public/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add an API for other QUIC stacks to use our TLS implementation

Browse source 
We provide some callbacks for third party QUIC stacks to use in order
to be able to reuse the OpenSSL TLS implementation in that stack. This is
essentially a thin wrapper around the same API that OpenSSL's own QUIC
stack uses in order to integrate TLS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26683)
This commit is contained in:
Matt Caswell 2024-08-20 15:09:17 +01:00
parent 3252fe646b
commit 3cf15554f2
15 changed files with 590 additions and 316 deletions
Download patch file Download diff file Expand all files Collapse all files

3
crypto/err/openssl.txt
View file

@ -1,4 +1,4 @@
# Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -1489,6 +1489,7 @@ SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert
SSL_R_MISSING_FATAL:256:missing fatal
SSL_R_MISSING_PARAMETERS:290:missing parameters
SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension
SSL_R_MISSING_QUIC_TLS_FUNCTIONS:421:missing quic tls functions
SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate
SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert
SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert

12
include/internal/quic_tls.h
View file

@ -45,8 +45,11 @@ typedef struct quic_tls_args_st {
void *crypto_release_rcd_cb_arg;
/* Called when a traffic secret is available for a given encryption level. */
int (*yield_secret_cb)(uint32_t enc_level, int direction /* 0=RX, 1=TX */,
/*
* Called when a traffic secret is available for a given TLS protection
* level.
*/
int (*yield_secret_cb)(uint32_t prot_level, int direction /* 0=RX, 1=TX */,
uint32_t suite_id, EVP_MD *md,
const unsigned char *secret, size_t secret_len,
void *arg);
@ -82,12 +85,17 @@ typedef struct quic_tls_args_st {
/* Set to 1 if we are running in the server role. */
int is_server;
/* Set to 1 if this is an internal use of the QUIC TLS */
int ossl_quic;
} QUIC_TLS_ARGS;
QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args);
void ossl_quic_tls_free(QUIC_TLS *qtls);
int ossl_quic_tls_configure(QUIC_TLS *qtls);
/* Advance the state machine */
int ossl_quic_tls_tick(QUIC_TLS *qtls);

8
include/internal/recordmethod.h
View file

@ -43,14 +43,6 @@ typedef struct ossl_record_layer_st OSSL_RECORD_LAYER;
# define OSSL_RECORD_DIRECTION_READ 0
# define OSSL_RECORD_DIRECTION_WRITE 1
/*
* Protection level. For <= TLSv1.2 only "NONE" and "APPLICATION" are used.
*/
# define OSSL_RECORD_PROTECTION_LEVEL_NONE 0
# define OSSL_RECORD_PROTECTION_LEVEL_EARLY 1
# define OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE 2
# define OSSL_RECORD_PROTECTION_LEVEL_APPLICATION 3
# define OSSL_RECORD_RETURN_SUCCESS 1
# define OSSL_RECORD_RETURN_RETRY 0
# define OSSL_RECORD_RETURN_NON_FATAL_ERR -1

24
include/openssl/core_dispatch.h
View file

@ -274,6 +274,30 @@ OSSL_CORE_MAKE_FUNC(int, provider_random_bytes, (void *provctx, int which,
void *buf, size_t n,
unsigned int strength))
/* Libssl related functions */
#define OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND 2001
OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_crypto_send,
(SSL *s, const unsigned char *buf, size_t buf_len,
size_t *consumed, void *arg))
#define OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD 2002
OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_crypto_recv_rcd,
(SSL *s, const unsigned char **buf, size_t *bytes_read,
void *arg))
#define OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD 2003
OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_crypto_release_rcd,
(SSL *s, size_t bytes_read, void *arg))
#define OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET 2004
OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_yield_secret,
(SSL *s, uint32_t prot_level, int direction,
const unsigned char *secret, size_t secret_len, void *arg))
#define OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS 2005
OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_got_transport_params,
(SSL *s, const unsigned char *params, size_t params_len,
void *arg))
#define OSSL_FUNC_SSL_QUIC_TLS_ALERT 2006
OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_alert,
(SSL *s, unsigned char alert_code, void *arg))
/* Operations */
# define OSSL_OP_DIGEST 1

13
include/openssl/ssl.h.in
View file

@ -2825,6 +2825,19 @@ __owur int SSL_get0_server_cert_type(const SSL *s, unsigned char **t, size_t *le
__owur int SSL_CTX_get0_client_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len);
__owur int SSL_CTX_get0_server_cert_type(const SSL_CTX *s, unsigned char **t, size_t *len);
/*
* Protection level. For <= TLSv1.2 only "NONE" and "APPLICATION" are used.
*/
# define OSSL_RECORD_PROTECTION_LEVEL_NONE 0
# define OSSL_RECORD_PROTECTION_LEVEL_EARLY 1
# define OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE 2
# define OSSL_RECORD_PROTECTION_LEVEL_APPLICATION 3
int SSL_set_quic_tls_cbs(SSL *s, const OSSL_DISPATCH *qtdis, void *arg);
int SSL_set_quic_tls_transport_params(SSL *s,
const unsigned char *params,
size_t params_len);
# ifdef __cplusplus
}
# endif

3
include/openssl/sslerr.h
View file

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -172,6 +172,7 @@
# define SSL_R_MISSING_FATAL 256
# define SSL_R_MISSING_PARAMETERS 290
# define SSL_R_MISSING_PSK_KEX_MODES_EXTENSION 310
# define SSL_R_MISSING_QUIC_TLS_FUNCTIONS 421
# define SSL_R_MISSING_RSA_CERTIFICATE 168
# define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
# define SSL_R_MISSING_RSA_SIGNING_CERT 170

