File Coverage

include/bearssl_ssl.h

Criterion	Covered	Total	%
statement	2	27	7.4
branch			n/a
condition			n/a
subroutine			n/a
pod			n/a
total	2	27	7.4

line	stmt	code
1		/*
2		* Copyright (c) 2016 Thomas Pornin
3		*
4		* Permission is hereby granted, free of charge, to any person obtaining
5		* a copy of this software and associated documentation files (the
6		* "Software"), to deal in the Software without restriction, including
7		* without limitation the rights to use, copy, modify, merge, publish,
8		* distribute, sublicense, and/or sell copies of the Software, and to
9		* permit persons to whom the Software is furnished to do so, subject to
10		* the following conditions:
11		*
12		* The above copyright notice and this permission notice shall be
13		* included in all copies or substantial portions of the Software.
14		*
15		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16		* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17		* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18		* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19		* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20		* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21		* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22		* SOFTWARE.
23		*/
24
25		#ifndef BR_BEARSSL_SSL_H__
26		#define BR_BEARSSL_SSL_H__
27
28		#include
29		#include
30
31		#include "bearssl_block.h"
32		#include "bearssl_hash.h"
33		#include "bearssl_hmac.h"
34		#include "bearssl_prf.h"
35		#include "bearssl_rand.h"
36		#include "bearssl_x509.h"
37
38		#ifdef __cplusplus
39		extern "C" {
40		#endif
41
42		/** \file bearssl_ssl.h
43		*
44		* # SSL
45		*
46		* For an overview of the SSL/TLS API, see [the BearSSL Web
47		* site](https://www.bearssl.org/api1.html).
48		*
49		* The `BR_TLS_*` constants correspond to the standard cipher suites and
50		* their values in the [IANA
51		* registry](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
52		*
53		* The `BR_ALERT_*` constants are for standard TLS alert messages. When
54		* a fatal alert message is sent of received, then the SSL engine context
55		* status is set to the sum of that alert value (an integer in the 0..255
56		* range) and a fixed offset (`BR_ERR_SEND_FATAL_ALERT` for a sent alert,
57		* `BR_ERR_RECV_FATAL_ALERT` for a received alert).
58		*/
59
60		/** \brief Optimal input buffer size. */
61		#define BR_SSL_BUFSIZE_INPUT (16384 + 325)
62
63		/** \brief Optimal output buffer size. */
64		#define BR_SSL_BUFSIZE_OUTPUT (16384 + 85)
65
66		/** \brief Optimal buffer size for monodirectional engine
67		(shared input/output buffer). */
68		#define BR_SSL_BUFSIZE_MONO BR_SSL_BUFSIZE_INPUT
69
70		/** \brief Optimal buffer size for bidirectional engine
71		(single buffer split into two separate input/output buffers). */
72		#define BR_SSL_BUFSIZE_BIDI (BR_SSL_BUFSIZE_INPUT + BR_SSL_BUFSIZE_OUTPUT)
73
74		/*
75		* Constants for known SSL/TLS protocol versions (SSL 3.0, TLS 1.0, TLS 1.1
76		* and TLS 1.2). Note that though there is a constant for SSL 3.0, that
77		* protocol version is not actually supported.
78		*/
79
80		/** \brief Protocol version: SSL 3.0 (unsupported). */
81		#define BR_SSL30 0x0300
82		/** \brief Protocol version: TLS 1.0. */
83		#define BR_TLS10 0x0301
84		/** \brief Protocol version: TLS 1.1. */
85		#define BR_TLS11 0x0302
86		/** \brief Protocol version: TLS 1.2. */
87		#define BR_TLS12 0x0303
88
89		/*
90		* Error constants. They are used to report the reason why a context has
91		* been marked as failed.
92		*
93		* Implementation note: SSL-level error codes should be in the 1..31
94		* range. The 32..63 range is for certificate decoding and validation
95		* errors. Received fatal alerts imply an error code in the 256..511 range.
96		*/
97
98		/** \brief SSL status: no error so far (0). */
99		#define BR_ERR_OK 0
100
101		/** \brief SSL status: caller-provided parameter is incorrect. */
102		#define BR_ERR_BAD_PARAM 1
103
104		/** \brief SSL status: operation requested by the caller cannot be applied
105		with the current context state (e.g. reading data while outgoing data
106		is waiting to be sent). */
107		#define BR_ERR_BAD_STATE 2
108
109		/** \brief SSL status: incoming protocol or record version is unsupported. */
110		#define BR_ERR_UNSUPPORTED_VERSION 3
111
112		/** \brief SSL status: incoming record version does not match the expected
113		version. */
114		#define BR_ERR_BAD_VERSION 4
115
116		/** \brief SSL status: incoming record length is invalid. */
117		#define BR_ERR_BAD_LENGTH 5
118
119		/** \brief SSL status: incoming record is too large to be processed, or
120		buffer is too small for the handshake message to send. */
121		#define BR_ERR_TOO_LARGE 6
122
123		/** \brief SSL status: decryption found an invalid padding, or the record
124		MAC is not correct. */
125		#define BR_ERR_BAD_MAC 7
126
127		/** \brief SSL status: no initial entropy was provided, and none can be
128		obtained from the OS. */
129		#define BR_ERR_NO_RANDOM 8
130
131		/** \brief SSL status: incoming record type is unknown. */
132		#define BR_ERR_UNKNOWN_TYPE 9
133
134		/** \brief SSL status: incoming record or message has wrong type with
135		regards to the current engine state. */
136		#define BR_ERR_UNEXPECTED 10
137
138		/** \brief SSL status: ChangeCipherSpec message from the peer has invalid
139		contents. */
140		#define BR_ERR_BAD_CCS 12
141
142		/** \brief SSL status: alert message from the peer has invalid contents
143		(odd length). */
144		#define BR_ERR_BAD_ALERT 13
145
146		/** \brief SSL status: incoming handshake message decoding failed. */
147		#define BR_ERR_BAD_HANDSHAKE 14
148
149		/** \brief SSL status: ServerHello contains a session ID which is larger
150		than 32 bytes. */
151		#define BR_ERR_OVERSIZED_ID 15
152
153		/** \brief SSL status: server wants to use a cipher suite that we did
154		not claim to support. This is also reported if we tried to advertise
155		a cipher suite that we do not support. */
156		#define BR_ERR_BAD_CIPHER_SUITE 16
157
158		/** \brief SSL status: server wants to use a compression that we did not
159		claim to support. */
160		#define BR_ERR_BAD_COMPRESSION 17
161
162		/** \brief SSL status: server's max fragment length does not match
163		client's. */
164		#define BR_ERR_BAD_FRAGLEN 18
165
166		/** \brief SSL status: secure renegotiation failed. */
167		#define BR_ERR_BAD_SECRENEG 19
168
169		/** \brief SSL status: server sent an extension type that we did not
170		announce, or used the same extension type several times in a single
171		ServerHello. */
172		#define BR_ERR_EXTRA_EXTENSION 20
173
174		/** \brief SSL status: invalid Server Name Indication contents (when
175		used by the server, this extension shall be empty). */
176		#define BR_ERR_BAD_SNI 21
177
178		/** \brief SSL status: invalid ServerHelloDone from the server (length
179		is not 0). */
180		#define BR_ERR_BAD_HELLO_DONE 22
181
182		/** \brief SSL status: internal limit exceeded (e.g. server's public key
183		is too large). */
184		#define BR_ERR_LIMIT_EXCEEDED 23
185
186		/** \brief SSL status: Finished message from peer does not match the
187		expected value. */
188		#define BR_ERR_BAD_FINISHED 24
189
190		/** \brief SSL status: session resumption attempt with distinct version
191		or cipher suite. */
192		#define BR_ERR_RESUME_MISMATCH 25
193
194		/** \brief SSL status: unsupported or invalid algorithm (ECDHE curve,
195		signature algorithm, hash function). */
196		#define BR_ERR_INVALID_ALGORITHM 26
197
198		/** \brief SSL status: invalid signature (on ServerKeyExchange from
199		server, or in CertificateVerify from client). */
200		#define BR_ERR_BAD_SIGNATURE 27
201
202		/** \brief SSL status: peer's public key does not have the proper type
203		or is not allowed for requested operation. */
204		#define BR_ERR_WRONG_KEY_USAGE 28
205
206		/** \brief SSL status: client did not send a certificate upon request,
207		or the client certificate could not be validated. */
208		#define BR_ERR_NO_CLIENT_AUTH 29
209
210		/** \brief SSL status: I/O error or premature close on underlying
211		transport stream. This error code is set only by the simplified
212		I/O API ("br_sslio_"). /
213		#define BR_ERR_IO 31
214
215		/** \brief SSL status: base value for a received fatal alert.
216
217		When a fatal alert is received from the peer, the alert value
218		is added to this constant. */
219		#define BR_ERR_RECV_FATAL_ALERT 256
220
221		/** \brief SSL status: base value for a sent fatal alert.
222
223		When a fatal alert is sent to the peer, the alert value is added
224		to this constant. */
225		#define BR_ERR_SEND_FATAL_ALERT 512
226
227		/* ===================================================================== */
228
229		/**
230		* \brief Decryption engine for SSL.
231		*
232		* When processing incoming records, the SSL engine will use a decryption
233		* engine that uses a specific context structure, and has a set of
234		* methods (a vtable) that follows this template.
235		*
236		* The decryption engine is responsible for applying decryption, verifying
237		* MAC, and keeping track of the record sequence number.
238		*/
239		typedef struct br_sslrec_in_class_ br_sslrec_in_class;
240		struct br_sslrec_in_class_ {
241		/**
242		* \brief Context size (in bytes).
243		*/
244		size_t context_size;
245
246		/**
247		* \brief Test validity of the incoming record length.
248		*
249		* This function returns 1 if the announced length for an
250		* incoming record is valid, 0 otherwise,
251		*
252		* \param ctx decryption engine context.
253		* \param record_len incoming record length.
254		* \return 1 of a valid length, 0 otherwise.
255		*/
256		int (check_length)(const br_sslrec_in_class const *ctx,
257		size_t record_len);
258
259		/**
260		* \brief Decrypt the incoming record.
261		*
262		* This function may assume that the record length is valid
263		* (it has been previously tested with `check_length()`).
264		* Decryption is done in place; `*len` is updated with the
265		* cleartext length, and the address of the first plaintext
266		* byte is returned. If the record is correct but empty, then
267		* `*len` is set to 0 and a non-`NULL` pointer is returned.
268		*
269		* On decryption/MAC error, `NULL` is returned.
270		*
271		* \param ctx decryption engine context.
272		* \param record_type record type (23 for application data, etc).
273		* \param version record version.
274		* \param payload address of encrypted payload.
275		* \param len pointer to payload length (updated).
276		* \return pointer to plaintext, or `NULL` on error.
277		*/
278		unsigned char (decrypt)(const br_sslrec_in_class **ctx,
279		int record_type, unsigned version,
280		void payload, size_t len);
281		};
282
283		/**
284		* \brief Encryption engine for SSL.
285		*
286		* When building outgoing records, the SSL engine will use an encryption
287		* engine that uses a specific context structure, and has a set of
288		* methods (a vtable) that follows this template.
289		*
290		* The encryption engine is responsible for applying encryption and MAC,
291		* and keeping track of the record sequence number.
292		*/
293		typedef struct br_sslrec_out_class_ br_sslrec_out_class;
294		struct br_sslrec_out_class_ {
295		/**
296		* \brief Context size (in bytes).
297		*/
298		size_t context_size;
299
300		/**
301		* \brief Compute maximum plaintext sizes and offsets.
302		*
303		* When this function is called, the `start` and `end`
304		* values contain offsets designating the free area in the
305		* outgoing buffer for plaintext data; that free area is
306		* preceded by a 5-byte space which will receive the record
307		* header.
308		*
309		* The `max_plaintext()` function is responsible for adjusting
310		* both `start` and `end` to make room for any record-specific
311		* header, MAC, padding, and possible split.
312		*
313		* \param ctx encryption engine context.
314		* \param start pointer to start of plaintext offset (updated).
315		* \param end pointer to start of plaintext offset (updated).
316		*/
317		void (max_plaintext)(const br_sslrec_out_class const *ctx,
318		size_t start, size_t end);
319
320		/**
321		* \brief Perform record encryption.
322		*
323		* This function encrypts the record. The plaintext address and
324		* length are provided. Returned value is the start of the
325		* encrypted record (or sequence of records, if a split was
326		* performed), _including_ the 5-byte header, and `*len` is
327		* adjusted to the total size of the record(s), there again
328		* including the header(s).
329		*
330		* \param ctx decryption engine context.
331		* \param record_type record type (23 for application data, etc).
332		* \param version record version.
333		* \param plaintext address of plaintext.
334		* \param len pointer to plaintext length (updated).
335		* \return pointer to start of built record.
336		*/
337		unsigned char (encrypt)(const br_sslrec_out_class **ctx,
338		int record_type, unsigned version,
339		void plaintext, size_t len);
340		};
341
342		/**
343		* \brief Context for a no-encryption engine.
344		*
345		* The no-encryption engine processes outgoing records during the initial
346		* handshake, before encryption is applied.
347		*/
348		typedef struct {
349		/** \brief No-encryption engine vtable. */
350		const br_sslrec_out_class *vtable;
351		} br_sslrec_out_clear_context;
352
353		/** \brief Static, constant vtable for the no-encryption engine. */
354		extern const br_sslrec_out_class br_sslrec_out_clear_vtable;
355
356		/* ===================================================================== */
357
358		/**
359		* \brief Record decryption engine class, for CBC mode.
360		*
361		* This class type extends the decryption engine class with an
362		* initialisation method that receives the parameters needed
363		* for CBC processing: block cipher implementation, block cipher key,
364		* HMAC parameters (hash function, key, MAC length), and IV. If the
365		* IV is `NULL`, then a per-record IV will be used (TLS 1.1+).
366		*/
367		typedef struct br_sslrec_in_cbc_class_ br_sslrec_in_cbc_class;
368		struct br_sslrec_in_cbc_class_ {
369		/**
370		* \brief Superclass, as first vtable field.
371		*/
372		br_sslrec_in_class inner;
373
374		/**
375		* \brief Engine initialisation method.
376		*
377		* This method sets the vtable field in the context.
378		*
379		* \param ctx context to initialise.
380		* \param bc_impl block cipher implementation (CBC decryption).
381		* \param bc_key block cipher key.
382		* \param bc_key_len block cipher key length (in bytes).
383		* \param dig_impl hash function for HMAC.
384		* \param mac_key HMAC key.
385		* \param mac_key_len HMAC key length (in bytes).
386		* \param mac_out_len HMAC output length (in bytes).
387		* \param iv initial IV (or `NULL`).
388		*/
389		void (init)(const br_sslrec_in_cbc_class *ctx,
390		const br_block_cbcdec_class *bc_impl,
391		const void *bc_key, size_t bc_key_len,
392		const br_hash_class *dig_impl,
393		const void *mac_key, size_t mac_key_len, size_t mac_out_len,
394		const void *iv);
395		};
396
397		/**
398		* \brief Record encryption engine class, for CBC mode.
399		*
400		* This class type extends the encryption engine class with an
401		* initialisation method that receives the parameters needed
402		* for CBC processing: block cipher implementation, block cipher key,
403		* HMAC parameters (hash function, key, MAC length), and IV. If the
404		* IV is `NULL`, then a per-record IV will be used (TLS 1.1+).
405		*/
406		typedef struct br_sslrec_out_cbc_class_ br_sslrec_out_cbc_class;
407		struct br_sslrec_out_cbc_class_ {
408		/**
409		* \brief Superclass, as first vtable field.
410		*/
411		br_sslrec_out_class inner;
412
413		/**
414		* \brief Engine initialisation method.
415		*
416		* This method sets the vtable field in the context.
417		*
418		* \param ctx context to initialise.
419		* \param bc_impl block cipher implementation (CBC encryption).
420		* \param bc_key block cipher key.
421		* \param bc_key_len block cipher key length (in bytes).
422		* \param dig_impl hash function for HMAC.
423		* \param mac_key HMAC key.
424		* \param mac_key_len HMAC key length (in bytes).
425		* \param mac_out_len HMAC output length (in bytes).
426		* \param iv initial IV (or `NULL`).
427		*/
428		void (init)(const br_sslrec_out_cbc_class *ctx,
429		const br_block_cbcenc_class *bc_impl,
430		const void *bc_key, size_t bc_key_len,
431		const br_hash_class *dig_impl,
432		const void *mac_key, size_t mac_key_len, size_t mac_out_len,
433		const void *iv);
434		};
435
436		/**
437		* \brief Context structure for decrypting incoming records with
438		* CBC + HMAC.
439		*
440		* The first field points to the vtable. The other fields are opaque
441		* and shall not be accessed directly.
442		*/
443		typedef struct {
444		/** \brief Pointer to vtable. */
445		const br_sslrec_in_cbc_class *vtable;
446		#ifndef BR_DOXYGEN_IGNORE
447		uint64_t seq;
448		union {
449		const br_block_cbcdec_class *vtable;
450		br_aes_gen_cbcdec_keys aes;
451		br_des_gen_cbcdec_keys des;
452		} bc;
453		br_hmac_key_context mac;
454		size_t mac_len;
455		unsigned char iv[16];
456		int explicit_IV;
457		#endif
458		} br_sslrec_in_cbc_context;
459
460		/**
461		* \brief Static, constant vtable for record decryption with CBC.
462		*/
463		extern const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable;
464
465		/**
466		* \brief Context structure for encrypting outgoing records with
467		* CBC + HMAC.
468		*
469		* The first field points to the vtable. The other fields are opaque
470		* and shall not be accessed directly.
471		*/
472		typedef struct {
473		/** \brief Pointer to vtable. */
474		const br_sslrec_out_cbc_class *vtable;
475		#ifndef BR_DOXYGEN_IGNORE
476		uint64_t seq;
477		union {
478		const br_block_cbcenc_class *vtable;
479		br_aes_gen_cbcenc_keys aes;
480		br_des_gen_cbcenc_keys des;
481		} bc;
482		br_hmac_key_context mac;
483		size_t mac_len;
484		unsigned char iv[16];
485		int explicit_IV;
486		#endif
487		} br_sslrec_out_cbc_context;
488
489		/**
490		* \brief Static, constant vtable for record encryption with CBC.
491		*/
492		extern const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable;
493
494		/* ===================================================================== */
495
496		/**
497		* \brief Record decryption engine class, for GCM mode.
498		*
499		* This class type extends the decryption engine class with an
500		* initialisation method that receives the parameters needed
501		* for GCM processing: block cipher implementation, block cipher key,
502		* GHASH implementation, and 4-byte IV.
503		*/
504		typedef struct br_sslrec_in_gcm_class_ br_sslrec_in_gcm_class;
505		struct br_sslrec_in_gcm_class_ {
506		/**
507		* \brief Superclass, as first vtable field.
508		*/
509		br_sslrec_in_class inner;
510
511		/**
512		* \brief Engine initialisation method.
513		*
514		* This method sets the vtable field in the context.
515		*
516		* \param ctx context to initialise.
517		* \param bc_impl block cipher implementation (CTR).
518		* \param key block cipher key.
519		* \param key_len block cipher key length (in bytes).
520		* \param gh_impl GHASH implementation.
521		* \param iv static IV (4 bytes).
522		*/
523		void (init)(const br_sslrec_in_gcm_class *ctx,
524		const br_block_ctr_class *bc_impl,
525		const void *key, size_t key_len,
526		br_ghash gh_impl,
527		const void *iv);
528		};
529
530		/**
531		* \brief Record encryption engine class, for GCM mode.
532		*
533		* This class type extends the encryption engine class with an
534		* initialisation method that receives the parameters needed
535		* for GCM processing: block cipher implementation, block cipher key,
536		* GHASH implementation, and 4-byte IV.
537		*/
538		typedef struct br_sslrec_out_gcm_class_ br_sslrec_out_gcm_class;
539		struct br_sslrec_out_gcm_class_ {
540		/**
541		* \brief Superclass, as first vtable field.
542		*/
543		br_sslrec_out_class inner;
544
545		/**
546		* \brief Engine initialisation method.
547		*
548		* This method sets the vtable field in the context.
549		*
550		* \param ctx context to initialise.
551		* \param bc_impl block cipher implementation (CTR).
552		* \param key block cipher key.
553		* \param key_len block cipher key length (in bytes).
554		* \param gh_impl GHASH implementation.
555		* \param iv static IV (4 bytes).
556		*/
557		void (init)(const br_sslrec_out_gcm_class *ctx,
558		const br_block_ctr_class *bc_impl,
559		const void *key, size_t key_len,
560		br_ghash gh_impl,
561		const void *iv);
562		};
563
564		/**
565		* \brief Context structure for processing records with GCM.
