/* ssl.h

*

* Copyright (C) 2006-2026 wolfSSL Inc.

*

* This file is part of wolfSSL.

*

* wolfSSL is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License as published by

* the Free Software Foundation; either version 3 of the License, or

* (at your option) any later version.

*

* wolfSSL is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

*

* You should have received a copy of the GNU General Public License

* along with this program; if not, write to the Free Software

* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA

*/

/*!

\file ../wolfssl/ssl.h

\brief Header file containing key wolfSSL API

*/

/* wolfSSL API */

#ifndef WOLFSSL_SSL_H

#define WOLFSSL_SSL_H

/* for users not using preprocessor flags*/

#include <wolfssl/wolfcrypt/settings.h>

#include <wolfssl/version.h>

#include <wolfssl/error-ssl.h>

#include <wolfssl/wolfcrypt/asn_public.h>

#include <wolfssl/wolfcrypt/logging.h>

#include <wolfssl/wolfcrypt/memory.h>

#include <wolfssl/wolfcrypt/types.h>

#include <wolfssl/wolfcrypt/pkcs12.h>

#if defined(HAVE_OCSP) || defined(HAVE_CRL) || (defined(WOLFSSL_CUSTOM_OID) && \

defined(WOLFSSL_ASN_TEMPLATE) && defined(HAVE_OID_DECODING)) || \

defined(WC_ASN_UNKNOWN_EXT_CB)

#include "wolfssl/wolfcrypt/asn.h"

#endif

#ifdef NO_TLS

/* in NO_TLS builds, WOLFSSL_NO_TLS12 must be defined in the TLS layer, but

* must not be defined in the crypto layer, to allow building the TLS12

* KDFs. Similarly for WOLFSSL_TLS13.

*/

#ifndef WOLFSSL_NO_TLS12

#define WOLFSSL_NO_TLS12

#endif

#undef WOLFSSL_TLS13

#endif

/* For the types */

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

#include <wolfssl/openssl/compat_types.h>

#endif

#ifdef HAVE_WOLF_EVENT

#include <wolfssl/wolfcrypt/wolfevent.h>

#endif

#ifdef WOLF_CRYPTO_CB

#include <wolfssl/wolfcrypt/cryptocb.h>

#endif

/* used internally by wolfSSL while OpenSSL types aren't */

#include <wolfssl/callbacks.h>

#ifdef WOLFSSL_PREFIX

#include "prefix_ssl.h"

#endif

#ifdef LIBWOLFSSL_VERSION_STRING

#define WOLFSSL_VERSION LIBWOLFSSL_VERSION_STRING

#endif

#ifdef _WIN32

/* wincrypt.h clashes */

#undef OCSP_REQUEST

#undef OCSP_RESPONSE

#endif

#ifdef OPENSSL_ALL

#if !defined(WOLFSSL_HAVE_BIO_ADDR) && !defined(WOLFSSL_NO_SOCK)

#define WOLFSSL_HAVE_BIO_ADDR

#endif

#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_DTLS_MTU)

#define WOLFSSL_DTLS_MTU

#endif

#endif

#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))

#include <wolfssl/openssl/bn.h>

#ifndef WOLFCRYPT_ONLY

#include <wolfssl/openssl/hmac.h>

#endif

#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)

#include <wolfssl/openssl/cmac.h>

#endif

#endif

#ifdef OPENSSL_COEXIST

/* mode to allow wolfSSL and OpenSSL to coexist without symbol conflicts */

#ifndef NO_OLD_SSL_NAMES

#define NO_OLD_SSL_NAMES

#endif

#ifndef NO_OLD_WC_NAMES

#define NO_OLD_WC_NAMES

#endif

#ifdef TEST_OPENSSL_COEXIST

/*

./configure --enable-opensslcoexist \

CFLAGS="-I/usr/local/opt/openssl/include -DTEST_OPENSSL_COEXIST" \

LDFLAGS="-L/usr/local/opt/openssl/lib -lcrypto"

*/

#include <openssl/ssl.h>

#include <openssl/rand.h>

#include <openssl/err.h>

#include <openssl/ec.h>

#include <openssl/hmac.h>

#include <openssl/bn.h>

#include <openssl/crypto.h>

#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \

FIPS_VERSION3_GE(5,2,0))

#include <openssl/aes.h>

#include <openssl/blowfish.h>

#include <openssl/camellia.h>

#include <openssl/cast.h>

#include <openssl/cmac.h>

#include <openssl/cms.h>

#include <openssl/conf_api.h>

#include <openssl/des.h>

#include <openssl/dh.h>

#include <openssl/dsa.h>

#include <openssl/ecdh.h>

#include <openssl/ecdsa.h>

#include <openssl/engine.h>

#include <openssl/hmac.h>

#include <openssl/idea.h>

#include <openssl/kdf.h>

#include <openssl/md2.h>

#include <openssl/md4.h>

#include <openssl/md5.h>

#include <openssl/mdc2.h>

#include <openssl/modes.h>

#include <openssl/ocsp.h>

#include <openssl/ossl_typ.h>

#include <openssl/pem2.h>

#include <openssl/pem.h>

#include <openssl/pkcs12.h>

#include <openssl/pkcs7.h>

#include <openssl/rand.h>

#include <openssl/rc2.h>

#include <openssl/rc4.h>

#include <openssl/rc5.h>

#include <openssl/ripemd.h>

#include <openssl/rsa.h>

#if defined(HAVE_FIPS_VERSION) && FIPS_VERSION3_LT(6,0,0)

