xref: /freebsd/contrib/bearssl/inc/bearssl_ssl.h (revision e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #ifndef BR_BEARSSL_SSL_H__
26 #define BR_BEARSSL_SSL_H__
27 
28 #include <stddef.h>
29 #include <stdint.h>
30 
31 #include "bearssl_block.h"
32 #include "bearssl_hash.h"
33 #include "bearssl_hmac.h"
34 #include "bearssl_prf.h"
35 #include "bearssl_rand.h"
36 #include "bearssl_x509.h"
37 
38 #ifdef __cplusplus
39 extern "C" {
40 #endif
41 
42 /** \file bearssl_ssl.h
43  *
44  * # SSL
45  *
46  * For an overview of the SSL/TLS API, see [the BearSSL Web
47  * site](https://www.bearssl.org/api1.html).
48  *
49  * The `BR_TLS_*` constants correspond to the standard cipher suites and
50  * their values in the [IANA
51  * registry](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
52  *
53  * The `BR_ALERT_*` constants are for standard TLS alert messages. When
54  * a fatal alert message is sent of received, then the SSL engine context
55  * status is set to the sum of that alert value (an integer in the 0..255
56  * range) and a fixed offset (`BR_ERR_SEND_FATAL_ALERT` for a sent alert,
57  * `BR_ERR_RECV_FATAL_ALERT` for a received alert).
58  */
59 
60 /** \brief Optimal input buffer size. */
61 #define BR_SSL_BUFSIZE_INPUT    (16384 + 325)
62 
63 /** \brief Optimal output buffer size. */
64 #define BR_SSL_BUFSIZE_OUTPUT   (16384 + 85)
65 
66 /** \brief Optimal buffer size for monodirectional engine
67     (shared input/output buffer). */
68 #define BR_SSL_BUFSIZE_MONO     BR_SSL_BUFSIZE_INPUT
69 
70 /** \brief Optimal buffer size for bidirectional engine
71     (single buffer split into two separate input/output buffers). */
72 #define BR_SSL_BUFSIZE_BIDI     (BR_SSL_BUFSIZE_INPUT + BR_SSL_BUFSIZE_OUTPUT)
73 
74 /*
75  * Constants for known SSL/TLS protocol versions (SSL 3.0, TLS 1.0, TLS 1.1
76  * and TLS 1.2). Note that though there is a constant for SSL 3.0, that
77  * protocol version is not actually supported.
78  */
79 
80 /** \brief Protocol version: SSL 3.0 (unsupported). */
81 #define BR_SSL30   0x0300
82 /** \brief Protocol version: TLS 1.0. */
83 #define BR_TLS10   0x0301
84 /** \brief Protocol version: TLS 1.1. */
85 #define BR_TLS11   0x0302
86 /** \brief Protocol version: TLS 1.2. */
87 #define BR_TLS12   0x0303
88 
89 /*
90  * Error constants. They are used to report the reason why a context has
91  * been marked as failed.
92  *
93  * Implementation note: SSL-level error codes should be in the 1..31
94  * range. The 32..63 range is for certificate decoding and validation
95  * errors. Received fatal alerts imply an error code in the 256..511 range.
96  */
97 
98 /** \brief SSL status: no error so far (0). */
99 #define BR_ERR_OK                      0
100 
101 /** \brief SSL status: caller-provided parameter is incorrect. */
102 #define BR_ERR_BAD_PARAM               1
103 
104 /** \brief SSL status: operation requested by the caller cannot be applied
105     with the current context state (e.g. reading data while outgoing data
106     is waiting to be sent). */
107 #define BR_ERR_BAD_STATE               2
108 
109 /** \brief SSL status: incoming protocol or record version is unsupported. */
110 #define BR_ERR_UNSUPPORTED_VERSION     3
111 
112 /** \brief SSL status: incoming record version does not match the expected
113     version. */
114 #define BR_ERR_BAD_VERSION             4
115 
116 /** \brief SSL status: incoming record length is invalid. */
117 #define BR_ERR_BAD_LENGTH              5
118 
119 /** \brief SSL status: incoming record is too large to be processed, or
120     buffer is too small for the handshake message to send. */
121 #define BR_ERR_TOO_LARGE               6
122 
123 /** \brief SSL status: decryption found an invalid padding, or the record
124     MAC is not correct. */
125 #define BR_ERR_BAD_MAC                 7
126 
127 /** \brief SSL status: no initial entropy was provided, and none can be
128     obtained from the OS. */
129 #define BR_ERR_NO_RANDOM               8
130 
131 /** \brief SSL status: incoming record type is unknown. */
132 #define BR_ERR_UNKNOWN_TYPE            9
133 
134 /** \brief SSL status: incoming record or message has wrong type with
135     regards to the current engine state. */
136 #define BR_ERR_UNEXPECTED             10
137 
138 /** \brief SSL status: ChangeCipherSpec message from the peer has invalid
139     contents. */
140 #define BR_ERR_BAD_CCS                12
141 
142 /** \brief SSL status: alert message from the peer has invalid contents
143     (odd length). */
144 #define BR_ERR_BAD_ALERT              13
145 
146 /** \brief SSL status: incoming handshake message decoding failed. */
147 #define BR_ERR_BAD_HANDSHAKE          14
148 
149 /** \brief SSL status: ServerHello contains a session ID which is larger
150     than 32 bytes. */
151 #define BR_ERR_OVERSIZED_ID           15
152 
153 /** \brief SSL status: server wants to use a cipher suite that we did
154     not claim to support. This is also reported if we tried to advertise
155     a cipher suite that we do not support. */
156 #define BR_ERR_BAD_CIPHER_SUITE       16
157 
158 /** \brief SSL status: server wants to use a compression that we did not
159     claim to support. */
160 #define BR_ERR_BAD_COMPRESSION        17
161 
162 /** \brief SSL status: server's max fragment length does not match
163     client's. */
164 #define BR_ERR_BAD_FRAGLEN            18
165 
166 /** \brief SSL status: secure renegotiation failed. */
167 #define BR_ERR_BAD_SECRENEG           19
168 
169 /** \brief SSL status: server sent an extension type that we did not
170     announce, or used the same extension type several times in a single
171     ServerHello. */
172 #define BR_ERR_EXTRA_EXTENSION        20
173 
174 /** \brief SSL status: invalid Server Name Indication contents (when
175     used by the server, this extension shall be empty). */
176 #define BR_ERR_BAD_SNI                21
177 
178 /** \brief SSL status: invalid ServerHelloDone from the server (length
179     is not 0). */
180 #define BR_ERR_BAD_HELLO_DONE         22
181 
182 /** \brief SSL status: internal limit exceeded (e.g. server's public key
183     is too large). */
184 #define BR_ERR_LIMIT_EXCEEDED         23
185 
186 /** \brief SSL status: Finished message from peer does not match the
187     expected value. */
188 #define BR_ERR_BAD_FINISHED           24
189 
190 /** \brief SSL status: session resumption attempt with distinct version
191     or cipher suite. */
192 #define BR_ERR_RESUME_MISMATCH        25
193 
194 /** \brief SSL status: unsupported or invalid algorithm (ECDHE curve,
195     signature algorithm, hash function). */
196 #define BR_ERR_INVALID_ALGORITHM      26
197 
198 /** \brief SSL status: invalid signature (on ServerKeyExchange from
199     server, or in CertificateVerify from client). */
200 #define BR_ERR_BAD_SIGNATURE          27
201 
202 /** \brief SSL status: peer's public key does not have the proper type
203     or is not allowed for requested operation. */
204 #define BR_ERR_WRONG_KEY_USAGE        28
205 
206 /** \brief SSL status: client did not send a certificate upon request,
207     or the client certificate could not be validated. */
208 #define BR_ERR_NO_CLIENT_AUTH         29
209 
210 /** \brief SSL status: I/O error or premature close on underlying
211     transport stream. This error code is set only by the simplified
212     I/O API ("br_sslio_*"). */
213 #define BR_ERR_IO                     31
214 
215 /** \brief SSL status: base value for a received fatal alert.
216 
217     When a fatal alert is received from the peer, the alert value
218     is added to this constant. */
219 #define BR_ERR_RECV_FATAL_ALERT      256
220 
221 /** \brief SSL status: base value for a sent fatal alert.
222 
223     When a fatal alert is sent to the peer, the alert value is added
224     to this constant. */
225 #define BR_ERR_SEND_FATAL_ALERT      512
226 
227 /* ===================================================================== */
228 
229 /**
230  * \brief Decryption engine for SSL.
231  *
232  * When processing incoming records, the SSL engine will use a decryption
233  * engine that uses a specific context structure, and has a set of
234  * methods (a vtable) that follows this template.
235  *
236  * The decryption engine is responsible for applying decryption, verifying
237  * MAC, and keeping track of the record sequence number.
238  */
239 typedef struct br_sslrec_in_class_ br_sslrec_in_class;
240 struct br_sslrec_in_class_ {
241 	/**
242 	 * \brief Context size (in bytes).
243 	 */
244 	size_t context_size;
245 
246 	/**
247 	 * \brief Test validity of the incoming record length.
248 	 *
249 	 * This function returns 1 if the announced length for an
250 	 * incoming record is valid, 0 otherwise,
251 	 *
252 	 * \param ctx          decryption engine context.
253 	 * \param record_len   incoming record length.
254 	 * \return  1 of a valid length, 0 otherwise.
255 	 */
256 	int (*check_length)(const br_sslrec_in_class *const *ctx,
257 		size_t record_len);
258 
259 	/**
260 	 * \brief Decrypt the incoming record.
261 	 *
262 	 * This function may assume that the record length is valid
263 	 * (it has been previously tested with `check_length()`).
264 	 * Decryption is done in place; `*len` is updated with the
265 	 * cleartext length, and the address of the first plaintext
266 	 * byte is returned. If the record is correct but empty, then
267 	 * `*len` is set to 0 and a non-`NULL` pointer is returned.
268 	 *
269 	 * On decryption/MAC error, `NULL` is returned.
270 	 *
271 	 * \param ctx           decryption engine context.
272 	 * \param record_type   record type (23 for application data, etc).
273 	 * \param version       record version.
274 	 * \param payload       address of encrypted payload.
275 	 * \param len           pointer to payload length (updated).
276 	 * \return  pointer to plaintext, or `NULL` on error.
277 	 */
278 	unsigned char *(*decrypt)(const br_sslrec_in_class **ctx,
279 		int record_type, unsigned version,
280 		void *payload, size_t *len);
281 };
282 
283 /**
284  * \brief Encryption engine for SSL.
285  *
286  * When building outgoing records, the SSL engine will use an encryption
287  * engine that uses a specific context structure, and has a set of
288  * methods (a vtable) that follows this template.
289  *
290  * The encryption engine is responsible for applying encryption and MAC,
291  * and keeping track of the record sequence number.
292  */
293 typedef struct br_sslrec_out_class_ br_sslrec_out_class;
294 struct br_sslrec_out_class_ {
295 	/**
296 	 * \brief Context size (in bytes).
297 	 */
298 	size_t context_size;
299 
300 	/**
301 	 * \brief Compute maximum plaintext sizes and offsets.
302 	 *
303 	 * When this function is called, the `*start` and `*end`
304 	 * values contain offsets designating the free area in the
305 	 * outgoing buffer for plaintext data; that free area is
306 	 * preceded by a 5-byte space which will receive the record
307 	 * header.
308 	 *
309 	 * The `max_plaintext()` function is responsible for adjusting
310 	 * both `*start` and `*end` to make room for any record-specific
311 	 * header, MAC, padding, and possible split.
312 	 *
313 	 * \param ctx     encryption engine context.
314 	 * \param start   pointer to start of plaintext offset (updated).
315 	 * \param end     pointer to start of plaintext offset (updated).
316 	 */
317 	void (*max_plaintext)(const br_sslrec_out_class *const *ctx,
318 		size_t *start, size_t *end);
319 
320 	/**
321 	 * \brief Perform record encryption.
322 	 *
323 	 * This function encrypts the record. The plaintext address and
324 	 * length are provided. Returned value is the start of the
325 	 * encrypted record (or sequence of records, if a split was
326 	 * performed), _including_ the 5-byte header, and `*len` is
327 	 * adjusted to the total size of the record(s), there again
328 	 * including the header(s).
329 	 *
330 	 * \param ctx           decryption engine context.
331 	 * \param record_type   record type (23 for application data, etc).
332 	 * \param version       record version.
333 	 * \param plaintext     address of plaintext.
334 	 * \param len           pointer to plaintext length (updated).
335 	 * \return  pointer to start of built record.
336 	 */
337 	unsigned char *(*encrypt)(const br_sslrec_out_class **ctx,
338 		int record_type, unsigned version,
339 		void *plaintext, size_t *len);
340 };
341 
342 /**
343  * \brief Context for a no-encryption engine.
344  *
345  * The no-encryption engine processes outgoing records during the initial
346  * handshake, before encryption is applied.
347  */
348 typedef struct {
349 	/** \brief No-encryption engine vtable. */
350 	const br_sslrec_out_class *vtable;
351 } br_sslrec_out_clear_context;
352 
353 /** \brief Static, constant vtable for the no-encryption engine. */
354 extern const br_sslrec_out_class br_sslrec_out_clear_vtable;
355 
356 /* ===================================================================== */
357 
358 /**
359  * \brief Record decryption engine class, for CBC mode.
360  *
361  * This class type extends the decryption engine class with an
362  * initialisation method that receives the parameters needed
363  * for CBC processing: block cipher implementation, block cipher key,
364  * HMAC parameters (hash function, key, MAC length), and IV. If the
365  * IV is `NULL`, then a per-record IV will be used (TLS 1.1+).
366  */
367 typedef struct br_sslrec_in_cbc_class_ br_sslrec_in_cbc_class;
368 struct br_sslrec_in_cbc_class_ {
369 	/**
370 	 * \brief Superclass, as first vtable field.
371 	 */
372 	br_sslrec_in_class inner;
373 
374 	/**
375 	 * \brief Engine initialisation method.
376 	 *
377 	 * This method sets the vtable field in the context.
378 	 *
379 	 * \param ctx           context to initialise.
380 	 * \param bc_impl       block cipher implementation (CBC decryption).
381 	 * \param bc_key        block cipher key.
382 	 * \param bc_key_len    block cipher key length (in bytes).
383 	 * \param dig_impl      hash function for HMAC.
384 	 * \param mac_key       HMAC key.
385 	 * \param mac_key_len   HMAC key length (in bytes).
386 	 * \param mac_out_len   HMAC output length (in bytes).
387 	 * \param iv            initial IV (or `NULL`).
388 	 */
389 	void (*init)(const br_sslrec_in_cbc_class **ctx,
390 		const br_block_cbcdec_class *bc_impl,
391 		const void *bc_key, size_t bc_key_len,
392 		const br_hash_class *dig_impl,
393 		const void *mac_key, size_t mac_key_len, size_t mac_out_len,
394 		const void *iv);
395 };
396 
397 /**
398  * \brief Record encryption engine class, for CBC mode.
399  *
400  * This class type extends the encryption engine class with an
401  * initialisation method that receives the parameters needed
402  * for CBC processing: block cipher implementation, block cipher key,
403  * HMAC parameters (hash function, key, MAC length), and IV. If the
404  * IV is `NULL`, then a per-record IV will be used (TLS 1.1+).
405  */
406 typedef struct br_sslrec_out_cbc_class_ br_sslrec_out_cbc_class;
407 struct br_sslrec_out_cbc_class_ {
408 	/**
409 	 * \brief Superclass, as first vtable field.
410 	 */
411 	br_sslrec_out_class inner;
412 
413 	/**
414 	 * \brief Engine initialisation method.
415 	 *
416 	 * This method sets the vtable field in the context.
417 	 *
418 	 * \param ctx           context to initialise.
419 	 * \param bc_impl       block cipher implementation (CBC encryption).
420 	 * \param bc_key        block cipher key.
421 	 * \param bc_key_len    block cipher key length (in bytes).
422 	 * \param dig_impl      hash function for HMAC.
423 	 * \param mac_key       HMAC key.
424 	 * \param mac_key_len   HMAC key length (in bytes).
425 	 * \param mac_out_len   HMAC output length (in bytes).
426 	 * \param iv            initial IV (or `NULL`).
427 	 */
428 	void (*init)(const br_sslrec_out_cbc_class **ctx,
429 		const br_block_cbcenc_class *bc_impl,
430 		const void *bc_key, size_t bc_key_len,
431 		const br_hash_class *dig_impl,
432 		const void *mac_key, size_t mac_key_len, size_t mac_out_len,
433 		const void *iv);
434 };
435 
436 /**
437  * \brief Context structure for decrypting incoming records with
438  * CBC + HMAC.
439  *
440  * The first field points to the vtable. The other fields are opaque
441  * and shall not be accessed directly.
442  */
443 typedef struct {
444 	/** \brief Pointer to vtable. */
445 	const br_sslrec_in_cbc_class *vtable;
446 #ifndef BR_DOXYGEN_IGNORE
447 	uint64_t seq;
448 	union {
449 		const br_block_cbcdec_class *vtable;
450 		br_aes_gen_cbcdec_keys aes;
451 		br_des_gen_cbcdec_keys des;
452 	} bc;
453 	br_hmac_key_context mac;
454 	size_t mac_len;
455 	unsigned char iv[16];
456 	int explicit_IV;
457 #endif
458 } br_sslrec_in_cbc_context;
459 
460 /**
461  * \brief Static, constant vtable for record decryption with CBC.
462  */
463 extern const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable;
464 
465 /**
466  * \brief Context structure for encrypting outgoing records with
467  * CBC + HMAC.
468  *
469  * The first field points to the vtable. The other fields are opaque
470  * and shall not be accessed directly.
471  */
472 typedef struct {
473 	/** \brief Pointer to vtable. */
474 	const br_sslrec_out_cbc_class *vtable;
475 #ifndef BR_DOXYGEN_IGNORE
476 	uint64_t seq;
477 	union {
478 		const br_block_cbcenc_class *vtable;
479 		br_aes_gen_cbcenc_keys aes;
480 		br_des_gen_cbcenc_keys des;
481 	} bc;
482 	br_hmac_key_context mac;
483 	size_t mac_len;
484 	unsigned char iv[16];
485 	int explicit_IV;
486 #endif
487 } br_sslrec_out_cbc_context;
488 
489 /**
490  * \brief Static, constant vtable for record encryption with CBC.
491  */
492 extern const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable;
493 
494 /* ===================================================================== */
495 
496 /**
497  * \brief Record decryption engine class, for GCM mode.
498  *
499  * This class type extends the decryption engine class with an
500  * initialisation method that receives the parameters needed
501  * for GCM processing: block cipher implementation, block cipher key,
502  * GHASH implementation, and 4-byte IV.
503  */
504 typedef struct br_sslrec_in_gcm_class_ br_sslrec_in_gcm_class;
505 struct br_sslrec_in_gcm_class_ {
506 	/**
507 	 * \brief Superclass, as first vtable field.
508 	 */
509 	br_sslrec_in_class inner;
510 
511 	/**
512 	 * \brief Engine initialisation method.
513 	 *
514 	 * This method sets the vtable field in the context.
515 	 *
516 	 * \param ctx           context to initialise.
517 	 * \param bc_impl       block cipher implementation (CTR).
518 	 * \param key           block cipher key.
519 	 * \param key_len       block cipher key length (in bytes).
520 	 * \param gh_impl       GHASH implementation.
521 	 * \param iv            static IV (4 bytes).
522 	 */
523 	void (*init)(const br_sslrec_in_gcm_class **ctx,
524 		const br_block_ctr_class *bc_impl,
525 		const void *key, size_t key_len,
526 		br_ghash gh_impl,
527 		const void *iv);
528 };
529 
530 /**
531  * \brief Record encryption engine class, for GCM mode.
532  *
533  * This class type extends the encryption engine class with an
534  * initialisation method that receives the parameters needed
535  * for GCM processing: block cipher implementation, block cipher key,
536  * GHASH implementation, and 4-byte IV.
537  */
538 typedef struct br_sslrec_out_gcm_class_ br_sslrec_out_gcm_class;
539 struct br_sslrec_out_gcm_class_ {
540 	/**
541 	 * \brief Superclass, as first vtable field.
542 	 */
543 	br_sslrec_out_class inner;
544 
545 	/**
546 	 * \brief Engine initialisation method.
547 	 *
548 	 * This method sets the vtable field in the context.
549 	 *
550 	 * \param ctx           context to initialise.
551 	 * \param bc_impl       block cipher implementation (CTR).
552 	 * \param key           block cipher key.
553 	 * \param key_len       block cipher key length (in bytes).
554 	 * \param gh_impl       GHASH implementation.
555 	 * \param iv            static IV (4 bytes).
556 	 */
557 	void (*init)(const br_sslrec_out_gcm_class **ctx,
558 		const br_block_ctr_class *bc_impl,
559 		const void *key, size_t key_len,
560 		br_ghash gh_impl,
561 		const void *iv);
562 };
563 
564 /**
565  * \brief Context structure for processing records with GCM.
566  *
567  * The same context structure is used for encrypting and decrypting.
568  *
569  * The first field points to the vtable. The other fields are opaque
570  * and shall not be accessed directly.
571  */
572 typedef struct {
573 	/** \brief Pointer to vtable. */
574 	union {
575 		const void *gen;
576 		const br_sslrec_in_gcm_class *in;
577 		const br_sslrec_out_gcm_class *out;
578 	} vtable;
579 #ifndef BR_DOXYGEN_IGNORE
580 	uint64_t seq;
581 	union {
582 		const br_block_ctr_class *vtable;
583 		br_aes_gen_ctr_keys aes;
584 	} bc;
585 	br_ghash gh;
586 	unsigned char iv[4];
587 	unsigned char h[16];
588 #endif
589 } br_sslrec_gcm_context;
590 
591 /**
592  * \brief Static, constant vtable for record decryption with GCM.
