Kenji Arai / mbed-os_TYBLE16

Dependents:   TYBLE16_simple_data_logger TYBLE16_MP3_Air

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers ssl.h Source File

ssl.h

Go to the documentation of this file.
00001 /**
00002  * \file ssl.h
00003  *
00004  * \brief SSL/TLS functions.
00005  */
00006 /*
00007  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00008  *  SPDX-License-Identifier: Apache-2.0
00009  *
00010  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00011  *  not use this file except in compliance with the License.
00012  *  You may obtain a copy of the License at
00013  *
00014  *  http://www.apache.org/licenses/LICENSE-2.0
00015  *
00016  *  Unless required by applicable law or agreed to in writing, software
00017  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00018  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00019  *  See the License for the specific language governing permissions and
00020  *  limitations under the License.
00021  *
00022  *  This file is part of mbed TLS (https://tls.mbed.org)
00023  */
00024 #ifndef MBEDTLS_SSL_H
00025 #define MBEDTLS_SSL_H
00026 
00027 #if !defined(MBEDTLS_CONFIG_FILE)
00028 #include "mbedtls/config.h"
00029 #else
00030 #include MBEDTLS_CONFIG_FILE
00031 #endif
00032 
00033 #include "mbedtls/bignum.h"
00034 #include "mbedtls/ecp.h"
00035 
00036 #include "mbedtls/ssl_ciphersuites.h"
00037 
00038 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00039 #include "mbedtls/x509_crt.h"
00040 #include "mbedtls/x509_crl.h"
00041 #endif
00042 
00043 #if defined(MBEDTLS_DHM_C)
00044 #include "mbedtls/dhm.h"
00045 #endif
00046 
00047 #if defined(MBEDTLS_ECDH_C)
00048 #include "mbedtls/ecdh.h"
00049 #endif
00050 
00051 #if defined(MBEDTLS_ZLIB_SUPPORT)
00052 
00053 #if defined(MBEDTLS_DEPRECATED_WARNING)
00054 #warning "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and will be removed in the next major revision of the library"
00055 #endif
00056 
00057 #if defined(MBEDTLS_DEPRECATED_REMOVED)
00058 #error "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and cannot be used if MBEDTLS_DEPRECATED_REMOVED is set"
00059 #endif
00060 
00061 #include "zlib.h"
00062 #endif
00063 
00064 #if defined(MBEDTLS_HAVE_TIME)
00065 #include "mbedtls/platform_time.h"
00066 #endif
00067 
00068 #if defined(MBEDTLS_USE_PSA_CRYPTO)
00069 #include "psa/crypto.h"
00070 #endif /* MBEDTLS_USE_PSA_CRYPTO */
00071 
00072 /*
00073  * SSL Error codes
00074  */
00075 #define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080  /**< The requested feature is not available. */
00076 #define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    -0x7100  /**< Bad input parameters to function. */
00077 #define MBEDTLS_ERR_SSL_INVALID_MAC                       -0x7180  /**< Verification of the message MAC failed. */
00078 #define MBEDTLS_ERR_SSL_INVALID_RECORD                    -0x7200  /**< An invalid SSL record was received. */
00079 #define MBEDTLS_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
00080 #define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
00081 #define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
00082 #define MBEDTLS_ERR_SSL_NO_RNG                            -0x7400  /**< No RNG was provided to the SSL module. */
00083 #define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
00084 #define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message. */
00085 #define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
00086 #define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED              -0x7600  /**< The own private key or pre-shared key is not set, but needed. */
00087 #define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED                 -0x7680  /**< No CA Chain is set, but required to operate. */
00088 #define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE                -0x7700  /**< An unexpected message was received from our peer. */
00089 #define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE               -0x7780  /**< A fatal alert message was received from our peer. */
00090 #define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED                -0x7800  /**< Verification of our peer failed. */
00091 #define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY                 -0x7880  /**< The peer notified us that the connection is going to be closed. */
00092 #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO               -0x7900  /**< Processing of the ClientHello handshake message failed. */
00093 #define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO               -0x7980  /**< Processing of the ServerHello handshake message failed. */
00094 #define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE                -0x7A00  /**< Processing of the Certificate handshake message failed. */
00095 #define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST        -0x7A80  /**< Processing of the CertificateRequest handshake message failed. */
00096 #define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE        -0x7B00  /**< Processing of the ServerKeyExchange handshake message failed. */
00097 #define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE          -0x7B80  /**< Processing of the ServerHelloDone handshake message failed. */
00098 #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE        -0x7C00  /**< Processing of the ClientKeyExchange handshake message failed. */
00099 #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP     -0x7C80  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public. */
00100 #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS     -0x7D00  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret. */
00101 #define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY         -0x7D80  /**< Processing of the CertificateVerify handshake message failed. */
00102 #define MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC         -0x7E00  /**< Processing of the ChangeCipherSpec handshake message failed. */
00103 #define MBEDTLS_ERR_SSL_BAD_HS_FINISHED                   -0x7E80  /**< Processing of the Finished handshake message failed. */
00104 #define MBEDTLS_ERR_SSL_ALLOC_FAILED                      -0x7F00  /**< Memory allocation failed */
00105 #define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED                   -0x7F80  /**< Hardware acceleration function returned with error */
00106 #define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH              -0x6F80  /**< Hardware acceleration function skipped / left alone data */
00107 #define MBEDTLS_ERR_SSL_COMPRESSION_FAILED                -0x6F00  /**< Processing of the compression / decompression failed */
00108 #define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION           -0x6E80  /**< Handshake protocol not within min/max boundaries */
00109 #define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET         -0x6E00  /**< Processing of the NewSessionTicket handshake message failed. */
00110 #define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED            -0x6D80  /**< Session ticket has expired. */
00111 #define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH                  -0x6D00  /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
00112 #define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY                  -0x6C80  /**< Unknown identity received (eg, PSK identity) */
00113 #define MBEDTLS_ERR_SSL_INTERNAL_ERROR                    -0x6C00  /**< Internal error (eg, unexpected failure in lower-level module) */
00114 #define MBEDTLS_ERR_SSL_COUNTER_WRAPPING                  -0x6B80  /**< A counter would wrap (eg, too many messages exchanged). */
00115 #define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO       -0x6B00  /**< Unexpected message at ServerHello in renegotiation. */
00116 #define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80  /**< DTLS client must retry for hello verification */
00117 #define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00  /**< A buffer is too small to receive or write a message */
00118 #define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE             -0x6980  /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */
00119 #define MBEDTLS_ERR_SSL_WANT_READ                         -0x6900  /**< No data of requested type currently available on underlying transport. */
00120 #define MBEDTLS_ERR_SSL_WANT_WRITE                        -0x6880  /**< Connection requires a write call. */
00121 #define MBEDTLS_ERR_SSL_TIMEOUT                           -0x6800  /**< The operation timed out. */
00122 #define MBEDTLS_ERR_SSL_CLIENT_RECONNECT                  -0x6780  /**< The client initiated a reconnect from the same port. */
00123 #define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD                 -0x6700  /**< Record header looks valid but is not expected. */
00124 #define MBEDTLS_ERR_SSL_NON_FATAL                         -0x6680  /**< The alert message received indicates a non-fatal error. */
00125 #define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH               -0x6600  /**< Couldn't set the hash for verifying CertificateVerify */
00126 #define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING               -0x6580  /**< Internal-only message signaling that further message-processing should be done */
00127 #define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS                 -0x6500  /**< The asynchronous operation is not completed yet. */
00128 #define MBEDTLS_ERR_SSL_EARLY_MESSAGE                     -0x6480  /**< Internal-only message signaling that a message arrived early. */
00129 #define MBEDTLS_ERR_SSL_UNEXPECTED_CID                    -0x6000  /**< An encrypted DTLS-frame with an unexpected CID was received. */
00130 #define MBEDTLS_ERR_SSL_VERSION_MISMATCH                  -0x5F00  /**< An operation failed due to an unexpected version or configuration. */
00131 #define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS                -0x7000  /**< A cryptographic operation is in progress. Try again later. */
00132 
00133 /*
00134  * Various constants
00135  */
00136 #define MBEDTLS_SSL_MAJOR_VERSION_3             3
00137 #define MBEDTLS_SSL_MINOR_VERSION_0             0   /*!< SSL v3.0 */
00138 #define MBEDTLS_SSL_MINOR_VERSION_1             1   /*!< TLS v1.0 */
00139 #define MBEDTLS_SSL_MINOR_VERSION_2             2   /*!< TLS v1.1 */
00140 #define MBEDTLS_SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
00141 
00142 #define MBEDTLS_SSL_TRANSPORT_STREAM            0   /*!< TLS      */
00143 #define MBEDTLS_SSL_TRANSPORT_DATAGRAM          1   /*!< DTLS     */
00144 
00145 #define MBEDTLS_SSL_MAX_HOST_NAME_LEN           255 /*!< Maximum host name defined in RFC 1035 */
00146 
00147 /* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
00148  * NONE must be zero so that memset()ing structure to zero works */
00149 #define MBEDTLS_SSL_MAX_FRAG_LEN_NONE           0   /*!< don't use this extension   */
00150 #define MBEDTLS_SSL_MAX_FRAG_LEN_512            1   /*!< MaxFragmentLength 2^9      */
00151 #define MBEDTLS_SSL_MAX_FRAG_LEN_1024           2   /*!< MaxFragmentLength 2^10     */
00152 #define MBEDTLS_SSL_MAX_FRAG_LEN_2048           3   /*!< MaxFragmentLength 2^11     */
00153 #define MBEDTLS_SSL_MAX_FRAG_LEN_4096           4   /*!< MaxFragmentLength 2^12     */
00154 #define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID        5   /*!< first invalid value        */
00155 
00156 #define MBEDTLS_SSL_IS_CLIENT                   0
00157 #define MBEDTLS_SSL_IS_SERVER                   1
00158 
00159 #define MBEDTLS_SSL_IS_NOT_FALLBACK             0
00160 #define MBEDTLS_SSL_IS_FALLBACK                 1
00161 
00162 #define MBEDTLS_SSL_EXTENDED_MS_DISABLED        0
00163 #define MBEDTLS_SSL_EXTENDED_MS_ENABLED         1
00164 
00165 #define MBEDTLS_SSL_CID_DISABLED                0
00166 #define MBEDTLS_SSL_CID_ENABLED                 1
00167 
00168 #define MBEDTLS_SSL_ETM_DISABLED                0
00169 #define MBEDTLS_SSL_ETM_ENABLED                 1
00170 
00171 #define MBEDTLS_SSL_COMPRESS_NULL               0
00172 #define MBEDTLS_SSL_COMPRESS_DEFLATE            1
00173 
00174 #define MBEDTLS_SSL_VERIFY_NONE                 0
00175 #define MBEDTLS_SSL_VERIFY_OPTIONAL             1
00176 #define MBEDTLS_SSL_VERIFY_REQUIRED             2
00177 #define MBEDTLS_SSL_VERIFY_UNSET                3 /* Used only for sni_authmode */
00178 
00179 #define MBEDTLS_SSL_LEGACY_RENEGOTIATION        0
00180 #define MBEDTLS_SSL_SECURE_RENEGOTIATION        1
00181 
00182 #define MBEDTLS_SSL_RENEGOTIATION_DISABLED      0
00183 #define MBEDTLS_SSL_RENEGOTIATION_ENABLED       1
00184 
00185 #define MBEDTLS_SSL_ANTI_REPLAY_DISABLED        0
00186 #define MBEDTLS_SSL_ANTI_REPLAY_ENABLED         1
00187 
00188 #define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED  -1
00189 #define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT  16
00190 
00191 #define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION     0
00192 #define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION  1
00193 #define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE      2
00194 
00195 #define MBEDTLS_SSL_TRUNC_HMAC_DISABLED         0
00196 #define MBEDTLS_SSL_TRUNC_HMAC_ENABLED          1
00197 #define MBEDTLS_SSL_TRUNCATED_HMAC_LEN          10  /* 80 bits, rfc 6066 section 7 */
00198 
00199 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
00200 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1
00201 
00202 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED    0
00203 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED     1
00204 
00205 #define MBEDTLS_SSL_ARC4_ENABLED                0
00206 #define MBEDTLS_SSL_ARC4_DISABLED               1
00207 
00208 #define MBEDTLS_SSL_PRESET_DEFAULT              0
00209 #define MBEDTLS_SSL_PRESET_SUITEB               2
00210 
00211 #define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED       1
00212 #define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED      0
00213 
00214 /*
00215  * Default range for DTLS retransmission timer value, in milliseconds.
00216  * RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
00217  */
00218 #define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN    1000
00219 #define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX   60000
00220 
00221 /**
00222  * \name SECTION: Module settings
00223  *
00224  * The configuration options you can set for this module are in this section.
00225  * Either change them in config.h or define them on the compiler command line.
00226  * \{
00227  */
00228 
00229 #if !defined(MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME)
00230 #define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
00231 #endif
00232 
00233 /*
00234  * Maximum fragment length in bytes,
00235  * determines the size of each of the two internal I/O buffers.
00236  *
00237  * Note: the RFC defines the default size of SSL / TLS messages. If you
00238  * change the value here, other clients / servers may not be able to
00239  * communicate with you anymore. Only change this value if you control
00240  * both sides of the connection and have it reduced at both sides, or
00241  * if you're using the Max Fragment Length extension and you know all your
00242  * peers are using it too!
00243  */
00244 #if !defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
00245 #define MBEDTLS_SSL_MAX_CONTENT_LEN         16384   /**< Size of the input / output buffer */
00246 #endif
00247 
00248 #if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
00249 #define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
00250 #endif
00251 
00252 #if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
00253 #define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
00254 #endif
00255 
00256 /*
00257  * Maximum number of heap-allocated bytes for the purpose of
00258  * DTLS handshake message reassembly and future message buffering.
00259  */
00260 #if !defined(MBEDTLS_SSL_DTLS_MAX_BUFFERING)
00261 #define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
00262 #endif
00263 
00264 /*
00265  * Maximum length of CIDs for incoming and outgoing messages.
00266  */
00267 #if !defined(MBEDTLS_SSL_CID_IN_LEN_MAX)
00268 #define MBEDTLS_SSL_CID_IN_LEN_MAX          32
00269 #endif
00270 
00271 #if !defined(MBEDTLS_SSL_CID_OUT_LEN_MAX)
00272 #define MBEDTLS_SSL_CID_OUT_LEN_MAX         32
00273 #endif
00274 
00275 #if !defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY)
00276 #define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
00277 #endif
00278 
00279 /* \} name SECTION: Module settings */
00280 
00281 /*
00282  * Length of the verify data for secure renegotiation
00283  */
00284 #if defined(MBEDTLS_SSL_PROTO_SSL3)
00285 #define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 36
00286 #else
00287 #define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 12
00288 #endif
00289 
00290 /*
00291  * Signaling ciphersuite values (SCSV)
00292  */
00293 #define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */
00294 #define MBEDTLS_SSL_FALLBACK_SCSV_VALUE         0x5600 /**< RFC 7507 section 2 */
00295 
00296 /*
00297  * Supported Signature and Hash algorithms (For TLS 1.2)
00298  * RFC 5246 section 7.4.1.4.1
00299  */
00300 #define MBEDTLS_SSL_HASH_NONE                0
00301 #define MBEDTLS_SSL_HASH_MD5                 1
00302 #define MBEDTLS_SSL_HASH_SHA1                2
00303 #define MBEDTLS_SSL_HASH_SHA224              3
00304 #define MBEDTLS_SSL_HASH_SHA256              4
00305 #define MBEDTLS_SSL_HASH_SHA384              5
00306 #define MBEDTLS_SSL_HASH_SHA512              6
00307 
00308 #define MBEDTLS_SSL_SIG_ANON                 0
00309 #define MBEDTLS_SSL_SIG_RSA                  1
00310 #define MBEDTLS_SSL_SIG_ECDSA                3
00311 
00312 /*
00313  * Client Certificate Types
00314  * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
00315  */
00316 #define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN       1
00317 #define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN    64
00318 
00319 /*
00320  * Message, alert and handshake types
00321  */
00322 #define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC     20
00323 #define MBEDTLS_SSL_MSG_ALERT                  21
00324 #define MBEDTLS_SSL_MSG_HANDSHAKE              22
00325 #define MBEDTLS_SSL_MSG_APPLICATION_DATA       23
00326 #define MBEDTLS_SSL_MSG_CID                    25
00327 
00328 #define MBEDTLS_SSL_ALERT_LEVEL_WARNING         1
00329 #define MBEDTLS_SSL_ALERT_LEVEL_FATAL           2
00330 
00331 #define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY           0  /* 0x00 */
00332 #define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE    10  /* 0x0A */
00333 #define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC        20  /* 0x14 */
00334 #define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED     21  /* 0x15 */
00335 #define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW       22  /* 0x16 */
00336 #define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30  /* 0x1E */
00337 #define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE     40  /* 0x28 */
00338 #define MBEDTLS_SSL_ALERT_MSG_NO_CERT               41  /* 0x29 */
00339 #define MBEDTLS_SSL_ALERT_MSG_BAD_CERT              42  /* 0x2A */
00340 #define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT      43  /* 0x2B */
00341 #define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED          44  /* 0x2C */
00342 #define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED          45  /* 0x2D */
00343 #define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN          46  /* 0x2E */
00344 #define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER     47  /* 0x2F */
00345 #define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA            48  /* 0x30 */
00346 #define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED         49  /* 0x31 */
00347 #define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR          50  /* 0x32 */
00348 #define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR         51  /* 0x33 */
00349 #define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION    60  /* 0x3C */
00350 #define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION      70  /* 0x46 */
00351 #define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71  /* 0x47 */
00352 #define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR        80  /* 0x50 */
00353 #define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86  /* 0x56 */
00354 #define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED         90  /* 0x5A */
00355 #define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION     100  /* 0x64 */
00356 #define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT      110  /* 0x6E */
00357 #define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME    112  /* 0x70 */
00358 #define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115  /* 0x73 */
00359 #define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */
00360 
00361 #define MBEDTLS_SSL_HS_HELLO_REQUEST            0
00362 #define MBEDTLS_SSL_HS_CLIENT_HELLO             1
00363 #define MBEDTLS_SSL_HS_SERVER_HELLO             2
00364 #define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST     3
00365 #define MBEDTLS_SSL_HS_NEW_SESSION_TICKET       4
00366 #define MBEDTLS_SSL_HS_CERTIFICATE             11
00367 #define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE     12
00368 #define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST     13
00369 #define MBEDTLS_SSL_HS_SERVER_HELLO_DONE       14
00370 #define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY      15
00371 #define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE     16
00372 #define MBEDTLS_SSL_HS_FINISHED                20
00373 
00374 /*
00375  * TLS extensions
00376  */
00377 #define MBEDTLS_TLS_EXT_SERVERNAME                   0
00378 #define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME          0
00379 
00380 #define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH          1
00381 
00382 #define MBEDTLS_TLS_EXT_TRUNCATED_HMAC               4
00383 
00384 #define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES   10
00385 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS     11
00386 
00387 #define MBEDTLS_TLS_EXT_SIG_ALG                     13
00388 
00389 #define MBEDTLS_TLS_EXT_ALPN                        16
00390 
00391 #define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC            22 /* 0x16 */
00392 #define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET  0x0017 /* 23 */
00393 
00394 #define MBEDTLS_TLS_EXT_SESSION_TICKET              35
00395 
00396 /* The value of the CID extension is still TBD as of
00397  * draft-ietf-tls-dtls-connection-id-05
00398  * (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) */
00399 #define MBEDTLS_TLS_EXT_CID                        254 /* TBD */
00400 
00401 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP               256 /* experimental */
00402 
00403 #define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      0xFF01
00404 
00405 /*
00406  * Size defines
00407  */
00408 #if !defined(MBEDTLS_PSK_MAX_LEN)
00409 #define MBEDTLS_PSK_MAX_LEN            32 /* 256 bits */
00410 #endif
00411 
00412 /* Dummy type used only for its size */
00413 union mbedtls_ssl_premaster_secret
00414 {
00415 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
00416     unsigned char _pms_rsa[48];                         /* RFC 5246 8.1.1 */
00417 #endif
00418 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
00419     unsigned char _pms_dhm[MBEDTLS_MPI_MAX_SIZE];      /* RFC 5246 8.1.2 */
00420 #endif
00421 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)    || \
00422     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)  || \
00423     defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)     || \
00424     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
00425     unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES];    /* RFC 4492 5.10 */
00426 #endif
00427 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
00428     unsigned char _pms_psk[4 + 2 * MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 2 */
00429 #endif
00430 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
00431     unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE
00432                                  + MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 3 */
00433 #endif
00434 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
00435     unsigned char _pms_rsa_psk[52 + MBEDTLS_PSK_MAX_LEN];      /* RFC 4279 4 */
00436 #endif
00437 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
00438     unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES
00439                                    + MBEDTLS_PSK_MAX_LEN];     /* RFC 5489 2 */
00440 #endif
00441 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
00442     unsigned char _pms_ecjpake[32];     /* Thread spec: SHA-256 output */
00443 #endif
00444 };
00445 
00446 #define MBEDTLS_PREMASTER_SIZE     sizeof( union mbedtls_ssl_premaster_secret )
00447 
00448 #ifdef __cplusplus
00449 extern "C" {
00450 #endif
00451 
00452 /*
00453  * SSL state machine
00454  */
00455 typedef enum
00456 {
00457     MBEDTLS_SSL_HELLO_REQUEST,
00458     MBEDTLS_SSL_CLIENT_HELLO,
00459     MBEDTLS_SSL_SERVER_HELLO,
00460     MBEDTLS_SSL_SERVER_CERTIFICATE,
00461     MBEDTLS_SSL_SERVER_KEY_EXCHANGE,
00462     MBEDTLS_SSL_CERTIFICATE_REQUEST,
00463     MBEDTLS_SSL_SERVER_HELLO_DONE,
00464     MBEDTLS_SSL_CLIENT_CERTIFICATE,
00465     MBEDTLS_SSL_CLIENT_KEY_EXCHANGE,
00466     MBEDTLS_SSL_CERTIFICATE_VERIFY,
00467     MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC,
00468     MBEDTLS_SSL_CLIENT_FINISHED,
00469     MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC,
00470     MBEDTLS_SSL_SERVER_FINISHED,
00471     MBEDTLS_SSL_FLUSH_BUFFERS,
00472     MBEDTLS_SSL_HANDSHAKE_WRAPUP,
00473     MBEDTLS_SSL_HANDSHAKE_OVER,
00474     MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
00475     MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
00476 }
00477 mbedtls_ssl_states;
00478 
00479 /*
00480  * The tls_prf function types.