/* clear conflicting name */

#undef RSA_PKCS1_PADDING_SIZE

#endif

#include <openssl/seed.h>

#include <openssl/sha.h>

#include <openssl/srp.h>

#include <openssl/srtp.h>

#include <openssl/ssl.h>

#include <openssl/store.h>

#include <openssl/txt_db.h>

#include <openssl/ui.h>

#include <openssl/whrlpool.h>

#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L

#include <openssl/cmp.h>

#include <openssl/core_object.h>

#include <openssl/decoder.h>

#include <openssl/encoder.h>

#include <openssl/ess.h>

#include <openssl/fipskey.h>

#include <openssl/fips_names.h>

#if OPENSSL_VERSION_NUMBER >= 0x30200000L

#include <openssl/hpke.h>

#endif

#include <openssl/http.h>

#include <openssl/param_build.h>

#include <openssl/params.h>

#include <openssl/proverr.h>

#include <openssl/provider.h>

#include <openssl/self_test.h>

#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */

#endif /* !HAVE_SELFTEST && (!HAVE_FIPS || FIPS_VERSION3_GE(5,2,0)) */

#endif

#elif (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))

#include <wolfssl/openssl/rsa.h>

/* We need the old SSL names */

#if defined(NO_OLD_SSL_NAMES) && !defined(OPENSSL_COEXIST)

#undef NO_OLD_SSL_NAMES

#endif

#if defined(NO_OLD_WC_NAMES) && !defined(OPENSSL_COEXIST)

#undef NO_OLD_WC_NAMES

#endif

#endif

#ifdef __cplusplus

extern "C" {

#endif

#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)

#ifndef WOLFSSL_LOCAL_X509_STORE

#define WOLFSSL_LOCAL_X509_STORE

#endif

#endif

/* LHASH is implemented as a stack */

typedef struct WOLFSSL_STACK WOLFSSL_LHASH;

#ifndef WOLF_LHASH_OF

#define WOLF_LHASH_OF(x) WOLFSSL_LHASH

#endif

#ifndef WOLF_STACK_OF

#define WOLF_STACK_OF(x) WOLFSSL_STACK

#endif

#ifndef DECLARE_STACK_OF

#define DECLARE_STACK_OF(x) WOLF_STACK_OF(x);

#endif

#ifndef WOLFSSL_TYPE_DEFINED

#define WOLFSSL_TYPE_DEFINED

typedef struct WOLFSSL WOLFSSL;

#endif

typedef struct WOLFSSL_SESSION WOLFSSL_SESSION;

typedef struct WOLFSSL_METHOD WOLFSSL_METHOD;

#ifndef WOLFSSL_CTX_TYPE_DEFINED

#define WOLFSSL_CTX_TYPE_DEFINED

typedef struct WOLFSSL_CTX WOLFSSL_CTX;

#endif

typedef struct WOLFSSL_STACK WOLFSSL_STACK;

typedef struct WOLFSSL_X509 WOLFSSL_X509;

typedef struct WOLFSSL_X509_ACERT WOLFSSL_X509_ACERT;

typedef struct WOLFSSL_X509_NAME WOLFSSL_X509_NAME;

typedef struct WOLFSSL_X509_NAME_ENTRY WOLFSSL_X509_NAME_ENTRY;

typedef struct WOLFSSL_X509_PUBKEY WOLFSSL_X509_PUBKEY;

typedef struct WOLFSSL_X509_ALGOR WOLFSSL_X509_ALGOR;

typedef struct WOLFSSL_X509_CHAIN WOLFSSL_X509_CHAIN;

typedef struct WC_PKCS12 WOLFSSL_X509_PKCS12;

typedef struct WOLFSSL_X509_INFO WOLFSSL_X509_INFO;

typedef struct WOLFSSL_CERT_MANAGER WOLFSSL_CERT_MANAGER;

typedef struct WOLFSSL_SOCKADDR WOLFSSL_SOCKADDR;

typedef struct WOLFSSL_CRL WOLFSSL_CRL;

typedef struct WOLFSSL_X509_STORE_CTX WOLFSSL_X509_STORE_CTX;

typedef struct WOLFSSL_BY_DIR_HASH WOLFSSL_BY_DIR_HASH;

typedef struct WOLFSSL_BY_DIR_entry WOLFSSL_BY_DIR_entry;

typedef struct WOLFSSL_BY_DIR WOLFSSL_BY_DIR;

/* redeclare guard */

#define WOLFSSL_TYPES_DEFINED

#ifdef __cplusplus

} /* extern "C" */

#endif

#include <wolfssl/wolfio.h>

/* The WOLFSSL_RSA type is required in all build configurations. */

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

#include <wolfssl/openssl/rsa.h>

#endif

#ifdef __cplusplus

extern "C" {

#endif

#ifndef WC_RNG_TYPE_DEFINED /* guard on redeclaration */

typedef struct WC_RNG WC_RNG;

#define WC_RNG_TYPE_DEFINED

#endif

#ifndef WOLFSSL_DSA_TYPE_DEFINED /* guard on redeclaration */

typedef struct WOLFSSL_DSA WOLFSSL_DSA;

