PolarSSL v1.2.8
|
SSL/TLS functions. More...
#include <time.h>
#include "net.h"
#include "rsa.h"
#include "md5.h"
#include "sha1.h"
#include "sha2.h"
#include "sha4.h"
#include "x509.h"
#include "config.h"
#include "dhm.h"
Go to the source code of this file.
Data Structures | |
struct | _ssl_session |
struct | _ssl_transform |
struct | _ssl_handshake_params |
struct | _ssl_context |
Typedefs | |
typedef int(* | rsa_decrypt_func )(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len) |
typedef int(* | rsa_sign_func )(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig) |
typedef size_t(* | rsa_key_len_func )(void *ctx) |
typedef struct _ssl_session | ssl_session |
typedef struct _ssl_context | ssl_context |
typedef struct _ssl_transform | ssl_transform |
typedef struct _ssl_handshake_params | ssl_handshake_params |
Functions | |
static const int * | ssl_list_ciphersuites (void) |
Returns the list of ciphersuites supported by the SSL/TLS module. More... | |
const char * | ssl_get_ciphersuite_name (const int ciphersuite_id) |
Return the name of the ciphersuite associated with the given ID. More... | |
int | ssl_get_ciphersuite_id (const char *ciphersuite_name) |
Return the ID of the ciphersuite associated with the given name. More... | |
int | ssl_init (ssl_context *ssl) |
Initialize an SSL context. More... | |
int | ssl_session_reset (ssl_context *ssl) |
Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data. More... | |
void | ssl_set_endpoint (ssl_context *ssl, int endpoint) |
Set the current endpoint type. More... | |
void | ssl_set_authmode (ssl_context *ssl, int authmode) |
Set the certificate verification mode. More... | |
void | ssl_set_verify (ssl_context *ssl, int(*f_vrfy)(void *, x509_cert *, int, int *), void *p_vrfy) |
Set the verification callback (Optional). More... | |
void | ssl_set_rng (ssl_context *ssl, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng) |
Set the random number generator callback. More... | |
void | ssl_set_dbg (ssl_context *ssl, void(*f_dbg)(void *, int, const char *), void *p_dbg) |
Set the debug callback. More... | |
void | ssl_set_bio (ssl_context *ssl, int(*f_recv)(void *, unsigned char *, size_t), void *p_recv, int(*f_send)(void *, const unsigned char *, size_t), void *p_send) |
Set the underlying BIO read and write callbacks. More... | |
void | ssl_set_session_cache (ssl_context *ssl, int(*f_get_cache)(void *, ssl_session *), void *p_get_cache, int(*f_set_cache)(void *, const ssl_session *), void *p_set_cache) |
Set the session cache callbacks (server-side only) If not set, no session resuming is done. More... | |
void | ssl_set_session (ssl_context *ssl, const ssl_session *session) |
Request resumption of session (client-side only) Session data is copied from presented session structure. More... | |
void | ssl_set_ciphersuites (ssl_context *ssl, const int *ciphersuites) |
Set the list of allowed ciphersuites (Default: ssl_default_ciphersuites) (Overrides all version specific lists) More... | |
void | ssl_set_ciphersuites_for_version (ssl_context *ssl, const int *ciphersuites, int major, int minor) |
Set the list of allowed ciphersuites for a specific version of the protocol. More... | |
void | ssl_set_ca_chain (ssl_context *ssl, x509_cert *ca_chain, x509_crl *ca_crl, const char *peer_cn) |
Set the data required to verify peer certificate. More... | |
void | ssl_set_own_cert (ssl_context *ssl, x509_cert *own_cert, rsa_context *rsa_key) |
Set own certificate chain and private key. More... | |
void | ssl_set_own_cert_alt (ssl_context *ssl, x509_cert *own_cert, void *rsa_key, rsa_decrypt_func rsa_decrypt, rsa_sign_func rsa_sign, rsa_key_len_func rsa_key_len) |
Set own certificate and alternate non-PolarSSL private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler. More... | |
int | ssl_set_dh_param (ssl_context *ssl, const char *dhm_P, const char *dhm_G) |
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG]) More... | |
int | ssl_set_dh_param_ctx (ssl_context *ssl, dhm_context *dhm_ctx) |
