mbed TLS v2.2.0
ssl.h
Go to the documentation of this file.
1 
23 #ifndef MBEDTLS_SSL_H
24 #define MBEDTLS_SSL_H
25 
26 #if !defined(MBEDTLS_CONFIG_FILE)
27 #include "config.h"
28 #else
29 #include MBEDTLS_CONFIG_FILE
30 #endif
31 
32 #include "bignum.h"
33 #include "ecp.h"
34 
35 #include "ssl_ciphersuites.h"
36 
37 #if defined(MBEDTLS_X509_CRT_PARSE_C)
38 #include "x509_crt.h"
39 #include "x509_crl.h"
40 #endif
41 
42 #if defined(MBEDTLS_DHM_C)
43 #include "dhm.h"
44 #endif
45 
46 #if defined(MBEDTLS_ECDH_C)
47 #include "ecdh.h"
48 #endif
49 
50 #if defined(MBEDTLS_ZLIB_SUPPORT)
51 #include "zlib.h"
52 #endif
53 
54 #if defined(MBEDTLS_HAVE_TIME)
55 #include <time.h>
56 #endif
57 
58 /*
59  * SSL Error codes
60  */
61 #define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -0x7080
62 #define MBEDTLS_ERR_SSL_BAD_INPUT_DATA -0x7100
63 #define MBEDTLS_ERR_SSL_INVALID_MAC -0x7180
64 #define MBEDTLS_ERR_SSL_INVALID_RECORD -0x7200
65 #define MBEDTLS_ERR_SSL_CONN_EOF -0x7280
66 #define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER -0x7300
67 #define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN -0x7380
68 #define MBEDTLS_ERR_SSL_NO_RNG -0x7400
69 #define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480
70 #define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500
71 #define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED -0x7580
72 #define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600
73 #define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED -0x7680
74 #define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE -0x7700
75 #define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780
76 #define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED -0x7800
77 #define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880
78 #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900
79 #define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980
80 #define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00
81 #define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0x7A80
82 #define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0x7B00
83 #define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0x7B80
84 #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0x7C00
85 #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP -0x7C80
86 #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS -0x7D00
87 #define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80
88 #define MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00
89 #define MBEDTLS_ERR_SSL_BAD_HS_FINISHED -0x7E80
90 #define MBEDTLS_ERR_SSL_ALLOC_FAILED -0x7F00
91 #define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED -0x7F80
92 #define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80
93 #define MBEDTLS_ERR_SSL_COMPRESSION_FAILED -0x6F00
94 #define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80
95 #define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00
96 #define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80
97 #define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH -0x6D00
98 #define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY -0x6C80
99 #define MBEDTLS_ERR_SSL_INTERNAL_ERROR -0x6C00
100 #define MBEDTLS_ERR_SSL_COUNTER_WRAPPING -0x6B80
101 #define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO -0x6B00
102 #define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED -0x6A80
103 #define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL -0x6A00
104 #define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE -0x6980
105 #define MBEDTLS_ERR_SSL_WANT_READ -0x6900
106 #define MBEDTLS_ERR_SSL_WANT_WRITE -0x6880
107 #define MBEDTLS_ERR_SSL_TIMEOUT -0x6800
108 #define MBEDTLS_ERR_SSL_CLIENT_RECONNECT -0x6780
110 /*
111  * Various constants
112  */
113 #define MBEDTLS_SSL_MAJOR_VERSION_3 3
114 #define MBEDTLS_SSL_MINOR_VERSION_0 0
115 #define MBEDTLS_SSL_MINOR_VERSION_1 1
116 #define MBEDTLS_SSL_MINOR_VERSION_2 2
117 #define MBEDTLS_SSL_MINOR_VERSION_3 3
119 #define MBEDTLS_SSL_TRANSPORT_STREAM 0
120 #define MBEDTLS_SSL_TRANSPORT_DATAGRAM 1
122 #define MBEDTLS_SSL_MAX_HOST_NAME_LEN 255
124 /* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
125  * NONE must be zero so that memset()ing structure to zero works */
126 #define MBEDTLS_SSL_MAX_FRAG_LEN_NONE 0
127 #define MBEDTLS_SSL_MAX_FRAG_LEN_512 1
128 #define MBEDTLS_SSL_MAX_FRAG_LEN_1024 2
129 #define MBEDTLS_SSL_MAX_FRAG_LEN_2048 3
130 #define MBEDTLS_SSL_MAX_FRAG_LEN_4096 4
131 #define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID 5
133 #define MBEDTLS_SSL_IS_CLIENT 0
134 #define MBEDTLS_SSL_IS_SERVER 1
135 
136 #define MBEDTLS_SSL_IS_NOT_FALLBACK 0
137 #define MBEDTLS_SSL_IS_FALLBACK 1
138 
139 #define MBEDTLS_SSL_EXTENDED_MS_DISABLED 0
140 #define MBEDTLS_SSL_EXTENDED_MS_ENABLED 1
141 
142 #define MBEDTLS_SSL_ETM_DISABLED 0
143 #define MBEDTLS_SSL_ETM_ENABLED 1
144 
145 #define MBEDTLS_SSL_COMPRESS_NULL 0
146 #define MBEDTLS_SSL_COMPRESS_DEFLATE 1
147 
148 #define MBEDTLS_SSL_VERIFY_NONE 0
149 #define MBEDTLS_SSL_VERIFY_OPTIONAL 1
