Gitiles
Code Review Sign In
192.168.1.100 / T800_MD / b0f5b85a5b9d69cbfa1dd990d559a4a9c7d8f2a6 / . / mcu / interface / driver / cipher / include / ssl_api.h
blob: 25fd30f10840836bf861cb899929932103a0743b [file] [log] [blame]
rjw6c1fd8f2022-11-30 14:33:01 +0800[diff] [blame]1/*****************************************************************************
2* Copyright Statement:
3* --------------------
4* This software is protected by Copyright and the information contained
5* herein is confidential. The software may not be copied and the information
6* contained herein may not be used or disclosed except with the written
7* permission of MediaTek Inc. (C) 2005
8*
9* BY OPENING THIS FILE, BUYER HEREBY UNEQUIVOCALLY ACKNOWLEDGES AND AGREES
10* THAT THE SOFTWARE/FIRMWARE AND ITS DOCUMENTATIONS ("MEDIATEK SOFTWARE")
11* RECEIVED FROM MEDIATEK AND/OR ITS REPRESENTATIVES ARE PROVIDED TO BUYER ON
12* AN "AS-IS" BASIS ONLY. MEDIATEK EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES,
13* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
14* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT.
15* NEITHER DOES MEDIATEK PROVIDE ANY WARRANTY WHATSOEVER WITH RESPECT TO THE
16* SOFTWARE OF ANY THIRD PARTY WHICH MAY BE USED BY, INCORPORATED IN, OR
17* SUPPLIED WITH THE MEDIATEK SOFTWARE, AND BUYER AGREES TO LOOK ONLY TO SUCH
18* THIRD PARTY FOR ANY WARRANTY CLAIM RELATING THERETO. MEDIATEK SHALL ALSO
19* NOT BE RESPONSIBLE FOR ANY MEDIATEK SOFTWARE RELEASES MADE TO BUYER'S
20* SPECIFICATION OR TO CONFORM TO A PARTICULAR STANDARD OR OPEN FORUM.
21*
22* BUYER'S SOLE AND EXCLUSIVE REMEDY AND MEDIATEK'S ENTIRE AND CUMULATIVE
23* LIABILITY WITH RESPECT TO THE MEDIATEK SOFTWARE RELEASED HEREUNDER WILL BE,
24* AT MEDIATEK'S OPTION, TO REVISE OR REPLACE THE MEDIATEK SOFTWARE AT ISSUE,
25* OR REFUND ANY SOFTWARE LICENSE FEES OR SERVICE CHARGE PAID BY BUYER TO
26* MEDIATEK FOR SUCH MEDIATEK SOFTWARE AT ISSUE.
27*
28* THE TRANSACTION CONTEMPLATED HEREUNDER SHALL BE CONSTRUED IN ACCORDANCE
29* WITH THE LAWS OF THE STATE OF CALIFORNIA, USA, EXCLUDING ITS CONFLICT OF
30* LAWS PRINCIPLES. ANY DISPUTES, CONTROVERSIES OR CLAIMS ARISING THEREOF AND
31* RELATED THERETO SHALL BE SETTLED BY ARBITRATION IN SAN FRANCISCO, CA, UNDER
32* THE RULES OF THE INTERNATIONAL CHAMBER OF COMMERCE (ICC).
33*
34*****************************************************************************/
35
36/*******************************************************************************
37 * Filename:
38 * ---------
39 * ssl_api.h
40 *
41 * Project:
42 * --------
43 * MAUI
44 *
45 * Description:
46 * ------------
47 * This file contains function prototypes, constants for SSL API.
48 *
49 * Author:
50 * -------
51 * -------
52 *
53 *==============================================================================
54 * HISTORY
55 * Below this line, this part is controlled by PVCS VM. DO NOT MODIFY!!
56 *------------------------------------------------------------------------------
57 * removed!
58 *
59 * removed!
60 * removed!
61 * removed!
62 * removed!
63 *
64 * removed!
65 * removed!
66 * removed!
67 *
68 * removed!
69 * removed!
70 * removed!
71 *
72 * removed!
73 * removed!
74 * removed!
75 *
76 * removed!
77 * removed!
78 * removed!
79 *
80 * removed!
81 * removed!
82 * removed!
83 *
84 * removed!
85 * removed!
86 * removed!
87 *
88 * removed!
89 * removed!
90 * removed!
91 *
92 * removed!
93 * removed!
94 * removed!
95 *
96 * removed!
97 * removed!
98 * removed!
99 *
100 * removed!
101 * removed!
102 * removed!
103 *
104 * removed!
105 * removed!
106 * removed!
107 *
108 * removed!
109 * removed!
110 * removed!
111 *
112 * removed!
113 * removed!
114 * removed!
115 *
116 * removed!
117 * removed!
118 * removed!
119 *
120 * removed!
121 * removed!
122 * removed!
123 *
124 * removed!
125 * removed!
126 * removed!
127 *
128 * removed!
129 * removed!
130 * removed!
131 *
132 * removed!
133 * removed!
134 * removed!
135 *
136 * removed!
137 * removed!
138 * removed!
139 *
140 * removed!
141 * removed!
142 * removed!
143 *
144 * removed!
145 * removed!
146 * removed!
147 *
148 * removed!
149 * removed!
150 * removed!
151 *
152 * removed!
153 * removed!
154 * removed!
155 *
156 * removed!
157 * removed!
158 * removed!
159 *
160 * removed!
161 * removed!
162 * removed!
163 *
164 * removed!
165 * removed!
166 * removed!
167 *
168 * removed!
169 * removed!
170 * removed!
171 *
172 * removed!
173 * removed!
174 * removed!
175 *
176 * removed!
177 * removed!
178 * removed!
179 *
180 *
181 *------------------------------------------------------------------------------
182 * Upper this line, this part is controlled by PVCS VM. DO NOT MODIFY!!
183 *==============================================================================
184 *******************************************************************************/
185#ifndef _SSL_API_H
186#define _SSL_API_H
187
188#include "ssl_consts.h"
189#include "ssl_enums.h"
190#include "ssl_structs.h"
191#include "ssl_callback.h"
192
193#include "kal_general_types.h"
194
195
196/*****************************************************************************
197 * <GROUP Protocol Methods>
198 * FUNCTION
199 * sec_sslv2_client_method
200 * DESCRIPTION
201 * Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
202 * PARAMETERS
203 * void.
204 * RETURNS
205 * Constructor as a parameter to sec_ssl_ctx_new() to create a client side
206 * SSL context be able to handle SSLv2 messges.
207 * SEE ALSO
208 * sec_ssl_ctx_new
209 *****************************************************************************/
210extern const ssl_method *sec_sslv2_client_method(void);
211
212
213
214/*****************************************************************************
215 * <GROUP Protocol Methods>
216 * FUNCTION
217 * sec_sslv3_client_method
218 * DESCRIPTION
219 * Constructor for the SSLv3 SSL_METHOD structure for a dedicated client.
220 * PARAMETERS
221 * void.
222 * RETURNS
223 * Constructor as a parameter to sec_ssl_ctx_new() to create a client side
224 * SSL context be able to handle SSLv3 messges.
