mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-05 01:53:43 +01:00
10699cc96c
There are situations in which it is not clear what message to expect next. For example, the message following the ServerHello might be either a Certificate, a ServerKeyExchange or a CertificateRequest. We deal with this situation in the following way: Initially, the message processing function for one of the allowed message types is called, which fetches and decodes a new message. If that message is not the expected one, the function returns successfully (instead of throwing an error as usual for unexpected messages), and the handshake continues to the processing function for the next possible message. To not have this function fetch a new message, a flag in the SSL context structure is used to indicate that the last message was retained for further processing, and if that's set, the following processing function will not fetch a new record. This commit simplifies the usage of this message-retaining parameter by doing the check within the record-fetching routine instead of the specific message-processing routines. The code gets cleaner this way and allows retaining messages to be used in other situations as well without much effort. This will be used in the next commits.
2071 lines
80 KiB
C
2071 lines
80 KiB
C
/**
|
|
* \file ssl.h
|
|
*
|
|
* \brief SSL/TLS functions.
|
|
*
|
|
* Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
|
|
*
|
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*/
|
|
#ifndef POLARSSL_SSL_H
|
|
#define POLARSSL_SSL_H
|
|
|
|
#if !defined(POLARSSL_CONFIG_FILE)
|
|
#include "config.h"
|
|
#else
|
|
#include POLARSSL_CONFIG_FILE
|
|
#endif
|
|
|
|
/* Temporary compatibility trick for the current stable branch */
|
|
#if !defined(POLARSSL_SSL_DISABLE_RENEGOTIATION)
|
|
#define POLARSSL_SSL_RENEGOTIATION
|
|
#endif
|
|
|
|
#include "net.h"
|
|
#include "bignum.h"
|
|
#include "ecp.h"
|
|
|
|
#include "ssl_ciphersuites.h"
|
|
|
|
#if defined(POLARSSL_MD5_C)
|
|
#include "md5.h"
|
|
#endif
|
|
|
|
#if defined(POLARSSL_SHA1_C)
|
|
#include "sha1.h"
|
|
#endif
|
|
|
|
#if defined(POLARSSL_SHA256_C)
|
|
#include "sha256.h"
|
|
#endif
|
|
|
|
#if defined(POLARSSL_SHA512_C)
|
|
#include "sha512.h"
|
|
#endif
|
|
|
|
// for session tickets
|
|
#if defined(POLARSSL_AES_C)
|
|
#include "aes.h"
|
|
#endif
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
#include "x509_crt.h"
|
|
#include "x509_crl.h"
|
|
#endif
|
|
|
|
#if defined(POLARSSL_DHM_C)
|
|
#include "dhm.h"
|
|
#endif
|
|
|
|
#if defined(POLARSSL_ECDH_C)
|
|
#include "ecdh.h"
|
|
#endif
|
|
|
|
#if defined(POLARSSL_ZLIB_SUPPORT)
|
|
#include "zlib.h"
|
|
#endif
|
|
|
|
#if defined(POLARSSL_HAVE_TIME)
|
|
#include <time.h>
|
|
#endif
|
|
|
|
/* For convenience below and in programs */
|
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
|
|
defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
|
defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
|
#define POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED
|
|
#endif
|
|
|
|
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
|
#define POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED
|
|
#endif
|
|
|
|
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
|
|
!defined(inline) && !defined(__cplusplus)
|
|
#define inline __inline
|
|
#endif
|
|
|
|
/*
|
|
* SSL Error codes
|
|
*/
|
|
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 /**< The requested feature is not available. */
|
|
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA -0x7100 /**< Bad input parameters to function. */
|
|
#define POLARSSL_ERR_SSL_INVALID_MAC -0x7180 /**< Verification of the message MAC failed. */
|
|
#define POLARSSL_ERR_SSL_INVALID_RECORD -0x7200 /**< An invalid SSL record was received. */
|
|
#define POLARSSL_ERR_SSL_CONN_EOF -0x7280 /**< The connection indicated an EOF. */
|
|
#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x7300 /**< An unknown cipher was received. */
|
|
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */
|
|
#define POLARSSL_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */
|
|
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */
|
|
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message. */
|
|
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */
|
|
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 /**< The own private key or pre-shared key is not set, but needed. */
|
|
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */
|
|
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 /**< An unexpected message was received from our peer. */
|
|
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 /**< A fatal alert message was received from our peer. */
|
|
#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED -0x7800 /**< Verification of our peer failed. */
|
|
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 /**< The peer notified us that the connection is going to be closed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 /**< Processing of the ClientHello handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 /**< Processing of the ServerHello handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00 /**< Processing of the Certificate handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0x7A80 /**< Processing of the CertificateRequest handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0x7B00 /**< Processing of the ServerKeyExchange handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0x7B80 /**< Processing of the ServerHelloDone handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0x7C00 /**< Processing of the ClientKeyExchange handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP -0x7C80 /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS -0x7D00 /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80 /**< Processing of the CertificateVerify handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00 /**< Processing of the ChangeCipherSpec handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED -0x7E80 /**< Processing of the Finished handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_MALLOC_FAILED -0x7F00 /**< Memory allocation failed */
|
|
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED -0x7F80 /**< Hardware acceleration function returned with error */
|
|
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 /**< Hardware acceleration function skipped / left alone data */
|
|
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 /**< Processing of the compression / decompression failed */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 /**< Handshake protocol not within min/max boundaries */
|
|
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 /**< Processing of the NewSessionTicket handshake message failed. */
|
|
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 /**< Session ticket has expired. */
|
|
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
|
|
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 /**< Unknown identity received (eg, PSK identity) */
|
|
#define POLARSSL_ERR_SSL_INTERNAL_ERROR -0x6C00 /**< Internal error (eg, unexpected failure in lower-level module) */
|
|
#define POLARSSL_ERR_SSL_COUNTER_WRAPPING -0x6B80 /**< A counter would wrap (eg, too many messages exchanged). */
|
|
#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO -0x6B00 /**< Unexpected message at ServerHello in renegotiation. */
|
|
#define POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE -0x6A80 /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */
|
|
|
|
/*
|
|
* Various constants
|
|
*/
|
|
#define SSL_MAJOR_VERSION_3 3
|
|
#define SSL_MINOR_VERSION_0 0 /*!< SSL v3.0 */
|
|
#define SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 */
|
|
#define SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */
|
|
#define SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */
|
|
|
|
/* Determine minimum supported version */
|
|
#define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3
|
|
|
|
#if defined(POLARSSL_SSL_PROTO_SSL3)
|
|
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0
|
|
#else
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1)
|
|
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_1
|
|
#else
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1_1)
|
|
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_2
|
|
#else
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
|
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_3
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1_1 */
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1 */
|
|
#endif /* POLARSSL_SSL_PROTO_SSL3 */
|
|
|
|
/* Determine maximum supported version */
|
|
#define SSL_MAX_MAJOR_VERSION SSL_MAJOR_VERSION_3
|
|
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
|
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_3
|
|
#else
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1_1)
|
|
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_2
|
|
#else
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1)
|
|
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_1
|
|
#else
|
|
#if defined(POLARSSL_SSL_PROTO_SSL3)
|
|
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_0
|
|
#endif /* POLARSSL_SSL_PROTO_SSL3 */
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1 */
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1_1 */
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
|
|
|
#define SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined in RFC 1035 */
|
|
|
|
/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
|
|
* NONE must be zero so that memset()ing structure to zero works */
|
|
#define SSL_MAX_FRAG_LEN_NONE 0 /*!< don't use this extension */
|
|
#define SSL_MAX_FRAG_LEN_512 1 /*!< MaxFragmentLength 2^9 */
|
|
#define SSL_MAX_FRAG_LEN_1024 2 /*!< MaxFragmentLength 2^10 */
|
|
#define SSL_MAX_FRAG_LEN_2048 3 /*!< MaxFragmentLength 2^11 */
|
|
#define SSL_MAX_FRAG_LEN_4096 4 /*!< MaxFragmentLength 2^12 */
|
|
#define SSL_MAX_FRAG_LEN_INVALID 5 /*!< first invalid value */
|
|
|
|
#define SSL_IS_CLIENT 0
|
|
#define SSL_IS_SERVER 1
|
|
|
|
#define SSL_IS_NOT_FALLBACK 0
|
|
#define SSL_IS_FALLBACK 1
|
|
|
|
#define SSL_EXTENDED_MS_DISABLED 0
|
|
#define SSL_EXTENDED_MS_ENABLED 1
|
|
|
|
#define SSL_ETM_DISABLED 0
|
|
#define SSL_ETM_ENABLED 1
|
|
|
|
#define SSL_COMPRESS_NULL 0
|
|
#define SSL_COMPRESS_DEFLATE 1
|
|
|
|
#define SSL_VERIFY_NONE 0
|
|
#define SSL_VERIFY_OPTIONAL 1
|
|
#define SSL_VERIFY_REQUIRED 2
|
|
|
|
#define SSL_INITIAL_HANDSHAKE 0
|
|
#define SSL_RENEGOTIATION 1 /* In progress */
|
|
#define SSL_RENEGOTIATION_DONE 2 /* Done */
|
|
#define SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
|
|
|
|
#define SSL_LEGACY_RENEGOTIATION 0
|
|
#define SSL_SECURE_RENEGOTIATION 1
|
|
|
|
#define SSL_RENEGOTIATION_DISABLED 0
|
|
#define SSL_RENEGOTIATION_ENABLED 1
|
|
|
|
#define SSL_RENEGOTIATION_NOT_ENFORCED -1
|
|
#define SSL_RENEGO_MAX_RECORDS_DEFAULT 16
|
|
|
|
#define SSL_LEGACY_NO_RENEGOTIATION 0
|
|
#define SSL_LEGACY_ALLOW_RENEGOTIATION 1
|
|
#define SSL_LEGACY_BREAK_HANDSHAKE 2
|
|
|
|
#define SSL_TRUNC_HMAC_DISABLED 0
|
|
#define SSL_TRUNC_HMAC_ENABLED 1
|
|
#define SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */
|
|
|
|
#define SSL_SESSION_TICKETS_DISABLED 0
|
|
#define SSL_SESSION_TICKETS_ENABLED 1
|
|
|
|
#define SSL_CBC_RECORD_SPLITTING_DISABLED -1
|
|
#define SSL_CBC_RECORD_SPLITTING_ENABLED 0
|
|
|
|
#define SSL_ARC4_ENABLED 0
|
|
#define SSL_ARC4_DISABLED 1
|
|
|
|
/**
|
|
* \name SECTION: Module settings
|
|
*
|
|
* The configuration options you can set for this module are in this section.