150 #define MBEDTLS_SSL_VERIFY_REQUIRED 2
151 #define MBEDTLS_SSL_VERIFY_UNSET 3 /* Used only for sni_authmode */
152 
153 #define MBEDTLS_SSL_LEGACY_RENEGOTIATION 0
154 #define MBEDTLS_SSL_SECURE_RENEGOTIATION 1
155 
156 #define MBEDTLS_SSL_RENEGOTIATION_DISABLED 0
157 #define MBEDTLS_SSL_RENEGOTIATION_ENABLED 1
158 
159 #define MBEDTLS_SSL_ANTI_REPLAY_DISABLED 0
160 #define MBEDTLS_SSL_ANTI_REPLAY_ENABLED 1
161 
162 #define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED -1
163 #define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT 16
164 
165 #define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION 0
166 #define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION 1
167 #define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE 2
168 
169 #define MBEDTLS_SSL_TRUNC_HMAC_DISABLED 0
170 #define MBEDTLS_SSL_TRUNC_HMAC_ENABLED 1
171 #define MBEDTLS_SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */
172 
173 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0
174 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1
175 
176 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED 0
177 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED 1
178 
179 #define MBEDTLS_SSL_ARC4_ENABLED 0
180 #define MBEDTLS_SSL_ARC4_DISABLED 1
181 
182 #define MBEDTLS_SSL_PRESET_DEFAULT 0
183 #define MBEDTLS_SSL_PRESET_SUITEB 2
184 
185 /*
186  * Default range for DTLS retransmission timer value, in milliseconds.
187  * RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
188  */
189 #define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN 1000
190 #define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX 60000
191 
200 #if !defined(MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME)
201 #define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400
202 #endif
203 
204 /*
205  * Maxium fragment length in bytes,
206  * determines the size of each of the two internal I/O buffers.
207  *
208  * Note: the RFC defines the default size of SSL / TLS messages. If you
209  * change the value here, other clients / servers may not be able to
210  * communicate with you anymore. Only change this value if you control
211  * both sides of the connection and have it reduced at both sides, or
212  * if you're using the Max Fragment Length extension and you know all your
213  * peers are using it too!
214  */
215 #if !defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
216 #define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
217 #endif
218 
219 /* \} name SECTION: Module settings */
220 
221 /*
222  * Length of the verify data for secure renegotiation
223  */
224 #if defined(MBEDTLS_SSL_PROTO_SSL3)
225 #define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 36
226 #else
227 #define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 12
228 #endif
229 
230 /*
231  * Signaling ciphersuite values (SCSV)
232  */
233 #define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO 0xFF
234 #define MBEDTLS_SSL_FALLBACK_SCSV_VALUE 0x5600
236 /*
237  * Supported Signature and Hash algorithms (For TLS 1.2)
238  * RFC 5246 section 7.4.1.4.1
239  */
240 #define MBEDTLS_SSL_HASH_NONE 0
241 #define MBEDTLS_SSL_HASH_MD5 1
242 #define MBEDTLS_SSL_HASH_SHA1 2
243 #define MBEDTLS_SSL_HASH_SHA224 3
244 #define MBEDTLS_SSL_HASH_SHA256 4
245 #define MBEDTLS_SSL_HASH_SHA384 5
246 #define MBEDTLS_SSL_HASH_SHA512 6
247 
248 #define MBEDTLS_SSL_SIG_ANON 0
249 #define MBEDTLS_SSL_SIG_RSA 1
250 #define MBEDTLS_SSL_SIG_ECDSA 3
251 
252 /*
253  * Client Certificate Types
254  * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
255  */
256 #define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN 1
257 #define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN 64
258 
259 /*
260  * Message, alert and handshake types
261  */
262 #define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC 20
263 #define MBEDTLS_SSL_MSG_ALERT 21
264 #define MBEDTLS_SSL_MSG_HANDSHAKE 22
265 #define MBEDTLS_SSL_MSG_APPLICATION_DATA 23
266 
267 #define MBEDTLS_SSL_ALERT_LEVEL_WARNING 1
268 #define MBEDTLS_SSL_ALERT_LEVEL_FATAL 2
269 
270 #define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY 0 /* 0x00 */
271 #define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE 10 /* 0x0A */
272 #define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC 20 /* 0x14 */
273 #define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED 21 /* 0x15 */
274 #define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW 22 /* 0x16 */
275 #define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30 /* 0x1E */
276 #define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE 40 /* 0x28 */
277 #define MBEDTLS_SSL_ALERT_MSG_NO_CERT 41 /* 0x29 */
278 #define MBEDTLS_SSL_ALERT_MSG_BAD_CERT 42 /* 0x2A */
279 #define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT 43 /* 0x2B */
280 #define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED 44 /* 0x2C */
281 #define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED 45 /* 0x2D */
