2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
25 #ifndef BR_BEARSSL_SSL_H__
26 #define BR_BEARSSL_SSL_H__
31 #include "bearssl_block.h"
32 #include "bearssl_hash.h"
33 #include "bearssl_hmac.h"
34 #include "bearssl_prf.h"
35 #include "bearssl_rand.h"
36 #include "bearssl_x509.h"
42 /** \file bearssl_ssl.h
46 * For an overview of the SSL/TLS API, see [the BearSSL Web
47 * site](https://www.bearssl.org/api1.html).
49 * The `BR_TLS_*` constants correspond to the standard cipher suites and
50 * their values in the [IANA
51 * registry](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
53 * The `BR_ALERT_*` constants are for standard TLS alert messages. When
54 * a fatal alert message is sent of received, then the SSL engine context
55 * status is set to the sum of that alert value (an integer in the 0..255
56 * range) and a fixed offset (`BR_ERR_SEND_FATAL_ALERT` for a sent alert,
57 * `BR_ERR_RECV_FATAL_ALERT` for a received alert).
60 /** \brief Optimal input buffer size. */
61 #define BR_SSL_BUFSIZE_INPUT (16384 + 325)
63 /** \brief Optimal output buffer size. */
64 #define BR_SSL_BUFSIZE_OUTPUT (16384 + 85)
66 /** \brief Optimal buffer size for monodirectional engine
67 (shared input/output buffer). */
68 #define BR_SSL_BUFSIZE_MONO BR_SSL_BUFSIZE_INPUT
70 /** \brief Optimal buffer size for bidirectional engine
71 (single buffer split into two separate input/output buffers). */
72 #define BR_SSL_BUFSIZE_BIDI (BR_SSL_BUFSIZE_INPUT + BR_SSL_BUFSIZE_OUTPUT)
75 * Constants for known SSL/TLS protocol versions (SSL 3.0, TLS 1.0, TLS 1.1
76 * and TLS 1.2). Note that though there is a constant for SSL 3.0, that
77 * protocol version is not actually supported.
80 /** \brief Protocol version: SSL 3.0 (unsupported). */
81 #define BR_SSL30 0x0300
82 /** \brief Protocol version: TLS 1.0. */
83 #define BR_TLS10 0x0301
84 /** \brief Protocol version: TLS 1.1. */
85 #define BR_TLS11 0x0302
86 /** \brief Protocol version: TLS 1.2. */
87 #define BR_TLS12 0x0303
90 * Error constants. They are used to report the reason why a context has
91 * been marked as failed.
93 * Implementation note: SSL-level error codes should be in the 1..31
94 * range. The 32..63 range is for certificate decoding and validation
95 * errors. Received fatal alerts imply an error code in the 256..511 range.
98 /** \brief SSL status: no error so far (0). */
101 /** \brief SSL status: caller-provided parameter is incorrect. */
102 #define BR_ERR_BAD_PARAM 1
104 /** \brief SSL status: operation requested by the caller cannot be applied
105 with the current context state (e.g. reading data while outgoing data
106 is waiting to be sent). */
107 #define BR_ERR_BAD_STATE 2
109 /** \brief SSL status: incoming protocol or record version is unsupported. */
110 #define BR_ERR_UNSUPPORTED_VERSION 3
112 /** \brief SSL status: incoming record version does not match the expected
114 #define BR_ERR_BAD_VERSION 4
116 /** \brief SSL status: incoming record length is invalid. */
117 #define BR_ERR_BAD_LENGTH 5
119 /** \brief SSL status: incoming record is too large to be processed, or
120 buffer is too small for the handshake message to send. */
121 #define BR_ERR_TOO_LARGE 6
123 /** \brief SSL status: decryption found an invalid padding, or the record
124 MAC is not correct. */
125 #define BR_ERR_BAD_MAC 7
127 /** \brief SSL status: no initial entropy was provided, and none can be
128 obtained from the OS. */
129 #define BR_ERR_NO_RANDOM 8
131 /** \brief SSL status: incoming record type is unknown. */
132 #define BR_ERR_UNKNOWN_TYPE 9
134 /** \brief SSL status: incoming record or message has wrong type with
135 regards to the current engine state. */
136 #define BR_ERR_UNEXPECTED 10
138 /** \brief SSL status: ChangeCipherSpec message from the peer has invalid
140 #define BR_ERR_BAD_CCS 12
142 /** \brief SSL status: alert message from the peer has invalid contents
144 #define BR_ERR_BAD_ALERT 13
146 /** \brief SSL status: incoming handshake message decoding failed. */
147 #define BR_ERR_BAD_HANDSHAKE 14
149 /** \brief SSL status: ServerHello contains a session ID which is larger
151 #define BR_ERR_OVERSIZED_ID 15
153 /** \brief SSL status: server wants to use a cipher suite that we did
154 not claim to support. This is also reported if we tried to advertise
155 a cipher suite that we do not support. */
156 #define BR_ERR_BAD_CIPHER_SUITE 16
158 /** \brief SSL status: server wants to use a compression that we did not
160 #define BR_ERR_BAD_COMPRESSION 17
162 /** \brief SSL status: server's max fragment length does not match
164 #define BR_ERR_BAD_FRAGLEN 18
166 /** \brief SSL status: secure renegotiation failed. */
167 #define BR_ERR_BAD_SECRENEG 19
169 /** \brief SSL status: server sent an extension type that we did not
170 announce, or used the same extension type several times in a single
172 #define BR_ERR_EXTRA_EXTENSION 20
174 /** \brief SSL status: invalid Server Name Indication contents (when
175 used by the server, this extension shall be empty). */
176 #define BR_ERR_BAD_SNI 21
178 /** \brief SSL status: invalid ServerHelloDone from the server (length
180 #define BR_ERR_BAD_HELLO_DONE 22
182 /** \brief SSL status: internal limit exceeded (e.g. server's public key
184 #define BR_ERR_LIMIT_EXCEEDED 23
186 /** \brief SSL status: Finished message from peer does not match the
188 #define BR_ERR_BAD_FINISHED 24
190 /** \brief SSL status: session resumption attempt with distinct version
192 #define BR_ERR_RESUME_MISMATCH 25
194 /** \brief SSL status: unsupported or invalid algorithm (ECDHE curve,
195 signature algorithm, hash function). */
196 #define BR_ERR_INVALID_ALGORITHM 26
198 /** \brief SSL status: invalid signature (on ServerKeyExchange from
199 server, or in CertificateVerify from client). */
200 #define BR_ERR_BAD_SIGNATURE 27
202 /** \brief SSL status: peer's public key does not have the proper type
203 or is not allowed for requested operation. */
204 #define BR_ERR_WRONG_KEY_USAGE 28
206 /** \brief SSL status: client did not send a certificate upon request,
207 or the client certificate could not be validated. */
208 #define BR_ERR_NO_CLIENT_AUTH 29
210 /** \brief SSL status: I/O error or premature close on underlying
211 transport stream. This error code is set only by the simplified
212 I/O API ("br_sslio_*"). */
215 /** \brief SSL status: base value for a received fatal alert.
217 When a fatal alert is received from the peer, the alert value
218 is added to this constant. */
219 #define BR_ERR_RECV_FATAL_ALERT 256
221 /** \brief SSL status: base value for a sent fatal alert.
223 When a fatal alert is sent to the peer, the alert value is added
225 #define BR_ERR_SEND_FATAL_ALERT 512
227 /* ===================================================================== */
230 * \brief Decryption engine for SSL.
232 * When processing incoming records, the SSL engine will use a decryption
233 * engine that uses a specific context structure, and has a set of
234 * methods (a vtable) that follows this template.
236 * The decryption engine is responsible for applying decryption, verifying
237 * MAC, and keeping track of the record sequence number.
239 typedef struct br_sslrec_in_class_ br_sslrec_in_class;
240 struct br_sslrec_in_class_ {
242 * \brief Context size (in bytes).
247 * \brief Test validity of the incoming record length.
249 * This function returns 1 if the announced length for an
250 * incoming record is valid, 0 otherwise,
252 * \param ctx decryption engine context.
253 * \param record_len incoming record length.
254 * \return 1 of a valid length, 0 otherwise.
256 int (*check_length)(const br_sslrec_in_class *const *ctx,
260 * \brief Decrypt the incoming record.
262 * This function may assume that the record length is valid
263 * (it has been previously tested with `check_length()`).
264 * Decryption is done in place; `*len` is updated with the
265 * cleartext length, and the address of the first plaintext
266 * byte is returned. If the record is correct but empty, then
267 * `*len` is set to 0 and a non-`NULL` pointer is returned.
269 * On decryption/MAC error, `NULL` is returned.
271 * \param ctx decryption engine context.
272 * \param record_type record type (23 for application data, etc).
273 * \param version record version.
274 * \param payload address of encrypted payload.
275 * \param len pointer to payload length (updated).
276 * \return pointer to plaintext, or `NULL` on error.
278 unsigned char *(*decrypt)(const br_sslrec_in_class **ctx,
279 int record_type, unsigned version,
280 void *payload, size_t *len);
284 * \brief Encryption engine for SSL.
286 * When building outgoing records, the SSL engine will use an encryption
287 * engine that uses a specific context structure, and has a set of
288 * methods (a vtable) that follows this template.
290 * The encryption engine is responsible for applying encryption and MAC,
291 * and keeping track of the record sequence number.
293 typedef struct br_sslrec_out_class_ br_sslrec_out_class;
294 struct br_sslrec_out_class_ {
296 * \brief Context size (in bytes).
301 * \brief Compute maximum plaintext sizes and offsets.
303 * When this function is called, the `*start` and `*end`
304 * values contain offsets designating the free area in the
305 * outgoing buffer for plaintext data; that free area is
306 * preceded by a 5-byte space which will receive the record
309 * The `max_plaintext()` function is responsible for adjusting
310 * both `*start` and `*end` to make room for any record-specific
311 * header, MAC, padding, and possible split.
313 * \param ctx encryption engine context.
314 * \param start pointer to start of plaintext offset (updated).
315 * \param end pointer to start of plaintext offset (updated).
317 void (*max_plaintext)(const br_sslrec_out_class *const *ctx,
318 size_t *start, size_t *end);
321 * \brief Perform record encryption.
323 * This function encrypts the record. The plaintext address and
324 * length are provided. Returned value is the start of the
325 * encrypted record (or sequence of records, if a split was
326 * performed), _including_ the 5-byte header, and `*len` is
327 * adjusted to the total size of the record(s), there again
328 * including the header(s).
330 * \param ctx decryption engine context.
331 * \param record_type record type (23 for application data, etc).
332 * \param version record version.
333 * \param plaintext address of plaintext.
334 * \param len pointer to plaintext length (updated).
335 * \return pointer to start of built record.
337 unsigned char *(*encrypt)(const br_sslrec_out_class **ctx,
338 int record_type, unsigned version,
339 void *plaintext, size_t *len);
343 * \brief Context for a no-encryption engine.
345 * The no-encryption engine processes outgoing records during the initial
346 * handshake, before encryption is applied.
349 /** \brief No-encryption engine vtable. */
350 const br_sslrec_out_class *vtable;
351 } br_sslrec_out_clear_context;
353 /** \brief Static, constant vtable for the no-encryption engine. */
354 extern const br_sslrec_out_class br_sslrec_out_clear_vtable;
356 /* ===================================================================== */
359 * \brief Record decryption engine class, for CBC mode.
361 * This class type extends the decryption engine class with an
362 * initialisation method that receives the parameters needed
363 * for CBC processing: block cipher implementation, block cipher key,
364 * HMAC parameters (hash function, key, MAC length), and IV. If the
365 * IV is `NULL`, then a per-record IV will be used (TLS 1.1+).
367 typedef struct br_sslrec_in_cbc_class_ br_sslrec_in_cbc_class;
368 struct br_sslrec_in_cbc_class_ {
370 * \brief Superclass, as first vtable field.
372 br_sslrec_in_class inner;
375 * \brief Engine initialisation method.
377 * This method sets the vtable field in the context.
379 * \param ctx context to initialise.
380 * \param bc_impl block cipher implementation (CBC decryption).
381 * \param bc_key block cipher key.
382 * \param bc_key_len block cipher key length (in bytes).
383 * \param dig_impl hash function for HMAC.
384 * \param mac_key HMAC key.
385 * \param mac_key_len HMAC key length (in bytes).
386 * \param mac_out_len HMAC output length (in bytes).
387 * \param iv initial IV (or `NULL`).
389 void (*init)(const br_sslrec_in_cbc_class **ctx,
390 const br_block_cbcdec_class *bc_impl,
391 const void *bc_key, size_t bc_key_len,
392 const br_hash_class *dig_impl,
393 const void *mac_key, size_t mac_key_len, size_t mac_out_len,
398 * \brief Record encryption engine class, for CBC mode.
400 * This class type extends the encryption engine class with an
401 * initialisation method that receives the parameters needed
402 * for CBC processing: block cipher implementation, block cipher key,
403 * HMAC parameters (hash function, key, MAC length), and IV. If the
404 * IV is `NULL`, then a per-record IV will be used (TLS 1.1+).
406 typedef struct br_sslrec_out_cbc_class_ br_sslrec_out_cbc_class;
407 struct br_sslrec_out_cbc_class_ {
409 * \brief Superclass, as first vtable field.
411 br_sslrec_out_class inner;
414 * \brief Engine initialisation method.
416 * This method sets the vtable field in the context.
418 * \param ctx context to initialise.
419 * \param bc_impl block cipher implementation (CBC encryption).
420 * \param bc_key block cipher key.
421 * \param bc_key_len block cipher key length (in bytes).
422 * \param dig_impl hash function for HMAC.
423 * \param mac_key HMAC key.
424 * \param mac_key_len HMAC key length (in bytes).
425 * \param mac_out_len HMAC output length (in bytes).
426 * \param iv initial IV (or `NULL`).
428 void (*init)(const br_sslrec_out_cbc_class **ctx,
429 const br_block_cbcenc_class *bc_impl,
430 const void *bc_key, size_t bc_key_len,
431 const br_hash_class *dig_impl,
432 const void *mac_key, size_t mac_key_len, size_t mac_out_len,
437 * \brief Context structure for decrypting incoming records with
440 * The first field points to the vtable. The other fields are opaque
441 * and shall not be accessed directly.
444 /** \brief Pointer to vtable. */
445 const br_sslrec_in_cbc_class *vtable;
446 #ifndef BR_DOXYGEN_IGNORE
449 const br_block_cbcdec_class *vtable;
450 br_aes_gen_cbcdec_keys aes;
451 br_des_gen_cbcdec_keys des;
453 br_hmac_key_context mac;
455 unsigned char iv[16];
458 } br_sslrec_in_cbc_context;
461 * \brief Static, constant vtable for record decryption with CBC.
463 extern const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable;
466 * \brief Context structure for encrypting outgoing records with
469 * The first field points to the vtable. The other fields are opaque
470 * and shall not be accessed directly.
473 /** \brief Pointer to vtable. */
474 const br_sslrec_out_cbc_class *vtable;
475 #ifndef BR_DOXYGEN_IGNORE
478 const br_block_cbcenc_class *vtable;
479 br_aes_gen_cbcenc_keys aes;
480 br_des_gen_cbcenc_keys des;
482 br_hmac_key_context mac;
484 unsigned char iv[16];
487 } br_sslrec_out_cbc_context;
490 * \brief Static, constant vtable for record encryption with CBC.
492 extern const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable;
494 /* ===================================================================== */
497 * \brief Record decryption engine class, for GCM mode.
499 * This class type extends the decryption engine class with an
500 * initialisation method that receives the parameters needed
501 * for GCM processing: block cipher implementation, block cipher key,
502 * GHASH implementation, and 4-byte IV.
504 typedef struct br_sslrec_in_gcm_class_ br_sslrec_in_gcm_class;
505 struct br_sslrec_in_gcm_class_ {
507 * \brief Superclass, as first vtable field.
509 br_sslrec_in_class inner;
512 * \brief Engine initialisation method.
514 * This method sets the vtable field in the context.
516 * \param ctx context to initialise.
517 * \param bc_impl block cipher implementation (CTR).
518 * \param key block cipher key.
519 * \param key_len block cipher key length (in bytes).
520 * \param gh_impl GHASH implementation.
521 * \param iv static IV (4 bytes).
523 void (*init)(const br_sslrec_in_gcm_class **ctx,
524 const br_block_ctr_class *bc_impl,
525 const void *key, size_t key_len,
531 * \brief Record encryption engine class, for GCM mode.
533 * This class type extends the encryption engine class with an
534 * initialisation method that receives the parameters needed
535 * for GCM processing: block cipher implementation, block cipher key,
536 * GHASH implementation, and 4-byte IV.
538 typedef struct br_sslrec_out_gcm_class_ br_sslrec_out_gcm_class;
539 struct br_sslrec_out_gcm_class_ {
541 * \brief Superclass, as first vtable field.
543 br_sslrec_out_class inner;
546 * \brief Engine initialisation method.
548 * This method sets the vtable field in the context.
550 * \param ctx context to initialise.
551 * \param bc_impl block cipher implementation (CTR).
552 * \param key block cipher key.
553 * \param key_len block cipher key length (in bytes).
554 * \param gh_impl GHASH implementation.
555 * \param iv static IV (4 bytes).
557 void (*init)(const br_sslrec_out_gcm_class **ctx,
558 const br_block_ctr_class *bc_impl,
559 const void *key, size_t key_len,
565 * \brief Context structure for processing records with GCM.
567 * The same context structure is used for encrypting and decrypting.
569 * The first field points to the vtable. The other fields are opaque
570 * and shall not be accessed directly.
573 /** \brief Pointer to vtable. */
576 const br_sslrec_in_gcm_class *in;
577 const br_sslrec_out_gcm_class *out;
579 #ifndef BR_DOXYGEN_IGNORE
582 const br_block_ctr_class *vtable;
583 br_aes_gen_ctr_keys aes;
589 } br_sslrec_gcm_context;
592 * \brief Static, constant vtable for record decryption with GCM.