|
|
* Either change them in config.h or define them on the compiler command line.
|
|
* \{
|
|
*/
|
|
|
|
#if !defined(SSL_DEFAULT_TICKET_LIFETIME)
|
|
#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
|
|
#endif
|
|
|
|
/*
|
|
* Size of the input / output buffer.
|
|
* Note: the RFC defines the default size of SSL / TLS messages. If you
|
|
* change the value here, other clients / servers may not be able to
|
|
* communicate with you anymore. Only change this value if you control
|
|
* both sides of the connection and have it reduced at both sides, or
|
|
* if you're using the Max Fragment Length extension and you know all your
|
|
* peers are using it too!
|
|
*/
|
|
#if !defined(SSL_MAX_CONTENT_LEN)
|
|
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
|
|
#endif
|
|
|
|
/*
|
|
* Minimum size of the Diffie-Hellman parameters to accept from a server.
|
|
* The default is 1024 bits (128 bytes) for compatibility reasons.
|
|
* From a purely security perspective, 2048 bits would be better.
|
|
*/
|
|
#if !defined(SSL_MIN_DHM_BYTES)
|
|
#define SSL_MIN_DHM_BYTES 128 /**< Min size of the Diffie-Hellman prime */
|
|
#endif
|
|
/* \} name SECTION: Module settings */
|
|
|
|
/*
|
|
* Allow extra bytes for record, authentication and encryption overhead:
|
|
* counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
|
|
* and allow for a maximum of 1024 of compression expansion if
|
|
* enabled.
|
|
*/
|
|
#if defined(POLARSSL_ZLIB_SUPPORT)
|
|
#define SSL_COMPRESSION_ADD 1024
|
|
#else
|
|
#define SSL_COMPRESSION_ADD 0
|
|
#endif
|
|
|
|
#if defined(POLARSSL_RC4_C) || defined(POLARSSL_CIPHER_MODE_CBC)
|
|
/* Ciphersuites using HMAC */
|
|
#if defined(POLARSSL_SHA512_C)
|
|
#define SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
|
|
#elif defined(POLARSSL_SHA256_C)
|
|
#define SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
|
|
#else
|
|
#define SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
|
|
#endif
|
|
#else
|
|
/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
|
|
#define SSL_MAC_ADD 16
|
|
#endif
|
|
|
|
#if defined(POLARSSL_CIPHER_MODE_CBC)
|
|
#define SSL_PADDING_ADD 256
|
|
#else
|
|
#define SSL_PADDING_ADD 0
|
|
#endif
|
|
|
|
#define SSL_BUFFER_LEN ( SSL_MAX_CONTENT_LEN \
|
|
+ SSL_COMPRESSION_ADD \
|
|
+ 29 /* counter + header + IV */ \
|
|
+ SSL_MAC_ADD \
|
|
+ SSL_PADDING_ADD \
|
|
)
|
|
|
|
/*
|
|
* Length of the verify data for secure renegotiation
|
|
*/
|
|
#if defined(POLARSSL_SSL_PROTO_SSL3)
|
|
#define SSL_VERIFY_DATA_MAX_LEN 36
|
|
#else
|
|
#define SSL_VERIFY_DATA_MAX_LEN 12
|
|
#endif
|
|
|
|
/*
|
|
* Signaling ciphersuite values (SCSV)
|
|
*/
|
|
#define SSL_EMPTY_RENEGOTIATION_INFO 0xFF /**< renegotiation info ext */
|
|
#define SSL_FALLBACK_SCSV 0x5600 /**< draft-ietf-tls-downgrade-scsv-00 */
|
|
|
|
/*
|
|
* Supported Signature and Hash algorithms (For TLS 1.2)
|
|
* RFC 5246 section 7.4.1.4.1
|
|
*/
|
|
#define SSL_HASH_NONE 0
|
|
#define SSL_HASH_MD5 1
|
|
#define SSL_HASH_SHA1 2
|
|
#define SSL_HASH_SHA224 3
|
|
#define SSL_HASH_SHA256 4
|
|
#define SSL_HASH_SHA384 5
|
|
#define SSL_HASH_SHA512 6
|
|
|
|
#define SSL_SIG_ANON 0
|
|
#define SSL_SIG_RSA 1
|
|
#define SSL_SIG_ECDSA 3
|
|
|
|
/*
|
|
* Client Certificate Types
|
|
* RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
|
|
*/
|
|
#define SSL_CERT_TYPE_RSA_SIGN 1
|
|
#define SSL_CERT_TYPE_ECDSA_SIGN 64
|
|
|
|
/*
|
|
* Message, alert and handshake types
|
|
*/
|
|
#define SSL_MSG_CHANGE_CIPHER_SPEC 20
|
|
#define SSL_MSG_ALERT 21
|
|
#define SSL_MSG_HANDSHAKE 22
|
|
#define SSL_MSG_APPLICATION_DATA 23
|
|
|
|
#define SSL_ALERT_LEVEL_WARNING 1
|
|
#define SSL_ALERT_LEVEL_FATAL 2
|
|
|
|
#define SSL_ALERT_MSG_CLOSE_NOTIFY 0 /* 0x00 */
|
|
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE 10 /* 0x0A */
|
|
#define SSL_ALERT_MSG_BAD_RECORD_MAC 20 /* 0x14 */
|
|
#define SSL_ALERT_MSG_DECRYPTION_FAILED 21 /* 0x15 */
|
|
#define SSL_ALERT_MSG_RECORD_OVERFLOW 22 /* 0x16 */
|
|
#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30 /* 0x1E */
|
|
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE 40 /* 0x28 */
|
|
#define SSL_ALERT_MSG_NO_CERT 41 /* 0x29 */
|
|
#define SSL_ALERT_MSG_BAD_CERT 42 /* 0x2A */
|
|
#define SSL_ALERT_MSG_UNSUPPORTED_CERT 43 /* 0x2B */
|
|
#define SSL_ALERT_MSG_CERT_REVOKED 44 /* 0x2C */
|
|
#define SSL_ALERT_MSG_CERT_EXPIRED 45 /* 0x2D */
|
|
#define SSL_ALERT_MSG_CERT_UNKNOWN 46 /* 0x2E */
|
|
#define SSL_ALERT_MSG_ILLEGAL_PARAMETER 47 /* 0x2F */
|
|
#define SSL_ALERT_MSG_UNKNOWN_CA 48 /* 0x30 */
|
|
#define SSL_ALERT_MSG_ACCESS_DENIED 49 /* 0x31 */
|
|
#define SSL_ALERT_MSG_DECODE_ERROR 50 /* 0x32 */
|
|
#define SSL_ALERT_MSG_DECRYPT_ERROR 51 /* 0x33 */
|
|
#define SSL_ALERT_MSG_EXPORT_RESTRICTION 60 /* 0x3C */
|
|
#define SSL_ALERT_MSG_PROTOCOL_VERSION 70 /* 0x46 */
|
|
#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71 /* 0x47 */
|
|
#define SSL_ALERT_MSG_INTERNAL_ERROR 80 /* 0x50 */
|
|
#define SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86 /* 0x56 */
|
|
#define SSL_ALERT_MSG_USER_CANCELED 90 /* 0x5A */
|
|
#define SSL_ALERT_MSG_NO_RENEGOTIATION 100 /* 0x64 */
|
|
#define SSL_ALERT_MSG_UNSUPPORTED_EXT 110 /* 0x6E */
|
|
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME 112 /* 0x70 */
|
|
#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115 /* 0x73 */
|
|
#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */
|
|
|
|
#define SSL_HS_HELLO_REQUEST 0
|
|
#define SSL_HS_CLIENT_HELLO 1
|
|
#define SSL_HS_SERVER_HELLO 2
|
|
#define SSL_HS_NEW_SESSION_TICKET 4
|
|
#define SSL_HS_CERTIFICATE 11
|
|
#define SSL_HS_SERVER_KEY_EXCHANGE 12
|
|
#define SSL_HS_CERTIFICATE_REQUEST 13
|
|
#define SSL_HS_SERVER_HELLO_DONE 14
|
|
#define SSL_HS_CERTIFICATE_VERIFY 15
|
|
#define SSL_HS_CLIENT_KEY_EXCHANGE 16
|
|
#define SSL_HS_FINISHED 20
|
|
|
|
/*
|
|
* TLS extensions
|
|
*/
|
|
#define TLS_EXT_SERVERNAME 0
|
|
#define TLS_EXT_SERVERNAME_HOSTNAME 0
|
|
|
|
#define TLS_EXT_MAX_FRAGMENT_LENGTH 1
|
|
|
|
#define TLS_EXT_TRUNCATED_HMAC 4
|
|
|
|
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10
|
|
#define TLS_EXT_SUPPORTED_POINT_FORMATS 11
|
|
|
|
#define TLS_EXT_SIG_ALG 13
|
|
|
|
#define TLS_EXT_ALPN 16
|
|
|
|
#define TLS_EXT_ENCRYPT_THEN_MAC 22 /* 0x16 */
|
|
#define TLS_EXT_EXTENDED_MASTER_SECRET 0x0017 /* 23 */
|
|
|
|
#define TLS_EXT_SESSION_TICKET 35
|
|
|
|
#define TLS_EXT_RENEGOTIATION_INFO 0xFF01
|
|
|
|
/*
|
|
* TLS extension flags (for extensions with outgoing ServerHello content
|
|
* that need it (e.g. for RENEGOTIATION_INFO the server already knows because
|
|
* of state of the renegotiation flag, so no indicator is required)
|
|
*/
|
|
#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
|
|
|
|
/*
|
|
* Size defines
|
|
*/
|
|
#if !defined(POLARSSL_PSK_MAX_LEN)
|
|
#define POLARSSL_PSK_MAX_LEN 32 /* 256 bits */
|
|
#endif
|
|
|
|
/* Dummy type used only for its size */
|
|
union _ssl_premaster_secret
|
|
{
|
|
#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)
|
|
unsigned char _pms_rsa[48]; /* RFC 5246 8.1.1 */
|
|
#endif
|
|
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)
|
|
unsigned char _pms_dhm[POLARSSL_MPI_MAX_SIZE]; /* RFC 5246 8.1.2 */
|
|
#endif
|
|
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
|
defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
|
defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
|
unsigned char _pms_ecdh[POLARSSL_ECP_MAX_BYTES]; /* RFC 4492 5.10 */
|
|
#endif
|
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
|
unsigned char _pms_psk[4 + 2 * POLARSSL_PSK_MAX_LEN]; /* RFC 4279 2 */
|
|
#endif
|
|
#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
|
unsigned char _pms_dhe_psk[4 + POLARSSL_MPI_MAX_SIZE
|
|
+ POLARSSL_PSK_MAX_LEN]; /* RFC 4279 3 */
|
|
#endif
|
|
#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
|
unsigned char _pms_rsa_psk[52 + POLARSSL_PSK_MAX_LEN]; /* RFC 4279 4 */
|
|
#endif
|
|
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
|
unsigned char _pms_ecdhe_psk[4 + POLARSSL_ECP_MAX_BYTES
|
|
+ POLARSSL_PSK_MAX_LEN]; /* RFC 5489 2 */
|
|
#endif
|
|
};
|
|
|
|
#define POLARSSL_PREMASTER_SIZE sizeof( union _ssl_premaster_secret )
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
/*
|
|
* Generic function pointers for allowing external RSA private key
|
|
* implementations.