282 #define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN 46 /* 0x2E */
283 #define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER 47 /* 0x2F */
284 #define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA 48 /* 0x30 */
285 #define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED 49 /* 0x31 */
286 #define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR 50 /* 0x32 */
287 #define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR 51 /* 0x33 */
288 #define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION 60 /* 0x3C */
289 #define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION 70 /* 0x46 */
290 #define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71 /* 0x47 */
291 #define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR 80 /* 0x50 */
292 #define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86 /* 0x56 */
293 #define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED 90 /* 0x5A */
294 #define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION 100 /* 0x64 */
295 #define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT 110 /* 0x6E */
296 #define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME 112 /* 0x70 */
297 #define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115 /* 0x73 */
298 #define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */
299 
300 #define MBEDTLS_SSL_HS_HELLO_REQUEST 0
301 #define MBEDTLS_SSL_HS_CLIENT_HELLO 1
302 #define MBEDTLS_SSL_HS_SERVER_HELLO 2
303 #define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST 3
304 #define MBEDTLS_SSL_HS_NEW_SESSION_TICKET 4
305 #define MBEDTLS_SSL_HS_CERTIFICATE 11
306 #define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE 12
307 #define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST 13
308 #define MBEDTLS_SSL_HS_SERVER_HELLO_DONE 14
309 #define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY 15
310 #define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE 16
311 #define MBEDTLS_SSL_HS_FINISHED 20
312 
313 /*
314  * TLS extensions
315  */
316 #define MBEDTLS_TLS_EXT_SERVERNAME 0
317 #define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME 0
318 
319 #define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH 1
320 
321 #define MBEDTLS_TLS_EXT_TRUNCATED_HMAC 4
322 
323 #define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10
324 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS 11
325 
326 #define MBEDTLS_TLS_EXT_SIG_ALG 13
327 
328 #define MBEDTLS_TLS_EXT_ALPN 16
329 
330 #define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC 22 /* 0x16 */
331 #define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET 0x0017 /* 23 */
332 
333 #define MBEDTLS_TLS_EXT_SESSION_TICKET 35
334 
335 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */
336 
337 #define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO 0xFF01
338 
339 /*
340  * Size defines
341  */
342 #if !defined(MBEDTLS_PSK_MAX_LEN)
343 #define MBEDTLS_PSK_MAX_LEN 32 /* 256 bits */
344 #endif
345 
346 /* Dummy type used only for its size */
348 {
349 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
350  unsigned char _pms_rsa[48]; /* RFC 5246 8.1.1 */
351 #endif
352 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
353  unsigned char _pms_dhm[MBEDTLS_MPI_MAX_SIZE]; /* RFC 5246 8.1.2 */
354 #endif
355 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
356  defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
357  defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
358  defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
359  unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES]; /* RFC 4492 5.10 */
360 #endif
361 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
362  unsigned char _pms_psk[4 + 2 * MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 2 */
363 #endif
364 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
365  unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE
366  + MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 3 */
367 #endif
368 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
369  unsigned char _pms_rsa_psk[52 + MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 4 */
370 #endif
371 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
372  unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES
373  + MBEDTLS_PSK_MAX_LEN]; /* RFC 5489 2 */
374 #endif
375 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
376  unsigned char _pms_ecjpake[32]; /* Thread spec: SHA-256 output */
377 #endif
378 };
379 
380 #define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret )
381 
382 #ifdef __cplusplus
383 extern "C" {
384 #endif
385 
386 /*
387  * SSL state machine
388  */
389 typedef enum
390 {
410 }
412 
413 /* Defined below */
417 
418 /* Defined in ssl_internal.h */
421 #if defined(MBEDTLS_X509_CRT_PARSE_C)
422 typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
423 #endif
424 #if defined(MBEDTLS_SSL_PROTO_DTLS)
425 typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
426 #endif
427 
428 /*
429  * This structure is used for storing current session data.
