TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / cdc26ae099ff89a6184eebfcffd7414acd54c424^! / . / include / mbedtls / ssl.h
commitcdc26ae099ff89a6184eebfcffd7414acd54c424[log] [tgz]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Fri Jun 19 12:16:31 2015 +0200
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Mon Jun 22 14:52:40 2015 +0200
tree5f0a8459c6d2ff6a273a3faed0138ef39973ab0d
parenta752d8780ceac07146b9b8b4620f82913034c4de [diff] [blame]
Add mbedtls_ssl_set_hs_authmode

While at it, fix the following:
- on server with RSA_PSK, we don't want to set flags (client auth happens via
  the PSK, no cert is expected).
- use safer tests (eg == OPTIONAL vs != REQUIRED)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index abe7d28..5a3de90 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -166,6 +166,7 @@
 #define MBEDTLS_SSL_VERIFY_NONE                 0
 #define MBEDTLS_SSL_VERIFY_OPTIONAL             1
 #define MBEDTLS_SSL_VERIFY_REQUIRED             2
+#define MBEDTLS_SSL_VERIFY_UNSET                3 /* Used only for sni_authmode */
 
 #define MBEDTLS_SSL_LEGACY_RENEGOTIATION        0
 #define MBEDTLS_SSL_SECURE_RENEGOTIATION        1
@@ -1621,6 +1622,19 @@
                                   mbedtls_x509_crl *ca_crl );
 
 /**
+ * \brief          Set authmode for the current handshake.
+ *
+ * \note           Same as \c mbedtls_ssl_conf_authmode() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or
+ *                 MBEDTLS_SSL_VERIFY_REQUIRED
+ */
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+                                  int authmode );
+
+/**
  * \brief          Set server side ServerName TLS extension callback
  *                 (optional, server-side only).
  *
@@ -1629,12 +1643,15 @@
  *                 during a handshake. The ServerName callback has the
  *                 following parameters: (void *parameter, mbedtls_ssl_context *ssl,
  *                 const unsigned char *hostname, size_t len). If a suitable
- *                 certificate is found, the callback should set the
+ *                 certificate is found, the callback must set the
  *                 certificate(s) and key(s) to use with \c
  *                 mbedtls_ssl_set_hs_own_cert() (can be called repeatedly),
- *                 and optionally adjust the CA with \c
- *                 mbedtls_ssl_set_hs_ca_chain() and return 0. The callback
- *                 should return -1 to abort the handshake at this point.
+ *                 and may optionally adjust the CA and associated CRL with \c
+ *                 mbedtls_ssl_set_hs_ca_chain() as well as the client
+ *                 authentication mode with \c mbedtls_ssl_set_hs_authmode(),
+ *                 then must return 0. If no matching name is found, the
+ *                 callback must either set a default cert, or
+ *                 return non-zero to abort the handshake at this point.
  *
  * \param conf     SSL configuration
  * \param f_sni    verification function