#define WOLFSSL_DSA_TYPE_DEFINED

#endif

#ifndef WOLFSSL_EC_TYPE_DEFINED /* guard on redeclaration */

typedef struct WOLFSSL_EC_KEY WOLFSSL_EC_KEY;

typedef struct WOLFSSL_EC_POINT WOLFSSL_EC_POINT;

typedef struct WOLFSSL_EC_GROUP WOLFSSL_EC_GROUP;

typedef struct WOLFSSL_EC_BUILTIN_CURVE WOLFSSL_EC_BUILTIN_CURVE;

/* WOLFSSL_EC_METHOD is just an alias of WOLFSSL_EC_GROUP for now */

typedef struct WOLFSSL_EC_GROUP WOLFSSL_EC_METHOD;

#define WOLFSSL_EC_TYPE_DEFINED

#endif

#ifndef WOLFSSL_ECDSA_TYPE_DEFINED /* guard on redeclaration */

typedef struct WOLFSSL_ECDSA_SIG WOLFSSL_ECDSA_SIG;

#define WOLFSSL_ECDSA_TYPE_DEFINED

#endif

typedef struct WOLFSSL_CIPHER WOLFSSL_CIPHER;

typedef struct WOLFSSL_X509_LOOKUP WOLFSSL_X509_LOOKUP;

typedef struct WOLFSSL_X509_LOOKUP_METHOD WOLFSSL_X509_LOOKUP_METHOD;

typedef struct WOLFSSL_CRL WOLFSSL_X509_CRL;

typedef struct WOLFSSL_X509_STORE WOLFSSL_X509_STORE;

typedef struct WOLFSSL_X509_VERIFY_PARAM WOLFSSL_X509_VERIFY_PARAM;

typedef struct WOLFSSL_BIO_METHOD WOLFSSL_BIO_METHOD;

typedef struct WOLFSSL_X509_EXTENSION WOLFSSL_X509_EXTENSION;

typedef struct WOLFSSL_ASN1_OBJECT WOLFSSL_ASN1_OBJECT;

typedef struct WOLFSSL_ASN1_OTHERNAME WOLFSSL_ASN1_OTHERNAME;

#ifndef OPENSSL_COEXIST

typedef struct WOLFSSL_ASN1_OTHERNAME OTHERNAME;

#endif

typedef struct WOLFSSL_X509V3_CTX WOLFSSL_X509V3_CTX;

typedef struct WOLFSSL_v3_ext_method WOLFSSL_v3_ext_method;

typedef struct WOLFSSL_OBJ_NAME WOLFSSL_OBJ_NAME;

typedef struct WOLFSSL_ASN1_STRING WOLFSSL_ASN1_STRING;

typedef struct WOLFSSL_dynlock_value WOLFSSL_dynlock_value;

#ifndef WOLFSSL_DH_TYPE_DEFINED /* guard on redeclaration */

typedef struct WOLFSSL_DH WOLFSSL_DH;

#define WOLFSSL_DH_TYPE_DEFINED /* guard on redeclaration */

#endif

typedef struct WOLFSSL_ASN1_BIT_STRING WOLFSSL_ASN1_BIT_STRING;

typedef struct WOLFSSL_ASN1_TYPE WOLFSSL_ASN1_TYPE;

typedef struct WOLFSSL_X509_ATTRIBUTE WOLFSSL_X509_ATTRIBUTE;

typedef struct WOLFSSL_GENERAL_NAME WOLFSSL_GENERAL_NAME;

typedef struct WOLFSSL_AUTHORITY_KEYID WOLFSSL_AUTHORITY_KEYID;

typedef struct WOLFSSL_BASIC_CONSTRAINTS WOLFSSL_BASIC_CONSTRAINTS;

typedef struct WOLFSSL_ACCESS_DESCRIPTION WOLFSSL_ACCESS_DESCRIPTION;

typedef struct WOLFSSL_DIST_POINT_NAME WOLFSSL_DIST_POINT_NAME;

typedef struct WOLFSSL_DIST_POINT WOLFSSL_DIST_POINT;

typedef struct WOLFSSL_GENERAL_SUBTREE WOLFSSL_GENERAL_SUBTREE;

typedef struct WOLFSSL_NAME_CONSTRAINTS WOLFSSL_NAME_CONSTRAINTS;

typedef struct WOLFSSL_CONF_CTX WOLFSSL_CONF_CTX;

typedef int (*WOLFSSL_X509_STORE_CTX_get_crl_cb)(WOLFSSL_X509_STORE_CTX *,

WOLFSSL_X509_CRL **, WOLFSSL_X509 *);

typedef int (*WOLFSSL_X509_STORE_CTX_check_crl_cb)(WOLFSSL_X509_STORE_CTX *,

WOLFSSL_X509_CRL *);

#define WOLFSSL_V_ASN1_BIT_STRING 0x03

#define WOLFSSL_V_ASN1_INTEGER 0x02

#define WOLFSSL_V_ASN1_NEG 0x100

#define WOLFSSL_V_ASN1_NEG_INTEGER (2 | WOLFSSL_V_ASN1_NEG)

#define WOLFSSL_V_ASN1_NEG_ENUMERATED (10 | WOLFSSL_V_ASN1_NEG)