Set the Diffie-Hellman public P and G values, read from existing context (server-side only) More... | |
int | ssl_set_hostname (ssl_context *ssl, const char *hostname) |
Set hostname for ServerName TLS extension (client-side only) More... | |
void | ssl_set_sni (ssl_context *ssl, int(*f_sni)(void *, ssl_context *, const unsigned char *, size_t), void *p_sni) |
Set server side ServerName TLS extension callback (optional, server-side only). More... | |
void | ssl_set_max_version (ssl_context *ssl, int major, int minor) |
Set the maximum supported version sent from the client side. More... | |
void | ssl_set_min_version (ssl_context *ssl, int major, int minor) |
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0) More... | |
void | ssl_set_renegotiation (ssl_context *ssl, int renegotiation) |
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIATION_DISABLED) More... | |
void | ssl_legacy_renegotiation (ssl_context *ssl, int allow_legacy) |
Prevent or allow legacy renegotiation. More... | |
size_t | ssl_get_bytes_avail (const ssl_context *ssl) |
Return the number of data bytes available to read. More... | |
int | ssl_get_verify_result (const ssl_context *ssl) |
Return the result of the certificate verification. More... | |
const char * | ssl_get_ciphersuite (const ssl_context *ssl) |
Return the name of the current ciphersuite. More... | |
const char * | ssl_get_version (const ssl_context *ssl) |
Return the current SSL version (SSLv3/TLSv1/etc) More... | |
const x509_cert * | ssl_get_peer_cert (const ssl_context *ssl) |
Return the peer certificate from the current connection. More... | |
int | ssl_handshake (ssl_context *ssl) |
Perform the SSL handshake. More... | |
int | ssl_handshake_step (ssl_context *ssl) |
Perform a single step of the SSL handshake. More... | |
int | ssl_renegotiate (ssl_context *ssl) |
Perform an SSL renegotiation on the running connection. More... | |
int | ssl_read (ssl_context *ssl, unsigned char *buf, size_t len) |
Read at most 'len' application data bytes. More... | |
int | ssl_write (ssl_context *ssl, const unsigned char *buf, size_t len) |
Write exactly 'len' application data bytes. More... | |
int | ssl_send_alert_message (ssl_context *ssl, unsigned char level, unsigned char message) |
Send an alert message. More... | |
int | ssl_close_notify (ssl_context *ssl) |
Notify the peer that the connection is being closed. More... | |
void | ssl_free (ssl_context *ssl) |
Free referenced items in an SSL context and clear memory. More... | |
void | ssl_session_free (ssl_session *session) |
Free referenced items in an SSL session including the peer certificate and clear memory. More... | |
void | ssl_transform_free (ssl_transform *transform) |
Free referenced items in an SSL transform context and clear memory. More... | |
void | ssl_handshake_free (ssl_handshake_params *handshake) |
Free referenced items in an SSL handshake context and clear memory. More... | |
int | ssl_handshake_client_step (ssl_context *ssl) |
int | ssl_handshake_server_step (ssl_context *ssl) |
void | ssl_handshake_wrapup (ssl_context *ssl) |
int | ssl_send_fatal_handshake_failure (ssl_context *ssl) |
int | ssl_derive_keys (ssl_context *ssl) |
int | ssl_read_record (ssl_context *ssl) |
int | ssl_fetch_input (ssl_context *ssl, size_t nb_want) |
int | ssl_write_record (ssl_context *ssl) |
int | ssl_flush_output (ssl_context *ssl) |
int | ssl_parse_certificate (ssl_context *ssl) |
int | ssl_write_certificate (ssl_context *ssl) |
int | ssl_parse_change_cipher_spec (ssl_context *ssl) |
int | ssl_write_change_cipher_spec (ssl_context *ssl) |
int | ssl_parse_finished (ssl_context *ssl) |
int | ssl_write_finished (ssl_context *ssl) |
void | ssl_optimize_checksum (ssl_context *ssl, int ciphersuite) |
Variables | |
const int | ssl_default_ciphersuites [] |
SSL/TLS functions.
Copyright (C) 2006-2013, Brainspark B.V.
This file is part of PolarSSL (http://www.polarssl.org) Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Definition in file ssl.h.
