GENERATE[html/man3/SSL_set_session.html]=man3/SSL_set_session.pod
DEPEND[man/man3/SSL_set_session.3]=man3/SSL_set_session.pod
GENERATE[man/man3/SSL_set_session.3]=man3/SSL_set_session.pod
+DEPEND[html/man3/SSL_set_session_secret_cb.html]=man3/SSL_set_session_secret_cb.pod
+GENERATE[html/man3/SSL_set_session_secret_cb.html]=man3/SSL_set_session_secret_cb.pod
+DEPEND[man/man3/SSL_set_session_secret_cb.3]=man3/SSL_set_session_secret_cb.pod
+GENERATE[man/man3/SSL_set_session_secret_cb.3]=man3/SSL_set_session_secret_cb.pod
DEPEND[html/man3/SSL_set_shutdown.html]=man3/SSL_set_shutdown.pod
GENERATE[html/man3/SSL_set_shutdown.html]=man3/SSL_set_shutdown.pod
DEPEND[man/man3/SSL_set_shutdown.3]=man3/SSL_set_shutdown.pod
html/man3/SSL_set_incoming_stream_policy.html \
html/man3/SSL_set_retry_verify.html \
html/man3/SSL_set_session.html \
+html/man3/SSL_set_session_secret_cb.html \
html/man3/SSL_set_shutdown.html \
html/man3/SSL_set_verify_result.html \
html/man3/SSL_shutdown.html \
man/man3/SSL_set_incoming_stream_policy.3 \
man/man3/SSL_set_retry_verify.3 \
man/man3/SSL_set_session.3 \
+man/man3/SSL_set_session_secret_cb.3 \
man/man3/SSL_set_shutdown.3 \
man/man3/SSL_set_verify_result.3 \
man/man3/SSL_shutdown.3 \
--- /dev/null
+=pod
+
+=head1 NAME
+
+SSL_set_session_secret_cb, tls_session_secret_cb_fn
+- set the session secret callback
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
+ STACK_OF(SSL_CIPHER) *peer_ciphers,
+ const SSL_CIPHER **cipher, void *arg);
+
+ int SSL_set_session_secret_cb(SSL *s,
+ tls_session_secret_cb_fn session_secret_cb,
+ void *arg);
+
+=head1 DESCRIPTION
+
+SSL_set_session_secret_cb() sets the session secret callback to be used
+(I<session_secret_cb>), and an optional argument (I<arg>) to be passed to that
+callback when it is called. This is only useful for an implementation of
+EAP-FAST (RFC4851). The presence of the callback also modifies the internal
+OpenSSL TLS state machine to match the modified TLS behaviour as described in
+RFC4851. Therefore this callback should not be used except when implementing
+EAP-FAST.
+
+The callback is expected to set the master secret to be used by filling in the
+data pointed to by I<*secret>. The size of the secret buffer is initially
+available in I<*secret_len> and may be updated by the callback (but must not be
+larger than the initial value).
+
+On the server side the set of ciphersuites offered by the peer is provided in
+the I<peer_ciphers> stack. Optionally the callback may select the preferred
+ciphersuite by setting it in I<*cipher>.
+
+On the client side the I<peer_ciphers> stack will always be NULL. The callback
+may specify the preferred cipher in I<*cipher> and this will be associated with
+the B<SSL_SESSION> - but it does not affect the ciphersuite selected by the
+server.
+
+The callback is also supplied with an additional argument in I<arg> which is the
+argument that was provided to the original SSL_set_session_secret_cb() call.
+
+=head1 RETURN VALUES
+
+SSL_set_session_secret_cb() returns 1 on success and 0 on failure.
+
+If the callback returns 1 then this indicates it has successfully set the
+secret. A return value of 0 indicates that the secret has not been set. On the
+client this will cause an immediate abort of the handshake.
+
+=head1 SEE ALSO
+
+L<ssl(7)>,
+L<SSL_get_session(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
projects / openssl.git / commitdiff