593  */
594 extern const br_sslrec_in_gcm_class br_sslrec_in_gcm_vtable;
595 
596 /**
597  * \brief Static, constant vtable for record encryption with GCM.
598  */
599 extern const br_sslrec_out_gcm_class br_sslrec_out_gcm_vtable;
600 
601 /* ===================================================================== */
602 
603 /**
604  * \brief Record decryption engine class, for ChaCha20+Poly1305.
605  *
606  * This class type extends the decryption engine class with an
607  * initialisation method that receives the parameters needed
608  * for ChaCha20+Poly1305 processing: ChaCha20 implementation,
609  * Poly1305 implementation, key, and 12-byte IV.
610  */
611 typedef struct br_sslrec_in_chapol_class_ br_sslrec_in_chapol_class;
612 struct br_sslrec_in_chapol_class_ {
613 	/**
614 	 * \brief Superclass, as first vtable field.
615 	 */
616 	br_sslrec_in_class inner;
617 
618 	/**
619 	 * \brief Engine initialisation method.
620 	 *
621 	 * This method sets the vtable field in the context.
622 	 *
623 	 * \param ctx           context to initialise.
624 	 * \param ichacha       ChaCha20 implementation.
625 	 * \param ipoly         Poly1305 implementation.
626 	 * \param key           secret key (32 bytes).
627 	 * \param iv            static IV (12 bytes).
628 	 */
629 	void (*init)(const br_sslrec_in_chapol_class **ctx,
630 		br_chacha20_run ichacha,
631 		br_poly1305_run ipoly,
632 		const void *key, const void *iv);
633 };
634 
635 /**
636  * \brief Record encryption engine class, for ChaCha20+Poly1305.
637  *
638  * This class type extends the encryption engine class with an
639  * initialisation method that receives the parameters needed
640  * for ChaCha20+Poly1305 processing: ChaCha20 implementation,
641  * Poly1305 implementation, key, and 12-byte IV.
642  */
643 typedef struct br_sslrec_out_chapol_class_ br_sslrec_out_chapol_class;
644 struct br_sslrec_out_chapol_class_ {
645 	/**
646 	 * \brief Superclass, as first vtable field.
647 	 */
648 	br_sslrec_out_class inner;
649 
650 	/**
651 	 * \brief Engine initialisation method.
652 	 *
653 	 * This method sets the vtable field in the context.
654 	 *
655 	 * \param ctx           context to initialise.
656 	 * \param ichacha       ChaCha20 implementation.
657 	 * \param ipoly         Poly1305 implementation.
658 	 * \param key           secret key (32 bytes).
659 	 * \param iv            static IV (12 bytes).
660 	 */
661 	void (*init)(const br_sslrec_out_chapol_class **ctx,
662 		br_chacha20_run ichacha,
663 		br_poly1305_run ipoly,
664 		const void *key, const void *iv);
665 };
666 
667 /**
668  * \brief Context structure for processing records with ChaCha20+Poly1305.
669  *
670  * The same context structure is used for encrypting and decrypting.
671  *
672  * The first field points to the vtable. The other fields are opaque
673  * and shall not be accessed directly.
674  */
675 typedef struct {
676 	/** \brief Pointer to vtable. */
677 	union {
678 		const void *gen;
679 		const br_sslrec_in_chapol_class *in;
680 		const br_sslrec_out_chapol_class *out;
681 	} vtable;
682 #ifndef BR_DOXYGEN_IGNORE
683 	uint64_t seq;
684 	unsigned char key[32];
685 	unsigned char iv[12];
686 	br_chacha20_run ichacha;
687 	br_poly1305_run ipoly;
688 #endif
689 } br_sslrec_chapol_context;
690 
691 /**
692  * \brief Static, constant vtable for record decryption with ChaCha20+Poly1305.
693  */
694 extern const br_sslrec_in_chapol_class br_sslrec_in_chapol_vtable;
695 
696 /**
697  * \brief Static, constant vtable for record encryption with ChaCha20+Poly1305.
698  */
699 extern const br_sslrec_out_chapol_class br_sslrec_out_chapol_vtable;
700 
701 /* ===================================================================== */
702 
703 /**
704  * \brief Record decryption engine class, for CCM mode.
705  *
706  * This class type extends the decryption engine class with an
707  * initialisation method that receives the parameters needed
708  * for CCM processing: block cipher implementation, block cipher key,
709  * and 4-byte IV.
710  */
711 typedef struct br_sslrec_in_ccm_class_ br_sslrec_in_ccm_class;
712 struct br_sslrec_in_ccm_class_ {
713 	/**
714 	 * \brief Superclass, as first vtable field.
715 	 */
716 	br_sslrec_in_class inner;
717 
718 	/**
719 	 * \brief Engine initialisation method.
720 	 *
721 	 * This method sets the vtable field in the context.
722 	 *
723 	 * \param ctx           context to initialise.
724 	 * \param bc_impl       block cipher implementation (CTR+CBC).
725 	 * \param key           block cipher key.
726 	 * \param key_len       block cipher key length (in bytes).
727 	 * \param iv            static IV (4 bytes).
728 	 * \param tag_len       tag length (in bytes)
729 	 */
730 	void (*init)(const br_sslrec_in_ccm_class **ctx,
731 		const br_block_ctrcbc_class *bc_impl,
732 		const void *key, size_t key_len,
733 		const void *iv, size_t tag_len);
734 };
735 
736 /**
737  * \brief Record encryption engine class, for CCM mode.
738  *
739  * This class type extends the encryption engine class with an
740  * initialisation method that receives the parameters needed
741  * for CCM processing: block cipher implementation, block cipher key,
742  * and 4-byte IV.
743  */
744 typedef struct br_sslrec_out_ccm_class_ br_sslrec_out_ccm_class;
745 struct br_sslrec_out_ccm_class_ {
746 	/**
747 	 * \brief Superclass, as first vtable field.
748 	 */
749 	br_sslrec_out_class inner;
750 
751 	/**
752 	 * \brief Engine initialisation method.
753 	 *
754 	 * This method sets the vtable field in the context.
755 	 *
756 	 * \param ctx           context to initialise.
757 	 * \param bc_impl       block cipher implementation (CTR+CBC).
758 	 * \param key           block cipher key.
759 	 * \param key_len       block cipher key length (in bytes).
760 	 * \param iv            static IV (4 bytes).
761 	 * \param tag_len       tag length (in bytes)
762 	 */
763 	void (*init)(const br_sslrec_out_ccm_class **ctx,
764 		const br_block_ctrcbc_class *bc_impl,
765 		const void *key, size_t key_len,
766 		const void *iv, size_t tag_len);
767 };
768 
769 /**
770  * \brief Context structure for processing records with CCM.
771  *
772  * The same context structure is used for encrypting and decrypting.
773  *
774  * The first field points to the vtable. The other fields are opaque
775  * and shall not be accessed directly.
776  */
777 typedef struct {
778 	/** \brief Pointer to vtable. */
779 	union {
780 		const void *gen;
781 		const br_sslrec_in_ccm_class *in;
782 		const br_sslrec_out_ccm_class *out;
783 	} vtable;
784 #ifndef BR_DOXYGEN_IGNORE
785 	uint64_t seq;
786 	union {
787 		const br_block_ctrcbc_class *vtable;
788 		br_aes_gen_ctrcbc_keys aes;
789 	} bc;
790 	unsigned char iv[4];
791 	size_t tag_len;
792 #endif
793 } br_sslrec_ccm_context;
794 
795 /**
796  * \brief Static, constant vtable for record decryption with CCM.
797  */
798 extern const br_sslrec_in_ccm_class br_sslrec_in_ccm_vtable;
799 
800 /**
801  * \brief Static, constant vtable for record encryption with CCM.
802  */
803 extern const br_sslrec_out_ccm_class br_sslrec_out_ccm_vtable;
804 
805 /* ===================================================================== */
806 
807 /**
808  * \brief Type for session parameters, to be saved for session resumption.
809  */
810 typedef struct {
811 	/** \brief Session ID buffer. */
812 	unsigned char session_id[32];
813 	/** \brief Session ID length (in bytes, at most 32). */
814 	unsigned char session_id_len;
815 	/** \brief Protocol version. */
816 	uint16_t version;
817 	/** \brief Cipher suite. */
818 	uint16_t cipher_suite;
819 	/** \brief Master secret. */
820 	unsigned char master_secret[48];
821 } br_ssl_session_parameters;
822 
823 #ifndef BR_DOXYGEN_IGNORE
824 /*
825  * Maximum number of cipher suites supported by a client or server.
826  */
827 #define BR_MAX_CIPHER_SUITES   48
828 #endif
829 
830 /**
831  * \brief Context structure for SSL engine.
832  *
833  * This strucuture is common to the client and server; both the client
834  * context (`br_ssl_client_context`) and the server context
835  * (`br_ssl_server_context`) include a `br_ssl_engine_context` as their
836  * first field.
837  *
838  * The engine context manages records, including alerts, closures, and
839  * transitions to new encryption/MAC algorithms. Processing of handshake
840  * records is delegated to externally provided code. This structure
841  * should not be used directly.
842  *
843  * Structure contents are opaque and shall not be accessed directly.
844  */
845 typedef struct {
846 #ifndef BR_DOXYGEN_IGNORE
847 	/*
848 	 * The error code. When non-zero, then the state is "failed" and
849 	 * no I/O may occur until reset.
850 	 */
851 	int err;
852 
853 	/*
854 	 * Configured I/O buffers. They are either disjoint, or identical.
855 	 */
856 	unsigned char *ibuf, *obuf;
857 	size_t ibuf_len, obuf_len;
858 
859 	/*
860 	 * Maximum fragment length applies to outgoing records; incoming
861 	 * records can be processed as long as they fit in the input
862 	 * buffer. It is guaranteed that incoming records at least as big
863 	 * as max_frag_len can be processed.
864 	 */
865 	uint16_t max_frag_len;
866 	unsigned char log_max_frag_len;
867 	unsigned char peer_log_max_frag_len;
868 
869 	/*
870 	 * Buffering management registers.
871 	 */
872 	size_t ixa, ixb, ixc;
873 	size_t oxa, oxb, oxc;
874 	unsigned char iomode;
875 	unsigned char incrypt;
876 
877 	/*
878 	 * Shutdown flag: when set to non-zero, incoming record bytes
879 	 * will not be accepted anymore. This is used after a close_notify
880 	 * has been received: afterwards, the engine no longer claims that
881 	 * it could receive bytes from the transport medium.
882 	 */
883 	unsigned char shutdown_recv;
884 
885 	/*
886 	 * 'record_type_in' is set to the incoming record type when the
887 	 * record header has been received.
888 	 * 'record_type_out' is used to make the next outgoing record
889 	 * header when it is ready to go.
890 	 */
891 	unsigned char record_type_in, record_type_out;
892 
893 	/*
894 	 * When a record is received, its version is extracted:
895 	 * -- if 'version_in' is 0, then it is set to the received version;
896 	 * -- otherwise, if the received version is not identical to
897 	 *    the 'version_in' contents, then a failure is reported.
898 	 *
899 	 * This implements the SSL requirement that all records shall
900 	 * use the negotiated protocol version, once decided (in the
901 	 * ServerHello). It is up to the handshake handler to adjust this
902 	 * field when necessary.
903 	 */
904 	uint16_t version_in;
905 
906 	/*
907 	 * 'version_out' is used when the next outgoing record is ready
908 	 * to go.
909 	 */
910 	uint16_t version_out;
911 
912 	/*
913 	 * Record handler contexts.
914 	 */
915 	union {
916 		const br_sslrec_in_class *vtable;
917 		br_sslrec_in_cbc_context cbc;
918 		br_sslrec_gcm_context gcm;
919 		br_sslrec_chapol_context chapol;
920 		br_sslrec_ccm_context ccm;
921 	} in;
922 	union {
923 		const br_sslrec_out_class *vtable;
924 		br_sslrec_out_clear_context clear;
925 		br_sslrec_out_cbc_context cbc;
926 		br_sslrec_gcm_context gcm;
927 		br_sslrec_chapol_context chapol;
928 		br_sslrec_ccm_context ccm;
929 	} out;
930 
931 	/*
932 	 * The "application data" flag. Value:
933 	 *   0   handshake is in process, no application data acceptable
934 	 *   1   application data can be sent and received
935 	 *   2   closing, no application data can be sent, but some
936 	 *       can still be received (and discarded)
937 	 */
938 	unsigned char application_data;
939 
940 	/*
941 	 * Context RNG.
942 	 *
943 	 *   rng_init_done is initially 0. It is set to 1 when the
944 	 *   basic structure of the RNG is set, and 2 when some
945 	 *   entropy has been pushed in. The value 2 marks the RNG
946 	 *   as "properly seeded".
947 	 *
948 	 *   rng_os_rand_done is initially 0. It is set to 1 when
949 	 *   some seeding from the OS or hardware has been attempted.
950 	 */
951 	br_hmac_drbg_context rng;
952 	int rng_init_done;
953 	int rng_os_rand_done;
954 
955 	/*
956 	 * Supported minimum and maximum versions, and cipher suites.
957 	 */
958 	uint16_t version_min;
959 	uint16_t version_max;
960 	uint16_t suites_buf[BR_MAX_CIPHER_SUITES];
961 	unsigned char suites_num;
962 
963 	/*
964 	 * For clients, the server name to send as a SNI extension. For
965 	 * servers, the name received in the SNI extension (if any).
966 	 */
967 	char server_name[256];
968 
969 	/*
970 	 * "Security parameters". These are filled by the handshake
971 	 * handler, and used when switching encryption state.
972 	 */
973 	unsigned char client_random[32];
974 	unsigned char server_random[32];
975 	br_ssl_session_parameters session;
976 
977 	/*
978 	 * ECDHE elements: curve and point from the peer. The server also
979 	 * uses that buffer for the point to send to the client.
980 	 */
981 	unsigned char ecdhe_curve;
982 	unsigned char ecdhe_point[133];
983 	unsigned char ecdhe_point_len;
984 
985 	/*
986 	 * Secure renegotiation (RFC 5746): 'reneg' can be:
987 	 *   0   first handshake (server support is not known)
988 	 *   1   peer does not support secure renegotiation
989 	 *   2   peer supports secure renegotiation
990 	 *
991 	 * The saved_finished buffer contains the client and the
992 	 * server "Finished" values from the last handshake, in
993 	 * that order (12 bytes each).
994 	 */
995 	unsigned char reneg;
996 	unsigned char saved_finished[24];
997 
998 	/*
999 	 * Behavioural flags.
1000 	 */
1001 	uint32_t flags;
1002 
1003 	/*
1004 	 * Context variables for the handshake processor. The 'pad' must
1005 	 * be large enough to accommodate an RSA-encrypted pre-master
1006 	 * secret, or an RSA signature; since we want to support up to
1007 	 * RSA-4096, this means at least 512 bytes. (Other pad usages
1008 	 * require its length to be at least 256.)
1009 	 */
1010 	struct {
1011 		uint32_t *dp;
1012 		uint32_t *rp;
1013 		const unsigned char *ip;
1014 	} cpu;
1015 	uint32_t dp_stack[32];
1016 	uint32_t rp_stack[32];
1017 	unsigned char pad[512];
1018 	unsigned char *hbuf_in, *hbuf_out, *saved_hbuf_out;
1019 	size_t hlen_in, hlen_out;
1020 	void (*hsrun)(void *ctx);
1021 
1022 	/*
1023 	 * The 'action' value communicates OOB information between the
1024 	 * engine and the handshake processor.
1025 	 *
1026 	 * From the engine:
1027 	 *   0  invocation triggered by I/O
1028 	 *   1  invocation triggered by explicit close
1029 	 *   2  invocation triggered by explicit renegotiation
1030 	 */
1031 	unsigned char action;
1032 
1033 	/*
1034 	 * State for alert messages. Value is either 0, or the value of
1035 	 * the alert level byte (level is either 1 for warning, or 2 for
1036 	 * fatal; we convert all other values to 'fatal').
1037 	 */
1038 	unsigned char alert;
1039 
1040 	/*
1041 	 * Closure flags. This flag is set when a close_notify has been
1042 	 * received from the peer.
1043 	 */
1044 	unsigned char close_received;
1045 
1046 	/*
1047 	 * Multi-hasher for the handshake messages. The handshake handler
1048 	 * is responsible for resetting it when appropriate.
1049 	 */
1050 	br_multihash_context mhash;
1051 
1052 	/*
1053 	 * Pointer to the X.509 engine. The engine is supposed to be
1054 	 * already initialized. It is used to validate the peer's
1055 	 * certificate.
1056 	 */
1057 	const br_x509_class **x509ctx;
1058 
1059 	/*
1060 	 * Certificate chain to send. This is used by both client and
1061 	 * server, when they send their respective Certificate messages.
1062 	 * If chain_len is 0, then chain may be NULL.
1063 	 */
1064 	const br_x509_certificate *chain;
1065 	size_t chain_len;
1066 	const unsigned char *cert_cur;
1067 	size_t cert_len;
1068 
1069 	/*
1070 	 * List of supported protocol names (ALPN extension). If unset,
1071 	 * (number of names is 0), then:
1072 	 *  - the client sends no ALPN extension;
1073 	 *  - the server ignores any incoming ALPN extension.
1074 	 *
1075 	 * Otherwise:
1076 	 *  - the client sends an ALPN extension with all the names;
1077 	 *  - the server selects the first protocol in its list that
1078 	 *    the client also supports, or fails (fatal alert 120)
1079 	 *    if the client sends an ALPN extension and there is no
1080 	 *    match.
1081 	 *
1082 	 * The 'selected_protocol' field contains 1+n if the matching
1083 	 * name has index n in the list (the value is 0 if no match was
1084 	 * performed, e.g. the peer did not send an ALPN extension).
1085 	 */
1086 	const char **protocol_names;
1087 	uint16_t protocol_names_num;
1088 	uint16_t selected_protocol;
1089 
1090 	/*
1091 	 * Pointers to implementations; left to NULL for unsupported
1092 	 * functions. For the raw hash functions, implementations are
1093 	 * referenced from the multihasher (mhash field).
1094 	 */
1095 	br_tls_prf_impl prf10;
1096 	br_tls_prf_impl prf_sha256;
1097 	br_tls_prf_impl prf_sha384;
1098 	const br_block_cbcenc_class *iaes_cbcenc;
1099 	const br_block_cbcdec_class *iaes_cbcdec;
1100 	const br_block_ctr_class *iaes_ctr;
1101 	const br_block_ctrcbc_class *iaes_ctrcbc;
1102 	const br_block_cbcenc_class *ides_cbcenc;
1103 	const br_block_cbcdec_class *ides_cbcdec;
1104 	br_ghash ighash;
1105 	br_chacha20_run ichacha;
1106 	br_poly1305_run ipoly;
1107 	const br_sslrec_in_cbc_class *icbc_in;
1108 	const br_sslrec_out_cbc_class *icbc_out;
1109 	const br_sslrec_in_gcm_class *igcm_in;
1110 	const br_sslrec_out_gcm_class *igcm_out;
1111 	const br_sslrec_in_chapol_class *ichapol_in;
1112 	const br_sslrec_out_chapol_class *ichapol_out;
1113 	const br_sslrec_in_ccm_class *iccm_in;
1114 	const br_sslrec_out_ccm_class *iccm_out;
1115 	const br_ec_impl *iec;
1116 	br_rsa_pkcs1_vrfy irsavrfy;
1117 	br_ecdsa_vrfy iecdsa;
1118 #endif
1119 } br_ssl_engine_context;
1120 
1121 /**
1122  * \brief Get currently defined engine behavioural flags.
1123  *
1124  * \param cc   SSL engine context.
1125  * \return  the flags.
1126  */
1127 static inline uint32_t
1128 br_ssl_engine_get_flags(br_ssl_engine_context *cc)
1129 {
1130 	return cc->flags;
1131 }
1132 
1133 /**
1134  * \brief Set all engine behavioural flags.
1135  *
1136  * \param cc      SSL engine context.
1137  * \param flags   new value for all flags.
1138  */
1139 static inline void
1140 br_ssl_engine_set_all_flags(br_ssl_engine_context *cc, uint32_t flags)
1141 {
1142 	cc->flags = flags;
1143 }
1144 
1145 /**
1146  * \brief Set some engine behavioural flags.
1147  *
1148  * The flags set in the `flags` parameter are set in the context; other
1149  * flags are untouched.
1150  *
1151  * \param cc      SSL engine context.
1152  * \param flags   additional set flags.
1153  */
1154 static inline void
1155 br_ssl_engine_add_flags(br_ssl_engine_context *cc, uint32_t flags)
1156 {
1157 	cc->flags |= flags;
1158 }
1159 
1160 /**
1161  * \brief Clear some engine behavioural flags.
1162  *
1163  * The flags set in the `flags` parameter are cleared from the context; other
1164  * flags are untouched.
1165  *
1166  * \param cc      SSL engine context.
1167  * \param flags   flags to remove.
1168  */
1169 static inline void
1170 br_ssl_engine_remove_flags(br_ssl_engine_context *cc, uint32_t flags)
1171 {
1172 	cc->flags &= ~flags;
1173 }
1174 
1175 /**
1176  * \brief Behavioural flag: enforce server preferences.
1177  *
1178  * If this flag is set, then the server will enforce its own cipher suite
1179  * preference order; otherwise, it follows the client preferences.
1180  */
1181 #define BR_OPT_ENFORCE_SERVER_PREFERENCES      ((uint32_t)1 << 0)
1182 
1183 /**
1184  * \brief Behavioural flag: disable renegotiation.