225 * SEE ALSO
226 * sec_ssl_ctx_new
227 *****************************************************************************/
228extern const ssl_method *sec_sslv3_client_method(void);
229
230
231
232/*****************************************************************************
233 * <GROUP Protocol Methods>
234 * FUNCTION
235 * sec_tlsv1_client_method
236 * DESCRIPTION
237 * Constructor for the TLSv1 SSL_METHOD structure for a dedicated client.
238 * PARAMETERS
239 * void.
240 * RETURNS
241 * Constructor as a parameter to sec_ssl_ctx_new() to create a client side
242 * SSL context be able to handle TLSv1 messges.
243 * SEE ALSO
244 * sec_ssl_ctx_new
245 *****************************************************************************/
246extern const ssl_method *sec_tlsv1_client_method(void);
247
248#ifdef __OPENSSL_TLS12__
249extern const ssl_method *sec_tlsv1_1_client_method(void);
250
251extern const ssl_method *sec_tlsv1_2_client_method(void);
252#endif
253
254
255/*****************************************************************************
256 * <GROUP Protocol Methods>
257 * FUNCTION
258 * sec_sslv23_client_method
259 * DESCRIPTION
260 * Constructor for the SSLv2 and SSLv3 SSL_METHOD structure for a
261 * dedicated client.
262 * PARAMETERS
263 * void.
264 * RETURNS
265 * Constructor as a parameter to sec_ssl_ctx_new() to create a client side
266 * SSL context be able to handle both SSLv2 and SSLv3 messges.
267 * SEE ALSO
268 * sec_ssl_ctx_new
269 *****************************************************************************/
270extern const ssl_method *sec_sslv23_client_method(void);
271
272
273
274/*****************************************************************************
275 * <GROUP Protocol Methods>
276 * FUNCTION
277 * sec_tlsv1_sslv3_client_method
278 * DESCRIPTION
279 * Constructor for the TLSv1 and SSLv3 SSL_METHOD structure for a
280 * dedicated client.
281 * PARAMETERS
282 * void.
283 * RETURNS
284 * Constructor as a parameter to sec_ssl_ctx_new() to create a client side
285 * SSL context be able to handle both TLSv1 and SSLv3 messges.
286 * SEE ALSO
287 * sec_ssl_ctx_new
288 *****************************************************************************/
289extern const ssl_method *sec_tlsv1_sslv3_client_method(void);
290
291
292
293/*****************************************************************************
294 * <GROUP Protocol Methods>
295 * FUNCTION
296 * sec_sslv2_server_method
297 * DESCRIPTION
298 * Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
299 * PARAMETERS
300 * void.
301 * RETURNS
302 * Constructor as a parameter to sec_ssl_ctx_new() to create a server side
303 * SSL context be able to handle SSLv2 messges.
304 * SEE ALSO
305 * sec_ssl_ctx_new
306 *****************************************************************************/
307extern const ssl_method *sec_sslv2_server_method(void);
308
309
310
311/*****************************************************************************
312 * <GROUP Protocol Methods>
313 * FUNCTION
314 * sec_sslv3_server_method
315 * DESCRIPTION
316 * Constructor for the SSLv3 SSL_METHOD structure for a dedicated server.
317 * PARAMETERS
318 * void.
319 * RETURNS
320 * Constructor as a parameter to sec_ssl_ctx_new() to create a server side
321 * SSL context be able to handle SSLv3 messges.
322 * SEE ALSO
323 * sec_ssl_ctx_new
324 *****************************************************************************/
325extern const ssl_method *sec_sslv3_server_method(void);
326
327
328
329/*****************************************************************************
330 * <GROUP Protocol Methods>
331 * FUNCTION
332 * sec_tlsv1_server_method
333 * DESCRIPTION
334 * Constructor for the TLSv1 SSL_METHOD structure for a dedicated server.
335 * PARAMETERS
336 * void.
337 * RETURNS
338 * Constructor as a parameter to sec_ssl_ctx_new() to create a server side
339 * SSL context be able to handle TLSv1 messges.
340 * SEE ALSO
341 * sec_ssl_ctx_new
342 *****************************************************************************/
343extern const ssl_method *sec_tlsv1_server_method(void);
344
345
346
347/*****************************************************************************
348 * <GROUP Protocol Methods>
349 * FUNCTION
350 * sec_sslv23_server_method
351 * DESCRIPTION
352 * Constructor for the SSLv2 and SSLv3 SSL_METHOD structure for a
353 * dedicated server.
354 * PARAMETERS
355 * void.
356 * RETURNS
357 * Constructor as a parameter to sec_ssl_ctx_new() to create a server side
358 * SSL context be able to handle both SSLv2 and SSLv3 messges.
359 * SEE ALSO
360 * sec_ssl_ctx_new
361 *****************************************************************************/
362extern const ssl_method *sec_sslv23_server_method(void);
363
364
365
366/*****************************************************************************
367 * <GROUP Protocol Methods>
368 * FUNCTION
369 * sec_tlsv1_sslv3_server_method
370 * DESCRIPTION
371 * Constructor for the TLSv1 and SSLv3 SSL_METHOD structure for a
372 * dedicated server.
373 * PARAMETERS
374 * void.
375 * RETURNS
376 * Constructor as a parameter to sec_ssl_ctx_new() to create a server side
377 * SSL context be able to handle both TLSv1 and SSLv3 messges.
378 * SEE ALSO
379 * sec_ssl_ctx_new
380 *****************************************************************************/
381extern const ssl_method *sec_tlsv1_sslv3_server_method(void);
382
383
384
385/*****************************************************************************
386 * <GROUP SSL Context APIs>
387 * FUNCTION
388 * sec_ssl_ctx_new
389 * DESCRIPTION
390 * Crete a new SSL context object as framework for TLS/SSL enabled functions.
391 * PARAMETERS
392 * method : [IN] SSL context constructor such as
393 * sec_sslv3_client_method() or sec_sslv23_client_method(), etc.
394 * RETURNS
395 * If an SSL context is created successfully, a pointer to the created
396 * SSL context is returned. Otherwise, NULL is returned if SSL context
397 * is not created.
398 *****************************************************************************/
399extern ssl_ctx*
400sec_ssl_ctx_new(const ssl_method *method);
401
402
403
404/*****************************************************************************
405 * <GROUP SSL Context APIs>
406 * FUNCTION
407 * sec_ssl_ctx_free
408 * DESCRIPTION
409 * Free an allocated SSL context object.
410 * PARAMETERS
411 * ctx : [IN] pointer to SSL context to be freed.
412 * RETURNS
413 * This function returns no diagnostic information.
414 *****************************************************************************/
415extern void sec_ssl_ctx_free(ssl_ctx *ctx);
416
417
418
419/*****************************************************************************
420 * <GROUP SSL Context APIs>
421 * FUNCTION
422 * sec_ssl_ctx_set_prng
423 * DESCRIPTION
424 * Set the pseudo-rnadom-number-generator provider (callback function)
425 * used by the context.
426 * PARAMETERS
427 * ctx : [IN] Pointer to SSL context.
428 * prng : [IN] Pseudo-number-number-generator provider.
429 * RETURN VALUES
430 * SEC_ERROR_NONE : Success.