594 extern const br_sslrec_in_gcm_class br_sslrec_in_gcm_vtable;
597 * \brief Static, constant vtable for record encryption with GCM.
599 extern const br_sslrec_out_gcm_class br_sslrec_out_gcm_vtable;
601 /* ===================================================================== */
604 * \brief Record decryption engine class, for ChaCha20+Poly1305.
606 * This class type extends the decryption engine class with an
607 * initialisation method that receives the parameters needed
608 * for ChaCha20+Poly1305 processing: ChaCha20 implementation,
609 * Poly1305 implementation, key, and 12-byte IV.
611 typedef struct br_sslrec_in_chapol_class_ br_sslrec_in_chapol_class;
612 struct br_sslrec_in_chapol_class_ {
614 * \brief Superclass, as first vtable field.
616 br_sslrec_in_class inner;
619 * \brief Engine initialisation method.
621 * This method sets the vtable field in the context.
623 * \param ctx context to initialise.
624 * \param ichacha ChaCha20 implementation.
625 * \param ipoly Poly1305 implementation.
626 * \param key secret key (32 bytes).
627 * \param iv static IV (12 bytes).
629 void (*init)(const br_sslrec_in_chapol_class **ctx,
630 br_chacha20_run ichacha,
631 br_poly1305_run ipoly,
632 const void *key, const void *iv);
636 * \brief Record encryption engine class, for ChaCha20+Poly1305.
638 * This class type extends the encryption engine class with an
639 * initialisation method that receives the parameters needed
640 * for ChaCha20+Poly1305 processing: ChaCha20 implementation,
641 * Poly1305 implementation, key, and 12-byte IV.
643 typedef struct br_sslrec_out_chapol_class_ br_sslrec_out_chapol_class;
644 struct br_sslrec_out_chapol_class_ {
646 * \brief Superclass, as first vtable field.
648 br_sslrec_out_class inner;
651 * \brief Engine initialisation method.
653 * This method sets the vtable field in the context.
655 * \param ctx context to initialise.
656 * \param ichacha ChaCha20 implementation.
657 * \param ipoly Poly1305 implementation.
658 * \param key secret key (32 bytes).
659 * \param iv static IV (12 bytes).
661 void (*init)(const br_sslrec_out_chapol_class **ctx,
662 br_chacha20_run ichacha,
663 br_poly1305_run ipoly,
664 const void *key, const void *iv);
668 * \brief Context structure for processing records with ChaCha20+Poly1305.
670 * The same context structure is used for encrypting and decrypting.
672 * The first field points to the vtable. The other fields are opaque
673 * and shall not be accessed directly.
676 /** \brief Pointer to vtable. */
679 const br_sslrec_in_chapol_class *in;
680 const br_sslrec_out_chapol_class *out;
682 #ifndef BR_DOXYGEN_IGNORE
684 unsigned char key[32];
685 unsigned char iv[12];
686 br_chacha20_run ichacha;
687 br_poly1305_run ipoly;
689 } br_sslrec_chapol_context;
692 * \brief Static, constant vtable for record decryption with ChaCha20+Poly1305.
694 extern const br_sslrec_in_chapol_class br_sslrec_in_chapol_vtable;
697 * \brief Static, constant vtable for record encryption with ChaCha20+Poly1305.
699 extern const br_sslrec_out_chapol_class br_sslrec_out_chapol_vtable;
701 /* ===================================================================== */
704 * \brief Record decryption engine class, for CCM mode.
706 * This class type extends the decryption engine class with an
707 * initialisation method that receives the parameters needed
708 * for CCM processing: block cipher implementation, block cipher key,
711 typedef struct br_sslrec_in_ccm_class_ br_sslrec_in_ccm_class;
712 struct br_sslrec_in_ccm_class_ {
714 * \brief Superclass, as first vtable field.
716 br_sslrec_in_class inner;
719 * \brief Engine initialisation method.
721 * This method sets the vtable field in the context.
723 * \param ctx context to initialise.
724 * \param bc_impl block cipher implementation (CTR+CBC).
725 * \param key block cipher key.
726 * \param key_len block cipher key length (in bytes).
727 * \param iv static IV (4 bytes).
728 * \param tag_len tag length (in bytes)
730 void (*init)(const br_sslrec_in_ccm_class **ctx,
731 const br_block_ctrcbc_class *bc_impl,
732 const void *key, size_t key_len,
733 const void *iv, size_t tag_len);
737 * \brief Record encryption engine class, for CCM mode.
739 * This class type extends the encryption engine class with an
740 * initialisation method that receives the parameters needed
741 * for CCM processing: block cipher implementation, block cipher key,
744 typedef struct br_sslrec_out_ccm_class_ br_sslrec_out_ccm_class;
745 struct br_sslrec_out_ccm_class_ {
747 * \brief Superclass, as first vtable field.
749 br_sslrec_out_class inner;
752 * \brief Engine initialisation method.
754 * This method sets the vtable field in the context.
756 * \param ctx context to initialise.
757 * \param bc_impl block cipher implementation (CTR+CBC).
758 * \param key block cipher key.
759 * \param key_len block cipher key length (in bytes).
760 * \param iv static IV (4 bytes).
761 * \param tag_len tag length (in bytes)
763 void (*init)(const br_sslrec_out_ccm_class **ctx,
764 const br_block_ctrcbc_class *bc_impl,
765 const void *key, size_t key_len,
766 const void *iv, size_t tag_len);
770 * \brief Context structure for processing records with CCM.
772 * The same context structure is used for encrypting and decrypting.
774 * The first field points to the vtable. The other fields are opaque
775 * and shall not be accessed directly.
778 /** \brief Pointer to vtable. */
781 const br_sslrec_in_ccm_class *in;
782 const br_sslrec_out_ccm_class *out;
784 #ifndef BR_DOXYGEN_IGNORE
787 const br_block_ctrcbc_class *vtable;
788 br_aes_gen_ctrcbc_keys aes;
793 } br_sslrec_ccm_context;
796 * \brief Static, constant vtable for record decryption with CCM.
798 extern const br_sslrec_in_ccm_class br_sslrec_in_ccm_vtable;
801 * \brief Static, constant vtable for record encryption with CCM.
803 extern const br_sslrec_out_ccm_class br_sslrec_out_ccm_vtable;
805 /* ===================================================================== */
808 * \brief Type for session parameters, to be saved for session resumption.
811 /** \brief Session ID buffer. */
812 unsigned char session_id[32];
813 /** \brief Session ID length (in bytes, at most 32). */
814 unsigned char session_id_len;
815 /** \brief Protocol version. */
817 /** \brief Cipher suite. */
818 uint16_t cipher_suite;
819 /** \brief Master secret. */
820 unsigned char master_secret[48];
821 } br_ssl_session_parameters;
823 #ifndef BR_DOXYGEN_IGNORE
825 * Maximum number of cipher suites supported by a client or server.
827 #define BR_MAX_CIPHER_SUITES 48
831 * \brief Context structure for SSL engine.
833 * This strucuture is common to the client and server; both the client
834 * context (`br_ssl_client_context`) and the server context
835 * (`br_ssl_server_context`) include a `br_ssl_engine_context` as their
838 * The engine context manages records, including alerts, closures, and
839 * transitions to new encryption/MAC algorithms. Processing of handshake
840 * records is delegated to externally provided code. This structure
841 * should not be used directly.
843 * Structure contents are opaque and shall not be accessed directly.
846 #ifndef BR_DOXYGEN_IGNORE
848 * The error code. When non-zero, then the state is "failed" and
849 * no I/O may occur until reset.
854 * Configured I/O buffers. They are either disjoint, or identical.
856 unsigned char *ibuf, *obuf;
857 size_t ibuf_len, obuf_len;
860 * Maximum fragment length applies to outgoing records; incoming
861 * records can be processed as long as they fit in the input
862 * buffer. It is guaranteed that incoming records at least as big
863 * as max_frag_len can be processed.
865 uint16_t max_frag_len;
866 unsigned char log_max_frag_len;
867 unsigned char peer_log_max_frag_len;
870 * Buffering management registers.
872 size_t ixa, ixb, ixc;
873 size_t oxa, oxb, oxc;
874 unsigned char iomode;
875 unsigned char incrypt;
878 * Shutdown flag: when set to non-zero, incoming record bytes
879 * will not be accepted anymore. This is used after a close_notify
880 * has been received: afterwards, the engine no longer claims that
881 * it could receive bytes from the transport medium.
883 unsigned char shutdown_recv;
886 * 'record_type_in' is set to the incoming record type when the
887 * record header has been received.
888 * 'record_type_out' is used to make the next outgoing record
889 * header when it is ready to go.
891 unsigned char record_type_in, record_type_out;
894 * When a record is received, its version is extracted:
895 * -- if 'version_in' is 0, then it is set to the received version;
896 * -- otherwise, if the received version is not identical to
897 * the 'version_in' contents, then a failure is reported.
899 * This implements the SSL requirement that all records shall
900 * use the negotiated protocol version, once decided (in the
901 * ServerHello). It is up to the handshake handler to adjust this
902 * field when necessary.
907 * 'version_out' is used when the next outgoing record is ready
910 uint16_t version_out;
913 * Record handler contexts.
916 const br_sslrec_in_class *vtable;
917 br_sslrec_in_cbc_context cbc;
918 br_sslrec_gcm_context gcm;
919 br_sslrec_chapol_context chapol;
920 br_sslrec_ccm_context ccm;
923 const br_sslrec_out_class *vtable;
924 br_sslrec_out_clear_context clear;
925 br_sslrec_out_cbc_context cbc;
926 br_sslrec_gcm_context gcm;
927 br_sslrec_chapol_context chapol;
928 br_sslrec_ccm_context ccm;
932 * The "application data" flag. Value:
933 * 0 handshake is in process, no application data acceptable
934 * 1 application data can be sent and received
935 * 2 closing, no application data can be sent, but some
936 * can still be received (and discarded)
938 unsigned char application_data;
943 * rng_init_done is initially 0. It is set to 1 when the
944 * basic structure of the RNG is set, and 2 when some
945 * entropy has been pushed in. The value 2 marks the RNG
946 * as "properly seeded".
948 * rng_os_rand_done is initially 0. It is set to 1 when
949 * some seeding from the OS or hardware has been attempted.
951 br_hmac_drbg_context rng;
953 int rng_os_rand_done;
956 * Supported minimum and maximum versions, and cipher suites.
958 uint16_t version_min;
959 uint16_t version_max;
960 uint16_t suites_buf[BR_MAX_CIPHER_SUITES];
961 unsigned char suites_num;
964 * For clients, the server name to send as a SNI extension. For
965 * servers, the name received in the SNI extension (if any).
967 char server_name[256];
970 * "Security parameters". These are filled by the handshake
971 * handler, and used when switching encryption state.
973 unsigned char client_random[32];
974 unsigned char server_random[32];
975 br_ssl_session_parameters session;
978 * ECDHE elements: curve and point from the peer. The server also
979 * uses that buffer for the point to send to the client.
981 unsigned char ecdhe_curve;
982 unsigned char ecdhe_point[133];
983 unsigned char ecdhe_point_len;
986 * Secure renegotiation (RFC 5746): 'reneg' can be:
987 * 0 first handshake (server support is not known)
988 * 1 peer does not support secure renegotiation
989 * 2 peer supports secure renegotiation
991 * The saved_finished buffer contains the client and the
992 * server "Finished" values from the last handshake, in
993 * that order (12 bytes each).
996 unsigned char saved_finished[24];
1004 * Context variables for the handshake processor. The 'pad' must
1005 * be large enough to accommodate an RSA-encrypted pre-master
1006 * secret, or an RSA signature; since we want to support up to
1007 * RSA-4096, this means at least 512 bytes. (Other pad usages
1008 * require its length to be at least 256.)
1013 const unsigned char *ip;
1015 uint32_t dp_stack[32];
1016 uint32_t rp_stack[32];
1017 unsigned char pad[512];
1018 unsigned char *hbuf_in, *hbuf_out, *saved_hbuf_out;
1019 size_t hlen_in, hlen_out;
1020 void (*hsrun)(void *ctx);
1023 * The 'action' value communicates OOB information between the
1024 * engine and the handshake processor.
1027 * 0 invocation triggered by I/O
1028 * 1 invocation triggered by explicit close
1029 * 2 invocation triggered by explicit renegotiation
1031 unsigned char action;
1034 * State for alert messages. Value is either 0, or the value of
1035 * the alert level byte (level is either 1 for warning, or 2 for
1036 * fatal; we convert all other values to 'fatal').
1038 unsigned char alert;
1041 * Closure flags. This flag is set when a close_notify has been
1042 * received from the peer.
1044 unsigned char close_received;
1047 * Multi-hasher for the handshake messages. The handshake handler
1048 * is responsible for resetting it when appropriate.
1050 br_multihash_context mhash;
1053 * Pointer to the X.509 engine. The engine is supposed to be
1054 * already initialized. It is used to validate the peer's
1057 const br_x509_class **x509ctx;
1060 * Certificate chain to send. This is used by both client and
1061 * server, when they send their respective Certificate messages.
1062 * If chain_len is 0, then chain may be NULL.
1064 const br_x509_certificate *chain;
1066 const unsigned char *cert_cur;
1070 * List of supported protocol names (ALPN extension). If unset,
1071 * (number of names is 0), then:
1072 * - the client sends no ALPN extension;
1073 * - the server ignores any incoming ALPN extension.
1076 * - the client sends an ALPN extension with all the names;
1077 * - the server selects the first protocol in its list that
1078 * the client also supports, or fails (fatal alert 120)
1079 * if the client sends an ALPN extension and there is no
1082 * The 'selected_protocol' field contains 1+n if the matching
1083 * name has index n in the list (the value is 0 if no match was
1084 * performed, e.g. the peer did not send an ALPN extension).
1086 const char **protocol_names;
1087 uint16_t protocol_names_num;
1088 uint16_t selected_protocol;
1091 * Pointers to implementations; left to NULL for unsupported
1092 * functions. For the raw hash functions, implementations are
1093 * referenced from the multihasher (mhash field).
1095 br_tls_prf_impl prf10;
1096 br_tls_prf_impl prf_sha256;
1097 br_tls_prf_impl prf_sha384;
1098 const br_block_cbcenc_class *iaes_cbcenc;
1099 const br_block_cbcdec_class *iaes_cbcdec;
1100 const br_block_ctr_class *iaes_ctr;
1101 const br_block_ctrcbc_class *iaes_ctrcbc;
1102 const br_block_cbcenc_class *ides_cbcenc;
1103 const br_block_cbcdec_class *ides_cbcdec;
1105 br_chacha20_run ichacha;
1106 br_poly1305_run ipoly;
1107 const br_sslrec_in_cbc_class *icbc_in;
1108 const br_sslrec_out_cbc_class *icbc_out;
1109 const br_sslrec_in_gcm_class *igcm_in;
1110 const br_sslrec_out_gcm_class *igcm_out;
1111 const br_sslrec_in_chapol_class *ichapol_in;
1112 const br_sslrec_out_chapol_class *ichapol_out;
1113 const br_sslrec_in_ccm_class *iccm_in;
1114 const br_sslrec_out_ccm_class *iccm_out;
1115 const br_ec_impl *iec;
1116 br_rsa_pkcs1_vrfy irsavrfy;
1117 br_ecdsa_vrfy iecdsa;
1119 } br_ssl_engine_context;
1122 * \brief Get currently defined engine behavioural flags.
1124 * \param cc SSL engine context.
1125 * \return the flags.
1127 static inline uint32_t
1128 br_ssl_engine_get_flags(br_ssl_engine_context *cc)
1134 * \brief Set all engine behavioural flags.
1136 * \param cc SSL engine context.
1137 * \param flags new value for all flags.
1140 br_ssl_engine_set_all_flags(br_ssl_engine_context *cc, uint32_t flags)
1146 * \brief Set some engine behavioural flags.
1148 * The flags set in the `flags` parameter are set in the context; other
1149 * flags are untouched.
1151 * \param cc SSL engine context.
1152 * \param flags additional set flags.
1155 br_ssl_engine_add_flags(br_ssl_engine_context *cc, uint32_t flags)
1161 * \brief Clear some engine behavioural flags.
1163 * The flags set in the `flags` parameter are cleared from the context; other
1164 * flags are untouched.
1166 * \param cc SSL engine context.
1167 * \param flags flags to remove.
1170 br_ssl_engine_remove_flags(br_ssl_engine_context *cc, uint32_t flags)
1172 cc->flags &= ~flags;
1176 * \brief Behavioural flag: enforce server preferences.
1178 * If this flag is set, then the server will enforce its own cipher suite
1179 * preference order; otherwise, it follows the client preferences.
1181 #define BR_OPT_ENFORCE_SERVER_PREFERENCES ((uint32_t)1 << 0)
1184 * \brief Behavioural flag: disable renegotiation.
1186 * If this flag is set, then renegotiations are rejected unconditionally:
1187 * they won't be honoured if asked for programmatically, and requests from
1188 * the peer are rejected.
1190 #define BR_OPT_NO_RENEGOTIATION ((uint32_t)1 << 1)
1193 * \brief Behavioural flag: tolerate lack of client authentication.
1195 * If this flag is set in a server and the server requests a client
1196 * certificate, but the authentication fails (the client does not send
1197 * a certificate, or the client's certificate chain cannot be validated),
1198 * then the connection keeps on. Without this flag, a failed client
1199 * authentication terminates the connection.
1203 * - If the client's certificate can be validated and its public key is
1204 * supported, then a wrong signature value terminates the connection
1205 * regardless of that flag.
1207 * - If using full-static ECDH, then a failure to validate the client's
1208 * certificate prevents the handshake from succeeding.
