdata_st * data,
1850				unsigned elements, unsigned flags);
1851
1852unsigned int gnutls_session_get_verify_cert_status(gnutls_session_t);
1853
/* Installs a caller-supplied master secret and session parameters.
 * NOTE(review): the function is named "premaster" but the parameter is
 * @master; the naming is inherited, so read the manual for which value
 * is expected. Only for special setups (e.g. testing) -- a secret from
 * outside the handshake bypasses the library's key agreement. */
int gnutls_session_set_premaster(gnutls_session_t session,
				 unsigned int entity,
				 gnutls_protocol_t version,
				 gnutls_kx_algorithm_t kx,
				 gnutls_cipher_algorithm_t cipher,
				 gnutls_mac_algorithm_t mac,
				 gnutls_compression_method_t comp,
				 const gnutls_datum_t * master,
				 const gnutls_datum_t * session_id);

/* returns the session ID */
/* Upper bound on a session id; a buffer of this size is presumably
 * always sufficient for gnutls_session_get_id() -- confirm. */
#define GNUTLS_MAX_SESSION_ID 32
int gnutls_session_get_id(gnutls_session_t session, void *session_id,
			  size_t * session_id_size);
int gnutls_session_get_id2(gnutls_session_t session,
			   gnutls_datum_t * session_id);

int gnutls_session_set_id(gnutls_session_t session,
			  const gnutls_datum_t * sid);

/* Channel binding data of type @cbtype (for binding an outer
 * authentication, e.g. SASL, to this TLS session). */
int gnutls_session_channel_binding(gnutls_session_t session,
				   gnutls_channel_binding_t cbtype,
				   gnutls_datum_t * cb);

/* checks if this session is a resumed one
 */
int gnutls_session_is_resumed(gnutls_session_t session);
int gnutls_session_resumption_requested(gnutls_session_t session);

/* Server-side session cache callbacks. The first argument is the
 * pointer registered with gnutls_db_set_ptr(). The stored @data is
 * resumption state and must be protected like key material. The
 * retrieve callback returns a datum by value; who frees its memory is
 * not visible here -- confirm with the manual. */
typedef int (*gnutls_db_store_func) (void *, gnutls_datum_t key,
				     gnutls_datum_t data);
typedef int (*gnutls_db_remove_func) (void *, gnutls_datum_t key);
typedef gnutls_datum_t(*gnutls_db_retr_func) (void *, gnutls_datum_t key);

/* Cache lifetime in seconds. */
void gnutls_db_set_cache_expiration(gnutls_session_t session, int seconds);
unsigned gnutls_db_get_default_cache_expiration(void);

void gnutls_db_remove_session(gnutls_session_t session);
void gnutls_db_set_retrieve_function(gnutls_session_t session,
				     gnutls_db_retr_func retr_func);
void gnutls_db_set_remove_function(gnutls_session_t session,
				   gnutls_db_remove_func rem_func);
void gnutls_db_set_store_function(gnutls_session_t session,
				  gnutls_db_store_func store_func);
void gnutls_db_set_ptr(gnutls_session_t session, void *ptr);
void *gnutls_db_get_ptr(gnutls_session_t session);
/* Validates a stored entry; the two time functions return when it was
 * created and when it expires. */
int gnutls_db_check_entry(gnutls_session_t session,
			  gnutls_datum_t session_entry);
time_t gnutls_db_check_entry_time(gnutls_datum_t * entry);
time_t gnutls_db_check_entry_expire_time(gnutls_datum_t * entry);
1904
1905  /**
1906   * gnutls_handshake_hook_func:
1907   * @session: the current session
1908   * @htype: the type of the handshake message (%gnutls_handshake_description_t)
1909   * @when: non zero if this is a post-process/generation call and zero otherwise
1910   * @incoming: non zero if this is an incoming message and zero if this is an outgoing message
1911   * @msg: the (const) data of the handshake message without the handshake headers.
1912   *
1913   * Function prototype for handshake hooks. It is set using
1914   * gnutls_handshake_set_hook_function().
1915   *
1916   * Returns: Non zero on error.
1917   */
1918#define GNUTLS_HOOK_POST (1)
1919#define GNUTLS_HOOK_PRE (0)
1920#define GNUTLS_HOOK_BOTH (-1)
1921
1922typedef int (*gnutls_handshake_hook_func) (gnutls_session_t,
1923					   unsigned int htype,
1924					   unsigned when,
1925					   unsigned int incoming,
1926					   const gnutls_datum_t *msg);
1927void gnutls_handshake_set_hook_function(gnutls_session_t session,
1928					unsigned int htype, int when,
1929					gnutls_handshake_hook_func func);
1930
1931#define gnutls_handshake_post_client_hello_func gnutls_handshake_simple_hook_func
1932typedef int (*gnutls_handshake_simple_hook_func) (gnutls_session_t);
1933void
1934gnutls_handshake_set_post_client_hello_function(gnutls_session_t session,
1935						gnutls_handshake_simple_hook_func func);
1936
1937void gnutls_handshake_set_max_packet_length(gnutls_session_t session,
1938					    size_t max);
1939
/* returns libgnutls version (call it with a NULL argument)
 */
/* With a non-NULL @req_version the return is NULL when the runtime
 * library is older than requested (presumably -- confirm). */
const char * gnutls_check_version(const char *req_version) __GNUTLS_CONST__;

/* A macro which will allow optimizing out calls to gnutls_check_version()
 * when the version being compiled with is sufficient.
 * Used as:
 *   if (gnutls_check_version_numeric(3,3,16)) {
 *
 * The arguments must be integer literals: they are stringized with
 * `#a "." #b "." #c`, so an identifier would become its own name, and
 * each argument is evaluated more than once.
 */
#define gnutls_check_version_numeric(a,b,c) \
	((GNUTLS_VERSION_MAJOR >= (a)) &&  \
	 ((GNUTLS_VERSION_NUMBER >= ( ((a) << 16) + ((b) << 8) + (c) )) || \
	 gnutls_check_version(#a "." #b "." #c)))
1953
/* Functions for setting/clearing credentials
 */
void gnutls_credentials_clear(gnutls_session_t session);

/* cred is a structure defined by the kx algorithm
 */
/* @cred is type-erased (void *): the compiler cannot check that it
 * matches @type, so a mismatch is the caller's responsibility. */
int gnutls_credentials_set(gnutls_session_t session,
			   gnutls_credentials_type_t type, void *cred);
int gnutls_credentials_get(gnutls_session_t session,
			   gnutls_credentials_type_t type, void **cred);
/* Legacy alias. */
#define gnutls_cred_set	gnutls_credentials_set
1965
/* x.509 types */

/* Opaque handles: each struct is only declared here, so callers can
 * hold pointers but never see or depend on the layout. */
struct gnutls_pubkey_st;
typedef struct gnutls_pubkey_st *gnutls_pubkey_t;

struct gnutls_privkey_st;
typedef struct gnutls_privkey_st *gnutls_privkey_t;

struct gnutls_x509_privkey_int;
typedef struct gnutls_x509_privkey_int *gnutls_x509_privkey_t;

struct gnutls_x509_crl_int;
typedef struct gnutls_x509_crl_int *gnutls_x509_crl_t;

struct gnutls_x509_crt_int;
typedef struct gnutls_x509_crt_int *gnutls_x509_crt_t;

struct gnutls_x509_crq_int;
typedef struct gnutls_x509_crq_int *gnutls_x509_crq_t;

/* NOTE(review): no OpenPGP functions appear in this part of the header;
 * the type is presumably retained for ABI compatibility -- confirm. */
struct gnutls_openpgp_keyring_int;
typedef struct gnutls_openpgp_keyring_int *gnutls_openpgp_keyring_t;


/* Credential structures - used in gnutls_credentials_set(); */

struct gnutls_certificate_credentials_st;
typedef struct gnutls_certificate_credentials_st
*gnutls_certificate_credentials_t;
/* Both aliases are the same type; the server/client split is historical. */
typedef gnutls_certificate_credentials_t
    gnutls_certificate_server_credentials;
typedef gnutls_certificate_credentials_t
    gnutls_certificate_client_credentials;

typedef struct gnutls_anon_server_credentials_st
*gnutls_anon_server_credentials_t;
typedef struct gnutls_anon_client_credentials_st
*gnutls_anon_client_credentials_t;
2004
/* Anonymous credentials. Anonymous key exchange provides no peer
 * authentication, so a session using only these is open to an active
 * man-in-the-middle; use them only where that is acceptable. */
void gnutls_anon_free_server_credentials(gnutls_anon_server_credentials_t
					 sc);
int
gnutls_anon_allocate_server_credentials(gnutls_anon_server_credentials_t
					* sc);

/* Explicit DH parameters for the anonymous server. */
void gnutls_anon_set_server_dh_params(gnutls_anon_server_credentials_t res,
				      gnutls_dh_params_t dh_params);

/* Selects well-known DH parameters by security level instead of
 * hand-picked ones; preferable where it suffices. */
int
gnutls_anon_set_server_known_dh_params(gnutls_anon_server_credentials_t res,
					gnutls_sec_param_t sec_param);

/* Callback that supplies DH parameters on demand. */
void
gnutls_anon_set_server_params_function(gnutls_anon_server_credentials_t
				       res, gnutls_params_function * func);

void
gnutls_anon_free_client_credentials(gnutls_anon_client_credentials_t sc);
int
gnutls_anon_allocate_client_credentials(gnutls_anon_client_credentials_t
					* sc);

/* CERTFILE is an x509 certificate in PEM form.
 * KEYFILE is a pkcs-1 private key in PEM form (for RSA keys).
 */
/* Certificate credentials: trust anchors, CRLs and the local key pairs. */
void
gnutls_certificate_free_credentials(gnutls_certificate_credentials_t sc);
int
gnutls_certificate_allocate_credentials(gnutls_certificate_credentials_t
					* res);

/* Finds the issuer of @cert among the configured CAs. Ownership of
 * *issuer (borrowed vs. copied) is not visible here and may depend on
 * @flags -- confirm before deinitialising it. */
int
gnutls_certificate_get_issuer(gnutls_certificate_credentials_t sc,
			      gnutls_x509_crt_t cert,
			      gnutls_x509_crt_t * issuer,
			      unsigned int flags);

/* Raw DER of certificate @idx2 in the @idx1-th configured chain
 * (presumably, from the two indices -- confirm). */
int gnutls_certificate_get_crt_raw(gnutls_certificate_credentials_t sc,
				   unsigned idx1, unsigned idx2,
				   gnutls_datum_t * cert);

/* Drop the configured key pairs / trust anchors / CA names / CRLs.
 * Freeing the CAs removes every trust anchor from @sc. */
void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc);
void gnutls_certificate_free_cas(gnutls_certificate_credentials_t sc);
void gnutls_certificate_free_ca_names(gnutls_certificate_credentials_t sc);
void gnutls_certificate_free_crls(gnutls_certificate_credentials_t sc);

void gnutls_certificate_set_dh_params(gnutls_certificate_credentials_t res,
				      gnutls_dh_params_t dh_params);

int gnutls_certificate_set_known_dh_params(gnutls_certificate_credentials_t res,
					   gnutls_sec_param_t sec_param);
/* Flags applied when verifying the peer's certificate (presumably the
 * gnutls_certificate_verify_flags bitmask -- confirm). Relaxing them
 * weakens peer authentication for every session using @res. */
void gnutls_certificate_set_verify_flags(gnutls_certificate_credentials_t
					 res, unsigned int flags);
unsigned int
gnutls_certificate_get_verify_flags(gnutls_certificate_credentials_t res);
2061
2062/**
2063 * gnutls_certificate_flags:
2064 * @GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH: Skip the key and certificate matching check.
2065 * @GNUTLS_CERTIFICATE_API_V2: If set the gnutls_certificate_set_*key* functions will return an index of the added key pair instead of zero.
2066 * @GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK: If set, the gnutls_certificate_set_ocsp_status_request_file
2067 *    function, will not check whether the response set matches any of the certificates.
2068 * @GNUTLS_CERTIFICATE_VERIFY_CRLS: This will enable CRL verification when added in the certificate structure.
2069 *    When used, it requires CAs to be added before CRLs.
2070 *
2071 * Enumeration of different certificate credentials flags.
2072 */
2073typedef enum gnutls_certificate_flags {
2074	GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH = 1,
2075	GNUTLS_CERTIFICATE_API_V2 = (1<<1),
2076	GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK = (1<<2),
2077	GNUTLS_CERTIFICATE_VERIFY_CRLS = (1<<3)
2078} gnutls_certificate_flags;
2079
2080void gnutls_certificate_set_flags(gnutls_certificate_credentials_t,
2081				  unsigned flags);
2082
/* Limits on accepted peer chains: maximum key size in bits and maximum
 * chain depth. Both bound the work an untrusted chain can impose. */
void gnutls_certificate_set_verify_limits(gnutls_certificate_credentials_t
					  res, unsigned int max_bits,
					  unsigned int max_depth);

