Standard preamble:
========================================================================
..
.... Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.
If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.
Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================
Title "SSL_EXTENSION_SUPPORTED 3ossl"
way too many mistakes in technical documents.
\fBSSL_CTX_add_client_custom_ext() adds a custom extension for a \s-1TLS/DTLS\s0 client with extension type ext_type and callbacks add_cb, free_cb and \fBparse_cb. This function is similar to SSL_CTX_add_custom_ext() except it only applies to clients, uses the older style of callbacks, and implicitly sets the \fBcontext value to:
.Vb 2 SSL_EXT_TLS1_2_AND_BELOW_ONLY | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_IGNORE_ON_RESUMPTION .Ve
\fBSSL_CTX_add_server_custom_ext() adds a custom extension for a \s-1TLS/DTLS\s0 server with extension type ext_type and callbacks add_cb, free_cb and \fBparse_cb. This function is similar to SSL_CTX_add_custom_ext() except it only applies to servers, uses the older style of callbacks, and implicitly sets the context value to the same as for SSL_CTX_add_client_custom_ext() above.
The ext_type parameter corresponds to the extension_type field of \s-1RFC5246\s0 et al. It is not a \s-1NID.\s0 In all cases the extension type must not be handled by OpenSSL internally or an error occurs.
\fBSSL_extension_supported() returns 1 if the extension ext_type is handled internally by OpenSSL and 0 otherwise.
If the application wishes to include the extension ext_type it should set *out to the extension data, set *outlen to the length of the extension data and return 1.
If the add_cb does not wish to include the extension it must return 0.
If add_cb returns -1 a fatal handshake error occurs using the \s-1TLS\s0 alert value specified in *al.
When constructing the ClientHello, if add_cb is set to \s-1NULL\s0 a zero length extension is added for ext_type. For all other messages if add_cb is set to \s-1NULL\s0 then no extension is added.
When constructing a Certificate message the callback will be called for each certificate in the message. The x parameter will indicate the current certificate and the chainidx parameter will indicate the position of the certificate in the message. The first certificate is always the end entity certificate and has a chainidx value of 0. The certificates are in the order that they were received in the Certificate message.
For all messages except the ServerHello and EncryptedExtensions every registered add_cb is always called to see if the application wishes to add an extension (as long as all requirements of the specified context are met).
For the ServerHello and EncryptedExtension messages every registered add_cb is called once if and only if the requirements of the specified context are met and the corresponding extension was received in the ClientHello. That is, if no corresponding extension was received in the ClientHello then add_cb will not be called.
If an extension is added (that is add_cb returns 1) free_cb is called (if it is set) with the value of out set by the add callback. It can be used to free up any dynamic extension data set by add_cb. Since out is constant (to permit use of constant data in add_cb) applications may need to cast away const to free the data.
The callback parse_cb receives data for \s-1TLS\s0 extensions. The callback is only called if the extension is present and relevant for the context (see \*(L"\s-1EXTENSION CONTEXTS\*(R"\s0 below).
The extension data consists of inlen bytes in the buffer in for the extension ext_type.
If the message being parsed is a TLSv1.3 compatible Certificate message then \fBparse_cb will be called for each certificate contained within the message. The x parameter will indicate the current certificate and the chainidx parameter will indicate the position of the certificate in the message. The first certificate is always the end entity certificate and has a chainidx value of 0.
If the parse_cb considers the extension data acceptable it must return 1. If it returns 0 or a negative value a fatal handshake error occurs using the \s-1TLS\s0 alert value specified in *al.
The buffer in is a temporary internal buffer which will not be valid after the callback returns.
The context must include at least one message value (otherwise the extension will never be used).
If the same custom extension type is received multiple times a fatal \fBdecode_error alert is sent and the handshake aborts. If a custom extension is received in a ServerHello/EncryptedExtensions message which was not sent in the ClientHello a fatal unsupported_extension alert is sent and the handshake is aborted. The ServerHello/EncryptedExtensions add_cb callback is only called if the corresponding extension was received in the ClientHello. This is compliant with the \s-1TLS\s0 specifications. This behaviour ensures that each callback is called at most once and that an application can never send unsolicited extensions.
\fBSSL_extension_supported() returns 1 if the extension ext_type is handled internally by OpenSSL and 0 otherwise.
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.