1 /* $OpenBSD: ssl.h,v 1.229 2022/09/11 17:39:46 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  * ECC cipher suite support in OpenSSL originally developed by
114  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115  */
116 /* ====================================================================
117  * Copyright 2005 Nokia. All rights reserved.
118  *
119  * The portions of the attached software ("Contribution") is developed by
120  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121  * license.
122  *
123  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125  * support (see RFC 4279) to OpenSSL.
126  *
127  * No patent licenses or other rights except those expressly stated in
128  * the OpenSSL open source license shall be deemed granted or received
129  * expressly, by implication, estoppel, or otherwise.
130  *
131  * No assurances are provided by Nokia that the Contribution does not
132  * infringe the patent or other intellectual property rights of any third
133  * party or that the license provides you with all the necessary rights
134  * to make use of the Contribution.
135  *
136  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140  * OTHERWISE.
141  */
142 
143 #ifndef HEADER_SSL_H
144 #define HEADER_SSL_H
145 
146 #include <stdint.h>
147 
148 #include <openssl/opensslconf.h>
149 
150 #include <openssl/hmac.h>
151 #include <openssl/pem.h>
152 #include <openssl/safestack.h>
153 
154 #include <openssl/bio.h>
155 
156 #ifndef OPENSSL_NO_DEPRECATED
157 #include <openssl/buffer.h>
158 #include <openssl/crypto.h>
159 #include <openssl/lhash.h>
160 
161 #ifndef OPENSSL_NO_X509
162 #include <openssl/x509.h>
163 #endif
164 #endif
165 
166 #ifdef  __cplusplus
167 extern "C" {
168 #endif
169 
170 /* SSLeay version number for ASN.1 encoding of the session information */
171 /* Version 0 - initial version
172  * Version 1 - added the optional peer certificate
173  */
174 #define SSL_SESSION_ASN1_VERSION 0x0001
175 
176 /* text strings for the ciphers */
177 #define SSL_TXT_NULL_WITH_MD5		SSL2_TXT_NULL_WITH_MD5
178 #define SSL_TXT_RC4_128_WITH_MD5	SSL2_TXT_RC4_128_WITH_MD5
179 #define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
180 #define SSL_TXT_RC2_128_CBC_WITH_MD5	SSL2_TXT_RC2_128_CBC_WITH_MD5
181 #define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
182 #define SSL_TXT_IDEA_128_CBC_WITH_MD5	SSL2_TXT_IDEA_128_CBC_WITH_MD5
183 #define SSL_TXT_DES_64_CBC_WITH_MD5	SSL2_TXT_DES_64_CBC_WITH_MD5
184 #define SSL_TXT_DES_64_CBC_WITH_SHA	SSL2_TXT_DES_64_CBC_WITH_SHA
185 #define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
186 #define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
187 
188 /*    VRS Additional Kerberos5 entries
189  */
190 #define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
191 #define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
192 #define SSL_TXT_KRB5_RC4_128_SHA      SSL3_TXT_KRB5_RC4_128_SHA
193 #define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
194 #define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5
195 #define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
196 #define SSL_TXT_KRB5_RC4_128_MD5      SSL3_TXT_KRB5_RC4_128_MD5
197 #define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
198 
199 #define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA
200 #define SSL_TXT_KRB5_RC2_40_CBC_SHA   SSL3_TXT_KRB5_RC2_40_CBC_SHA
201 #define SSL_TXT_KRB5_RC4_40_SHA	      SSL3_TXT_KRB5_RC4_40_SHA
202 #define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5
203 #define SSL_TXT_KRB5_RC2_40_CBC_MD5   SSL3_TXT_KRB5_RC2_40_CBC_MD5
204 #define SSL_TXT_KRB5_RC4_40_MD5	      SSL3_TXT_KRB5_RC4_40_MD5
205 
206 #define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA
207 #define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5
208 #define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
209 #define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5
210 #define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
211 #define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
212 #define SSL_MAX_KRB5_PRINCIPAL_LENGTH  256
213 
214 #define SSL_MAX_SSL_SESSION_ID_LENGTH		32
215 #define SSL_MAX_SID_CTX_LENGTH			32
216 
217 #define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES	(512/8)
218 #define SSL_MAX_KEY_ARG_LENGTH			8
219 #define SSL_MAX_MASTER_KEY_LENGTH		48
220 
221 
222 /* These are used to specify which ciphers to use and not to use */
223 
224 #define SSL_TXT_LOW		"LOW"
225 #define SSL_TXT_MEDIUM		"MEDIUM"
226 #define SSL_TXT_HIGH		"HIGH"
227 
228 #define SSL_TXT_kFZA		"kFZA" /* unused! */
229 #define	SSL_TXT_aFZA		"aFZA" /* unused! */
230 #define SSL_TXT_eFZA		"eFZA" /* unused! */
231 #define SSL_TXT_FZA		"FZA"  /* unused! */
232 
233 #define	SSL_TXT_aNULL		"aNULL"
234 #define	SSL_TXT_eNULL		"eNULL"
235 #define	SSL_TXT_NULL		"NULL"
236 
237 #define SSL_TXT_kRSA		"kRSA"
238 #define SSL_TXT_kDHr		"kDHr" /* no such ciphersuites supported! */
239 #define SSL_TXT_kDHd		"kDHd" /* no such ciphersuites supported! */
240 #define SSL_TXT_kDH 		"kDH"  /* no such ciphersuites supported! */
241 #define SSL_TXT_kEDH		"kEDH"
242 #define SSL_TXT_kKRB5     	"kKRB5"
243 #define SSL_TXT_kECDHr		"kECDHr"
244 #define SSL_TXT_kECDHe		"kECDHe"
245 #define SSL_TXT_kECDH		"kECDH"
246 #define SSL_TXT_kEECDH		"kEECDH"
247 #define SSL_TXT_kPSK            "kPSK"
248 #define SSL_TXT_kGOST		"kGOST"
249 #define SSL_TXT_kSRP		"kSRP"
250 
251 #define	SSL_TXT_aRSA		"aRSA"
252 #define	SSL_TXT_aDSS		"aDSS"
253 #define	SSL_TXT_aDH		"aDH" /* no such ciphersuites supported! */
254 #define	SSL_TXT_aECDH		"aECDH"
255 #define SSL_TXT_aKRB5     	"aKRB5"
256 #define SSL_TXT_aECDSA		"aECDSA"
257 #define SSL_TXT_aPSK            "aPSK"
258 #define SSL_TXT_aGOST94		"aGOST94"
259 #define SSL_TXT_aGOST01		"aGOST01"
260 #define SSL_TXT_aGOST		"aGOST"
261 
262 #define	SSL_TXT_DSS		"DSS"
263 #define SSL_TXT_DH		"DH"
264 #define SSL_TXT_DHE		"DHE" /* same as "kDHE:-ADH" */
265 #define SSL_TXT_EDH		"EDH" /* previous name for DHE */
266 #define SSL_TXT_ADH		"ADH"
267 #define SSL_TXT_RSA		"RSA"
268 #define SSL_TXT_ECDH		"ECDH"
269 #define SSL_TXT_ECDHE		"ECDHE" /* same as "kECDHE:-AECDH" */
270 #define SSL_TXT_EECDH		"EECDH" /* previous name for ECDHE */
271 #define SSL_TXT_AECDH		"AECDH"
272 #define SSL_TXT_ECDSA		"ECDSA"
273 #define SSL_TXT_KRB5      	"KRB5"
274 #define SSL_TXT_PSK             "PSK"
275 #define SSL_TXT_SRP		"SRP"
276 
277 #define SSL_TXT_DES		"DES"
278 #define SSL_TXT_3DES		"3DES"
279 #define SSL_TXT_RC4		"RC4"
280 #define SSL_TXT_RC2		"RC2"
281 #define SSL_TXT_IDEA		"IDEA"
282 #define SSL_TXT_SEED		"SEED"
283 #define SSL_TXT_AES128		"AES128"
284 #define SSL_TXT_AES256		"AES256"
285 #define SSL_TXT_AES		"AES"
286 #define SSL_TXT_AES_GCM		"AESGCM"
287 #define SSL_TXT_CAMELLIA128	"CAMELLIA128"
288 #define SSL_TXT_CAMELLIA256	"CAMELLIA256"
289 #define SSL_TXT_CAMELLIA	"CAMELLIA"
290 #define SSL_TXT_CHACHA20	"CHACHA20"
291 
292 #define SSL_TXT_AEAD		"AEAD"
293 #define SSL_TXT_MD5		"MD5"
294 #define SSL_TXT_SHA1		"SHA1"
295 #define SSL_TXT_SHA		"SHA" /* same as "SHA1" */
296 #define SSL_TXT_GOST94		"GOST94"
297 #define SSL_TXT_GOST89MAC		"GOST89MAC"
298 #define SSL_TXT_SHA256		"SHA256"
299 #define SSL_TXT_SHA384		"SHA384"
300 #define SSL_TXT_STREEBOG256		"STREEBOG256"
301 #define SSL_TXT_STREEBOG512		"STREEBOG512"
302 
303 #define SSL_TXT_DTLS1		"DTLSv1"
304 #define SSL_TXT_DTLS1_2		"DTLSv1.2"
305 #define SSL_TXT_SSLV2		"SSLv2"
306 #define SSL_TXT_SSLV3		"SSLv3"
307 #define SSL_TXT_TLSV1		"TLSv1"
308 #define SSL_TXT_TLSV1_1		"TLSv1.1"
309 #define SSL_TXT_TLSV1_2		"TLSv1.2"
310 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
311 #define SSL_TXT_TLSV1_3		"TLSv1.3"
312 #endif
313 
314 #define SSL_TXT_EXP		"EXP"
315 #define SSL_TXT_EXPORT		"EXPORT"
316 
317 #define SSL_TXT_ALL		"ALL"
318 
319 /*
320  * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
321  * ciphers normally not being used.
322  * Example: "RC4" will activate all ciphers using RC4 including ciphers
323  * without authentication, which would normally disabled by DEFAULT (due
324  * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
325  * will make sure that it is also disabled in the specific selection.
326  * COMPLEMENTOF* identifiers are portable between version, as adjustments
327  * to the default cipher setup will also be included here.
328  *
329  * COMPLEMENTOFDEFAULT does not experience the same special treatment that
330  * DEFAULT gets, as only selection is being done and no sorting as needed
331  * for DEFAULT.
332  */
333 #define SSL_TXT_CMPALL		"COMPLEMENTOFALL"
334 #define SSL_TXT_CMPDEF		"COMPLEMENTOFDEFAULT"
335 
336 /* The following cipher list is used by default.
337  * It also is substituted when an application-defined cipher list string
338  * starts with 'DEFAULT'. */
339 #define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2"
340 /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
341  * starts with a reasonable order, and all we have to do for DEFAULT is
342  * throwing out anonymous and unencrypted ciphersuites!
343  * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
344  * some of them.)
345  */
346 
347 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
348 #define SSL_SENT_SHUTDOWN	1
349 #define SSL_RECEIVED_SHUTDOWN	2
350 
351 
352 #define SSL_FILETYPE_ASN1	X509_FILETYPE_ASN1
353 #define SSL_FILETYPE_PEM	X509_FILETYPE_PEM
354 
355 /* This is needed to stop compilers complaining about the
356  * 'struct ssl_st *' function parameters used to prototype callbacks
357  * in SSL_CTX. */
358 typedef struct ssl_st *ssl_crock_st;
359 
360 typedef struct ssl_method_st SSL_METHOD;
361 typedef struct ssl_cipher_st SSL_CIPHER;
362 typedef struct ssl_session_st SSL_SESSION;
363 
364 #if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL)
365 typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
366 #endif
367 
368 DECLARE_STACK_OF(SSL_CIPHER)
369 
370 /* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
371 typedef struct srtp_protection_profile_st {
372 	const char *name;
373 	unsigned long id;
374 } SRTP_PROTECTION_PROFILE;
375 
376 DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
377 
378 typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
379     int len, void *arg);
380 typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
381     STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
382 
383 /* Allow initial connection to servers that don't support RI */
384 #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
385 
386 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
387  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
388  * the workaround is not needed.
389  * Unfortunately some broken SSL/TLS implementations cannot handle it
390  * at all, which is why it was previously included in SSL_OP_ALL.
391  * Now it's not.