430  */
432 {
433 #if defined(MBEDTLS_HAVE_TIME)
434  time_t start;
435 #endif
438  size_t id_len;
439  unsigned char id[32];
440  unsigned char master[48];
442 #if defined(MBEDTLS_X509_CRT_PARSE_C)
443  mbedtls_x509_crt *peer_cert;
444 #endif /* MBEDTLS_X509_CRT_PARSE_C */
445  uint32_t verify_result;
447 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
448  unsigned char *ticket;
449  size_t ticket_len;
450  uint32_t ticket_lifetime;
451 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
452 
453 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
454  unsigned char mfl_code;
455 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
456 
457 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
458  int trunc_hmac;
459 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
460 
461 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
462  int encrypt_then_mac;
463 #endif
464 };
465 
470 {
471  /* Group items by size (largest first) to minimize padding overhead */
472 
473  /*
474  * Pointers
475  */
476 
477  const int *ciphersuite_list[4];
480  void (*f_dbg)(void *, int, const char *, int, const char *);
481  void *p_dbg;
484  int (*f_rng)(void *, unsigned char *, size_t);
485  void *p_rng;
488  int (*f_get_cache)(void *, mbedtls_ssl_session *);
490  int (*f_set_cache)(void *, const mbedtls_ssl_session *);
491  void *p_cache;
493 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
494 
495  int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
496  void *p_sni;
497 #endif
498 
499 #if defined(MBEDTLS_X509_CRT_PARSE_C)
500 
501  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
502  void *p_vrfy;
503 #endif
504 
505 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
506 
507  int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
508  void *p_psk;
509 #endif
510 
511 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
512 
513  int (*f_cookie_write)( void *, unsigned char **, unsigned char *,
514  const unsigned char *, size_t );
516  int (*f_cookie_check)( void *, const unsigned char *, size_t,
517  const unsigned char *, size_t );
518  void *p_cookie;
519 #endif
520 
521 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
522 
523  int (*f_ticket_write)( void *, const mbedtls_ssl_session *,
524  unsigned char *, const unsigned char *, size_t *, uint32_t * );
526  int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t);
527  void *p_ticket;
528 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
529 
530 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
531 
532  int (*f_export_keys)( void *, const unsigned char *,
533  const unsigned char *, size_t, size_t, size_t );
534  void *p_export_keys;
535 #endif
536 
537 #if defined(MBEDTLS_X509_CRT_PARSE_C)
538  const mbedtls_x509_crt_profile *cert_profile;
539  mbedtls_ssl_key_cert *key_cert;
540  mbedtls_x509_crt *ca_chain;
541  mbedtls_x509_crl *ca_crl;
542 #endif /* MBEDTLS_X509_CRT_PARSE_C */
543 
544 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
545  const int *sig_hashes;
546 #endif
547 
548 #if defined(MBEDTLS_ECP_C)
549  const mbedtls_ecp_group_id *curve_list;
550 #endif
551 
552 #if defined(MBEDTLS_DHM_C)
553  mbedtls_mpi dhm_P;
554  mbedtls_mpi dhm_G;
555 #endif
556 
557 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
558  unsigned char *psk;
559  size_t psk_len;
560  unsigned char *psk_identity;
561  size_t psk_identity_len;
562 #endif
563 
564 #if defined(MBEDTLS_SSL_ALPN)
565  const char **alpn_list;
566 #endif
567 
568  /*
569  * Numerical settings (int then char)
570  */
571 
572  uint32_t read_timeout;
574 #if defined(MBEDTLS_SSL_PROTO_DTLS)
575  uint32_t hs_timeout_min;
577  uint32_t hs_timeout_max;
579 #endif
580 
581 #if defined(MBEDTLS_SSL_RENEGOTIATION)
582  int renego_max_records;
583  unsigned char renego_period[8];
585 #endif
586 
587 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
588  unsigned int badmac_limit;
589 #endif
590 
591 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
592  unsigned int dhm_min_bitlen;
593 #endif
594 
595  unsigned char max_major_ver;
596  unsigned char max_minor_ver;
597  unsigned char min_major_ver;
598  unsigned char min_minor_ver;
600  /*
601  * Flags (bitfields)
602  */
603 
604  unsigned int endpoint : 1;
605  unsigned int transport : 1;
606  unsigned int authmode : 2;
607  /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */
608  unsigned int allow_legacy_renegotiation : 2 ;
609 #if defined(MBEDTLS_ARC4_C)
610  unsigned int arc4_disabled : 1;
611 #endif
612 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
613  unsigned int mfl_code : 3;
614 #endif
615 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
616  unsigned int encrypt_then_mac : 1 ;
617 #endif
618 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
619  unsigned int extended_ms : 1;
620 #endif
621 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
622  unsigned int anti_replay : 1;
623 #endif
624 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
625  unsigned int cbc_record_splitting : 1;
626 #endif
627 #if defined(MBEDTLS_SSL_RENEGOTIATION)
628  unsigned int disable_renegotiation : 1;
629 #endif
630 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
631  unsigned int trunc_hmac : 1;
632 #endif
633 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
634  unsigned int session_tickets : 1;
635 #endif
636 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
637  unsigned int fallback : 1;
638 #endif
639 };
640 
641 
643 {
646  /*
647  * Miscellaneous
648  */
649  int state;
650 #if defined(MBEDTLS_SSL_RENEGOTIATION)
651  int renego_status;
652  int renego_records_seen;
655 #endif
656 
657  int major_ver;
658  int minor_ver;
660 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
661  unsigned badmac_seen;
662 #endif
663 
664  /*
665  * Callbacks
666  */
667  int (*f_send)(void *, const unsigned char *, size_t);
668  int (*f_recv)(void *, unsigned char *, size_t);
669  int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t);