|
|
*/
|
|
typedef int (*rsa_decrypt_func)( void *ctx, int mode, size_t *olen,
|
|
const unsigned char *input, unsigned char *output,
|
|
size_t output_max_len );
|
|
typedef int (*rsa_sign_func)( void *ctx,
|
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
|
int mode, md_type_t md_alg, unsigned int hashlen,
|
|
const unsigned char *hash, unsigned char *sig );
|
|
typedef size_t (*rsa_key_len_func)( void *ctx );
|
|
|
|
/*
|
|
* SSL state machine
|
|
*/
|
|
typedef enum
|
|
{
|
|
SSL_HELLO_REQUEST,
|
|
SSL_CLIENT_HELLO,
|
|
SSL_SERVER_HELLO,
|
|
SSL_SERVER_CERTIFICATE,
|
|
SSL_SERVER_KEY_EXCHANGE,
|
|
SSL_CERTIFICATE_REQUEST,
|
|
SSL_SERVER_HELLO_DONE,
|
|
SSL_CLIENT_CERTIFICATE,
|
|
SSL_CLIENT_KEY_EXCHANGE,
|
|
SSL_CERTIFICATE_VERIFY,
|
|
SSL_CLIENT_CHANGE_CIPHER_SPEC,
|
|
SSL_CLIENT_FINISHED,
|
|
SSL_SERVER_CHANGE_CIPHER_SPEC,
|
|
SSL_SERVER_FINISHED,
|
|
SSL_FLUSH_BUFFERS,
|
|
SSL_HANDSHAKE_WRAPUP,
|
|
SSL_HANDSHAKE_OVER,
|
|
SSL_SERVER_NEW_SESSION_TICKET,
|
|
}
|
|
ssl_states;
|
|
|
|
typedef struct _ssl_session ssl_session;
|
|
typedef struct _ssl_context ssl_context;
|
|
typedef struct _ssl_transform ssl_transform;
|
|
typedef struct _ssl_handshake_params ssl_handshake_params;
|
|
typedef struct _ssl_sig_hash_set_t ssl_sig_hash_set_t;
|
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
|
typedef struct _ssl_ticket_keys ssl_ticket_keys;
|
|
#endif
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
typedef struct _ssl_key_cert ssl_key_cert;
|
|
#endif
|
|
|
|
/*
|
|
* This structure is used for storing current session data.
|
|
*/
|
|
struct _ssl_session
|
|
{
|
|
#if defined(POLARSSL_HAVE_TIME)
|
|
time_t start; /*!< starting time */
|
|
#endif
|
|
int ciphersuite; /*!< chosen ciphersuite */
|
|
int compression; /*!< chosen compression */
|
|
size_t length; /*!< session id length */
|
|
unsigned char id[32]; /*!< session identifier */
|
|
unsigned char master[48]; /*!< the master secret */
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
x509_crt *peer_cert; /*!< peer X.509 cert chain */
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
int verify_result; /*!< verification result */
|
|
|
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
|
unsigned char *ticket; /*!< RFC 5077 session ticket */
|
|
size_t ticket_len; /*!< session ticket length */
|
|
uint32_t ticket_lifetime; /*!< ticket lifetime hint */
|
|
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
|
|
|
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
|
|
unsigned char mfl_code; /*!< MaxFragmentLength negotiated by peer */
|
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
|
|
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
|
int trunc_hmac; /*!< flag for truncated hmac activation */
|
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
|
|
|
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
|
|
int encrypt_then_mac; /*!< flag for EtM activation */
|
|
#endif
|
|
};
|
|
|
|
/*
|
|
* This structure contains a full set of runtime transform parameters
|
|
* either in negotiation or active.
|
|
*/
|
|
struct _ssl_transform
|
|
{
|
|
/*
|
|
* Session specific crypto layer
|
|
*/
|
|
const ssl_ciphersuite_t *ciphersuite_info;
|
|
/*!< Chosen cipersuite_info */
|
|
unsigned int keylen; /*!< symmetric key length */
|
|
size_t minlen; /*!< min. ciphertext length */
|
|
size_t ivlen; /*!< IV length */
|
|
size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
|
|
size_t maclen; /*!< MAC length */
|
|
|
|
unsigned char iv_enc[16]; /*!< IV (encryption) */
|
|
unsigned char iv_dec[16]; /*!< IV (decryption) */
|
|
|
|
#if defined(POLARSSL_SSL_PROTO_SSL3)
|
|
/* Needed only for SSL v3.0 secret */
|
|
unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
|
|
unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
|
|
#endif /* POLARSSL_SSL_PROTO_SSL3 */
|
|
|
|
md_context_t md_ctx_enc; /*!< MAC (encryption) */
|
|
md_context_t md_ctx_dec; /*!< MAC (decryption) */
|
|
|
|
cipher_context_t cipher_ctx_enc; /*!< encryption context */
|
|
cipher_context_t cipher_ctx_dec; /*!< decryption context */
|
|
|
|
/*
|
|
* Session specific compression layer
|
|
*/
|
|
#if defined(POLARSSL_ZLIB_SUPPORT)
|
|
z_stream ctx_deflate; /*!< compression context */
|
|
z_stream ctx_inflate; /*!< decompression context */
|
|
#endif
|
|
};
|
|
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
|
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
|
/*
|
|
* Abstraction for a grid of allowed signature-hash-algorithm pairs.
|
|
*/
|
|
struct _ssl_sig_hash_set_t
|
|
{
|
|
/* At the moment, we only need to remember a single suitable
|
|
* hash algorithm per signature algorithm. As long as that's
|
|
* the case - and we don't need a general lookup function -
|
|
* we can implement the sig-hash-set as a map from signatures
|
|
* to hash algorithms. */
|
|
md_type_t rsa;
|
|
md_type_t ecdsa;
|
|
};
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1_2) &&
|
|
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
|
|
|
/*
|
|
* This structure contains the parameters only needed during handshake.
|
|
*/
|
|
struct _ssl_handshake_params
|
|
{
|
|
/*
|
|
* Handshake specific crypto variables
|
|
*/
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
|
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
|
ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
|
|
#endif
|
|
int cert_type; /*!< Requested cert type */
|
|
int verify_sig_alg; /*!< Signature algorithm for verify */
|
|
#if defined(POLARSSL_DHM_C)
|
|
dhm_context dhm_ctx; /*!< DHM key exchange */
|
|
#endif
|
|
#if defined(POLARSSL_ECDH_C)
|
|
ecdh_context ecdh_ctx; /*!< ECDH key exchange */
|
|
#endif
|
|
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
|
|
const ecp_curve_info **curves; /*!< Supported elliptic curves */
|
|
#endif
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
/**
|
|
* Current key/cert or key/cert list.
|
|
* On client: pointer to ssl->key_cert, only the first entry used.
|
|
* On server: starts as a pointer to ssl->key_cert, then becomes
|
|
* a pointer to the chosen key from this list or the SNI list.
