+#define sk_socket_error(s) (((*s)->socket_error) (s))
+
+/*
+ * Set the `frozen' flag on a socket. A frozen socket is one in
+ * which all READABLE notifications are ignored, so that data is
+ * not accepted from the peer until the socket is unfrozen. This
+ * exists for two purposes:
+ *
+ * - Port forwarding: when a local listening port receives a
+ * connection, we do not want to receive data from the new
+ * socket until we have somewhere to send it. Hence, we freeze
+ * the socket until its associated SSH channel is ready; then we
+ * unfreeze it and pending data is delivered.
+ *
+ * - Socket buffering: if an SSH channel (or the whole connection)
+ * backs up or presents a zero window, we must freeze the
+ * associated local socket in order to avoid unbounded buffer
+ * growth.
+ */
+#define sk_set_frozen(s, is_frozen) (((*s)->set_frozen) (s, is_frozen))
+
+/*
+ * Call this after an operation that might have tried to send on a
+ * socket, to clean up any pending network errors.
+ */
+void net_pending_errors(void);
+
+/*
+ * Simple wrapper on getservbyname(), needed by ssh.c. Returns the
+ * port number, in host byte order (suitable for printf and so on).
+ * Returns 0 on failure. Any platform not supporting getservbyname
+ * can just return 0 - this function is not required to handle
+ * numeric port specifications.
+ */
+int net_service_lookup(char *service);
+
+/********** SSL stuff **********/
+
+/*
+ * This section is subject to change, but you get the general idea
+ * of what it will eventually look like.
+ */
+
+typedef struct certificate *Certificate;
+typedef struct our_certificate *Our_Certificate;
+ /* to be defined somewhere else, somehow */
+
+typedef struct ssl_client_socket_function_table **SSL_Client_Socket;
+typedef struct ssl_client_plug_function_table **SSL_Client_Plug;
+
+struct ssl_client_socket_function_table {
+ struct socket_function_table base;
+ void (*renegotiate) (SSL_Client_Socket s);
+ /* renegotiate the cipher spec */
+};
+
+struct ssl_client_plug_function_table {
+ struct plug_function_table base;
+ int (*refuse_cert) (SSL_Client_Plug p, Certificate cert[]);
+ /* do we accept this certificate chain? If not, why not? */
+ /* cert[0] is the server's certificate, cert[] is NULL-terminated */
+ /* the last certificate may or may not be the root certificate */
+ Our_Certificate(*client_cert) (SSL_Client_Plug p);
+ /* the server wants us to identify ourselves */
+ /* may return NULL if we want anonymity */
+};
+
+SSL_Client_Socket sk_ssl_client_over(Socket s, /* pre-existing (tcp) connection */
+ SSL_Client_Plug p);
+
+#define sk_renegotiate(s) (((*s)->renegotiate) (s))