670  void *p_bio;
672  /*
673  * Session layer
674  */
683  /*
684  * Record layer transformations
685  */
691  /*
692  * Timers
693  */
694  void *p_timer;
695  void (*f_set_timer)(void *, uint32_t, uint32_t);
696  int (*f_get_timer)(void *);
698  /*
699  * Record layer (incoming data)
700  */
701  unsigned char *in_buf;
702  unsigned char *in_ctr;
705  unsigned char *in_hdr;
706  unsigned char *in_len;
707  unsigned char *in_iv;
708  unsigned char *in_msg;
709  unsigned char *in_offt;
712  size_t in_msglen;
713  size_t in_left;
714 #if defined(MBEDTLS_SSL_PROTO_DTLS)
715  uint16_t in_epoch;
716  size_t next_record_offset;
718 #endif
719 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
720  uint64_t in_window_top;
721  uint64_t in_window;
722 #endif
723 
724  size_t in_hslen;
726  int nb_zero;
729  /*
730  * Record layer (outgoing data)
731  */
732  unsigned char *out_buf;
733  unsigned char *out_ctr;
734  unsigned char *out_hdr;
735  unsigned char *out_len;
736  unsigned char *out_iv;
737  unsigned char *out_msg;
740  size_t out_msglen;
741  size_t out_left;
743 #if defined(MBEDTLS_ZLIB_SUPPORT)
744  unsigned char *compress_buf;
745 #endif
746 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
747  signed char split_done;
748 #endif
749 
750  /*
751  * PKI layer
752  */
755  /*
756  * User settings
757  */
758 #if defined(MBEDTLS_X509_CRT_PARSE_C)
759  char *hostname;
761 #endif
762 
763 #if defined(MBEDTLS_SSL_ALPN)
764  const char *alpn_chosen;
765 #endif
766 
767  /*
768  * Information for DTLS hello verify
769  */
770 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
771  unsigned char *cli_id;
772  size_t cli_id_len;
773 #endif
774 
775  /*
776  * Secure renegotiation
777  */
778  /* needed to know when to send extension on server */
781 #if defined(MBEDTLS_SSL_RENEGOTIATION)
782  size_t verify_data_len;
783  char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN];
784  char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN];
785 #endif
786 };
787 
788 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
789 
790 #define MBEDTLS_SSL_CHANNEL_OUTBOUND 0
791 #define MBEDTLS_SSL_CHANNEL_INBOUND 1
792 
793 extern int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
794  const unsigned char *key_enc, const unsigned char *key_dec,
795  size_t keylen,
796  const unsigned char *iv_enc, const unsigned char *iv_dec,
797  size_t ivlen,
798  const unsigned char *mac_enc, const unsigned char *mac_dec,
799  size_t maclen);
800 extern int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction);
801 extern int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl);
802 extern int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl);
803 extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl);
804 extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl);
805 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
806 
813 const int *mbedtls_ssl_list_ciphersuites( void );
814 
823 const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id );
824 
833 int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name );
834 
843 
860  const mbedtls_ssl_config *conf );
861 
873 
880 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
881 
896 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
897 
923 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
924 
925 #if defined(MBEDTLS_X509_CRT_PARSE_C)
926 
937 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
938  int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
939  void *p_vrfy );
940 #endif /* MBEDTLS_X509_CRT_PARSE_C */
941 
950  int (*f_rng)(void *, unsigned char *, size_t),
951  void *p_rng );
952 
968  void (*f_dbg)(void *, int, const char *, int, const char *),
969  void *p_dbg );
970 
995  void *p_bio,
996  int (*f_send)(void *, const unsigned char *, size_t),
997  int (*f_recv)(void *, unsigned char *, size_t),
998  int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t) );
999 
1016 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
1017 
1034  void *p_timer,
1035  void (*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms),
1036  int (*f_get_timer)(void *) );
1037 
1057 typedef int mbedtls_ssl_ticket_write_t( void *p_ticket,
1058  const mbedtls_ssl_session *session,
1059  unsigned char *start,
1060  const unsigned char *end,
1061  size_t *tlen,
1062  uint32_t *lifetime );
1063 
1064 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
1065 
1085 typedef int mbedtls_ssl_export_keys_t( void *p_expkey,
1086  const unsigned char *ms,
1087  const unsigned char *kb,
1088  size_t maclen,
1089  size_t keylen,
1090  size_t ivlen );
1091 #endif /* MBEDTLS_SSL_EXPORT_KEYS */
1092 
1116 typedef int mbedtls_ssl_ticket_parse_t( void *p_ticket,
1117  mbedtls_ssl_session *session,
1118  unsigned char *buf,
1119  size_t len );
1120 
1121 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
1122 
1136 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
1137  mbedtls_ssl_ticket_write_t *f_ticket_write,
1138  mbedtls_ssl_ticket_parse_t *f_ticket_parse,
1139  void *p_ticket );
1140 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
1141 
1142 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
1143 
1153 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
1154  mbedtls_ssl_export_keys_t *f_export_keys,
1155  void *p_export_keys );
1156 #endif /* MBEDTLS_SSL_EXPORT_KEYS */
1157 
1172 typedef int mbedtls_ssl_cookie_write_t( void *ctx,
1173  unsigned char **p, unsigned char *end,
1174  const unsigned char *info, size_t ilen );
1175 
1189 typedef int mbedtls_ssl_cookie_check_t( void *ctx,
1190  const unsigned char *cookie, size_t clen,
1191  const unsigned char *info, size_t ilen );
1192 
1193 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1194 
1222 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
1223  mbedtls_ssl_cookie_write_t *f_cookie_write,
1224  mbedtls_ssl_cookie_check_t *f_cookie_check,
1225  void *p_cookie );
1226 
1246 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
