SSL/TLS functions.
#include "config.h"
#include "net.h"
#include "bignum.h"
#include "ssl_ciphersuites.h"
#include "md5.h"
#include "sha1.h"
#include "sha256.h"
#include "sha512.h"
#include "aes.h"
#include "x509_crt.h"
#include "x509_crl.h"
#include "dhm.h"
#include "ecdh.h"
#include <time.h>
Data Structures | |
struct | _ssl_session |
struct | _ssl_transform |
struct | _ssl_handshake_params |
struct | _ssl_ticket_keys |
struct | _ssl_key_cert |
struct | _ssl_context |
Defines | |
#define | POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED |
#define | POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 |
The requested feature is not available. | |
#define | POLARSSL_ERR_SSL_BAD_INPUT_DATA -0x7100 |
Bad input parameters to function. | |
#define | POLARSSL_ERR_SSL_INVALID_MAC -0x7180 |
Verification of the message MAC failed. | |
#define | POLARSSL_ERR_SSL_INVALID_RECORD -0x7200 |
An invalid SSL record was received. | |
#define | POLARSSL_ERR_SSL_CONN_EOF -0x7280 |
The connection indicated an EOF. | |
#define | POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x7300 |
An unknown cipher was received. | |
#define | POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 |
The server has no ciphersuites in common with the client. | |
#define | POLARSSL_ERR_SSL_NO_SESSION_FOUND -0x7400 |
No session to recover was found. | |
#define | POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 |
No client certificate received from the client, but required by the authentication mode. | |
#define | POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 |
Our own certificate(s) is/are too large to send in an SSL message. | |
#define | POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 |
The own certificate is not set, but needed by the server. | |
#define | POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 |
The own private key or pre-shared key is not set, but needed. | |
#define | POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 |
No CA Chain is set, but required to operate. | |
#define | POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 |
An unexpected message was received from our peer. | |
#define | POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 |
A fatal alert message was received from our peer. | |
#define | POLARSSL_ERR_SSL_PEER_VERIFY_FAILED -0x7800 |
Verification of our peer failed. | |
#define | POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 |
The peer notified us that the connection is going to be closed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 |
Processing of the ClientHello handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 |
Processing of the ServerHello handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00 |
Processing of the Certificate handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0x7A80 |
Processing of the CertificateRequest handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0x7B00 |
Processing of the ServerKeyExchange handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0x7B80 |
Processing of the ServerHelloDone handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0x7C00 |
Processing of the ClientKeyExchange handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP -0x7C80 |
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public. | |
#define | POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS -0x7D00 |
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret. | |
#define | POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80 |
Processing of the CertificateVerify handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00 |
Processing of the ChangeCipherSpec handshake message failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_FINISHED -0x7E80 |
Processing of the Finished handshake message failed. | |
#define | POLARSSL_ERR_SSL_MALLOC_FAILED -0x7F00 |
Memory allocation failed. | |
#define | POLARSSL_ERR_SSL_HW_ACCEL_FAILED -0x7F80 |
Hardware acceleration function returned with error. | |
#define | POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 |
Hardware acceleration function skipped / left alone data. | |
#define | POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 |
Processing of the compression / decompression failed. | |
#define | POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 |
Handshake protocol not within min/max boundaries. | |
#define | POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 |
Processing of the NewSessionTicket handshake message failed. | |
#define | POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 |
Session ticket has expired. | |
#define | POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 |
Public key type mismatch (eg, asked for RSA key exchange and presented EC key). | |
#define | POLARSSL_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 |
Unknown identity received (eg, PSK identity). | |
#define | POLARSSL_ERR_SSL_INTERNAL_ERROR -0x6C00 |
Internal error (eg, unexpected failure in lower-level module). | |
#define | SSL_MAJOR_VERSION_3 3 |
#define | SSL_MINOR_VERSION_0 0 |
#define | SSL_MINOR_VERSION_1 1 |
#define | SSL_MINOR_VERSION_2 2 |
#define | SSL_MINOR_VERSION_3 3 |
#define | SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3 |
#define | SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0 |
#define | SSL_MAX_MAJOR_VERSION SSL_MAJOR_VERSION_3 |
#define | SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_3 |
#define | SSL_MAX_FRAG_LEN_NONE 0 |
#define | SSL_MAX_FRAG_LEN_512 1 |
#define | SSL_MAX_FRAG_LEN_1024 2 |
#define | SSL_MAX_FRAG_LEN_2048 3 |
#define | SSL_MAX_FRAG_LEN_4096 4 |
#define | SSL_MAX_FRAG_LEN_INVALID 5 |
#define | SSL_IS_CLIENT 0 |
#define | SSL_IS_SERVER 1 |
#define | SSL_COMPRESS_NULL 0 |
#define | SSL_COMPRESS_DEFLATE 1 |
#define | SSL_VERIFY_NONE 0 |
#define | SSL_VERIFY_OPTIONAL 1 |
#define | SSL_VERIFY_REQUIRED 2 |
#define | SSL_INITIAL_HANDSHAKE 0 |
#define | SSL_RENEGOTIATION 1 |
#define | SSL_RENEGOTIATION_DONE 2 |
#define | SSL_RENEGOTIATION_PENDING 3 |
#define | SSL_LEGACY_RENEGOTIATION 0 |
#define | SSL_SECURE_RENEGOTIATION 1 |
#define | SSL_RENEGOTIATION_DISABLED 0 |
#define | SSL_RENEGOTIATION_ENABLED 1 |
#define | SSL_LEGACY_NO_RENEGOTIATION 0 |
#define | SSL_LEGACY_ALLOW_RENEGOTIATION 1 |
#define | SSL_LEGACY_BREAK_HANDSHAKE 2 |
#define | SSL_TRUNC_HMAC_DISABLED 0 |
#define | SSL_TRUNC_HMAC_ENABLED 1 |
#define | SSL_TRUNCATED_HMAC_LEN 10 |
#define | SSL_SESSION_TICKETS_DISABLED 0 |
#define | SSL_SESSION_TICKETS_ENABLED 1 |
#define | SSL_DEFAULT_TICKET_LIFETIME 86400 |
Lifetime of session tickets (if enabled). | |
#define | SSL_MAX_CONTENT_LEN 16384 |
Size of the input / output buffer. | |
#define | SSL_COMPRESSION_ADD 0 |
#define | SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 512) |
#define | SSL_EMPTY_RENEGOTIATION_INFO 0xFF |
renegotiation info ext | |
#define | SSL_HASH_NONE 0 |
#define | SSL_HASH_MD5 1 |
#define | SSL_HASH_SHA1 2 |
#define | SSL_HASH_SHA224 3 |
#define | SSL_HASH_SHA256 4 |
#define | SSL_HASH_SHA384 5 |
#define | SSL_HASH_SHA512 6 |
#define | SSL_SIG_ANON 0 |
#define | SSL_SIG_RSA 1 |
#define | SSL_SIG_ECDSA 3 |
#define | SSL_CERT_TYPE_RSA_SIGN 1 |
#define | SSL_CERT_TYPE_ECDSA_SIGN 64 |
#define | SSL_MSG_CHANGE_CIPHER_SPEC 20 |
#define | SSL_MSG_ALERT 21 |
#define | SSL_MSG_HANDSHAKE 22 |
#define | SSL_MSG_APPLICATION_DATA 23 |
#define | SSL_ALERT_LEVEL_WARNING 1 |
#define | SSL_ALERT_LEVEL_FATAL 2 |
#define | SSL_ALERT_MSG_CLOSE_NOTIFY 0 |
#define | SSL_ALERT_MSG_UNEXPECTED_MESSAGE 10 |
#define | SSL_ALERT_MSG_BAD_RECORD_MAC 20 |
#define | SSL_ALERT_MSG_DECRYPTION_FAILED 21 |
#define | SSL_ALERT_MSG_RECORD_OVERFLOW 22 |
#define | SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30 |
#define | SSL_ALERT_MSG_HANDSHAKE_FAILURE 40 |
#define | SSL_ALERT_MSG_NO_CERT 41 |
#define | SSL_ALERT_MSG_BAD_CERT 42 |
#define | SSL_ALERT_MSG_UNSUPPORTED_CERT 43 |
#define | SSL_ALERT_MSG_CERT_REVOKED 44 |
#define | SSL_ALERT_MSG_CERT_EXPIRED 45 |
#define | SSL_ALERT_MSG_CERT_UNKNOWN 46 |
#define | SSL_ALERT_MSG_ILLEGAL_PARAMETER 47 |
#define | SSL_ALERT_MSG_UNKNOWN_CA 48 |
#define | SSL_ALERT_MSG_ACCESS_DENIED 49 |
#define | SSL_ALERT_MSG_DECODE_ERROR 50 |
#define | SSL_ALERT_MSG_DECRYPT_ERROR 51 |
#define | SSL_ALERT_MSG_EXPORT_RESTRICTION 60 |
#define | SSL_ALERT_MSG_PROTOCOL_VERSION 70 |
#define | SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71 |
#define | SSL_ALERT_MSG_INTERNAL_ERROR 80 |
#define | SSL_ALERT_MSG_USER_CANCELED 90 |
#define | SSL_ALERT_MSG_NO_RENEGOTIATION 100 |
#define | SSL_ALERT_MSG_UNSUPPORTED_EXT 110 |
#define | SSL_ALERT_MSG_UNRECOGNIZED_NAME 112 |
#define | SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115 |
#define | SSL_HS_HELLO_REQUEST 0 |
#define | SSL_HS_CLIENT_HELLO 1 |
#define | SSL_HS_SERVER_HELLO 2 |
#define | SSL_HS_NEW_SESSION_TICKET 4 |
#define | SSL_HS_CERTIFICATE 11 |
#define | SSL_HS_SERVER_KEY_EXCHANGE 12 |
#define | SSL_HS_CERTIFICATE_REQUEST 13 |
#define | SSL_HS_SERVER_HELLO_DONE 14 |
#define | SSL_HS_CERTIFICATE_VERIFY 15 |
#define | SSL_HS_CLIENT_KEY_EXCHANGE 16 |
#define | SSL_HS_FINISHED 20 |
#define | TLS_EXT_SERVERNAME 0 |
#define | TLS_EXT_SERVERNAME_HOSTNAME 0 |
#define | TLS_EXT_MAX_FRAGMENT_LENGTH 1 |
#define | TLS_EXT_TRUNCATED_HMAC 4 |
#define | TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10 |
#define | TLS_EXT_SUPPORTED_POINT_FORMATS 11 |
#define | TLS_EXT_SIG_ALG 13 |
#define | TLS_EXT_SESSION_TICKET 35 |
#define | TLS_EXT_RENEGOTIATION_INFO 0xFF01 |
#define | TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) |
#define | POLARSSL_PREMASTER_SIZE POLARSSL_MPI_MAX_SIZE |
Typedefs | |
typedef int(* | rsa_decrypt_func )(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len) |
typedef int(* | rsa_sign_func )(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig) |
typedef size_t(* | rsa_key_len_func )(void *ctx) |
typedef struct _ssl_session | ssl_session |
typedef struct _ssl_context | ssl_context |
typedef struct _ssl_transform | ssl_transform |
typedef struct _ssl_handshake_params | ssl_handshake_params |
typedef struct _ssl_ticket_keys | ssl_ticket_keys |
typedef struct _ssl_key_cert | ssl_key_cert |
Enumerations | |
enum | ssl_states { SSL_HELLO_REQUEST, SSL_CLIENT_HELLO, SSL_SERVER_HELLO, SSL_SERVER_CERTIFICATE, SSL_SERVER_KEY_EXCHANGE, SSL_CERTIFICATE_REQUEST, SSL_SERVER_HELLO_DONE, SSL_CLIENT_CERTIFICATE, SSL_CLIENT_KEY_EXCHANGE, SSL_CERTIFICATE_VERIFY, SSL_CLIENT_CHANGE_CIPHER_SPEC, SSL_CLIENT_FINISHED, SSL_SERVER_CHANGE_CIPHER_SPEC, SSL_SERVER_FINISHED, SSL_FLUSH_BUFFERS, SSL_HANDSHAKE_WRAPUP, SSL_HANDSHAKE_OVER, SSL_SERVER_NEW_SESSION_TICKET } |
Functions | |
const int * | ssl_list_ciphersuites (void) |
Returns the list of ciphersuites supported by the SSL/TLS module. | |
const char * | ssl_get_ciphersuite_name (const int ciphersuite_id) |
Return the name of the ciphersuite associated with the given ID. | |
int | ssl_get_ciphersuite_id (const char *ciphersuite_name) |
Return the ID of the ciphersuite associated with the given name. | |
int | ssl_init (ssl_context *ssl) |
Initialize an SSL context (An individual SSL context is not thread-safe). | |
int | ssl_session_reset (ssl_context *ssl) |
Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data. | |
void | ssl_set_endpoint (ssl_context *ssl, int endpoint) |
Set the current endpoint type. | |
void | ssl_set_authmode (ssl_context *ssl, int authmode) |
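Set the certificate verification mode (SSL_VERIFY_NONE, SSL_VERIFY_OPTIONAL or SSL_VERIFY_REQUIRED). Only SSL_VERIFY_REQUIRED aborts the handshake when peer verification fails; with SSL_VERIFY_OPTIONAL the caller must check ssl_get_verify_result() after the handshake. | |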
void | ssl_set_verify (ssl_context *ssl, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy) |
Set the verification callback (Optional). | |
void | ssl_set_rng (ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Set the random number generator callback. | |
void | ssl_set_dbg (ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg) |
Set the debug callback. | |
void | ssl_set_bio (ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send) |
Set the underlying BIO read and write callbacks. | |
void | ssl_set_session_cache (ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache) |
Set the session cache callbacks (server-side only). If not set, no session resuming is done. | |
int | ssl_set_session (ssl_context *ssl, const ssl_session *session) |
Request resumption of session (client-side only). Session data is copied from presented session structure. | |
void | ssl_set_ciphersuites (ssl_context *ssl, const int *ciphersuites) |
Set the list of allowed ciphersuites (Overrides all version specific lists). | |
void | ssl_set_ciphersuites_for_version (ssl_context *ssl, const int *ciphersuites, int major, int minor) |
Set the list of allowed ciphersuites for a specific version of the protocol. | |
void | ssl_set_ca_chain (ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn) |
Set the data required to verify peer certificate. | |
int | ssl_set_own_cert (ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key) |
Set own certificate chain and private key. | |
int | ssl_set_own_cert_rsa (ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key) |
Set own certificate chain and private RSA key. | |
int | ssl_set_own_cert_alt (ssl_context *ssl, x509_crt *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len) |
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler. | |
int | ssl_set_psk (ssl_context *ssl, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len) |
Set the Pre Shared Key (PSK) and the identity name connected to it. | |
void | ssl_set_psk_cb (ssl_context *ssl, int(*f_psk)(void *, ssl_context *, const unsigned char *, size_t), void *p_psk) |
Set the PSK callback (server-side only) (Optional). | |
int | ssl_set_dh_param (ssl_context *ssl, const char *dhm_P, const char *dhm_G) |
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG], a 1024-bit group; a server that needs a larger modulus must supply its own parameters). | |
int | ssl_set_dh_param_ctx (ssl_context *ssl, dhm_context *dhm_ctx) |
Set the Diffie-Hellman public P and G values, read from existing context (server-side only). | |
int | ssl_set_hostname (ssl_context *ssl, const char *hostname) |
Set hostname for ServerName TLS extension (client-side only). | |
void | ssl_set_sni (ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni) |
Set server side ServerName TLS extension callback (optional, server-side only). | |
void | ssl_set_max_version (ssl_context *ssl, int major, int minor) |
Set the maximum supported version sent from the client side and/or accepted at the server side (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION). | |
void | ssl_set_min_version (ssl_context *ssl, int major, int minor) |
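Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION, which the defines listed on this page resolve to 3.0, i.e. SSLv3; raise the minimum explicitly if only TLS should be accepted). | |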
int | ssl_set_max_frag_len (ssl_context *ssl, unsigned char mfl_code) |
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes). Server: set maximum fragment length to emit, usually negotiated by the client during handshake. Client: set maximum fragment length to emit *and* negotiate with the server during handshake. | |
int | ssl_set_truncated_hmac (ssl_context *ssl, int truncate) |
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED). | |
int | ssl_set_session_tickets (ssl_context *ssl, int use_tickets) |
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS_DISABLED on server). | |
void | ssl_set_session_ticket_lifetime (ssl_context *ssl, int lifetime) |
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day)). | |
void | ssl_set_renegotiation (ssl_context *ssl, int renegotiation) |
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIATION_DISABLED). | |
void | ssl_legacy_renegotiation (ssl_context *ssl, int allow_legacy) |
Prevent or allow legacy renegotiation. | |
size_t | ssl_get_bytes_avail (const ssl_context *ssl) |
Return the number of data bytes available to read. | |
int | ssl_get_verify_result (const ssl_context *ssl) |
Return the result of the certificate verification. | |
const char * | ssl_get_ciphersuite (const ssl_context *ssl) |
Return the name of the current ciphersuite. | |
const char * | ssl_get_version (const ssl_context *ssl) |
Return the current SSL version (SSLv3/TLSv1/etc). | |
const x509_crt * | ssl_get_peer_cert (const ssl_context *ssl) |
Return the peer certificate from the current connection. | |
int | ssl_get_session (const ssl_context *ssl, ssl_session *session) |
Save session in order to resume it later (client-side only). Session data is copied to presented session structure. | |
int | ssl_handshake (ssl_context *ssl) |
Perform the SSL handshake. | |
int | ssl_handshake_step (ssl_context *ssl) |
Perform a single step of the SSL handshake. | |
int | ssl_renegotiate (ssl_context *ssl) |
Initiate an SSL renegotiation on the running connection. | |
int | ssl_read (ssl_context *ssl, unsigned char *buf, size_t len) |
Read at most 'len' application data bytes. | |
int | ssl_write (ssl_context *ssl, const unsigned char *buf, size_t len) |
Write exactly 'len' application data bytes. | |
int | ssl_send_alert_message (ssl_context *ssl, unsigned char level, unsigned char message) |
Send an alert message. | |
int | ssl_close_notify (ssl_context *ssl) |
Notify the peer that the connection is being closed. | |
void | ssl_free (ssl_context *ssl) |
Free referenced items in an SSL context and clear memory. | |
void | ssl_session_free (ssl_session *session) |
Free referenced items in an SSL session including the peer certificate and clear memory. | |
void | ssl_transform_free (ssl_transform *transform) |
Free referenced items in an SSL transform context and clear memory. | |
void | ssl_handshake_free (ssl_handshake_params *handshake) |
Free referenced items in an SSL handshake context and clear memory. | |
int | ssl_handshake_client_step (ssl_context *ssl) |
int | ssl_handshake_server_step (ssl_context *ssl) |
void | ssl_handshake_wrapup (ssl_context *ssl) |
int | ssl_send_fatal_handshake_failure (ssl_context *ssl) |
int | ssl_derive_keys (ssl_context *ssl) |
int | ssl_read_record (ssl_context *ssl) |
int | ssl_fetch_input (ssl_context *ssl, size_t nb_want) |
int | ssl_write_record (ssl_context *ssl) |
int | ssl_flush_output (ssl_context *ssl) |
int | ssl_parse_certificate (ssl_context *ssl) |
int | ssl_write_certificate (ssl_context *ssl) |
int | ssl_parse_change_cipher_spec (ssl_context *ssl) |
int | ssl_write_change_cipher_spec (ssl_context *ssl) |
int | ssl_parse_finished (ssl_context *ssl) |
int | ssl_write_finished (ssl_context *ssl) |
void | ssl_optimize_checksum (ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info) |
int | ssl_psk_derive_premaster (ssl_context *ssl, key_exchange_type_t key_ex) |
unsigned char | ssl_sig_from_pk (pk_context *pk) |
pk_type_t | ssl_pk_alg_from_sig (unsigned char sig) |
md_type_t | ssl_md_alg_from_hash (unsigned char hash) |
static pk_context * | ssl_own_key (ssl_context *ssl) |
static x509_crt * | ssl_own_cert (ssl_context *ssl) |
static int | safer_memcmp (const void *a, const void *b, size_t n) |
SSL/TLS functions.
Copyright (C) 2006-2013, Brainspark B.V.
This file is part of PolarSSL (http://www.polarssl.org) Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Definition in file ssl.h.
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00 |
Processing of the Certificate handshake message failed.
Definition at line 116 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_certificate().
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0x7A80 |
Processing of the CertificateRequest handshake message failed.
Definition at line 117 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_certificate_request().
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80 |
Processing of the CertificateVerify handshake message failed.
Definition at line 123 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_certificate_verify().
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00 |
Processing of the ChangeCipherSpec handshake message failed.
Definition at line 124 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_change_cipher_spec().
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 |
Processing of the ClientHello handshake message failed.
Definition at line 114 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_max_fragment_length_ext(), ssl_parse_renegotiation_info(), ssl_parse_servername_ext(), ssl_parse_signature_algorithms_ext(), ssl_parse_supported_elliptic_curves(), ssl_parse_supported_point_formats(), and ssl_parse_truncated_hmac_ext().
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0x7C00 |
Processing of the ClientKeyExchange handshake message failed.
Definition at line 120 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_client_dh_public(), ssl_parse_client_key_exchange(), ssl_parse_client_psk_identity(), and ssl_parse_encrypted_pms().
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS -0x7D00 |
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret.
Definition at line 122 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_client_key_exchange().
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP -0x7C80 |
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public.
Definition at line 121 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_client_dh_public(), and ssl_parse_client_key_exchange().
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED -0x7E80 |
Processing of the Finished handshake message failed.
Definition at line 125 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_finished().
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 |
Processing of the NewSessionTicket handshake message failed.
Definition at line 131 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_new_session_ticket().
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 |
Handshake protocol not within min/max boundaries.
Definition at line 130 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_client_hello(), ssl_parse_client_hello_v2(), and ssl_parse_server_hello().
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 |
Processing of the ServerHello handshake message failed.
Definition at line 115 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_max_fragment_length_ext(), ssl_parse_renegotiation_info(), ssl_parse_server_hello(), ssl_parse_session_ticket_ext(), ssl_parse_supported_point_formats_ext(), and ssl_parse_truncated_hmac_ext().
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0x7B80 |
Processing of the ServerHelloDone handshake message failed.
Definition at line 119 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_server_hello_done().
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0x7B00 |
Processing of the ServerKeyExchange handshake message failed.
Definition at line 118 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_server_dh_params(), ssl_parse_server_ecdh_params(), ssl_parse_server_key_exchange(), ssl_parse_server_psk_hint(), and ssl_parse_signature_algorithm().
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA -0x7100 |
Bad input parameters to function.
Definition at line 98 of file ssl.h.
Referenced by polarssl_strerror(), ssl_derive_keys(), ssl_get_session(), ssl_handshake_client_step(), ssl_handshake_server_step(), ssl_load_session(), ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_server_hello(), ssl_parse_ticket(), ssl_psk_derive_premaster(), ssl_renegotiate(), ssl_set_hostname(), ssl_set_max_frag_len(), ssl_set_psk(), ssl_set_session(), ssl_set_session_tickets(), ssl_set_truncated_hmac(), ssl_write_ticket(), tls1_prf(), tls_prf_sha256(), and tls_prf_sha384().
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 |
No CA Chain is set, but required to operate.
Definition at line 109 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_certificate().
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 |
The own certificate is not set, but needed by the server.
Definition at line 107 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_write_certificate().
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 |
Our own certificate(s) is/are too large to send in an SSL message.
Definition at line 106 of file ssl.h.
Referenced by polarssl_strerror(), ssl_write_certificate(), and ssl_write_ticket().
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 |
Processing of the compression / decompression failed.
Definition at line 129 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_derive_keys().
#define POLARSSL_ERR_SSL_CONN_EOF -0x7280 |
The connection indicated an EOF.
Definition at line 101 of file ssl.h.
Referenced by polarssl_strerror(), ssl_fetch_input(), and ssl_read().
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 |
A fatal alert message was received from our peer.
Definition at line 111 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_read_record().
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 |
The requested feature is not available.
Definition at line 97 of file ssl.h.
Referenced by polarssl_strerror(), ssl_decrypt_buf(), ssl_derive_keys(), ssl_encrypt_buf(), ssl_handshake_step(), ssl_parse_certificate(), ssl_parse_certificate_verify(), ssl_parse_client_dh_public(), ssl_parse_client_key_exchange(), ssl_parse_server_dh_params(), ssl_parse_server_ecdh_params(), ssl_parse_server_key_exchange(), ssl_parse_server_psk_hint(), ssl_psk_derive_premaster(), ssl_read(), ssl_renegotiate(), ssl_write_certificate(), ssl_write_certificate_request(), ssl_write_certificate_verify(), ssl_write_client_key_exchange(), and ssl_write_server_key_exchange().
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED -0x7F80 |
Hardware acceleration function returned with error.
Definition at line 127 of file ssl.h.
Referenced by polarssl_strerror(), ssl_derive_keys(), ssl_parse_finished(), ssl_read_record(), ssl_session_reset(), ssl_write_finished(), and ssl_write_record().
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 |
Hardware acceleration function skipped / left alone data.
Definition at line 128 of file ssl.h.
Referenced by polarssl_strerror(), ssl_read_record(), and ssl_write_record().
#define POLARSSL_ERR_SSL_INTERNAL_ERROR -0x6C00 |
Internal error (eg, unexpected failure in lower-level module).
Definition at line 135 of file ssl.h.
Referenced by polarssl_strerror(), ssl_decrypt_buf(), and ssl_encrypt_buf().
#define POLARSSL_ERR_SSL_INVALID_MAC -0x7180 |
Verification of the message MAC failed.
Definition at line 99 of file ssl.h.
Referenced by polarssl_strerror(), ssl_decrypt_buf(), ssl_parse_ticket(), and ssl_read_record().
#define POLARSSL_ERR_SSL_INVALID_RECORD -0x7200 |
An invalid SSL record was received.
Definition at line 100 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_read_record().
#define POLARSSL_ERR_SSL_MALLOC_FAILED -0x7F00 |
Memory allocation failed.
Definition at line 126 of file ssl.h.
Referenced by polarssl_strerror(), ssl_derive_keys(), ssl_handshake_init(), ssl_init(), ssl_load_session(), ssl_parse_certificate(), ssl_parse_new_session_ticket(), ssl_parse_supported_elliptic_curves(), ssl_session_copy(), ssl_set_hostname(), ssl_set_own_cert(), ssl_set_own_cert_alt(), ssl_set_own_cert_rsa(), ssl_set_psk(), and ssl_ticket_keys_init().
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 |
The server has no ciphersuites in common with the client.
Definition at line 103 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_client_hello(), and ssl_parse_client_hello_v2().
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 |
No client certificate received from the client, but required by the authentication mode.
Definition at line 105 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_certificate().
#define POLARSSL_ERR_SSL_NO_SESSION_FOUND -0x7400 |
No session to recover was found.
Definition at line 104 of file ssl.h.
Referenced by polarssl_strerror().
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 |
The peer notified us that the connection is going to be closed.
Definition at line 113 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_read_record().
#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED -0x7800 |
Verification of our peer failed.
Definition at line 112 of file ssl.h.
Referenced by polarssl_strerror().
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 |
Public key type mismatch (eg, asked for RSA key exchange and presented EC key).
Definition at line 133 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_server_key_exchange(), and ssl_write_encrypted_pms().
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 |
The own private key or pre-shared key is not set, but needed.
Definition at line 108 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_client_psk_identity(), ssl_parse_encrypted_pms(), ssl_write_certificate_verify(), ssl_write_client_key_exchange(), and ssl_write_server_key_exchange().
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 |
Session ticket has expired.
Definition at line 132 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_ticket().
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 |
An unexpected message was received from our peer.
Definition at line 110 of file ssl.h.
Referenced by polarssl_strerror(), ssl_parse_certificate(), ssl_parse_certificate_request(), ssl_parse_change_cipher_spec(), ssl_parse_finished(), ssl_parse_new_session_ticket(), ssl_parse_server_hello(), ssl_parse_server_hello_done(), ssl_parse_server_key_exchange(), and ssl_read().
#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x7300 |
An unknown cipher was received.
Definition at line 102 of file ssl.h.
Referenced by polarssl_strerror().
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 |
Unknown identity received (eg, PSK identity).
Definition at line 134 of file ssl.h.
Referenced by polarssl_strerror(), and ssl_parse_client_psk_identity().
#define SSL_ALERT_LEVEL_FATAL 2 |
Definition at line 287 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_client_psk_identity(), ssl_parse_server_hello(), ssl_parse_servername_ext(), ssl_read_record(), and ssl_send_fatal_handshake_failure().
#define SSL_ALERT_LEVEL_WARNING 1 |
Definition at line 286 of file ssl.h.
Referenced by ssl_close_notify(), ssl_parse_certificate(), ssl_read(), ssl_read_record(), and ssl_write_certificate().
#define SSL_ALERT_MSG_BAD_RECORD_MAC 20 |
Definition at line 291 of file ssl.h.
Referenced by ssl_read_record().
#define SSL_ALERT_MSG_CLOSE_NOTIFY 0 |
Definition at line 289 of file ssl.h.
Referenced by ssl_close_notify(), and ssl_read_record().
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE 40 |
Definition at line 295 of file ssl.h.
Referenced by ssl_send_fatal_handshake_failure().
#define SSL_ALERT_MSG_NO_CERT 41 |
Definition at line 296 of file ssl.h.
Referenced by ssl_parse_certificate(), and ssl_write_certificate().
#define SSL_ALERT_MSG_NO_RENEGOTIATION 100 |
Definition at line 312 of file ssl.h.
Referenced by ssl_read().
#define SSL_ALERT_MSG_PROTOCOL_VERSION 70 |
Definition at line 308 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), and ssl_parse_server_hello().
#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE 10 |
Definition at line 290 of file ssl.h.
Referenced by ssl_read_record().
#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115 |
Definition at line 315 of file ssl.h.
Referenced by ssl_parse_client_psk_identity().
#define SSL_ALERT_MSG_UNRECOGNIZED_NAME 112 |
Definition at line 314 of file ssl.h.
Referenced by ssl_parse_servername_ext().
#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 512) |
Definition at line 251 of file ssl.h.
Referenced by ssl_derive_keys(), ssl_free(), ssl_init(), and ssl_session_reset().
#define SSL_CERT_TYPE_ECDSA_SIGN 64 |
Definition at line 276 of file ssl.h.
Referenced by ssl_parse_certificate_request(), and ssl_write_certificate_request().
#define SSL_CERT_TYPE_RSA_SIGN 1 |
Definition at line 275 of file ssl.h.
Referenced by ssl_parse_certificate_request(), and ssl_write_certificate_request().
#define SSL_COMPRESS_DEFLATE 1 |
Definition at line 196 of file ssl.h.
Referenced by ssl_derive_keys(), ssl_parse_client_hello(), ssl_parse_server_hello(), ssl_read_record(), ssl_write_client_hello(), and ssl_write_record().
#define SSL_COMPRESS_NULL 0 |
Definition at line 195 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_server_hello(), and ssl_write_client_hello().
#define SSL_DEFAULT_TICKET_LIFETIME 86400 |
Lifetime of session tickets (if enabled).
Definition at line 225 of file ssl.h.
Referenced by ssl_init().
#define SSL_EMPTY_RENEGOTIATION_INFO 0xFF |
renegotiation info ext
Definition at line 253 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), and ssl_write_client_hello().
#define SSL_HASH_MD5 1 |
Definition at line 260 of file ssl.h.
Referenced by ssl_md_alg_from_hash(), ssl_parse_signature_algorithms_ext(), and ssl_write_signature_algorithms_ext().
#define SSL_HASH_SHA1 2 |
Definition at line 261 of file ssl.h.
Referenced by ssl_handshake_init(), ssl_md_alg_from_hash(), ssl_parse_signature_algorithms_ext(), and ssl_write_signature_algorithms_ext().
#define SSL_HASH_SHA224 3 |
Definition at line 262 of file ssl.h.
Referenced by ssl_md_alg_from_hash(), ssl_parse_signature_algorithms_ext(), and ssl_write_signature_algorithms_ext().
#define SSL_HASH_SHA256 4 |
Definition at line 263 of file ssl.h.
Referenced by ssl_md_alg_from_hash(), ssl_parse_signature_algorithms_ext(), ssl_write_certificate_request(), ssl_write_certificate_verify(), and ssl_write_signature_algorithms_ext().
#define SSL_HASH_SHA384 5 |
Definition at line 264 of file ssl.h.
Referenced by ssl_md_alg_from_hash(), ssl_parse_signature_algorithms_ext(), ssl_write_certificate_request(), ssl_write_certificate_verify(), and ssl_write_signature_algorithms_ext().
#define SSL_HASH_SHA512 6 |
Definition at line 265 of file ssl.h.
Referenced by ssl_md_alg_from_hash(), ssl_parse_signature_algorithms_ext(), and ssl_write_signature_algorithms_ext().
#define SSL_HS_CERTIFICATE 11 |
Definition at line 321 of file ssl.h.
Referenced by ssl_parse_certificate(), and ssl_write_certificate().
#define SSL_HS_CERTIFICATE_REQUEST 13 |
Definition at line 323 of file ssl.h.
Referenced by ssl_parse_certificate_request(), and ssl_write_certificate_request().
#define SSL_HS_CERTIFICATE_VERIFY 15 |
Definition at line 325 of file ssl.h.
Referenced by ssl_parse_certificate_verify(), and ssl_write_certificate_verify().
#define SSL_HS_CLIENT_HELLO 1 |
Definition at line 318 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), and ssl_write_client_hello().
#define SSL_HS_CLIENT_KEY_EXCHANGE 16 |
Definition at line 326 of file ssl.h.
Referenced by ssl_parse_client_key_exchange(), and ssl_write_client_key_exchange().
#define SSL_HS_FINISHED 20 |
Definition at line 327 of file ssl.h.
Referenced by ssl_parse_finished(), and ssl_write_finished().
#define SSL_HS_HELLO_REQUEST 0 |
Definition at line 317 of file ssl.h.
Referenced by ssl_read(), ssl_write_hello_request(), and ssl_write_record().
#define SSL_HS_NEW_SESSION_TICKET 4 |
Definition at line 320 of file ssl.h.
Referenced by ssl_parse_new_session_ticket(), and ssl_write_new_session_ticket().
#define SSL_HS_SERVER_HELLO 2 |
Definition at line 319 of file ssl.h.
Referenced by ssl_parse_server_hello(), and ssl_write_server_hello().
#define SSL_HS_SERVER_HELLO_DONE 14 |
Definition at line 324 of file ssl.h.
Referenced by ssl_parse_server_hello_done(), and ssl_write_server_hello_done().
#define SSL_HS_SERVER_KEY_EXCHANGE 12 |
Definition at line 322 of file ssl.h.
Referenced by ssl_parse_server_key_exchange(), and ssl_write_server_key_exchange().
#define SSL_INITIAL_HANDSHAKE 0 |
Definition at line 202 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_renegotiation_info(), ssl_parse_server_hello(), ssl_parse_session_ticket_ext(), ssl_session_reset(), ssl_write_client_hello(), and ssl_write_server_hello().
#define SSL_IS_CLIENT 0 |
Definition at line 193 of file ssl.h.
Referenced by ssl_calc_finished_ssl(), ssl_calc_finished_tls(), ssl_calc_finished_tls_sha256(), ssl_calc_finished_tls_sha384(), ssl_derive_keys(), ssl_get_session(), ssl_handshake_step(), ssl_parse_finished(), ssl_read(), ssl_set_endpoint(), ssl_set_session(), ssl_set_session_tickets(), ssl_set_truncated_hmac(), ssl_write_certificate(), and ssl_write_finished().
#define SSL_IS_SERVER 1 |
Definition at line 194 of file ssl.h.
Referenced by ssl_handshake_step(), ssl_parse_certificate(), ssl_parse_finished(), and ssl_renegotiate().
#define SSL_LEGACY_BREAK_HANDSHAKE 2 |
Definition at line 215 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), and ssl_parse_server_hello().
#define SSL_LEGACY_NO_RENEGOTIATION 0 |
Definition at line 213 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_server_hello(), and ssl_read().
#define SSL_LEGACY_RENEGOTIATION 0 |
Definition at line 207 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_server_hello(), ssl_read(), and ssl_session_reset().
#define SSL_MAJOR_VERSION_3 3 |
Definition at line 140 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_server_hello(), and ssl_set_ciphersuites_for_version().
#define SSL_MAX_CONTENT_LEN 16384 |
Size of the input / output buffer.
Definition at line 236 of file ssl.h.
Referenced by ssl_read_record(), ssl_set_max_frag_len(), ssl_write(), ssl_write_certificate(), ssl_write_client_key_exchange(), ssl_write_encrypted_pms(), ssl_write_server_key_exchange(), and ssl_write_ticket().
#define SSL_MAX_FRAG_LEN_INVALID 5 |
first invalid value
Definition at line 191 of file ssl.h.
Referenced by ssl_parse_max_fragment_length_ext().
#define SSL_MAX_FRAG_LEN_NONE 0 |
don't use this extension
Definition at line 186 of file ssl.h.
Referenced by ssl_parse_max_fragment_length_ext(), and ssl_write_max_fragment_length_ext().
#define SSL_MAX_MAJOR_VERSION SSL_MAJOR_VERSION_3 |
Definition at line 166 of file ssl.h.
Referenced by ssl_init(), ssl_set_max_version(), ssl_set_min_version(), and ssl_write_client_hello().
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_3 |
Definition at line 169 of file ssl.h.
Referenced by ssl_init(), ssl_set_max_version(), ssl_set_min_version(), and ssl_write_client_hello().
#define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3 |
Definition at line 147 of file ssl.h.
Referenced by ssl_init(), ssl_set_max_version(), and ssl_set_min_version().
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0 |
Definition at line 150 of file ssl.h.
Referenced by ssl_init(), ssl_set_max_version(), and ssl_set_min_version().
#define SSL_MINOR_VERSION_0 0 |
SSL v3.0
Definition at line 141 of file ssl.h.
Referenced by ssl_decrypt_buf(), ssl_derive_keys(), ssl_encrypt_buf(), ssl_get_version(), ssl_parse_certificate(), ssl_parse_encrypted_pms(), ssl_parse_finished(), ssl_read(), ssl_read_record(), ssl_set_ciphersuites(), ssl_write_certificate(), ssl_write_encrypted_pms(), and ssl_write_finished().
#define SSL_MINOR_VERSION_1 1 |
TLS v1.0
Definition at line 142 of file ssl.h.
Referenced by ssl_derive_keys(), ssl_encrypt_buf(), ssl_get_version(), ssl_read(), ssl_read_record(), and ssl_set_ciphersuites().
#define SSL_MINOR_VERSION_2 2 |
TLS v1.1
Definition at line 143 of file ssl.h.
Referenced by ssl_decrypt_buf(), ssl_encrypt_buf(), ssl_get_version(), ssl_parse_finished(), ssl_set_ciphersuites(), and ssl_write_finished().
#define SSL_MINOR_VERSION_3 3 |
TLS v1.2
Definition at line 144 of file ssl.h.
Referenced by ssl_derive_keys(), ssl_get_version(), ssl_optimize_checksum(), ssl_parse_certificate_request(), ssl_parse_certificate_verify(), ssl_parse_server_key_exchange(), ssl_parse_signature_algorithm(), ssl_set_ciphersuites(), ssl_set_ciphersuites_for_version(), ssl_write_certificate_request(), ssl_write_certificate_verify(), ssl_write_server_key_exchange(), and ssl_write_signature_algorithms_ext().
#define SSL_MSG_ALERT 21 |
Definition at line 282 of file ssl.h.
Referenced by ssl_parse_certificate(), ssl_read_record(), ssl_send_alert_message(), and ssl_write_certificate().
#define SSL_MSG_APPLICATION_DATA 23 |
Definition at line 284 of file ssl.h.
Referenced by ssl_read(), ssl_read_record(), and ssl_write().
#define SSL_MSG_CHANGE_CIPHER_SPEC 20 |
Definition at line 281 of file ssl.h.
Referenced by ssl_parse_change_cipher_spec(), ssl_read_record(), and ssl_write_change_cipher_spec().
#define SSL_MSG_HANDSHAKE 22 |
Definition at line 283 of file ssl.h.
Referenced by ssl_parse_certificate(), ssl_parse_certificate_request(), ssl_parse_certificate_verify(), ssl_parse_client_hello(), ssl_parse_client_key_exchange(), ssl_parse_finished(), ssl_parse_new_session_ticket(), ssl_parse_server_hello(), ssl_parse_server_hello_done(), ssl_parse_server_key_exchange(), ssl_read(), ssl_read_record(), ssl_write_certificate(), ssl_write_certificate_request(), ssl_write_certificate_verify(), ssl_write_client_hello(), ssl_write_client_key_exchange(), ssl_write_finished(), ssl_write_hello_request(), ssl_write_new_session_ticket(), ssl_write_record(), ssl_write_server_hello(), ssl_write_server_hello_done(), and ssl_write_server_key_exchange().
#define SSL_RENEGOTIATION 1 |
Definition at line 203 of file ssl.h.
Referenced by ssl_handshake_wrapup(), ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_server_hello(), ssl_renegotiate(), ssl_start_renegotiation(), and ssl_write_renegotiation_ext().
#define SSL_RENEGOTIATION_DISABLED 0 |
Definition at line 210 of file ssl.h.
Referenced by ssl_read().
#define SSL_RENEGOTIATION_DONE 2 |
Definition at line 204 of file ssl.h.
Referenced by ssl_handshake_wrapup().
#define SSL_RENEGOTIATION_PENDING 3 |
Definition at line 205 of file ssl.h.
Referenced by ssl_read(), and ssl_write_hello_request().
#define SSL_SECURE_RENEGOTIATION 1 |
Definition at line 208 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_renegotiation_info(), ssl_parse_server_hello(), and ssl_write_renegotiation_ext().
#define SSL_SESSION_TICKETS_DISABLED 0 |
Definition at line 221 of file ssl.h.
Referenced by ssl_parse_session_ticket_ext(), and ssl_write_session_ticket_ext().
#define SSL_SESSION_TICKETS_ENABLED 1 |
Definition at line 222 of file ssl.h.
Referenced by ssl_set_endpoint().
#define SSL_SIG_ANON 0 |
Definition at line 267 of file ssl.h.
Referenced by ssl_sig_from_pk().
#define SSL_SIG_ECDSA 3 |
Definition at line 269 of file ssl.h.
Referenced by ssl_pk_alg_from_sig(), ssl_sig_from_pk(), ssl_write_certificate_request(), and ssl_write_signature_algorithms_ext().
#define SSL_SIG_RSA 1 |
Definition at line 268 of file ssl.h.
Referenced by ssl_pk_alg_from_sig(), ssl_sig_from_pk(), ssl_write_certificate_request(), and ssl_write_signature_algorithms_ext().
#define SSL_TRUNC_HMAC_DISABLED 0 |
Definition at line 217 of file ssl.h.
Referenced by ssl_parse_truncated_hmac_ext(), and ssl_write_truncated_hmac_ext().
#define SSL_TRUNC_HMAC_ENABLED 1 |
Definition at line 218 of file ssl.h.
Referenced by ssl_derive_keys(), and ssl_parse_truncated_hmac_ext().
#define SSL_TRUNCATED_HMAC_LEN 10 |
Definition at line 219 of file ssl.h.
Referenced by ssl_derive_keys().
#define SSL_VERIFY_NONE 0 |
Definition at line 198 of file ssl.h.
Referenced by ssl_parse_certificate(), and ssl_write_certificate_request().
#define SSL_VERIFY_OPTIONAL 1 |
Definition at line 199 of file ssl.h.
Referenced by ssl_parse_certificate().
#define SSL_VERIFY_REQUIRED 2 |
Definition at line 200 of file ssl.h.
Referenced by ssl_parse_certificate().
#define TLS_EXT_MAX_FRAGMENT_LENGTH 1 |
Definition at line 335 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_server_hello(), and ssl_write_max_fragment_length_ext().
#define TLS_EXT_RENEGOTIATION_INFO 0xFF01 |
Definition at line 346 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_server_hello(), and ssl_write_renegotiation_ext().
#define TLS_EXT_SERVERNAME 0 |
Definition at line 332 of file ssl.h.
Referenced by ssl_parse_client_hello(), and ssl_write_hostname_ext().
#define TLS_EXT_SERVERNAME_HOSTNAME 0 |
Definition at line 333 of file ssl.h.
Referenced by ssl_parse_servername_ext(), and ssl_write_hostname_ext().
#define TLS_EXT_SESSION_TICKET 35 |
Definition at line 344 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_server_hello(), and ssl_write_session_ticket_ext().
#define TLS_EXT_SIG_ALG 13 |
Definition at line 342 of file ssl.h.
Referenced by ssl_parse_client_hello(), and ssl_write_signature_algorithms_ext().
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10 |
Definition at line 339 of file ssl.h.
Referenced by ssl_parse_client_hello(), and ssl_write_supported_elliptic_curves_ext().
#define TLS_EXT_SUPPORTED_POINT_FORMATS 11 |
Definition at line 340 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_server_hello(), and ssl_write_supported_point_formats_ext().
#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) |
Definition at line 353 of file ssl.h.
Referenced by ssl_parse_client_hello(), and ssl_write_supported_point_formats_ext().
#define TLS_EXT_TRUNCATED_HMAC 4 |
Definition at line 337 of file ssl.h.
Referenced by ssl_parse_client_hello(), ssl_parse_server_hello(), and ssl_write_truncated_hmac_ext().
typedef int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len) |
typedef size_t(* rsa_key_len_func)(void *ctx) |
typedef int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig) |
typedef struct _ssl_context ssl_context |
typedef struct _ssl_handshake_params ssl_handshake_params |
typedef struct _ssl_key_cert ssl_key_cert |
typedef struct _ssl_session ssl_session |
typedef struct _ssl_ticket_keys ssl_ticket_keys |
typedef struct _ssl_transform ssl_transform |
enum ssl_states |
static int safer_memcmp | ( | const void * | a, | |
const void * | b, | |||
size_t | n | |||
) | [inline, static] |
Definition at line 1574 of file ssl.h.
References A.
Referenced by ssl_decrypt_buf(), ssl_parse_client_psk_identity(), ssl_parse_finished(), and ssl_parse_renegotiation_info().
int ssl_close_notify | ( | ssl_context * | ssl | ) |
Notify the peer that the connection is being closed.
ssl | SSL context |
Definition at line 4289 of file ssl_tls.c.
References SSL_ALERT_LEVEL_WARNING, SSL_ALERT_MSG_CLOSE_NOTIFY, SSL_DEBUG_MSG, SSL_DEBUG_RET, ssl_flush_output(), SSL_HANDSHAKE_OVER, ssl_send_alert_message(), and _ssl_context::state.
int ssl_derive_keys | ( | ssl_context * | ssl | ) |
Definition at line 359 of file ssl_tls.c.
References _ssl_handshake_params::calc_finished, _ssl_handshake_params::calc_verify, _ssl_ciphersuite_t::cipher, _ssl_transform::cipher_ctx_dec, _ssl_transform::cipher_ctx_enc, cipher_info_from_type(), cipher_init_ctx(), cipher_setkey(), _ssl_session::ciphersuite, _ssl_transform::ciphersuite_info, _ssl_session::compression, _ssl_context::endpoint, _ssl_transform::fixed_ivlen, _ssl_context::handshake, _ssl_transform::iv_dec, _ssl_transform::iv_enc, cipher_info_t::iv_size, _ssl_transform::ivlen, cipher_info_t::key_length, _ssl_transform::keylen, _ssl_ciphersuite_t::mac, _ssl_transform::mac_dec, _ssl_transform::mac_enc, _ssl_transform::maclen, _ssl_session::master, _ssl_transform::md_ctx_dec, _ssl_transform::md_ctx_enc, md_get_size(), md_hmac_starts(), md_info_from_type(), md_init_ctx(), _ssl_transform::minlen, _ssl_context::minor_ver, cipher_info_t::mode, _ssl_handshake_params::pmslen, POLARSSL_DECRYPT, POLARSSL_ENCRYPT, POLARSSL_ERR_SSL_BAD_INPUT_DATA, POLARSSL_ERR_SSL_COMPRESSION_FAILED, POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE, POLARSSL_ERR_SSL_HW_ACCEL_FAILED, POLARSSL_ERR_SSL_MALLOC_FAILED, polarssl_malloc, POLARSSL_MD_NONE, POLARSSL_MD_SHA384, POLARSSL_MODE_CBC, POLARSSL_MODE_GCM, POLARSSL_MODE_STREAM, POLARSSL_PADDING_NONE, _ssl_handshake_params::premaster, _ssl_handshake_params::randbytes, _ssl_handshake_params::resume, _ssl_context::session_negotiate, ssl3_prf(), SSL_BUFFER_LEN, ssl_calc_finished_ssl(), ssl_calc_finished_tls(), ssl_calc_finished_tls_sha256(), ssl_calc_finished_tls_sha384(), ssl_calc_verify_ssl(), ssl_calc_verify_tls(), ssl_calc_verify_tls_sha256(), ssl_calc_verify_tls_sha384(), SSL_COMPRESS_DEFLATE, SSL_DEBUG_BUF, SSL_DEBUG_MSG, SSL_DEBUG_RET, ssl_get_ciphersuite_name(), SSL_IS_CLIENT, SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_3, SSL_TRUNC_HMAC_ENABLED, SSL_TRUNCATED_HMAC_LEN, tls1_prf(), _ssl_handshake_params::tls_prf, tls_prf_sha256(), tls_prf_sha384(), _ssl_context::transform_negotiate, _ssl_session::trunc_hmac, and 
md_info_t::type.
Referenced by ssl_parse_client_key_exchange(), ssl_parse_server_hello(), ssl_write_client_key_exchange(), and ssl_write_server_hello().
int ssl_fetch_input | ( | ssl_context * | ssl, | |
size_t | nb_want | |||
) |
Definition at line 1856 of file ssl_tls.c.
References _ssl_context::f_recv, _ssl_context::in_hdr, _ssl_context::in_left, _ssl_context::p_recv, POLARSSL_ERR_SSL_CONN_EOF, SSL_DEBUG_MSG, and SSL_DEBUG_RET.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), and ssl_read_record().
int ssl_flush_output | ( | ssl_context * | ssl | ) |
Definition at line 1889 of file ssl_tls.c.
References _ssl_context::f_send, _ssl_context::out_hdr, _ssl_context::out_left, _ssl_context::out_msglen, _ssl_context::p_send, SSL_DEBUG_MSG, and SSL_DEBUG_RET.
Referenced by ssl_close_notify(), ssl_handshake_client_step(), ssl_handshake_server_step(), ssl_write(), and ssl_write_record().
void ssl_free | ( | ssl_context * | ssl | ) |
Free referenced items in an SSL context and clear memory.
ssl | SSL context |
Definition at line 4409 of file ssl_tls.c.
References _ssl_context::dhm_G, _ssl_context::dhm_P, _ssl_context::handshake, _ssl_context::hostname, _ssl_context::hostname_len, _ssl_context::in_ctr, _ssl_context::key_cert, mpi_free(), _ssl_context::out_ctr, polarssl_free, _ssl_context::psk, _ssl_context::psk_identity, _ssl_context::psk_identity_len, _ssl_context::psk_len, _ssl_context::session, _ssl_context::session_negotiate, SSL_BUFFER_LEN, SSL_DEBUG_MSG, ssl_handshake_free(), ssl_key_cert_free(), ssl_session_free(), ssl_transform_free(), _ssl_context::ticket_keys, _ssl_context::transform, and _ssl_context::transform_negotiate.
size_t ssl_get_bytes_avail | ( | const ssl_context * | ssl | ) |
Return the number of data bytes available to read.
ssl | SSL context |
Definition at line 3872 of file ssl_tls.c.
References _ssl_context::in_msglen, and _ssl_context::in_offt.
const char* ssl_get_ciphersuite | ( | const ssl_context * | ssl | ) |
Return the name of the current ciphersuite.
ssl | SSL context |
Definition at line 3882 of file ssl_tls.c.
References _ssl_session::ciphersuite, _ssl_context::session, and ssl_get_ciphersuite_name().
int ssl_get_ciphersuite_id | ( | const char * | ciphersuite_name | ) |
Return the ID of the ciphersuite associated with the given name.
ciphersuite_name | SSL ciphersuite name |
Definition at line 1353 of file ssl_ciphersuites.c.
References _ssl_ciphersuite_t::id, and ssl_ciphersuite_from_string().
const char* ssl_get_ciphersuite_name | ( | const int | ciphersuite_id | ) |
Return the name of the ciphersuite associated with the given ID.
ciphersuite_id | SSL ciphersuite ID |
Definition at line 1341 of file ssl_ciphersuites.c.
References _ssl_ciphersuite_t::name, and ssl_ciphersuite_from_id().
Referenced by ssl_derive_keys(), ssl_get_ciphersuite(), and ssl_write_server_hello().
const x509_crt* ssl_get_peer_cert | ( | const ssl_context * | ssl | ) |
Return the peer certificate from the current connection.
Note: Can be NULL if no certificate was sent during the handshake. Different calls on the same connection may return the same or different pointers for the same certificate, or even a different certificate altogether: the peer certificate CAN change within a single connection if renegotiation is performed.
ssl | SSL context |
Definition at line 3913 of file ssl_tls.c.
References _ssl_session::peer_cert, and _ssl_context::session.
int ssl_get_session | ( | const ssl_context * | ssl, | |
ssl_session * | session | |||
) |
Save session in order to resume it later (client-side only). Session data is copied to the presented session structure.
ssl | SSL context | |
session | session context |
Definition at line 3922 of file ssl_tls.c.
References _ssl_context::endpoint, POLARSSL_ERR_SSL_BAD_INPUT_DATA, _ssl_context::session, SSL_IS_CLIENT, and ssl_session_copy().
int ssl_get_verify_result | ( | const ssl_context * | ssl | ) |
Return the result of the certificate verification.
ssl | SSL context |
Definition at line 3877 of file ssl_tls.c.
References _ssl_context::session, and _ssl_session::verify_result.
const char* ssl_get_version | ( | const ssl_context * | ssl | ) |
Return the current SSL version (SSLv3/TLSv1/etc).
ssl | SSL context |
Definition at line 3890 of file ssl_tls.c.
References _ssl_context::minor_ver, SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_2, and SSL_MINOR_VERSION_3.
int ssl_handshake | ( | ssl_context * | ssl | ) |
Perform the SSL handshake.
ssl | SSL context |
Definition at line 3958 of file ssl_tls.c.
References SSL_DEBUG_MSG, SSL_HANDSHAKE_OVER, ssl_handshake_step(), and _ssl_context::state.
Referenced by ssl_read(), ssl_renegotiate(), ssl_start_renegotiation(), and ssl_write().
int ssl_handshake_client_step | ( | ssl_context * | ssl | ) |
Definition at line 2238 of file ssl_cli.c.
References _ssl_context::handshake, _ssl_handshake_params::new_session_ticket, POLARSSL_ERR_SSL_BAD_INPUT_DATA, SSL_CERTIFICATE_REQUEST, SSL_CERTIFICATE_VERIFY, SSL_CLIENT_CERTIFICATE, SSL_CLIENT_CHANGE_CIPHER_SPEC, SSL_CLIENT_FINISHED, SSL_CLIENT_HELLO, SSL_CLIENT_KEY_EXCHANGE, SSL_DEBUG_MSG, SSL_FLUSH_BUFFERS, ssl_flush_output(), SSL_HANDSHAKE_OVER, ssl_handshake_wrapup(), SSL_HANDSHAKE_WRAPUP, SSL_HELLO_REQUEST, ssl_parse_certificate(), ssl_parse_certificate_request(), ssl_parse_change_cipher_spec(), ssl_parse_finished(), ssl_parse_new_session_ticket(), ssl_parse_server_hello(), ssl_parse_server_hello_done(), ssl_parse_server_key_exchange(), SSL_SERVER_CERTIFICATE, SSL_SERVER_CHANGE_CIPHER_SPEC, SSL_SERVER_FINISHED, SSL_SERVER_HELLO, SSL_SERVER_HELLO_DONE, SSL_SERVER_KEY_EXCHANGE, ssl_write_certificate(), ssl_write_certificate_verify(), ssl_write_change_cipher_spec(), ssl_write_client_hello(), ssl_write_client_key_exchange(), ssl_write_finished(), and _ssl_context::state.
Referenced by ssl_handshake_step().
void ssl_handshake_free | ( | ssl_handshake_params * | handshake | ) |
Free referenced items in an SSL handshake context and clear memory.
handshake | SSL handshake context |
Definition at line 4353 of file ssl_tls.c.
References _ssl_handshake_params::curves, _ssl_handshake_params::dhm_ctx, dhm_free(), _ssl_handshake_params::ecdh_ctx, ecdh_free(), _ssl_key_cert::next, polarssl_free, and _ssl_handshake_params::sni_key_cert.
Referenced by ssl_free(), ssl_handshake_init(), and ssl_handshake_wrapup().
int ssl_handshake_server_step | ( | ssl_context * | ssl | ) |
Definition at line 2907 of file ssl_srv.c.
References _ssl_context::handshake, _ssl_handshake_params::new_session_ticket, POLARSSL_ERR_SSL_BAD_INPUT_DATA, SSL_CERTIFICATE_REQUEST, SSL_CERTIFICATE_VERIFY, SSL_CLIENT_CERTIFICATE, SSL_CLIENT_CHANGE_CIPHER_SPEC, SSL_CLIENT_FINISHED, SSL_CLIENT_HELLO, SSL_CLIENT_KEY_EXCHANGE, SSL_DEBUG_MSG, SSL_FLUSH_BUFFERS, ssl_flush_output(), SSL_HANDSHAKE_OVER, ssl_handshake_wrapup(), SSL_HANDSHAKE_WRAPUP, SSL_HELLO_REQUEST, ssl_parse_certificate(), ssl_parse_certificate_verify(), ssl_parse_change_cipher_spec(), ssl_parse_client_hello(), ssl_parse_client_key_exchange(), ssl_parse_finished(), SSL_SERVER_CERTIFICATE, SSL_SERVER_CHANGE_CIPHER_SPEC, SSL_SERVER_FINISHED, SSL_SERVER_HELLO, SSL_SERVER_HELLO_DONE, SSL_SERVER_KEY_EXCHANGE, ssl_write_certificate(), ssl_write_certificate_request(), ssl_write_change_cipher_spec(), ssl_write_finished(), ssl_write_new_session_ticket(), ssl_write_server_hello(), ssl_write_server_hello_done(), ssl_write_server_key_exchange(), and _ssl_context::state.
Referenced by ssl_handshake_step().
int ssl_handshake_step | ( | ssl_context * | ssl | ) |
Perform a single step of the SSL handshake.
Note: after this function returns, the state of the context (ssl->state) will be at the next handshake state. Do not call this function if the state is SSL_HANDSHAKE_OVER.
ssl | SSL context |
Definition at line 3938 of file ssl_tls.c.
References _ssl_context::endpoint, POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE, ssl_handshake_client_step(), ssl_handshake_server_step(), SSL_IS_CLIENT, and SSL_IS_SERVER.
Referenced by ssl_handshake().
void ssl_handshake_wrapup | ( | ssl_context * | ssl | ) |
Definition at line 3013 of file ssl_tls.c.
References _ssl_context::f_set_cache, _ssl_context::handshake, _ssl_session::length, _ssl_context::p_set_cache, polarssl_free, _ssl_context::renegotiation, _ssl_handshake_params::resume, _ssl_context::session, _ssl_context::session_negotiate, SSL_DEBUG_MSG, ssl_handshake_free(), SSL_RENEGOTIATION, SSL_RENEGOTIATION_DONE, ssl_session_free(), ssl_transform_free(), _ssl_context::state, _ssl_context::transform, and _ssl_context::transform_negotiate.
Referenced by ssl_handshake_client_step(), and ssl_handshake_server_step().
int ssl_init | ( | ssl_context * | ssl | ) |
Initialize an SSL context (An individual SSL context is not thread-safe).
ssl | SSL context |
Definition at line 3293 of file ssl_tls.c.
References _ssl_context::dhm_G, _ssl_context::dhm_P, _ssl_context::in_ctr, _ssl_context::in_hdr, _ssl_context::in_iv, _ssl_context::in_msg, _ssl_context::max_major_ver, _ssl_context::max_minor_ver, _ssl_context::min_major_ver, _ssl_context::min_minor_ver, mpi_read_string(), _ssl_context::out_ctr, _ssl_context::out_hdr, _ssl_context::out_iv, _ssl_context::out_msg, POLARSSL_DHM_RFC5114_MODP_1024_G, POLARSSL_DHM_RFC5114_MODP_1024_P, POLARSSL_ERR_SSL_MALLOC_FAILED, polarssl_free, polarssl_malloc, SSL_BUFFER_LEN, SSL_DEBUG_MSG, SSL_DEBUG_RET, SSL_DEFAULT_TICKET_LIFETIME, ssl_handshake_init(), ssl_list_ciphersuites(), SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION, SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION, ssl_set_ciphersuites(), and _ssl_context::ticket_lifetime.
void ssl_legacy_renegotiation | ( | ssl_context * | ssl, | |
int | allow_legacy | |||
) |
Prevent or allow legacy renegotiation.
(Default: SSL_LEGACY_NO_RENEGOTIATION)
SSL_LEGACY_NO_RENEGOTIATION allows connections to be established even if the peer does not support secure renegotiation, but does not allow renegotiation to take place if not secure. (Interoperable and secure option)
SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations with non-upgraded peers. Allowing legacy renegotiation makes the connection vulnerable to specific man-in-the-middle attacks (see RFC 5746). (Most interoperable and least secure option)
SSL_LEGACY_BREAK_HANDSHAKE breaks off connections if peer does not support secure renegotiation. Results in interoperability issues with non-upgraded peers that do not support renegotiation altogether. (Most secure option, interoperability issues)
ssl | SSL context | |
allow_legacy | Prevent or allow (SSL_LEGACY_NO_RENEGOTIATION, SSL_LEGACY_ALLOW_RENEGOTIATION or SSL_LEGACY_BREAK_HANDSHAKE) |
Definition at line 3844 of file ssl_tls.c.
References _ssl_context::allow_legacy_renegotiation.
const int* ssl_list_ciphersuites | ( | void | ) |
Returns the list of ciphersuites supported by the SSL/TLS module.
Definition at line 1282 of file ssl_ciphersuites.c.
Referenced by ssl_init().
md_type_t ssl_md_alg_from_hash | ( | unsigned char | hash | ) |
Definition at line 4542 of file ssl_tls.c.
References POLARSSL_MD_MD5, POLARSSL_MD_NONE, POLARSSL_MD_SHA1, POLARSSL_MD_SHA224, POLARSSL_MD_SHA256, POLARSSL_MD_SHA384, POLARSSL_MD_SHA512, SSL_HASH_MD5, SSL_HASH_SHA1, SSL_HASH_SHA224, SSL_HASH_SHA256, SSL_HASH_SHA384, and SSL_HASH_SHA512.
Referenced by ssl_parse_certificate_verify(), ssl_parse_signature_algorithm(), and ssl_write_server_key_exchange().
void ssl_optimize_checksum | ( | ssl_context * | ssl, | |
const ssl_ciphersuite_t * | ciphersuite_info | |||
) |
Definition at line 2706 of file ssl_tls.c.
References _ssl_context::handshake, _ssl_ciphersuite_t::mac, _ssl_context::minor_ver, POLARSSL_MD_SHA384, SSL_MINOR_VERSION_3, ssl_update_checksum_md5sha1(), ssl_update_checksum_sha256(), ssl_update_checksum_sha384(), and _ssl_handshake_params::update_checksum.
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), and ssl_parse_server_hello().
static x509_crt* ssl_own_cert | ( | ssl_context * | ssl | ) | [inline, static] |
Definition at line 1566 of file ssl.h.
References _ssl_key_cert::cert, _ssl_context::handshake, and _ssl_handshake_params::key_cert.
Referenced by ssl_write_certificate(), and ssl_write_certificate_verify().
static pk_context* ssl_own_key | ( | ssl_context * | ssl | ) | [inline, static] |
Definition at line 1560 of file ssl.h.
References _ssl_context::handshake, _ssl_key_cert::key, and _ssl_handshake_params::key_cert.
Referenced by ssl_parse_certificate_request(), ssl_parse_encrypted_pms(), ssl_write_certificate_verify(), and ssl_write_server_key_exchange().
int ssl_parse_certificate | ( | ssl_context * | ssl | ) |
Definition at line 2472 of file ssl_tls.c.
References _ssl_context::authmode, BADCERT_MISSING, BADCERT_SKIP_VERIFY, _ssl_context::ca_chain, _ssl_context::ca_crl, _ssl_transform::ciphersuite_info, _ssl_context::endpoint, _ssl_context::f_vrfy, _ssl_context::in_hslen, _ssl_context::in_msg, _ssl_context::in_msglen, _ssl_context::in_msgtype, _ssl_ciphersuite_t::key_exchange, _ssl_context::minor_ver, _ssl_context::p_vrfy, _ssl_session::peer_cert, _ssl_context::peer_cn, POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE, POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED, POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE, POLARSSL_ERR_SSL_MALLOC_FAILED, POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE, POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE, polarssl_free, POLARSSL_KEY_EXCHANGE_DHE_PSK, POLARSSL_KEY_EXCHANGE_ECDHE_PSK, POLARSSL_KEY_EXCHANGE_PSK, polarssl_malloc, _ssl_context::session_negotiate, SSL_ALERT_LEVEL_WARNING, SSL_ALERT_MSG_NO_CERT, SSL_DEBUG_CRT, SSL_DEBUG_MSG, SSL_DEBUG_RET, SSL_HS_CERTIFICATE, SSL_IS_SERVER, SSL_MINOR_VERSION_0, SSL_MSG_ALERT, SSL_MSG_HANDSHAKE, ssl_read_record(), SSL_VERIFY_NONE, SSL_VERIFY_OPTIONAL, SSL_VERIFY_REQUIRED, _ssl_context::state, _ssl_context::transform_negotiate, _ssl_session::verify_result, x509_crt_free(), x509_crt_init(), x509_crt_parse_der(), and x509_crt_verify().
Referenced by ssl_handshake_client_step(), and ssl_handshake_server_step().
int ssl_parse_change_cipher_spec | ( | ssl_context * | ssl | ) |
Definition at line 2675 of file ssl_tls.c.
References _ssl_context::in_msg, _ssl_context::in_msglen, _ssl_context::in_msgtype, POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC, POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE, SSL_DEBUG_MSG, SSL_DEBUG_RET, SSL_MSG_CHANGE_CIPHER_SPEC, ssl_read_record(), and _ssl_context::state.
Referenced by ssl_handshake_client_step(), and ssl_handshake_server_step().
int ssl_parse_finished | ( | ssl_context * | ssl | ) |
Definition at line 3137 of file ssl_tls.c.
References _ssl_handshake_params::calc_finished, _ssl_context::endpoint, _ssl_transform::fixed_ivlen, _ssl_context::handshake, _ssl_context::in_ctr, _ssl_context::in_hslen, _ssl_context::in_iv, _ssl_context::in_msg, _ssl_context::in_msgtype, _ssl_transform::ivlen, _ssl_context::minor_ver, _ssl_context::peer_verify_data, POLARSSL_ERR_SSL_BAD_HS_FINISHED, POLARSSL_ERR_SSL_HW_ACCEL_FAILED, POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE, _ssl_handshake_params::resume, safer_memcmp(), _ssl_context::session_in, _ssl_context::session_negotiate, SSL_CLIENT_CHANGE_CIPHER_SPEC, SSL_DEBUG_MSG, SSL_DEBUG_RET, SSL_HANDSHAKE_WRAPUP, SSL_HS_FINISHED, SSL_IS_CLIENT, SSL_IS_SERVER, SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_2, SSL_MSG_HANDSHAKE, ssl_read_record(), _ssl_context::state, _ssl_context::transform_in, _ssl_context::transform_negotiate, and _ssl_context::verify_data_len.
Referenced by ssl_handshake_client_step(), and ssl_handshake_server_step().
pk_type_t ssl_pk_alg_from_sig | ( | unsigned char | sig | ) |
Definition at line 4521 of file ssl_tls.c.
References POLARSSL_PK_ECDSA, POLARSSL_PK_NONE, POLARSSL_PK_RSA, SSL_SIG_ECDSA, and SSL_SIG_RSA.
Referenced by ssl_parse_certificate_verify(), and ssl_parse_signature_algorithm().
int ssl_psk_derive_premaster | ( | ssl_context * | ssl, | |
key_exchange_type_t | key_ex | |||
) |
Definition at line 825 of file ssl_tls.c.
References dhm_calc_secret(), _ssl_handshake_params::dhm_ctx, ecdh_calc_secret(), _ssl_handshake_params::ecdh_ctx, _ssl_context::f_rng, _ssl_context::handshake, dhm_context::K, dhm_context::len, _ssl_context::p_rng, _ssl_handshake_params::pmslen, POLARSSL_ERR_SSL_BAD_INPUT_DATA, POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE, POLARSSL_KEY_EXCHANGE_DHE_PSK, POLARSSL_KEY_EXCHANGE_ECDHE_PSK, POLARSSL_KEY_EXCHANGE_PSK, POLARSSL_KEY_EXCHANGE_RSA_PSK, _ssl_handshake_params::premaster, _ssl_context::psk, _ssl_context::psk_len, SSL_DEBUG_MPI, SSL_DEBUG_MSG, SSL_DEBUG_RET, and ecdh_context::z.
Referenced by ssl_parse_client_key_exchange(), and ssl_write_client_key_exchange().
int ssl_read | ( | ssl_context * | ssl, | |
unsigned char * | buf, | |||
size_t | len | |||
) |
Read at most 'len' application data bytes.
ssl | SSL context | |
buf | buffer that will hold the data | |
len | maximum number of bytes to read (fewer may be returned) |
Definition at line 4088 of file ssl_tls.c.
References _ssl_context::allow_legacy_renegotiation, _ssl_context::disable_renegotiation, _ssl_context::endpoint, _ssl_context::in_hslen, _ssl_context::in_msg, _ssl_context::in_msglen, _ssl_context::in_msgtype, _ssl_context::in_offt, _ssl_context::minor_ver, POLARSSL_ERR_NET_WANT_READ, POLARSSL_ERR_SSL_CONN_EOF, POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE, POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE, _ssl_context::renegotiation, _ssl_context::secure_renegotiation, SSL_ALERT_LEVEL_WARNING, SSL_ALERT_MSG_NO_RENEGOTIATION, SSL_DEBUG_MSG, SSL_DEBUG_RET, ssl_handshake(), SSL_HANDSHAKE_OVER, SSL_HS_HELLO_REQUEST, SSL_IS_CLIENT, SSL_LEGACY_NO_RENEGOTIATION, SSL_LEGACY_RENEGOTIATION, SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MSG_APPLICATION_DATA, SSL_MSG_HANDSHAKE, ssl_read_record(), SSL_RENEGOTIATION_DISABLED, SSL_RENEGOTIATION_PENDING, ssl_send_alert_message(), ssl_send_fatal_handshake_failure(), ssl_start_renegotiation(), and _ssl_context::state.
int ssl_read_record | ( | ssl_context * | ssl | ) |
Subtract from error code as ssl->in_msg[1] is 7-bit positive error identifier.
Definition at line 2010 of file ssl_tls.c.
References _ssl_session::compression, _ssl_context::handshake, _ssl_context::in_hdr, _ssl_context::in_hslen, _ssl_context::in_left, _ssl_context::in_msg, _ssl_context::in_msglen, _ssl_context::in_msgtype, _ssl_context::major_ver, _ssl_context::max_minor_ver, _ssl_transform::minlen, _ssl_context::minor_ver, POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE, POLARSSL_ERR_SSL_HW_ACCEL_FAILED, POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH, POLARSSL_ERR_SSL_INVALID_MAC, POLARSSL_ERR_SSL_INVALID_RECORD, POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY, _ssl_context::session_in, SSL_ALERT_LEVEL_FATAL, SSL_ALERT_LEVEL_WARNING, SSL_ALERT_MSG_BAD_RECORD_MAC, SSL_ALERT_MSG_CLOSE_NOTIFY, SSL_ALERT_MSG_UNEXPECTED_MESSAGE, SSL_COMPRESS_DEFLATE, SSL_DEBUG_BUF, SSL_DEBUG_MSG, SSL_DEBUG_RET, ssl_decrypt_buf(), ssl_fetch_input(), SSL_HANDSHAKE_OVER, SSL_MAX_CONTENT_LEN, SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MSG_ALERT, SSL_MSG_APPLICATION_DATA, SSL_MSG_CHANGE_CIPHER_SPEC, SSL_MSG_HANDSHAKE, ssl_send_alert_message(), _ssl_context::state, _ssl_context::transform_in, and _ssl_handshake_params::update_checksum.
Referenced by ssl_parse_certificate(), ssl_parse_certificate_request(), ssl_parse_certificate_verify(), ssl_parse_change_cipher_spec(), ssl_parse_client_key_exchange(), ssl_parse_finished(), ssl_parse_new_session_ticket(), ssl_parse_server_hello(), ssl_parse_server_hello_done(), ssl_parse_server_key_exchange(), and ssl_read().
int ssl_renegotiate | ( | ssl_context * | ssl | ) |
Initiate an SSL renegotiation on the running connection.
Client: perform the renegotiation right now. Server: request renegotiation, which will be performed during the next call to ssl_read() if honored by client.
ssl | SSL context |
Definition at line 4041 of file ssl_tls.c.
References _ssl_context::endpoint, POLARSSL_ERR_SSL_BAD_INPUT_DATA, POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE, _ssl_context::renegotiation, SSL_DEBUG_RET, ssl_handshake(), SSL_HANDSHAKE_OVER, SSL_IS_SERVER, SSL_RENEGOTIATION, ssl_start_renegotiation(), ssl_write_hello_request(), and _ssl_context::state.
int ssl_send_alert_message | ( | ssl_context * | ssl, | |
unsigned char | level, | |||
unsigned char | message | |||
) |
Send an alert message.
ssl | SSL context | |
level | The alert level of the message (SSL_ALERT_LEVEL_WARNING or SSL_ALERT_LEVEL_FATAL) | |
message | The alert message (SSL_ALERT_MSG_*) |
Definition at line 2290 of file ssl_tls.c.
References _ssl_context::out_msg, _ssl_context::out_msglen, _ssl_context::out_msgtype, SSL_DEBUG_MSG, SSL_DEBUG_RET, SSL_MSG_ALERT, and ssl_write_record().
Referenced by ssl_close_notify(), ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_client_psk_identity(), ssl_parse_server_hello(), ssl_parse_servername_ext(), ssl_read(), ssl_read_record(), and ssl_send_fatal_handshake_failure().
int ssl_send_fatal_handshake_failure | ( | ssl_context * | ssl | ) |
Definition at line 2276 of file ssl_tls.c.
References SSL_ALERT_LEVEL_FATAL, SSL_ALERT_MSG_HANDSHAKE_FAILURE, and ssl_send_alert_message().
Referenced by ssl_parse_client_hello(), ssl_parse_client_hello_v2(), ssl_parse_renegotiation_info(), ssl_parse_server_hello(), and ssl_read().
void ssl_session_free | ( | ssl_session * | session | ) |
Free referenced items in an SSL session including the peer certificate and clear memory.
session | SSL session |
Definition at line 4389 of file ssl_tls.c.
References _ssl_session::peer_cert, polarssl_free, _ssl_session::ticket, and x509_crt_free().
Referenced by ssl_cache_free(), ssl_free(), ssl_handshake_init(), ssl_handshake_wrapup(), ssl_parse_ticket(), ssl_session_copy(), and ssl_session_reset().
int ssl_session_reset | ( | ssl_context * | ssl | ) |
Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data.
ssl | SSL context |
Definition at line 3364 of file ssl_tls.c.
References _ssl_context::in_ctr, _ssl_context::in_hslen, _ssl_context::in_left, _ssl_context::in_msg, _ssl_context::in_msglen, _ssl_context::in_msgtype, _ssl_context::in_offt, _ssl_context::nb_zero, _ssl_context::out_ctr, _ssl_context::out_left, _ssl_context::out_msg, _ssl_context::out_msglen, _ssl_context::out_msgtype, _ssl_context::own_verify_data, _ssl_context::peer_verify_data, POLARSSL_ERR_SSL_HW_ACCEL_FAILED, polarssl_free, _ssl_context::record_read, _ssl_context::renegotiation, _ssl_context::secure_renegotiation, _ssl_context::session, SSL_BUFFER_LEN, SSL_DEBUG_MSG, SSL_DEBUG_RET, ssl_handshake_init(), SSL_HELLO_REQUEST, SSL_INITIAL_HANDSHAKE, SSL_LEGACY_RENEGOTIATION, ssl_session_free(), ssl_transform_free(), _ssl_context::state, _ssl_context::transform, _ssl_context::transform_in, _ssl_context::transform_out, and _ssl_context::verify_data_len.
void ssl_set_authmode | ( | ssl_context * | ssl, | |
int | authmode | |||
) |
Set the certificate verification mode.
ssl | SSL context | |
authmode | can be: |
SSL_VERIFY_NONE: peer certificate is not checked (default), this is insecure and SHOULD be avoided.
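SSL_VERIFY_OPTIONAL: peer certificate is checked, however the handshake continues even if verification failed; ssl_get_verify_result() can be called after the handshake is complete. In this mode the application must call ssl_get_verify_result() itself and reject the connection on a non-zero result, otherwise an unverified peer is accepted.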
SSL_VERIFY_REQUIRED: peer *must* present a valid certificate, handshake is aborted if verification failed.
Definition at line 3479 of file ssl_tls.c.
References _ssl_context::authmode.
void ssl_set_bio | ( | ssl_context * | ssl, | |
int(*)(void *, unsigned char *, size_t) | f_recv, | |||
void * | p_recv, | |||
int(*)(void *, const unsigned char *, size_t) | f_send, | |||
void * | p_send | |||
) |
Set the underlying BIO read and write callbacks.
ssl | SSL context | |
f_recv | read callback | |
p_recv | read parameter | |
f_send | write callback | |
p_send | write parameter |
Definition at line 3510 of file ssl_tls.c.
References _ssl_context::f_recv, _ssl_context::f_send, _ssl_context::p_recv, and _ssl_context::p_send.
void ssl_set_ca_chain | ( | ssl_context * | ssl, | |
x509_crt * | ca_chain, | |||
x509_crl * | ca_crl, | |||
const char * | peer_cn | |||
) |
Set the data required to verify peer certificate.
ssl | SSL context | |
ca_chain | trusted CA chain (meaning all fully trusted top-level CAs) | |
ca_crl | trusted CA CRLs | |
peer_cn | expected peer CommonName (or NULL, in which case the peer name is not checked) |
Definition at line 3599 of file ssl_tls.c.
References _ssl_context::ca_chain, _ssl_context::ca_crl, and _ssl_context::peer_cn.
void ssl_set_ciphersuites | ( | ssl_context * | ssl, | |
const int * | ciphersuites | |||
) |
Set the list of allowed ciphersuites (Overrides all version specific lists).
ssl | SSL context | |
ciphersuites | 0-terminated list of allowed ciphersuites |
Definition at line 3550 of file ssl_tls.c.
References _ssl_context::ciphersuite_list, SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_2, and SSL_MINOR_VERSION_3.
Referenced by ssl_init().
void ssl_set_ciphersuites_for_version | ( | ssl_context * | ssl, | |
const int * | ciphersuites, | |||
int | major, | |||
int | minor | |||
) |
Set the list of allowed ciphersuites for a specific version of the protocol.
(Only useful on the server side)
ssl | SSL context | |
ciphersuites | 0-terminated list of allowed ciphersuites | |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) | |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_2 and SSL_MINOR_VERSION_3 supported) |
Definition at line 3558 of file ssl_tls.c.
References _ssl_context::ciphersuite_list, SSL_MAJOR_VERSION_3, and SSL_MINOR_VERSION_3.
void ssl_set_dbg | ( | ssl_context * | ssl, | |
void(*)(void *, int, const char *) | f_dbg, | |||
void * | p_dbg | |||
) |
Set the debug callback.
ssl | SSL context | |
f_dbg | debug function | |
p_dbg | debug parameter |
Definition at line 3502 of file ssl_tls.c.
References _ssl_context::f_dbg, and _ssl_context::p_dbg.
Referenced by test_suite_debug_print_crt(), and test_suite_debug_print_mpi().
int ssl_set_dh_param | ( | ssl_context * | ssl, | |
const char * | dhm_P, | |||
const char * | dhm_G | |||
) |
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG]).
ssl | SSL context | |
dhm_P | Diffie-Hellman-Merkle modulus | |
dhm_G | Diffie-Hellman-Merkle generator |
Definition at line 3719 of file ssl_tls.c.
References _ssl_context::dhm_G, _ssl_context::dhm_P, mpi_read_string(), and SSL_DEBUG_RET.
int ssl_set_dh_param_ctx | ( | ssl_context * | ssl, | |
dhm_context * | dhm_ctx | |||
) |
Set the Diffie-Hellman public P and G values, read from existing context (server-side only).
ssl | SSL context | |
dhm_ctx | Diffie-Hellman-Merkle context |
Definition at line 3738 of file ssl_tls.c.
References _ssl_context::dhm_G, _ssl_context::dhm_P, dhm_context::G, mpi_copy(), dhm_context::P, and SSL_DEBUG_RET.
void ssl_set_endpoint | ( | ssl_context * | ssl, | |
int | endpoint | |||
) |
Set the current endpoint type.
ssl | SSL context | |
endpoint | must be SSL_IS_CLIENT or SSL_IS_SERVER |
Definition at line 3469 of file ssl_tls.c.
References _ssl_context::endpoint, _ssl_context::session_tickets, SSL_IS_CLIENT, and SSL_SESSION_TICKETS_ENABLED.
int ssl_set_hostname | ( | ssl_context * | ssl, | |
const char * | hostname | |||
) |
Set hostname for ServerName TLS extension (client-side only).
ssl | SSL context | |
hostname | the server hostname |
Definition at line 3759 of file ssl_tls.c.
References _ssl_context::hostname, _ssl_context::hostname_len, POLARSSL_ERR_SSL_BAD_INPUT_DATA, POLARSSL_ERR_SSL_MALLOC_FAILED, and polarssl_malloc.
int ssl_set_max_frag_len | ( | ssl_context * | ssl, | |
unsigned char | mfl_code | |||
) |
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes). Server: set maximum fragment length to emit, usually negotiated by the client during handshake. Client: set maximum fragment length to emit *and* negotiate with the server during handshake.
ssl | SSL context | |
mfl_code | Code for maximum fragment length (allowed values: SSL_MAX_FRAG_LEN_512, SSL_MAX_FRAG_LEN_1024, SSL_MAX_FRAG_LEN_2048, SSL_MAX_FRAG_LEN_4096) |
Definition at line 3813 of file ssl_tls.c.
References _ssl_context::mfl_code, mfl_code_to_length, POLARSSL_ERR_SSL_BAD_INPUT_DATA, and SSL_MAX_CONTENT_LEN.
void ssl_set_max_version | ( | ssl_context * | ssl, | |
int | major, | |||
int | minor | |||
) |
Set the maximum supported version sent from the client side and/or accepted at the server side (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION).
Note: This ignores ciphersuites from 'higher' versions. Note: Input outside of the SSL_MAX_XXXXX_VERSION and SSL_MIN_XXXXX_VERSION range is ignored.
ssl | SSL context | |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) | |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_2 and SSL_MINOR_VERSION_3 supported) |
Definition at line 3792 of file ssl_tls.c.
References _ssl_context::max_major_ver, _ssl_context::max_minor_ver, SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION, SSL_MIN_MAJOR_VERSION, and SSL_MIN_MINOR_VERSION.
void ssl_set_min_version | ( | ssl_context * | ssl, | |
int | major, | |||
int | minor | |||
) |
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION).
Note: Input outside of the SSL_MAX_XXXXX_VERSION and SSL_MIN_XXXXX_VERSION range is ignored.
ssl | SSL context | |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) | |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_2 and SSL_MINOR_VERSION_3 supported) |
Definition at line 3802 of file ssl_tls.c.
References _ssl_context::min_major_ver, _ssl_context::min_minor_ver, SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION, SSL_MIN_MAJOR_VERSION, and SSL_MIN_MINOR_VERSION.
int ssl_set_own_cert | ( | ssl_context * | ssl, | |
x509_crt * | own_cert, | |||
pk_context * | pk_key | |||
) |
Set own certificate chain and private key.
ssl | SSL context | |
own_cert | own public certificate chain | |
pk_key | own private key |
Definition at line 3607 of file ssl_tls.c.
References _ssl_key_cert::cert, _ssl_key_cert::key, POLARSSL_ERR_SSL_MALLOC_FAILED, and ssl_add_key_cert().
int ssl_set_own_cert_alt | ( | ssl_context * | ssl, | |
x509_crt * | own_cert, | |||
void * | rsa_key, | |||
rsa_decrypt_func | rsa_decrypt, | |||
rsa_sign_func | rsa_sign, | |||
rsa_key_len_func | rsa_key_len | |||
) |
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
(see the respective RSA functions in rsa.h for documentation of the callback parameters, with the only change being that the rsa_context * is a void * in the callbacks)
Note: own_cert should contain your certificate chain in order, from the bottom up. The top certificate (self-signed) can be omitted.
ssl | SSL context | |
own_cert | own public certificate chain | |
rsa_key | alternate implementation private RSA key | |
rsa_decrypt | alternate implementation of rsa_pkcs1_decrypt() | |
rsa_sign | alternate implementation of rsa_pkcs1_sign() | |
rsa_key_len | function returning length of RSA key in bytes |
Definition at line 3651 of file ssl_tls.c.
References _ssl_key_cert::cert, _ssl_key_cert::key, _ssl_key_cert::key_own_alloc, pk_init(), pk_init_ctx_rsa_alt(), POLARSSL_ERR_SSL_MALLOC_FAILED, polarssl_malloc, and ssl_add_key_cert().
int ssl_set_own_cert_rsa | ( | ssl_context * | ssl, | |
x509_crt * | own_cert, | |||
rsa_context * | rsa_key | |||
) |
Set own certificate chain and private RSA key.
Note: own_cert should contain your certificate chain in order, from the bottom up. The top certificate (self-signed) can be omitted.
ssl | SSL context | |
own_cert | own public certificate chain | |
rsa_key | own private RSA key |
Definition at line 3622 of file ssl_tls.c.
References _ssl_key_cert::cert, _ssl_key_cert::key, _ssl_key_cert::key_own_alloc, pk_info_from_type(), pk_init(), pk_init_ctx(), pk_rsa, POLARSSL_ERR_SSL_MALLOC_FAILED, polarssl_malloc, POLARSSL_PK_RSA, rsa_copy(), and ssl_add_key_cert().
int ssl_set_psk | ( | ssl_context * | ssl, | |
const unsigned char * | psk, | |||
size_t | psk_len, | |||
const unsigned char * | psk_identity, | |||
size_t | psk_identity_len | |||
) |
Set the Pre Shared Key (PSK) and the identity name connected to it.
ssl | SSL context | |
psk | pointer to the pre-shared key | |
psk_len | pre-shared key length | |
psk_identity | pointer to the pre-shared key identity | |
psk_identity_len | length of the pre-shared key identity |
Definition at line 3681 of file ssl_tls.c.
References POLARSSL_ERR_SSL_BAD_INPUT_DATA, POLARSSL_ERR_SSL_MALLOC_FAILED, polarssl_free, polarssl_malloc, _ssl_context::psk, _ssl_context::psk_identity, _ssl_context::psk_identity_len, and _ssl_context::psk_len.
void ssl_set_psk_cb | ( | ssl_context * | ssl, | |
int(*)(void *, ssl_context *, const unsigned char *, size_t) | f_psk, | |||
void * | p_psk | |||
) |
Set the PSK callback (server-side only) (Optional).
If set, the PSK callback is called for each handshake where a PSK ciphersuite was negotiated. The callback provides the identity received and wants to receive the actual PSK data and length.
The callback has the following parameters: (void *parameter, ssl_context *ssl, const unsigned char *psk_identity, size_t identity_len) If a valid PSK identity is found, the callback should use ssl_set_psk() on the ssl context to set the correct PSK and identity and return 0. Any other return value will result in a denied PSK identity.
ssl | SSL context | |
f_psk | PSK identity function | |
p_psk | PSK identity parameter |
Definition at line 3708 of file ssl_tls.c.
References _ssl_context::f_psk, and _ssl_context::p_psk.
void ssl_set_renegotiation | ( | ssl_context * | ssl, | |
int | renegotiation | |||
) |
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIATION_DISABLED).
Note: A server with support enabled is more vulnerable to a resource DoS by a malicious client. You should enable this on a client to enable server-initiated renegotiation.
ssl | SSL context | |
renegotiation | Enable or disable (SSL_RENEGOTIATION_ENABLED or SSL_RENEGOTIATION_DISABLED) |
Definition at line 3839 of file ssl_tls.c.
References _ssl_context::disable_renegotiation.
void ssl_set_rng | ( | ssl_context * | ssl, | |
int(*)(void *, unsigned char *, size_t) | f_rng, | |||
void * | p_rng | |||
) |
Set the random number generator callback.
ssl | SSL context | |
f_rng | RNG function | |
p_rng | RNG parameter |
Definition at line 3494 of file ssl_tls.c.
References _ssl_context::f_rng, and _ssl_context::p_rng.
int ssl_set_session | ( | ssl_context * | ssl, | |
const ssl_session * | session | |||
) |
Request resumption of session (client-side only). Session data is copied from the presented session structure.
ssl | SSL context | |
session | session context |
Definition at line 3530 of file ssl_tls.c.
References _ssl_context::endpoint, _ssl_context::handshake, POLARSSL_ERR_SSL_BAD_INPUT_DATA, _ssl_handshake_params::resume, _ssl_context::session_negotiate, SSL_IS_CLIENT, and ssl_session_copy().
void ssl_set_session_cache | ( | ssl_context * | ssl, | |
int(*)(void *, ssl_session *) | f_get_cache, | |||
void * | p_get_cache, | |||
int(*)(void *, const ssl_session *) | f_set_cache, | |||
void * | p_set_cache | |||
) |
Set the session cache callbacks (server-side only). If not set, no session resuming is done.
The session cache has the responsibility to check for stale entries based on timeout. See RFC 5246 for recommendations.
Warning: session.peer_cert is cleared by the SSL/TLS layer on connection shutdown, so do not cache the pointer! Either set it to NULL or make a full copy of the certificate.
The get callback is called once during the initial handshake to enable session resuming. The get function has the following parameters: (void *parameter, ssl_session *session) If a valid entry is found, it should fill the master of the session object with the cached values and return 0, return 1 otherwise. Optionally peer_cert can be set as well if it is properly present in cache entry.
The set callback is called once during the initial handshake to enable session resuming after the entire handshake has been finished. The set function has the following parameters: (void *parameter, const ssl_session *session). The function should create a cache entry for future retrieval based on the data in the session structure and should keep in mind that the ssl_session object presented (and all its referenced data) is cleared by the SSL/TLS layer when the connection is terminated. It is recommended to add metadata to determine if an entry is still valid in the future. Return 0 if successfully cached, return 1 otherwise.
ssl | SSL context | |
f_get_cache | session get callback | |
p_get_cache | session get parameter | |
f_set_cache | session set callback | |
p_set_cache | session set parameter |
Definition at line 3520 of file ssl_tls.c.
References _ssl_context::f_get_cache, _ssl_context::f_set_cache, _ssl_context::p_get_cache, and _ssl_context::p_set_cache.
void ssl_set_session_ticket_lifetime | ( | ssl_context * | ssl, | |
int | lifetime | |||
) |
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day)).
ssl | SSL context | |
lifetime | session ticket lifetime |
Definition at line 3863 of file ssl_tls.c.
References _ssl_context::ticket_lifetime.
int ssl_set_session_tickets | ( | ssl_context * | ssl, | |
int | use_tickets | |||
) |
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS_DISABLED on server).
ssl | SSL context | |
use_tickets | Enable or disable (SSL_SESSION_TICKETS_ENABLED or SSL_SESSION_TICKETS_DISABLED) |
Definition at line 3850 of file ssl_tls.c.
References _ssl_context::endpoint, _ssl_context::f_rng, POLARSSL_ERR_SSL_BAD_INPUT_DATA, _ssl_context::session_tickets, SSL_IS_CLIENT, and ssl_ticket_keys_init().
void ssl_set_sni | ( | ssl_context * | ssl, | |
int(*)(void *, ssl_context *, const unsigned char *, size_t) | f_sni, | |||
void * | p_sni | |||
) |
Set server side ServerName TLS extension callback (optional, server-side only).
If set, the ServerName callback is called whenever the server receives a ServerName TLS extension from the client during a handshake. The ServerName callback has the following parameters: (void *parameter, ssl_context *ssl, const unsigned char *hostname, size_t len). If a suitable certificate is found, the callback should set the certificate and key to use with ssl_set_own_cert() (and possibly adjust the CA chain as well) and return 0. The callback should return -1 to abort the handshake at this point.
ssl | SSL context | |
f_sni | ServerName callback function | |
p_sni | ServerName callback parameter |
Definition at line 3782 of file ssl_tls.c.
References _ssl_context::f_sni, and _ssl_context::p_sni.
int ssl_set_truncated_hmac | ( | ssl_context * | ssl, | |
int | truncate | |||
) |
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED).
ssl | SSL context | |
truncate | Enable or disable (SSL_TRUNC_HMAC_ENABLED or SSL_TRUNC_HMAC_DISABLED) |
Definition at line 3828 of file ssl_tls.c.
References _ssl_context::endpoint, POLARSSL_ERR_SSL_BAD_INPUT_DATA, SSL_IS_CLIENT, and _ssl_context::trunc_hmac.
void ssl_set_verify | ( | ssl_context * | ssl, | |
int(*)(void *, x509_crt *, int, int *) | f_vrfy, | |||
void * | p_vrfy | |||
) |
Set the verification callback (Optional).
If set, the verify callback is called for each certificate in the chain. For implementation information, please see x509_crt_verify() (named x509parse_verify() in earlier releases).
ssl | SSL context | |
f_vrfy | verification function | |
p_vrfy | verification parameter |
Definition at line 3485 of file ssl_tls.c.
References _ssl_context::f_vrfy, and _ssl_context::p_vrfy.
unsigned char ssl_sig_from_pk | ( | pk_context * | pk | ) |
Definition at line 4508 of file ssl_tls.c.
References pk_can_do(), POLARSSL_PK_ECDSA, POLARSSL_PK_RSA, SSL_SIG_ANON, SSL_SIG_ECDSA, and SSL_SIG_RSA.
Referenced by ssl_write_certificate_verify(), and ssl_write_server_key_exchange().
void ssl_transform_free | ( | ssl_transform * | transform | ) |
Free referenced items in an SSL transform context and clear memory.
transform | SSL transform context |
Definition at line 4316 of file ssl_tls.c.
References _ssl_transform::cipher_ctx_dec, _ssl_transform::cipher_ctx_enc, cipher_free_ctx(), _ssl_transform::md_ctx_dec, _ssl_transform::md_ctx_enc, and md_free_ctx().
Referenced by ssl_free(), ssl_handshake_init(), ssl_handshake_wrapup(), and ssl_session_reset().
int ssl_write | ( | ssl_context * | ssl, | |
const unsigned char * | buf, | |||
size_t | len | |||
) |
Write exactly 'len' application data bytes.
ssl | SSL context | |
buf | buffer holding the data | |
len | how many bytes must be written |
Definition at line 4225 of file ssl_tls.c.
References _ssl_session::mfl_code, _ssl_context::mfl_code, mfl_code_to_length, _ssl_context::out_left, _ssl_context::out_msg, _ssl_context::out_msglen, _ssl_context::out_msgtype, _ssl_context::session_out, SSL_DEBUG_MSG, SSL_DEBUG_RET, ssl_flush_output(), ssl_handshake(), SSL_HANDSHAKE_OVER, SSL_MAX_CONTENT_LEN, SSL_MSG_APPLICATION_DATA, ssl_write_record(), and _ssl_context::state.
int ssl_write_certificate | ( | ssl_context * | ssl | ) |
Definition at line 2361 of file ssl_tls.c.
References _ssl_transform::ciphersuite_info, _ssl_context::client_auth, _ssl_context::endpoint, _ssl_ciphersuite_t::key_exchange, _asn1_buf::len, _ssl_context::minor_ver, _x509_crt::next, _ssl_context::out_msg, _ssl_context::out_msglen, _ssl_context::out_msgtype, _asn1_buf::p, POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED, POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE, POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE, POLARSSL_KEY_EXCHANGE_DHE_PSK, POLARSSL_KEY_EXCHANGE_ECDHE_PSK, POLARSSL_KEY_EXCHANGE_PSK, _x509_crt::raw, SSL_ALERT_LEVEL_WARNING, SSL_ALERT_MSG_NO_CERT, SSL_DEBUG_CRT, SSL_DEBUG_MSG, SSL_DEBUG_RET, SSL_HS_CERTIFICATE, SSL_IS_CLIENT, SSL_MAX_CONTENT_LEN, SSL_MINOR_VERSION_0, SSL_MSG_ALERT, SSL_MSG_HANDSHAKE, ssl_own_cert(), ssl_write_record(), _ssl_context::state, and _ssl_context::transform_negotiate.
Referenced by ssl_handshake_client_step(), and ssl_handshake_server_step().
int ssl_write_change_cipher_spec | ( | ssl_context * | ssl | ) |
Definition at line 2652 of file ssl_tls.c.
References _ssl_context::out_msg, _ssl_context::out_msglen, _ssl_context::out_msgtype, SSL_DEBUG_MSG, SSL_DEBUG_RET, SSL_MSG_CHANGE_CIPHER_SPEC, ssl_write_record(), and _ssl_context::state.
Referenced by ssl_handshake_client_step(), and ssl_handshake_server_step().
int ssl_write_finished | ( | ssl_context * | ssl | ) |
Definition at line 3064 of file ssl_tls.c.
References _ssl_handshake_params::calc_finished, _ssl_context::endpoint, _ssl_transform::fixed_ivlen, _ssl_context::handshake, _ssl_transform::ivlen, _ssl_context::minor_ver, _ssl_context::out_ctr, _ssl_context::out_iv, _ssl_context::out_msg, _ssl_context::out_msglen, _ssl_context::out_msgtype, _ssl_context::own_verify_data, POLARSSL_ERR_SSL_HW_ACCEL_FAILED, _ssl_handshake_params::resume, _ssl_context::session_negotiate, _ssl_context::session_out, SSL_CLIENT_CHANGE_CIPHER_SPEC, SSL_DEBUG_MSG, SSL_DEBUG_RET, SSL_HANDSHAKE_WRAPUP, SSL_HS_FINISHED, SSL_IS_CLIENT, SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_2, SSL_MSG_HANDSHAKE, ssl_write_record(), _ssl_context::state, _ssl_context::transform_negotiate, _ssl_context::transform_out, and _ssl_context::verify_data_len.
Referenced by ssl_handshake_client_step(), and ssl_handshake_server_step().
int ssl_write_record | ( | ssl_context * | ssl | ) |
Definition at line 1920 of file ssl_tls.c.
References _ssl_session::compression, _ssl_context::handshake, _ssl_context::major_ver, _ssl_context::minor_ver, _ssl_context::out_hdr, _ssl_context::out_left, _ssl_context::out_msg, _ssl_context::out_msglen, _ssl_context::out_msgtype, POLARSSL_ERR_SSL_HW_ACCEL_FAILED, POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH, _ssl_context::session_out, SSL_COMPRESS_DEFLATE, SSL_DEBUG_BUF, SSL_DEBUG_MSG, SSL_DEBUG_RET, ssl_encrypt_buf(), ssl_flush_output(), SSL_HS_HELLO_REQUEST, SSL_MSG_HANDSHAKE, _ssl_context::transform_out, and _ssl_handshake_params::update_checksum.
Referenced by ssl_send_alert_message(), ssl_write(), ssl_write_certificate(), ssl_write_certificate_request(), ssl_write_certificate_verify(), ssl_write_change_cipher_spec(), ssl_write_client_hello(), ssl_write_client_key_exchange(), ssl_write_finished(), ssl_write_hello_request(), ssl_write_new_session_ticket(), ssl_write_server_hello(), ssl_write_server_hello_done(), and ssl_write_server_key_exchange().