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00 |
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0x7A80 |
#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80 |
#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00 |
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 |
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0x7C00 |
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS -0x7D00 |
#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP -0x7C80 |
#define POLARSSL_ERR_SSL_BAD_HS_FINISHED -0x7E80 |
#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 |
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 |
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0x7B80 |
#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0x7B00 |
#define POLARSSL_ERR_SSL_BAD_INPUT_DATA -0x7100 |
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 |
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 |
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 |
#define POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 |
#define POLARSSL_ERR_SSL_CONN_EOF -0x7280 |
#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 |
#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 |
#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED -0x7F80 |
#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 |
#define POLARSSL_ERR_SSL_INVALID_MAC -0x7180 |
#define POLARSSL_ERR_SSL_INVALID_RECORD -0x7200 |
#define POLARSSL_ERR_SSL_MALLOC_FAILED -0x7F00 |
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 |
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 |
#define POLARSSL_ERR_SSL_NO_SESSION_FOUND -0x7400 |
#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 |
#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED -0x7800 |
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 |
#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 |
#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x7300 |
#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 512) |
#define SSL_EMPTY_RENEGOTIATION_INFO 0xFF |
#define SSL_MAX_CONTENT_LEN 16384 |
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE |
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 |
#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x15 |
typedef int(* rsa_decrypt_func)(void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len) |
typedef int(* rsa_sign_func)(void *ctx, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, int hash_id, unsigned int hashlen, const unsigned char *hash, unsigned char *sig) |
typedef struct _ssl_context ssl_context |
typedef struct _ssl_handshake_params ssl_handshake_params |
typedef struct _ssl_session ssl_session |
typedef struct _ssl_transform ssl_transform |
enum ssl_states |
int ssl_close_notify | ( | ssl_context * | ssl | ) |
Notify the peer that the connection is being closed.
ssl | SSL context |
int ssl_derive_keys | ( | ssl_context * | ssl | ) |
int ssl_fetch_input | ( | ssl_context * | ssl, |
size_t | nb_want | ||
) |
int ssl_flush_output | ( | ssl_context * | ssl | ) |
void ssl_free | ( | ssl_context * | ssl | ) |
Free referenced items in an SSL context and clear memory.
ssl | SSL context |
size_t ssl_get_bytes_avail | ( | const ssl_context * | ssl | ) |
Return the number of data bytes available to read.
ssl | SSL context |
const char* ssl_get_ciphersuite | ( | const ssl_context * | ssl | ) |
Return the name of the current ciphersuite.
ssl | SSL context |
int ssl_get_ciphersuite_id | ( | const char * | ciphersuite_name | ) |
Return the ID of the ciphersuite associated with the given name.
ciphersuite_name | SSL ciphersuite name |
const char* ssl_get_ciphersuite_name | ( | const int | ciphersuite_id | ) |
Return the name of the ciphersuite associated with the given ID.
ciphersuite_id | SSL ciphersuite ID |
const x509_cert* ssl_get_peer_cert | ( | const ssl_context * | ssl | ) |
Return the peer certificate from the current connection.
Note: Can be NULL in case no certificate was sent during the handshake. Different calls for the same connection can return the same or different pointers for the same certificate and even a different certificate altogether. The peer cert CAN change in a single connection if renegotiation is performed.
ssl | SSL context |
int ssl_get_verify_result | ( | const ssl_context * | ssl | ) |
Return the result of the certificate verification.
ssl | SSL context |
const char* ssl_get_version | ( | const ssl_context * | ssl | ) |
Return the current SSL version (SSLv3/TLSv1/etc)
ssl | SSL context |
int ssl_handshake | ( | ssl_context * | ssl | ) |
Perform the SSL handshake.
ssl | SSL context |
int ssl_handshake_client_step | ( | ssl_context * | ssl | ) |
void ssl_handshake_free | ( | ssl_handshake_params * | handshake | ) |
Free referenced items in an SSL handshake context and clear memory.
handshake | SSL handshake context |
int ssl_handshake_server_step | ( | ssl_context * | ssl | ) |
int ssl_handshake_step | ( | ssl_context * | ssl | ) |
Perform a single step of the SSL handshake.
Note: the state of the context (ssl->state) will be at the following state after execution of this function. Do not call this function if state is SSL_HANDSHAKE_OVER.
ssl | SSL context |
void ssl_handshake_wrapup | ( | ssl_context * | ssl | ) |
int ssl_init | ( | ssl_context * | ssl | ) |
Initialize an SSL context.
ssl | SSL context |
void ssl_legacy_renegotiation | ( | ssl_context * | ssl, |
int | allow_legacy | ||
) |
Prevent or allow legacy renegotiation.