/* Trust anchors. Whatever is installed here decides which peers are
 * accepted, so the sources (system store, file, directory, memory)
 * should be as trustworthy as the application's own binary. */
int
gnutls_certificate_set_x509_system_trust(gnutls_certificate_credentials_t
					 cred);

int
gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t
				       cred, const char *cafile,
				       gnutls_x509_crt_fmt_t type);
int
gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred,
				      const char *ca_dir,
				      gnutls_x509_crt_fmt_t type);

int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t
					  res, const gnutls_datum_t * ca,
					  gnutls_x509_crt_fmt_t type);

/* CRLs. With GNUTLS_CERTIFICATE_VERIFY_CRLS the issuing CAs must already
 * be present (see the flag's description above). */
int
gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t
				     res, const char *crlfile,
				     gnutls_x509_crt_fmt_t type);
int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t
					res, const gnutls_datum_t * CRL,
					gnutls_x509_crt_fmt_t type);

/* Local certificate + private key. The *2 variants take a passphrase
 * for an encrypted key (@pass; NULL presumably means unencrypted --
 * confirm) and extra @flags. With GNUTLS_CERTIFICATE_API_V2 the return
 * value is the index of the added pair rather than zero. */
int
gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials_t
				     res, const char *certfile,
				     const char *keyfile,
				     gnutls_x509_crt_fmt_t type);

int
gnutls_certificate_set_x509_key_file2(gnutls_certificate_credentials_t
				      res, const char *certfile,
				      const char *keyfile,
				      gnutls_x509_crt_fmt_t type,
				      const char *pass,
				      unsigned int flags);

int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t
					res, const gnutls_datum_t * cert,
					const gnutls_datum_t * key,
					gnutls_x509_crt_fmt_t type);

int gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t
					 res, const gnutls_datum_t * cert,
					 const gnutls_datum_t * key,
					 gnutls_x509_crt_fmt_t type,
					 const char *pass,
					 unsigned int flags);

/* Whether the server advertises its CA names in the certificate
 * request (@status non-zero presumably enables it -- confirm). */
void gnutls_certificate_send_x509_rdn_sequence(gnutls_session_t session,
					       int status);

/* Load certificate and key from a PKCS#12 container. */
int
gnutls_certificate_set_x509_simple_pkcs12_file
(gnutls_certificate_credentials_t res, const char *pkcs12file,
 gnutls_x509_crt_fmt_t type, const char *password);
int
gnutls_certificate_set_x509_simple_pkcs12_mem
(gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
 gnutls_x509_crt_fmt_t type, const char *password);

/* New functions to allow setting already parsed X.509 stuff.
 */

/* NOTE(review): these three take signed int sizes while the getters
 * below use unsigned; callers should not pass negative counts. */
int gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
				    gnutls_x509_crt_t * cert_list,
				    int cert_list_size,
				    gnutls_x509_privkey_t key);
int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
				      gnutls_x509_crt_t * ca_list,
				      int ca_list_size);
int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
				    gnutls_x509_crl_t * crl_list,
				    int crl_list_size);

/* Retrieve the @index-th configured key / certificate chain. *crt_list
 * is a pointer to an array, so it is presumably allocated for the
 * caller -- confirm how it must be released. */
int gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res,
                                    unsigned index,
                                    gnutls_x509_privkey_t *key);
int gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
                                    unsigned index,
                                    gnutls_x509_crt_t **crt_list,
                                    unsigned *crt_list_size);
2171
2172  /* OCSP status request extension, RFC 6066 */
/* Server-side callback that supplies the OCSP response to staple;
 * @ptr is the pointer registered alongside it. */
typedef int (*gnutls_status_request_ocsp_func)
 (gnutls_session_t session, void *ptr, gnutls_datum_t *ocsp_response);

void
gnutls_certificate_set_ocsp_status_request_function
(gnutls_certificate_credentials_t res,
gnutls_status_request_ocsp_func ocsp_func, void *ptr);

/* Per-certificate-chain (@idx) variant of the above. */
int
gnutls_certificate_set_ocsp_status_request_function2
(gnutls_certificate_credentials_t res, unsigned idx,
gnutls_status_request_ocsp_func ocsp_func, void *ptr);

/* Staple a pre-fetched response from a file or memory. Unless
 * GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK is set, the response is
 * checked against the configured certificates (see that flag). */
int
gnutls_certificate_set_ocsp_status_request_file
(gnutls_certificate_credentials_t res, const char *response_file,
 unsigned idx);

int
gnutls_certificate_set_ocsp_status_request_file2
(gnutls_certificate_credentials_t res, const char *response_file,
 unsigned idx, gnutls_x509_crt_fmt_t fmt);

int
gnutls_certificate_set_ocsp_status_request_mem
(gnutls_certificate_credentials_t res, const gnutls_datum_t *resp,
 unsigned idx, gnutls_x509_crt_fmt_t fmt);

/* A stored OCSP response together with its expiry. */
typedef struct gnutls_ocsp_data_st {
	unsigned int version; /* must be zero */
	gnutls_datum_t response;	/* the encoded response */
	time_t exptime;			/* when it stops being usable */
	unsigned char padding[32];	/* reserved; keeps the ABI extensible */
} gnutls_ocsp_data_st;

/* Expiry of the @oidx-th stapled response for chain @idx. */
time_t
gnutls_certificate_get_ocsp_expiration(gnutls_certificate_credentials_t sc,
				       unsigned idx,
				       int oidx,
				       unsigned flags);

/* Client side: request stapling, optionally naming responders. */
int gnutls_ocsp_status_request_enable_client(gnutls_session_t session,
					     gnutls_datum_t * responder_id,
					     size_t responder_id_size,
					     gnutls_datum_t *
					     request_extensions);

/* The stapled response received from the peer, if any. */
int gnutls_ocsp_status_request_get(gnutls_session_t session,
				   gnutls_datum_t * response);

/* Flag for gnutls_ocsp_status_request_is_checked(): only report whether
 * a response is available (by name -- confirm). */
#define GNUTLS_OCSP_SR_IS_AVAIL 1
/* Non-zero when the staple was checked and found valid (presumably --
 * confirm). A zero result means the revocation status is unknown, not
 * that the certificate is good; callers deciding on revocation must
 * not treat "unchecked" as "not revoked". */
unsigned gnutls_ocsp_status_request_is_checked(gnutls_session_t session,
					       unsigned int flags);

/* Per-certificate (@idx) variant of gnutls_ocsp_status_request_get(). */
int
gnutls_ocsp_status_request_get2(gnutls_session_t session,
			        unsigned idx,
			        gnutls_datum_t * response);
2231
/* RAW public key functions (RFC7250) */

/* Sets a raw public key (@spki, a SubjectPublicKeyInfo) and its private
 * key (@pkey) from memory.  @format gives the encoding; @pass is the
 * private-key password, if any; @key_usage is an OR of the GNUTLS_KEY_*
 * values declared later in this header.  @names / @names_length are
 * presumably the names the key may be selected for — confirm against the
 * implementation.
 */
int gnutls_certificate_set_rawpk_key_mem(gnutls_certificate_credentials_t cred,
				    const gnutls_datum_t* spki,
				    const gnutls_datum_t* pkey,
				    gnutls_x509_crt_fmt_t format,
				    const char* pass,
				    unsigned int key_usage,
				    const char **names,
				    unsigned int names_length,
				    unsigned int flags);

/* File-based variant of gnutls_certificate_set_rawpk_key_mem().  Unlike
 * the memory variant it takes two flag words: @privkey_flags for the
 * private-key import and @pkcs11_flags for keys referenced by PKCS#11
 * URL.
 */
int gnutls_certificate_set_rawpk_key_file(gnutls_certificate_credentials_t cred,
				      const char* rawpkfile,
				      const char* privkeyfile,
				      gnutls_x509_crt_fmt_t format,
				      const char *pass,
				      unsigned int key_usage,
				      const char **names,
				      unsigned int names_length,
				      unsigned int privkey_flags,
				      unsigned int pkcs11_flags);
2253
2254
/* global state functions
 */
int gnutls_global_init(void);
void gnutls_global_deinit(void);

  /**
   * gnutls_time_func:
   * @t: where to store time.
   *
   * Function prototype for time()-like function.  Set with
   * gnutls_global_set_time_function().
   *
   * Returns: Number of seconds since the epoch, or (time_t)-1 on errors.
   */
typedef time_t(*gnutls_time_func) (time_t * t);

/* Mutex hooks for the library's internal locking.  Each receives the
 * address of an opaque mutex handle; the integer return is presumably 0
 * on success — confirm against the implementation.
 */
typedef int (*mutex_init_func) (void **mutex);
typedef int (*mutex_lock_func) (void **mutex);
typedef int (*mutex_unlock_func) (void **mutex);
typedef int (*mutex_deinit_func) (void **mutex);

/* Installs the mutex hooks above.  Note the argument order (init, deinit,
 * lock, unlock) differs from the typedef order.
 */
void gnutls_global_set_mutex(mutex_init_func init,
			     mutex_deinit_func deinit,
			     mutex_lock_func lock,
			     mutex_unlock_func unlock);

/* Allocator hooks.  gnutls_is_secure_function reports whether a pointer
 * belongs to "secure" (non-swappable / scrubbed) memory — the exact
 * contract is not visible here.
 */
typedef void *(*gnutls_alloc_function) (size_t);
typedef void *(*gnutls_calloc_function) (size_t, size_t);
typedef int (*gnutls_is_secure_function) (const void *);
typedef void (*gnutls_free_function) (void *);
typedef void *(*gnutls_realloc_function) (void *, size_t);

/* Replaces the clock the library uses (e.g. for certificate validity). */
void gnutls_global_set_time_function(gnutls_time_func time_func);

/* For use in callbacks */
/* Data handed to the library (and data it hands back) must be allocated
 * and released with these, not the C library's malloc/free directly.
 */
extern _SYM_EXPORT gnutls_alloc_function gnutls_malloc;
extern _SYM_EXPORT gnutls_realloc_function gnutls_realloc;
extern _SYM_EXPORT gnutls_calloc_function gnutls_calloc;
extern _SYM_EXPORT gnutls_free_function gnutls_free;

#ifdef GNUTLS_INTERNAL_BUILD
/* Inside the library, gnutls_free(p) also resets p to NULL after
 * freeing, which turns a later use-after-free or double free into a NULL
 * dereference / no-op.  Because of the trailing "a=NULL", the argument
 * must be an lvalue.
 */
#define gnutls_free(a) gnutls_free((void *) (a)), a=NULL
#endif

extern _SYM_EXPORT char *(*gnutls_strdup) (const char *);

/* a variant of memset that doesn't get optimized out */
/* Use this rather than memset() to scrub key material before it is freed
 * or goes out of scope; a plain memset whose result is never read may be
 * removed by the compiler.
 */
void gnutls_memset(void *data, int c, size_t size);

/* constant time memcmp */
/* Use this instead of memcmp() when comparing secrets (MACs, tags, keys):
 * its running time does not depend on where the first differing byte is.
 */
int gnutls_memcmp(const void *s1, const void *s2, size_t n);