00481  */
00482 typedef enum
00483 {
00484    MBEDTLS_SSL_TLS_PRF_NONE,
00485    MBEDTLS_SSL_TLS_PRF_SSL3,
00486    MBEDTLS_SSL_TLS_PRF_TLS1,
00487    MBEDTLS_SSL_TLS_PRF_SHA384,
00488    MBEDTLS_SSL_TLS_PRF_SHA256
00489 }
00490 mbedtls_tls_prf_types;
00491 /**
00492  * \brief          Callback type: send data on the network.
00493  *
00494  * \note           That callback may be either blocking or non-blocking.
00495  *
00496  * \param ctx      Context for the send callback (typically a file descriptor)
00497  * \param buf      Buffer holding the data to send
00498  * \param len      Length of the data to send
00499  *
00500  * \return         The callback must return the number of bytes sent if any,
00501  *                 or a non-zero error code.
00502  *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_WRITE
00503  *                 must be returned when the operation would block.
00504  *
00505  * \note           The callback is allowed to send fewer bytes than requested.
00506  *                 It must always return the number of bytes actually sent.
00507  */
00508 typedef int mbedtls_ssl_send_t( void *ctx,
00509                                 const unsigned char *buf,
00510                                 size_t len );
00511 
00512 /**
00513  * \brief          Callback type: receive data from the network.
00514  *
00515  * \note           That callback may be either blocking or non-blocking.
00516  *
00517  * \param ctx      Context for the receive callback (typically a file
00518  *                 descriptor)
00519  * \param buf      Buffer to write the received data to
00520  * \param len      Length of the receive buffer
00521  *
00522  * \return         The callback must return the number of bytes received,
00523  *                 or a non-zero error code.
00524  *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
00525  *                 must be returned when the operation would block.
00526  *
00527  * \note           The callback may receive fewer bytes than the length of the
00528  *                 buffer. It must always return the number of bytes actually
00529  *                 received and written to the buffer.
00530  */
00531 typedef int mbedtls_ssl_recv_t( void *ctx,
00532                                 unsigned char *buf,
00533                                 size_t len );
00534 
00535 /**
00536  * \brief          Callback type: receive data from the network, with timeout
00537  *
00538  * \note           That callback must block until data is received, or the
00539  *                 timeout delay expires, or the operation is interrupted by a
00540  *                 signal.
00541  *
00542  * \param ctx      Context for the receive callback (typically a file descriptor)
00543  * \param buf      Buffer to write the received data to
00544  * \param len      Length of the receive buffer
00545  * \param timeout  Maximum nomber of millisecondes to wait for data
00546  *                 0 means no timeout (potentially waiting forever)
00547  *
00548  * \return         The callback must return the number of bytes received,
00549  *                 or a non-zero error code:
00550  *                 \c MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
00551  *                 \c MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
00552  *
00553  * \note           The callback may receive fewer bytes than the length of the
00554  *                 buffer. It must always return the number of bytes actually
00555  *                 received and written to the buffer.
00556  */
00557 typedef int mbedtls_ssl_recv_timeout_t( void *ctx,
00558                                         unsigned char *buf,
00559                                         size_t len,
00560                                         uint32_t timeout );
00561 /**
00562  * \brief          Callback type: set a pair of timers/delays to watch
00563  *
00564  * \param ctx      Context pointer
00565  * \param int_ms   Intermediate delay in milliseconds
00566  * \param fin_ms   Final delay in milliseconds
00567  *                 0 cancels the current timer.
00568  *
00569  * \note           This callback must at least store the necessary information
00570  *                 for the associated \c mbedtls_ssl_get_timer_t callback to
00571  *                 return correct information.
00572  *
00573  * \note           If using a event-driven style of programming, an event must
00574  *                 be generated when the final delay is passed. The event must
00575  *                 cause a call to \c mbedtls_ssl_handshake() with the proper
00576  *                 SSL context to be scheduled. Care must be taken to ensure
00577  *                 that at most one such call happens at a time.
00578  *
00579  * \note           Only one timer at a time must be running. Calling this
00580  *                 function while a timer is running must cancel it. Cancelled
00581  *                 timers must not generate any event.
00582  */
00583 typedef void mbedtls_ssl_set_timer_t( void * ctx,
00584                                       uint32_t int_ms,
00585                                       uint32_t fin_ms );
00586 
00587 /**
00588  * \brief          Callback type: get status of timers/delays
00589  *
00590  * \param ctx      Context pointer
00591  *
00592  * \return         This callback must return:
00593  *                 -1 if cancelled (fin_ms == 0),
00594  *                  0 if none of the delays have passed,
00595  *                  1 if only the intermediate delay has passed,
00596  *                  2 if the final delay has passed.
00597  */
00598 typedef int mbedtls_ssl_get_timer_t( void * ctx );
00599 
00600 /* Defined below */
00601 typedef struct mbedtls_ssl_session mbedtls_ssl_session;
00602 typedef struct mbedtls_ssl_context mbedtls_ssl_context;
00603 typedef struct mbedtls_ssl_config  mbedtls_ssl_config;
00604 
00605 /* Defined in ssl_internal.h */
00606 typedef struct mbedtls_ssl_transform mbedtls_ssl_transform;
00607 typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params;
00608 typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t;
00609 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00610 typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
00611 #endif
00612 #if defined(MBEDTLS_SSL_PROTO_DTLS)
00613 typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
00614 #endif
00615 
00616 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
00617 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00618 /**
00619  * \brief           Callback type: start external signature operation.
00620  *
00621  *                  This callback is called during an SSL handshake to start
00622  *                  a signature decryption operation using an
00623  *                  external processor. The parameter \p cert contains
00624  *                  the public key; it is up to the callback function to
00625  *                  determine how to access the associated private key.
00626  *
00627  *                  This function typically sends or enqueues a request, and
00628  *                  does not wait for the operation to complete. This allows
00629  *                  the handshake step to be non-blocking.
00630  *
00631  *                  The parameters \p ssl and \p cert are guaranteed to remain
00632  *                  valid throughout the handshake. On the other hand, this
00633  *                  function must save the contents of \p hash if the value
00634  *                  is needed for later processing, because the \p hash buffer
00635  *                  is no longer valid after this function returns.
00636  *
00637  *                  This function may call mbedtls_ssl_set_async_operation_data()
00638  *                  to store an operation context for later retrieval
00639  *                  by the resume or cancel callback.
00640  *
00641  * \note            For RSA signatures, this function must produce output
00642  *                  that is consistent with PKCS#1 v1.5 in the same way as
00643  *                  mbedtls_rsa_pkcs1_sign(). Before the private key operation,
00644  *                  apply the padding steps described in RFC 8017, section 9.2
00645  *                  "EMSA-PKCS1-v1_5" as follows.
00646  *                  - If \p md_alg is #MBEDTLS_MD_NONE, apply the PKCS#1 v1.5
00647  *                    encoding, treating \p hash as the DigestInfo to be
00648  *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
00649  *                    from step 3, with `T = hash` and `tLen = hash_len`.
00650  *                  - If `md_alg != MBEDTLS_MD_NONE`, apply the PKCS#1 v1.5
00651  *                    encoding, treating \p hash as the hash to be encoded and
00652  *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
00653  *                    from step 2, with `digestAlgorithm` obtained by calling
00654  *                    mbedtls_oid_get_oid_by_md() on \p md_alg.
00655  *
00656  * \note            For ECDSA signatures, the output format is the DER encoding
00657  *                  `Ecdsa-Sig-Value` defined in
00658  *                  [RFC 4492 section 5.4](https://tools.ietf.org/html/rfc4492#section-5.4).
00659  *
00660  * \param ssl             The SSL connection instance. It should not be
00661  *                        modified other than via
00662  *                        mbedtls_ssl_set_async_operation_data().
00663  * \param cert            Certificate containing the public key.
00664  *                        In simple cases, this is one of the pointers passed to
00665  *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
00666  *                        connection. However, if other callbacks are used, this
00667  *                        property may not hold. For example, if an SNI callback
00668  *                        is registered with mbedtls_ssl_conf_sni(), then
00669  *                        this callback determines what certificate is used.
00670  * \param md_alg          Hash algorithm.
00671  * \param hash            Buffer containing the hash. This buffer is
00672  *                        no longer valid when the function returns.
00673  * \param hash_len        Size of the \c hash buffer in bytes.
00674  *
00675  * \return          0 if the operation was started successfully and the SSL
00676  *                  stack should call the resume callback immediately.
00677  * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
00678  *                  was started successfully and the SSL stack should return
00679  *                  immediately without calling the resume callback yet.
00680  * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
00681  *                  processor does not support this key. The SSL stack will
00682  *                  use the private key object instead.
00683  * \return          Any other error indicates a fatal failure and is
00684  *                  propagated up the call chain. The callback should
00685  *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
00686  *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
00687  *                  directed in the documentation of this callback.
00688  */
00689 typedef int mbedtls_ssl_async_sign_t( mbedtls_ssl_context *ssl,
00690                                       mbedtls_x509_crt *cert,
00691                                       mbedtls_md_type_t md_alg,
00692                                       const unsigned char *hash,
00693                                       size_t hash_len );
00694 
00695 /**
00696  * \brief           Callback type: start external decryption operation.
00697  *
00698  *                  This callback is called during an SSL handshake to start
00699  *                  an RSA decryption operation using an
00700  *                  external processor. The parameter \p cert contains
00701  *                  the public key; it is up to the callback function to
00702  *                  determine how to access the associated private key.
00703  *
00704  *                  This function typically sends or enqueues a request, and
00705  *                  does not wait for the operation to complete. This allows
00706  *                  the handshake step to be non-blocking.
00707  *
00708  *                  The parameters \p ssl and \p cert are guaranteed to remain
00709  *                  valid throughout the handshake. On the other hand, this
00710  *                  function must save the contents of \p input if the value
00711  *                  is needed for later processing, because the \p input buffer
00712  *                  is no longer valid after this function returns.
00713  *
00714  *                  This function may call mbedtls_ssl_set_async_operation_data()
00715  *                  to store an operation context for later retrieval
00716  *                  by the resume or cancel callback.
00717  *
00718  * \warning         RSA decryption as used in TLS is subject to a potential
00719  *                  timing side channel attack first discovered by Bleichenbacher
00720  *                  in 1998. This attack can be remotely exploitable
00721  *                  in practice. To avoid this attack, you must ensure that
00722  *                  if the callback performs an RSA decryption, the time it
00723  *                  takes to execute and return the result does not depend
00724  *                  on whether the RSA decryption succeeded or reported
00725  *                  invalid padding.
00726  *
00727  * \param ssl             The SSL connection instance. It should not be
00728  *                        modified other than via
00729  *                        mbedtls_ssl_set_async_operation_data().
00730  * \param cert            Certificate containing the public key.
00731  *                        In simple cases, this is one of the pointers passed to
00732  *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
00733  *                        connection. However, if other callbacks are used, this
00734  *                        property may not hold. For example, if an SNI callback
00735  *                        is registered with mbedtls_ssl_conf_sni(), then
00736  *                        this callback determines what certificate is used.
00737  * \param input           Buffer containing the input ciphertext. This buffer
00738  *                        is no longer valid when the function returns.
00739  * \param input_len       Size of the \p input buffer in bytes.
00740  *
00741  * \return          0 if the operation was started successfully and the SSL
00742  *                  stack should call the resume callback immediately.
00743  * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
00744  *                  was started successfully and the SSL stack should return
00745  *                  immediately without calling the resume callback yet.
00746  * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
00747  *                  processor does not support this key. The SSL stack will
00748  *                  use the private key object instead.
00749  * \return          Any other error indicates a fatal failure and is
00750  *                  propagated up the call chain. The callback should
00751  *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
00752  *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
00753  *                  directed in the documentation of this callback.
00754  */
00755 typedef int mbedtls_ssl_async_decrypt_t( mbedtls_ssl_context *ssl,
00756                                          mbedtls_x509_crt *cert,
00757                                          const unsigned char *input,
00758                                          size_t input_len );
00759 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00760 
00761 /**
00762  * \brief           Callback type: resume external operation.
00763  *
00764  *                  This callback is called during an SSL handshake to resume
00765  *                  an external operation started by the
00766  *                  ::mbedtls_ssl_async_sign_t or
00767  *                  ::mbedtls_ssl_async_decrypt_t callback.
00768  *
00769  *                  This function typically checks the status of a pending
00770  *                  request or causes the request queue to make progress, and
00771  *                  does not wait for the operation to complete. This allows
00772  *                  the handshake step to be non-blocking.
00773  *
00774  *                  This function may call mbedtls_ssl_get_async_operation_data()
00775  *                  to retrieve an operation context set by the start callback.
00776  *                  It may call mbedtls_ssl_set_async_operation_data() to modify
00777  *                  this context.
00778  *
00779  *                  Note that when this function returns a status other than
00780  *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it must free any
00781  *                  resources associated with the operation.
00782  *
00783  * \param ssl             The SSL connection instance. It should not be
00784  *                        modified other than via
00785  *                        mbedtls_ssl_set_async_operation_data().
00786  * \param output          Buffer containing the output (signature or decrypted
00787  *                        data) on success.
00788  * \param output_len      On success, number of bytes written to \p output.
00789  * \param output_size     Size of the \p output buffer in bytes.
00790  *
00791  * \return          0 if output of the operation is available in the
00792  *                  \p output buffer.
00793  * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
00794  *                  is still in progress. Subsequent requests for progress
00795  *                  on the SSL connection will call the resume callback
00796  *                  again.
00797  * \return          Any other error means that the operation is aborted.
00798  *                  The SSL handshake is aborted. The callback should
00799  *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
00800  *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
00801  *                  directed in the documentation of this callback.
00802  */
00803 typedef int mbedtls_ssl_async_resume_t( mbedtls_ssl_context *ssl,
00804                                         unsigned char *output,
00805                                         size_t *output_len,
00806                                         size_t output_size );
00807 
00808 /**
00809  * \brief           Callback type: cancel external operation.
00810  *
00811  *                  This callback is called if an SSL connection is closed
00812  *                  while an asynchronous operation is in progress. Note that
00813  *                  this callback is not called if the
00814  *                  ::mbedtls_ssl_async_resume_t callback has run and has
00815  *                  returned a value other than
00816  *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, since in that case
00817  *                  the asynchronous operation has already completed.
00818  *
00819  *                  This function may call mbedtls_ssl_get_async_operation_data()
00820  *                  to retrieve an operation context set by the start callback.
00821  *
00822  * \param ssl             The SSL connection instance. It should not be
00823  *                        modified.
00824  */
00825 typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl );
00826 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
00827 
00828 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) &&        \
00829     !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
00830 #define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN  48
00831 #if defined(MBEDTLS_SHA256_C)
00832 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256
00833 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  32
00834 #elif defined(MBEDTLS_SHA512_C)
00835 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA384
00836 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  48
00837 #elif defined(MBEDTLS_SHA1_C)
00838 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA1
00839 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  20
00840 #else
00841 /* This is already checked in check_config.h, but be sure. */
00842 #error "Bad configuration - need SHA-1, SHA-256 or SHA-512 enabled to compute digest of peer CRT."
00843 #endif
00844 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED &&
00845           !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
00846 
00847 /*
00848  * This structure is used for storing current session data.
00849  *
00850  * Note: when changing this definition, we need to check and update:
00851  *  - in tests/suites/test_suite_ssl.function:
00852  *      ssl_populate_session() and ssl_serialize_session_save_load()
00853  *  - in library/ssl_tls.c:
00854  *      mbedtls_ssl_session_init() and mbedtls_ssl_session_free()
00855  *      mbedtls_ssl_session_save() and ssl_session_load()
00856  *      ssl_session_copy()
00857  */
00858 struct mbedtls_ssl_session
00859 {
00860 #if defined(MBEDTLS_HAVE_TIME)
00861     mbedtls_time_t start;       /*!< starting time      */
00862 #endif
00863     int ciphersuite;            /*!< chosen ciphersuite */
00864     int compression;            /*!< chosen compression */
00865     size_t id_len;              /*!< session id length  */
00866     unsigned char id[32];       /*!< session identifier */
00867     unsigned char master[48];   /*!< the master secret  */
00868 
00869 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00870 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
00871     mbedtls_x509_crt *peer_cert;       /*!< peer X.509 cert chain */
00872 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
00873     /*! The digest of the peer's end-CRT. This must be kept to detect CRT
00874      *  changes during renegotiation, mitigating the triple handshake attack. */
00875     unsigned char *peer_cert_digest;
00876     size_t peer_cert_digest_len;
00877     mbedtls_md_type_t peer_cert_digest_type;
00878 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
00879 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00880     uint32_t verify_result;          /*!<  verification result     */
00881 
00882 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
00883     unsigned char *ticket;      /*!< RFC 5077 session ticket */
00884     size_t ticket_len;          /*!< session ticket length   */
00885     uint32_t ticket_lifetime;   /*!< ticket lifetime hint    */
00886 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
00887 
00888 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
00889     unsigned char mfl_code;     /*!< MaxFragmentLength negotiated by peer */
00890 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
00891 
00892 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
00893     int trunc_hmac;             /*!< flag for truncated hmac activation   */
00894 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
00895 
00896 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
00897     int encrypt_then_mac;       /*!< flag for EtM activation                */
00898 #endif
00899 };
00900 
00901 /**
00902  * SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
00903  */
00904 struct mbedtls_ssl_config
00905 {
00906     /* Group items by size (largest first) to minimize padding overhead */
00907 
00908     /*
00909      * Pointers
00910      */
00911 
00912     const int *ciphersuite_list [4]; /*!< allowed ciphersuites per version   */
00913 
00914     /** Callback for printing debug output                                  */
00915     void (*f_dbg)(void *, int, const char *, int, const char *);
00916     void *p_dbg ;                    /*!< context for the debug function     */
00917 
00918     /** Callback for getting (pseudo-)random numbers                        */
00919     int  (*f_rng)(void *, unsigned char *, size_t);
00920     void *p_rng ;                    /*!< context for the RNG function       */
00921 
00922     /** Callback to retrieve a session from the cache                       */
00923     int (*f_get_cache)(void *, mbedtls_ssl_session *);
00924     /** Callback to store a session into the cache                          */
00925     int (*f_set_cache)(void *, const mbedtls_ssl_session *);
00926     void *p_cache ;                  /*!< context for cache callbacks        */
00927 
00928 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
00929     /** Callback for setting cert according to SNI extension                */
00930     int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
00931     void *p_sni ;                    /*!< context for SNI callback           */
00932 #endif
00933 
00934 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00935     /** Callback to customize X.509 certificate chain verification          */
00936     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
00937     void *p_vrfy ;                   /*!< context for X.509 verify calllback */
00938 #endif
00939 
00940 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
00941     /** Callback to retrieve PSK key from identity                          */
00942     int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
00943     void *p_psk ;                    /*!< context for PSK callback           */
00944 #endif
00945 
00946 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
00947     /** Callback to create & write a cookie for ClientHello veirifcation    */
00948     int (*f_cookie_write)( void *, unsigned char **, unsigned char *,
00949                            const unsigned char *, size_t );
00950     /** Callback to verify validity of a ClientHello cookie                 */
00951     int (*f_cookie_check)( void *, const unsigned char *, size_t,
00952                            const unsigned char *, size_t );
00953     void *p_cookie ;                 /*!< context for the cookie callbacks   */
00954 #endif
00955 
00956 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
00957     /** Callback to create & write a session ticket                         */
00958     int (*f_ticket_write)( void *, const mbedtls_ssl_session *,
00959             unsigned char *, const unsigned char *, size_t *, uint32_t * );
00960     /** Callback to parse a session ticket into a session structure         */
00961     int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t);
00962     void *p_ticket ;                 /*!< context for the ticket callbacks   */
00963 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
00964 
00965 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
00966     /** Callback to export key block and master secret                      */
00967     int (*f_export_keys)( void *, const unsigned char *,
00968             const unsigned char *, size_t, size_t, size_t );
00969     /** Callback to export key block, master secret,
00970      *  tls_prf and random bytes. Should replace f_export_keys    */
00971     int (*f_export_keys_ext)( void *, const unsigned char *,
00972                 const unsigned char *, size_t, size_t, size_t,
00973                 const unsigned char[32], const unsigned char[32],
00974                 mbedtls_tls_prf_types );
00975     void *p_export_keys ;            /*!< context for key export callback    */
00976 #endif
00977 
00978 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
00979     size_t cid_len ; /*!< The length of CIDs for incoming DTLS records.      */
00980 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
00981 
00982 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00983     const mbedtls_x509_crt_profile *cert_profile ; /*!< verification profile */
00984     mbedtls_ssl_key_cert *key_cert ; /*!< own certificate/key pair(s)        */
00985     mbedtls_x509_crt *ca_chain ;     /*!< trusted CAs                        */
00986     mbedtls_x509_crl *ca_crl ;       /*!< trusted CAs CRLs                   */
00987 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
00988     mbedtls_x509_crt_ca_cb_t f_ca_cb;
00989     void *p_ca_cb;
00990 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
00991 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00992 
00993 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
00994 #if defined(MBEDTLS_X509_CRT_PARSE_C)
00995     mbedtls_ssl_async_sign_t *f_async_sign_start ; /*!< start asynchronous signature operation */
00996     mbedtls_ssl_async_decrypt_t *f_async_decrypt_start ; /*!< start asynchronous decryption operation */
00997 #endif /* MBEDTLS_X509_CRT_PARSE_C */
00998     mbedtls_ssl_async_resume_t *f_async_resume ; /*!< resume asynchronous operation */
00999     mbedtls_ssl_async_cancel_t *f_async_cancel ; /*!< cancel asynchronous operation */
01000     void *p_async_config_data ; /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */
01001 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
01002 
01003 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
01004     const int *sig_hashes ;          /*!< allowed signature hashes           */
01005 #endif
01006 
01007 #if defined(MBEDTLS_ECP_C)
01008     const mbedtls_ecp_group_id *curve_list ; /*!< allowed curves             */
01009 #endif
01010 
01011 #if defined(MBEDTLS_DHM_C)
01012     mbedtls_mpi dhm_P ;              /*!< prime modulus for DHM              */
01013     mbedtls_mpi dhm_G ;              /*!< generator for DHM                  */
01014 #endif
01015 
01016 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
01017 
01018 #if defined(MBEDTLS_USE_PSA_CRYPTO)
01019     psa_key_handle_t psk_opaque ; /*!< PSA key slot holding opaque PSK.
