X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=inc%2Fbearssl_ssl.h;h=2a4fadadd88831306b964e4e32fc406240a0ac62;hp=ad807ab9acbfe6e86104d6a69bbb008a2e4708fe;hb=d69276c18d55480e1bfa4b4c28b31062a706f6f0;hpb=ea95d8264c6aefe742a9c3f4f9d834b188566a29

diff --git a/inc/bearssl_ssl.h b/inc/bearssl_ssl.h
index ad807ab..2a4fada 100644
--- a/inc/bearssl_ssl.h
+++ b/inc/bearssl_ssl.h
@@ -833,6 +833,14 @@ typedef struct {
 
 	/*
 	 * Context RNG.
+	 *
+	 *   rng_init_done is initially 0. It is set to 1 when the
+	 *   basic structure of the RNG is set, and 2 when some
+	 *   entropy has been pushed in. The value 2 marks the RNG
+	 *   as "properly seeded".
+	 *
+	 *   rng_os_rand_done is initially 0. It is set to 1 when
+	 *   some seeding from the OS or hardware has been attempted.
 	 */
 	br_hmac_drbg_context rng;
 	int rng_init_done;
@@ -871,8 +879,8 @@ typedef struct {
 	/*
 	 * Secure renegotiation (RFC 5746): 'reneg' can be:
 	 *   0   first handshake (server support is not known)
-	 *   1   server does not support secure renegotiation
-	 *   2   server supports secure renegotiation
+	 *   1   peer does not support secure renegotiation
+	 *   2   peer supports secure renegotiation
 	 *
 	 * The saved_finished buffer contains the client and the
 	 * server "Finished" values from the last handshake, in
@@ -1270,7 +1278,7 @@ br_ssl_engine_get_hash(br_ssl_engine_context *ctx, int id)
 /**
  * \brief Set the PRF implementation (for TLS 1.0 and 1.1).
  *
- * This function sets (or removes, if `impl` is `NULL`) the implemenation
+ * This function sets (or removes, if `impl` is `NULL`) the implementation
  * for the PRF used in TLS 1.0 and 1.1.
  *
  * \param cc     SSL engine context.
@@ -1285,7 +1293,7 @@ br_ssl_engine_set_prf10(br_ssl_engine_context *cc, br_tls_prf_impl impl)
 /**
  * \brief Set the PRF implementation with SHA-256 (for TLS 1.2).
  *
- * This function sets (or removes, if `impl` is `NULL`) the implemenation
+ * This function sets (or removes, if `impl` is `NULL`) the implementation
  * for the SHA-256 variant of the PRF used in TLS 1.2.
  *
  * \param cc     SSL engine context.
@@ -1300,7 +1308,7 @@ br_ssl_engine_set_prf_sha256(br_ssl_engine_context *cc, br_tls_prf_impl impl)
 /**
  * \brief Set the PRF implementation with SHA-384 (for TLS 1.2).
  *
- * This function sets (or removes, if `impl` is `NULL`) the implemenation
+ * This function sets (or removes, if `impl` is `NULL`) the implementation
  * for the SHA-384 variant of the PRF used in TLS 1.2.
  *
  * \param cc     SSL engine context.
@@ -1908,7 +1916,7 @@ br_ssl_engine_last_error(const br_ssl_engine_context *cc)
  *      Informs the engine that 'len' bytes have been read from the buffer
  *      (extract operation) or written to the buffer (inject operation).
  *      The 'len' value MUST NOT be zero. The 'len' value MUST NOT exceed
- *      that which was obtained from a preceeding br_ssl_engine_xxx_buf()
+ *      that which was obtained from a preceding br_ssl_engine_xxx_buf()
  *      call.
  */
 
@@ -2063,8 +2071,9 @@ void br_ssl_engine_close(br_ssl_engine_context *cc);
  *
  * If the engine is failed or closed, or if the peer is known not to
  * support secure renegotiation (RFC 5746), or if renegotiations have
- * been disabled with the `BR_OPT_NO_RENEGOTIATION` flag, then this
- * function returns 0 and nothing else happens.
+ * been disabled with the `BR_OPT_NO_RENEGOTIATION` flag, or if there
+ * is buffered incoming application data, then this function returns 0
+ * and nothing else happens.
  *
  * Otherwise, this function returns 1, and a renegotiation attempt is
  * triggered (if a handshake is already ongoing at that point, then
@@ -2508,7 +2517,7 @@ struct br_ssl_client_context_ {
  *     then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
  *     or 2 to 6 for the SHA family).
  *
- *   - If ECDSA is suported with hash function of ID `x`, then bit `8+x`
+ *   - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
  *     is set.
  *
  *   - Newer algorithms are symbolic 16-bit identifiers that do not
@@ -3219,6 +3228,19 @@ typedef struct {
 void br_ssl_session_cache_lru_init(br_ssl_session_cache_lru *cc,
 	unsigned char *store, size_t store_len);
 
+/**
+ * \brief Forget an entry in an LRU session cache.
+ *
+ * The session cache context must have been initialised. The entry
+ * with the provided session ID (of exactly 32 bytes) is looked for
+ * in the cache; if located, it is disabled.
+ *
+ * \param cc   session cache context.
+ * \param id   session ID to forget.
+ */
+void br_ssl_session_cache_lru_forget(
+	br_ssl_session_cache_lru *cc, const unsigned char *id);
+
 /**
  * \brief Context structure for a SSL server.
  *
@@ -3542,7 +3564,7 @@ br_ssl_server_get_client_suites(const br_ssl_server_context *cc, size_t *num)
  *     then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
  *     or 2 to 6 for the SHA family).
  *
- *   - If ECDSA is suported with hash function of ID `x`, then bit `8+x`
+ *   - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
  *     is set.
  *
  *   - Newer algorithms are symbolic 16-bit identifiers that do not