566		*
567		* The same context structure is used for encrypting and decrypting.
568		*
569		* The first field points to the vtable. The other fields are opaque
570		* and shall not be accessed directly.
571		*/
572		typedef struct {
573		/** \brief Pointer to vtable. */
574		union {
575		const void *gen;
576		const br_sslrec_in_gcm_class *in;
577		const br_sslrec_out_gcm_class *out;
578		} vtable;
579		#ifndef BR_DOXYGEN_IGNORE
580		uint64_t seq;
581		union {
582		const br_block_ctr_class *vtable;
583		br_aes_gen_ctr_keys aes;
584		} bc;
585		br_ghash gh;
586		unsigned char iv[4];
587		unsigned char h[16];
588		#endif
589		} br_sslrec_gcm_context;
590
591		/**
592		* \brief Static, constant vtable for record decryption with GCM.
593		*/
594		extern const br_sslrec_in_gcm_class br_sslrec_in_gcm_vtable;
595
596		/**
597		* \brief Static, constant vtable for record encryption with GCM.
598		*/
599		extern const br_sslrec_out_gcm_class br_sslrec_out_gcm_vtable;
600
601		/* ===================================================================== */
602
603		/**
604		* \brief Record decryption engine class, for ChaCha20+Poly1305.
605		*
606		* This class type extends the decryption engine class with an
607		* initialisation method that receives the parameters needed
608		* for ChaCha20+Poly1305 processing: ChaCha20 implementation,
609		* Poly1305 implementation, key, and 12-byte IV.
610		*/
611		typedef struct br_sslrec_in_chapol_class_ br_sslrec_in_chapol_class;
612		struct br_sslrec_in_chapol_class_ {
613		/**
614		* \brief Superclass, as first vtable field.
615		*/
616		br_sslrec_in_class inner;
617
618		/**
619		* \brief Engine initialisation method.
620		*
621		* This method sets the vtable field in the context.
622		*
623		* \param ctx context to initialise.
624		* \param ichacha ChaCha20 implementation.
625		* \param ipoly Poly1305 implementation.
626		* \param key secret key (32 bytes).
627		* \param iv static IV (12 bytes).
628		*/
629		void (init)(const br_sslrec_in_chapol_class *ctx,
630		br_chacha20_run ichacha,
631		br_poly1305_run ipoly,
632		const void key, const void iv);
633		};
634
635		/**
636		* \brief Record encryption engine class, for ChaCha20+Poly1305.
637		*
638		* This class type extends the encryption engine class with an
639		* initialisation method that receives the parameters needed
640		* for ChaCha20+Poly1305 processing: ChaCha20 implementation,
641		* Poly1305 implementation, key, and 12-byte IV.
642		*/
643		typedef struct br_sslrec_out_chapol_class_ br_sslrec_out_chapol_class;
644		struct br_sslrec_out_chapol_class_ {
645		/**
646		* \brief Superclass, as first vtable field.
647		*/
648		br_sslrec_out_class inner;
649
650		/**
651		* \brief Engine initialisation method.
652		*
653		* This method sets the vtable field in the context.
654		*
655		* \param ctx context to initialise.
656		* \param ichacha ChaCha20 implementation.
657		* \param ipoly Poly1305 implementation.
658		* \param key secret key (32 bytes).
659		* \param iv static IV (12 bytes).
660		*/
661		void (init)(const br_sslrec_out_chapol_class *ctx,
662		br_chacha20_run ichacha,
663		br_poly1305_run ipoly,
664		const void key, const void iv);
665		};
666
667		/**
668		* \brief Context structure for processing records with ChaCha20+Poly1305.
669		*
670		* The same context structure is used for encrypting and decrypting.
671		*
672		* The first field points to the vtable. The other fields are opaque
673		* and shall not be accessed directly.
674		*/
675		typedef struct {
676		/** \brief Pointer to vtable. */
677		union {
678		const void *gen;
679		const br_sslrec_in_chapol_class *in;
680		const br_sslrec_out_chapol_class *out;
681		} vtable;
682		#ifndef BR_DOXYGEN_IGNORE
683		uint64_t seq;
684		unsigned char key[32];
685		unsigned char iv[12];
686		br_chacha20_run ichacha;
687		br_poly1305_run ipoly;
688		#endif
689		} br_sslrec_chapol_context;
690
691		/**
692		* \brief Static, constant vtable for record decryption with ChaCha20+Poly1305.
693		*/
694		extern const br_sslrec_in_chapol_class br_sslrec_in_chapol_vtable;
695
696		/**
697		* \brief Static, constant vtable for record encryption with ChaCha20+Poly1305.
698		*/
699		extern const br_sslrec_out_chapol_class br_sslrec_out_chapol_vtable;
700
701		/* ===================================================================== */
702
703		/**
704		* \brief Record decryption engine class, for CCM mode.
705		*
706		* This class type extends the decryption engine class with an
707		* initialisation method that receives the parameters needed
708		* for CCM processing: block cipher implementation, block cipher key,
709		* and 4-byte IV.
710		*/
711		typedef struct br_sslrec_in_ccm_class_ br_sslrec_in_ccm_class;
712		struct br_sslrec_in_ccm_class_ {
713		/**
714		* \brief Superclass, as first vtable field.
715		*/
716		br_sslrec_in_class inner;
717
718		/**
719		* \brief Engine initialisation method.
720		*
721		* This method sets the vtable field in the context.
722		*
723		* \param ctx context to initialise.
724		* \param bc_impl block cipher implementation (CTR+CBC).
725		* \param key block cipher key.
726		* \param key_len block cipher key length (in bytes).
727		* \param iv static IV (4 bytes).
728		* \param tag_len tag length (in bytes)
729		*/
730		void (init)(const br_sslrec_in_ccm_class *ctx,
731		const br_block_ctrcbc_class *bc_impl,
732		const void *key, size_t key_len,
733		const void *iv, size_t tag_len);
734		};
735
736		/**
737		* \brief Record encryption engine class, for CCM mode.
738		*
739		* This class type extends the encryption engine class with an
740		* initialisation method that receives the parameters needed
741		* for CCM processing: block cipher implementation, block cipher key,
742		* and 4-byte IV.
743		*/
744		typedef struct br_sslrec_out_ccm_class_ br_sslrec_out_ccm_class;
745		struct br_sslrec_out_ccm_class_ {
746		/**
747		* \brief Superclass, as first vtable field.
748		*/
749		br_sslrec_out_class inner;
750
751		/**
752		* \brief Engine initialisation method.
753		*
754		* This method sets the vtable field in the context.
755		*
756		* \param ctx context to initialise.
757		* \param bc_impl block cipher implementation (CTR+CBC).
758		* \param key block cipher key.
759		* \param key_len block cipher key length (in bytes).
760		* \param iv static IV (4 bytes).
761		* \param tag_len tag length (in bytes)
762		*/
763		void (init)(const br_sslrec_out_ccm_class *ctx,
764		const br_block_ctrcbc_class *bc_impl,
765		const void *key, size_t key_len,
766		const void *iv, size_t tag_len);
767		};
768
769		/**
770		* \brief Context structure for processing records with CCM.
771		*
772		* The same context structure is used for encrypting and decrypting.
773		*
774		* The first field points to the vtable. The other fields are opaque
775		* and shall not be accessed directly.
776		*/
777		typedef struct {
778		/** \brief Pointer to vtable. */
779		union {
780		const void *gen;
781		const br_sslrec_in_ccm_class *in;
782		const br_sslrec_out_ccm_class *out;
783		} vtable;
784		#ifndef BR_DOXYGEN_IGNORE
785		uint64_t seq;
786		union {
787		const br_block_ctrcbc_class *vtable;
788		br_aes_gen_ctrcbc_keys aes;
789		} bc;
790		unsigned char iv[4];
791		size_t tag_len;
792		#endif
793		} br_sslrec_ccm_context;
794
795		/**
796		* \brief Static, constant vtable for record decryption with CCM.
797		*/
798		extern const br_sslrec_in_ccm_class br_sslrec_in_ccm_vtable;
799
800		/**
801		* \brief Static, constant vtable for record encryption with CCM.
802		*/
803		extern const br_sslrec_out_ccm_class br_sslrec_out_ccm_vtable;
804
805		/* ===================================================================== */
806
807		/**
808		* \brief Type for session parameters, to be saved for session resumption.
809		*/
810		typedef struct {
811		/** \brief Session ID buffer. */
812		unsigned char session_id[32];
813		/** \brief Session ID length (in bytes, at most 32). */
814		unsigned char session_id_len;
815		/** \brief Protocol version. */
816		uint16_t version;
817		/** \brief Cipher suite. */
818		uint16_t cipher_suite;
819		/** \brief Master secret. */
820		unsigned char master_secret[48];
821		} br_ssl_session_parameters;
822
823		#ifndef BR_DOXYGEN_IGNORE
824		/*
825		* Maximum number of cipher suites supported by a client or server.
826		*/
827		#define BR_MAX_CIPHER_SUITES 48
828		#endif
829
830		/**
831		* \brief Context structure for SSL engine.
832		*
833		* This strucuture is common to the client and server; both the client
834		* context (`br_ssl_client_context`) and the server context
835		* (`br_ssl_server_context`) include a `br_ssl_engine_context` as their
836		* first field.
837		*
838		* The engine context manages records, including alerts, closures, and
839		* transitions to new encryption/MAC algorithms. Processing of handshake
840		* records is delegated to externally provided code. This structure
841		* should not be used directly.
842		*
843		* Structure contents are opaque and shall not be accessed directly.
844		*/
845		typedef struct {
846		#ifndef BR_DOXYGEN_IGNORE
847		/*
848		* The error code. When non-zero, then the state is "failed" and
849		* no I/O may occur until reset.
850		*/
851		int err;
852
853		/*
854		* Configured I/O buffers. They are either disjoint, or identical.
855		*/
856		unsigned char ibuf, obuf;
857		size_t ibuf_len, obuf_len;
858
859		/*
860		* Maximum fragment length applies to outgoing records; incoming
861		* records can be processed as long as they fit in the input
862		* buffer. It is guaranteed that incoming records at least as big
863		* as max_frag_len can be processed.
864		*/
865		uint16_t max_frag_len;
866		unsigned char log_max_frag_len;
867		unsigned char peer_log_max_frag_len;
868
869		/*
870		* Buffering management registers.
871		*/
872		size_t ixa, ixb, ixc;
873		size_t oxa, oxb, oxc;
874		unsigned char iomode;
875		unsigned char incrypt;
876
877		/*
878		* Shutdown flag: when set to non-zero, incoming record bytes
879		* will not be accepted anymore. This is used after a close_notify
880		* has been received: afterwards, the engine no longer claims that
881		* it could receive bytes from the transport medium.
882		*/
883		unsigned char shutdown_recv;
884
885		/*
886		* 'record_type_in' is set to the incoming record type when the
887		* record header has been received.
888		* 'record_type_out' is used to make the next outgoing record
889		* header when it is ready to go.
890		*/
891		unsigned char record_type_in, record_type_out;
892
893		/*
894		* When a record is received, its version is extracted:
895		* -- if 'version_in' is 0, then it is set to the received version;
896		* -- otherwise, if the received version is not identical to
897		* the 'version_in' contents, then a failure is reported.
898		*
899		* This implements the SSL requirement that all records shall
900		* use the negotiated protocol version, once decided (in the
901		* ServerHello). It is up to the handshake handler to adjust this
902		* field when necessary.
903		*/
904		uint16_t version_in;
905
906		/*
907		* 'version_out' is used when the next outgoing record is ready
908		* to go.
909		*/
910		uint16_t version_out;
911
912		/*
913		* Record handler contexts.
914		*/
915		union {
916		const br_sslrec_in_class *vtable;
917		br_sslrec_in_cbc_context cbc;
918		br_sslrec_gcm_context gcm;
919		br_sslrec_chapol_context chapol;
920		br_sslrec_ccm_context ccm;
921		} in;
922		union {
923		const br_sslrec_out_class *vtable;
924		br_sslrec_out_clear_context clear;
925		br_sslrec_out_cbc_context cbc;
926		br_sslrec_gcm_context gcm;
927		br_sslrec_chapol_context chapol;
928		br_sslrec_ccm_context ccm;
929		} out;
930
931		/*
932		* The "application data" flag. Value:
933		* 0 handshake is in process, no application data acceptable
934		* 1 application data can be sent and received
935		* 2 closing, no application data can be sent, but some
936		* can still be received (and discarded)
937		*/
938		unsigned char application_data;
939
940		/*
941		* Context RNG.
942		*
943		* rng_init_done is initially 0. It is set to 1 when the
944		* basic structure of the RNG is set, and 2 when some
945		* entropy has been pushed in. The value 2 marks the RNG
946		* as "properly seeded".
947		*
948		* rng_os_rand_done is initially 0. It is set to 1 when
949		* some seeding from the OS or hardware has been attempted.
950		*/
951		br_hmac_drbg_context rng;
952		int rng_init_done;
953		int rng_os_rand_done;
954
955		/*
956		* Supported minimum and maximum versions, and cipher suites.
957		*/
958		uint16_t version_min;
959		uint16_t version_max;
960		uint16_t suites_buf[BR_MAX_CIPHER_SUITES];
961		unsigned char suites_num;
962
963		/*
964		* For clients, the server name to send as a SNI extension. For
965		* servers, the name received in the SNI extension (if any).
966		*/
967		char server_name[256];
968
969		/*
970		* "Security parameters". These are filled by the handshake
971		* handler, and used when switching encryption state.
972		*/
973		unsigned char client_random[32];
974		unsigned char server_random[32];
975		br_ssl_session_parameters session;
976
977		/*
978		* ECDHE elements: curve and point from the peer. The server also
979		* uses that buffer for the point to send to the client.
980		*/
981		unsigned char ecdhe_curve;
982		unsigned char ecdhe_point[133];
983		unsigned char ecdhe_point_len;
984
985		/*
986		* Secure renegotiation (RFC 5746): 'reneg' can be:
987		* 0 first handshake (server support is not known)
988		* 1 peer does not support secure renegotiation
989		* 2 peer supports secure renegotiation
990		*
991		* The saved_finished buffer contains the client and the
992		* server "Finished" values from the last handshake, in
993		* that order (12 bytes each).
994		*/
995		unsigned char reneg;
996		unsigned char saved_finished[24];
997
998		/*
999		* Behavioural flags.
1000		*/
1001		uint32_t flags;
1002
1003		/*
1004		* Context variables for the handshake processor. The 'pad' must
1005		* be large enough to accommodate an RSA-encrypted pre-master
1006		* secret, or an RSA signature; since we want to support up to
1007		* RSA-4096, this means at least 512 bytes. (Other pad usages
1008		* require its length to be at least 256.)
1009		*/
1010		struct {
1011		uint32_t *dp;
1012		uint32_t *rp;
1013		const unsigned char *ip;
1014		} cpu;
1015		uint32_t dp_stack[32];
1016		uint32_t rp_stack[32];
1017		unsigned char pad[512];
1018		unsigned char hbuf_in, hbuf_out, *saved_hbuf_out;
1019		size_t hlen_in, hlen_out;
1020		void (hsrun)(void ctx);
1021
1022		/*
1023		* The 'action' value communicates OOB information between the
1024		* engine and the handshake processor.
1025		*
1026		* From the engine:
1027		* 0 invocation triggered by I/O
1028		* 1 invocation triggered by explicit close
1029		* 2 invocation triggered by explicit renegotiation
1030		*/
1031		unsigned char action;
1032
1033		/*
1034		* State for alert messages. Value is either 0, or the value of
1035		* the alert level byte (level is either 1 for warning, or 2 for
1036		* fatal; we convert all other values to 'fatal').
1037		*/
1038		unsigned char alert;
1039
1040		/*
1041		* Closure flags. This flag is set when a close_notify has been
1042		* received from the peer.
1043		*/
1044		unsigned char close_received;
1045
1046		/*
1047		* Multi-hasher for the handshake messages. The handshake handler
1048		* is responsible for resetting it when appropriate.
1049		*/
1050		br_multihash_context mhash;
1051
1052		/*
1053		* Pointer to the X.509 engine. The engine is supposed to be
1054		* already initialized. It is used to validate the peer's
1055		* certificate.
1056		*/
1057		const br_x509_class **x509ctx;
1058
1059		/*
1060		* Certificate chain to send. This is used by both client and
1061		* server, when they send their respective Certificate messages.
1062		* If chain_len is 0, then chain may be NULL.
1063		*/
1064		const br_x509_certificate *chain;
1065		size_t chain_len;
1066		const unsigned char *cert_cur;
1067		size_t cert_len;
1068
1069		/*
1070		* List of supported protocol names (ALPN extension). If unset,
1071		* (number of names is 0), then:
1072		* - the client sends no ALPN extension;
1073		* - the server ignores any incoming ALPN extension.
1074		*
1075		* Otherwise:
1076		* - the client sends an ALPN extension with all the names;
1077		* - the server selects the first protocol in its list that
1078		* the client also supports, or fails (fatal alert 120)
1079		* if the client sends an ALPN extension and there is no
1080		* match.
1081		*
1082		* The 'selected_protocol' field contains 1+n if the matching
1083		* name has index n in the list (the value is 0 if no match was
1084		* performed, e.g. the peer did not send an ALPN extension).
1085		*/
1086		const char **protocol_names;
1087		uint16_t protocol_names_num;
1088		uint16_t selected_protocol;
1089
1090		/*
1091		* Pointers to implementations; left to NULL for unsupported
1092		* functions. For the raw hash functions, implementations are
1093		* referenced from the multihasher (mhash field).
1094		*/
1095		br_tls_prf_impl prf10;
1096		br_tls_prf_impl prf_sha256;
1097		br_tls_prf_impl prf_sha384;
1098		const br_block_cbcenc_class *iaes_cbcenc;
1099		const br_block_cbcdec_class *iaes_cbcdec;
1100		const br_block_ctr_class *iaes_ctr;
1101		const br_block_ctrcbc_class *iaes_ctrcbc;
1102		const br_block_cbcenc_class *ides_cbcenc;
1103		const br_block_cbcdec_class *ides_cbcdec;
1104		br_ghash ighash;
1105		br_chacha20_run ichacha;
1106		br_poly1305_run ipoly;
1107		const br_sslrec_in_cbc_class *icbc_in;
1108		const br_sslrec_out_cbc_class *icbc_out;
1109		const br_sslrec_in_gcm_class *igcm_in;
1110		const br_sslrec_out_gcm_class *igcm_out;
1111		const br_sslrec_in_chapol_class *ichapol_in;
1112		const br_sslrec_out_chapol_class *ichapol_out;
1113		const br_sslrec_in_ccm_class *iccm_in;
1114		const br_sslrec_out_ccm_class *iccm_out;
1115		const br_ec_impl *iec;
1116		br_rsa_pkcs1_vrfy irsavrfy;
1117		br_ecdsa_vrfy iecdsa;
1118		#endif
1119		} br_ssl_engine_context;
1120
1121		/**
1122		* \brief Get currently defined engine behavioural flags.
1123		*
1124		* \param cc SSL engine context.
1125		* \return the flags.
1126		*/
1127		static inline uint32_t
1128		br_ssl_engine_get_flags(br_ssl_engine_context *cc)
1129		{
1130		return cc->flags;
1131		}
1132
1133		/**
1134		* \brief Set all engine behavioural flags.
1135		*
1136		* \param cc SSL engine context.
1137		* \param flags new value for all flags.
1138		*/
1139		static inline void
1140		br_ssl_engine_set_all_flags(br_ssl_engine_context *cc, uint32_t flags)
1141		{
1142		cc->flags = flags;
1143		}
1144
1145		/**
1146		* \brief Set some engine behavioural flags.
1147		*
1148		* The flags set in the `flags` parameter are set in the context; other
1149		* flags are untouched.
1150		*
1151		* \param cc SSL engine context.
1152		* \param flags additional set flags.
1153		*/
1154		static inline void
1155		br_ssl_engine_add_flags(br_ssl_engine_context *cc, uint32_t flags)
1156		{
1157		cc->flags \|= flags;
1158		}
1159
1160		/**
1161		* \brief Clear some engine behavioural flags.
1162		*
1163		* The flags set in the `flags` parameter are cleared from the context; other
1164		* flags are untouched.
1165		*
1166		* \param cc SSL engine context.
1167		* \param flags flags to remove.
1168		*/
1169		static inline void
1170		br_ssl_engine_remove_flags(br_ssl_engine_context *cc, uint32_t flags)
1171		{
1172		cc->flags &= ~flags;
1173		}
1174
1175		/**
1176		* \brief Behavioural flag: enforce server preferences.