1210 #define BR_OPT_TOLERATE_NO_CLIENT_AUTH ((uint32_t)1 << 2)
1213 * \brief Behavioural flag: fail on application protocol mismatch.
1215 * The ALPN extension ([RFC 7301](https://tools.ietf.org/html/rfc7301))
1216 * allows the client to send a list of application protocol names, and
1217 * the server to select one. A mismatch is one of the following occurrences:
1219 * - On the client: the client sends a list of names, the server
1220 * responds with a protocol name which is _not_ part of the list of
1221 * names sent by the client.
1223 * - On the server: the client sends a list of names, and the server
1224 * is also configured with a list of names, but there is no common
1225 * protocol name between the two lists.
1227 * Normal behaviour in case of mismatch is to report no matching name
1228 * (`br_ssl_engine_get_selected_protocol()` returns `NULL`) and carry on.
1229 * If the flag is set, then a mismatch implies a protocol failure (if
1230 * the mismatch is detected by the server, it will send a fatal alert).
1232 * Note: even with this flag, `br_ssl_engine_get_selected_protocol()`
1233 * may still return `NULL` if the client or the server does not send an
1234 * ALPN extension at all.
1236 #define BR_OPT_FAIL_ON_ALPN_MISMATCH ((uint32_t)1 << 3)
1239 * \brief Set the minimum and maximum supported protocol versions.
1241 * The two provided versions MUST be supported by the implementation
1242 * (i.e. TLS 1.0, 1.1 and 1.2), and `version_max` MUST NOT be lower
1243 * than `version_min`.
1245 * \param cc SSL engine context.
1246 * \param version_min minimum supported TLS version.
1247 * \param version_max maximum supported TLS version.
1250 br_ssl_engine_set_versions(br_ssl_engine_context *cc,
1251 unsigned version_min, unsigned version_max)
1253 cc->version_min = (uint16_t)version_min;
1254 cc->version_max = (uint16_t)version_max;
1258 * \brief Set the list of cipher suites advertised by this context.
1260 * The provided array is copied into the context. It is the caller
1261 * responsibility to ensure that all provided suites will be supported
1262 * by the context. The engine context has enough room to receive _all_
1263 * suites supported by the implementation. The provided array MUST NOT
1264 * contain duplicates.
1266 * If the engine is for a client, the "signaling" pseudo-cipher suite
1267 * `TLS_FALLBACK_SCSV` can be added at the end of the list, if the
1268 * calling application is performing a voluntary downgrade (voluntary
1269 * downgrades are not recommended, but if such a downgrade is done, then
1270 * adding the fallback pseudo-suite is a good idea).
1272 * \param cc SSL engine context.
1273 * \param suites cipher suites.
1274 * \param suites_num number of cipher suites.
1276 void br_ssl_engine_set_suites(br_ssl_engine_context *cc,
1277 const uint16_t *suites, size_t suites_num);
1280 * \brief Set the X.509 engine.
1282 * The caller shall ensure that the X.509 engine is properly initialised.
1284 * \param cc SSL engine context.
1285 * \param x509ctx X.509 certificate validation context.
1288 br_ssl_engine_set_x509(br_ssl_engine_context *cc, const br_x509_class **x509ctx)
1290 cc->x509ctx = x509ctx;
1294 * \brief Set the supported protocol names.
1296 * Protocol names are part of the ALPN extension ([RFC
1297 * 7301](https://tools.ietf.org/html/rfc7301)). Each protocol name is a
1298 * character string, containing no more than 255 characters (256 with the
1299 * terminating zero). When names are set, then:
1301 * - The client will send an ALPN extension, containing the names. If
1302 * the server responds with an ALPN extension, the client will verify
1303 * that the response contains one of its name, and report that name
1304 * through `br_ssl_engine_get_selected_protocol()`.
1306 * - The server will parse incoming ALPN extension (from clients), and
1307 * try to find a common protocol; if none is found, the connection
1308 * is aborted with a fatal alert. On match, a response ALPN extension
1309 * is sent, and name is reported through
1310 * `br_ssl_engine_get_selected_protocol()`.
1312 * The provided array is linked in, and must remain valid while the
1313 * connection is live.
1315 * Names MUST NOT be empty. Names MUST NOT be longer than 255 characters
1316 * (excluding the terminating 0).
1318 * \param ctx SSL engine context.
1319 * \param names list of protocol names (zero-terminated).
1320 * \param num number of protocol names (MUST be 1 or more).
1323 br_ssl_engine_set_protocol_names(br_ssl_engine_context *ctx,
1324 const char **names, size_t num)
1326 ctx->protocol_names = names;
1327 ctx->protocol_names_num = (uint16_t)num;
1331 * \brief Get the selected protocol.
1333 * If this context was initialised with a non-empty list of protocol
1334 * names, and both client and server sent ALPN extensions during the
1335 * handshake, and a common name was found, then that name is returned.
1336 * Otherwise, `NULL` is returned.
1338 * The returned pointer is one of the pointers provided to the context
1339 * with `br_ssl_engine_set_protocol_names()`.
1341 * \return the selected protocol, or `NULL`.
1343 static inline const char *
1344 br_ssl_engine_get_selected_protocol(br_ssl_engine_context *ctx)
1348 k = ctx->selected_protocol;
1349 return (k == 0 || k == 0xFFFF) ? NULL : ctx->protocol_names[k - 1];
1353 * \brief Set a hash function implementation (by ID).
1355 * Hash functions set with this call will be used for SSL/TLS specific
1356 * usages, not X.509 certificate validation. Only "standard" hash functions
1357 * may be set (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). If `impl`
1358 * is `NULL`, then the hash function support is removed, not added.
1360 * \param ctx SSL engine context.
1361 * \param id hash function identifier.
1362 * \param impl hash function implementation (or `NULL`).
1365 br_ssl_engine_set_hash(br_ssl_engine_context *ctx,
1366 int id, const br_hash_class *impl)
1368 br_multihash_setimpl(&ctx->mhash, id, impl);
1372 * \brief Get a hash function implementation (by ID).
1374 * This function retrieves a hash function implementation which was
1375 * set with `br_ssl_engine_set_hash()`.
1377 * \param ctx SSL engine context.
1378 * \param id hash function identifier.
1379 * \return the hash function implementation (or `NULL`).
1381 static inline const br_hash_class *
1382 br_ssl_engine_get_hash(br_ssl_engine_context *ctx, int id)
1384 return br_multihash_getimpl(&ctx->mhash, id);
1388 * \brief Set the PRF implementation (for TLS 1.0 and 1.1).
1390 * This function sets (or removes, if `impl` is `NULL`) the implementation
1391 * for the PRF used in TLS 1.0 and 1.1.
1393 * \param cc SSL engine context.
1394 * \param impl PRF implementation (or `NULL`).
1397 br_ssl_engine_set_prf10(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1403 * \brief Set the PRF implementation with SHA-256 (for TLS 1.2).
1405 * This function sets (or removes, if `impl` is `NULL`) the implementation
1406 * for the SHA-256 variant of the PRF used in TLS 1.2.
1408 * \param cc SSL engine context.
1409 * \param impl PRF implementation (or `NULL`).
1412 br_ssl_engine_set_prf_sha256(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1414 cc->prf_sha256 = impl;
1418 * \brief Set the PRF implementation with SHA-384 (for TLS 1.2).
1420 * This function sets (or removes, if `impl` is `NULL`) the implementation
1421 * for the SHA-384 variant of the PRF used in TLS 1.2.
1423 * \param cc SSL engine context.
1424 * \param impl PRF implementation (or `NULL`).
1427 br_ssl_engine_set_prf_sha384(br_ssl_engine_context *cc, br_tls_prf_impl impl)
1429 cc->prf_sha384 = impl;
1433 * \brief Set the AES/CBC implementations.
1435 * \param cc SSL engine context.
1436 * \param impl_enc AES/CBC encryption implementation (or `NULL`).
1437 * \param impl_dec AES/CBC decryption implementation (or `NULL`).
1440 br_ssl_engine_set_aes_cbc(br_ssl_engine_context *cc,
1441 const br_block_cbcenc_class *impl_enc,
1442 const br_block_cbcdec_class *impl_dec)
1444 cc->iaes_cbcenc = impl_enc;
1445 cc->iaes_cbcdec = impl_dec;
1449 * \brief Set the "default" AES/CBC implementations.
1451 * This function configures in the engine the AES implementations that
1452 * should provide best runtime performance on the local system, while
1453 * still being safe (in particular, constant-time). It also sets the
1454 * handlers for CBC records.
1456 * \param cc SSL engine context.
1458 void br_ssl_engine_set_default_aes_cbc(br_ssl_engine_context *cc);
1461 * \brief Set the AES/CTR implementation.
1463 * \param cc SSL engine context.
1464 * \param impl AES/CTR encryption/decryption implementation (or `NULL`).
1467 br_ssl_engine_set_aes_ctr(br_ssl_engine_context *cc,
1468 const br_block_ctr_class *impl)
1470 cc->iaes_ctr = impl;
1474 * \brief Set the "default" implementations for AES/GCM (AES/CTR + GHASH).
1476 * This function configures in the engine the AES/CTR and GHASH
1477 * implementation that should provide best runtime performance on the local
1478 * system, while still being safe (in particular, constant-time). It also
1479 * sets the handlers for GCM records.
1481 * \param cc SSL engine context.
1483 void br_ssl_engine_set_default_aes_gcm(br_ssl_engine_context *cc);
1486 * \brief Set the DES/CBC implementations.
1488 * \param cc SSL engine context.
1489 * \param impl_enc DES/CBC encryption implementation (or `NULL`).
1490 * \param impl_dec DES/CBC decryption implementation (or `NULL`).
1493 br_ssl_engine_set_des_cbc(br_ssl_engine_context *cc,
1494 const br_block_cbcenc_class *impl_enc,
1495 const br_block_cbcdec_class *impl_dec)
1497 cc->ides_cbcenc = impl_enc;
1498 cc->ides_cbcdec = impl_dec;
1502 * \brief Set the "default" DES/CBC implementations.
1504 * This function configures in the engine the DES implementations that
1505 * should provide best runtime performance on the local system, while
1506 * still being safe (in particular, constant-time). It also sets the
1507 * handlers for CBC records.
1509 * \param cc SSL engine context.
1511 void br_ssl_engine_set_default_des_cbc(br_ssl_engine_context *cc);
1514 * \brief Set the GHASH implementation (used in GCM mode).
1516 * \param cc SSL engine context.
1517 * \param impl GHASH implementation (or `NULL`).
1520 br_ssl_engine_set_ghash(br_ssl_engine_context *cc, br_ghash impl)
1526 * \brief Set the ChaCha20 implementation.
1528 * \param cc SSL engine context.
1529 * \param ichacha ChaCha20 implementation (or `NULL`).
1532 br_ssl_engine_set_chacha20(br_ssl_engine_context *cc,
1533 br_chacha20_run ichacha)
1535 cc->ichacha = ichacha;
1539 * \brief Set the Poly1305 implementation.
1541 * \param cc SSL engine context.
1542 * \param ipoly Poly1305 implementation (or `NULL`).
1545 br_ssl_engine_set_poly1305(br_ssl_engine_context *cc,
1546 br_poly1305_run ipoly)
1552 * \brief Set the "default" ChaCha20 and Poly1305 implementations.
1554 * This function configures in the engine the ChaCha20 and Poly1305
1555 * implementations that should provide best runtime performance on the
1556 * local system, while still being safe (in particular, constant-time).
1557 * It also sets the handlers for ChaCha20+Poly1305 records.
1559 * \param cc SSL engine context.
1561 void br_ssl_engine_set_default_chapol(br_ssl_engine_context *cc);
1564 * \brief Set the AES/CTR+CBC implementation.
1566 * \param cc SSL engine context.
1567 * \param impl AES/CTR+CBC encryption/decryption implementation (or `NULL`).
1570 br_ssl_engine_set_aes_ctrcbc(br_ssl_engine_context *cc,
1571 const br_block_ctrcbc_class *impl)
1573 cc->iaes_ctrcbc = impl;
1577 * \brief Set the "default" implementations for AES/CCM.
1579 * This function configures in the engine the AES/CTR+CBC
1580 * implementation that should provide best runtime performance on the local
1581 * system, while still being safe (in particular, constant-time). It also
1582 * sets the handlers for CCM records.
1584 * \param cc SSL engine context.
1586 void br_ssl_engine_set_default_aes_ccm(br_ssl_engine_context *cc);
1589 * \brief Set the record encryption and decryption engines for CBC + HMAC.
1591 * \param cc SSL engine context.
1592 * \param impl_in record CBC decryption implementation (or `NULL`).
1593 * \param impl_out record CBC encryption implementation (or `NULL`).
1596 br_ssl_engine_set_cbc(br_ssl_engine_context *cc,
1597 const br_sslrec_in_cbc_class *impl_in,
1598 const br_sslrec_out_cbc_class *impl_out)
1600 cc->icbc_in = impl_in;
1601 cc->icbc_out = impl_out;
1605 * \brief Set the record encryption and decryption engines for GCM.
1607 * \param cc SSL engine context.
1608 * \param impl_in record GCM decryption implementation (or `NULL`).
1609 * \param impl_out record GCM encryption implementation (or `NULL`).
1612 br_ssl_engine_set_gcm(br_ssl_engine_context *cc,
1613 const br_sslrec_in_gcm_class *impl_in,
1614 const br_sslrec_out_gcm_class *impl_out)
1616 cc->igcm_in = impl_in;
1617 cc->igcm_out = impl_out;
1621 * \brief Set the record encryption and decryption engines for CCM.
1623 * \param cc SSL engine context.
1624 * \param impl_in record CCM decryption implementation (or `NULL`).
1625 * \param impl_out record CCM encryption implementation (or `NULL`).
1628 br_ssl_engine_set_ccm(br_ssl_engine_context *cc,
1629 const br_sslrec_in_ccm_class *impl_in,
1630 const br_sslrec_out_ccm_class *impl_out)
1632 cc->iccm_in = impl_in;
1633 cc->iccm_out = impl_out;
1637 * \brief Set the record encryption and decryption engines for
1638 * ChaCha20+Poly1305.
1640 * \param cc SSL engine context.
1641 * \param impl_in record ChaCha20 decryption implementation (or `NULL`).
1642 * \param impl_out record ChaCha20 encryption implementation (or `NULL`).
1645 br_ssl_engine_set_chapol(br_ssl_engine_context *cc,
1646 const br_sslrec_in_chapol_class *impl_in,
1647 const br_sslrec_out_chapol_class *impl_out)
1649 cc->ichapol_in = impl_in;
1650 cc->ichapol_out = impl_out;
1654 * \brief Set the EC implementation.
1656 * The elliptic curve implementation will be used for ECDH and ECDHE
1657 * cipher suites, and for ECDSA support.
1659 * \param cc SSL engine context.
1660 * \param iec EC implementation (or `NULL`).
1663 br_ssl_engine_set_ec(br_ssl_engine_context *cc, const br_ec_impl *iec)
1669 * \brief Set the "default" EC implementation.
1671 * This function sets the elliptic curve implementation for ECDH and
1672 * ECDHE cipher suites, and for ECDSA support. It selects the fastest
1673 * implementation on the current system.
1675 * \param cc SSL engine context.
1677 void br_ssl_engine_set_default_ec(br_ssl_engine_context *cc);
1680 * \brief Get the EC implementation configured in the provided engine.
1682 * \param cc SSL engine context.
1683 * \return the EC implementation.
1685 static inline const br_ec_impl *
1686 br_ssl_engine_get_ec(br_ssl_engine_context *cc)
1692 * \brief Set the RSA signature verification implementation.
1694 * On the client, this is used to verify the server's signature on its
1695 * ServerKeyExchange message (for ECDHE_RSA cipher suites). On the server,
1696 * this is used to verify the client's CertificateVerify message (if a
1697 * client certificate is requested, and that certificate contains a RSA key).
1699 * \param cc SSL engine context.
1700 * \param irsavrfy RSA signature verification implementation.
1703 br_ssl_engine_set_rsavrfy(br_ssl_engine_context *cc, br_rsa_pkcs1_vrfy irsavrfy)
1705 cc->irsavrfy = irsavrfy;
1709 * \brief Set the "default" RSA implementation (signature verification).
1711 * This function sets the RSA implementation (signature verification)
1712 * to the fastest implementation available on the current platform.
1714 * \param cc SSL engine context.
1716 void br_ssl_engine_set_default_rsavrfy(br_ssl_engine_context *cc);
1719 * \brief Get the RSA implementation (signature verification) configured
1720 * in the provided engine.
1722 * \param cc SSL engine context.
1723 * \return the RSA signature verification implementation.
1725 static inline br_rsa_pkcs1_vrfy
1726 br_ssl_engine_get_rsavrfy(br_ssl_engine_context *cc)
1728 return cc->irsavrfy;
1732 * \brief Set the ECDSA implementation (signature verification).
1734 * On the client, this is used to verify the server's signature on its
1735 * ServerKeyExchange message (for ECDHE_ECDSA cipher suites). On the server,
1736 * this is used to verify the client's CertificateVerify message (if a
1737 * client certificate is requested, that certificate contains an EC key,
1738 * and full-static ECDH is not used).
1740 * The ECDSA implementation will use the EC core implementation configured
1741 * in the engine context.
1743 * \param cc client context.
1744 * \param iecdsa ECDSA verification implementation.
1747 br_ssl_engine_set_ecdsa(br_ssl_engine_context *cc, br_ecdsa_vrfy iecdsa)
1749 cc->iecdsa = iecdsa;
1753 * \brief Set the "default" ECDSA implementation (signature verification).
1755 * This function sets the ECDSA implementation (signature verification)
1756 * to the fastest implementation available on the current platform. This
1757 * call also sets the elliptic curve implementation itself, there again
1758 * to the fastest EC implementation available.