01020                                   *   This field should only be set via
01021                                   *   mbedtls_ssl_conf_psk_opaque().
01022                                   *   If either no PSK or a raw PSK have
01023                                   *   been configured, this has value \c 0. */
01024 #endif /* MBEDTLS_USE_PSA_CRYPTO */
01025 
01026     unsigned char *psk ;      /*!< The raw pre-shared key. This field should
01027                               *   only be set via mbedtls_ssl_conf_psk().
01028                               *   If either no PSK or an opaque PSK
01029                               *   have been configured, this has value NULL. */
01030     size_t         psk_len ;  /*!< The length of the raw pre-shared key.
01031                               *   This field should only be set via
01032                               *   mbedtls_ssl_conf_psk().
01033                               *   Its value is non-zero if and only if
01034                               *   \c psk is not \c NULL. */
01035 
01036     unsigned char *psk_identity ;    /*!< The PSK identity for PSK negotiation.
01037                                      *   This field should only be set via
01038                                      *   mbedtls_ssl_conf_psk().
01039                                      *   This is set if and only if either
01040                                      *   \c psk or \c psk_opaque are set. */
01041     size_t         psk_identity_len ;/*!< The length of PSK identity.
01042                                      *   This field should only be set via
01043                                      *   mbedtls_ssl_conf_psk().
01044                                      *   Its value is non-zero if and only if
01045                                      *   \c psk is not \c NULL or \c psk_opaque
01046                                      *   is not \c 0. */
01047 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
01048 
01049 #if defined(MBEDTLS_SSL_ALPN)
01050     const char **alpn_list ;         /*!< ordered list of protocols          */
01051 #endif
01052 
01053     /*
01054      * Numerical settings (int then char)
01055      */
01056 
01057     uint32_t read_timeout ;          /*!< timeout for mbedtls_ssl_read (ms)  */
01058 
01059 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01060     uint32_t hs_timeout_min ;        /*!< initial value of the handshake
01061                                          retransmission timeout (ms)        */
01062     uint32_t hs_timeout_max ;        /*!< maximum value of the handshake
01063                                          retransmission timeout (ms)        */
01064 #endif
01065 
01066 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01067     int renego_max_records ;         /*!< grace period for renegotiation     */
01068     unsigned char renego_period [8]; /*!< value of the record counters
01069                                          that triggers renegotiation        */
01070 #endif
01071 
01072 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
01073     unsigned int badmac_limit ;      /*!< limit of records with a bad MAC    */
01074 #endif
01075 
01076 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
01077     unsigned int dhm_min_bitlen ;    /*!< min. bit length of the DHM prime   */
01078 #endif
01079 
01080     unsigned char max_major_ver ;    /*!< max. major version used            */
01081     unsigned char max_minor_ver ;    /*!< max. minor version used            */
01082     unsigned char min_major_ver ;    /*!< min. major version used            */
01083     unsigned char min_minor_ver ;    /*!< min. minor version used            */
01084 
01085     /*
01086      * Flags (bitfields)
01087      */
01088 
01089     unsigned int endpoint  : 1;      /*!< 0: client, 1: server               */
01090     unsigned int transport  : 1;     /*!< stream (TLS) or datagram (DTLS)    */
01091     unsigned int authmode  : 2;      /*!< MBEDTLS_SSL_VERIFY_XXX             */
01092     /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE          */
01093     unsigned int allow_legacy_renegotiation  : 2 ; /*!< MBEDTLS_LEGACY_XXX   */
01094 #if defined(MBEDTLS_ARC4_C)
01095     unsigned int arc4_disabled  : 1; /*!< blacklist RC4 ciphersuites?        */
01096 #endif
01097 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
01098     unsigned int mfl_code  : 3;      /*!< desired fragment length            */
01099 #endif
01100 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
01101     unsigned int encrypt_then_mac  : 1 ; /*!< negotiate encrypt-then-mac?    */
01102 #endif
01103 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
01104     unsigned int extended_ms  : 1;   /*!< negotiate extended master secret?  */
01105 #endif
01106 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01107     unsigned int anti_replay  : 1;   /*!< detect and prevent replay?         */
01108 #endif
01109 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
01110     unsigned int cbc_record_splitting  : 1;  /*!< do cbc record splitting    */
01111 #endif
01112 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01113     unsigned int disable_renegotiation  : 1; /*!< disable renegotiation?     */
01114 #endif
01115 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
01116     unsigned int trunc_hmac  : 1;    /*!< negotiate truncated hmac?          */
01117 #endif
01118 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
01119     unsigned int session_tickets  : 1;   /*!< use session tickets?           */
01120 #endif
01121 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
01122     unsigned int fallback  : 1;      /*!< is this a fallback?                */
01123 #endif
01124 #if defined(MBEDTLS_SSL_SRV_C)
01125     unsigned int cert_req_ca_list  : 1;  /*!< enable sending CA list in
01126                                           Certificate Request messages?     */
01127 #endif
01128 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
01129     unsigned int ignore_unexpected_cid  : 1; /*!< Determines whether DTLS
01130                                              *   record with unexpected CID
01131                                              *   should lead to failure.    */
01132 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
01133 };
01134 
01135 
01136 struct mbedtls_ssl_context
01137 {
01138     const mbedtls_ssl_config *conf; /*!< configuration information          */
01139 
01140     /*
01141      * Miscellaneous
01142      */
01143     int state;                  /*!< SSL handshake: current state     */
01144 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01145     int renego_status;          /*!< Initial, in progress, pending?   */
01146     int renego_records_seen;    /*!< Records since renego request, or with DTLS,
01147                                   number of retransmissions of request if
01148                                   renego_max_records is < 0           */
01149 #endif /* MBEDTLS_SSL_RENEGOTIATION */
01150 
01151     int major_ver;              /*!< equal to  MBEDTLS_SSL_MAJOR_VERSION_3    */
01152     int minor_ver;              /*!< either 0 (SSL3) or 1 (TLS1.0)    */
01153 
01154 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
01155     unsigned badmac_seen;       /*!< records with a bad MAC received    */
01156 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
01157 
01158 #if defined(MBEDTLS_X509_CRT_PARSE_C)
01159     /** Callback to customize X.509 certificate chain verification          */
01160     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
01161     void *p_vrfy;                   /*!< context for X.509 verify callback */
01162 #endif
01163 
01164     mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
01165     mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
01166     mbedtls_ssl_recv_timeout_t *f_recv_timeout;
01167                                 /*!< Callback for network receive with timeout */
01168 
01169     void *p_bio;                /*!< context for I/O operations   */
01170 
01171     /*
01172      * Session layer
01173      */
01174     mbedtls_ssl_session *session_in;            /*!<  current session data (in)   */
01175     mbedtls_ssl_session *session_out;           /*!<  current session data (out)  */
01176     mbedtls_ssl_session *session;               /*!<  negotiated session data     */
01177     mbedtls_ssl_session *session_negotiate;     /*!<  session data in negotiation */
01178 
01179     mbedtls_ssl_handshake_params *handshake;    /*!<  params required only during
01180                                               the handshake process        */
01181 
01182     /*
01183      * Record layer transformations
01184      */
01185     mbedtls_ssl_transform *transform_in;        /*!<  current transform params (in)   */
01186     mbedtls_ssl_transform *transform_out;       /*!<  current transform params (in)   */
01187     mbedtls_ssl_transform *transform;           /*!<  negotiated transform params     */
01188     mbedtls_ssl_transform *transform_negotiate; /*!<  transform params in negotiation */
01189 
01190     /*
01191      * Timers
01192      */
01193     void *p_timer;              /*!< context for the timer callbacks */
01194 
01195     mbedtls_ssl_set_timer_t *f_set_timer;       /*!< set timer callback */
01196     mbedtls_ssl_get_timer_t *f_get_timer;       /*!< get timer callback */
01197 
01198     /*
01199      * Record layer (incoming data)
01200      */
01201     unsigned char *in_buf;      /*!< input buffer                     */
01202     unsigned char *in_ctr;      /*!< 64-bit incoming message counter
01203                                      TLS: maintained by us
01204                                      DTLS: read from peer             */
01205     unsigned char *in_hdr;      /*!< start of record header           */
01206 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
01207     unsigned char *in_cid;      /*!< The start of the CID;
01208                                  *   (the end is marked by in_len).   */
01209 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
01210     unsigned char *in_len;      /*!< two-bytes message length field   */
01211     unsigned char *in_iv;       /*!< ivlen-byte IV                    */
01212     unsigned char *in_msg;      /*!< message contents (in_iv+ivlen)   */
01213     unsigned char *in_offt;     /*!< read offset in application data  */
01214 
01215     int in_msgtype;             /*!< record header: message type      */
01216     size_t in_msglen;           /*!< record header: message length    */
01217     size_t in_left;             /*!< amount of data read so far       */
01218 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01219     uint16_t in_epoch;          /*!< DTLS epoch for incoming records  */
01220     size_t next_record_offset;  /*!< offset of the next record in datagram
01221                                      (equal to in_left if none)       */
01222 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01223 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
01224     uint64_t in_window_top;     /*!< last validated record seq_num    */
01225     uint64_t in_window;         /*!< bitmask for replay detection     */
01226 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
01227 
01228     size_t in_hslen;            /*!< current handshake message length,
01229                                      including the handshake header   */
01230     int nb_zero;                /*!< # of 0-length encrypted messages */
01231 
01232     int keep_current_message;   /*!< drop or reuse current message
01233                                      on next call to record layer? */
01234 
01235 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01236     uint8_t disable_datagram_packing;  /*!< Disable packing multiple records
01237                                         *   within a single datagram.  */
01238 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01239 
01240     /*
01241      * Record layer (outgoing data)
01242      */
01243     unsigned char *out_buf;     /*!< output buffer                    */
01244     unsigned char *out_ctr;     /*!< 64-bit outgoing message counter  */
01245     unsigned char *out_hdr;     /*!< start of record header           */
01246 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
01247     unsigned char *out_cid;     /*!< The start of the CID;
01248                                  *   (the end is marked by in_len).   */
01249 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
01250     unsigned char *out_len;     /*!< two-bytes message length field   */
01251     unsigned char *out_iv;      /*!< ivlen-byte IV                    */
01252     unsigned char *out_msg;     /*!< message contents (out_iv+ivlen)  */
01253 
01254     int out_msgtype;            /*!< record header: message type      */
01255     size_t out_msglen;          /*!< record header: message length    */
01256     size_t out_left;            /*!< amount of data not yet written   */
01257 
01258     unsigned char cur_out_ctr[8]; /*!<  Outgoing record sequence  number. */
01259 
01260 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01261     uint16_t mtu;               /*!< path mtu, used to fragment outgoing messages */
01262 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01263 
01264 #if defined(MBEDTLS_ZLIB_SUPPORT)
01265     unsigned char *compress_buf;        /*!<  zlib data buffer        */
01266 #endif /* MBEDTLS_ZLIB_SUPPORT */
01267 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
01268     signed char split_done;     /*!< current record already splitted? */
01269 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
01270 
01271     /*
01272      * PKI layer
01273      */
01274     int client_auth;                    /*!<  flag for client auth.   */
01275 
01276     /*
01277      * User settings
01278      */
01279 #if defined(MBEDTLS_X509_CRT_PARSE_C)
01280     char *hostname;             /*!< expected peer CN for verification
01281                                      (and SNI if available)                 */
01282 #endif /* MBEDTLS_X509_CRT_PARSE_C */
01283 
01284 #if defined(MBEDTLS_SSL_ALPN)
01285     const char *alpn_chosen;    /*!<  negotiated protocol                   */
01286 #endif /* MBEDTLS_SSL_ALPN */
01287 
01288     /*
01289      * Information for DTLS hello verify
01290      */
01291 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
01292     unsigned char  *cli_id;         /*!<  transport-level ID of the client  */
01293     size_t          cli_id_len;     /*!<  length of cli_id                  */
01294 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
01295 
01296     /*
01297      * Secure renegotiation
01298      */
01299     /* needed to know when to send extension on server */
01300     int secure_renegotiation;           /*!<  does peer support legacy or
01301                                               secure renegotiation           */
01302 #if defined(MBEDTLS_SSL_RENEGOTIATION)
01303     size_t verify_data_len;             /*!<  length of verify data stored   */
01304     char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
01305     char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
01306 #endif /* MBEDTLS_SSL_RENEGOTIATION */
01307 
01308 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
01309     /* CID configuration to use in subsequent handshakes. */
01310 
01311     /*! The next incoming CID, chosen by the user and applying to
01312      *  all subsequent handshakes. This may be different from the
01313      *  CID currently used in case the user has re-configured the CID
01314      *  after an initial handshake. */
01315     unsigned char own_cid[ MBEDTLS_SSL_CID_IN_LEN_MAX ];
01316     uint8_t own_cid_len;   /*!< The length of \c own_cid. */
01317     uint8_t negotiate_cid; /*!< This indicates whether the CID extension should
01318                             *   be negotiated in the next handshake or not.
01319                             *   Possible values are #MBEDTLS_SSL_CID_ENABLED
01320                             *   and #MBEDTLS_SSL_CID_DISABLED. */
01321 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
01322 };
01323 
01324 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
01325 
01326 #define MBEDTLS_SSL_CHANNEL_OUTBOUND    0
01327 #define MBEDTLS_SSL_CHANNEL_INBOUND     1
01328 
01329 extern int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
01330                 const unsigned char *key_enc, const unsigned char *key_dec,
01331                 size_t keylen,
01332                 const unsigned char *iv_enc,  const unsigned char *iv_dec,
01333                 size_t ivlen,
01334                 const unsigned char *mac_enc, const unsigned char *mac_dec,
01335                 size_t maclen);
01336 extern int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction);
01337 extern int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl);
01338 extern int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl);
01339 extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl);
01340 extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl);
01341 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
01342 
01343 /**
01344  * \brief               Return the name of the ciphersuite associated with the
01345  *                      given ID
01346  *
01347  * \param ciphersuite_id SSL ciphersuite ID
01348  *
01349  * \return              a string containing the ciphersuite name
01350  */
01351 const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id );
01352 
01353 /**
01354  * \brief               Return the ID of the ciphersuite associated with the
01355  *                      given name
01356  *
01357  * \param ciphersuite_name SSL ciphersuite name
01358  *
01359  * \return              the ID with the ciphersuite or 0 if not found
01360  */
01361 int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name );
01362 
01363 /**
01364  * \brief          Initialize an SSL context
01365  *                 Just makes the context ready for mbedtls_ssl_setup() or
01366  *                 mbedtls_ssl_free()
01367  *
01368  * \param ssl      SSL context
01369  */
01370 void mbedtls_ssl_init( mbedtls_ssl_context *ssl );
01371 
01372 /**
01373  * \brief          Set up an SSL context for use
01374  *
01375  * \note           No copy of the configuration context is made, it can be
01376  *                 shared by many mbedtls_ssl_context structures.
01377  *
01378  * \warning        The conf structure will be accessed during the session.
01379  *                 It must not be modified or freed as long as the session
01380  *                 is active.
01381  *
01382  * \warning        This function must be called exactly once per context.
01383  *                 Calling mbedtls_ssl_setup again is not supported, even
01384  *                 if no session is active.
01385  *
01386  * \param ssl      SSL context
01387  * \param conf     SSL configuration to use
01388  *
01389  * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if
01390  *                 memory allocation failed
01391  */
01392 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
01393                        const mbedtls_ssl_config *conf );
01394 
01395 /**
01396  * \brief          Reset an already initialized SSL context for re-use
01397  *                 while retaining application-set variables, function
01398  *                 pointers and data.
01399  *
01400  * \param ssl      SSL context
01401  * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED,
01402                    MBEDTLS_ERR_SSL_HW_ACCEL_FAILED or
01403  *                 MBEDTLS_ERR_SSL_COMPRESSION_FAILED
01404  */
01405 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl );
01406 
01407 /**
01408  * \brief          Set the current endpoint type
01409  *
01410  * \param conf     SSL configuration
01411  * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
01412  */
01413 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
01414 
01415 /**
01416  * \brief           Set the transport type (TLS or DTLS).
01417  *                  Default: TLS
01418  *
01419  * \note            For DTLS, you must either provide a recv callback that
01420  *                  doesn't block, or one that handles timeouts, see
01421  *                  \c mbedtls_ssl_set_bio(). You also need to provide timer
01422  *                  callbacks with \c mbedtls_ssl_set_timer_cb().
01423  *
01424  * \param conf      SSL configuration
01425  * \param transport transport type:
01426  *                  MBEDTLS_SSL_TRANSPORT_STREAM for TLS,
01427  *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS.
01428  */
01429 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
01430 
01431 /**
01432  * \brief          Set the certificate verification mode
01433  *                 Default: NONE on server, REQUIRED on client
01434  *
01435  * \param conf     SSL configuration
01436  * \param authmode can be:
01437  *
01438  *  MBEDTLS_SSL_VERIFY_NONE:      peer certificate is not checked
01439  *                        (default on server)
01440  *                        (insecure on client)
01441  *
01442  *  MBEDTLS_SSL_VERIFY_OPTIONAL:  peer certificate is checked, however the
01443  *                        handshake continues even if verification failed;
01444  *                        mbedtls_ssl_get_verify_result() can be called after the
01445  *                        handshake is complete.
01446  *
01447  *  MBEDTLS_SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
01448  *                        handshake is aborted if verification failed.
01449  *                        (default on client)
01450  *
01451  * \note On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode.
01452  * With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at
01453  * the right time(s), which may not be obvious, while REQUIRED always perform
01454  * the verification as soon as possible. For example, REQUIRED was protecting
01455  * against the "triple handshake" attack even before it was found.
01456  */
01457 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
01458 
01459 #if defined(MBEDTLS_X509_CRT_PARSE_C)
01460 /**
01461  * \brief          Set the verification callback (Optional).