/* Type for ASN1_print_ex */

#define WOLFSSL_ASN1_STRFLGS_ESC_2253 1

#define WOLFSSL_ASN1_STRFLGS_ESC_CTRL 2

#define WOLFSSL_ASN1_STRFLGS_ESC_MSB 4

#define WOLFSSL_ASN1_STRFLGS_ESC_QUOTE 8

#define WOLFSSL_ASN1_STRFLGS_UTF8_CONVERT 0x10

#define WOLFSSL_ASN1_STRFLGS_IGNORE_TYPE 0x20

#define WOLFSSL_ASN1_STRFLGS_SHOW_TYPE 0x40

#define WOLFSSL_ASN1_STRFLGS_DUMP_ALL 0x80

#define WOLFSSL_ASN1_STRFLGS_DUMP_UNKNOWN 0x100

#define WOLFSSL_ASN1_STRFLGS_DUMP_DER 0x200

#define WOLFSSL_ASN1_STRFLGS_RFC2253 (WOLFSSL_ASN1_STRFLGS_ESC_2253 | \

WOLFSSL_ASN1_STRFLGS_ESC_CTRL | \

WOLFSSL_ASN1_STRFLGS_ESC_MSB | \

WOLFSSL_ASN1_STRFLGS_UTF8_CONVERT | \

WOLFSSL_ASN1_STRFLGS_DUMP_UNKNOWN | \

WOLFSSL_ASN1_STRFLGS_DUMP_DER)

#define WOLFSSL_MBSTRING_UTF8 0x1000

#define WOLFSSL_MBSTRING_ASC 0x1001

#define WOLFSSL_MBSTRING_BMP 0x1002

#define WOLFSSL_MBSTRING_UNIV 0x1004

#define WOLFSSL_V_ASN1_EOC 0

#define WOLFSSL_V_ASN1_BOOLEAN 1

#define WOLFSSL_V_ASN1_OCTET_STRING 4

#define WOLFSSL_V_ASN1_NULL 5

#define WOLFSSL_V_ASN1_OBJECT 6

#define WOLFSSL_V_ASN1_UTF8STRING 12

#define WOLFSSL_V_ASN1_SEQUENCE 16

#define WOLFSSL_V_ASN1_SET 17

#define WOLFSSL_V_ASN1_PRINTABLESTRING 19

#define WOLFSSL_V_ASN1_T61STRING 20

#define WOLFSSL_V_ASN1_IA5STRING 22

#define WOLFSSL_V_ASN1_UTCTIME 23

#define WOLFSSL_V_ASN1_GENERALIZEDTIME 24

#define WOLFSSL_V_ASN1_UNIVERSALSTRING 28

#define WOLFSSL_V_ASN1_BMPSTRING 30

#define WOLFSSL_V_ASN1_CONSTRUCTED 0x20

#define WOLFSSL_ASN1_STRING_FLAG_BITS_LEFT 0x008

#define WOLFSSL_ASN1_STRING_FLAG_NDEF 0x010

#define WOLFSSL_ASN1_STRING_FLAG_CONT 0x020

#define WOLFSSL_ASN1_STRING_FLAG_MSTRING 0x040

#define WOLFSSL_ASN1_STRING_FLAG_EMBED 0x080

/* X.509 PKI size limits from RFC2459 (appendix A) */

/* internally our limit is CTC_NAME_SIZE (64) - overridden with WC_CTC_NAME_SIZE */

#define WOLFSSL_ub_name CTC_NAME_SIZE /* 32768 */

#define WOLFSSL_ub_common_name CTC_NAME_SIZE /* 64 */

#define WOLFSSL_ub_locality_name CTC_NAME_SIZE /* 128 */

#define WOLFSSL_ub_state_name CTC_NAME_SIZE /* 128 */

#define WOLFSSL_ub_organization_name CTC_NAME_SIZE /* 64 */

#define WOLFSSL_ub_organization_unit_name CTC_NAME_SIZE /* 64 */

#define WOLFSSL_ub_title CTC_NAME_SIZE /* 64 */

#define WOLFSSL_ub_email_address CTC_NAME_SIZE /* 128 */

#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || defined(HAVE_CURL)

struct WOLFSSL_OBJ_NAME {

int type;

int alias;

const char *name;

const char *data;

};

struct WOLFSSL_AUTHORITY_KEYID {

WOLFSSL_ASN1_STRING *keyid;

WOLFSSL_ASN1_OBJECT *issuer;

WOLFSSL_ASN1_INTEGER *serial;

};

struct WOLFSSL_BASIC_CONSTRAINTS {

int ca;

WOLFSSL_ASN1_INTEGER *pathlen;

};

#endif /* OPENSSL_EXTRA*/

#define WOLFSSL_ASN1_UTCTIME WOLFSSL_ASN1_TIME

#define WOLFSSL_ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME

struct WOLFSSL_ASN1_STRING {

char strData[CTC_NAME_SIZE];

int length;

int type; /* type of string i.e. CTC_UTF8 */

int nid;

char* data;

long flags;

unsigned int isDynamic:1; /* flag for if data pointer dynamic (1 is yes 0 is no) */

};

#define WOLFSSL_MAX_SNAME 40

#define WOLFSSL_ASN1_DYNAMIC 0x1

#define WOLFSSL_ASN1_DYNAMIC_DATA 0x2

struct WOLFSSL_ASN1_OTHERNAME {

WOLFSSL_ASN1_OBJECT* type_id;