392  */
393 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS		0x00000800L
394 
395 /* DTLS options */
396 #define SSL_OP_NO_QUERY_MTU				0x00001000L
397 /* Turn on Cookie Exchange (on relevant for servers) */
398 #define SSL_OP_COOKIE_EXCHANGE				0x00002000L
399 /* Don't use RFC4507 ticket extension */
400 #define SSL_OP_NO_TICKET				0x00004000L
401 
402 /* As server, disallow session resumption on renegotiation */
403 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	0x00010000L
404 /* Disallow client initiated renegotiation. */
405 #define SSL_OP_NO_CLIENT_RENEGOTIATION			0x00020000L
406 /* If set, always create a new key when using tmp_dh parameters */
407 #define SSL_OP_SINGLE_DH_USE				0x00100000L
408 /* Set on servers to choose the cipher according to the server's
409  * preferences */
410 #define SSL_OP_CIPHER_SERVER_PREFERENCE			0x00400000L
411 
412 #define SSL_OP_NO_TLSv1					0x04000000L
413 #define SSL_OP_NO_TLSv1_2				0x08000000L
414 #define SSL_OP_NO_TLSv1_1				0x10000000L
415 
416 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
417 #define SSL_OP_NO_TLSv1_3				0x20000000L
418 #endif
419 
420 #define SSL_OP_NO_DTLSv1				0x40000000L
421 #define SSL_OP_NO_DTLSv1_2				0x80000000L
422 
423 /* SSL_OP_ALL: various bug workarounds that should be rather harmless. */
424 #define SSL_OP_ALL \
425     (SSL_OP_LEGACY_SERVER_CONNECT)
426 
427 /* Obsolete flags kept for compatibility. No sane code should use them. */
428 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION	0x0
429 #define SSL_OP_CISCO_ANYCONNECT				0x0
430 #define SSL_OP_CRYPTOPRO_TLSEXT_BUG			0x0
431 #define SSL_OP_EPHEMERAL_RSA				0x0
432 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x0
433 #define SSL_OP_MICROSOFT_SESS_ID_BUG			0x0
434 #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x0
435 #define SSL_OP_NETSCAPE_CA_DN_BUG			0x0
436 #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x0
437 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG		0x0
438 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x0
439 #define SSL_OP_NO_COMPRESSION				0x0
440 #define SSL_OP_NO_SSLv2					0x0
441 #define SSL_OP_NO_SSLv3					0x0
442 #define SSL_OP_PKCS1_CHECK_1				0x0
443 #define SSL_OP_PKCS1_CHECK_2				0x0
444 #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x0
445 #define SSL_OP_SINGLE_ECDH_USE				0x0
446 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x0
447 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x0
448 #define SSL_OP_TLSEXT_PADDING				0x0
449 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x0
450 #define SSL_OP_TLS_D5_BUG				0x0
451 #define SSL_OP_TLS_ROLLBACK_BUG				0x0
452 
453 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
454  * when just a single record has been written): */
455 #define SSL_MODE_ENABLE_PARTIAL_WRITE       0x00000001L
456 /* Make it possible to retry SSL_write() with changed buffer location
457  * (buffer contents must stay the same!); this is not the default to avoid
458  * the misconception that non-blocking SSL_write() behaves like
459  * non-blocking write(): */
460 #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
461 /* Never bother the application with retries if the transport
462  * is blocking: */
463 #define SSL_MODE_AUTO_RETRY 0x00000004L
464 /* Don't attempt to automatically build certificate chain */
465 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
466 /* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
467  * TLS only.)  "Released" buffers are put onto a free-list in the context
468  * or just freed (depending on the context's setting for freelist_max_len). */
469 #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
470 
471 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
472  * they cannot be used to clear bits. */
473 
474 #define SSL_CTX_set_options(ctx,op) \
475 	SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
476 #define SSL_CTX_clear_options(ctx,op) \
477 	SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
478 #define SSL_CTX_get_options(ctx) \
479 	SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
480 #define SSL_set_options(ssl,op) \
481 	SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
482 #define SSL_clear_options(ssl,op) \
483 	SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
484 #define SSL_get_options(ssl) \
485         SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
486 
487 #define SSL_CTX_set_mode(ctx,op) \
488 	SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
489 #define SSL_CTX_clear_mode(ctx,op) \
490 	SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
491 #define SSL_CTX_get_mode(ctx) \
492 	SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
493 #define SSL_clear_mode(ssl,op) \
494 	SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
495 #define SSL_set_mode(ssl,op) \
496 	SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
497 #define SSL_get_mode(ssl) \
498         SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
499 #define SSL_set_mtu(ssl, mtu) \
500         SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
501 
502 #define SSL_get_secure_renegotiation_support(ssl) \
503 	SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
504 
505 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p,
506     int version, int content_type, const void *buf, size_t len, SSL *ssl,
507     void *arg));
508 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
509     int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
510 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
511 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
512 typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line);
513 void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb);
514 SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx);
515 int SSL_set_num_tickets(SSL *s, size_t num_tickets);
516 size_t SSL_get_num_tickets(const SSL *s);
517 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
518 size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
519 STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s);
520 
521 #ifndef LIBRESSL_INTERNAL
522 struct ssl_aead_ctx_st;
523 typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
524 #endif
525 
526 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
527 
528 #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT	(1024*20)
529 
530 /* This callback type is used inside SSL_CTX, SSL, and in the functions that set
531  * them. It is used to override the generation of SSL/TLS session IDs in a
532  * server. Return value should be zero on an error, non-zero to proceed. Also,
533  * callbacks should themselves check if the id they generate is unique otherwise
534  * the SSL handshake will fail with an error - callbacks can do this using the
535  * 'ssl' value they're passed by;
536  *      SSL_has_matching_session_id(ssl, id, *id_len)
537  * The length value passed in is set at the maximum size the session ID can be.
538  * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
539  * can alter this length to be less if desired, but under SSLv2 session IDs are
540  * supposed to be fixed at 16 bytes so the id will be padded after the callback
541  * returns in this case. It is also an error for the callback to set the size to
542  * zero. */
543 typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
544     unsigned int *id_len);
545 
546 typedef struct ssl_comp_st SSL_COMP;
547 
548 #ifdef LIBRESSL_INTERNAL
549 DECLARE_STACK_OF(SSL_COMP)
550 struct lhash_st_SSL_SESSION {
551 	int dummy;
552 };
553 #endif
554 
555 #define SSL_SESS_CACHE_OFF			0x0000
556 #define SSL_SESS_CACHE_CLIENT			0x0001
557 #define SSL_SESS_CACHE_SERVER			0x0002
558 #define SSL_SESS_CACHE_BOTH	(SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
559 #define SSL_SESS_CACHE_NO_AUTO_CLEAR		0x0080
560 /* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
561 #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP	0x0100
562 #define SSL_SESS_CACHE_NO_INTERNAL_STORE	0x0200
563 #define SSL_SESS_CACHE_NO_INTERNAL \
564 	(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
565 
566 struct lhash_st_SSL_SESSION *SSL_CTX_sessions(SSL_CTX *ctx);
567 #define SSL_CTX_sess_number(ctx) \
568 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
569 #define SSL_CTX_sess_connect(ctx) \
570 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
571 #define SSL_CTX_sess_connect_good(ctx) \
572 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
573 #define SSL_CTX_sess_connect_renegotiate(ctx) \
574 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
575 #define SSL_CTX_sess_accept(ctx) \
576 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
577 #define SSL_CTX_sess_accept_renegotiate(ctx) \
578 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
579 #define SSL_CTX_sess_accept_good(ctx) \
580 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
581 #define SSL_CTX_sess_hits(ctx) \
582 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
583 #define SSL_CTX_sess_cb_hits(ctx) \
584 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
585 #define SSL_CTX_sess_misses(ctx) \
586 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
587 #define SSL_CTX_sess_timeouts(ctx) \
588 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
589 #define SSL_CTX_sess_cache_full(ctx) \
590 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
591 
592 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
593     int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess));
594 int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
595     SSL_SESSION *sess);
596 void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
597     void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess));
598 void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx,
599     SSL_SESSION *sess);
600 void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
601     SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
602     const unsigned char *data, int len, int *copy));
603 SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
604     const unsigned char *data, int len, int *copy);
605 void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,
606     int type, int val));
607 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type,
608     int val);
609 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
610     int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
611 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
612     EVP_PKEY **pkey);
613 #ifndef OPENSSL_NO_ENGINE
614 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
615 #endif
616 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
617     int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
618     unsigned int *cookie_len));
619 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
620     int (*app_verify_cookie_cb)(SSL *ssl, const unsigned char *cookie,
621     unsigned int cookie_len));
622 void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb)(SSL *ssl,
623     const unsigned char **out, unsigned int *outlen, void *arg), void *arg);
624 void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, int (*cb)(SSL *ssl,
625     unsigned char **out, unsigned char *outlen, const unsigned char *in,
626     unsigned int inlen, void *arg), void *arg);
627 
628 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
629     const unsigned char *in, unsigned int inlen, const unsigned char *client,
630     unsigned int client_len);
631 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
632     unsigned int *len);
633 
634 #define OPENSSL_NPN_UNSUPPORTED	0
635 #define OPENSSL_NPN_NEGOTIATED	1
636 #define OPENSSL_NPN_NO_OVERLAP	2
637 
638 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
639     unsigned int protos_len);
640 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
641     unsigned int protos_len);
642 void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
643     int (*cb)(SSL *ssl, const unsigned char **out, unsigned char *outlen,
644     const unsigned char *in, unsigned int inlen, void *arg), void *arg);
645 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
646     unsigned int *len);
647 
648 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
649 typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md,
650     const unsigned char **id, size_t *idlen, SSL_SESSION **sess);
651 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb);
652 #endif
653 
654 #define SSL_NOTHING	1
655 #define SSL_WRITING	2
656 #define SSL_READING	3
657 #define SSL_X509_LOOKUP	4
658 
659 /* These will only be used when doing non-blocking IO */
660 #define SSL_want_nothing(s)	(SSL_want(s) == SSL_NOTHING)
661 #define SSL_want_read(s)	(SSL_want(s) == SSL_READING)
662 #define SSL_want_write(s)	(SSL_want(s) == SSL_WRITING)
663 #define SSL_want_x509_lookup(s)	(SSL_want(s) == SSL_X509_LOOKUP)
664 
665 #define SSL_MAC_FLAG_READ_MAC_STREAM 1
666 #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
667 
668 #ifdef __cplusplus
669 }
670 #endif
671 
672 #include <openssl/ssl2.h>
673 #include <openssl/ssl3.h>
674 #include <openssl/tls1.h>	/* This is mostly sslv3 with a few tweaks */
675 #include <openssl/dtls1.h>	/* Datagram TLS */
676 #include <openssl/ssl23.h>
677 #include <openssl/srtp.h>	/* Support for the use_srtp extension */
678 
679 #ifdef  __cplusplus
680 extern "C" {
681 #endif
682 
683 /* compatibility */
684 #define SSL_set_app_data(s,arg)		(SSL_set_ex_data(s,0,(char *)arg))
685 #define SSL_get_app_data(s)		(SSL_get_ex_data(s,0))
686 #define SSL_SESSION_set_app_data(s,a)	(SSL_SESSION_set_ex_data(s,0,(char *)a))
687 #define SSL_SESSION_get_app_data(s)	(SSL_SESSION_get_ex_data(s,0))
688 #define SSL_CTX_get_app_data(ctx)	(SSL_CTX_get_ex_data(ctx,0))
689 #define SSL_CTX_set_app_data(ctx,arg)	(SSL_CTX_set_ex_data(ctx,0,(char *)arg))
690 
691 /* The following are the possible values for ssl->state are are
692  * used to indicate where we are up to in the SSL connection establishment.
693  * The macros that follow are about the only things you should need to use
694  * and even then, only when using non-blocking IO.
695  * It can also be useful to work out where you were when the connection
696  * failed */
697 
698 #define SSL_ST_CONNECT			0x1000
699 #define SSL_ST_ACCEPT			0x2000
700 #define SSL_ST_MASK			0x0FFF
701 #define SSL_ST_INIT			(SSL_ST_CONNECT|SSL_ST_ACCEPT)
702 #define SSL_ST_BEFORE			0x4000
703 #define SSL_ST_OK			0x03
704 #define SSL_ST_RENEGOTIATE		(0x04|SSL_ST_INIT)
705 
706 #define SSL_CB_LOOP			0x01
707 #define SSL_CB_EXIT			0x02
708 #define SSL_CB_READ			0x04
709 #define SSL_CB_WRITE			0x08
710 #define SSL_CB_ALERT			0x4000 /* used in callback */
711 #define SSL_CB_READ_ALERT		(SSL_CB_ALERT|SSL_CB_READ)
712 #define SSL_CB_WRITE_ALERT		(SSL_CB_ALERT|SSL_CB_WRITE)
713 #define SSL_CB_ACCEPT_LOOP		(SSL_ST_ACCEPT|SSL_CB_LOOP)
714 #define SSL_CB_ACCEPT_EXIT		(SSL_ST_ACCEPT|SSL_CB_EXIT)
715 #define SSL_CB_CONNECT_LOOP		(SSL_ST_CONNECT|SSL_CB_LOOP)
716 #define SSL_CB_CONNECT_EXIT		(SSL_ST_CONNECT|SSL_CB_EXIT)
717 #define SSL_CB_HANDSHAKE_START		0x10
718 #define SSL_CB_HANDSHAKE_DONE		0x20
719 
720 /* Is the SSL_connection established? */
721 #define SSL_get_state(a)		(SSL_state((a)))
722 #define SSL_is_init_finished(a)		(SSL_state((a)) == SSL_ST_OK)
723 #define SSL_in_init(a)			(SSL_state((a))&SSL_ST_INIT)
724 #define SSL_in_before(a)		(SSL_state((a))&SSL_ST_BEFORE)
725 #define SSL_in_connect_init(a)		(SSL_state((a))&SSL_ST_CONNECT)
726 #define SSL_in_accept_init(a)		(SSL_state((a))&SSL_ST_ACCEPT)
727 
728 /* The following 2 states are kept in ssl->rstate when reads fail,
729  * you should not need these */
730 #define SSL_ST_READ_HEADER		0xF0
731 #define SSL_ST_READ_BODY		0xF1
732 #define SSL_ST_READ_DONE		0xF2
733 
734 /* Obtain latest Finished message
735  *   -- that we sent (SSL_get_finished)
736  *   -- that we expected from peer (SSL_get_peer_finished).