1185  *
1186  * If this flag is set, then renegotiations are rejected unconditionally:
1187  * they won't be honoured if asked for programmatically, and requests from
1188  * the peer are rejected.
1189  */
1190 #define BR_OPT_NO_RENEGOTIATION                ((uint32_t)1 << 1)
1191 
1192 /**
1193  * \brief Behavioural flag: tolerate lack of client authentication.
1194  *
1195  * If this flag is set in a server and the server requests a client
1196  * certificate, but the authentication fails (the client does not send
1197  * a certificate, or the client's certificate chain cannot be validated),
1198  * then the connection keeps on. Without this flag, a failed client
1199  * authentication terminates the connection.
1200  *
1201  * Notes:
1202  *
1203  *   - If the client's certificate can be validated and its public key is
1204  *     supported, then a wrong signature value terminates the connection
1205  *     regardless of that flag.
1206  *
1207  *   - If using full-static ECDH, then a failure to validate the client's
1208  *     certificate prevents the handshake from succeeding.
1209  */
1210 #define BR_OPT_TOLERATE_NO_CLIENT_AUTH         ((uint32_t)1 << 2)
1211 
1212 /**
1213  * \brief Behavioural flag: fail on application protocol mismatch.
1214  *
1215  * The ALPN extension ([RFC 7301](https://tools.ietf.org/html/rfc7301))
1216  * allows the client to send a list of application protocol names, and
1217  * the server to select one. A mismatch is one of the following occurrences:
1218  *
1219  *   - On the client: the client sends a list of names, the server
1220  *     responds with a protocol name which is _not_ part of the list of
1221  *     names sent by the client.
1222  *
1223  *   - On the server: the client sends a list of names, and the server
1224  *     is also configured with a list of names, but there is no common
1225  *     protocol name between the two lists.
1226  *
1227  * Normal behaviour in case of mismatch is to report no matching name
1228  * (`br_ssl_engine_get_selected_protocol()` returns `NULL`) and carry on.
1229  * If the flag is set, then a mismatch implies a protocol failure (if
1230  * the mismatch is detected by the server, it will send a fatal alert).
1231  *
1232  * Note: even with this flag, `br_ssl_engine_get_selected_protocol()`
1233  * may still return `NULL` if the client or the server does not send an
1234  * ALPN extension at all.
1235  */
1236 #define BR_OPT_FAIL_ON_ALPN_MISMATCH           ((uint32_t)1 << 3)
1237 
1238 /**
1239  * \brief Set the minimum and maximum supported protocol versions.
1240  *
1241  * The two provided versions MUST be supported by the implementation
1242  * (i.e. TLS 1.0, 1.1 and 1.2), and `version_max` MUST NOT be lower
1243  * than `version_min`.
1244  *
1245  * \param cc            SSL engine context.
1246  * \param version_min   minimum supported TLS version.
1247  * \param version_max   maximum supported TLS version.
1248  */
1249 static inline void
1250 br_ssl_engine_set_versions(br_ssl_engine_context *cc,
1251 	unsigned version_min, unsigned version_max)
1252 {
1253 	cc->version_min = (uint16_t)version_min;
1254 	cc->version_max = (uint16_t)version_max;
1255 }
1256 
1257 /**
1258  * \brief Set the list of cipher suites advertised by this context.
1259  *
1260  * The provided array is copied into the context. It is the caller
1261  * responsibility to ensure that all provided suites will be supported
1262  * by the context. The engine context has enough room to receive _all_
1263  * suites supported by the implementation. The provided array MUST NOT
1264  * contain duplicates.
1265  *
1266  * If the engine is for a client, the "signaling" pseudo-cipher suite
1267  * `TLS_FALLBACK_SCSV` can be added at the end of the list, if the
1268  * calling application is performing a voluntary downgrade (voluntary
1269  * downgrades are not recommended, but if such a downgrade is done, then
1270  * adding the fallback pseudo-suite is a good idea).
1271  *
1272  * \param cc           SSL engine context.
1273  * \param suites       cipher suites.
1274  * \param suites_num   number of cipher suites.
1275  */
1276 void br_ssl_engine_set_suites(br_ssl_engine_context *cc,
1277 	const uint16_t *suites, size_t suites_num);
1278 
1279 /**
1280  * \brief Set the X.509 engine.
1281  *
1282  * The caller shall ensure that the X.509 engine is properly initialised.
1283  *
1284  * \param cc        SSL engine context.
1285  * \param x509ctx   X.509 certificate validation context.
1286  */
1287 static inline void
1288 br_ssl_engine_set_x509(br_ssl_engine_context *cc, const br_x509_class **x509ctx)
1289 {
1290 	cc->x509ctx = x509ctx;
1291 }
1292 
1293 /**
1294  * \brief Set the supported protocol names.
1295  *
1296  * Protocol names are part of the ALPN extension ([RFC
1297  * 7301](https://tools.ietf.org/html/rfc7301)). Each protocol name is a
1298  * character string, containing no more than 255 characters (256 with the
1299  * terminating zero). When names are set, then:
1300  *
1301  *   - The client will send an ALPN extension, containing the names. If
1302  *     the server responds with an ALPN extension, the client will verify
1303  *     that the response contains one of its name, and report that name
1304  *     through `br_ssl_engine_get_selected_protocol()`.
1305  *
1306  *   - The server will parse incoming ALPN extension (from clients), and
1307  *     try to find a common protocol; if none is found, the connection
1308  *     is aborted with a fatal alert. On match, a response ALPN extension
1309  *     is sent, and name is reported through
1310  *     `br_ssl_engine_get_selected_protocol()`.
1311  *
1312  * The provided array is linked in, and must remain valid while the
1313  * connection is live.
1314  *
1315  * Names MUST NOT be empty. Names MUST NOT be longer than 255 characters
1316  * (excluding the terminating 0).
1317  *
1318  * \param ctx     SSL engine context.
1319  * \param names   list of protocol names (zero-terminated).
1320  * \param num     number of protocol names (MUST be 1 or more).
1321  */
1322 static inline void
1323 br_ssl_engine_set_protocol_names(br_ssl_engine_context *ctx,
1324 	const char **names, size_t num)
1325 {
1326 	ctx->protocol_names = names;
1327 	ctx->protocol_names_num = (uint16_t)num;
1328 }
1329 
1330 /**
1331  * \brief Get the selected protocol.
1332  *
1333  * If this context was initialised with a non-empty list of protocol
1334  * names, and both client and server sent ALPN extensions during the
1335  * handshake, and a common name was found, then that name is returned.
1336  * Otherwise, `NULL` is returned.
1337  *
1338  * The returned pointer is one of the pointers provided to the context
1339  * with `br_ssl_engine_set_protocol_names()`.
1340  *
1341  * \return  the selected protocol, or `NULL`.
1342  */
1343 static inline const char *
1344 br_ssl_engine_get_selected_protocol(br_ssl_engine_context *ctx)
1345 {
1346 	unsigned k;
1347 
1348 	k = ctx->selected_protocol;
1349 	return (k == 0 || k == 0xFFFF) ? NULL : ctx->protocol_names[k - 1];
1350 }
1351 
1352 /**
1353  * \brief Set a hash function implementation (by ID).
1354  *
1355  * Hash functions set with this call will be used for SSL/TLS specific
1356  * usages, not X.509 certificate validation. Only "standard" hash functions
1357  * may be set (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). If `impl`
1358  * is `NULL`, then the hash function support is removed, not added.
1359  *
1360  * \param ctx    SSL engine context.
1361  * \param id     hash function identifier.
1362  * \param impl   hash function implementation (or `NULL`).
1363  */
1364 static inline void
1365 br_ssl_engine_set_hash(br_ssl_engine_context *ctx,
1366 	int id, const br_hash_class *impl)
1367 {
1368 	br_multihash_setimpl(&ctx->mhash, id, impl);
1369 }
1370 
1371 /**
1372  * \brief Get a hash function implementation (by ID).
1373  *
1374  * This function retrieves a hash function implementation which was
1375  * set with `br_ssl_engine_set_hash()`.
1376  *
1377  * \param ctx   SSL engine context.
1378  * \param id    hash function identifier.
1379  * \return  the hash function implementation (or `NULL`).
1380  */
1381 static inline const br_hash_class *
1382 br_ssl_engine_get_hash(br_ssl_engine_context *ctx, int id)
1383 {
1384 	return br_multihash_getimpl(&ctx->mhash, id);
1385 }
1386 
1387 /**
1388  * \brief Set the PRF implementation (for TLS 1.0 and 1.1).
1389  *
1390  * This function sets (or removes, if `impl` is `NULL`) the implementation
1391  * for the PRF used in TLS 1.0 and 1.1.
1392  *
1393  * \param cc     SSL engine context.
1394  * \param impl   PRF implementation (or `NULL`).
1395  */
1396 static inline void
1397 br_ssl_engine_set_prf10(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1398 {
1399 	cc->prf10 = impl;
1400 }
1401 
1402 /**
1403  * \brief Set the PRF implementation with SHA-256 (for TLS 1.2).
1404  *
1405  * This function sets (or removes, if `impl` is `NULL`) the implementation
1406  * for the SHA-256 variant of the PRF used in TLS 1.2.
1407  *
1408  * \param cc     SSL engine context.
1409  * \param impl   PRF implementation (or `NULL`).
1410  */
1411 static inline void
1412 br_ssl_engine_set_prf_sha256(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1413 {
1414 	cc->prf_sha256 = impl;
1415 }
1416 
1417 /**
1418  * \brief Set the PRF implementation with SHA-384 (for TLS 1.2).
1419  *
1420  * This function sets (or removes, if `impl` is `NULL`) the implementation
1421  * for the SHA-384 variant of the PRF used in TLS 1.2.
1422  *
1423  * \param cc     SSL engine context.
1424  * \param impl   PRF implementation (or `NULL`).
1425  */
1426 static inline void
1427 br_ssl_engine_set_prf_sha384(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1428 {
1429 	cc->prf_sha384 = impl;
1430 }
1431 
1432 /**
1433  * \brief Set the AES/CBC implementations.
1434  *
1435  * \param cc         SSL engine context.
1436  * \param impl_enc   AES/CBC encryption implementation (or `NULL`).
1437  * \param impl_dec   AES/CBC decryption implementation (or `NULL`).
1438  */
1439 static inline void
1440 br_ssl_engine_set_aes_cbc(br_ssl_engine_context *cc,
1441 	const br_block_cbcenc_class *impl_enc,
1442 	const br_block_cbcdec_class *impl_dec)
1443 {
1444 	cc->iaes_cbcenc = impl_enc;
1445 	cc->iaes_cbcdec = impl_dec;
1446 }
1447 
1448 /**
1449  * \brief Set the "default" AES/CBC implementations.
1450  *
1451  * This function configures in the engine the AES implementations that
1452  * should provide best runtime performance on the local system, while
1453  * still being safe (in particular, constant-time). It also sets the
1454  * handlers for CBC records.
1455  *
1456  * \param cc   SSL engine context.
1457  */
1458 void br_ssl_engine_set_default_aes_cbc(br_ssl_engine_context *cc);
1459 
1460 /**
1461  * \brief Set the AES/CTR implementation.
1462  *
1463  * \param cc     SSL engine context.
1464  * \param impl   AES/CTR encryption/decryption implementation (or `NULL`).
1465  */
1466 static inline void
1467 br_ssl_engine_set_aes_ctr(br_ssl_engine_context *cc,
1468 	const br_block_ctr_class *impl)
1469 {
1470 	cc->iaes_ctr = impl;
1471 }
1472 
1473 /**
1474  * \brief Set the "default" implementations for AES/GCM (AES/CTR + GHASH).
1475  *
1476  * This function configures in the engine the AES/CTR and GHASH
1477  * implementation that should provide best runtime performance on the local
1478  * system, while still being safe (in particular, constant-time). It also
1479  * sets the handlers for GCM records.
1480  *
1481  * \param cc   SSL engine context.
1482  */
1483 void br_ssl_engine_set_default_aes_gcm(br_ssl_engine_context *cc);
1484 
1485 /**
1486  * \brief Set the DES/CBC implementations.
1487  *
1488  * \param cc         SSL engine context.
1489  * \param impl_enc   DES/CBC encryption implementation (or `NULL`).
1490  * \param impl_dec   DES/CBC decryption implementation (or `NULL`).
1491  */
1492 static inline void
1493 br_ssl_engine_set_des_cbc(br_ssl_engine_context *cc,
1494 	const br_block_cbcenc_class *impl_enc,
1495 	const br_block_cbcdec_class *impl_dec)
1496 {
1497 	cc->ides_cbcenc = impl_enc;
1498 	cc->ides_cbcdec = impl_dec;
1499 }
1500 
1501 /**
1502  * \brief Set the "default" DES/CBC implementations.
1503  *
1504  * This function configures in the engine the DES implementations that
1505  * should provide best runtime performance on the local system, while
1506  * still being safe (in particular, constant-time). It also sets the
1507  * handlers for CBC records.
1508  *
1509  * \param cc   SSL engine context.
1510  */
1511 void br_ssl_engine_set_default_des_cbc(br_ssl_engine_context *cc);
1512 
1513 /**
1514  * \brief Set the GHASH implementation (used in GCM mode).
1515  *
1516  * \param cc     SSL engine context.
1517  * \param impl   GHASH implementation (or `NULL`).
1518  */
1519 static inline void
1520 br_ssl_engine_set_ghash(br_ssl_engine_context *cc, br_ghash impl)
1521 {
1522 	cc->ighash = impl;
1523 }
1524 
1525 /**
1526  * \brief Set the ChaCha20 implementation.
1527  *
1528  * \param cc        SSL engine context.
1529  * \param ichacha   ChaCha20 implementation (or `NULL`).
1530  */
1531 static inline void
1532 br_ssl_engine_set_chacha20(br_ssl_engine_context *cc,
1533 	br_chacha20_run ichacha)
1534 {
1535 	cc->ichacha = ichacha;
1536 }
1537 
1538 /**
1539  * \brief Set the Poly1305 implementation.
1540  *
1541  * \param cc      SSL engine context.
1542  * \param ipoly   Poly1305 implementation (or `NULL`).
1543  */
1544 static inline void
1545 br_ssl_engine_set_poly1305(br_ssl_engine_context *cc,
1546 	br_poly1305_run ipoly)
1547 {
1548 	cc->ipoly = ipoly;
1549 }
1550 
1551 /**
1552  * \brief Set the "default" ChaCha20 and Poly1305 implementations.
1553  *
1554  * This function configures in the engine the ChaCha20 and Poly1305
1555  * implementations that should provide best runtime performance on the
1556  * local system, while still being safe (in particular, constant-time).
1557  * It also sets the handlers for ChaCha20+Poly1305 records.
1558  *
1559  * \param cc   SSL engine context.
1560  */
1561 void br_ssl_engine_set_default_chapol(br_ssl_engine_context *cc);
1562 
1563 /**
1564  * \brief Set the AES/CTR+CBC implementation.
1565  *
1566  * \param cc     SSL engine context.
1567  * \param impl   AES/CTR+CBC encryption/decryption implementation (or `NULL`).
1568  */
1569 static inline void
1570 br_ssl_engine_set_aes_ctrcbc(br_ssl_engine_context *cc,
1571 	const br_block_ctrcbc_class *impl)
1572 {
1573 	cc->iaes_ctrcbc = impl;
1574 }
1575 
1576 /**
1577  * \brief Set the "default" implementations for AES/CCM.
1578  *
1579  * This function configures in the engine the AES/CTR+CBC
1580  * implementation that should provide best runtime performance on the local
1581  * system, while still being safe (in particular, constant-time). It also
1582  * sets the handlers for CCM records.
1583  *
1584  * \param cc   SSL engine context.
1585  */
1586 void br_ssl_engine_set_default_aes_ccm(br_ssl_engine_context *cc);
1587 
1588 /**
1589  * \brief Set the record encryption and decryption engines for CBC + HMAC.
1590  *
1591  * \param cc         SSL engine context.
1592  * \param impl_in    record CBC decryption implementation (or `NULL`).
1593  * \param impl_out   record CBC encryption implementation (or `NULL`).
1594  */
1595 static inline void
1596 br_ssl_engine_set_cbc(br_ssl_engine_context *cc,
1597 	const br_sslrec_in_cbc_class *impl_in,
1598 	const br_sslrec_out_cbc_class *impl_out)
1599 {
1600 	cc->icbc_in = impl_in;
1601 	cc->icbc_out = impl_out;
1602 }
1603 
1604 /**
1605  * \brief Set the record encryption and decryption engines for GCM.
1606  *
1607  * \param cc         SSL engine context.
1608  * \param impl_in    record GCM decryption implementation (or `NULL`).
1609  * \param impl_out   record GCM encryption implementation (or `NULL`).
1610  */
1611 static inline void
1612 br_ssl_engine_set_gcm(br_ssl_engine_context *cc,
1613 	const br_sslrec_in_gcm_class *impl_in,
1614 	const br_sslrec_out_gcm_class *impl_out)
1615 {
1616 	cc->igcm_in = impl_in;
1617 	cc->igcm_out = impl_out;
1618 }
1619 
1620 /**
1621  * \brief Set the record encryption and decryption engines for CCM.
1622  *
1623  * \param cc         SSL engine context.
1624  * \param impl_in    record CCM decryption implementation (or `NULL`).
1625  * \param impl_out   record CCM encryption implementation (or `NULL`).
1626  */
1627 static inline void
1628 br_ssl_engine_set_ccm(br_ssl_engine_context *cc,
1629 	const br_sslrec_in_ccm_class *impl_in,
1630 	const br_sslrec_out_ccm_class *impl_out)
1631 {
1632 	cc->iccm_in = impl_in;
1633 	cc->iccm_out = impl_out;
1634 }
1635 
1636 /**
1637  * \brief Set the record encryption and decryption engines for
1638  * ChaCha20+Poly1305.
1639  *
1640  * \param cc         SSL engine context.
1641  * \param impl_in    record ChaCha20 decryption implementation (or `NULL`).
1642  * \param impl_out   record ChaCha20 encryption implementation (or `NULL`).
1643  */
1644 static inline void
1645 br_ssl_engine_set_chapol(br_ssl_engine_context *cc,
1646 	const br_sslrec_in_chapol_class *impl_in,
1647 	const br_sslrec_out_chapol_class *impl_out)
1648 {
1649 	cc->ichapol_in = impl_in;
1650 	cc->ichapol_out = impl_out;
1651 }
1652 
1653 /**
1654  * \brief Set the EC implementation.
1655  *
1656  * The elliptic curve implementation will be used for ECDH and ECDHE
1657  * cipher suites, and for ECDSA support.
1658  *
1659  * \param cc    SSL engine context.
1660  * \param iec   EC implementation (or `NULL`).
1661  */
1662 static inline void
1663 br_ssl_engine_set_ec(br_ssl_engine_context *cc, const br_ec_impl *iec)
1664 {
1665 	cc->iec = iec;
1666 }
1667 
1668 /**
1669  * \brief Set the "default" EC implementation.
1670  *
1671  * This function sets the elliptic curve implementation for ECDH and
1672  * ECDHE cipher suites, and for ECDSA support. It selects the fastest
1673  * implementation on the current system.
1674  *
1675  * \param cc   SSL engine context.
1676  */
1677 void br_ssl_engine_set_default_ec(br_ssl_engine_context *cc);
1678 
1679 /**
1680  * \brief Get the EC implementation configured in the provided engine.
1681  *
1682  * \param cc   SSL engine context.
1683  * \return  the EC implementation.
1684  */
1685 static inline const br_ec_impl *
1686 br_ssl_engine_get_ec(br_ssl_engine_context *cc)
1687 {
1688 	return cc->iec;
1689 }
1690 
1691 /**
1692  * \brief Set the RSA signature verification implementation.
1693  *
1694  * On the client, this is used to verify the server's signature on its
1695  * ServerKeyExchange message (for ECDHE_RSA cipher suites). On the server,
1696  * this is used to verify the client's CertificateVerify message (if a
1697  * client certificate is requested, and that certificate contains a RSA key).
1698  *
1699  * \param cc         SSL engine context.
1700  * \param irsavrfy   RSA signature verification implementation.
1701  */
1702 static inline void
1703 br_ssl_engine_set_rsavrfy(br_ssl_engine_context *cc, br_rsa_pkcs1_vrfy irsavrfy)
1704 {
1705 	cc->irsavrfy = irsavrfy;
1706 }
1707 
1708 /**
1709  * \brief Set the "default" RSA implementation (signature verification).
1710  *
1711  * This function sets the RSA implementation (signature verification)
1712  * to the fastest implementation available on the current platform.
1713  *
1714  * \param cc   SSL engine context.
1715  */
1716 void br_ssl_engine_set_default_rsavrfy(br_ssl_engine_context *cc);
1717 
1718 /**
1719  * \brief Get the RSA implementation (signature verification) configured
1720  * in the provided engine.
1721  *
1722  * \param cc   SSL engine context.
1723  * \return  the RSA signature verification implementation.
1724  */
1725 static inline br_rsa_pkcs1_vrfy
1726 br_ssl_engine_get_rsavrfy(br_ssl_engine_context *cc)
1727 {
1728 	return cc->irsavrfy;
1729 }
1730 
1731 /*
1732  * \brief Set the ECDSA implementation (signature verification).
1733  *
1734  * On the client, this is used to verify the server's signature on its
1735  * ServerKeyExchange message (for ECDHE_ECDSA cipher suites). On the server,
1736  * this is used to verify the client's CertificateVerify message (if a
1737  * client certificate is requested, that certificate contains an EC key,
1738  * and full-static ECDH is not used).
