11/*
2- * Copyright (c) 2007, Cameron Rich
2+ * Copyright (c) 2007-2016 , Cameron Rich
33 *
44 * All rights reserved.
55 *
@@ -75,6 +75,7 @@ extern "C" {
7575// struct SSL_CTX_;
7676typedef struct SSL_CTX_ SSL_CTX ;
7777typedef struct SSL_ SSL ;
78+ typedef struct SSL_EXTENSIONS_ SSL_EXTENSIONS ;
7879
7980/* The optional parameters that can be given to the client/server SSL engine */
8081#define SSL_CLIENT_AUTHENTICATION 0x00010000
@@ -93,13 +94,16 @@ typedef struct SSL_ SSL;
9394#define SSL_ERROR_DEAD -2
9495#define SSL_CLOSE_NOTIFY -3
9596#define SSL_ERROR_CONN_LOST -256
97+ #define SSL_ERROR_RECORD_OVERFLOW -257
9698#define SSL_ERROR_SOCK_SETUP_FAILURE -258
9799#define SSL_ERROR_INVALID_HANDSHAKE -260
98100#define SSL_ERROR_INVALID_PROT_MSG -261
99101#define SSL_ERROR_INVALID_HMAC -262
100102#define SSL_ERROR_INVALID_VERSION -263
103+ #define SSL_ERROR_UNSUPPORTED_EXTENSION -264
101104#define SSL_ERROR_INVALID_SESSION -265
102105#define SSL_ERROR_NO_CIPHER -266
106+ #define SSL_ERROR_INVALID_CERT_HASH_ALG -267
103107#define SSL_ERROR_BAD_CERTIFICATE -268
104108#define SSL_ERROR_INVALID_KEY -269
105109#define SSL_ERROR_FINISHED_INVALID -271
@@ -117,19 +121,25 @@ typedef struct SSL_ SSL;
117121#define SSL_ALERT_CLOSE_NOTIFY 0
118122#define SSL_ALERT_UNEXPECTED_MESSAGE 10
119123#define SSL_ALERT_BAD_RECORD_MAC 20
124+ #define SSL_ALERT_RECORD_OVERFLOW 22
120125#define SSL_ALERT_HANDSHAKE_FAILURE 40
121126#define SSL_ALERT_BAD_CERTIFICATE 42
127+ #define SSL_ALERT_UNSUPPORTED_CERTIFICATE 43
128+ #define SSL_ALERT_CERTIFICATE_EXPIRED 45
129+ #define SSL_ALERT_CERTIFICATE_UNKNOWN 46
122130#define SSL_ALERT_ILLEGAL_PARAMETER 47
131+ #define SSL_ALERT_UNKNOWN_CA 48
123132#define SSL_ALERT_DECODE_ERROR 50
124133#define SSL_ALERT_DECRYPT_ERROR 51
125134#define SSL_ALERT_INVALID_VERSION 70
126135#define SSL_ALERT_NO_RENEGOTIATION 100
136+ #define SSL_ALERT_UNSUPPORTED_EXTENSION 110
127137
128138/* The ciphers that are supported */
129139#define SSL_AES128_SHA 0x2f
130140#define SSL_AES256_SHA 0x35
131- #define SSL_RC4_128_SHA 0x05
132- #define SSL_RC4_128_MD5 0x04
141+ #define SSL_AES128_SHA256 0x3c
142+ #define SSL_AES256_SHA256 0x3d
133143
134144/* build mode ids' */
135145#define SSL_BUILD_SKELETON_MODE 0x01
@@ -218,6 +228,36 @@ EXP_FUNC SSL_CTX * STDCALL ssl_ctx_new(uint32_t options, int num_sessions);
218228 */
219229EXP_FUNC void STDCALL ssl_ctx_free (SSL_CTX * ssl_ctx );
220230
231+ /**
232+ * @brief Allocates new SSL extensions structure and returns pointer to it
233+ *
234+ * @return ssl_ext Pointer to SSL_EXTENSIONS structure
235+ *
236+ */
237+ EXP_FUNC SSL_EXTENSIONS * STDCALL ssl_ext_new ();
238+
239+ /**
240+ * @brief Set the host name for SNI extension
241+ * @param ssl_ext pointer returned by ssl_ext_new
242+ * @param host_name pointer to a zero-terminated string containing host name
243+ */
244+ EXP_FUNC void STDCALL ssl_ext_set_host_name (SSL_EXTENSIONS * ext , const char * host_name );
245+
246+ /**
247+ * @brief Set the maximum fragment size for the fragment size negotiation extension
248+ * @param ssl_ext pointer returned by ssl_ext_new
249+ * @param fragment_size fragment size, allowed values: 2^9, 2^10 ... 2^14
250+ */
251+ EXP_FUNC void STDCALL ssl_ext_set_max_fragment_size (SSL_EXTENSIONS * ext , unsigned fragment_size );
252+
253+ /**
254+ * @brief Frees SSL extensions structure
255+ *
256+ * @param ssl_ext [in] Pointer to SSL_EXTENSION structure
257+ *
258+ */
259+ EXP_FUNC void STDCALL ssl_ext_free (SSL_EXTENSIONS * ssl_ext );
260+
221261/**
222262 * @brief (server only) Establish a new SSL connection to an SSL client.
223263 *
@@ -244,11 +284,11 @@ EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd);
244284 * can be null if no session resumption is being used or required. This option
245285 * is not used in skeleton mode.
246286 * @param sess_id_size The size of the session id (max 32)
247- * @param host_name If non-zero, host name to be sent to server for SNI support
287+ * @param ssl_ext pointer to a structure with the activated SSL extensions and their values
248288 * @return An SSL object reference. Use ssl_handshake_status() to check
249289 * if a handshake succeeded.
250290 */
251- EXP_FUNC SSL * STDCALL ssl_client_new (SSL_CTX * ssl_ctx , int client_fd , const uint8_t * session_id , uint8_t sess_id_size , const char * host_name );
291+ EXP_FUNC SSL * STDCALL ssl_client_new (SSL_CTX * ssl_ctx , int client_fd , const uint8_t * session_id , uint8_t sess_id_size , SSL_EXTENSIONS * ssl_ext );
252292
253293/**
254294 * @brief Free any used resources on this connection.
@@ -289,6 +329,15 @@ EXP_FUNC int STDCALL ssl_read(SSL *ssl, uint8_t **in_data);
289329 */
290330EXP_FUNC int STDCALL ssl_write (SSL * ssl , const uint8_t * out_data , int out_len );
291331
332+ /**
333+ * @brief Calculate the size of the encrypted data from what you are about to send
334+ * @param ssl [in] An SSL obect reference.
335+ * @param out_len [in] The number of bytes to be written.
336+ * @return The number of bytes that will be sent, or if < 0 if an error.
337+ * @see ssl.h for the error code list.
338+ */
339+ EXP_FUNC int STDCALL ssl_calculate_write_length (SSL * ssl , int out_len );
340+
292341/**
293342 * @brief Find an ssl object based on a file descriptor.
294343 *
@@ -384,6 +433,15 @@ EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl);
384433 */
385434EXP_FUNC int STDCALL ssl_match_fingerprint (const SSL * ssl , const uint8_t * fp );
386435
436+ /**
437+ * @brief Check if SHA256 hash of Subject Public Key Info matches the one given.
438+ *
439+ * @param ssl [in] An SSL object reference.
440+ * @param fp [in] SHA256 hash to match against
441+ * @return SSL_OK if the certificate is verified.
442+ */
443+ EXP_FUNC int STDCALL ssl_match_spki_sha256 (const SSL * ssl , const uint8_t * hash );
444+
387445/**
388446 * @brief Retrieve an X.509 distinguished name component.
389447 *
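Review bot: The doc comment added for `ssl_match_spki_sha256` in the last hunk says `@return SSL_OK if the certificate is verified`, which a caller could read as chain validation when the `@brief` describes only a hash comparison. It also documents `@param fp` while the parameter is named `hash`, and it never states how many bytes are read from that pointer. I would change these to `@param hash [in] Expected SHA256 hash of the Subject Public Key Info (32 bytes)` and `@return SSL_OK if the hash matches; this is a pin check only, see ssl_verify_cert() for chain verification`, assuming the implementation does no more than the comparison its `@brief` describes. Separately, the `ssl_client_new` hunk does not say whether `ssl_ext` may be NULL or whether the SSL object takes ownership of it. Because `ssl_ext_free` is now public, a caller cannot tell from the header whether calling it after `ssl_client_new` is required or would be a double free.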