737  * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
738 size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
739 size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
740 
741 /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
742  * are 'ored' with SSL_VERIFY_PEER if they are desired */
743 #define SSL_VERIFY_NONE			0x00
744 #define SSL_VERIFY_PEER			0x01
745 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT	0x02
746 #define SSL_VERIFY_CLIENT_ONCE		0x04
747 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
748 #define SSL_VERIFY_POST_HANDSHAKE	0x08
749 
750 int SSL_verify_client_post_handshake(SSL *s);
751 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
752 void SSL_set_post_handshake_auth(SSL *s, int val);
753 #endif
754 
755 #define OpenSSL_add_ssl_algorithms()	SSL_library_init()
756 #define SSLeay_add_ssl_algorithms()	SSL_library_init()
757 
758 /* More backward compatibility */
759 #define SSL_get_cipher(s) \
760 		SSL_CIPHER_get_name(SSL_get_current_cipher(s))
761 #define SSL_get_cipher_bits(s,np) \
762 		SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
763 #define SSL_get_cipher_version(s) \
764 		SSL_CIPHER_get_version(SSL_get_current_cipher(s))
765 #define SSL_get_cipher_name(s) \
766 		SSL_CIPHER_get_name(SSL_get_current_cipher(s))
767 #define SSL_get_time(a)		SSL_SESSION_get_time(a)
768 #define SSL_set_time(a,b)	SSL_SESSION_set_time((a),(b))
769 #define SSL_get_timeout(a)	SSL_SESSION_get_timeout(a)
770 #define SSL_set_timeout(a,b)	SSL_SESSION_set_timeout((a),(b))
771 
772 #define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
773 #define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
774 
775 SSL_SESSION *PEM_read_bio_SSL_SESSION(BIO *bp, SSL_SESSION **x,
776     pem_password_cb *cb, void *u);
777 SSL_SESSION *PEM_read_SSL_SESSION(FILE *fp, SSL_SESSION **x,
778     pem_password_cb *cb, void *u);
779 int PEM_write_bio_SSL_SESSION(BIO *bp, SSL_SESSION *x);
780 int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
781 
782 /*
783  * TLS Alerts.
784  *
785  * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6
786  */
787 
788 /* Obsolete alerts. */
789 #ifndef LIBRESSL_INTERNAL
790 #define SSL_AD_DECRYPTION_FAILED		21	/* Removed in TLSv1.1 */
791 #define SSL_AD_NO_CERTIFICATE			41	/* Removed in TLSv1.0 */
792 #define SSL_AD_EXPORT_RESTRICTION		60	/* Removed in TLSv1.1 */
793 #endif
794 
795 #define SSL_AD_CLOSE_NOTIFY			0
796 #define SSL_AD_UNEXPECTED_MESSAGE		10
797 #define SSL_AD_BAD_RECORD_MAC			20
798 #define SSL_AD_RECORD_OVERFLOW			22
799 #define SSL_AD_DECOMPRESSION_FAILURE		30	/* Removed in TLSv1.3 */
800 #define SSL_AD_HANDSHAKE_FAILURE		40
801 #define SSL_AD_BAD_CERTIFICATE			42
802 #define SSL_AD_UNSUPPORTED_CERTIFICATE		43
803 #define SSL_AD_CERTIFICATE_REVOKED		44
804 #define SSL_AD_CERTIFICATE_EXPIRED		45
805 #define SSL_AD_CERTIFICATE_UNKNOWN		46
806 #define SSL_AD_ILLEGAL_PARAMETER		47
807 #define SSL_AD_UNKNOWN_CA			48
808 #define SSL_AD_ACCESS_DENIED			49
809 #define SSL_AD_DECODE_ERROR			50
810 #define SSL_AD_DECRYPT_ERROR			51
811 #define SSL_AD_PROTOCOL_VERSION			70
812 #define SSL_AD_INSUFFICIENT_SECURITY		71
813 #define SSL_AD_INTERNAL_ERROR			80
814 #define SSL_AD_INAPPROPRIATE_FALLBACK		86
815 #define SSL_AD_USER_CANCELLED			90
816 #define SSL_AD_NO_RENEGOTIATION			100	/* Removed in TLSv1.3 */
817 #define SSL_AD_MISSING_EXTENSION		109	/* Added in TLSv1.3. */
818 #define SSL_AD_UNSUPPORTED_EXTENSION		110
819 #define SSL_AD_CERTIFICATE_UNOBTAINABLE		111	/* Removed in TLSv1.3 */
820 #define SSL_AD_UNRECOGNIZED_NAME		112
821 #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE	113
822 #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE	114	/* Removed in TLSv1.3 */
823 #define SSL_AD_UNKNOWN_PSK_IDENTITY		115
824 #define SSL_AD_CERTIFICATE_REQUIRED		116
825 #define SSL_AD_NO_APPLICATION_PROTOCOL		120
826 
827 /* Offset to get an SSL_R_... value from an SSL_AD_... value. */
828 #define SSL_AD_REASON_OFFSET			1000
829 
830 #define SSL_ERROR_NONE				0
831 #define SSL_ERROR_SSL				1
832 #define SSL_ERROR_WANT_READ			2
833 #define SSL_ERROR_WANT_WRITE			3
834 #define SSL_ERROR_WANT_X509_LOOKUP		4
835 #define SSL_ERROR_SYSCALL			5
836 #define SSL_ERROR_ZERO_RETURN			6
837 #define SSL_ERROR_WANT_CONNECT			7
838 #define SSL_ERROR_WANT_ACCEPT			8
839 #define SSL_ERROR_WANT_ASYNC			9
840 #define SSL_ERROR_WANT_ASYNC_JOB		10
841 #define SSL_ERROR_WANT_CLIENT_HELLO_CB		11
842 
843 #define SSL_CTRL_NEED_TMP_RSA			1
844 #define SSL_CTRL_SET_TMP_RSA			2
845 #define SSL_CTRL_SET_TMP_DH			3
846 #define SSL_CTRL_SET_TMP_ECDH			4
847 #define SSL_CTRL_SET_TMP_RSA_CB			5
848 #define SSL_CTRL_SET_TMP_DH_CB			6
849 #define SSL_CTRL_SET_TMP_ECDH_CB		7
850 
851 #define SSL_CTRL_GET_SESSION_REUSED		8
852 #define SSL_CTRL_GET_CLIENT_CERT_REQUEST	9
853 #define SSL_CTRL_GET_NUM_RENEGOTIATIONS		10
854 #define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS	11
855 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS	12
856 #define SSL_CTRL_GET_FLAGS			13
857 #define SSL_CTRL_EXTRA_CHAIN_CERT		14
858 
859 #define SSL_CTRL_SET_MSG_CALLBACK               15
860 #define SSL_CTRL_SET_MSG_CALLBACK_ARG           16
861 
862 /* only applies to datagram connections */
863 #define SSL_CTRL_SET_MTU                17
864 /* Stats */
865 #define SSL_CTRL_SESS_NUMBER			20
866 #define SSL_CTRL_SESS_CONNECT			21
867 #define SSL_CTRL_SESS_CONNECT_GOOD		22
868 #define SSL_CTRL_SESS_CONNECT_RENEGOTIATE	23
869 #define SSL_CTRL_SESS_ACCEPT			24
870 #define SSL_CTRL_SESS_ACCEPT_GOOD		25
871 #define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE	26
872 #define SSL_CTRL_SESS_HIT			27
873 #define SSL_CTRL_SESS_CB_HIT			28
874 #define SSL_CTRL_SESS_MISSES			29
875 #define SSL_CTRL_SESS_TIMEOUTS			30
876 #define SSL_CTRL_SESS_CACHE_FULL		31
877 #define SSL_CTRL_OPTIONS			32
878 #define SSL_CTRL_MODE				33
879 
880 #define SSL_CTRL_GET_READ_AHEAD			40
881 #define SSL_CTRL_SET_READ_AHEAD			41
882 #define SSL_CTRL_SET_SESS_CACHE_SIZE		42
883 #define SSL_CTRL_GET_SESS_CACHE_SIZE		43
884 #define SSL_CTRL_SET_SESS_CACHE_MODE		44
885 #define SSL_CTRL_GET_SESS_CACHE_MODE		45
886 
887 #define SSL_CTRL_GET_MAX_CERT_LIST		50
888 #define SSL_CTRL_SET_MAX_CERT_LIST		51
889 
890 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT		52
891 
892 /* see tls1.h for macros based on these */
893 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB	53
894 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG	54
895 #define SSL_CTRL_SET_TLSEXT_HOSTNAME		55
896 #define SSL_CTRL_SET_TLSEXT_DEBUG_CB		56
897 #define SSL_CTRL_SET_TLSEXT_DEBUG_ARG		57
898 #define SSL_CTRL_GET_TLSEXT_TICKET_KEYS		58
899 #define SSL_CTRL_SET_TLSEXT_TICKET_KEYS		59
900 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB	128
901 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB	63
902 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG	129
903 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG	64
904 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE	127
905 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE	65
906 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS	66
907 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS	67
908 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS	68
909 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS	69
910 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP	70
911 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP	71
912 
913 #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB	72
914 
915 #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB	75
916 #define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB		76
917 #define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB		77
918 
919 #define SSL_CTRL_SET_SRP_ARG		78
920 #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME		79
921 #define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH		80
922 #define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD		81
923 
924 #define DTLS_CTRL_GET_TIMEOUT		73
925 #define DTLS_CTRL_HANDLE_TIMEOUT	74
926 #define DTLS_CTRL_LISTEN			75
927 
928 #define SSL_CTRL_GET_RI_SUPPORT			76
929 #define SSL_CTRL_CLEAR_OPTIONS			77
930 #define SSL_CTRL_CLEAR_MODE			78
931 
932 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS		82
933 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS	83
934 
935 #define	SSL_CTRL_CHAIN					88
936 #define	SSL_CTRL_CHAIN_CERT				89
937 
938 #define SSL_CTRL_SET_GROUPS				91
939 #define SSL_CTRL_SET_GROUPS_LIST			92
940 #define SSL_CTRL_GET_SHARED_GROUP			93
941 #define SSL_CTRL_SET_ECDH_AUTO				94
942 
943 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
944 #define SSL_CTRL_GET_PEER_SIGNATURE_NID			108
945 #define SSL_CTRL_GET_PEER_TMP_KEY			109
946 #define SSL_CTRL_GET_SERVER_TMP_KEY SSL_CTRL_GET_PEER_TMP_KEY
947 #else
948 #define SSL_CTRL_GET_SERVER_TMP_KEY		109
949 #endif
950 
951 #define	SSL_CTRL_GET_CHAIN_CERTS			115
952 
953 #define SSL_CTRL_SET_DH_AUTO			118
954 
955 #define SSL_CTRL_SET_MIN_PROTO_VERSION			123
956 #define SSL_CTRL_SET_MAX_PROTO_VERSION			124
957 #define SSL_CTRL_GET_MIN_PROTO_VERSION			130
958 #define SSL_CTRL_GET_MAX_PROTO_VERSION			131
959 
960 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
961 #define SSL_CTRL_GET_SIGNATURE_NID			132
962 #endif
963 
964 #define DTLSv1_get_timeout(ssl, arg) \
965 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
966 #define DTLSv1_handle_timeout(ssl) \
967 	SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
968 #define DTLSv1_listen(ssl, peer) \
969 	SSL_ctrl(ssl,DTLS_CTRL_LISTEN,0, (void *)peer)
970 
971 #define SSL_session_reused(ssl) \
972 	SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
973 #define SSL_num_renegotiations(ssl) \
974 	SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
975 #define SSL_clear_num_renegotiations(ssl) \
976 	SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
977 #define SSL_total_renegotiations(ssl) \
978 	SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
979 
980 #define SSL_CTX_need_tmp_RSA(ctx) \
981 	SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
982 #define SSL_CTX_set_tmp_rsa(ctx,rsa) \
983 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
984 #define SSL_CTX_set_tmp_dh(ctx,dh) \
985 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
986 #define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
987 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
988 #define SSL_CTX_set_dh_auto(ctx, onoff) \
989 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
990 #define SSL_CTX_set_ecdh_auto(ctx, onoff) \
991 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
992 
993 #define SSL_need_tmp_RSA(ssl) \
994 	SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
995 #define SSL_set_tmp_rsa(ssl,rsa) \
996 	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
997 #define SSL_set_tmp_dh(ssl,dh) \
998 	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
999 #define SSL_set_tmp_ecdh(ssl,ecdh) \
1000 	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
1001 #define SSL_set_dh_auto(s, onoff) \
1002 	SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
1003 #define SSL_set_ecdh_auto(s, onoff) \
1004 	SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
1005 
1006 int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
1007 int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
1008 int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
1009 int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);
1010 int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain);
1011 int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);
1012 
1013 int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain);
1014 int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain);
1015 int SSL_add0_chain_cert(SSL *ssl, X509 *x509);
1016 int SSL_add1_chain_cert(SSL *ssl, X509 *x509);
1017 int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain);
1018 int SSL_clear_chain_certs(SSL *ssl);
1019 
1020 int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len);
1021 int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
1022 
1023 int SSL_set1_groups(SSL *ssl, const int *groups, size_t groups_len);
1024 int SSL_set1_groups_list(SSL *ssl, const char *groups);
1025 
1026 int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
1027 int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
1028 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
1029 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
1030 
1031 int SSL_get_min_proto_version(SSL *ssl);
1032 int SSL_get_max_proto_version(SSL *ssl);
1033 int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
1034 int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
1035 
1036 const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx);
1037 
1038 #ifndef LIBRESSL_INTERNAL
1039 #define SSL_CTRL_SET_CURVES			SSL_CTRL_SET_GROUPS
1040 #define SSL_CTRL_SET_CURVES_LIST		SSL_CTRL_SET_GROUPS_LIST
1041 
1042 #define SSL_CTX_set1_curves SSL_CTX_set1_groups
1043 #define SSL_CTX_set1_curves_list SSL_CTX_set1_groups_list
1044 #define SSL_set1_curves SSL_set1_groups
1045 #define SSL_set1_curves_list SSL_set1_groups_list
1046 #endif
1047 
1048 #define SSL_CTX_add_extra_chain_cert(ctx, x509) \
1049 	SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)x509)
1050 #define SSL_CTX_get_extra_chain_certs(ctx, px509) \
1051 	SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 0, px509)
1052 #define SSL_CTX_get_extra_chain_certs_only(ctx, px509) \
1053 	SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 1, px509)
1054 #define SSL_CTX_clear_extra_chain_certs(ctx) \
1055 	SSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0, NULL)
1056 
1057 #define SSL_get_shared_group(s, n) \
1058 	SSL_ctrl((s), SSL_CTRL_GET_SHARED_GROUP, (n), NULL)
1059 #define SSL_get_shared_curve SSL_get_shared_group
1060 
1061 #define SSL_get_server_tmp_key(s, pk) \
1062 	SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
1063 
1064 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1065 #define SSL_get_signature_nid(s, pn) \
1066 	SSL_ctrl(s, SSL_CTRL_GET_SIGNATURE_NID, 0, pn)
1067 
1068 #define SSL_get_peer_signature_nid(s, pn) \
1069 	SSL_ctrl(s, SSL_CTRL_GET_PEER_SIGNATURE_NID, 0, pn)
1070 #define SSL_get_peer_tmp_key(s, pk) \
1071 	SSL_ctrl(s, SSL_CTRL_GET_PEER_TMP_KEY, 0, pk)
1072 
1073 int SSL_get_signature_type_nid(const SSL *ssl, int *nid);
1074 int SSL_get_peer_signature_type_nid(const SSL *ssl, int *nid);
1075 
1076 #endif /* LIBRESSL_HAS_TLS1_3 || LIBRESSL_INTERNAL */
1077 
1078 #ifndef LIBRESSL_INTERNAL
1079 /*
1080  * Also provide those functions as macros for compatibility with
1081  * existing users.