(Default: SSL_LEGACY_NO_RENEGOTIATION) SSL_LEGACY_NO_RENEGOTIATION allows connections to be established even if the peer does not support secure renegotiation, but does not allow renegotiation to take place if not secure. (Interoperable and secure option) SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations with non-upgraded peers. Allowing legacy renegotiation makes the connection vulnerable to specific man in the middle attacks. (See RFC 5746) (Most interoperable and least secure option) SSL_LEGACY_BREAK_HANDSHAKE breaks off connections if peer does not support secure renegotiation. Results in interoperability issues with non-upgraded peers that do not support renegotiation altogether. (Most secure option, interoperability issues)
ssl | SSL context |
allow_legacy | Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION, SSL_ALLOW_LEGACY_RENEGOTIATION or SSL_LEGACY_BREAK_HANDSHAKE) |
|
inlinestatic |
void ssl_optimize_checksum | ( | ssl_context * | ssl, |
int | ciphersuite | ||
) |
int ssl_parse_certificate | ( | ssl_context * | ssl | ) |
int ssl_parse_change_cipher_spec | ( | ssl_context * | ssl | ) |
int ssl_parse_finished | ( | ssl_context * | ssl | ) |
int ssl_read | ( | ssl_context * | ssl, |
unsigned char * | buf, | ||
size_t | len | ||
) |
Read at most 'len' application data bytes.
ssl | SSL context |
buf | buffer that will hold the data |
len | how many bytes must be read |
int ssl_read_record | ( | ssl_context * | ssl | ) |
int ssl_renegotiate | ( | ssl_context * | ssl | ) |
Perform an SSL renegotiation on the running connection.
ssl | SSL context |
int ssl_send_alert_message | ( | ssl_context * | ssl, |
unsigned char | level, | ||
unsigned char | message | ||
) |
Send an alert message.
ssl | SSL context |
level | The alert level of the message (SSL_ALERT_LEVEL_WARNING or SSL_ALERT_LEVEL_FATAL) |
message | The alert message (SSL_ALERT_MSG_*) |
int ssl_send_fatal_handshake_failure | ( | ssl_context * | ssl | ) |
void ssl_session_free | ( | ssl_session * | session | ) |
Free referenced items in an SSL session including the peer certificate and clear memory.
session | SSL session |
int ssl_session_reset | ( | ssl_context * | ssl | ) |
Reset an already initialized SSL context for re-use while retaining application-set variables, function pointers and data.
ssl | SSL context |
void ssl_set_authmode | ( | ssl_context * | ssl, |
int | authmode | ||
) |
Set the certificate verification mode.
ssl | SSL context |
authmode | can be: |
SSL_VERIFY_NONE: peer certificate is not checked (default), this is insecure and SHOULD be avoided.
SSL_VERIFY_OPTIONAL: peer certificate is checked, however the handshake continues even if verification failed; ssl_get_verify_result() can be called after the handshake is complete.
SSL_VERIFY_REQUIRED: peer must present a valid certificate, handshake is aborted if verification failed.
void ssl_set_bio | ( | ssl_context * | ssl, |
int(*)(void *, unsigned char *, size_t) | f_recv, | ||
void * | p_recv, | ||
int(*)(void *, const unsigned char *, size_t) | f_send, | ||
void * | p_send | ||
) |
Set the underlying BIO read and write callbacks.
ssl | SSL context |
f_recv | read callback |
p_recv | read parameter |
f_send | write callback |
p_send | write parameter |
void ssl_set_ca_chain | ( | ssl_context * | ssl, |
x509_cert * | ca_chain, | ||
x509_crl * | ca_crl, | ||
const char * | peer_cn | ||
) |
Set the data required to verify peer certificate.
ssl | SSL context |
ca_chain | trusted CA chain (meaning all fully trusted top-level CAs) |
ca_crl | trusted CA CRLs |
peer_cn | expected peer CommonName (or NULL) |
void ssl_set_ciphersuites | ( | ssl_context * | ssl, |
const int * | ciphersuites | ||
) |
Set the list of allowed ciphersuites (Default: ssl_default_ciphersuites) (Overrides all version specific lists)
ssl | SSL context |
ciphersuites | 0-terminated list of allowed ciphersuites |
void ssl_set_ciphersuites_for_version | ( | ssl_context * | ssl, |
const int * | ciphersuites, | ||
int | major, | ||
int | minor | ||
) |
Set the list of allowed ciphersuites for a specific version of the protocol.