1177		*
1178		* If this flag is set, then the server will enforce its own cipher suite
1179		* preference order; otherwise, it follows the client preferences.
1180		*/
1181		#define BR_OPT_ENFORCE_SERVER_PREFERENCES ((uint32_t)1 << 0)
1182
1183		/**
1184		* \brief Behavioural flag: disable renegotiation.
1185		*
1186		* If this flag is set, then renegotiations are rejected unconditionally:
1187		* they won't be honoured if asked for programmatically, and requests from
1188		* the peer are rejected.
1189		*/
1190		#define BR_OPT_NO_RENEGOTIATION ((uint32_t)1 << 1)
1191
1192		/**
1193		* \brief Behavioural flag: tolerate lack of client authentication.
1194		*
1195		* If this flag is set in a server and the server requests a client
1196		* certificate, but the authentication fails (the client does not send
1197		* a certificate, or the client's certificate chain cannot be validated),
1198		* then the connection keeps on. Without this flag, a failed client
1199		* authentication terminates the connection.
1200		*
1201		* Notes:
1202		*
1203		* - If the client's certificate can be validated and its public key is
1204		* supported, then a wrong signature value terminates the connection
1205		* regardless of that flag.
1206		*
1207		* - If using full-static ECDH, then a failure to validate the client's
1208		* certificate prevents the handshake from succeeding.
1209		*/
1210		#define BR_OPT_TOLERATE_NO_CLIENT_AUTH ((uint32_t)1 << 2)
1211
1212		/**
1213		* \brief Behavioural flag: fail on application protocol mismatch.
1214		*
1215		* The ALPN extension ([RFC 7301](https://tools.ietf.org/html/rfc7301))
1216		* allows the client to send a list of application protocol names, and
1217		* the server to select one. A mismatch is one of the following occurrences:
1218		*
1219		* - On the client: the client sends a list of names, the server
1220		* responds with a protocol name which is _not_ part of the list of
1221		* names sent by the client.
1222		*
1223		* - On the server: the client sends a list of names, and the server
1224		* is also configured with a list of names, but there is no common
1225		* protocol name between the two lists.
1226		*
1227		* Normal behaviour in case of mismatch is to report no matching name
1228		* (`br_ssl_engine_get_selected_protocol()` returns `NULL`) and carry on.
1229		* If the flag is set, then a mismatch implies a protocol failure (if
1230		* the mismatch is detected by the server, it will send a fatal alert).
1231		*
1232		* Note: even with this flag, `br_ssl_engine_get_selected_protocol()`
1233		* may still return `NULL` if the client or the server does not send an
1234		* ALPN extension at all.
1235		*/
1236		#define BR_OPT_FAIL_ON_ALPN_MISMATCH ((uint32_t)1 << 3)
1237
1238		/**
1239		* \brief Set the minimum and maximum supported protocol versions.
1240		*
1241		* The two provided versions MUST be supported by the implementation
1242		* (i.e. TLS 1.0, 1.1 and 1.2), and `version_max` MUST NOT be lower
1243		* than `version_min`.
1244		*
1245		* \param cc SSL engine context.
1246		* \param version_min minimum supported TLS version.
1247		* \param version_max maximum supported TLS version.
1248		*/
1249		static inline void
1250	0	br_ssl_engine_set_versions(br_ssl_engine_context *cc,
1251		unsigned version_min, unsigned version_max)
1252		{
1253	0	cc->version_min = (uint16_t)version_min;
1254	0	cc->version_max = (uint16_t)version_max;
1255	0	}
1256
1257		/**
1258		* \brief Set the list of cipher suites advertised by this context.
1259		*
1260		* The provided array is copied into the context. It is the caller
1261		* responsibility to ensure that all provided suites will be supported
1262		* by the context. The engine context has enough room to receive _all_
1263		* suites supported by the implementation. The provided array MUST NOT
1264		* contain duplicates.
1265		*
1266		* If the engine is for a client, the "signaling" pseudo-cipher suite
1267		* `TLS_FALLBACK_SCSV` can be added at the end of the list, if the
1268		* calling application is performing a voluntary downgrade (voluntary
1269		* downgrades are not recommended, but if such a downgrade is done, then
1270		* adding the fallback pseudo-suite is a good idea).
1271		*
1272		* \param cc SSL engine context.
1273		* \param suites cipher suites.
1274		* \param suites_num number of cipher suites.
1275		*/
1276		void br_ssl_engine_set_suites(br_ssl_engine_context *cc,
1277		const uint16_t *suites, size_t suites_num);
1278
1279		/**
1280		* \brief Set the X.509 engine.
1281		*
1282		* The caller shall ensure that the X.509 engine is properly initialised.
1283		*
1284		* \param cc SSL engine context.
1285		* \param x509ctx X.509 certificate validation context.
1286		*/
1287		static inline void
1288	0	br_ssl_engine_set_x509(br_ssl_engine_context cc, const br_x509_class *x509ctx)
1289		{
1290	0	cc->x509ctx = x509ctx;
1291	0	}
1292
1293		/**
1294		* \brief Set the supported protocol names.
1295		*
1296		* Protocol names are part of the ALPN extension ([RFC
1297		* 7301](https://tools.ietf.org/html/rfc7301)). Each protocol name is a
1298		* character string, containing no more than 255 characters (256 with the
1299		* terminating zero). When names are set, then:
1300		*
1301		* - The client will send an ALPN extension, containing the names. If
1302		* the server responds with an ALPN extension, the client will verify
1303		* that the response contains one of its name, and report that name
1304		* through `br_ssl_engine_get_selected_protocol()`.
1305		*
1306		* - The server will parse incoming ALPN extension (from clients), and
1307		* try to find a common protocol; if none is found, the connection
1308		* is aborted with a fatal alert. On match, a response ALPN extension
1309		* is sent, and name is reported through
1310		* `br_ssl_engine_get_selected_protocol()`.
1311		*
1312		* The provided array is linked in, and must remain valid while the
1313		* connection is live.
1314		*
1315		* Names MUST NOT be empty. Names MUST NOT be longer than 255 characters
1316		* (excluding the terminating 0).
1317		*
1318		* \param ctx SSL engine context.
1319		* \param names list of protocol names (zero-terminated).
1320		* \param num number of protocol names (MUST be 1 or more).
1321		*/
1322		static inline void
1323		br_ssl_engine_set_protocol_names(br_ssl_engine_context *ctx,
1324		const char **names, size_t num)
1325		{
1326		ctx->protocol_names = names;
1327		ctx->protocol_names_num = (uint16_t)num;
1328		}
1329
1330		/**
1331		* \brief Get the selected protocol.
1332		*
1333		* If this context was initialised with a non-empty list of protocol
1334		* names, and both client and server sent ALPN extensions during the
1335		* handshake, and a common name was found, then that name is returned.
1336		* Otherwise, `NULL` is returned.
1337		*
1338		* The returned pointer is one of the pointers provided to the context
1339		* with `br_ssl_engine_set_protocol_names()`.
1340		*
1341		* \return the selected protocol, or `NULL`.
1342		*/
1343		static inline const char *
1344		br_ssl_engine_get_selected_protocol(br_ssl_engine_context *ctx)
1345		{
1346		unsigned k;
1347
1348		k = ctx->selected_protocol;
1349		return (k == 0 \|\| k == 0xFFFF) ? NULL : ctx->protocol_names[k - 1];
1350		}
1351
1352		/**
1353		* \brief Set a hash function implementation (by ID).
1354		*
1355		* Hash functions set with this call will be used for SSL/TLS specific
1356		* usages, not X.509 certificate validation. Only "standard" hash functions
1357		* may be set (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). If `impl`
1358		* is `NULL`, then the hash function support is removed, not added.
1359		*
1360		* \param ctx SSL engine context.
1361		* \param id hash function identifier.
1362		* \param impl hash function implementation (or `NULL`).
1363		*/
1364		static inline void
1365		br_ssl_engine_set_hash(br_ssl_engine_context *ctx,
1366		int id, const br_hash_class *impl)
1367		{
1368		br_multihash_setimpl(&ctx->mhash, id, impl);
1369		}
1370
1371		/**
1372		* \brief Get a hash function implementation (by ID).
1373		*
1374		* This function retrieves a hash function implementation which was
1375		* set with `br_ssl_engine_set_hash()`.
1376		*
1377		* \param ctx SSL engine context.
1378		* \param id hash function identifier.
1379		* \return the hash function implementation (or `NULL`).
1380		*/
1381		static inline const br_hash_class *
1382		br_ssl_engine_get_hash(br_ssl_engine_context *ctx, int id)
1383		{
1384		return br_multihash_getimpl(&ctx->mhash, id);
1385		}
1386
1387		/**
1388		* \brief Set the PRF implementation (for TLS 1.0 and 1.1).
1389		*
1390		* This function sets (or removes, if `impl` is `NULL`) the implementation
1391		* for the PRF used in TLS 1.0 and 1.1.
1392		*
1393		* \param cc SSL engine context.
1394		* \param impl PRF implementation (or `NULL`).
1395		*/
1396		static inline void
1397		br_ssl_engine_set_prf10(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1398		{
1399		cc->prf10 = impl;
1400		}
1401
1402		/**
1403		* \brief Set the PRF implementation with SHA-256 (for TLS 1.2).
1404		*
1405		* This function sets (or removes, if `impl` is `NULL`) the implementation
1406		* for the SHA-256 variant of the PRF used in TLS 1.2.
1407		*
1408		* \param cc SSL engine context.
1409		* \param impl PRF implementation (or `NULL`).
1410		*/
1411		static inline void
1412		br_ssl_engine_set_prf_sha256(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1413		{
1414		cc->prf_sha256 = impl;
1415		}
1416
1417		/**
1418		* \brief Set the PRF implementation with SHA-384 (for TLS 1.2).
1419		*
1420		* This function sets (or removes, if `impl` is `NULL`) the implementation
1421		* for the SHA-384 variant of the PRF used in TLS 1.2.
1422		*
1423		* \param cc SSL engine context.
1424		* \param impl PRF implementation (or `NULL`).
1425		*/
1426		static inline void
1427		br_ssl_engine_set_prf_sha384(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1428		{
1429		cc->prf_sha384 = impl;
1430		}
1431
1432		/**
1433		* \brief Set the AES/CBC implementations.
1434		*
1435		* \param cc SSL engine context.
1436		* \param impl_enc AES/CBC encryption implementation (or `NULL`).
1437		* \param impl_dec AES/CBC decryption implementation (or `NULL`).
1438		*/
1439		static inline void
1440		br_ssl_engine_set_aes_cbc(br_ssl_engine_context *cc,
1441		const br_block_cbcenc_class *impl_enc,
1442		const br_block_cbcdec_class *impl_dec)
1443		{
1444		cc->iaes_cbcenc = impl_enc;
1445		cc->iaes_cbcdec = impl_dec;
1446		}
1447
1448		/**
1449		* \brief Set the "default" AES/CBC implementations.
1450		*
1451		* This function configures in the engine the AES implementations that
1452		* should provide best runtime performance on the local system, while
1453		* still being safe (in particular, constant-time). It also sets the
1454		* handlers for CBC records.
1455		*
1456		* \param cc SSL engine context.
1457		*/
1458		void br_ssl_engine_set_default_aes_cbc(br_ssl_engine_context *cc);
1459
1460		/**
1461		* \brief Set the AES/CTR implementation.
1462		*
1463		* \param cc SSL engine context.
1464		* \param impl AES/CTR encryption/decryption implementation (or `NULL`).
1465		*/
1466		static inline void
1467		br_ssl_engine_set_aes_ctr(br_ssl_engine_context *cc,
1468		const br_block_ctr_class *impl)
1469		{
1470		cc->iaes_ctr = impl;
1471		}
1472
1473		/**
1474		* \brief Set the "default" implementations for AES/GCM (AES/CTR + GHASH).
1475		*
1476		* This function configures in the engine the AES/CTR and GHASH
1477		* implementation that should provide best runtime performance on the local
1478		* system, while still being safe (in particular, constant-time). It also
1479		* sets the handlers for GCM records.
1480		*
1481		* \param cc SSL engine context.
1482		*/
1483		void br_ssl_engine_set_default_aes_gcm(br_ssl_engine_context *cc);
1484
1485		/**
1486		* \brief Set the DES/CBC implementations.
1487		*
1488		* \param cc SSL engine context.
1489		* \param impl_enc DES/CBC encryption implementation (or `NULL`).
1490		* \param impl_dec DES/CBC decryption implementation (or `NULL`).
1491		*/
1492		static inline void
1493		br_ssl_engine_set_des_cbc(br_ssl_engine_context *cc,
1494		const br_block_cbcenc_class *impl_enc,
1495		const br_block_cbcdec_class *impl_dec)
1496		{
1497		cc->ides_cbcenc = impl_enc;
1498		cc->ides_cbcdec = impl_dec;
1499		}
1500
1501		/**
1502		* \brief Set the "default" DES/CBC implementations.
1503		*
1504		* This function configures in the engine the DES implementations that
1505		* should provide best runtime performance on the local system, while
1506		* still being safe (in particular, constant-time). It also sets the
1507		* handlers for CBC records.
1508		*
1509		* \param cc SSL engine context.
1510		*/
1511		void br_ssl_engine_set_default_des_cbc(br_ssl_engine_context *cc);
1512
1513		/**
1514		* \brief Set the GHASH implementation (used in GCM mode).
1515		*
1516		* \param cc SSL engine context.
1517		* \param impl GHASH implementation (or `NULL`).
1518		*/
1519		static inline void
1520		br_ssl_engine_set_ghash(br_ssl_engine_context *cc, br_ghash impl)
1521		{
1522		cc->ighash = impl;
1523		}
1524
1525		/**
1526		* \brief Set the ChaCha20 implementation.
1527		*
1528		* \param cc SSL engine context.
1529		* \param ichacha ChaCha20 implementation (or `NULL`).
1530		*/
1531		static inline void
1532		br_ssl_engine_set_chacha20(br_ssl_engine_context *cc,
1533		br_chacha20_run ichacha)
1534		{
1535		cc->ichacha = ichacha;
1536		}
1537
1538		/**
1539		* \brief Set the Poly1305 implementation.
1540		*
1541		* \param cc SSL engine context.
1542		* \param ipoly Poly1305 implementation (or `NULL`).
1543		*/
1544		static inline void
1545		br_ssl_engine_set_poly1305(br_ssl_engine_context *cc,
1546		br_poly1305_run ipoly)
1547		{
1548		cc->ipoly = ipoly;
1549		}
1550
1551		/**
1552		* \brief Set the "default" ChaCha20 and Poly1305 implementations.
1553		*
1554		* This function configures in the engine the ChaCha20 and Poly1305
1555		* implementations that should provide best runtime performance on the
1556		* local system, while still being safe (in particular, constant-time).
1557		* It also sets the handlers for ChaCha20+Poly1305 records.
1558		*
1559		* \param cc SSL engine context.
1560		*/
1561		void br_ssl_engine_set_default_chapol(br_ssl_engine_context *cc);
1562
1563		/**
1564		* \brief Set the AES/CTR+CBC implementation.
1565		*
1566		* \param cc SSL engine context.
1567		* \param impl AES/CTR+CBC encryption/decryption implementation (or `NULL`).
1568		*/
1569		static inline void
1570		br_ssl_engine_set_aes_ctrcbc(br_ssl_engine_context *cc,
1571		const br_block_ctrcbc_class *impl)
1572		{
1573		cc->iaes_ctrcbc = impl;
1574		}
1575
1576		/**
1577		* \brief Set the "default" implementations for AES/CCM.
1578		*
1579		* This function configures in the engine the AES/CTR+CBC
1580		* implementation that should provide best runtime performance on the local
1581		* system, while still being safe (in particular, constant-time). It also
1582		* sets the handlers for CCM records.
1583		*
1584		* \param cc SSL engine context.
1585		*/
1586		void br_ssl_engine_set_default_aes_ccm(br_ssl_engine_context *cc);
1587
1588		/**
1589		* \brief Set the record encryption and decryption engines for CBC + HMAC.
1590		*
1591		* \param cc SSL engine context.
1592		* \param impl_in record CBC decryption implementation (or `NULL`).
1593		* \param impl_out record CBC encryption implementation (or `NULL`).
1594		*/
1595		static inline void
1596		br_ssl_engine_set_cbc(br_ssl_engine_context *cc,
1597		const br_sslrec_in_cbc_class *impl_in,
1598		const br_sslrec_out_cbc_class *impl_out)
1599		{
1600		cc->icbc_in = impl_in;
1601		cc->icbc_out = impl_out;
1602		}
1603
1604		/**
1605		* \brief Set the record encryption and decryption engines for GCM.
1606		*
1607		* \param cc SSL engine context.
1608		* \param impl_in record GCM decryption implementation (or `NULL`).
1609		* \param impl_out record GCM encryption implementation (or `NULL`).
1610		*/
1611		static inline void
1612		br_ssl_engine_set_gcm(br_ssl_engine_context *cc,
1613		const br_sslrec_in_gcm_class *impl_in,
1614		const br_sslrec_out_gcm_class *impl_out)
1615		{
1616		cc->igcm_in = impl_in;
1617		cc->igcm_out = impl_out;
1618		}
1619
1620		/**
1621		* \brief Set the record encryption and decryption engines for CCM.
1622		*
1623		* \param cc SSL engine context.
1624		* \param impl_in record CCM decryption implementation (or `NULL`).
1625		* \param impl_out record CCM encryption implementation (or `NULL`).
1626		*/
1627		static inline void
1628		br_ssl_engine_set_ccm(br_ssl_engine_context *cc,
1629		const br_sslrec_in_ccm_class *impl_in,
1630		const br_sslrec_out_ccm_class *impl_out)
1631		{
1632		cc->iccm_in = impl_in;
1633		cc->iccm_out = impl_out;
1634		}
1635
1636		/**
1637		* \brief Set the record encryption and decryption engines for
1638		* ChaCha20+Poly1305.
1639		*
1640		* \param cc SSL engine context.
1641		* \param impl_in record ChaCha20 decryption implementation (or `NULL`).
1642		* \param impl_out record ChaCha20 encryption implementation (or `NULL`).
1643		*/
1644		static inline void
1645		br_ssl_engine_set_chapol(br_ssl_engine_context *cc,
1646		const br_sslrec_in_chapol_class *impl_in,
1647		const br_sslrec_out_chapol_class *impl_out)
1648		{
1649		cc->ichapol_in = impl_in;
1650		cc->ichapol_out = impl_out;
1651		}
1652
1653		/**
1654		* \brief Set the EC implementation.
1655		*
1656		* The elliptic curve implementation will be used for ECDH and ECDHE
1657		* cipher suites, and for ECDSA support.
1658		*
1659		* \param cc SSL engine context.
1660		* \param iec EC implementation (or `NULL`).
1661		*/
1662		static inline void
1663		br_ssl_engine_set_ec(br_ssl_engine_context cc, const br_ec_impl iec)
1664		{
1665		cc->iec = iec;
1666		}
1667
1668		/**
1669		* \brief Set the "default" EC implementation.
1670		*
1671		* This function sets the elliptic curve implementation for ECDH and
1672		* ECDHE cipher suites, and for ECDSA support. It selects the fastest
1673		* implementation on the current system.
1674		*
1675		* \param cc SSL engine context.
1676		*/
1677		void br_ssl_engine_set_default_ec(br_ssl_engine_context *cc);
1678
1679		/**
1680		* \brief Get the EC implementation configured in the provided engine.
1681		*
1682		* \param cc SSL engine context.
1683		* \return the EC implementation.
1684		*/
1685		static inline const br_ec_impl *
1686		br_ssl_engine_get_ec(br_ssl_engine_context *cc)
1687		{
1688		return cc->iec;
1689		}
1690
1691		/**
1692		* \brief Set the RSA signature verification implementation.
1693		*
1694		* On the client, this is used to verify the server's signature on its
1695		* ServerKeyExchange message (for ECDHE_RSA cipher suites). On the server,
1696		* this is used to verify the client's CertificateVerify message (if a
1697		* client certificate is requested, and that certificate contains a RSA key).
1698		*
1699		* \param cc SSL engine context.
1700		* \param irsavrfy RSA signature verification implementation.
1701		*/
1702		static inline void
1703		br_ssl_engine_set_rsavrfy(br_ssl_engine_context *cc, br_rsa_pkcs1_vrfy irsavrfy)
1704		{
1705		cc->irsavrfy = irsavrfy;
1706		}
1707
1708		/**
1709		* \brief Set the "default" RSA implementation (signature verification).
1710		*
1711		* This function sets the RSA implementation (signature verification)
1712		* to the fastest implementation available on the current platform.
1713		*
1714		* \param cc SSL engine context.