WOLFSSL_ASN1_TYPE* value;

};

struct WOLFSSL_GENERAL_NAME {

int type;

union {

char* ptr;

WOLFSSL_ASN1_OTHERNAME* otherName;

WOLFSSL_ASN1_STRING* rfc822Name;

WOLFSSL_ASN1_STRING* dNSName;

WOLFSSL_ASN1_TYPE* x400Address;

WOLFSSL_X509_NAME* directoryName;

WOLFSSL_ASN1_STRING* uniformResourceIdentifier;

WOLFSSL_ASN1_STRING* iPAddress;

WOLFSSL_ASN1_OBJECT* registeredID;

WOLFSSL_ASN1_STRING* ip;

WOLFSSL_X509_NAME* dirn;

WOLFSSL_ASN1_STRING* ia5;

WOLFSSL_ASN1_OBJECT* rid;

WOLFSSL_ASN1_TYPE* other;

} d; /* dereference */

};

/* GeneralSubtree for Name Constraints extension (RFC 5280) */

struct WOLFSSL_GENERAL_SUBTREE {

WOLFSSL_GENERAL_NAME* base;

};

struct WOLFSSL_NAME_CONSTRAINTS {

WOLF_STACK_OF(WOLFSSL_GENERAL_SUBTREE)* permittedSubtrees;

WOLF_STACK_OF(WOLFSSL_GENERAL_SUBTREE)* excludedSubtrees;

};

struct WOLFSSL_DIST_POINT_NAME {

int type;

/* name 'name.fullname' needs to remain the same, in some ports the elements

* of the structure are accessed directly */

union {

WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)* fullname;

} name;

};

struct WOLFSSL_DIST_POINT {

/* name 'distpoint' needs to remain the same, in some ports the elements of

* the structure are accessed directly */

WOLFSSL_DIST_POINT_NAME* distpoint;

};

struct WOLFSSL_ACCESS_DESCRIPTION {

WOLFSSL_ASN1_OBJECT* method;

WOLFSSL_GENERAL_NAME* location;

};

struct WOLFSSL_X509V3_CTX {

WOLFSSL_X509* x509;

};

struct WOLFSSL_ASN1_OBJECT {

void* heap;

const unsigned char* obj;

/* sName is short name i.e sha256 rather than oid (null terminated) */

char sName[WOLFSSL_MAX_SNAME];

int type; /* oid */

int grp; /* type of OID, i.e. oidCertPolicyType */

int nid;

unsigned int objSz;

#if defined(OPENSSL_EXTRA)

int ca;

WOLFSSL_ASN1_INTEGER *pathlen;

#endif

unsigned char dynamic; /* Use WOLFSSL_ASN1_DYNAMIC and WOLFSSL_ASN1_DYNAMIC_DATA

* to determine what needs to be freed. */

#if defined(WOLFSSL_APACHE_HTTPD)

WOLFSSL_GENERAL_NAME* gn;

#endif

struct d { /* dereferenced */

WOLFSSL_ASN1_STRING* dNSName;

WOLFSSL_ASN1_STRING ia5_internal;

WOLFSSL_ASN1_STRING* ia5; /* points to ia5_internal */

#if defined(OPENSSL_ALL)

WOLFSSL_ASN1_STRING* uniformResourceIdentifier;

WOLFSSL_ASN1_STRING iPAddress_internal;

WOLFSSL_ASN1_OTHERNAME* otherName; /* added for Apache httpd */

#endif

WOLFSSL_ASN1_STRING* iPAddress; /* points to iPAddress_internal */

} d;

};

/* wrap ASN1 types */

struct WOLFSSL_ASN1_TYPE {

int type;

union {

char *ptr;

WOLFSSL_ASN1_STRING* asn1_string;

WOLFSSL_ASN1_OBJECT* object;

WOLFSSL_ASN1_INTEGER* integer;

WOLFSSL_ASN1_BIT_STRING* bit_string;

WOLFSSL_ASN1_STRING* octet_string;

WOLFSSL_ASN1_STRING* printablestring;

WOLFSSL_ASN1_STRING* ia5string;

WOLFSSL_ASN1_UTCTIME* utctime;

WOLFSSL_ASN1_GENERALIZEDTIME* generalizedtime;

WOLFSSL_ASN1_STRING* utf8string;

WOLFSSL_ASN1_STRING* set;

WOLFSSL_ASN1_STRING* sequence;

} value;

};

struct WOLFSSL_X509_ATTRIBUTE {

WOLFSSL_ASN1_OBJECT *object;

WOLFSSL_ASN1_TYPE *value;

WOLF_STACK_OF(WOLFSSL_ASN1_TYPE) *set;

};

struct WOLFSSL_EVP_PKEY {

void* heap;

int type; /* openssh dereference */

int save_type; /* openssh dereference */

int pkey_sz;

wolfSSL_Ref ref;

union {

char* ptr; /* der format of key */

} pkey;

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

#ifndef NO_RSA

WOLFSSL_RSA* rsa;

#endif

#ifndef NO_DSA

WOLFSSL_DSA* dsa;

#endif

#ifdef HAVE_ECC

WOLFSSL_EC_KEY* ecc;

#endif

#ifndef NO_DH

WOLFSSL_DH* dh;

#endif

WC_RNG rng;