1739  *
1740  * The ECDSA implementation will use the EC core implementation configured
1741  * in the engine context.
1742  *
1743  * \param cc       client context.
1744  * \param iecdsa   ECDSA verification implementation.
1745  */
1746 static inline void
1747 br_ssl_engine_set_ecdsa(br_ssl_engine_context *cc, br_ecdsa_vrfy iecdsa)
1748 {
1749 	cc->iecdsa = iecdsa;
1750 }
1751 
1752 /**
1753  * \brief Set the "default" ECDSA implementation (signature verification).
1754  *
1755  * This function sets the ECDSA implementation (signature verification)
1756  * to the fastest implementation available on the current platform. This
1757  * call also sets the elliptic curve implementation itself, there again
1758  * to the fastest EC implementation available.
1759  *
1760  * \param cc   SSL engine context.
1761  */
1762 void br_ssl_engine_set_default_ecdsa(br_ssl_engine_context *cc);
1763 
1764 /**
1765  * \brief Get the ECDSA implementation (signature verification) configured
1766  * in the provided engine.
1767  *
1768  * \param cc   SSL engine context.
1769  * \return  the ECDSA signature verification implementation.
1770  */
1771 static inline br_ecdsa_vrfy
1772 br_ssl_engine_get_ecdsa(br_ssl_engine_context *cc)
1773 {
1774 	return cc->iecdsa;
1775 }
1776 
1777 /**
1778  * \brief Set the I/O buffer for the SSL engine.
1779  *
1780  * Once this call has been made, `br_ssl_client_reset()` or
1781  * `br_ssl_server_reset()` MUST be called before using the context.
1782  *
1783  * The provided buffer will be used as long as the engine context is
1784  * used. The caller is responsible for keeping it available.
1785  *
1786  * If `bidi` is 0, then the engine will operate in half-duplex mode
1787  * (it won't be able to send data while there is unprocessed incoming
1788  * data in the buffer, and it won't be able to receive data while there
1789  * is unsent data in the buffer). The optimal buffer size in half-duplex
1790  * mode is `BR_SSL_BUFSIZE_MONO`; if the buffer is larger, then extra
1791  * bytes are ignored. If the buffer is smaller, then this limits the
1792  * capacity of the engine to support all allowed record sizes.
1793  *
1794  * If `bidi` is 1, then the engine will split the buffer into two
1795  * parts, for separate handling of outgoing and incoming data. This
1796  * enables full-duplex processing, but requires more RAM. The optimal
1797  * buffer size in full-duplex mode is `BR_SSL_BUFSIZE_BIDI`; if the
1798  * buffer is larger, then extra bytes are ignored. If the buffer is
1799  * smaller, then the split will favour the incoming part, so that
1800  * interoperability is maximised.
1801  *
1802  * \param cc          SSL engine context
1803  * \param iobuf       I/O buffer.
1804  * \param iobuf_len   I/O buffer length (in bytes).
1805  * \param bidi        non-zero for full-duplex mode.
1806  */
1807 void br_ssl_engine_set_buffer(br_ssl_engine_context *cc,
1808 	void *iobuf, size_t iobuf_len, int bidi);
1809 
1810 /**
1811  * \brief Set the I/O buffers for the SSL engine.
1812  *
1813  * Once this call has been made, `br_ssl_client_reset()` or
1814  * `br_ssl_server_reset()` MUST be called before using the context.
1815  *
1816  * This function is similar to `br_ssl_engine_set_buffer()`, except
1817  * that it enforces full-duplex mode, and the two I/O buffers are
1818  * provided as separate chunks.
1819  *
1820  * The macros `BR_SSL_BUFSIZE_INPUT` and `BR_SSL_BUFSIZE_OUTPUT`
1821  * evaluate to the optimal (maximum) sizes for the input and output
1822  * buffer, respectively.
1823  *
1824  * \param cc         SSL engine context
1825  * \param ibuf       input buffer.
1826  * \param ibuf_len   input buffer length (in bytes).
1827  * \param obuf       output buffer.
1828  * \param obuf_len   output buffer length (in bytes).
1829  */
1830 void br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *cc,
1831 	void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len);
1832 
1833 /**
1834  * \brief Inject some "initial entropy" in the context.
1835  *
1836  * This entropy will be added to what can be obtained from the
1837  * underlying operating system, if that OS is supported.
1838  *
1839  * This function may be called several times; all injected entropy chunks
1840  * are cumulatively mixed.
1841  *
1842  * If entropy gathering from the OS is supported and compiled in, then this
1843  * step is optional. Otherwise, it is mandatory to inject randomness, and
1844  * the caller MUST take care to push (as one or several successive calls)
1845  * enough entropy to achieve cryptographic resistance (at least 80 bits,
1846  * preferably 128 or more). The engine will report an error if no entropy
1847  * was provided and none can be obtained from the OS.
1848  *
1849  * Take care that this function cannot assess the cryptographic quality of
1850  * the provided bytes.
1851  *
1852  * In all generality, "entropy" must here be considered to mean "that
1853  * which the attacker cannot predict". If your OS/architecture does not
1854  * have a suitable source of randomness, then you can make do with the
1855  * combination of a large enough secret value (possibly a copy of an
1856  * asymmetric private key that you also store on the system) AND a
1857  * non-repeating value (e.g. current time, provided that the local clock
1858  * cannot be reset or altered by the attacker).
1859  *
1860  * \param cc     SSL engine context.
1861  * \param data   extra entropy to inject.
1862  * \param len    length of the extra data (in bytes).
1863  */
1864 void br_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
1865 	const void *data, size_t len);
1866 
1867 /**
1868  * \brief Get the "server name" in this engine.
1869  *
1870  * For clients, this is the name provided with `br_ssl_client_reset()`;
1871  * for servers, this is the name received from the client as part of the
1872  * ClientHello message. If there is no such name (e.g. the client did
1873  * not send an SNI extension) then the returned string is empty
1874  * (returned pointer points to a byte of value 0).
1875  *
1876  * The returned pointer refers to a buffer inside the context, which may
1877  * be overwritten as part of normal SSL activity (even within the same
1878  * connection, if a renegotiation occurs).
1879  *
1880  * \param cc   SSL engine context.
1881  * \return  the server name (possibly empty).
1882  */
1883 static inline const char *
1884 br_ssl_engine_get_server_name(const br_ssl_engine_context *cc)
1885 {
1886 	return cc->server_name;
1887 }
1888 
1889 /**
1890  * \brief Get the protocol version.
1891  *
1892  * This function returns the protocol version that is used by the
1893  * engine. That value is set after sending (for a server) or receiving
1894  * (for a client) the ServerHello message.
1895  *
1896  * \param cc   SSL engine context.
1897  * \return  the protocol version.
1898  */
1899 static inline unsigned
1900 br_ssl_engine_get_version(const br_ssl_engine_context *cc)
1901 {
1902 	return cc->session.version;
1903 }
1904 
1905 /**
1906  * \brief Get a copy of the session parameters.
1907  *
1908  * The session parameters are filled during the handshake, so this
1909  * function shall not be called before completion of the handshake.
1910  * The initial handshake is completed when the context first allows
1911  * application data to be injected.
1912  *
1913  * This function copies the current session parameters into the provided
1914  * structure. Beware that the session parameters include the master
1915  * secret, which is sensitive data, to handle with great care.
1916  *
1917  * \param cc   SSL engine context.
1918  * \param pp   destination structure for the session parameters.
1919  */
1920 static inline void
1921 br_ssl_engine_get_session_parameters(const br_ssl_engine_context *cc,
1922 	br_ssl_session_parameters *pp)
1923 {
1924 	memcpy(pp, &cc->session, sizeof *pp);
1925 }
1926 
1927 /**
1928  * \brief Set the session parameters to the provided values.
1929  *
1930  * This function is meant to be used in the client, before doing a new
1931  * handshake; a session resumption will be attempted with these
1932  * parameters. In the server, this function has no effect.
1933  *
1934  * \param cc   SSL engine context.
1935  * \param pp   source structure for the session parameters.
1936  */
1937 static inline void
1938 br_ssl_engine_set_session_parameters(br_ssl_engine_context *cc,
1939 	const br_ssl_session_parameters *pp)
1940 {
1941 	memcpy(&cc->session, pp, sizeof *pp);
1942 }
1943 
1944 /**
1945  * \brief Get identifier for the curve used for key exchange.
1946  *
1947  * If the cipher suite uses ECDHE, then this function returns the
1948  * identifier for the curve used for transient parameters. This is
1949  * defined during the course of the handshake, when the ServerKeyExchange
1950  * is sent (on the server) or received (on the client). If the
1951  * cipher suite does not use ECDHE (e.g. static ECDH, or RSA key
1952  * exchange), then this value is indeterminate.
1953  *
1954  * @param cc   SSL engine context.
1955  * @return  the ECDHE curve identifier.
1956  */
1957 static inline int
1958 br_ssl_engine_get_ecdhe_curve(br_ssl_engine_context *cc)
1959 {
1960 	return cc->ecdhe_curve;
1961 }
1962 
1963 /**
1964  * \brief Get the current engine state.
1965  *
1966  * An SSL engine (client or server) has, at any time, a state which is
1967  * the combination of zero, one or more of these flags:
1968  *
1969  *   - `BR_SSL_CLOSED`
1970  *
1971  *     Engine is finished, no more I/O (until next reset).
1972  *
1973  *   - `BR_SSL_SENDREC`
1974  *
1975  *     Engine has some bytes to send to the peer.
1976  *
1977  *   - `BR_SSL_RECVREC`
1978  *
1979  *     Engine expects some bytes from the peer.
1980  *
1981  *   - `BR_SSL_SENDAPP`
1982  *
1983  *     Engine may receive application data to send (or flush).
1984  *
1985  *   - `BR_SSL_RECVAPP`
1986  *
1987  *     Engine has obtained some application data from the peer,
1988  *     that should be read by the caller.
1989  *
1990  * If no flag at all is set (state value is 0), then the engine is not
1991  * fully initialised yet.
1992  *
1993  * The `BR_SSL_CLOSED` flag is exclusive; when it is set, no other flag
1994  * is set. To distinguish between a normal closure and an error, use
1995  * `br_ssl_engine_last_error()`.
1996  *
1997  * Generally speaking, `BR_SSL_SENDREC` and `BR_SSL_SENDAPP` are mutually
1998  * exclusive: the input buffer, at any point, either accumulates
1999  * plaintext data, or contains an assembled record that is being sent.
2000  * Similarly, `BR_SSL_RECVREC` and `BR_SSL_RECVAPP` are mutually exclusive.
2001  * This may change in a future library version.
2002  *
2003  * \param cc   SSL engine context.
2004  * \return  the current engine state.
2005  */
2006 unsigned br_ssl_engine_current_state(const br_ssl_engine_context *cc);
2007 
2008 /** \brief SSL engine state: closed or failed. */
2009 #define BR_SSL_CLOSED    0x0001
2010 /** \brief SSL engine state: record data is ready to be sent to the peer. */
2011 #define BR_SSL_SENDREC   0x0002
2012 /** \brief SSL engine state: engine may receive records from the peer. */
2013 #define BR_SSL_RECVREC   0x0004
2014 /** \brief SSL engine state: engine may accept application data to send. */
2015 #define BR_SSL_SENDAPP   0x0008
2016 /** \brief SSL engine state: engine has received application data. */
2017 #define BR_SSL_RECVAPP   0x0010
2018 
2019 /**
2020  * \brief Get the engine error indicator.
2021  *
2022  * The error indicator is `BR_ERR_OK` (0) if no error was encountered
2023  * since the last call to `br_ssl_client_reset()` or
2024  * `br_ssl_server_reset()`. Other status values are "sticky": they
2025  * remain set, and prevent all I/O activity, until cleared. Only the
2026  * reset calls clear the error indicator.
2027  *
2028  * \param cc   SSL engine context.
2029  * \return  0, or a non-zero error code.
2030  */
2031 static inline int
2032 br_ssl_engine_last_error(const br_ssl_engine_context *cc)
2033 {
2034 	return cc->err;
2035 }
2036 
2037 /*
2038  * There are four I/O operations, each identified by a symbolic name:
2039  *
2040  *   sendapp   inject application data in the engine
2041  *   recvapp   retrieving application data from the engine
2042  *   sendrec   sending records on the transport medium
2043  *   recvrec   receiving records from the transport medium
2044  *
2045  * Terminology works thus: in a layered model where the SSL engine sits
2046  * between the application and the network, "send" designates operations
2047  * where bytes flow from application to network, and "recv" for the
2048  * reverse operation. Application data (the plaintext that is to be
2049  * conveyed through SSL) is "app", while encrypted records are "rec".
2050  * Note that from the SSL engine point of view, "sendapp" and "recvrec"
2051  * designate bytes that enter the engine ("inject" operation), while
2052  * "recvapp" and "sendrec" designate bytes that exit the engine
2053  * ("extract" operation).
2054  *
2055  * For the operation 'xxx', two functions are defined:
2056  *
2057  *   br_ssl_engine_xxx_buf
2058  *      Returns a pointer and length to the buffer to use for that
2059  *      operation. '*len' is set to the number of bytes that may be read
2060  *      from the buffer (extract operation) or written to the buffer
2061  *      (inject operation). If no byte may be exchanged for that operation
2062  *      at that point, then '*len' is set to zero, and NULL is returned.
2063  *      The engine state is unmodified by this call.
2064  *
2065  *   br_ssl_engine_xxx_ack
2066  *      Informs the engine that 'len' bytes have been read from the buffer
2067  *      (extract operation) or written to the buffer (inject operation).
2068  *      The 'len' value MUST NOT be zero. The 'len' value MUST NOT exceed
2069  *      that which was obtained from a preceding br_ssl_engine_xxx_buf()
2070  *      call.
2071  */
2072 
2073 /**
2074  * \brief Get buffer for application data to send.
2075  *
2076  * If the engine is ready to accept application data to send to the
2077  * peer, then this call returns a pointer to the buffer where such
2078  * data shall be written, and its length is written in `*len`.
2079  * Otherwise, `*len` is set to 0 and `NULL` is returned.
2080  *
2081  * \param cc    SSL engine context.
2082  * \param len   receives the application data output buffer length, or 0.
2083  * \return  the application data output buffer, or `NULL`.
2084  */
2085 unsigned char *br_ssl_engine_sendapp_buf(
2086 	const br_ssl_engine_context *cc, size_t *len);
2087 
2088 /**
2089  * \brief Inform the engine of some new application data.
2090  *
2091  * After writing `len` bytes in the buffer returned by
2092  * `br_ssl_engine_sendapp_buf()`, the application shall call this
2093  * function to trigger any relevant processing. The `len` parameter
2094  * MUST NOT be 0, and MUST NOT exceed the value obtained in the
2095  * `br_ssl_engine_sendapp_buf()` call.
2096  *
2097  * \param cc    SSL engine context.
2098  * \param len   number of bytes pushed (not zero).
2099  */
2100 void br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len);
2101 
2102 /**
2103  * \brief Get buffer for received application data.
2104  *
2105  * If the engine has received application data from the peer, then this
2106  * call returns a pointer to the buffer from where such data shall be
2107  * read, and its length is written in `*len`. Otherwise, `*len` is set
2108  * to 0 and `NULL` is returned.
2109  *
2110  * \param cc    SSL engine context.
2111  * \param len   receives the application data input buffer length, or 0.
2112  * \return  the application data input buffer, or `NULL`.
2113  */
2114 unsigned char *br_ssl_engine_recvapp_buf(
2115 	const br_ssl_engine_context *cc, size_t *len);
2116 
2117 /**
2118  * \brief Acknowledge some received application data.
2119  *
2120  * After reading `len` bytes from the buffer returned by
2121  * `br_ssl_engine_recvapp_buf()`, the application shall call this
2122  * function to trigger any relevant processing. The `len` parameter
2123  * MUST NOT be 0, and MUST NOT exceed the value obtained in the
2124  * `br_ssl_engine_recvapp_buf()` call.
2125  *
2126  * \param cc    SSL engine context.
2127  * \param len   number of bytes read (not zero).
2128  */
2129 void br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len);
2130 
2131 /**
2132  * \brief Get buffer for record data to send.
2133  *
2134  * If the engine has prepared some records to send to the peer, then this
2135  * call returns a pointer to the buffer from where such data shall be
2136  * read, and its length is written in `*len`. Otherwise, `*len` is set
2137  * to 0 and `NULL` is returned.
2138  *
2139  * \param cc    SSL engine context.
2140  * \param len   receives the record data output buffer length, or 0.
2141  * \return  the record data output buffer, or `NULL`.
2142  */
2143 unsigned char *br_ssl_engine_sendrec_buf(
2144 	const br_ssl_engine_context *cc, size_t *len);
2145 
2146 /**
2147  * \brief Acknowledge some sent record data.
2148  *
2149  * After reading `len` bytes from the buffer returned by
2150  * `br_ssl_engine_sendrec_buf()`, the application shall call this
2151  * function to trigger any relevant processing. The `len` parameter
2152  * MUST NOT be 0, and MUST NOT exceed the value obtained in the
2153  * `br_ssl_engine_sendrec_buf()` call.
2154  *
2155  * \param cc    SSL engine context.
2156  * \param len   number of bytes read (not zero).
2157  */
2158 void br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len);
2159 
2160 /**
2161  * \brief Get buffer for incoming records.
2162  *
2163  * If the engine is ready to accept records from the peer, then this
2164  * call returns a pointer to the buffer where such data shall be
2165  * written, and its length is written in `*len`. Otherwise, `*len` is
2166  * set to 0 and `NULL` is returned.
2167  *
2168  * \param cc    SSL engine context.
2169  * \param len   receives the record data input buffer length, or 0.
2170  * \return  the record data input buffer, or `NULL`.
2171  */
2172 unsigned char *br_ssl_engine_recvrec_buf(
2173 	const br_ssl_engine_context *cc, size_t *len);
2174 
2175 /**
2176  * \brief Inform the engine of some new record data.
2177  *
2178  * After writing `len` bytes in the buffer returned by
2179  * `br_ssl_engine_recvrec_buf()`, the application shall call this
2180  * function to trigger any relevant processing. The `len` parameter
2181  * MUST NOT be 0, and MUST NOT exceed the value obtained in the
2182  * `br_ssl_engine_recvrec_buf()` call.
2183  *
2184  * \param cc    SSL engine context.
2185  * \param len   number of bytes pushed (not zero).
2186  */
2187 void br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len);
2188 
2189 /**
2190  * \brief Flush buffered application data.
2191  *
2192  * If some application data has been buffered in the engine, then wrap
2193  * it into a record and mark it for sending. If no application data has
2194  * been buffered but the engine would be ready to accept some, AND the
2195  * `force` parameter is non-zero, then an empty record is assembled and
2196  * marked for sending. In all other cases, this function does nothing.
2197  *
2198  * Empty records are technically legal, but not all existing SSL/TLS
2199  * implementations support them. Empty records can be useful as a
2200  * transparent "keep-alive" mechanism to maintain some low-level
2201  * network activity.
2202  *
2203  * \param cc      SSL engine context.
2204  * \param force   non-zero to force sending an empty record.
2205  */
2206 void br_ssl_engine_flush(br_ssl_engine_context *cc, int force);
2207 
2208 /**
2209  * \brief Initiate a closure.
2210  *
2211  * If, at that point, the context is open and in ready state, then a
2212  * `close_notify` alert is assembled and marked for sending; this
2213  * triggers the closure protocol. Otherwise, no such alert is assembled.
2214  *
2215  * \param cc   SSL engine context.
2216  */
2217 void br_ssl_engine_close(br_ssl_engine_context *cc);
2218 
2219 /**
2220  * \brief Initiate a renegotiation.
2221  *
2222  * If the engine is failed or closed, or if the peer is known not to
2223  * support secure renegotiation (RFC 5746), or if renegotiations have
2224  * been disabled with the `BR_OPT_NO_RENEGOTIATION` flag, or if there
2225  * is buffered incoming application data, then this function returns 0
2226  * and nothing else happens.
2227  *
2228  * Otherwise, this function returns 1, and a renegotiation attempt is
2229  * triggered (if a handshake is already ongoing at that point, then
2230  * no new handshake is triggered).
2231  *
2232  * \param cc   SSL engine context.
2233  * \return  1 on success, 0 on error.
2234  */
2235 int br_ssl_engine_renegotiate(br_ssl_engine_context *cc);
2236 
2237 /**
2238  * \brief Export key material from a connected SSL engine (RFC 5705).
2239  *
2240  * This calls compute a secret key of arbitrary length from the master
2241  * secret of a connected SSL engine. If the provided context is not
2242  * currently in "application data" state (initial handshake is not
2243  * finished, another handshake is ongoing, or the connection failed or
2244  * was closed), then this function returns 0. Otherwise, a secret key of
2245  * length `len` bytes is computed and written in the buffer pointed to
2246  * by `dst`, and 1 is returned.
2247  *
2248  * The computed key follows the specification described in RFC 5705.
2249  * That RFC includes two key computations, with and without a "context
2250  * value". If `context` is `NULL`, then the variant without context is
2251  * used; otherwise, the `context_len` bytes located at the address
2252  * pointed to by `context` are used in the computation. Note that it
2253  * is possible to have a "with context" key with a context length of
2254  * zero bytes, by setting `context` to a non-`NULL` value but
2255  * `context_len` to 0.
2256  *
2257  * When context bytes are used, the context length MUST NOT exceed
2258  * 65535 bytes.
2259  *
2260  * \param cc            SSL engine context.
2261  * \param dst           destination buffer for exported key.
2262  * \param len           exported key length (in bytes).
2263  * \param label         disambiguation label.