1082  */
1083 #define SSL_CTX_set0_chain		SSL_CTX_set0_chain
1084 #define SSL_CTX_set1_chain		SSL_CTX_set1_chain
1085 #define SSL_CTX_add0_chain_cert		SSL_CTX_add0_chain_cert
1086 #define SSL_CTX_add1_chain_cert		SSL_CTX_add1_chain_cert
1087 #define SSL_CTX_get0_chain_certs	SSL_CTX_get0_chain_certs
1088 #define SSL_CTX_clear_chain_certs	SSL_CTX_clear_chain_certs
1089 
1090 #define SSL_add0_chain_cert		SSL_add0_chain_cert
1091 #define SSL_add1_chain_cert		SSL_add1_chain_cert
1092 #define SSL_set0_chain			SSL_set0_chain
1093 #define SSL_set1_chain			SSL_set1_chain
1094 #define SSL_get0_chain_certs		SSL_get0_chain_certs
1095 #define SSL_clear_chain_certs		SSL_clear_chain_certs
1096 
1097 #define SSL_CTX_set1_groups		SSL_CTX_set1_groups
1098 #define SSL_CTX_set1_groups_list	SSL_CTX_set1_groups_list
1099 #define SSL_set1_groups			SSL_set1_groups
1100 #define SSL_set1_groups_list		SSL_set1_groups_list
1101 
1102 #define SSL_CTX_get_min_proto_version	SSL_CTX_get_min_proto_version
1103 #define SSL_CTX_get_max_proto_version	SSL_CTX_get_max_proto_version
1104 #define SSL_CTX_set_min_proto_version	SSL_CTX_set_min_proto_version
1105 #define SSL_CTX_set_max_proto_version	SSL_CTX_set_max_proto_version
1106 
1107 #define SSL_get_min_proto_version	SSL_get_min_proto_version
1108 #define SSL_get_max_proto_version	SSL_get_max_proto_version
1109 #define SSL_set_min_proto_version	SSL_set_min_proto_version
1110 #define SSL_set_max_proto_version	SSL_set_max_proto_version
1111 #endif
1112 
1113 const BIO_METHOD *BIO_f_ssl(void);
1114 BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
1115 BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
1116 BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
1117 int BIO_ssl_copy_session_id(BIO *to, BIO *from);
1118 void BIO_ssl_shutdown(BIO *ssl_bio);
1119 
1120 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
1121 int	SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
1122 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1123 int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
1124 #endif
1125 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
1126 void	SSL_CTX_free(SSL_CTX *);
1127 int SSL_CTX_up_ref(SSL_CTX *ctx);
1128 long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
1129 long SSL_CTX_get_timeout(const SSL_CTX *ctx);
1130 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
1131 void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
1132 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
1133 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
1134 int SSL_want(const SSL *s);
1135 int	SSL_clear(SSL *s);
1136 
1137 void	SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
1138 
1139 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1140 const SSL_CIPHER *SSL_CIPHER_get_by_id(unsigned int id);
1141 const SSL_CIPHER *SSL_CIPHER_get_by_value(uint16_t value);
1142 int	SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
1143 const char *	SSL_CIPHER_get_version(const SSL_CIPHER *c);
1144 const char *	SSL_CIPHER_get_name(const SSL_CIPHER *c);
1145 unsigned long 	SSL_CIPHER_get_id(const SSL_CIPHER *c);
1146 uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c);
1147 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
1148 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
1149 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
1150 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
1151 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
1152 int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
1153 
1154 int	SSL_get_fd(const SSL *s);
1155 int	SSL_get_rfd(const SSL *s);
1156 int	SSL_get_wfd(const SSL *s);
1157 const char  * SSL_get_cipher_list(const SSL *s, int n);
1158 char *	SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
1159 int	SSL_get_read_ahead(const SSL * s);
1160 int	SSL_pending(const SSL *s);
1161 int	SSL_set_fd(SSL *s, int fd);
1162 int	SSL_set_rfd(SSL *s, int fd);
1163 int	SSL_set_wfd(SSL *s, int fd);
1164 void	SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
1165 BIO *	SSL_get_rbio(const SSL *s);
1166 void	SSL_set0_rbio(SSL *s, BIO *rbio);
1167 BIO *	SSL_get_wbio(const SSL *s);
1168 int	SSL_set_cipher_list(SSL *s, const char *str);
1169 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1170 int	SSL_set_ciphersuites(SSL *s, const char *str);
1171 #endif
1172 void	SSL_set_read_ahead(SSL *s, int yes);
1173 int	SSL_get_verify_mode(const SSL *s);
1174 int	SSL_get_verify_depth(const SSL *s);
1175 int	(*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *);
1176 void	SSL_set_verify(SSL *s, int mode,
1177 	    int (*callback)(int ok, X509_STORE_CTX *ctx));
1178 void	SSL_set_verify_depth(SSL *s, int depth);
1179 int	SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1180 int	SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len);
1181 int	SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1182 int	SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len);
1183 int	SSL_use_certificate(SSL *ssl, X509 *x);
1184 int	SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
1185 
1186 int	SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
1187 int	SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
1188 int	SSL_use_certificate_file(SSL *ssl, const char *file, int type);
1189 int	SSL_use_certificate_chain_file(SSL *ssl, const char *file);
1190 int	SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1191 int	SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
1192 int	SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
1193 int	SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
1194 int	SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len);
1195 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
1196 int	SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1197 	    const char *file);
1198 int	SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
1199 	    const char *dir);
1200 
1201 void	SSL_load_error_strings(void );
1202 const char *SSL_state_string(const SSL *s);
1203 const char *SSL_rstate_string(const SSL *s);
1204 const char *SSL_state_string_long(const SSL *s);
1205 const char *SSL_rstate_string_long(const SSL *s);
1206 const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *ss);
1207 size_t	SSL_SESSION_get_master_key(const SSL_SESSION *ss,
1208 	    unsigned char *out, size_t max_out);
1209 int	SSL_SESSION_get_protocol_version(const SSL_SESSION *s);
1210 long	SSL_SESSION_get_time(const SSL_SESSION *s);
1211 long	SSL_SESSION_set_time(SSL_SESSION *s, long t);
1212 long	SSL_SESSION_get_timeout(const SSL_SESSION *s);
1213 long	SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1214 int	SSL_copy_session_id(SSL *to, const SSL *from);
1215 X509	*SSL_SESSION_get0_peer(SSL_SESSION *s);
1216 int	SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
1217 	    unsigned int sid_len);
1218 int	SSL_SESSION_set1_id_context(SSL_SESSION *s,
1219 	    const unsigned char *sid_ctx, unsigned int sid_ctx_len);
1220 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1221 int SSL_SESSION_is_resumable(const SSL_SESSION *s);
1222 #endif
1223 
1224 SSL_SESSION *SSL_SESSION_new(void);
1225 void	SSL_SESSION_free(SSL_SESSION *ses);
1226 int	SSL_SESSION_up_ref(SSL_SESSION *ss);
1227 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *ss,
1228 	    unsigned int *len);
1229 const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *ss,
1230 	    unsigned int *len);
1231 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1232 uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *sess);
1233 int SSL_SESSION_set_max_early_data(SSL_SESSION *sess, uint32_t max_early_data);
1234 #endif
1235 unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s);
1236 int	SSL_SESSION_has_ticket(const SSL_SESSION *s);
1237 unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *ss);
1238 int	SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
1239 int	SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
1240 int	i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
1241 int	SSL_set_session(SSL *to, SSL_SESSION *session);
1242 int	SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
1243 int	SSL_CTX_remove_session(SSL_CTX *, SSL_SESSION *c);
1244 int	SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
1245 int	SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
1246 int	SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
1247 	    unsigned int id_len);
1248 SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
1249 	    long length);
1250 
1251 #ifdef HEADER_X509_H
1252 X509 *	SSL_get_peer_certificate(const SSL *s);
1253 #endif
1254 
1255 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
1256 
1257 int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
1258 int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
1259 int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *);
1260 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
1261     int (*callback)(int, X509_STORE_CTX *));
1262 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
1263 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg);
1264 int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1265 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
1266 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1267 int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len);
1268 int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
1269 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
1270 
1271 pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx);
1272 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
1273 void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx);
1274 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
1275 
1276 int SSL_CTX_check_private_key(const SSL_CTX *ctx);
1277 int SSL_check_private_key(const SSL *ctx);
1278 
1279 int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
1280 
1281 int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
1282 
1283 int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
1284 int SSL_set_purpose(SSL *s, int purpose);
1285 int SSL_CTX_set_trust(SSL_CTX *s, int trust);
1286 int SSL_set_trust(SSL *s, int trust);
1287 int SSL_set1_host(SSL *s, const char *hostname);
1288 void SSL_set_hostflags(SSL *s, unsigned int flags);
1289 const char *SSL_get0_peername(SSL *s);
1290 
1291 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
1292 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
1293 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
1294 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
1295 
1296 SSL *SSL_new(SSL_CTX *ctx);
1297 void	SSL_free(SSL *ssl);
1298 int	SSL_up_ref(SSL *ssl);
1299 int 	SSL_accept(SSL *ssl);
1300 int 	SSL_connect(SSL *ssl);
1301 int	SSL_is_dtls(const SSL *s);
1302 int	SSL_is_server(const SSL *s);
1303 int 	SSL_read(SSL *ssl, void *buf, int num);
1304 int 	SSL_peek(SSL *ssl, void *buf, int num);
1305 int 	SSL_write(SSL *ssl, const void *buf, int num);
1306 int 	SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *bytes_read);
1307 int 	SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *bytes_peeked);
1308 int 	SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *bytes_written);
1309 
1310 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
1311 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx);
1312 int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data);
1313 
1314 uint32_t SSL_get_max_early_data(const SSL *s);
1315 int SSL_set_max_early_data(SSL *s, uint32_t max_early_data);
1316 
1317 #define SSL_EARLY_DATA_NOT_SENT		0
1318 #define SSL_EARLY_DATA_REJECTED		1
1319 #define SSL_EARLY_DATA_ACCEPTED		2
1320 int SSL_get_early_data_status(const SSL *s);
1321 
1322 #define SSL_READ_EARLY_DATA_ERROR	0
1323 #define SSL_READ_EARLY_DATA_SUCCESS	1
1324 #define SSL_READ_EARLY_DATA_FINISH	2
1325 int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes);
1326 int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written);
1327 #endif
1328 
1329 long	SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
1330 long	SSL_callback_ctrl(SSL *, int, void (*)(void));
1331 long	SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
1332 long	SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
1333 
1334 int	SSL_get_error(const SSL *s, int ret_code);
1335 const char *SSL_get_version(const SSL *s);
1336 
1337 /* This sets the 'default' SSL version that SSL_new() will create */
1338 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
1339 
1340 const SSL_METHOD *SSLv23_method(void);		/* SSLv3 or TLSv1.* */
1341 const SSL_METHOD *SSLv23_server_method(void);	/* SSLv3 or TLSv1.* */
1342 const SSL_METHOD *SSLv23_client_method(void);	/* SSLv3 or TLSv1.* */
1343 
1344 const SSL_METHOD *TLSv1_method(void);		/* TLSv1.0 */
1345 const SSL_METHOD *TLSv1_server_method(void);	/* TLSv1.0 */
1346 const SSL_METHOD *TLSv1_client_method(void);	/* TLSv1.0 */
1347 
1348 const SSL_METHOD *TLSv1_1_method(void);		/* TLSv1.1 */
