Merged ECDSA-based key-exchange and ciphersuites into development

Conflicts: include/polarssl/config.h library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c
2025-07-29 11:41:15 +03:00 · 2013-08-28 11:57:20 +02:00
parent a0f07478ee 70064fd721
commit 577e006c2f
30 changed files with 1706 additions and 635 deletions
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -244,6 +244,7 @@

 /*
 * Supported Signature and Hash algorithms (For TLS 1.2)
+ * RFC 5246 section 7.4.1.4.1
 */
 #define SSL_HASH_NONE                0
 #define SSL_HASH_MD5                 1
@ -253,12 +254,16 @@
 #define SSL_HASH_SHA384              5
 #define SSL_HASH_SHA512              6

+#define SSL_SIG_ANON                 0
 #define SSL_SIG_RSA                  1
+#define SSL_SIG_ECDSA                3

 /*
 * Client Certificate Types
+ * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
 */
 #define SSL_CERT_TYPE_RSA_SIGN       1
+#define SSL_CERT_TYPE_ECDSA_SIGN    64

 /*
 * Message, alert and handshake types
@ -453,9 +458,9 @@ struct _ssl_transform
    md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
    md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */

-    /* 151 == 604 bytes is size of gcm_context (largest context in PolarSSL) */
-    uint32_t ctx_enc[151];              /*!<  encryption context      */
-    uint32_t ctx_dec[151];              /*!<  decryption context      */
+    /* 154 == 616 bytes is size of gcm_context (largest context in PolarSSL) */
+    uint32_t ctx_enc[154];              /*!<  encryption context      */
+    uint32_t ctx_dec[154];              /*!<  decryption context      */

    /*
     * Session specific compression layer
@ -638,12 +643,8 @@ struct _ssl_context
    /*
     * PKI layer
     */
-#if defined(POLARSSL_RSA_C)
-    void *rsa_key;                      /*!<  own RSA private key     */
-    rsa_decrypt_func rsa_decrypt;       /*!<  function for RSA decrypt*/
-    rsa_sign_func rsa_sign;             /*!<  function for RSA sign   */
-    rsa_key_len_func rsa_key_len;       /*!<  function for RSA key len*/
-#endif /* POLARSSL_RSA_C */
+    pk_context *pk_key;                 /*!<  own private key         */
+    int pk_key_own_alloc;               /*!<  did we allocate pk_key? */

 #if defined(POLARSSL_X509_PARSE_C)
    x509_cert *own_cert;                /*!<  own X.509 certificate   */
@ -965,13 +966,31 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
 *
 * \param ssl      SSL context
 * \param own_cert own public certificate chain
- * \param rsa_key  own private RSA key
+ * \param pk_key   own private key
 */
 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
-                       rsa_context *rsa_key );
+                       pk_context *pk_key );
+
+#if defined(POLARSSL_RSA_C)
+/**
+ * \brief          Set own certificate chain and private RSA key
+ *
+ *                 Note: own_cert should contain IN order from the bottom
+ *                 up your certificate chain. The top certificate (self-signed)
+ *                 can be omitted.
+ *
+ * \param ssl      SSL context
+ * \param own_cert own public certificate chain
+ * \param rsa_key  own private RSA key
+ *
+ * \return          0 on success, or a specific error code.
+ */
+int ssl_set_own_cert_rsa( ssl_context *ssl, x509_cert *own_cert,
+                          rsa_context *rsa_key );
+#endif /* POLARSSL_RSA_C */

 /**
- * \brief          Set own certificate and alternate non-PolarSSL private
+ * \brief          Set own certificate and alternate non-PolarSSL RSA private
 *                 key and handling callbacks, such as the PKCS#11 wrappers
 *                 or any other external private key handler.
 *                 (see the respective RSA functions in rsa.h for documentation
@ -988,12 +1007,14 @@ void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
 * \param rsa_decrypt_func  alternate implementation of \c rsa_pkcs1_decrypt()
 * \param rsa_sign_func     alternate implementation of \c rsa_pkcs1_sign()
 * \param rsa_key_len_func  function returning length of RSA key in bytes
+ *
+ * \return          0 on success, or a specific error code.
 */
-void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
-                           void *rsa_key,
-                           rsa_decrypt_func rsa_decrypt,
-                           rsa_sign_func rsa_sign,
-                           rsa_key_len_func rsa_key_len );
+int ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
+                          void *rsa_key,
+                          rsa_decrypt_func rsa_decrypt,
+                          rsa_sign_func rsa_sign,
+                          rsa_key_len_func rsa_key_len );
 #endif /* POLARSSL_X509_PARSE_C */

 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
@ -1435,6 +1456,10 @@ int ssl_write_finished( ssl_context *ssl );

 void ssl_optimize_checksum( ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info );

+unsigned char ssl_sig_from_pk( pk_context *pk );
+pk_type_t ssl_pk_alg_from_sig( unsigned char sig );
+md_type_t ssl_md_alg_from_hash( unsigned char hash );
+
 #ifdef __cplusplus
 }
 #endif