01462  *
01463  *                 If set, the provided verify callback is called for each
01464  *                 certificate in the peer's CRT chain, including the trusted
01465  *                 root. For more information, please see the documentation of
01466  *                 \c mbedtls_x509_crt_verify().
01467  *
01468  * \note           For per context callbacks and contexts, please use
01469  *                 mbedtls_ssl_set_verify() instead.
01470  *
01471  * \param conf     The SSL configuration to use.
01472  * \param f_vrfy   The verification callback to use during CRT verification.
01473  * \param p_vrfy   The opaque context to be passed to the callback.
01474  */
01475 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
01476                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
01477                      void *p_vrfy );
01478 #endif /* MBEDTLS_X509_CRT_PARSE_C */
01479 
01480 /**
01481  * \brief          Set the random number generator callback
01482  *
01483  * \param conf     SSL configuration
01484  * \param f_rng    RNG function
01485  * \param p_rng    RNG parameter
01486  */
01487 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
01488                   int (*f_rng)(void *, unsigned char *, size_t),
01489                   void *p_rng );
01490 
01491 /**
01492  * \brief          Set the debug callback
01493  *
01494  *                 The callback has the following argument:
01495  *                 void *           opaque context for the callback
01496  *                 int              debug level
01497  *                 const char *     file name
01498  *                 int              line number
01499  *                 const char *     message
01500  *
01501  * \param conf     SSL configuration
01502  * \param f_dbg    debug function
01503  * \param p_dbg    debug parameter
01504  */
01505 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
01506                   void (*f_dbg)(void *, int, const char *, int, const char *),
01507                   void  *p_dbg );
01508 
01509 /**
01510  * \brief          Set the underlying BIO callbacks for write, read and
01511  *                 read-with-timeout.
01512  *
01513  * \param ssl      SSL context
01514  * \param p_bio    parameter (context) shared by BIO callbacks
01515  * \param f_send   write callback
01516  * \param f_recv   read callback
01517  * \param f_recv_timeout blocking read callback with timeout.
01518  *
01519  * \note           One of f_recv or f_recv_timeout can be NULL, in which case
01520  *                 the other is used. If both are non-NULL, f_recv_timeout is
01521  *                 used and f_recv is ignored (as if it were NULL).
01522  *
01523  * \note           The two most common use cases are:
01524  *                 - non-blocking I/O, f_recv != NULL, f_recv_timeout == NULL
01525  *                 - blocking I/O, f_recv == NULL, f_recv_timout != NULL
01526  *
01527  * \note           For DTLS, you need to provide either a non-NULL
01528  *                 f_recv_timeout callback, or a f_recv that doesn't block.
01529  *
01530  * \note           See the documentations of \c mbedtls_ssl_sent_t,
01531  *                 \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for
01532  *                 the conventions those callbacks must follow.
01533  *
01534  * \note           On some platforms, net_sockets.c provides
01535  *                 \c mbedtls_net_send(), \c mbedtls_net_recv() and
01536  *                 \c mbedtls_net_recv_timeout() that are suitable to be used
01537  *                 here.
01538  */
01539 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
01540                           void *p_bio,
01541                           mbedtls_ssl_send_t *f_send,
01542                           mbedtls_ssl_recv_t *f_recv,
01543                           mbedtls_ssl_recv_timeout_t *f_recv_timeout );
01544 
01545 #if defined(MBEDTLS_SSL_PROTO_DTLS)
01546 
01547 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
01548 
01549 
01550 /**
01551  * \brief             Configure the use of the Connection ID (CID)
01552  *                    extension in the next handshake.
01553  *
01554  *                    Reference: draft-ietf-tls-dtls-connection-id-05
01555  *                    https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
01556  *
01557  *                    The DTLS CID extension allows the reliable association of
01558  *                    DTLS records to DTLS connections across changes in the
01559  *                    underlying transport (changed IP and Port metadata) by
01560  *                    adding explicit connection identifiers (CIDs) to the
01561  *                    headers of encrypted DTLS records. The desired CIDs are
01562  *                    configured by the application layer and are exchanged in
01563  *                    new `ClientHello` / `ServerHello` extensions during the
01564  *                    handshake, where each side indicates the CID it wants the
01565  *                    peer to use when writing encrypted messages. The CIDs are
01566  *                    put to use once records get encrypted: the stack discards
01567  *                    any incoming records that don't include the configured CID
01568  *                    in their header, and adds the peer's requested CID to the
01569  *                    headers of outgoing messages.
01570  *
01571  *                    This API enables or disables the use of the CID extension
01572  *                    in the next handshake and sets the value of the CID to
01573  *                    be used for incoming messages.
01574  *
01575  * \param ssl         The SSL context to configure. This must be initialized.
01576  * \param enable      This value determines whether the CID extension should
01577  *                    be used or not. Possible values are:
01578  *                    - MBEDTLS_SSL_CID_ENABLED to enable the use of the CID.
01579  *                    - MBEDTLS_SSL_CID_DISABLED (default) to disable the use
01580  *                      of the CID.
01581  * \param own_cid     The address of the readable buffer holding the CID we want
01582  *                    the peer to use when sending encrypted messages to us.
01583  *                    This may be \c NULL if \p own_cid_len is \c 0.
01584  *                    This parameter is unused if \p enabled is set to
01585  *                    MBEDTLS_SSL_CID_DISABLED.
01586  * \param own_cid_len The length of \p own_cid.
01587  *                    This parameter is unused if \p enabled is set to
01588  *                    MBEDTLS_SSL_CID_DISABLED.
01589  *
01590  * \note              The value of \p own_cid_len must match the value of the
01591  *                    \c len parameter passed to mbedtls_ssl_conf_cid()
01592  *                    when configuring the ::mbedtls_ssl_config that \p ssl
01593  *                    is bound to.
01594  *
01595  * \note              This CID configuration applies to subsequent handshakes
01596  *                    performed on the SSL context \p ssl, but does not trigger
01597  *                    one. You still have to call `mbedtls_ssl_handshake()`
01598  *                    (for the initial handshake) or `mbedtls_ssl_renegotiate()`
01599  *                    (for a renegotiation handshake) explicitly after a
01600  *                    successful call to this function to run the handshake.
01601  *
01602  * \note              This call cannot guarantee that the use of the CID
01603  *                    will be successfully negotiated in the next handshake,
01604  *                    because the peer might not support it. Specifically:
01605  *                    - On the Client, enabling the use of the CID through
01606  *                      this call implies that the `ClientHello` in the next
01607  *                      handshake will include the CID extension, thereby
01608  *                      offering the use of the CID to the server. Only if
01609  *                      the `ServerHello` contains the CID extension, too,
01610  *                      the CID extension will actually be put to use.
01611  *                    - On the Server, enabling the use of the CID through
01612  *                      this call implies that that the server will look for
01613  *                      the CID extension in a `ClientHello` from the client,
01614  *                      and, if present, reply with a CID extension in its
01615  *                      `ServerHello`.
01616  *
01617  * \note              To check whether the use of the CID was negotiated
01618  *                    after the subsequent handshake has completed, please
01619  *                    use the API mbedtls_ssl_get_peer_cid().
01620  *
01621  * \warning           If the use of the CID extension is enabled in this call
01622  *                    and the subsequent handshake negotiates its use, Mbed TLS
01623  *                    will silently drop every packet whose CID does not match
01624  *                    the CID configured in \p own_cid. It is the responsibility
01625  *                    of the user to adapt the underlying transport to take care
01626  *                    of CID-based demultiplexing before handing datagrams to
01627  *                    Mbed TLS.
01628  *
01629  * \return            \c 0 on success. In this case, the CID configuration
01630  *                    applies to the next handshake.
01631  * \return            A negative error code on failure.
01632  */
01633 int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
01634                          int enable,
01635                          unsigned char const *own_cid,
01636                          size_t own_cid_len );
01637 
01638 /**
01639  * \brief              Get information about the use of the CID extension
01640  *                     in the current connection.
01641  *
01642  * \param ssl          The SSL context to query.
01643  * \param enabled      The address at which to store whether the CID extension
01644  *                     is currently in use or not. If the CID is in use,
01645  *                     `*enabled` is set to MBEDTLS_SSL_CID_ENABLED;
01646  *                     otherwise, it is set to MBEDTLS_SSL_CID_DISABLED.
01647  * \param peer_cid     The address of the buffer in which to store the CID
01648  *                     chosen by the peer (if the CID extension is used).
01649  *                     This may be \c NULL in case the value of peer CID
01650  *                     isn't needed. If it is not \c NULL, \p peer_cid_len
01651  *                     must not be \c NULL.
01652  * \param peer_cid_len The address at which to store the size of the CID
01653  *                     chosen by the peer (if the CID extension is used).
01654  *                     This is also the number of Bytes in \p peer_cid that
01655  *                     have been written.
01656  *                     This may be \c NULL in case the length of the peer CID
01657  *                     isn't needed. If it is \c NULL, \p peer_cid must be
01658  *                     \c NULL, too.
01659  *
01660  * \note               This applies to the state of the CID negotiated in
01661  *                     the last complete handshake. If a handshake is in
01662  *                     progress, this function will attempt to complete
01663  *                     the handshake first.
01664  *
01665  * \note               If CID extensions have been exchanged but both client
01666  *                     and server chose to use an empty CID, this function
01667  *                     sets `*enabled` to #MBEDTLS_SSL_CID_DISABLED
01668  *                     (the rationale for this is that the resulting
01669  *                     communication is the same as if the CID extensions
01670  *                     hadn't been used).
01671  *
01672  * \return            \c 0 on success.
01673  * \return            A negative error code on failure.
01674  */
01675 int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
01676                      int *enabled,
01677                      unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
01678                      size_t *peer_cid_len );
01679 
01680 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
01681 
01682 /**
01683  * \brief          Set the Maximum Tranport Unit (MTU).
01684  *                 Special value: 0 means unset (no limit).
01685  *                 This represents the maximum size of a datagram payload
01686  *                 handled by the transport layer (usually UDP) as determined
01687  *                 by the network link and stack. In practice, this controls
01688  *                 the maximum size datagram the DTLS layer will pass to the
01689  *                 \c f_send() callback set using \c mbedtls_ssl_set_bio().
01690  *
01691  * \note           The limit on datagram size is converted to a limit on
01692  *                 record payload by subtracting the current overhead of
01693  *                 encapsulation and encryption/authentication if any.
01694  *
01695  * \note           This can be called at any point during the connection, for
01696  *                 example when a Path Maximum Transfer Unit (PMTU)
01697  *                 estimate becomes available from other sources,
01698  *                 such as lower (or higher) protocol layers.
01699  *
01700  * \note           This setting only controls the size of the packets we send,
01701  *                 and does not restrict the size of the datagrams we're
01702  *                 willing to receive. Client-side, you can request the
01703  *                 server to use smaller records with \c
01704  *                 mbedtls_ssl_conf_max_frag_len().
01705  *
01706  * \note           If both a MTU and a maximum fragment length have been
01707  *                 configured (or negotiated with the peer), the resulting
01708  *                 lower limit on record payload (see first note) is used.
01709  *
01710  * \note           This can only be used to decrease the maximum size
01711  *                 of datagrams (hence records, see first note) sent. It
01712  *                 cannot be used to increase the maximum size of records over
01713  *                 the limit set by #MBEDTLS_SSL_OUT_CONTENT_LEN.
01714  *
01715  * \note           Values lower than the current record layer expansion will
01716  *                 result in an error when trying to send data.
01717  *
01718  * \note           Using record compression together with a non-zero MTU value
01719  *                 will result in an error when trying to send data.
01720  *
01721  * \param ssl      SSL context
01722  * \param mtu      Value of the path MTU in bytes
01723  */
01724 void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
01725 #endif /* MBEDTLS_SSL_PROTO_DTLS */
01726 
01727 #if defined(MBEDTLS_X509_CRT_PARSE_C)
01728 /**
01729  * \brief          Set a connection-specific verification callback (optional).
01730  *
01731  *                 If set, the provided verify callback is called for each
01732  *                 certificate in the peer's CRT chain, including the trusted
01733  *                 root. For more information, please see the documentation of
01734  *                 \c mbedtls_x509_crt_verify().
01735  *
01736  * \note           This call is analogous to mbedtls_ssl_conf_verify() but
01737  *                 binds the verification callback and context to an SSL context
01738  *                 as opposed to an SSL configuration.
01739  *                 If mbedtls_ssl_conf_verify() and mbedtls_ssl_set_verify()
01740  *                 are both used, mbedtls_ssl_set_verify() takes precedence.
01741  *
01742  * \param ssl      The SSL context to use.
01743  * \param f_vrfy   The verification callback to use during CRT verification.
01744  * \param p_vrfy   The opaque context to be passed to the callback.
01745  */
01746 void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
01747                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
01748                      void *p_vrfy );
01749 #endif /* MBEDTLS_X509_CRT_PARSE_C */
01750 
01751 /**
01752  * \brief          Set the timeout period for mbedtls_ssl_read()
01753  *                 (Default: no timeout.)
01754  *
01755  * \param conf     SSL configuration context
01756  * \param timeout  Timeout value in milliseconds.
01757  *                 Use 0 for no timeout (default).
01758  *
01759  * \note           With blocking I/O, this will only work if a non-NULL
01760  *                 \c f_recv_timeout was set with \c mbedtls_ssl_set_bio().
01761  *                 With non-blocking I/O, this will only work if timer
01762  *                 callbacks were set with \c mbedtls_ssl_set_timer_cb().
01763  *
01764  * \note           With non-blocking I/O, you may also skip this function
01765  *                 altogether and handle timeouts at the application layer.
01766  */
01767 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
01768 
01769 #if defined(MBEDTLS_SSL_RECORD_CHECKING)
01770 /**
01771  * \brief          Check whether a buffer contains a valid and authentic record
01772  *                 that has not been seen before. (DTLS only).
01773  *
01774  *                 This function does not change the user-visible state
01775  *                 of the SSL context. Its sole purpose is to provide
01776  *                 an indication of the legitimacy of an incoming record.
01777  *
01778  *                 This can be useful e.g. in distributed server environments
01779  *                 using the DTLS Connection ID feature, in which connections
01780  *                 might need to be passed between service instances on a change
01781  *                 of peer address, but where such disruptive operations should
01782  *                 only happen after the validity of incoming records has been
01783  *                 confirmed.
01784  *
01785  * \param ssl      The SSL context to use.
01786  * \param buf      The address of the buffer holding the record to be checked.
01787  *                 This must be a read/write buffer of length \p buflen Bytes.
01788  * \param buflen   The length of \p buf in Bytes.
01789  *
01790  * \note           This routine only checks whether the provided buffer begins
01791  *                 with a valid and authentic record that has not been seen
01792  *                 before, but does not check potential data following the
01793  *                 initial record. In particular, it is possible to pass DTLS
01794  *                 datagrams containing multiple records, in which case only
01795  *                 the first record is checked.
01796  *
01797  * \note           This function modifies the input buffer \p buf. If you need
01798  *                 to preserve the original record, you have to maintain a copy.
01799  *
01800  * \return         \c 0 if the record is valid and authentic and has not been
01801  *                 seen before.
01802  * \return         MBEDTLS_ERR_SSL_INVALID_MAC if the check completed
01803  *                 successfully but the record was found to be not authentic.
01804  * \return         MBEDTLS_ERR_SSL_INVALID_RECORD if the check completed
01805  *                 successfully but the record was found to be invalid for
01806  *                 a reason different from authenticity checking.
01807  * \return         MBEDTLS_ERR_SSL_UNEXPECTED_RECORD if the check completed
01808  *                 successfully but the record was found to be unexpected
01809  *                 in the state of the SSL context, including replayed records.
01810  * \return         Another negative error code on different kinds of failure.
01811  *                 In this case, the SSL context becomes unusable and needs
01812  *                 to be freed or reset before reuse.
01813  */
01814 int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
01815                               unsigned char *buf,
01816                               size_t buflen );
01817 #endif /* MBEDTLS_SSL_RECORD_CHECKING */
01818 
01819 /**
01820  * \brief          Set the timer callbacks (Mandatory for DTLS.)
01821  *
01822  * \param ssl      SSL context
01823  * \param p_timer  parameter (context) shared by timer callbacks
01824  * \param f_set_timer   set timer callback
01825  * \param f_get_timer   get timer callback. Must return:
01826  *
01827  * \note           See the documentation of \c mbedtls_ssl_set_timer_t and
01828  *                 \c mbedtls_ssl_get_timer_t for the conventions this pair of
01829  *                 callbacks must follow.
01830  *
01831  * \note           On some platforms, timing.c provides
01832  *                 \c mbedtls_timing_set_delay() and
01833  *                 \c mbedtls_timing_get_delay() that are suitable for using
01834  *                 here, except if using an event-driven style.
01835  *
01836  * \note           See also the "DTLS tutorial" article in our knowledge base.
01837  *                 https://tls.mbed.org/kb/how-to/dtls-tutorial
01838  */
01839 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
01840                                void *p_timer,
01841                                mbedtls_ssl_set_timer_t *f_set_timer,
01842                                mbedtls_ssl_get_timer_t *f_get_timer );
01843 
01844 /**
01845  * \brief           Callback type: generate and write session ticket
01846  *
01847  * \note            This describes what a callback implementation should do.
01848  *                  This callback should generate an encrypted and
01849  *                  authenticated ticket for the session and write it to the
01850  *                  output buffer. Here, ticket means the opaque ticket part
01851  *                  of the NewSessionTicket structure of RFC 5077.
01852  *
01853  * \param p_ticket  Context for the callback
01854  * \param session   SSL session to be written in the ticket
01855  * \param start     Start of the output buffer
01856  * \param end       End of the output buffer
01857  * \param tlen      On exit, holds the length written
01858  * \param lifetime  On exit, holds the lifetime of the ticket in seconds
01859  *
01860  * \return          0 if successful, or
01861  *                  a specific MBEDTLS_ERR_XXX code.
01862  */
01863 typedef int mbedtls_ssl_ticket_write_t( void *p_ticket,
01864                                         const mbedtls_ssl_session *session,
01865                                         unsigned char *start,
01866                                         const unsigned char *end,
01867                                         size_t *tlen,
01868                                         uint32_t *lifetime );
01869 
01870 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
01871 /**
01872  * \brief           Callback type: Export key block and master secret
01873  *
01874  * \note            This is required for certain uses of TLS, e.g. EAP-TLS
01875  *                  (RFC 5216) and Thread. The key pointers are ephemeral and
01876  *                  therefore must not be stored. The master secret and keys
01877  *                  should not be used directly except as an input to a key
01878  *                  derivation function.
01879  *
01880  * \param p_expkey  Context for the callback
01881  * \param ms        Pointer to master secret (fixed length: 48 bytes)
01882  * \param kb        Pointer to key block, see RFC 5246 section 6.3
01883  *                  (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
01884  * \param maclen    MAC length
01885  * \param keylen    Key length
01886  * \param ivlen     IV length
01887  *
01888  * \return          0 if successful, or
01889  *                  a specific MBEDTLS_ERR_XXX code.
01890  */
01891 typedef int mbedtls_ssl_export_keys_t( void *p_expkey,
01892                                 const unsigned char *ms,
01893                                 const unsigned char *kb,
01894                                 size_t maclen,
01895                                 size_t keylen,
01896                                 size_t ivlen );
01897 
01898 /**
01899  * \brief           Callback type: Export key block, master secret,
01900  *                                 handshake randbytes and the tls_prf function
01901  *                                 used to derive keys.
01902  *
01903  * \note            This is required for certain uses of TLS, e.g. EAP-TLS
01904  *                  (RFC 5216) and Thread. The key pointers are ephemeral and
01905  *                  therefore must not be stored. The master secret and keys
01906  *                  should not be used directly except as an input to a key
01907  *                  derivation function.
01908  *
01909  * \param p_expkey  Context for the callback.
01910  * \param ms        Pointer to master secret (fixed length: 48 bytes).
01911  * \param kb            Pointer to key block, see RFC 5246 section 6.3.
01912  *                      (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
01913  * \param maclen        MAC length.
01914  * \param keylen        Key length.
01915  * \param ivlen         IV length.
01916  * \param client_random The client random bytes.
01917  * \param server_random The server random bytes.
01918  * \param tls_prf_type The tls_prf enum type.
01919  *
01920  * \return          0 if successful, or
01921  *                  a specific MBEDTLS_ERR_XXX code.
01922  */
01923 typedef int mbedtls_ssl_export_keys_ext_t( void *p_expkey,
01924                                            const unsigned char *ms,
01925                                            const unsigned char *kb,
01926                                            size_t maclen,
01927                                            size_t keylen,
01928                                            size_t ivlen,
01929                                            const unsigned char client_random[32],
01930                                            const unsigned char server_random[32],
01931                                            mbedtls_tls_prf_types tls_prf_type );
01932 #endif /* MBEDTLS_SSL_EXPORT_KEYS */
01933 
01934 /**
01935  * \brief           Callback type: parse and load session ticket
01936  *
01937  * \note            This describes what a callback implementation should do.