/* Debug logging: the log callback receives the log level and the message
 * text; the audit callback receives the session concerned.  Output at
 * verbose levels is debugging information — treat it as such when
 * deciding where it is written.
 */
typedef void (*gnutls_log_func) (int, const char *);
typedef void (*gnutls_audit_log_func) (gnutls_session_t, const char *);
void gnutls_global_set_log_function(gnutls_log_func log_func);
void gnutls_global_set_audit_log_function(gnutls_audit_log_func log_func);
void gnutls_global_set_log_level(int level);
2312
2313  /**
2314   * gnutls_keylog_func:
2315   * @session: the current session
2316   * @label: the keylog label
2317   * @secret: the (const) data of the derived secret.
2318   *
2319   * Function prototype for keylog hooks. It is set using
2320   * gnutls_session_set_keylog_function().
2321   *
2322   * Returns: Non zero on error.
2323   * Since: 3.6.13
2324   */
2325typedef int (*gnutls_keylog_func) (gnutls_session_t session,
2326				   const char *label,
2327				   const gnutls_datum_t *secret);
2328gnutls_keylog_func gnutls_session_get_keylog_function(const gnutls_session_t session);
2329void gnutls_session_set_keylog_function(gnutls_session_t session,
2330					gnutls_keylog_func func);
2331
/* Diffie-Hellman parameter handling.
 *
 * Generating fresh parameters (gnutls_dh_params_generate2) is expensive;
 * the RFC 7919 groups exported later in this header
 * (gnutls_ffdhe_*_group_prime / _q / _generator / _key_bits) are the
 * ready-made alternative.
 */
int gnutls_dh_params_init(gnutls_dh_params_t * dh_params);
void gnutls_dh_params_deinit(gnutls_dh_params_t dh_params);
/* Imports a group from its raw @prime and @generator. */
int gnutls_dh_params_import_raw(gnutls_dh_params_t dh_params,
				const gnutls_datum_t * prime,
				const gnutls_datum_t * generator);
/* Imports the group parameters (p, g) carried by a DSA private key. */
int gnutls_dh_params_import_dsa(gnutls_dh_params_t dh_params, gnutls_x509_privkey_t key);
/* As gnutls_dh_params_import_raw(), additionally fixing the private
 * exponent size in @key_bits.
 */
int gnutls_dh_params_import_raw2(gnutls_dh_params_t dh_params,
				 const gnutls_datum_t * prime,
				 const gnutls_datum_t * generator,
				 unsigned key_bits);
/* As gnutls_dh_params_import_raw(), additionally taking the subgroup
 * order @q (presumably used to validate peer public values — confirm).
 */
int gnutls_dh_params_import_raw3(gnutls_dh_params_t dh_params,
				 const gnutls_datum_t * prime,
				 const gnutls_datum_t * q,
				 const gnutls_datum_t * generator);
/* Imports parameters from a PKCS#3 structure in DER or PEM (@format). */
int gnutls_dh_params_import_pkcs3(gnutls_dh_params_t params,
				  const gnutls_datum_t * pkcs3_params,
				  gnutls_x509_crt_fmt_t format);
/* Generates a fresh group with a @bits-bit prime. */
int gnutls_dh_params_generate2(gnutls_dh_params_t params,
			       unsigned int bits);
/* Exports to PKCS#3 into a caller buffer; @params_data_size is presumably
 * the buffer size on input and the written length on output — confirm.
 */
int gnutls_dh_params_export_pkcs3(gnutls_dh_params_t params,
				  gnutls_x509_crt_fmt_t format,
				  unsigned char *params_data,
				  size_t * params_data_size);
/* Exports to PKCS#3 into a library-allocated datum @out. */
int gnutls_dh_params_export2_pkcs3(gnutls_dh_params_t params,
				   gnutls_x509_crt_fmt_t format,
				   gnutls_datum_t * out);
/* Exports the raw @prime and @generator; @bits receives the prime size. */
int gnutls_dh_params_export_raw(gnutls_dh_params_t params,
				gnutls_datum_t * prime,
				gnutls_datum_t * generator,
				unsigned int *bits);
/* Copies the parameters of @src into the already initialized @dst. */
int gnutls_dh_params_cpy(gnutls_dh_params_t dst, gnutls_dh_params_t src);
2365
2366
2367
2368/* Session stuff
2369 */
2370@DEFINE_IOVEC_T@
2371
/* Transport callbacks.  The pull/push functions have the shape of
 * recv()/send(): they return the number of bytes transferred, or -1 on
 * error, in which case the library presumably consults errno (see
 * gnutls_transport_set_errno() / gnutls_errno_func below) — confirm.
 */
typedef ssize_t(*gnutls_pull_func) (gnutls_transport_ptr_t, void *,
				    size_t);
typedef ssize_t(*gnutls_push_func) (gnutls_transport_ptr_t, const void *,
				    size_t);

/* Default pull-timeout implementation for socket transports: waits up to
 * @ms milliseconds for data on the descriptor behind @ptr.
 */
int gnutls_system_recv_timeout(gnutls_transport_ptr_t ptr, unsigned int ms);
/* Waits up to @ms milliseconds for readable data on the transport. */
typedef int (*gnutls_pull_timeout_func) (gnutls_transport_ptr_t,
					 unsigned int ms);

/* Scatter/gather push, taking @iovcnt giovec_t entries. */
typedef ssize_t(*gnutls_vec_push_func) (gnutls_transport_ptr_t,
					const giovec_t * iov, int iovcnt);

/* Returns the errno value of the last failed push/pull on the transport. */
typedef int (*gnutls_errno_func) (gnutls_transport_ptr_t);

#if 0
 /* This will be defined as macro. */
  void gnutls_transport_set_int (gnutls_session_t session, int r);
#endif

/* Uses file descriptor @r for receiving and @s for sending. */
void gnutls_transport_set_int2(gnutls_session_t session, int r, int s);
/* Same descriptor for both directions.  Note: the macro expands @i twice,
 * so the argument must not have side effects.
 */
#define gnutls_transport_set_int(s, i) gnutls_transport_set_int2(s, i, i)

void gnutls_transport_get_int2(gnutls_session_t session, int *r, int *s);
int gnutls_transport_get_int(gnutls_session_t session);

/* Opaque transport pointer handed to the push/pull callbacks; the *2
 * variants allow distinct pointers per direction.
 */
void gnutls_transport_set_ptr(gnutls_session_t session,
			      gnutls_transport_ptr_t ptr);
void gnutls_transport_set_ptr2(gnutls_session_t session,
			       gnutls_transport_ptr_t recv_ptr,
			       gnutls_transport_ptr_t send_ptr);

gnutls_transport_ptr_t gnutls_transport_get_ptr(gnutls_session_t session);
void gnutls_transport_get_ptr2(gnutls_session_t session,
			       gnutls_transport_ptr_t * recv_ptr,
			       gnutls_transport_ptr_t * send_ptr);

/* Installs the transport callbacks declared above. */
void gnutls_transport_set_vec_push_function(gnutls_session_t session,
					    gnutls_vec_push_func vec_func);
void gnutls_transport_set_push_function(gnutls_session_t session,
					gnutls_push_func push_func);
void gnutls_transport_set_pull_function(gnutls_session_t session,
					gnutls_pull_func pull_func);

void gnutls_transport_set_pull_timeout_function(gnutls_session_t session,
						gnutls_pull_timeout_func
						func);

void gnutls_transport_set_errno_function(gnutls_session_t session,
					 gnutls_errno_func errno_func);

/* Lets a custom push/pull callback report its error code to the library
 * explicitly instead of through the C library's errno.
 */
void gnutls_transport_set_errno(gnutls_session_t session, int err);
2423
/* session specific
 */
/* Opaque application pointer attached to a session (not interpreted by
 * the library).
 */
void gnutls_session_set_ptr(gnutls_session_t session, void *ptr);
void *gnutls_session_get_ptr(gnutls_session_t session);

/* Legacy OpenPGP certificate selection; the OpenPGP types are only
 * forward-declared in this header.
 */
void gnutls_openpgp_send_cert(gnutls_session_t session,
			      gnutls_openpgp_crt_status_t status);

/* This function returns the hash of the given data.
 */
/* @result receives the @algo digest of @data; @result_size is presumably
 * the buffer size on input and the digest length on output — confirm.
 */
int gnutls_fingerprint(gnutls_digest_algorithm_t algo,
		       const gnutls_datum_t * data, void *result,
		       size_t * result_size);

  /**
   * gnutls_random_art_t:
   * @GNUTLS_RANDOM_ART_OPENSSH: OpenSSH-style random art.
   *
   * Enumeration of different random art types.
   */
typedef enum gnutls_random_art {
	GNUTLS_RANDOM_ART_OPENSSH = 1
} gnutls_random_art_t;

/* Renders the fingerprint @fpr (of @fpr_size bytes) as ASCII "random art"
 * of style @type into the library-allocated datum @art; @key_type and
 * @key_size label the picture.
 */
int gnutls_random_art(gnutls_random_art_t type,
		      const char *key_type, unsigned int key_size,
		      void *fpr, size_t fpr_size, gnutls_datum_t * art);

/* IDNA */
/* Flag for the mapping functions: use IDNA2008 rules even where the
 * default would differ.
 */
#define GNUTLS_IDNA_FORCE_2008 (1<<1)
/* Maps a Unicode hostname of @ilen bytes to its IDNA (A-label) form in
 * @out, and back with the reverse function.
 */
int gnutls_idna_map(const char * input, unsigned ilen, gnutls_datum_t *out, unsigned flags);
int gnutls_idna_reverse_map(const char *input, unsigned ilen, gnutls_datum_t *out, unsigned flags);
2456
/* SRP
 */

typedef struct gnutls_srp_server_credentials_st
*gnutls_srp_server_credentials_t;
typedef struct gnutls_srp_client_credentials_st
*gnutls_srp_client_credentials_t;

void
gnutls_srp_free_client_credentials(gnutls_srp_client_credentials_t sc);
int
gnutls_srp_allocate_client_credentials(gnutls_srp_client_credentials_t *
				       sc);
/* Client side: the SRP username and password as NUL-terminated strings. */
int gnutls_srp_set_client_credentials(gnutls_srp_client_credentials_t res,
				      const char *username,
				      const char *password);

void
gnutls_srp_free_server_credentials(gnutls_srp_server_credentials_t sc);
int
gnutls_srp_allocate_server_credentials(gnutls_srp_server_credentials_t *
				       sc);
/* Server side: loads the verifier database from @password_file and the
 * group parameters it refers to from @password_conf_file.
 */
int gnutls_srp_set_server_credentials_file(gnutls_srp_server_credentials_t
					   res, const char *password_file,
					   const char *password_conf_file);

/* Returns the username the client authenticated with on @session. */
const char *gnutls_srp_server_get_username(gnutls_session_t session);

/* Client side: minimum acceptable size of the server's SRP prime. */
void gnutls_srp_set_prime_bits(gnutls_session_t session,
                               unsigned int bits);

/* Computes the SRP verifier for @username/@password under @salt and the
 * group (@generator, @prime), returning it in the library-allocated datum
 * @res.  The verifier is what a server stores instead of the password.
 */
int gnutls_srp_verifier(const char *username,
			const char *password,
			const gnutls_datum_t * salt,
			const gnutls_datum_t * generator,
			const gnutls_datum_t * prime,
			gnutls_datum_t * res);

/* The static parameters defined in draft-ietf-tls-srp-05
 * Those should be used as input to gnutls_srp_verifier().
 */
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_8192_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_8192_group_generator;

extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_4096_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_4096_group_generator;

extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_3072_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_3072_group_generator;

extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_2048_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_2048_group_generator;

extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_1536_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_1536_group_generator;

extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_1024_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_srp_1024_group_generator;

/* The static parameters defined in rfc7919
 *
 * Each group comes with its subgroup order q (usable with
 * gnutls_dh_params_import_raw3()) and the recommended private key size in
 * bits.
 */

extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_8192_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_8192_group_q;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_8192_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_8192_key_bits;

extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_6144_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_6144_group_q;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_6144_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_6144_key_bits;

extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_4096_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_4096_group_q;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_4096_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_4096_key_bits;

extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_3072_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_3072_group_q;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_3072_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_3072_key_bits;

extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_2048_group_prime;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_2048_group_q;
extern _SYM_EXPORT const gnutls_datum_t gnutls_ffdhe_2048_group_generator;
extern _SYM_EXPORT const unsigned int gnutls_ffdhe_2048_key_bits;