1760 * \param cc SSL engine context.
1762 void br_ssl_engine_set_default_ecdsa(br_ssl_engine_context *cc);
1765 * \brief Get the ECDSA implementation (signature verification) configured
1766 * in the provided engine.
1768 * \param cc SSL engine context.
1769 * \return the ECDSA signature verification implementation.
1771 static inline br_ecdsa_vrfy
1772 br_ssl_engine_get_ecdsa(br_ssl_engine_context *cc)
1778 * \brief Set the I/O buffer for the SSL engine.
1780 * Once this call has been made, `br_ssl_client_reset()` or
1781 * `br_ssl_server_reset()` MUST be called before using the context.
1783 * The provided buffer will be used as long as the engine context is
1784 * used. The caller is responsible for keeping it available.
1786 * If `bidi` is 0, then the engine will operate in half-duplex mode
1787 * (it won't be able to send data while there is unprocessed incoming
1788 * data in the buffer, and it won't be able to receive data while there
1789 * is unsent data in the buffer). The optimal buffer size in half-duplex
1790 * mode is `BR_SSL_BUFSIZE_MONO`; if the buffer is larger, then extra
1791 * bytes are ignored. If the buffer is smaller, then this limits the
1792 * capacity of the engine to support all allowed record sizes.
1794 * If `bidi` is 1, then the engine will split the buffer into two
1795 * parts, for separate handling of outgoing and incoming data. This
1796 * enables full-duplex processing, but requires more RAM. The optimal
1797 * buffer size in full-duplex mode is `BR_SSL_BUFSIZE_BIDI`; if the
1798 * buffer is larger, then extra bytes are ignored. If the buffer is
1799 * smaller, then the split will favour the incoming part, so that
1800 * interoperability is maximised.
1802 * \param cc SSL engine context
1803 * \param iobuf I/O buffer.
1804 * \param iobuf_len I/O buffer length (in bytes).
1805 * \param bidi non-zero for full-duplex mode.
1807 void br_ssl_engine_set_buffer(br_ssl_engine_context *cc,
1808 void *iobuf, size_t iobuf_len, int bidi);
1811 * \brief Set the I/O buffers for the SSL engine.
1813 * Once this call has been made, `br_ssl_client_reset()` or
1814 * `br_ssl_server_reset()` MUST be called before using the context.
1816 * This function is similar to `br_ssl_engine_set_buffer()`, except
1817 * that it enforces full-duplex mode, and the two I/O buffers are
1818 * provided as separate chunks.
1820 * The macros `BR_SSL_BUFSIZE_INPUT` and `BR_SSL_BUFSIZE_OUTPUT`
1821 * evaluate to the optimal (maximum) sizes for the input and output
1822 * buffer, respectively.
1824 * \param cc SSL engine context
1825 * \param ibuf input buffer.
1826 * \param ibuf_len input buffer length (in bytes).
1827 * \param obuf output buffer.
1828 * \param obuf_len output buffer length (in bytes).
1830 void br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *cc,
1831 void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len);
1834 * \brief Inject some "initial entropy" in the context.
1836 * This entropy will be added to what can be obtained from the
1837 * underlying operating system, if that OS is supported.
1839 * This function may be called several times; all injected entropy chunks
1840 * are cumulatively mixed.
1842 * If entropy gathering from the OS is supported and compiled in, then this
1843 * step is optional. Otherwise, it is mandatory to inject randomness, and
1844 * the caller MUST take care to push (as one or several successive calls)
1845 * enough entropy to achieve cryptographic resistance (at least 80 bits,
1846 * preferably 128 or more). The engine will report an error if no entropy
1847 * was provided and none can be obtained from the OS.
1849 * Take care that this function cannot assess the cryptographic quality of
1850 * the provided bytes.
1852 * In all generality, "entropy" must here be considered to mean "that
1853 * which the attacker cannot predict". If your OS/architecture does not
1854 * have a suitable source of randomness, then you can make do with the
1855 * combination of a large enough secret value (possibly a copy of an
1856 * asymmetric private key that you also store on the system) AND a
1857 * non-repeating value (e.g. current time, provided that the local clock
1858 * cannot be reset or altered by the attacker).
1860 * \param cc SSL engine context.
1861 * \param data extra entropy to inject.
1862 * \param len length of the extra data (in bytes).
1864 void br_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
1865 const void *data, size_t len);
1868 * \brief Get the "server name" in this engine.
1870 * For clients, this is the name provided with `br_ssl_client_reset()`;
1871 * for servers, this is the name received from the client as part of the
1872 * ClientHello message. If there is no such name (e.g. the client did
1873 * not send an SNI extension) then the returned string is empty
1874 * (returned pointer points to a byte of value 0).
1876 * The returned pointer refers to a buffer inside the context, which may
1877 * be overwritten as part of normal SSL activity (even within the same
1878 * connection, if a renegotiation occurs).
1880 * \param cc SSL engine context.
1881 * \return the server name (possibly empty).
1883 static inline const char *
1884 br_ssl_engine_get_server_name(const br_ssl_engine_context *cc)
1886 return cc->server_name;
1890 * \brief Get the protocol version.
1892 * This function returns the protocol version that is used by the
1893 * engine. That value is set after sending (for a server) or receiving
1894 * (for a client) the ServerHello message.
1896 * \param cc SSL engine context.
1897 * \return the protocol version.
1899 static inline unsigned
1900 br_ssl_engine_get_version(const br_ssl_engine_context *cc)
1902 return cc->session.version;
1906 * \brief Get a copy of the session parameters.
1908 * The session parameters are filled during the handshake, so this
1909 * function shall not be called before completion of the handshake.
1910 * The initial handshake is completed when the context first allows
1911 * application data to be injected.
1913 * This function copies the current session parameters into the provided
1914 * structure. Beware that the session parameters include the master
1915 * secret, which is sensitive data, to handle with great care.
1917 * \param cc SSL engine context.
1918 * \param pp destination structure for the session parameters.
1921 br_ssl_engine_get_session_parameters(const br_ssl_engine_context *cc,
1922 br_ssl_session_parameters *pp)
1924 memcpy(pp, &cc->session, sizeof *pp);
1928 * \brief Set the session parameters to the provided values.
1930 * This function is meant to be used in the client, before doing a new
1931 * handshake; a session resumption will be attempted with these
1932 * parameters. In the server, this function has no effect.
1934 * \param cc SSL engine context.
1935 * \param pp source structure for the session parameters.
1938 br_ssl_engine_set_session_parameters(br_ssl_engine_context *cc,
1939 const br_ssl_session_parameters *pp)
1941 memcpy(&cc->session, pp, sizeof *pp);
1945 * \brief Get identifier for the curve used for key exchange.
1947 * If the cipher suite uses ECDHE, then this function returns the
1948 * identifier for the curve used for transient parameters. This is
1949 * defined during the course of the handshake, when the ServerKeyExchange
1950 * is sent (on the server) or received (on the client). If the
1951 * cipher suite does not use ECDHE (e.g. static ECDH, or RSA key
1952 * exchange), then this value is indeterminate.
1954 * @param cc SSL engine context.
1955 * @return the ECDHE curve identifier.
1958 br_ssl_engine_get_ecdhe_curve(br_ssl_engine_context *cc)
1960 return cc->ecdhe_curve;
1964 * \brief Get the current engine state.
1966 * An SSL engine (client or server) has, at any time, a state which is
1967 * the combination of zero, one or more of these flags:
1971 * Engine is finished, no more I/O (until next reset).
1973 * - `BR_SSL_SENDREC`
1975 * Engine has some bytes to send to the peer.
1977 * - `BR_SSL_RECVREC`
1979 * Engine expects some bytes from the peer.
1981 * - `BR_SSL_SENDAPP`
1983 * Engine may receive application data to send (or flush).
1985 * - `BR_SSL_RECVAPP`
1987 * Engine has obtained some application data from the peer,
1988 * that should be read by the caller.
1990 * If no flag at all is set (state value is 0), then the engine is not
1991 * fully initialised yet.
1993 * The `BR_SSL_CLOSED` flag is exclusive; when it is set, no other flag
1994 * is set. To distinguish between a normal closure and an error, use
1995 * `br_ssl_engine_last_error()`.
1997 * Generally speaking, `BR_SSL_SENDREC` and `BR_SSL_SENDAPP` are mutually
1998 * exclusive: the input buffer, at any point, either accumulates
1999 * plaintext data, or contains an assembled record that is being sent.
2000 * Similarly, `BR_SSL_RECVREC` and `BR_SSL_RECVAPP` are mutually exclusive.
2001 * This may change in a future library version.
2003 * \param cc SSL engine context.
2004 * \return the current engine state.
2006 unsigned br_ssl_engine_current_state(const br_ssl_engine_context *cc);
2008 /** \brief SSL engine state: closed or failed. */
2009 #define BR_SSL_CLOSED 0x0001
2010 /** \brief SSL engine state: record data is ready to be sent to the peer. */
2011 #define BR_SSL_SENDREC 0x0002
2012 /** \brief SSL engine state: engine may receive records from the peer. */
2013 #define BR_SSL_RECVREC 0x0004
2014 /** \brief SSL engine state: engine may accept application data to send. */
2015 #define BR_SSL_SENDAPP 0x0008
2016 /** \brief SSL engine state: engine has received application data. */
2017 #define BR_SSL_RECVAPP 0x0010
2020 * \brief Get the engine error indicator.
2022 * The error indicator is `BR_ERR_OK` (0) if no error was encountered
2023 * since the last call to `br_ssl_client_reset()` or
2024 * `br_ssl_server_reset()`. Other status values are "sticky": they
2025 * remain set, and prevent all I/O activity, until cleared. Only the
2026 * reset calls clear the error indicator.
2028 * \param cc SSL engine context.
2029 * \return 0, or a non-zero error code.
2032 br_ssl_engine_last_error(const br_ssl_engine_context *cc)
2038 * There are four I/O operations, each identified by a symbolic name:
2040 * sendapp inject application data in the engine
2041 * recvapp retrieving application data from the engine
2042 * sendrec sending records on the transport medium
2043 * recvrec receiving records from the transport medium
2045 * Terminology works thus: in a layered model where the SSL engine sits
2046 * between the application and the network, "send" designates operations
2047 * where bytes flow from application to network, and "recv" for the
2048 * reverse operation. Application data (the plaintext that is to be
2049 * conveyed through SSL) is "app", while encrypted records are "rec".
2050 * Note that from the SSL engine point of view, "sendapp" and "recvrec"
2051 * designate bytes that enter the engine ("inject" operation), while
2052 * "recvapp" and "sendrec" designate bytes that exit the engine
2053 * ("extract" operation).
2055 * For the operation 'xxx', two functions are defined:
2057 * br_ssl_engine_xxx_buf
2058 * Returns a pointer and length to the buffer to use for that
2059 * operation. '*len' is set to the number of bytes that may be read
2060 * from the buffer (extract operation) or written to the buffer
2061 * (inject operation). If no byte may be exchanged for that operation
2062 * at that point, then '*len' is set to zero, and NULL is returned.
2063 * The engine state is unmodified by this call.
2065 * br_ssl_engine_xxx_ack
2066 * Informs the engine that 'len' bytes have been read from the buffer
2067 * (extract operation) or written to the buffer (inject operation).
2068 * The 'len' value MUST NOT be zero. The 'len' value MUST NOT exceed
2069 * that which was obtained from a preceding br_ssl_engine_xxx_buf()
2074 * \brief Get buffer for application data to send.
2076 * If the engine is ready to accept application data to send to the
2077 * peer, then this call returns a pointer to the buffer where such
2078 * data shall be written, and its length is written in `*len`.
2079 * Otherwise, `*len` is set to 0 and `NULL` is returned.
2081 * \param cc SSL engine context.
2082 * \param len receives the application data output buffer length, or 0.
2083 * \return the application data output buffer, or `NULL`.
2085 unsigned char *br_ssl_engine_sendapp_buf(
2086 const br_ssl_engine_context *cc, size_t *len);
2089 * \brief Inform the engine of some new application data.
2091 * After writing `len` bytes in the buffer returned by
2092 * `br_ssl_engine_sendapp_buf()`, the application shall call this
2093 * function to trigger any relevant processing. The `len` parameter
2094 * MUST NOT be 0, and MUST NOT exceed the value obtained in the
2095 * `br_ssl_engine_sendapp_buf()` call.
2097 * \param cc SSL engine context.
2098 * \param len number of bytes pushed (not zero).
2100 void br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len);
2103 * \brief Get buffer for received application data.
2105 * If the engine has received application data from the peer, then this
2106 * call returns a pointer to the buffer from where such data shall be
2107 * read, and its length is written in `*len`. Otherwise, `*len` is set
2108 * to 0 and `NULL` is returned.
2110 * \param cc SSL engine context.
2111 * \param len receives the application data input buffer length, or 0.
2112 * \return the application data input buffer, or `NULL`.
2114 unsigned char *br_ssl_engine_recvapp_buf(
2115 const br_ssl_engine_context *cc, size_t *len);
2118 * \brief Acknowledge some received application data.
2120 * After reading `len` bytes from the buffer returned by
2121 * `br_ssl_engine_recvapp_buf()`, the application shall call this
2122 * function to trigger any relevant processing. The `len` parameter
2123 * MUST NOT be 0, and MUST NOT exceed the value obtained in the
2124 * `br_ssl_engine_recvapp_buf()` call.
2126 * \param cc SSL engine context.
2127 * \param len number of bytes read (not zero).
2129 void br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len);
2132 * \brief Get buffer for record data to send.
2134 * If the engine has prepared some records to send to the peer, then this
2135 * call returns a pointer to the buffer from where such data shall be
2136 * read, and its length is written in `*len`. Otherwise, `*len` is set
2137 * to 0 and `NULL` is returned.
2139 * \param cc SSL engine context.
2140 * \param len receives the record data output buffer length, or 0.
2141 * \return the record data output buffer, or `NULL`.
2143 unsigned char *br_ssl_engine_sendrec_buf(
2144 const br_ssl_engine_context *cc, size_t *len);
2147 * \brief Acknowledge some sent record data.
2149 * After reading `len` bytes from the buffer returned by
2150 * `br_ssl_engine_sendrec_buf()`, the application shall call this
2151 * function to trigger any relevant processing. The `len` parameter
2152 * MUST NOT be 0, and MUST NOT exceed the value obtained in the
2153 * `br_ssl_engine_sendrec_buf()` call.
2155 * \param cc SSL engine context.
2156 * \param len number of bytes read (not zero).
2158 void br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len);
2161 * \brief Get buffer for incoming records.
2163 * If the engine is ready to accept records from the peer, then this
2164 * call returns a pointer to the buffer where such data shall be
2165 * written, and its length is written in `*len`. Otherwise, `*len` is
2166 * set to 0 and `NULL` is returned.
2168 * \param cc SSL engine context.
2169 * \param len receives the record data input buffer length, or 0.
2170 * \return the record data input buffer, or `NULL`.
2172 unsigned char *br_ssl_engine_recvrec_buf(
2173 const br_ssl_engine_context *cc, size_t *len);
2176 * \brief Inform the engine of some new record data.
2178 * After writing `len` bytes in the buffer returned by
2179 * `br_ssl_engine_recvrec_buf()`, the application shall call this
2180 * function to trigger any relevant processing. The `len` parameter
2181 * MUST NOT be 0, and MUST NOT exceed the value obtained in the
2182 * `br_ssl_engine_recvrec_buf()` call.
2184 * \param cc SSL engine context.
2185 * \param len number of bytes pushed (not zero).
2187 void br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len);
2190 * \brief Flush buffered application data.
2192 * If some application data has been buffered in the engine, then wrap
2193 * it into a record and mark it for sending. If no application data has
2194 * been buffered but the engine would be ready to accept some, AND the
2195 * `force` parameter is non-zero, then an empty record is assembled and
2196 * marked for sending. In all other cases, this function does nothing.
2198 * Empty records are technically legal, but not all existing SSL/TLS
2199 * implementations support them. Empty records can be useful as a
2200 * transparent "keep-alive" mechanism to maintain some low-level
2203 * \param cc SSL engine context.
2204 * \param force non-zero to force sending an empty record.
2206 void br_ssl_engine_flush(br_ssl_engine_context *cc, int force);
2209 * \brief Initiate a closure.
2211 * If, at that point, the context is open and in ready state, then a
2212 * `close_notify` alert is assembled and marked for sending; this
2213 * triggers the closure protocol. Otherwise, no such alert is assembled.
2215 * \param cc SSL engine context.
2217 void br_ssl_engine_close(br_ssl_engine_context *cc);
2220 * \brief Initiate a renegotiation.
2222 * If the engine is failed or closed, or if the peer is known not to
2223 * support secure renegotiation (RFC 5746), or if renegotiations have
2224 * been disabled with the `BR_OPT_NO_RENEGOTIATION` flag, or if there
2225 * is buffered incoming application data, then this function returns 0
2226 * and nothing else happens.
2228 * Otherwise, this function returns 1, and a renegotiation attempt is
2229 * triggered (if a handshake is already ongoing at that point, then
2230 * no new handshake is triggered).
2232 * \param cc SSL engine context.
2233 * \return 1 on success, 0 on error.
2235 int br_ssl_engine_renegotiate(br_ssl_engine_context *cc);
2238 * \brief Export key material from a connected SSL engine (RFC 5705).
2240 * This calls compute a secret key of arbitrary length from the master
2241 * secret of a connected SSL engine. If the provided context is not
2242 * currently in "application data" state (initial handshake is not
2243 * finished, another handshake is ongoing, or the connection failed or
2244 * was closed), then this function returns 0. Otherwise, a secret key of
2245 * length `len` bytes is computed and written in the buffer pointed to
2246 * by `dst`, and 1 is returned.
2248 * The computed key follows the specification described in RFC 5705.