01938  *                  This callback should parse a session ticket as generated
01939  *                  by the corresponding mbedtls_ssl_ticket_write_t function,
01940  *                  and, if the ticket is authentic and valid, load the
01941  *                  session.
01942  *
01943  * \note            The implementation is allowed to modify the first len
01944  *                  bytes of the input buffer, eg to use it as a temporary
01945  *                  area for the decrypted ticket contents.
01946  *
01947  * \param p_ticket  Context for the callback
01948  * \param session   SSL session to be loaded
01949  * \param buf       Start of the buffer containing the ticket
01950  * \param len       Length of the ticket.
01951  *
01952  * \return          0 if successful, or
01953  *                  MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or
01954  *                  MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or
01955  *                  any other non-zero code for other failures.
01956  */
01957 typedef int mbedtls_ssl_ticket_parse_t( void *p_ticket,
01958                                         mbedtls_ssl_session *session,
01959                                         unsigned char *buf,
01960                                         size_t len );
01961 
01962 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
01963 /**
01964  * \brief           Configure SSL session ticket callbacks (server only).
01965  *                  (Default: none.)
01966  *
01967  * \note            On server, session tickets are enabled by providing
01968  *                  non-NULL callbacks.
01969  *
01970  * \note            On client, use \c mbedtls_ssl_conf_session_tickets().
01971  *
01972  * \param conf      SSL configuration context
01973  * \param f_ticket_write    Callback for writing a ticket
01974  * \param f_ticket_parse    Callback for parsing a ticket
01975  * \param p_ticket          Context shared by the two callbacks
01976  */
01977 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
01978         mbedtls_ssl_ticket_write_t *f_ticket_write,
01979         mbedtls_ssl_ticket_parse_t *f_ticket_parse,
01980         void *p_ticket );
01981 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
01982 
01983 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
01984 /**
01985  * \brief           Configure key export callback.
01986  *                  (Default: none.)
01987  *
01988  * \note            See \c mbedtls_ssl_export_keys_t.
01989  *
01990  * \param conf      SSL configuration context
01991  * \param f_export_keys     Callback for exporting keys
01992  * \param p_export_keys     Context for the callback
01993  */
01994 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
01995         mbedtls_ssl_export_keys_t *f_export_keys,
01996         void *p_export_keys );
01997 
01998 /**
01999  * \brief           Configure extended key export callback.
02000  *                  (Default: none.)
02001  *
02002  * \note            See \c mbedtls_ssl_export_keys_ext_t.
02003  *
02004  * \param conf      SSL configuration context
02005  * \param f_export_keys_ext Callback for exporting keys
02006  * \param p_export_keys     Context for the callback
02007  */
02008 void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf,
02009         mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
02010         void *p_export_keys );
02011 #endif /* MBEDTLS_SSL_EXPORT_KEYS */
02012 
02013 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
02014 /**
02015  * \brief           Configure asynchronous private key operation callbacks.
02016  *
02017  * \param conf              SSL configuration context
02018  * \param f_async_sign      Callback to start a signature operation. See
02019  *                          the description of ::mbedtls_ssl_async_sign_t
02020  *                          for more information. This may be \c NULL if the
02021  *                          external processor does not support any signature
02022  *                          operation; in this case the private key object
02023  *                          associated with the certificate will be used.
02024  * \param f_async_decrypt   Callback to start a decryption operation. See
02025  *                          the description of ::mbedtls_ssl_async_decrypt_t
02026  *                          for more information. This may be \c NULL if the
02027  *                          external processor does not support any decryption
02028  *                          operation; in this case the private key object
02029  *                          associated with the certificate will be used.
02030  * \param f_async_resume    Callback to resume an asynchronous operation. See
02031  *                          the description of ::mbedtls_ssl_async_resume_t
02032  *                          for more information. This may not be \c NULL unless
02033  *                          \p f_async_sign and \p f_async_decrypt are both
02034  *                          \c NULL.
02035  * \param f_async_cancel    Callback to cancel an asynchronous operation. See
02036  *                          the description of ::mbedtls_ssl_async_cancel_t
02037  *                          for more information. This may be \c NULL if
02038  *                          no cleanup is needed.
02039  * \param config_data       A pointer to configuration data which can be
02040  *                          retrieved with
02041  *                          mbedtls_ssl_conf_get_async_config_data(). The
02042  *                          library stores this value without dereferencing it.
02043  */
02044 void mbedtls_ssl_conf_async_private_cb( mbedtls_ssl_config *conf,
02045                                         mbedtls_ssl_async_sign_t *f_async_sign,
02046                                         mbedtls_ssl_async_decrypt_t *f_async_decrypt,
02047                                         mbedtls_ssl_async_resume_t *f_async_resume,
02048                                         mbedtls_ssl_async_cancel_t *f_async_cancel,
02049                                         void *config_data );
02050 
02051 /**
02052  * \brief           Retrieve the configuration data set by
02053  *                  mbedtls_ssl_conf_async_private_cb().
02054  *
02055  * \param conf      SSL configuration context
02056  * \return          The configuration data set by
02057  *                  mbedtls_ssl_conf_async_private_cb().
02058  */
02059 void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf );
02060 
02061 /**
02062  * \brief           Retrieve the asynchronous operation user context.
02063  *
02064  * \note            This function may only be called while a handshake
02065  *                  is in progress.
02066  *
02067  * \param ssl       The SSL context to access.
02068  *
02069  * \return          The asynchronous operation user context that was last
02070  *                  set during the current handshake. If
02071  *                  mbedtls_ssl_set_async_operation_data() has not yet been
02072  *                  called during the current handshake, this function returns
02073  *                  \c NULL.
02074  */
02075 void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl );
02076 
02077 /**
02078  * \brief           Retrieve the asynchronous operation user context.
02079  *
02080  * \note            This function may only be called while a handshake
02081  *                  is in progress.
02082  *
02083  * \param ssl       The SSL context to access.
02084  * \param ctx       The new value of the asynchronous operation user context.
02085  *                  Call mbedtls_ssl_get_async_operation_data() later during the
02086  *                  same handshake to retrieve this value.
02087  */
02088 void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
02089                                  void *ctx );
02090 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
02091 
02092 /**
02093  * \brief          Callback type: generate a cookie
02094  *
02095  * \param ctx      Context for the callback
02096  * \param p        Buffer to write to,
02097  *                 must be updated to point right after the cookie
02098  * \param end      Pointer to one past the end of the output buffer
02099  * \param info     Client ID info that was passed to
02100  *                 \c mbedtls_ssl_set_client_transport_id()
02101  * \param ilen     Length of info in bytes
02102  *
02103  * \return         The callback must return 0 on success,
02104  *                 or a negative error code.
02105  */
02106 typedef int mbedtls_ssl_cookie_write_t( void *ctx,
02107                                 unsigned char **p, unsigned char *end,
02108                                 const unsigned char *info, size_t ilen );
02109 
02110 /**
02111  * \brief          Callback type: verify a cookie
02112  *
02113  * \param ctx      Context for the callback
02114  * \param cookie   Cookie to verify
02115  * \param clen     Length of cookie
02116  * \param info     Client ID info that was passed to
02117  *                 \c mbedtls_ssl_set_client_transport_id()
02118  * \param ilen     Length of info in bytes
02119  *
02120  * \return         The callback must return 0 if cookie is valid,
02121  *                 or a negative error code.
02122  */
02123 typedef int mbedtls_ssl_cookie_check_t( void *ctx,
02124                                 const unsigned char *cookie, size_t clen,
02125                                 const unsigned char *info, size_t ilen );
02126 
02127 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
02128 /**
02129  * \brief           Register callbacks for DTLS cookies
02130  *                  (Server only. DTLS only.)
02131  *
02132  *                  Default: dummy callbacks that fail, in order to force you to
02133  *                  register working callbacks (and initialize their context).
02134  *
02135  *                  To disable HelloVerifyRequest, register NULL callbacks.
02136  *
02137  * \warning         Disabling hello verification allows your server to be used
02138  *                  for amplification in DoS attacks against other hosts.
02139  *                  Only disable if you known this can't happen in your
02140  *                  particular environment.
02141  *
02142  * \note            See comments on \c mbedtls_ssl_handshake() about handling
02143  *                  the MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED that is expected
02144  *                  on the first handshake attempt when this is enabled.
02145  *
02146  * \note            This is also necessary to handle client reconnection from
02147  *                  the same port as described in RFC 6347 section 4.2.8 (only
02148  *                  the variant with cookies is supported currently). See
02149  *                  comments on \c mbedtls_ssl_read() for details.
02150  *
02151  * \param conf              SSL configuration
02152  * \param f_cookie_write    Cookie write callback
02153  * \param f_cookie_check    Cookie check callback
02154  * \param p_cookie          Context for both callbacks
02155  */
02156 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
02157                            mbedtls_ssl_cookie_write_t *f_cookie_write,
02158                            mbedtls_ssl_cookie_check_t *f_cookie_check,
02159                            void *p_cookie );
02160 
02161 /**
02162  * \brief          Set client's transport-level identification info.
02163  *                 (Server only. DTLS only.)
02164  *
02165  *                 This is usually the IP address (and port), but could be
02166  *                 anything identify the client depending on the underlying
02167  *                 network stack. Used for HelloVerifyRequest with DTLS.
02168  *                 This is *not* used to route the actual packets.
02169  *
02170  * \param ssl      SSL context
02171  * \param info     Transport-level info identifying the client (eg IP + port)
02172  * \param ilen     Length of info in bytes
02173  *
02174  * \note           An internal copy is made, so the info buffer can be reused.
02175  *
02176  * \return         0 on success,
02177  *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client,
02178  *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory.
02179  */
02180 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
02181                                  const unsigned char *info,
02182                                  size_t ilen );
02183 
02184 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
02185 
02186 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
02187 /**
02188  * \brief          Enable or disable anti-replay protection for DTLS.
02189  *                 (DTLS only, no effect on TLS.)
02190  *                 Default: enabled.
02191  *
02192  * \param conf     SSL configuration
02193  * \param mode     MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
02194  *
02195  * \warning        Disabling this is a security risk unless the application
02196  *                 protocol handles duplicated packets in a safe way. You
02197  *                 should not disable this without careful consideration.
02198  *                 However, if your application already detects duplicated
02199  *                 packets and needs information about them to adjust its
02200  *                 transmission strategy, then you'll want to disable this.
02201  */
02202 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
02203 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
02204 
02205 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
02206 /**
02207  * \brief          Set a limit on the number of records with a bad MAC
02208  *                 before terminating the connection.
02209  *                 (DTLS only, no effect on TLS.)
02210  *                 Default: 0 (disabled).
02211  *
02212  * \param conf     SSL configuration
02213  * \param limit    Limit, or 0 to disable.
02214  *
02215  * \note           If the limit is N, then the connection is terminated when
02216  *                 the Nth non-authentic record is seen.
02217  *
02218  * \note           Records with an invalid header are not counted, only the
02219  *                 ones going through the authentication-decryption phase.
02220  *
02221  * \note           This is a security trade-off related to the fact that it's
02222  *                 often relatively easy for an active attacker ot inject UDP
02223  *                 datagrams. On one hand, setting a low limit here makes it
02224  *                 easier for such an attacker to forcibly terminated a
02225  *                 connection. On the other hand, a high limit or no limit
02226  *                 might make us waste resources checking authentication on
02227  *                 many bogus packets.
02228  */
02229 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
02230 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
02231 
02232 #if defined(MBEDTLS_SSL_PROTO_DTLS)
02233 
02234 /**
02235  * \brief          Allow or disallow packing of multiple handshake records
02236  *                 within a single datagram.
02237  *
02238  * \param ssl           The SSL context to configure.
02239  * \param allow_packing This determines whether datagram packing may
02240  *                      be used or not. A value of \c 0 means that every
02241  *                      record will be sent in a separate datagram; a
02242  *                      value of \c 1 means that, if space permits,
02243  *                      multiple handshake messages (including CCS) belonging to
02244  *                      a single flight may be packed within a single datagram.
02245  *
02246  * \note           This is enabled by default and should only be disabled
02247  *                 for test purposes, or if datagram packing causes
02248  *                 interoperability issues with peers that don't support it.
02249  *
02250  * \note           Allowing datagram packing reduces the network load since
02251  *                 there's less overhead if multiple messages share the same
02252  *                 datagram. Also, it increases the handshake efficiency
02253  *                 since messages belonging to a single datagram will not
02254  *                 be reordered in transit, and so future message buffering
02255  *                 or flight retransmission (if no buffering is used) as
02256  *                 means to deal with reordering are needed less frequently.
02257  *
02258  * \note           Application records are not affected by this option and
02259  *                 are currently always sent in separate datagrams.
02260  *
02261  */
02262 void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
02263                                        unsigned allow_packing );
02264 
02265 /**
02266  * \brief          Set retransmit timeout values for the DTLS handshake.
02267  *                 (DTLS only, no effect on TLS.)
02268  *
02269  * \param conf     SSL configuration
02270  * \param min      Initial timeout value in milliseconds.
02271  *                 Default: 1000 (1 second).
02272  * \param max      Maximum timeout value in milliseconds.
02273  *                 Default: 60000 (60 seconds).
02274  *
02275  * \note           Default values are from RFC 6347 section 4.2.4.1.
02276  *
02277  * \note           The 'min' value should typically be slightly above the
02278  *                 expected round-trip time to your peer, plus whatever time
02279  *                 it takes for the peer to process the message. For example,
02280  *                 if your RTT is about 600ms and you peer needs up to 1s to
02281  *                 do the cryptographic operations in the handshake, then you
02282  *                 should set 'min' slightly above 1600. Lower values of 'min'
02283  *                 might cause spurious resends which waste network resources,
02284  *                 while larger value of 'min' will increase overall latency
02285  *                 on unreliable network links.
02286  *
02287  * \note           The more unreliable your network connection is, the larger
02288  *                 your max / min ratio needs to be in order to achieve
02289  *                 reliable handshakes.
02290  *
02291  * \note           Messages are retransmitted up to log2(ceil(max/min)) times.
02292  *                 For example, if min = 1s and max = 5s, the retransmit plan
02293  *                 goes: send ... 1s -> resend ... 2s -> resend ... 4s ->
02294  *                 resend ... 5s -> give up and return a timeout error.
02295  */
02296 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max );
02297 #endif /* MBEDTLS_SSL_PROTO_DTLS */
02298 
02299 #if defined(MBEDTLS_SSL_SRV_C)
02300 /**
02301  * \brief          Set the session cache callbacks (server-side only)
02302  *                 If not set, no session resuming is done (except if session
02303  *                 tickets are enabled too).
02304  *
02305  *                 The session cache has the responsibility to check for stale
02306  *                 entries based on timeout. See RFC 5246 for recommendations.
02307  *
02308  *                 Warning: session.peer_cert is cleared by the SSL/TLS layer on
02309  *                 connection shutdown, so do not cache the pointer! Either set
02310  *                 it to NULL or make a full copy of the certificate.
02311  *
02312  *                 The get callback is called once during the initial handshake
02313  *                 to enable session resuming. The get function has the
02314  *                 following parameters: (void *parameter, mbedtls_ssl_session *session)
02315  *                 If a valid entry is found, it should fill the master of
02316  *                 the session object with the cached values and return 0,
02317  *                 return 1 otherwise. Optionally peer_cert can be set as well
02318  *                 if it is properly present in cache entry.
02319  *
02320  *                 The set callback is called once during the initial handshake
02321  *                 to enable session resuming after the entire handshake has
02322  *                 been finished. The set function has the following parameters:
02323  *                 (void *parameter, const mbedtls_ssl_session *session). The function
02324  *                 should create a cache entry for future retrieval based on
02325  *                 the data in the session structure and should keep in mind
02326  *                 that the mbedtls_ssl_session object presented (and all its referenced
02327  *                 data) is cleared by the SSL/TLS layer when the connection is
02328  *                 terminated. It is recommended to add metadata to determine if
02329  *                 an entry is still valid in the future. Return 0 if
02330  *                 successfully cached, return 1 otherwise.
02331  *
02332  * \param conf           SSL configuration
02333  * \param p_cache        parmater (context) for both callbacks
02334  * \param f_get_cache    session get callback
02335  * \param f_set_cache    session set callback
02336  */
02337 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
02338         void *p_cache,
02339         int (*f_get_cache)(void *, mbedtls_ssl_session *),
02340         int (*f_set_cache)(void *, const mbedtls_ssl_session *) );
02341 #endif /* MBEDTLS_SSL_SRV_C */
02342 
02343 #if defined(MBEDTLS_SSL_CLI_C)
02344 /**
02345  * \brief          Request resumption of session (client-side only)
02346  *                 Session data is copied from presented session structure.
02347  *
02348  * \param ssl      SSL context
02349  * \param session  session context
02350  *
02351  * \return         0 if successful,
02352  *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
02353  *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
02354  *                 arguments are otherwise invalid
02355  *
02356  * \sa             mbedtls_ssl_get_session()
02357  */
02358 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session );
02359 #endif /* MBEDTLS_SSL_CLI_C */
02360 
02361 /**
02362  * \brief          Load serialized session data into a session structure.
02363  *                 On client, this can be used for loading saved sessions
02364  *                 before resuming them with mbedstls_ssl_set_session().
02365  *                 On server, this can be used for alternative implementations
02366  *                 of session cache or session tickets.
02367  *
02368  * \warning        If a peer certificate chain is associated with the session,
02369  *                 the serialized state will only contain the peer's
02370  *                 end-entity certificate and the result of the chain
02371  *                 verification (unless verification was disabled), but not
02372  *                 the rest of the chain.
02373  *
02374  * \see            mbedtls_ssl_session_save()
02375  * \see            mbedtls_ssl_set_session()
02376  *
02377  * \param session  The session structure to be populated. It must have been
02378  *                 initialised with mbedtls_ssl_session_init() but not
02379  *                 populated yet.
02380  * \param buf      The buffer holding the serialized session data. It must be a
02381  *                 readable buffer of at least \p len bytes.
02382  * \param len      The size of the serialized data in bytes.
02383  *
02384  * \return         \c 0 if successful.
02385  * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
02386  * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
02387  * \return         #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
02388  *                 was generated in a different version or configuration of
02389  *                 Mbed TLS.
02390  * \return         Another negative value for other kinds of errors (for
02391  *                 example, unsupported features in the embedded certificate).
02392  */
02393 int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
02394                               const unsigned char *buf,
02395                               size_t len );
02396 
02397 /**
02398  * \brief          Save session structure as serialized data in a buffer.
02399  *                 On client, this can be used for saving session data,
02400  *                 potentially in non-volatile storage, for resuming later.
02401  *                 On server, this can be used for alternative implementations
02402  *                 of session cache or session tickets.
02403  *
02404  * \see            mbedtls_ssl_session_load()
02405  * \see            mbedtls_ssl_get_session_pointer()
02406  *
02407  * \param session  The session structure to be saved.
02408  * \param buf      The buffer to write the serialized data to. It must be a
02409  *                 writeable buffer of at least \p len bytes, or may be \c
02410  *                 NULL if \p len is \c 0.
02411  * \param buf_len  The number of bytes available for writing in \p buf.
02412  * \param olen     The size in bytes of the data that has been or would have
02413  *                 been written. It must point to a valid \c size_t.
02414  *
02415  * \note           \p olen is updated to the correct value regardless of
02416  *                 whether \p buf_len was large enough. This makes it possible
02417  *                 to determine the necessary size by calling this function
02418  *                 with \p buf set to \c NULL and \p buf_len to \c 0.
02419  *
02420  * \return         \c 0 if successful.
02421  * \return         #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
02422  */
02423 int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
02424                               unsigned char *buf,
02425                               size_t buf_len,
02426                               size_t *olen );
02427 
02428 /**
02429  * \brief          Get a pointer to the current session structure, for example
02430  *                 to serialize it.
02431  *
02432  * \warning        Ownership of the session remains with the SSL context, and
02433  *                 the returned pointer is only guaranteed to be valid until
02434  *                 the next API call operating on the same \p ssl context.
02435  *
02436  * \see            mbedtls_ssl_session_save()
02437  *
02438  * \param ssl      The SSL context.
02439  *
02440  * \return         A pointer to the current session if successful.
02441  * \return         \c NULL if no session is active.
02442  */
02443 const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_context *ssl );
02444 
02445 /**
02446  * \brief               Set the list of allowed ciphersuites and the preference
02447  *                      order. First in the list has the highest preference.
02448  *                      (Overrides all version-specific lists)
02449  *
02450  *                      The ciphersuites array is not copied, and must remain
02451  *                      valid for the lifetime of the ssl_config.
02452  *
02453  *                      Note: The server uses its own preferences
02454  *                      over the preference of the client unless
02455  *                      MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
02456  *
02457  * \param conf          SSL configuration
02458  * \param ciphersuites  0-terminated list of allowed ciphersuites
02459  */
02460 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
02461                                    const int *ciphersuites );
02462 
02463 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
02464 #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
02465 #define MBEDTLS_SSL_UNEXPECTED_CID_FAIL   1
02466 /**
02467  * \brief               Specify the length of Connection IDs for incoming
02468  *                      encrypted DTLS records, as well as the behaviour
02469  *                      on unexpected CIDs.