(Default: ssl_default_ciphersuites) (Only useful on the server side)
ssl | SSL context |
ciphersuites | 0-terminated list of allowed ciphersuites |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, SSL_MINOR_VERSION_3 supported) |
void ssl_set_dbg | ( | ssl_context * | ssl, |
void(*)(void *, int, const char *) | f_dbg, | ||
void * | p_dbg | ||
) |
Set the debug callback.
ssl | SSL context |
f_dbg | debug function |
p_dbg | debug parameter |
int ssl_set_dh_param | ( | ssl_context * | ssl, |
const char * | dhm_P, | ||
const char * | dhm_G | ||
) |
Set the Diffie-Hellman public P and G values, read as hexadecimal strings (server-side only) (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
ssl | SSL context |
dhm_P | Diffie-Hellman-Merkle modulus |
dhm_G | Diffie-Hellman-Merkle generator |
int ssl_set_dh_param_ctx | ( | ssl_context * | ssl, |
dhm_context * | dhm_ctx | ||
) |
Set the Diffie-Hellman public P and G values, read from existing context (server-side only)
ssl | SSL context |
dhm_ctx | Diffie-Hellman-Merkle context |
void ssl_set_endpoint | ( | ssl_context * | ssl, |
int | endpoint | ||
) |
Set the current endpoint type.
ssl | SSL context |
endpoint | must be SSL_IS_CLIENT or SSL_IS_SERVER |
int ssl_set_hostname | ( | ssl_context * | ssl, |
const char * | hostname | ||
) |
Set hostname for ServerName TLS extension (client-side only)
ssl | SSL context |
hostname | the server hostname |
void ssl_set_max_version | ( | ssl_context * | ssl, |
int | major, | ||
int | minor | ||
) |
Set the maximum supported version sent from the client side.
ssl | SSL context |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, SSL_MINOR_VERSION_3 supported) |
void ssl_set_min_version | ( | ssl_context * | ssl, |
int | major, | ||
int | minor | ||
) |
Set the minimum accepted SSL/TLS protocol version (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0)
ssl | SSL context |
major | Major version number (only SSL_MAJOR_VERSION_3 supported) |
minor | Minor version number (SSL_MINOR_VERSION_0, SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2, SSL_MINOR_VERSION_3 supported) |
void ssl_set_own_cert | ( | ssl_context * | ssl, |
x509_cert * | own_cert, | ||
rsa_context * | rsa_key | ||
) |
Set own certificate chain and private key.
Note: own_cert should contain IN order from the bottom up your certificate chain. The top certificate (self-signed) can be omitted.
ssl | SSL context |
own_cert | own public certificate chain |
rsa_key | own private RSA key |
void ssl_set_own_cert_alt | ( | ssl_context * | ssl, |
x509_cert * | own_cert, | ||
void * | rsa_key, | ||
rsa_decrypt_func | rsa_decrypt, | ||
rsa_sign_func | rsa_sign, | ||
rsa_key_len_func | rsa_key_len | ||
) |
Set own certificate and alternate non-PolarSSL private key and handling callbacks, such as the PKCS#11 wrappers or any other external private key handler.
(see the respective RSA functions in rsa.h for documentation of the callback parameters, with the only change being that the rsa_context * is a void * in the callbacks) Note: own_cert should contain IN order from the bottom up your certificate chain. The top certificate (self-signed) can be omitted.
ssl | SSL context |
own_cert | own public certificate chain |
rsa_key | alternate implementation private RSA key |
rsa_decrypt_func | alternate implementation of rsa_pkcs1_decrypt() |
rsa_sign_func | alternate implementation of rsa_pkcs1_sign() |
rsa_key_len_func | function returning length of RSA key in bytes |
void ssl_set_renegotiation | ( | ssl_context * | ssl, |
int | renegotiation | ||
) |
Enable / Disable renegotiation support for connection when initiated by peer (Default: SSL_RENEGOTIATION_DISABLED)
Note: A server with support enabled is more vulnerable for a resource DoS by a malicious client. You should enable this on a client to enable server-initiated renegotiation.