/* Server callback: looks up @username and fills in its @salt, @verifier,
 * @generator and @prime.  Its return value and the allocation convention
 * for the output datums are not visible here — confirm against the
 * implementation.  Note that the callback's behaviour for an unknown
 * username is observable by the client; see
 * gnutls_srp_set_server_fake_salt_seed() below.
 */
typedef int gnutls_srp_server_credentials_function(gnutls_session_t,
						   const char *username,
						   gnutls_datum_t * salt,
						   gnutls_datum_t *
						   verifier,
						   gnutls_datum_t *
						   generator,
						   gnutls_datum_t * prime);
void
gnutls_srp_set_server_credentials_function(gnutls_srp_server_credentials_t
					   cred,
					   gnutls_srp_server_credentials_function
					   * func);

/* Client callback: returns the username and password through the two
 * char ** outputs.  Who allocates/frees them is not visible here.
 */
typedef int gnutls_srp_client_credentials_function(gnutls_session_t,
						   char **, char **);
void
gnutls_srp_set_client_credentials_function(gnutls_srp_client_credentials_t
					   cred,
					   gnutls_srp_client_credentials_function
					   * func);

/* Base64 in the SRP password-file format.  The unsuffixed variants write
 * into a caller buffer (@result_size presumably in/out); the *2 variants
 * return a library-allocated datum.
 */
int gnutls_srp_base64_encode(const gnutls_datum_t * data, char *result,
			     size_t * result_size);
int gnutls_srp_base64_encode2(const gnutls_datum_t * data,
				   gnutls_datum_t * result);

int gnutls_srp_base64_decode(const gnutls_datum_t * b64_data, char *result,
			     size_t * result_size);
int gnutls_srp_base64_decode2(const gnutls_datum_t * b64_data,
				   gnutls_datum_t * result);

#define gnutls_srp_base64_encode_alloc gnutls_srp_base64_encode2
#define gnutls_srp_base64_decode_alloc gnutls_srp_base64_decode2

/* Seeds the generation of fake salts (of @salt_length bytes) for usernames
 * that do not exist, so that the server's reply to an unknown user looks
 * like one for a real user — a user-enumeration defence.  The seed should
 * be secret and stable across restarts, since a changing fake salt would
 * itself reveal that the user is unknown (inferred from the API shape —
 * confirm against the implementation).
 */
void
gnutls_srp_set_server_fake_salt_seed(gnutls_srp_server_credentials_t
				     sc,
				     const gnutls_datum_t * seed,
				     unsigned int salt_length);
2584
/* PSK stuff */
typedef struct gnutls_psk_server_credentials_st
*gnutls_psk_server_credentials_t;
typedef struct gnutls_psk_client_credentials_st
*gnutls_psk_client_credentials_t;

/**
 * gnutls_psk_key_flags:
 * @GNUTLS_PSK_KEY_RAW: PSK-key in raw format.
 * @GNUTLS_PSK_KEY_HEX: PSK-key in hex format.
 *
 * Enumeration of different PSK key flags.
 */
typedef enum gnutls_psk_key_flags {
	GNUTLS_PSK_KEY_RAW = 0,
	GNUTLS_PSK_KEY_HEX
} gnutls_psk_key_flags;

void
gnutls_psk_free_client_credentials(gnutls_psk_client_credentials_t sc);
int
gnutls_psk_allocate_client_credentials(gnutls_psk_client_credentials_t *
				       sc);
/* Client side: identity @username (NUL-terminated) and the pre-shared
 * @key, interpreted as raw bytes or as hex text according to @flags.
 */
int gnutls_psk_set_client_credentials(gnutls_psk_client_credentials_t res,
				      const char *username,
				      const gnutls_datum_t * key,
				      gnutls_psk_key_flags flags);
/* As above with a binary-safe @username datum (not NUL-terminated). */
int gnutls_psk_set_client_credentials2(gnutls_psk_client_credentials_t res,
				       const gnutls_datum_t *username,
				       const gnutls_datum_t *key,
				       gnutls_psk_key_flags flags);

void
gnutls_psk_free_server_credentials(gnutls_psk_server_credentials_t sc);
int
gnutls_psk_allocate_server_credentials(gnutls_psk_server_credentials_t *
				       sc);
/* Server side: loads identity/key pairs from @password_file. */
int gnutls_psk_set_server_credentials_file(gnutls_psk_server_credentials_t
					   res, const char *password_file);

/* Server side: the identity hint sent to clients (RFC 4279). */
int
gnutls_psk_set_server_credentials_hint(gnutls_psk_server_credentials_t
				       res, const char *hint);

/* Identity the client presented; the *2 variant returns it as a datum,
 * which is the only safe form when identities may contain NUL bytes.
 */
const char *gnutls_psk_server_get_username(gnutls_session_t session);
int gnutls_psk_server_get_username2(gnutls_session_t session,
				    gnutls_datum_t *out);
/* Hint received from the server, if any. */
const char *gnutls_psk_client_get_hint(gnutls_session_t session);

/* Server callback: resolves @username to its @key.  The *2 variant takes
 * the identity as a datum.  Return value and allocation convention for
 * @key are not visible here — confirm against the implementation.
 */
typedef int gnutls_psk_server_credentials_function(gnutls_session_t,
						   const char *username,
						   gnutls_datum_t * key);
typedef int gnutls_psk_server_credentials_function2(gnutls_session_t,
						    const gnutls_datum_t *username,
						    gnutls_datum_t *key);
void
gnutls_psk_set_server_credentials_function(gnutls_psk_server_credentials_t
					   cred,
					   gnutls_psk_server_credentials_function
					   * func);
void
gnutls_psk_set_server_credentials_function2(gnutls_psk_server_credentials_t cred,
					    gnutls_psk_server_credentials_function2 *func);

/* Client callback: supplies the identity and key to use; the *2 variant
 * returns the identity as a datum.
 */
typedef int gnutls_psk_client_credentials_function(gnutls_session_t,
						   char **username,
						   gnutls_datum_t * key);
typedef int gnutls_psk_client_credentials_function2(gnutls_session_t,
						    gnutls_datum_t *username,
						    gnutls_datum_t *key);
void
gnutls_psk_set_client_credentials_function(gnutls_psk_client_credentials_t
					   cred,
					   gnutls_psk_client_credentials_function
					   * func);
void
gnutls_psk_set_client_credentials_function2(gnutls_psk_client_credentials_t cred,
					    gnutls_psk_client_credentials_function2 *func);

/* Hex encoding helpers (e.g. for GNUTLS_PSK_KEY_HEX keys).  The unsuffixed
 * variants fill a caller buffer with @result_size presumably in/out; the
 * *2 variants return a library-allocated datum.
 */
int gnutls_hex_encode(const gnutls_datum_t * data, char *result,
		      size_t * result_size);
int gnutls_hex_decode(const gnutls_datum_t * hex_data, void *result,
		      size_t * result_size);

int gnutls_hex_encode2(const gnutls_datum_t * data, gnutls_datum_t *result);
int gnutls_hex_decode2(const gnutls_datum_t * data, gnutls_datum_t *result);

/* DH parameters for the DHE-PSK key exchange: explicit params, a
 * well-known group chosen by security level, or a callback that supplies
 * them on demand.
 */
void
gnutls_psk_set_server_dh_params(gnutls_psk_server_credentials_t res,
				gnutls_dh_params_t dh_params);

int
gnutls_psk_set_server_known_dh_params(gnutls_psk_server_credentials_t res,
				      gnutls_sec_param_t sec_param);

void
gnutls_psk_set_server_params_function(gnutls_psk_server_credentials_t
				      res, gnutls_params_function * func);
2683
2684/**
2685 * gnutls_x509_subject_alt_name_t:
2686 * @GNUTLS_SAN_DNSNAME: DNS-name SAN.
2687 * @GNUTLS_SAN_RFC822NAME: E-mail address SAN.
2688 * @GNUTLS_SAN_URI: URI SAN.
2689 * @GNUTLS_SAN_IPADDRESS: IP address SAN.
2690 * @GNUTLS_SAN_OTHERNAME: OtherName SAN.
2691 * @GNUTLS_SAN_DN: DN SAN.
2692 * @GNUTLS_SAN_REGISTERED_ID: RegisteredID.
2693 * @GNUTLS_SAN_OTHERNAME_XMPP: Virtual SAN, used by certain functions for convenience.
2694 * @GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL: Virtual SAN, used by certain functions for convenience.
2695 *
2696 * Enumeration of different subject alternative names types.
2697 */
2698typedef enum gnutls_x509_subject_alt_name_t {
2699	GNUTLS_SAN_DNSNAME = 1,
2700	GNUTLS_SAN_RFC822NAME = 2,
2701	GNUTLS_SAN_URI = 3,
2702	GNUTLS_SAN_IPADDRESS = 4,
2703	GNUTLS_SAN_OTHERNAME = 5,
2704	GNUTLS_SAN_DN = 6,
2705	GNUTLS_SAN_REGISTERED_ID = 7,
2706	GNUTLS_SAN_MAX = GNUTLS_SAN_REGISTERED_ID,
2707	/* The following are "virtual" subject alternative name types, in
2708	   that they are represented by an otherName value and an OID.
2709	   Used by gnutls_x509_crt_get_subject_alt_othername_oid.  */
2710	GNUTLS_SAN_OTHERNAME_XMPP = 1000,
2711	GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL
2712} gnutls_x509_subject_alt_name_t;
2713
2714struct gnutls_openpgp_crt_int;
2715typedef struct gnutls_openpgp_crt_int *gnutls_openpgp_crt_t;
2716
2717struct gnutls_openpgp_privkey_int;
2718typedef struct gnutls_openpgp_privkey_int *gnutls_openpgp_privkey_t;
2719
2720struct gnutls_pkcs11_privkey_st;
2721typedef struct gnutls_pkcs11_privkey_st *gnutls_pkcs11_privkey_t;
2722
2723/**
2724 * gnutls_privkey_type_t:
2725 * @GNUTLS_PRIVKEY_X509: X.509 private key, #gnutls_x509_privkey_t.
2726 * @GNUTLS_PRIVKEY_OPENPGP: OpenPGP private key, #gnutls_openpgp_privkey_t.
2727 * @GNUTLS_PRIVKEY_PKCS11: PKCS11 private key, #gnutls_pkcs11_privkey_t.
2728 * @GNUTLS_PRIVKEY_EXT: External private key, operating using callbacks.
2729 *
2730 * Enumeration of different private key types.
2731 */
2732typedef enum {
2733	GNUTLS_PRIVKEY_X509,
2734	GNUTLS_PRIVKEY_OPENPGP,
2735	GNUTLS_PRIVKEY_PKCS11,
2736	GNUTLS_PRIVKEY_EXT
2737} gnutls_privkey_type_t;
2738
2739typedef struct gnutls_retr2_st {
2740	gnutls_certificate_type_t cert_type;
2741	gnutls_privkey_type_t key_type;
2742
2743	union {
2744		gnutls_x509_crt_t *x509;
2745		gnutls_openpgp_crt_t pgp;
2746	} cert;
2747	unsigned int ncerts;	/* one for pgp keys */
2748
2749	union {
2750		gnutls_x509_privkey_t x509;
2751		gnutls_openpgp_privkey_t pgp;
2752		gnutls_pkcs11_privkey_t pkcs11;
2753	} key;
2754
2755	unsigned int deinit_all;	/* if non zero all keys will be deinited */
2756} gnutls_retr2_st;
2757
2758
2759  /* Functions that allow auth_info_t structures handling
2760   */
2761
/* Credential type that authenticated the session (overall / per side). */
gnutls_credentials_type_t gnutls_auth_get_type(gnutls_session_t session);
gnutls_credentials_type_t
gnutls_auth_server_get_type(gnutls_session_t session);
gnutls_credentials_type_t
gnutls_auth_client_get_type(gnutls_session_t session);

  /* DH */

/* Client side: smallest DH prime the client will accept from a server. */
void gnutls_dh_set_prime_bits(gnutls_session_t session, unsigned int bits);
/* Sizes (in bits) of the DH values used in this session's key exchange.
 * The int return presumably carries a negative gnutls error code when no
 * DH exchange took place — confirm.
 */
int gnutls_dh_get_secret_bits(gnutls_session_t session);
int gnutls_dh_get_peers_public_bits(gnutls_session_t session);
int gnutls_dh_get_prime_bits(gnutls_session_t session);

/* Raw group (@raw_gen, @raw_prime) and the peer's public value used in
 * this session.
 */
int gnutls_dh_get_group(gnutls_session_t session, gnutls_datum_t * raw_gen,
			gnutls_datum_t * raw_prime);
int gnutls_dh_get_pubkey(gnutls_session_t session,
			 gnutls_datum_t * raw_key);