|
|
*/
|
|
ssl_key_cert *key_cert;
|
|
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
|
ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
|
|
#endif
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
|
|
/*
|
|
* Checksum contexts
|
|
*/
|
|
#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
|
|
defined(POLARSSL_SSL_PROTO_TLS1_1)
|
|
md5_context fin_md5;
|
|
sha1_context fin_sha1;
|
|
#endif
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
|
|
#if defined(POLARSSL_SHA256_C)
|
|
sha256_context fin_sha256;
|
|
#endif
|
|
#if defined(POLARSSL_SHA512_C)
|
|
sha512_context fin_sha512;
|
|
#endif
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
|
|
|
|
void (*update_checksum)(ssl_context *, const unsigned char *, size_t);
|
|
void (*calc_verify)(ssl_context *, unsigned char *);
|
|
void (*calc_finished)(ssl_context *, unsigned char *, int);
|
|
int (*tls_prf)(const unsigned char *, size_t, const char *,
|
|
const unsigned char *, size_t,
|
|
unsigned char *, size_t);
|
|
|
|
size_t pmslen; /*!< premaster length */
|
|
|
|
unsigned char randbytes[64]; /*!< random bytes */
|
|
unsigned char premaster[POLARSSL_PREMASTER_SIZE];
|
|
/*!< premaster secret */
|
|
|
|
int resume; /*!< session resume indicator*/
|
|
int max_major_ver; /*!< max. major version client*/
|
|
int max_minor_ver; /*!< max. minor version client*/
|
|
int cli_exts; /*!< client extension presence*/
|
|
|
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
|
int new_session_ticket; /*!< use NewSessionTicket? */
|
|
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
|
#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
|
|
int extended_ms; /*!< use Extended Master Secret? */
|
|
#endif
|
|
};
|
|
|
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
|
/*
|
|
* Parameters needed to secure session tickets
|
|
*/
|
|
struct _ssl_ticket_keys
|
|
{
|
|
unsigned char key_name[16]; /*!< name to quickly discard bad tickets */
|
|
aes_context enc; /*!< encryption context */
|
|
aes_context dec; /*!< decryption context */
|
|
unsigned char mac_key[16]; /*!< authentication key */
|
|
};
|
|
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
/*
|
|
* List of certificate + private key pairs
|
|
*/
|
|
struct _ssl_key_cert
|
|
{
|
|
x509_crt *cert; /*!< cert */
|
|
pk_context *key; /*!< private key */
|
|
int key_own_alloc; /*!< did we allocate key? */
|
|
ssl_key_cert *next; /*!< next key/cert pair */
|
|
};
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
|
|
struct _ssl_context
|
|
{
|
|
/*
|
|
* Miscellaneous
|
|
*/
|
|
int state; /*!< SSL handshake: current state */
|
|
int renegotiation; /*!< Initial or renegotiation */
|
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
|
int renego_records_seen; /*!< Records since renego request */
|
|
#endif
|
|
|
|
int major_ver; /*!< equal to SSL_MAJOR_VERSION_3 */
|
|
int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */
|
|
|
|
int max_major_ver; /*!< max. major version used */
|
|
int max_minor_ver; /*!< max. minor version used */
|
|
int min_major_ver; /*!< min. major version used */
|
|
int min_minor_ver; /*!< min. minor version used */
|
|
|
|
#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
|
|
char fallback; /*!< flag for fallback connections */
|
|
#endif
|
|
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
|
|
char encrypt_then_mac; /*!< flag for encrypt-then-mac */
|
|
#endif
|
|
#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
|
|
char extended_ms; /*!< flag for extended master secret */
|
|
#endif
|
|
char arc4_disabled; /*!< flag for disabling RC4 */
|
|
|
|
/*
|
|
* Callbacks (RNG, debug, I/O, verification)
|
|
*/
|
|
int (*f_rng)(void *, unsigned char *, size_t);
|
|
void (*f_dbg)(void *, int, const char *);
|
|
int (*f_recv)(void *, unsigned char *, size_t);
|
|
int (*f_send)(void *, const unsigned char *, size_t);
|
|
int (*f_get_cache)(void *, ssl_session *);
|
|
int (*f_set_cache)(void *, const ssl_session *);
|
|
|
|
void *p_rng; /*!< context for the RNG function */
|
|
void *p_dbg; /*!< context for the debug function */
|
|
void *p_recv; /*!< context for reading operations */
|
|
void *p_send; /*!< context for writing operations */
|
|
void *p_get_cache; /*!< context for cache retrieval */
|
|
void *p_set_cache; /*!< context for cache store */
|
|
void *p_hw_data; /*!< context for HW acceleration */
|
|
|
|
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
|
int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t);
|
|
void *p_sni; /*!< context for SNI extension */
|
|
#endif
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
int (*f_vrfy)(void *, x509_crt *, int, int *);
|
|
void *p_vrfy; /*!< context for verification */
|
|
#endif
|
|
|
|
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
|
int (*f_psk)(void *, ssl_context *, const unsigned char *, size_t);
|
|
void *p_psk; /*!< context for PSK retrieval */
|
|
#endif
|
|
|
|
/*
|
|
* Session layer
|
|
*/
|
|
ssl_session *session_in; /*!< current session data (in) */
|
|
ssl_session *session_out; /*!< current session data (out) */
|
|
ssl_session *session; /*!< negotiated session data */
|
|
ssl_session *session_negotiate; /*!< session data in negotiation */
|
|
|
|
ssl_handshake_params *handshake; /*!< params required only during
|
|
the handshake process */
|
|
|
|
/*
|
|
* Record layer transformations
|
|
*/
|
|
ssl_transform *transform_in; /*!< current transform params (in) */
|
|
ssl_transform *transform_out; /*!< current transform params (in) */
|
|
ssl_transform *transform; /*!< negotiated transform params */
|
|
ssl_transform *transform_negotiate; /*!< transform params in negotiation */
|
|
|
|
/*
|
|
* Record layer (incoming data)
|
|
*/
|
|
unsigned char *in_ctr; /*!< 64-bit incoming message counter */
|
|
unsigned char *in_hdr; /*!< 5-byte record header (in_ctr+8) */
|
|
unsigned char *in_iv; /*!< ivlen-byte IV (in_hdr+5) */
|
|
unsigned char *in_msg; /*!< message contents (in_iv+ivlen) */
|
|
unsigned char *in_offt; /*!< read offset in application data */
|
|
|
|
int in_msgtype; /*!< record header: message type */
|
|
size_t in_msglen; /*!< record header: message length */
|
|
size_t in_left; /*!< amount of data read so far */
|
|
|
|
size_t in_hslen; /*!< current handshake message length */
|
|
int nb_zero; /*!< # of 0-length encrypted messages */
|
|
|
|
int keep_current_message; /*!< drop or reuse current message
|
|
on next call to record layer? */
|
|
|
|
/*
|
|
* Record layer (outgoing data)
|
|
*/
|
|
unsigned char *out_ctr; /*!< 64-bit outgoing message counter */
|
|
unsigned char *out_hdr; /*!< 5-byte record header (out_ctr+8) */
|
|
unsigned char *out_iv; /*!< ivlen-byte IV (out_hdr+5) */
|
|
unsigned char *out_msg; /*!< message contents (out_iv+ivlen) */
|
|
|
|
int out_msgtype; /*!< record header: message type */
|
|
size_t out_msglen; /*!< record header: message length */
|
|
size_t out_left; /*!< amount of data not yet written */
|
|
|
|
#if defined(POLARSSL_ZLIB_SUPPORT)
|
|
unsigned char *compress_buf; /*!< zlib data buffer */
|
|
#endif
|
|
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
|
|
unsigned char mfl_code; /*!< MaxFragmentLength chosen by us */
|
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
|
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
|
signed char split_done; /*!< flag for record splitting:
|
|
-1 disabled, 0 todo, 1 done */
|
|
#endif
|
|
|
|
/*
|
|
* PKI layer
|
|
*/
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
ssl_key_cert *key_cert; /*!< own certificate(s)/key(s) */
|
|
|
|
x509_crt *ca_chain; /*!< own trusted CA chain */
|
|
x509_crl *ca_crl; /*!< trusted CA CRLs */
|
|
const char *peer_cn; /*!< expected peer CN */
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
|
|
/*
|
|
* Support for generating and checking session tickets
|
|
*/
|
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
|
ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */
|
|
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
|
|
|
/*
|
|
* User settings
|
|
*/
|
|
int endpoint; /*!< 0: client, 1: server */
|
|
int authmode; /*!< verification mode */
|
|
int client_auth; /*!< flag for client auth. */
|
|
int verify_result; /*!< verification result */
|
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
|
int disable_renegotiation; /*!< enable/disable renegotiation */
|
|
int renego_max_records; /*!< grace period for renegotiation */
|
|
unsigned char renego_period[8]; /*!< value of the record counters
|
|
that triggers renegotiation */
|
|
#endif
|
|
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
|
|
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
|
|
#if defined(POLARSSL_SSL_SET_CURVES)
|
|
const ecp_group_id *curve_list; /*!< allowed curves */
|
|
#endif
|
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
|
int trunc_hmac; /*!< negotiate truncated hmac? */
|
|
#endif
|
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
|
int session_tickets; /*!< use session tickets? */
|
|
int ticket_lifetime; /*!< session ticket lifetime */
|
|
#endif
|
|
|
|
#if defined(POLARSSL_DHM_C)
|
|
mpi dhm_P; /*!< prime modulus for DHM */
|
|
mpi dhm_G; /*!< generator for DHM */
|
|
#endif
|
|
|
|
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
|
/*
|
|
* PSK values
|
|
*/
|
|
unsigned char *psk;
|
|
size_t psk_len;
|
|
unsigned char *psk_identity;
|
|
size_t psk_identity_len;
|
|
#endif
|
|
|
|
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
|
/*
|
|
* SNI extension
|
|
*/
|
|
unsigned char *hostname;
|
|
size_t hostname_len;
|
|
#endif
|
|
|
|
#if defined(POLARSSL_SSL_ALPN)
|
|
/*
|
|
* ALPN extension
|
|
*/
|
|
const char **alpn_list; /*!< ordered list of supported protocols */
|
|
const char *alpn_chosen; /*!< negotiated protocol */
|
|
#endif
|
|
|
|
/*
|
|
* Secure renegotiation
|
|
*/
|
|
int secure_renegotiation; /*!< does peer support legacy or
|
|
secure renegotiation */
|
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
|
size_t verify_data_len; /*!< length of verify data stored */
|
|
char own_verify_data[SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */
|
|
char peer_verify_data[SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */
|
|
#endif
|
|
};
|
|
|
|
#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
|
|
|
|
#define SSL_CHANNEL_OUTBOUND 0
|
|
#define SSL_CHANNEL_INBOUND 1
|
|
|
|
extern int (*ssl_hw_record_init)(ssl_context *ssl,
|
|
const unsigned char *key_enc, const unsigned char *key_dec,
|
|
size_t keylen,
|
|
const unsigned char *iv_enc, const unsigned char *iv_dec,
|
|
size_t ivlen,
|
|
const unsigned char *mac_enc, const unsigned char *mac_dec,
|
|
size_t maclen);
|
|
extern int (*ssl_hw_record_activate)(ssl_context *ssl, int direction);
|
|
extern int (*ssl_hw_record_reset)(ssl_context *ssl);
|
|
extern int (*ssl_hw_record_write)(ssl_context *ssl);
|
|
extern int (*ssl_hw_record_read)(ssl_context *ssl);
|
|
extern int (*ssl_hw_record_finish)(ssl_context *ssl);
|
|
#endif /* POLARSSL_SSL_HW_RECORD_ACCEL */
|
|
|
|
/**
|
|
* \brief Returns the list of ciphersuites supported by the SSL/TLS module.
|
|
*
|
|
* \return a statically allocated array of ciphersuites, the last
|
|
* entry is 0.
