diff options
Diffstat (limited to 'polarssl/src/include/polarssl/ssl.h')
| -rw-r--r-- | polarssl/src/include/polarssl/ssl.h | 766 |
1 files changed, 0 insertions, 766 deletions
diff --git a/polarssl/src/include/polarssl/ssl.h b/polarssl/src/include/polarssl/ssl.h deleted file mode 100644 index 4ac6f86..0000000 --- a/polarssl/src/include/polarssl/ssl.h +++ /dev/null @@ -1,766 +0,0 @@ -/** - * \file ssl.h - * - * \brief SSL/TLS functions. - * - * Copyright (C) 2006-2012, Brainspark B.V. - * - * This file is part of PolarSSL (http://www.polarssl.org) - * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> - * - * All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ -#ifndef POLARSSL_SSL_H -#define POLARSSL_SSL_H - -#include <time.h> - -#include "net.h" -#include "dhm.h" -#include "rsa.h" -#include "md5.h" -#include "sha1.h" -#include "sha2.h" -#include "sha4.h" -#include "x509.h" -#include "config.h" - -#if defined(POLARSSL_PKCS11_C) -#include "pkcs11.h" -#endif - -#if defined(_MSC_VER) && !defined(inline) -#define inline _inline -#else -#if defined(__ARMCC_VERSION) && !defined(inline) -#define inline __inline -#endif /* __ARMCC_VERSION */ -#endif /*_MSC_VER */ - -/* - * SSL Error codes - */ -#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 /**< The requested feature is not available. */ -#define POLARSSL_ERR_SSL_BAD_INPUT_DATA -0x7100 /**< Bad input parameters to function. */ -#define POLARSSL_ERR_SSL_INVALID_MAC -0x7180 /**< Verification of the message MAC failed. */ -#define POLARSSL_ERR_SSL_INVALID_RECORD -0x7200 /**< An invalid SSL record was received. */ -#define POLARSSL_ERR_SSL_CONN_EOF -0x7280 /**< The connection indicated an EOF. */ -#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x7300 /**< An unknown cipher was received. */ -#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */ -#define POLARSSL_ERR_SSL_NO_SESSION_FOUND -0x7400 /**< No session to recover was found. */ -#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */ -#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message.*/ -#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */ -#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 /**< The own private key is not set, but needed. */ -#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */ -#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 /**< An unexpected message was received from our peer. */ -#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 /**< A fatal alert message was received from our peer. */ -#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED -0x7800 /**< Verification of our peer failed. */ -#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 /**< The peer notified us that the connection is going to be closed. */ -#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 /**< Processing of the ClientHello handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 /**< Processing of the ServerHello handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00 /**< Processing of the Certificate handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0x7A80 /**< Processing of the CertificateRequest handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0x7B00 /**< Processing of the ServerKeyExchange handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0x7B80 /**< Processing of the ServerHelloDone handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0x7C00 /**< Processing of the ClientKeyExchange handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP -0x7C80 /**< Processing of the ClientKeyExchange handshake message failed in DHM Read Public. */ -#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS -0x7D00 /**< Processing of the ClientKeyExchange handshake message failed in DHM Calculate Secret. */ -#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80 /**< Processing of the CertificateVerify handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00 /**< Processing of the ChangeCipherSpec handshake message failed. */ -#define POLARSSL_ERR_SSL_BAD_HS_FINISHED -0x7E80 /**< Processing of the Finished handshake message failed. */ -#define POLARSSL_ERR_SSL_MALLOC_FAILED -0x7F00 /**< Memory allocation failed */ - -/* - * Various constants - */ -#define SSL_MAJOR_VERSION_3 3 -#define SSL_MINOR_VERSION_0 0 /*!< SSL v3.0 */ -#define SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 */ -#define SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */ -#define SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */ - -#define SSL_IS_CLIENT 0 -#define SSL_IS_SERVER 1 -#define SSL_COMPRESS_NULL 0 - -#define SSL_VERIFY_NONE 0 -#define SSL_VERIFY_OPTIONAL 1 -#define SSL_VERIFY_REQUIRED 2 - -#define SSL_MAX_CONTENT_LEN 16384 - -/* - * Allow an extra 512 bytes for the record header - * and encryption overhead (counter + MAC + padding). - */ -#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + 512) - -/* - * Supported ciphersuites - */ -#define SSL_RSA_NULL_MD5 0x01 /**< Weak! */ -#define SSL_RSA_NULL_SHA 0x02 /**< Weak! */ -#define SSL_RSA_NULL_SHA256 0x3B /**< Weak! */ -#define SSL_RSA_DES_SHA 0x09 /**< Weak! Not in TLS 1.2 */ -#define SSL_EDH_RSA_DES_SHA 0x15 /**< Weak! Not in TLS 1.2 */ - -#define SSL_RSA_RC4_128_MD5 0x04 -#define SSL_RSA_RC4_128_SHA 0x05 - -#define SSL_RSA_DES_168_SHA 0x0A -#define SSL_EDH_RSA_DES_168_SHA 0x16 - -#define SSL_RSA_AES_128_SHA 0x2F -#define SSL_EDH_RSA_AES_128_SHA 0x33 -#define SSL_RSA_AES_256_SHA 0x35 -#define SSL_EDH_RSA_AES_256_SHA 0x39 -#define SSL_RSA_AES_128_SHA256 0x3C /**< TLS 1.2 */ -#define SSL_RSA_AES_256_SHA256 0x3D /**< TLS 1.2 */ -#define SSL_EDH_RSA_AES_128_SHA256 0x67 /**< TLS 1.2 */ -#define SSL_EDH_RSA_AES_256_SHA256 0x6B /**< TLS 1.2 */ - -#define SSL_RSA_CAMELLIA_128_SHA 0x41 -#define SSL_EDH_RSA_CAMELLIA_128_SHA 0x45 -#define SSL_RSA_CAMELLIA_256_SHA 0x84 -#define SSL_EDH_RSA_CAMELLIA_256_SHA 0x88 -#define SSL_RSA_CAMELLIA_128_SHA256 0xBA /**< TLS 1.2 */ -#define SSL_EDH_RSA_CAMELLIA_128_SHA256 0xBE /**< TLS 1.2 */ -#define SSL_RSA_CAMELLIA_256_SHA256 0xC0 /**< TLS 1.2 */ -#define SSL_EDH_RSA_CAMELLIA_256_SHA256 0xC4 /**< TLS 1.2 */ - -#define SSL_RSA_AES_128_GCM_SHA256 0x9C -#define SSL_RSA_AES_256_GCM_SHA384 0x9D -#define SSL_EDH_RSA_AES_128_GCM_SHA256 0x9E -#define SSL_EDH_RSA_AES_256_GCM_SHA384 0x9F - -/* - * Supported Signature and Hash algorithms (For TLS 1.2) - */ -#define SSL_HASH_NONE 0 -#define SSL_HASH_MD5 1 -#define SSL_HASH_SHA1 2 -#define SSL_HASH_SHA224 3 -#define SSL_HASH_SHA256 4 -#define SSL_HASH_SHA384 5 -#define SSL_HASH_SHA512 6 - -#define SSL_SIG_RSA 1 - -/* - * Message, alert and handshake types - */ -#define SSL_MSG_CHANGE_CIPHER_SPEC 20 -#define SSL_MSG_ALERT 21 -#define SSL_MSG_HANDSHAKE 22 -#define SSL_MSG_APPLICATION_DATA 23 - -#define SSL_ALERT_LEVEL_WARNING 1 -#define SSL_ALERT_LEVEL_FATAL 2 - -#define SSL_ALERT_MSG_CLOSE_NOTIFY 0 /* 0x00 */ -#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE 10 /* 0x0A */ -#define SSL_ALERT_MSG_BAD_RECORD_MAC 20 /* 0x14 */ -#define SSL_ALERT_MSG_DECRYPTION_FAILED 21 /* 0x15 */ -#define SSL_ALERT_MSG_RECORD_OVERFLOW 22 /* 0x16 */ -#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30 /* 0x1E */ -#define SSL_ALERT_MSG_HANDSHAKE_FAILURE 40 /* 0x28 */ -#define SSL_ALERT_MSG_NO_CERT 41 /* 0x29 */ -#define SSL_ALERT_MSG_BAD_CERT 42 /* 0x2A */ -#define SSL_ALERT_MSG_UNSUPPORTED_CERT 43 /* 0x2B */ -#define SSL_ALERT_MSG_CERT_REVOKED 44 /* 0x2C */ -#define SSL_ALERT_MSG_CERT_EXPIRED 45 /* 0x2D */ -#define SSL_ALERT_MSG_CERT_UNKNOWN 46 /* 0x2E */ -#define SSL_ALERT_MSG_ILLEGAL_PARAMETER 47 /* 0x2F */ -#define SSL_ALERT_MSG_UNKNOWN_CA 48 /* 0x30 */ -#define SSL_ALERT_MSG_ACCESS_DENIED 49 /* 0x31 */ -#define SSL_ALERT_MSG_DECODE_ERROR 50 /* 0x32 */ -#define SSL_ALERT_MSG_DECRYPT_ERROR 51 /* 0x33 */ -#define SSL_ALERT_MSG_EXPORT_RESTRICTION 60 /* 0x3C */ -#define SSL_ALERT_MSG_PROTOCOL_VERSION 70 /* 0x46 */ -#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71 /* 0x47 */ -#define SSL_ALERT_MSG_INTERNAL_ERROR 80 /* 0x50 */ -#define SSL_ALERT_MSG_USER_CANCELED 90 /* 0x5A */ -#define SSL_ALERT_MSG_NO_RENEGOTIATION 100 /* 0x64 */ -#define SSL_ALERT_MSG_UNSUPPORTED_EXT 110 /* 0x6E */ - -#define SSL_HS_HELLO_REQUEST 0 -#define SSL_HS_CLIENT_HELLO 1 -#define SSL_HS_SERVER_HELLO 2 -#define SSL_HS_CERTIFICATE 11 -#define SSL_HS_SERVER_KEY_EXCHANGE 12 -#define SSL_HS_CERTIFICATE_REQUEST 13 -#define SSL_HS_SERVER_HELLO_DONE 14 -#define SSL_HS_CERTIFICATE_VERIFY 15 -#define SSL_HS_CLIENT_KEY_EXCHANGE 16 -#define SSL_HS_FINISHED 20 - -/* - * TLS extensions - */ -#define TLS_EXT_SERVERNAME 0 -#define TLS_EXT_SERVERNAME_HOSTNAME 0 - -#define TLS_EXT_SIG_ALG 13 - -/* - * SSL state machine - */ -typedef enum -{ - SSL_HELLO_REQUEST, - SSL_CLIENT_HELLO, - SSL_SERVER_HELLO, - SSL_SERVER_CERTIFICATE, - SSL_SERVER_KEY_EXCHANGE, - SSL_CERTIFICATE_REQUEST, - SSL_SERVER_HELLO_DONE, - SSL_CLIENT_CERTIFICATE, - SSL_CLIENT_KEY_EXCHANGE, - SSL_CERTIFICATE_VERIFY, - SSL_CLIENT_CHANGE_CIPHER_SPEC, - SSL_CLIENT_FINISHED, - SSL_SERVER_CHANGE_CIPHER_SPEC, - SSL_SERVER_FINISHED, - SSL_FLUSH_BUFFERS, - SSL_HANDSHAKE_OVER -} -ssl_states; - -typedef struct _ssl_session ssl_session; -typedef struct _ssl_context ssl_context; - -/* - * This structure is used for session resuming. - */ -struct _ssl_session -{ - time_t start; /*!< starting time */ - int ciphersuite; /*!< chosen ciphersuite */ - size_t length; /*!< session id length */ - unsigned char id[32]; /*!< session identifier */ - unsigned char master[48]; /*!< the master secret */ - ssl_session *next; /*!< next session entry */ -}; - -struct _ssl_context -{ - /* - * Miscellaneous - */ - int state; /*!< SSL handshake: current state */ - - int major_ver; /*!< equal to SSL_MAJOR_VERSION_3 */ - int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */ - - int max_major_ver; /*!< max. major version from client */ - int max_minor_ver; /*!< max. minor version from client */ - - /* - * Callbacks (RNG, debug, I/O, verification) - */ - int (*f_rng)(void *, unsigned char *, size_t); - void (*f_dbg)(void *, int, const char *); - int (*f_recv)(void *, unsigned char *, size_t); - int (*f_send)(void *, const unsigned char *, size_t); - int (*f_vrfy)(void *, x509_cert *, int, int); - - void *p_rng; /*!< context for the RNG function */ - void *p_dbg; /*!< context for the debug function */ - void *p_recv; /*!