2
ssl/quic/build.info
View file

@ -11,7 +11,7 @@ SOURCE[$LIBSSL]=quic_sf_list.c quic_rstream.c quic_sstream.c
SOURCE[$LIBSSL]=quic_reactor.c
SOURCE[$LIBSSL]=quic_channel.c quic_port.c quic_engine.c
SOURCE[$LIBSSL]=quic_tserver.c
SOURCE[$LIBSSL]=quic_tls.c
SOURCE[$LIBSSL]=quic_tls.c quic_tls_api.c
SOURCE[$LIBSSL]=quic_thread_assist.c
SOURCE[$LIBSSL]=quic_trace.c
SOURCE[$LIBSSL]=quic_srtm.c quic_srt_gen.c

24
ssl/quic/quic_channel.c
View file

@ -68,7 +68,7 @@ static int ch_on_transport_params(const unsigned char *params,
void *arg);
static int ch_on_handshake_alert(void *arg, unsigned char alert_code);
static int ch_on_handshake_complete(void *arg);
static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
static int ch_on_handshake_yield_secret(uint32_t prot_level, int direction,
uint32_t suite_id, EVP_MD *md,
const unsigned char *secret,
size_t secret_len,
@ -333,6 +333,7 @@ static int ch_init(QUIC_CHANNEL *ch)
tls_args.alert_cb = ch_on_handshake_alert;
tls_args.alert_cb_arg = ch;
tls_args.is_server = ch->is_server;
tls_args.ossl_quic = 1;
if ((ch->qtls = ossl_quic_tls_new(&tls_args)) == NULL)
goto err;
@ -946,7 +947,7 @@ static int ch_on_crypto_release_record(size_t bytes_read, void *arg)
return ossl_quic_rstream_release_record(rstream, bytes_read);
}
static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
static int ch_on_handshake_yield_secret(uint32_t prot_level, int direction,
uint32_t suite_id, EVP_MD *md,
const unsigned char *secret,
size_t secret_len,
@ -954,6 +955,25 @@ static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
{
QUIC_CHANNEL *ch = arg;
uint32_t i;
uint32_t enc_level;
/* Convert TLS protection level to QUIC encryption level */
switch (prot_level) {
case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
enc_level = QUIC_ENC_LEVEL_0RTT;
break;
case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
break;
case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
enc_level = QUIC_ENC_LEVEL_1RTT;
break;
default:
return 0;
}
if (enc_level < QUIC_ENC_LEVEL_HANDSHAKE || enc_level >= QUIC_ENC_LEVEL_NUM)
/* Invalid EL. */

106
ssl/quic/quic_tls.c
View file

@ -103,7 +103,6 @@ quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
OSSL_RECORD_LAYER **retrl)
{
OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
uint32_t enc_level;
int qdir;
uint32_t suite_id = 0;
@ -135,51 +134,41 @@ quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
}
}
switch (level) {
case OSSL_RECORD_PROTECTION_LEVEL_NONE:
if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
return 1;
case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
enc_level = QUIC_ENC_LEVEL_0RTT;
break;
case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
break;
case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
enc_level = QUIC_ENC_LEVEL_1RTT;
break;
default:
QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
if (direction == OSSL_RECORD_DIRECTION_READ)
qdir = 0;
else
qdir = 1;
if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
suite_id = QRL_SUITE_AES128GCM;
} else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
suite_id = QRL_SUITE_AES256GCM;
} else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
suite_id = QRL_SUITE_CHACHA20POLY1305;
} else {
QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
goto err;
if (rl->qtls->args.ossl_quic) {
/*
* We only look up the suite_id/MD for internal callers. Not used in the
* public API. We assume that a 3rd party QUIC stack will want to
* figure this out by itself (e.g. so that they could add new
* ciphersuites at a different pace to us)
*/
if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
suite_id = QRL_SUITE_AES128GCM;
} else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
suite_id = QRL_SUITE_AES256GCM;
} else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
suite_id = QRL_SUITE_CHACHA20POLY1305;
} else {
QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
goto err;
}
/* We pass a ref to the md in a successful yield_secret_cb call */
/* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
}
/* We pass a ref to the md in a successful yield_secret_cb call */
/* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
if (!rl->qtls->args.yield_secret_cb(level, qdir, suite_id,
(EVP_MD *)kdfdigest, secret, secretlen,
rl->qtls->args.yield_secret_cb_arg)) {
QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@ -698,6 +687,33 @@ static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
#define RAISE_INTERNAL_ERROR(qtls) \
RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
int ossl_quic_tls_configure(QUIC_TLS *qtls)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
return RAISE_INTERNAL_ERROR(qtls);
SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
qtls->args.is_server ? ENDPOINT_SERVER
: ENDPOINT_CLIENT,
TLSEXT_TYPE_quic_transport_parameters,
SSL_EXT_TLS1_3_ONLY
| SSL_EXT_CLIENT_HELLO
| SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
add_transport_params_cb,
free_transport_params_cb, qtls,
parse_transport_params_cb, qtls))
return 0;
sc->s3.flags |= TLS1_FLAGS_QUIC;
return 1;
}
int ossl_quic_tls_tick(QUIC_TLS *qtls)
{
int ret, err;
@ -749,22 +765,8 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
"ALPN must be configured when using QUIC");
}
if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
return RAISE_INTERNAL_ERROR(qtls);
SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
qtls->args.is_server ? ENDPOINT_SERVER
: ENDPOINT_CLIENT,
TLSEXT_TYPE_quic_transport_parameters,
SSL_EXT_TLS1_3_ONLY
| SSL_EXT_CLIENT_HELLO
| SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
add_transport_params_cb,
free_transport_params_cb, qtls,
parse_transport_params_cb, qtls))
if (!ossl_quic_tls_configure(qtls))
return RAISE_INTERNAL_ERROR(qtls);
nullbio = BIO_new(BIO_s_null());