ssl | SSL context |
renegotiation | Enable or disable (SSL_RENEGOTIATION_ENABLED or SSL_RENEGOTIATION_DISABLED) |
void ssl_set_rng | ( | ssl_context * | ssl, |
int(*)(void *, unsigned char *, size_t) | f_rng, | ||
void * | p_rng | ||
) |
Set the random number generator callback.
ssl | SSL context |
f_rng | RNG function |
p_rng | RNG parameter |
void ssl_set_session | ( | ssl_context * | ssl, |
const ssl_session * | session | ||
) |
Request resumption of session (client-side only) Session data is copied from presented session structure.
Warning: session.peer_cert is cleared by the SSL/TLS layer on connection shutdown, so do not cache the pointer! Either set it to NULL or make a full copy of the certificate when storing the session for use in this function.
ssl | SSL context |
session | session context |
void ssl_set_session_cache | ( | ssl_context * | ssl, |
int(*)(void *, ssl_session *) | f_get_cache, | ||
void * | p_get_cache, | ||
int(*)(void *, const ssl_session *) | f_set_cache, | ||
void * | p_set_cache | ||
) |
Set the session cache callbacks (server-side only) If not set, no session resuming is done.
The session cache has the responsibility to check for stale entries based on timeout. See RFC 5246 for recommendations. Warning: session.peer_cert is cleared by the SSL/TLS layer on connection shutdown, so do not cache the pointer! Either set it to NULL or make a full copy of the certificate. The get callback is called once during the initial handshake to enable session resuming. The get function has the following parameters: (void *parameter, ssl_session *session) If a valid entry is found, it should fill the master of the session object with the cached values and return 0, return 1 otherwise. Optionally peer_cert can be set as well if it is properly present in cache entry. The set callback is called once during the initial handshake to enable session resuming after the entire handshake has been finished. The set function has the following parameters: (void *parameter, const ssl_session *session). The function should create a cache entry for future retrieval based on the data in the session structure and should keep in mind that the ssl_session object presented (and all its referenced data) is cleared by the SSL/TLS layer when the connection is terminated. It is recommended to add metadata to determine if an entry is still valid in the future. Return 0 if successfully cached, return 1 otherwise.
ssl | SSL context |
f_get_cache | session get callback |
p_get_cache | session get parameter |
f_set_cache | session set callback |
p_set_cache | session set parameter |
void ssl_set_sni | ( | ssl_context * | ssl, |
int(*)(void *, ssl_context *, const unsigned char *, size_t) | f_sni, | ||
void * | p_sni | ||
) |
Set server side ServerName TLS extension callback (optional, server-side only).
If set, the ServerName callback is called whenever the server receives a ServerName TLS extension from the client during a handshake. The ServerName callback has the following parameters: (void *parameter, ssl_context *ssl, const unsigned char *hostname, size_t len). If a suitable certificate is found, the callback should set the certificate and key to use with ssl_set_own_cert() (and possibly adjust the CA chain as well) and return 0. The callback should return -1 to abort the handshake at this point.
ssl | SSL context |
f_sni | verification function |
p_sni | verification parameter |
void ssl_set_verify | ( | ssl_context * | ssl, |
int(*)(void *, x509_cert *, int, int *) | f_vrfy, | ||
void * | p_vrfy | ||
) |
Set the verification callback (Optional).
If set, the verify callback is called for each certificate in the chain. For implementation information, please see \c x509parse_verify()
ssl | SSL context |
f_vrfy | verification function |
p_vrfy | verification parameter |
void ssl_transform_free | ( | ssl_transform * | transform | ) |
Free referenced items in an SSL transform context and clear memory.
transform | SSL transform context |
int ssl_write | ( | ssl_context * | ssl, |
const unsigned char * | buf, | ||
size_t | len | ||
) |
Write exactly 'len' application data bytes.
ssl | SSL context |
buf | buffer holding the data |
len | how many bytes must be written |
int ssl_write_certificate | ( | ssl_context * | ssl | ) |
int ssl_write_change_cipher_spec | ( | ssl_context * | ssl | ) |
int ssl_write_finished | ( | ssl_context * | ssl | ) |
int ssl_write_record | ( | ssl_context * | ssl | ) |
const int ssl_default_ciphersuites[] |