431 * SEC_ERROR_PTR : No valid pointer.
432 * SEC_ERROR_MEM : Memory allocation failure.
433 *****************************************************************************/
434extern kal_int32
435sec_ssl_ctx_set_prng(ssl_ctx *ctx, const sec_ssl_prng_generator prng);
436
437
438
439/*****************************************************************************
440 * <GROUP SSL Context APIs>
441 * FUNCTION
442 * sec_ssl_ctx_set_cipher_list
443 * DESCRIPTION
444 * Set list of available SSL ciphersuites.
445 * PARAMETERS
446 * ctx : [IN] Pointer to SSL context.
447 * ciphers : [IN] List of ciphers.
448 * num : [IN] Number of ciphers in the list.
449 * EXAMPLE
450 * <code>
451 * sec_cipher_enum ciphers[] =
452 * {AES128_SHA, AES256-SHA, RC4_MD5, RC4_SHA, DES_CBC3_SHA};
453 * rc = sec_ssl_ctx_set_cipher_list(*globalCtx,
454 * ciphers,
455 * sizoef(ciphers) / sizoef(sec_cipher_enum));
456 * </code>
457 * RETURN VALUES
458 * 1 : Success.
459 * 0 : Fail.
460 *****************************************************************************/
461extern kal_int32
462sec_ssl_ctx_set_cipher_list(ssl_ctx *ctx, const sec_cipher_enum ciphers[],
463 const kal_int32 num);
464
465
466
467/*****************************************************************************
468 * <GROUP SSL Context APIs>
469 * FUNCTION
470 * sec_ssl_ctx_set_default_passwd_cb
471 * DESCRIPTION
472 * Set the default password callback called when loading/storing a PEM
473 * certificate with encryption.
474 * PARAMETERS
475 * ctx : [IN] Pointer to SSL context
476 * cb : [IN] Callback function to hand back the password to be used
477 * during decryption.
478 * On invocation, a pointer to 'userdata' is provided.
479 * The callback function must write the password into the
480 * provided buffer 'buf'.
481 * RETURNS
482 * This function returns no diagnostic information.
483 * SEE ALSO
484 * sec_ssl_ctx_set_default_passwd_cb_userdata
485 *****************************************************************************/
486extern void
487sec_ssl_ctx_set_default_passwd_cb(ssl_ctx *ctx, ssl_password_cb cb);
488
489
490
491/*****************************************************************************
492 * <GROUP SSL Context APIs>
493 * FUNCTION
494 * sec_ssl_ctx_set_default_passwd_cb_userdata
495 * DESCRIPTION
496 * Set a pointer to userdata which will be provided to the password callback
497 * on invocation.
498 * PARAMETERS
499 * ctx : [IN] Pointer to SSL context.
500 * u : [IN] Ask for the password once, then keep it in memory and use
501 * it several times. The password could be stored into the
502 * 'userdata' and pem_passwd_cb() returns the password already
503 * stored.
504 * RETURNS
505 * This function returns no diagnostic information.
506 * SEE ALSO
507 * sec_ssl_ctx_set_default_passwd_cb
508 *****************************************************************************/
509extern void
510sec_ssl_ctx_set_default_passwd_cb_userdata(ssl_ctx *ctx, void *u);
511
512
513
514/*****************************************************************************
515 * <GROUP SSL Context APIs>
516 * FUNCTION
517 * sec_ssl_ctx_use_privatekey_file
518 * DESCRIPTION
519 * Adds the first private key found in 'file' to 'ctx'.
520 * PARAMETERS
521 * ctx : [IN] Pointer to SSL context.
522 * file : [IN] File storing the private key to be loaded.
523 * type : [IN] SEC_SSL_FILETYPE_PEM, or SEC_SSL_FILETYPE_ASN1.
524 * RETURN VALUES
525 * SEC_ERROR_NONE : Success.
526 * SEC_ERROR_NULL_PTR : Invalid NULL argument is passed in.
527 * SEC_ERROR_FS : File access error.
528 * otherwise : other internal errors.
529 *****************************************************************************/
530extern kal_int32
531sec_ssl_ctx_use_privatekey_file(ssl_ctx *ctx, const kal_wchar *file,
532 ssl_filetype_enum type);
533
534
535
536/*****************************************************************************
537 * <GROUP SSL Context APIs>
538 * FUNCTION
539 * sec_ssl_ctx_use_certificate_file
540 * DESCRIPTION
541 * Loads the first certificate stored in file into ctx.
542 * PARAMETERS
543 * ctx : [IN] Pointer to SSL context.
544 * file : [IN] File storing the private key to be loaded.
545 * type : [IN] SEC_SSL_FILETYPE_PEM, or SEC_SSL_FILETYPE_ASN1.
546 * RETURN VALUES
547 * SEC_ERROR_NONE : Success.
548 * SEC_ERROR_NULL_PTR : Invalid NULL argument is passed in.
549 * SEC_ERROR_FS : File access error.
550 * otherwise : Other internal errors.
551 *****************************************************************************/
552extern kal_int32
553sec_ssl_ctx_use_certificate_file(ssl_ctx *ctx, const kal_wchar *file,
554 ssl_filetype_enum type);
555
556
557
558/*****************************************************************************
559 * <GROUP SSL Context APIs>
560 * FUNCTION
561 * sec_ssl_ctx_load_verify_locations
562 * DESCRIPTION
563 * Set default locations for trusted CA certificate.
564 * PARAMETERS
565 * ctx : [IN] Pointer to SSL context.
566 * ca_file : [IN] If ca_file is not NULL, it points to a file of CA
567 * certificates in PEM format. The file can contain several
568 * CA certificates identified by -----BEGIN CERTIFICATE-----
569 * and -----END CERTIFICATE-----.
570 * ca_path : [IN] If ca_path is not NULL, it points to a directory
571 * containing CA certificates in PEM format. The files each
572 * contain one CA certificate. The files are lookedup by the
573 * CA subject name hash value.
574 * RETURN VALUES
575 * SEC_ERROR_NONE : Success.
576 * SEC_ERROR_NULL_PTR : Invalid NULL argument is passed in.
577 * SEC_ERROR_FS : File access error.
578 * otherwise : Other internal errors.
579 *****************************************************************************/
580extern kal_int32
581sec_ssl_ctx_load_verify_locations(ssl_ctx *ctx,
582 const kal_wchar *ca_file,
583 const kal_wchar *ca_path);
584
585
586/*****************************************************************************
587 * <GROUP SSL Context APIs>
588 * FUNCTION
589 * sec_ssl_ctx_set_client_auth_modes
590 * DESCRIPTION
591 * Set client authentication mode.
592 * PARAMETERS
593 * ctx : [IN] Pointer to SSL context.
594 * modes : [IN] Client authentication modes,
595 * ended with CLIENT_AUTH_MODE_END.
596 * RETURN VALUES
597 * SEC_ERROR_NONE : Success.
598 * SEC_ERROR_PTR : No pointer is passed to internal SSL library.
599 * SEC_ERROR_SSL_NEEDS_CIPHER : No client authentication mode is provided.
600 * SEC_ERROR_SSL_BAD_SIDE : Incorrect side for authentication modes.