|
|
*/
|
|
const int *ssl_list_ciphersuites( void );
|
|
|
|
/**
|
|
* \brief Return the name of the ciphersuite associated with the
|
|
* given ID
|
|
*
|
|
* \param ciphersuite_id SSL ciphersuite ID
|
|
*
|
|
* \return a string containing the ciphersuite name
|
|
*/
|
|
const char *ssl_get_ciphersuite_name( const int ciphersuite_id );
|
|
|
|
/**
|
|
* \brief Return the ID of the ciphersuite associated with the
|
|
* given name
|
|
*
|
|
* \param ciphersuite_name SSL ciphersuite name
|
|
*
|
|
* \return the ID with the ciphersuite or 0 if not found
|
|
*/
|
|
int ssl_get_ciphersuite_id( const char *ciphersuite_name );
|
|
|
|
/**
|
|
* \brief Initialize an SSL context
|
|
* (An individual SSL context is not thread-safe)
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return 0 if successful, or POLARSSL_ERR_SSL_MALLOC_FAILED if
|
|
* memory allocation failed
|
|
*/
|
|
int ssl_init( ssl_context *ssl );
|
|
|
|
/**
|
|
* \brief Reset an already initialized SSL context for re-use
|
|
* while retaining application-set variables, function
|
|
* pointers and data.
|
|
*
|
|
* \param ssl SSL context
|
|
* \return 0 if successful, or POLASSL_ERR_SSL_MALLOC_FAILED,
|
|
POLARSSL_ERR_SSL_HW_ACCEL_FAILED or
|
|
* POLARSSL_ERR_SSL_COMPRESSION_FAILED
|
|
*/
|
|
int ssl_session_reset( ssl_context *ssl );
|
|
|
|
/**
|
|
* \brief Set the current endpoint type
|
|
*
|
|
* \param ssl SSL context
|
|
* \param endpoint must be SSL_IS_CLIENT or SSL_IS_SERVER
|
|
*
|
|
* \note This function should be called right after ssl_init() since
|
|
* some other ssl_set_foo() functions depend on it.
|
|
*/
|
|
void ssl_set_endpoint( ssl_context *ssl, int endpoint );
|
|
|
|
/**
|
|
* \brief Set the certificate verification mode
|
|
*
|
|
* \param ssl SSL context
|
|
* \param authmode can be:
|
|
*
|
|
* SSL_VERIFY_NONE: peer certificate is not checked (default),
|
|
* this is insecure and SHOULD be avoided.
|
|
*
|
|
* SSL_VERIFY_OPTIONAL: peer certificate is checked, however the
|
|
* handshake continues even if verification failed;
|
|
* ssl_get_verify_result() can be called after the
|
|
* handshake is complete.
|
|
*
|
|
* SSL_VERIFY_REQUIRED: peer *must* present a valid certificate,
|
|
* handshake is aborted if verification failed.
|
|
*
|
|
* \note On client, SSL_VERIFY_REQUIRED is the recommended mode.
|
|
* With SSL_VERIFY_OPTIONAL, the user needs to call ssl_get_verify_result() at
|
|
* the right time(s), which may not be obvious, while REQUIRED always perform
|
|
* the verification as soon as possible. For example, REQUIRED was protecting
|
|
* against the "triple handshake" attack even before it was found.
|
|
*/
|
|
void ssl_set_authmode( ssl_context *ssl, int authmode );
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
/**
|
|
* \brief Set the verification callback (Optional).
|
|
*
|
|
* If set, the verify callback is called for each
|
|
* certificate in the chain. For implementation
|
|
* information, please see \c x509parse_verify()
|
|
*
|
|
* \param ssl SSL context
|
|
* \param f_vrfy verification function
|
|
* \param p_vrfy verification parameter
|
|
*/
|
|
void ssl_set_verify( ssl_context *ssl,
|
|
int (*f_vrfy)(void *, x509_crt *, int, int *),
|
|
void *p_vrfy );
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
|
|
/**
|
|
* \brief Set the random number generator callback
|
|
*
|
|
* \param ssl SSL context
|
|
* \param f_rng RNG function
|
|
* \param p_rng RNG parameter
|
|
*/
|
|
void ssl_set_rng( ssl_context *ssl,
|
|
int (*f_rng)(void *, unsigned char *, size_t),
|
|
void *p_rng );
|
|
|
|
/**
|
|
* \brief Set the debug callback
|
|
*
|
|
* \param ssl SSL context
|
|
* \param f_dbg debug function
|
|
* \param p_dbg debug parameter
|
|
*/
|
|
void ssl_set_dbg( ssl_context *ssl,
|
|
void (*f_dbg)(void *, int, const char *),
|
|
void *p_dbg );
|
|
|
|
/**
|
|
* \brief Set the underlying BIO read and write callbacks
|
|
*
|
|
* \param ssl SSL context
|
|
* \param f_recv read callback
|
|
* \param p_recv read parameter
|
|
* \param f_send write callback
|
|
* \param p_send write parameter
|
|
*/
|
|
void ssl_set_bio( ssl_context *ssl,
|
|
int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
|
|
int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
|
|
|
|
#if defined(POLARSSL_SSL_SRV_C)
|
|
/**
|
|
* \brief Set the session cache callbacks (server-side only)
|
|
* If not set, no session resuming is done (except if session
|
|
* tickets are enabled too).
|
|
*
|
|
* The session cache has the responsibility to check for stale
|
|
* entries based on timeout. See RFC 5246 for recommendations.
|
|
*
|
|
* Warning: session.peer_cert is cleared by the SSL/TLS layer on
|
|
* connection shutdown, so do not cache the pointer! Either set
|
|
* it to NULL or make a full copy of the certificate.
|
|
*
|
|
* The get callback is called once during the initial handshake
|
|
* to enable session resuming. The get function has the
|
|
* following parameters: (void *parameter, ssl_session *session)
|
|
* If a valid entry is found, it should fill the master of
|
|
* the session object with the cached values and return 0,
|
|
* return 1 otherwise. Optionally peer_cert can be set as well
|
|
* if it is properly present in cache entry.
|
|
*
|
|
* The set callback is called once during the initial handshake
|
|
* to enable session resuming after the entire handshake has
|
|
* been finished. The set function has the following parameters:
|
|
* (void *parameter, const ssl_session *session). The function
|
|
* should create a cache entry for future retrieval based on
|
|
* the data in the session structure and should keep in mind
|
|
* that the ssl_session object presented (and all its referenced
|
|
* data) is cleared by the SSL/TLS layer when the connection is
|
|
* terminated. It is recommended to add metadata to determine if
|
|
* an entry is still valid in the future. Return 0 if
|
|
* successfully cached, return 1 otherwise.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param f_get_cache session get callback
|
|
* \param p_get_cache session get parameter
|
|
* \param f_set_cache session set callback
|
|
* \param p_set_cache session set parameter
|
|
*/
|
|
void ssl_set_session_cache( ssl_context *ssl,
|
|
int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
|
|
int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache );
|
|
#endif /* POLARSSL_SSL_SRV_C */
|
|
|
|
#if defined(POLARSSL_SSL_CLI_C)
|
|
/**
|
|
* \brief Request resumption of session (client-side only)
|
|
* Session data is copied from presented session structure.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param session session context
|
|
*
|
|
* \return 0 if successful,
|
|
* POLARSSL_ERR_SSL_MALLOC_FAILED if memory allocation failed,
|
|
* POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side or
|
|
* arguments are otherwise invalid
|
|
*
|
|
* \sa ssl_get_session()
|
|
*/
|
|
int ssl_set_session( ssl_context *ssl, const ssl_session *session );
|
|
#endif /* POLARSSL_SSL_CLI_C */
|
|
|
|
/**
|
|
* \brief Set the list of allowed ciphersuites and the preference
|
|
* order. First in the list has the highest preference.
|
|
* (Overrides all version specific lists)
|
|
*
|
|
* The ciphersuites array is not copied, and must remain
|
|
* valid for the lifetime of the ssl_context.
|
|
*
|
|
* Note: The server uses its own preferences
|
|
* over the preference of the client unless
|
|
* POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
|
|
*
|
|
* \param ssl SSL context
|
|
* \param ciphersuites 0-terminated list of allowed ciphersuites
|
|
*/
|
|
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );
|
|
|
|
/**
|
|
* \brief Set the list of allowed ciphersuites and the
|
|
* preference order for a specific version of the protocol.
|
|
* (Only useful on the server side)
|
|
*
|
|
* \param ssl SSL context
|
|
* \param ciphersuites 0-terminated list of allowed ciphersuites
|
|
* \param major Major version number (only SSL_MAJOR_VERSION_3
|
|
* supported)
|
|
* \param minor Minor version number (SSL_MINOR_VERSION_0,
|
|
* SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
|
|
* SSL_MINOR_VERSION_3 supported)
|
|
*/
|
|
void ssl_set_ciphersuites_for_version( ssl_context *ssl,
|
|
const int *ciphersuites,
|
|
int major, int minor );
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
/**
|
|
* \brief Set the data required to verify peer certificate
|
|
*
|
|
* \param ssl SSL context
|
|
* \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
|
|
* \param ca_crl trusted CA CRLs
|
|
* \param peer_cn expected peer CommonName (or NULL)
|
|
*/
|
|
void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
|
|
x509_crl *ca_crl, const char *peer_cn );
|
|
|
|
/**
|
|
* \brief Set own certificate chain and private key
|
|
*
|
|
* \note own_cert should contain in order from the bottom up your
|
|
* certificate chain. The top certificate (self-signed)
|
|
* can be omitted.
|
|
*
|
|
* \note This function may be called more than once if you want to
|
|
* support multiple certificates (eg, one using RSA and one
|
|
* using ECDSA). However, on client, currently only the first
|
|
* certificate is used (subsequent calls have no effect).
|
|
*
|
|
* \param ssl SSL context
|
|
* \param own_cert own public certificate chain
|
|
* \param pk_key own private key
|
|
*
|
|
* \return 0 on success or POLARSSL_ERR_SSL_MALLOC_FAILED
|
|
*/
|
|
int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
|
|
pk_context *pk_key );
|
|
|
|
#if ! defined(POLARSSL_DEPRECATED_REMOVED)
|
|
#if defined(POLARSSL_DEPRECATED_WARNING)
|
|
#define DEPRECATED __attribute__((deprecated))
|
|
#else
|
|
#define DEPRECATED
|
|
#endif
|
|
#if defined(POLARSSL_RSA_C)
|
|
/**
|
|
* \brief Set own certificate chain and private RSA key
|
|
*
|
|
* Note: own_cert should contain IN order from the bottom
|
|
* up your certificate chain. The top certificate (self-signed)
|
|
* can be omitted.
|
|
*
|
|
* \deprecated Please use \c ssl_set_own_cert() instead.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param own_cert own public certificate chain
|
|
* \param rsa_key own private RSA key
|
|
*
|
|
* \return 0 on success, or a specific error code.
|
|
*/
|
|
int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
|
|
rsa_context *rsa_key ) DEPRECATED;
|
|
#endif /* POLARSSL_RSA_C */
|
|
|
|
/**
|
|
* \brief Set own certificate and external RSA private
|
|
* key and handling callbacks, such as the PKCS#11 wrappers
|
|
* or any other external private key handler.
|
|
* (see the respective RSA functions in rsa.h for documentation
|
|
* of the callback parameters, with the only change being
|
|
* that the rsa_context * is a void * in the callbacks)
|
|
*
|
|
* Note: own_cert should contain IN order from the bottom
|
|
* up your certificate chain. The top certificate (self-signed)
|
|
* can be omitted.
|
|
*
|
|
* \deprecated Please use \c pk_init_ctx_rsa_alt()
|
|
* and \c ssl_set_own_cert() instead.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param own_cert own public certificate chain
|
|
* \param rsa_key alternate implementation private RSA key
|
|
* \param rsa_decrypt alternate implementation of \c rsa_pkcs1_decrypt()
|
|
* \param rsa_sign alternate implementation of \c rsa_pkcs1_sign()
|
|
* \param rsa_key_len function returning length of RSA key in bytes
|
|
*
|
|
* \return 0 on success, or a specific error code.
|
|
*/
|
|
int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
|
|
void *rsa_key,
|
|
rsa_decrypt_func rsa_decrypt,
|
|
rsa_sign_func rsa_sign,
|
|
rsa_key_len_func rsa_key_len ) DEPRECATED;
|
|
#undef DEPRECATED
|
|
#endif /* POLARSSL_DEPRECATED_REMOVED */
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
|
|
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
|
/**
|
|
* \brief Set the Pre Shared Key (PSK) and the identity name connected
|
|
* to it.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param psk pointer to the pre-shared key
|
|
* \param psk_len pre-shared key length
|
|
* \param psk_identity pointer to the pre-shared key identity
|
|
* \param psk_identity_len identity key length
|
|
*
|
|
* \return 0 if successful or POLARSSL_ERR_SSL_MALLOC_FAILED
|
|
*/
|
|
int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
|
|
const unsigned char *psk_identity, size_t psk_identity_len );
|
|
|
|
/**
|
|
* \brief Set the PSK callback (server-side only) (Optional).
|
|
*
|
|
* If set, the PSK callback is called for each
|
|
* handshake where a PSK ciphersuite was negotiated.
|
|
* The caller provides the identity received and wants to
|
|
* receive the actual PSK data and length.
|
|
*
|
|
* The callback has the following parameters: (void *parameter,
|
|
* ssl_context *ssl, const unsigned char *psk_identity,
|
|
* size_t identity_len)
|
|
* If a valid PSK identity is found, the callback should use
|
|
* ssl_set_psk() on the ssl context to set the correct PSK and
|
|
* identity and return 0.
|
|
* Any other return value will result in a denied PSK identity.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param f_psk PSK identity function
|
|
* \param p_psk PSK identity parameter
|
|
*/
|
|
void ssl_set_psk_cb( ssl_context *ssl,
|
|
int (*f_psk)(void *, ssl_context *, const unsigned char *,
|
|
size_t),
|
|
void *p_psk );
|
|
#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
|
|
|
#if defined(POLARSSL_DHM_C)
|
|
/**
|
|
* \brief Set the Diffie-Hellman public P and G values,
|
|
* read as hexadecimal strings (server-side only)
|
|
* (Default: POLARSSL_DHM_RFC5114_MODP_2048_[PG])
|
|
*
|
|
* \param ssl SSL context
|
|
* \param dhm_P Diffie-Hellman-Merkle modulus
|
|
* \param dhm_G Diffie-Hellman-Merkle generator
|
|
*
|
|
* \return 0 if successful
|
|
*/
|
|
int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G );
|
|
|
|
/**
|
|
* \brief Set the Diffie-Hellman public P and G values,
|
|
* read from existing context (server-side only)
|
|
*
|
|
* \param ssl SSL context
|
|
* \param dhm_ctx Diffie-Hellman-Merkle context
|
|
*
|
|
* \return 0 if successful
|
|
*/
|
|
int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
|
|
#endif /* POLARSSL_DHM_C */
|
|
|
|
#if defined(POLARSSL_SSL_SET_CURVES)
|
|
/**
|
|
* \brief Set the allowed curves in order of preference.
|
|
* (Default: all defined curves.)
|
|
*
|
|
* On server: this only affects selection of the ECDHE curve;
|
|
* the curves used for ECDH and ECDSA are determined by the
|
|
* list of available certificates instead.
|
|
*
|
|
* On client: this affects the list of curves offered for any
|
|
* use. The server can override our preference order.
|
|
*
|
|
* Both sides: limits the set of curves used by peer to the
|
|
* listed curves for any use (ECDH(E), certificates).
|
|
*
|
|
* \param ssl SSL context
|
|
* \param curves Ordered list of allowed curves,
|
|
* terminated by POLARSSL_ECP_DP_NONE.
|
|
*/
|
|
void ssl_set_curves( ssl_context *ssl, const ecp_group_id *curves );
|
|
#endif /* POLARSSL_SSL_SET_CURVES */
|
|
|
|
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
|
/**
|
|
* \brief Set hostname for ServerName TLS extension
|
|
* (client-side only)
|
|
*
|
|
*
|
|
* \param ssl SSL context
|
|
* \param hostname the server hostname
|
|
*
|
|
* \return 0 if successful or POLARSSL_ERR_SSL_MALLOC_FAILED
|
|
*/
|
|
int ssl_set_hostname( ssl_context *ssl, const char *hostname );
|
|
|
|
/**
|
|
* \brief Set server side ServerName TLS extension callback
|
|
* (optional, server-side only).
|
|
*
|
|
* If set, the ServerName callback is called whenever the
|
|
* server receives a ServerName TLS extension from the client
|
|
* during a handshake. The ServerName callback has the
|
|
* following parameters: (void *parameter, ssl_context *ssl,
|
|
* const unsigned char *hostname, size_t len). If a suitable
|
|
* certificate is found, the callback should set the
|
|
* certificate and key to use with ssl_set_own_cert() (and
|
|
* possibly adjust the CA chain as well) and return 0. The
|
|
* callback should return -1 to abort the handshake at this
|
|
* point.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param f_sni verification function
|
|
* \param p_sni verification parameter
|
|
*/
|
|
void ssl_set_sni( ssl_context *ssl,
|
|
int (*f_sni)(void *, ssl_context *, const unsigned char *,
|
|
size_t),
|
|
void *p_sni );
|
|
#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
|
|
|
|
#if defined(POLARSSL_SSL_ALPN)
|
|
/**
|
|
* \brief Set the supported Application Layer Protocols.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param protos NULL-terminated list of supported protocols,
|
|
* in decreasing preference order.
|
|
*
|
|
* \return 0 on success, or POLARSSL_ERR_SSL_BAD_INPUT_DATA.
|
|
*/
|
|
int ssl_set_alpn_protocols( ssl_context *ssl, const char **protos );
|
|
|
|
/**
|
|
* \brief Get the name of the negotiated Application Layer Protocol.
|
|
* This function should be called after the handshake is
|
|
* completed.
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return Protcol name, or NULL if no protocol was negotiated.
|
|
*/
|
|
const char *ssl_get_alpn_protocol( const ssl_context *ssl );
|
|
#endif /* POLARSSL_SSL_ALPN */
|
|
|
|
/**
|
|
* \brief Set the maximum supported version sent from the client side
|
|
* and/or accepted at the server side
|
|
* (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION)
|
|
*
|
|
* Note: This ignores ciphersuites from 'higher' versions.
|
|
* Note: Input outside of the SSL_MAX_XXXXX_VERSION and
|
|
* SSL_MIN_XXXXX_VERSION range is ignored.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param major Major version number (only SSL_MAJOR_VERSION_3 supported)
|
|
* \param minor Minor version number (SSL_MINOR_VERSION_0,
|
|
* SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
|
|
* SSL_MINOR_VERSION_3 supported)
|
|
*/
|
|
void ssl_set_max_version( ssl_context *ssl, int major, int minor );
|
|
|
|
/**
|
|
* \brief Set the minimum accepted SSL/TLS protocol version
|
|
* (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
|
|
*
|
|
* \note Input outside of the SSL_MAX_XXXXX_VERSION and
|
|
* SSL_MIN_XXXXX_VERSION range is ignored.
|
|
*
|
|
* \note SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param major Major version number (only SSL_MAJOR_VERSION_3 supported)
|
|
* \param minor Minor version number (SSL_MINOR_VERSION_0,
|
|
* SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
|
|
* SSL_MINOR_VERSION_3 supported)
|
|
*/
|
|
void ssl_set_min_version( ssl_context *ssl, int major, int minor );
|
|
|
|
#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
|
|
/**
|
|
* \brief Set the fallback flag (client-side only).
|
|
* (Default: SSL_IS_NOT_FALLBACK).
|
|
*
|
|
* \note Set to SSL_IS_FALLBACK when preparing a fallback
|
|
* connection, that is a connection with max_version set to a
|
|
* lower value than the value you're willing to use. Such
|
|
* fallback connections are not recommended but are sometimes
|
|
* necessary to interoperate with buggy (version-intolerant)
|
|
* servers.
|
|
*
|
|
* \warning You should NOT set this to SSL_IS_FALLBACK for
|
|
* non-fallback connections! This would appear to work for a
|
|
* while, then cause failures when the server is upgraded to
|
|
* support a newer TLS version.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param fallback SSL_IS_NOT_FALLBACK or SSL_IS_FALLBACK
|
|
*/
|
|
void ssl_set_fallback( ssl_context *ssl, char fallback );
|
|
#endif /* POLARSSL_SSL_FALLBACK_SCSV && POLARSSL_SSL_CLI_C */
|
|
|
|
#if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
|
|
/**
|
|
* \brief Enable or disable Encrypt-then-MAC
|
|
* (Default: SSL_ETM_ENABLED)
|
|
*
|
|
* \note This should always be enabled, it is a security
|
|
* improvement, and should not cause any interoperability
|
|
* issue (used only if the peer supports it too).
|
|
*
|
|
* \param ssl SSL context
|
|
* \param etm SSL_ETM_ENABLED or SSL_ETM_DISABLED
|
|
*/
|
|
void ssl_set_encrypt_then_mac( ssl_context *ssl, char etm );
|
|
#endif /* POLARSSL_SSL_ENCRYPT_THEN_MAC */
|
|
|
|
#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
|
|
/**
|
|
* \brief Enable or disable Extended Master Secret negotiation.
|
|
* (Default: SSL_EXTENDED_MS_ENABLED)
|
|
*
|
|
* \note This should always be enabled, it is a security fix to the
|
|
* protocol, and should not cause any interoperability issue
|
|
* (used only if the peer supports it too).
|
|
*
|
|
* \param ssl SSL context
|
|
* \param ems SSL_EXTENDED_MS_ENABLED or SSL_EXTENDED_MS_DISABLED
|
|
*/
|
|
void ssl_set_extended_master_secret( ssl_context *ssl, char ems );
|
|
#endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */
|
|
|
|
/**
|
|
* \brief Disable or enable support for RC4
|
|
* (Default: SSL_ARC4_ENABLED)
|
|
*
|
|
* \note Though the default is RC4 for compatibility reasons in the
|
|
* 1.3 branch, the recommended value is SSL_ARC4_DISABLED.
|
|
*
|
|
* \note This function will likely be removed in future versions as
|
|
* RC4 will then be disabled by default at compile time.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param arc4 SSL_ARC4_ENABLED or SSL_ARC4_DISABLED
|
|
*/
|
|
void ssl_set_arc4_support( ssl_context *ssl, char arc4 );
|
|
|
|
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
|
|
/**
|
|
* \brief Set the maximum fragment length to emit and/or negotiate
|
|
* (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes)
|
|
* (Server: set maximum fragment length to emit,
|
|
* usually negotiated by the client during handshake
|
|
* (Client: set maximum fragment length to emit *and*
|
|
* negotiate with the server during handshake)
|
|
*
|
|
* \param ssl SSL context
|
|
* \param mfl_code Code for maximum fragment length (allowed values:
|
|
* SSL_MAX_FRAG_LEN_512, SSL_MAX_FRAG_LEN_1024,
|
|
* SSL_MAX_FRAG_LEN_2048, SSL_MAX_FRAG_LEN_4096)
|
|
*
|
|
* \return 0 if successful or POLARSSL_ERR_SSL_BAD_INPUT_DATA
|
|
*/
|
|
int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
|
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
|
|
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
|
/**
|
|
* \brief Activate negotiation of truncated HMAC
|
|
* (Default: SSL_TRUNC_HMAC_DISABLED on client,
|
|
* SSL_TRUNC_HMAC_ENABLED on server.)
|
|
*
|
|
* \param ssl SSL context
|
|
* \param truncate Enable or disable (SSL_TRUNC_HMAC_ENABLED or
|
|
* SSL_TRUNC_HMAC_DISABLED)
|
|
*
|
|
* \return Always 0.
|
|
*/
|
|
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
|
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
|
|
|
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
|
/**
|
|
* \brief Enable / Disable 1/n-1 record splitting
|
|
* (Default: SSL_CBC_RECORD_SPLITTING_ENABLED)
|
|
*
|
|
* \note Only affects SSLv3 and TLS 1.0, not higher versions.
|
|
* Does not affect non-CBC ciphersuites in any version.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param split SSL_CBC_RECORD_SPLITTING_ENABLED or
|
|
* SSL_CBC_RECORD_SPLITTING_DISABLED
|
|
*/
|
|
void ssl_set_cbc_record_splitting( ssl_context *ssl, char split );
|
|
#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
|
|
|
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
|
/**
|
|
* \brief Enable / Disable session tickets
|
|
* (Default: SSL_SESSION_TICKETS_ENABLED on client,
|
|
* SSL_SESSION_TICKETS_DISABLED on server)
|
|
*
|
|
* \note On server, ssl_set_rng() must be called before this function
|
|
* to allow generating the ticket encryption and
|
|
* authentication keys.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param use_tickets Enable or disable (SSL_SESSION_TICKETS_ENABLED or
|
|
* SSL_SESSION_TICKETS_DISABLED)
|
|
*
|
|
* \return 0 if successful,
|
|
* or a specific error code (server only).
|
|
*/
|
|
int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
|
|
|
|
/**
|
|
* \brief Set session ticket lifetime (server only)
|
|
* (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))
|
|
*
|
|
* \param ssl SSL context
|
|
* \param lifetime session ticket lifetime
|
|
*/
|
|
void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime );
|
|
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
|
|
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
|
/**
|
|
* \brief Enable / Disable renegotiation support for connection when
|
|
* initiated by peer
|
|
* (Default: SSL_RENEGOTIATION_DISABLED)
|
|
*
|
|
* Note: A server with support enabled is more vulnerable for a
|
|
* resource DoS by a malicious client. You should enable this on
|
|
* a client to enable server-initiated renegotiation.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param renegotiation Enable or disable (SSL_RENEGOTIATION_ENABLED or
|
|
* SSL_RENEGOTIATION_DISABLED)
|
|
*/
|
|
void ssl_set_renegotiation( ssl_context *ssl, int renegotiation );
|
|
#endif /* POLARSSL_SSL_RENEGOTIATION */
|
|
|
|
/**
|
|
* \brief Prevent or allow legacy renegotiation.
|
|
* (Default: SSL_LEGACY_NO_RENEGOTIATION)
|
|
*
|
|
* SSL_LEGACY_NO_RENEGOTIATION allows connections to
|
|
* be established even if the peer does not support
|
|
* secure renegotiation, but does not allow renegotiation
|
|
* to take place if not secure.
|
|
* (Interoperable and secure option)
|
|
*
|
|
* SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations
|
|
* with non-upgraded peers. Allowing legacy renegotiation
|
|
* makes the connection vulnerable to specific man in the
|
|
* middle attacks. (See RFC 5746)
|
|
* (Most interoperable and least secure option)
|
|
*
|
|
* SSL_LEGACY_BREAK_HANDSHAKE breaks off connections
|
|
* if peer does not support secure renegotiation. Results
|
|
* in interoperability issues with non-upgraded peers
|
|
* that do not support renegotiation altogether.
|
|
* (Most secure option, interoperability issues)
|
|
*
|
|
* \param ssl SSL context
|
|
* \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
|
|
* SSL_ALLOW_LEGACY_RENEGOTIATION or
|
|
* SSL_LEGACY_BREAK_HANDSHAKE)
|
|
*/
|
|
void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
|
|
|
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
|
/**
|
|
* \brief Enforce requested renegotiation.
|
|
* (Default: enforced, max_records = 16)
|
|
*
|
|
* When we request a renegotiation, the peer can comply or
|
|
* ignore the request. This function allows us to decide
|
|
* whether to enforce our renegotiation requests by closing
|
|
* the connection if the peer doesn't comply.
|
|
*
|
|
* However, records could already be in transit from the peer
|
|
* when the request is emitted. In order to increase
|
|
* reliability, we can accept a number of records before the
|
|
* expected handshake records.
|
|
*
|
|
* The optimal value is highly dependent on the specific usage
|
|
* scenario.
|
|
*
|
|
* \warning On client, the grace period can only happen during
|
|
* ssl_read(), as opposed to ssl_write() and ssl_renegotiate()
|
|
* which always behave as if max_record was 0. The reason is,
|
|
* if we receive application data from the server, we need a
|
|
* place to write it, which only happens during ssl_read().
|
|
*
|
|
* \param ssl SSL context
|
|
* \param max_records Use SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
|
|
* enforce renegotiation, or a non-negative value to enforce
|
|
* it but allow for a grace period of max_records records.
|
|
*/
|
|
void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records );
|
|
|
|
/**
|
|
* \brief Set record counter threshold for periodic renegotiation.
|
|
* (Default: 2^64 - 256.)
|
|
*
|
|
* Renegotiation is automatically triggered when a record
|
|
* counter (outgoing or ingoing) crosses the defined
|
|
* threshold. The default value is meant to prevent the
|
|
* connection from being closed when the counter is about to
|
|
* reached its maximal value (it is not allowed to wrap).
|
|
*
|
|
* Lower values can be used to enforce policies such as "keys
|
|
* must be refreshed every N packets with cipher X".
|
|
*
|
|
* \param ssl SSL context
|
|
* \param period The threshold value: a big-endian 64-bit number.
|
|
* Set to 2^64 - 1 to disable periodic renegotiation
|
|
*/
|
|
void ssl_set_renegotiation_period( ssl_context *ssl,
|
|
const unsigned char period[8] );
|
|
#endif /* POLARSSL_SSL_RENEGOTIATION */
|
|
|
|
/**
|
|
* \brief Return the number of data bytes available to read
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return how many bytes are available in the read buffer
|
|
*/
|
|
size_t ssl_get_bytes_avail( const ssl_context *ssl );
|
|
|
|
/**
|
|
* \brief Return the result of the certificate verification
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return 0 if successful,
|
|
* -1 if result is not available (eg because the handshake was
|
|
* aborted too early), or
|
|
* a combination of BADCERT_xxx and BADCRL_xxx flags, see
|
|
* x509.h
|
|
*/
|
|
int ssl_get_verify_result( const ssl_context *ssl );
|
|
|
|
/**
|
|
* \brief Return the name of the current ciphersuite
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return a string containing the ciphersuite name
|
|
*/
|
|
const char *ssl_get_ciphersuite( const ssl_context *ssl );
|
|
|
|
/**
|
|
* \brief Return the current SSL version (SSLv3/TLSv1/etc)
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return a string containing the SSL version
|
|
*/
|
|
const char *ssl_get_version( const ssl_context *ssl );
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
/**
|
|
* \brief Return the peer certificate from the current connection
|
|
*
|
|
* Note: Can be NULL in case no certificate was sent during
|
|
* the handshake. Different calls for the same connection can
|
|
* return the same or different pointers for the same
|
|
* certificate and even a different certificate altogether.
|
|
* The peer cert CAN change in a single connection if
|
|
* renegotiation is performed.