02470  *
02471  *                      By default, the CID length is set to \c 0,
02472  *                      and unexpected CIDs are silently ignored.
02473  *
02474  * \param conf          The SSL configuration to modify.
02475  * \param len           The length in Bytes of the CID fields in encrypted
02476  *                      DTLS records using the CID mechanism. This must
02477  *                      not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX.
02478  * \param ignore_other_cids This determines the stack's behaviour when
02479  *                          receiving a record with an unexpected CID.
02480  *                          Possible values are:
02481  *                          - #MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
02482  *                            In this case, the record is silently ignored.
02483  *                          - #MBEDTLS_SSL_UNEXPECTED_CID_FAIL
02484  *                            In this case, the stack fails with the specific
02485  *                            error code #MBEDTLS_ERR_SSL_UNEXPECTED_CID.
02486  *
02487  * \note                The CID specification allows implementations to either
02488  *                      use a common length for all incoming connection IDs or
02489  *                      allow variable-length incoming IDs. Mbed TLS currently
02490  *                      requires a common length for all connections sharing the
02491  *                      same SSL configuration; this allows simpler parsing of
02492  *                      record headers.
02493  *
02494  * \return              \c 0 on success.
02495  * \return              #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
02496  *                      is too large.
02497  */
02498 int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
02499                           int ignore_other_cids );
02500 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
02501 
02502 /**
02503  * \brief               Set the list of allowed ciphersuites and the
02504  *                      preference order for a specific version of the protocol.
02505  *                      (Only useful on the server side)
02506  *
02507  *                      The ciphersuites array is not copied, and must remain
02508  *                      valid for the lifetime of the ssl_config.
02509  *
02510  * \param conf          SSL configuration
02511  * \param ciphersuites  0-terminated list of allowed ciphersuites
02512  * \param major         Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
02513  *                      supported)
02514  * \param minor         Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
02515  *                      MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
02516  *                      MBEDTLS_SSL_MINOR_VERSION_3 supported)
02517  *
02518  * \note                With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
02519  *                      and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
02520  */
02521 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
02522                                        const int *ciphersuites,
02523                                        int major, int minor );
02524 
02525 #if defined(MBEDTLS_X509_CRT_PARSE_C)
02526 /**
02527  * \brief          Set the X.509 security profile used for verification
02528  *
02529  * \note           The restrictions are enforced for all certificates in the
02530  *                 chain. However, signatures in the handshake are not covered
02531  *                 by this setting but by \b mbedtls_ssl_conf_sig_hashes().
02532  *
02533  * \param conf     SSL configuration
02534  * \param profile  Profile to use
02535  */
02536 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
02537                                     const mbedtls_x509_crt_profile *profile );
02538 
02539 /**
02540  * \brief          Set the data required to verify peer certificate
02541  *
02542  * \note           See \c mbedtls_x509_crt_verify() for notes regarding the
02543  *                 parameters ca_chain (maps to trust_ca for that function)
02544  *                 and ca_crl.
02545  *
02546  * \param conf     SSL configuration
02547  * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
02548  * \param ca_crl   trusted CA CRLs
02549  */
02550 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
02551                                mbedtls_x509_crt *ca_chain,
02552                                mbedtls_x509_crl *ca_crl );
02553 
02554 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
02555 /**
02556  * \brief          Set the trusted certificate callback.
02557  *
02558  *                 This API allows to register the set of trusted certificates
02559  *                 through a callback, instead of a linked list as configured
02560  *                 by mbedtls_ssl_conf_ca_chain().
02561  *
02562  *                 This is useful for example in contexts where a large number
02563  *                 of CAs are used, and the inefficiency of maintaining them
02564  *                 in a linked list cannot be tolerated. It is also useful when
02565  *                 the set of trusted CAs needs to be modified frequently.
02566  *
02567  *                 See the documentation of `mbedtls_x509_crt_ca_cb_t` for
02568  *                 more information.
02569  *
02570  * \param conf     The SSL configuration to register the callback with.
02571  * \param f_ca_cb  The trusted certificate callback to use when verifying
02572  *                 certificate chains.
02573  * \param p_ca_cb  The context to be passed to \p f_ca_cb (for example,
02574  *                 a reference to a trusted CA database).
02575  *
02576  * \note           This API is incompatible with mbedtls_ssl_conf_ca_chain():
02577  *                 Any call to this function overwrites the values set through
02578  *                 earlier calls to mbedtls_ssl_conf_ca_chain() or
02579  *                 mbedtls_ssl_conf_ca_cb().
02580  *
02581  * \note           This API is incompatible with CA indication in
02582  *                 CertificateRequest messages: A server-side SSL context which
02583  *                 is bound to an SSL configuration that uses a CA callback
02584  *                 configured via mbedtls_ssl_conf_ca_cb(), and which requires
02585  *                 client authentication, will send an empty CA list in the
02586  *                 corresponding CertificateRequest message.
02587  *
02588  * \note           This API is incompatible with mbedtls_ssl_set_hs_ca_chain():
02589  *                 If an SSL context is bound to an SSL configuration which uses
02590  *                 CA callbacks configured via mbedtls_ssl_conf_ca_cb(), then
02591  *                 calls to mbedtls_ssl_set_hs_ca_chain() have no effect.
02592  *
02593  * \note           The use of this API disables the use of restartable ECC
02594  *                 during X.509 CRT signature verification (but doesn't affect
02595  *                 other uses).
02596  *
02597  * \warning        This API is incompatible with the use of CRLs. Any call to
02598  *                 mbedtls_ssl_conf_ca_cb() unsets CRLs configured through
02599  *                 earlier calls to mbedtls_ssl_conf_ca_chain().
02600  *
02601  * \warning        In multi-threaded environments, the callback \p f_ca_cb
02602  *                 must be thread-safe, and it is the user's responsibility
02603  *                 to guarantee this (for example through a mutex
02604  *                 contained in the callback context pointed to by \p p_ca_cb).
02605  */
02606 void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
02607                              mbedtls_x509_crt_ca_cb_t f_ca_cb,
02608                              void *p_ca_cb );
02609 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
02610 
02611 /**
02612  * \brief          Set own certificate chain and private key
02613  *
02614  * \note           own_cert should contain in order from the bottom up your
02615  *                 certificate chain. The top certificate (self-signed)
02616  *                 can be omitted.
02617  *
02618  * \note           On server, this function can be called multiple times to
02619  *                 provision more than one cert/key pair (eg one ECDSA, one
02620  *                 RSA with SHA-256, one RSA with SHA-1). An adequate
02621  *                 certificate will be selected according to the client's
02622  *                 advertised capabilities. In case multiple certificates are
02623  *                 adequate, preference is given to the one set by the first
02624  *                 call to this function, then second, etc.
02625  *
02626  * \note           On client, only the first call has any effect. That is,
02627  *                 only one client certificate can be provisioned. The
02628  *                 server's preferences in its CertficateRequest message will
02629  *                 be ignored and our only cert will be sent regardless of
02630  *                 whether it matches those preferences - the server can then
02631  *                 decide what it wants to do with it.
02632  *
02633  * \note           The provided \p pk_key needs to match the public key in the
02634  *                 first certificate in \p own_cert, or all handshakes using
02635  *                 that certificate will fail. It is your responsibility
02636  *                 to ensure that; this function will not perform any check.
02637  *                 You may use mbedtls_pk_check_pair() in order to perform
02638  *                 this check yourself, but be aware that this function can
02639  *                 be computationally expensive on some key types.
02640  *
02641  * \param conf     SSL configuration
02642  * \param own_cert own public certificate chain
02643  * \param pk_key   own private key
02644  *
02645  * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
02646  */
02647 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
02648                               mbedtls_x509_crt *own_cert,
02649                               mbedtls_pk_context *pk_key );
02650 #endif /* MBEDTLS_X509_CRT_PARSE_C */
02651 
02652 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
02653 /**
02654  * \brief          Configure a pre-shared key (PSK) and identity
02655  *                 to be used in PSK-based ciphersuites.
02656  *
02657  * \note           This is mainly useful for clients. Servers will usually
02658  *                 want to use \c mbedtls_ssl_conf_psk_cb() instead.
02659  *
02660  * \warning        Currently, clients can only register a single pre-shared key.
02661  *                 Calling this function or mbedtls_ssl_conf_psk_opaque() more
02662  *                 than once will overwrite values configured in previous calls.
02663  *                 Support for setting multiple PSKs on clients and selecting
02664  *                 one based on the identity hint is not a planned feature,
02665  *                 but feedback is welcomed.
02666  *
02667  * \param conf     The SSL configuration to register the PSK with.
02668  * \param psk      The pointer to the pre-shared key to use.
02669  * \param psk_len  The length of the pre-shared key in bytes.
02670  * \param psk_identity      The pointer to the pre-shared key identity.
02671  * \param psk_identity_len  The length of the pre-shared key identity
02672  *                          in bytes.
02673  *
02674  * \note           The PSK and its identity are copied internally and
02675  *                 hence need not be preserved by the caller for the lifetime
02676  *                 of the SSL configuration.
02677  *
02678  * \return         \c 0 if successful.
02679  * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
02680  */
02681 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
02682                 const unsigned char *psk, size_t psk_len,
02683                 const unsigned char *psk_identity, size_t psk_identity_len );
02684 
02685 #if defined(MBEDTLS_USE_PSA_CRYPTO)
02686 /**
02687  * \brief          Configure an opaque pre-shared key (PSK) and identity
02688  *                 to be used in PSK-based ciphersuites.
02689  *
02690  * \note           This is mainly useful for clients. Servers will usually
02691  *                 want to use \c mbedtls_ssl_conf_psk_cb() instead.
02692  *
02693  * \warning        Currently, clients can only register a single pre-shared key.
02694  *                 Calling this function or mbedtls_ssl_conf_psk() more than
02695  *                 once will overwrite values configured in previous calls.
02696  *                 Support for setting multiple PSKs on clients and selecting
02697  *                 one based on the identity hint is not a planned feature,
02698  *                 but feedback is welcomed.
02699  *
02700  * \param conf     The SSL configuration to register the PSK with.
02701  * \param psk      The identifier of the key slot holding the PSK.
02702  *                 Until \p conf is destroyed or this function is successfully
02703  *                 called again, the key slot \p psk must be populated with a
02704  *                 key of type PSA_ALG_CATEGORY_KEY_DERIVATION whose policy
02705  *                 allows its use for the key derivation algorithm applied
02706  *                 in the handshake.
02707  * \param psk_identity      The pointer to the pre-shared key identity.
02708  * \param psk_identity_len  The length of the pre-shared key identity
02709  *                          in bytes.
02710  *
02711  * \note           The PSK identity hint is copied internally and hence need
02712  *                 not be preserved by the caller for the lifetime of the
02713  *                 SSL configuration.
02714  *
02715  * \return         \c 0 if successful.
02716  * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
02717  */
02718 int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
02719                                  psa_key_handle_t psk,
02720                                  const unsigned char *psk_identity,
02721                                  size_t psk_identity_len );
02722 #endif /* MBEDTLS_USE_PSA_CRYPTO */
02723 
02724 /**
02725  * \brief          Set the pre-shared Key (PSK) for the current handshake.
02726  *
02727  * \note           This should only be called inside the PSK callback,
02728  *                 i.e. the function passed to \c mbedtls_ssl_conf_psk_cb().
02729  *
02730  * \param ssl      The SSL context to configure a PSK for.
02731  * \param psk      The pointer to the pre-shared key.
02732  * \param psk_len  The length of the pre-shared key in bytes.
02733  *
02734  * \return         \c 0 if successful.
02735  * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
02736  */
02737 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
02738                             const unsigned char *psk, size_t psk_len );
02739 
02740 #if defined(MBEDTLS_USE_PSA_CRYPTO)
02741 /**
02742  * \brief          Set an opaque pre-shared Key (PSK) for the current handshake.
02743  *
02744  * \note           This should only be called inside the PSK callback,
02745  *                 i.e. the function passed to \c mbedtls_ssl_conf_psk_cb().
02746  *
02747  * \param ssl      The SSL context to configure a PSK for.
02748  * \param psk      The identifier of the key slot holding the PSK.
02749  *                 For the duration of the current handshake, the key slot
02750  *                 must be populated with a key of type
02751  *                 PSA_ALG_CATEGORY_KEY_DERIVATION whose policy allows its
02752  *                 use for the key derivation algorithm
02753  *                 applied in the handshake.
02754   *
02755  * \return         \c 0 if successful.
02756  * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
02757  */
02758 int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
02759                                    psa_key_handle_t psk );
02760 #endif /* MBEDTLS_USE_PSA_CRYPTO */
02761 
02762 /**
02763  * \brief          Set the PSK callback (server-side only).
02764  *
02765  *                 If set, the PSK callback is called for each
02766  *                 handshake where a PSK-based ciphersuite was negotiated.
02767  *                 The caller provides the identity received and wants to
02768  *                 receive the actual PSK data and length.
02769  *
02770  *                 The callback has the following parameters:
02771  *                 - \c void*: The opaque pointer \p p_psk.
02772  *                 - \c mbedtls_ssl_context*: The SSL context to which
02773  *                                            the operation applies.
02774  *                 - \c const unsigned char*: The PSK identity
02775  *                                            selected by the client.
02776  *                 - \c size_t: The length of the PSK identity
02777  *                              selected by the client.
02778  *
02779  *                 If a valid PSK identity is found, the callback should use
02780  *                 \c mbedtls_ssl_set_hs_psk() or
02781  *                 \c mbedtls_ssl_set_hs_psk_opaque()
02782  *                 on the SSL context to set the correct PSK and return \c 0.
02783  *                 Any other return value will result in a denied PSK identity.
02784  *
02785  * \note           If you set a PSK callback using this function, then you
02786  *                 don't need to set a PSK key and identity using
02787  *                 \c mbedtls_ssl_conf_psk().
02788  *
02789  * \param conf     The SSL configuration to register the callback with.
02790  * \param f_psk    The callback for selecting and setting the PSK based
02791  *                 in the PSK identity chosen by the client.
02792  * \param p_psk    A pointer to an opaque structure to be passed to
02793  *                 the callback, for example a PSK store.
02794  */
02795 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
02796                      int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
02797                                   size_t),
02798                      void *p_psk );
02799 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
02800 
02801 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
02802 
02803 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
02804 
02805 #if defined(MBEDTLS_DEPRECATED_WARNING)
02806 #define MBEDTLS_DEPRECATED    __attribute__((deprecated))
02807 #else
02808 #define MBEDTLS_DEPRECATED
02809 #endif
02810 
02811 /**
02812  * \brief          Set the Diffie-Hellman public P and G values,
02813  *                 read as hexadecimal strings (server-side only)
02814  *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG])
02815  *
02816  * \param conf     SSL configuration
02817  * \param dhm_P    Diffie-Hellman-Merkle modulus
02818  * \param dhm_G    Diffie-Hellman-Merkle generator
02819  *
02820  * \deprecated     Superseded by \c mbedtls_ssl_conf_dh_param_bin.
02821  *
02822  * \return         0 if successful
02823  */
02824 MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf,
02825                                                   const char *dhm_P,
02826                                                   const char *dhm_G );
02827 
02828 #endif /* MBEDTLS_DEPRECATED_REMOVED */
02829 
02830 /**
02831  * \brief          Set the Diffie-Hellman public P and G values
02832  *                 from big-endian binary presentations.
02833  *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN)
02834  *
02835  * \param conf     SSL configuration
02836  * \param dhm_P    Diffie-Hellman-Merkle modulus in big-endian binary form
02837  * \param P_len    Length of DHM modulus
02838  * \param dhm_G    Diffie-Hellman-Merkle generator in big-endian binary form
02839  * \param G_len    Length of DHM generator
02840  *
02841  * \return         0 if successful
02842  */
02843 int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
02844                                    const unsigned char *dhm_P, size_t P_len,
02845                                    const unsigned char *dhm_G,  size_t G_len );
02846 
02847 /**
02848  * \brief          Set the Diffie-Hellman public P and G values,
02849  *                 read from existing context (server-side only)
02850  *
02851  * \param conf     SSL configuration
02852  * \param dhm_ctx  Diffie-Hellman-Merkle context
02853  *
02854  * \return         0 if successful
02855  */
02856 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx );
02857 #endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */
02858 
02859 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
02860 /**
02861  * \brief          Set the minimum length for Diffie-Hellman parameters.
02862  *                 (Client-side only.)
02863  *                 (Default: 1024 bits.)
02864  *
02865  * \param conf     SSL configuration
02866  * \param bitlen   Minimum bit length of the DHM prime
02867  */
02868 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
02869                                       unsigned int bitlen );
02870 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
02871 
02872 #if defined(MBEDTLS_ECP_C)
02873 /**
02874  * \brief          Set the allowed curves in order of preference.
02875  *                 (Default: all defined curves.)
02876  *
02877  *                 On server: this only affects selection of the ECDHE curve;
02878  *                 the curves used for ECDH and ECDSA are determined by the
02879  *                 list of available certificates instead.
02880  *
02881  *                 On client: this affects the list of curves offered for any
02882  *                 use. The server can override our preference order.
02883  *
02884  *                 Both sides: limits the set of curves accepted for use in
02885  *                 ECDHE and in the peer's end-entity certificate.
02886  *
02887  * \note           This has no influence on which curves are allowed inside the
02888  *                 certificate chains, see \c mbedtls_ssl_conf_cert_profile()
02889  *                 for that. For the end-entity certificate however, the key
02890  *                 will be accepted only if it is allowed both by this list
02891  *                 and by the cert profile.
02892  *
02893  * \note           This list should be ordered by decreasing preference
02894  *                 (preferred curve first).
02895  *
02896  * \param conf     SSL configuration
02897  * \param curves   Ordered list of allowed curves,
02898  *                 terminated by MBEDTLS_ECP_DP_NONE.
02899  */
02900 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
02901                               const mbedtls_ecp_group_id *curves );
02902 #endif /* MBEDTLS_ECP_C */
02903 
02904 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
02905 /**
02906  * \brief          Set the allowed hashes for signatures during the handshake.
02907  *                 (Default: all available hashes except MD5.)
02908  *
02909  * \note           This only affects which hashes are offered and can be used
02910  *                 for signatures during the handshake. Hashes for message
02911  *                 authentication and the TLS PRF are controlled by the
02912  *                 ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes
02913  *                 used for certificate signature are controlled by the
02914  *                 verification profile, see \c mbedtls_ssl_conf_cert_profile().
02915  *
02916  * \note           This list should be ordered by decreasing preference
02917  *                 (preferred hash first).
02918  *
02919  * \param conf     SSL configuration
02920  * \param hashes   Ordered list of allowed signature hashes,
02921  *                 terminated by \c MBEDTLS_MD_NONE.
02922  */
02923 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
02924                                   const int *hashes );
02925 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
02926 
02927 #if defined(MBEDTLS_X509_CRT_PARSE_C)
02928 /**
02929  * \brief          Set or reset the hostname to check against the received
02930  *                 server certificate. It sets the ServerName TLS extension,
02931  *                 too, if that extension is enabled. (client-side only)
02932  *
02933  * \param ssl      SSL context
02934  * \param hostname the server hostname, may be NULL to clear hostname
02935 
02936  * \note           Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
02937  *
02938  * \return         0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
02939  *                 allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
02940  *                 too long input hostname.
02941  *
02942  *                 Hostname set to the one provided on success (cleared
02943  *                 when NULL). On allocation failure hostname is cleared.
02944  *                 On too long input failure, old hostname is unchanged.
02945  */
02946 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
02947 #endif /* MBEDTLS_X509_CRT_PARSE_C */
02948 
02949 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
02950 /**
02951  * \brief          Set own certificate and key for the current handshake
02952  *
02953  * \note           Same as \c mbedtls_ssl_conf_own_cert() but for use within
02954  *                 the SNI callback.
02955  *
02956  * \param ssl      SSL context
02957  * \param own_cert own public certificate chain
02958  * \param pk_key   own private key
02959  *
02960  * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
02961  */
02962 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
02963                                  mbedtls_x509_crt *own_cert,
02964                                  mbedtls_pk_context *pk_key );
02965 
02966 /**
02967  * \brief          Set the data required to verify peer certificate for the
02968  *                 current handshake
02969  *
02970  * \note           Same as \c mbedtls_ssl_conf_ca_chain() but for use within
02971  *                 the SNI callback.
02972  *
02973  * \param ssl      SSL context
02974  * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
02975  * \param ca_crl   trusted CA CRLs
02976  */
02977 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
02978                                   mbedtls_x509_crt *ca_chain,
02979                                   mbedtls_x509_crl *ca_crl );
02980 
02981 /**
02982  * \brief          Set authmode for the current handshake.
02983  *
02984  * \note           Same as \c mbedtls_ssl_conf_authmode() but for use within
02985  *                 the SNI callback.