1715		*/
1716		void br_ssl_engine_set_default_rsavrfy(br_ssl_engine_context *cc);
1717
1718		/**
1719		* \brief Get the RSA implementation (signature verification) configured
1720		* in the provided engine.
1721		*
1722		* \param cc SSL engine context.
1723		* \return the RSA signature verification implementation.
1724		*/
1725		static inline br_rsa_pkcs1_vrfy
1726		br_ssl_engine_get_rsavrfy(br_ssl_engine_context *cc)
1727		{
1728		return cc->irsavrfy;
1729		}
1730
1731		/*
1732		* \brief Set the ECDSA implementation (signature verification).
1733		*
1734		* On the client, this is used to verify the server's signature on its
1735		* ServerKeyExchange message (for ECDHE_ECDSA cipher suites). On the server,
1736		* this is used to verify the client's CertificateVerify message (if a
1737		* client certificate is requested, that certificate contains an EC key,
1738		* and full-static ECDH is not used).
1739		*
1740		* The ECDSA implementation will use the EC core implementation configured
1741		* in the engine context.
1742		*
1743		* \param cc client context.
1744		* \param iecdsa ECDSA verification implementation.
1745		*/
1746		static inline void
1747		br_ssl_engine_set_ecdsa(br_ssl_engine_context *cc, br_ecdsa_vrfy iecdsa)
1748		{
1749		cc->iecdsa = iecdsa;
1750		}
1751
1752		/**
1753		* \brief Set the "default" ECDSA implementation (signature verification).
1754		*
1755		* This function sets the ECDSA implementation (signature verification)
1756		* to the fastest implementation available on the current platform. This
1757		* call also sets the elliptic curve implementation itself, there again
1758		* to the fastest EC implementation available.
1759		*
1760		* \param cc SSL engine context.
1761		*/
1762		void br_ssl_engine_set_default_ecdsa(br_ssl_engine_context *cc);
1763
1764		/**
1765		* \brief Get the ECDSA implementation (signature verification) configured
1766		* in the provided engine.
1767		*
1768		* \param cc SSL engine context.
1769		* \return the ECDSA signature verification implementation.
1770		*/
1771		static inline br_ecdsa_vrfy
1772		br_ssl_engine_get_ecdsa(br_ssl_engine_context *cc)
1773		{
1774		return cc->iecdsa;
1775		}
1776
1777		/**
1778		* \brief Set the I/O buffer for the SSL engine.
1779		*
1780		* Once this call has been made, `br_ssl_client_reset()` or
1781		* `br_ssl_server_reset()` MUST be called before using the context.
1782		*
1783		* The provided buffer will be used as long as the engine context is
1784		* used. The caller is responsible for keeping it available.
1785		*
1786		* If `bidi` is 0, then the engine will operate in half-duplex mode
1787		* (it won't be able to send data while there is unprocessed incoming
1788		* data in the buffer, and it won't be able to receive data while there
1789		* is unsent data in the buffer). The optimal buffer size in half-duplex
1790		* mode is `BR_SSL_BUFSIZE_MONO`; if the buffer is larger, then extra
1791		* bytes are ignored. If the buffer is smaller, then this limits the
1792		* capacity of the engine to support all allowed record sizes.
1793		*
1794		* If `bidi` is 1, then the engine will split the buffer into two
1795		* parts, for separate handling of outgoing and incoming data. This
1796		* enables full-duplex processing, but requires more RAM. The optimal
1797		* buffer size in full-duplex mode is `BR_SSL_BUFSIZE_BIDI`; if the
1798		* buffer is larger, then extra bytes are ignored. If the buffer is
1799		* smaller, then the split will favour the incoming part, so that
1800		* interoperability is maximised.
1801		*
1802		* \param cc SSL engine context
1803		* \param iobuf I/O buffer.
1804		* \param iobuf_len I/O buffer length (in bytes).
1805		* \param bidi non-zero for full-duplex mode.
1806		*/
1807		void br_ssl_engine_set_buffer(br_ssl_engine_context *cc,
1808		void *iobuf, size_t iobuf_len, int bidi);
1809
1810		/**
1811		* \brief Set the I/O buffers for the SSL engine.
1812		*
1813		* Once this call has been made, `br_ssl_client_reset()` or
1814		* `br_ssl_server_reset()` MUST be called before using the context.
1815		*
1816		* This function is similar to `br_ssl_engine_set_buffer()`, except
1817		* that it enforces full-duplex mode, and the two I/O buffers are
1818		* provided as separate chunks.
1819		*
1820		* The macros `BR_SSL_BUFSIZE_INPUT` and `BR_SSL_BUFSIZE_OUTPUT`
1821		* evaluate to the optimal (maximum) sizes for the input and output
1822		* buffer, respectively.
1823		*
1824		* \param cc SSL engine context
1825		* \param ibuf input buffer.
1826		* \param ibuf_len input buffer length (in bytes).
1827		* \param obuf output buffer.
1828		* \param obuf_len output buffer length (in bytes).
1829		*/
1830		void br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *cc,
1831		void ibuf, size_t ibuf_len, void obuf, size_t obuf_len);
1832
1833		/**
1834		* \brief Inject some "initial entropy" in the context.
1835		*
1836		* This entropy will be added to what can be obtained from the
1837		* underlying operating system, if that OS is supported.
1838		*
1839		* This function may be called several times; all injected entropy chunks
1840		* are cumulatively mixed.
1841		*
1842		* If entropy gathering from the OS is supported and compiled in, then this
1843		* step is optional. Otherwise, it is mandatory to inject randomness, and
1844		* the caller MUST take care to push (as one or several successive calls)
1845		* enough entropy to achieve cryptographic resistance (at least 80 bits,
1846		* preferably 128 or more). The engine will report an error if no entropy
1847		* was provided and none can be obtained from the OS.
1848		*
1849		* Take care that this function cannot assess the cryptographic quality of
1850		* the provided bytes.
1851		*
1852		* In all generality, "entropy" must here be considered to mean "that
1853		* which the attacker cannot predict". If your OS/architecture does not
1854		* have a suitable source of randomness, then you can make do with the
1855		* combination of a large enough secret value (possibly a copy of an
1856		* asymmetric private key that you also store on the system) AND a
1857		* non-repeating value (e.g. current time, provided that the local clock
1858		* cannot be reset or altered by the attacker).
1859		*
1860		* \param cc SSL engine context.
1861		* \param data extra entropy to inject.
1862		* \param len length of the extra data (in bytes).
1863		*/
1864		void br_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
1865		const void *data, size_t len);
1866
1867		/**
1868		* \brief Get the "server name" in this engine.
1869		*
1870		* For clients, this is the name provided with `br_ssl_client_reset()`;
1871		* for servers, this is the name received from the client as part of the
1872		* ClientHello message. If there is no such name (e.g. the client did
1873		* not send an SNI extension) then the returned string is empty
1874		* (returned pointer points to a byte of value 0).
1875		*
1876		* The returned pointer refers to a buffer inside the context, which may
1877		* be overwritten as part of normal SSL activity (even within the same
1878		* connection, if a renegotiation occurs).
1879		*
1880		* \param cc SSL engine context.
1881		* \return the server name (possibly empty).
1882		*/
1883		static inline const char *
1884	0	br_ssl_engine_get_server_name(const br_ssl_engine_context *cc)
1885		{
1886	0	return cc->server_name;
1887		}
1888
1889		/**
1890		* \brief Get the protocol version.
1891		*
1892		* This function returns the protocol version that is used by the
1893		* engine. That value is set after sending (for a server) or receiving
1894		* (for a client) the ServerHello message.
1895		*
1896		* \param cc SSL engine context.
1897		* \return the protocol version.
1898		*/
1899		static inline unsigned
1900	0	br_ssl_engine_get_version(const br_ssl_engine_context *cc)
1901		{
1902	0	return cc->session.version;
1903		}
1904
1905		/**
1906		* \brief Get a copy of the session parameters.
1907		*
1908		* The session parameters are filled during the handshake, so this
1909		* function shall not be called before completion of the handshake.
1910		* The initial handshake is completed when the context first allows
1911		* application data to be injected.
1912		*
1913		* This function copies the current session parameters into the provided
1914		* structure. Beware that the session parameters include the master
1915		* secret, which is sensitive data, to handle with great care.
1916		*
1917		* \param cc SSL engine context.
1918		* \param pp destination structure for the session parameters.
1919		*/
1920		static inline void
1921	0	br_ssl_engine_get_session_parameters(const br_ssl_engine_context *cc,
1922		br_ssl_session_parameters *pp)
1923		{
1924	0	memcpy(pp, &cc->session, sizeof *pp);
1925	0	}
1926
1927		/**
1928		* \brief Set the session parameters to the provided values.
1929		*
1930		* This function is meant to be used in the client, before doing a new
1931		* handshake; a session resumption will be attempted with these
1932		* parameters. In the server, this function has no effect.
1933		*
1934		* \param cc SSL engine context.
1935		* \param pp source structure for the session parameters.
1936		*/
1937		static inline void
1938	0	br_ssl_engine_set_session_parameters(br_ssl_engine_context *cc,
1939		const br_ssl_session_parameters *pp)
1940		{
1941	0	memcpy(&cc->session, pp, sizeof *pp);
1942	0	}
1943
1944		/**
1945		* \brief Get identifier for the curve used for key exchange.
1946		*
1947		* If the cipher suite uses ECDHE, then this function returns the
1948		* identifier for the curve used for transient parameters. This is
1949		* defined during the course of the handshake, when the ServerKeyExchange
1950		* is sent (on the server) or received (on the client). If the
1951		* cipher suite does not use ECDHE (e.g. static ECDH, or RSA key
1952		* exchange), then this value is indeterminate.
1953		*
1954		* @param cc SSL engine context.
1955		* @return the ECDHE curve identifier.
1956		*/
1957		static inline int
1958	0	br_ssl_engine_get_ecdhe_curve(br_ssl_engine_context *cc)
1959		{
1960	0	return cc->ecdhe_curve;
1961		}
1962
1963		/**
1964		* \brief Get the current engine state.
1965		*
1966		* An SSL engine (client or server) has, at any time, a state which is
1967		* the combination of zero, one or more of these flags:
1968		*
1969		* - `BR_SSL_CLOSED`
1970		*
1971		* Engine is finished, no more I/O (until next reset).
1972		*
1973		* - `BR_SSL_SENDREC`
1974		*
1975		* Engine has some bytes to send to the peer.
1976		*
1977		* - `BR_SSL_RECVREC`
1978		*
1979		* Engine expects some bytes from the peer.
1980		*
1981		* - `BR_SSL_SENDAPP`
1982		*
1983		* Engine may receive application data to send (or flush).
1984		*
1985		* - `BR_SSL_RECVAPP`
1986		*
1987		* Engine has obtained some application data from the peer,
1988		* that should be read by the caller.
1989		*
1990		* If no flag at all is set (state value is 0), then the engine is not
1991		* fully initialised yet.
1992		*
1993		* The `BR_SSL_CLOSED` flag is exclusive; when it is set, no other flag
1994		* is set. To distinguish between a normal closure and an error, use
1995		* `br_ssl_engine_last_error()`.
1996		*
1997		* Generally speaking, `BR_SSL_SENDREC` and `BR_SSL_SENDAPP` are mutually
1998		* exclusive: the input buffer, at any point, either accumulates
1999		* plaintext data, or contains an assembled record that is being sent.
2000		* Similarly, `BR_SSL_RECVREC` and `BR_SSL_RECVAPP` are mutually exclusive.
2001		* This may change in a future library version.
2002		*
2003		* \param cc SSL engine context.
2004		* \return the current engine state.
2005		*/
2006		unsigned br_ssl_engine_current_state(const br_ssl_engine_context *cc);
2007
2008		/** \brief SSL engine state: closed or failed. */
2009		#define BR_SSL_CLOSED 0x0001
2010		/** \brief SSL engine state: record data is ready to be sent to the peer. */
2011		#define BR_SSL_SENDREC 0x0002
2012		/** \brief SSL engine state: engine may receive records from the peer. */
2013		#define BR_SSL_RECVREC 0x0004
2014		/** \brief SSL engine state: engine may accept application data to send. */
2015		#define BR_SSL_SENDAPP 0x0008
2016		/** \brief SSL engine state: engine has received application data. */
2017		#define BR_SSL_RECVAPP 0x0010
2018
2019		/**
2020		* \brief Get the engine error indicator.
2021		*
2022		* The error indicator is `BR_ERR_OK` (0) if no error was encountered
2023		* since the last call to `br_ssl_client_reset()` or
2024		* `br_ssl_server_reset()`. Other status values are "sticky": they
2025		* remain set, and prevent all I/O activity, until cleared. Only the
2026		* reset calls clear the error indicator.
2027		*
2028		* \param cc SSL engine context.
2029		* \return 0, or a non-zero error code.
2030		*/
2031		static inline int
2032	3	br_ssl_engine_last_error(const br_ssl_engine_context *cc)
2033		{
2034	3	return cc->err;
2035		}
2036
2037		/*
2038		* There are four I/O operations, each identified by a symbolic name:
2039		*
2040		* sendapp inject application data in the engine
2041		* recvapp retrieving application data from the engine
2042		* sendrec sending records on the transport medium
2043		* recvrec receiving records from the transport medium
2044		*
2045		* Terminology works thus: in a layered model where the SSL engine sits
2046		* between the application and the network, "send" designates operations
2047		* where bytes flow from application to network, and "recv" for the
2048		* reverse operation. Application data (the plaintext that is to be
2049		* conveyed through SSL) is "app", while encrypted records are "rec".
2050		* Note that from the SSL engine point of view, "sendapp" and "recvrec"
2051		* designate bytes that enter the engine ("inject" operation), while
2052		* "recvapp" and "sendrec" designate bytes that exit the engine
2053		* ("extract" operation).
2054		*
2055		* For the operation 'xxx', two functions are defined:
2056		*
2057		* br_ssl_engine_xxx_buf
2058		* Returns a pointer and length to the buffer to use for that
2059		* operation. '*len' is set to the number of bytes that may be read
2060		* from the buffer (extract operation) or written to the buffer
2061		* (inject operation). If no byte may be exchanged for that operation
2062		* at that point, then '*len' is set to zero, and NULL is returned.
2063		* The engine state is unmodified by this call.
2064		*
2065		* br_ssl_engine_xxx_ack
2066		* Informs the engine that 'len' bytes have been read from the buffer
2067		* (extract operation) or written to the buffer (inject operation).
2068		* The 'len' value MUST NOT be zero. The 'len' value MUST NOT exceed
2069		* that which was obtained from a preceding br_ssl_engine_xxx_buf()
2070		* call.
2071		*/
2072
2073		/**
2074		* \brief Get buffer for application data to send.
2075		*
2076		* If the engine is ready to accept application data to send to the
2077		* peer, then this call returns a pointer to the buffer where such
2078		* data shall be written, and its length is written in `*len`.
2079		* Otherwise, `*len` is set to 0 and `NULL` is returned.
2080		*
2081		* \param cc SSL engine context.
2082		* \param len receives the application data output buffer length, or 0.
2083		* \return the application data output buffer, or `NULL`.
2084		*/
2085		unsigned char *br_ssl_engine_sendapp_buf(
2086		const br_ssl_engine_context cc, size_t len);
2087
2088		/**
2089		* \brief Inform the engine of some new application data.
2090		*
2091		* After writing `len` bytes in the buffer returned by
2092		* `br_ssl_engine_sendapp_buf()`, the application shall call this
2093		* function to trigger any relevant processing. The `len` parameter
2094		* MUST NOT be 0, and MUST NOT exceed the value obtained in the
2095		* `br_ssl_engine_sendapp_buf()` call.
2096		*
2097		* \param cc SSL engine context.
2098		* \param len number of bytes pushed (not zero).
2099		*/
2100		void br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len);
2101
2102		/**
2103		* \brief Get buffer for received application data.
2104		*
2105		* If the engine has received application data from the peer, then this
2106		* call returns a pointer to the buffer from where such data shall be
2107		* read, and its length is written in `len`. Otherwise, `len` is set
2108		* to 0 and `NULL` is returned.
2109		*
2110		* \param cc SSL engine context.
2111		* \param len receives the application data input buffer length, or 0.
2112		* \return the application data input buffer, or `NULL`.
2113		*/
2114		unsigned char *br_ssl_engine_recvapp_buf(
2115		const br_ssl_engine_context cc, size_t len);
2116
2117		/**
2118		* \brief Acknowledge some received application data.
2119		*
2120		* After reading `len` bytes from the buffer returned by
2121		* `br_ssl_engine_recvapp_buf()`, the application shall call this
2122		* function to trigger any relevant processing. The `len` parameter
2123		* MUST NOT be 0, and MUST NOT exceed the value obtained in the
2124		* `br_ssl_engine_recvapp_buf()` call.
2125		*
2126		* \param cc SSL engine context.
2127		* \param len number of bytes read (not zero).
2128		*/
2129		void br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len);
2130
2131		/**
2132		* \brief Get buffer for record data to send.
2133		*
2134		* If the engine has prepared some records to send to the peer, then this
2135		* call returns a pointer to the buffer from where such data shall be
2136		* read, and its length is written in `len`. Otherwise, `len` is set
2137		* to 0 and `NULL` is returned.
2138		*
2139		* \param cc SSL engine context.
2140		* \param len receives the record data output buffer length, or 0.
2141		* \return the record data output buffer, or `NULL`.
2142		*/
2143		unsigned char *br_ssl_engine_sendrec_buf(
2144		const br_ssl_engine_context cc, size_t len);
2145
2146		/**
2147		* \brief Acknowledge some sent record data.
2148		*
2149		* After reading `len` bytes from the buffer returned by
2150		* `br_ssl_engine_sendrec_buf()`, the application shall call this
2151		* function to trigger any relevant processing. The `len` parameter
2152		* MUST NOT be 0, and MUST NOT exceed the value obtained in the
2153		* `br_ssl_engine_sendrec_buf()` call.
2154		*
2155		* \param cc SSL engine context.
2156		* \param len number of bytes read (not zero).
2157		*/
2158		void br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len);
2159
2160		/**
2161		* \brief Get buffer for incoming records.
2162		*
2163		* If the engine is ready to accept records from the peer, then this
2164		* call returns a pointer to the buffer where such data shall be
2165		* written, and its length is written in `len`. Otherwise, `len` is
2166		* set to 0 and `NULL` is returned.
2167		*
2168		* \param cc SSL engine context.
2169		* \param len receives the record data input buffer length, or 0.
2170		* \return the record data input buffer, or `NULL`.
2171		*/
2172		unsigned char *br_ssl_engine_recvrec_buf(
2173		const br_ssl_engine_context cc, size_t len);
2174
2175		/**
2176		* \brief Inform the engine of some new record data.
2177		*
2178		* After writing `len` bytes in the buffer returned by
2179		* `br_ssl_engine_recvrec_buf()`, the application shall call this
2180		* function to trigger any relevant processing. The `len` parameter
2181		* MUST NOT be 0, and MUST NOT exceed the value obtained in the
2182		* `br_ssl_engine_recvrec_buf()` call.
2183		*
2184		* \param cc SSL engine context.
2185		* \param len number of bytes pushed (not zero).
2186		*/
2187		void br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len);
2188
2189		/**
2190		* \brief Flush buffered application data.
2191		*
2192		* If some application data has been buffered in the engine, then wrap
2193		* it into a record and mark it for sending. If no application data has
2194		* been buffered but the engine would be ready to accept some, AND the
2195		* `force` parameter is non-zero, then an empty record is assembled and
2196		* marked for sending. In all other cases, this function does nothing.
2197		*
2198		* Empty records are technically legal, but not all existing SSL/TLS
2199		* implementations support them. Empty records can be useful as a
2200		* transparent "keep-alive" mechanism to maintain some low-level
2201		* network activity.
2202		*
2203		* \param cc SSL engine context.
2204		* \param force non-zero to force sending an empty record.
2205		*/
2206		void br_ssl_engine_flush(br_ssl_engine_context *cc, int force);
2207
2208		/**
2209		* \brief Initiate a closure.
2210		*
2211		* If, at that point, the context is open and in ready state, then a
2212		* `close_notify` alert is assembled and marked for sending; this
2213		* triggers the closure protocol. Otherwise, no such alert is assembled.
2214		*
2215		* \param cc SSL engine context.
2216		*/
2217		void br_ssl_engine_close(br_ssl_engine_context *cc);
2218
2219		/**
2220		* \brief Initiate a renegotiation.
2221		*
2222		* If the engine is failed or closed, or if the peer is known not to
2223		* support secure renegotiation (RFC 5746), or if renegotiations have
2224		* been disabled with the `BR_OPT_NO_RENEGOTIATION` flag, or if there
2225		* is buffered incoming application data, then this function returns 0
2226		* and nothing else happens.
