diff --git a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod new file mode 100644 index 0000000000000000000000000000000000000000..3fceef9258a3102d8e0c17aa39654bca9a58d00f --- /dev/null +++ b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod @@ -0,0 +1,133 @@ +=pod + +=head1 NAME + +SSL_CTX_add_client_custom_ext, SSL_CTX_add_server_custom_ext - custom TLS extension handling + +=head1 SYNOPSIS + + #include + + int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); + + int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); + + int SSL_extension_supported(unsigned int ext_type); + + typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, + void *add_arg); + + typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type, + const unsigned char *out, + void *add_arg); + + typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, + void *parse_arg); + + +=head1 DESCRIPTION + +SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client +with extension type B and callbacks B, B and +B. + +SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server +with extension type B and callbacks B, B and +B. + +In both cases the extension type must not be handled by OpenSSL internally +or an error occurs. + +SSL_extension_supported() returns 1 if the extension B is handled +internally by OpenSSL and 0 otherwise. + +=head1 EXTENSION CALLBACKS + +The callback B is called to send custom extension data to be +included in ClientHello for TLS clients or ServerHello for servers. The +B parameter is set to the extension type which will be added and +B to the value set when the extension handler was added. + +If the application wishes to include the extension B it should +set B<*out> to the extension data, set B<*outlen> to the length of the +extension data and return 1. + +If the B does not wish to include the extension it must return 0. + +If B returns -1 a fatal handshake error occurs using the TLS +alert value specified in B<*al>. + +For clients (but not servers) if B is set to NULL a zero length +extension is added for B. + +For clients every registered B is always called to see if the +application wishes to add an extension to ClientHello. + +For servers every registered B is called once if and only if the +corresponding extension was received in ClientHello to see if the application +wishes to add the extension to ServerHello. That is, if no corresponding extension +was received in ClientHello then B will not be called. + +If an extension is added (that is B returns 1) B is called +(if it is set) with the value of B set by the add callback. It can be +used to free up any dynamic extension data set by B. Since B is +constant (to permit use of constant data in B) applications may need to +cast away const to free the data. + +The callback B receives data for TLS extensions. For TLS clients +the extension data will come from ServerHello and for TLS servers it will +come from ClientHello. + +The extension data consists of B bytes in the buffer B for the +extension B. + +If the B considers the extension data acceptable it must return +1. If it returns 0 or a negative value a fatal handshake error occurs +using the TLS alert value specified in B<*al>. + +The buffer B is a temporary internal buffer which will not be valid after +the callback returns. + +=head1 NOTES + +The B and B parameters can be set to arbitrary values +which will be passed to the corresponding callbacks. They can, for example, +be used to store the extension data received in a convenient structure or +pass the extension data to be added or freed when adding extensions. + +The B parameter corresponds to the B field of +RFC5246 et al. It is B a NID. + +If the same custom extension type is received multiple times a fatal +B alert is sent and the handshake aborts. If a custom extension +is received in ServerHello which was not sent in ClientHello a fatal +B alert is sent and the handshake is aborted. The +ServerHello B callback is only called if the corresponding extension +was received in ClientHello. This is compliant with the TLS specifications. +This behaviour ensures that each callback is called at most once and that +an application can never send unsolicited extensions. + +=head1 RETURN VALUES + +SSL_CTX_add_client_custom_ext() and SSL_CTX_add_server_custom_ext() return 1 for +success and 0 for failure. A failure can occur if an attempt is made to +add the same B more than once, if an attempt is made to use an +extension type handled internally by OpenSSL or if an internal error occurs +(for example a memory allocation failure). + +SSL_extension_supported() returns 1 if the extension B is handled +internally by OpenSSL and 0 otherwise. + +=cut