TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 77a43580da3e370285fc380afb8e8584a203549a / . / include / polarssl / ssl.h
blob: 9bcc0737afc6123ac65464d2170b900f9a4d41ec [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/**
2 * \file ssl.h
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]3 *
Paul Bakkerfc8c4362010-03-21 17:37:16 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]5 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]6 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]21#ifndef POLARSSL_SSL_H
22#define POLARSSL_SSL_H
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]23
24#include <time.h>
25
Paul Bakker8e831ed2009-01-03 21:24:11 +0000[diff] [blame]26#include "polarssl/net.h"
27#include "polarssl/dhm.h"
28#include "polarssl/rsa.h"
29#include "polarssl/md5.h"
30#include "polarssl/sha1.h"
31#include "polarssl/x509.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker13e2dfe2009-07-28 07:18:38 +0000[diff] [blame]33/*
34 * SSL Error codes
35 */
Paul Bakker3391b122009-07-28 20:11:54 +0000[diff] [blame]36#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE -0x1000
37#define POLARSSL_ERR_SSL_BAD_INPUT_DATA -0x1800
38#define POLARSSL_ERR_SSL_INVALID_MAC -0x2000
39#define POLARSSL_ERR_SSL_INVALID_RECORD -0x2800
40#define POLARSSL_ERR_SSL_INVALID_MODULUS_SIZE -0x3000
41#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x3800
42#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x4000
43#define POLARSSL_ERR_SSL_NO_SESSION_FOUND -0x4800
44#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x5000
45#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x5800
46#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x6000
47#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x6800
48#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7000
49#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE -0x7800
50#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE -0x8000
51#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED -0x8800
52#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY -0x9000
53#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO -0x9800
54#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO -0xA000
55#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE -0xA800
56#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST -0xB000
57#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE -0xB800
58#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE -0xC000
59#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE -0xC800
60#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0xD000
61#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0xD800
62#define POLARSSL_ERR_SSL_BAD_HS_FINISHED -0xE000
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63
64/*
65 * Various constants
66 */
67#define SSL_MAJOR_VERSION_3 3
68#define SSL_MINOR_VERSION_0 0 /*!< SSL v3.0 */
69#define SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 */
70#define SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */
71
72#define SSL_IS_CLIENT 0
73#define SSL_IS_SERVER 1
74#define SSL_COMPRESS_NULL 0
75
76#define SSL_VERIFY_NONE 0
77#define SSL_VERIFY_OPTIONAL 1
78#define SSL_VERIFY_REQUIRED 2
79
80#define SSL_MAX_CONTENT_LEN 16384
81
82/*
83 * Allow an extra 512 bytes for the record header
84 * and encryption overhead (counter + MAC + padding).
85 */
86#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + 512)
87
88/*
89 * Supported ciphersuites
90 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]91#define SSL_RSA_RC4_128_MD5 4
92#define SSL_RSA_RC4_128_SHA 5
93#define SSL_RSA_DES_168_SHA 10
94#define SSL_EDH_RSA_DES_168_SHA 22
95#define SSL_RSA_AES_128_SHA 47