< context for reading operations */ - void *p_send; /*!< context for writing operations */ - void *p_vrfy; /*!< context for verification */ - - /* - * Session layer - */ - int resume; /*!< session resuming flag */ - int timeout; /*!< sess. expiration time */ - ssl_session *session; /*!< current session data */ - int (*s_get)(ssl_context *); /*!< (server) get callback */ - int (*s_set)(ssl_context *); /*!< (server) set callback */ - - /* - * Record layer (incoming data) - */ - unsigned char *in_ctr; /*!< 64-bit incoming message counter */ - unsigned char *in_hdr; /*!< 5-byte record header (in_ctr+8) */ - unsigned char *in_msg; /*!< the message contents (in_hdr+5) */ - unsigned char *in_offt; /*!< read offset in application data */ - - int in_msgtype; /*!< record header: message type */ - size_t in_msglen; /*!< record header: message length */ - size_t in_left; /*!< amount of data read so far */ - - size_t in_hslen; /*!< current handshake message length */ - int nb_zero; /*!< # of 0-length encrypted messages */ - - /* - * Record layer (outgoing data) - */ - unsigned char *out_ctr; /*!< 64-bit outgoing message counter */ - unsigned char *out_hdr; /*!< 5-byte record header (out_ctr+8) */ - unsigned char *out_msg; /*!< the message contents (out_hdr+5) */ - - int out_msgtype; /*!< record header: message type */ - size_t out_msglen; /*!< record header: message length */ - size_t out_left; /*!< amount of data not yet written */ - - /* - * PKI layer - */ - rsa_context *rsa_key; /*!< own RSA private key */ -#if defined(POLARSSL_PKCS11_C) - pkcs11_context *pkcs11_key; /*!< own PKCS#11 RSA private key */ -#endif - x509_cert *own_cert; /*!< own X.509 certificate */ - x509_cert *ca_chain; /*!< own trusted CA chain */ - x509_crl *ca_crl; /*!< trusted CA CRLs */ - x509_cert *peer_cert; /*!< peer X.509 cert chain */ - const char *peer_cn; /*!< expected peer CN */ - - int endpoint; /*!< 0: client, 1: server */ - int authmode; /*!< verification mode */ - int client_auth; /*!< flag for client auth. */ - int verify_result; /*!< verification result */ - - /* - * Crypto layer - */ - dhm_context dhm_ctx; /*!< DHM key exchange */ - unsigned char ctx_checksum[500]; /*!< Checksum context(s) */ - - void (*update_checksum)(ssl_context *, unsigned char *, size_t); - void (*calc_verify)(ssl_context *, unsigned char *); - void (*calc_finished)(ssl_context *, unsigned char *, int); - int (*tls_prf)(unsigned char *, size_t, char *, - unsigned char *, size_t, - unsigned char *, size_t); - - int do_crypt; /*!< en(de)cryption flag */ - int *ciphersuites; /*!< allowed ciphersuites */ - size_t pmslen; /*!< premaster length */ - unsigned int keylen; /*!< symmetric key length */ - size_t minlen; /*!< min. ciphertext length */ - size_t ivlen; /*!< IV length */ - size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ - size_t maclen; /*!< MAC length */ - - unsigned char randbytes[64]; /*!< random bytes */ - unsigned char premaster[256]; /*!< premaster secret */ - - unsigned char iv_enc[16]; /*!< IV (encryption) */ - unsigned char iv_dec[16]; /*!< IV (decryption) */ - - unsigned char mac_enc[32]; /*!< MAC (encryption) */ - unsigned char mac_dec[32]; /*!< MAC (decryption) */ - - unsigned long ctx_enc[134]; /*!< encryption context */ - unsigned long ctx_dec[134]; /*!