2249 * That RFC includes two key computations, with and without a "context
2250 * value". If `context` is `NULL`, then the variant without context is
2251 * used; otherwise, the `context_len` bytes located at the address
2252 * pointed to by `context` are used in the computation. Note that it
2253 * is possible to have a "with context" key with a context length of
2254 * zero bytes, by setting `context` to a non-`NULL` value but
2255 * `context_len` to 0.
2257 * When context bytes are used, the context length MUST NOT exceed
2260 * \param cc SSL engine context.
2261 * \param dst destination buffer for exported key.
2262 * \param len exported key length (in bytes).
2263 * \param label disambiguation label.
2264 * \param context context value (or `NULL`).
2265 * \param context_len context length (in bytes).
2266 * \return 1 on success, 0 on error.
2268 int br_ssl_key_export(br_ssl_engine_context *cc,
2269 void *dst, size_t len, const char *label,
2270 const void *context, size_t context_len);
2273 * Pre-declaration for the SSL client context.
2275 typedef struct br_ssl_client_context_ br_ssl_client_context;
2278 * \brief Type for the client certificate, if requested by the server.
2282 * \brief Authentication type.
2284 * This is either `BR_AUTH_RSA` (RSA signature), `BR_AUTH_ECDSA`
2285 * (ECDSA signature), or `BR_AUTH_ECDH` (static ECDH key exchange).
2290 * \brief Hash function for computing the CertificateVerify.
2292 * This is the symbolic identifier for the hash function that
2293 * will be used to produce the hash of handshake messages, to
2294 * be signed into the CertificateVerify. For full static ECDH
2295 * (client and server certificates are both EC in the same
2296 * curve, and static ECDH is used), this value is set to -1.
2298 * Take care that with TLS 1.0 and 1.1, that value MUST match
2299 * the protocol requirements: value must be 0 (MD5+SHA-1) for
2300 * a RSA signature, or 2 (SHA-1) for an ECDSA signature. Only
2301 * TLS 1.2 allows for other hash functions.
2306 * \brief Certificate chain to send to the server.
2308 * This is an array of `br_x509_certificate` objects, each
2309 * normally containing a DER-encoded certificate. The client
2310 * code does not try to decode these elements. If there is no
2311 * chain to send to the server, then this pointer shall be
2314 const br_x509_certificate *chain;
2317 * \brief Certificate chain length (number of certificates).
2319 * If there is no chain to send to the server, then this value
2320 * shall be set to 0.
2324 } br_ssl_client_certificate;
2327 * Note: the constants below for signatures match the TLS constants.
2330 /** \brief Client authentication type: static ECDH. */
2331 #define BR_AUTH_ECDH 0
2332 /** \brief Client authentication type: RSA signature. */
2333 #define BR_AUTH_RSA 1
2334 /** \brief Client authentication type: ECDSA signature. */
2335 #define BR_AUTH_ECDSA 3
2338 * \brief Class type for a certificate handler (client side).
2340 * A certificate handler selects a client certificate chain to send to
2341 * the server, upon explicit request from that server. It receives
2342 * the list of trust anchor DN from the server, and supported types
2343 * of certificates and signatures, and returns the chain to use. It
2344 * is also invoked to perform the corresponding private key operation
2345 * (a signature, or an ECDH computation).
2347 * The SSL client engine will first push the trust anchor DN with
2348 * `start_name_list()`, `start_name()`, `append_name()`, `end_name()`
2349 * and `end_name_list()`. Then it will call `choose()`, to select the
2350 * actual chain (and signature/hash algorithms). Finally, it will call
2351 * either `do_sign()` or `do_keyx()`, depending on the algorithm choices.
2353 typedef struct br_ssl_client_certificate_class_ br_ssl_client_certificate_class;
2354 struct br_ssl_client_certificate_class_ {
2356 * \brief Context size (in bytes).
2358 size_t context_size;
2361 * \brief Begin reception of a list of trust anchor names. This
2362 * is called while parsing the incoming CertificateRequest.
2364 * \param pctx certificate handler context.
2366 void (*start_name_list)(const br_ssl_client_certificate_class **pctx);
2369 * \brief Begin reception of a new trust anchor name.
2371 * The total encoded name length is provided; it is less than
2374 * \param pctx certificate handler context.
2375 * \param len encoded name length (in bytes).
2377 void (*start_name)(const br_ssl_client_certificate_class **pctx,
2381 * \brief Receive some more bytes for the current trust anchor name.
2383 * The provided reference (`data`) points to a transient buffer
2384 * they may be reused as soon as this function returns. The chunk
2385 * length (`len`) is never zero.
2387 * \param pctx certificate handler context.
2388 * \param data anchor name chunk.
2389 * \param len anchor name chunk length (in bytes).
2391 void (*append_name)(const br_ssl_client_certificate_class **pctx,
2392 const unsigned char *data, size_t len);
2395 * \brief End current trust anchor name.
2397 * This function is called when all the encoded anchor name data
2398 * has been provided.
2400 * \param pctx certificate handler context.
2402 void (*end_name)(const br_ssl_client_certificate_class **pctx);
2405 * \brief End list of trust anchor names.
2407 * This function is called when all the anchor names in the
2408 * CertificateRequest message have been obtained.
2410 * \param pctx certificate handler context.
2412 void (*end_name_list)(const br_ssl_client_certificate_class **pctx);
2415 * \brief Select client certificate and algorithms.
2417 * This callback function shall fill the provided `choices`
2418 * structure with the selected algorithms and certificate chain.
2419 * The `hash_id`, `chain` and `chain_len` fields must be set. If
2420 * the client cannot or does not wish to send a certificate,
2421 * then it shall set `chain` to `NULL` and `chain_len` to 0.
2423 * The `auth_types` parameter describes the authentication types,
2424 * signature algorithms and hash functions that are supported by
2425 * both the client context and the server, and compatible with
2426 * the current protocol version. This is a bit field with the
2427 * following contents:
2429 * - If RSA signatures with hash function x are supported, then
2432 * - If ECDSA signatures with hash function x are supported,
2433 * then bit 8+x is set.
2435 * - If static ECDH is supported, with a RSA-signed certificate,
2436 * then bit 16 is set.
2438 * - If static ECDH is supported, with an ECDSA-signed certificate,
2439 * then bit 17 is set.
2443 * - When using TLS 1.0 or 1.1, the hash function for RSA
2444 * signatures is always the special MD5+SHA-1 (id 0), and the
2445 * hash function for ECDSA signatures is always SHA-1 (id 2).
2447 * - When using TLS 1.2, the list of hash functions is trimmed
2448 * down to include only hash functions that the client context
2449 * can support. The actual server list can be obtained with
2450 * `br_ssl_client_get_server_hashes()`; that list may be used
2451 * to select the certificate chain to send to the server.
2453 * \param pctx certificate handler context.
2454 * \param cc SSL client context.
2455 * \param auth_types supported authentication types and algorithms.
2456 * \param choices destination structure for the policy choices.
2458 void (*choose)(const br_ssl_client_certificate_class **pctx,
2459 const br_ssl_client_context *cc, uint32_t auth_types,
2460 br_ssl_client_certificate *choices);
2463 * \brief Perform key exchange (client part).
2465 * This callback is invoked in case of a full static ECDH key
2468 * - the cipher suite uses `ECDH_RSA` or `ECDH_ECDSA`;
2470 * - the server requests a client certificate;
2472 * - the client has, and sends, a client certificate that
2473 * uses an EC key in the same curve as the server's key,
2474 * and chooses static ECDH (the `hash_id` field in the choice
2475 * structure was set to -1).
2477 * In that situation, this callback is invoked to compute the
2478 * client-side ECDH: the provided `data` (of length `*len` bytes)
2479 * is the server's public key point (as decoded from its
2480 * certificate), and the client shall multiply that point with
2481 * its own private key, and write back the X coordinate of the
2482 * resulting point in the same buffer, starting at offset 0.
2483 * The `*len` value shall be modified to designate the actual
2484 * length of the X coordinate.
2486 * The callback must uphold the following:
2488 * - If the input array does not have the proper length for
2489 * an encoded curve point, then an error (0) shall be reported.
2491 * - If the input array has the proper length, then processing
2492 * MUST be constant-time, even if the data is not a valid
2495 * - This callback MUST check that the input point is valid.
2497 * Returned value is 1 on success, 0 on error.
2499 * \param pctx certificate handler context.
2500 * \param data server public key point.
2501 * \param len public key point length / X coordinate length.
2502 * \return 1 on success, 0 on error.
2504 uint32_t (*do_keyx)(const br_ssl_client_certificate_class **pctx,
2505 unsigned char *data, size_t *len);
2508 * \brief Perform a signature (client authentication).
2510 * This callback is invoked when a client certificate was sent,
2511 * and static ECDH is not used. It shall compute a signature,
2512 * using the client's private key, over the provided hash value
2513 * (which is the hash of all previous handshake messages).
2515 * On input, the hash value to sign is in `data`, of size
2516 * `hv_len`; the involved hash function is identified by
2517 * `hash_id`. The signature shall be computed and written
2518 * back into `data`; the total size of that buffer is `len`
2521 * This callback shall verify that the signature length does not
2522 * exceed `len` bytes, and abstain from writing the signature if
2525 * For RSA signatures, the `hash_id` may be 0, in which case
2526 * this is the special header-less signature specified in TLS 1.0
2527 * and 1.1, with a 36-byte hash value. Otherwise, normal PKCS#1
2528 * v1.5 signatures shall be computed.
2530 * For ECDSA signatures, the signature value shall use the ASN.1
2533 * Returned value is the signature length (in bytes), or 0 on error.
2535 * \param pctx certificate handler context.
2536 * \param hash_id hash function identifier.
2537 * \param hv_len hash value length (in bytes).
2538 * \param data input/output buffer (hash value, then signature).
2539 * \param len total buffer length (in bytes).
2540 * \return signature length (in bytes) on success, or 0 on error.
2542 size_t (*do_sign)(const br_ssl_client_certificate_class **pctx,
2543 int hash_id, size_t hv_len, unsigned char *data, size_t len);
2547 * \brief A single-chain RSA client certificate handler.
2549 * This handler uses a single certificate chain, with a RSA
2550 * signature. The list of trust anchor DN is ignored.
2552 * Apart from the first field (vtable pointer), its contents are
2553 * opaque and shall not be accessed directly.
2556 /** \brief Pointer to vtable. */
2557 const br_ssl_client_certificate_class *vtable;
2558 #ifndef BR_DOXYGEN_IGNORE
2559 const br_x509_certificate *chain;
2561 const br_rsa_private_key *sk;
2562 br_rsa_pkcs1_sign irsasign;
2564 } br_ssl_client_certificate_rsa_context;
2567 * \brief A single-chain EC client certificate handler.
2569 * This handler uses a single certificate chain, with a RSA
2570 * signature. The list of trust anchor DN is ignored.
2572 * This handler may support both static ECDH, and ECDSA signatures
2573 * (either usage may be selectively disabled).
2575 * Apart from the first field (vtable pointer), its contents are
2576 * opaque and shall not be accessed directly.
2579 /** \brief Pointer to vtable. */
2580 const br_ssl_client_certificate_class *vtable;
2581 #ifndef BR_DOXYGEN_IGNORE
2582 const br_x509_certificate *chain;
2584 const br_ec_private_key *sk;
2585 unsigned allowed_usages;
2586 unsigned issuer_key_type;
2587 const br_multihash_context *mhash;
2588 const br_ec_impl *iec;
2589 br_ecdsa_sign iecdsa;
2591 } br_ssl_client_certificate_ec_context;
2594 * \brief Context structure for a SSL client.
2596 * The first field (called `eng`) is the SSL engine; all functions that
2597 * work on a `br_ssl_engine_context` structure shall take as parameter
2598 * a pointer to that field. The other structure fields are opaque and
2599 * must not be accessed directly.
2601 struct br_ssl_client_context_ {
2603 * \brief The encapsulated engine context.
2605 br_ssl_engine_context eng;
2607 #ifndef BR_DOXYGEN_IGNORE
2609 * Minimum ClientHello length; padding with an extension (RFC
2610 * 7685) is added if necessary to match at least that length.
2611 * Such padding is nominally unnecessary, but it has been used
2612 * to work around some server implementation bugs.
2614 uint16_t min_clienthello_len;
2617 * Bit field for algoithms (hash + signature) supported by the
2618 * server when requesting a client certificate.
2623 * Server's public key curve.
2628 * Context for certificate handler.
2630 const br_ssl_client_certificate_class **client_auth_vtable;
2633 * Client authentication type.
2635 unsigned char auth_type;
2638 * Hash function to use for the client signature. This is 0xFF
2639 * if static ECDH is used.
2641 unsigned char hash_id;
2644 * For the core certificate handlers, thus avoiding (in most
2645 * cases) the need for an externally provided policy context.
2648 const br_ssl_client_certificate_class *vtable;
2649 br_ssl_client_certificate_rsa_context single_rsa;
2650 br_ssl_client_certificate_ec_context single_ec;
2656 br_rsa_public irsapub;
2661 * \brief Get the hash functions and signature algorithms supported by
2664 * This value is a bit field:
2666 * - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`,
2667 * then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
2668 * or 2 to 6 for the SHA family).
2670 * - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
2673 * - Newer algorithms are symbolic 16-bit identifiers that do not
2674 * represent signature algorithm and hash function separately. If
2675 * the TLS-level identifier is `0x0800+x` for a `x` in the 0..15
2676 * range, then bit `16+x` is set.
2678 * "New algorithms" are currently defined only in draft documents, so
2679 * this support is subject to possible change. Right now (early 2017),
2680 * this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA
2681 * on Curve448) to bit 24. If the identifiers on the wire change in
2682 * future document, then the decoding mechanism in BearSSL will be
2683 * amended to keep mapping ed25519 and ed448 on bits 23 and 24,
2684 * respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not
2687 * \param cc client context.
2688 * \return the server-supported hash functions and signature algorithms.
2690 static inline uint32_t
2691 br_ssl_client_get_server_hashes(const br_ssl_client_context *cc)
2697 * \brief Get the server key curve.
2699 * This function returns the ID for the curve used by the server's public
2700 * key. This is set when the server's certificate chain is processed;
2701 * this value is 0 if the server's key is not an EC key.
2703 * \return the server's public key curve ID, or 0.
2706 br_ssl_client_get_server_curve(const br_ssl_client_context *cc)
2708 return cc->server_curve;
2712 * Each br_ssl_client_init_xxx() function sets the list of supported
2713 * cipher suites and used implementations, as specified by the profile
2714 * name 'xxx'. Defined profile names are:
2716 * full all supported versions and suites; constant-time implementations
2717 * TODO: add other profiles
2721 * \brief SSL client profile: full.
2723 * This function initialises the provided SSL client context with
2724 * all supported algorithms and cipher suites. It also initialises
2725 * a companion X.509 validation engine with all supported algorithms,
2726 * and the provided trust anchors; the X.509 engine will be used by
2727 * the client context to validate the server's certificate.
2729 * \param cc client context to initialise.
2730 * \param xc X.509 validation context to initialise.
2731 * \param trust_anchors trust anchors to use.
2732 * \param trust_anchors_num number of trust anchors.
2734 void br_ssl_client_init_full(br_ssl_client_context *cc,
2735 br_x509_minimal_context *xc,
2736 const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
2739 * \brief Clear the complete contents of a SSL client context.
2741 * Everything is cleared, including the reference to the configured buffer,
2742 * implementations, cipher suites and state. This is a preparatory step
2743 * to assembling a custom profile.
2745 * \param cc client context to clear.
2747 void br_ssl_client_zero(br_ssl_client_context *cc);
2750 * \brief Set an externally provided client certificate handler context.
2752 * The handler's methods are invoked when the server requests a client
2755 * \param cc client context.
2756 * \param pctx certificate handler context (pointer to its vtable field).
2759 br_ssl_client_set_client_certificate(br_ssl_client_context *cc,
2760 const br_ssl_client_certificate_class **pctx)
2762 cc->client_auth_vtable = pctx;
2766 * \brief Set the RSA public-key operations implementation.
2768 * This will be used to encrypt the pre-master secret with the server's
2769 * RSA public key (RSA-encryption cipher suites only).
2771 * \param cc client context.
2772 * \param irsapub RSA public-key encryption implementation.
2775 br_ssl_client_set_rsapub(br_ssl_client_context *cc, br_rsa_public irsapub)
2777 cc->irsapub = irsapub;
2781 * \brief Set the "default" RSA implementation for public-key operations.
2783 * This sets the RSA implementation in the client context (for encrypting
2784 * the pre-master secret, in `TLS_RSA_*` cipher suites) to the fastest
2785 * available on the current platform.
2787 * \param cc client context.
2789 void br_ssl_client_set_default_rsapub(br_ssl_client_context *cc);
2792 * \brief Set the minimum ClientHello length (RFC 7685 padding).
2794 * If this value is set and the ClientHello would be shorter, then
2795 * the Pad ClientHello extension will be added with enough padding bytes
2796 * to reach the target size. Because of the extension header, the resulting
2797 * size will sometimes be slightly more than `len` bytes if the target
2798 * size cannot be exactly met.
2800 * The target length relates to the _contents_ of the ClientHello, not
2801 * counting its 4-byte header. For instance, if `len` is set to 512,
2802 * then the padding will bring the ClientHello size to 516 bytes with its
2803 * header, and 521 bytes when counting the 5-byte record header.
2805 * \param cc client context.
2806 * \param len minimum ClientHello length (in bytes).
2809 br_ssl_client_set_min_clienthello_len(br_ssl_client_context *cc, uint16_t len)
2811 cc->min_clienthello_len = len;
2815 * \brief Prepare or reset a client context for a new connection.