601 *****************************************************************************/
602extern kal_int32
603sec_ssl_ctx_set_client_auth_modes(ssl_ctx *ctx,
604 const ssl_auth_mode_enum modes[]);
605
606
607/*****************************************************************************
608 * <GROUP SSL Context APIs>
609 * FUNCTION
610 * sec_ssl_ctx_set_io_funcs
611 * DESCRIPTION
612 * Set I/O functions to the SSL context.
613 * PARAMETERS
614 * ctx : [IN] Pointer to SSL context.
615 * read_cb : [IN] Read callback to retrieve data to be processed by SSL
616 * library.
617 * write_cb : [IN] Write callback to write SSL library processed data.
618 *
619 * RETURN VALUES
620 * SEC_ERROR_NONE : Success.
621 * SEC_ERROR_NULL_PTR : Passed invalid SSL context argument.
622 * SEC_ERROR_PTR : No pointer is passed to internal SSL library.
623 *****************************************************************************/
624extern kal_int32
625sec_ssl_ctx_set_io_funcs(ssl_ctx *ctx,
626 const sec_ssl_read_cb read_cb,
627 const sec_ssl_write_cb write_cb);
628
629
630
631/*****************************************************************************
632 * <GROUP SSL Context APIs>
633 * FUNCTION
634 * sec_ssl_ctx_set_alert_func
635 * DESCRIPTION
636 * Set callback function to be invoked while received alert from peer.
637 * PARAMETERS
638 * ctx : [IN] Pointer to SSL context.
639 * alert_cb : [IN] Application's alert callback to be invoked by SSL library.
640 *
641 * RETURN VALUES
642 * This function returns no diagnostic information.
643 *****************************************************************************/
644extern void
645sec_ssl_ctx_set_alert_func(ssl_ctx *ctx, const sec_ssl_alert_func alert_cb);
646
647
648
649/*****************************************************************************
650 * <GROUP SSL Context APIs>
651 * FUNCTION
652 * sec_ssl_ctx_set_cert_verify_callback
653 * DESCRIPTION
654 * Set certificate verification callback on validating the peer certificate.
655 * PARAMETERS
656 * ctx : [IN] Pointer to SSL context.
657 * cert_cb : [IN] Read callback to retrieve data to be processed by SSL
658 * library.
659 * arg : [IN] Write callback to write SSL library processed data.
660 * RETURN VALUES
661 * This function returns no diagnostic information.
662 *****************************************************************************/
663extern void
664sec_ssl_ctx_set_cert_verify_callback(ssl_ctx *ctx,
665 const sec_ssl_cert_verify_callback cert_cb,
666 void *arg);
667
668
669
670/*****************************************************************************
671 * <GROUP SSL Context APIs>
672 * FUNCTION
673 * sec_ssl_ctx_set_new_ssl_option
674 * DESCRIPTION
675 * Set parameters for creating SSL connection context.
676 *
677 * Because some additional parameters need to be configured before creatig a
678 * connection context from global context, this function has to be called
679 * before calling sec_ssl_new() to set the required options.
680 * PARAMETERS
681 * ctx : [IN] Pointer to SSL context.
682 * def_readbuf_len : [IN] Default size (bytes) of the buffer to read SSL
683 * record, if zero is set to this argument, use
684 * default 4096 bytes.
685 * max_readbuf_len : [IN] Max size (bytes) of the buffer to read SSL record
686 * if zero is set to this argument, use default 32768
687 * bytes.
688 * write_frag_len : [IN] Max size of the data record passed to
689 * sec_ssl_write(). If zero is set to this argument,
690 * use default 4096 bytes.
691 * peer : [IN] For client side applications, this is optional
692 * containing the session key passed to
693 * ssl_GetSessionFunc().
694 * For server side, this contains the session id to be
695 * used for non-resumed sessions.
696 * io_ref : [IN] I/O callback reference.
697 * alert_ref : [IN] Alert callback reference.
698 * RETURN VALUES
699 * SEC_ERROR_NONE : success
700 * SEC_ERROR_NULL_PTR : Passed null SSL context pointer
701 *****************************************************************************/
702extern kal_int32
703sec_ssl_ctx_set_new_ssl_option(ssl_ctx *ctx,
704 const kal_uint16 def_readbuf_len,
705 const kal_uint16 max_readbuf_len,
706 const kal_uint16 write_frag_len,
707 const sec_sess_rec peer,
708 void *const io_ref,
709 void *const alert_ref);
710
711
712
713/*****************************************************************************
714 * <GROUP SSL Connection APIs>
715 * FUNCTION
716 * sec_ssl_new
717 * DESCRIPTION
718 * Create SSL connection context.
719 * PARAMETERS
720 * ctx : [IN] pointer to SSL connection context.
721 * RETURNS
722 * Return a pointer to allocated SSL connection context on success,
723 * otherwise, return NULL.
724 *****************************************************************************/
725extern ssl_conn* sec_ssl_new(ssl_ctx *ctx);
726
727
728
729/*****************************************************************************
730 * <GROUP SSL Connection APIs>
731 * FUNCTION
732 * sec_ssl_free
733 * DESCRIPTION
734 * Free SSL connection context.
735 *
736 * <i> Note: </i>
737 * You should call sec_ssl_shutdown() before calling this function.
738 * PARAMETERS
739 * ssl : [IN] Pointer to SSL connection context.
740 * RETURNS
741 * This function returns no diagnostic information.
742 *****************************************************************************/
743extern void sec_ssl_free(ssl_conn *ssl);
744
745
746
747/*****************************************************************************
748 * <GROUP SSL Connection APIs>
749 * FUNCTION
750 * sec_ssl_disable_client_auth
751 * DESCRIPTION
752 * In normal case, if application does not set local identiy and server
753 * sends client authentication request, handshake process will return
754 * SEC_ERROR_LOCAL_IDENTITY_REQUESTED.
755 *
756 * If application would like to proceed without setting client authentication
757 * while receiving client authentication, call this API to skip the check
758 * in the library.
759 * PARAMETERS
760 * ssl : [IN] Pointer to SSL connection context.
761 * RETURN VALUES
762 * 1 : Success.
763 * 0 : Fail.
764 *****************************************************************************/
765extern kal_int32 sec_ssl_disable_client_auth(ssl_conn *ssl);
766
767
768/*****************************************************************************
769 * <GROUP SSL Connection APIs>
770 * FUNCTION
771 * sec_ssl_ocsp_stapling
772 * DESCRIPTION
773 * Set OCSP stapling attributes. Note that this API is only available when
774 * __OCSP_SUPPORT__ is defined.
775 * PARAMETERS
776 * ssl : [IN] Pointer to SSL connection context.
777 * use_ocsp : [IN] enable OCSP stapling or not
778 * must_pass : [IN] Must pass OCSP stapling
779 * RETURNS
780 * 1 : Success.
781 * 0 : Fail.
782 *****************************************************************************/
783extern kal_int32
784sec_ssl_ocsp_stapling(ssl_conn *ssl, kal_bool use_ocsp, kal_bool must_pass);
785
786
787/*****************************************************************************
788 * <GROUP SSL Connection APIs>
789 * FUNCTION
790 * sec_ssl_is_ocsp_stapling_verified
791 * DESCRIPTION
792 * Get the OCSP stapling verification result.