#ifdef HAVE_HKDF

const WOLFSSL_EVP_MD* hkdfMd;

byte* hkdfSalt;

word32 hkdfSaltSz;

byte* hkdfKey;

word32 hkdfKeySz;

byte* hkdfInfo;

word32 hkdfInfoSz;

int hkdfMode;

#endif

#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)

WOLFSSL_CMAC_CTX* cmacCtx;

#endif

#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */

#ifdef HAVE_ECC

int pkey_curve;

#endif

word16 pkcs8HeaderSz;

/* option bits */

WC_BITFIELD ownDh:1; /* if struct owns DH and should free it */

WC_BITFIELD ownEcc:1; /* if struct owns ECC and should free it */

WC_BITFIELD ownDsa:1; /* if struct owns DSA and should free it */

WC_BITFIELD ownRsa:1; /* if struct owns RSA and should free it */

};

#define WOLFSSL_ALWAYS_CHECK_SUBJECT 0x1

#define WOLFSSL_NO_WILDCARDS 0x2

#define WOLFSSL_NO_PARTIAL_WILDCARDS 0x4

#define WOLFSSL_MULTI_LABEL_WILDCARDS 0x8

/* Custom to wolfSSL, OpenSSL compat goes up to 0x20 */

#define WOLFSSL_LEFT_MOST_WILDCARD_ONLY 0x40

typedef struct WOLFSSL_BUFFER_INFO {

unsigned char* buffer;

word32 length;

} WOLFSSL_BUFFER_INFO;

typedef struct WOLFSSL_BUF_MEM {

char* data; /* dereferenced */

size_t length; /* current length */

size_t max; /* maximum length */

} WOLFSSL_BUF_MEM;

typedef int (*VerifyCallback)(int, WOLFSSL_X509_STORE_CTX*);

typedef int (*WOLFSSL_X509_STORE_CTX_verify_cb)(int, WOLFSSL_X509_STORE_CTX *);

struct WOLFSSL_X509_STORE_CTX {

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

WOLFSSL_X509_STORE* store; /* Store full of a CA cert chain */

WOLFSSL_X509* current_cert; /* current X509 (OPENSSL_EXTRA) */

#if defined(WOLFSSL_ASIO) || defined(OPENSSL_EXTRA)

WOLFSSL_X509* current_issuer; /* asio dereference */

#endif

#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */

WOLFSSL_X509_CHAIN* sesChain; /* pointer to WOLFSSL_SESSION peer chain */

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

WOLFSSL_STACK* chain;

#ifdef OPENSSL_EXTRA

WOLFSSL_X509_VERIFY_PARAM* param; /* certificate validation parameter */

#endif

#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */

char* domain; /* subject CN domain name */

#ifdef HAVE_EX_DATA

WOLFSSL_CRYPTO_EX_DATA ex_data; /* external data */

#endif

#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_EXTRA)

int depth; /* used in X509_STORE_CTX_*_depth */

#endif

void* userCtx; /* user ctx */

int error; /* current error */

int error_depth; /* index of cert depth for this error */

int discardSessionCerts; /* so verify callback can flag for discard */

int totalCerts; /* number of peer cert buffers */

WOLFSSL_BUFFER_INFO* certs; /* peer certs */

WOLFSSL_X509_STORE_CTX_verify_cb verify_cb; /* verify callback */

void* heap;

int flags;

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

WOLF_STACK_OF(WOLFSSL_X509)* owned; /* Certs owned by this CTX */

WOLF_STACK_OF(WOLFSSL_X509)* ctxIntermediates; /* Intermediates specified

* on store ctx init */

WOLF_STACK_OF(WOLFSSL_X509)* setTrustedSk;/* A trusted stack override

* set with

* X509_STORE_CTX_trusted_stack */

#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */

};

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

struct WOLFSSL_X509_PKEY {

WOLFSSL_EVP_PKEY* dec_pkey; /* dereferenced by Apache */

void* heap;

};

typedef struct WOLFSSL_X509_PKEY WOLFSSL_X509_PKEY;

struct WOLFSSL_X509_INFO {

WOLFSSL_X509 *x509;

WOLFSSL_X509_CRL *crl;

WOLFSSL_X509_PKEY *x_pkey; /* dereferenced by Apache */

EncryptedInfo enc_cipher;

int enc_len;

char *enc_data;

int num;

};

#define WOLFSSL_EVP_PKEY_DEFAULT WC_EVP_PKEY_RSA /* default key type */

#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)

#define wolfSSL_SSL_MODE_RELEASE_BUFFERS 0x00000010U

#define wolfSSL_SSL_CTRL_SET_TMP_ECDH 4

#endif

struct WOLFSSL_X509_ALGOR {

WOLFSSL_ASN1_OBJECT* algorithm;

WOLFSSL_ASN1_TYPE* parameter;

};

struct WOLFSSL_X509_PUBKEY {

WOLFSSL_X509_ALGOR* algor;

WOLFSSL_EVP_PKEY* pkey;

int pubKeyOID;