2817 * The `server_name` parameter is used to fill the SNI extension; the
2818 * X.509 "minimal" engine will also match that name against the server
2819 * names included in the server's certificate. If the parameter is
2820 * `NULL` then no SNI extension will be sent, and the X.509 "minimal"
2821 * engine (if used for server certificate validation) will not check
2822 * presence of any specific name in the received certificate.
2824 * Therefore, setting the `server_name` to `NULL` shall be reserved
2825 * to cases where alternate or additional methods are used to ascertain
2826 * that the right server public key is used (e.g. a "known key" model).
2828 * If `resume_session` is non-zero and the context was previously used
2829 * then the session parameters may be reused (depending on whether the
2830 * server previously sent a non-empty session ID, and accepts the session
2831 * resumption). The session parameters for session resumption can also
2832 * be set explicitly with `br_ssl_engine_set_session_parameters()`.
2834 * On failure, the context is marked as failed, and this function
2835 * returns 0. A possible failure condition is when no initial entropy
2836 * was injected, and none could be obtained from the OS (either OS
2837 * randomness gathering is not supported, or it failed).
2839 * \param cc client context.
2840 * \param server_name target server name, or `NULL`.
2841 * \param resume_session non-zero to try session resumption.
2842 * \return 0 on failure, 1 on success.
2844 int br_ssl_client_reset(br_ssl_client_context *cc,
2845 const char *server_name, int resume_session);
2848 * \brief Forget any session in the context.
2850 * This means that the next handshake that uses this context will
2851 * necessarily be a full handshake (this applies both to new connections
2852 * and to renegotiations).
2854 * \param cc client context.
2857 br_ssl_client_forget_session(br_ssl_client_context *cc)
2859 cc->eng.session.session_id_len = 0;
2863 * \brief Set client certificate chain and key (single RSA case).
2865 * This function sets a client certificate chain, that the client will
2866 * send to the server whenever a client certificate is requested. This
2867 * certificate uses an RSA public key; the corresponding private key is
2868 * invoked for authentication. Trust anchor names sent by the server are
2871 * The provided chain and private key are linked in the client context;
2872 * they must remain valid as long as they may be used, i.e. normally
2873 * for the duration of the connection, since they might be invoked
2874 * again upon renegotiations.
2876 * \param cc SSL client context.
2877 * \param chain client certificate chain (SSL order: EE comes first).
2878 * \param chain_len client chain length (number of certificates).
2879 * \param sk client private key.
2880 * \param irsasign RSA signature implementation (PKCS#1 v1.5).
2882 void br_ssl_client_set_single_rsa(br_ssl_client_context *cc,
2883 const br_x509_certificate *chain, size_t chain_len,
2884 const br_rsa_private_key *sk, br_rsa_pkcs1_sign irsasign);
2887 * \brief Set the client certificate chain and key (single EC case).
2889 * This function sets a client certificate chain, that the client will
2890 * send to the server whenever a client certificate is requested. This
2891 * certificate uses an EC public key; the corresponding private key is
2892 * invoked for authentication. Trust anchor names sent by the server are
2895 * The provided chain and private key are linked in the client context;
2896 * they must remain valid as long as they may be used, i.e. normally
2897 * for the duration of the connection, since they might be invoked
2898 * again upon renegotiations.
2900 * The `allowed_usages` is a combination of usages, namely
2901 * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`. The `BR_KEYTYPE_KEYX`
2902 * value allows full static ECDH, while the `BR_KEYTYPE_SIGN` value
2903 * allows ECDSA signatures. If ECDSA signatures are used, then an ECDSA
2904 * signature implementation must be provided; otherwise, the `iecdsa`
2905 * parameter may be 0.
2907 * The `cert_issuer_key_type` value is either `BR_KEYTYPE_RSA` or
2908 * `BR_KEYTYPE_EC`; it is the type of the public key used the the CA
2909 * that issued (signed) the client certificate. That value is used with
2910 * full static ECDH: support of the certificate by the server depends
2911 * on how the certificate was signed. (Note: when using TLS 1.2, this
2912 * parameter is ignored; but its value matters for TLS 1.0 and 1.1.)
2914 * \param cc server context.
2915 * \param chain server certificate chain to send.
2916 * \param chain_len chain length (number of certificates).
2917 * \param sk server private key (EC).
2918 * \param allowed_usages allowed private key usages.
2919 * \param cert_issuer_key_type issuing CA's key type.
2920 * \param iec EC core implementation.
2921 * \param iecdsa ECDSA signature implementation ("asn1" format).
2923 void br_ssl_client_set_single_ec(br_ssl_client_context *cc,
2924 const br_x509_certificate *chain, size_t chain_len,
2925 const br_ec_private_key *sk, unsigned allowed_usages,
2926 unsigned cert_issuer_key_type,
2927 const br_ec_impl *iec, br_ecdsa_sign iecdsa);
2930 * \brief Type for a "translated cipher suite", as an array of two
2933 * The first element is the cipher suite identifier (as used on the wire).
2934 * The second element is the concatenation of four 4-bit elements which
2935 * characterise the cipher suite contents. In most to least significant
2936 * order, these 4-bit elements are:
2938 * - Bits 12 to 15: key exchange + server key type
2940 * | val | symbolic constant | suite type | details |
2941 * | :-- | :----------------------- | :---------- | :----------------------------------------------- |
2942 * | 0 | `BR_SSLKEYX_RSA` | RSA | RSA key exchange, key is RSA (encryption) |
2943 * | 1 | `BR_SSLKEYX_ECDHE_RSA` | ECDHE_RSA | ECDHE key exchange, key is RSA (signature) |
2944 * | 2 | `BR_SSLKEYX_ECDHE_ECDSA` | ECDHE_ECDSA | ECDHE key exchange, key is EC (signature) |
2945 * | 3 | `BR_SSLKEYX_ECDH_RSA` | ECDH_RSA | Key is EC (key exchange), cert signed with RSA |
2946 * | 4 | `BR_SSLKEYX_ECDH_ECDSA` | ECDH_ECDSA | Key is EC (key exchange), cert signed with ECDSA |
2948 * - Bits 8 to 11: symmetric encryption algorithm
2950 * | val | symbolic constant | symmetric encryption | key strength (bits) |
2951 * | :-- | :--------------------- | :------------------- | :------------------ |
2952 * | 0 | `BR_SSLENC_3DES_CBC` | 3DES/CBC | 168 |
2953 * | 1 | `BR_SSLENC_AES128_CBC` | AES-128/CBC | 128 |
2954 * | 2 | `BR_SSLENC_AES256_CBC` | AES-256/CBC | 256 |
2955 * | 3 | `BR_SSLENC_AES128_GCM` | AES-128/GCM | 128 |
2956 * | 4 | `BR_SSLENC_AES256_GCM` | AES-256/GCM | 256 |
2957 * | 5 | `BR_SSLENC_CHACHA20` | ChaCha20/Poly1305 | 256 |
2959 * - Bits 4 to 7: MAC algorithm
2961 * | val | symbolic constant | MAC type | details |
2962 * | :-- | :----------------- | :----------- | :------------------------------------ |
2963 * | 0 | `BR_SSLMAC_AEAD` | AEAD | No dedicated MAC (encryption is AEAD) |
2964 * | 2 | `BR_SSLMAC_SHA1` | HMAC/SHA-1 | Value matches `br_sha1_ID` |
2965 * | 4 | `BR_SSLMAC_SHA256` | HMAC/SHA-256 | Value matches `br_sha256_ID` |
2966 * | 5 | `BR_SSLMAC_SHA384` | HMAC/SHA-384 | Value matches `br_sha384_ID` |
2968 * - Bits 0 to 3: hash function for PRF when used with TLS-1.2
2970 * | val | symbolic constant | hash function | details |
2971 * | :-- | :----------------- | :------------ | :----------------------------------- |
2972 * | 4 | `BR_SSLPRF_SHA256` | SHA-256 | Value matches `br_sha256_ID` |
2973 * | 5 | `BR_SSLPRF_SHA384` | SHA-384 | Value matches `br_sha384_ID` |
2975 * For instance, cipher suite `TLS_RSA_WITH_AES_128_GCM_SHA256` has
2976 * standard identifier 0x009C, and is translated to 0x0304, for, in
2977 * that order: RSA key exchange (0), AES-128/GCM (3), AEAD integrity (0),
2978 * SHA-256 in the TLS PRF (4).
2980 typedef uint16_t br_suite_translated[2];
2982 #ifndef BR_DOXYGEN_IGNORE
2984 * Constants are already documented in the br_suite_translated type.
2987 #define BR_SSLKEYX_RSA 0
2988 #define BR_SSLKEYX_ECDHE_RSA 1
2989 #define BR_SSLKEYX_ECDHE_ECDSA 2
2990 #define BR_SSLKEYX_ECDH_RSA 3
2991 #define BR_SSLKEYX_ECDH_ECDSA 4
2993 #define BR_SSLENC_3DES_CBC 0
2994 #define BR_SSLENC_AES128_CBC 1
2995 #define BR_SSLENC_AES256_CBC 2
2996 #define BR_SSLENC_AES128_GCM 3
2997 #define BR_SSLENC_AES256_GCM 4
2998 #define BR_SSLENC_CHACHA20 5
3000 #define BR_SSLMAC_AEAD 0
3001 #define BR_SSLMAC_SHA1 br_sha1_ID
3002 #define BR_SSLMAC_SHA256 br_sha256_ID
3003 #define BR_SSLMAC_SHA384 br_sha384_ID
3005 #define BR_SSLPRF_SHA256 br_sha256_ID
3006 #define BR_SSLPRF_SHA384 br_sha384_ID
3011 * Pre-declaration for the SSL server context.
3013 typedef struct br_ssl_server_context_ br_ssl_server_context;
3016 * \brief Type for the server policy choices, taken after analysis of
3017 * the client message (ClientHello).
3021 * \brief Cipher suite to use with that client.
3023 uint16_t cipher_suite;
3026 * \brief Hash function or algorithm for signing the ServerKeyExchange.
3028 * This parameter is ignored for `TLS_RSA_*` and `TLS_ECDH_*`
3029 * cipher suites; it is used only for `TLS_ECDHE_*` suites, in
3030 * which the server _signs_ the ephemeral EC Diffie-Hellman
3031 * parameters sent to the client.
3033 * This identifier must be one of the following values:
3035 * - `0xFF00 + id`, where `id` is a hash function identifier
3036 * (0 for MD5+SHA-1, or 2 to 6 for one of the SHA functions);
3038 * - a full 16-bit identifier, lower than `0xFF00`.
3040 * If the first option is used, then the SSL engine will
3041 * compute the hash of the data that is to be signed, with the
3042 * designated hash function. The `do_sign()` method will be
3043 * invoked with that hash value provided in the the `data`
3046 * If the second option is used, then the SSL engine will NOT
3047 * compute a hash on the data; instead, it will provide the
3048 * to-be-signed data itself in `data`, i.e. the concatenation of
3049 * the client random, server random, and encoded ECDH
3050 * parameters. Furthermore, with TLS-1.2 and later, the 16-bit
3051 * identifier will be used "as is" in the protocol, in the
3052 * SignatureAndHashAlgorithm; for instance, `0x0401` stands for
3053 * RSA PKCS#1 v1.5 signature (the `01`) with SHA-256 as hash
3054 * function (the `04`).
3056 * Take care that with TLS 1.0 and 1.1, the hash function is
3057 * constrainted by the protocol: RSA signature must use
3058 * MD5+SHA-1 (so use `0xFF00`), while ECDSA must use SHA-1
3059 * (`0xFF02`). Since TLS 1.0 and 1.1 don't include a
3060 * SignatureAndHashAlgorithm field in their ServerKeyExchange
3061 * messages, any value below `0xFF00` will be usable to send the
3062 * raw ServerKeyExchange data to the `do_sign()` callback, but
3063 * that callback must still follow the protocol requirements
3064 * when generating the signature.
3069 * \brief Certificate chain to send to the client.
3071 * This is an array of `br_x509_certificate` objects, each
3072 * normally containing a DER-encoded certificate. The server
3073 * code does not try to decode these elements.
3075 const br_x509_certificate *chain;
3078 * \brief Certificate chain length (number of certificates).
3082 } br_ssl_server_choices;
3085 * \brief Class type for a policy handler (server side).
3087 * A policy handler selects the policy parameters for a connection
3088 * (cipher suite and other algorithms, and certificate chain to send to
3089 * the client); it also performs the server-side computations involving
3090 * its permanent private key.
3092 * The SSL server engine will invoke first `choose()`, once the
3093 * ClientHello message has been received, then either `do_keyx()`
3094 * `do_sign()`, depending on the cipher suite.
3096 typedef struct br_ssl_server_policy_class_ br_ssl_server_policy_class;
3097 struct br_ssl_server_policy_class_ {
3099 * \brief Context size (in bytes).
3101 size_t context_size;
3104 * \brief Select algorithms and certificates for this connection.
3106 * This callback function shall fill the provided `choices`
3107 * structure with the policy choices for this connection. This
3108 * entails selecting the cipher suite, hash function for signing
3109 * the ServerKeyExchange (applicable only to ECDHE cipher suites),
3110 * and certificate chain to send.
3112 * The callback receives a pointer to the server context that
3113 * contains the relevant data. In particular, the functions
3114 * `br_ssl_server_get_client_suites()`,
3115 * `br_ssl_server_get_client_hashes()` and
3116 * `br_ssl_server_get_client_curves()` can be used to obtain
3117 * the cipher suites, hash functions and elliptic curves
3118 * supported by both the client and server, respectively. The
3119 * `br_ssl_engine_get_version()` and `br_ssl_engine_get_server_name()`
3120 * functions yield the protocol version and requested server name
3121 * (SNI), respectively.
3123 * This function may modify its context structure (`pctx`) in
3124 * arbitrary ways to keep track of its own choices.
3126 * This function shall return 1 if appropriate policy choices
3127 * could be made, or 0 if this connection cannot be pursued.
3129 * \param pctx policy context.
3130 * \param cc SSL server context.
3131 * \param choices destination structure for the policy choices.
3132 * \return 1 on success, 0 on error.
3134 int (*choose)(const br_ssl_server_policy_class **pctx,
3135 const br_ssl_server_context *cc,
3136 br_ssl_server_choices *choices);
3139 * \brief Perform key exchange (server part).
3141 * This callback is invoked to perform the server-side cryptographic
3142 * operation for a key exchange that is not ECDHE. This callback
3143 * uses the private key.
3145 * **For RSA key exchange**, the provided `data` (of length `*len`
3146 * bytes) shall be decrypted with the server's private key, and
3147 * the 48-byte premaster secret copied back to the first 48 bytes
3150 * - The caller makes sure that `*len` is at least 59 bytes.
3152 * - This callback MUST check that the provided length matches
3153 * that of the key modulus; it shall report an error otherwise.
3155 * - If the length matches that of the RSA key modulus, then
3156 * processing MUST be constant-time, even if decryption fails,
3157 * or the padding is incorrect, or the plaintext message length
3158 * is not exactly 48 bytes.
3160 * - This callback needs not check the two first bytes of the
3161 * obtained pre-master secret (the caller will do that).
3163 * - If an error is reported (0), then what the callback put
3164 * in the first 48 bytes of `data` is unimportant (the caller
3165 * will use random bytes instead).
3167 * **For ECDH key exchange**, the provided `data` (of length `*len`
3168 * bytes) is the elliptic curve point from the client. The
3169 * callback shall multiply it with its private key, and store
3170 * the resulting X coordinate in `data`, starting at offset 0,
3171 * and set `*len` to the length of the X coordinate.
3173 * - If the input array does not have the proper length for
3174 * an encoded curve point, then an error (0) shall be reported.
3176 * - If the input array has the proper length, then processing
3177 * MUST be constant-time, even if the data is not a valid
3180 * - This callback MUST check that the input point is valid.
3182 * Returned value is 1 on success, 0 on error.
3184 * \param pctx policy context.
3185 * \param data key exchange data from the client.
3186 * \param len key exchange data length (in bytes).
3187 * \return 1 on success, 0 on error.
3189 uint32_t (*do_keyx)(const br_ssl_server_policy_class **pctx,
3190 unsigned char *data, size_t *len);
3193 * \brief Perform a signature (for a ServerKeyExchange message).
3195 * This callback function is invoked for ECDHE cipher suites. On
3196 * input, the hash value or message to sign is in `data`, of
3197 * size `hv_len`; the involved hash function or algorithm is
3198 * identified by `algo_id`. The signature shall be computed and
3199 * written back into `data`; the total size of that buffer is
3202 * This callback shall verify that the signature length does not
3203 * exceed `len` bytes, and abstain from writing the signature if
3206 * The `algo_id` value matches that which was written in the
3207 * `choices` structures by the `choose()` callback. This will be
3208 * one of the following:
3210 * - `0xFF00 + id` for a hash function identifier `id`. In
3211 * that case, the `data` buffer contains a hash value
3212 * already computed over the data that is to be signed,
3213 * of length `hv_len`. The `id` may be 0 to designate the
3214 * special MD5+SHA-1 concatenation (old-style RSA signing).
3216 * - Another value, lower than `0xFF00`. The `data` buffer
3217 * then contains the raw, non-hashed data to be signed
3218 * (concatenation of the client and server randoms and
3219 * ECDH parameters). The callback is responsible to apply
3220 * any relevant hashing as part of the signing process.
3222 * Returned value is the signature length (in bytes), or 0 on error.
3224 * \param pctx policy context.
3225 * \param algo_id hash function / algorithm identifier.
3226 * \param data input/output buffer (message/hash, then signature).
3227 * \param hv_len hash value or message length (in bytes).
3228 * \param len total buffer length (in bytes).
3229 * \return signature length (in bytes) on success, or 0 on error.
3231 size_t (*do_sign)(const br_ssl_server_policy_class **pctx,
3233 unsigned char *data, size_t hv_len, size_t len);
3237 * \brief A single-chain RSA policy handler.