2264  * \param context       context value (or `NULL`).
2265  * \param context_len   context length (in bytes).
2266  * \return  1 on success, 0 on error.
2267  */
2268 int br_ssl_key_export(br_ssl_engine_context *cc,
2269 	void *dst, size_t len, const char *label,
2270 	const void *context, size_t context_len);
2271 
2272 /*
2273  * Pre-declaration for the SSL client context.
2274  */
2275 typedef struct br_ssl_client_context_ br_ssl_client_context;
2276 
2277 /**
2278  * \brief Type for the client certificate, if requested by the server.
2279  */
2280 typedef struct {
2281 	/**
2282 	 * \brief Authentication type.
2283 	 *
2284 	 * This is either `BR_AUTH_RSA` (RSA signature), `BR_AUTH_ECDSA`
2285 	 * (ECDSA signature), or `BR_AUTH_ECDH` (static ECDH key exchange).
2286 	 */
2287 	int auth_type;
2288 
2289 	/**
2290 	 * \brief Hash function for computing the CertificateVerify.
2291 	 *
2292 	 * This is the symbolic identifier for the hash function that
2293 	 * will be used to produce the hash of handshake messages, to
2294 	 * be signed into the CertificateVerify. For full static ECDH
2295 	 * (client and server certificates are both EC in the same
2296 	 * curve, and static ECDH is used), this value is set to -1.
2297 	 *
2298 	 * Take care that with TLS 1.0 and 1.1, that value MUST match
2299 	 * the protocol requirements: value must be 0 (MD5+SHA-1) for
2300 	 * a RSA signature, or 2 (SHA-1) for an ECDSA signature. Only
2301 	 * TLS 1.2 allows for other hash functions.
2302 	 */
2303 	int hash_id;
2304 
2305 	/**
2306 	 * \brief Certificate chain to send to the server.
2307 	 *
2308 	 * This is an array of `br_x509_certificate` objects, each
2309 	 * normally containing a DER-encoded certificate. The client
2310 	 * code does not try to decode these elements. If there is no
2311 	 * chain to send to the server, then this pointer shall be
2312 	 * set to `NULL`.
2313 	 */
2314 	const br_x509_certificate *chain;
2315 
2316 	/**
2317 	 * \brief Certificate chain length (number of certificates).
2318 	 *
2319 	 * If there is no chain to send to the server, then this value
2320 	 * shall be set to 0.
2321 	 */
2322 	size_t chain_len;
2323 
2324 } br_ssl_client_certificate;
2325 
2326 /*
2327  * Note: the constants below for signatures match the TLS constants.
2328  */
2329 
2330 /** \brief Client authentication type: static ECDH. */
2331 #define BR_AUTH_ECDH    0
2332 /** \brief Client authentication type: RSA signature. */
2333 #define BR_AUTH_RSA     1
2334 /** \brief Client authentication type: ECDSA signature. */
2335 #define BR_AUTH_ECDSA   3
2336 
2337 /**
2338  * \brief Class type for a certificate handler (client side).
2339  *
2340  * A certificate handler selects a client certificate chain to send to
2341  * the server, upon explicit request from that server. It receives
2342  * the list of trust anchor DN from the server, and supported types
2343  * of certificates and signatures, and returns the chain to use. It
2344  * is also invoked to perform the corresponding private key operation
2345  * (a signature, or an ECDH computation).
2346  *
2347  * The SSL client engine will first push the trust anchor DN with
2348  * `start_name_list()`, `start_name()`, `append_name()`, `end_name()`
2349  * and `end_name_list()`. Then it will call `choose()`, to select the
2350  * actual chain (and signature/hash algorithms). Finally, it will call
2351  * either `do_sign()` or `do_keyx()`, depending on the algorithm choices.
2352  */
2353 typedef struct br_ssl_client_certificate_class_ br_ssl_client_certificate_class;
2354 struct br_ssl_client_certificate_class_ {
2355 	/**
2356 	 * \brief Context size (in bytes).
2357 	 */
2358 	size_t context_size;
2359 
2360 	/**
2361 	 * \brief Begin reception of a list of trust anchor names. This
2362 	 * is called while parsing the incoming CertificateRequest.
2363 	 *
2364 	 * \param pctx   certificate handler context.
2365 	 */
2366 	void (*start_name_list)(const br_ssl_client_certificate_class **pctx);
2367 
2368 	/**
2369 	 * \brief Begin reception of a new trust anchor name.
2370 	 *
2371 	 * The total encoded name length is provided; it is less than
2372 	 * 65535 bytes.
2373 	 *
2374 	 * \param pctx   certificate handler context.
2375 	 * \param len    encoded name length (in bytes).
2376 	 */
2377 	void (*start_name)(const br_ssl_client_certificate_class **pctx,
2378 		size_t len);
2379 
2380 	/**
2381 	 * \brief Receive some more bytes for the current trust anchor name.
2382 	 *
2383 	 * The provided reference (`data`) points to a transient buffer
2384 	 * they may be reused as soon as this function returns. The chunk
2385 	 * length (`len`) is never zero.
2386 	 *
2387 	 * \param pctx   certificate handler context.
2388 	 * \param data   anchor name chunk.
2389 	 * \param len    anchor name chunk length (in bytes).
2390 	 */
2391 	void (*append_name)(const br_ssl_client_certificate_class **pctx,
2392 		const unsigned char *data, size_t len);
2393 
2394 	/**
2395 	 * \brief End current trust anchor name.
2396 	 *
2397 	 * This function is called when all the encoded anchor name data
2398 	 * has been provided.
2399 	 *
2400 	 * \param pctx   certificate handler context.
2401 	 */
2402 	void (*end_name)(const br_ssl_client_certificate_class **pctx);
2403 
2404 	/**
2405 	 * \brief End list of trust anchor names.
2406 	 *
2407 	 * This function is called when all the anchor names in the
2408 	 * CertificateRequest message have been obtained.
2409 	 *
2410 	 * \param pctx   certificate handler context.
2411 	 */
2412 	void (*end_name_list)(const br_ssl_client_certificate_class **pctx);
2413 
2414 	/**
2415 	 * \brief Select client certificate and algorithms.
2416 	 *
2417 	 * This callback function shall fill the provided `choices`
2418 	 * structure with the selected algorithms and certificate chain.
2419 	 * The `hash_id`, `chain` and `chain_len` fields must be set. If
2420 	 * the client cannot or does not wish to send a certificate,
2421 	 * then it shall set `chain` to `NULL` and `chain_len` to 0.
2422 	 *
2423 	 * The `auth_types` parameter describes the authentication types,
2424 	 * signature algorithms and hash functions that are supported by
2425 	 * both the client context and the server, and compatible with
2426 	 * the current protocol version. This is a bit field with the
2427 	 * following contents:
2428 	 *
2429 	 *   - If RSA signatures with hash function x are supported, then
2430 	 *     bit x is set.
2431 	 *
2432 	 *   - If ECDSA signatures with hash function x are supported,
2433 	 *     then bit 8+x is set.
2434 	 *
2435 	 *   - If static ECDH is supported, with a RSA-signed certificate,
2436 	 *     then bit 16 is set.
2437 	 *
2438 	 *   - If static ECDH is supported, with an ECDSA-signed certificate,
2439 	 *     then bit 17 is set.
2440 	 *
2441 	 * Notes:
2442 	 *
2443 	 *   - When using TLS 1.0 or 1.1, the hash function for RSA
2444 	 *     signatures is always the special MD5+SHA-1 (id 0), and the
2445 	 *     hash function for ECDSA signatures is always SHA-1 (id 2).
2446 	 *
2447 	 *   - When using TLS 1.2, the list of hash functions is trimmed
2448 	 *     down to include only hash functions that the client context
2449 	 *     can support. The actual server list can be obtained with
2450 	 *     `br_ssl_client_get_server_hashes()`; that list may be used
2451 	 *     to select the certificate chain to send to the server.
2452 	 *
2453 	 * \param pctx         certificate handler context.
2454 	 * \param cc           SSL client context.
2455 	 * \param auth_types   supported authentication types and algorithms.
2456 	 * \param choices      destination structure for the policy choices.
2457 	 */
2458 	void (*choose)(const br_ssl_client_certificate_class **pctx,
2459 		const br_ssl_client_context *cc, uint32_t auth_types,
2460 		br_ssl_client_certificate *choices);
2461 
2462 	/**
2463 	 * \brief Perform key exchange (client part).
2464 	 *
2465 	 * This callback is invoked in case of a full static ECDH key
2466 	 * exchange:
2467 	 *
2468 	 *   - the cipher suite uses `ECDH_RSA` or `ECDH_ECDSA`;
2469 	 *
2470 	 *   - the server requests a client certificate;
2471 	 *
2472 	 *   - the client has, and sends, a client certificate that
2473 	 *     uses an EC key in the same curve as the server's key,
2474 	 *     and chooses static ECDH (the `hash_id` field in the choice
2475 	 *     structure was set to -1).
2476 	 *
2477 	 * In that situation, this callback is invoked to compute the
2478 	 * client-side ECDH: the provided `data` (of length `*len` bytes)
2479 	 * is the server's public key point (as decoded from its
2480 	 * certificate), and the client shall multiply that point with
2481 	 * its own private key, and write back the X coordinate of the
2482 	 * resulting point in the same buffer, starting at offset 0.
2483 	 * The `*len` value shall be modified to designate the actual
2484 	 * length of the X coordinate.
2485 	 *
2486 	 * The callback must uphold the following:
2487 	 *
2488 	 *   - If the input array does not have the proper length for
2489 	 *     an encoded curve point, then an error (0) shall be reported.
2490 	 *
2491 	 *   - If the input array has the proper length, then processing
2492 	 *     MUST be constant-time, even if the data is not a valid
2493 	 *     encoded point.
2494 	 *
2495 	 *   - This callback MUST check that the input point is valid.
2496 	 *
2497 	 * Returned value is 1 on success, 0 on error.
2498 	 *
2499 	 * \param pctx   certificate handler context.
2500 	 * \param data   server public key point.
2501 	 * \param len    public key point length / X coordinate length.
2502 	 * \return  1 on success, 0 on error.
2503 	 */
2504 	uint32_t (*do_keyx)(const br_ssl_client_certificate_class **pctx,
2505 		unsigned char *data, size_t *len);
2506 
2507 	/**
2508 	 * \brief Perform a signature (client authentication).
2509 	 *
2510 	 * This callback is invoked when a client certificate was sent,
2511 	 * and static ECDH is not used. It shall compute a signature,
2512 	 * using the client's private key, over the provided hash value
2513 	 * (which is the hash of all previous handshake messages).
2514 	 *
2515 	 * On input, the hash value to sign is in `data`, of size
2516 	 * `hv_len`; the involved hash function is identified by
2517 	 * `hash_id`. The signature shall be computed and written
2518 	 * back into `data`; the total size of that buffer is `len`
2519 	 * bytes.
2520 	 *
2521 	 * This callback shall verify that the signature length does not
2522 	 * exceed `len` bytes, and abstain from writing the signature if
2523 	 * it does not fit.
2524 	 *
2525 	 * For RSA signatures, the `hash_id` may be 0, in which case
2526 	 * this is the special header-less signature specified in TLS 1.0
2527 	 * and 1.1, with a 36-byte hash value. Otherwise, normal PKCS#1
2528 	 * v1.5 signatures shall be computed.
2529 	 *
2530 	 * For ECDSA signatures, the signature value shall use the ASN.1
2531 	 * based encoding.
2532 	 *
2533 	 * Returned value is the signature length (in bytes), or 0 on error.
2534 	 *
2535 	 * \param pctx      certificate handler context.
2536 	 * \param hash_id   hash function identifier.
2537 	 * \param hv_len    hash value length (in bytes).
2538 	 * \param data      input/output buffer (hash value, then signature).
2539 	 * \param len       total buffer length (in bytes).
2540 	 * \return  signature length (in bytes) on success, or 0 on error.
2541 	 */
2542 	size_t (*do_sign)(const br_ssl_client_certificate_class **pctx,
2543 		int hash_id, size_t hv_len, unsigned char *data, size_t len);
2544 };
2545 
2546 /**
2547  * \brief A single-chain RSA client certificate handler.
2548  *
2549  * This handler uses a single certificate chain, with a RSA
2550  * signature. The list of trust anchor DN is ignored.
2551  *
2552  * Apart from the first field (vtable pointer), its contents are
2553  * opaque and shall not be accessed directly.
2554  */
2555 typedef struct {
2556 	/** \brief Pointer to vtable. */
2557 	const br_ssl_client_certificate_class *vtable;
2558 #ifndef BR_DOXYGEN_IGNORE
2559 	const br_x509_certificate *chain;
2560 	size_t chain_len;
2561 	const br_rsa_private_key *sk;
2562 	br_rsa_pkcs1_sign irsasign;
2563 #endif
2564 } br_ssl_client_certificate_rsa_context;
2565 
2566 /**
2567  * \brief A single-chain EC client certificate handler.
2568  *
2569  * This handler uses a single certificate chain, with a RSA
2570  * signature. The list of trust anchor DN is ignored.
2571  *
2572  * This handler may support both static ECDH, and ECDSA signatures
2573  * (either usage may be selectively disabled).
2574  *
2575  * Apart from the first field (vtable pointer), its contents are
2576  * opaque and shall not be accessed directly.
2577  */
2578 typedef struct {
2579 	/** \brief Pointer to vtable. */
2580 	const br_ssl_client_certificate_class *vtable;
2581 #ifndef BR_DOXYGEN_IGNORE
2582 	const br_x509_certificate *chain;
2583 	size_t chain_len;
2584 	const br_ec_private_key *sk;
2585 	unsigned allowed_usages;
2586 	unsigned issuer_key_type;
2587 	const br_multihash_context *mhash;
2588 	const br_ec_impl *iec;
2589 	br_ecdsa_sign iecdsa;
2590 #endif
2591 } br_ssl_client_certificate_ec_context;
2592 
2593 /**
2594  * \brief Context structure for a SSL client.
2595  *
2596  * The first field (called `eng`) is the SSL engine; all functions that
2597  * work on a `br_ssl_engine_context` structure shall take as parameter
2598  * a pointer to that field. The other structure fields are opaque and
2599  * must not be accessed directly.
2600  */
2601 struct br_ssl_client_context_ {
2602 	/**
2603 	 * \brief The encapsulated engine context.
2604 	 */
2605 	br_ssl_engine_context eng;
2606 
2607 #ifndef BR_DOXYGEN_IGNORE
2608 	/*
2609 	 * Minimum ClientHello length; padding with an extension (RFC
2610 	 * 7685) is added if necessary to match at least that length.
2611 	 * Such padding is nominally unnecessary, but it has been used
2612 	 * to work around some server implementation bugs.
2613 	 */
2614 	uint16_t min_clienthello_len;
2615 
2616 	/*
2617 	 * Bit field for algoithms (hash + signature) supported by the
2618 	 * server when requesting a client certificate.
2619 	 */
2620 	uint32_t hashes;
2621 
2622 	/*
2623 	 * Server's public key curve.
2624 	 */
2625 	int server_curve;
2626 
2627 	/*
2628 	 * Context for certificate handler.
2629 	 */
2630 	const br_ssl_client_certificate_class **client_auth_vtable;
2631 
2632 	/*
2633 	 * Client authentication type.
2634 	 */
2635 	unsigned char auth_type;
2636 
2637 	/*
2638 	 * Hash function to use for the client signature. This is 0xFF
2639 	 * if static ECDH is used.
2640 	 */
2641 	unsigned char hash_id;
2642 
2643 	/*
2644 	 * For the core certificate handlers, thus avoiding (in most
2645 	 * cases) the need for an externally provided policy context.
2646 	 */
2647 	union {
2648 		const br_ssl_client_certificate_class *vtable;
2649 		br_ssl_client_certificate_rsa_context single_rsa;
2650 		br_ssl_client_certificate_ec_context single_ec;
2651 	} client_auth;
2652 
2653 	/*
2654 	 * Implementations.
2655 	 */
2656 	br_rsa_public irsapub;
2657 #endif
2658 };
2659 
2660 /**
2661  * \brief Get the hash functions and signature algorithms supported by
2662  * the server.
2663  *
2664  * This value is a bit field:
2665  *
2666  *   - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`,
2667  *     then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
2668  *     or 2 to 6 for the SHA family).
2669  *
2670  *   - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
2671  *     is set.
2672  *
2673  *   - Newer algorithms are symbolic 16-bit identifiers that do not
2674  *     represent signature algorithm and hash function separately. If
2675  *     the TLS-level identifier is `0x0800+x` for a `x` in the 0..15
2676  *     range, then bit `16+x` is set.
2677  *
2678  * "New algorithms" are currently defined only in draft documents, so
2679  * this support is subject to possible change. Right now (early 2017),
2680  * this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA
2681  * on Curve448) to bit 24. If the identifiers on the wire change in
2682  * future document, then the decoding mechanism in BearSSL will be
2683  * amended to keep mapping ed25519 and ed448 on bits 23 and 24,
2684  * respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not
2685  * guaranteed yet.
2686  *
2687  * \param cc   client context.
2688  * \return  the server-supported hash functions and signature algorithms.
2689  */
2690 static inline uint32_t
2691 br_ssl_client_get_server_hashes(const br_ssl_client_context *cc)
2692 {
2693 	return cc->hashes;
2694 }
2695 
2696 /**
2697  * \brief Get the server key curve.
2698  *
2699  * This function returns the ID for the curve used by the server's public
2700  * key. This is set when the server's certificate chain is processed;
2701  * this value is 0 if the server's key is not an EC key.
2702  *
2703  * \return  the server's public key curve ID, or 0.
2704  */
2705 static inline int
2706 br_ssl_client_get_server_curve(const br_ssl_client_context *cc)
2707 {
2708 	return cc->server_curve;
2709 }
2710 
2711 /*
2712  * Each br_ssl_client_init_xxx() function sets the list of supported
2713  * cipher suites and used implementations, as specified by the profile
2714  * name 'xxx'. Defined profile names are:
2715  *
2716  *    full    all supported versions and suites; constant-time implementations
2717  *    TODO: add other profiles
2718  */
2719 
2720 /**
2721  * \brief SSL client profile: full.
2722  *
2723  * This function initialises the provided SSL client context with
2724  * all supported algorithms and cipher suites. It also initialises
2725  * a companion X.509 validation engine with all supported algorithms,
2726  * and the provided trust anchors; the X.509 engine will be used by
2727  * the client context to validate the server's certificate.
2728  *
2729  * \param cc                  client context to initialise.
2730  * \param xc                  X.509 validation context to initialise.
2731  * \param trust_anchors       trust anchors to use.
2732  * \param trust_anchors_num   number of trust anchors.
2733  */
2734 void br_ssl_client_init_full(br_ssl_client_context *cc,
2735 	br_x509_minimal_context *xc,
2736 	const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
2737 
2738 /**
2739  * \brief Clear the complete contents of a SSL client context.
2740  *
2741  * Everything is cleared, including the reference to the configured buffer,
2742  * implementations, cipher suites and state. This is a preparatory step
2743  * to assembling a custom profile.
2744  *
2745  * \param cc   client context to clear.
2746  */
2747 void br_ssl_client_zero(br_ssl_client_context *cc);
2748 
2749 /**
2750  * \brief Set an externally provided client certificate handler context.
2751  *
2752  * The handler's methods are invoked when the server requests a client
2753  * certificate.
2754  *
2755  * \param cc     client context.
2756  * \param pctx   certificate handler context (pointer to its vtable field).
2757  */
2758 static inline void
2759 br_ssl_client_set_client_certificate(br_ssl_client_context *cc,
2760 	const br_ssl_client_certificate_class **pctx)
2761 {
2762 	cc->client_auth_vtable = pctx;
2763 }
2764 
2765 /**
2766  * \brief Set the RSA public-key operations implementation.
2767  *
2768  * This will be used to encrypt the pre-master secret with the server's
2769  * RSA public key (RSA-encryption cipher suites only).
2770  *
2771  * \param cc        client context.
2772  * \param irsapub   RSA public-key encryption implementation.
2773  */
2774 static inline void
2775 br_ssl_client_set_rsapub(br_ssl_client_context *cc, br_rsa_public irsapub)
2776 {
2777 	cc->irsapub = irsapub;
2778 }
2779 
2780 /**
2781  * \brief Set the "default" RSA implementation for public-key operations.
2782  *
2783  * This sets the RSA implementation in the client context (for encrypting
2784  * the pre-master secret, in `TLS_RSA_*` cipher suites) to the fastest
2785  * available on the current platform.
2786  *
2787  * \param cc   client context.
2788  */
2789 void br_ssl_client_set_default_rsapub(br_ssl_client_context *cc);
2790 
2791 /**
2792  * \brief Set the minimum ClientHello length (RFC 7685 padding).
2793  *
2794  * If this value is set and the ClientHello would be shorter, then
2795  * the Pad ClientHello extension will be added with enough padding bytes
2796  * to reach the target size. Because of the extension header, the resulting
2797  * size will sometimes be slightly more than `len` bytes if the target
2798  * size cannot be exactly met.
2799  *
2800  * The target length relates to the _contents_ of the ClientHello, not
2801  * counting its 4-byte header. For instance, if `len` is set to 512,
2802  * then the padding will bring the ClientHello size to 516 bytes with its
2803  * header, and 521 bytes when counting the 5-byte record header.
2804  *
2805  * \param cc    client context.
2806  * \param len   minimum ClientHello length (in bytes).
2807  */
2808 static inline void
2809 br_ssl_client_set_min_clienthello_len(br_ssl_client_context *cc, uint16_t len)
2810 {
2811 	cc->min_clienthello_len = len;
2812 }
2813 
2814 /**
2815  * \brief Prepare or reset a client context for a new connection.