< decryption context */ - - /* - * TLS extensions - */ - unsigned char *hostname; - size_t hostname_len; -}; - -#ifdef __cplusplus -extern "C" { -#endif - -extern int ssl_default_ciphersuites[]; - -/** - * \brief Returns the list of ciphersuites supported by the SSL/TLS module. - * - * \return a statically allocated array of ciphersuites, the last - * entry is 0. - */ -static inline const int *ssl_list_ciphersuites( void ) -{ - return ssl_default_ciphersuites; -} - -/** - * \brief Return the name of the ciphersuite associated with the given - * ID - * - * \param ciphersuite_id SSL ciphersuite ID - * - * \return a string containing the ciphersuite name - */ -const char *ssl_get_ciphersuite_name( const int ciphersuite_id ); - -/** - * \brief Return the ID of the ciphersuite associated with the given - * name - * - * \param ciphersuite_name SSL ciphersuite name - * - * \return the ID with the ciphersuite or 0 if not found - */ -int ssl_get_ciphersuite_id( const char *ciphersuite_name ); - -/** - * \brief Initialize an SSL context - * - * \param ssl SSL context - * - * \return 0 if successful, or POLARSSL_ERR_SSL_MALLOC_FAILED if - * memory allocation failed - */ -int ssl_init( ssl_context *ssl ); - -/** - * \brief Reset an already initialized SSL context for re-use - * while retaining application-set variables, function - * pointers and data. - * - * \param ssl SSL context - */ -void ssl_session_reset( ssl_context *ssl ); - -/** - * \brief Set the current endpoint type - * - * \param ssl SSL context - * \param endpoint must be SSL_IS_CLIENT or SSL_IS_SERVER - */ -void ssl_set_endpoint( ssl_context *ssl, int endpoint ); - -/** - * \brief Set the certificate verification mode - * - * \param ssl SSL context - * \param authmode can be: - * - * SSL_VERIFY_NONE: peer certificate is not checked (default), - * this is insecure and SHOULD be avoided. - * - * SSL_VERIFY_OPTIONAL: peer certificate is checked, however the - * handshake continues even if verification failed; - * ssl_get_verify_result() can be called after the - * handshake is complete. - * - * SSL_VERIFY_REQUIRED: peer *must* present a valid certificate, - * handshake is aborted if verification failed. - */ -void ssl_set_authmode( ssl_context *ssl, int authmode ); - -/** - * \brief Set the verification callback (Optional). - * - * If set, the verification callback is called once for every - * certificate in the chain. The verification function has the - * following parameter: (void *parameter, x509_cert certificate, - * int certifcate_depth, int preverify_ok). It should - * return 0 on SUCCESS. - * - * \param ssl SSL context - * \param f_vrfy verification function - * \param p_vrfy verification parameter - */ -void ssl_set_verify( ssl_context *ssl, - int (*f_vrfy)(void *, x509_cert *, int, int), - void *p_vrfy ); - -/** - * \brief Set the random number generator callback - * - * \param ssl SSL context - * \param f_rng RNG function - * \param p_rng RNG parameter - */ -void ssl_set_rng( ssl_context *ssl, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ); - -/** - * \brief Set the debug callback - * - * \param ssl SSL context - * \param f_dbg debug function - * \param p_dbg debug parameter - */ -void ssl_set_dbg( ssl_context *ssl, - void (*f_dbg)(void *, int, const char *), - void *p_dbg ); - -/** - * \brief Set the underlying BIO read and write callbacks - * - * \param ssl SSL context - * \param f_recv read callback - * \param p_recv read parameter - * \param f_send write callback - * \param p_send write parameter - */ -void ssl_set_bio( ssl_context *ssl, - int (*f_recv)(void *, unsigned char *, size_t), void *p_recv, - int (*f_send)(void *, const unsigned char *, size_t), void *p_send ); - -/** - * \brief Set the session callbacks (server-side only) - * - * \param ssl SSL context - * \param s_get session get callback - * \param s_set session set callback - */ -void ssl_set_scb( ssl_context *ssl, - int (*s_get)(ssl_context *), - int (*s_set)(ssl_context *) ); - -/** - * \brief Set the session resuming flag, timeout and data - * - * \param ssl SSL context - * \param resume if 0 (default), the session will not be resumed - * \param timeout session timeout in seconds, or 0 (no timeout) - * \param session session context - */ -void ssl_set_session( ssl_context *ssl, int resume, int timeout, - ssl_session *session ); - -/** - * \brief Set the list of allowed ciphersuites - * - * \param ssl SSL context - * \param ciphersuites 0-terminated list of allowed ciphersuites - */ -void ssl_set_ciphersuites( ssl_context *ssl, int *ciphersuites ); - -/** - * \brief Set the data required to verify peer certificate - * - * \param ssl SSL context - * \param ca_chain trusted CA chain - * \param ca_crl trusted CA CRLs - * \param peer_cn expected peer CommonName (or NULL) - * - * \note TODO: add two more parameters: depth and crl - */ -void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain, - x509_crl *ca_crl, const char *peer_cn ); - -/** - * \brief Set own certificate and private key - * - * \param ssl SSL context - * \param own_cert own public certificate - * \param rsa_key own private RSA key - */ -void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert, - rsa_context *rsa_key ); - -#if defined(POLARSSL_PKCS11_C) -/** - * \brief Set own certificate and PKCS#11 private key - * - * \param ssl SSL context - * \param own_cert own public certificate - * \param pkcs11_key own PKCS#11 RSA key - */ -void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert, - pkcs11_context *pkcs11_key ); -#endif - -/** - * \brief Set the Diffie-Hellman public P and G values, - * read as hexadecimal strings (server-side only) - * - * \param ssl SSL context - * \param dhm_P Diffie-Hellman-Merkle modulus - * \param dhm_G Diffie-Hellman-Merkle generator - * - * \return 0 if successful - */ -int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G ); - -/** - * \brief Set the Diffie-Hellman public P and G values, - * read from existing context (server-side only) - * - * \param ssl SSL context - * \param dhm_ctx Diffie-Hellman-Merkle context - * - * \return 0 if successful - */ -int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx ); - -/** - * \brief Set hostname for ServerName TLS Extension - * - * - * \param ssl SSL context - * \param hostname the server hostname - * - * \return 0 if successful or POLARSSL_ERR_SSL_MALLOC_FAILED - */ -int ssl_set_hostname( ssl_context *ssl, const char *hostname ); - -/** - * \brief Set the maximum supported version sent from the client side - * - * \param ssl SSL context - * \param major Major version number (only SSL_MAJOR_VERSION_3 supported) - * \param minor Minor version number (SSL_MINOR_VERSION_0, - * SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, - * SSL_MINOR_VERSION_3 supported) - */ -void ssl_set_max_version( ssl_context *ssl, int major, int minor ); - -/** - * \brief Return the number of data bytes available to read - * - * \param ssl SSL context - * - * \return how many bytes are available in the read buffer - */ -size_t ssl_get_bytes_avail( const ssl_context *ssl ); - -/** - * \brief Return the result of the certificate verification - * - * \param ssl SSL context - * - * \return 0 if successful, or a combination of: - * BADCERT_EXPIRED - * BADCERT_REVOKED - * BADCERT_CN_MISMATCH - * BADCERT_NOT_TRUSTED - */ -int ssl_get_verify_result( const ssl_context *ssl ); - -/** - * \brief Return the name of the current ciphersuite - * - * \param ssl SSL context - * - * \return a string containing the ciphersuite name - */ -const char *ssl_get_ciphersuite( const ssl_context *ssl ); - -/** - * \brief Return the current SSL version (SSLv3/TLSv1/etc) - * - * \param ssl SSL context - * - * \return a string containing the SSL version - */ -const char *ssl_get_version( const ssl_context *ssl ); - -/** - * \brief Perform the SSL handshake - * - * \param ssl SSL context - * - * \return 0 if successful, POLARSSL_ERR_NET_WANT_READ, - * POLARSSL_ERR_NET_WANT_WRITE, or a specific SSL error code. - */ -int ssl_handshake( ssl_context *ssl ); - -/** - * \brief Read at most 'len' application data bytes - * - * \param ssl SSL context - * \param buf buffer that will hold the data - * \param len how many bytes must be read - * - * \return This function returns the number of bytes read, 0 for EOF, - * or a negative error code. - */ -int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ); - -/** - * \brief Write exactly 'len' application data bytes - * - * \param ssl SSL context - * \param buf buffer holding the data - * \param len how many bytes must be written - * - * \return This function returns the number of bytes written, - * or a negative error code. - * - * \note When this function returns POLARSSL_ERR_NET_WANT_WRITE, - * it must be called later with the *same* arguments, - * until it returns a positive value. - */ -int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len ); - -/** - * \brief Send an alert message - * - * \param ssl SSL context - * \param level The alert level of the message - * (SSL_ALERT_LEVEL_WARNING or SSL_ALERT_LEVEL_FATAL) - * \param message The alert message (SSL_ALERT_MSG_*) - * - * \return 1 if successful, or a specific SSL error code. - */ -int ssl_send_alert_message( ssl_context *ssl, - unsigned char level, - unsigned char message ); -/** - * \brief Notify the peer that the connection is being closed - * - * \param ssl SSL context - */ -int ssl_close_notify( ssl_context *ssl ); - -/** - * \brief Free an SSL context - * - * \param ssl SSL context - */ -void ssl_free( ssl_context *ssl ); - -/* - * Internal functions (do not call directly) - */ -int ssl_handshake_client( ssl_context *ssl ); -int ssl_handshake_server( ssl_context *ssl ); - -int ssl_derive_keys( ssl_context *ssl ); - -int ssl_read_record( ssl_context *ssl ); -/** - * \return 0 if successful, POLARSSL_ERR_SSL_CONN_EOF on EOF or - * another negative error code. - */ -int ssl_fetch_input( ssl_context *ssl, size_t nb_want ); - -int ssl_write_record( ssl_context *ssl ); -int ssl_flush_output( ssl_context *ssl ); - -int ssl_parse_certificate( ssl_context *ssl ); -int ssl_write_certificate( ssl_context *ssl ); - -int ssl_parse_change_cipher_spec( ssl_context *ssl ); -int ssl_write_change_cipher_spec( ssl_context *ssl ); - -int ssl_parse_finished( ssl_context *ssl ); -int ssl_write_finished( ssl_context *ssl ); - -void ssl_kickstart_checksum( ssl_context *ssl, int ciphersuite, - unsigned char *input_buf, size_t len ); - -#ifdef __cplusplus -} -#endif - -#endif /* ssl.h */ |