2227		*
2228		* Otherwise, this function returns 1, and a renegotiation attempt is
2229		* triggered (if a handshake is already ongoing at that point, then
2230		* no new handshake is triggered).
2231		*
2232		* \param cc SSL engine context.
2233		* \return 1 on success, 0 on error.
2234		*/
2235		int br_ssl_engine_renegotiate(br_ssl_engine_context *cc);
2236
2237		/**
2238		* \brief Export key material from a connected SSL engine (RFC 5705).
2239		*
2240		* This calls compute a secret key of arbitrary length from the master
2241		* secret of a connected SSL engine. If the provided context is not
2242		* currently in "application data" state (initial handshake is not
2243		* finished, another handshake is ongoing, or the connection failed or
2244		* was closed), then this function returns 0. Otherwise, a secret key of
2245		* length `len` bytes is computed and written in the buffer pointed to
2246		* by `dst`, and 1 is returned.
2247		*
2248		* The computed key follows the specification described in RFC 5705.
2249		* That RFC includes two key computations, with and without a "context
2250		* value". If `context` is `NULL`, then the variant without context is
2251		* used; otherwise, the `context_len` bytes located at the address
2252		* pointed to by `context` are used in the computation. Note that it
2253		* is possible to have a "with context" key with a context length of
2254		* zero bytes, by setting `context` to a non-`NULL` value but
2255		* `context_len` to 0.
2256		*
2257		* When context bytes are used, the context length MUST NOT exceed
2258		* 65535 bytes.
2259		*
2260		* \param cc SSL engine context.
2261		* \param dst destination buffer for exported key.
2262		* \param len exported key length (in bytes).
2263		* \param label disambiguation label.
2264		* \param context context value (or `NULL`).
2265		* \param context_len context length (in bytes).
2266		* \return 1 on success, 0 on error.
2267		*/
2268		int br_ssl_key_export(br_ssl_engine_context *cc,
2269		void dst, size_t len, const char label,
2270		const void *context, size_t context_len);
2271
2272		/*
2273		* Pre-declaration for the SSL client context.
2274		*/
2275		typedef struct br_ssl_client_context_ br_ssl_client_context;
2276
2277		/**
2278		* \brief Type for the client certificate, if requested by the server.
2279		*/
2280		typedef struct {
2281		/**
2282		* \brief Authentication type.
2283		*
2284		* This is either `BR_AUTH_RSA` (RSA signature), `BR_AUTH_ECDSA`
2285		* (ECDSA signature), or `BR_AUTH_ECDH` (static ECDH key exchange).
2286		*/
2287		int auth_type;
2288
2289		/**
2290		* \brief Hash function for computing the CertificateVerify.
2291		*
2292		* This is the symbolic identifier for the hash function that
2293		* will be used to produce the hash of handshake messages, to
2294		* be signed into the CertificateVerify. For full static ECDH
2295		* (client and server certificates are both EC in the same
2296		* curve, and static ECDH is used), this value is set to -1.
2297		*
2298		* Take care that with TLS 1.0 and 1.1, that value MUST match
2299		* the protocol requirements: value must be 0 (MD5+SHA-1) for
2300		* a RSA signature, or 2 (SHA-1) for an ECDSA signature. Only
2301		* TLS 1.2 allows for other hash functions.
2302		*/
2303		int hash_id;
2304
2305		/**
2306		* \brief Certificate chain to send to the server.
2307		*
2308		* This is an array of `br_x509_certificate` objects, each
2309		* normally containing a DER-encoded certificate. The client
2310		* code does not try to decode these elements. If there is no
2311		* chain to send to the server, then this pointer shall be
2312		* set to `NULL`.
2313		*/
2314		const br_x509_certificate *chain;
2315
2316		/**
2317		* \brief Certificate chain length (number of certificates).
2318		*
2319		* If there is no chain to send to the server, then this value
2320		* shall be set to 0.
2321		*/
2322		size_t chain_len;
2323
2324		} br_ssl_client_certificate;
2325
2326		/*
2327		* Note: the constants below for signatures match the TLS constants.
2328		*/
2329
2330		/** \brief Client authentication type: static ECDH. */
2331		#define BR_AUTH_ECDH 0
2332		/** \brief Client authentication type: RSA signature. */
2333		#define BR_AUTH_RSA 1
2334		/** \brief Client authentication type: ECDSA signature. */
2335		#define BR_AUTH_ECDSA 3
2336
2337		/**
2338		* \brief Class type for a certificate handler (client side).
2339		*
2340		* A certificate handler selects a client certificate chain to send to
2341		* the server, upon explicit request from that server. It receives
2342		* the list of trust anchor DN from the server, and supported types
2343		* of certificates and signatures, and returns the chain to use. It
2344		* is also invoked to perform the corresponding private key operation
2345		* (a signature, or an ECDH computation).
2346		*
2347		* The SSL client engine will first push the trust anchor DN with
2348		* `start_name_list()`, `start_name()`, `append_name()`, `end_name()`
2349		* and `end_name_list()`. Then it will call `choose()`, to select the
2350		* actual chain (and signature/hash algorithms). Finally, it will call
2351		* either `do_sign()` or `do_keyx()`, depending on the algorithm choices.
2352		*/
2353		typedef struct br_ssl_client_certificate_class_ br_ssl_client_certificate_class;
2354		struct br_ssl_client_certificate_class_ {
2355		/**
2356		* \brief Context size (in bytes).
2357		*/
2358		size_t context_size;
2359
2360		/**
2361		* \brief Begin reception of a list of trust anchor names. This
2362		* is called while parsing the incoming CertificateRequest.
2363		*
2364		* \param pctx certificate handler context.
2365		*/
2366		void (start_name_list)(const br_ssl_client_certificate_class *pctx);
2367
2368		/**
2369		* \brief Begin reception of a new trust anchor name.
2370		*
2371		* The total encoded name length is provided; it is less than
2372		* 65535 bytes.
2373		*
2374		* \param pctx certificate handler context.
2375		* \param len encoded name length (in bytes).
2376		*/
2377		void (start_name)(const br_ssl_client_certificate_class *pctx,
2378		size_t len);
2379
2380		/**
2381		* \brief Receive some more bytes for the current trust anchor name.
2382		*
2383		* The provided reference (`data`) points to a transient buffer
2384		* they may be reused as soon as this function returns. The chunk
2385		* length (`len`) is never zero.
2386		*
2387		* \param pctx certificate handler context.
2388		* \param data anchor name chunk.
2389		* \param len anchor name chunk length (in bytes).
2390		*/
2391		void (append_name)(const br_ssl_client_certificate_class *pctx,
2392		const unsigned char *data, size_t len);
2393
2394		/**
2395		* \brief End current trust anchor name.
2396		*
2397		* This function is called when all the encoded anchor name data
2398		* has been provided.
2399		*
2400		* \param pctx certificate handler context.
2401		*/
2402		void (end_name)(const br_ssl_client_certificate_class *pctx);
2403
2404		/**
2405		* \brief End list of trust anchor names.
2406		*
2407		* This function is called when all the anchor names in the
2408		* CertificateRequest message have been obtained.
2409		*
2410		* \param pctx certificate handler context.
2411		*/
2412		void (end_name_list)(const br_ssl_client_certificate_class *pctx);
2413
2414		/**
2415		* \brief Select client certificate and algorithms.
2416		*
2417		* This callback function shall fill the provided `choices`
2418		* structure with the selected algorithms and certificate chain.
2419		* The `hash_id`, `chain` and `chain_len` fields must be set. If
2420		* the client cannot or does not wish to send a certificate,
2421		* then it shall set `chain` to `NULL` and `chain_len` to 0.
2422		*
2423		* The `auth_types` parameter describes the authentication types,
2424		* signature algorithms and hash functions that are supported by
2425		* both the client context and the server, and compatible with
2426		* the current protocol version. This is a bit field with the
2427		* following contents:
2428		*
2429		* - If RSA signatures with hash function x are supported, then
2430		* bit x is set.
2431		*
2432		* - If ECDSA signatures with hash function x are supported,
2433		* then bit 8+x is set.
2434		*
2435		* - If static ECDH is supported, with a RSA-signed certificate,
2436		* then bit 16 is set.
2437		*
2438		* - If static ECDH is supported, with an ECDSA-signed certificate,
2439		* then bit 17 is set.
2440		*
2441		* Notes:
2442		*
2443		* - When using TLS 1.0 or 1.1, the hash function for RSA
2444		* signatures is always the special MD5+SHA-1 (id 0), and the
2445		* hash function for ECDSA signatures is always SHA-1 (id 2).
2446		*
2447		* - When using TLS 1.2, the list of hash functions is trimmed
2448		* down to include only hash functions that the client context
2449		* can support. The actual server list can be obtained with
2450		* `br_ssl_client_get_server_hashes()`; that list may be used
2451		* to select the certificate chain to send to the server.
2452		*
2453		* \param pctx certificate handler context.
2454		* \param cc SSL client context.
2455		* \param auth_types supported authentication types and algorithms.
2456		* \param choices destination structure for the policy choices.
2457		*/
2458		void (choose)(const br_ssl_client_certificate_class *pctx,
2459		const br_ssl_client_context *cc, uint32_t auth_types,
2460		br_ssl_client_certificate *choices);
2461
2462		/**
2463		* \brief Perform key exchange (client part).
2464		*
2465		* This callback is invoked in case of a full static ECDH key
2466		* exchange:
2467		*
2468		* - the cipher suite uses `ECDH_RSA` or `ECDH_ECDSA`;
2469		*
2470		* - the server requests a client certificate;
2471		*
2472		* - the client has, and sends, a client certificate that
2473		* uses an EC key in the same curve as the server's key,
2474		* and chooses static ECDH (the `hash_id` field in the choice
2475		* structure was set to -1).
2476		*
2477		* In that situation, this callback is invoked to compute the
2478		* client-side ECDH: the provided `data` (of length `*len` bytes)
2479		* is the server's public key point (as decoded from its
2480		* certificate), and the client shall multiply that point with
2481		* its own private key, and write back the X coordinate of the
2482		* resulting point in the same buffer, starting at offset 0.
2483		* The `*len` value shall be modified to designate the actual
2484		* length of the X coordinate.
2485		*
2486		* The callback must uphold the following:
2487		*
2488		* - If the input array does not have the proper length for
2489		* an encoded curve point, then an error (0) shall be reported.
2490		*
2491		* - If the input array has the proper length, then processing
2492		* MUST be constant-time, even if the data is not a valid
2493		* encoded point.
2494		*
2495		* - This callback MUST check that the input point is valid.
2496		*
2497		* Returned value is 1 on success, 0 on error.
2498		*
2499		* \param pctx certificate handler context.
2500		* \param data server public key point.
2501		* \param len public key point length / X coordinate length.
2502		* \return 1 on success, 0 on error.
2503		*/
2504		uint32_t (do_keyx)(const br_ssl_client_certificate_class *pctx,
2505		unsigned char data, size_t len);
2506
2507		/**
2508		* \brief Perform a signature (client authentication).
2509		*
2510		* This callback is invoked when a client certificate was sent,
2511		* and static ECDH is not used. It shall compute a signature,
2512		* using the client's private key, over the provided hash value
2513		* (which is the hash of all previous handshake messages).
2514		*
2515		* On input, the hash value to sign is in `data`, of size
2516		* `hv_len`; the involved hash function is identified by
2517		* `hash_id`. The signature shall be computed and written
2518		* back into `data`; the total size of that buffer is `len`
2519		* bytes.
2520		*
2521		* This callback shall verify that the signature length does not
2522		* exceed `len` bytes, and abstain from writing the signature if
2523		* it does not fit.
2524		*
2525		* For RSA signatures, the `hash_id` may be 0, in which case
2526		* this is the special header-less signature specified in TLS 1.0
2527		* and 1.1, with a 36-byte hash value. Otherwise, normal PKCS#1
2528		* v1.5 signatures shall be computed.
2529		*
2530		* For ECDSA signatures, the signature value shall use the ASN.1
2531		* based encoding.
2532		*
2533		* Returned value is the signature length (in bytes), or 0 on error.
2534		*
2535		* \param pctx certificate handler context.
2536		* \param hash_id hash function identifier.
2537		* \param hv_len hash value length (in bytes).
2538		* \param data input/output buffer (hash value, then signature).
2539		* \param len total buffer length (in bytes).
2540		* \return signature length (in bytes) on success, or 0 on error.
2541		*/
2542		size_t (do_sign)(const br_ssl_client_certificate_class *pctx,
2543		int hash_id, size_t hv_len, unsigned char *data, size_t len);
2544		};
2545
2546		/**
2547		* \brief A single-chain RSA client certificate handler.
2548		*
2549		* This handler uses a single certificate chain, with a RSA
2550		* signature. The list of trust anchor DN is ignored.
2551		*
2552		* Apart from the first field (vtable pointer), its contents are
2553		* opaque and shall not be accessed directly.
2554		*/
2555		typedef struct {
2556		/** \brief Pointer to vtable. */
2557		const br_ssl_client_certificate_class *vtable;
2558		#ifndef BR_DOXYGEN_IGNORE
2559		const br_x509_certificate *chain;
2560		size_t chain_len;
2561		const br_rsa_private_key *sk;
2562		br_rsa_pkcs1_sign irsasign;
2563		#endif
2564		} br_ssl_client_certificate_rsa_context;
2565
2566		/**
2567		* \brief A single-chain EC client certificate handler.
2568		*
2569		* This handler uses a single certificate chain, with a RSA
2570		* signature. The list of trust anchor DN is ignored.
2571		*
2572		* This handler may support both static ECDH, and ECDSA signatures
2573		* (either usage may be selectively disabled).
2574		*
2575		* Apart from the first field (vtable pointer), its contents are
2576		* opaque and shall not be accessed directly.
2577		*/
2578		typedef struct {
2579		/** \brief Pointer to vtable. */
2580		const br_ssl_client_certificate_class *vtable;
2581		#ifndef BR_DOXYGEN_IGNORE
2582		const br_x509_certificate *chain;
2583		size_t chain_len;
2584		const br_ec_private_key *sk;
2585		unsigned allowed_usages;
2586		unsigned issuer_key_type;
2587		const br_multihash_context *mhash;
2588		const br_ec_impl *iec;
2589		br_ecdsa_sign iecdsa;
2590		#endif
2591		} br_ssl_client_certificate_ec_context;
2592
2593		/**
2594		* \brief Context structure for a SSL client.
2595		*
2596		* The first field (called `eng`) is the SSL engine; all functions that
2597		* work on a `br_ssl_engine_context` structure shall take as parameter
2598		* a pointer to that field. The other structure fields are opaque and
2599		* must not be accessed directly.
2600		*/
2601		struct br_ssl_client_context_ {
2602		/**
2603		* \brief The encapsulated engine context.
2604		*/
2605		br_ssl_engine_context eng;
2606
2607		#ifndef BR_DOXYGEN_IGNORE
2608		/*
2609		* Minimum ClientHello length; padding with an extension (RFC
2610		* 7685) is added if necessary to match at least that length.
2611		* Such padding is nominally unnecessary, but it has been used
2612		* to work around some server implementation bugs.
2613		*/
2614		uint16_t min_clienthello_len;
2615
2616		/*
2617		* Bit field for algoithms (hash + signature) supported by the
2618		* server when requesting a client certificate.
2619		*/
2620		uint32_t hashes;
2621
2622		/*
2623		* Server's public key curve.
2624		*/
2625		int server_curve;
2626
2627		/*
2628		* Context for certificate handler.
2629		*/
2630		const br_ssl_client_certificate_class **client_auth_vtable;
2631
2632		/*
2633		* Client authentication type.
2634		*/
2635		unsigned char auth_type;
2636
2637		/*
2638		* Hash function to use for the client signature. This is 0xFF
2639		* if static ECDH is used.
2640		*/
2641		unsigned char hash_id;
2642
2643		/*
2644		* For the core certificate handlers, thus avoiding (in most
2645		* cases) the need for an externally provided policy context.
2646		*/
2647		union {
2648		const br_ssl_client_certificate_class *vtable;
2649		br_ssl_client_certificate_rsa_context single_rsa;
2650		br_ssl_client_certificate_ec_context single_ec;
2651		} client_auth;
2652
2653		/*
2654		* Implementations.
2655		*/
2656		br_rsa_public irsapub;
2657		#endif
2658		};
2659
2660		/**
2661		* \brief Get the hash functions and signature algorithms supported by
2662		* the server.
2663		*
2664		* This value is a bit field:
2665		*
2666		* - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`,
2667		* then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
2668		* or 2 to 6 for the SHA family).
2669		*
2670		* - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
2671		* is set.
2672		*
2673		* - Newer algorithms are symbolic 16-bit identifiers that do not
2674		* represent signature algorithm and hash function separately. If
2675		* the TLS-level identifier is `0x0800+x` for a `x` in the 0..15
2676		* range, then bit `16+x` is set.
2677		*
2678		* "New algorithms" are currently defined only in draft documents, so
2679		* this support is subject to possible change. Right now (early 2017),
2680		* this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA
2681		* on Curve448) to bit 24. If the identifiers on the wire change in
2682		* future document, then the decoding mechanism in BearSSL will be
2683		* amended to keep mapping ed25519 and ed448 on bits 23 and 24,
2684		* respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not
2685		* guaranteed yet.
2686		*
2687		* \param cc client context.
2688		* \return the server-supported hash functions and signature algorithms.
2689		*/
2690		static inline uint32_t
2691		br_ssl_client_get_server_hashes(const br_ssl_client_context *cc)
2692		{
2693		return cc->hashes;
2694		}
2695
2696		/**
2697		* \brief Get the server key curve.
2698		*
2699		* This function returns the ID for the curve used by the server's public
2700		* key. This is set when the server's certificate chain is processed;
2701		* this value is 0 if the server's key is not an EC key.
2702		*
2703		* \return the server's public key curve ID, or 0.
2704		*/
2705		static inline int
2706		br_ssl_client_get_server_curve(const br_ssl_client_context *cc)
2707		{
2708		return cc->server_curve;
2709		}
2710
2711		/*
2712		* Each br_ssl_client_init_xxx() function sets the list of supported
2713		* cipher suites and used implementations, as specified by the profile
2714		* name 'xxx'. Defined profile names are:
2715		*
2716		* full all supported versions and suites; constant-time implementations
2717		* TODO: add other profiles
2718		*/
2719
2720		/**
2721		* \brief SSL client profile: full.
2722		*
2723		* This function initialises the provided SSL client context with
2724		* all supported algorithms and cipher suites. It also initialises
2725		* a companion X.509 validation engine with all supported algorithms,
2726		* and the provided trust anchors; the X.509 engine will be used by
2727		* the client context to validate the server's certificate.
2728		*
2729		* \param cc client context to initialise.
2730		* \param xc X.509 validation context to initialise.
2731		* \param trust_anchors trust anchors to use.
2732		* \param trust_anchors_num number of trust anchors.
2733		*/
2734		void br_ssl_client_init_full(br_ssl_client_context *cc,
2735		br_x509_minimal_context *xc,
2736		const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
2737
2738		/**
2739		* \brief Clear the complete contents of a SSL client context.
2740		*
2741		* Everything is cleared, including the reference to the configured buffer,
2742		* implementations, cipher suites and state. This is a preparatory step
2743		* to assembling a custom profile.
2744		*
2745		* \param cc client context to clear.
2746		*/
2747		void br_ssl_client_zero(br_ssl_client_context *cc);
2748
2749		/**
2750		* \brief Set an externally provided client certificate handler context.
2751		*
2752		* The handler's methods are invoked when the server requests a client
2753		* certificate.
2754		*
2755		* \param cc client context.
2756		* \param pctx certificate handler context (pointer to its vtable field).
2757		*/
2758		static inline void
2759		br_ssl_client_set_client_certificate(br_ssl_client_context *cc,
2760		const br_ssl_client_certificate_class **pctx)
2761		{
2762		cc->client_auth_vtable = pctx;
2763		}
2764
2765		/**
2766		* \brief Set the RSA public-key operations implementation.
2767		*
2768		* This will be used to encrypt the pre-master secret with the server's
2769		* RSA public key (RSA-encryption cipher suites only).
2770		*
2771		* \param cc client context.
2772		* \param irsapub RSA public-key encryption implementation.
2773		*/
2774		static inline void
2775		br_ssl_client_set_rsapub(br_ssl_client_context *cc, br_rsa_public irsapub)
2776		{
2777		cc->irsapub = irsapub;
2778		}
2779
2780		/**
2781		* \brief Set the "default" RSA implementation for public-key operations.