187
ssl/quic/quic_tls_api.c Normal file
View file

@ -0,0 +1,187 @@
/*
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/ssl.h>
#include "internal/quic_tls.h"
#include "../ssl_local.h"
static int crypto_send_cb(const unsigned char *buf, size_t buf_len,
size_t *consumed, void *arg)
{
SSL *s = (SSL *)arg;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL)
return 0;
return sc->qtcb.crypto_send_cb(s, buf, buf_len, consumed, sc->qtarg);
}
static int crypto_recv_rcd_cb(const unsigned char **buf, size_t *bytes_read,
void *arg)
{
SSL *s = (SSL *)arg;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL)
return 0;
return sc->qtcb.crypto_recv_rcd_cb(s, buf, bytes_read, sc->qtarg);
}
static int crypto_release_rcd_cb(size_t bytes_read, void *arg)
{
SSL *s = (SSL *)arg;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL)
return 0;
return sc->qtcb.crypto_release_rcd_cb(s, bytes_read, sc->qtarg);
}
static int yield_secret_cb(uint32_t prot_level, int direction,
uint32_t suite_id, EVP_MD *md,
const unsigned char *secret, size_t secret_len,
void *arg)
{
SSL *s = (SSL *)arg;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL)
return 0;
return sc->qtcb.yield_secret_cb(s, prot_level, direction,
secret, secret_len, sc->qtarg);
}
static int got_transport_params_cb(const unsigned char *params,
size_t params_len,
void *arg)
{
SSL *s = (SSL *)arg;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL)
return 0;
return sc->qtcb.got_transport_params_cb(s, params, params_len, sc->qtarg);
}
static int alert_cb(void *arg, unsigned char alert_code)
{
SSL *s = (SSL *)arg;
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc == NULL)
return 0;
return sc->qtcb.alert_cb(s, alert_code, sc->qtarg);
}
static int tls_callbacks_from_dispatch(OSSL_QUIC_TLS_CALLBACKS *qtcb,
const OSSL_DISPATCH *qtdis)
{
for (; qtdis->function_id != 0; qtdis++) {
switch (qtdis->function_id) {
case OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND:
if (qtcb->crypto_send_cb == NULL)
qtcb->crypto_send_cb = OSSL_FUNC_SSL_QUIC_TLS_crypto_send(qtdis);
break;
case OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD:
if (qtcb->crypto_recv_rcd_cb == NULL)
qtcb->crypto_recv_rcd_cb =
OSSL_FUNC_SSL_QUIC_TLS_crypto_recv_rcd(qtdis);
break;
case OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD:
if (qtcb->crypto_release_rcd_cb == NULL)
qtcb->crypto_release_rcd_cb =
OSSL_FUNC_SSL_QUIC_TLS_crypto_release_rcd(qtdis);
break;
case OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET:
if (qtcb->yield_secret_cb == NULL)
qtcb->yield_secret_cb =
OSSL_FUNC_SSL_QUIC_TLS_yield_secret(qtdis);
break;
case OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS:
if (qtcb->got_transport_params_cb == NULL)
qtcb->got_transport_params_cb =
OSSL_FUNC_SSL_QUIC_TLS_got_transport_params(qtdis);
break;
case OSSL_FUNC_SSL_QUIC_TLS_ALERT:
if (qtcb->alert_cb == NULL)
qtcb->alert_cb =
OSSL_FUNC_SSL_QUIC_TLS_alert(qtdis);
break;
}
}
if (qtcb->crypto_send_cb == NULL
|| qtcb->crypto_recv_rcd_cb == NULL
|| qtcb->crypto_release_rcd_cb == NULL
|| qtcb->yield_secret_cb == NULL
|| qtcb->got_transport_params_cb == NULL
|| qtcb->alert_cb == NULL) {
ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_QUIC_TLS_FUNCTIONS);
return 0;
}
return 1;
}
int SSL_set_quic_tls_cbs(SSL *s, const OSSL_DISPATCH *qtdis, void *arg)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
QUIC_TLS_ARGS qtlsargs;
if (!SSL_is_tls(s)) {
ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
if (!tls_callbacks_from_dispatch(&sc->qtcb, qtdis))
/* ERR_raise already called*/
return 0;
sc->qtarg = arg;
ossl_quic_tls_free(sc->qtls);
qtlsargs.s = s;
qtlsargs.crypto_send_cb = crypto_send_cb;
qtlsargs.crypto_send_cb_arg = s;
qtlsargs.crypto_recv_rcd_cb = crypto_recv_rcd_cb;
qtlsargs.crypto_recv_rcd_cb_arg = s;
qtlsargs.crypto_release_rcd_cb = crypto_release_rcd_cb;
qtlsargs.crypto_release_rcd_cb_arg = s;
qtlsargs.yield_secret_cb = yield_secret_cb;
qtlsargs.yield_secret_cb_arg = s;
qtlsargs.got_transport_params_cb = got_transport_params_cb;
qtlsargs.got_transport_params_cb_arg = s;
qtlsargs.handshake_complete_cb = NULL;
qtlsargs.handshake_complete_cb_arg = NULL;
qtlsargs.alert_cb = alert_cb;
qtlsargs.alert_cb_arg = s;
qtlsargs.is_server = sc->server;
qtlsargs.ossl_quic = 0;
sc->qtls = ossl_quic_tls_new(&qtlsargs);
if (sc->qtls == NULL)
return 0;
if (!ossl_quic_tls_configure(sc->qtls))
return 0;
return 1;
}
int SSL_set_quic_tls_transport_params(SSL *s,
const unsigned char *params,
size_t params_len)
{
SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
if (sc->qtls == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
return ossl_quic_tls_set_transport_params(sc->qtls, params, params_len);
}