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame^]96#define SSL_EDH_RSA_AES_128_SHA 51
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]97#define SSL_RSA_AES_256_SHA 53
98#define SSL_EDH_RSA_AES_256_SHA 57
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]99
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]100#define SSL_RSA_CAMELLIA_128_SHA 0x41
Paul Bakker77a43582010-06-15 21:32:46 +0000[diff] [blame^]101#define SSL_EDH_RSA_CAMELLIA_128_SHA 0x45
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]102#define SSL_RSA_CAMELLIA_256_SHA 0x84
103#define SSL_EDH_RSA_CAMELLIA_256_SHA 0x88
Paul Bakkerb5ef0ba2009-01-11 20:25:36 +0000[diff] [blame]104
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]105/*
106 * Message, alert and handshake types
107 */
108#define SSL_MSG_CHANGE_CIPHER_SPEC 20
109#define SSL_MSG_ALERT 21
110#define SSL_MSG_HANDSHAKE 22
111#define SSL_MSG_APPLICATION_DATA 23
112
113#define SSL_ALERT_CLOSE_NOTIFY 0
114#define SSL_ALERT_WARNING 1
115#define SSL_ALERT_FATAL 2
116#define SSL_ALERT_NO_CERTIFICATE 41
117
118#define SSL_HS_HELLO_REQUEST 0
119#define SSL_HS_CLIENT_HELLO 1
120#define SSL_HS_SERVER_HELLO 2
121#define SSL_HS_CERTIFICATE 11
122#define SSL_HS_SERVER_KEY_EXCHANGE 12
123#define SSL_HS_CERTIFICATE_REQUEST 13
124#define SSL_HS_SERVER_HELLO_DONE 14
125#define SSL_HS_CERTIFICATE_VERIFY 15
126#define SSL_HS_CLIENT_KEY_EXCHANGE 16
127#define SSL_HS_FINISHED 20
128
129/*
130 * TLS extensions
131 */
132#define TLS_EXT_SERVERNAME 0
133#define TLS_EXT_SERVERNAME_HOSTNAME 0
134
135/*
136 * SSL state machine
137 */
138typedef enum
139{
140 SSL_HELLO_REQUEST,
141 SSL_CLIENT_HELLO,
142 SSL_SERVER_HELLO,
143 SSL_SERVER_CERTIFICATE,
144 SSL_SERVER_KEY_EXCHANGE,
145 SSL_CERTIFICATE_REQUEST,
146 SSL_SERVER_HELLO_DONE,
147 SSL_CLIENT_CERTIFICATE,
148 SSL_CLIENT_KEY_EXCHANGE,
149 SSL_CERTIFICATE_VERIFY,
150 SSL_CLIENT_CHANGE_CIPHER_SPEC,
151 SSL_CLIENT_FINISHED,
152 SSL_SERVER_CHANGE_CIPHER_SPEC,
153 SSL_SERVER_FINISHED,
154 SSL_FLUSH_BUFFERS,
155 SSL_HANDSHAKE_OVER
156}
157ssl_states;
158
159typedef struct _ssl_session ssl_session;
160typedef struct _ssl_context ssl_context;
161
162/*
163 * This structure is used for session resuming.
164 */
165struct _ssl_session
166{
167 time_t start; /*!< starting time */
168 int cipher; /*!< chosen cipher */
169 int length; /*!< session id length */
170 unsigned char id[32]; /*!< session identifier */
171 unsigned char master[48]; /*!< the master secret */
172 ssl_session *next; /*!< next session entry */
173};
174
175struct _ssl_context
176{
177 /*
178 * Miscellaneous
179 */
180 int state; /*!< SSL handshake: current state */
181
182 int major_ver; /*!< equal to SSL_MAJOR_VERSION_3 */
183 int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */
184
185 int max_major_ver; /*!< max. major version from client */
186 int max_minor_ver; /*!< max. minor version from client */
187
188 /*
189 * Callbacks (RNG, debug, I/O)
190 */
191 int (*f_rng)(void *);
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]192 void (*f_dbg)(void *, int, const char *);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]193 int (*f_recv)(void *, unsigned char *, int);
194 int (*f_send)(void *, unsigned char *, int);
195
196 void *p_rng; /*!< context for the RNG function */
197 void *p_dbg; /*!< context for the debug function */
198 void *p_recv; /*!< context for reading operations */
199 void *p_send; /*!< context for writing operations */
200
201 /*
202 * Session layer
203 */
204 int resume; /*!< session resuming flag */
205 int timeout; /*!< sess. expiration time */
206 ssl_session *session; /*!< current session data */
207 int (*s_get)(ssl_context *); /*!< (server) get callback */
208 int (*s_set)(ssl_context *); /*!< (server) set callback */
209