1349 const SSL_METHOD *TLSv1_1_server_method(void);	/* TLSv1.1 */
1350 const SSL_METHOD *TLSv1_1_client_method(void);	/* TLSv1.1 */
1351 
1352 const SSL_METHOD *TLSv1_2_method(void);		/* TLSv1.2 */
1353 const SSL_METHOD *TLSv1_2_server_method(void);	/* TLSv1.2 */
1354 const SSL_METHOD *TLSv1_2_client_method(void);	/* TLSv1.2 */
1355 
1356 const SSL_METHOD *TLS_method(void);		/* TLS v1.0 or later */
1357 const SSL_METHOD *TLS_server_method(void);	/* TLS v1.0 or later */
1358 const SSL_METHOD *TLS_client_method(void);	/* TLS v1.0 or later */
1359 
1360 const SSL_METHOD *DTLSv1_method(void);		/* DTLSv1.0 */
1361 const SSL_METHOD *DTLSv1_server_method(void);	/* DTLSv1.0 */
1362 const SSL_METHOD *DTLSv1_client_method(void);	/* DTLSv1.0 */
1363 
1364 const SSL_METHOD *DTLSv1_2_method(void);	/* DTLSv1.2 */
1365 const SSL_METHOD *DTLSv1_2_server_method(void);	/* DTLSv1.2 */
1366 const SSL_METHOD *DTLSv1_2_client_method(void);	/* DTLSv1.2 */
1367 
1368 const SSL_METHOD *DTLS_method(void);		/* DTLS v1.0 or later */
1369 const SSL_METHOD *DTLS_server_method(void);	/* DTLS v1.0 or later */
1370 const SSL_METHOD *DTLS_client_method(void);	/* DTLS v1.0 or later */
1371 
1372 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1373 STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s);
1374 STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
1375 
1376 int SSL_do_handshake(SSL *s);
1377 int SSL_renegotiate(SSL *s);
1378 int SSL_renegotiate_abbreviated(SSL *s);
1379 int SSL_renegotiate_pending(SSL *s);
1380 int SSL_shutdown(SSL *s);
1381 
1382 const SSL_METHOD *SSL_get_ssl_method(SSL *s);
1383 int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
1384 const char *SSL_alert_type_string_long(int value);
1385 const char *SSL_alert_type_string(int value);
1386 const char *SSL_alert_desc_string_long(int value);
1387 const char *SSL_alert_desc_string(int value);
1388 
1389 void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
1390 void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
1391 STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
1392 STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
1393 int SSL_add_client_CA(SSL *ssl, X509 *x);
1394 int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
1395 
1396 void SSL_set_connect_state(SSL *s);
1397 void SSL_set_accept_state(SSL *s);
1398 
1399 long SSL_get_default_timeout(const SSL *s);
1400 
1401 int SSL_library_init(void );
1402 
1403 char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size);
1404 STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk);
1405 
1406 SSL *SSL_dup(SSL *ssl);
1407 
1408 X509 *SSL_get_certificate(const SSL *ssl);
1409 /* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(const SSL *ssl);
1410 
1411 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
1412 int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
1413 void SSL_set_quiet_shutdown(SSL *ssl,int mode);
1414 int SSL_get_quiet_shutdown(const SSL *ssl);
1415 void SSL_set_shutdown(SSL *ssl,int mode);
1416 int SSL_get_shutdown(const SSL *ssl);
1417 int SSL_version(const SSL *ssl);
1418 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
1419 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
1420     const char *CApath);
1421 int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
1422 #define SSL_get0_session SSL_get_session /* just peek at pointer */
1423 SSL_SESSION *SSL_get_session(const SSL *ssl);
1424 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
1425 SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
1426 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx);
1427 void SSL_set_info_callback(SSL *ssl,
1428     void (*cb)(const SSL *ssl, int type, int val));
1429 void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val);
1430 int SSL_state(const SSL *ssl);
1431 void SSL_set_state(SSL *ssl, int state);
1432 
1433 void SSL_set_verify_result(SSL *ssl, long v);
1434 long SSL_get_verify_result(const SSL *ssl);
1435 
1436 int SSL_set_ex_data(SSL *ssl, int idx, void *data);
1437 void *SSL_get_ex_data(const SSL *ssl, int idx);
1438 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1439     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1440 
1441 int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data);
1442 void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss, int idx);
1443 int SSL_SESSION_get_ex_new_index(long argl, void *argp,
1444     CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
1445     CRYPTO_EX_free *free_func);
1446 
1447 int SSL_CTX_set_ex_data(SSL_CTX *ssl, int idx, void *data);
1448 void *SSL_CTX_get_ex_data(const SSL_CTX *ssl, int idx);
1449 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1450     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
1451 
1452 int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1453 
1454 #define SSL_CTX_sess_set_cache_size(ctx,t) \
1455 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
1456 #define SSL_CTX_sess_get_cache_size(ctx) \
1457 	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
1458 #define SSL_CTX_set_session_cache_mode(ctx,m) \
1459 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
1460 #define SSL_CTX_get_session_cache_mode(ctx) \
1461 	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
1462 
1463 #define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
1464 #define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
1465 #define SSL_CTX_get_read_ahead(ctx) \
1466 	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
1467 #define SSL_CTX_set_read_ahead(ctx,m) \
1468 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
1469 #define SSL_CTX_get_max_cert_list(ctx) \
1470 	SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1471 #define SSL_CTX_set_max_cert_list(ctx,m) \
1472 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1473 #define SSL_get_max_cert_list(ssl) \
1474 	SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
1475 #define SSL_set_max_cert_list(ssl,m) \
1476 	SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
1477 
1478 #define SSL_CTX_set_max_send_fragment(ctx,m) \
1479 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1480 #define SSL_set_max_send_fragment(ssl,m) \
1481 	SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1482 
1483 /* NB: the keylength is only applicable when is_export is true */
1484 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
1485     RSA *(*cb)(SSL *ssl, int is_export, int keylength));
1486 
1487 void SSL_set_tmp_rsa_callback(SSL *ssl,
1488     RSA *(*cb)(SSL *ssl, int is_export, int keylength));
1489 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
1490     DH *(*dh)(SSL *ssl, int is_export, int keylength));
1491 void SSL_set_tmp_dh_callback(SSL *ssl,
1492     DH *(*dh)(SSL *ssl, int is_export, int keylength));
1493 void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
1494     EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
1495 void SSL_set_tmp_ecdh_callback(SSL *ssl,
1496     EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
1497 
1498 size_t SSL_get_client_random(const SSL *s, unsigned char *out, size_t max_out);
1499 size_t SSL_get_server_random(const SSL *s, unsigned char *out, size_t max_out);
1500 
1501 const void *SSL_get_current_compression(SSL *s);
1502 const void *SSL_get_current_expansion(SSL *s);
1503 
1504 const char *SSL_COMP_get_name(const void *comp);
1505 void *SSL_COMP_get_compression_methods(void);
1506 int SSL_COMP_add_compression_method(int id, void *cm);
1507 
1508 /* TLS extensions functions */
1509 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
1510 
1511 int SSL_set_session_ticket_ext_cb(SSL *s,
1512     tls_session_ticket_ext_cb_fn cb, void *arg);
1513 
1514 /* Pre-shared secret session resumption functions */
1515 int SSL_set_session_secret_cb(SSL *s,
1516     tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
1517 
1518 void SSL_set_debug(SSL *s, int debug);
1519 int SSL_cache_hit(SSL *s);
1520 
1521 /* What the "other" parameter contains in security callback */
1522 /* Mask for type */
1523 #define SSL_SECOP_OTHER_TYPE		0xffff0000
1524 #define SSL_SECOP_OTHER_NONE		0
1525 #define SSL_SECOP_OTHER_CIPHER		(1 << 16)
1526 #define SSL_SECOP_OTHER_CURVE		(2 << 16)
1527 #define SSL_SECOP_OTHER_DH		(3 << 16)
1528 #define SSL_SECOP_OTHER_PKEY		(4 << 16)
1529 #define SSL_SECOP_OTHER_SIGALG		(5 << 16)
1530 #define SSL_SECOP_OTHER_CERT		(6 << 16)
1531 
1532 /* Indicated operation refers to peer key or certificate */
1533 #define SSL_SECOP_PEER			0x1000
1534 
1535 /* Values for "op" parameter in security callback */
1536 
1537 /* Called to filter ciphers */
1538 /* Ciphers client supports */
1539 #define SSL_SECOP_CIPHER_SUPPORTED	(1 | SSL_SECOP_OTHER_CIPHER)
1540 /* Cipher shared by client/server */
1541 #define SSL_SECOP_CIPHER_SHARED		(2 | SSL_SECOP_OTHER_CIPHER)
1542 /* Sanity check of cipher server selects */
1543 #define SSL_SECOP_CIPHER_CHECK		(3 | SSL_SECOP_OTHER_CIPHER)
1544 /* Curves supported by client */
1545 #define SSL_SECOP_CURVE_SUPPORTED	(4 | SSL_SECOP_OTHER_CURVE)
1546 /* Curves shared by client/server */
1547 #define SSL_SECOP_CURVE_SHARED		(5 | SSL_SECOP_OTHER_CURVE)
1548 /* Sanity check of curve server selects */
1549 #define SSL_SECOP_CURVE_CHECK		(6 | SSL_SECOP_OTHER_CURVE)
1550 /* Temporary DH key */
1551 /*
1552  * XXX: changed in OpenSSL e2b420fdd70 to (7 | SSL_SECOP_OTHER_PKEY)
1553  * Needs switching internal use of DH to EVP_PKEY. The code is not reachable
1554  * from outside the library as long as we do not expose the callback in the API.
1555  */
1556 #define SSL_SECOP_TMP_DH		(7 | SSL_SECOP_OTHER_DH)
1557 /* SSL/TLS version */
1558 #define SSL_SECOP_VERSION		(9 | SSL_SECOP_OTHER_NONE)
1559 /* Session tickets */
1560 #define SSL_SECOP_TICKET		(10 | SSL_SECOP_OTHER_NONE)
1561 /* Supported signature algorithms sent to peer */
1562 #define SSL_SECOP_SIGALG_SUPPORTED	(11 | SSL_SECOP_OTHER_SIGALG)
1563 /* Shared signature algorithm */
1564 #define SSL_SECOP_SIGALG_SHARED		(12 | SSL_SECOP_OTHER_SIGALG)
1565 /* Sanity check signature algorithm allowed */
1566 #define SSL_SECOP_SIGALG_CHECK		(13 | SSL_SECOP_OTHER_SIGALG)
1567 /* Used to get mask of supported public key signature algorithms */
1568 #define SSL_SECOP_SIGALG_MASK		(14 | SSL_SECOP_OTHER_SIGALG)
1569 /* Use to see if compression is allowed */
1570 #define SSL_SECOP_COMPRESSION		(15 | SSL_SECOP_OTHER_NONE)
1571 /* EE key in certificate */
1572 #define SSL_SECOP_EE_KEY		(16 | SSL_SECOP_OTHER_CERT)
1573 /* CA key in certificate */
1574 #define SSL_SECOP_CA_KEY		(17 | SSL_SECOP_OTHER_CERT)
1575 /* CA digest algorithm in certificate */
1576 #define SSL_SECOP_CA_MD			(18 | SSL_SECOP_OTHER_CERT)
1577 /* Peer EE key in certificate */
1578 #define SSL_SECOP_PEER_EE_KEY		(SSL_SECOP_EE_KEY | SSL_SECOP_PEER)
1579 /* Peer CA key in certificate */
1580 #define SSL_SECOP_PEER_CA_KEY		(SSL_SECOP_CA_KEY | SSL_SECOP_PEER)
1581 /* Peer CA digest algorithm in certificate */
1582 #define SSL_SECOP_PEER_CA_MD		(SSL_SECOP_CA_MD | SSL_SECOP_PEER)
1583 
1584 void SSL_set_security_level(SSL *ssl, int level);
1585 int SSL_get_security_level(const SSL *ssl);
1586 
1587 void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
1588 int SSL_CTX_get_security_level(const SSL_CTX *ctx);
1589 
1590 #if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL)
1591 /*
1592  * QUIC integration.
1593  *
1594  * QUIC acts as an underlying transport for the TLS 1.3 handshake. The following
1595  * functions allow a QUIC implementation to serve as the underlying transport as
1596  * described in RFC 9001.
1597  *
1598  * When configured for QUIC, |SSL_do_handshake| will drive the handshake as
1599  * before, but it will not use the configured |BIO|. It will call functions on
1600  * |SSL_QUIC_METHOD| to configure secrets and send data. If data is needed from
1601  * the peer, it will return |SSL_ERROR_WANT_READ|. As the caller receives data
1602  * it can decrypt, it calls |SSL_provide_quic_data|. Subsequent
1603  * |SSL_do_handshake| calls will then consume that data and progress the
1604  * handshake. After the handshake is complete, the caller should continue to
1605  * call |SSL_provide_quic_data| for any post-handshake data, followed by
1606  * |SSL_process_quic_post_handshake| to process it. It is an error to call
1607  * |SSL_peek|, |SSL_read| and |SSL_write| in QUIC.
1608  *
1609  * To avoid DoS attacks, the QUIC implementation must limit the amount of data
1610  * being queued up. The implementation can call
1611  * |SSL_quic_max_handshake_flight_len| to get the maximum buffer length at each
1612  * encryption level.
1613  *
1614  * QUIC implementations must additionally configure transport parameters with
1615  * |SSL_set_quic_transport_params|. |SSL_get_peer_quic_transport_params| may be
1616  * used to query the value received from the peer. This extension is handled
1617  * as an opaque byte string, which the caller is responsible for serializing
1618  * and parsing. See RFC 9000 section 7.4 for further details.