1
ssl/s3_lib.c
View file

@ -3441,6 +3441,7 @@ void ssl3_free(SSL *s)
ssl3_free_digest_list(sc);
OPENSSL_free(sc->s3.alpn_selected);
OPENSSL_free(sc->s3.alpn_proposed);
ossl_quic_tls_free(sc->qtls);
#ifndef OPENSSL_NO_PSK
OPENSSL_free(sc->s3.tmp.psk);

498
ssl/ssl_err.c
View file

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -16,22 +16,22 @@
static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
"application data after close notify"},
"application data after close notify"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
"app data in handshake"},
"app data in handshake"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),
"attempt to reuse session in different context"},
"attempt to reuse session in different context"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE),
"at least (D)TLS 1.2 needed in Suite B mode"},
"at least (D)TLS 1.2 needed in Suite B mode"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CERTIFICATE), "bad certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHANGE_CIPHER_SPEC),
"bad change cipher spec"},
"bad change cipher spec"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CIPHER), "bad cipher"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_COMPRESSION_ALGORITHM),
"bad compression algorithm"},
"bad compression algorithm"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA), "bad data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),
"bad data returned by callback"},
"bad data returned by callback"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "bad decompression"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_VALUE), "bad dh value"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DIGEST_LENGTH), "bad digest length"},
@ -40,9 +40,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECPOINT), "bad ecpoint"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_EXTENSION), "bad extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_LENGTH),
"bad handshake length"},
"bad handshake length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_STATE),
"bad handshake state"},
"bad handshake state"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "bad hello request"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HRR_VERSION), "bad hrr version"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_SHARE), "bad key share"},
@ -52,7 +52,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET), "bad packet"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET_LENGTH), "bad packet length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PROTOCOL_VERSION_NUMBER),
"bad protocol version number"},
"bad protocol version number"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PSK), "bad psk"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PSK_IDENTITY), "bad psk identity"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RECORD_TYPE), "bad record type"},
@ -62,560 +62,562 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_PARAMETERS), "bad srp parameters"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_MKI_VALUE), "bad srtp mki value"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST),
"bad srtp protection profile list"},
"bad srtp protection profile list"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SSL_FILETYPE), "bad ssl filetype"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_VALUE), "bad value"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_WRITE_RETRY), "bad write retry"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BINDER_DOES_NOT_VERIFY),
"binder does not verify"},
"binder does not verify"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BIO_NOT_SET), "bio not set"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),
"block cipher pad is wrong"},
"block cipher pad is wrong"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BN_LIB), "bn lib"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CALLBACK_FAILED), "callback failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_CHANGE_CIPHER),
"cannot change cipher"},
"cannot change cipher"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_GET_GROUP_NAME),
"cannot get group name"},
"cannot get group name"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH),
"ca dn length mismatch"},
"ca dn length mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_KEY_TOO_SMALL), "ca key too small"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_MD_TOO_WEAK), "ca md too weak"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CCS_RECEIVED_EARLY), "ccs received early"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERTIFICATE_VERIFY_FAILED),
"certificate verify failed"},
"certificate verify failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_CB_ERROR), "cert cb error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_LENGTH_MISMATCH),
"cert length mismatch"},
"cert length mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED),
"ciphersuite digest has changed"},
"ciphersuite digest has changed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH),
"cipher code wrong length"},
"cipher code wrong length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_TLSEXT), "clienthello tlsext"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSED_LENGTH_TOO_LONG),
"compressed length too long"},
"compressed length too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_DISABLED),
"compression disabled"},
"compression disabled"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_FAILURE),
"compression failure"},
"compression failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),
"compression id not within private range"},
"compression id not within private range"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_LIBRARY_ERROR),
"compression library error"},
"compression library error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_TYPE_NOT_SET),
"connection type not set"},
"connection type not set"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONN_USE_ONLY), "conn use only"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONTEXT_NOT_DANE_ENABLED),
"context not dane enabled"},
"context not dane enabled"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COOKIE_GEN_CALLBACK_FAILURE),
"cookie gen callback failure"},
"cookie gen callback failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COOKIE_MISMATCH), "cookie mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COPY_PARAMETERS_FAILED),
"copy parameters failed"},
"copy parameters failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED),
"custom ext handler already installed"},
"custom ext handler already installed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_ALREADY_ENABLED),
"dane already enabled"},
"dane already enabled"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL),
"dane cannot override mtype full"},
"dane cannot override mtype full"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_NOT_ENABLED), "dane not enabled"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_CERTIFICATE),
"dane tlsa bad certificate"},
"dane tlsa bad certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE),
"dane tlsa bad certificate usage"},
"dane tlsa bad certificate usage"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_DATA_LENGTH),
"dane tlsa bad data length"},
"dane tlsa bad data length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH),
"dane tlsa bad digest length"},
"dane tlsa bad digest length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE),
"dane tlsa bad matching type"},
"dane tlsa bad matching type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY),
"dane tlsa bad public key"},
"dane tlsa bad public key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_SELECTOR),
"dane tlsa bad selector"},
"dane tlsa bad selector"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_NULL_DATA),
"dane tlsa null data"},
"dane tlsa null data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),
"data between ccs and finished"},
"data between ccs and finished"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_LENGTH_TOO_LONG),
"data length too long"},
"data length too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED), "decryption failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),
"decryption failed or bad record mac"},
"decryption failed or bad record mac"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DH_KEY_TOO_SMALL), "dh key too small"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),
"dh public value length is wrong"},
"dh public value length is wrong"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DIGEST_CHECK_FAILED),
"digest check failed"},
"digest check failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DTLS_MESSAGE_TOO_BIG),
"dtls message too big"},
"dtls message too big"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DUPLICATE_COMPRESSION_ID),
"duplicate compression id"},
"duplicate compression id"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_NOT_FOR_SIGNING),
"ecc cert not for signing"},
"ecc cert not for signing"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE),
"ecdh required for suiteb mode"},
"ecdh required for suiteb mode"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EE_KEY_TOO_SMALL), "ee key too small"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EMPTY_RAW_PUBLIC_KEY),
"empty raw public key"},
"empty raw public key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),
"empty srtp protection profile list"},
"empty srtp protection profile list"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ENCRYPTED_LENGTH_TOO_LONG),
"encrypted length too long"},
"encrypted length too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