210 /*
211 * Record layer (incoming data)
212 */
213 unsigned char *in_ctr; /*!< 64-bit incoming message counter */
214 unsigned char *in_hdr; /*!< 5-byte record header (in_ctr+8) */
215 unsigned char *in_msg; /*!< the message contents (in_hdr+5) */
216 unsigned char *in_offt; /*!< read offset in application data */
217
218 int in_msgtype; /*!< record header: message type */
219 int in_msglen; /*!< record header: message length */
220 int in_left; /*!< amount of data read so far */
221
222 int in_hslen; /*!< current handshake message length */
223 int nb_zero; /*!< # of 0-length encrypted messages */
224
225 /*
226 * Record layer (outgoing data)
227 */
228 unsigned char *out_ctr; /*!< 64-bit outgoing message counter */
229 unsigned char *out_hdr; /*!< 5-byte record header (out_ctr+8) */
230 unsigned char *out_msg; /*!< the message contents (out_hdr+5) */
231
232 int out_msgtype; /*!< record header: message type */
233 int out_msglen; /*!< record header: message length */
234 int out_left; /*!< amount of data not yet written */
235
236 /*
237 * PKI layer
238 */
239 rsa_context *rsa_key; /*!< own RSA private key */
240 x509_cert *own_cert; /*!< own X.509 certificate */
241 x509_cert *ca_chain; /*!< own trusted CA chain */
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]242 x509_crl *ca_crl; /*!< trusted CA CRLs */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]243 x509_cert *peer_cert; /*!< peer X.509 cert chain */
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]244 const char *peer_cn; /*!< expected peer CN */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]245
246 int endpoint; /*!< 0: client, 1: server */
247 int authmode; /*!< verification mode */
248 int client_auth; /*!< flag for client auth. */
249 int verify_result; /*!< verification result */
250
251 /*
252 * Crypto layer
253 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]254 dhm_context dhm_ctx; /*!< DHM key exchange */
255 md5_context fin_md5; /*!< Finished MD5 checksum */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]256 sha1_context fin_sha1; /*!< Finished SHA-1 checksum */
257
258 int do_crypt; /*!< en(de)cryption flag */
259 int *ciphers; /*!< allowed ciphersuites */
260 int pmslen; /*!< premaster length */
261 int keylen; /*!< symmetric key length */
262 int minlen; /*!< min. ciphertext length */
263 int ivlen; /*!< IV length */
264 int maclen; /*!< MAC length */
265
266 unsigned char randbytes[64]; /*!< random bytes */
267 unsigned char premaster[256]; /*!< premaster secret */
268
269 unsigned char iv_enc[16]; /*!< IV (encryption) */
270 unsigned char iv_dec[16]; /*!< IV (decryption) */
271
272 unsigned char mac_enc[32]; /*!< MAC (encryption) */
273 unsigned char mac_dec[32]; /*!< MAC (decryption) */
274
275 unsigned long ctx_enc[128]; /*!< encryption context */
276 unsigned long ctx_dec[128]; /*!< decryption context */
277
278 /*
279 * TLS extensions
280 */
281 unsigned char *hostname;
282 unsigned long hostname_len;
283};
284
285#ifdef __cplusplus
286extern "C" {
287#endif
288
289extern int ssl_default_ciphers[];
290
291/**
292 * \brief Initialize an SSL context
293 *
294 * \param ssl SSL context
295 *
296 * \return 0 if successful, or 1 if memory allocation failed
297 */
298int ssl_init( ssl_context *ssl );
299
300/**
301 * \brief Set the current endpoint type
302 *
303 * \param ssl SSL context
304 * \param endpoint must be SSL_IS_CLIENT or SSL_IS_SERVER
305 */
306void ssl_set_endpoint( ssl_context *ssl, int endpoint );
307
308/**
309 * \brief Set the certificate verification mode
310 *
311 * \param ssl SSL context
312 * \param mode can be:
313 *
314 * SSL_VERIFY_NONE: peer certificate is not checked (default),
315 * this is insecure and SHOULD be avoided.
