--- google_boringssl/include/openssl/ssl.h 2021-02-03 18:29:04.000000000 -0800
+++ boringssl/include/openssl/ssl.h 2021-02-03 20:24:49.000000000 -0800
@@ -138,6 +138,25 @@
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE. */
+/* ====================================================================
+ * Copyright 2020 Apple Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the “Software”),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom
+ * the Software is furnished to do so, subject to the following conditions:
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
 #ifndef OPENSSL_HEADER_SSL_H
 #define OPENSSL_HEADER_SSL_H
@@ -1102,6 +1121,16 @@
 SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, size_t num_certs,
 EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method);
+// SSL_CTX_set_nullchain_and_key sets the private key for a
+// TLS client or server. Reference to the given |EVP_PKEY|
+// object is added as needed. Exactly one of |privkey| or |privkey_method|
+// may be non-NULL. Returns one on success and zero on error.
+// Note the lack of a corresponding public-key certificate.
+// See SSL_CTX_set_server_raw_public_key_certificate.
+OPENSSL_EXPORT int SSL_CTX_set_nullchain_and_key(
+ SSL_CTX *ctx,
+ EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method);
+
 // SSL_set_chain_and_key sets the certificate chain and private key for a TLS
 // client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|
 // objects are added as needed. Exactly one of |privkey| or |privkey_method|
@@ -1110,6 +1139,16 @@
 SSL *ssl, CRYPTO_BUFFER *const *certs, size_t num_certs,
 EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method);
+// SSL_set_nullchain_and_key sets the private key for a TLS
+// client or server. Reference to the given |EVP_PKEY|
+// object is added as needed. Exactly one of |privkey| or |privkey_method|
+// may be non-NULL. Returns one on success and zero on error.
+// Note the lack of a corresponding public-key certificate.
+// See SSL_set_server_raw_public_key_certificate.
+OPENSSL_EXPORT int SSL_set_nullchain_and_key(
+ SSL *ssl, EVP_PKEY *privkey,
+ const SSL_PRIVATE_KEY_METHOD *privkey_method);
+
 // SSL_CTX_get0_chain returns the list of |CRYPTO_BUFFER|s that were set by
 // |SSL_CTX_set_chain_and_key|. Reference counts are not incremented by this
 // call. The return value may be |NULL| if no chain has been set.
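Review bot: The new comment on SSL_CTX_set_nullchain_and_key does not say how a private key with no certificate chain is presented to the peer or how the peer is expected to authenticate it, and `Reference to the given |EVP_PKEY|` should read `A reference to the given |EVP_PKEY|`. The cross-reference to SSL_CTX_set_server_raw_public_key_certificate suggests the key is advertised as a raw public key rather than inside an X.509 chain, so the comment should state that explicitly and spell out the consequence: with no chain, the peer can only authenticate this key through an out-of-band binding (e.g. a pinned key). I would add `// With no certificate chain the peer cannot validate this key through a chain of trust;` and `// it must be pinned or otherwise authenticated out of band. See SSL_CTX_set_server_raw_public_key_certificate.` before the prototype. The same comment and grammar fix apply to SSL_set_nullchain_and_key in the following hunk. Whether this setter may be combined with a previously set chain, and what happens if it is called before or after the raw-public-key setter, is also left undocumented.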
@@ -2821,6 +2860,21 @@
 OPENSSL_EXPORT int SSL_has_application_settings(const SSL *ssl);
+// Server Certificate Type.
+
+#define TLSEXT_CERTIFICATETYPE_X509 0
+#define TLSEXT_CERTIFICATETYPE_RAW_PUBLIC_KEY 2
+
+OPENSSL_EXPORT int SSL_CTX_set_server_raw_public_key_certificate(
+ SSL_CTX *ctx, const uint8_t *raw_public_key, unsigned raw_public_key_len);
+
+OPENSSL_EXPORT int SSL_CTX_has_server_raw_public_key_certificate(SSL_CTX *ctx);
+
+OPENSSL_EXPORT int SSL_set_server_raw_public_key_certificate(
+ SSL *ssl, const uint8_t *raw_public_key, unsigned raw_public_key_len);
+
+OPENSSL_EXPORT int SSL_has_server_raw_public_key_certificate(SSL *ssl);
+ // Certificate compression. + // + // Certificates in TLS 1.3 can be compressed (RFC 8879). BoringSSL supports this
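Review bot: Unlike every other declaration visible in this and the earlier hunks, the four new functions carry no documentation comment, `raw_public_key_len` is `unsigned` where the neighbouring API uses `size_t` for byte counts (`size_t num_certs` in SSL_CTX_set_chain_and_key), and the two query functions take a mutable `SSL_CTX *`/`SSL *` although `SSL_has_application_settings(const SSL *ssl)` directly above takes `const`. I would change the queries to `OPENSSL_EXPORT int SSL_CTX_has_server_raw_public_key_certificate(const SSL_CTX *ctx);` and `OPENSSL_EXPORT int SSL_has_server_raw_public_key_certificate(const SSL *ssl);` and the two length parameters to `size_t raw_public_key_len`. Each setter needs a comment stating what |raw_public_key| must contain (presumably a DER-encoded SubjectPublicKeyInfo, which is what RFC 7250 sends for the RawPublicKey certificate type — confirm against the implementation), whether the bytes are copied or must outlive the object, the one-on-success/zero-on-error convention, and that a client accepting this certificate type has no chain to validate and must pin or otherwise authenticate the key. The two `#define`s should say they are the TLS Certificate Type registry values from RFC 7250 and that the gap at 1 (OpenPGP) is intentional, since bare `0` and `2` give a reader nothing to check against.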