"error in received cipher list"},
"error in received cipher list"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG),
"error in system default config"},
"error in system default config"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN),
"error setting tlsa base domain"},
"error setting tlsa base domain"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE),
"exceeds max fragment size"},
"exceeds max fragment size"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCESSIVE_MESSAGE_SIZE),
"excessive message size"},
"excessive message size"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXTENSION_NOT_RECEIVED),
"extension not received"},
"extension not received"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXTRA_DATA_IN_MESSAGE),
"extra data in message"},
"extra data in message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXT_LENGTH_MISMATCH),
"ext length mismatch"},
"ext length mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FAILED_TO_GET_PARAMETER),
"failed to get parameter"},
"failed to get parameter"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FAILED_TO_INIT_ASYNC),
"failed to init async"},
"failed to init async"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FEATURE_NEGOTIATION_NOT_COMPLETE),
"feature negotiation not complete"},
"feature negotiation not complete"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FEATURE_NOT_RENEGOTIABLE),
"feature not renegotiable"},
"feature not renegotiable"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FRAGMENTED_CLIENT_HELLO),
"fragmented client hello"},
"fragmented client hello"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_A_FIN_BEFORE_A_CCS),
"got a fin before a ccs"},
"got a fin before a ccs"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTPS_PROXY_REQUEST),
"https proxy request"},
"https proxy request"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTP_REQUEST), "http request"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_POINT_COMPRESSION),
"illegal point compression"},
"illegal point compression"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_SUITEB_DIGEST),
"illegal Suite B digest"},
"illegal Suite B digest"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INAPPROPRIATE_FALLBACK),
"inappropriate fallback"},
"inappropriate fallback"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_COMPRESSION),
"inconsistent compression"},
"inconsistent compression"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EARLY_DATA_ALPN),
"inconsistent early data alpn"},
"inconsistent early data alpn"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EARLY_DATA_SNI),
"inconsistent early data sni"},
"inconsistent early data sni"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EXTMS), "inconsistent extms"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INSUFFICIENT_SECURITY),
"insufficient security"},
"insufficient security"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_ALERT), "invalid alert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CCS_MESSAGE),
"invalid ccs message"},
"invalid ccs message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CERTIFICATE_OR_ALG),
"invalid certificate or alg"},
"invalid certificate or alg"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMMAND), "invalid command"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMPRESSION_ALGORITHM),
"invalid compression algorithm"},
"invalid compression algorithm"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONFIG), "invalid config"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONFIGURATION_NAME),
"invalid configuration name"},
"invalid configuration name"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONTEXT), "invalid context"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CT_VALIDATION_TYPE),
"invalid ct validation type"},
"invalid ct validation type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_KEY_UPDATE_TYPE),
"invalid key update type"},
"invalid key update type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_MAX_EARLY_DATA),
"invalid max early data"},
"invalid max early data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_NULL_CMD_NAME),
"invalid null cmd name"},
"invalid null cmd name"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_RAW_PUBLIC_KEY),
"invalid raw public key"},
"invalid raw public key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_RECORD), "invalid record"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SEQUENCE_NUMBER),
"invalid sequence number"},
"invalid sequence number"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SERVERINFO_DATA),
"invalid serverinfo data"},
"invalid serverinfo data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SESSION_ID), "invalid session id"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SRP_USERNAME),
"invalid srp username"},
"invalid srp username"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_STATUS_RESPONSE),
"invalid status response"},
"invalid status response"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TICKET_KEYS_LENGTH),
"invalid ticket keys length"},
"invalid ticket keys length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED),
"legacy sigalg disallowed or unsupported"},
"legacy sigalg disallowed or unsupported"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_MISMATCH), "length mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_LONG), "length too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_SHORT), "length too short"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_BUG), "library bug"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_HAS_NO_CIPHERS),
"library has no ciphers"},
"library has no ciphers"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MAXIMUM_ENCRYPTED_PKTS_REACHED),
"maximum encrypted pkts reached"},
"maximum encrypted pkts reached"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DSA_SIGNING_CERT),
"missing dsa signing cert"},
"missing dsa signing cert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_ECDSA_SIGNING_CERT),
"missing ecdsa signing cert"},
"missing ecdsa signing cert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_FATAL), "missing fatal"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PARAMETERS), "missing parameters"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION),
"missing psk kex modes extension"},
"missing psk kex modes extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_QUIC_TLS_FUNCTIONS),
"missing quic tls functions"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_CERTIFICATE),
"missing rsa certificate"},
"missing rsa certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_ENCRYPTING_CERT),
"missing rsa encrypting cert"},
"missing rsa encrypting cert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_SIGNING_CERT),
"missing rsa signing cert"},
"missing rsa signing cert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SIGALGS_EXTENSION),
"missing sigalgs extension"},
"missing sigalgs extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SIGNING_CERT),
"missing signing cert"},
"missing signing cert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SRP_PARAM),
"can't find SRP server param"},
"can't find SRP server param"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION),
"missing supported groups extension"},
"missing supported groups extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SUPPORTED_VERSIONS_EXTENSION),
"missing supported versions extension"},
"missing supported versions extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
"missing tmp ecdh key"},
"missing tmp ecdh key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
"mixed handshake and non handshake data"},
"mixed handshake and non handshake data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
"not on record boundary"},
"not on record boundary"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
"not replacing certificate"},
"not replacing certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_SERVER), "not server"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_APPLICATION_PROTOCOL),
"no application protocol"},
"no application protocol"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATES_RETURNED),
"no certificates returned"},
"no certificates returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_ASSIGNED),
"no certificate assigned"},
"no certificate assigned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_SET), "no certificate set"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CHANGE_FOLLOWING_HRR),
"no change following hrr"},
"no change following hrr"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_AVAILABLE),
"no ciphers available"},
"no ciphers available"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_SPECIFIED),
"no ciphers specified"},
"no ciphers specified"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHER_MATCH), "no cipher match"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CLIENT_CERT_METHOD),
"no client cert method"},
"no client cert method"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COMPRESSION_SPECIFIED),
"no compression specified"},
"no compression specified"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COOKIE_CALLBACK_SET),
"no cookie callback set"},
"no cookie callback set"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
"Peer haven't sent GOST certificate, required for selected ciphersuite"},
"Peer haven't sent GOST certificate, required for selected ciphersuite"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_METHOD_SPECIFIED),
"no method specified"},