  /* X509PKI */


  /* These are set on the credentials structure.
   */

  /* use gnutls_certificate_set_retrieve_function2() in abstract.h
   * instead. It's much more efficient.
   */

/* Legacy certificate-selection callback.  @req_ca_rdn / @nreqs list the
 * CA DNs the peer announced and @pk_algos / @pk_algos_length the key
 * algorithms it accepts; the callback fills the trailing gnutls_retr2_st.
 */
typedef int gnutls_certificate_retrieve_function(gnutls_session_t,
						 const
						 gnutls_datum_t *
						 req_ca_rdn,
						 int nreqs,
						 const
						 gnutls_pk_algorithm_t
						 * pk_algos,
						 int
						 pk_algos_length,
						 gnutls_retr2_st *);


void
gnutls_certificate_set_retrieve_function(gnutls_certificate_credentials_t
					 cred,
					 gnutls_certificate_retrieve_function
					 * func);

/* Callback run by the library to verify the peer's certificate during
 * the handshake; a non-zero return is presumably treated as a
 * verification failure — confirm.
 */
void
gnutls_certificate_set_verify_function(gnutls_certificate_credentials_t
				       cred,
				       gnutls_certificate_verify_function
				       * func);

/* Server side: whether to request (or require) a client certificate. */
void
gnutls_certificate_server_set_request(gnutls_session_t session,
				      gnutls_certificate_request_t req);

  /* get data from the session
   */
/* Raw (unparsed) certificates of the peer and of ourselves.  The returned
 * array is const and presumably owned by the session — do not free it.
 */
const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t
						   session, unsigned int
						   *list_size);
const gnutls_datum_t *gnutls_certificate_get_ours(gnutls_session_t
						  session);

int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
					   gnutls_datum_t * id);

/* Validity window of the peer's certificate, as time_t. */
time_t gnutls_certificate_activation_time_peers(gnutls_session_t session);
time_t gnutls_certificate_expiration_time_peers(gnutls_session_t session);

/* Client side: whether the server asked for a client certificate. */
unsigned gnutls_certificate_client_get_request_status(gnutls_session_t session);
/* Verifies the peer's certificate chain against the trust configured on
 * the credentials.  The verification outcome is reported through
 * *@status (a bit set renderable with
 * gnutls_certificate_verification_status_print()), while the int return
 * indicates whether the call itself succeeded — presumably a zero return
 * with a non-zero *@status means the chain was rejected, so callers must
 * check both.  This variant takes no hostname, so it cannot bind the
 * certificate to the peer's identity; use gnutls_certificate_verify_peers3()
 * or gnutls_certificate_verify_peers() for that.
 */
int gnutls_certificate_verify_peers2(gnutls_session_t session,
				     unsigned int *status);
/* As gnutls_certificate_verify_peers2(), additionally checking that the
 * certificate matches @hostname.
 */
int gnutls_certificate_verify_peers3(gnutls_session_t session,
				     const char *hostname,
				     unsigned int *status);

/* Generalized variant: @data holds @elements typed verification inputs
 * (e.g. hostname, key purpose) as gnutls_typed_vdata_st entries.
 */
int
gnutls_certificate_verify_peers(gnutls_session_t session,
				gnutls_typed_vdata_st * data,
				unsigned int elements,
				unsigned int *status);

/* Renders a verification @status bit set into human-readable text. */
int gnutls_certificate_verification_status_print(unsigned int status,
						 gnutls_certificate_type_t
						 type,
						 gnutls_datum_t * out,
						 unsigned int flags);

/* PEM ("-----BEGIN <msg>-----") and plain base64 helpers.  The unsuffixed
 * variants write into a caller buffer (@result_size presumably in/out);
 * the *2 variants return a library-allocated datum.  @header selects which
 * PEM block to decode.
 */
int gnutls_pem_base64_encode(const char *msg, const gnutls_datum_t * data,
			     char *result, size_t * result_size);
int gnutls_pem_base64_decode(const char *header,
			     const gnutls_datum_t * b64_data,
			     unsigned char *result, size_t * result_size);

int gnutls_pem_base64_encode2(const char *msg,
				   const gnutls_datum_t * data,
				   gnutls_datum_t * result);
int gnutls_pem_base64_decode2(const char *header,
				   const gnutls_datum_t * b64_data,
				   gnutls_datum_t * result);

int gnutls_base64_encode2(const gnutls_datum_t * data,
			  gnutls_datum_t * result);
int gnutls_base64_decode2(const gnutls_datum_t * b64_data,
			  gnutls_datum_t * result);

/* Backwards-compatible names for the *2 variants. */
#define gnutls_pem_base64_encode_alloc gnutls_pem_base64_encode2
#define gnutls_pem_base64_decode_alloc gnutls_pem_base64_decode2
2872
  /* key_usage will be an OR of the following values:
   *
   * The values are single bits (1..128 in the low byte, 32768 in the high
   * byte), so they can be combined and tested with bitwise operators.
   */

  /* when the key is to be used for signing: */
#define GNUTLS_KEY_DIGITAL_SIGNATURE	128
#define GNUTLS_KEY_NON_REPUDIATION	64
  /* when the key is to be used for encryption: */
#define GNUTLS_KEY_KEY_ENCIPHERMENT	32
#define GNUTLS_KEY_DATA_ENCIPHERMENT	16
#define GNUTLS_KEY_KEY_AGREEMENT	8
#define GNUTLS_KEY_KEY_CERT_SIGN	4
#define GNUTLS_KEY_CRL_SIGN		2
#define GNUTLS_KEY_ENCIPHER_ONLY	1
#define GNUTLS_KEY_DECIPHER_ONLY	32768

/* Callbacks that supply DH (and similar) parameters on demand for the
 * certificate, anonymous and PSK credential types.
 */
void
gnutls_certificate_set_params_function(gnutls_certificate_credentials_t
				       res, gnutls_params_function * func);
void gnutls_anon_set_params_function(gnutls_anon_server_credentials_t res,
				     gnutls_params_function * func);
void gnutls_psk_set_params_function(gnutls_psk_server_credentials_t res,
				    gnutls_params_function * func);

/* Decodes @hex_size hex characters from @hex_data into @bin_data;
 * @bin_size is presumably the buffer size on input and the decoded length
 * on output — confirm.
 */
int gnutls_hex2bin(const char *hex_data, size_t hex_size,
		   void *bin_data, size_t * bin_size);
2898
2899  /* Trust on first use (or ssh like) functions */
2900
2901  /* stores the provided information to a database
2902   */
/* Trust-on-first-use database hooks.  A TOFU check only establishes
 * continuity (the key is the one seen before for this host/service); the
 * first connection, where nothing is stored yet, is not authenticated by
 * it.
 */
typedef int (*gnutls_tdb_store_func) (const char *db_name,
				      const char *host,
				      const char *service,
				      time_t expiration,
				      const gnutls_datum_t * pubkey);

/* Stores a commitment (a @hash_algo digest, @hash) to a key rather than
 * the key itself.
 */
typedef int (*gnutls_tdb_store_commitment_func) (const char *db_name,
						 const char *host,
						 const char *service,
						 time_t expiration,
						 gnutls_digest_algorithm_t
						 hash_algo,
						 const gnutls_datum_t *
						 hash);

  /* searches for the provided host/service pair that match the
   * provided public key in the database. */
typedef int (*gnutls_tdb_verify_func) (const char *db_name,
				       const char *host,
				       const char *service,
				       const gnutls_datum_t * pubkey);


struct gnutls_tdb_int;
typedef struct gnutls_tdb_int *gnutls_tdb_t;

/* Custom database backend: initialize a handle, install the three hooks
 * above, and pass it to the gnutls_verify_stored_pubkey() /
 * gnutls_store_*() functions.
 */
int gnutls_tdb_init(gnutls_tdb_t * tdb);
void gnutls_tdb_set_store_func(gnutls_tdb_t tdb,
			       gnutls_tdb_store_func store);
void gnutls_tdb_set_store_commitment_func(gnutls_tdb_t tdb,
					  gnutls_tdb_store_commitment_func
					  cstore);
void gnutls_tdb_set_verify_func(gnutls_tdb_t tdb,
				gnutls_tdb_verify_func verify);
void gnutls_tdb_deinit(gnutls_tdb_t tdb);

/* Checks whether the public key of @cert (of type @cert_type) matches the
 * key stored for @host/@service in @db_name, using @tdb or, presumably,
 * the built-in file backend when @tdb is NULL — confirm.
 */
int gnutls_verify_stored_pubkey(const char *db_name,
				gnutls_tdb_t tdb,
				const char *host,
				const char *service,
				gnutls_certificate_type_t cert_type,
				const gnutls_datum_t * cert,
				unsigned int flags);

/* Flag for gnutls_store_commitment(): presumably accepts a @hash_algo the
 * library otherwise rejects as broken — confirm before relying on it.
 */
#define GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN 1
/* Records a commitment (@hash computed with @hash_algo) for
 * @host/@service, valid until @expiration.
 */
int gnutls_store_commitment(const char *db_name,
			    gnutls_tdb_t tdb,
			    const char *host,
			    const char *service,
			    gnutls_digest_algorithm_t hash_algo,
			    const gnutls_datum_t * hash,
			    time_t expiration, unsigned int flags);

/* Records the public key of @cert for @host/@service, valid until
 * @expiration.
 */
int gnutls_store_pubkey(const char *db_name,
			gnutls_tdb_t tdb,
			const char *host,
			const char *service,
			gnutls_certificate_type_t cert_type,
			const gnutls_datum_t * cert,
			time_t expiration, unsigned int flags);

  /* Other helper functions */
/* Reads the whole of @filename into the datum @data.  The result is
 * presumably allocated with gnutls_malloc and released with gnutls_free
 * — confirm.
 */
int gnutls_load_file(const char *filename, gnutls_datum_t * data);

/* Non-zero if @url (e.g. a PKCS#11 or TPM URL) can be handled by this
 * build of the library.
 */
unsigned gnutls_url_is_supported(const char *url);
2968
2969  /* PIN callback */
2970
2971/**
2972 * gnutls_pin_flag_t:
2973 * @GNUTLS_PIN_USER: The PIN for the user.
2974 * @GNUTLS_PIN_SO: The PIN for the security officer (admin).
2975 * @GNUTLS_PIN_CONTEXT_SPECIFIC: The PIN is for a specific action and key like signing.
2976 * @GNUTLS_PIN_FINAL_TRY: This is the final try before blocking.
2977 * @GNUTLS_PIN_COUNT_LOW: Few tries remain before token blocks.
2978 * @GNUTLS_PIN_WRONG: Last given PIN was not correct.
2979 *
2980 * Enumeration of different flags that are input to the PIN function.
2981 */
2982typedef enum {
2983	GNUTLS_PIN_USER = (1 << 0),
2984	GNUTLS_PIN_SO = (1 << 1),
2985	GNUTLS_PIN_FINAL_TRY = (1 << 2),
2986	GNUTLS_PIN_COUNT_LOW = (1 << 3),
2987	GNUTLS_PIN_CONTEXT_SPECIFIC = (1 << 4),
2988	GNUTLS_PIN_WRONG = (1 << 5)
2989} gnutls_pin_flag_t;
2990
2991#define GNUTLS_PKCS11_PIN_USER GNUTLS_PIN_USER
2992#define GNUTLS_PKCS11_PIN_SO GNUTLS_PIN_SO
2993#define GNUTLS_PKCS11_PIN_FINAL_TRY GNUTLS_PIN_FINAL_TRY
2994#define GNUTLS_PKCS11_PIN_COUNT_LOW  GNUTLS_PIN_COUNT_LOW
2995#define GNUTLS_PKCS11_PIN_CONTEXT_SPECIFIC GNUTLS_PIN_CONTEXT_SPECIFIC
2996#define GNUTLS_PKCS11_PIN_WRONG GNUTLS_PIN_WRONG
2997
2998/**
2999 * gnutls_pin_callback_t:
3000 * @userdata: user-controlled data from gnutls_pkcs11_set_pin_function().
3001 * @attempt: pin-attempt counter, initially 0.
3002 * @token_url: URL of token.
3003 * @token_label: label of token.
3004 * @flags: a #gnutls_pin_flag_t flag.
3005 * @pin: buffer to hold PIN, of size @pin_max.
3006 * @pin_max: size of @pin buffer.
3007 *
3008 * Callback function type for PKCS#11 or TPM PIN entry.  It is set by
3009 * functions like gnutls_pkcs11_set_pin_function().
3010 *
3011 * The callback should provides the PIN code to unlock the token with
3012 * label @token_label, specified by the URL @token_url.
3013 *
3014 * The PIN code, as a NUL-terminated ASCII string, should be copied
3015 * into the @pin buffer (of maximum size @pin_max), and return 0 to
3016 * indicate success.  Alternatively, the callback may return a
3017 * negative gnutls error code to indicate failure and cancel PIN entry
3018 * (in which case, the contents of the @pin parameter are ignored).
3019 *
3020 * When a PIN is required, the callback will be invoked repeatedly
3021 * (and indefinitely) until either the returned PIN code is correct,
3022 * the callback returns failure, or the token refuses login (e.g. when
3023 * the token is locked due to too many incorrect PINs!).  For the
3024 * first such invocation, the @attempt counter will have value zero;
3025 * it will increase by one for each subsequent attempt.
3026 *
3027 * Returns: %GNUTLS_E_SUCCESS (0) on success or a negative error code on error.
3028 *
3029 * Since: 2.12.0
3030 **/
/* PIN-entry callback type; the full contract is in the gtk-doc block
 * above.  The callback writes the PIN into @pin as a NUL-terminated string
 * of at most @pin_max bytes and returns 0, or returns a negative gnutls
 * error code to abort PIN entry.  @flags carries gnutls_pin_flag_t bits
 * and @attempt counts from 0 on repeated invocations.
 * NOTE(review): whether @pin_max includes the terminator is not stated
 * here — confirm against the callers before relying on it. */
typedef int (*gnutls_pin_callback_t)(void *userdata,
				     int attempt,
				     const char *token_url,
				     const char *token_label,
				     unsigned int flags,
				     char *pin,
				     size_t pin_max);