2816  *
2817  * The `server_name` parameter is used to fill the SNI extension; the
2818  * X.509 "minimal" engine will also match that name against the server
2819  * names included in the server's certificate. If the parameter is
2820  * `NULL` then no SNI extension will be sent, and the X.509 "minimal"
2821  * engine (if used for server certificate validation) will not check
2822  * presence of any specific name in the received certificate.
2823  *
2824  * Therefore, setting the `server_name` to `NULL` shall be reserved
2825  * to cases where alternate or additional methods are used to ascertain
2826  * that the right server public key is used (e.g. a "known key" model).
2827  *
2828  * If `resume_session` is non-zero and the context was previously used
2829  * then the session parameters may be reused (depending on whether the
2830  * server previously sent a non-empty session ID, and accepts the session
2831  * resumption). The session parameters for session resumption can also
2832  * be set explicitly with `br_ssl_engine_set_session_parameters()`.
2833  *
2834  * On failure, the context is marked as failed, and this function
2835  * returns 0. A possible failure condition is when no initial entropy
2836  * was injected, and none could be obtained from the OS (either OS
2837  * randomness gathering is not supported, or it failed).
2838  *
2839  * \param cc               client context.
2840  * \param server_name      target server name, or `NULL`.
2841  * \param resume_session   non-zero to try session resumption.
2842  * \return  0 on failure, 1 on success.
2843  */
2844 int br_ssl_client_reset(br_ssl_client_context *cc,
2845 	const char *server_name, int resume_session);
2846 
2847 /**
2848  * \brief Forget any session in the context.
2849  *
2850  * This means that the next handshake that uses this context will
2851  * necessarily be a full handshake (this applies both to new connections
2852  * and to renegotiations).
2853  *
2854  * \param cc   client context.
2855  */
2856 static inline void
2857 br_ssl_client_forget_session(br_ssl_client_context *cc)
2858 {
2859 	cc->eng.session.session_id_len = 0;
2860 }
2861 
2862 /**
2863  * \brief Set client certificate chain and key (single RSA case).
2864  *
2865  * This function sets a client certificate chain, that the client will
2866  * send to the server whenever a client certificate is requested. This
2867  * certificate uses an RSA public key; the corresponding private key is
2868  * invoked for authentication. Trust anchor names sent by the server are
2869  * ignored.
2870  *
2871  * The provided chain and private key are linked in the client context;
2872  * they must remain valid as long as they may be used, i.e. normally
2873  * for the duration of the connection, since they might be invoked
2874  * again upon renegotiations.
2875  *
2876  * \param cc          SSL client context.
2877  * \param chain       client certificate chain (SSL order: EE comes first).
2878  * \param chain_len   client chain length (number of certificates).
2879  * \param sk          client private key.
2880  * \param irsasign    RSA signature implementation (PKCS#1 v1.5).
2881  */
2882 void br_ssl_client_set_single_rsa(br_ssl_client_context *cc,
2883 	const br_x509_certificate *chain, size_t chain_len,
2884 	const br_rsa_private_key *sk, br_rsa_pkcs1_sign irsasign);
2885 
2886 /*
2887  * \brief Set the client certificate chain and key (single EC case).
2888  *
2889  * This function sets a client certificate chain, that the client will
2890  * send to the server whenever a client certificate is requested. This
2891  * certificate uses an EC public key; the corresponding private key is
2892  * invoked for authentication. Trust anchor names sent by the server are
2893  * ignored.
2894  *
2895  * The provided chain and private key are linked in the client context;
2896  * they must remain valid as long as they may be used, i.e. normally
2897  * for the duration of the connection, since they might be invoked
2898  * again upon renegotiations.
2899  *
2900  * The `allowed_usages` is a combination of usages, namely
2901  * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`. The `BR_KEYTYPE_KEYX`
2902  * value allows full static ECDH, while the `BR_KEYTYPE_SIGN` value
2903  * allows ECDSA signatures. If ECDSA signatures are used, then an ECDSA
2904  * signature implementation must be provided; otherwise, the `iecdsa`
2905  * parameter may be 0.
2906  *
2907  * The `cert_issuer_key_type` value is either `BR_KEYTYPE_RSA` or
2908  * `BR_KEYTYPE_EC`; it is the type of the public key used the the CA
2909  * that issued (signed) the client certificate. That value is used with
2910  * full static ECDH: support of the certificate by the server depends
2911  * on how the certificate was signed. (Note: when using TLS 1.2, this
2912  * parameter is ignored; but its value matters for TLS 1.0 and 1.1.)
2913  *
2914  * \param cc                     server context.
2915  * \param chain                  server certificate chain to send.
2916  * \param chain_len              chain length (number of certificates).
2917  * \param sk                     server private key (EC).
2918  * \param allowed_usages         allowed private key usages.
2919  * \param cert_issuer_key_type   issuing CA's key type.
2920  * \param iec                    EC core implementation.
2921  * \param iecdsa                 ECDSA signature implementation ("asn1" format).
2922  */
2923 void br_ssl_client_set_single_ec(br_ssl_client_context *cc,
2924 	const br_x509_certificate *chain, size_t chain_len,
2925 	const br_ec_private_key *sk, unsigned allowed_usages,
2926 	unsigned cert_issuer_key_type,
2927 	const br_ec_impl *iec, br_ecdsa_sign iecdsa);
2928 
2929 /**
2930  * \brief Type for a "translated cipher suite", as an array of two
2931  * 16-bit integers.
2932  *
2933  * The first element is the cipher suite identifier (as used on the wire).
2934  * The second element is the concatenation of four 4-bit elements which
2935  * characterise the cipher suite contents. In most to least significant
2936  * order, these 4-bit elements are:
2937  *
2938  *   - Bits 12 to 15: key exchange + server key type
2939  *
2940  *     | val | symbolic constant        | suite type  | details                                          |
2941  *     | :-- | :----------------------- | :---------- | :----------------------------------------------- |
2942  *     |  0  | `BR_SSLKEYX_RSA`         | RSA         | RSA key exchange, key is RSA (encryption)        |
2943  *     |  1  | `BR_SSLKEYX_ECDHE_RSA`   | ECDHE_RSA   | ECDHE key exchange, key is RSA (signature)       |
2944  *     |  2  | `BR_SSLKEYX_ECDHE_ECDSA` | ECDHE_ECDSA | ECDHE key exchange, key is EC (signature)        |
2945  *     |  3  | `BR_SSLKEYX_ECDH_RSA`    | ECDH_RSA    | Key is EC (key exchange), cert signed with RSA   |
2946  *     |  4  | `BR_SSLKEYX_ECDH_ECDSA`  | ECDH_ECDSA  | Key is EC (key exchange), cert signed with ECDSA |
2947  *
2948  *   - Bits 8 to 11: symmetric encryption algorithm
2949  *
2950  *     | val | symbolic constant      | symmetric encryption | key strength (bits) |
2951  *     | :-- | :--------------------- | :------------------- | :------------------ |
2952  *     |  0  | `BR_SSLENC_3DES_CBC`   | 3DES/CBC             | 168                 |
2953  *     |  1  | `BR_SSLENC_AES128_CBC` | AES-128/CBC          | 128                 |
2954  *     |  2  | `BR_SSLENC_AES256_CBC` | AES-256/CBC          | 256                 |
2955  *     |  3  | `BR_SSLENC_AES128_GCM` | AES-128/GCM          | 128                 |
2956  *     |  4  | `BR_SSLENC_AES256_GCM` | AES-256/GCM          | 256                 |
2957  *     |  5  | `BR_SSLENC_CHACHA20`   | ChaCha20/Poly1305    | 256                 |
2958  *
2959  *   - Bits 4 to 7: MAC algorithm
2960  *
2961  *     | val | symbolic constant  | MAC type     | details                               |
2962  *     | :-- | :----------------- | :----------- | :------------------------------------ |
2963  *     |  0  | `BR_SSLMAC_AEAD`   | AEAD         | No dedicated MAC (encryption is AEAD) |
2964  *     |  2  | `BR_SSLMAC_SHA1`   | HMAC/SHA-1   | Value matches `br_sha1_ID`            |
2965  *     |  4  | `BR_SSLMAC_SHA256` | HMAC/SHA-256 | Value matches `br_sha256_ID`          |
2966  *     |  5  | `BR_SSLMAC_SHA384` | HMAC/SHA-384 | Value matches `br_sha384_ID`          |
2967  *
2968  *   - Bits 0 to 3: hash function for PRF when used with TLS-1.2
2969  *
2970  *     | val | symbolic constant  | hash function | details                              |
2971  *     | :-- | :----------------- | :------------ | :----------------------------------- |
2972  *     |  4  | `BR_SSLPRF_SHA256` | SHA-256       | Value matches `br_sha256_ID`         |
2973  *     |  5  | `BR_SSLPRF_SHA384` | SHA-384       | Value matches `br_sha384_ID`         |
2974  *
2975  * For instance, cipher suite `TLS_RSA_WITH_AES_128_GCM_SHA256` has
2976  * standard identifier 0x009C, and is translated to 0x0304, for, in
2977  * that order: RSA key exchange (0), AES-128/GCM (3), AEAD integrity (0),
2978  * SHA-256 in the TLS PRF (4).
2979  */
2980 typedef uint16_t br_suite_translated[2];
2981 
2982 #ifndef BR_DOXYGEN_IGNORE
2983 /*
2984  * Constants are already documented in the br_suite_translated type.
2985  */
2986 
2987 #define BR_SSLKEYX_RSA           0
2988 #define BR_SSLKEYX_ECDHE_RSA     1
2989 #define BR_SSLKEYX_ECDHE_ECDSA   2
2990 #define BR_SSLKEYX_ECDH_RSA      3
2991 #define BR_SSLKEYX_ECDH_ECDSA    4
2992 
2993 #define BR_SSLENC_3DES_CBC       0
2994 #define BR_SSLENC_AES128_CBC     1
2995 #define BR_SSLENC_AES256_CBC     2
2996 #define BR_SSLENC_AES128_GCM     3
2997 #define BR_SSLENC_AES256_GCM     4
2998 #define BR_SSLENC_CHACHA20       5
2999 
3000 #define BR_SSLMAC_AEAD           0
3001 #define BR_SSLMAC_SHA1           br_sha1_ID
3002 #define BR_SSLMAC_SHA256         br_sha256_ID
3003 #define BR_SSLMAC_SHA384         br_sha384_ID
3004 
3005 #define BR_SSLPRF_SHA256         br_sha256_ID
3006 #define BR_SSLPRF_SHA384         br_sha384_ID
3007 
3008 #endif
3009 
3010 /*
3011  * Pre-declaration for the SSL server context.
3012  */
3013 typedef struct br_ssl_server_context_ br_ssl_server_context;
3014 
3015 /**
3016  * \brief Type for the server policy choices, taken after analysis of
3017  * the client message (ClientHello).
3018  */
3019 typedef struct {
3020 	/**
3021 	 * \brief Cipher suite to use with that client.
3022 	 */
3023 	uint16_t cipher_suite;
3024 
3025 	/**
3026 	 * \brief Hash function or algorithm for signing the ServerKeyExchange.
3027 	 *
3028 	 * This parameter is ignored for `TLS_RSA_*` and `TLS_ECDH_*`
3029 	 * cipher suites; it is used only for `TLS_ECDHE_*` suites, in
3030 	 * which the server _signs_ the ephemeral EC Diffie-Hellman
3031 	 * parameters sent to the client.
3032 	 *
3033 	 * This identifier must be one of the following values:
3034 	 *
3035 	 *   - `0xFF00 + id`, where `id` is a hash function identifier
3036 	 *     (0 for MD5+SHA-1, or 2 to 6 for one of the SHA functions);
3037 	 *
3038 	 *   - a full 16-bit identifier, lower than `0xFF00`.
3039 	 *
3040 	 * If the first option is used, then the SSL engine will
3041 	 * compute the hash of the data that is to be signed, with the
3042 	 * designated hash function. The `do_sign()` method will be
3043 	 * invoked with that hash value provided in the the `data`
3044 	 * buffer.
3045 	 *
3046 	 * If the second option is used, then the SSL engine will NOT
3047 	 * compute a hash on the data; instead, it will provide the
3048 	 * to-be-signed data itself in `data`, i.e. the concatenation of
3049 	 * the client random, server random, and encoded ECDH
3050 	 * parameters. Furthermore, with TLS-1.2 and later, the 16-bit
3051 	 * identifier will be used "as is" in the protocol, in the
3052 	 * SignatureAndHashAlgorithm; for instance, `0x0401` stands for
3053 	 * RSA PKCS#1 v1.5 signature (the `01`) with SHA-256 as hash
3054 	 * function (the `04`).
3055 	 *
3056 	 * Take care that with TLS 1.0 and 1.1, the hash function is
3057 	 * constrainted by the protocol: RSA signature must use
3058 	 * MD5+SHA-1 (so use `0xFF00`), while ECDSA must use SHA-1
3059 	 * (`0xFF02`). Since TLS 1.0 and 1.1 don't include a
3060 	 * SignatureAndHashAlgorithm field in their ServerKeyExchange
3061 	 * messages, any value below `0xFF00` will be usable to send the
3062 	 * raw ServerKeyExchange data to the `do_sign()` callback, but
3063 	 * that callback must still follow the protocol requirements
3064 	 * when generating the signature.
3065 	 */
3066 	unsigned algo_id;
3067 
3068 	/**
3069 	 * \brief Certificate chain to send to the client.
3070 	 *
3071 	 * This is an array of `br_x509_certificate` objects, each
3072 	 * normally containing a DER-encoded certificate. The server
3073 	 * code does not try to decode these elements.
3074 	 */
3075 	const br_x509_certificate *chain;
3076 
3077 	/**
3078 	 * \brief Certificate chain length (number of certificates).
3079 	 */
3080 	size_t chain_len;
3081 
3082 } br_ssl_server_choices;
3083 
3084 /**
3085  * \brief Class type for a policy handler (server side).
3086  *
3087  * A policy handler selects the policy parameters for a connection
3088  * (cipher suite and other algorithms, and certificate chain to send to
3089  * the client); it also performs the server-side computations involving
3090  * its permanent private key.
3091  *
3092  * The SSL server engine will invoke first `choose()`, once the
3093  * ClientHello message has been received, then either `do_keyx()`
3094  * `do_sign()`, depending on the cipher suite.
3095  */
3096 typedef struct br_ssl_server_policy_class_ br_ssl_server_policy_class;
3097 struct br_ssl_server_policy_class_ {
3098 	/**
3099 	 * \brief Context size (in bytes).
3100 	 */
3101 	size_t context_size;
3102 
3103 	/**
3104 	 * \brief Select algorithms and certificates for this connection.
3105 	 *
3106 	 * This callback function shall fill the provided `choices`
3107 	 * structure with the policy choices for this connection. This
3108 	 * entails selecting the cipher suite, hash function for signing
3109 	 * the ServerKeyExchange (applicable only to ECDHE cipher suites),
3110 	 * and certificate chain to send.
3111 	 *
3112 	 * The callback receives a pointer to the server context that
3113 	 * contains the relevant data. In particular, the functions
3114 	 * `br_ssl_server_get_client_suites()`,
3115 	 * `br_ssl_server_get_client_hashes()` and
3116 	 * `br_ssl_server_get_client_curves()` can be used to obtain
3117 	 * the cipher suites, hash functions and elliptic curves
3118 	 * supported by both the client and server, respectively. The
3119 	 * `br_ssl_engine_get_version()` and `br_ssl_engine_get_server_name()`
3120 	 * functions yield the protocol version and requested server name
3121 	 * (SNI), respectively.
3122 	 *
3123 	 * This function may modify its context structure (`pctx`) in
3124 	 * arbitrary ways to keep track of its own choices.
3125 	 *
3126 	 * This function shall return 1 if appropriate policy choices
3127 	 * could be made, or 0 if this connection cannot be pursued.
3128 	 *
3129 	 * \param pctx      policy context.
3130 	 * \param cc        SSL server context.
3131 	 * \param choices   destination structure for the policy choices.
3132 	 * \return  1 on success, 0 on error.
3133 	 */
3134 	int (*choose)(const br_ssl_server_policy_class **pctx,
3135 		const br_ssl_server_context *cc,
3136 		br_ssl_server_choices *choices);
3137 
3138 	/**
3139 	 * \brief Perform key exchange (server part).
3140 	 *
3141 	 * This callback is invoked to perform the server-side cryptographic
3142 	 * operation for a key exchange that is not ECDHE. This callback
3143 	 * uses the private key.
3144 	 *
3145 	 * **For RSA key exchange**, the provided `data` (of length `*len`
3146 	 * bytes) shall be decrypted with the server's private key, and
3147 	 * the 48-byte premaster secret copied back to the first 48 bytes
3148 	 * of `data`.
3149 	 *
3150 	 *   - The caller makes sure that `*len` is at least 59 bytes.
3151 	 *
3152 	 *   - This callback MUST check that the provided length matches
3153 	 *     that of the key modulus; it shall report an error otherwise.
3154 	 *
3155 	 *   - If the length matches that of the RSA key modulus, then
3156 	 *     processing MUST be constant-time, even if decryption fails,
3157 	 *     or the padding is incorrect, or the plaintext message length
3158 	 *     is not exactly 48 bytes.
3159 	 *
3160 	 *   - This callback needs not check the two first bytes of the
3161 	 *     obtained pre-master secret (the caller will do that).
3162 	 *
3163 	 *   - If an error is reported (0), then what the callback put
3164 	 *     in the first 48 bytes of `data` is unimportant (the caller
3165 	 *     will use random bytes instead).
3166 	 *
3167 	 * **For ECDH key exchange**, the provided `data` (of length `*len`
3168 	 * bytes) is the elliptic curve point from the client. The
3169 	 * callback shall multiply it with its private key, and store
3170 	 * the resulting X coordinate in `data`, starting at offset 0,
3171 	 * and set `*len` to the length of the X coordinate.
3172 	 *
3173 	 *   - If the input array does not have the proper length for
3174 	 *     an encoded curve point, then an error (0) shall be reported.
3175 	 *
3176 	 *   - If the input array has the proper length, then processing
3177 	 *     MUST be constant-time, even if the data is not a valid
3178 	 *     encoded point.
3179 	 *
3180 	 *   - This callback MUST check that the input point is valid.
3181 	 *
3182 	 * Returned value is 1 on success, 0 on error.
3183 	 *
3184 	 * \param pctx   policy context.
3185 	 * \param data   key exchange data from the client.
3186 	 * \param len    key exchange data length (in bytes).
3187 	 * \return  1 on success, 0 on error.
3188 	 */
3189 	uint32_t (*do_keyx)(const br_ssl_server_policy_class **pctx,
3190 		unsigned char *data, size_t *len);
3191 
3192 	/**
3193 	 * \brief Perform a signature (for a ServerKeyExchange message).
3194 	 *
3195 	 * This callback function is invoked for ECDHE cipher suites. On
3196 	 * input, the hash value or message to sign is in `data`, of
3197 	 * size `hv_len`; the involved hash function or algorithm is
3198 	 * identified by `algo_id`. The signature shall be computed and
3199 	 * written back into `data`; the total size of that buffer is
3200 	 * `len` bytes.
3201 	 *
3202 	 * This callback shall verify that the signature length does not
3203 	 * exceed `len` bytes, and abstain from writing the signature if
3204 	 * it does not fit.
3205 	 *
3206 	 * The `algo_id` value matches that which was written in the
3207 	 * `choices` structures by the `choose()` callback. This will be
3208 	 * one of the following:
3209 	 *
3210 	 *   - `0xFF00 + id` for a hash function identifier `id`. In
3211 	 *     that case, the `data` buffer contains a hash value
3212 	 *     already computed over the data that is to be signed,
3213 	 *     of length `hv_len`. The `id` may be 0 to designate the
3214 	 *     special MD5+SHA-1 concatenation (old-style RSA signing).
3215 	 *
3216 	 *   - Another value, lower than `0xFF00`. The `data` buffer
3217 	 *     then contains the raw, non-hashed data to be signed
3218 	 *     (concatenation of the client and server randoms and
3219 	 *     ECDH parameters). The callback is responsible to apply
3220 	 *     any relevant hashing as part of the signing process.
3221 	 *
3222 	 * Returned value is the signature length (in bytes), or 0 on error.
3223 	 *
3224 	 * \param pctx      policy context.
3225 	 * \param algo_id   hash function / algorithm identifier.
3226 	 * \param data      input/output buffer (message/hash, then signature).
3227 	 * \param hv_len    hash value or message length (in bytes).
3228 	 * \param len       total buffer length (in bytes).
3229 	 * \return  signature length (in bytes) on success, or 0 on error.
3230 	 */
3231 	size_t (*do_sign)(const br_ssl_server_policy_class **pctx,
3232 		unsigned algo_id,
3233 		unsigned char *data, size_t hv_len, size_t len);
3234 };
3235 
3236 /**
3237  * \brief A single-chain RSA policy handler.
3238  *
3239  * This policy context uses a single certificate chain, and a RSA
3240  * private key. The context can be restricted to only signatures or
3241  * only key exchange.
3242  *
3243  * Apart from the first field (vtable pointer), its contents are
3244  * opaque and shall not be accessed directly.
3245  */
3246 typedef struct {
3247 	/** \brief Pointer to vtable. */
3248 	const br_ssl_server_policy_class *vtable;
3249 #ifndef BR_DOXYGEN_IGNORE
3250 	const br_x509_certificate *chain;
3251 	size_t chain_len;
3252 	const br_rsa_private_key *sk;
3253 	unsigned allowed_usages;
3254 	br_rsa_private irsacore;
3255 	br_rsa_pkcs1_sign irsasign;
3256 #endif
3257 } br_ssl_server_policy_rsa_context;
3258 
3259 /**
3260  * \brief A single-chain EC policy handler.
