Merged ECDSA-based key-exchange and ciphersuites into development
Conflicts:
include/polarssl/config.h
library/ssl_cli.c
library/ssl_srv.c
library/ssl_tls.c
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 799c031..c1a1269 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -364,6 +364,28 @@
#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
/**
+ * \def POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ *
+ * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS
+ *
+ * Requires: POLARSSL_ECDH_C, POLARSSL_ECDSA_C, POLARSSL_X509_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ * TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ * TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+ * TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+ */
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+
+/**
* \def POLARSSL_ERROR_STRERROR_BC
*
* Make available the backward compatible error_strerror() next to the
@@ -1129,6 +1151,21 @@
#define POLARSSL_PEM_C
/**
+ * \def POLARSSL_PK_C
+ *
+ * Enable the generic public (asymetric) key layer.
+ *
+ * Module: library/pk.c
+ * Caller: library/x509parse.c
+ * library/ssl_tls.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Uncomment to enable generic public key wrappers.
+ */
+#define POLARSSL_PK_C
+
+/**
* \def POLARSSL_PKCS5_C
*
* Enable PKCS#5 functions
@@ -1146,11 +1183,10 @@
*
* Enable wrapper for PKCS#11 smartcard support.
*
- * Module: library/ssl_srv.c
- * Caller: library/ssl_cli.c
- * library/ssl_srv.c
+ * Module: library/pkcs11.c
+ * Caller: library/pk.c
*
- * Requires: POLARSSL_SSL_TLS_C
+ * Requires: POLARSSL_PK_C
*
* This module enables SSL/TLS PKCS #11 smartcard support.
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
@@ -1283,8 +1319,8 @@
* Caller: library/ssl_cli.c
* library/ssl_srv.c
*
- * Requires: POLARSSL_CIPHER_C and at least one of the
- * POLARSSL_SSL_PROTO_* defines
+ * Requires: POLARSSL_CIPHER_C, POLARSSL_PK_C, POLARSSL_MD_C
+ * and at least one of the POLARSSL_SSL_PROTO_* defines
*
* This module is required for SSL/TLS.
*/
@@ -1324,7 +1360,7 @@
* library/ssl_tls.c
*
* Requires: POLARSSL_ASN1_PARSE_C, POLARSSL_BIGNUM_C, POLARSSL_OID_C,
- * POLARSSL_RSA_C
+ * POLARSSL_PK_C
*
* This module is required for X.509 certificate parsing.
*/
@@ -1477,6 +1513,12 @@
#error "POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
#endif
+#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
+ ( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_ECDSA_C) || \
+ !defined(POLARSSL_X509_PARSE_C) )
+#error "POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
+#endif
+
#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_PARSE_C) )
#error "POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
@@ -1499,7 +1541,7 @@
#error "POLARSSL_PEM_C defined, but not all prerequisites"
#endif
-#if defined(POLARSSL_PKCS11_C) && !defined(POLARSSL_SSL_TLS_C)
+#if defined(POLARSSL_PKCS11_C) && !defined(POLARSSL_PK_C)
#error "POLARSSL_PKCS11_C defined, but not all prerequisites"
#endif
@@ -1512,7 +1554,8 @@
#error "POLARSSL_SSL_CLI_C defined, but not all prerequisites"
#endif
-#if defined(POLARSSL_SSL_TLS_C) && !defined(POLARSSL_CIPHER_C)
+#if defined(POLARSSL_SSL_TLS_C) && ( !defined(POLARSSL_CIPHER_C) || \
+ !defined(POLARSSL_PK_C) || !defined(POLARSSL_MD_C) )
#error "POLARSSL_SSL_TLS_C defined, but not all prerequisites"
#endif
@@ -1549,7 +1592,7 @@
#if defined(POLARSSL_X509_PARSE_C) && ( !defined(POLARSSL_BIGNUM_C) || \
!defined(POLARSSL_OID_C) || !defined(POLARSSL_ASN1_PARSE_C) || \
- !defined(POLARSSL_RSA_C) )
+ !defined(POLARSSL_PK_C) )
#error "POLARSSL_X509_PARSE_C defined, but not all prerequisites"
#endif
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 36c6185..ad31bff 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -34,8 +34,9 @@
*/
#define POLARSSL_ERR_ECP_BAD_INPUT_DATA -0x4F80 /**< Bad input parameters to function. */