/* Installs @fn as the PIN callback of the credentials @cred; @userdata is
 * passed back to @fn unchanged. */
void gnutls_certificate_set_pin_function(gnutls_certificate_credentials_t cred,
					 gnutls_pin_callback_t fn,
					 void *userdata);
3040
3041/* Public string related functions */
/* Opaque growable byte buffer handed to the extension/supplemental send
 * callbacks; struct gnutls_buffer_st is not defined in this header. */
typedef struct gnutls_buffer_st *gnutls_buffer_t;

/* Appends @data_size bytes from @data to @buffer.  Return value follows
 * the library convention (0 on success, negative GNUTLS_E_* on error). */
int gnutls_buffer_append_data(gnutls_buffer_t buffer,
			      const void *data,
			      size_t data_size);

/* Flag for gnutls_utf8_password_normalize(); going by its name it makes
 * the call tolerate encoding errors in @password rather than fail. */
#define GNUTLS_UTF8_IGNORE_ERRS 1
/* Normalizes the @password_len-byte UTF-8 @password (e.g. for PKCS#12 or
 * SRP use — presumably) and returns the result in @out.  @flags is zero or
 * GNUTLS_UTF8_IGNORE_ERRS.  NOTE(review): ownership of @out's storage is
 * not shown here; check the manual before freeing it. */
int gnutls_utf8_password_normalize(const unsigned char *password,
				   unsigned int password_len,
				   gnutls_datum_t *out,
				   unsigned int flags);
3049
3050/* Public extensions related functions */
3051
/* Opaque per-extension private data, owned by the extension's own callbacks. */
typedef void *gnutls_ext_priv_data_t;

/* Store / fetch the private data of extension @type on @session. */
void gnutls_ext_set_data(gnutls_session_t session,
			 unsigned int type,
			 gnutls_ext_priv_data_t data);
int gnutls_ext_get_data(gnutls_session_t session,
			unsigned int type,
			gnutls_ext_priv_data_t *data);

/* Identifies the handshake message the extension machinery is currently
 * working on.  NOTE(review): the returned values are not enumerated in
 * this part of the header. */
unsigned int gnutls_ext_get_current_msg(gnutls_session_t session);

/* Parses the @len-byte body of a received extension. */
typedef int (*gnutls_ext_recv_func)(gnutls_session_t session,
				    const unsigned char *data,
				    size_t len);

/* Appends the extension body to be sent to @extdata. */
typedef int (*gnutls_ext_send_func)(gnutls_session_t session,
				    gnutls_buffer_t extdata);

/* Releases @data previously stored with gnutls_ext_set_data(). */
typedef void (*gnutls_ext_deinit_data_func)(gnutls_ext_priv_data_t data);

/* Serialize / deserialize the private data through a gnutls_buffer_t
 * (presumably for session storage). */
typedef int (*gnutls_ext_pack_func)(gnutls_ext_priv_data_t data,
				    gnutls_buffer_t packed_data);
typedef int (*gnutls_ext_unpack_func)(gnutls_buffer_t packed_data,
				      gnutls_ext_priv_data_t *data);

/* Flags for gnutls_ext_raw_parse(): which kind of client hello @data holds. */
#define GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO (1 << 0)
#define GNUTLS_EXT_RAW_FLAG_DTLS_CLIENT_HELLO (1 << 1)
/* Called once per extension found: @data_size bytes of extension body at
 * @data, for extension id @tls_id; @ctx is the caller's context. */
typedef int (*gnutls_ext_raw_process_func)(void *ctx,
					   unsigned int tls_id,
					   const unsigned char *data,
					   unsigned int data_size);
/* Walks the extensions of a raw hello message @data (presumably before any
 * session exists), invoking @cb for each; @flags is one of the
 * GNUTLS_EXT_RAW_FLAG_* values.  @data is network input: @cb must bound
 * every access by the @data_size it is given. */
int gnutls_ext_raw_parse(void *ctx,
			 gnutls_ext_raw_process_func cb,
			 const gnutls_datum_t *data,
			 unsigned int flags);
3081
3082/**
3083 * gnutls_ext_parse_type_t:
3084 * @GNUTLS_EXT_NONE: Never to be parsed
3085 * @GNUTLS_EXT_ANY: Any extension type (should not be used as it is used only internally).
3086 * @GNUTLS_EXT_VERSION_NEG: Extensions to be parsed first for TLS version negotiation.
3087 * @GNUTLS_EXT_MANDATORY: Parsed after @GNUTLS_EXT_VERSION_NEG and even when resuming.
3088 * @GNUTLS_EXT_APPLICATION: Parsed after @GNUTLS_EXT_MANDATORY
3089 * @GNUTLS_EXT_TLS: TLS-internal extensions, parsed after @GNUTLS_EXT_APPLICATION.
3090 *
3091 * Enumeration of different TLS extension parsing phases.  The @gnutls_ext_parse_type_t
3092 * indicates the time/phase an extension is parsed during Client or Server hello parsing.
3093 *
3094 */
typedef enum {
  /* Listed in parsing order (see the description above); the numeric
   * values are part of the public ABI and are not in that order. */
  GNUTLS_EXT_VERSION_NEG = 5, /* first: TLS version negotiation */
  GNUTLS_EXT_MANDATORY = 3,   /* next, also when resuming */
  GNUTLS_EXT_APPLICATION = 1, /* after the mandatory ones */
  GNUTLS_EXT_TLS = 2,         /* TLS-internal, after application ones */
  GNUTLS_EXT_ANY = 0,         /* internal use only */
  GNUTLS_EXT_NONE = 4         /* never parsed */
} gnutls_ext_parse_type_t;
3103
3104/**
3105 * gnutls_ext_flags_t:
3106 * @GNUTLS_EXT_FLAG_OVERRIDE_INTERNAL: If specified the extension registered will override the internal; this does not work with extensions existing prior to 3.6.0.
3107 * @GNUTLS_EXT_FLAG_CLIENT_HELLO: This extension can be present in a client hello
3108 * @GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO: This extension can be present in a TLS1.2 or earlier server hello
3109 * @GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO: This extension can be present in a TLS1.3 server hello
3110 * @GNUTLS_EXT_FLAG_EE: This extension can be present in encrypted extensions message
3111 * @GNUTLS_EXT_FLAG_HRR: This extension can be present in hello retry request message
 * @GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST: When this flag is present, the extension will be sent even if the client didn't advertise it. An extension of this type is the Cookie TLS1.3 extension.
3113 * @GNUTLS_EXT_FLAG_DTLS: This extension can be present under DTLS; otherwise ignored.
3114 * @GNUTLS_EXT_FLAG_TLS: This extension can be present under TLS; otherwise ignored.
3115 *
3116 * Enumeration of different TLS extension registration flags.
3117 */
typedef enum {
  GNUTLS_EXT_FLAG_OVERRIDE_INTERNAL = 0x001,     /* replace the built-in extension of the same id */
  GNUTLS_EXT_FLAG_CLIENT_HELLO = 0x002,          /* may appear in client hello */
  GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO = 0x004,    /* may appear in a TLS1.2-or-earlier server hello */
  GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO = 0x008,    /* may appear in a TLS1.3 server hello */
  GNUTLS_EXT_FLAG_EE = 0x010,                    /* may appear in encrypted extensions */
  GNUTLS_EXT_FLAG_HRR = 0x020,                   /* may appear in hello retry request */
  GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST = 0x040, /* sent even if the client did not advertise it */
  GNUTLS_EXT_FLAG_TLS = 0x080,                   /* applies under TLS */
  GNUTLS_EXT_FLAG_DTLS = 0x100                   /* applies under DTLS */
} gnutls_ext_flags_t;
3129
3130/* Register a custom tls extension
3131 */
/* Registers a library-wide custom TLS extension @name with numeric
 * extension id @type.  @parse_point selects the hello-parsing phase in
 * which @recv_func is run; @send_func emits the extension body,
 * @deinit_func frees the per-session private data, and
 * @pack_func/@unpack_func serialize it (presumably for session storage). */
int gnutls_ext_register(const char *name,
			int type,
			gnutls_ext_parse_type_t parse_point,
			gnutls_ext_recv_func recv_func,
			gnutls_ext_send_func send_func,
			gnutls_ext_deinit_data_func deinit_func,
			gnutls_ext_pack_func pack_func,
			gnutls_ext_unpack_func unpack_func);

/* Per-session variant of gnutls_ext_register().  @flags is a bitmask of
 * gnutls_ext_flags_t restricting the messages the extension may appear in. */
int gnutls_session_ext_register(gnutls_session_t session,
				const char *name,
				int type,
				gnutls_ext_parse_type_t parse_point,
				gnutls_ext_recv_func recv_func,
				gnutls_ext_send_func send_func,
				gnutls_ext_deinit_data_func deinit_func,
				gnutls_ext_pack_func pack_func,
				gnutls_ext_unpack_func unpack_func,
				unsigned int flags);

/* Maps extension id @ext to its printable name (library-wide registry). */
const char *gnutls_ext_get_name(unsigned int ext);
/* Session-aware lookup of the name for @tls_id; presumably also covers
 * extensions registered on @session for the given @parse_point. */
const char *gnutls_ext_get_name2(gnutls_session_t session,
				 unsigned int tls_id,
				 gnutls_ext_parse_type_t parse_point);
3145
3146/* Public supplemental data related functions */
3147
/* Receives @data_size bytes of supplemental data at @data for @session. */
typedef int (*gnutls_supp_recv_func)(gnutls_session_t session,
				     const unsigned char *data,
				     size_t data_size);
/* Appends the supplemental data to be sent for @session to @buf. */
typedef int (*gnutls_supp_send_func)(gnutls_session_t session,
				     gnutls_buffer_t buf);

/* Registers a library-wide handler pair for supplemental data of format
 * @type under the printable name @name. */
int gnutls_supplemental_register(const char *name,
				 gnutls_supplemental_data_format_type_t type,
				 gnutls_supp_recv_func supp_recv_func,
				 gnutls_supp_send_func supp_send_func);

/* Per-session variant of gnutls_supplemental_register().
 * NOTE(review): no values for @flags are defined in this part of the header. */
int gnutls_session_supplemental_register(gnutls_session_t session,
					 const char *name,
					 gnutls_supplemental_data_format_type_t type,
					 gnutls_supp_recv_func supp_recv_func,
					 gnutls_supp_send_func supp_send_func,
					 unsigned int flags);