2782		*
2783		* This sets the RSA implementation in the client context (for encrypting
2784		* the pre-master secret, in `TLS_RSA_*` cipher suites) to the fastest
2785		* available on the current platform.
2786		*
2787		* \param cc client context.
2788		*/
2789		void br_ssl_client_set_default_rsapub(br_ssl_client_context *cc);
2790
2791		/**
2792		* \brief Set the minimum ClientHello length (RFC 7685 padding).
2793		*
2794		* If this value is set and the ClientHello would be shorter, then
2795		* the Pad ClientHello extension will be added with enough padding bytes
2796		* to reach the target size. Because of the extension header, the resulting
2797		* size will sometimes be slightly more than `len` bytes if the target
2798		* size cannot be exactly met.
2799		*
2800		* The target length relates to the _contents_ of the ClientHello, not
2801		* counting its 4-byte header. For instance, if `len` is set to 512,
2802		* then the padding will bring the ClientHello size to 516 bytes with its
2803		* header, and 521 bytes when counting the 5-byte record header.
2804		*
2805		* \param cc client context.
2806		* \param len minimum ClientHello length (in bytes).
2807		*/
2808		static inline void
2809		br_ssl_client_set_min_clienthello_len(br_ssl_client_context *cc, uint16_t len)
2810		{
2811		cc->min_clienthello_len = len;
2812		}
2813
2814		/**
2815		* \brief Prepare or reset a client context for a new connection.
2816		*
2817		* The `server_name` parameter is used to fill the SNI extension; the
2818		* X.509 "minimal" engine will also match that name against the server
2819		* names included in the server's certificate. If the parameter is
2820		* `NULL` then no SNI extension will be sent, and the X.509 "minimal"
2821		* engine (if used for server certificate validation) will not check
2822		* presence of any specific name in the received certificate.
2823		*
2824		* Therefore, setting the `server_name` to `NULL` shall be reserved
2825		* to cases where alternate or additional methods are used to ascertain
2826		* that the right server public key is used (e.g. a "known key" model).
2827		*
2828		* If `resume_session` is non-zero and the context was previously used
2829		* then the session parameters may be reused (depending on whether the
2830		* server previously sent a non-empty session ID, and accepts the session
2831		* resumption). The session parameters for session resumption can also
2832		* be set explicitly with `br_ssl_engine_set_session_parameters()`.
2833		*
2834		* On failure, the context is marked as failed, and this function
2835		* returns 0. A possible failure condition is when no initial entropy
2836		* was injected, and none could be obtained from the OS (either OS
2837		* randomness gathering is not supported, or it failed).
2838		*
2839		* \param cc client context.
2840		* \param server_name target server name, or `NULL`.
2841		* \param resume_session non-zero to try session resumption.
2842		* \return 0 on failure, 1 on success.
2843		*/
2844		int br_ssl_client_reset(br_ssl_client_context *cc,
2845		const char *server_name, int resume_session);
2846
2847		/**
2848		* \brief Forget any session in the context.
2849		*
2850		* This means that the next handshake that uses this context will
2851		* necessarily be a full handshake (this applies both to new connections
2852		* and to renegotiations).
2853		*
2854		* \param cc client context.
2855		*/
2856		static inline void
2857	0	br_ssl_client_forget_session(br_ssl_client_context *cc)
2858		{
2859	0	cc->eng.session.session_id_len = 0;
2860	0	}
2861
2862		/**
2863		* \brief Set client certificate chain and key (single RSA case).
2864		*
2865		* This function sets a client certificate chain, that the client will
2866		* send to the server whenever a client certificate is requested. This
2867		* certificate uses an RSA public key; the corresponding private key is
2868		* invoked for authentication. Trust anchor names sent by the server are
2869		* ignored.
2870		*
2871		* The provided chain and private key are linked in the client context;
2872		* they must remain valid as long as they may be used, i.e. normally
2873		* for the duration of the connection, since they might be invoked
2874		* again upon renegotiations.
2875		*
2876		* \param cc SSL client context.
2877		* \param chain client certificate chain (SSL order: EE comes first).
2878		* \param chain_len client chain length (number of certificates).
2879		* \param sk client private key.
2880		* \param irsasign RSA signature implementation (PKCS#1 v1.5).
2881		*/
2882		void br_ssl_client_set_single_rsa(br_ssl_client_context *cc,
2883		const br_x509_certificate *chain, size_t chain_len,
2884		const br_rsa_private_key *sk, br_rsa_pkcs1_sign irsasign);
2885
2886		/*
2887		* \brief Set the client certificate chain and key (single EC case).
2888		*
2889		* This function sets a client certificate chain, that the client will
2890		* send to the server whenever a client certificate is requested. This
2891		* certificate uses an EC public key; the corresponding private key is
2892		* invoked for authentication. Trust anchor names sent by the server are
2893		* ignored.
2894		*
2895		* The provided chain and private key are linked in the client context;
2896		* they must remain valid as long as they may be used, i.e. normally
2897		* for the duration of the connection, since they might be invoked
2898		* again upon renegotiations.
2899		*
2900		* The `allowed_usages` is a combination of usages, namely
2901		* `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`. The `BR_KEYTYPE_KEYX`
2902		* value allows full static ECDH, while the `BR_KEYTYPE_SIGN` value
2903		* allows ECDSA signatures. If ECDSA signatures are used, then an ECDSA
2904		* signature implementation must be provided; otherwise, the `iecdsa`
2905		* parameter may be 0.
2906		*
2907		* The `cert_issuer_key_type` value is either `BR_KEYTYPE_RSA` or
2908		* `BR_KEYTYPE_EC`; it is the type of the public key used the the CA
2909		* that issued (signed) the client certificate. That value is used with
2910		* full static ECDH: support of the certificate by the server depends
2911		* on how the certificate was signed. (Note: when using TLS 1.2, this
2912		* parameter is ignored; but its value matters for TLS 1.0 and 1.1.)
2913		*
2914		* \param cc server context.
2915		* \param chain server certificate chain to send.
2916		* \param chain_len chain length (number of certificates).
2917		* \param sk server private key (EC).
2918		* \param allowed_usages allowed private key usages.
2919		* \param cert_issuer_key_type issuing CA's key type.
2920		* \param iec EC core implementation.
2921		* \param iecdsa ECDSA signature implementation ("asn1" format).
2922		*/
2923		void br_ssl_client_set_single_ec(br_ssl_client_context *cc,
2924		const br_x509_certificate *chain, size_t chain_len,
2925		const br_ec_private_key *sk, unsigned allowed_usages,
2926		unsigned cert_issuer_key_type,
2927		const br_ec_impl *iec, br_ecdsa_sign iecdsa);
2928
2929		/**
2930		* \brief Type for a "translated cipher suite", as an array of two
2931		* 16-bit integers.
2932		*
2933		* The first element is the cipher suite identifier (as used on the wire).
2934		* The second element is the concatenation of four 4-bit elements which
2935		* characterise the cipher suite contents. In most to least significant
2936		* order, these 4-bit elements are:
2937		*
2938		* - Bits 12 to 15: key exchange + server key type
2939		*
2940		* \| val \| symbolic constant \| suite type \| details \|
2941		* \| :-- \| :----------------------- \| :---------- \| :----------------------------------------------- \|
2942		* \| 0 \| `BR_SSLKEYX_RSA` \| RSA \| RSA key exchange, key is RSA (encryption) \|
2943		* \| 1 \| `BR_SSLKEYX_ECDHE_RSA` \| ECDHE_RSA \| ECDHE key exchange, key is RSA (signature) \|
2944		* \| 2 \| `BR_SSLKEYX_ECDHE_ECDSA` \| ECDHE_ECDSA \| ECDHE key exchange, key is EC (signature) \|
2945		* \| 3 \| `BR_SSLKEYX_ECDH_RSA` \| ECDH_RSA \| Key is EC (key exchange), cert signed with RSA \|
2946		* \| 4 \| `BR_SSLKEYX_ECDH_ECDSA` \| ECDH_ECDSA \| Key is EC (key exchange), cert signed with ECDSA \|
2947		*
2948		* - Bits 8 to 11: symmetric encryption algorithm
2949		*
2950		* \| val \| symbolic constant \| symmetric encryption \| key strength (bits) \|
2951		* \| :-- \| :--------------------- \| :------------------- \| :------------------ \|
2952		* \| 0 \| `BR_SSLENC_3DES_CBC` \| 3DES/CBC \| 168 \|
2953		* \| 1 \| `BR_SSLENC_AES128_CBC` \| AES-128/CBC \| 128 \|
2954		* \| 2 \| `BR_SSLENC_AES256_CBC` \| AES-256/CBC \| 256 \|
2955		* \| 3 \| `BR_SSLENC_AES128_GCM` \| AES-128/GCM \| 128 \|
2956		* \| 4 \| `BR_SSLENC_AES256_GCM` \| AES-256/GCM \| 256 \|
2957		* \| 5 \| `BR_SSLENC_CHACHA20` \| ChaCha20/Poly1305 \| 256 \|
2958		*
2959		* - Bits 4 to 7: MAC algorithm
2960		*
2961		* \| val \| symbolic constant \| MAC type \| details \|
2962		* \| :-- \| :----------------- \| :----------- \| :------------------------------------ \|
2963		* \| 0 \| `BR_SSLMAC_AEAD` \| AEAD \| No dedicated MAC (encryption is AEAD) \|
2964		* \| 2 \| `BR_SSLMAC_SHA1` \| HMAC/SHA-1 \| Value matches `br_sha1_ID` \|
2965		* \| 4 \| `BR_SSLMAC_SHA256` \| HMAC/SHA-256 \| Value matches `br_sha256_ID` \|
2966		* \| 5 \| `BR_SSLMAC_SHA384` \| HMAC/SHA-384 \| Value matches `br_sha384_ID` \|
2967		*
2968		* - Bits 0 to 3: hash function for PRF when used with TLS-1.2
2969		*
2970		* \| val \| symbolic constant \| hash function \| details \|
2971		* \| :-- \| :----------------- \| :------------ \| :----------------------------------- \|
2972		* \| 4 \| `BR_SSLPRF_SHA256` \| SHA-256 \| Value matches `br_sha256_ID` \|
2973		* \| 5 \| `BR_SSLPRF_SHA384` \| SHA-384 \| Value matches `br_sha384_ID` \|
2974		*
2975		* For instance, cipher suite `TLS_RSA_WITH_AES_128_GCM_SHA256` has
2976		* standard identifier 0x009C, and is translated to 0x0304, for, in
2977		* that order: RSA key exchange (0), AES-128/GCM (3), AEAD integrity (0),
2978		* SHA-256 in the TLS PRF (4).
2979		*/
2980		typedef uint16_t br_suite_translated[2];
2981
2982		#ifndef BR_DOXYGEN_IGNORE
2983		/*
2984		* Constants are already documented in the br_suite_translated type.
2985		*/
2986
2987		#define BR_SSLKEYX_RSA 0
2988		#define BR_SSLKEYX_ECDHE_RSA 1
2989		#define BR_SSLKEYX_ECDHE_ECDSA 2
2990		#define BR_SSLKEYX_ECDH_RSA 3
2991		#define BR_SSLKEYX_ECDH_ECDSA 4
2992
2993		#define BR_SSLENC_3DES_CBC 0
2994		#define BR_SSLENC_AES128_CBC 1
2995		#define BR_SSLENC_AES256_CBC 2
2996		#define BR_SSLENC_AES128_GCM 3
2997		#define BR_SSLENC_AES256_GCM 4
2998		#define BR_SSLENC_CHACHA20 5
2999
3000		#define BR_SSLMAC_AEAD 0
3001		#define BR_SSLMAC_SHA1 br_sha1_ID
3002		#define BR_SSLMAC_SHA256 br_sha256_ID
3003		#define BR_SSLMAC_SHA384 br_sha384_ID
3004
3005		#define BR_SSLPRF_SHA256 br_sha256_ID
3006		#define BR_SSLPRF_SHA384 br_sha384_ID
3007
3008		#endif
3009
3010		/*
3011		* Pre-declaration for the SSL server context.
3012		*/
3013		typedef struct br_ssl_server_context_ br_ssl_server_context;
3014
3015		/**
3016		* \brief Type for the server policy choices, taken after analysis of
3017		* the client message (ClientHello).
3018		*/
3019		typedef struct {
3020		/**
3021		* \brief Cipher suite to use with that client.
3022		*/
3023		uint16_t cipher_suite;
3024
3025		/**
3026		* \brief Hash function or algorithm for signing the ServerKeyExchange.
3027		*
3028		* This parameter is ignored for `TLS_RSA_` and `TLS_ECDH_`
3029		* cipher suites; it is used only for `TLS_ECDHE_*` suites, in
3030		* which the server _signs_ the ephemeral EC Diffie-Hellman
3031		* parameters sent to the client.
3032		*
3033		* This identifier must be one of the following values:
3034		*
3035		* - `0xFF00 + id`, where `id` is a hash function identifier
3036		* (0 for MD5+SHA-1, or 2 to 6 for one of the SHA functions);
3037		*
3038		* - a full 16-bit identifier, lower than `0xFF00`.
3039		*
3040		* If the first option is used, then the SSL engine will
3041		* compute the hash of the data that is to be signed, with the
3042		* designated hash function. The `do_sign()` method will be
3043		* invoked with that hash value provided in the the `data`
3044		* buffer.
3045		*
3046		* If the second option is used, then the SSL engine will NOT
3047		* compute a hash on the data; instead, it will provide the
3048		* to-be-signed data itself in `data`, i.e. the concatenation of
3049		* the client random, server random, and encoded ECDH
3050		* parameters. Furthermore, with TLS-1.2 and later, the 16-bit
3051		* identifier will be used "as is" in the protocol, in the
3052		* SignatureAndHashAlgorithm; for instance, `0x0401` stands for
3053		* RSA PKCS#1 v1.5 signature (the `01`) with SHA-256 as hash
3054		* function (the `04`).
3055		*
3056		* Take care that with TLS 1.0 and 1.1, the hash function is
3057		* constrainted by the protocol: RSA signature must use
3058		* MD5+SHA-1 (so use `0xFF00`), while ECDSA must use SHA-1
3059		* (`0xFF02`). Since TLS 1.0 and 1.1 don't include a
3060		* SignatureAndHashAlgorithm field in their ServerKeyExchange
3061		* messages, any value below `0xFF00` will be usable to send the
3062		* raw ServerKeyExchange data to the `do_sign()` callback, but
3063		* that callback must still follow the protocol requirements
3064		* when generating the signature.
3065		*/
3066		unsigned algo_id;
3067
3068		/**
3069		* \brief Certificate chain to send to the client.
3070		*
3071		* This is an array of `br_x509_certificate` objects, each
3072		* normally containing a DER-encoded certificate. The server
3073		* code does not try to decode these elements.
3074		*/
3075		const br_x509_certificate *chain;
3076
3077		/**
3078		* \brief Certificate chain length (number of certificates).
3079		*/
3080		size_t chain_len;
3081
3082		} br_ssl_server_choices;
3083
3084		/**
3085		* \brief Class type for a policy handler (server side).
3086		*
3087		* A policy handler selects the policy parameters for a connection
3088		* (cipher suite and other algorithms, and certificate chain to send to
3089		* the client); it also performs the server-side computations involving
3090		* its permanent private key.
3091		*
3092		* The SSL server engine will invoke first `choose()`, once the
3093		* ClientHello message has been received, then either `do_keyx()`
3094		* `do_sign()`, depending on the cipher suite.
3095		*/
3096		typedef struct br_ssl_server_policy_class_ br_ssl_server_policy_class;
3097		struct br_ssl_server_policy_class_ {
3098		/**
3099		* \brief Context size (in bytes).
3100		*/
3101		size_t context_size;
3102
3103		/**
3104		* \brief Select algorithms and certificates for this connection.
3105		*
3106		* This callback function shall fill the provided `choices`
3107		* structure with the policy choices for this connection. This
3108		* entails selecting the cipher suite, hash function for signing
3109		* the ServerKeyExchange (applicable only to ECDHE cipher suites),
3110		* and certificate chain to send.
3111		*
3112		* The callback receives a pointer to the server context that
3113		* contains the relevant data. In particular, the functions
3114		* `br_ssl_server_get_client_suites()`,
3115		* `br_ssl_server_get_client_hashes()` and
3116		* `br_ssl_server_get_client_curves()` can be used to obtain
3117		* the cipher suites, hash functions and elliptic curves
3118		* supported by both the client and server, respectively. The
3119		* `br_ssl_engine_get_version()` and `br_ssl_engine_get_server_name()`
3120		* functions yield the protocol version and requested server name
3121		* (SNI), respectively.
3122		*
3123		* This function may modify its context structure (`pctx`) in
3124		* arbitrary ways to keep track of its own choices.
3125		*
3126		* This function shall return 1 if appropriate policy choices
3127		* could be made, or 0 if this connection cannot be pursued.
3128		*
3129		* \param pctx policy context.
3130		* \param cc SSL server context.
3131		* \param choices destination structure for the policy choices.
3132		* \return 1 on success, 0 on error.
3133		*/
3134		int (choose)(const br_ssl_server_policy_class *pctx,
3135		const br_ssl_server_context *cc,
3136		br_ssl_server_choices *choices);
3137
3138		/**
3139		* \brief Perform key exchange (server part).
3140		*
3141		* This callback is invoked to perform the server-side cryptographic
3142		* operation for a key exchange that is not ECDHE. This callback
3143		* uses the private key.
3144		*
3145		* For RSA key exchange, the provided `data` (of length `*len`
3146		* bytes) shall be decrypted with the server's private key, and
3147		* the 48-byte premaster secret copied back to the first 48 bytes
3148		* of `data`.
3149		*
3150		* - The caller makes sure that `*len` is at least 59 bytes.
3151		*
3152		* - This callback MUST check that the provided length matches
3153		* that of the key modulus; it shall report an error otherwise.
3154		*
3155		* - If the length matches that of the RSA key modulus, then
3156		* processing MUST be constant-time, even if decryption fails,
3157		* or the padding is incorrect, or the plaintext message length
3158		* is not exactly 48 bytes.
3159		*
3160		* - This callback needs not check the two first bytes of the
3161		* obtained pre-master secret (the caller will do that).
3162		*
3163		* - If an error is reported (0), then what the callback put
3164		* in the first 48 bytes of `data` is unimportant (the caller
3165		* will use random bytes instead).
3166		*
3167		* For ECDH key exchange, the provided `data` (of length `*len`
3168		* bytes) is the elliptic curve point from the client. The
3169		* callback shall multiply it with its private key, and store
3170		* the resulting X coordinate in `data`, starting at offset 0,
3171		* and set `*len` to the length of the X coordinate.
3172		*
3173		* - If the input array does not have the proper length for
3174		* an encoded curve point, then an error (0) shall be reported.
3175		*
3176		* - If the input array has the proper length, then processing
3177		* MUST be constant-time, even if the data is not a valid
3178		* encoded point.
3179		*
3180		* - This callback MUST check that the input point is valid.
3181		*
3182		* Returned value is 1 on success, 0 on error.
3183		*
3184		* \param pctx policy context.
3185		* \param data key exchange data from the client.
3186		* \param len key exchange data length (in bytes).
3187		* \return 1 on success, 0 on error.
3188		*/
3189		uint32_t (do_keyx)(const br_ssl_server_policy_class *pctx,
3190		unsigned char data, size_t len);
3191
3192		/**
3193		* \brief Perform a signature (for a ServerKeyExchange message).
3194		*
3195		* This callback function is invoked for ECDHE cipher suites. On
3196		* input, the hash value or message to sign is in `data`, of
3197		* size `hv_len`; the involved hash function or algorithm is
3198		* identified by `algo_id`. The signature shall be computed and
3199		* written back into `data`; the total size of that buffer is
3200		* `len` bytes.
3201		*
3202		* This callback shall verify that the signature length does not
3203		* exceed `len` bytes, and abstain from writing the signature if
3204		* it does not fit.
3205		*
3206		* The `algo_id` value matches that which was written in the
3207		* `choices` structures by the `choose()` callback. This will be
3208		* one of the following:
3209		*
3210		* - `0xFF00 + id` for a hash function identifier `id`. In
3211		* that case, the `data` buffer contains a hash value
3212		* already computed over the data that is to be signed,
3213		* of length `hv_len`. The `id` may be 0 to designate the
3214		* special MD5+SHA-1 concatenation (old-style RSA signing).
3215		*
3216		* - Another value, lower than `0xFF00`. The `data` buffer
3217		* then contains the raw, non-hashed data to be signed
3218		* (concatenation of the client and server randoms and
3219		* ECDH parameters). The callback is responsible to apply
3220		* any relevant hashing as part of the signing process.
3221		*
3222		* Returned value is the signature length (in bytes), or 0 on error.