793 * Note that this API is only available when __OCSP_SUPPORT__ is defined.
794 * PARAMETERS
795 * ssl : [IN] Pointer to SSL connection context.
796 * RETURNS
797 * KAL_TRUE : Success.
798 * KAL_FALSE : Fail.
799 *****************************************************************************/
800extern kal_bool sec_ssl_is_ocsp_stapling_verified(ssl_conn *ssl);
801
802
803/*****************************************************************************
804 * <GROUP SSL Connection APIs>
805 * FUNCTION
806 * sec_ssl_invalidate_session_entry
807 * DESCRIPTION
808 * Invalidate the session cache of the connection
809 * PARAMETERS
810 * ssl : [IN] Pointer to SSL connection context.
811 * RETURNS
812 * void
813 *****************************************************************************/
814extern void sec_ssl_invalidate_session_entry(ssl_conn *ssl);
815
816
817/*****************************************************************************
818 * <GROUP SSL Connection APIs>
819 * FUNCTION
820 * sec_ssl_connect
821 * DESCRIPTION
822 * Perform SSL handshake for client side.
823 *
824 * Application should call this API repeatedly until the the return error
825 * code is not WOULD_BLOCK.
826 * On error, call sec_ssl_get_error() to find out the reason.
827 * PARAMETERS
828 * ssl : [IN] Pointer to SSL connection context.
829 * RETURN VALUES
830 * 1 : The TLS/SSL handshake was successfully complete, a TLS/SSL
831 * connection has been established.
832 * 0 : The TLS/SSL handshake was not successful but was shut down
833 * controlled and by the specifications of the TLS/SSL protocol.
834 * <0 : The TLS/SSL handshake was not successful, because a fatal error
835 * occurred either at the protocol level or a connection failure
836 * occurred. The shutdown was not clean.
837 *****************************************************************************/
838extern kal_int32 sec_ssl_connect(ssl_conn *ssl);
839
840
841
842/*****************************************************************************
843 * <GROUP SSL Connection APIs>
844 * FUNCTION
845 * sec_ssl_accept
846 * DESCRIPTION
847 * Perform SSL handshake for server side.
848 *
849 * Application should call this API repeatedly until the the return error
850 * code is not WOULD_BLOCK.
851 * On error, call sec_ssl_get_error() to find out the reason.
852 * PARAMETERS
853 * ssl : [IN] Pointer to SSL connection context.
854 * RETURN VALUES
855 * 1 : The TLS/SSL handshake was successfully complete, a TLS/SSL
856 * connection has been established.
857 * 0 : The TLS/SSL handshake was not successful but was shut down
858 * controlled and by the specifications of the TLS/SSL protocol.
859 * <0 : The TLS/SSL handshake was not successful, because a fatal error
860 * occurred either at the protocol level or a connection failure
861 * occurred. The shutdown was not clean.
862 *****************************************************************************/
863extern kal_int32 sec_ssl_accept(ssl_conn *ssl);
864
865
866
867/*****************************************************************************
868 * <GROUP SSL Connection APIs>
869 * FUNCTION
870 * sec_ssl_renegotiate
871 * DESCRIPTION
872 * Requests a renegotiation of the handshake.
873 * Server side: cause data tobe transferred across the connection using the
874 * I/O write callback.
875 * Client side: does not transfer any data.
876 *
877 * After requesting renegotiation, sec_ssl_do_handshake() must be called
878 * to correctly process the renegotiation procedure.
879 * PARAMETERS
880 * ssl : [IN] Pointer to SSL connection context.
881 * RETURN VALUES
882 * 1 : Success.
883 * 0 : SSL error, call sec_ssl_get_error() to find out the reason.
884 * -1 : Invalid ssl pointer.
885 * SEE ALSO
886 * sec_ssl_do_handshake
887 *****************************************************************************/
888extern kal_int32 sec_ssl_renegotiate(ssl_conn *ssl);
889
890
891
892/*****************************************************************************
893 * <GROUP SSL Connection APIs>
894 * FUNCTION
895 * sec_ssl_do_handshake
896 * DESCRIPTION
897 * Perform SSL rehandshake.
898 *
899 * Application should call this API repeatedly until the the return error
900 * code is not WOULD_BLOCK.
901 * On error, call sec_ssl_get_error() to find out the reason.
902 * PARAMETERS
903 * ssl : [IN] Pointer to SSL connection context.
904 * RETURN VALUES
905 * 1 : The TLS/SSL handshake was successfully complete, a TLS/SSL
906 * connection has been established.
907 * 0 : The TLS/SSL handshake was not successful but was shut down
908 * controlled and by the specifications of the TLS/SSL protocol.
909 * <0 : The TLS/SSL handshake was not successful, because a fatal error
910 * occurred either at the protocol level or a connection failure
911 * occurred. The shutdown was not clean.
912 * SEE ALSO
913 * sec_ssl_renegotiate
914 *****************************************************************************/
915extern kal_int32 sec_ssl_do_handshake(ssl_conn *ssl);
916
917
918/*****************************************************************************
919 * <GROUP SSL Connection APIs>
920 * FUNCTION
921 * sec_ssl_session_reused
922 * DESCRIPTION
923 * To know whether the session is resumed.
924 *
925 * During the negotiation, a client can propose to reuse a session.
926 * The server then looks up the session in its cache. If both client and
927 * server agree on the session, it will be reused and a flag is being set
928 * that can be queried by the application.
929 * PARAMETERS
930 * ssl : [IN] pointer to SSL connection context.
931 * RETURN VALUES
932 * 1 : Session is resumed.
933 * 0 : Session is not resumed.
934 * -1 : Error cases, use sec_ssl_get_error() to find out the reason.
935 *****************************************************************************/
936extern kal_int32 sec_ssl_session_reused(ssl_conn *ssl);
937
938
939
940/*****************************************************************************
941 * <GROUP SSL Connection APIs>
942 * FUNCTION
943 * sec_ssl_session_established
944 * DESCRIPTION
945 * To know whether the session is established.
946 * PARAMETERS
947 * ssl : [IN] pointer to SSL connection context.
948 * RETURN VALUES
949 * 1 : Session is established.
950 * 0 : Session is not estbalished.
951 *****************************************************************************/
952extern kal_int32 sec_ssl_session_established(ssl_conn *ssl);
953
954
955
956/*****************************************************************************
957 * <GROUP SSL Connection APIs>
958 * FUNCTION
959 * sec_ssl_get_master_secret
960 * DESCRIPTION
961 * To retrieve the negotiated master secret
962 *
963 * Gets the negotiated master secret for the connection context after
964 * handshake completed, this
965 * PARAMETERS
966 * ssl : [IN] pointer to SSL connection context
967 * secret_buf_len : [IN] size of buffer provided for storing returned P.M.S.
968 * secret : [OUT] pointer to buffer for storing returned P.M.S.
969 * secret_len : [OUT] length of returned P.M.S.
970 * RETURN VALUES
971 * SEC_ERROR_NULL_PTR : NULL SSL context pointer.