#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL -0x4F00 /**< The buffer is too small to write to. */
-#define POLARSSL_ERR_ECP_GENERIC -0x4E80 /**< Generic ECP error */
+#define POLARSSL_ERR_ECP_GENERIC -0x4E80 /**< Generic ECP error. */
#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE -0x4E00 /**< Requested curve not available. */
+#define POLARSSL_ERR_ECP_VERIFY_FAILED -0x4E00 /**< The signature is not valid. */
#ifdef __cplusplus
extern "C" {
diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h
index fb0e92e..4ff4747 100644
--- a/include/polarssl/pk.h
+++ b/include/polarssl/pk.h
@@ -82,6 +82,7 @@
POLARSSL_PK_ECKEY,
POLARSSL_PK_ECKEY_DH,
POLARSSL_PK_ECDSA,
+ POLARSSL_PK_RSA_ALT,
} pk_type_t;
/**
@@ -129,6 +130,25 @@
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len );
+ /** Make signature */
+ int (*sign_func)( void *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
+
+ /** Decrypt message */
+ int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
+
+ /** Encrypt message */
+ int (*encrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
+
/** Allocate a new context */
void * (*ctx_alloc_func)( void );
@@ -150,6 +170,18 @@
} pk_context;
/**
+ * \brief Types for RSA-alt abstraction
+ */
+typedef int (*pk_rsa_alt_decrypt_func)( void *ctx, int mode, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ size_t output_max_len );
+typedef int (*pk_rsa_alt_sign_func)( void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int mode, int hash_id, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig );
+typedef size_t (*pk_rsa_alt_key_len_func)( void *ctx );
+
+/**
* \brief Return information associated with the given PK type
*
* \param type PK type to search for.
@@ -164,6 +196,11 @@
void pk_init( pk_context *ctx );
/**
+ * \brief Free a pk_context
+ */
+void pk_free( pk_context *ctx );
+
+/**
* \brief Initialize a PK context with the information given
* and allocates the type-specific PK subcontext.
*
@@ -173,13 +210,30 @@
* \return 0 on success,
* POLARSSL_ERR_PK_BAD_INPUT_DATA on invalid input,
* POLARSSL_ERR_PK_MALLOC_FAILED on allocation failure.
+ *
+ * \note For contexts holding an RSA-alt key, use
+ * \c pk_init_ctx_rsa_alt() instead.
*/
int pk_init_ctx( pk_context *ctx, const pk_info_t *info );
/**
- * \brief Free a pk_context
+ * \brief Initialiaze an RSA-alt context
+ *
+ * \param ctx Context to initialize. Must be empty (type NONE).
+ * \param key RSA key pointer
+ * \param decrypt_func Decryption function
+ * \param sign_func Signing function
+ * \param key_len_func Function returning key length
+ *
+ * \return 0 on success, or POLARSSL_ERR_PK_BAD_INPUT_DATA if the
+ * context wasn't already initialized as RSA_ALT.
+ *
+ * \note This function replaces \c pk_init_ctx() for RSA-alt.
*/
-void pk_free( pk_context *ctx );
+int pk_init_ctx_rsa_alt( pk_context *ctx, void * key,
+ pk_rsa_alt_decrypt_func decrypt_func,
+ pk_rsa_alt_sign_func sign_func,
+ pk_rsa_alt_key_len_func key_len_func );
/**
* \brief Get the size in bits of the underlying key
@@ -191,6 +245,17 @@
size_t pk_get_size( const pk_context *ctx );
/**
+ * \brief Get the length in bytes of the underlying key
+ * \param ctx Context to use
+ *
+ * \return Key lenght in bytes, or 0 on error
+ */
+static inline size_t pk_get_len( const pk_context *ctx )
+{
+ return( ( pk_get_size( ctx ) + 7 ) / 8 );
+}
+
+/**
* \brief Tell if a context can do the operation given by type
*
* \param ctx Context to test
@@ -205,20 +270,83 @@
* \brief Verify signature
*
* \param ctx PK context to use
- * \param md_alg Hash algorithm used
+ * \param md_alg Hash algorithm used (see notes)
* \param hash Hash of the message to sign
- * \param hash_len Hash length
+ * \param hash_len Hash length or 0 (see notes)
* \param sig Signature to verify
* \param sig_len Signature length
*
* \return 0 on success (signature is valid),
* or a specific error code.