3261  *
3262  * This policy context uses a single certificate chain, and an EC
3263  * private key. The context can be restricted to only signatures or
3264  * only key exchange.
3265  *
3266  * Due to how TLS is defined, this context must be made aware whether
3267  * the server certificate was itself signed with RSA or ECDSA. The code
3268  * does not try to decode the certificate to obtain that information.
3269  *
3270  * Apart from the first field (vtable pointer), its contents are
3271  * opaque and shall not be accessed directly.
3272  */
3273 typedef struct {
3274 	/** \brief Pointer to vtable. */
3275 	const br_ssl_server_policy_class *vtable;
3276 #ifndef BR_DOXYGEN_IGNORE
3277 	const br_x509_certificate *chain;
3278 	size_t chain_len;
3279 	const br_ec_private_key *sk;
3280 	unsigned allowed_usages;
3281 	unsigned cert_issuer_key_type;
3282 	const br_multihash_context *mhash;
3283 	const br_ec_impl *iec;
3284 	br_ecdsa_sign iecdsa;
3285 #endif
3286 } br_ssl_server_policy_ec_context;
3287 
3288 /**
3289  * \brief Class type for a session parameter cache.
3290  *
3291  * Session parameters are saved in the cache with `save()`, and
3292  * retrieved with `load()`. The cache implementation can apply any
3293  * storage and eviction strategy that it sees fit. The SSL server
3294  * context that performs the request is provided, so that its
3295  * functionalities may be used by the implementation (e.g. hash
3296  * functions or random number generation).
3297  */
3298 typedef struct br_ssl_session_cache_class_ br_ssl_session_cache_class;
3299 struct br_ssl_session_cache_class_ {
3300 	/**
3301 	 * \brief Context size (in bytes).
3302 	 */
3303 	size_t context_size;
3304 
3305 	/**
3306 	 * \brief Record a session.
3307 	 *
3308 	 * This callback should record the provided session parameters.
3309 	 * The `params` structure is transient, so its contents shall
3310 	 * be copied into the cache. The session ID has been randomly
3311 	 * generated and always has length exactly 32 bytes.
3312 	 *
3313 	 * \param ctx          session cache context.
3314 	 * \param server_ctx   SSL server context.
3315 	 * \param params       session parameters to save.
3316 	 */
3317 	void (*save)(const br_ssl_session_cache_class **ctx,
3318 		br_ssl_server_context *server_ctx,
3319 		const br_ssl_session_parameters *params);
3320 
3321 	/**
3322 	 * \brief Lookup a session in the cache.
3323 	 *
3324 	 * The session ID to lookup is in `params` and always has length
3325 	 * exactly 32 bytes. If the session parameters are found in the
3326 	 * cache, then the parameters shall be copied into the `params`
3327 	 * structure. Returned value is 1 on successful lookup, 0
3328 	 * otherwise.
3329 	 *
3330 	 * \param ctx          session cache context.
3331 	 * \param server_ctx   SSL server context.
3332 	 * \param params       destination for session parameters.
3333 	 * \return  1 if found, 0 otherwise.
3334 	 */
3335 	int (*load)(const br_ssl_session_cache_class **ctx,
3336 		br_ssl_server_context *server_ctx,
3337 		br_ssl_session_parameters *params);
3338 };
3339 
3340 /**
3341  * \brief Context for a basic cache system.
3342  *
3343  * The system stores session parameters in a buffer provided at
3344  * initialisation time. Each entry uses exactly 100 bytes, and
3345  * buffer sizes up to 4294967295 bytes are supported.
3346  *
3347  * Entries are evicted with a LRU (Least Recently Used) policy. A
3348  * search tree is maintained to keep lookups fast even with large
3349  * caches.
3350  *
3351  * Apart from the first field (vtable pointer), the structure
3352  * contents are opaque and shall not be accessed directly.
3353  */
3354 typedef struct {
3355 	/** \brief Pointer to vtable. */
3356 	const br_ssl_session_cache_class *vtable;
3357 #ifndef BR_DOXYGEN_IGNORE
3358 	unsigned char *store;
3359 	size_t store_len, store_ptr;
3360 	unsigned char index_key[32];
3361 	const br_hash_class *hash;
3362 	int init_done;
3363 	uint32_t head, tail, root;
3364 #endif
3365 } br_ssl_session_cache_lru;
3366 
3367 /**
3368  * \brief Initialise a LRU session cache with the provided storage space.
3369  *
3370  * The provided storage space must remain valid as long as the cache
3371  * is used. Arbitrary lengths are supported, up to 4294967295 bytes;
3372  * each entry uses up exactly 100 bytes.
3373  *
3374  * \param cc          session cache context.
3375  * \param store       storage space for cached entries.
3376  * \param store_len   storage space length (in bytes).
3377  */
3378 void br_ssl_session_cache_lru_init(br_ssl_session_cache_lru *cc,
3379 	unsigned char *store, size_t store_len);
3380 
3381 /**
3382  * \brief Forget an entry in an LRU session cache.
3383  *
3384  * The session cache context must have been initialised. The entry
3385  * with the provided session ID (of exactly 32 bytes) is looked for
3386  * in the cache; if located, it is disabled.
3387  *
3388  * \param cc   session cache context.
3389  * \param id   session ID to forget.
3390  */
3391 void br_ssl_session_cache_lru_forget(
3392 	br_ssl_session_cache_lru *cc, const unsigned char *id);
3393 
3394 /**
3395  * \brief Context structure for a SSL server.
3396  *
3397  * The first field (called `eng`) is the SSL engine; all functions that
3398  * work on a `br_ssl_engine_context` structure shall take as parameter
3399  * a pointer to that field. The other structure fields are opaque and
3400  * must not be accessed directly.
3401  */
3402 struct br_ssl_server_context_ {
3403 	/**
3404 	 * \brief The encapsulated engine context.
3405 	 */
3406 	br_ssl_engine_context eng;
3407 
3408 #ifndef BR_DOXYGEN_IGNORE
3409 	/*
3410 	 * Maximum version from the client.
3411 	 */
3412 	uint16_t client_max_version;
3413 
3414 	/*
3415 	 * Session cache.
3416 	 */
3417 	const br_ssl_session_cache_class **cache_vtable;
3418 
3419 	/*
3420 	 * Translated cipher suites supported by the client. The list
3421 	 * is trimmed to include only the cipher suites that the
3422 	 * server also supports; they are in the same order as in the
3423 	 * client message.
3424 	 */
3425 	br_suite_translated client_suites[BR_MAX_CIPHER_SUITES];
3426 	unsigned char client_suites_num;
3427 
3428 	/*
3429 	 * Hash functions supported by the client, with ECDSA and RSA
3430 	 * (bit mask). For hash function with id 'x', set bit index is
3431 	 * x for RSA, x+8 for ECDSA. For newer algorithms, with ID
3432 	 * 0x08**, bit 16+k is set for algorithm 0x0800+k.
3433 	 */
3434 	uint32_t hashes;
3435 
3436 	/*
3437 	 * Curves supported by the client (bit mask, for named curves).
3438 	 */
3439 	uint32_t curves;
3440 
3441 	/*
3442 	 * Context for chain handler.
3443 	 */
3444 	const br_ssl_server_policy_class **policy_vtable;
3445 	uint16_t sign_hash_id;
3446 
3447 	/*
3448 	 * For the core handlers, thus avoiding (in most cases) the
3449 	 * need for an externally provided policy context.
3450 	 */
3451 	union {
3452 		const br_ssl_server_policy_class *vtable;
3453 		br_ssl_server_policy_rsa_context single_rsa;
3454 		br_ssl_server_policy_ec_context single_ec;
3455 	} chain_handler;
3456 
3457 	/*
3458 	 * Buffer for the ECDHE private key.
3459 	 */
3460 	unsigned char ecdhe_key[70];
3461 	size_t ecdhe_key_len;
3462 
3463 	/*
3464 	 * Trust anchor names for client authentication. "ta_names" and
3465 	 * "tas" cannot be both non-NULL.
3466 	 */
3467 	const br_x500_name *ta_names;
3468 	const br_x509_trust_anchor *tas;
3469 	size_t num_tas;
3470 	size_t cur_dn_index;
3471 	const unsigned char *cur_dn;
3472 	size_t cur_dn_len;
3473 
3474 	/*
3475 	 * Buffer for the hash value computed over all handshake messages
3476 	 * prior to CertificateVerify, and identifier for the hash function.
3477 	 */
3478 	unsigned char hash_CV[64];
3479 	size_t hash_CV_len;
3480 	int hash_CV_id;
3481 
3482 	/*
3483 	 * Server-specific implementations.
3484 	 * (none for now)
3485 	 */
3486 #endif
3487 };
3488 
3489 /*
3490  * Each br_ssl_server_init_xxx() function sets the list of supported
3491  * cipher suites and used implementations, as specified by the profile
3492  * name 'xxx'. Defined profile names are:
3493  *
3494  *    full_rsa    all supported algorithm, server key type is RSA
3495  *    full_ec     all supported algorithm, server key type is EC
3496  *    TODO: add other profiles
3497  *
3498  * Naming scheme for "minimal" profiles: min123
3499  *
3500  * -- character 1: key exchange
3501  *      r = RSA
3502  *      e = ECDHE_RSA
3503  *      f = ECDHE_ECDSA
3504  *      u = ECDH_RSA
3505  *      v = ECDH_ECDSA
3506  * -- character 2: version / PRF
3507  *      0 = TLS 1.0 / 1.1 with MD5+SHA-1
3508  *      2 = TLS 1.2 with SHA-256
3509  *      3 = TLS 1.2 with SHA-384
3510  * -- character 3: encryption
3511  *      a = AES/CBC
3512  *      d = 3DES/CBC
3513  *      g = AES/GCM
3514  *      c = ChaCha20+Poly1305
3515  */
3516 
3517 /**
3518  * \brief SSL server profile: full_rsa.
3519  *
3520  * This function initialises the provided SSL server context with
3521  * all supported algorithms and cipher suites that rely on a RSA
3522  * key pair.
3523  *
3524  * \param cc          server context to initialise.
3525  * \param chain       server certificate chain.
3526  * \param chain_len   certificate chain length (number of certificate).
3527  * \param sk          RSA private key.
3528  */
3529 void br_ssl_server_init_full_rsa(br_ssl_server_context *cc,
3530 	const br_x509_certificate *chain, size_t chain_len,
3531 	const br_rsa_private_key *sk);
3532 
3533 /**
3534  * \brief SSL server profile: full_ec.
3535  *
3536  * This function initialises the provided SSL server context with
3537  * all supported algorithms and cipher suites that rely on an EC
3538  * key pair.
3539  *
3540  * The key type of the CA that issued the server's certificate must
3541  * be provided, since it matters for ECDH cipher suites (ECDH_RSA
3542  * suites require a RSA-powered CA). The key type is either
3543  * `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`.
3544  *
3545  * \param cc                     server context to initialise.
3546  * \param chain                  server certificate chain.
3547  * \param chain_len              chain length (number of certificates).
3548  * \param cert_issuer_key_type   certificate issuer's key type.
3549  * \param sk                     EC private key.
3550  */
3551 void br_ssl_server_init_full_ec(br_ssl_server_context *cc,
3552 	const br_x509_certificate *chain, size_t chain_len,
3553 	unsigned cert_issuer_key_type, const br_ec_private_key *sk);
3554 
3555 /**
3556  * \brief SSL server profile: minr2g.
3557  *
3558  * This profile uses only TLS_RSA_WITH_AES_128_GCM_SHA256. Server key is
3559  * RSA, and RSA key exchange is used (not forward secure, but uses little
3560  * CPU in the client).
3561  *
3562  * \param cc          server context to initialise.
3563  * \param chain       server certificate chain.
3564  * \param chain_len   certificate chain length (number of certificate).
3565  * \param sk          RSA private key.
3566  */
3567 void br_ssl_server_init_minr2g(br_ssl_server_context *cc,
3568 	const br_x509_certificate *chain, size_t chain_len,
3569 	const br_rsa_private_key *sk);
3570 
3571 /**
3572  * \brief SSL server profile: mine2g.
3573  *
3574  * This profile uses only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Server key
3575  * is RSA, and ECDHE key exchange is used. This suite provides forward
3576  * security, with a higher CPU expense on the client, and a somewhat
3577  * larger code footprint (compared to "minr2g").
3578  *
3579  * \param cc          server context to initialise.
3580  * \param chain       server certificate chain.
3581  * \param chain_len   certificate chain length (number of certificate).
3582  * \param sk          RSA private key.
3583  */
3584 void br_ssl_server_init_mine2g(br_ssl_server_context *cc,
3585 	const br_x509_certificate *chain, size_t chain_len,
3586 	const br_rsa_private_key *sk);
3587 
3588 /**
3589  * \brief SSL server profile: minf2g.
3590  *
3591  * This profile uses only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
3592  * Server key is EC, and ECDHE key exchange is used. This suite provides
3593  * forward security, with a higher CPU expense on the client and server
3594  * (by a factor of about 3 to 4), and a somewhat larger code footprint
3595  * (compared to "minu2g" and "minv2g").
3596  *
3597  * \param cc          server context to initialise.
3598  * \param chain       server certificate chain.
3599  * \param chain_len   certificate chain length (number of certificate).
3600  * \param sk          EC private key.
3601  */
3602 void br_ssl_server_init_minf2g(br_ssl_server_context *cc,
3603 	const br_x509_certificate *chain, size_t chain_len,
3604 	const br_ec_private_key *sk);
3605 
3606 /**
3607  * \brief SSL server profile: minu2g.
3608  *
3609  * This profile uses only TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256.
3610  * Server key is EC, and ECDH key exchange is used; the issuing CA used
3611  * a RSA key.
3612  *
3613  * The "minu2g" and "minv2g" profiles do not provide forward secrecy,
3614  * but are the lightest on the server (for CPU usage), and are rather
3615  * inexpensive on the client as well.
3616  *
3617  * \param cc          server context to initialise.
3618  * \param chain       server certificate chain.
3619  * \param chain_len   certificate chain length (number of certificate).
3620  * \param sk          EC private key.
3621  */
3622 void br_ssl_server_init_minu2g(br_ssl_server_context *cc,
3623 	const br_x509_certificate *chain, size_t chain_len,
3624 	const br_ec_private_key *sk);
3625 
3626 /**
3627  * \brief SSL server profile: minv2g.
3628  *
3629  * This profile uses only TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256.
3630  * Server key is EC, and ECDH key exchange is used; the issuing CA used
3631  * an EC key.
3632  *
3633  * The "minu2g" and "minv2g" profiles do not provide forward secrecy,
3634  * but are the lightest on the server (for CPU usage), and are rather
3635  * inexpensive on the client as well.
3636  *
3637  * \param cc          server context to initialise.
3638  * \param chain       server certificate chain.
3639  * \param chain_len   certificate chain length (number of certificate).
3640  * \param sk          EC private key.
3641  */
3642 void br_ssl_server_init_minv2g(br_ssl_server_context *cc,
3643 	const br_x509_certificate *chain, size_t chain_len,
3644 	const br_ec_private_key *sk);
3645 
3646 /**
3647  * \brief SSL server profile: mine2c.
3648  *
3649  * This profile uses only TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
3650  * Server key is RSA, and ECDHE key exchange is used. This suite
3651  * provides forward security.
3652  *
3653  * \param cc          server context to initialise.
3654  * \param chain       server certificate chain.
3655  * \param chain_len   certificate chain length (number of certificate).
3656  * \param sk          RSA private key.
3657  */
3658 void br_ssl_server_init_mine2c(br_ssl_server_context *cc,
3659 	const br_x509_certificate *chain, size_t chain_len,
3660 	const br_rsa_private_key *sk);
3661 
3662 /**
3663  * \brief SSL server profile: minf2c.
3664  *
3665  * This profile uses only TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.
3666  * Server key is EC, and ECDHE key exchange is used. This suite provides
3667  * forward security.
3668  *
3669  * \param cc          server context to initialise.
3670  * \param chain       server certificate chain.
3671  * \param chain_len   certificate chain length (number of certificate).
3672  * \param sk          EC private key.
3673  */
3674 void br_ssl_server_init_minf2c(br_ssl_server_context *cc,
3675 	const br_x509_certificate *chain, size_t chain_len,
3676 	const br_ec_private_key *sk);
3677 
3678 /**
3679  * \brief Get the supported client suites.
3680  *
3681  * This function shall be called only after the ClientHello has been
3682  * processed, typically from the policy engine. The returned array
3683  * contains the cipher suites that are supported by both the client
3684  * and the server; these suites are in client preference order, unless
3685  * the `BR_OPT_ENFORCE_SERVER_PREFERENCES` flag was set, in which case
3686  * they are in server preference order.
3687  *
3688  * The suites are _translated_, which means that each suite is given
3689  * as two 16-bit integers: the standard suite identifier, and its
3690  * translated version, broken down into its individual components,
3691  * as explained with the `br_suite_translated` type.
3692  *
3693  * The returned array is allocated in the context and will be rewritten
3694  * by each handshake.
3695  *
3696  * \param cc    server context.
3697  * \param num   receives the array size (number of suites).
3698  * \return  the translated common cipher suites, in preference order.
3699  */
3700 static inline const br_suite_translated *
3701 br_ssl_server_get_client_suites(const br_ssl_server_context *cc, size_t *num)
3702 {
3703 	*num = cc->client_suites_num;
3704 	return cc->client_suites;
3705 }
3706 
3707 /**
3708  * \brief Get the hash functions and signature algorithms supported by
3709  * the client.
3710  *
3711  * This value is a bit field:
3712  *
3713  *   - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`,
3714  *     then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
3715  *     or 2 to 6 for the SHA family).
3716  *
3717  *   - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
3718  *     is set.
3719  *
3720  *   - Newer algorithms are symbolic 16-bit identifiers that do not
3721  *     represent signature algorithm and hash function separately. If
3722  *     the TLS-level identifier is `0x0800+x` for a `x` in the 0..15
3723  *     range, then bit `16+x` is set.
3724  *
3725  * "New algorithms" are currently defined only in draft documents, so
3726  * this support is subject to possible change. Right now (early 2017),
3727  * this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA
3728  * on Curve448) to bit 24. If the identifiers on the wire change in
3729  * future document, then the decoding mechanism in BearSSL will be
3730  * amended to keep mapping ed25519 and ed448 on bits 23 and 24,
3731  * respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not
3732  * guaranteed yet.
3733  *
3734  * \param cc   server context.
3735  * \return  the client-supported hash functions and signature algorithms.
3736  */
3737 static inline uint32_t
3738 br_ssl_server_get_client_hashes(const br_ssl_server_context *cc)
3739 {
3740 	return cc->hashes;
3741 }
3742 
3743 /**
3744  * \brief Get the elliptic curves supported by the client.
3745  *
3746  * This is a bit field (bit x is set if curve of ID x is supported).
3747  *
3748  * \param cc   server context.
3749  * \return  the client-supported elliptic curves.
3750  */
3751 static inline uint32_t
3752 br_ssl_server_get_client_curves(const br_ssl_server_context *cc)
3753 {
3754 	return cc->curves;
3755 }
3756 
3757 /**
3758  * \brief Clear the complete contents of a SSL server context.
3759  *
3760  * Everything is cleared, including the reference to the configured buffer,
3761  * implementations, cipher suites and state. This is a preparatory step
3762  * to assembling a custom profile.
3763  *
3764  * \param cc   server context to clear.
3765  */
3766 void br_ssl_server_zero(br_ssl_server_context *cc);
3767 
3768 /**
3769  * \brief Set an externally provided policy context.
3770  *
3771  * The policy context's methods are invoked to decide the cipher suite
3772  * and certificate chain, and to perform operations involving the server's
3773  * private key.
3774  *
3775  * \param cc     server context.
3776  * \param pctx   policy context (pointer to its vtable field).
3777  */
3778 static inline void
3779 br_ssl_server_set_policy(br_ssl_server_context *cc,
3780 	const br_ssl_server_policy_class **pctx)
3781 {
3782 	cc->policy_vtable = pctx;
3783 }
3784 
3785 /**
3786  * \brief Set the server certificate chain and key (single RSA case).
3787  *
3788  * This function uses a policy context included in the server context.
3789  * It configures use of a single server certificate chain with a RSA
3790  * private key. The `allowed_usages` is a combination of usages, namely
3791  * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables
3792  * the corresponding cipher suites (i.e. `TLS_RSA_*` use the RSA key for
3793  * key exchange, while `TLS_ECDHE_RSA_*` use the RSA key for signatures).
3794  *
3795  * \param cc               server context.
3796  * \param chain            server certificate chain to send to the client.
3797  * \param chain_len        chain length (number of certificates).
3798  * \param sk               server private key (RSA).
3799  * \param allowed_usages   allowed private key usages.
3800  * \param irsacore         RSA core implementation.
3801  * \param irsasign         RSA signature implementation (PKCS#1 v1.5).
3802  */
3803 void br_ssl_server_set_single_rsa(br_ssl_server_context *cc,
3804 	const br_x509_certificate *chain, size_t chain_len,
3805 	const br_rsa_private_key *sk, unsigned allowed_usages,
3806 	br_rsa_private irsacore, br_rsa_pkcs1_sign irsasign);
3807 
3808 /**
3809  * \brief Set the server certificate chain and key (single EC case).
3810  *
3811  * This function uses a policy context included in the server context.