1247  const unsigned char *info,
1248  size_t ilen );
1249 
1250 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1251 
1252 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1253 
1268 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
1269 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
1270 
1271 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
1272 
1295 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
1296 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
1297 
1298 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1299 
1315 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max );
1316 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1317 
1318 #if defined(MBEDTLS_SSL_SRV_C)
1319 
1356 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
1357  void *p_cache,
1358  int (*f_get_cache)(void *, mbedtls_ssl_session *),
1359  int (*f_set_cache)(void *, const mbedtls_ssl_session *) );
1360 #endif /* MBEDTLS_SSL_SRV_C */
1361 
1362 #if defined(MBEDTLS_SSL_CLI_C)
1363 
1377 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session );
1378 #endif /* MBEDTLS_SSL_CLI_C */
1379 
1396  const int *ciphersuites );
1397 
1418  const int *ciphersuites,
1419  int major, int minor );
1420 
1421 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1422 
1432 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
1433  const mbedtls_x509_crt_profile *profile );
1434 
1442 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
1443  mbedtls_x509_crt *ca_chain,
1444  mbedtls_x509_crl *ca_crl );
1445 
1469 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
1470  mbedtls_x509_crt *own_cert,
1471  mbedtls_pk_context *pk_key );
1472 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1473 
1474 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1475 
1489 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
1490  const unsigned char *psk, size_t psk_len,
1491  const unsigned char *psk_identity, size_t psk_identity_len );
1492 
1493 
1506 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
1507  const unsigned char *psk, size_t psk_len );
1508 
1533 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
1534  int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
1535  size_t),
1536  void *p_psk );
1537 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
1538 
1539 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
1540 
1551 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G );
1552 
1562 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx );
1563 #endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */
1564 
1565 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
1566 
1574 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
1575  unsigned int bitlen );
1576 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
1577 
1578 #if defined(MBEDTLS_ECP_C)
1579 
1606 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
1607  const mbedtls_ecp_group_id *curves );
1608 #endif /* MBEDTLS_ECP_C */
1609 
1610 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1611 
1629 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
1630  const int *hashes );
1631 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1632 
1633 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1634 
1644 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
1645 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1646 
1647 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1648 
1660 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
1661  mbedtls_x509_crt *own_cert,
1662  mbedtls_pk_context *pk_key );
1663 
1675 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
1676  mbedtls_x509_crt *ca_chain,
1677  mbedtls_x509_crl *ca_crl );
1678 
1689 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
1690  int authmode );
1691 
1715 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
1716  int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *,
1717  size_t),
1718  void *p_sni );
1719 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1720 
1721 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1722 
1739 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
1740  const unsigned char *pw,
1741  size_t pw_len );
1742 #endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1743 
1744 #if defined(MBEDTLS_SSL_ALPN)
1745 
1754 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos );
1755 
1765 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
1766 #endif /* MBEDTLS_SSL_ALPN */
1767 
1784 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
1785 
1804 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
1805 
1806 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
1807 
1826 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback );
1827 #endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */
1828 
1829 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1830 
1841 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
1842 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1843 
1844 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1845 
1856 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
1857 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1858 
1859 #if defined(MBEDTLS_ARC4_C)
1860 
1873 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
1874 #endif /* MBEDTLS_ARC4_C */
1875 
1876 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1877 
1892 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code );
1893 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1894 
1895 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1896 
1904 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate );
1905 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1906 
1907 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
1908 
1919 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split );
1920 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
1921 
1922 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