972 * SEC_ERROR_NONE : Success.
973 * SEC_ERROR_PTR : NULL pointer was passed to internal library.
974 * SEC_ERROR_BAD_LEN : Secret_buf_len is too small to return secret.
975 * SEC_ERROR_SSL_HSHK_REQUIRED : Handshake must be performed fist.
976 * SEE ALSO
977 * sec_ssl_get_client_random, sec_ssl_get_server_random
978 *****************************************************************************/
979extern kal_int32
980sec_ssl_get_master_secret(ssl_conn *ssl,
981 kal_uint16 secret_buf_len,
982 kal_uint8 *secret,
983 kal_uint16* secret_len);
984
985
986
987/*****************************************************************************
988 * <GROUP SSL Connection APIs>
989 * FUNCTION
990 * sec_ssl_get_client_random
991 * DESCRIPTION
992 * To retrieve the selected random number by local
993 *
994 * Gets the random field which was encoded in the "client_hello" handshake
995 * message. This function is intended for applications to derive key material
996 * used in EAP-TLS or similar protocols.
997 * PARAMETERS
998 * ssl : [IN] Pointer to SSL connection context.
999 * rand_buf_len : [IN] Size of buffer provided for storing returned random.
1000 * rand_buf : [OUT] Pointer to buffer for storing returned random.
1001 * rand_len : [OUT] Length of returned random.
1002 * RETURN VALUES
1003 * SEC_ERROR_NULL_PTR : NULL SSL context pointer.
1004 * SEC_ERROR_NONE : Success.
1005 * SEC_ERROR_PTR : NULL pointer was passed to internal library.
1006 * SEC_ERROR_BAD_LEN : Secret_buf_len is too small to return secret.
1007 * SEC_ERROR_SSL_HSHK_REQUIRED : Handshake must be performed fist.
1008 * SEC_ERROR_SSL_PROTOCOL_VER : Protocol version is smaller than TLS v1.0.
1009 * SEE ALSO
1010 * sec_ssl_get_server_random, sec_ssl_get_master_secret
1011 *****************************************************************************/
1012extern kal_int32
1013sec_ssl_get_client_random(ssl_conn *ssl,
1014 kal_uint16 rand_buf_len,
1015 kal_uint8 *rand_buf,
1016 kal_uint16* rand_len);
1017
1018extern kal_int32
1019sec_ssl_get_session_id(ssl_conn *ssl,
1020 kal_uint16 session_id_buf_len,
1021 kal_uint8 *session_id,
1022 kal_uint16 *session_id_len);
1023
1024
1025/*****************************************************************************
1026 * <GROUP SSL Connection APIs>
1027 * FUNCTION
1028 * sec_ssl_get_server_random
1029 * DESCRIPTION
1030 * To retrieve the selected random number by the remote side
1031 *
1032 * Gets the random field which was encoded in the "server_hello" handshake
1033 * message. This function is intended for applications to derive key material
1034 * used in EAP-TLS or similar protocols.
1035 * PARAMETERS
1036 * ssl : [IN] Pointer to SSL connection context.
1037 * rand_buf_len : [IN] Size of buffer provided for storing returned random.
1038 * rand_buf : [OUT] Pointer to buffer for storing returned random.
1039 * rand_len : [OUT] Length of returned random.
1040 * RETURN VALUES
1041 * SEC_ERROR_NULL_PTR : NULL SSL context pointer.
1042 * SEC_ERROR_NONE : Success.
1043 * SEC_ERROR_PTR : NULL pointer was passed to internal library.
1044 * SEC_ERROR_BAD_LEN : Secret_buf_len is too small to return secret.
1045 * SEC_ERROR_SSL_HSHK_REQUIRED : Handshake must be performed fist.
1046 * SEC_ERROR_SSL_PROTOCOL_VER : Protocol version is smaller than TLS v1.0.
1047 * SEE ALSO
1048 * sec_ssl_get_client_random, sec_ssl_get_master_secret
1049 *****************************************************************************/
1050extern kal_int32
1051sec_ssl_get_server_random(ssl_conn *ssl,
1052 kal_uint16 rand_buf_len,
1053 kal_uint8 *rand_buf,
1054 kal_uint16* rand_len);
1055
1056
1057
1058/*****************************************************************************
1059 * <GROUP SSL Connection APIs>
1060 * FUNCTION
1061 * sec_ssl_check_peer_cert_cname
1062 * DESCRIPTION
1063 * To check the Common Name from received peer certificate
1064 * PARAMETERS
1065 * ssl : [IN] pointer to SSL connection context.
1066 * cname : [IN] string of destination srever name,
1067 * or set to NULL to disable this function.
1068 * RETURN VALUES
1069 * SEC_ERROR_NULL_PTR : NULL SSL context pointer.
1070 * SEC_ERROR_NONE : Success.
1071 *****************************************************************************/
1072extern kal_int32
1073sec_ssl_check_peer_cert_cname(ssl_conn *const ssl, const kal_char *const cname);
1074
1075
1076
1077/*****************************************************************************
1078 * <GROUP SSL Connection APIs>
1079 * FUNCTION
1080 * sec_ssl_read
1081 * DESCRIPTION
1082 * Read data from SSL connection.
1083 *
1084 * sec_ssl_read() works based on the SSL/TLS records. The data are received
1085 * in records (with a maximum record size of 16kB for SSLv3/TLSv1).
1086 * Only when a record has been completely received, it can be processed
1087 * (decryption and check of integrity). Therefore data that was not retrieved
1088 * at the last call of sec_ssl_read() can still be buffered inside the SSL
1089 * layer and will be retrieved on the next call to sec_ssl_read().
1090 * If num is higher than the number of bytes buffered, sec_ssl_read() will
1091 * return with the bytes buffered.
1092 * PARAMETERS
1093 * ssl : [IN] pointer to SSL connection context.
1094 * buf : [IN] buffer to put decrypted application data.
1095 * num : [IN] size of buf in bytes.
1096 * RETURN VALUES
1097 * >=0 : Operation successfully, return the bytes actually read from
1098 * SSL connection.
1099 * -1 : Not successful, error occured or action must be taken by the
1100 * calling process, call sec_ssl_get_error() to get the reason.
1101 * -2 : Not successful, connection closed.
1102 *****************************************************************************/
1103extern kal_int32 sec_ssl_read(ssl_conn *ssl, void *buf, kal_int32 num);
1104
1105
1106
1107/*****************************************************************************
1108 * <GROUP SSL Connection APIs>
1109 * FUNCTION
1110 * sec_ssl_write
1111 * DESCRIPTION
1112 * Write data to SSL connection.
1113 *
1114 * sec_ssl_write() will only return with success, when the complete contents
1115 * of buf of length num has been written.
1116 * PARAMETERS
1117 * ssl : [IN] Pointer to SSL connection context
1118 * buf : [IN] Buffer holding application data to be encrypted
1119 * num : [IN] Size of buf in bytes
1120 * RETURN VALUES
1121 * >0 : Operation successfully, return the bytes actually read from
1122 * SSL connection.
1123 * 0 : Not successful, connection closed.