};

enum BIO_TYPE {

WOLFSSL_BIO_UNDEF = 0,

WOLFSSL_BIO_BUFFER = 1,

WOLFSSL_BIO_SOCKET = 2,

WOLFSSL_BIO_SSL = 3,

WOLFSSL_BIO_MEMORY = 4,

WOLFSSL_BIO_BIO = 5,

WOLFSSL_BIO_FILE = 6,

WOLFSSL_BIO_BASE64 = 7,

WOLFSSL_BIO_MD = 8,

WOLFSSL_BIO_DGRAM = 9,

WOLFSSL_BIO_NULL = 10

};

enum BIO_FLAGS {

WOLFSSL_BIO_FLAG_BASE64_NO_NL = 0x01,

WOLFSSL_BIO_FLAG_READ = 0x02,

WOLFSSL_BIO_FLAG_WRITE = 0x04,

WOLFSSL_BIO_FLAG_IO_SPECIAL = 0x08,

WOLFSSL_BIO_FLAG_RETRY = 0x10,

WOLFSSL_BIO_FLAG_MEM_RDONLY = 0x200

};

enum BIO_CB_OPS {

WOLFSSL_BIO_CB_FREE = 0x01,

WOLFSSL_BIO_CB_READ = 0x02,

WOLFSSL_BIO_CB_WRITE = 0x03,

WOLFSSL_BIO_CB_PUTS = 0x04,

WOLFSSL_BIO_CB_GETS = 0x05,

WOLFSSL_BIO_CB_CTRL = 0x06,

WOLFSSL_BIO_CB_RETURN = 0x80

};

/* custom method with user set callbacks */

typedef int (*wolfSSL_BIO_meth_write_cb)(WOLFSSL_BIO*, const char*, int);

typedef int (*wolfSSL_BIO_meth_read_cb)(WOLFSSL_BIO *, char *, int);

typedef int (*wolfSSL_BIO_meth_puts_cb)(WOLFSSL_BIO*, const char*);

typedef int (*wolfSSL_BIO_meth_gets_cb)(WOLFSSL_BIO*, char*, int);

typedef long (*wolfSSL_BIO_meth_ctrl_get_cb)(WOLFSSL_BIO*, int, long, void*);

typedef int (*wolfSSL_BIO_meth_create_cb)(WOLFSSL_BIO*);

typedef int (*wolfSSL_BIO_meth_destroy_cb)(WOLFSSL_BIO*);

typedef int wolfSSL_BIO_info_cb(WOLFSSL_BIO *, int, int);

typedef long (*wolfssl_BIO_meth_ctrl_info_cb)(WOLFSSL_BIO*, int, wolfSSL_BIO_info_cb*);

/* wolfSSL BIO_METHOD type */

#ifndef MAX_BIO_METHOD_NAME

#define MAX_BIO_METHOD_NAME 256

#endif

struct WOLFSSL_BIO_METHOD {

int type; /* method type */

char name[MAX_BIO_METHOD_NAME];

wolfSSL_BIO_meth_write_cb writeCb;

wolfSSL_BIO_meth_read_cb readCb;

wolfSSL_BIO_meth_puts_cb putsCb;

wolfSSL_BIO_meth_gets_cb getsCb;

wolfSSL_BIO_meth_ctrl_get_cb ctrlCb;

wolfSSL_BIO_meth_create_cb createCb;

wolfSSL_BIO_meth_destroy_cb freeCb;

wolfssl_BIO_meth_ctrl_info_cb ctrlInfoCb;

};

#define WOLFSSL_BIO_METHOD_INIT(bio_type) \

{ bio_type, { 0 }, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }

/* wolfSSL BIO type */

typedef long (*wolf_bio_info_cb)(WOLFSSL_BIO *bio, int event, const char *parg,

int iarg, long larg, long return_value);

typedef struct WOLFSSL_COMP_METHOD {

int type; /* stunnel dereference */

} WOLFSSL_COMP_METHOD;

typedef struct WOLFSSL_COMP {

int id;

const char *name;

WOLFSSL_COMP_METHOD *method;

} WOLFSSL_COMP;

#define WOLFSSL_X509_L_FILE_LOAD 0x1

#define WOLFSSL_X509_L_ADD_DIR 0x2

#define WOLFSSL_X509_L_ADD_STORE 0x3

#define WOLFSSL_X509_L_LOAD_STORE 0x4

struct WOLFSSL_X509_LOOKUP_METHOD {

int type;

};

struct WOLFSSL_X509_LOOKUP {

WOLFSSL_X509_STORE *store;

int type;

WOLFSSL_BY_DIR* dirs;

};

struct WOLFSSL_X509_STORE {

int cache; /* stunnel dereference */

WOLFSSL_CERT_MANAGER* cm;

WOLFSSL_X509_LOOKUP lookup;

#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \

defined(WOLFSSL_WPAS_SMALL)

int isDynamic;

WOLFSSL_X509_VERIFY_PARAM* param; /* certificate validation parameter */

#endif

#ifdef OPENSSL_ALL

WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* objs; /* object stack cache */

#endif

#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)

WOLFSSL_X509_STORE_CTX_verify_cb verify_cb;

WOLFSSL_X509_STORE_CTX_get_crl_cb get_crl_cb;

#endif

#ifdef HAVE_EX_DATA

WOLFSSL_CRYPTO_EX_DATA ex_data;

#endif

#if (defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \

defined(WOLFSSL_WPAS_SMALL)) && defined(HAVE_CRL)

WOLFSSL_X509_CRL *crl; /* points to cm->crl */

#endif

wolfSSL_Ref ref;

WOLF_STACK_OF(WOLFSSL_X509)* certs;