/* Enables (non-zero) or disables receiving of supplemental data on @session. */
void gnutls_supplemental_recv(gnutls_session_t session,
			      unsigned int do_recv_supplemental);

/* Enables (non-zero) or disables sending of supplemental data on @session. */
void gnutls_supplemental_send(gnutls_session_t session,
			      unsigned int do_send_supplemental);
3167
3168/* Anti-replay related functions */
3169
/* Opaque anti-replay state (presumably for TLS 1.3 early data; compare
 * GNUTLS_E_EARLY_DATA_REJECTED below).  The struct is not defined here. */
typedef struct gnutls_anti_replay_st *gnutls_anti_replay_t;

/* Allocates a new anti-replay object into *@anti_replay. */
int gnutls_anti_replay_init(gnutls_anti_replay_t *anti_replay);
/* Releases an object obtained from gnutls_anti_replay_init(). */
void gnutls_anti_replay_deinit(gnutls_anti_replay_t anti_replay);
/* Sets the replay window to @window.  NOTE(review): the unit is not
 * stated here — see the manual. */
void gnutls_anti_replay_set_window(gnutls_anti_replay_t anti_replay,
				   unsigned int window);
/* Attaches @anti_replay to @session. */
void gnutls_anti_replay_enable(gnutls_session_t session,
			       gnutls_anti_replay_t anti_replay);

/* Storage callback: records (@key, @data) with expiry @exp_time; @ptr is
 * presumably the value set with gnutls_anti_replay_set_ptr().
 * NOTE(review): the replay check presumably relies on this returning an
 * error (GNUTLS_E_DB_ENTRY_EXISTS is defined below) when @key is already
 * stored — an implementation that silently overwrites would defeat it;
 * confirm against the manual. */
typedef int (*gnutls_db_add_func)(void *ptr,
				  time_t exp_time,
				  const gnutls_datum_t *key,
				  const gnutls_datum_t *data);

/* Installs the storage callback used by @anti_replay. */
void gnutls_anti_replay_set_add_function(gnutls_anti_replay_t anti_replay,
					 gnutls_db_add_func add_func);

/* Sets the opaque pointer handed to the storage callback. */
void gnutls_anti_replay_set_ptr(gnutls_anti_replay_t anti_replay, void *ptr);
3186
3187
3188/* FIPS140-2 related functions */
/* Returns non-zero when the library operates in FIPS140-2 mode (the
 * GNUTLS_FIPS140_SET_*_MODE() macros below key off this). */
unsigned int gnutls_fips140_mode_enabled(void);
3190
3191/**
3192 * gnutls_fips_mode_t:
3193 * @GNUTLS_FIPS140_DISABLED: The FIPS140-2 mode is disabled.
3194 * @GNUTLS_FIPS140_STRICT: The default mode; all forbidden operations will cause an
3195 *                         operation failure via error code.
3196 * @GNUTLS_FIPS140_LAX: The library still uses the FIPS140-2 relevant algorithms but all
3197 *                      forbidden by FIPS140-2 operations are allowed; this is useful when the
3198 *                      application is aware of the followed security policy, and needs
3199 *                      to utilize disallowed operations for other reasons (e.g., compatibility).
 * @GNUTLS_FIPS140_LOG: Similarly to %GNUTLS_FIPS140_LAX, it allows forbidden operations; any use of them results
 *                      in a message to the audit callback functions.
3202 * @GNUTLS_FIPS140_SELFTESTS: A transient state during library initialization. That state
3203 *			cannot be set or seen by applications.
3204 *
3205 * Enumeration of different operational modes under FIPS140-2.
3206 */
typedef enum gnutls_fips_mode_t {
  GNUTLS_FIPS140_DISABLED = 0,  /* no FIPS140-2 enforcement */
  GNUTLS_FIPS140_STRICT = 1,    /* default: forbidden operations fail with an error */
  GNUTLS_FIPS140_LAX = 3,       /* forbidden operations are allowed */
  GNUTLS_FIPS140_LOG = 4,       /* allowed, but each use goes to the audit callbacks */
  GNUTLS_FIPS140_SELFTESTS = 2  /* transient state during init; not settable by applications */
} gnutls_fips_mode_t;
3214
/* Flag for gnutls_fips140_set_mode(); by its name it scopes the mode
 * change to the calling thread rather than the whole process
 * (NOTE(review): inferred from the name — confirm). */
#define GNUTLS_FIPS140_SET_MODE_THREAD 1

/* Switches the FIPS140-2 operational mode to @mode; @flags is zero or
 * GNUTLS_FIPS140_SET_MODE_THREAD. */
void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned int flags);
3218
/* Relaxes FIPS140-2 enforcement: when FIPS mode is enabled, switches to
 * GNUTLS_FIPS140_LAX with the *_THREAD flag.  No-op otherwise.  Pair every
 * use with GNUTLS_FIPS140_SET_STRICT_MODE() so enforcement is restored
 * once the non-approved operation is done, and keep that window small. */
#define GNUTLS_FIPS140_SET_LAX_MODE() \
	do { \
		if (gnutls_fips140_mode_enabled()) { \
			gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, \
						GNUTLS_FIPS140_SET_MODE_THREAD); \
		} \
	} while (0)
3223
/* Counterpart of GNUTLS_FIPS140_SET_LAX_MODE(): when FIPS mode is enabled,
 * switches back to GNUTLS_FIPS140_STRICT with the *_THREAD flag.  No-op
 * otherwise. */
#define GNUTLS_FIPS140_SET_STRICT_MODE() \
	do { \
		if (gnutls_fips140_mode_enabled()) { \
			gnutls_fips140_set_mode(GNUTLS_FIPS140_STRICT, \
						GNUTLS_FIPS140_SET_MODE_THREAD); \
		} \
	} while (0)
3228
3229  /* Gnutls error codes. The mapping to a TLS alert is also shown in
3230   * comments.
3231   */
3232
/* Every code below is negative; GNUTLS_E_SUCCESS (0) is the only
 * non-negative value.  Gaps in the numbering (e.g. -1, -2, -4, -5) are
 * presumably retired codes — do not reassign them.  A trailing GNUTLS_A_*
 * comment names the TLS alert the error maps to. */
#define GNUTLS_E_SUCCESS 0
#define	GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM -3
#define	GNUTLS_E_UNKNOWN_CIPHER_TYPE -6
#define	GNUTLS_E_LARGE_PACKET -7
#define GNUTLS_E_UNSUPPORTED_VERSION_PACKET -8	/* GNUTLS_A_PROTOCOL_VERSION */
/* Alias of the code defined on the next line; macro expansion happens at
 * the point of use, so the forward reference is harmless. */
#define GNUTLS_E_TLS_PACKET_DECODING_ERROR GNUTLS_E_UNEXPECTED_PACKET_LENGTH
#define GNUTLS_E_UNEXPECTED_PACKET_LENGTH -9	/* GNUTLS_A_DECODE_ERROR */
#define GNUTLS_E_INVALID_SESSION -10
#define GNUTLS_E_FATAL_ALERT_RECEIVED -12
#define GNUTLS_E_UNEXPECTED_PACKET -15	/* GNUTLS_A_UNEXPECTED_MESSAGE */
#define GNUTLS_E_WARNING_ALERT_RECEIVED -16
#define GNUTLS_E_ERROR_IN_FINISHED_PACKET -18
#define GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET -19
#define	GNUTLS_E_UNKNOWN_CIPHER_SUITE -21	/* GNUTLS_A_HANDSHAKE_FAILURE */
#define	GNUTLS_E_UNWANTED_ALGORITHM -22
#define	GNUTLS_E_MPI_SCAN_FAILED -23
/* A single code covers both record-MAC and decryption failures (the two
 * alert names); keep it that way — distinguishing them at the API level
 * would reveal to the caller which step failed. */
#define GNUTLS_E_DECRYPTION_FAILED -24	/* GNUTLS_A_DECRYPTION_FAILED, GNUTLS_A_BAD_RECORD_MAC */
#define GNUTLS_E_MEMORY_ERROR -25
#define GNUTLS_E_DECOMPRESSION_FAILED -26	/* GNUTLS_A_DECOMPRESSION_FAILURE */
#define GNUTLS_E_COMPRESSION_FAILED -27
/* Presumably the "retry later" indication for non-blocking transports
 * (together with GNUTLS_E_INTERRUPTED below) — confirm in the manual. */
#define GNUTLS_E_AGAIN -28
#define GNUTLS_E_EXPIRED -29
#define GNUTLS_E_DB_ERROR -30
/* SRP password-file errors reuse the generic key-file code (next line). */
#define GNUTLS_E_SRP_PWD_ERROR GNUTLS_E_KEYFILE_ERROR
#define GNUTLS_E_KEYFILE_ERROR -31
#define GNUTLS_E_INSUFFICIENT_CREDENTIALS -32
#define GNUTLS_E_INSUFICIENT_CREDENTIALS GNUTLS_E_INSUFFICIENT_CREDENTIALS	/* for backwards compatibility only */
#define GNUTLS_E_INSUFFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS
#define GNUTLS_E_INSUFICIENT_CRED GNUTLS_E_INSUFFICIENT_CREDENTIALS	/* for backwards compatibility only */
3262
#define GNUTLS_E_HASH_FAILED -33
#define GNUTLS_E_BASE64_DECODING_ERROR -34

#define	GNUTLS_E_MPI_PRINT_FAILED -35
#define GNUTLS_E_REHANDSHAKE -37	/* GNUTLS_A_NO_RENEGOTIATION */
#define GNUTLS_E_GOT_APPLICATION_DATA -38
#define GNUTLS_E_RECORD_LIMIT_REACHED -39
#define GNUTLS_E_ENCRYPTION_FAILED -40

/* Public-key operation failures. */
#define GNUTLS_E_PK_ENCRYPTION_FAILED -44
#define GNUTLS_E_PK_DECRYPTION_FAILED -45
#define GNUTLS_E_PK_SIGN_FAILED -46
#define GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION -47
#define GNUTLS_E_KEY_USAGE_VIOLATION -48
#define GNUTLS_E_NO_CERTIFICATE_FOUND -49	/* GNUTLS_A_BAD_CERTIFICATE */
#define GNUTLS_E_INVALID_REQUEST -50
/* Presumably: the caller-supplied output buffer was too small. */
#define GNUTLS_E_SHORT_MEMORY_BUFFER -51
#define GNUTLS_E_INTERRUPTED -52
/* Transport-callback (push/pull) failures — presumably. */
#define GNUTLS_E_PUSH_ERROR -53
#define GNUTLS_E_PULL_ERROR -54
#define GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER -55	/* GNUTLS_A_ILLEGAL_PARAMETER */
#define GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE -56
#define GNUTLS_E_PKCS1_WRONG_PAD -57
#define GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION -58
#define GNUTLS_E_INTERNAL_ERROR -59
#define GNUTLS_E_DH_PRIME_UNACCEPTABLE -63
#define GNUTLS_E_FILE_ERROR -64
/* The two TOO_MANY_* codes look like flood guards against peers that send
 * unbounded empty records / handshake messages — confirm in the manual. */
#define GNUTLS_E_TOO_MANY_EMPTY_PACKETS -78
#define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
#define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
#define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */
#define GNUTLS_E_CERTIFICATE_REQUIRED -112 /* GNUTLS_A_CERTIFICATE_REQUIRED */
3295
3296  /* returned if you need to generate temporary RSA
3297   * parameters. These are needed for export cipher suites.
3298   */
#define GNUTLS_E_NO_TEMPORARY_RSA_PARAMS -84

