X-Git-Url: https://bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=inc%2Fbearssl_ssl.h;h=ad807ab9acbfe6e86104d6a69bbb008a2e4708fe;hp=fee7b3c496086b96b5435674c130af2e740b1b88;hb=ea95d8264c6aefe742a9c3f4f9d834b188566a29;hpb=5f045c759957fdff8c85716e6af99e10901fdac0
diff --git a/inc/bearssl_ssl.h b/inc/bearssl_ssl.h
index fee7b3c..ad807ab 100644
--- a/inc/bearssl_ssl.h
+++ b/inc/bearssl_ssl.h
@@ -35,6 +35,10 @@
 #include "bearssl_rand.h"
 #include "bearssl_x509.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /** \file bearssl_ssl.h
 *
 * # SSL
@@ -819,8 +823,11 @@ typedef struct {
 } out;
 
 /*
- * The "application data" flag. It is set when application data
- * can be exchanged, cleared otherwise.
+ * The "application data" flag. Value:
+ * 0 handshake is in process, no application data acceptable
+ * 1 application data can be sent and received
+ * 2 closing, no application data can be sent, but some
+ * can still be received (and discarded)
 */
 unsigned char application_data;
 
@@ -2068,6 +2075,41 @@ void br_ssl_engine_close(br_ssl_engine_context *cc);
 */
 int br_ssl_engine_renegotiate(br_ssl_engine_context *cc);
 
+/**
+ * \brief Export key material from a connected SSL engine (RFC 5705).
+ *
+ * This calls compute a secret key of arbitrary length from the master
+ * secret of a connected SSL engine. If the provided context is not
+ * currently in "application data" state (initial handshake is not
+ * finished, another handshake is ongoing, or the connection failed or
+ * was closed), then this function returns 0. Otherwise, a secret key of
+ * length `len` bytes is computed and written in the buffer pointed to
+ * by `dst`, and 1 is returned.
+ *
+ * The computed key follows the specification described in RFC 5705.
+ * That RFC includes two key computations, with and without a "context
+ * value". If `context` is `NULL`, then the variant without context is
+ * used; otherwise, the `context_len` bytes located at the address
+ * pointed to by `context` are used in the computation. Note that it
+ * is possible to have a "with context" key with a context length of
+ * zero bytes, by setting `context` to a non-`NULL` value but
+ * `context_len` to 0.
+ *
+ * When context bytes are used, the context length MUST NOT exceed
+ * 65535 bytes.
+ *
+ * \param cc SSL engine context.
+ * \param dst destination buffer for exported key.
+ * \param len exported key length (in bytes).
+ * \param label disambiguation label.
+ * \param context context value (or `NULL`).
+ * \param context_len context length (in bytes).
+ * \return 1 on success, 0 on error.
+ */
+int br_ssl_key_export(br_ssl_engine_context *cc,
+ void *dst, size_t len, const char *label,
+ const void *context, size_t context_len);
+
 /*
 * Pre-declaration for the SSL client context.
 */
@@ -4065,4 +4107,8 @@ int br_sslio_close(br_sslio_context *cc);
 #define BR_ALERT_UNSUPPORTED_EXTENSION 110
 #define BR_ALERT_NO_APPLICATION_PROTOCOL 120
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif
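Review bot: The new `br_ssl_key_export` documentation says `context_len` MUST NOT exceed 65535 when `context` is non-NULL, but neither that paragraph nor the `\return` line states what happens when a caller violates it, so a reader cannot tell whether the call returns 0 or the result is unspecified; add one sentence such as ` * If context is not NULL and context_len exceeds 65535, the call fails and returns 0.` if that is what the implementation does, or otherwise say that the result is unspecified and the caller must check the bound. The `label` parameter is a `const char *` with no length argument, so the `\param label` line should state that it is a NUL-terminated string, and, as RFC 5705's security considerations advise, that callers should use a registered label distinct from the labels TLS uses internally so the exported key does not overlap the connection's own key material. The opening sentence reads "This calls compute a secret key"; it should be "This call computes a secret key". The function's definition lives outside this header and is not part of the hunk, so the 65535 behaviour has to be confirmed against it.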