"no method specified"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PEM_EXTENSIONS), "no pem extensions"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PRIVATE_KEY_ASSIGNED),
"no private key assigned"},
"no private key assigned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PROTOCOLS_AVAILABLE),
"no protocols available"},
"no protocols available"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_RENEGOTIATION), "no renegotiation"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_REQUIRED_DIGEST), "no required digest"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_CIPHER), "no shared cipher"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_GROUPS), "no shared groups"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS),
"no shared signature algorithms"},
"no shared signature algorithms"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SRTP_PROFILES), "no srtp profiles"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_STREAM), "no stream"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_DIGEST_ALGORITHM),
"no suitable digest algorithm"},
"no suitable digest algorithm"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_GROUPS), "no suitable groups"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_KEY_SHARE),
"no suitable key share"},
"no suitable key share"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_RECORD_LAYER),
"no suitable record layer"},
"no suitable record layer"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM),
"no suitable signature algorithm"},
"no suitable signature algorithm"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_VALID_SCTS), "no valid scts"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_VERIFY_COOKIE_CALLBACK),
"no verify cookie callback"},
"no verify cookie callback"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_CTX), "null ssl ctx"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_METHOD_PASSED),
"null ssl method passed"},
"null ssl method passed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OCSP_CALLBACK_FAILURE),
"ocsp callback failure"},
"ocsp callback failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),
"old session cipher not returned"},
"old session cipher not returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),
"old session compression algorithm not returned"},
"old session compression algorithm not returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OVERFLOW_ERROR), "overflow error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PACKET_LENGTH_TOO_LONG),
"packet length too long"},
"packet length too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PARSE_TLSEXT), "parse tlsext"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PATH_TOO_LONG), "path too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),
"peer did not return a certificate"},
"peer did not return a certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_BAD_PREFIX),
"pem name bad prefix"},
"pem name bad prefix"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_TOO_SHORT), "pem name too short"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PIPELINE_FAILURE), "pipeline failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_POLL_REQUEST_NOT_SUPPORTED),
"poll request not supported"},
"poll request not supported"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR),
"post handshake auth encoding err"},
"post handshake auth encoding err"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PRIVATE_KEY_MISMATCH),
"private key mismatch"},
"private key mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PROTOCOL_IS_SHUTDOWN),
"protocol is shutdown"},
"protocol is shutdown"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_IDENTITY_NOT_FOUND),
"psk identity not found"},
"psk identity not found"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_CLIENT_CB), "psk no client cb"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_SERVER_CB), "psk no server cb"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR),
"quic handshake layer error"},
"quic handshake layer error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_QUIC_NETWORK_ERROR), "quic network error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_QUIC_PROTOCOL_ERROR),
"quic protocol error"},
"quic protocol error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_BIO_NOT_SET), "read bio not set"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_TIMEOUT_EXPIRED),
"read timeout expired"},
"read timeout expired"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORDS_NOT_RELEASED),
"records not released"},
"records not released"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_LAYER_FAILURE),
"record layer failure"},
"record layer failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_LENGTH_MISMATCH),
"record length mismatch"},
"record length mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_TOO_SMALL), "record too small"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REMOTE_PEER_ADDRESS_NOT_SET),
"remote peer address not set"},
"remote peer address not set"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATE_EXT_TOO_LONG),
"renegotiate ext too long"},
"renegotiate ext too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_ENCODING_ERR),
"renegotiation encoding err"},
"renegotiation encoding err"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_MISMATCH),
"renegotiation mismatch"},
"renegotiation mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUEST_PENDING), "request pending"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUEST_SENT), "request sent"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_CIPHER_MISSING),
"required cipher missing"},
"required cipher missing"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING),
"required compression algorithm missing"},
"required compression algorithm missing"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),
"scsv received when renegotiating"},
"scsv received when renegotiating"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCT_VERIFICATION_FAILED),
"sct verification failed"},
"sct verification failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SEQUENCE_CTR_WRAPPED),
"sequence ctr wrapped"},
"sequence ctr wrapped"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SERVERHELLO_TLSEXT), "serverhello tlsext"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),
"session id context uninitialized"},
"session id context uninitialized"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHUTDOWN_WHILE_IN_INIT),
"shutdown while in init"},
"shutdown while in init"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_ALGORITHMS_ERROR),
"signature algorithms error"},
"signature algorithms error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),
"signature for non signing certificate"},
"signature for non signing certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRP_A_CALC), "error with the srp params"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES),
"srtp could not allocate profiles"},
"srtp could not allocate profiles"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG),
"srtp protection profile list too long"},
"srtp protection profile list too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE),
"srtp unknown protection profile"},
"srtp unknown protection profile"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH),
"ssl3 ext invalid max fragment length"},
"ssl3 ext invalid max fragment length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME),
"ssl3 ext invalid servername"},
"ssl3 ext invalid servername"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),
"ssl3 ext invalid servername type"},
"ssl3 ext invalid servername type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_SESSION_ID_TOO_LONG),
"ssl3 session id too long"},
"ssl3 session id too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),
"ssl/tls alert bad certificate"},
"ssl/tls alert bad certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),
"ssl/tls alert bad record mac"},
"ssl/tls alert bad record mac"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),
"ssl/tls alert certificate expired"},
"ssl/tls alert certificate expired"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),
"ssl/tls alert certificate revoked"},
"ssl/tls alert certificate revoked"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),
"ssl/tls alert certificate unknown"},
"ssl/tls alert certificate unknown"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),
"ssl/tls alert decompression failure"},
"ssl/tls alert decompression failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),
"ssl/tls alert handshake failure"},
"ssl/tls alert handshake failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),
"ssl/tls alert illegal parameter"},
"ssl/tls alert illegal parameter"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_NO_CERTIFICATE),
"ssl/tls alert no certificate"},
"ssl/tls alert no certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),
"ssl/tls alert unexpected message"},
"ssl/tls alert unexpected message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),
"ssl/tls alert unsupported certificate"},
"ssl/tls alert unsupported certificate"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_COMMAND_SECTION_EMPTY),
"ssl command section empty"},
"ssl command section empty"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_COMMAND_SECTION_NOT_FOUND),
"ssl command section not found"},
"ssl command section not found"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),
"ssl ctx has no default ssl version"},
"ssl ctx has no default ssl version"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_HANDSHAKE_FAILURE),