1619  */
1620 
1621 /*
1622  * ssl_encryption_level_t specifies the QUIC encryption level used to transmit
1623  * handshake messages.
1624  */
1625 typedef enum ssl_encryption_level_t {
1626 	ssl_encryption_initial = 0,
1627 	ssl_encryption_early_data,
1628 	ssl_encryption_handshake,
1629 	ssl_encryption_application,
1630 } OSSL_ENCRYPTION_LEVEL;
1631 
1632 /*
1633  * ssl_quic_method_st (aka |SSL_QUIC_METHOD|) describes custom QUIC hooks.
1634  *
1635  * Note that we provide both the new (BoringSSL) secrets interface
1636  * (set_read_secret/set_write_secret) along with the old interface
1637  * (set_encryption_secrets), which quictls is still using.
1638  *
1639  * Since some consumers fail to use named initialisers, the order of these
1640  * functions is important. Hopefully all of these consumers use the old version.
1641  */
1642 struct ssl_quic_method_st {
1643 	/*
1644 	 * set_encryption_secrets configures the read and write secrets for the
1645 	 * given encryption level. This function will always be called before an
1646 	 * encryption level other than |ssl_encryption_initial| is used.
1647 	 *
1648 	 * When reading packets at a given level, the QUIC implementation must
1649 	 * send ACKs at the same level, so this function provides read and write
1650 	 * secrets together. The exception is |ssl_encryption_early_data|, where
1651 	 * secrets are only available in the client to server direction. The
1652 	 * other secret will be NULL. The server acknowledges such data at
1653 	 * |ssl_encryption_application|, which will be configured in the same
1654 	 * |SSL_do_handshake| call.
1655 	 *
1656 	 * This function should use |SSL_get_current_cipher| to determine the TLS
1657 	 * cipher suite.
1658 	 */
1659 	int (*set_encryption_secrets)(SSL *ssl, enum ssl_encryption_level_t level,
1660 	    const uint8_t *read_secret, const uint8_t *write_secret,
1661 	    size_t secret_len);
1662 
1663 	/*
1664 	 * add_handshake_data adds handshake data to the current flight at the
1665 	 * given encryption level. It returns one on success and zero on error.
1666 	 * Callers should defer writing data to the network until |flush_flight|
1667 	 * to better pack QUIC packets into transport datagrams.
1668 	 *
1669 	 * If |level| is not |ssl_encryption_initial|, this function will not be
1670 	 * called before |level| is initialized with |set_write_secret|.
1671 	 */
1672 	int (*add_handshake_data)(SSL *ssl, enum ssl_encryption_level_t level,
1673 	    const uint8_t *data, size_t len);
1674 
1675 	/*
1676 	 * flush_flight is called when the current flight is complete and should
1677 	 * be written to the transport. Note a flight may contain data at
1678 	 * several encryption levels. It returns one on success and zero on
1679 	 * error.
1680 	 */
1681 	int (*flush_flight)(SSL *ssl);
1682 
1683 	/*
1684 	 * send_alert sends a fatal alert at the specified encryption level. It
1685 	 * returns one on success and zero on error.
1686 	 *
1687 	 * If |level| is not |ssl_encryption_initial|, this function will not be
1688 	 * called before |level| is initialized with |set_write_secret|.
1689 	 */
1690 	int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level,
1691 	    uint8_t alert);
1692 
1693 	/*
1694 	 * set_read_secret configures the read secret and cipher suite for the
1695 	 * given encryption level. It returns one on success and zero to
1696 	 * terminate the handshake with an error. It will be called at most once
1697 	 * per encryption level.
1698 	 *
1699 	 * Read keys will not be released before QUIC may use them. Once a level
1700 	 * has been initialized, QUIC may begin processing data from it.
1701 	 * Handshake data should be passed to |SSL_provide_quic_data| and
1702 	 * application data (if |level| is |ssl_encryption_early_data| or
1703 	 * |ssl_encryption_application|) may be processed according to the rules
1704 	 * of the QUIC protocol.
1705 	 */
1706 	int (*set_read_secret)(SSL *ssl, enum ssl_encryption_level_t level,
1707 	    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
1708 
1709 	/*
1710 	 * set_write_secret behaves like |set_read_secret| but configures the
1711 	 * write secret and cipher suite for the given encryption level. It will
1712 	 * be called at most once per encryption level.
1713 	 *
1714 	 * Write keys will not be released before QUIC may use them. If |level|
1715 	 * is |ssl_encryption_early_data| or |ssl_encryption_application|, QUIC
1716 	 * may begin sending application data at |level|.
1717 	 */
1718 	int (*set_write_secret)(SSL *ssl, enum ssl_encryption_level_t level,
1719 	    const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
1720 };
1721 
1722 /*
1723  * SSL_CTX_set_quic_method configures the QUIC hooks. This should only be
1724  * configured with a minimum version of TLS 1.3. |quic_method| must remain valid
1725  * for the lifetime of |ctx|. It returns one on success and zero on error.
1726  */
1727 int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method);
1728 
1729 /*
1730  * SSL_set_quic_method configures the QUIC hooks. This should only be
1731  * configured with a minimum version of TLS 1.3. |quic_method| must remain valid
1732  * for the lifetime of |ssl|. It returns one on success and zero on error.
1733  */
1734 int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
1735 
1736 /* SSL_is_quic returns true if an SSL has been configured for use with QUIC. */
1737 int SSL_is_quic(const SSL *ssl);
1738 
1739 /*
1740  * SSL_quic_max_handshake_flight_len returns returns the maximum number of bytes
1741  * that may be received at the given encryption level. This function should be
1742  * used to limit buffering in the QUIC implementation. See RFC 9000 section 7.5.
1743  */
1744 size_t SSL_quic_max_handshake_flight_len(const SSL *ssl,
1745     enum ssl_encryption_level_t level);
1746 
1747 /*
1748  * SSL_quic_read_level returns the current read encryption level.
1749  */
1750 enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl);
1751 
1752 /*
1753  * SSL_quic_write_level returns the current write encryption level.
1754  */
1755 enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl);
1756 
1757 /*
1758  * SSL_provide_quic_data provides data from QUIC at a particular encryption
1759  * level |level|. It returns one on success and zero on error. Note this
1760  * function will return zero if the handshake is not expecting data from |level|
1761  * at this time. The QUIC implementation should then close the connection with
1762  * an error.
1763  */
1764 int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
1765     const uint8_t *data, size_t len);
1766 
1767 /*
1768  * SSL_process_quic_post_handshake processes any data that QUIC has provided
1769  * after the handshake has completed. This includes NewSessionTicket messages
1770  * sent by the server. It returns one on success and zero on error.
1771  */
1772 int SSL_process_quic_post_handshake(SSL *ssl);
1773 
1774 /*
1775  * SSL_set_quic_transport_params configures |ssl| to send |params| (of length
1776  * |params_len|) in the quic_transport_parameters extension in either the
1777  * ClientHello or EncryptedExtensions handshake message. It is an error to set
1778  * transport parameters if |ssl| is not configured for QUIC. The buffer pointed
1779  * to by |params| only need be valid for the duration of the call to this
1780  * function. This function returns 1 on success and 0 on failure.
1781  */
1782 int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
1783     size_t params_len);
1784 
1785 /*
1786  * SSL_get_peer_quic_transport_params provides the caller with the value of the
1787  * quic_transport_parameters extension sent by the peer. A pointer to the buffer
1788  * containing the TransportParameters will be put in |*out_params|, and its
1789  * length in |*params_len|. This buffer will be valid for the lifetime of the
1790  * |SSL|. If no params were received from the peer, |*out_params_len| will be 0.
1791  */
1792 void SSL_get_peer_quic_transport_params(const SSL *ssl,
1793     const uint8_t **out_params, size_t *out_params_len);
1794 
1795 /*
1796  * SSL_set_quic_use_legacy_codepoint configures whether to use the legacy QUIC
1797  * extension codepoint 0xffa5 as opposed to the official value 57. This is
1798  * unsupported in LibreSSL.
1799  */
1800 void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);
1801 
1802 #endif
1803 
1804 void ERR_load_SSL_strings(void);
1805 
1806 /* Error codes for the SSL functions. */
1807 
1808 /* Function codes. */
1809 #define SSL_F_CLIENT_CERTIFICATE			 100
1810 #define SSL_F_CLIENT_FINISHED				 167
1811 #define SSL_F_CLIENT_HELLO				 101
1812 #define SSL_F_CLIENT_MASTER_KEY				 102
1813 #define SSL_F_D2I_SSL_SESSION				 103
1814 #define SSL_F_DO_DTLS1_WRITE				 245
1815 #define SSL_F_DO_SSL3_WRITE				 104
1816 #define SSL_F_DTLS1_ACCEPT				 246
1817 #define SSL_F_DTLS1_ADD_CERT_TO_BUF			 295
1818 #define SSL_F_DTLS1_BUFFER_RECORD			 247
1819 #define SSL_F_DTLS1_CHECK_TIMEOUT_NUM			 316
1820 #define SSL_F_DTLS1_CLIENT_HELLO			 248
1821 #define SSL_F_DTLS1_CONNECT				 249
1822 #define SSL_F_DTLS1_ENC					 250
1823 #define SSL_F_DTLS1_GET_HELLO_VERIFY			 251
1824 #define SSL_F_DTLS1_GET_MESSAGE				 252
1825 #define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT		 253
1826 #define SSL_F_DTLS1_GET_RECORD				 254
1827 #define SSL_F_DTLS1_HANDLE_TIMEOUT			 297
1828 #define SSL_F_DTLS1_HEARTBEAT				 305
1829 #define SSL_F_DTLS1_OUTPUT_CERT_CHAIN			 255
1830 #define SSL_F_DTLS1_PREPROCESS_FRAGMENT			 288
1831 #define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE		 256
1832 #define SSL_F_DTLS1_PROCESS_RECORD			 257
1833 #define SSL_F_DTLS1_READ_BYTES				 258
1834 #define SSL_F_DTLS1_READ_FAILED				 259
1835 #define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST		 260
1836 #define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE		 261
1837 #define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE		 262
1838 #define SSL_F_DTLS1_SEND_CLIENT_VERIFY			 263
1839 #define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST		 264
1840 #define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE		 265
1841 #define SSL_F_DTLS1_SEND_SERVER_HELLO			 266
1842 #define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE		 267
1843 #define SSL_F_DTLS1_WRITE_APP_DATA_BYTES		 268
1844 #define SSL_F_GET_CLIENT_FINISHED			 105
1845 #define SSL_F_GET_CLIENT_HELLO				 106
1846 #define SSL_F_GET_CLIENT_MASTER_KEY			 107
1847 #define SSL_F_GET_SERVER_FINISHED			 108
1848 #define SSL_F_GET_SERVER_HELLO				 109
1849 #define SSL_F_GET_SERVER_VERIFY				 110
1850 #define SSL_F_I2D_SSL_SESSION				 111
1851 #define SSL_F_READ_N					 112
1852 #define SSL_F_REQUEST_CERTIFICATE			 113
1853 #define SSL_F_SERVER_FINISH				 239
1854 #define SSL_F_SERVER_HELLO				 114
1855 #define SSL_F_SERVER_VERIFY				 240
1856 #define SSL_F_SSL23_ACCEPT				 115
1857 #define SSL_F_SSL23_CLIENT_HELLO			 116
1858 #define SSL_F_SSL23_CONNECT				 117
1859 #define SSL_F_SSL23_GET_CLIENT_HELLO			 118
1860 #define SSL_F_SSL23_GET_SERVER_HELLO			 119
1861 #define SSL_F_SSL23_PEEK				 237
1862 #define SSL_F_SSL23_READ				 120
1863 #define SSL_F_SSL23_WRITE				 121
1864 #define SSL_F_SSL2_ACCEPT				 122
1865 #define SSL_F_SSL2_CONNECT				 123
1866 #define SSL_F_SSL2_ENC_INIT				 124
1867 #define SSL_F_SSL2_GENERATE_KEY_MATERIAL		 241
1868 #define SSL_F_SSL2_PEEK					 234
1869 #define SSL_F_SSL2_READ					 125
1870 #define SSL_F_SSL2_READ_INTERNAL			 236
1871 #define SSL_F_SSL2_SET_CERTIFICATE			 126
1872 #define SSL_F_SSL2_WRITE				 127
1873 #define SSL_F_SSL3_ACCEPT				 128
1874 #define SSL_F_SSL3_ADD_CERT_TO_BUF			 296
1875 #define SSL_F_SSL3_CALLBACK_CTRL			 233
1876 #define SSL_F_SSL3_CHANGE_CIPHER_STATE			 129
1877 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM		 130
1878 #define SSL_F_SSL3_CHECK_CLIENT_HELLO			 304
1879 #define SSL_F_SSL3_CLIENT_HELLO				 131
1880 #define SSL_F_SSL3_CONNECT				 132
1881 #define SSL_F_SSL3_CTRL					 213
1882 #define SSL_F_SSL3_CTX_CTRL				 133
1883 #define SSL_F_SSL3_DIGEST_CACHED_RECORDS		 293
1884 #define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC		 292
1885 #define SSL_F_SSL3_ENC					 134
1886 #define SSL_F_SSL3_GENERATE_KEY_BLOCK			 238
1887 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST		 135
1888 #define SSL_F_SSL3_GET_CERT_STATUS			 289
1889 #define SSL_F_SSL3_GET_CERT_VERIFY			 136
