|
|
@@ -1583,8 +1583,11 @@ OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl, |
|
|
|
* certificate verification externally. This may be done with |
|
|
|
* |SSL_CTX_set_cert_verify_callback| or by extracting the chain with |
|
|
|
* |SSL_get_peer_cert_chain| after the handshake. In the future, functions will |
|
|
|
* be added to use the SSL stack without depending on any part of the legacy |
|
|
|
* X.509 and ASN.1 stack. */ |
|
|
|
* be added to use the SSL stack without dependency on any part of the legacy |
|
|
|
* X.509 and ASN.1 stack. |
|
|
|
* |
|
|
|
* To augment certificate verification, a client may also enable OCSP stapling |
|
|
|
* (RFC 6066) and Certificate Transparency (RFC 6962) extensions. */ |
|
|
|
|
|
|
|
/* SSL_VERIFY_NONE, on a client, verifies the server certificate but does not |
|
|
|
* make errors fatal. The result may be checked with |SSL_get_verify_result|. On |
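Review bot: The new closing sentence (`To augment certificate verification, a client may also enable OCSP stapling ... extensions.`) reads as if enabling those extensions adds a verification step, but the accessors introduced in the next hunk hand back the raw bytes with a warning that they are not guaranteed to be well formed, so no validation of the stapled response or SCT list appears to happen inside the library. I would qualify the sentence so a reader does not assume otherwise: `Enabling these only requests the data; the stapled OCSP response and SCT list are returned unparsed by |SSL_get0_ocsp_response| and |SSL_get0_signed_cert_timestamp_list| and must be validated by the caller.` The comment block being edited starts before this hunk.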
|
|
@@ -1750,6 +1753,44 @@ OPENSSL_EXPORT void SSL_CTX_set_cert_verify_callback( |
|
|
|
SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *store_ctx, void *arg), |
|
|
|
void *arg); |
|
|
|
|
|
|
|
/* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end |
|
|
|
* of a connection) to request SCTs from the server. See |
|
|
|
* https://tools.ietf.org/html/rfc6962. It returns one. */ |
|
|
|
OPENSSL_EXPORT int SSL_enable_signed_cert_timestamps(SSL *ssl); |
|
|
|
|
|
|
|
/* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL |
|
|
|
* objects created from |ctx|. */ |
|
|
|
OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); |
|
|
|
|
|
|
|
/* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to |
|
|
|
* |*out_len| bytes of SCT information from the server. This is only valid if |
|
|
|
* |ssl| is a client. The SCT information is a SignedCertificateTimestampList |
|
|
|
* (including the two leading length bytes). |
|
|
|
* See https://tools.ietf.org/html/rfc6962#section-3.3 |
|
|
|
* If no SCT was received then |*out_len| will be zero on return. |
|
|
|
* |
|
|
|
* WARNING: the returned data is not guaranteed to be well formed. */ |
|
|
|
OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, |
|
|
|
const uint8_t **out, |
|
|
|
size_t *out_len); |
|
|
|
|
|
|
|
/* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a |
|
|
|
* connection) to request a stapled OCSP response from the server. It returns |
|
|
|
* one. */ |
|
|
|
OPENSSL_EXPORT int SSL_enable_ocsp_stapling(SSL *ssl); |
|
|
|
|
|
|
|
/* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects |
|
|
|
* created from |ctx|. */ |
|
|
|
OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx); |
|
|
|
|
|
|
|
/* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len| |
|
|
|
* bytes of an OCSP response from the server. This is the DER encoding of an |
|
|
|
* OCSPResponse type as defined in RFC 2560. |
|
|
|
* |
|
|
|
* WARNING: the returned data is not guaranteed to be well formed. */ |
|
|
|
OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, |
|
|
|
size_t *out_len); |
|
|
|
|
|
|
|
|
|
|
|
/* Client certificate CA list. |
|
|
|
* |
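Review bot: The comment on `SSL_get0_ocsp_response` is less complete than the one on `SSL_get0_signed_cert_timestamp_list` a few declarations above: it does not say the call is only valid on a client, and it does not say what `*out_len` is when the server stapled nothing, which a caller doing hard-fail revocation checking needs in order to tell "absent" from "present but malformed". Presumably it mirrors the SCT accessor and leaves `*out_len` zero, but that should be confirmed against the implementation before documenting it. I would add, before the WARNING, `This is only valid if |ssl| is a client. If no OCSP response was received then |*out_len| will be zero on return.` and, for both get0 accessors, a sentence that the pointer is owned by |ssl| (as the `get0` naming suggests) and is not a parsed or verified object, so an empty or unparsable result must not be treated as "not revoked" or "logged". The RFC 2560 reference could also cite RFC 6960, which obsoletes it.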
|
|
@@ -2348,43 +2389,6 @@ OPENSSL_EXPORT void SSL_CTX_set_client_cert_cb( |
|
|
|
OPENSSL_EXPORT int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, |
|
|
|
X509 **x509, |
|
|
|
EVP_PKEY **pkey); |
|
|
|
/* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end |
|
|
|
* of a connection) to request SCTs from the server. See |
|
|
|
* https://tools.ietf.org/html/rfc6962. It returns one. */ |
|
|
|
OPENSSL_EXPORT int SSL_enable_signed_cert_timestamps(SSL *ssl); |
|
|
|
|
|
|
|
/* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL |
|
|
|
* objects created from |ctx|. */ |
|
|
|
OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); |
|
|
|
|
|
|
|
/* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a |
|
|
|
* connection) to request a stapled OCSP response from the server. It returns |
|
|
|
* one. */ |
|
|
|
OPENSSL_EXPORT int SSL_enable_ocsp_stapling(SSL *ssl); |
|
|
|
|
|
|
|
/* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects |
|
|
|
* created from |ctx|. */ |
|
|
|
OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx); |
|
|
|
|
|
|
|
/* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to |
|
|
|
* |*out_len| bytes of SCT information from the server. This is only valid if |
|
|
|
* |ssl| is a client. The SCT information is a SignedCertificateTimestampList |
|
|
|
* (including the two leading length bytes). |
|
|
|
* See https://tools.ietf.org/html/rfc6962#section-3.3 |
|
|
|
* If no SCT was received then |*out_len| will be zero on return. |
|
|
|
* |
|
|
|
* WARNING: the returned data is not guaranteed to be well formed. */ |
|
|
|
OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, |
|
|
|
const uint8_t **out, |
|
|
|
size_t *out_len); |
|
|
|
|
|
|
|
/* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len| |
|
|
|
* bytes of an OCSP response from the server. This is the DER encoding of an |
|
|
|
* OCSPResponse type as defined in RFC 2560. |
|
|
|
* |
|
|
|
* WARNING: the returned data is not guaranteed to be well formed. */ |
|
|
|
OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out, |
|
|
|
size_t *out_len); |
|
|
|
|
|
|
|
#define SSL_NOTHING 1 |
|
|
|
#define SSL_WRITING 2 |
|
|
|