02986  *
02987  * \param ssl      SSL context
02988  * \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or
02989  *                 MBEDTLS_SSL_VERIFY_REQUIRED
02990  */
02991 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
02992                                   int authmode );
02993 
02994 /**
02995  * \brief          Set server side ServerName TLS extension callback
02996  *                 (optional, server-side only).
02997  *
02998  *                 If set, the ServerName callback is called whenever the
02999  *                 server receives a ServerName TLS extension from the client
03000  *                 during a handshake. The ServerName callback has the
03001  *                 following parameters: (void *parameter, mbedtls_ssl_context *ssl,
03002  *                 const unsigned char *hostname, size_t len). If a suitable
03003  *                 certificate is found, the callback must set the
03004  *                 certificate(s) and key(s) to use with \c
03005  *                 mbedtls_ssl_set_hs_own_cert() (can be called repeatedly),
03006  *                 and may optionally adjust the CA and associated CRL with \c
03007  *                 mbedtls_ssl_set_hs_ca_chain() as well as the client
03008  *                 authentication mode with \c mbedtls_ssl_set_hs_authmode(),
03009  *                 then must return 0. If no matching name is found, the
03010  *                 callback must either set a default cert, or
03011  *                 return non-zero to abort the handshake at this point.
03012  *
03013  * \param conf     SSL configuration
03014  * \param f_sni    verification function
03015  * \param p_sni    verification parameter
03016  */
03017 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
03018                   int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *,
03019                                size_t),
03020                   void *p_sni );
03021 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
03022 
03023 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
03024 /**
03025  * \brief          Set the EC J-PAKE password for current handshake.
03026  *
03027  * \note           An internal copy is made, and destroyed as soon as the
03028  *                 handshake is completed, or when the SSL context is reset or
03029  *                 freed.
03030  *
03031  * \note           The SSL context needs to be already set up. The right place
03032  *                 to call this function is between \c mbedtls_ssl_setup() or
03033  *                 \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake().
03034  *
03035  * \param ssl      SSL context
03036  * \param pw       EC J-PAKE password (pre-shared secret)
03037  * \param pw_len   length of pw in bytes
03038  *
03039  * \return         0 on success, or a negative error code.
03040  */
03041 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
03042                                          const unsigned char *pw,
03043                                          size_t pw_len );
03044 #endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
03045 
03046 #if defined(MBEDTLS_SSL_ALPN)
03047 /**
03048  * \brief          Set the supported Application Layer Protocols.
03049  *
03050  * \param conf     SSL configuration
03051  * \param protos   Pointer to a NULL-terminated list of supported protocols,
03052  *                 in decreasing preference order. The pointer to the list is
03053  *                 recorded by the library for later reference as required, so
03054  *                 the lifetime of the table must be atleast as long as the
03055  *                 lifetime of the SSL configuration structure.
03056  *
03057  * \return         0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
03058  */
03059 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos );
03060 
03061 /**
03062  * \brief          Get the name of the negotiated Application Layer Protocol.
03063  *                 This function should be called after the handshake is
03064  *                 completed.
03065  *
03066  * \param ssl      SSL context
03067  *
03068  * \return         Protcol name, or NULL if no protocol was negotiated.
03069  */
03070 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
03071 #endif /* MBEDTLS_SSL_ALPN */
03072 
03073 /**
03074  * \brief          Set the maximum supported version sent from the client side
03075  *                 and/or accepted at the server side
03076  *                 (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION)
03077  *
03078  * \note           This ignores ciphersuites from higher versions.
03079  *
03080  * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
03081  *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
03082  *
03083  * \param conf     SSL configuration
03084  * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
03085  * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
03086  *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
03087  *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
03088  */
03089 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
03090 
03091 /**
03092  * \brief          Set the minimum accepted SSL/TLS protocol version
03093  *                 (Default: TLS 1.0)
03094  *
03095  * \note           Input outside of the SSL_MAX_XXXXX_VERSION and
03096  *                 SSL_MIN_XXXXX_VERSION range is ignored.
03097  *
03098  * \note           MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
03099  *
03100  * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
03101  *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
03102  *
03103  * \param conf     SSL configuration
03104  * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
03105  * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
03106  *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
03107  *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
03108  */
03109 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
03110 
03111 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
03112 /**
03113  * \brief          Set the fallback flag (client-side only).
03114  *                 (Default: MBEDTLS_SSL_IS_NOT_FALLBACK).
03115  *
03116  * \note           Set to MBEDTLS_SSL_IS_FALLBACK when preparing a fallback
03117  *                 connection, that is a connection with max_version set to a
03118  *                 lower value than the value you're willing to use. Such
03119  *                 fallback connections are not recommended but are sometimes
03120  *                 necessary to interoperate with buggy (version-intolerant)
03121  *                 servers.
03122  *
03123  * \warning        You should NOT set this to MBEDTLS_SSL_IS_FALLBACK for
03124  *                 non-fallback connections! This would appear to work for a
03125  *                 while, then cause failures when the server is upgraded to
03126  *                 support a newer TLS version.
03127  *
03128  * \param conf     SSL configuration
03129  * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK
03130  */
03131 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback );
03132 #endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */
03133 
03134 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
03135 /**
03136  * \brief           Enable or disable Encrypt-then-MAC
03137  *                  (Default: MBEDTLS_SSL_ETM_ENABLED)
03138  *
03139  * \note            This should always be enabled, it is a security
03140  *                  improvement, and should not cause any interoperability
03141  *                  issue (used only if the peer supports it too).
03142  *
03143  * \param conf      SSL configuration
03144  * \param etm       MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED
03145  */
03146 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
03147 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
03148 
03149 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
03150 /**
03151  * \brief           Enable or disable Extended Master Secret negotiation.
03152  *                  (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED)
03153  *
03154  * \note            This should always be enabled, it is a security fix to the
03155  *                  protocol, and should not cause any interoperability issue
03156  *                  (used only if the peer supports it too).
03157  *
03158  * \param conf      SSL configuration
03159  * \param ems       MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
03160  */
03161 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
03162 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
03163 
03164 #if defined(MBEDTLS_ARC4_C)
03165 /**
03166  * \brief          Disable or enable support for RC4
03167  *                 (Default: MBEDTLS_SSL_ARC4_DISABLED)
03168  *
03169  * \warning        Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
03170  *                 for security reasons. Use at your own risk.
03171  *
03172  * \note           This function is deprecated and will likely be removed in
03173  *                 a future version of the library.
03174  *                 RC4 is disabled by default at compile time and needs to be
03175  *                 actively enabled for use with legacy systems.
03176  *
03177  * \param conf     SSL configuration
03178  * \param arc4     MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED
03179  */
03180 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
03181 #endif /* MBEDTLS_ARC4_C */
03182 
03183 #if defined(MBEDTLS_SSL_SRV_C)
03184 /**
03185  * \brief          Whether to send a list of acceptable CAs in
03186  *                 CertificateRequest messages.
03187  *                 (Default: do send)
03188  *
03189  * \param conf     SSL configuration
03190  * \param cert_req_ca_list   MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
03191  *                          MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
03192  */
03193 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
03194                                           char cert_req_ca_list );
03195 #endif /* MBEDTLS_SSL_SRV_C */
03196 
03197 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
03198 /**
03199  * \brief          Set the maximum fragment length to emit and/or negotiate.
03200  *                 (Typical: the smaller of #MBEDTLS_SSL_IN_CONTENT_LEN and
03201  *                 #MBEDTLS_SSL_OUT_CONTENT_LEN, usually `2^14` bytes)
03202  *                 (Server: set maximum fragment length to emit,
03203  *                 usually negotiated by the client during handshake)
03204  *                 (Client: set maximum fragment length to emit *and*
03205  *                 negotiate with the server during handshake)
03206  *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
03207  *
03208  * \note           On the client side, the maximum fragment length extension
03209  *                 *will not* be used, unless the maximum fragment length has
03210  *                 been set via this function to a value different than
03211  *                 #MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
03212  *
03213  * \note           With TLS, this currently only affects ApplicationData (sent
03214  *                 with \c mbedtls_ssl_read()), not handshake messages.
03215  *                 With DTLS, this affects both ApplicationData and handshake.
03216  *
03217  * \note           This sets the maximum length for a record's payload,
03218  *                 excluding record overhead that will be added to it, see
03219  *                 \c mbedtls_ssl_get_record_expansion().
03220  *
03221  * \note           For DTLS, it is also possible to set a limit for the total
03222  *                 size of daragrams passed to the transport layer, including
03223  *                 record overhead, see \c mbedtls_ssl_set_mtu().
03224  *
03225  * \param conf     SSL configuration
03226  * \param mfl_code Code for maximum fragment length (allowed values:
03227  *                 MBEDTLS_SSL_MAX_FRAG_LEN_512,  MBEDTLS_SSL_MAX_FRAG_LEN_1024,
03228  *                 MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096)
03229  *
03230  * \return         0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA
03231  */
03232 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code );
03233 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
03234 
03235 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
03236 /**
03237  * \brief          Activate negotiation of truncated HMAC
03238  *                 (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
03239  *
03240  * \param conf     SSL configuration
03241  * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
03242  *                                    MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
03243  */
03244 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate );
03245 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
03246 
03247 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
03248 /**
03249  * \brief          Enable / Disable 1/n-1 record splitting
03250  *                 (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED)
03251  *
03252  * \note           Only affects SSLv3 and TLS 1.0, not higher versions.
03253  *                 Does not affect non-CBC ciphersuites in any version.
03254  *
03255  * \param conf     SSL configuration
03256  * \param split    MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or
03257  *                 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
03258  */
03259 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split );
03260 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
03261 
03262 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
03263 /**
03264  * \brief          Enable / Disable session tickets (client only).
03265  *                 (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
03266  *
03267  * \note           On server, use \c mbedtls_ssl_conf_session_tickets_cb().
03268  *
03269  * \param conf     SSL configuration
03270  * \param use_tickets   Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
03271  *                                         MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
03272  */
03273 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
03274 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
03275 
03276 #if defined(MBEDTLS_SSL_RENEGOTIATION)
03277 /**
03278  * \brief          Enable / Disable renegotiation support for connection when
03279  *                 initiated by peer
03280  *                 (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED)
03281  *
03282  * \warning        It is recommended to always disable renegotation unless you
03283  *                 know you need it and you know what you're doing. In the
03284  *                 past, there have been several issues associated with
03285  *                 renegotiation or a poor understanding of its properties.
03286  *
03287  * \note           Server-side, enabling renegotiation also makes the server
03288  *                 susceptible to a resource DoS by a malicious client.
03289  *
03290  * \param conf    SSL configuration
03291  * \param renegotiation     Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or
03292  *                                             MBEDTLS_SSL_RENEGOTIATION_DISABLED)
03293  */
03294 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
03295 #endif /* MBEDTLS_SSL_RENEGOTIATION */
03296 
03297 /**
03298  * \brief          Prevent or allow legacy renegotiation.
03299  *                 (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
03300  *
03301  *                 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to
03302  *                 be established even if the peer does not support
03303  *                 secure renegotiation, but does not allow renegotiation
03304  *                 to take place if not secure.
03305  *                 (Interoperable and secure option)
03306  *
03307  *                 MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations
03308  *                 with non-upgraded peers. Allowing legacy renegotiation
03309  *                 makes the connection vulnerable to specific man in the
03310  *                 middle attacks. (See RFC 5746)
03311  *                 (Most interoperable and least secure option)
03312  *
03313  *                 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections
03314  *                 if peer does not support secure renegotiation. Results
03315  *                 in interoperability issues with non-upgraded peers
03316  *                 that do not support renegotiation altogether.
03317  *                 (Most secure option, interoperability issues)
03318  *
03319  * \param conf     SSL configuration
03320  * \param allow_legacy  Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
03321  *                                        SSL_ALLOW_LEGACY_RENEGOTIATION or
03322  *                                        MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
03323  */
03324 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
03325 
03326 #if defined(MBEDTLS_SSL_RENEGOTIATION)
03327 /**
03328  * \brief          Enforce renegotiation requests.
03329  *                 (Default: enforced, max_records = 16)
03330  *
03331  *                 When we request a renegotiation, the peer can comply or
03332  *                 ignore the request. This function allows us to decide
03333  *                 whether to enforce our renegotiation requests by closing
03334  *                 the connection if the peer doesn't comply.
03335  *
03336  *                 However, records could already be in transit from the peer
03337  *                 when the request is emitted. In order to increase
03338  *                 reliability, we can accept a number of records before the
03339  *                 expected handshake records.
03340  *
03341  *                 The optimal value is highly dependent on the specific usage
03342  *                 scenario.
03343  *
03344  * \note           With DTLS and server-initiated renegotiation, the
03345  *                 HelloRequest is retransmited every time mbedtls_ssl_read() times
03346  *                 out or receives Application Data, until:
03347  *                 - max_records records have beens seen, if it is >= 0, or
03348  *                 - the number of retransmits that would happen during an
03349  *                 actual handshake has been reached.
03350  *                 Please remember the request might be lost a few times
03351  *                 if you consider setting max_records to a really low value.
03352  *
03353  * \warning        On client, the grace period can only happen during
03354  *                 mbedtls_ssl_read(), as opposed to mbedtls_ssl_write() and mbedtls_ssl_renegotiate()
03355  *                 which always behave as if max_record was 0. The reason is,
03356  *                 if we receive application data from the server, we need a
03357  *                 place to write it, which only happens during mbedtls_ssl_read().
03358  *
03359  * \param conf     SSL configuration
03360  * \param max_records Use MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
03361  *                 enforce renegotiation, or a non-negative value to enforce
03362  *                 it but allow for a grace period of max_records records.
03363  */
03364 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records );
03365 
03366 /**
03367  * \brief          Set record counter threshold for periodic renegotiation.
03368  *                 (Default: 2^48 - 1)
03369  *
03370  *                 Renegotiation is automatically triggered when a record
03371  *                 counter (outgoing or incoming) crosses the defined
03372  *                 threshold. The default value is meant to prevent the
03373  *                 connection from being closed when the counter is about to
03374  *                 reached its maximal value (it is not allowed to wrap).
03375  *
03376  *                 Lower values can be used to enforce policies such as "keys
03377  *                 must be refreshed every N packets with cipher X".
03378  *
03379  *                 The renegotiation period can be disabled by setting
03380  *                 conf->disable_renegotiation to
03381  *                 MBEDTLS_SSL_RENEGOTIATION_DISABLED.
03382  *
03383  * \note           When the configured transport is
03384  *                 MBEDTLS_SSL_TRANSPORT_DATAGRAM the maximum renegotiation
03385  *                 period is 2^48 - 1, and for MBEDTLS_SSL_TRANSPORT_STREAM,
03386  *                 the maximum renegotiation period is 2^64 - 1.
03387  *
03388  * \param conf     SSL configuration
03389  * \param period   The threshold value: a big-endian 64-bit number.
03390  */
03391 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
03392                                    const unsigned char period[8] );
03393 #endif /* MBEDTLS_SSL_RENEGOTIATION */
03394 
03395 /**
03396  * \brief          Check if there is data already read from the
03397  *                 underlying transport but not yet processed.
03398  *
03399  * \param ssl      SSL context
03400  *
03401  * \return         0 if nothing's pending, 1 otherwise.
03402  *
03403  * \note           This is different in purpose and behaviour from
03404  *                 \c mbedtls_ssl_get_bytes_avail in that it considers
03405  *                 any kind of unprocessed data, not only unread
03406  *                 application data. If \c mbedtls_ssl_get_bytes
03407  *                 returns a non-zero value, this function will
03408  *                 also signal pending data, but the converse does
03409  *                 not hold. For example, in DTLS there might be
03410  *                 further records waiting to be processed from
03411  *                 the current underlying transport's datagram.
03412  *
03413  * \note           If this function returns 1 (data pending), this
03414  *                 does not imply that a subsequent call to
03415  *                 \c mbedtls_ssl_read will provide any data;
03416  *                 e.g., the unprocessed data might turn out
03417  *                 to be an alert or a handshake message.
03418  *
03419  * \note           This function is useful in the following situation:
03420  *                 If the SSL/TLS module successfully returns from an
03421  *                 operation - e.g. a handshake or an application record
03422  *                 read - and you're awaiting incoming data next, you
03423  *                 must not immediately idle on the underlying transport
03424  *                 to have data ready, but you need to check the value
03425  *                 of this function first. The reason is that the desired
03426  *                 data might already be read but not yet processed.
03427  *                 If, in contrast, a previous call to the SSL/TLS module
03428  *                 returned MBEDTLS_ERR_SSL_WANT_READ, it is not necessary
03429  *                 to call this function, as the latter error code entails
03430  *                 that all internal data has been processed.
03431  *
03432  */
03433 int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl );
03434 
03435 /**
03436  * \brief          Return the number of application data bytes
03437  *                 remaining to be read from the current record.
03438  *
03439  * \param ssl      SSL context
03440  *
03441  * \return         How many bytes are available in the application
03442  *                 data record read buffer.
03443  *
03444  * \note           When working over a datagram transport, this is
03445  *                 useful to detect the current datagram's boundary
03446  *                 in case \c mbedtls_ssl_read has written the maximal
03447  *                 amount of data fitting into the input buffer.
03448  *
03449  */
03450 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
03451 
03452 /**
03453  * \brief          Return the result of the certificate verification
03454  *
03455  * \param ssl      The SSL context to use.
03456  *
03457  * \return         \c 0 if the certificate verification was successful.
03458  * \return         \c -1u if the result is not available. This may happen
03459  *                 e.g. if the handshake aborts early, or a verification
03460  *                 callback returned a fatal error.
03461  * \return         A bitwise combination of \c MBEDTLS_X509_BADCERT_XXX
03462  *                 and \c MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h.
03463  */
03464 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
03465 
03466 /**
03467  * \brief          Return the name of the current ciphersuite
03468  *
03469  * \param ssl      SSL context
03470  *
03471  * \return         a string containing the ciphersuite name
03472  */
03473 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl );
03474 
03475 /**
03476  * \brief          Return the current SSL version (SSLv3/TLSv1/etc)
03477  *
03478  * \param ssl      SSL context
03479  *
03480  * \return         a string containing the SSL version
03481  */
03482 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl );
03483 
03484 /**
03485  * \brief          Return the (maximum) number of bytes added by the record
03486  *                 layer: header + encryption/MAC overhead (inc. padding)
03487  *
03488  * \note           This function is not available (always returns an error)
03489  *                 when record compression is enabled.
03490  *
03491  * \param ssl      SSL context
03492  *
03493  * \return         Current maximum record expansion in bytes, or
03494  *                 MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if compression is
03495  *                 enabled, which makes expansion much less predictable
03496  */
03497 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
03498 
03499 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
03500 /**
03501  * \brief          Return the maximum fragment length (payload, in bytes).
03502  *                 This is the value negotiated with peer if any,
03503  *                 or the locally configured value.
03504  *
03505  * \sa             mbedtls_ssl_conf_max_frag_len()
03506  * \sa             mbedtls_ssl_get_max_record_payload()
03507  *
03508  * \param ssl      SSL context
03509  *
03510  * \return         Current maximum fragment length.
03511  */
03512 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
03513 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
03514 
03515 /**
03516  * \brief          Return the current maximum outgoing record payload in bytes.
03517  *                 This takes into account the config.h setting \c
03518  *                 MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated
03519  *                 max fragment length extension if used, and for DTLS the
03520  *                 path MTU as configured and current record expansion.
03521  *
03522  * \note           With DTLS, \c mbedtls_ssl_write() will return an error if
03523  *                 called with a larger length value.
03524  *                 With TLS, \c mbedtls_ssl_write() will fragment the input if
03525  *                 necessary and return the number of bytes written; it is up
03526  *                 to the caller to call \c mbedtls_ssl_write() again in
03527  *                 order to send the remaining bytes if any.
03528  *
03529  * \note           This function is not available (always returns an error)
03530  *                 when record compression is enabled.
03531  *
03532  * \sa             mbedtls_ssl_set_mtu()
03533  * \sa             mbedtls_ssl_get_max_frag_len()
03534  * \sa             mbedtls_ssl_get_record_expansion()
03535  *
03536  * \param ssl      SSL context
03537  *
03538  * \return         Current maximum payload for an outgoing record,
03539  *                 or a negative error code.
03540  */
03541 int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
03542 
03543 #if defined(MBEDTLS_X509_CRT_PARSE_C)
03544 /**
03545  * \brief          Return the peer certificate from the current connection.
03546  *
03547  * \param  ssl     The SSL context to use. This must be initialized and setup.
03548  *
03549  * \return         The current peer certificate, if available.
03550  *                 The returned certificate is owned by the SSL context and
03551  *                 is valid only until the next call to the SSL API.
03552  * \return         \c NULL if no peer certificate is available. This might
03553  *                 be because the chosen ciphersuite doesn't use CRTs
03554  *                 (PSK-based ciphersuites, for example), or because
03555  *                 #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled,
03556  *                 allowing the stack to free the peer's CRT to save memory.