316 *
317 * SSL_VERIFY_OPTIONAL: peer certificate is checked, however the
318 * handshake continues even if verification failed;
319 * ssl_get_verify_result() can be called after the
320 * handshake is complete.
321 *
322 * SSL_VERIFY_REQUIRED: peer *must* present a valid certificate,
323 * handshake is aborted if verification failed.
324 */
325void ssl_set_authmode( ssl_context *ssl, int authmode );
326
327/**
328 * \brief Set the random number generator callback
329 *
330 * \param ssl SSL context
331 * \param f_rng RNG function
332 * \param p_rng RNG parameter
333 */
334void ssl_set_rng( ssl_context *ssl,
335 int (*f_rng)(void *),
336 void *p_rng );
337
338/**
339 * \brief Set the debug callback
340 *
341 * \param ssl SSL context
342 * \param f_dbg debug function
343 * \param p_dbg debug parameter
344 */
345void ssl_set_dbg( ssl_context *ssl,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]346 void (*f_dbg)(void *, int, const char *),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347 void *p_dbg );
348
349/**
350 * \brief Set the underlying BIO read and write callbacks
351 *
352 * \param ssl SSL context
353 * \param f_recv read callback
354 * \param p_recv read parameter
355 * \param f_send write callback
356 * \param p_send write parameter
357 */
358void ssl_set_bio( ssl_context *ssl,
359 int (*f_recv)(void *, unsigned char *, int), void *p_recv,
360 int (*f_send)(void *, unsigned char *, int), void *p_send );
361
362/**
363 * \brief Set the session callbacks (server-side only)
364 *
365 * \param ssl SSL context
366 * \param s_get session get callback
367 * \param s_set session set callback
368 */
369void ssl_set_scb( ssl_context *ssl,
370 int (*s_get)(ssl_context *),
371 int (*s_set)(ssl_context *) );
372
373/**
374 * \brief Set the session resuming flag, timeout and data
375 *
376 * \param ssl SSL context
377 * \param resume if 0 (default), the session will not be resumed
378 * \param timeout session timeout in seconds, or 0 (no timeout)
379 * \param session session context
380 */
381void ssl_set_session( ssl_context *ssl, int resume, int timeout,
382 ssl_session *session );
383
384/**
385 * \brief Set the list of allowed ciphersuites
386 *
387 * \param ssl SSL context
388 * \param ciphers 0-terminated list of allowed ciphers
389 */
390void ssl_set_ciphers( ssl_context *ssl, int *ciphers );
391
392/**
393 * \brief Set the data required to verify peer certificate
394 *
395 * \param ssl SSL context
396 * \param ca_chain trusted CA chain
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]397 * \param ca_crl trusted CA CRLs
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398 * \param peer_cn expected peer CommonName (or NULL)
399 *
400 * \note TODO: add two more parameters: depth and crl
401 */
402void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
Paul Bakker57b79142010-03-24 06:51:15 +0000[diff] [blame]403 x509_crl *ca_crl, const char *peer_cn );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]404
405/**
406 * \brief Set own certificate and private key
407 *
408 * \param ssl SSL context
409 * \param own_cert own public certificate
410 * \param rsa_key own private RSA key
411 */
412void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
413 rsa_context *rsa_key );
414
415/**
416 * \brief Set the Diffie-Hellman public P and G values,
417 * read as hexadecimal strings (server-side only)
418 *
419 * \param ssl SSL context
420 * \param dhm_P Diffie-Hellman-Merkle modulus
421 * \param dhm_G Diffie-Hellman-Merkle generator
422 *
423 * \return 0 if successful
424 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]425int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
427/**
428 * \brief Set hostname for ServerName TLS Extension
429 *
430 *
431 * \param ssl SSL context
432 * \param hostname the server hostname
433 *
434 * \return 0 if successful
435 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]436int ssl_set_hostname( ssl_context *ssl, const char *hostname );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]437