3239 * This policy context uses a single certificate chain, and a RSA
3240 * private key. The context can be restricted to only signatures or
3241 * only key exchange.
3243 * Apart from the first field (vtable pointer), its contents are
3244 * opaque and shall not be accessed directly.
3247 /** \brief Pointer to vtable. */
3248 const br_ssl_server_policy_class *vtable;
3249 #ifndef BR_DOXYGEN_IGNORE
3250 const br_x509_certificate *chain;
3252 const br_rsa_private_key *sk;
3253 unsigned allowed_usages;
3254 br_rsa_private irsacore;
3255 br_rsa_pkcs1_sign irsasign;
3257 } br_ssl_server_policy_rsa_context;
3260 * \brief A single-chain EC policy handler.
3262 * This policy context uses a single certificate chain, and an EC
3263 * private key. The context can be restricted to only signatures or
3264 * only key exchange.
3266 * Due to how TLS is defined, this context must be made aware whether
3267 * the server certificate was itself signed with RSA or ECDSA. The code
3268 * does not try to decode the certificate to obtain that information.
3270 * Apart from the first field (vtable pointer), its contents are
3271 * opaque and shall not be accessed directly.
3274 /** \brief Pointer to vtable. */
3275 const br_ssl_server_policy_class *vtable;
3276 #ifndef BR_DOXYGEN_IGNORE
3277 const br_x509_certificate *chain;
3279 const br_ec_private_key *sk;
3280 unsigned allowed_usages;
3281 unsigned cert_issuer_key_type;
3282 const br_multihash_context *mhash;
3283 const br_ec_impl *iec;
3284 br_ecdsa_sign iecdsa;
3286 } br_ssl_server_policy_ec_context;
3289 * \brief Class type for a session parameter cache.
3291 * Session parameters are saved in the cache with `save()`, and
3292 * retrieved with `load()`. The cache implementation can apply any
3293 * storage and eviction strategy that it sees fit. The SSL server
3294 * context that performs the request is provided, so that its
3295 * functionalities may be used by the implementation (e.g. hash
3296 * functions or random number generation).
3298 typedef struct br_ssl_session_cache_class_ br_ssl_session_cache_class;
3299 struct br_ssl_session_cache_class_ {
3301 * \brief Context size (in bytes).
3303 size_t context_size;
3306 * \brief Record a session.
3308 * This callback should record the provided session parameters.
3309 * The `params` structure is transient, so its contents shall
3310 * be copied into the cache. The session ID has been randomly
3311 * generated and always has length exactly 32 bytes.
3313 * \param ctx session cache context.
3314 * \param server_ctx SSL server context.
3315 * \param params session parameters to save.
3317 void (*save)(const br_ssl_session_cache_class **ctx,
3318 br_ssl_server_context *server_ctx,
3319 const br_ssl_session_parameters *params);
3322 * \brief Lookup a session in the cache.
3324 * The session ID to lookup is in `params` and always has length
3325 * exactly 32 bytes. If the session parameters are found in the
3326 * cache, then the parameters shall be copied into the `params`
3327 * structure. Returned value is 1 on successful lookup, 0
3330 * \param ctx session cache context.
3331 * \param server_ctx SSL server context.
3332 * \param params destination for session parameters.
3333 * \return 1 if found, 0 otherwise.
3335 int (*load)(const br_ssl_session_cache_class **ctx,
3336 br_ssl_server_context *server_ctx,
3337 br_ssl_session_parameters *params);
3341 * \brief Context for a basic cache system.
3343 * The system stores session parameters in a buffer provided at
3344 * initialisation time. Each entry uses exactly 100 bytes, and
3345 * buffer sizes up to 4294967295 bytes are supported.
3347 * Entries are evicted with a LRU (Least Recently Used) policy. A
3348 * search tree is maintained to keep lookups fast even with large
3351 * Apart from the first field (vtable pointer), the structure
3352 * contents are opaque and shall not be accessed directly.
3355 /** \brief Pointer to vtable. */
3356 const br_ssl_session_cache_class *vtable;
3357 #ifndef BR_DOXYGEN_IGNORE
3358 unsigned char *store;
3359 size_t store_len, store_ptr;
3360 unsigned char index_key[32];
3361 const br_hash_class *hash;
3363 uint32_t head, tail, root;
3365 } br_ssl_session_cache_lru;
3368 * \brief Initialise a LRU session cache with the provided storage space.
3370 * The provided storage space must remain valid as long as the cache
3371 * is used. Arbitrary lengths are supported, up to 4294967295 bytes;
3372 * each entry uses up exactly 100 bytes.
3374 * \param cc session cache context.
3375 * \param store storage space for cached entries.
3376 * \param store_len storage space length (in bytes).
3378 void br_ssl_session_cache_lru_init(br_ssl_session_cache_lru *cc,
3379 unsigned char *store, size_t store_len);
3382 * \brief Forget an entry in an LRU session cache.
3384 * The session cache context must have been initialised. The entry
3385 * with the provided session ID (of exactly 32 bytes) is looked for
3386 * in the cache; if located, it is disabled.
3388 * \param cc session cache context.
3389 * \param id session ID to forget.
3391 void br_ssl_session_cache_lru_forget(
3392 br_ssl_session_cache_lru *cc, const unsigned char *id);
3395 * \brief Context structure for a SSL server.
3397 * The first field (called `eng`) is the SSL engine; all functions that
3398 * work on a `br_ssl_engine_context` structure shall take as parameter
3399 * a pointer to that field. The other structure fields are opaque and
3400 * must not be accessed directly.
3402 struct br_ssl_server_context_ {
3404 * \brief The encapsulated engine context.
3406 br_ssl_engine_context eng;
3408 #ifndef BR_DOXYGEN_IGNORE
3410 * Maximum version from the client.
3412 uint16_t client_max_version;
3417 const br_ssl_session_cache_class **cache_vtable;
3420 * Translated cipher suites supported by the client. The list
3421 * is trimmed to include only the cipher suites that the
3422 * server also supports; they are in the same order as in the
3425 br_suite_translated client_suites[BR_MAX_CIPHER_SUITES];
3426 unsigned char client_suites_num;
3429 * Hash functions supported by the client, with ECDSA and RSA
3430 * (bit mask). For hash function with id 'x', set bit index is
3431 * x for RSA, x+8 for ECDSA. For newer algorithms, with ID
3432 * 0x08**, bit 16+k is set for algorithm 0x0800+k.
3437 * Curves supported by the client (bit mask, for named curves).
3442 * Context for chain handler.
3444 const br_ssl_server_policy_class **policy_vtable;
3445 uint16_t sign_hash_id;
3448 * For the core handlers, thus avoiding (in most cases) the
3449 * need for an externally provided policy context.
3452 const br_ssl_server_policy_class *vtable;
3453 br_ssl_server_policy_rsa_context single_rsa;
3454 br_ssl_server_policy_ec_context single_ec;
3458 * Buffer for the ECDHE private key.
3460 unsigned char ecdhe_key[70];
3461 size_t ecdhe_key_len;
3464 * Trust anchor names for client authentication. "ta_names" and
3465 * "tas" cannot be both non-NULL.
3467 const br_x500_name *ta_names;
3468 const br_x509_trust_anchor *tas;
3470 size_t cur_dn_index;
3471 const unsigned char *cur_dn;
3475 * Buffer for the hash value computed over all handshake messages
3476 * prior to CertificateVerify, and identifier for the hash function.
3478 unsigned char hash_CV[64];
3483 * Server-specific implementations.
3490 * Each br_ssl_server_init_xxx() function sets the list of supported
3491 * cipher suites and used implementations, as specified by the profile
3492 * name 'xxx'. Defined profile names are:
3494 * full_rsa all supported algorithm, server key type is RSA
3495 * full_ec all supported algorithm, server key type is EC
3496 * TODO: add other profiles
3498 * Naming scheme for "minimal" profiles: min123
3500 * -- character 1: key exchange
3506 * -- character 2: version / PRF
3507 * 0 = TLS 1.0 / 1.1 with MD5+SHA-1
3508 * 2 = TLS 1.2 with SHA-256
3509 * 3 = TLS 1.2 with SHA-384
3510 * -- character 3: encryption
3514 * c = ChaCha20+Poly1305
3518 * \brief SSL server profile: full_rsa.
3520 * This function initialises the provided SSL server context with
3521 * all supported algorithms and cipher suites that rely on a RSA
3524 * \param cc server context to initialise.
3525 * \param chain server certificate chain.
3526 * \param chain_len certificate chain length (number of certificate).
3527 * \param sk RSA private key.
3529 void br_ssl_server_init_full_rsa(br_ssl_server_context *cc,
3530 const br_x509_certificate *chain, size_t chain_len,
3531 const br_rsa_private_key *sk);
3534 * \brief SSL server profile: full_ec.
3536 * This function initialises the provided SSL server context with
3537 * all supported algorithms and cipher suites that rely on an EC
3540 * The key type of the CA that issued the server's certificate must
3541 * be provided, since it matters for ECDH cipher suites (ECDH_RSA
3542 * suites require a RSA-powered CA). The key type is either
3543 * `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`.
3545 * \param cc server context to initialise.
3546 * \param chain server certificate chain.
3547 * \param chain_len chain length (number of certificates).
3548 * \param cert_issuer_key_type certificate issuer's key type.
3549 * \param sk EC private key.
3551 void br_ssl_server_init_full_ec(br_ssl_server_context *cc,
3552 const br_x509_certificate *chain, size_t chain_len,
3553 unsigned cert_issuer_key_type, const br_ec_private_key *sk);
3556 * \brief SSL server profile: minr2g.
3558 * This profile uses only TLS_RSA_WITH_AES_128_GCM_SHA256. Server key is
3559 * RSA, and RSA key exchange is used (not forward secure, but uses little
3560 * CPU in the client).
3562 * \param cc server context to initialise.
3563 * \param chain server certificate chain.
3564 * \param chain_len certificate chain length (number of certificate).
3565 * \param sk RSA private key.
3567 void br_ssl_server_init_minr2g(br_ssl_server_context *cc,
3568 const br_x509_certificate *chain, size_t chain_len,
3569 const br_rsa_private_key *sk);
3572 * \brief SSL server profile: mine2g.
3574 * This profile uses only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Server key
3575 * is RSA, and ECDHE key exchange is used. This suite provides forward
3576 * security, with a higher CPU expense on the client, and a somewhat
3577 * larger code footprint (compared to "minr2g").
3579 * \param cc server context to initialise.
3580 * \param chain server certificate chain.
3581 * \param chain_len certificate chain length (number of certificate).
3582 * \param sk RSA private key.
3584 void br_ssl_server_init_mine2g(br_ssl_server_context *cc,
3585 const br_x509_certificate *chain, size_t chain_len,
3586 const br_rsa_private_key *sk);
3589 * \brief SSL server profile: minf2g.
3591 * This profile uses only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
3592 * Server key is EC, and ECDHE key exchange is used. This suite provides
3593 * forward security, with a higher CPU expense on the client and server
3594 * (by a factor of about 3 to 4), and a somewhat larger code footprint
3595 * (compared to "minu2g" and "minv2g").
3597 * \param cc server context to initialise.
3598 * \param chain server certificate chain.
3599 * \param chain_len certificate chain length (number of certificate).
3600 * \param sk EC private key.
3602 void br_ssl_server_init_minf2g(br_ssl_server_context *cc,
3603 const br_x509_certificate *chain, size_t chain_len,
3604 const br_ec_private_key *sk);
3607 * \brief SSL server profile: minu2g.
3609 * This profile uses only TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256.
3610 * Server key is EC, and ECDH key exchange is used; the issuing CA used
3613 * The "minu2g" and "minv2g" profiles do not provide forward secrecy,
3614 * but are the lightest on the server (for CPU usage), and are rather
3615 * inexpensive on the client as well.
3617 * \param cc server context to initialise.
3618 * \param chain server certificate chain.
3619 * \param chain_len certificate chain length (number of certificate).
3620 * \param sk EC private key.
3622 void br_ssl_server_init_minu2g(br_ssl_server_context *cc,
3623 const br_x509_certificate *chain, size_t chain_len,
3624 const br_ec_private_key *sk);
3627 * \brief SSL server profile: minv2g.
3629 * This profile uses only TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256.
3630 * Server key is EC, and ECDH key exchange is used; the issuing CA used
3633 * The "minu2g" and "minv2g" profiles do not provide forward secrecy,
3634 * but are the lightest on the server (for CPU usage), and are rather
3635 * inexpensive on the client as well.
3637 * \param cc server context to initialise.
3638 * \param chain server certificate chain.
3639 * \param chain_len certificate chain length (number of certificate).
3640 * \param sk EC private key.
3642 void br_ssl_server_init_minv2g(br_ssl_server_context *cc,
3643 const br_x509_certificate *chain, size_t chain_len,
3644 const br_ec_private_key *sk);
3647 * \brief SSL server profile: mine2c.
3649 * This profile uses only TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
3650 * Server key is RSA, and ECDHE key exchange is used. This suite
3651 * provides forward security.
3653 * \param cc server context to initialise.
3654 * \param chain server certificate chain.
3655 * \param chain_len certificate chain length (number of certificate).
3656 * \param sk RSA private key.
3658 void br_ssl_server_init_mine2c(br_ssl_server_context *cc,
3659 const br_x509_certificate *chain, size_t chain_len,
3660 const br_rsa_private_key *sk);
3663 * \brief SSL server profile: minf2c.
3665 * This profile uses only TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.
3666 * Server key is EC, and ECDHE key exchange is used. This suite provides
3669 * \param cc server context to initialise.
3670 * \param chain server certificate chain.
3671 * \param chain_len certificate chain length (number of certificate).
3672 * \param sk EC private key.
3674 void br_ssl_server_init_minf2c(br_ssl_server_context *cc,
3675 const br_x509_certificate *chain, size_t chain_len,
3676 const br_ec_private_key *sk);
3679 * \brief Get the supported client suites.
3681 * This function shall be called only after the ClientHello has been
3682 * processed, typically from the policy engine. The returned array
3683 * contains the cipher suites that are supported by both the client
3684 * and the server; these suites are in client preference order, unless
3685 * the `BR_OPT_ENFORCE_SERVER_PREFERENCES` flag was set, in which case
3686 * they are in server preference order.
3688 * The suites are _translated_, which means that each suite is given
3689 * as two 16-bit integers: the standard suite identifier, and its
3690 * translated version, broken down into its individual components,
3691 * as explained with the `br_suite_translated` type.
3693 * The returned array is allocated in the context and will be rewritten
3694 * by each handshake.
3696 * \param cc server context.
3697 * \param num receives the array size (number of suites).
3698 * \return the translated common cipher suites, in preference order.
3700 static inline const br_suite_translated *
3701 br_ssl_server_get_client_suites(const br_ssl_server_context *cc, size_t *num)
3703 *num = cc->client_suites_num;
3704 return cc->client_suites;
3708 * \brief Get the hash functions and signature algorithms supported by
3711 * This value is a bit field:
3713 * - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`,
3714 * then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1,
3715 * or 2 to 6 for the SHA family).
3717 * - If ECDSA is supported with hash function of ID `x`, then bit `8+x`
3720 * - Newer algorithms are symbolic 16-bit identifiers that do not
3721 * represent signature algorithm and hash function separately. If
3722 * the TLS-level identifier is `0x0800+x` for a `x` in the 0..15
3723 * range, then bit `16+x` is set.
3725 * "New algorithms" are currently defined only in draft documents, so
3726 * this support is subject to possible change. Right now (early 2017),
3727 * this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA
3728 * on Curve448) to bit 24. If the identifiers on the wire change in
3729 * future document, then the decoding mechanism in BearSSL will be
3730 * amended to keep mapping ed25519 and ed448 on bits 23 and 24,
3731 * respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not
3734 * \param cc server context.
3735 * \return the client-supported hash functions and signature algorithms.
3737 static inline uint32_t
3738 br_ssl_server_get_client_hashes(const br_ssl_server_context *cc)
3744 * \brief Get the elliptic curves supported by the client.
3746 * This is a bit field (bit x is set if curve of ID x is supported).
3748 * \param cc server context.
3749 * \return the client-supported elliptic curves.
3751 static inline uint32_t
3752 br_ssl_server_get_client_curves(const br_ssl_server_context *cc)
3758 * \brief Clear the complete contents of a SSL server context.
3760 * Everything is cleared, including the reference to the configured buffer,
3761 * implementations, cipher suites and state. This is a preparatory step
3762 * to assembling a custom profile.
3764 * \param cc server context to clear.
3766 void br_ssl_server_zero(br_ssl_server_context *cc);
3769 * \brief Set an externally provided policy context.
3771 * The policy context's methods are invoked to decide the cipher suite
3772 * and certificate chain, and to perform operations involving the server's
3775 * \param cc server context.
3776 * \param pctx policy context (pointer to its vtable field).
3779 br_ssl_server_set_policy(br_ssl_server_context *cc,
3780 const br_ssl_server_policy_class **pctx)
3782 cc->policy_vtable = pctx;
3786 * \brief Set the server certificate chain and key (single RSA case).
3788 * This function uses a policy context included in the server context.
3789 * It configures use of a single server certificate chain with a RSA
3790 * private key. The `allowed_usages` is a combination of usages, namely
3791 * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables
3792 * the corresponding cipher suites (i.e. `TLS_RSA_*` use the RSA key for
3793 * key exchange, while `TLS_ECDHE_RSA_*` use the RSA key for signatures).
3795 * \param cc server context.
3796 * \param chain server certificate chain to send to the client.
3797 * \param chain_len chain length (number of certificates).
3798 * \param sk server private key (RSA).
3799 * \param allowed_usages allowed private key usages.
3800 * \param irsacore RSA core implementation.
3801 * \param irsasign RSA signature implementation (PKCS#1 v1.5).