03557  *
03558  * \note           For one-time inspection of the peer's certificate during
03559  *                 the handshake, consider registering an X.509 CRT verification
03560  *                 callback through mbedtls_ssl_conf_verify() instead of calling
03561  *                 this function. Using mbedtls_ssl_conf_verify() also comes at
03562  *                 the benefit of allowing you to influence the verification
03563  *                 process, for example by masking expected and tolerated
03564  *                 verification failures.
03565  *
03566  * \warning        You must not use the pointer returned by this function
03567  *                 after any further call to the SSL API, including
03568  *                 mbedtls_ssl_read() and mbedtls_ssl_write(); this is
03569  *                 because the pointer might change during renegotiation,
03570  *                 which happens transparently to the user.
03571  *                 If you want to use the certificate across API calls,
03572  *                 you must make a copy.
03573  */
03574 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl );
03575 #endif /* MBEDTLS_X509_CRT_PARSE_C */
03576 
03577 #if defined(MBEDTLS_SSL_CLI_C)
03578 /**
03579  * \brief          Save session in order to resume it later (client-side only)
03580  *                 Session data is copied to presented session structure.
03581  *
03582  *
03583  * \param ssl      SSL context
03584  * \param session  session context
03585  *
03586  * \return         0 if successful,
03587  *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
03588  *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
03589  *                 arguments are otherwise invalid.
03590  *
03591  * \note           Only the server certificate is copied, and not the full chain,
03592  *                 so you should not attempt to validate the certificate again
03593  *                 by calling \c mbedtls_x509_crt_verify() on it.
03594  *                 Instead, you should use the results from the verification
03595  *                 in the original handshake by calling \c mbedtls_ssl_get_verify_result()
03596  *                 after loading the session again into a new SSL context
03597  *                 using \c mbedtls_ssl_set_session().
03598  *
03599  * \note           Once the session object is not needed anymore, you should
03600  *                 free it by calling \c mbedtls_ssl_session_free().
03601  *
03602  * \sa             mbedtls_ssl_set_session()
03603  */
03604 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session );
03605 #endif /* MBEDTLS_SSL_CLI_C */
03606 
03607 /**
03608  * \brief          Perform the SSL handshake
03609  *
03610  * \param ssl      SSL context
03611  *
03612  * \return         \c 0 if successful.
03613  * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
03614  *                 if the handshake is incomplete and waiting for data to
03615  *                 be available for reading from or writing to the underlying
03616  *                 transport - in this case you must call this function again
03617  *                 when the underlying transport is ready for the operation.
03618  * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
03619  *                 operation is in progress (see
03620  *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
03621  *                 must call this function again when the operation is ready.
03622  * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
03623  *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
03624  *                 in this case you must call this function again to complete
03625  *                 the handshake when you're done attending other tasks.
03626  * \return         #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
03627  *                 and the client did not demonstrate reachability yet - in
03628  *                 this case you must stop using the context (see below).
03629  * \return         Another SSL error code - in this case you must stop using
03630  *                 the context (see below).
03631  *
03632  * \warning        If this function returns something other than
03633  *                 \c 0,
03634  *                 #MBEDTLS_ERR_SSL_WANT_READ,
03635  *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
03636  *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
03637  *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
03638  *                 you must stop using the SSL context for reading or writing,
03639  *                 and either free it or call \c mbedtls_ssl_session_reset()
03640  *                 on it before re-using it for a new connection; the current
03641  *                 connection must be closed.
03642  *
03643  * \note           If DTLS is in use, then you may choose to handle
03644  *                 #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
03645  *                 purposes, as it is an expected return value rather than an
03646  *                 actual error, but you still need to reset/free the context.
03647  *
03648  * \note           Remarks regarding event-driven DTLS:
03649  *                 If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
03650  *                 from the underlying transport layer is currently being processed,
03651  *                 and it is safe to idle until the timer or the underlying transport
03652  *                 signal a new event. This is not true for a successful handshake,
03653  *                 in which case the datagram of the underlying transport that is
03654  *                 currently being processed might or might not contain further
03655  *                 DTLS records.
03656  */
03657 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
03658 
03659 /**
03660  * \brief          Perform a single step of the SSL handshake
03661  *
03662  * \note           The state of the context (ssl->state) will be at
03663  *                 the next state after this function returns \c 0. Do not
03664  *                 call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
03665  *
03666  * \param ssl      SSL context
03667  *
03668  * \return         See mbedtls_ssl_handshake().
03669  *
03670  * \warning        If this function returns something other than \c 0,
03671  *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
03672  *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
03673  *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
03674  *                 the SSL context for reading or writing, and either free it
03675  *                 or call \c mbedtls_ssl_session_reset() on it before
03676  *                 re-using it for a new connection; the current connection
03677  *                 must be closed.
03678  */
03679 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
03680 
03681 #if defined(MBEDTLS_SSL_RENEGOTIATION)
03682 /**
03683  * \brief          Initiate an SSL renegotiation on the running connection.
03684  *                 Client: perform the renegotiation right now.
03685  *                 Server: request renegotiation, which will be performed
03686  *                 during the next call to mbedtls_ssl_read() if honored by
03687  *                 client.
03688  *
03689  * \param ssl      SSL context
03690  *
03691  * \return         0 if successful, or any mbedtls_ssl_handshake() return
03692  *                 value except #MBEDTLS_ERR_SSL_CLIENT_RECONNECT that can't
03693  *                 happen during a renegotiation.
03694  *
03695  * \warning        If this function returns something other than \c 0,
03696  *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
03697  *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
03698  *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
03699  *                 the SSL context for reading or writing, and either free it
03700  *                 or call \c mbedtls_ssl_session_reset() on it before
03701  *                 re-using it for a new connection; the current connection
03702  *                 must be closed.
03703  *
03704  */
03705 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
03706 #endif /* MBEDTLS_SSL_RENEGOTIATION */
03707 
03708 /**
03709  * \brief          Read at most 'len' application data bytes
03710  *
03711  * \param ssl      SSL context
03712  * \param buf      buffer that will hold the data
03713  * \param len      maximum number of bytes to read
03714  *
03715  * \return         The (positive) number of bytes read if successful.
03716  * \return         \c 0 if the read end of the underlying transport was closed
03717  *                 - in this case you must stop using the context (see below).
03718  * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
03719  *                 if the handshake is incomplete and waiting for data to
03720  *                 be available for reading from or writing to the underlying
03721  *                 transport - in this case you must call this function again
03722  *                 when the underlying transport is ready for the operation.
03723  * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
03724  *                 operation is in progress (see
03725  *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
03726  *                 must call this function again when the operation is ready.
03727  * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
03728  *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
03729  *                 in this case you must call this function again to complete
03730  *                 the handshake when you're done attending other tasks.
03731  * \return         #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
03732  *                 side of a DTLS connection and the client is initiating a
03733  *                 new connection using the same source port. See below.
03734  * \return         Another SSL error code - in this case you must stop using
03735  *                 the context (see below).
03736  *
03737  * \warning        If this function returns something other than
03738  *                 a positive value,
03739  *                 #MBEDTLS_ERR_SSL_WANT_READ,
03740  *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
03741  *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
03742  *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
03743  *                 #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
03744  *                 you must stop using the SSL context for reading or writing,
03745  *                 and either free it or call \c mbedtls_ssl_session_reset()
03746  *                 on it before re-using it for a new connection; the current
03747  *                 connection must be closed.
03748  *
03749  * \note           When this function returns #MBEDTLS_ERR_SSL_CLIENT_RECONNECT
03750  *                 (which can only happen server-side), it means that a client
03751  *                 is initiating a new connection using the same source port.
03752  *                 You can either treat that as a connection close and wait
03753  *                 for the client to resend a ClientHello, or directly
03754  *                 continue with \c mbedtls_ssl_handshake() with the same
03755  *                 context (as it has been reset internally). Either way, you
03756  *                 must make sure this is seen by the application as a new
03757  *                 connection: application state, if any, should be reset, and
03758  *                 most importantly the identity of the client must be checked
03759  *                 again. WARNING: not validating the identity of the client
03760  *                 again, or not transmitting the new identity to the
03761  *                 application layer, would allow authentication bypass!
03762  *
03763  * \note           Remarks regarding event-driven DTLS:
03764  *                 - If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
03765  *                   from the underlying transport layer is currently being processed,
03766  *                   and it is safe to idle until the timer or the underlying transport
03767  *                   signal a new event.
03768  *                 - This function may return MBEDTLS_ERR_SSL_WANT_READ even if data was
03769  *                   initially available on the underlying transport, as this data may have
03770  *                   been only e.g. duplicated messages or a renegotiation request.
03771  *                   Therefore, you must be prepared to receive MBEDTLS_ERR_SSL_WANT_READ even
03772  *                   when reacting to an incoming-data event from the underlying transport.
03773  *                 - On success, the datagram of the underlying transport that is currently
03774  *                   being processed may contain further DTLS records. You should call
03775  *                   \c mbedtls_ssl_check_pending to check for remaining records.
03776  *
03777  */
03778 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len );
03779 
03780 /**
03781  * \brief          Try to write exactly 'len' application data bytes
03782  *
03783  * \warning        This function will do partial writes in some cases. If the
03784  *                 return value is non-negative but less than length, the
03785  *                 function must be called again with updated arguments:
03786  *                 buf + ret, len - ret (if ret is the return value) until
03787  *                 it returns a value equal to the last 'len' argument.
03788  *
03789  * \param ssl      SSL context
03790  * \param buf      buffer holding the data
03791  * \param len      how many bytes must be written
03792  *
03793  * \return         The (non-negative) number of bytes actually written if
03794  *                 successful (may be less than \p len).
03795  * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
03796  *                 if the handshake is incomplete and waiting for data to
03797  *                 be available for reading from or writing to the underlying
03798  *                 transport - in this case you must call this function again
03799  *                 when the underlying transport is ready for the operation.
03800  * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
03801  *                 operation is in progress (see
03802  *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
03803  *                 must call this function again when the operation is ready.
03804  * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
03805  *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
03806  *                 in this case you must call this function again to complete
03807  *                 the handshake when you're done attending other tasks.
03808  * \return         Another SSL error code - in this case you must stop using
03809  *                 the context (see below).
03810  *
03811  * \warning        If this function returns something other than
03812  *                 a non-negative value,
03813  *                 #MBEDTLS_ERR_SSL_WANT_READ,
03814  *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
03815  *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
03816  *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
03817  *                 you must stop using the SSL context for reading or writing,
03818  *                 and either free it or call \c mbedtls_ssl_session_reset()
03819  *                 on it before re-using it for a new connection; the current
03820  *                 connection must be closed.
03821  *
03822  * \note           When this function returns #MBEDTLS_ERR_SSL_WANT_WRITE/READ,
03823  *                 it must be called later with the *same* arguments,
03824  *                 until it returns a value greater that or equal to 0. When
03825  *                 the function returns #MBEDTLS_ERR_SSL_WANT_WRITE there may be
03826  *                 some partial data in the output buffer, however this is not
03827  *                 yet sent.
03828  *
03829  * \note           If the requested length is greater than the maximum
03830  *                 fragment length (either the built-in limit or the one set
03831  *                 or negotiated with the peer), then:
03832  *                 - with TLS, less bytes than requested are written.
03833  *                 - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
03834  *                 \c mbedtls_ssl_get_max_frag_len() may be used to query the
03835  *                 active maximum fragment length.
03836  *
03837  * \note           Attempting to write 0 bytes will result in an empty TLS
03838  *                 application record being sent.
03839  */
03840 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len );
03841 
03842 /**
03843  * \brief           Send an alert message
03844  *
03845  * \param ssl       SSL context
03846  * \param level     The alert level of the message
03847  *                  (MBEDTLS_SSL_ALERT_LEVEL_WARNING or MBEDTLS_SSL_ALERT_LEVEL_FATAL)
03848  * \param message   The alert message (SSL_ALERT_MSG_*)
03849  *
03850  * \return          0 if successful, or a specific SSL error code.
03851  *
03852  * \note           If this function returns something other than 0 or
03853  *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
03854  *                 the SSL context for reading or writing, and either free it or
03855  *                 call \c mbedtls_ssl_session_reset() on it before re-using it
03856  *                 for a new connection; the current connection must be closed.
03857  */
03858 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
03859                             unsigned char level,
03860                             unsigned char message );
03861 /**
03862  * \brief          Notify the peer that the connection is being closed
03863  *
03864  * \param ssl      SSL context
03865  *
03866  * \return          0 if successful, or a specific SSL error code.
03867  *
03868  * \note           If this function returns something other than 0 or
03869  *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
03870  *                 the SSL context for reading or writing, and either free it or
03871  *                 call \c mbedtls_ssl_session_reset() on it before re-using it
03872  *                 for a new connection; the current connection must be closed.
03873  */
03874 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl );
03875 
03876 /**
03877  * \brief          Free referenced items in an SSL context and clear memory
03878  *
03879  * \param ssl      SSL context
03880  */
03881 void mbedtls_ssl_free( mbedtls_ssl_context *ssl );
03882 
03883 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
03884 /**
03885  * \brief          Save an active connection as serialized data in a buffer.
03886  *                 This allows the freeing or re-using of the SSL context
03887  *                 while still picking up the connection later in a way that
03888  *                 it entirely transparent to the peer.
03889  *
03890  * \see            mbedtls_ssl_context_load()
03891  *
03892  * \note           This feature is currently only available under certain
03893  *                 conditions, see the documentation of the return value
03894  *                 #MBEDTLS_ERR_SSL_BAD_INPUT_DATA for details.
03895  *
03896  * \note           When this function succeeds, it calls
03897  *                 mbedtls_ssl_session_reset() on \p ssl which as a result is
03898  *                 no longer associated with the connection that has been
03899  *                 serialized. This avoids creating copies of the connection
03900  *                 state. You're then free to either re-use the context
03901  *                 structure for a different connection, or call
03902  *                 mbedtls_ssl_free() on it. See the documentation of
03903  *                 mbedtls_ssl_session_reset() for more details.
03904  *
03905  * \param ssl      The SSL context to save. On success, it is no longer
03906  *                 associated with the connection that has been serialized.
03907  * \param buf      The buffer to write the serialized data to. It must be a
03908  *                 writeable buffer of at least \p buf_len bytes, or may be \c
03909  *                 NULL if \p buf_len is \c 0.
03910  * \param buf_len  The number of bytes available for writing in \p buf.
03911  * \param olen     The size in bytes of the data that has been or would have
03912  *                 been written. It must point to a valid \c size_t.
03913  *
03914  * \note           \p olen is updated to the correct value regardless of
03915  *                 whether \p buf_len was large enough. This makes it possible
03916  *                 to determine the necessary size by calling this function
03917  *                 with \p buf set to \c NULL and \p buf_len to \c 0. However,
03918  *                 the value of \p olen is only guaranteed to be correct when
03919  *                 the function returns #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL or
03920  *                 \c 0. If the return value is different, then the value of
03921  *                 \p olen is undefined.
03922  *
03923  * \return         \c 0 if successful.
03924  * \return         #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
03925  * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed
03926  *                 while reseting the context.
03927  * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if a handshake is in
03928  *                 progress, or there is pending data for reading or sending,
03929  *                 or the connection does not use DTLS 1.2 with an AEAD
03930  *                 ciphersuite, or renegotiation is enabled.
03931  */
03932 int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
03933                               unsigned char *buf,
03934                               size_t buf_len,
03935                               size_t *olen );
03936 
03937 /**
03938  * \brief          Load serialized connection data to an SSL context.
03939  *
03940  * \see            mbedtls_ssl_context_save()
03941  *
03942  * \warning        The same serialized data must never be loaded into more
03943  *                 that one context. In order to ensure that, after
03944  *                 successfully loading serialized data to an SSL context, you
03945  *                 should immediately destroy or invalidate all copies of the
03946  *                 serialized data that was loaded. Loading the same data in
03947  *                 more than one context would cause severe security failures
03948  *                 including but not limited to loss of confidentiality.
03949  *
03950  * \note           Before calling this function, the SSL context must be
03951  *                 prepared in one of the two following ways. The first way is
03952  *                 to take a context freshly initialised with
03953  *                 mbedtls_ssl_init() and call mbedtls_ssl_setup() on it with
03954  *                 the same ::mbedtls_ssl_config structure that was used in
03955  *                 the original connection. The second way is to
03956  *                 call mbedtls_ssl_session_reset() on a context that was
03957  *                 previously prepared as above but used in the meantime.
03958  *                 Either way, you must not use the context to perform a
03959  *                 handshake between calling mbedtls_ssl_setup() or
03960  *                 mbedtls_ssl_session_reset() and calling this function. You
03961  *                 may however call other setter functions in that time frame
03962  *                 as indicated in the note below.
03963  *
03964  * \note           Before or after calling this function successfully, you
03965  *                 also need to configure some connection-specific callbacks
03966  *                 and settings before you can use the connection again
03967  *                 (unless they were already set before calling
03968  *                 mbedtls_ssl_session_reset() and the values are suitable for
03969  *                 the present connection). Specifically, you want to call
03970  *                 at least mbedtls_ssl_set_bio() and
03971  *                 mbedtls_ssl_set_timer_cb(). All other SSL setter functions
03972  *                 are not necessary to call, either because they're only used
03973  *                 in handshakes, or because the setting is already saved. You
03974  *                 might choose to call them anyway, for example in order to
03975  *                 share code between the cases of establishing a new
03976  *                 connection and the case of loading an already-established
03977  *                 connection.
03978  *
03979  * \note           If you have new information about the path MTU, you want to
03980  *                 call mbedtls_ssl_set_mtu() after calling this function, as
03981  *                 otherwise this function would overwrite your
03982  *                 newly-configured value with the value that was active when
03983  *                 the context was saved.
03984  *
03985  * \note           When this function returns an error code, it calls
03986  *                 mbedtls_ssl_free() on \p ssl. In this case, you need to
03987  *                 prepare the context with the usual sequence starting with a
03988  *                 call to mbedtls_ssl_init() if you want to use it again.
03989  *
03990  * \param ssl      The SSL context structure to be populated. It must have
03991  *                 been prepared as described in the note above.
03992  * \param buf      The buffer holding the serialized connection data. It must
03993  *                 be a readable buffer of at least \p len bytes.
03994  * \param len      The size of the serialized data in bytes.
03995  *
03996  * \return         \c 0 if successful.
03997  * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
03998  * \return         #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
03999  *                 comes from a different Mbed TLS version or build.
04000  * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
04001  */
04002 int mbedtls_ssl_context_load( mbedtls_ssl_context *ssl,
04003                               const unsigned char *buf,
04004                               size_t len );
04005 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
04006 
04007 /**
04008  * \brief          Initialize an SSL configuration context
04009  *                 Just makes the context ready for
04010  *                 mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().
04011  *
04012  * \note           You need to call mbedtls_ssl_config_defaults() unless you
04013  *                 manually set all of the relevant fields yourself.
04014  *
04015  * \param conf     SSL configuration context
04016  */
04017 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
04018 
04019 /**
04020  * \brief          Load reasonnable default SSL configuration values.
04021  *                 (You need to call mbedtls_ssl_config_init() first.)
04022  *
04023  * \param conf     SSL configuration context
04024  * \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
04025  * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or
04026  *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
04027  * \param preset   a MBEDTLS_SSL_PRESET_XXX value
04028  *
04029  * \note           See \c mbedtls_ssl_conf_transport() for notes on DTLS.
04030  *
04031  * \return         0 if successful, or
04032  *                 MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error.
04033  */
04034 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
04035                                  int endpoint, int transport, int preset );
04036 
04037 /**
04038  * \brief          Free an SSL configuration context
04039  *
04040  * \param conf     SSL configuration context
04041  */
04042 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf );
04043 
04044 /**
04045  * \brief          Initialize SSL session structure
04046  *
04047  * \param session  SSL session
04048  */
04049 void mbedtls_ssl_session_init( mbedtls_ssl_session *session );
04050 
04051 /**
04052  * \brief          Free referenced items in an SSL session including the
04053  *                 peer certificate and clear memory
04054  *
04055  * \note           A session object can be freed even if the SSL context
04056  *                 that was used to retrieve the session is still in use.
04057  *
04058  * \param session  SSL session
04059  */
04060 void mbedtls_ssl_session_free( mbedtls_ssl_session *session );
04061 
04062 /**
04063  * \brief          TLS-PRF function for key derivation.
04064  *
04065  * \param prf      The tls_prf type funtion type to be used.
04066  * \param secret   Secret for the key derivation function.
04067  * \param slen     Length of the secret.
04068  * \param label    String label for the key derivation function,
04069  *                 terminated with null character.
04070  * \param random   Random bytes.
04071  * \param rlen     Length of the random bytes buffer.
04072  * \param dstbuf   The buffer holding the derived key.
04073  * \param dlen     Length of the output buffer.
04074  *
04075  * \return         0 on sucess. An SSL specific error on failure.
04076  */
04077 int  mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
04078                           const unsigned char *secret, size_t slen,
04079                           const char *label,
04080                           const unsigned char *random, size_t rlen,
04081                           unsigned char *dstbuf, size_t dlen );
04082 
04083 #ifdef __cplusplus
04084 }
04085 #endif
04086 
04087 #endif /* ssl.h */