3812  * It configures use of a single server certificate chain with an EC
3813  * private key. The `allowed_usages` is a combination of usages, namely
3814  * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables
3815  * the corresponding cipher suites (i.e. `TLS_ECDH_*` use the EC key for
3816  * key exchange, while `TLS_ECDHE_ECDSA_*` use the EC key for signatures).
3817  *
3818  * In order to support `TLS_ECDH_*` cipher suites (non-ephemeral ECDH),
3819  * the algorithm type of the key used by the issuing CA to sign the
3820  * server's certificate must be provided, as `cert_issuer_key_type`
3821  * parameter (this value is either `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`).
3822  *
3823  * \param cc                     server context.
3824  * \param chain                  server certificate chain to send.
3825  * \param chain_len              chain length (number of certificates).
3826  * \param sk                     server private key (EC).
3827  * \param allowed_usages         allowed private key usages.
3828  * \param cert_issuer_key_type   issuing CA's key type.
3829  * \param iec                    EC core implementation.
3830  * \param iecdsa                 ECDSA signature implementation ("asn1" format).
3831  */
3832 void br_ssl_server_set_single_ec(br_ssl_server_context *cc,
3833 	const br_x509_certificate *chain, size_t chain_len,
3834 	const br_ec_private_key *sk, unsigned allowed_usages,
3835 	unsigned cert_issuer_key_type,
3836 	const br_ec_impl *iec, br_ecdsa_sign iecdsa);
3837 
3838 /**
3839  * \brief Activate client certificate authentication.
3840  *
3841  * The trust anchor encoded X.500 names (DN) to send to the client are
3842  * provided. A client certificate will be requested and validated through
3843  * the X.509 validator configured in the SSL engine. If `num` is 0, then
3844  * client certificate authentication is disabled.
3845  *
3846  * If the client does not send a certificate, or on validation failure,
3847  * the handshake aborts. Unauthenticated clients can be tolerated by
3848  * setting the `BR_OPT_TOLERATE_NO_CLIENT_AUTH` flag.
3849  *
3850  * The provided array is linked in, not copied, so that pointer must
3851  * remain valid as long as anchor names may be used.
3852  *
3853  * \param cc         server context.
3854  * \param ta_names   encoded trust anchor names.
3855  * \param num        number of encoded trust anchor names.
3856  */
3857 static inline void
3858 br_ssl_server_set_trust_anchor_names(br_ssl_server_context *cc,
3859 	const br_x500_name *ta_names, size_t num)
3860 {
3861 	cc->ta_names = ta_names;
3862 	cc->tas = NULL;
3863 	cc->num_tas = num;
3864 }
3865 
3866 /**
3867  * \brief Activate client certificate authentication.
3868  *
3869  * This is a variant for `br_ssl_server_set_trust_anchor_names()`: the
3870  * trust anchor names are provided not as an array of stand-alone names
3871  * (`br_x500_name` structures), but as an array of trust anchors
3872  * (`br_x509_trust_anchor` structures). The server engine itself will
3873  * only use the `dn` field of each trust anchor. This is meant to allow
3874  * defining a single array of trust anchors, to be used here and in the
3875  * X.509 validation engine itself.
3876  *
3877  * The provided array is linked in, not copied, so that pointer must
3878  * remain valid as long as anchor names may be used.
3879  *
3880  * \param cc    server context.
3881  * \param tas   trust anchors (only names are used).
3882  * \param num   number of trust anchors.
3883  */
3884 static inline void
3885 br_ssl_server_set_trust_anchor_names_alt(br_ssl_server_context *cc,
3886 	const br_x509_trust_anchor *tas, size_t num)
3887 {
3888 	cc->ta_names = NULL;
3889 	cc->tas = tas;
3890 	cc->num_tas = num;
3891 }
3892 
3893 /**
3894  * \brief Configure the cache for session parameters.
3895  *
3896  * The cache context is provided as a pointer to its first field (vtable
3897  * pointer).
3898  *
3899  * \param cc       server context.
3900  * \param vtable   session cache context.
3901  */
3902 static inline void
3903 br_ssl_server_set_cache(br_ssl_server_context *cc,
3904 	const br_ssl_session_cache_class **vtable)
3905 {
3906 	cc->cache_vtable = vtable;
3907 }
3908 
3909 /**
3910  * \brief Prepare or reset a server context for handling an incoming client.
3911  *
3912  * \param cc   server context.
3913  * \return  1 on success, 0 on error.
3914  */
3915 int br_ssl_server_reset(br_ssl_server_context *cc);
3916 
3917 /* ===================================================================== */
3918 
3919 /*
3920  * Context for the simplified I/O context. The transport medium is accessed
3921  * through the low_read() and low_write() callback functions, each with
3922  * its own opaque context pointer.
3923  *
3924  *  low_read()    read some bytes, at most 'len' bytes, into data[]. The
3925  *                returned value is the number of read bytes, or -1 on error.
3926  *                The 'len' parameter is guaranteed never to exceed 20000,
3927  *                so the length always fits in an 'int' on all platforms.
3928  *
3929  *  low_write()   write up to 'len' bytes, to be read from data[]. The
3930  *                returned value is the number of written bytes, or -1 on
3931  *                error. The 'len' parameter is guaranteed never to exceed
3932  *                20000, so the length always fits in an 'int' on all
3933  *                parameters.
3934  *
3935  * A socket closure (if the transport medium is a socket) should be reported
3936  * as an error (-1). The callbacks shall endeavour to block until at least
3937  * one byte can be read or written; a callback returning 0 at times is
3938  * acceptable, but this normally leads to the callback being immediately
3939  * called again, so the callback should at least always try to block for
3940  * some time if no I/O can take place.
3941  *
3942  * The SSL engine naturally applies some buffering, so the callbacks need
3943  * not apply buffers of their own.
3944  */
3945 /**
3946  * \brief Context structure for the simplified SSL I/O wrapper.
3947  *
3948  * This structure is initialised with `br_sslio_init()`. Its contents
3949  * are opaque and shall not be accessed directly.
3950  */
3951 typedef struct {
3952 #ifndef BR_DOXYGEN_IGNORE
3953 	br_ssl_engine_context *engine;
3954 	int (*low_read)(void *read_context,
3955 		unsigned char *data, size_t len);
3956 	void *read_context;
3957 	int (*low_write)(void *write_context,
3958 		const unsigned char *data, size_t len);
3959 	void *write_context;
3960 #endif
3961 } br_sslio_context;
3962 
3963 /**
3964  * \brief Initialise a simplified I/O wrapper context.
3965  *
3966  * The simplified I/O wrapper offers a simpler read/write API for a SSL
3967  * engine (client or server), using the provided callback functions for
3968  * reading data from, or writing data to, the transport medium.
3969  *
3970  * The callback functions have the following semantics:
3971  *
3972  *   - Each callback receives an opaque context value (of type `void *`)
3973  *     that the callback may use arbitrarily (or possibly ignore).
3974  *
3975  *   - `low_read()` reads at least one byte, at most `len` bytes, from
3976  *     the transport medium. Read bytes shall be written in `data`.
3977  *
3978  *   - `low_write()` writes at least one byte, at most `len` bytes, unto
3979  *     the transport medium. The bytes to write are read from `data`.
3980  *
3981  *   - The `len` parameter is never zero, and is always lower than 20000.
3982  *
3983  *   - The number of processed bytes (read or written) is returned. Since
3984  *     that number is less than 20000, it always fits on an `int`.
3985  *
3986  *   - On error, the callbacks return -1. Reaching end-of-stream is an
3987  *     error. Errors are permanent: the SSL connection is terminated.
3988  *
3989  *   - Callbacks SHOULD NOT return 0. This is tolerated, as long as
3990  *     callbacks endeavour to block for some non-negligible amount of
3991  *     time until at least one byte can be sent or received (if a
3992  *     callback returns 0, then the wrapper invokes it again
3993  *     immediately).
3994  *
3995  *   - Callbacks MAY return as soon as at least one byte is processed;
3996  *     they MAY also insist on reading or writing _all_ requested bytes.
3997  *     Since SSL is a self-terminated protocol (each record has a length
3998  *     header), this does not change semantics.
3999  *
4000  *   - Callbacks need not apply any buffering (for performance) since SSL
4001  *     itself uses buffers.
4002  *
4003  * \param ctx             wrapper context to initialise.
4004  * \param engine          SSL engine to wrap.
4005  * \param low_read        callback for reading data from the transport.
4006  * \param read_context    context pointer for `low_read()`.
4007  * \param low_write       callback for writing data on the transport.
4008  * \param write_context   context pointer for `low_write()`.
4009  */
4010 void br_sslio_init(br_sslio_context *ctx,
4011 	br_ssl_engine_context *engine,
4012 	int (*low_read)(void *read_context,
4013 		unsigned char *data, size_t len),
4014 	void *read_context,
4015 	int (*low_write)(void *write_context,
4016 		const unsigned char *data, size_t len),
4017 	void *write_context);
4018 
4019 /**
4020  * \brief Read some application data from a SSL connection.
4021  *
4022  * If `len` is zero, then this function returns 0 immediately. In
4023  * all other cases, it never returns 0.
4024  *
4025  * This call returns only when at least one byte has been obtained.
4026  * Returned value is the number of bytes read, or -1 on error. The
4027  * number of bytes always fits on an 'int' (data from a single SSL/TLS
4028  * record is returned).
4029  *
4030  * On error or SSL closure, this function returns -1. The caller should
4031  * inspect the error status on the SSL engine to distinguish between
4032  * normal closure and error.
4033  *
4034  * \param cc    SSL wrapper context.
4035  * \param dst   destination buffer for application data.
4036  * \param len   maximum number of bytes to obtain.
4037  * \return  number of bytes obtained, or -1 on error.
4038  */
4039 int br_sslio_read(br_sslio_context *cc, void *dst, size_t len);
4040 
4041 /**
4042  * \brief Read application data from a SSL connection.
4043  *
4044  * This calls returns only when _all_ requested `len` bytes are read,
4045  * or an error is reached. Returned value is 0 on success, -1 on error.
4046  * A normal (verified) SSL closure before that many bytes are obtained
4047  * is reported as an error by this function.
4048  *
4049  * \param cc    SSL wrapper context.
4050  * \param dst   destination buffer for application data.
4051  * \param len   number of bytes to obtain.
4052  * \return  0 on success, or -1 on error.
4053  */
4054 int br_sslio_read_all(br_sslio_context *cc, void *dst, size_t len);
4055 
4056 /**
4057  * \brief Write some application data unto a SSL connection.
4058  *
4059  * If `len` is zero, then this function returns 0 immediately. In
4060  * all other cases, it never returns 0.
4061  *
4062  * This call returns only when at least one byte has been written.
4063  * Returned value is the number of bytes written, or -1 on error. The
4064  * number of bytes always fits on an 'int' (less than 20000).
4065  *
4066  * On error or SSL closure, this function returns -1. The caller should
4067  * inspect the error status on the SSL engine to distinguish between
4068  * normal closure and error.
4069  *
4070  * **Important:** SSL is buffered; a "written" byte is a byte that was
4071  * injected into the wrapped SSL engine, but this does not necessarily mean
4072  * that it has been scheduled for sending. Use `br_sslio_flush()` to
4073  * ensure that all pending data has been sent to the transport medium.
4074  *
4075  * \param cc    SSL wrapper context.
4076  * \param src   source buffer for application data.
4077  * \param len   maximum number of bytes to write.
4078  * \return  number of bytes written, or -1 on error.
4079  */
4080 int br_sslio_write(br_sslio_context *cc, const void *src, size_t len);
4081 
4082 /**
4083  * \brief Write application data unto a SSL connection.
4084  *
4085  * This calls returns only when _all_ requested `len` bytes have been
4086  * written, or an error is reached. Returned value is 0 on success, -1
4087  * on error. A normal (verified) SSL closure before that many bytes are
4088  * written is reported as an error by this function.
4089  *
4090  * **Important:** SSL is buffered; a "written" byte is a byte that was
4091  * injected into the wrapped SSL engine, but this does not necessarily mean
4092  * that it has been scheduled for sending. Use `br_sslio_flush()` to
4093  * ensure that all pending data has been sent to the transport medium.
4094  *
4095  * \param cc    SSL wrapper context.
4096  * \param src   source buffer for application data.
4097  * \param len   number of bytes to write.
4098  * \return  0 on success, or -1 on error.
4099  */
4100 int br_sslio_write_all(br_sslio_context *cc, const void *src, size_t len);
4101 
4102 /**
4103  * \brief Flush pending data.
4104  *
4105  * This call makes sure that any buffered application data in the
4106  * provided context (including the wrapped SSL engine) has been sent
4107  * to the transport medium (i.e. accepted by the `low_write()` callback
4108  * method). If there is no such pending data, then this function does
4109  * nothing (and returns a success, i.e. 0).
4110  *
4111  * If the underlying transport medium has its own buffers, then it is
4112  * up to the caller to ensure the corresponding flushing.
4113  *
4114  * Returned value is 0 on success, -1 on error.
4115  *
4116  * \param cc    SSL wrapper context.
4117  * \return  0 on success, or -1 on error.
4118  */
4119 int br_sslio_flush(br_sslio_context *cc);
4120 
4121 /**
4122  * \brief Close the SSL connection.
4123  *
4124  * This call runs the SSL closure protocol (sending a `close_notify`,
4125  * receiving the response `close_notify`). When it returns, the SSL
4126  * connection is finished. It is still up to the caller to manage the
4127  * possible transport-level termination, if applicable (alternatively,
4128  * the underlying transport stream may be reused for non-SSL messages).
4129  *
4130  * Returned value is 0 on success, -1 on error. A failure by the peer
4131  * to process the complete closure protocol (i.e. sending back the
4132  * `close_notify`) is an error.
4133  *
4134  * \param cc    SSL wrapper context.
4135  * \return  0 on success, or -1 on error.
4136  */
4137 int br_sslio_close(br_sslio_context *cc);
4138 
4139 /* ===================================================================== */
4140 
4141 /*
4142  * Symbolic constants for cipher suites.
4143  */
4144 
4145 /* From RFC 5246 */
4146 #define BR_TLS_NULL_WITH_NULL_NULL                   0x0000
4147 #define BR_TLS_RSA_WITH_NULL_MD5                     0x0001
4148 #define BR_TLS_RSA_WITH_NULL_SHA                     0x0002
4149 #define BR_TLS_RSA_WITH_NULL_SHA256                  0x003B
4150 #define BR_TLS_RSA_WITH_RC4_128_MD5                  0x0004
4151 #define BR_TLS_RSA_WITH_RC4_128_SHA                  0x0005
4152 #define BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA             0x000A
4153 #define BR_TLS_RSA_WITH_AES_128_CBC_SHA              0x002F
4154 #define BR_TLS_RSA_WITH_AES_256_CBC_SHA              0x0035
4155 #define BR_TLS_RSA_WITH_AES_128_CBC_SHA256           0x003C
4156 #define BR_TLS_RSA_WITH_AES_256_CBC_SHA256           0x003D
4157 #define BR_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA          0x000D
4158 #define BR_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA          0x0010
4159 #define BR_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA         0x0013
4160 #define BR_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA         0x0016
4161 #define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA           0x0030
4162 #define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA           0x0031
4163 #define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA          0x0032
4164 #define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA          0x0033
4165 #define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA           0x0036
4166 #define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA           0x0037
4167 #define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA          0x0038
4168 #define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA          0x0039
4169 #define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA256        0x003E
4170 #define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA256        0x003F
4171 #define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       0x0040
4172 #define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       0x0067
4173 #define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA256        0x0068
4174 #define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA256        0x0069
4175 #define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       0x006A
4176 #define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       0x006B
4177 #define BR_TLS_DH_anon_WITH_RC4_128_MD5              0x0018
4178 #define BR_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA         0x001B
4179 #define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA          0x0034
4180 #define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA          0x003A
4181 #define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA256       0x006C
4182 #define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA256       0x006D
4183 
4184 /* From RFC 4492 */
4185 #define BR_TLS_ECDH_ECDSA_WITH_NULL_SHA              0xC001
4186 #define BR_TLS_ECDH_ECDSA_WITH_RC4_128_SHA           0xC002
4187 #define BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA      0xC003
4188 #define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA       0xC004
4189 #define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA       0xC005
4190 #define BR_TLS_ECDHE_ECDSA_WITH_NULL_SHA             0xC006
4191 #define BR_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA          0xC007
4192 #define BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     0xC008
4193 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA      0xC009
4194 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA      0xC00A
4195 #define BR_TLS_ECDH_RSA_WITH_NULL_SHA                0xC00B
4196 #define BR_TLS_ECDH_RSA_WITH_RC4_128_SHA             0xC00C
4197 #define BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA        0xC00D
4198 #define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA         0xC00E
4199 #define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA         0xC00F
4200 #define BR_TLS_ECDHE_RSA_WITH_NULL_SHA               0xC010
4201 #define BR_TLS_ECDHE_RSA_WITH_RC4_128_SHA            0xC011
4202 #define BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       0xC012
4203 #define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA        0xC013
4204 #define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA        0xC014
4205 #define BR_TLS_ECDH_anon_WITH_NULL_SHA               0xC015
4206 #define BR_TLS_ECDH_anon_WITH_RC4_128_SHA            0xC016
4207 #define BR_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA       0xC017
4208 #define BR_TLS_ECDH_anon_WITH_AES_128_CBC_SHA        0xC018
4209 #define BR_TLS_ECDH_anon_WITH_AES_256_CBC_SHA        0xC019
4210 
4211 /* From RFC 5288 */
4212 #define BR_TLS_RSA_WITH_AES_128_GCM_SHA256           0x009C
4213 #define BR_TLS_RSA_WITH_AES_256_GCM_SHA384           0x009D
4214 #define BR_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       0x009E
4215 #define BR_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       0x009F
4216 #define BR_TLS_DH_RSA_WITH_AES_128_GCM_SHA256        0x00A0
4217 #define BR_TLS_DH_RSA_WITH_AES_256_GCM_SHA384        0x00A1
4218 #define BR_TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       0x00A2
4219 #define BR_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       0x00A3
4220 #define BR_TLS_DH_DSS_WITH_AES_128_GCM_SHA256        0x00A4
4221 #define BR_TLS_DH_DSS_WITH_AES_256_GCM_SHA384        0x00A5
4222 #define BR_TLS_DH_anon_WITH_AES_128_GCM_SHA256       0x00A6
4223 #define BR_TLS_DH_anon_WITH_AES_256_GCM_SHA384       0x00A7
4224 
4225 /* From RFC 5289 */
4226 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   0xC023
4227 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   0xC024
4228 #define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    0xC025
4229 #define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    0xC026
4230 #define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     0xC027
4231 #define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     0xC028
4232 #define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256      0xC029
4233 #define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384      0xC02A
4234 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   0xC02B
4235 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   0xC02C
4236 #define BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    0xC02D
4237 #define BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    0xC02E
4238 #define BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     0xC02F
4239 #define BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     0xC030
4240 #define BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256      0xC031
4241 #define BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384      0xC032
4242 
4243 /* From RFC 6655 and 7251 */
4244 #define BR_TLS_RSA_WITH_AES_128_CCM                  0xC09C
4245 #define BR_TLS_RSA_WITH_AES_256_CCM                  0xC09D
4246 #define BR_TLS_RSA_WITH_AES_128_CCM_8                0xC0A0
4247 #define BR_TLS_RSA_WITH_AES_256_CCM_8                0xC0A1
4248 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM          0xC0AC
4249 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM          0xC0AD
4250 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8        0xC0AE
4251 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8        0xC0AF
4252 
4253 /* From RFC 7905 */
4254 #define BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xCCA8
4255 #define BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   0xCCA9
4256 #define BR_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256       0xCCAA
4257 #define BR_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256           0xCCAB
4258 #define BR_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAC
4259 #define BR_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256       0xCCAD
4260 #define BR_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256       0xCCAE
4261 
4262 /* From RFC 7507 */
4263 #define BR_TLS_FALLBACK_SCSV                         0x5600
4264 
4265 /*
4266  * Symbolic constants for alerts.
4267  */
4268 #define BR_ALERT_CLOSE_NOTIFY                0
4269 #define BR_ALERT_UNEXPECTED_MESSAGE         10
4270 #define BR_ALERT_BAD_RECORD_MAC             20
4271 #define BR_ALERT_RECORD_OVERFLOW            22
4272 #define BR_ALERT_DECOMPRESSION_FAILURE      30
4273 #define BR_ALERT_HANDSHAKE_FAILURE          40
4274 #define BR_ALERT_BAD_CERTIFICATE            42
4275 #define BR_ALERT_UNSUPPORTED_CERTIFICATE    43
4276 #define BR_ALERT_CERTIFICATE_REVOKED        44
4277 #define BR_ALERT_CERTIFICATE_EXPIRED        45
4278 #define BR_ALERT_CERTIFICATE_UNKNOWN        46
4279 #define BR_ALERT_ILLEGAL_PARAMETER          47
4280 #define BR_ALERT_UNKNOWN_CA                 48
4281 #define BR_ALERT_ACCESS_DENIED              49
4282 #define BR_ALERT_DECODE_ERROR               50
4283 #define BR_ALERT_DECRYPT_ERROR              51
4284 #define BR_ALERT_PROTOCOL_VERSION           70
4285 #define BR_ALERT_INSUFFICIENT_SECURITY      71
4286 #define BR_ALERT_INTERNAL_ERROR             80
4287 #define BR_ALERT_USER_CANCELED              90
4288 #define BR_ALERT_NO_RENEGOTIATION          100
4289 #define BR_ALERT_UNSUPPORTED_EXTENSION     110
4290 #define BR_ALERT_NO_APPLICATION_PROTOCOL   120
4291 
4292 #ifdef __cplusplus
4293 }
4294 #endif
4295 
4296 #endif
4297