"ssl handshake failure"},
"ssl handshake failure"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),
"ssl library has no ciphers"},
"ssl library has no ciphers"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_NEGATIVE_LENGTH),
"ssl negative length"},
"ssl negative length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SECTION_EMPTY), "ssl section empty"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SECTION_NOT_FOUND),
"ssl section not found"},
"ssl section not found"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),
"ssl session id callback failed"},
"ssl session id callback failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONFLICT),
"ssl session id conflict"},
"ssl session id conflict"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),
"ssl session id context too long"},
"ssl session id context too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),
"ssl session id has bad length"},
"ssl session id has bad length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_TOO_LONG),
"ssl session id too long"},
"ssl session id too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_VERSION_MISMATCH),
"ssl session version mismatch"},
"ssl session version mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STILL_IN_INIT), "still in init"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_COUNT_LIMITED),
"stream count limited"},
"stream count limited"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_FINISHED), "stream finished"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_RECV_ONLY), "stream recv only"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_RESET), "stream reset"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_SEND_ONLY), "stream send only"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED),
"tlsv13 alert certificate required"},
"tlsv13 alert certificate required"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_MISSING_EXTENSION),
"tlsv13 alert missing extension"},
"tlsv13 alert missing extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED),
"tlsv1 alert access denied"},
"tlsv1 alert access denied"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR),
"tlsv1 alert decode error"},
"tlsv1 alert decode error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),
"tlsv1 alert decryption failed"},
"tlsv1 alert decryption failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
"tlsv1 alert decrypt error"},
"tlsv1 alert decrypt error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
"tlsv1 alert export restriction"},
"tlsv1 alert export restriction"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
"tlsv1 alert inappropriate fallback"},
"tlsv1 alert inappropriate fallback"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),
"tlsv1 alert insufficient security"},
"tlsv1 alert insufficient security"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INTERNAL_ERROR),
"tlsv1 alert internal error"},
"tlsv1 alert internal error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL),
"tlsv1 alert no application protocol"},
"tlsv1 alert no application protocol"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),
"tlsv1 alert no renegotiation"},
"tlsv1 alert no renegotiation"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),
"tlsv1 alert protocol version"},
"tlsv1 alert protocol version"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),
"tlsv1 alert record overflow"},
"tlsv1 alert record overflow"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_UNKNOWN_CA),
"tlsv1 alert unknown ca"},
"tlsv1 alert unknown ca"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY),
"tlsv1 alert unknown psk identity"},
"tlsv1 alert unknown psk identity"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_USER_CANCELLED),
"tlsv1 alert user cancelled"},
"tlsv1 alert user cancelled"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE),
"tlsv1 bad certificate hash value"},
"tlsv1 bad certificate hash value"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE),
"tlsv1 bad certificate status response"},
"tlsv1 bad certificate status response"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),
"tlsv1 certificate unobtainable"},
"tlsv1 certificate unobtainable"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNRECOGNIZED_NAME),
"tlsv1 unrecognized name"},
"tlsv1 unrecognized name"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION),
"tlsv1 unsupported extension"},
"tlsv1 unsupported extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),
"tls illegal exporter label"},
"tls illegal exporter label"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
"tls invalid ecpointformat list"},
"tls invalid ecpointformat list"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MANY_KEY_UPDATES),
"too many key updates"},
"too many key updates"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MANY_WARN_ALERTS),
"too many warn alerts"},
"too many warn alerts"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MUCH_EARLY_DATA),
"too much early data"},
"too much early data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),
"unable to find ecdh parameters"},
"unable to find ecdh parameters"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),
"unable to find public key parameters"},
"unable to find public key parameters"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),
"unable to load ssl3 md5 routines"},
"unable to load ssl3 md5 routines"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
"unable to load ssl3 sha1 routines"},
"unable to load ssl3 sha1 routines"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_CCS_MESSAGE),
"unexpected ccs message"},
"unexpected ccs message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
"unexpected end of early data"},
"unexpected end of early data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
"unexpected eof while reading"},
"unexpected eof while reading"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CERTIFICATE_TYPE),
"unknown certificate type"},
"unknown certificate type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_RETURNED),
"unknown cipher returned"},
"unknown cipher returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_TYPE),
"unknown cipher type"},
"unknown cipher type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_COMMAND), "unknown command"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_DIGEST), "unknown digest"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),
"unknown key exchange type"},
"unknown key exchange type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_MANDATORY_PARAMETER),
"unknown mandatory parameter"},
"unknown mandatory parameter"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_SSL_VERSION),
"unknown ssl version"},
"unknown ssl version"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_STATE), "unknown state"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),
"unsafe legacy renegotiation disabled"},
"unsafe legacy renegotiation disabled"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSOLICITED_EXTENSION),
"unsolicited extension"},
"unsolicited extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),
"unsupported compression algorithm"},
"unsupported compression algorithm"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_CONFIG_VALUE),
"unsupported config value"},
"unsupported config value"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_CONFIG_VALUE_CLASS),
"unsupported config value class"},
"unsupported config value class"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_CONFIG_VALUE_OP),
"unsupported config value op"},
"unsupported config value op"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),
"unsupported elliptic curve"},
"unsupported elliptic curve"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_PROTOCOL),
"unsupported protocol"},
"unsupported protocol"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_SSL_VERSION),
"unsupported ssl version"},
"unsupported ssl version"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_STATUS_TYPE),
"unsupported status type"},
"unsupported status type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_WRITE_FLAG),
"unsupported write flag"},
"unsupported write flag"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_USE_SRTP_NOT_NEGOTIATED),
"use srtp not negotiated"},
"use srtp not negotiated"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_VERSION_TOO_HIGH), "version too high"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_VERSION_TOO_LOW), "version too low"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CERTIFICATE_TYPE),
"wrong certificate type"},
"wrong certificate type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CIPHER_RETURNED),
"wrong cipher returned"},
"wrong cipher returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CURVE), "wrong curve"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_RPK_TYPE), "wrong rpk type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_LENGTH),
"wrong signature length"},
"wrong signature length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_SIZE),
"wrong signature size"},
"wrong signature size"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_TYPE),
"wrong signature type"},
"wrong signature type"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SSL_VERSION), "wrong ssl version"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_VERSION_NUMBER),
"wrong version number"},
"wrong version number"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_LIB), "x509 lib"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),
"x509 verification setup problems"},
"x509 verification setup problems"},
{0, NULL}
};