WOLF_STACK_OF(WOLFSSL_X509)* trusted;

WOLF_STACK_OF(WOLFSSL_X509)* owned;

word32 numAdded; /* Number of objs in objs that are in certs sk */

};

#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)

#define WOLFSSL_USE_CHECK_TIME 0x2

#define WOLFSSL_NO_CHECK_TIME 0x200000

#define WOLFSSL_PARTIAL_CHAIN 0x80000

#define WOLFSSL_HOST_NAME_MAX 256

#define WOLFSSL_VPARAM_DEFAULT 0x1

#define WOLFSSL_VPARAM_OVERWRITE 0x2

#define WOLFSSL_VPARAM_RESET_FLAGS 0x4

#define WOLFSSL_VPARAM_LOCKED 0x8

#define WOLFSSL_VPARAM_ONCE 0x10

#ifndef WOLFSSL_MAX_IPSTR

#define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */

#endif

struct WOLFSSL_X509_VERIFY_PARAM {

const char *name;

time_t check_time;

unsigned int inherit_flags;

unsigned long flags;

char hostName[WOLFSSL_HOST_NAME_MAX];

unsigned int hostFlags;

char ipasc[WOLFSSL_MAX_IPSTR];

};

#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */

typedef struct WOLFSSL_X509_REVOKED {

WOLFSSL_ASN1_INTEGER* serialNumber; /* certificate serial number */

WOLFSSL_ASN1_TIME* revocationDate; /* revocation date */

WOLFSSL_STACK* extensions; /* STACK_OF(X509_EXTENSION) */

WOLFSSL_STACK* issuer; /* STACK_OF(GENERAL_NAME) for

* indirect CRL (currently NULL) */

int reason; /* CRL reason code, -1 if absent */

int sequence; /* tracks original order of entries

* in the CRL for iteration */

} WOLFSSL_X509_REVOKED;

typedef enum {

WOLFSSL_X509_LU_NONE = 0,

WOLFSSL_X509_LU_X509,

WOLFSSL_X509_LU_CRL

} WOLFSSL_X509_LOOKUP_TYPE;

typedef struct WOLFSSL_X509_OBJECT {

WOLFSSL_X509_LOOKUP_TYPE type;

union {

char* ptr;

WOLFSSL_X509 *x509;

WOLFSSL_X509_CRL* crl; /* stunnel dereference */

} data;

} WOLFSSL_X509_OBJECT;

#define WOLFSSL_ASN1_BOOLEAN int

typedef char* WOLFSSL_STRING;

typedef struct WOLFSSL_RAND_METHOD {

/* seed = Data to mix into the random generator.

* len = Number of bytes to mix from seed. */

int (*seed)(const void* seed, int len);

/* buf = Buffer to store random bytes in.

* len = Number of bytes to store in buf. */

int (*bytes)(unsigned char* buf, int len);

void (*cleanup)(void);

/* add = Data to mix into the random generator.

* len = Number of bytes to mix from add.

* entropy = Estimate of randomness contained in seed.

* Should be between 0 and len. */

int (*add)(const void* add, int len, double entropy);

/* buf = Buffer to store pseudorandom bytes in.

* len = Number of bytes to store in buf. */

int (*pseudorand)(unsigned char *buf, int len);

int (*status)(void);

} WOLFSSL_RAND_METHOD;

#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */

typedef struct WOLFSSL_ALERT {

int code;

int level;

} WOLFSSL_ALERT;

typedef struct WOLFSSL_ALERT_HISTORY {

WOLFSSL_ALERT last_rx;

WOLFSSL_ALERT last_tx;

} WOLFSSL_ALERT_HISTORY;

/* Valid Alert types from page 16/17

* Add alert string to the function AlertTypeToString in src/ssl.c

*/

enum AlertDescription {

invalid_alert = -1,

close_notify = 0,

unexpected_message = 10,

bad_record_mac = 20,

record_overflow = 22,

decompression_failure = 30,

handshake_failure = 40,

no_certificate = 41,

bad_certificate = 42,

unsupported_certificate = 43,

certificate_revoked = 44,

certificate_expired = 45,

certificate_unknown = 46,

illegal_parameter = 47,

unknown_ca = 48,

access_denied = 49,

decode_error = 50,

decrypt_error = 51,

#ifdef WOLFSSL_MYSQL_COMPATIBLE

/* catch name conflict for enum protocol with MYSQL build */

wc_protocol_version = 70,

#else

protocol_version = 70,

#endif

insufficient_security = 71,

internal_error = 80,

inappropriate_fallback = 86,

user_canceled = 90,

no_renegotiation = 100,

missing_extension = 109,

unsupported_extension = 110, /**< RFC 5246, section 7.2.2 */

unrecognized_name = 112, /**< RFC 6066, section 3 */

bad_certificate_status_response = 113, /**< RFC 6066, section 8 */

unknown_psk_identity = 115, /**< RFC 4279, section 2 */

certificate_required = 116, /**< RFC 8446, section 8.2 */

no_application_protocol = 120

};

#ifdef WOLFSSL_MYSQL_COMPATIBLE

#define wolfssl_alert_protocol_version wc_protocol_version

#else

#define wolfssl_alert_protocol_version protocol_version

#endif

enum AlertLevel {

alert_none = 0, /* Used to indicate no alert level is set */

alert_warning = 1,