1923 
1933 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
1934 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
1935 
1936 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1937 
1954 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
1955 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1956 
1984 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
1985 
1986 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1987 
2024 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records );
2025 
2043 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
2044  const unsigned char period[8] );
2045 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2046 
2055 
2067 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
2068 
2076 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl );
2077 
2085 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl );
2086 
2098 
2099 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2100 
2116 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
2117 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2118 
2119 #if defined(MBEDTLS_X509_CRT_PARSE_C)
2120 
2134 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl );
2135 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2136 
2137 #if defined(MBEDTLS_SSL_CLI_C)
2138 
2154 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session );
2155 #endif /* MBEDTLS_SSL_CLI_C */
2156 
2178 
2193 
2194 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2195 
2205 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
2206 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2207 
2235 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len );
2236 
2266 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len );
2267 
2279  unsigned char level,
2280  unsigned char message );
2287 
2294 
2306 
2324  int endpoint, int transport, int preset );
2325 
2332 
2339 
2347 
2348 #ifdef __cplusplus
2349 }
2350 #endif
2351 
2352 #endif /* ssl.h */
void * p_rng
Definition: ssl.h:485
unsigned int transport
Definition: ssl.h:605
unsigned char * in_ctr
Definition: ssl.h:702
unsigned char * out_msg
Definition: ssl.h:737
unsigned char master[48]
Definition: ssl.h:440
unsigned char * in_len
Definition: ssl.h:706
unsigned char * in_buf
Definition: ssl.h:701
unsigned int endpoint
Definition: ssl.h:604
Public key container.
Definition: pk.h:126
int mbedtls_ssl_ticket_parse_t(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len)
Callback type: parse and load session ticket.
Definition: ssl.h:1116
unsigned char max_minor_ver
Definition: ssl.h:596
const char * mbedtls_ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
unsigned char min_minor_ver
Definition: ssl.h:598
int mbedtls_ssl_cookie_write_t(void *ctx, unsigned char **p, unsigned char *end, const unsigned char *info, size_t ilen)
Callback type: generate a cookie.
Definition: ssl.h:1172
unsigned char * in_hdr
Definition: ssl.h:705
int mbedtls_ssl_cookie_check_t(void *ctx, const unsigned char *cookie, size_t clen, const unsigned char *info, size_t ilen)
Callback type: verify a cookie.
Definition: ssl.h:1189
int(* f_get_timer)(void *)
Definition: ssl.h:696
int(* f_recv_timeout)(void *, unsigned char *, size_t, uint32_t)
Definition: ssl.h:669
unsigned char * out_iv
Definition: ssl.h:736
mbedtls_ssl_transform * transform_in
Definition: ssl.h:686
size_t in_left
Definition: ssl.h:713
unsigned int authmode
Definition: ssl.h:606
Elliptic curves over GF(p)
Certificate revocation list structure.
Definition: x509_crl.h:69
int(* f_get_cache)(void *, mbedtls_ssl_session *)
Callback to retrieve a session from the cache.
Definition: ssl.h:488
void(* f_dbg)(void *, int, const char *, int, const char *)
Callback for printing debug output.
Definition: ssl.h:480
void * p_cache
Definition: ssl.h:491
#define MBEDTLS_MPI_MAX_SIZE
mbedtls_ssl_session * session_in
Definition: ssl.h:675
Compatibility names (set of defines)
void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
Set the maximum supported version sent from the client side and/or accepted at the server side (Defau...
uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
Return the result of the certificate verification.
mbedtls_ssl_session * session_out
Definition: ssl.h:676
int mbedtls_ssl_send_alert_message(mbedtls_ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
SSL Ciphersuites for mbed TLS.
mbedtls_ssl_transform * transform_out
Definition: ssl.h:687
int(* f_recv)(void *, unsigned char *, size_t)
Definition: ssl.h:668
int(* f_set_cache)(void *, const mbedtls_ssl_session *)
Callback to store a session into the cache.
Definition: ssl.h:490
Multi-precision integer library.
size_t in_hslen
Definition: ssl.h:724
int mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len)
Try to write exactly 'len' application data bytes.
void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
Set the minimum accepted SSL/TLS protocol version (Default: TLS 1.0)
int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl)
Notify the peer that the connection is being closed.
void mbedtls_ssl_conf_ciphersuites_for_version(mbedtls_ssl_config *conf, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites and the preference order for a specific version of the protocol...
mbedtls_ssl_transform * transform
Definition: ssl.h:688
mbedtls_ssl_handshake_params * handshake
Definition: ssl.h:680
void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
Free referenced items in an SSL context and clear memory.
void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
Set the current endpoint type.
size_t out_left
Definition: ssl.h:741
void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
unsigned char * in_msg
Definition: ssl.h:708
int(* f_send)(void *, const unsigned char *, size_t)
Definition: ssl.h:667
unsigned char min_major_ver
Definition: ssl.h:597
const int * ciphersuite_list[4]
Definition: ssl.h:477
int(* f_rng)(void *, unsigned char *, size_t)
Callback for getting (pseudo-)random numbers.