1890 #define SSL_F_SSL3_GET_CLIENT_CERTIFICATE		 137
1891 #define SSL_F_SSL3_GET_CLIENT_HELLO			 138
1892 #define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE		 139
1893 #define SSL_F_SSL3_GET_FINISHED				 140
1894 #define SSL_F_SSL3_GET_KEY_EXCHANGE			 141
1895 #define SSL_F_SSL3_GET_MESSAGE				 142
1896 #define SSL_F_SSL3_GET_NEW_SESSION_TICKET		 283
1897 #define SSL_F_SSL3_GET_NEXT_PROTO			 306
1898 #define SSL_F_SSL3_GET_RECORD				 143
1899 #define SSL_F_SSL3_GET_SERVER_CERTIFICATE		 144
1900 #define SSL_F_SSL3_GET_SERVER_DONE			 145
1901 #define SSL_F_SSL3_GET_SERVER_HELLO			 146
1902 #define SSL_F_SSL3_HANDSHAKE_MAC			 285
1903 #define SSL_F_SSL3_NEW_SESSION_TICKET			 287
1904 #define SSL_F_SSL3_OUTPUT_CERT_CHAIN			 147
1905 #define SSL_F_SSL3_PEEK					 235
1906 #define SSL_F_SSL3_READ_BYTES				 148
1907 #define SSL_F_SSL3_READ_N				 149
1908 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST		 150
1909 #define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE		 151
1910 #define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE		 152
1911 #define SSL_F_SSL3_SEND_CLIENT_VERIFY			 153
1912 #define SSL_F_SSL3_SEND_SERVER_CERTIFICATE		 154
1913 #define SSL_F_SSL3_SEND_SERVER_HELLO			 242
1914 #define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE		 155
1915 #define SSL_F_SSL3_SETUP_KEY_BLOCK			 157
1916 #define SSL_F_SSL3_SETUP_READ_BUFFER			 156
1917 #define SSL_F_SSL3_SETUP_WRITE_BUFFER			 291
1918 #define SSL_F_SSL3_WRITE_BYTES				 158
1919 #define SSL_F_SSL3_WRITE_PENDING			 159
1920 #define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT	 298
1921 #define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT		 277
1922 #define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT		 307
1923 #define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK	 215
1924 #define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK	 216
1925 #define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT	 299
1926 #define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT		 278
1927 #define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT		 308
1928 #define SSL_F_SSL_BAD_METHOD				 160
1929 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST			 161
1930 #define SSL_F_SSL_CERT_DUP				 221
1931 #define SSL_F_SSL_CERT_INST				 222
1932 #define SSL_F_SSL_CERT_INSTANTIATE			 214
1933 #define SSL_F_SSL_CERT_NEW				 162
1934 #define SSL_F_SSL_CHECK_PRIVATE_KEY			 163
1935 #define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT		 280
1936 #define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG		 279
1937 #define SSL_F_SSL_CIPHER_PROCESS_RULESTR		 230
1938 #define SSL_F_SSL_CIPHER_STRENGTH_SORT			 231
1939 #define SSL_F_SSL_CLEAR					 164
1940 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD		 165
1941 #define SSL_F_SSL_CREATE_CIPHER_LIST			 166
1942 #define SSL_F_SSL_CTRL					 232
1943 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY			 168
1944 #define SSL_F_SSL_CTX_MAKE_PROFILES			 309
1945 #define SSL_F_SSL_CTX_NEW				 169
1946 #define SSL_F_SSL_CTX_SET_CIPHER_LIST			 269
1947 #define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE		 290
1948 #define SSL_F_SSL_CTX_SET_PURPOSE			 226
1949 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT		 219
1950 #define SSL_F_SSL_CTX_SET_SSL_VERSION			 170
1951 #define SSL_F_SSL_CTX_SET_TRUST				 229
1952 #define SSL_F_SSL_CTX_USE_CERTIFICATE			 171
1953 #define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1		 172
1954 #define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE	 220
1955 #define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE		 173
1956 #define SSL_F_SSL_CTX_USE_PRIVATEKEY			 174
1957 #define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1		 175
1958 #define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE		 176
1959 #define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT		 272
1960 #define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY			 177
1961 #define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1		 178
1962 #define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE		 179
1963 #define SSL_F_SSL_DO_HANDSHAKE				 180
1964 #define SSL_F_SSL_GET_NEW_SESSION			 181
1965 #define SSL_F_SSL_GET_PREV_SESSION			 217
1966 #define SSL_F_SSL_GET_SERVER_SEND_CERT			 182
1967 #define SSL_F_SSL_GET_SERVER_SEND_PKEY			 317
1968 #define SSL_F_SSL_GET_SIGN_PKEY				 183
1969 #define SSL_F_SSL_INIT_WBIO_BUFFER			 184
1970 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
1971 #define SSL_F_SSL_NEW					 186
1972 #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT	 300
1973 #define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT		 302
1974 #define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT	 310
1975 #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT	 301
1976 #define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT		 303
1977 #define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT	 311
1978 #define SSL_F_SSL_PEEK					 270
1979 #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT		 281
1980 #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT		 282
1981 #define SSL_F_SSL_READ					 223
1982 #define SSL_F_SSL_RSA_PRIVATE_DECRYPT			 187
1983 #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT			 188
1984 #define SSL_F_SSL_SESSION_NEW				 189
1985 #define SSL_F_SSL_SESSION_PRINT_FP			 190
1986 #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT		 312
1987 #define SSL_F_SSL_SESS_CERT_NEW				 225
1988 #define SSL_F_SSL_SET_CERT				 191
1989 #define SSL_F_SSL_SET_CIPHER_LIST			 271
1990 #define SSL_F_SSL_SET_FD				 192
1991 #define SSL_F_SSL_SET_PKEY				 193
1992 #define SSL_F_SSL_SET_PURPOSE				 227
1993 #define SSL_F_SSL_SET_RFD				 194
1994 #define SSL_F_SSL_SET_SESSION				 195
1995 #define SSL_F_SSL_SET_SESSION_ID_CONTEXT		 218
1996 #define SSL_F_SSL_SET_SESSION_TICKET_EXT		 294
1997 #define SSL_F_SSL_SET_TRUST				 228
1998 #define SSL_F_SSL_SET_WFD				 196
1999 #define SSL_F_SSL_SHUTDOWN				 224
2000 #define SSL_F_SSL_SRP_CTX_INIT				 313
2001 #define SSL_F_SSL_UNDEFINED_CONST_FUNCTION		 243
2002 #define SSL_F_SSL_UNDEFINED_FUNCTION			 197
2003 #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION		 244
2004 #define SSL_F_SSL_USE_CERTIFICATE			 198
2005 #define SSL_F_SSL_USE_CERTIFICATE_ASN1			 199
2006 #define SSL_F_SSL_USE_CERTIFICATE_FILE			 200
2007 #define SSL_F_SSL_USE_PRIVATEKEY			 201
2008 #define SSL_F_SSL_USE_PRIVATEKEY_ASN1			 202
2009 #define SSL_F_SSL_USE_PRIVATEKEY_FILE			 203
2010 #define SSL_F_SSL_USE_PSK_IDENTITY_HINT			 273
2011 #define SSL_F_SSL_USE_RSAPRIVATEKEY			 204
2012 #define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1		 205
2013 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE		 206
2014 #define SSL_F_SSL_VERIFY_CERT_CHAIN			 207
2015 #define SSL_F_SSL_WRITE					 208
2016 #define SSL_F_TLS1_AEAD_CTX_INIT			 339
2017 #define SSL_F_TLS1_CERT_VERIFY_MAC			 286
2018 #define SSL_F_TLS1_CHANGE_CIPHER_STATE			 209
2019 #define SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD		 340
2020 #define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER		 338
2021 #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT		 274
2022 #define SSL_F_TLS1_ENC					 210
2023 #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL		 314
2024 #define SSL_F_TLS1_HEARTBEAT				 315
2025 #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT		 275
2026 #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT		 276
2027 #define SSL_F_TLS1_PRF					 284
2028 #define SSL_F_TLS1_SETUP_KEY_BLOCK			 211
2029 #define SSL_F_WRITE_PENDING				 212
2030 
2031 /* Reason codes. */
2032 #define SSL_R_APP_DATA_IN_HANDSHAKE			 100
2033 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
2034 #define SSL_R_BAD_ALERT_RECORD				 101
2035 #define SSL_R_BAD_AUTHENTICATION_TYPE			 102
2036 #define SSL_R_BAD_CHANGE_CIPHER_SPEC			 103
2037 #define SSL_R_BAD_CHECKSUM				 104
2038 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK		 106
2039 #define SSL_R_BAD_DECOMPRESSION				 107
2040 #define SSL_R_BAD_DH_G_LENGTH				 108
2041 #define SSL_R_BAD_DH_PUB_KEY_LENGTH			 109
2042 #define SSL_R_BAD_DH_P_LENGTH				 110
2043 #define SSL_R_BAD_DIGEST_LENGTH				 111
2044 #define SSL_R_BAD_DSA_SIGNATURE				 112
2045 #define SSL_R_BAD_ECC_CERT				 304
2046 #define SSL_R_BAD_ECDSA_SIGNATURE			 305
2047 #define SSL_R_BAD_ECPOINT				 306
2048 #define SSL_R_BAD_HANDSHAKE_LENGTH			 332
2049 #define SSL_R_BAD_HELLO_REQUEST				 105
2050 #define SSL_R_BAD_LENGTH				 271
2051 #define SSL_R_BAD_MAC_DECODE				 113
2052 #define SSL_R_BAD_MAC_LENGTH				 333
2053 #define SSL_R_BAD_MESSAGE_TYPE				 114
2054 #define SSL_R_BAD_PACKET_LENGTH				 115
2055 #define SSL_R_BAD_PROTOCOL_VERSION_NUMBER		 116
2056 #define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH		 316
2057 #define SSL_R_BAD_RESPONSE_ARGUMENT			 117
2058 #define SSL_R_BAD_RSA_DECRYPT				 118
2059 #define SSL_R_BAD_RSA_ENCRYPT				 119
2060 #define SSL_R_BAD_RSA_E_LENGTH				 120
2061 #define SSL_R_BAD_RSA_MODULUS_LENGTH			 121
2062 #define SSL_R_BAD_RSA_SIGNATURE				 122
2063 #define SSL_R_BAD_SIGNATURE				 123
2064 #define SSL_R_BAD_SRP_A_LENGTH				 347
2065 #define SSL_R_BAD_SRP_B_LENGTH				 348
2066 #define SSL_R_BAD_SRP_G_LENGTH				 349
2067 #define SSL_R_BAD_SRP_N_LENGTH				 350
2068 #define SSL_R_BAD_SRP_S_LENGTH				 351
2069 #define SSL_R_BAD_SRTP_MKI_VALUE			 352
2070 #define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST		 353
2071 #define SSL_R_BAD_SSL_FILETYPE				 124
2072 #define SSL_R_BAD_SSL_SESSION_ID_LENGTH			 125
2073 #define SSL_R_BAD_STATE					 126
2074 #define SSL_R_BAD_WRITE_RETRY				 127
2075 #define SSL_R_BIO_NOT_SET				 128
2076 #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG			 129
2077 #define SSL_R_BN_LIB					 130
2078 #define SSL_R_CA_DN_LENGTH_MISMATCH			 131
2079 #define SSL_R_CA_DN_TOO_LONG				 132
2080 #define SSL_R_CA_KEY_TOO_SMALL				 397
2081 #define SSL_R_CA_MD_TOO_WEAK				 398
2082 #define SSL_R_CCS_RECEIVED_EARLY			 133
2083 #define SSL_R_CERTIFICATE_VERIFY_FAILED			 134
2084 #define SSL_R_CERT_LENGTH_MISMATCH			 135
2085 #define SSL_R_CHALLENGE_IS_DIFFERENT			 136
2086 #define SSL_R_CIPHER_CODE_WRONG_LENGTH			 137
2087 #define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE		 371
2088 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE		 138
2089 #define SSL_R_CIPHER_TABLE_SRC_ERROR			 139
2090 #define SSL_R_CLIENTHELLO_TLSEXT			 226
2091 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG		 140
2092 #define SSL_R_COMPRESSION_DISABLED			 343
2093 #define SSL_R_COMPRESSION_FAILURE			 141
2094 #define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE	 307
2095 #define SSL_R_COMPRESSION_LIBRARY_ERROR			 142
2096 #define SSL_R_CONNECTION_ID_IS_DIFFERENT		 143
2097 #define SSL_R_CONNECTION_TYPE_NOT_SET			 144
2098 #define SSL_R_COOKIE_MISMATCH				 308
2099 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 145
2100 #define SSL_R_DATA_LENGTH_TOO_LONG			 146
2101 #define SSL_R_DECRYPTION_FAILED				 147
2102 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC	 281
2103 #define SSL_R_DH_KEY_TOO_SMALL				 394
2104 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG		 148
2105 #define SSL_R_DIGEST_CHECK_FAILED			 149
2106 #define SSL_R_DTLS_MESSAGE_TOO_BIG			 334
2107 #define SSL_R_DUPLICATE_COMPRESSION_ID			 309
2108 #define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT		 317
2109 #define SSL_R_ECC_CERT_NOT_FOR_SIGNING			 318
2110 #define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE	 322
2111 #define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE	 323
2112 #define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER		 310
2113 #define SSL_R_EE_KEY_TOO_SMALL				 399
2114 #define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST	 354
2115 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
2116 #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY		 282
2117 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 151
2118 #define SSL_R_EXCESSIVE_MESSAGE_SIZE			 152
2119 #define SSL_R_EXTRA_DATA_IN_MESSAGE			 153
2120 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS			 154
2121 #define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS		 355
2122 #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION		 356
2123 #define SSL_R_HTTPS_PROXY_REQUEST			 155
2124 #define SSL_R_HTTP_REQUEST				 156
2125 #define SSL_R_ILLEGAL_PADDING				 283