1124 * -1 : Not successful, error occured or action must be taken by the
1125 * calling process, call sec_ssl_get_error() to get the reason.
1126 *****************************************************************************/
1127extern kal_int32 sec_ssl_write(ssl_conn *ssl, const void* buf, kal_int32 num);
1128
1129
1130
1131/*****************************************************************************
1132 * <GROUP SSL Connection APIs>
1133 * FUNCTION
1134 * sec_ssl_want_read
1135 * DESCRIPTION
1136 * Probe the staus of the ssl reading buffer.
1137 *
1138 * There are data in the SSL buffer ready for read to the application buffer.
1139 * For socket applications, the encrypted application data might has been
1140 * read from socket receiving buffer to SSL read buffer, application can use
1141 * this API to probe the SSL buffer state.
1142 * PARAMETERS
1143 * ssl : [IN] pointer to SSL connection context
1144 * RETURN VALUES
1145 * 1 : There are data in the SSL buffer to be read for SSL application.
1146 * 0 : No data to be read.
1147 * -1 : Error occured, call sec_ssl_get_error() to get the reason.
1148 *****************************************************************************/
1149extern kal_int32 sec_ssl_want_read(ssl_conn *ssl);
1150
1151
1152
1153/*****************************************************************************
1154 * <GROUP SSL Connection APIs>
1155 * FUNCTION
1156 * sec_ssl_want_write
1157 * DESCRIPTION
1158 * Probe the staus of the ssl writing buffer.
1159 *
1160 * There are data in the SSL buffer that must be written to the underlying
1161 * layer in order to complete the actual ssl_*() operation.
1162 * PARAMETERS
1163 * ssl : [IN] Pointer to SSL connection context.
1164 * RETURN VALUES
1165 * 1 : There are data in the SSL buffer to be written to complete the
1166 * SSL_* operation.
1167 * 0 : No data to be written.
1168 * -1 : Error occured, call sec_ssl_get_error() to get the reason.
1169 *****************************************************************************/
1170extern kal_int32 sec_ssl_want_write(ssl_conn *ssl);
1171
1172
1173
1174/*****************************************************************************
1175 * <GROUP SSL Connection APIs>
1176 * FUNCTION
1177 * sec_ssl_shutdown
1178 * DESCRIPTION
1179 * Shutdown the SSL connection by sending a 'close notify' alert to peer.
1180 * PARAMETERS
1181 * ssl : [IN] Pointer to SSL connection context.
1182 * RETURN VALUES
1183 * 1 : the SSL shutdown was successfully completed
1184 * 0 : the shutdown process is not yet finished, call it one more time.
1185 * -1 : shutdown failed because a fatal error occured.
1186 *****************************************************************************/
1187extern kal_int32 sec_ssl_shutdown(ssl_conn *ssl);
1188
1189
1190
1191/*****************************************************************************
1192 * <GROUP SSL Connection APIs>
1193 * FUNCTION
1194 * sec_ssl_get_error
1195 * DESCRIPTION
1196 * Get last SSL error cause.
1197 *
1198 * sec_ssl_get_error() returns a result code for a preceding call to
1199 * ssl_connect(), ssl_accept(), ssl_do_handshake(), ssl_read(), ssl_peek(),
1200 * or ssl_write() on ssl. The value returned by that TLS/SSL I/O function
1201 * must be passed to sec_ssl_get_error() in parameter ret.
1202 * PARAMETERS
1203 * ssl : [IN] Pointer to SSL connection context.
1204 * ret : [IN] Currently not used.
1205 * RETURN VALUES
1206 * != : 0 last eror
1207 * 0 : Not valid ssl pointer
1208 * EXAMPLE
1209 * <code>
1210 * ret = sec_ssl_connect(ssl_conn);
1211 * if (ret != 1)
1212 * err = sec_ssl_get_error(ssl_conn, ret);
1213 * </code>
1214 *****************************************************************************/
1215extern kal_int32 sec_ssl_get_error(const ssl_conn *ssl, kal_int32 ret);
1216
1217
1218
1219
1220/*****************************************************************************
1221 * <GROUP SSL Connection APIs>
1222 * FUNCTION
1223 * sec_ssl_get_curr_cipher_info
1224 * DESCRIPTION
1225 * Get the negotiated cipher infomation.
1226 * The information contains:
1227 * - Protocol version,
1228 * - Encryption algorithm,
1229 * - Key exchange algorithm,
1230 * - Authentication algorithm,
1231 * - Hash algorithm.
1232 * PARAMETERS
1233 * ssl : [IN] Connection context
1234 * cipher_info : [OUT] Structure containing the info of negotiated ciphersuite
1235 * RETURN VALUES
1236 * SEC_ERROR_NONE : Success, the cert is copied to buf, with the
1237 * length returned from buflen.
1238 * SEC_ERROR_NULL_PTR : NULL pointer is passed.
1239 * SEC_ERROR_SSL_HSHK_REQUIRED : Handshake must be completed first.
1240 * SEC_ERROR_PTR : SSL internal connection context points to
1241 * NULL.
1242 * SEC_ERROR_BUFFER_SIZE : Given destination buffer is too small, the
1243 * required size is returned in the buflen
1244 * argument.
1245 *****************************************************************************/
1246extern kal_int32
1247sec_ssl_get_curr_cipher_info(const ssl_conn *ssl,
1248 sec_cipher_info_struct *cipher_info);
1249
1250
1251
1252/*****************************************************************************
1253 * <GROUP SSL Connection APIs>
1254 * FUNCTION
1255 * sec_ssl_cipher_get_version
1256 * DESCRIPTION
1257 * Get the negotiated SSL/TLS version.
1258 * PARAMETERS
1259 * ssl : [IN] Connection context
1260 * RETURNS
1261 * SSL protocol version represented in sec_proto_ver_enum.
1262 *****************************************************************************/
1263extern sec_proto_ver_enum sec_ssl_cipher_get_version(const ssl_conn *ssl);
1264
1265
1266
1267/*****************************************************************************
1268 * <GROUP SSL Connection APIs>
1269 * FUNCTION
1270 * sec_ssl_get_ciphersuite
1271 * DESCRIPTION
1272 * Get the negotiated ciphersuite.
1273 * PARAMETERS
1274 * ssl : [IN] Connection context
1275 * cipher : [OUT] Returning cipher suite enum of negotiated ciphersuite
1276 *
1277 * RETURN VALUES
1278 * SEC_ERROR_NONE : Success, the cert information is extracted.
1279 * SEC_ERROR_NULL_PTR : NULL pointer is passed in the argument.
1280 * SEC_ERROR_SSL_HSHK_REQUIRED : Handshake must be completed first.
1281 * SEC_ERROR_PTR : SSL internal connection context points to
1282 * NULL.
1283 *****************************************************************************/
1284extern kal_int32
1285sec_ssl_get_ciphersuite(const ssl_conn *ssl, sec_ciphersuites_enum *cipher);
1286
1287
1288
1289/*****************************************************************************
1290 * <GROUP SSL Connection APIs>
1291 * FUNCTION
1292 * sec_ssl_get_peer_certificate
1293 * DESCRIPTION
1294 * Get the certificate of current session.