#define GNUTLS_E_NO_COMPRESSION_ALGORITHMS -86
#define GNUTLS_E_NO_CIPHER_SUITES -87

#define GNUTLS_E_OPENPGP_GETKEY_FAILED -88
#define GNUTLS_E_PK_SIG_VERIFY_FAILED -89

#define GNUTLS_E_ILLEGAL_SRP_USERNAME -90
/* As with GNUTLS_E_SRP_PWD_ERROR above: the SRP name is an alias of the
 * generic key-file code defined on the next line. */
#define GNUTLS_E_SRP_PWD_PARSING_ERROR GNUTLS_E_KEYFILE_PARSING_ERROR
#define GNUTLS_E_KEYFILE_PARSING_ERROR -91
#define GNUTLS_E_NO_TEMPORARY_DH_PARAMS -93
3311
3312  /* For certificate and key stuff
3313   */
/* ASN.1 / DER decoding failures (-67..-77).  Note these were allocated
 * out of sequence with the surrounding groups; the values are fixed. */
#define GNUTLS_E_ASN1_ELEMENT_NOT_FOUND -67
#define GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND -68
#define GNUTLS_E_ASN1_DER_ERROR -69
#define GNUTLS_E_ASN1_VALUE_NOT_FOUND -70
#define GNUTLS_E_ASN1_GENERIC_ERROR -71
#define GNUTLS_E_ASN1_VALUE_NOT_VALID -72
#define GNUTLS_E_ASN1_TAG_ERROR -73
#define GNUTLS_E_ASN1_TAG_IMPLICIT -74
#define GNUTLS_E_ASN1_TYPE_ANY_ERROR -75
#define GNUTLS_E_ASN1_SYNTAX_ERROR -76
#define GNUTLS_E_ASN1_DER_OVERFLOW -77
#define GNUTLS_E_OPENPGP_UID_REVOKED -79
/* Certificate handling. */
#define GNUTLS_E_CERTIFICATE_ERROR -43
#define GNUTLS_E_X509_CERTIFICATE_ERROR GNUTLS_E_CERTIFICATE_ERROR
#define GNUTLS_E_CERTIFICATE_KEY_MISMATCH -60
#define GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE -61	/* GNUTLS_A_UNSUPPORTED_CERTIFICATE */
#define GNUTLS_E_X509_UNKNOWN_SAN -62
#define GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED -94
#define GNUTLS_E_X509_UNSUPPORTED_ATTRIBUTE -95
#define GNUTLS_E_UNKNOWN_HASH_ALGORITHM -96
#define GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE -97
#define GNUTLS_E_UNKNOWN_PKCS_BAG_TYPE -98
#define GNUTLS_E_INVALID_PASSWORD -99
#define GNUTLS_E_MAC_VERIFY_FAILED -100	/* for PKCS #12 MAC */
#define GNUTLS_E_CONSTRAINT_ERROR -101

#define GNUTLS_E_WARNING_IA_IPHF_RECEIVED -102
#define GNUTLS_E_WARNING_IA_FPHF_RECEIVED -103

#define GNUTLS_E_IA_VERIFY_FAILED -104
#define GNUTLS_E_UNKNOWN_ALGORITHM -105
#define GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM -106
/* Renegotiation safety (the RFC 5746 renegotiation_info mechanism). */
#define GNUTLS_E_SAFE_RENEGOTIATION_FAILED -107
#define GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED -108
#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109
/* Presumably: the transport closed without a close_notify alert, which
 * callers should not treat as a clean end of stream (truncation risk). */
#define GNUTLS_E_PREMATURE_TERMINATION -110

#define GNUTLS_E_MALFORMED_CIDR -111
3352
#define GNUTLS_E_BASE64_ENCODING_ERROR -201
/* Both names are -202 on purpose: the GCRYPT spelling is the obsolete
 * alias of the crypto-library one.  Do not split the values. */
#define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202	/* obsolete */
#define GNUTLS_E_INCOMPATIBLE_CRYPTO_LIBRARY -202
#define GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY -203

#define GNUTLS_E_OPENPGP_KEYRING_ERROR -204
#define GNUTLS_E_X509_UNSUPPORTED_OID -205

/* Random generator failure.  Callers should fail the operation outright;
 * never substitute a weaker entropy source. */
#define GNUTLS_E_RANDOM_FAILED -206
#define GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR -207

#define GNUTLS_E_OPENPGP_SUBKEY_ERROR -208

/* Alias of the code on the next line (expansion is deferred to use). */
#define GNUTLS_E_CRYPTO_ALREADY_REGISTERED GNUTLS_E_ALREADY_REGISTERED
#define GNUTLS_E_ALREADY_REGISTERED -209

#define GNUTLS_E_HANDSHAKE_TOO_LARGE -210

#define GNUTLS_E_CRYPTODEV_IOCTL_ERROR -211
#define GNUTLS_E_CRYPTODEV_DEVICE_ERROR -212

#define GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE -213
/* Presumably a cookie (DTLS HelloVerifyRequest or the TLS1.3 cookie
 * extension mentioned above) that failed verification. */
#define GNUTLS_E_BAD_COOKIE -214
#define GNUTLS_E_OPENPGP_PREFERRED_KEY_ERROR -215
#define GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL -216
/* Presumably: negotiated parameters fall below the configured security
 * level — confirm in the manual. */
#define GNUTLS_E_INSUFFICIENT_SECURITY -217

#define GNUTLS_E_HEARTBEAT_PONG_RECEIVED -292
#define GNUTLS_E_HEARTBEAT_PING_RECEIVED -293

#define GNUTLS_E_UNRECOGNIZED_NAME -294
3384
3385/* PKCS11 related */
#define GNUTLS_E_PKCS11_ERROR -300
#define GNUTLS_E_PKCS11_LOAD_ERROR -301
#define GNUTLS_E_PARSING_ERROR -302
#define GNUTLS_E_PKCS11_PIN_ERROR -303
/* -304 is unused (presumably retired); do not reassign it. */

#define GNUTLS_E_PKCS11_SLOT_ERROR -305
#define GNUTLS_E_LOCKING_ERROR -306
#define GNUTLS_E_PKCS11_ATTRIBUTE_ERROR -307
#define GNUTLS_E_PKCS11_DEVICE_ERROR -308
#define GNUTLS_E_PKCS11_DATA_ERROR -309
#define GNUTLS_E_PKCS11_UNSUPPORTED_FEATURE_ERROR -310
#define GNUTLS_E_PKCS11_KEY_ERROR -311
/* Token PIN state.  The gnutls_pin_callback_t docs above say the callback
 * stops being retried once the token refuses login; PIN_LOCKED is
 * presumably the code that surfaces then — confirm in the manual. */
#define GNUTLS_E_PKCS11_PIN_EXPIRED -312
#define GNUTLS_E_PKCS11_PIN_LOCKED -313
#define GNUTLS_E_PKCS11_SESSION_ERROR -314
#define GNUTLS_E_PKCS11_SIGNATURE_ERROR -315
#define GNUTLS_E_PKCS11_TOKEN_ERROR -316
#define GNUTLS_E_PKCS11_USER_ERROR -317

#define GNUTLS_E_CRYPTO_INIT_FAILED -318
#define GNUTLS_E_TIMEDOUT -319
#define GNUTLS_E_USER_ERROR -320
#define GNUTLS_E_ECC_NO_SUPPORTED_CURVES -321
#define GNUTLS_E_ECC_UNSUPPORTED_CURVE -322
/* The misspelling ("AVAILBLE") is part of the public API; keep it. */
#define GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE -323
#define GNUTLS_E_CERTIFICATE_LIST_UNSORTED -324
#define GNUTLS_E_ILLEGAL_PARAMETER -325 /* GNUTLS_A_ILLEGAL_PARAMETER */
#define GNUTLS_E_NO_PRIORITIES_WERE_SET -326
#define GNUTLS_E_X509_UNSUPPORTED_EXTENSION -327
#define GNUTLS_E_SESSION_EOF -328

/* TPM-backed keys. */
#define GNUTLS_E_TPM_ERROR -329
#define GNUTLS_E_TPM_KEY_PASSWORD_ERROR -330
#define GNUTLS_E_TPM_SRK_PASSWORD_ERROR -331
#define GNUTLS_E_TPM_SESSION_ERROR -332
#define GNUTLS_E_TPM_KEY_NOT_FOUND -333
#define GNUTLS_E_TPM_UNINITIALIZED -334
#define GNUTLS_E_TPM_NO_LIB -335

/* Certificate status (OCSP) and miscellaneous. */
#define GNUTLS_E_NO_CERTIFICATE_STATUS -340
#define GNUTLS_E_OCSP_RESPONSE_ERROR -341
#define GNUTLS_E_RANDOM_DEVICE_ERROR -342
#define GNUTLS_E_AUTH_ERROR -343
#define GNUTLS_E_NO_APPLICATION_PROTOCOL -344
#define GNUTLS_E_SOCKETS_INIT_ERROR -345
#define GNUTLS_E_KEY_IMPORT_FAILED -346
/* Presumably the TLS_FALLBACK_SCSV (RFC 7507) downgrade detection. */
#define GNUTLS_E_INAPPROPRIATE_FALLBACK -347 /*GNUTLS_A_INAPPROPRIATE_FALLBACK*/
#define GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR -348
#define GNUTLS_E_PRIVKEY_VERIFICATION_ERROR -349
#define GNUTLS_E_UNEXPECTED_EXTENSIONS_LENGTH -350 /*GNUTLS_A_DECODE_ERROR*/
/* Rejecting embedded NULs in DER strings guards against name-spoofing
 * via truncated C-string comparisons — presumably the intent here. */
#define GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING -351
3437
/* Self-test and library error-state conditions (compare gnutls_fips_mode_t
 * above; the exact relationship is not shown in this header). */
#define GNUTLS_E_SELF_TEST_ERROR -400
#define GNUTLS_E_NO_SELF_TEST -401
#define GNUTLS_E_LIB_IN_ERROR_STATE -402
#define GNUTLS_E_PK_GENERATION_ERROR -403
#define GNUTLS_E_IDNA_ERROR -404

#define GNUTLS_E_NEED_FALLBACK -405
#define GNUTLS_E_SESSION_USER_ID_CHANGED -406
#define GNUTLS_E_HANDSHAKE_DURING_FALSE_START -407
#define GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE -408
#define GNUTLS_E_PK_INVALID_PUBKEY -409
#define GNUTLS_E_PK_INVALID_PRIVKEY -410
#define GNUTLS_E_NOT_YET_ACTIVATED -411
#define GNUTLS_E_INVALID_UTF8_STRING -412
#define GNUTLS_E_NO_EMBEDDED_DATA -413
#define GNUTLS_E_INVALID_UTF8_EMAIL -414
#define GNUTLS_E_INVALID_PASSWORD_STRING -415
#define GNUTLS_E_CERTIFICATE_TIME_ERROR -416
#define GNUTLS_E_RECORD_OVERFLOW -417	/* GNUTLS_A_RECORD_OVERFLOW */
#define GNUTLS_E_ASN1_TIME_ERROR -418
#define GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY -419
#define GNUTLS_E_PK_INVALID_PUBKEY_PARAMS -420
#define GNUTLS_E_PK_NO_VALIDATION_PARAMS -421
#define GNUTLS_E_OCSP_MISMATCH_WITH_CERTS -422

/* TLS1.3 key_share negotiation found no group in common. */
#define GNUTLS_E_NO_COMMON_KEY_SHARE -423
/* Presumably TLS1.3 post-handshake authentication. */
#define GNUTLS_E_REAUTH_REQUEST -424
#define GNUTLS_E_TOO_MANY_MATCHES -425
#define GNUTLS_E_CRL_VERIFICATION_ERROR -426
#define GNUTLS_E_MISSING_EXTENSION -427
/* Presumably what a gnutls_db_add_func returns for a duplicate key; the
 * anti-replay mechanism above likely depends on it — confirm. */
#define GNUTLS_E_DB_ENTRY_EXISTS -428
/* TLS1.3 0-RTT data was not accepted by the peer / anti-replay check. */
#define GNUTLS_E_EARLY_DATA_REJECTED -429
#define GNUTLS_E_X509_DUPLICATE_EXTENSION -430

#define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
3473
3474/* Internal errors of the library; will never be returned
3475 * to a calling application */
#define GNUTLS_E_INT_RET_0 -1251
#define GNUTLS_E_INT_CHECK_AGAIN -1252

/* Range presumably reserved for application-defined error codes.  MAX is
 * the bound nearest zero and MIN the most negative, i.e. a code in the
 * range satisfies -65500 <= code <= -65000. */
#define GNUTLS_E_APPLICATION_ERROR_MAX -65000
#define GNUTLS_E_APPLICATION_ERROR_MIN -65500
3481
3482/* *INDENT-OFF* */
3483#ifdef __cplusplus
3484}
3485#endif
3486/* *INDENT-ON* */
3487
3488#include <gnutls/compat.h>
3489
3490#endif				/* GNUTLS_H */
3491