21
ssl/ssl_local.h
View file

@ -38,6 +38,7 @@
# include "internal/ssl.h"
# include "internal/cryptlib.h"
# include "record/record.h"
# include "internal/quic_predef.h"
# ifdef OPENSSL_BUILD_SHLIBSSL
# undef OPENSSL_EXTERN
@ -1197,6 +1198,21 @@ struct ssl_ctx_st {
# endif
};
typedef struct ossl_quic_tls_callbacks_st {
int (*crypto_send_cb)(SSL *s, const unsigned char *buf, size_t buf_len,
size_t *consumed, void *arg);
int (*crypto_recv_rcd_cb)(SSL *s, const unsigned char **buf,
size_t *bytes_read, void *arg);
int (*crypto_release_rcd_cb)(SSL *s, size_t bytes_read, void *arg);
int (*yield_secret_cb)(SSL *s, uint32_t prot_level, int direction,
const unsigned char *secret, size_t secret_len,
void *arg);
int (*got_transport_params_cb)(SSL *s, const unsigned char *params,
size_t params_len,
void *arg);
int (*alert_cb)(SSL *s, unsigned char alert_code, void *arg);
} OSSL_QUIC_TLS_CALLBACKS;
typedef struct cert_pkey_st CERT_PKEY;
#define SSL_TYPE_SSL_CONNECTION 0
@ -1280,6 +1296,11 @@ struct ssl_connection_st {
size_t ssl_pkey_num;
/* QUIC TLS fields */
OSSL_QUIC_TLS_CALLBACKS qtcb;
void *qtarg;
QUIC_TLS *qtls;
struct {
long flags;
unsigned char server_random[SSL3_RANDOM_SIZE];

2
ssl/sslerr.h
View file

@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy

2
util/libssl.num
View file

@ -587,3 +587,5 @@ SSL_CTX_flush_sessions_ex 587 3_4_0 EXIST::FUNCTION:
SSL_CTX_set_block_padding_ex 588 3_4_0 EXIST::FUNCTION:
SSL_set_block_padding_ex 589 3_4_0 EXIST::FUNCTION:
SSL_get1_builtin_sigalgs 590 3_4_0 EXIST::FUNCTION:
SSL_set_quic_tls_cbs ? 3_5_0 EXIST::FUNCTION:
SSL_set_quic_tls_transport_params ? 3_5_0 EXIST::FUNCTION: