PolarSSL v1.3.1
SSL/TLS functions. More...
#include "config.h"
#include "net.h"
#include "bignum.h"
#include "ssl_ciphersuites.h"
#include "md5.h"
#include "sha1.h"
#include "sha256.h"
#include "sha512.h"
#include "aes.h"
#include "x509_crt.h"
#include "x509_crl.h"
#include "dhm.h"
#include "ecdh.h"
#include <time.h>
Data Structures | |
struct | _ssl_session |
struct | _ssl_transform |
struct | _ssl_handshake_params |
struct | _ssl_ticket_keys |
struct | _ssl_key_cert |
struct | _ssl_context |
Macros | |
#define | POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED |
#define | POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 |
The requested feature is not available. More... | |
#define | POLARSSL_ERR_SSL_BAD_INPUT_DATA -0x7100 |
Bad input parameters to function. More... | |
#define | POLARSSL_ERR_SSL_INVALID_MAC -0x7180 |
Verification of the message MAC failed. More... | |
#define | POLARSSL_ERR_SSL_INVALID_RECORD -0x7200 |
An invalid SSL record was received. More... | |
#define | POLARSSL_ERR_SSL_CONN_EOF -0x7280 |
The connection indicated an EOF. More... | |
#define | POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x7300 |
An unknown cipher was received. More... | |
#define | POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 |
The server has no ciphersuites in common with the client. More... | |
#define | POLARSSL_ERR_SSL_NO_SESSION_FOUND -0x7400 |
No session to recover was found. More... | |
#define | POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 |
No client certificate received from the client, but required by the authentication mode. More... | |
#define | POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 |
Our own certificate(s) is/are too large to send in an SSL message. More... | |
#define | POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 |
The own certificate is not set, but needed by the server. More... | |
#define | POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 |
The own private key or pre-shared key is not set, but needed. More... | |
#define | POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 |
No CA Chain is set, but required to operate. More... | |
#define | POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 |
An unexpected message was received from our peer. More... | |
#define | POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 |
A fatal alert message was received from our peer. More... | |
#define | POLARSSL_ERR_SSL_PEER_VERIFY_FAILED -0x7800 |
Verification of our peer failed. More... | |
#define | POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 |
The peer notified us that the connection is going to be closed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 |
Processing of the ClientHello handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 |
Processing of the ServerHello handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00 |
Processing of the Certificate handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0x7A80 |
Processing of the CertificateRequest handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0x7B00 |
Processing of the ServerKeyExchange handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0x7B80 |
Processing of the ServerHelloDone handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0x7C00 |
Processing of the ClientKeyExchange handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP -0x7C80 |
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS -0x7D00 |
Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80 |
Processing of the CertificateVerify handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00 |
Processing of the ChangeCipherSpec handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_FINISHED -0x7E80 |
Processing of the Finished handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_MALLOC_FAILED -0x7F00 |
Memory allocation failed. More... | |
#define | POLARSSL_ERR_SSL_HW_ACCEL_FAILED -0x7F80 |
Hardware acceleration function returned with error. More... | |
#define | POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 |
Hardware acceleration function skipped / left alone data. More... | |
#define | POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 |
Processing of the compression / decompression failed. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 |
Handshake protocol not within min/max boundaries. More... | |
#define | POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 |
Processing of the NewSessionTicket handshake message failed. More... | |
#define | POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 |
Session ticket has expired. More... | |
#define | POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 |
Public key type mismatch (eg, asked for RSA key exchange and presented EC key) More... | |
#define | POLARSSL_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 |
Unknown identity received (eg, PSK identity) More... | |
#define | SSL_MAJOR_VERSION_3 3 |
#define | SSL_MINOR_VERSION_0 0 |
#define | SSL_MINOR_VERSION_1 1 |
#define | SSL_MINOR_VERSION_2 2 |
#define | SSL_MINOR_VERSION_3 3 |
#define | SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3 |
#define | SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0 |
#define | SSL_MAX_MAJOR_VERSION SSL_MAJOR_VERSION_3 |
#define | SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_3 |
#define | SSL_MAX_FRAG_LEN_NONE 0 |
#define | SSL_MAX_FRAG_LEN_512 1 |
#define | SSL_MAX_FRAG_LEN_1024 2 |
#define | SSL_MAX_FRAG_LEN_2048 3 |
#define | SSL_MAX_FRAG_LEN_4096 4 |
#define | SSL_MAX_FRAG_LEN_INVALID 5 |
#define | SSL_IS_CLIENT 0 |
#define | SSL_IS_SERVER 1 |
#define | SSL_COMPRESS_NULL 0 |
#define | SSL_COMPRESS_DEFLATE 1 |
#define | SSL_VERIFY_NONE 0 |
#define | SSL_VERIFY_OPTIONAL 1 |
#define | SSL_VERIFY_REQUIRED 2 |
#define | SSL_INITIAL_HANDSHAKE 0 |
#define | SSL_RENEGOTIATION 1 |
#define | SSL_LEGACY_RENEGOTIATION 0 |
#define | SSL_SECURE_RENEGOTIATION 1 |
#define | SSL_RENEGOTIATION_DISABLED 0 |
#define | SSL_RENEGOTIATION_ENABLED 1 |
#define | SSL_LEGACY_NO_RENEGOTIATION 0 |
#define | SSL_LEGACY_ALLOW_RENEGOTIATION 1 |
#define | SSL_LEGACY_BREAK_HANDSHAKE 2 |
#define | SSL_TRUNC_HMAC_DISABLED 0 |
#define | SSL_TRUNC_HMAC_ENABLED 1 |
#define | SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */ |
#define | SSL_SESSION_TICKETS_DISABLED 0 |
#define | SSL_SESSION_TICKETS_ENABLED 1 |
#define | SSL_DEFAULT_TICKET_LIFETIME 86400 |
Lifetime of session tickets (if enabled) More... | |
#define | SSL_MAX_CONTENT_LEN 16384 |
Size of the input / output buffer. More... | |
#define | SSL_COMPRESSION_ADD 0 |
#define | SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 512) |
#define | SSL_EMPTY_RENEGOTIATION_INFO 0xFF |
renegotiation info ext More... | |
#define | SSL_HASH_NONE 0 |
#define | SSL_HASH_MD5 1 |
#define | SSL_HASH_SHA1 2 |
#define | SSL_HASH_SHA224 3 |
#define | SSL_HASH_SHA256 4 |
#define | SSL_HASH_SHA384 5 |
#define | SSL_HASH_SHA512 6 |
#define | SSL_SIG_ANON 0 |
#define | SSL_SIG_RSA 1 |
#define | SSL_SIG_ECDSA 3 |
#define | SSL_CERT_TYPE_RSA_SIGN 1 |
#define | SSL_CERT_TYPE_ECDSA_SIGN 64 |
#define | SSL_MSG_CHANGE_CIPHER_SPEC 20 |
#define | SSL_MSG_ALERT 21 |
#define | SSL_MSG_HANDSHAKE 22 |
#define | SSL_MSG_APPLICATION_DATA 23 |
#define | SSL_ALERT_LEVEL_WARNING 1 |
#define | SSL_ALERT_LEVEL_FATAL 2 |
#define | SSL_ALERT_MSG_CLOSE_NOTIFY 0 /* 0x00 */ |
#define | SSL_ALERT_MSG_UNEXPECTED_MESSAGE 10 /* 0x0A */ |
#define | SSL_ALERT_MSG_BAD_RECORD_MAC 20 /* 0x14 */ |
#define | SSL_ALERT_MSG_DECRYPTION_FAILED 21 /* 0x15 */ |
#define | SSL_ALERT_MSG_RECORD_OVERFLOW 22 /* 0x16 */ |
#define | SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30 /* 0x1E */ |
#define | SSL_ALERT_MSG_HANDSHAKE_FAILURE 40 /* 0x28 */ |
#define | SSL_ALERT_MSG_NO_CERT 41 /* 0x29 */ |
#define | SSL_ALERT_MSG_BAD_CERT 42 /* 0x2A */ |
#define | SSL_ALERT_MSG_UNSUPPORTED_CERT 43 /* 0x2B */ |
#define | SSL_ALERT_MSG_CERT_REVOKED 44 /* 0x2C */ |
#define | SSL_ALERT_MSG_CERT_EXPIRED 45 /* 0x2D */ |
#define | SSL_ALERT_MSG_CERT_UNKNOWN 46 /* 0x2E */ |
#define | SSL_ALERT_MSG_ILLEGAL_PARAMETER 47 /* 0x2F */ |
#define | SSL_ALERT_MSG_UNKNOWN_CA 48 /* 0x30 */ |
#define | SSL_ALERT_MSG_ACCESS_DENIED 49 /* 0x31 */ |
#define | SSL_ALERT_MSG_DECODE_ERROR 50 /* 0x32 */ |
#define | SSL_ALERT_MSG_DECRYPT_ERROR 51 /* 0x33 */ |
#define | SSL_ALERT_MSG_EXPORT_RESTRICTION 60 /* 0x3C */ |
#define | SSL_ALERT_MSG_PROTOCOL_VERSION 70 /* 0x46 */ |
#define | SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71 /* 0x47 */ |
#define | SSL_ALERT_MSG_INTERNAL_ERROR 80 /* 0x50 */ |
#define | SSL_ALERT_MSG_USER_CANCELED 90 /* 0x5A */ |
#define | SSL_ALERT_MSG_NO_RENEGOTIATION 100 /* 0x64 */ |
#define | SSL_ALERT_MSG_UNSUPPORTED_EXT 110 /* 0x6E */ |
#define | SSL_ALERT_MSG_UNRECOGNIZED_NAME 112 /* 0x70 */ |
#define | SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115 /* 0x73 */ |
#define | SSL_HS_HELLO_REQUEST 0 |
#define | SSL_HS_CLIENT_HELLO 1 |
#define | SSL_HS_SERVER_HELLO 2 |
#define | SSL_HS_NEW_SESSION_TICKET 4 |
#define | SSL_HS_CERTIFICATE 11 |
#define | SSL_HS_SERVER_KEY_EXCHANGE 12 |
#define | SSL_HS_CERTIFICATE_REQUEST 13 |
#define | SSL_HS_SERVER_HELLO_DONE 14 |
#define | SSL_HS_CERTIFICATE_VERIFY 15 |
#define | SSL_HS_CLIENT_KEY_EXCHANGE 16 |
#define | SSL_HS_FINISHED 20 |
#define | TLS_EXT_SERVERNAME 0 |
#define | TLS_EXT_SERVERNAME_HOSTNAME 0 |
#define | TLS_EXT_MAX_FRAGMENT_LENGTH 1 |
#define | TLS_EXT_TRUNCATED_HMAC 4 |
#define | TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10 |
#define | TLS_EXT_SUPPORTED_POINT_FORMATS 11 |
#define | TLS_EXT_SIG_ALG 13 |
#define | TLS_EXT_SESSION_TICKET 35 |
#define | TLS_EXT_RENEGOTIATION_INFO 0xFF01 |
#define | POLARSSL_PREMASTER_SIZE POLARSSL_MPI_MAX_SIZE |
Typedefs | |
typedef int(* | rsa_decrypt_func )(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len) |
typedef int(* | rsa_sign_func )(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig) |
typedef size_t(* | rsa_key_len_func )(void *ctx) |
typedef struct _ssl_session | ssl_session |
typedef struct _ssl_context | ssl_context |
typedef struct _ssl_transform | ssl_transform |
typedef struct _ssl_handshake_params | ssl_handshake_params |
typedef struct _ssl_ticket_keys | ssl_ticket_keys |
typedef struct _ssl_key_cert | ssl_key_cert |
Functions | |
const int * | ssl_list_ciphersuites (void) |
Returns the list of ciphersuites supported by the SSL/TLS module. More... | |
const char * | ssl_get_ciphersuite_name (const int ciphersuite_id) |
Return the name of the ciphersuite associated with the given ID. More... | |
int | ssl_get_ciphersuite_id (const char *ciphersuite_name) |
Return the ID of the ciphersuite associated with the given name. More... | |
int | ssl_init (ssl_context *ssl) |
Initialize an SSL context (An individual SSL context is not thread-safe) More... | |
int | ssl_session_reset (ssl_context *ssl) |
Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data. More... | |
void | ssl_set_endpoint (ssl_context *ssl, int endpoint) |
Set the current endpoint type. More... | |
void | ssl_set_authmode (ssl_context *ssl, int authmode) |
Set the certificate verification mode. More... | |
void | ssl_set_verify (ssl_context *ssl, int(*f_vrfy)(void *, x509_crt *, int, int *), void *p_vrfy) |
Set the verification callback (Optional). More... | |
void | ssl_set_rng (ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Set the random number generator callback. More... | |
void | ssl_set_dbg (ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg) |
Set the debug callback. More... | |
void | ssl_set_bio (ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send) |
Set the underlying BIO read and write callbacks. More... | |
void | ssl_set_session_cache (ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache) |
Set the session cache callbacks (server-side only) If not set, no session resuming is done. More... | |
int | ssl_set_session (ssl_context *ssl, const ssl_session *session) |
Request resumption of session (client-side only) Session data is copied from presented session structure. More... | |
void | ssl_set_ciphersuites (ssl_context *ssl, const int *ciphersuites) |
Set the list of allowed ciphersuites (Overrides all version specific lists) More... | |
void | ssl_set_ciphersuites_for_version (ssl_context *ssl, const int *ciphersuites, int major, int minor) |
Set the list of allowed ciphersuites for a specific version of the protocol. More... | |
void | ssl_set_ca_chain (ssl_context *ssl, x509_crt *ca_chain, x509_crl *ca_crl, const char *peer_cn) |
Set the data required to verify peer certificate. More... | |
int | ssl_set_own_cert (ssl_context *ssl, x509_crt *own_cert, pk_context *pk_key) |
Set own certificate chain and private key. More... | |
int | ssl_set_own_cert_rsa (ssl_context *ssl, x509_crt *own_cert, rsa_context *rsa_key) |
Set own certificate chain and private RSA key. More... | |
int | ssl_set_own_cert_alt (ssl_context *ssl, x509_crt *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len) |
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler. More... | |
int | ssl_set_psk (ssl_context *ssl, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len) |
Set the Pre Shared Key (PSK) and the identity name connected to it. More... | |
void | ssl_set_psk_cb (ssl_context *ssl, int(*f_psk)(void *, ssl_context *, const unsigned char *, size_t), void *p_psk) |
Set the PSK callback (server-side only) (Optional). More... | |
int | ssl_set_dh_param (ssl_context *ssl, const char *dhm_P, const char *dhm_G) |
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG]) More... | |
int | ssl_set_dh_param_ctx (ssl_context *ssl, dhm_context *dhm_ctx) |
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) More... | |
int | ssl_set_hostname (ssl_context *ssl, const char *hostname) |
Set hostname for ServerName TLS extension (client-side only) More... | |
void | ssl_set_sni (ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni) |
Set server side ServerName TLS extension callback (optional, server-side only). More... | |
void | ssl_set_max_version (ssl_context *ssl, int major, int minor) |
Set the maximum supported version sent from the client side and/or accepted at the server side (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION) More... | |
void | ssl_set_min_version (ssl_context *ssl, int major, int minor) |
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION) More... | |
int | ssl_set_max_frag_len (ssl_context *ssl, unsigned char mfl_code) |
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes) (Server: set maximum fragment length to emit, usually negotiated by the client during handshake) (Client: set maximum fragment length to emit and negotiate with the server during handshake) More... | |
int | ssl_set_truncated_hmac (ssl_context *ssl, int truncate) |
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED) More... | |
int | ssl_set_session_tickets (ssl_context *ssl, int use_tickets) |
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS_DISABLED on server) More... | |
void | ssl_set_session_ticket_lifetime (ssl_context *ssl, int lifetime) |
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day)) More... | |
void | ssl_set_renegotiation (ssl_context *ssl, int renegotiation) |
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIATION_DISABLED) More... | |
void | ssl_legacy_renegotiation (ssl_context *ssl, int allow_legacy) |
Prevent or allow legacy renegotiation. More... | |
size_t | ssl_get_bytes_avail (const ssl_context *ssl) |
Return the number of data bytes available to read. More... | |
int | ssl_get_verify_result (const ssl_context *ssl) |
Return the result of the certificate verification. More... | |
const char * | ssl_get_ciphersuite (const ssl_context *ssl) |
Return the name of the current ciphersuite. More... | |
const char * | ssl_get_version (const ssl_context *ssl) |
Return the current SSL version (SSLv3/TLSv1/etc) More... | |
const x509_crt * | ssl_get_peer_cert (const ssl_context *ssl) |
Return the peer certificate from the current connection. More... | |
int | ssl_get_session (const ssl_context *ssl, ssl_session *session) |
Save session in order to resume it later (client-side only) Session data is copied to presented session structure. More... | |
int | ssl_handshake (ssl_context *ssl) |
Perform the SSL handshake. More... | |
int | ssl_handshake_step (ssl_context *ssl) |
Perform a single step of the SSL handshake. More... | |
int | ssl_renegotiate (ssl_context *ssl) |
Perform an SSL renegotiation on the running connection. More... | |
int | ssl_read (ssl_context *ssl, unsigned char *buf, size_t len) |
Read at most 'len' application data bytes. More... | |
int | ssl_write (ssl_context *ssl, const unsigned char *buf, size_t len) |
Write exactly 'len' application data bytes. More... | |
int | ssl_send_alert_message (ssl_context *ssl, unsigned char level, unsigned char message) |
Send an alert message. More... | |
int | ssl_close_notify (ssl_context *ssl) |
Notify the peer that the connection is being closed. More... | |
void | ssl_free (ssl_context *ssl) |
Free referenced items in an SSL context and clear memory. More... | |
void | ssl_session_free (ssl_session *session) |
Free referenced items in an SSL session including the peer certificate and clear memory. More... | |
void | ssl_transform_free (ssl_transform *transform) |
Free referenced items in an SSL transform context and clear memory. More... | |
void | ssl_handshake_free (ssl_handshake_params *handshake) |
Free referenced items in an SSL handshake context and clear memory. More... | |
int | ssl_handshake_client_step (ssl_context *ssl) |
int | ssl_handshake_server_step (ssl_context *ssl) |
void | ssl_handshake_wrapup (ssl_context *ssl) |
int | ssl_send_fatal_handshake_failure (ssl_context *ssl) |
int | ssl_derive_keys (ssl_context *ssl) |
int | ssl_read_record (ssl_context *ssl) |
int | ssl_fetch_input (ssl_context *ssl, size_t nb_want) |
int | ssl_write_record (ssl_context *ssl) |
int | ssl_flush_output (ssl_context *ssl) |
int | ssl_parse_certificate (ssl_context *ssl) |
int | ssl_write_certificate (ssl_context *ssl) |
int | ssl_parse_change_cipher_spec (ssl_context *ssl) |
int | ssl_write_change_cipher_spec (ssl_context *ssl) |
int | ssl_parse_finished (ssl_context *ssl) |
int | ssl_write_finished (ssl_context *ssl) |
void | ssl_optimize_checksum (ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info) |
int | ssl_psk_derive_premaster (ssl_context *ssl, key_exchange_type_t key_ex) |
unsigned char | ssl_sig_from_pk (pk_context *pk) |
pk_type_t | ssl_pk_alg_from_sig (unsigned char sig) |
md_type_t | ssl_md_alg_from_hash (unsigned char hash) |
static pk_context * | ssl_own_key (ssl_context *ssl) |
static x509_crt * | ssl_own_cert (ssl_context *ssl) |
SSL/TLS functions.
Copyright (C) 2006-2013, Brainspark B.V.
This file is part of PolarSSL (http://www.polarssl.org) Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Definition in file ssl.h.
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00 |
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0x7A80 |
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80 |
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00 |
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 |
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0x7C00 |
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS -0x7D00 |
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP -0x7C80 |
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED -0x7E80 |
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 |
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 |
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 |
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0x7B80 |
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0x7B00 |
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA -0x7100 |
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 |
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 |
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 |
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 |
#define POLARSSL_ERR_SSL_CONN_EOF -0x7280 |
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 |
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 |
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED -0x7F80 |
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 |
#define POLARSSL_ERR_SSL_INVALID_MAC -0x7180 |
#define POLARSSL_ERR_SSL_INVALID_RECORD -0x7200 |
#define POLARSSL_ERR_SSL_MALLOC_FAILED -0x7F00 |
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 |
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 |
#define POLARSSL_ERR_SSL_NO_SESSION_FOUND -0x7400 |
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 |
#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED -0x7800 |
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 |
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 |
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 |
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 |
#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x7300 |
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 |
#define POLARSSL_PREMASTER_SIZE POLARSSL_MPI_MAX_SIZE |
#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 512) |
#define SSL_DEFAULT_TICKET_LIFETIME 86400 |
#define SSL_EMPTY_RENEGOTIATION_INFO 0xFF |
#define SSL_MAX_CONTENT_LEN 16384 |
#define SSL_MAX_MAJOR_VERSION SSL_MAJOR_VERSION_3 |
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_3 |
#define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3 |
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0 |
#define SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */ |
typedef int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len) |
typedef int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig) |
typedef struct _ssl_context ssl_context |
typedef struct _ssl_handshake_params ssl_handshake_params |
typedef struct _ssl_key_cert ssl_key_cert |
typedef struct _ssl_session ssl_session |
typedef struct _ssl_ticket_keys ssl_ticket_keys |
typedef struct _ssl_transform ssl_transform |
enum ssl_states |
int ssl_close_notify | ( | ssl_context * | ssl | ) |
Notify the peer that the connection is being closed.
ssl | SSL context |
int ssl_derive_keys | ( | ssl_context * | ssl | ) |
int ssl_fetch_input | ( | ssl_context * | ssl, |
size_t | nb_want | ||
) |
int ssl_flush_output | ( | ssl_context * | ssl | ) |
void ssl_free | ( | ssl_context * | ssl | ) |
Free referenced items in an SSL context and clear memory.
ssl | SSL context |
size_t ssl_get_bytes_avail | ( | const ssl_context * | ssl | ) |
Return the number of data bytes available to read.
ssl | SSL context |
const char* ssl_get_ciphersuite | ( | const ssl_context * | ssl | ) |
Return the name of the current ciphersuite.
ssl | SSL context |
int ssl_get_ciphersuite_id | ( | const char * | ciphersuite_name | ) |
Return the ID of the ciphersuite associated with the given name.
ciphersuite_name | SSL ciphersuite name |
const char* ssl_get_ciphersuite_name | ( | const int | ciphersuite_id | ) |
Return the name of the ciphersuite associated with the given ID.
ciphersuite_id | SSL ciphersuite ID |
const x509_crt* ssl_get_peer_cert | ( | const ssl_context * | ssl | ) |
Return the peer certificate from the current connection.
Note: Can be NULL in case no certificate was sent during the handshake. Different calls for the same connection can return the same or different pointers for the same certificate and even a different certificate altogether. The peer cert CAN change in a single connection if renegotiation is performed.
ssl | SSL context |
int ssl_get_session | ( | const ssl_context * | ssl, |
ssl_session * | session | ||
) |
Save session in order to resume it later (client-side only). Session data is copied to the presented session structure.
ssl | SSL context |
session | session context |
int ssl_get_verify_result | ( | const ssl_context * | ssl | ) |
Return the result of the certificate verification.
ssl | SSL context |
const char* ssl_get_version | ( | const ssl_context * | ssl | ) |
Return the current SSL version (SSLv3/TLSv1/etc)
ssl | SSL context |
int ssl_handshake | ( | ssl_context * | ssl | ) |
Perform the SSL handshake.
ssl | SSL context |
int ssl_handshake_client_step | ( | ssl_context * | ssl | ) |
void ssl_handshake_free | ( | ssl_handshake_params * | handshake | ) |
Free referenced items in an SSL handshake context and clear memory.
handshake | SSL handshake context |
int ssl_handshake_server_step | ( | ssl_context * | ssl | ) |
int ssl_handshake_step | ( | ssl_context * | ssl | ) |
Perform a single step of the SSL handshake.
Note: after this function has executed, the context (ssl->state) will be at the next handshake state. Do not call this function if the state is SSL_HANDSHAKE_OVER.
ssl | SSL context |
void ssl_handshake_wrapup | ( | ssl_context * | ssl | ) |
int ssl_init | ( | ssl_context * | ssl | ) |
Initialize an SSL context (An individual SSL context is not thread-safe)
ssl | SSL context |
void ssl_legacy_renegotiation | ( | ssl_context * | ssl, |
int | allow_legacy | ||
) |
Prevent or allow legacy renegotiation.
(Default: SSL_LEGACY_NO_RENEGOTIATION)
SSL_LEGACY_NO_RENEGOTIATION allows connections to be established even if the peer does not support secure renegotiation, but does not allow renegotiation to take place if not secure. (Interoperable and secure option)
SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations with non-upgraded peers. Allowing legacy renegotiation makes the connection vulnerable to specific man-in-the-middle attacks (see RFC 5746). (Most interoperable and least secure option)
SSL_LEGACY_BREAK_HANDSHAKE breaks off connections if the peer does not support secure renegotiation. This results in interoperability issues with non-upgraded peers that do not support renegotiation altogether. (Most secure option, interoperability issues)
ssl | SSL context |
allow_legacy | Prevent or allow (SSL_LEGACY_NO_RENEGOTIATION, SSL_LEGACY_ALLOW_RENEGOTIATION or SSL_LEGACY_BREAK_HANDSHAKE) |
const int* ssl_list_ciphersuites | ( | void | ) |
Returns the list of ciphersuites supported by the SSL/TLS module.
md_type_t ssl_md_alg_from_hash | ( | unsigned char | hash | ) |
void ssl_optimize_checksum | ( | ssl_context * | ssl, |
const ssl_ciphersuite_t * | ciphersuite_info | ||
) |
static x509_crt* ssl_own_cert | ( | ssl_context * | ssl | ) |
inline static
Definition at line 1552 of file ssl.h.
References _ssl_key_cert::cert, _ssl_context::handshake, and _ssl_handshake_params::key_cert.
static pk_context* ssl_own_key | ( | ssl_context * | ssl | ) |
inline static
Definition at line 1546 of file ssl.h.
References _ssl_context::handshake, _ssl_key_cert::key, and _ssl_handshake_params::key_cert.
int ssl_parse_certificate | ( | ssl_context * | ssl | ) |
int ssl_parse_change_cipher_spec | ( | ssl_context * | ssl | ) |
int ssl_parse_finished | ( | ssl_context * | ssl | ) |
pk_type_t ssl_pk_alg_from_sig | ( | unsigned char | sig | ) |
int ssl_psk_derive_premaster | ( | ssl_context * | ssl, |
key_exchange_type_t | key_ex | ||
) |
int ssl_read | ( | ssl_context * | ssl, |
unsigned char * | buf, | ||
size_t | len | ||
) |
Read at most 'len' application data bytes.
ssl | SSL context |
buf | buffer that will hold the data |
len | maximum number of bytes to read |
int ssl_read_record | ( | ssl_context * | ssl | ) |
int ssl_renegotiate | ( | ssl_context * | ssl | ) |
Perform an SSL renegotiation on the running connection.
ssl | SSL context |
int ssl_send_alert_message | ( | ssl_context * | ssl, |
unsigned char | level, | ||
unsigned char | message | ||
) |
Send an alert message.
ssl | SSL context |
level | The alert level of the message (SSL_ALERT_LEVEL_WARNING or SSL_ALERT_LEVEL_FATAL) |
message | The alert message (SSL_ALERT_MSG_*) |
int ssl_send_fatal_handshake_failure | ( | ssl_context * | ssl | ) |
void ssl_session_free | ( | ssl_session * | session | ) |
Free referenced items in an SSL session including the peer certificate and clear memory.
session | SSL session |
int ssl_session_reset | ( | ssl_context * | ssl | ) |
Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data.
ssl | SSL context |
void ssl_set_authmode | ( | ssl_context * | ssl, |
int | authmode | ||
) |
Set the certificate verification mode.
ssl | SSL context |
authmode | can be: |
SSL_VERIFY_NONE: peer certificate is not checked (default), this is insecure and SHOULD be avoided.
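SSL_VERIFY_OPTIONAL: peer certificate is checked, however the handshake continues even if verification failed; ssl_get_verify_result() can be called after the handshake is complete, and because a failed verification does not abort the handshake in this mode, the application has to check that result itself before trusting the peer.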
SSL_VERIFY_REQUIRED: peer must present a valid certificate, handshake is aborted if verification failed.
void ssl_set_bio | ( | ssl_context * | ssl, |
int(*)(void *, unsigned char *, size_t) | f_recv, | ||
void * | p_recv, | ||
int(*)(void *, const unsigned char *, size_t) | f_send, | ||
void * | p_send | ||
) |
Set the underlying BIO read and write callbacks.
ssl | SSL context |
f_recv | read callback |
p_recv | read parameter |
f_send | write callback |
p_send | write parameter |
void ssl_set_ca_chain | ( | ssl_context * | ssl, |
x509_crt * | ca_chain, | ||
x509_crl * | ca_crl, | ||
const char * | peer_cn | ||
) |
Set the data required to verify peer certificate.
ssl | SSL context |
ca_chain | trusted CA chain (meaning all fully trusted top-level CAs) |
ca_crl | trusted CA CRLs |
peer_cn | expected peer CommonName (or NULL) |
void ssl_set_ciphersuites | ( | ssl_context * | ssl, |
const int * | ciphersuites | ||
) |
Set the list of allowed ciphersuites (Overrides all version specific lists)
ssl | SSL context |
ciphersuites | 0-terminated list of allowed ciphersuites |
void ssl_set_ciphersuites_for_version | ( | ssl_context * | ssl, |
const int * | ciphersuites, | ||
int | major, | ||
int | minor | ||
) |
Set the list of allowed ciphersuites for a specific version of the protocol.
(Only useful on the server side)
ssl | SSL context |
ciphersuites | 0-terminated list of allowed ciphersuites |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_2 and SSL_MINOR_VERSION_3 supported) |
void ssl_set_dbg | ( | ssl_context * | ssl, |
void(*)(void *, int, const char *) | f_dbg, | ||
void * | p_dbg | ||
) |
Set the debug callback.
ssl | SSL context |
f_dbg | debug function |
p_dbg | debug parameter |
int ssl_set_dh_param | ( | ssl_context * | ssl, |
const char * | dhm_P, | ||
const char * | dhm_G | ||
) |
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
ssl | SSL context |
dhm_P | Diffie-Hellman-Merkle modulus |
dhm_G | Diffie-Hellman-Merkle generator |
int ssl_set_dh_param_ctx | ( | ssl_context * | ssl, |
dhm_context * | dhm_ctx | ||
) |
Set the Diffie-Hellman public P and G values, read from existing context (server-side only)
ssl | SSL context |
dhm_ctx | Diffie-Hellman-Merkle context |
void ssl_set_endpoint | ( | ssl_context * | ssl, |
int | endpoint | ||
) |
Set the current endpoint type.
ssl | SSL context |
endpoint | must be SSL_IS_CLIENT or SSL_IS_SERVER |
int ssl_set_hostname | ( | ssl_context * | ssl, |
const char * | hostname | ||
) |
Set hostname for ServerName TLS extension (client-side only)
ssl | SSL context |
hostname | the server hostname |
int ssl_set_max_frag_len | ( | ssl_context * | ssl, |
unsigned char | mfl_code | ||
) |
Set the maximum fragment length to emit and/or negotiate (Default: SSL_MAX_CONTENT_LEN, usually 2^14 bytes). Server: set the maximum fragment length to emit, usually negotiated by the client during the handshake. Client: set the maximum fragment length to emit and negotiate with the server during the handshake.
ssl | SSL context |
mfl_code | Code for maximum fragment length (allowed values: SSL_MAX_FRAG_LEN_512, SSL_MAX_FRAG_LEN_1024, SSL_MAX_FRAG_LEN_2048, SSL_MAX_FRAG_LEN_4096) |
void ssl_set_max_version | ( | ssl_context * | ssl, |
int | major, | ||
int | minor | ||
) |
Set the maximum supported version sent from the client side and/or accepted at the server side (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION)
Note: This ignores ciphersuites from 'higher' versions. Note: Input outside of the SSL_MAX_XXXXX_VERSION and SSL_MIN_XXXXX_VERSION range is ignored.
ssl | SSL context |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_2 and SSL_MINOR_VERSION_3 supported) |
void ssl_set_min_version | ( | ssl_context * | ssl, |
int | major, | ||
int | minor | ||
) |
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
Note: Input outside of the SSL_MAX_XXXXX_VERSION and SSL_MIN_XXXXX_VERSION range is ignored.
ssl | SSL context |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1, SSL_MINOR_VERSION_2 and SSL_MINOR_VERSION_3 supported) |
int ssl_set_own_cert | ( | ssl_context * | ssl, |
x509_crt * | own_cert, | ||
pk_context * | pk_key | ||
) |
Set own certificate chain and private key.
ssl | SSL context |
own_cert | own public certificate chain |
pk_key | own private key |
int ssl_set_own_cert_alt | ( | ssl_context * | ssl, |
x509_crt * | own_cert, | ||
void * | rsa_key, | ||
rsa_decrypt_func | rsa_decrypt, | ||
rsa_sign_func | rsa_sign, | ||
rsa_key_len_func | rsa_key_len | ||
) |
Set own certificate and alternate non-PolarSSL RSA private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
(See the respective RSA functions in rsa.h for documentation of the callback parameters; the only change is that the rsa_context * is a void * in the callbacks.) Note: own_cert should contain your certificate chain in order from the bottom up. The top certificate (self-signed) can be omitted.
ssl | SSL context |
own_cert | own public certificate chain |
rsa_key | alternate implementation private RSA key |
rsa_decrypt | alternate implementation of rsa_pkcs1_decrypt() |
rsa_sign | alternate implementation of rsa_pkcs1_sign() |
rsa_key_len | function returning length of RSA key in bytes |
int ssl_set_own_cert_rsa | ( | ssl_context * | ssl, |
x509_crt * | own_cert, | ||
rsa_context * | rsa_key | ||
) |
Set own certificate chain and private RSA key.
Note: own_cert should contain your certificate chain in order from the bottom up. The top certificate (self-signed) can be omitted.
ssl | SSL context |
own_cert | own public certificate chain |
rsa_key | own private RSA key |
int ssl_set_psk | ( | ssl_context * | ssl, |
const unsigned char * | psk, | ||
size_t | psk_len, | ||
const unsigned char * | psk_identity, | ||
size_t | psk_identity_len | ||
) |
Set the Pre Shared Key (PSK) and the identity name connected to it.
ssl | SSL context |
psk | pointer to the pre-shared key |
psk_len | pre-shared key length |
psk_identity | pointer to the pre-shared key identity |
psk_identity_len | length of the pre-shared key identity |
void ssl_set_psk_cb | ( | ssl_context * | ssl, |
int(*)(void *, ssl_context *, const unsigned char *, size_t) | f_psk, | ||
void * | p_psk | ||
) |
Set the PSK callback (server-side only) (Optional).
If set, the PSK callback is called for each handshake where a PSK ciphersuite was negotiated. The callback is given the identity received and is expected to supply the actual PSK data and length. The callback has the following parameters: (void *parameter, ssl_context *ssl, const unsigned char *psk_identity, size_t identity_len). If a valid PSK identity is found, the callback should use ssl_set_psk() on the ssl context to set the correct PSK and identity and return 0. Any other return value will result in a denied PSK identity.
ssl | SSL context |
f_psk | PSK identity function |
p_psk | PSK identity parameter |
void ssl_set_renegotiation | ( | ssl_context * | ssl, |
int | renegotiation | ||
) |
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIATION_DISABLED)
Note: A server with support enabled is more vulnerable to a resource-exhaustion DoS by a malicious client. You should enable this on a client to allow server-initiated renegotiation.
ssl | SSL context |
renegotiation | Enable or disable (SSL_RENEGOTIATION_ENABLED or SSL_RENEGOTIATION_DISABLED) |
void ssl_set_rng | ( | ssl_context * | ssl, |
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Set the random number generator callback.
ssl | SSL context |
f_rng | RNG function |
p_rng | RNG parameter |
int ssl_set_session | ( | ssl_context * | ssl, |
const ssl_session * | session | ||
) |
Request resumption of session (client-side only). Session data is copied from the presented session structure.
ssl | SSL context |
session | session context |
void ssl_set_session_cache | ( | ssl_context * | ssl, |
int(*)(void *, ssl_session *) | f_get_cache, | ||
void * | p_get_cache, | ||
int(*)(void *, const ssl_session *) | f_set_cache, | ||
void * | p_set_cache | ||
) |
Set the session cache callbacks (server-side only). If not set, no session resuming is done.
The session cache has the responsibility to check for stale entries based on timeout. See RFC 5246 for recommendations. Warning: session.peer_cert is cleared by the SSL/TLS layer on connection shutdown, so do not cache the pointer! Either set it to NULL or make a full copy of the certificate. The get callback is called once during the initial handshake to enable session resuming. The get function has the following parameters: (void *parameter, ssl_session *session). If a valid entry is found, it should fill the master secret (the master field) of the session object with the cached values and return 0; otherwise it should return 1. Optionally, peer_cert can be set as well if it is properly present in the cache entry. The set callback is called once during the initial handshake, after the entire handshake has been finished, to enable session resuming. The set function has the following parameters: (void *parameter, const ssl_session *session). The function should create a cache entry for future retrieval based on the data in the session structure and should keep in mind that the ssl_session object presented (and all its referenced data) is cleared by the SSL/TLS layer when the connection is terminated. It is recommended to add metadata to determine if an entry is still valid in the future. Return 0 if successfully cached, return 1 otherwise.
ssl | SSL context |
f_get_cache | session get callback |
p_get_cache | session get parameter |
f_set_cache | session set callback |
p_set_cache | session set parameter |
void ssl_set_session_ticket_lifetime | ( | ssl_context * | ssl, |
int | lifetime | ||
) |
Set session ticket lifetime (server only) (Default: SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day))
ssl | SSL context |
lifetime | session ticket lifetime |
int ssl_set_session_tickets | ( | ssl_context * | ssl, |
int | use_tickets | ||
) |
Enable / Disable session tickets (Default: SSL_SESSION_TICKETS_ENABLED on client, SSL_SESSION_TICKETS_DISABLED on server)
ssl | SSL context |
use_tickets | Enable or disable (SSL_SESSION_TICKETS_ENABLED or SSL_SESSION_TICKETS_DISABLED) |
void ssl_set_sni | ( | ssl_context * | ssl, |
int(*)(void *, ssl_context *, const unsigned char *, size_t) | f_sni, | ||
void * | p_sni | ||
) |
Set server side ServerName TLS extension callback (optional, server-side only).
If set, the ServerName callback is called whenever the server receives a ServerName TLS extension from the client during a handshake. The ServerName callback has the following parameters: (void *parameter, ssl_context *ssl, const unsigned char *hostname, size_t len). If a suitable certificate is found, the callback should set the certificate and key to use with ssl_set_own_cert() (and possibly adjust the CA chain as well) and return 0. The callback should return -1 to abort the handshake at this point.
ssl | SSL context |
f_sni | ServerName callback function |
p_sni | ServerName callback parameter |
int ssl_set_truncated_hmac | ( | ssl_context * | ssl, |
int | truncate | ||
) |
Activate negotiation of truncated HMAC (Client only) (Default: SSL_TRUNC_HMAC_ENABLED)
ssl | SSL context |
truncate | Enable or disable (SSL_TRUNC_HMAC_ENABLED or SSL_TRUNC_HMAC_DISABLED) |
void ssl_set_verify | ( | ssl_context * | ssl, |
int(*)(void *, x509_crt *, int, int *) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Set the verification callback (Optional).
If set, the verify callback is called for each certificate in the chain. For implementation information, please see x509parse_verify().
ssl | SSL context |
f_vrfy | verification function |
p_vrfy | verification parameter |
unsigned char ssl_sig_from_pk | ( | pk_context * | pk | ) |
void ssl_transform_free | ( | ssl_transform * | transform | ) |
Free referenced items in an SSL transform context and clear memory.
transform | SSL transform context |
int ssl_write | ( | ssl_context * | ssl, |
const unsigned char * | buf, | ||
size_t | len | ||
) |
Write exactly 'len' application data bytes.
ssl | SSL context |
buf | buffer holding the data |
len | how many bytes must be written |
int ssl_write_certificate | ( | ssl_context * | ssl | ) |
int ssl_write_change_cipher_spec | ( | ssl_context * | ssl | ) |
int ssl_write_finished | ( | ssl_context * | ssl | ) |
int ssl_write_record | ( | ssl_context * | ssl | ) |