1295 * PARAMETERS
1296 * ssl : [IN] Connection context
1297 * cert : [OUT] Buffer to return certificate of current session
1298 * RETURN VALUES
1299 * SEC_ERROR_NONE : Success, the cert information is extracted.
1300 * SEC_ERROR_NULL_PTR : NULL pointer is passed in the argument.
1301 * SEC_ERROR_SSL_HSHK_REQUIRED : Handshake must be completed first.
1302 * SEC_ERROR_PTR : SSL internal connection context points to
1303 * NULL.
1304 *****************************************************************************/
1305extern kal_int32
1306sec_ssl_get_peer_certificate(ssl_conn *const ssl, sec_cert_struct *cert);
1307
1308
1309
1310/*****************************************************************************
1311 * <GROUP SSL Connection APIs>
1312 * FUNCTION
1313 * sec_ssl_get_certreq_auth_names
1314 * DESCRIPTION
1315 * The auth name list sent from peer in a client certificate request message.
1316 *
1317 * For client authentication, the cert types and auth names and used to
1318 * filter the local personal certificates meets the criteria to be used as
1319 * local identity. If application encountered client authentication during
1320 * handshake, it should call this API to extract the information in the
1321 * received client authentication request.
1322 *
1323 * The authentication names in received client authentication request are
1324 * returned from the auth_names parameter. The number of received auth names
1325 * are returned from auth_name_cnt as output argument. If the total number of
1326 * received auth names is larger than input auth_name_cnt, currently SSL
1327 * library supports up to 32 client auth names.
1328 * PARAMETERS
1329 * ssl : [IN] Connection context
1330 * cert_types : [OUT] A list of certificate types of certificates
1331 * requested, stored in order of the server's
1332 * preference.
1333 * auth_name_cnt : [IN/OUT] Number of entries in the certificate authorities.
1334 * a) As an input argument, which specifies the
1335 * size of "auth_names" array.
1336 * b) As an output argument, which return the number
1337 * of valid entries in the "auht_names" array.
1338 * auth_names : [OUT] A list of the distinguished names of acceptable
1339 * certificate authorities.
1340 * RETURN VALUES
1341 * SEC_ERROR_NONE : Success, the cert is copied to buf, with the
1342 * length returned from buflen.
1343 * SEC_ERROR_NULL_PTR : NULL pointer is passed.
1344 * SEC_ERROR_PTR : SSL internal connection context points to NULL.
1345 * Note that the pointers to auth_names are maintained in SSL wrapper.
1346 * The memory holding the data will freed while deleting the connection context.
1347 * So, application should be responsible for duplicating the data if necessary.
1348 *****************************************************************************/
1349extern kal_int32
1350sec_ssl_get_certreq_auth_names(ssl_conn * ssl,
1351 sec_cert_types *cert_types,
1352 kal_uint8 *auth_name_cnt,
1353 sec_auth_names auth_names[]);
1354
1355
1356
1357/*****************************************************************************
1358 * <GROUP Utility Functions>
1359 * FUNCTION
1360 * sec_ssl_extract_cert
1361 * DESCRIPTION
1362 * Extract the certificate in cert to user buffer.
1363 *
1364 * For applications would like to extract a certificate stored in
1365 * sec_cert structure to user buffer. Application should provide a buffer
1366 * to store the extracted certificate. For the first time, application does
1367 * not know the required buffer to extract the certificate, application can
1368 * pass an NULL buffer and check the value in buf_len to allocate a block of
1369 * memory with sufficient size.
1370 * PARAMETERS
1371 * cert : [IN] Source structure holding certificate to be extracted
1372 * buf : [IN] Buffer provided by user to hold the copied cert
1373 * buflen : [IN] Length of the given buffer, a argument for both
1374 * input and output.
1375 * 1. For input, it specifies the size of buffer provided
1376 * by user
1377 * 2. For ouptut:
1378 * a) in error of insufficient size, it returns the
1379 * required size for extracting the certificate
1380 * b) in success case, it contains the size of the
1381 * extracted certificate
1382 * RETURN VALUES
1383 * SEC_ERROR_NONE : Success, the cert is copied to buf, with the
1384 * length returned from buflen.
1385 * SEC_ERROR_NULL_PTR : NULL pointer is passed.
1386 * SEC_ERROR_PTR : SSL internal connection context points to NULL.
1387 * SEC_ERROR_BUFFER_SIZE : given destination buffer is too small, the required
1388 * size is returned in the buflen argument.
1389 *****************************************************************************/
1390extern kal_int32
1391sec_ssl_extract_cert(const sec_cert_struct *cert, kal_uint8 *buf, kal_uint32 *buflen);
1392
1393
1394
1395/*****************************************************************************
1396 * <GROUP Utility Functions>
1397 * FUNCTION
1398 * sec_ssl_log_plaintext
1399 * DESCRIPTION
1400 * Enable/disable plaintext logging mechanism, default if off.
1401 *
1402 * This API is used designed for debugging SSL/TLS applications.
1403 * Because all applications over SSL/TLS send and receive encrypted data in
1404 * the network, application can invoke this API to turn on the logging
1405 * mechanism to check the plaintext content in the application layer.
1406 *
1407 * For security consideration, This API will only be effective when the
1408 * global compile __PRODUCTION_RELEASE__ is not defined.
1409 *
1410 * As long as this API is invoked to turn on the logging mechanism, all data
1411 * flow over SSL/TLS in the system will be logged.
1412 *
1413 * The message will be logged as MSG_ID_APP_SSL_DATA_INPUT_MSG and
1414 * MSG_ID_APP_SSL_DATA_OUTPUT_MSG to MOD_SOC.
1415 *
1416 * Note:
1417 * 1. The ILMs only be sent when a successful SSL read()/write() is invoked.
1418 * 2. The ret field in the message is the number of data been read/write.
1419 * 3. The len field in the message is the peer buffer allocated for
1420 * sending/recving data, if the buffer called in the API is too large
1421 * (> 2048-peer_buff_struct), multiple messages will be sent in the log
1422 * 4. The mf field in the message indicates whether there are more fragments
1423 * for this read/write operation
1424 *
1425 * PARAMETERS
1426 * onoff : [IN] Switch on/off the plaintext logging mechanism.
1427 * RETURNS
1428 * This function returns no diagnostic information.
1429 *****************************************************************************/
1430extern void sec_ssl_log_plaintext(const kal_bool onoff);
1431
1432
1433
1434/*****************************************************************************
1435 * <GROUP Utility Functions>
1436 * FUNCTION
1437 * sec_ssl_clear_library_error
1438 * DESCRIPTION
1439 * Clear library error variable.
1440 * PARAMETERS
1441 * void
1442 * RETURNS
1443 * This function returns no diagnostic information.
1444 *****************************************************************************/
1445extern void sec_ssl_clear_library_error(void);
1446
1447extern void sec_ssl_init_conn_method (ssl_ctx *ctx, ssl_conn *s_conn);
1448extern void sec_ssl_set_cert_validate_status (kal_bool status, ssl_conn *s_conn);
1449extern kal_int32 sec_ssl_set_host_name(ssl_conn *s, kal_char *host);
1450#endif /* !_SSL_API_H */
1451
1452