2126 #define SSL_R_INAPPROPRIATE_FALLBACK			 373
2127 #define SSL_R_INCONSISTENT_COMPRESSION			 340
2128 #define SSL_R_INVALID_CHALLENGE_LENGTH			 158
2129 #define SSL_R_INVALID_COMMAND				 280
2130 #define SSL_R_INVALID_COMPRESSION_ALGORITHM		 341
2131 #define SSL_R_INVALID_PURPOSE				 278
2132 #define SSL_R_INVALID_SRP_USERNAME			 357
2133 #define SSL_R_INVALID_STATUS_RESPONSE			 328
2134 #define SSL_R_INVALID_TICKET_KEYS_LENGTH		 325
2135 #define SSL_R_INVALID_TRUST				 279
2136 #define SSL_R_KEY_ARG_TOO_LONG				 284
2137 #define SSL_R_KRB5					 285
2138 #define SSL_R_KRB5_C_CC_PRINC				 286
2139 #define SSL_R_KRB5_C_GET_CRED				 287
2140 #define SSL_R_KRB5_C_INIT				 288
2141 #define SSL_R_KRB5_C_MK_REQ				 289
2142 #define SSL_R_KRB5_S_BAD_TICKET				 290
2143 #define SSL_R_KRB5_S_INIT				 291
2144 #define SSL_R_KRB5_S_RD_REQ				 292
2145 #define SSL_R_KRB5_S_TKT_EXPIRED			 293
2146 #define SSL_R_KRB5_S_TKT_NYV				 294
2147 #define SSL_R_KRB5_S_TKT_SKEW				 295
2148 #define SSL_R_LENGTH_MISMATCH				 159
2149 #define SSL_R_LENGTH_TOO_SHORT				 160
2150 #define SSL_R_LIBRARY_BUG				 274
2151 #define SSL_R_LIBRARY_HAS_NO_CIPHERS			 161
2152 #define SSL_R_MESSAGE_TOO_LONG				 296
2153 #define SSL_R_MISSING_DH_DSA_CERT			 162
2154 #define SSL_R_MISSING_DH_KEY				 163
2155 #define SSL_R_MISSING_DH_RSA_CERT			 164
2156 #define SSL_R_MISSING_DSA_SIGNING_CERT			 165
2157 #define SSL_R_MISSING_EXPORT_TMP_DH_KEY			 166
2158 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY		 167
2159 #define SSL_R_MISSING_RSA_CERTIFICATE			 168
2160 #define SSL_R_MISSING_RSA_ENCRYPTING_CERT		 169
2161 #define SSL_R_MISSING_RSA_SIGNING_CERT			 170
2162 #define SSL_R_MISSING_SRP_PARAM				 358
2163 #define SSL_R_MISSING_TMP_DH_KEY			 171
2164 #define SSL_R_MISSING_TMP_ECDH_KEY			 311
2165 #define SSL_R_MISSING_TMP_RSA_KEY			 172
2166 #define SSL_R_MISSING_TMP_RSA_PKEY			 173
2167 #define SSL_R_MISSING_VERIFY_MESSAGE			 174
2168 #define SSL_R_MULTIPLE_SGC_RESTARTS			 346
2169 #define SSL_R_NON_SSLV2_INITIAL_PACKET			 175
2170 #define SSL_R_NO_APPLICATION_PROTOCOL			 235
2171 #define SSL_R_NO_CERTIFICATES_RETURNED			 176
2172 #define SSL_R_NO_CERTIFICATE_ASSIGNED			 177
2173 #define SSL_R_NO_CERTIFICATE_RETURNED			 178
2174 #define SSL_R_NO_CERTIFICATE_SET			 179
2175 #define SSL_R_NO_CERTIFICATE_SPECIFIED			 180
2176 #define SSL_R_NO_CIPHERS_AVAILABLE			 181
2177 #define SSL_R_NO_CIPHERS_PASSED				 182
2178 #define SSL_R_NO_CIPHERS_SPECIFIED			 183
2179 #define SSL_R_NO_CIPHER_LIST				 184
2180 #define SSL_R_NO_CIPHER_MATCH				 185
2181 #define SSL_R_NO_CLIENT_CERT_METHOD			 331
2182 #define SSL_R_NO_CLIENT_CERT_RECEIVED			 186
2183 #define SSL_R_NO_COMPRESSION_SPECIFIED			 187
2184 #define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER		 330
2185 #define SSL_R_NO_METHOD_SPECIFIED			 188
2186 #define SSL_R_NO_PRIVATEKEY				 189
2187 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 190
2188 #define SSL_R_NO_PROTOCOLS_AVAILABLE			 191
2189 #define SSL_R_NO_PUBLICKEY				 192
2190 #define SSL_R_NO_RENEGOTIATION				 339
2191 #define SSL_R_NO_REQUIRED_DIGEST			 324
2192 #define SSL_R_NO_SHARED_CIPHER				 193
2193 #define SSL_R_NO_SRTP_PROFILES				 359
2194 #define SSL_R_NO_VERIFY_CALLBACK			 194
2195 #define SSL_R_NULL_SSL_CTX				 195
2196 #define SSL_R_NULL_SSL_METHOD_PASSED			 196
2197 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED		 197
2198 #define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
2199 #define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE		 297
2200 #define SSL_R_PACKET_LENGTH_TOO_LONG			 198
2201 #define SSL_R_PARSE_TLSEXT				 227
2202 #define SSL_R_PATH_TOO_LONG				 270
2203 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE		 199
2204 #define SSL_R_PEER_ERROR				 200
2205 #define SSL_R_PEER_ERROR_CERTIFICATE			 201
2206 #define SSL_R_PEER_ERROR_NO_CERTIFICATE			 202
2207 #define SSL_R_PEER_ERROR_NO_CIPHER			 203
2208 #define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	 204
2209 #define SSL_R_PRE_MAC_LENGTH_TOO_LONG			 205
2210 #define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS		 206
2211 #define SSL_R_PROTOCOL_IS_SHUTDOWN			 207
2212 #define SSL_R_PSK_IDENTITY_NOT_FOUND			 223
2213 #define SSL_R_PSK_NO_CLIENT_CB				 224
2214 #define SSL_R_PSK_NO_SERVER_CB				 225
2215 #define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR			 208
2216 #define SSL_R_PUBLIC_KEY_IS_NOT_RSA			 209
2217 #define SSL_R_PUBLIC_KEY_NOT_RSA			 210
2218 #define SSL_R_READ_BIO_NOT_SET				 211
2219 #define SSL_R_READ_TIMEOUT_EXPIRED			 312
2220 #define SSL_R_READ_WRONG_PACKET_TYPE			 212
2221 #define SSL_R_RECORD_LENGTH_MISMATCH			 213
2222 #define SSL_R_RECORD_TOO_LARGE				 214
2223 #define SSL_R_RECORD_TOO_SMALL				 298
2224 #define SSL_R_RENEGOTIATE_EXT_TOO_LONG			 335
2225 #define SSL_R_RENEGOTIATION_ENCODING_ERR		 336
2226 #define SSL_R_RENEGOTIATION_MISMATCH			 337
2227 #define SSL_R_REQUIRED_CIPHER_MISSING			 215
2228 #define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING	 342
2229 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO		 216
2230 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO			 217
2231 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO		 218
2232 #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING		 345
2233 #define SSL_R_SERVERHELLO_TLSEXT			 275
2234 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED		 277
2235 #define SSL_R_SHORT_READ				 219
2236 #define SSL_R_SIGNATURE_ALGORITHMS_ERROR		 360
2237 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
2238 #define SSL_R_SRP_A_CALC				 361
2239 #define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES		 362
2240 #define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG	 363
2241 #define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE		 364
2242 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
2243 #define SSL_R_SSL2_CONNECTION_ID_TOO_LONG		 299
2244 #define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT		 321
2245 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME		 319
2246 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE		 320
2247 #define SSL_R_SSL3_SESSION_ID_TOO_LONG			 300
2248 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
2249 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
2250 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
2251 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED		 1045
2252 #define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED		 1044
2253 #define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN		 1046
2254 #define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE		 1030
2255 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE		 1040
2256 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER		 1047
2257 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE		 1041
2258 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE		 1010
2259 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE	 1043
2260 #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION	 228
2261 #define SSL_R_SSL_HANDSHAKE_FAILURE			 229
2262 #define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS		 230
2263 #define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED		 301
2264 #define SSL_R_SSL_SESSION_ID_CONFLICT			 302
2265 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG		 273
2266 #define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH		 303
2267 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT		 231
2268 #define SSL_R_SSL_SESSION_ID_TOO_LONG			 408
2269 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED			 1049
2270 #define SSL_R_TLSV1_ALERT_DECODE_ERROR			 1050
2271 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED		 1021
2272 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR			 1051
2273 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION		 1060
2274 #define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK	 1086
2275 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY		 1071
2276 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR		 1080
2277 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION		 1100
2278 #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION		 1070
2279 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW		 1022
2280 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA			 1048
2281 #define SSL_R_TLSV1_ALERT_USER_CANCELLED		 1090
2282 #define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE		 1114
2283 #define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE	 1113
2284 #define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE		 1111
2285 #define SSL_R_TLSV1_UNRECOGNIZED_NAME			 1112
2286 #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION		 1110
2287 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER	 232
2288 #define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT		 365
2289 #define SSL_R_TLS_HEARTBEAT_PENDING			 366
2290 #define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL		 367
2291 #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST		 157
2292 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
2293 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 234
2294 #define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER		 235
2295 #define SSL_R_UNABLE_TO_DECODE_DH_CERTS			 236
2296 #define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS		 313
2297 #define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY		 237
2298 #define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS		 238
2299 #define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS		 314
2300 #define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS	 239
2301 #define SSL_R_UNABLE_TO_FIND_SSL_METHOD			 240
2302 #define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES		 241
2303 #define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES		 242
2304 #define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES		 243
2305 #define SSL_R_UNEXPECTED_MESSAGE			 244
2306 #define SSL_R_UNEXPECTED_RECORD				 245
2307 #define SSL_R_UNINITIALIZED				 276
2308 #define SSL_R_UNKNOWN_ALERT_TYPE			 246
2309 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE			 247
2310 #define SSL_R_UNKNOWN_CIPHER_RETURNED			 248
2311 #define SSL_R_UNKNOWN_CIPHER_TYPE			 249
2312 #define SSL_R_UNKNOWN_DIGEST				 368
2313 #define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE			 250
2314 #define SSL_R_UNKNOWN_PKEY_TYPE				 251
2315 #define SSL_R_UNKNOWN_PROTOCOL				 252
2316 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253
2317 #define SSL_R_UNKNOWN_SSL_VERSION			 254
2318 #define SSL_R_UNKNOWN_STATE				 255
2319 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED	 338
2320 #define SSL_R_UNSUPPORTED_CIPHER			 256
2321 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
2322 #define SSL_R_UNSUPPORTED_DIGEST_TYPE			 326
2323 #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE		 315
2324 #define SSL_R_UNSUPPORTED_PROTOCOL			 258
2325 #define SSL_R_UNSUPPORTED_SSL_VERSION			 259
2326 #define SSL_R_UNSUPPORTED_STATUS_TYPE			 329
2327 #define SSL_R_USE_SRTP_NOT_NEGOTIATED			 369
2328 #define SSL_R_VERSION_TOO_LOW				 396
2329 #define SSL_R_WRITE_BIO_NOT_SET				 260
2330 #define SSL_R_WRONG_CIPHER_RETURNED			 261
2331 #define SSL_R_WRONG_CURVE				 378
2332 #define SSL_R_WRONG_MESSAGE_TYPE			 262
2333 #define SSL_R_WRONG_NUMBER_OF_KEY_BITS			 263
2334 #define SSL_R_WRONG_SIGNATURE_LENGTH			 264
2335 #define SSL_R_WRONG_SIGNATURE_SIZE			 265
2336 #define SSL_R_WRONG_SIGNATURE_TYPE			 370
2337 #define SSL_R_WRONG_SSL_VERSION				 266
2338 #define SSL_R_WRONG_VERSION_NUMBER			 267
2339 #define SSL_R_X509_LIB					 268
2340 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
2341 #define SSL_R_PEER_BEHAVING_BADLY			 666
2342 #define SSL_R_QUIC_INTERNAL_ERROR			 667
2343 #define SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED		 668
2344 #define SSL_R_UNKNOWN					 999
2345 
2346 /*
2347  * OpenSSL compatible OPENSSL_INIT options
2348  */
2349 
2350 /*
2351  * These are provided for compatibiliy, but have no effect
2352  * on how LibreSSL is initialized.
2353  */
2354 #define OPENSSL_INIT_LOAD_SSL_STRINGS	_OPENSSL_INIT_FLAG_NOOP
2355 #define OPENSSL_INIT_SSL_DEFAULT	_OPENSSL_INIT_FLAG_NOOP
2356 
2357 int OPENSSL_init_ssl(uint64_t opts, const void *settings);
2358 
2359 #ifdef  __cplusplus
2360 }
2361 #endif
2362 #endif
2363