Definition: ssl.h:484
void(* f_set_timer)(void *, uint32_t, uint32_t)
Definition: ssl.h:695
int mbedtls_ssl_get_ciphersuite_id(const char *ciphersuite_name)
Return the ID of the ciphersuite associated with the given name.
void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
Set the transport type (TLS or DTLS).
mbedtls_ssl_session * session_negotiate
Definition: ssl.h:678
mbedtls_ssl_states
Definition: ssl.h:389
const int * mbedtls_ssl_list_ciphersuites(void)
Returns the list of ciphersuites supported by the SSL/TLS module.
size_t id_len
Definition: ssl.h:438
void * p_bio
Definition: ssl.h:670
void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Set the random number generator callback.
void * p_timer
Definition: ssl.h:694
Diffie-Hellman-Merkle key exchange.
X.509 certificate parsing and writing.
#define MBEDTLS_PSK_MAX_LEN
Definition: ssl.h:343
mbedtls_ssl_session * session
Definition: ssl.h:677
unsigned char * in_iv
Definition: ssl.h:707
void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
Initialize an SSL context Just makes the context ready for mbedtls_ssl_setup() or mbedtls_ssl_free() ...
mbedtls_ssl_transform * transform_negotiate
Definition: ssl.h:689
const char * mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
Return the name of the current ciphersuite.
mbedtls_ecp_group_id
Domain parameters (curve, subgroup and generator) identifiers.
Definition: ecp.h:60
unsigned char * out_ctr
Definition: ssl.h:733
int secure_renegotiation
Definition: ssl.h:779
DHM context structure.
Definition: dhm.h:149
const mbedtls_ssl_config * conf
Definition: ssl.h:644
void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf, void(*f_dbg)(void *, int, const char *, int, const char *), void *p_dbg)
Set the debug callback.
unsigned char * in_offt
Definition: ssl.h:709
unsigned char max_major_ver
Definition: ssl.h:595
void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
Initialize an SSL configuration context Just makes the context ready for mbedtls_ssl_config_defaults(...
int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
Return the (maximum) number of bytes added by the record layer: header + encryption/MAC overhead (inc...
Elliptic curve Diffie-Hellman.
void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl, void *p_timer, void(*f_set_timer)(void *, uint32_t int_ms, uint32_t fin_ms), int(*f_get_timer)(void *))
Set the timer callbacks (Mandatory for DTLS.)
int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, const mbedtls_ssl_config *conf)
Set up an SSL context for use.
size_t out_msglen
Definition: ssl.h:740
uint32_t read_timeout
Definition: ssl.h:572
void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
Prevent or allow legacy renegotiation.
unsigned char * out_len
Definition: ssl.h:735
MPI structure.
Definition: bignum.h:143
X.509 certificate revocation list parsing.
SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
Definition: ssl.h:469
Container for an X.509 certificate.
Definition: x509_crt.h:52
void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
Set the timeout period for mbedtls_ssl_read() (Default: no timeout.)
void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
Free an SSL configuration context.
int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
Read at most 'len' application data bytes.
size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context *ssl)
Return the number of data bytes available to read.
unsigned char * out_buf
Definition: ssl.h:732
void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
Initialize SSL session structure.
Security profile for certificate verification.
Definition: x509_crt.h:107
void * p_dbg
Definition: ssl.h:481
int mbedtls_ssl_ticket_write_t(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
Callback type: generate and write session ticket.
Definition: ssl.h:1057
int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, int endpoint, int transport, int preset)
Load reasonnable default SSL configuration values.
unsigned char * out_hdr
Definition: ssl.h:734
uint32_t verify_result
Definition: ssl.h:445
int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
Perform the SSL handshake.
unsigned int allow_legacy_renegotiation
Definition: ssl.h:608
int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
Perform a single step of the SSL handshake.
void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl, void *p_bio, int(*f_send)(void *, const unsigned char *, size_t), int(*f_recv)(void *, unsigned char *, size_t), int(*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t))
Set the underlying BIO callbacks for write, read and read-with-timeout.
const char * mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
Return the current SSL version (SSLv3/TLSv1/etc)
void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
Set the certificate verification mode Default: NONE on server, REQUIRED on client.
int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables...
#define MBEDTLS_ECP_MAX_BYTES
Definition: ecp.h:186
void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf, const int *ciphersuites)
Set the list of allowed ciphersuites and the preference order.
#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
Definition: ssl.h:227
size_t in_msglen
Definition: ssl.h:712