3803 void br_ssl_server_set_single_rsa(br_ssl_server_context *cc,
3804 const br_x509_certificate *chain, size_t chain_len,
3805 const br_rsa_private_key *sk, unsigned allowed_usages,
3806 br_rsa_private irsacore, br_rsa_pkcs1_sign irsasign);
3809 * \brief Set the server certificate chain and key (single EC case).
3811 * This function uses a policy context included in the server context.
3812 * It configures use of a single server certificate chain with an EC
3813 * private key. The `allowed_usages` is a combination of usages, namely
3814 * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables
3815 * the corresponding cipher suites (i.e. `TLS_ECDH_*` use the EC key for
3816 * key exchange, while `TLS_ECDHE_ECDSA_*` use the EC key for signatures).
3818 * In order to support `TLS_ECDH_*` cipher suites (non-ephemeral ECDH),
3819 * the algorithm type of the key used by the issuing CA to sign the
3820 * server's certificate must be provided, as `cert_issuer_key_type`
3821 * parameter (this value is either `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`).
3823 * \param cc server context.
3824 * \param chain server certificate chain to send.
3825 * \param chain_len chain length (number of certificates).
3826 * \param sk server private key (EC).
3827 * \param allowed_usages allowed private key usages.
3828 * \param cert_issuer_key_type issuing CA's key type.
3829 * \param iec EC core implementation.
3830 * \param iecdsa ECDSA signature implementation ("asn1" format).
3832 void br_ssl_server_set_single_ec(br_ssl_server_context *cc,
3833 const br_x509_certificate *chain, size_t chain_len,
3834 const br_ec_private_key *sk, unsigned allowed_usages,
3835 unsigned cert_issuer_key_type,
3836 const br_ec_impl *iec, br_ecdsa_sign iecdsa);
3839 * \brief Activate client certificate authentication.
3841 * The trust anchor encoded X.500 names (DN) to send to the client are
3842 * provided. A client certificate will be requested and validated through
3843 * the X.509 validator configured in the SSL engine. If `num` is 0, then
3844 * client certificate authentication is disabled.
3846 * If the client does not send a certificate, or on validation failure,
3847 * the handshake aborts. Unauthenticated clients can be tolerated by
3848 * setting the `BR_OPT_TOLERATE_NO_CLIENT_AUTH` flag.
3850 * The provided array is linked in, not copied, so that pointer must
3851 * remain valid as long as anchor names may be used.
3853 * \param cc server context.
3854 * \param ta_names encoded trust anchor names.
3855 * \param num number of encoded trust anchor names.
3858 br_ssl_server_set_trust_anchor_names(br_ssl_server_context *cc,
3859 const br_x500_name *ta_names, size_t num)
3861 cc->ta_names = ta_names;
3867 * \brief Activate client certificate authentication.
3869 * This is a variant for `br_ssl_server_set_trust_anchor_names()`: the
3870 * trust anchor names are provided not as an array of stand-alone names
3871 * (`br_x500_name` structures), but as an array of trust anchors
3872 * (`br_x509_trust_anchor` structures). The server engine itself will
3873 * only use the `dn` field of each trust anchor. This is meant to allow
3874 * defining a single array of trust anchors, to be used here and in the
3875 * X.509 validation engine itself.
3877 * The provided array is linked in, not copied, so that pointer must
3878 * remain valid as long as anchor names may be used.
3880 * \param cc server context.
3881 * \param tas trust anchors (only names are used).
3882 * \param num number of trust anchors.
3885 br_ssl_server_set_trust_anchor_names_alt(br_ssl_server_context *cc,
3886 const br_x509_trust_anchor *tas, size_t num)
3888 cc->ta_names = NULL;
3894 * \brief Configure the cache for session parameters.
3896 * The cache context is provided as a pointer to its first field (vtable
3899 * \param cc server context.
3900 * \param vtable session cache context.
3903 br_ssl_server_set_cache(br_ssl_server_context *cc,
3904 const br_ssl_session_cache_class **vtable)
3906 cc->cache_vtable = vtable;
3910 * \brief Prepare or reset a server context for handling an incoming client.
3912 * \param cc server context.
3913 * \return 1 on success, 0 on error.
3915 int br_ssl_server_reset(br_ssl_server_context *cc);
3917 /* ===================================================================== */
3920 * Context for the simplified I/O context. The transport medium is accessed
3921 * through the low_read() and low_write() callback functions, each with
3922 * its own opaque context pointer.
3924 * low_read() read some bytes, at most 'len' bytes, into data[]. The
3925 * returned value is the number of read bytes, or -1 on error.
3926 * The 'len' parameter is guaranteed never to exceed 20000,
3927 * so the length always fits in an 'int' on all platforms.
3929 * low_write() write up to 'len' bytes, to be read from data[]. The
3930 * returned value is the number of written bytes, or -1 on
3931 * error. The 'len' parameter is guaranteed never to exceed
3932 * 20000, so the length always fits in an 'int' on all
3935 * A socket closure (if the transport medium is a socket) should be reported
3936 * as an error (-1). The callbacks shall endeavour to block until at least
3937 * one byte can be read or written; a callback returning 0 at times is
3938 * acceptable, but this normally leads to the callback being immediately
3939 * called again, so the callback should at least always try to block for
3940 * some time if no I/O can take place.
3942 * The SSL engine naturally applies some buffering, so the callbacks need
3943 * not apply buffers of their own.
3946 * \brief Context structure for the simplified SSL I/O wrapper.
3948 * This structure is initialised with `br_sslio_init()`. Its contents
3949 * are opaque and shall not be accessed directly.
3952 #ifndef BR_DOXYGEN_IGNORE
3953 br_ssl_engine_context *engine;
3954 int (*low_read)(void *read_context,
3955 unsigned char *data, size_t len);
3957 int (*low_write)(void *write_context,
3958 const unsigned char *data, size_t len);
3959 void *write_context;
3964 * \brief Initialise a simplified I/O wrapper context.
3966 * The simplified I/O wrapper offers a simpler read/write API for a SSL
3967 * engine (client or server), using the provided callback functions for
3968 * reading data from, or writing data to, the transport medium.
3970 * The callback functions have the following semantics:
3972 * - Each callback receives an opaque context value (of type `void *`)
3973 * that the callback may use arbitrarily (or possibly ignore).
3975 * - `low_read()` reads at least one byte, at most `len` bytes, from
3976 * the transport medium. Read bytes shall be written in `data`.
3978 * - `low_write()` writes at least one byte, at most `len` bytes, unto
3979 * the transport medium. The bytes to write are read from `data`.
3981 * - The `len` parameter is never zero, and is always lower than 20000.
3983 * - The number of processed bytes (read or written) is returned. Since
3984 * that number is less than 20000, it always fits on an `int`.
3986 * - On error, the callbacks return -1. Reaching end-of-stream is an
3987 * error. Errors are permanent: the SSL connection is terminated.
3989 * - Callbacks SHOULD NOT return 0. This is tolerated, as long as
3990 * callbacks endeavour to block for some non-negligible amount of
3991 * time until at least one byte can be sent or received (if a
3992 * callback returns 0, then the wrapper invokes it again
3995 * - Callbacks MAY return as soon as at least one byte is processed;
3996 * they MAY also insist on reading or writing _all_ requested bytes.
3997 * Since SSL is a self-terminated protocol (each record has a length
3998 * header), this does not change semantics.
4000 * - Callbacks need not apply any buffering (for performance) since SSL
4001 * itself uses buffers.
4003 * \param ctx wrapper context to initialise.
4004 * \param engine SSL engine to wrap.
4005 * \param low_read callback for reading data from the transport.
4006 * \param read_context context pointer for `low_read()`.
4007 * \param low_write callback for writing data on the transport.
4008 * \param write_context context pointer for `low_write()`.
4010 void br_sslio_init(br_sslio_context *ctx,
4011 br_ssl_engine_context *engine,
4012 int (*low_read)(void *read_context,
4013 unsigned char *data, size_t len),
4015 int (*low_write)(void *write_context,
4016 const unsigned char *data, size_t len),
4017 void *write_context);
4020 * \brief Read some application data from a SSL connection.
4022 * If `len` is zero, then this function returns 0 immediately. In
4023 * all other cases, it never returns 0.
4025 * This call returns only when at least one byte has been obtained.
4026 * Returned value is the number of bytes read, or -1 on error. The
4027 * number of bytes always fits on an 'int' (data from a single SSL/TLS
4028 * record is returned).
4030 * On error or SSL closure, this function returns -1. The caller should
4031 * inspect the error status on the SSL engine to distinguish between
4032 * normal closure and error.
4034 * \param cc SSL wrapper context.
4035 * \param dst destination buffer for application data.
4036 * \param len maximum number of bytes to obtain.
4037 * \return number of bytes obtained, or -1 on error.
4039 int br_sslio_read(br_sslio_context *cc, void *dst, size_t len);
4042 * \brief Read application data from a SSL connection.
4044 * This calls returns only when _all_ requested `len` bytes are read,
4045 * or an error is reached. Returned value is 0 on success, -1 on error.
4046 * A normal (verified) SSL closure before that many bytes are obtained
4047 * is reported as an error by this function.
4049 * \param cc SSL wrapper context.
4050 * \param dst destination buffer for application data.
4051 * \param len number of bytes to obtain.
4052 * \return 0 on success, or -1 on error.
4054 int br_sslio_read_all(br_sslio_context *cc, void *dst, size_t len);
4057 * \brief Write some application data unto a SSL connection.
4059 * If `len` is zero, then this function returns 0 immediately. In
4060 * all other cases, it never returns 0.
4062 * This call returns only when at least one byte has been written.
4063 * Returned value is the number of bytes written, or -1 on error. The
4064 * number of bytes always fits on an 'int' (less than 20000).
4066 * On error or SSL closure, this function returns -1. The caller should
4067 * inspect the error status on the SSL engine to distinguish between
4068 * normal closure and error.
4070 * **Important:** SSL is buffered; a "written" byte is a byte that was
4071 * injected into the wrapped SSL engine, but this does not necessarily mean
4072 * that it has been scheduled for sending. Use `br_sslio_flush()` to
4073 * ensure that all pending data has been sent to the transport medium.
4075 * \param cc SSL wrapper context.
4076 * \param src source buffer for application data.
4077 * \param len maximum number of bytes to write.
4078 * \return number of bytes written, or -1 on error.
4080 int br_sslio_write(br_sslio_context *cc, const void *src, size_t len);
4083 * \brief Write application data unto a SSL connection.
4085 * This calls returns only when _all_ requested `len` bytes have been
4086 * written, or an error is reached. Returned value is 0 on success, -1
4087 * on error. A normal (verified) SSL closure before that many bytes are
4088 * written is reported as an error by this function.
4090 * **Important:** SSL is buffered; a "written" byte is a byte that was
4091 * injected into the wrapped SSL engine, but this does not necessarily mean
4092 * that it has been scheduled for sending. Use `br_sslio_flush()` to
4093 * ensure that all pending data has been sent to the transport medium.
4095 * \param cc SSL wrapper context.
4096 * \param src source buffer for application data.
4097 * \param len number of bytes to write.
4098 * \return 0 on success, or -1 on error.
4100 int br_sslio_write_all(br_sslio_context *cc, const void *src, size_t len);
4103 * \brief Flush pending data.
4105 * This call makes sure that any buffered application data in the
4106 * provided context (including the wrapped SSL engine) has been sent
4107 * to the transport medium (i.e. accepted by the `low_write()` callback
4108 * method). If there is no such pending data, then this function does
4109 * nothing (and returns a success, i.e. 0).
4111 * If the underlying transport medium has its own buffers, then it is
4112 * up to the caller to ensure the corresponding flushing.
4114 * Returned value is 0 on success, -1 on error.
4116 * \param cc SSL wrapper context.
4117 * \return 0 on success, or -1 on error.
4119 int br_sslio_flush(br_sslio_context *cc);
4122 * \brief Close the SSL connection.
4124 * This call runs the SSL closure protocol (sending a `close_notify`,
4125 * receiving the response `close_notify`). When it returns, the SSL
4126 * connection is finished. It is still up to the caller to manage the
4127 * possible transport-level termination, if applicable (alternatively,
4128 * the underlying transport stream may be reused for non-SSL messages).
4130 * Returned value is 0 on success, -1 on error. A failure by the peer
4131 * to process the complete closure protocol (i.e. sending back the
4132 * `close_notify`) is an error.
4134 * \param cc SSL wrapper context.
4135 * \return 0 on success, or -1 on error.
4137 int br_sslio_close(br_sslio_context *cc);
4139 /* ===================================================================== */
4142 * Symbolic constants for cipher suites.
4146 #define BR_TLS_NULL_WITH_NULL_NULL 0x0000
4147 #define BR_TLS_RSA_WITH_NULL_MD5 0x0001
4148 #define BR_TLS_RSA_WITH_NULL_SHA 0x0002
4149 #define BR_TLS_RSA_WITH_NULL_SHA256 0x003B
4150 #define BR_TLS_RSA_WITH_RC4_128_MD5 0x0004
4151 #define BR_TLS_RSA_WITH_RC4_128_SHA 0x0005
4152 #define BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A
4153 #define BR_TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
4154 #define BR_TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
4155 #define BR_TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
4156 #define BR_TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
4157 #define BR_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D
4158 #define BR_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010
4159 #define BR_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013
4160 #define BR_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
4161 #define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030
4162 #define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031
4163 #define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032
4164 #define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
4165 #define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036
4166 #define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037
4167 #define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038
4168 #define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
4169 #define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E
4170 #define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F
4171 #define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040
4172 #define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
4173 #define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068
4174 #define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069
4175 #define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A
4176 #define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
4177 #define BR_TLS_DH_anon_WITH_RC4_128_MD5 0x0018
4178 #define BR_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B
4179 #define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034
4180 #define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A
4181 #define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C
4182 #define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D
4185 #define BR_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001
4186 #define BR_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002
4187 #define BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003
4188 #define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
4189 #define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
4190 #define BR_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006
4191 #define BR_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007
4192 #define BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008
4193 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
4194 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
4195 #define BR_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B
4196 #define BR_TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C
4197 #define BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D
4198 #define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
4199 #define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
4200 #define BR_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010
4201 #define BR_TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011
4202 #define BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
4203 #define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
4204 #define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
4205 #define BR_TLS_ECDH_anon_WITH_NULL_SHA 0xC015
4206 #define BR_TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016
4207 #define BR_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017
4208 #define BR_TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018
4209 #define BR_TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019
4212 #define BR_TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
4213 #define BR_TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D
4214 #define BR_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
4215 #define BR_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F
4216 #define BR_TLS_DH_RSA_WITH_AES_128_GCM_SHA256 0x00A0
4217 #define BR_TLS_DH_RSA_WITH_AES_256_GCM_SHA384 0x00A1
4218 #define BR_TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
4219 #define BR_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3
4220 #define BR_TLS_DH_DSS_WITH_AES_128_GCM_SHA256 0x00A4
4221 #define BR_TLS_DH_DSS_WITH_AES_256_GCM_SHA384 0x00A5
4222 #define BR_TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6
4223 #define BR_TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7
4226 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
4227 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024
4228 #define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025
4229 #define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026
4230 #define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
4231 #define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028
4232 #define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029
4233 #define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A
4234 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
4235 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
4236 #define BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
4237 #define BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E
4238 #define BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
4239 #define BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
4240 #define BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
4241 #define BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032
4243 /* From RFC 6655 and 7251 */
4244 #define BR_TLS_RSA_WITH_AES_128_CCM 0xC09C
4245 #define BR_TLS_RSA_WITH_AES_256_CCM 0xC09D
4246 #define BR_TLS_RSA_WITH_AES_128_CCM_8 0xC0A0
4247 #define BR_TLS_RSA_WITH_AES_256_CCM_8 0xC0A1
4248 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC
4249 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM 0xC0AD
4250 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE
4251 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF
4254 #define BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8
4255 #define BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9
4256 #define BR_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA
4257 #define BR_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB
4258 #define BR_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC
4259 #define BR_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD
4260 #define BR_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE
4263 #define BR_TLS_FALLBACK_SCSV 0x5600
4266 * Symbolic constants for alerts.
4268 #define BR_ALERT_CLOSE_NOTIFY 0
4269 #define BR_ALERT_UNEXPECTED_MESSAGE 10
4270 #define BR_ALERT_BAD_RECORD_MAC 20
4271 #define BR_ALERT_RECORD_OVERFLOW 22
4272 #define BR_ALERT_DECOMPRESSION_FAILURE 30
4273 #define BR_ALERT_HANDSHAKE_FAILURE 40
4274 #define BR_ALERT_BAD_CERTIFICATE 42
4275 #define BR_ALERT_UNSUPPORTED_CERTIFICATE 43
4276 #define BR_ALERT_CERTIFICATE_REVOKED 44
4277 #define BR_ALERT_CERTIFICATE_EXPIRED 45
4278 #define BR_ALERT_CERTIFICATE_UNKNOWN 46
4279 #define BR_ALERT_ILLEGAL_PARAMETER 47
4280 #define BR_ALERT_UNKNOWN_CA 48
4281 #define BR_ALERT_ACCESS_DENIED 49
4282 #define BR_ALERT_DECODE_ERROR 50
4283 #define BR_ALERT_DECRYPT_ERROR 51
4284 #define BR_ALERT_PROTOCOL_VERSION 70
4285 #define BR_ALERT_INSUFFICIENT_SECURITY 71
4286 #define BR_ALERT_INTERNAL_ERROR 80
4287 #define BR_ALERT_USER_CANCELED 90
4288 #define BR_ALERT_NO_RENEGOTIATION 100
4289 #define BR_ALERT_UNSUPPORTED_EXTENSION 110
4290 #define BR_ALERT_NO_APPLICATION_PROTOCOL 120
projects / FreeBSD / FreeBSD.git / blob