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return the current peer certificate
|
|
*/
|
|
const x509_crt *ssl_get_peer_cert( const ssl_context *ssl );
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
|
|
#if defined(POLARSSL_SSL_CLI_C)
|
|
/**
|
|
* \brief Save session in order to resume it later (client-side only)
|
|
* Session data is copied to presented session structure.
|
|
*
|
|
* \warning Currently, peer certificate is lost in the operation.
|
|
*
|
|
* \param ssl SSL context
|
|
* \param session session context
|
|
*
|
|
* \return 0 if successful,
|
|
* POLARSSL_ERR_SSL_MALLOC_FAILED if memory allocation failed,
|
|
* POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side or
|
|
* arguments are otherwise invalid
|
|
*
|
|
* \sa ssl_set_session()
|
|
*/
|
|
int ssl_get_session( const ssl_context *ssl, ssl_session *session );
|
|
#endif /* POLARSSL_SSL_CLI_C */
|
|
|
|
/**
|
|
* \brief Perform the SSL handshake
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return 0 if successful, POLARSSL_ERR_NET_WANT_READ,
|
|
* POLARSSL_ERR_NET_WANT_WRITE, or a specific SSL error code.
|
|
*/
|
|
int ssl_handshake( ssl_context *ssl );
|
|
|
|
/**
|
|
* \brief Perform a single step of the SSL handshake
|
|
*
|
|
* Note: the state of the context (ssl->state) will be at
|
|
* the following state after execution of this function.
|
|
* Do not call this function if state is SSL_HANDSHAKE_OVER.
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return 0 if successful, POLARSSL_ERR_NET_WANT_READ,
|
|
* POLARSSL_ERR_NET_WANT_WRITE, or a specific SSL error code.
|
|
*/
|
|
int ssl_handshake_step( ssl_context *ssl );
|
|
|
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
|
/**
|
|
* \brief Initiate an SSL renegotiation on the running connection.
|
|
* Client: perform the renegotiation right now.
|
|
* Server: request renegotiation, which will be performed
|
|
* during the next call to ssl_read() if honored by client.
|
|
*
|
|
* \param ssl SSL context
|
|
*
|
|
* \return 0 if successful, or any ssl_handshake() return value.
|
|
*/
|
|
int ssl_renegotiate( ssl_context *ssl );
|
|
#endif /* POLARSSL_SSL_RENEGOTIATION */
|
|
|
|
/**
|
|
* \brief Read at most 'len' application data bytes
|
|
*
|
|
* \param ssl SSL context
|
|
* \param buf buffer that will hold the data
|
|
* \param len maximum number of bytes to read
|
|
*
|
|
* \return This function returns the number of bytes read, 0 for EOF,
|
|
* or a negative error code.
|
|
*/
|
|
int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len );
|
|
|
|
/**
|
|
* \brief Write exactly 'len' application data bytes
|
|
*
|
|
* \param ssl SSL context
|
|
* \param buf buffer holding the data
|
|
* \param len how many bytes must be written
|
|
*
|
|
* \return This function returns the number of bytes written,
|
|
* or a negative error code.
|
|
*
|
|
* \note When this function returns POLARSSL_ERR_NET_WANT_WRITE,
|
|
* it must be called later with the *same* arguments,
|
|
* until it returns a positive value.
|
|
*
|
|
* \note This function may write less than the number of bytes
|
|
* requested if len is greater than the maximum record length.
|
|
* For arbitrary-sized messages, it should be called in a loop.
|
|
*/
|
|
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len );
|
|
|
|
/**
|
|
* \brief Send an alert message
|
|
*
|
|
* \param ssl SSL context
|
|
* \param level The alert level of the message
|
|
* (SSL_ALERT_LEVEL_WARNING or SSL_ALERT_LEVEL_FATAL)
|
|
* \param message The alert message (SSL_ALERT_MSG_*)
|
|
*
|
|
* \return 0 if successful, or a specific SSL error code.
|
|
*/
|
|
int ssl_send_alert_message( ssl_context *ssl,
|
|
unsigned char level,
|
|
unsigned char message );
|
|
/**
|
|
* \brief Notify the peer that the connection is being closed
|
|
*
|
|
* \param ssl SSL context
|
|
*/
|
|
int ssl_close_notify( ssl_context *ssl );
|
|
|
|
/**
|
|
* \brief Free referenced items in an SSL context and clear memory
|
|
*
|
|
* \param ssl SSL context
|
|
*/
|
|
void ssl_free( ssl_context *ssl );
|
|
|
|
/**
|
|
* \brief Initialize SSL session structure
|
|
*
|
|
* \param session SSL session
|
|
*/
|
|
void ssl_session_init( ssl_session *session );
|
|
|
|
/**
|
|
* \brief Free referenced items in an SSL session including the
|
|
* peer certificate and clear memory
|
|
*
|
|
* \param session SSL session
|
|
*/
|
|
void ssl_session_free( ssl_session *session );
|
|
|
|
/**
|
|
* \brief Free referenced items in an SSL transform context and clear
|
|
* memory
|
|
*
|
|
* \param transform SSL transform context
|
|
*/
|
|
void ssl_transform_free( ssl_transform *transform );
|
|
|
|
/**
|
|
* \brief Free referenced items in an SSL handshake context and clear
|
|
* memory
|
|
*
|
|
* \param handshake SSL handshake context
|
|
*/
|
|
void ssl_handshake_free( ssl_handshake_params *handshake );
|
|
|
|
/*
|
|
* Internal functions (do not call directly)
|
|
*/
|
|
int ssl_handshake_client_step( ssl_context *ssl );
|
|
int ssl_handshake_server_step( ssl_context *ssl );
|
|
void ssl_handshake_wrapup( ssl_context *ssl );
|
|
|
|
int ssl_send_fatal_handshake_failure( ssl_context *ssl );
|
|
|
|
int ssl_derive_keys( ssl_context *ssl );
|
|
|
|
int ssl_read_record( ssl_context *ssl );
|
|
/**
|
|
* \return 0 if successful, POLARSSL_ERR_SSL_CONN_EOF on EOF or
|
|
* another negative error code.
|
|
*/
|
|
int ssl_fetch_input( ssl_context *ssl, size_t nb_want );
|
|
|
|
int ssl_write_record( ssl_context *ssl );
|
|
int ssl_flush_output( ssl_context *ssl );
|
|
|
|
int ssl_parse_certificate( ssl_context *ssl );
|
|
int ssl_write_certificate( ssl_context *ssl );
|
|
|
|
int ssl_parse_change_cipher_spec( ssl_context *ssl );
|
|
int ssl_write_change_cipher_spec( ssl_context *ssl );
|
|
|
|
int ssl_parse_finished( ssl_context *ssl );
|
|
int ssl_write_finished( ssl_context *ssl );
|
|
|
|
void ssl_optimize_checksum( ssl_context *ssl,
|
|
const ssl_ciphersuite_t *ciphersuite_info );
|
|
|
|
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
|
int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex );
|
|
#endif
|
|
|
|
#if defined(POLARSSL_PK_C)
|
|
unsigned char ssl_sig_from_pk( pk_context *pk );
|
|
unsigned char ssl_sig_from_pk_alg( pk_type_t type );
|
|
pk_type_t ssl_pk_alg_from_sig( unsigned char sig );
|
|
#endif
|
|
|
|
md_type_t ssl_md_alg_from_hash( unsigned char hash );
|
|
unsigned char ssl_hash_from_md_alg( md_type_t md );
|
|
|
|
#if defined(POLARSSL_SSL_SET_CURVES)
|
|
int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id );
|
|
#endif
|
|
|
|
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
|
|
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
|
|
|
/* Find an entry in a signature-hash set matching a given hash algorithm. */
|
|
md_type_t ssl_sig_hash_set_find( ssl_sig_hash_set_t *set,
|
|
pk_type_t sig_alg );
|
|
/* Add a signature-hash-pair to a signature-hash set */
|
|
void ssl_sig_hash_set_add( ssl_sig_hash_set_t *set,
|
|
pk_type_t sig_alg,
|
|
md_type_t md_alg );
|
|
/* Allow exactly one hash algorithm for each signature. */
|
|
void ssl_sig_hash_set_const_hash( ssl_sig_hash_set_t *set,
|
|
md_type_t md_alg );
|
|
|
|
/* Setup an empty signature-hash set */
|
|
static inline void ssl_sig_hash_set_init( ssl_sig_hash_set_t *set )
|
|
{
|
|
ssl_sig_hash_set_const_hash( set, POLARSSL_MD_NONE );
|
|
}
|
|
|
|
#endif /* POLARSSL_SSL_PROTO_TLS1_2) &&
|
|
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
|
|
|
#if defined(POLARSSL_X509_CRT_PARSE_C)
|
|
static inline pk_context *ssl_own_key( ssl_context *ssl )
|
|
{
|
|
return( ssl->handshake->key_cert == NULL ? NULL
|
|
: ssl->handshake->key_cert->key );
|
|
}
|
|
|
|
static inline x509_crt *ssl_own_cert( ssl_context *ssl )
|
|
{
|
|
return( ssl->handshake->key_cert == NULL ? NULL
|
|
: ssl->handshake->key_cert->cert );
|
|
}
|
|
|
|
/*
|
|
* Check if a hash proposed by the peer is in our list.
|
|
* Return 0 if we're willing to use it, -1 otherwise.
|
|
*/
|
|
int ssl_check_sig_hash( md_type_t md );
|
|
|
|
/*
|
|
* Check usage of a certificate wrt extensions:
|
|
* keyUsage, extendedKeyUsage (later), and nSCertType (later).
|
|
*
|
|
* Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
|
|
* check a cert we received from them)!
|
|
*
|
|
* Return 0 if everything is OK, -1 if not.
|
|
*/
|
|
int ssl_check_cert_usage( const x509_crt *cert,
|
|
const ssl_ciphersuite_t *ciphersuite,
|
|
int cert_endpoint,
|
|
int *flags );
|
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
|
|
|
/* constant-time buffer comparison */
|
|
static inline int safer_memcmp( const void *a, const void *b, size_t n )
|
|
{
|
|
size_t i;
|
|
const unsigned char *A = (const unsigned char *) a;
|
|
const unsigned char *B = (const unsigned char *) b;
|
|
unsigned char diff = 0;
|
|
|
|
for( i = 0; i < n; i++ )
|
|
diff |= A[i] ^ B[i];
|
|
|
|
return( diff );
|
|
}
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif /* ssl.h */
|