438/**
439 * \brief Return the number of data bytes available to read
440 *
441 * \param ssl SSL context
442 *
443 * \return how many bytes are available in the read buffer
444 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]445int ssl_get_bytes_avail( const ssl_context *ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]446
447/**
448 * \brief Return the result of the certificate verification
449 *
450 * \param ssl SSL context
451 *
452 * \return 0 if successful, or a combination of:
453 * BADCERT_EXPIRED
454 * BADCERT_REVOKED
455 * BADCERT_CN_MISMATCH
456 * BADCERT_NOT_TRUSTED
457 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]458int ssl_get_verify_result( const ssl_context *ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
460/**
461 * \brief Return the name of the current cipher
462 *
463 * \param ssl SSL context
464 *
465 * \return a string containing the cipher name
466 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]467const char *ssl_get_cipher( const ssl_context *ssl );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469/**
470 * \brief Perform the SSL handshake
471 *
472 * \param ssl SSL context
473 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]474 * \return 0 if successful, POLARSSL_ERR_NET_TRY_AGAIN,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475 * or a specific SSL error code.
476 */
477int ssl_handshake( ssl_context *ssl );
478
479/**
480 * \brief Read at most 'len' application data bytes
481 *
482 * \param ssl SSL context
483 * \param buf buffer that will hold the data
484 * \param len how many bytes must be read
485 *
486 * \return This function returns the number of bytes read,
487 * or a negative error code.
488 */
489int ssl_read( ssl_context *ssl, unsigned char *buf, int len );
490
491/**
492 * \brief Write exactly 'len' application data bytes
493 *
494 * \param ssl SSL context
495 * \param buf buffer holding the data
496 * \param len how many bytes must be written
497 *
498 * \return This function returns the number of bytes written,
499 * or a negative error code.
500 *
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]501 * \note When this function returns POLARSSL_ERR_NET_TRY_AGAIN,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502 * it must be called later with the *same* arguments,
503 * until it returns a positive value.
504 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]505int ssl_write( ssl_context *ssl, const unsigned char *buf, int len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]506
507/**
508 * \brief Notify the peer that the connection is being closed
Paul Bakker13e2dfe2009-07-28 07:18:38 +0000[diff] [blame]509 *
510 * \param ssl SSL context
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]511 */
512int ssl_close_notify( ssl_context *ssl );
513
514/**
515 * \brief Free an SSL context
Paul Bakker13e2dfe2009-07-28 07:18:38 +0000[diff] [blame]516 *
517 * \param ssl SSL context
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518 */
519void ssl_free( ssl_context *ssl );
520
521/*
522 * Internal functions (do not call directly)
523 */
524int ssl_handshake_client( ssl_context *ssl );
525int ssl_handshake_server( ssl_context *ssl );
526
527int ssl_derive_keys( ssl_context *ssl );
528void ssl_calc_verify( ssl_context *ssl, unsigned char hash[36] );
529
530int ssl_read_record( ssl_context *ssl );
531int ssl_fetch_input( ssl_context *ssl, int nb_want );
532
533int ssl_write_record( ssl_context *ssl );
534int ssl_flush_output( ssl_context *ssl );
535
536int ssl_parse_certificate( ssl_context *ssl );
537int ssl_write_certificate( ssl_context *ssl );
538
539int ssl_parse_change_cipher_spec( ssl_context *ssl );
540int ssl_write_change_cipher_spec( ssl_context *ssl );
541
542int ssl_parse_finished( ssl_context *ssl );
543int ssl_write_finished( ssl_context *ssl );
544
545#ifdef __cplusplus
546}
547#endif
548
549#endif /* ssl.h */