3223		*
3224		* \param pctx policy context.
3225		* \param algo_id hash function / algorithm identifier.
3226		* \param data input/output buffer (message/hash, then signature).
3227		* \param hv_len hash value or message length (in bytes).
3228		* \param len total buffer length (in bytes).
3229		* \return signature length (in bytes) on success, or 0 on error.
3230		*/
3231		size_t (do_sign)(const br_ssl_server_policy_class *pctx,
3232		unsigned algo_id,
3233		unsigned char *data, size_t hv_len, size_t len);
3234		};
3235
3236		/**
3237		* \brief A single-chain RSA policy handler.
3238		*
3239		* This policy context uses a single certificate chain, and a RSA
3240		* private key. The context can be restricted to only signatures or
3241		* only key exchange.
3242		*
3243		* Apart from the first field (vtable pointer), its contents are
3244		* opaque and shall not be accessed directly.
3245		*/
3246		typedef struct {
3247		/** \brief Pointer to vtable. */
3248		const br_ssl_server_policy_class *vtable;
3249		#ifndef BR_DOXYGEN_IGNORE
3250		const br_x509_certificate *chain;
3251		size_t chain_len;
3252		const br_rsa_private_key *sk;
3253		unsigned allowed_usages;
3254		br_rsa_private irsacore;
3255		br_rsa_pkcs1_sign irsasign;
3256		#endif
3257		} br_ssl_server_policy_rsa_context;
3258
3259		/**
3260		* \brief A single-chain EC policy handler.
3261		*
3262		* This policy context uses a single certificate chain, and an EC
3263		* private key. The context can be restricted to only signatures or
3264		* only key exchange.
3265		*
3266		* Due to how TLS is defined, this context must be made aware whether
3267		* the server certificate was itself signed with RSA or ECDSA. The code
3268		* does not try to decode the certificate to obtain that information.
3269		*
3270		* Apart from the first field (vtable pointer), its contents are
3271		* opaque and shall not be accessed directly.
3272		*/
3273		typedef struct {
3274		/** \brief Pointer to vtable. */
3275		const br_ssl_server_policy_class *vtable;
3276		#ifndef BR_DOXYGEN_IGNORE
3277		const br_x509_certificate *chain;
3278		size_t chain_len;
3279		const br_ec_private_key *sk;
3280		unsigned allowed_usages;
3281		unsigned cert_issuer_key_type;
3282		const br_multihash_context *mhash;
3283		const br_ec_impl *iec;
3284		br_ecdsa_sign iecdsa;
3285		#endif
3286		} br_ssl_server_policy_ec_context;
3287
3288		/**
3289		* \brief Class type for a session parameter cache.
3290		*
3291		* Session parameters are saved in the cache with `save()`, and
3292		* retrieved with `load()`. The cache implementation can apply any
3293		* storage and eviction strategy that it sees fit. The SSL server
3294		* context that performs the request is provided, so that its
3295		* functionalities may be used by the implementation (e.g. hash
3296		* functions or random number generation).
3297		*/
3298		typedef struct br_ssl_session_cache_class_ br_ssl_session_cache_class;
3299		struct br_ssl_session_cache_class_ {
3300		/**
3301		* \brief Context size (in bytes).
3302		*/
3303		size_t context_size;
3304
3305		/**
3306		* \brief Record a session.
3307		*
3308		* This callback should record the provided session parameters.
3309		* The `params` structure is transient, so its contents shall
3310		* be copied into the cache. The session ID has been randomly
3311		* generated and always has length exactly 32 bytes.
3312		*
3313		* \param ctx session cache context.
3314		* \param server_ctx SSL server context.
3315		* \param params session parameters to save.
3316		*/
3317		void (save)(const br_ssl_session_cache_class *ctx,
3318		br_ssl_server_context *server_ctx,
3319		const br_ssl_session_parameters *params);
3320
3321		/**
3322		* \brief Lookup a session in the cache.
3323		*
3324		* The session ID to lookup is in `params` and always has length
3325		* exactly 32 bytes. If the session parameters are found in the
3326		* cache, then the parameters shall be copied into the `params`
3327		* structure. Returned value is 1 on successful lookup, 0
3328		* otherwise.
3329		*
3330		* \param ctx session cache context.
3331		* \param server_ctx SSL server context.
3332		* \param params destination for session parameters.
3333		* \return 1 if found, 0 otherwise.
3334		*/
3335		int (load)(const br_ssl_session_cache_class *ctx,
3336		br_ssl_server_context *server_ctx,
3337		br_ssl_session_parameters *params);
3338		};
3339
3340		/**
3341		* \brief Context for a basic cache system.
3342		*
3343		* The system stores session parameters in a buffer provided at
3344		* initialisation time. Each entry uses exactly 100 bytes, and
3345		* buffer sizes up to 4294967295 bytes are supported.
3346		*
3347		* Entries are evicted with a LRU (Least Recently Used) policy. A
3348		* search tree is maintained to keep lookups fast even with large
3349		* caches.
3350		*
3351		* Apart from the first field (vtable pointer), the structure
3352		* contents are opaque and shall not be accessed directly.
3353		*/
3354		typedef struct {
3355		/** \brief Pointer to vtable. */
3356		const br_ssl_session_cache_class *vtable;
3357		#ifndef BR_DOXYGEN_IGNORE
3358		unsigned char *store;
3359		size_t store_len, store_ptr;
3360		unsigned char index_key[32];
3361		const br_hash_class *hash;
3362		int init_done;
3363		uint32_t head, tail, root;
3364		#endif
3365		} br_ssl_session_cache_lru;
3366
3367		/**
3368		* \brief Initialise a LRU session cache with the provided storage space.
3369		*
3370		* The provided storage space must remain valid as long as the cache
3371		* is used. Arbitrary lengths are supported, up to 4294967295 bytes;
3372		* each entry uses up exactly 100 bytes.
3373		*
3374		* \param cc session cache context.
3375		* \param store storage space for cached entries.
3376		* \param store_len storage space length (in bytes).
3377		*/
3378		void br_ssl_session_cache_lru_init(br_ssl_session_cache_lru *cc,
3379		unsigned char *store, size_t store_len);
3380
3381		/**
3382		* \brief Forget an entry in an LRU session cache.
3383		*
3384		* The session cache context must have been initialised. The entry
3385		* with the provided session ID (of exactly 32 bytes) is looked for
3386		* in the cache; if located, it is disabled.
3387		*
3388		* \param cc session cache context.
3389		* \param id session ID to forget.
3390		*/
3391		void br_ssl_session_cache_lru_forget(
3392		br_ssl_session_cache_lru cc, const unsigned char id);
3393
3394		/**
3395		* \brief Context structure for a SSL server.
3396		*
3397		* The first field (called `eng`) is the SSL engine; all functions that
3398		* work on a `br_ssl_engine_context` structure shall take as parameter
3399		* a pointer to that field. The other structure fields are opaque and
3400		* must not be accessed directly.
3401		*/
3402		struct br_ssl_server_context_ {
3403		/**
3404		* \brief The encapsulated engine context.
3405		*/
3406		br_ssl_engine_context eng;
3407
3408		#ifndef BR_DOXYGEN_IGNORE
3409		/*
3410		* Maximum version from the client.
3411		*/
3412		uint16_t client_max_version;
3413
3414		/*
3415		* Session cache.
3416		*/
3417		const br_ssl_session_cache_class **cache_vtable;
3418
3419		/*
3420		* Translated cipher suites supported by the client. The list
3421		* is trimmed to include only the cipher suites that the
3422		* server also supports; they are in the same order as in the
3423		* client message.
3424		*/
3425		br_suite_translated client_suites[BR_MAX_CIPHER_SUITES];
3426		unsigned char client_suites_num;
3427
3428		/*
3429		* Hash functions supported by the client, with ECDSA and RSA
3430		* (bit mask). For hash function with id 'x', set bit index is
3431		* x for RSA, x+8 for ECDSA. For newer algorithms, with ID
3432		* 0x08**, bit 16+k is set for algorithm 0x0800+k.
3433		*/
3434		uint32_t hashes;
3435
3436		/*
3437		* Curves supported by the client (bit mask, for named curves).
3438		*/
3439		uint32_t curves;
3440
3441		/*
3442		* Context for chain handler.
3443		*/
3444		const br_ssl_server_policy_class **policy_vtable;
3445		uint16_t sign_hash_id;
3446
3447		/*
3448		* For the core handlers, thus avoiding (in most cases) the
3449		* need for an externally provided policy context.
3450		*/
3451		union {
3452		const br_ssl_server_policy_class *vtable;
3453		br_ssl_server_policy_rsa_context single_rsa;
3454		br_ssl_server_policy_ec_context single_ec;
3455		} chain_handler;
3456
3457		/*
3458		* Buffer for the ECDHE private key.
3459		*/
3460		unsigned char ecdhe_key[70];
3461		size_t ecdhe_key_len;
3462
3463		/*
3464		* Trust anchor names for client authentication. "ta_names" and
3465		* "tas" cannot be both non-NULL.
3466		*/
3467		const br_x500_name *ta_names;
3468		const br_x509_trust_anchor *tas;
3469		size_t num_tas;
3470		size_t cur_dn_index;
3471		const unsigned char *cur_dn;
3472		size_t cur_dn_len;
3473
3474		/*
3475		* Buffer for the hash value computed over all handshake messages
3476		* prior to CertificateVerify, and identifier for the hash function.
3477		*/
3478		unsigned char hash_CV[64];
3479		size_t hash_CV_len;
3480		int hash_CV_id;
3481
3482		/*
3483		* Server-specific implementations.
3484		* (none for now)
3485		*/
3486		#endif
3487		};
3488
3489		/*
3490		* Each br_ssl_server_init_xxx() function sets the list of supported
3491		* cipher suites and used implementations, as specified by the profile
3492		* name 'xxx'. Defined profile names are:
3493		*
3494		* full_rsa all supported algorithm, server key type is RSA
3495		* full_ec all supported algorithm, server key type is EC
3496		* TODO: add other profiles
3497		*
3498		* Naming scheme for "minimal" profiles: min123
3499		*
3500		* -- character 1: key exchange
3501		* r = RSA
3502		* e = ECDHE_RSA
3503		* f = ECDHE_ECDSA
3504		* u = ECDH_RSA
3505		* v = ECDH_ECDSA
3506		* -- character 2: version / PRF
3507		* 0 = TLS 1.0 / 1.1 with MD5+SHA-1
3508		* 2 = TLS 1.2 with SHA-256
3509		* 3 = TLS 1.2 with SHA-384
3510		* -- character 3: encryption
3511		* a = AES/CBC
3512		* d = 3DES/CBC
3513		* g = AES/GCM
3514		* c = ChaCha20+Poly1305
3515		*/
3516
3517		/**
3518		* \brief SSL server profile: full_rsa.
3519		*
3520		* This function initialises the provided SSL server context with
3521		* all supported algorithms and cipher suites that rely on a RSA
3522		* key pair.
3523		*
3524		* \param cc server context to initialise.
3525		* \param chain server certificate chain.
3526		* \param chain_len certificate chain length (number of certificate).
3527		* \param sk RSA private key.
3528		*/
3529		void br_ssl_server_init_full_rsa(br_ssl_server_context *cc,
3530		const br_x509_certificate *chain, size_t chain_len,
3531		const br_rsa_private_key *sk);
3532
3533		/**
3534		* \brief SSL server profile: full_ec.
3535		*
3536		* This function initialises the provided SSL server context with
3537		* all supported algorithms and cipher suites that rely on an EC
3538		* key pair.
3539		*
3540		* The key type of the CA that issued the server's certificate must
3541		* be provided, since it matters for ECDH cipher suites (ECDH_RSA
3542		* suites require a RSA-powered CA). The key type is either
3543		* `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`.
3544		*
3545		* \param cc server context to initialise.
3546		* \param chain server certificate chain.
3547		* \param chain_len chain length (number of certificates).
3548		* \param cert_issuer_key_type certificate issuer's key type.
3549		* \param sk EC private key.
3550		*/
3551		void br_ssl_server_init_full_ec(br_ssl_server_context *cc,
3552		const br_x509_certificate *chain, size_t chain_len,
3553		unsigned cert_issuer_key_type, const br_ec_private_key *sk);
3554
3555		/**
3556		* \brief SSL server profile: minr2g.
3557		*
3558		* This profile uses only TLS_RSA_WITH_AES_128_GCM_SHA256. Server key is
3559		* RSA, and RSA key exchange is used (not forward secure, but uses little
3560		* CPU in the client).
3561		*
3562		* \param cc server context to initialise.
3563		* \param chain server certificate chain.
3564		* \param chain_len certificate chain length (number of certificate).
3565		* \param sk RSA private key.
3566		*/
3567		void br_ssl_server_init_minr2g(br_ssl_server_context *cc,
3568		const br_x509_certificate *chain, size_t chain_len,
3569		const br_rsa_private_key *sk);
3570
3571		/**
3572		* \brief SSL server profile: mine2g.
3573		*
3574		* This profile uses only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Server key
3575		* is RSA, and ECDHE key exchange is used. This suite provides forward
3576		* security, with a higher CPU expense on the client, and a somewhat
3577		* larger code footprint (compared to "minr2g").
3578		*
3579		* \param cc server context to initialise.
3580		* \param chain server certificate chain.
3581		* \param chain_len certificate chain length (number of certificate).
3582		* \param sk RSA private key.
3583		*/
3584		void br_ssl_server_init_mine2g(br_ssl_server_context *cc,
3585		const br_x509_certificate *chain, size_t chain_len,
3586		const br_rsa_private_key *sk);
3587
3588		/**
3589		* \brief SSL server profile: minf2g.
3590		*
3591		* This profile uses only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
3592		* Server key is EC, and ECDHE key exchange is used. This suite provides
3593		* forward security, with a higher CPU expense on the client and server
3594		* (by a factor of about 3 to 4), and a somewhat larger code footprint
3595		* (compared to "minu2g" and "minv2g").
3596		*
3597		* \param cc server context to initialise.
3598		* \param chain server certificate chain.
3599		* \param chain_len certificate chain length (number of certificate).
3600		* \param sk EC private key.
3601		*/
3602		void br_ssl_server_init_minf2g(br_ssl_server_context *cc,
3603		const br_x509_certificate *chain, size_t chain_len,
3604		const br_ec_private_key *sk);
3605
3606		/**
3607		* \brief SSL server profile: minu2g.
3608		*
3609		* This profile uses only TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256.
3610		* Server key is EC, and ECDH key exchange is used; the issuing CA used
3611		* a RSA key.
3612		*
3613		* The "minu2g" and "minv2g" profiles do not provide forward secrecy,
3614		* but are the lightest on the server (for CPU usage), and are rather
3615		* inexpensive on the client as well.
3616		*
3617		* \param cc server context to initialise.
3618		* \param chain server certificate chain.
3619		* \param chain_len certificate chain length (number of certificate).
3620		* \param sk EC private key.
3621		*/
3622		void br_ssl_server_init_minu2g(br_ssl_server_context *cc,
3623		const br_x509_certificate *chain, size_t chain_len,
3624		const br_ec_private_key *sk);
3625
3626		/**
3627		* \brief SSL server profile: minv2g.
3628		*
3629		* This profile uses only TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256.
3630		* Server key is EC, and ECDH key exchange is used; the issuing CA used
3631		* an EC key.
3632		*
3633		* The "minu2g" and "minv2g" profiles do not provide forward secrecy,
3634		* but are the lightest on the server (for CPU usage), and are rather
3635		* inexpensive on the client as well.
3636		*
3637		* \param cc server context to initialise.
3638		* \param chain server certificate chain.
3639		* \param chain_len certificate chain length (number of certificate).
3640		* \param sk EC private key.
3641		*/
3642		void br_ssl_server_init_minv2g(br_ssl_server_context *cc,
3643		const br_x509_certificate *chain, size_t chain_len,
3644		const br_ec_private_key *sk);
3645
3646		/**
3647		* \brief SSL server profile: mine2c.
3648		*
3649		* This profile uses only TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
3650		* Server key is RSA, and ECDHE key exchange is used. This suite
3651		* provides forward security.
3652		*
3653		* \param cc server context to initialise.
3654		* \param chain server certificate chain.
3655		* \param chain_len certificate chain length (number of certificate).
3656		* \param sk RSA private key.
3657		*/
3658		void br_ssl_server_init_mine2c(br_ssl_server_context *cc,
3659		const br_x509_certificate *chain, size_t chain_len,
3660		const br_rsa_private_key *sk);
3661
3662		/**
3663		* \brief SSL server profile: minf2c.
3664		*
3665		* This profile uses only TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.
3666		* Server key is EC, and ECDHE key exchange is used. This suite provides
3667		* forward security.
3668		*
3669		* \param cc server context to initialise.
3670		* \param chain server certificate chain.
3671		* \param chain_len certificate chain length (number of certificate).
3672		* \param sk EC private key.
3673		*/
3674		void br_ssl_server_init_minf2c(br_ssl_server_context *cc,
3675		const br_x509_certificate *chain, size_t chain_len,
3676		const br_ec_private_key *sk);
3677
3678		/**
3679		* \brief Get the supported client suites.
3680		*
3681		* This function shall be called only after the ClientHello has been
3682		* processed, typically from the policy engine. The returned array
3683		* contains the cipher suites that are supported by both the client
3684		* and the server; these suites are in client preference order, unless
3685		* the `BR_OPT_ENFORCE_SERVER_PREFERENCES` flag was set, in which case
3686		* they are in server preference order.
3687		*
3688		* The suites are _translated_, which means that each suite is given
3689		* as two 16-bit integers: the standard suite identifier, and its
3690		* translated version, broken down into its individual components,
3691		* as explained with the `br_suite_translated` type.
3692		*
3693		* The returned array is allocated in the context and will be rewritten
3694		* by each handshake.
3695		*
3696		* \param cc server context.
3697		* \param num receives the array size (number of suites).
3698		* \return the translated common cipher suites, in preference order.
3699		*/
3700		static inline const br_suite_translated *
3701	0	br_ssl_server_get_client_suites(const br_ssl_server_context cc, size_t num)
3702		{
3703	0	*num = cc->client_suites_num;
3704	0	return cc->client_suites;
3705		}
3706
3707		/**
3708		* \brief Get the hash functions and signature algorithms supported by
3709		* the client.
3710		*
3711		* This value is a bit field:
3712		*
3713		* - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`,
3714		* then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
3715		* or 2 to 6 for the SHA family).
3716		*
3717		* - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
3718		* is set.
3719		*
3720		* - Newer algorithms are symbolic 16-bit identifiers that do not
3721		* represent signature algorithm and hash function separately. If
3722		* the TLS-level identifier is `0x0800+x` for a `x` in the 0..15
3723		* range, then bit `16+x` is set.
3724		*
3725		* "New algorithms" are currently defined only in draft documents, so
3726		* this support is subject to possible change. Right now (early 2017),
3727		* this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA
3728		* on Curve448) to bit 24. If the identifiers on the wire change in
3729		* future document, then the decoding mechanism in BearSSL will be
3730		* amended to keep mapping ed25519 and ed448 on bits 23 and 24,
3731		* respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not
3732		* guaranteed yet.
3733		*
3734		* \param cc server context.
3735		* \return the client-supported hash functions and signature algorithms.
3736		*/
3737		static inline uint32_t
3738		br_ssl_server_get_client_hashes(const br_ssl_server_context *cc)
3739		{
3740		return cc->hashes;
3741		}
3742
3743		/**
3744		* \brief Get the elliptic curves supported by the client.
3745		*
3746		* This is a bit field (bit x is set if curve of ID x is supported).
3747		*
3748		* \param cc server context.
3749		* \return the client-supported elliptic curves.
3750		*/
3751		static inline uint32_t
3752		br_ssl_server_get_client_curves(const br_ssl_server_context *cc)
3753		{
3754		return cc->curves;
3755		}
3756
3757		/**
3758		* \brief Clear the complete contents of a SSL server context.
3759		*
3760		* Everything is cleared, including the reference to the configured buffer,
3761		* implementations, cipher suites and state. This is a preparatory step
3762		* to assembling a custom profile.
3763		*
3764		* \param cc server context to clear.
3765		*/
3766		void br_ssl_server_zero(br_ssl_server_context *cc);
3767
3768		/**
3769		* \brief Set an externally provided policy context.
3770		*
3771		* The policy context's methods are invoked to decide the cipher suite
3772		* and certificate chain, and to perform operations involving the server's
3773		* private key.
3774		*
3775		* \param cc server context.
3776		* \param pctx policy context (pointer to its vtable field).
3777		*/
3778		static inline void
3779		br_ssl_server_set_policy(br_ssl_server_context *cc,
3780		const br_ssl_server_policy_class **pctx)
3781		{
3782		cc->policy_vtable = pctx;
3783		}
3784
3785		/**
3786		* \brief Set the server certificate chain and key (single RSA case).
3787		*
3788		* This function uses a policy context included in the server context.
3789		* It configures use of a single server certificate chain with a RSA
3790		* private key. The `allowed_usages` is a combination of usages, namely
3791		* `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables
3792		* the corresponding cipher suites (i.e. `TLS_RSA_*` use the RSA key for
3793		* key exchange, while `TLS_ECDHE_RSA_*` use the RSA key for signatures).
3794		*
3795		* \param cc server context.
3796		* \param chain server certificate chain to send to the client.
3797		* \param chain_len chain length (number of certificates).
3798		* \param sk server private key (RSA).
3799		* \param allowed_usages allowed private key usages.
3800		* \param irsacore RSA core implementation.
3801		* \param irsasign RSA signature implementation (PKCS#1 v1.5).
3802		*/
3803		void br_ssl_server_set_single_rsa(br_ssl_server_context *cc,
3804		const br_x509_certificate *chain, size_t chain_len,
3805		const br_rsa_private_key *sk, unsigned allowed_usages,
3806		br_rsa_private irsacore, br_rsa_pkcs1_sign irsasign);
3807
3808		/**
3809		* \brief Set the server certificate chain and key (single EC case).
3810		*
3811		* This function uses a policy context included in the server context.
3812		* It configures use of a single server certificate chain with an EC
3813		* private key. The `allowed_usages` is a combination of usages, namely
3814		* `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables
3815		* the corresponding cipher suites (i.e. `TLS_ECDH_*` use the EC key for
3816		* key exchange, while `TLS_ECDHE_ECDSA_*` use the EC key for signatures).
3817		*
3818		* In order to support `TLS_ECDH_*` cipher suites (non-ephemeral ECDH),
3819		* the algorithm type of the key used by the issuing CA to sign the
3820		* server's certificate must be provided, as `cert_issuer_key_type`
3821		* parameter (this value is either `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`).
3822		*
3823		* \param cc server context.
3824		* \param chain server certificate chain to send.
3825		* \param chain_len chain length (number of certificates).
3826		* \param sk server private key (EC).
3827		* \param allowed_usages allowed private key usages.
3828		* \param cert_issuer_key_type issuing CA's key type.
3829		* \param iec EC core implementation.
3830		* \param iecdsa ECDSA signature implementation ("asn1" format).
3831		*/
3832		void br_ssl_server_set_single_ec(br_ssl_server_context *cc,
3833		const br_x509_certificate *chain, size_t chain_len,
3834		const br_ec_private_key *sk, unsigned allowed_usages,
3835		unsigned cert_issuer_key_type,
3836		const br_ec_impl *iec, br_ecdsa_sign iecdsa);
3837
3838		/**
3839		* \brief Activate client certificate authentication.
3840		*
3841		* The trust anchor encoded X.500 names (DN) to send to the client are
3842		* provided. A client certificate will be requested and validated through
3843		* the X.509 validator configured in the SSL engine. If `num` is 0, then
3844		* client certificate authentication is disabled.
3845		*
3846		* If the client does not send a certificate, or on validation failure,
3847		* the handshake aborts. Unauthenticated clients can be tolerated by
3848		* setting the `BR_OPT_TOLERATE_NO_CLIENT_AUTH` flag.
3849		*
3850		* The provided array is linked in, not copied, so that pointer must
3851		* remain valid as long as anchor names may be used.
3852		*
3853		* \param cc server context.
3854		* \param ta_names encoded trust anchor names.
3855		* \param num number of encoded trust anchor names.
3856		*/
3857		static inline void
3858		br_ssl_server_set_trust_anchor_names(br_ssl_server_context *cc,
3859		const br_x500_name *ta_names, size_t num)
3860		{
3861		cc->ta_names = ta_names;
3862		cc->tas = NULL;
3863		cc->num_tas = num;
3864		}
3865
3866		/**
3867		* \brief Activate client certificate authentication.
3868		*
3869		* This is a variant for `br_ssl_server_set_trust_anchor_names()`: the
3870		* trust anchor names are provided not as an array of stand-alone names
3871		* (`br_x500_name` structures), but as an array of trust anchors
3872		* (`br_x509_trust_anchor` structures). The server engine itself will
3873		* only use the `dn` field of each trust anchor. This is meant to allow
3874		* defining a single array of trust anchors, to be used here and in the
3875		* X.509 validation engine itself.
3876		*
3877		* The provided array is linked in, not copied, so that pointer must
3878		* remain valid as long as anchor names may be used.
3879		*
3880		* \param cc server context.
3881		* \param tas trust anchors (only names are used).
3882		* \param num number of trust anchors.
3883		*/
3884		static inline void
3885		br_ssl_server_set_trust_anchor_names_alt(br_ssl_server_context *cc,
3886		const br_x509_trust_anchor *tas, size_t num)
3887		{
3888		cc->ta_names = NULL;
3889		cc->tas = tas;
3890		cc->num_tas = num;
3891		}
3892
3893		/**
3894		* \brief Configure the cache for session parameters.
3895		*
3896		* The cache context is provided as a pointer to its first field (vtable
3897		* pointer).
3898		*
3899		* \param cc server context.
3900		* \param vtable session cache context.
3901		*/
3902		static inline void
3903		br_ssl_server_set_cache(br_ssl_server_context *cc,
3904		const br_ssl_session_cache_class **vtable)
3905		{
3906		cc->cache_vtable = vtable;
3907		}
3908
3909		/**
3910		* \brief Prepare or reset a server context for handling an incoming client.
3911		*
3912		* \param cc server context.
3913		* \return 1 on success, 0 on error.
3914		*/
3915		int br_ssl_server_reset(br_ssl_server_context *cc);
3916
3917		/* ===================================================================== */
3918
3919		/*
3920		* Context for the simplified I/O context. The transport medium is accessed
3921		* through the low_read() and low_write() callback functions, each with
3922		* its own opaque context pointer.
3923		*
3924		* low_read() read some bytes, at most 'len' bytes, into data[]. The
3925		* returned value is the number of read bytes, or -1 on error.
3926		* The 'len' parameter is guaranteed never to exceed 20000,
3927		* so the length always fits in an 'int' on all platforms.
3928		*
3929		* low_write() write up to 'len' bytes, to be read from data[]. The
3930		* returned value is the number of written bytes, or -1 on
3931		* error. The 'len' parameter is guaranteed never to exceed
3932		* 20000, so the length always fits in an 'int' on all
3933		* parameters.
3934		*
3935		* A socket closure (if the transport medium is a socket) should be reported
3936		* as an error (-1). The callbacks shall endeavour to block until at least
3937		* one byte can be read or written; a callback returning 0 at times is
3938		* acceptable, but this normally leads to the callback being immediately
3939		* called again, so the callback should at least always try to block for
3940		* some time if no I/O can take place.
3941		*
3942		* The SSL engine naturally applies some buffering, so the callbacks need
3943		* not apply buffers of their own.
3944		*/
3945		/**
3946		* \brief Context structure for the simplified SSL I/O wrapper.
3947		*
3948		* This structure is initialised with `br_sslio_init()`. Its contents
3949		* are opaque and shall not be accessed directly.
3950		*/
3951		typedef struct {
3952		#ifndef BR_DOXYGEN_IGNORE
3953		br_ssl_engine_context *engine;
3954		int (low_read)(void read_context,
3955		unsigned char *data, size_t len);
3956		void *read_context;
3957		int (low_write)(void write_context,
3958		const unsigned char *data, size_t len);
3959		void *write_context;
3960		#endif
3961		} br_sslio_context;
3962
3963		/**
3964		* \brief Initialise a simplified I/O wrapper context.
3965		*
3966		* The simplified I/O wrapper offers a simpler read/write API for a SSL
3967		* engine (client or server), using the provided callback functions for
3968		* reading data from, or writing data to, the transport medium.
3969		*
3970		* The callback functions have the following semantics:
3971		*
3972		* - Each callback receives an opaque context value (of type `void *`)
3973		* that the callback may use arbitrarily (or possibly ignore).
3974		*
3975		* - `low_read()` reads at least one byte, at most `len` bytes, from
3976		* the transport medium. Read bytes shall be written in `data`.
3977		*
3978		* - `low_write()` writes at least one byte, at most `len` bytes, unto
3979		* the transport medium. The bytes to write are read from `data`.
3980		*
3981		* - The `len` parameter is never zero, and is always lower than 20000.
3982		*
3983		* - The number of processed bytes (read or written) is returned. Since
3984		* that number is less than 20000, it always fits on an `int`.
3985		*
3986		* - On error, the callbacks return -1. Reaching end-of-stream is an
3987		* error. Errors are permanent: the SSL connection is terminated.
3988		*
3989		* - Callbacks SHOULD NOT return 0. This is tolerated, as long as
3990		* callbacks endeavour to block for some non-negligible amount of
3991		* time until at least one byte can be sent or received (if a
3992		* callback returns 0, then the wrapper invokes it again
3993		* immediately).
3994		*
3995		* - Callbacks MAY return as soon as at least one byte is processed;
3996		* they MAY also insist on reading or writing _all_ requested bytes.
3997		* Since SSL is a self-terminated protocol (each record has a length
3998		* header), this does not change semantics.
3999		*
4000		* - Callbacks need not apply any buffering (for performance) since SSL
4001		* itself uses buffers.
4002		*
4003		* \param ctx wrapper context to initialise.
4004		* \param engine SSL engine to wrap.
4005		* \param low_read callback for reading data from the transport.
4006		* \param read_context context pointer for `low_read()`.
4007		* \param low_write callback for writing data on the transport.
4008		* \param write_context context pointer for `low_write()`.
4009		*/
4010		void br_sslio_init(br_sslio_context *ctx,
4011		br_ssl_engine_context *engine,
4012		int (low_read)(void read_context,
4013		unsigned char *data, size_t len),
4014		void *read_context,
4015		int (low_write)(void write_context,
4016		const unsigned char *data, size_t len),
4017		void *write_context);
4018
4019		/**
4020		* \brief Read some application data from a SSL connection.
4021		*
4022		* If `len` is zero, then this function returns 0 immediately. In
4023		* all other cases, it never returns 0.
4024		*
4025		* This call returns only when at least one byte has been obtained.
4026		* Returned value is the number of bytes read, or -1 on error. The
4027		* number of bytes always fits on an 'int' (data from a single SSL/TLS
4028		* record is returned).
4029		*
4030		* On error or SSL closure, this function returns -1. The caller should
4031		* inspect the error status on the SSL engine to distinguish between
4032		* normal closure and error.
4033		*
4034		* \param cc SSL wrapper context.
4035		* \param dst destination buffer for application data.
4036		* \param len maximum number of bytes to obtain.
4037		* \return number of bytes obtained, or -1 on error.
4038		*/
4039		int br_sslio_read(br_sslio_context cc, void dst, size_t len);
4040
4041		/**
4042		* \brief Read application data from a SSL connection.
4043		*
4044		* This calls returns only when _all_ requested `len` bytes are read,
4045		* or an error is reached. Returned value is 0 on success, -1 on error.
4046		* A normal (verified) SSL closure before that many bytes are obtained
4047		* is reported as an error by this function.
4048		*
4049		* \param cc SSL wrapper context.
4050		* \param dst destination buffer for application data.
4051		* \param len number of bytes to obtain.
4052		* \return 0 on success, or -1 on error.
4053		*/
4054		int br_sslio_read_all(br_sslio_context cc, void dst, size_t len);
4055
4056		/**
4057		* \brief Write some application data unto a SSL connection.
4058		*
4059		* If `len` is zero, then this function returns 0 immediately. In
4060		* all other cases, it never returns 0.
4061		*
4062		* This call returns only when at least one byte has been written.
4063		* Returned value is the number of bytes written, or -1 on error. The
4064		* number of bytes always fits on an 'int' (less than 20000).
4065		*
4066		* On error or SSL closure, this function returns -1. The caller should
4067		* inspect the error status on the SSL engine to distinguish between
4068		* normal closure and error.
4069		*
4070		* Important: SSL is buffered; a "written" byte is a byte that was
4071		* injected into the wrapped SSL engine, but this does not necessarily mean
4072		* that it has been scheduled for sending. Use `br_sslio_flush()` to
4073		* ensure that all pending data has been sent to the transport medium.
4074		*
4075		* \param cc SSL wrapper context.
4076		* \param src source buffer for application data.
4077		* \param len maximum number of bytes to write.
4078		* \return number of bytes written, or -1 on error.
4079		*/
4080		int br_sslio_write(br_sslio_context cc, const void src, size_t len);
4081
4082		/**
4083		* \brief Write application data unto a SSL connection.
4084		*
4085		* This calls returns only when _all_ requested `len` bytes have been
4086		* written, or an error is reached. Returned value is 0 on success, -1
4087		* on error. A normal (verified) SSL closure before that many bytes are
4088		* written is reported as an error by this function.
4089		*
4090		* Important: SSL is buffered; a "written" byte is a byte that was
4091		* injected into the wrapped SSL engine, but this does not necessarily mean
4092		* that it has been scheduled for sending. Use `br_sslio_flush()` to
4093		* ensure that all pending data has been sent to the transport medium.
4094		*
4095		* \param cc SSL wrapper context.
4096		* \param src source buffer for application data.
4097		* \param len number of bytes to write.
4098		* \return 0 on success, or -1 on error.
4099		*/
4100		int br_sslio_write_all(br_sslio_context cc, const void src, size_t len);
4101
4102		/**
4103		* \brief Flush pending data.
4104		*
4105		* This call makes sure that any buffered application data in the
4106		* provided context (including the wrapped SSL engine) has been sent
4107		* to the transport medium (i.e. accepted by the `low_write()` callback
4108		* method). If there is no such pending data, then this function does
4109		* nothing (and returns a success, i.e. 0).
4110		*
4111		* If the underlying transport medium has its own buffers, then it is
4112		* up to the caller to ensure the corresponding flushing.
4113		*
4114		* Returned value is 0 on success, -1 on error.
4115		*
4116		* \param cc SSL wrapper context.
4117		* \return 0 on success, or -1 on error.
4118		*/
4119		int br_sslio_flush(br_sslio_context *cc);
4120
4121		/**
4122		* \brief Close the SSL connection.
4123		*
4124		* This call runs the SSL closure protocol (sending a `close_notify`,
4125		* receiving the response `close_notify`). When it returns, the SSL
4126		* connection is finished. It is still up to the caller to manage the
4127		* possible transport-level termination, if applicable (alternatively,
4128		* the underlying transport stream may be reused for non-SSL messages).
4129		*
4130		* Returned value is 0 on success, -1 on error. A failure by the peer
4131		* to process the complete closure protocol (i.e. sending back the
4132		* `close_notify`) is an error.
4133		*
4134		* \param cc SSL wrapper context.
4135		* \return 0 on success, or -1 on error.
4136		*/
4137		int br_sslio_close(br_sslio_context *cc);
4138
4139		/* ===================================================================== */
4140
4141		/*
4142		* Symbolic constants for cipher suites.
4143		*/
4144
4145		/* From RFC 5246 */
4146		#define BR_TLS_NULL_WITH_NULL_NULL 0x0000
4147		#define BR_TLS_RSA_WITH_NULL_MD5 0x0001
4148		#define BR_TLS_RSA_WITH_NULL_SHA 0x0002
4149		#define BR_TLS_RSA_WITH_NULL_SHA256 0x003B
4150		#define BR_TLS_RSA_WITH_RC4_128_MD5 0x0004
4151		#define BR_TLS_RSA_WITH_RC4_128_SHA 0x0005
4152		#define BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A
4153		#define BR_TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
4154		#define BR_TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
4155		#define BR_TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
4156		#define BR_TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
4157		#define BR_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D
4158		#define BR_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010
4159		#define BR_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013
4160		#define BR_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
4161		#define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030
4162		#define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031
4163		#define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032
4164		#define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
4165		#define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036
4166		#define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037
4167		#define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038
4168		#define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
4169		#define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E
4170		#define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F
4171		#define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040
4172		#define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
4173		#define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068
4174		#define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069
4175		#define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A
4176		#define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
4177		#define BR_TLS_DH_anon_WITH_RC4_128_MD5 0x0018
4178		#define BR_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B
4179		#define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034
4180		#define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A
4181		#define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C
4182		#define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D
4183
4184		/* From RFC 4492 */
4185		#define BR_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001
4186		#define BR_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002
4187		#define BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003
4188		#define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
4189		#define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
4190		#define BR_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006
4191		#define BR_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007
4192		#define BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008
4193		#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
4194		#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
4195		#define BR_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B
4196		#define BR_TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C
4197		#define BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D
4198		#define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
4199		#define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
4200		#define BR_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010
4201		#define BR_TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011
4202		#define BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
4203		#define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
4204		#define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
4205		#define BR_TLS_ECDH_anon_WITH_NULL_SHA 0xC015
4206		#define BR_TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016
4207		#define BR_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017
4208		#define BR_TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
4209		#define BR_TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
4210
4211		/* From RFC 5288 */
4212		#define BR_TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
4213		#define BR_TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
4214		#define BR_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
4215		#define BR_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
4216		#define BR_TLS_DH_RSA_WITH_AES_128_GCM_SHA256 0x00A0
4217		#define BR_TLS_DH_RSA_WITH_AES_256_GCM_SHA384 0x00A1
4218		#define BR_TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
4219		#define BR_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3
4220		#define BR_TLS_DH_DSS_WITH_AES_128_GCM_SHA256 0x00A4
4221		#define BR_TLS_DH_DSS_WITH_AES_256_GCM_SHA384 0x00A5
4222		#define BR_TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6
4223		#define BR_TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7
4224
4225		/* From RFC 5289 */
4226		#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
4227		#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
4228		#define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025
4229		#define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026
4230		#define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
4231		#define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
4232		#define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029
4233		#define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A
4234		#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
4235		#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
4236		#define BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
4237		#define BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E
4238		#define BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
4239		#define BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
4240		#define BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
4241		#define BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032
4242
4243		/* From RFC 6655 and 7251 */
4244		#define BR_TLS_RSA_WITH_AES_128_CCM 0xC09C
4245		#define BR_TLS_RSA_WITH_AES_256_CCM 0xC09D
4246		#define BR_TLS_RSA_WITH_AES_128_CCM_8 0xC0A0
4247		#define BR_TLS_RSA_WITH_AES_256_CCM_8 0xC0A1
4248		#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC
4249		#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM 0xC0AD
4250		#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE
4251		#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF
4252
4253		/* From RFC 7905 */
4254		#define BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8
4255		#define BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9
4256		#define BR_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA
4257		#define BR_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB
4258		#define BR_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC
4259		#define BR_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD
4260		#define BR_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE
4261
4262		/* From RFC 7507 */
4263		#define BR_TLS_FALLBACK_SCSV 0x5600
4264
4265		/*
4266		* Symbolic constants for alerts.
4267		*/
4268		#define BR_ALERT_CLOSE_NOTIFY 0
4269		#define BR_ALERT_UNEXPECTED_MESSAGE 10
4270		#define BR_ALERT_BAD_RECORD_MAC 20
4271		#define BR_ALERT_RECORD_OVERFLOW 22
4272		#define BR_ALERT_DECOMPRESSION_FAILURE 30
4273		#define BR_ALERT_HANDSHAKE_FAILURE 40
4274		#define BR_ALERT_BAD_CERTIFICATE 42
4275		#define BR_ALERT_UNSUPPORTED_CERTIFICATE 43
4276		#define BR_ALERT_CERTIFICATE_REVOKED 44
4277		#define BR_ALERT_CERTIFICATE_EXPIRED 45
4278		#define BR_ALERT_CERTIFICATE_UNKNOWN 46
4279		#define BR_ALERT_ILLEGAL_PARAMETER 47
4280		#define BR_ALERT_UNKNOWN_CA 48
4281		#define BR_ALERT_ACCESS_DENIED 49
4282		#define BR_ALERT_DECODE_ERROR 50
4283		#define BR_ALERT_DECRYPT_ERROR 51
4284		#define BR_ALERT_PROTOCOL_VERSION 70
4285		#define BR_ALERT_INSUFFICIENT_SECURITY 71
4286		#define BR_ALERT_INTERNAL_ERROR 80
4287		#define BR_ALERT_USER_CANCELED 90
4288		#define BR_ALERT_NO_RENEGOTIATION 100
4289		#define BR_ALERT_UNSUPPORTED_EXTENSION 110
4290		#define BR_ALERT_NO_APPLICATION_PROTOCOL 120
4291
4292		#ifdef __cplusplus
4293		}
4294		#endif
4295
4296		#endif