+ *
+ * \note If hash_len is 0, then the length associated with md_alg
+ * is used instead, or an error returned if it is invalid.
+ *
+ * \note md_alg may be POLARSSL_MD_NONE, only if hash_len != 0
*/
int pk_verify( pk_context *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len );
/**
+ * \brief Make signature
+ *
+ * \param ctx PK context to use
+ * \param md_alg Hash algorithm used (see notes)
+ * \param hash Hash of the message to sign
+ * \param hash_len Hash length or 0 (see notes)
+ * \param sig Place to write the signature
+ * \param sig_len Number of bytes written
+ * \param f_rng RNG function
+ * \param p_rng RNG parameter
+ *
+ * \return 0 on success, or a specific error code.
+ *
+ * \note If hash_len is 0, then the length associated with md_alg
+ * is used instead, or an error returned if it is invalid.
+ *
+ * \note md_alg may be POLARSSL_MD_NONE, only if hash_len != 0
+ */
+int pk_sign( pk_context *ctx, md_type_t md_alg,
+ const unsigned char *hash, size_t hash_len,
+ unsigned char *sig, size_t *sig_len,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief Decrypt message
+ *
+ * \param ctx PK context to use
+ * \param input Input to decrypt
+ * \param ilen Input size
+ * \param output Decrypted output
+ * \param olen Decrypted message lenght
+ * \param osize Size of the output buffer
+ *
+ * \return 0 on success, or a specific error code.
+ */
+int pk_decrypt( pk_context *ctx,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief Encrypt message
+ *
+ * \param ctx PK context to use
+ * \param input Message to encrypt
+ * \param ilen Message size
+ * \param output Encrypted output
+ * \param olen Encrypted output length
+ * \param osize Size of the output buffer
+ *
+ * \return 0 on success, or a specific error code.
+ */
+int pk_encrypt( pk_context *ctx,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen, size_t osize,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
* \brief Export debug information
*
* \param ctx Context to use
diff --git a/include/polarssl/pk_wrap.h b/include/polarssl/pk_wrap.h
index a24fbd1..91a671e 100644
--- a/include/polarssl/pk_wrap.h
+++ b/include/polarssl/pk_wrap.h
@@ -32,6 +32,15 @@
#include "pk.h"
+/* Container for RSA-alt */
+typedef struct
+{
+ void *key;
+ pk_rsa_alt_decrypt_func decrypt_func;
+ pk_rsa_alt_sign_func sign_func;
+ pk_rsa_alt_key_len_func key_len_func;
+} rsa_alt_context;
+
#if defined(POLARSSL_RSA_C)
extern const pk_info_t rsa_info;
#endif
@@ -45,4 +54,6 @@
extern const pk_info_t ecdsa_info;
#endif
+extern const pk_info_t rsa_alt_info;
+
#endif /* POLARSSL_PK_WRAP_H */
diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index 8e52e7d..90cfd55 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -29,8 +29,6 @@
#include "config.h"
-#if defined(POLARSSL_RSA_C)
-
#include "bignum.h"
#include "md.h"
@@ -59,6 +57,12 @@
#define RSA_SIGN 1
#define RSA_CRYPT 2
+/*
+ * The above constants may be used even if the RSA module is compile out,
+ * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
+ */
+#if defined(POLARSSL_RSA_C)
+
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index f9c6b8f..56a6378 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -244,6 +244,7 @@
/*
* Supported Signature and Hash algorithms (For TLS 1.2)
+ * RFC 5246 section 7.4.1.4.1
*/
#define SSL_HASH_NONE 0
#define SSL_HASH_MD5 1
@@ -253,12 +254,16 @@
#define SSL_HASH_SHA384 5
#define SSL_HASH_SHA512 6
+#define SSL_SIG_ANON 0
#define SSL_SIG_RSA 1
+#define SSL_SIG_ECDSA 3
/*
* Client Certificate Types
+ * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
*/
#define SSL_CERT_TYPE_RSA_SIGN 1
+#define SSL_CERT_TYPE_ECDSA_SIGN 64
/*
* Message, alert and handshake types
@@ -453,9 +458,9 @@
md_context_t md_ctx_enc; /*!< MAC (encryption) */
md_context_t md_ctx_dec; /*!< MAC (decryption) */
- /* 151 == 604 bytes is size of gcm_context (largest context in PolarSSL) */
- uint32_t ctx_enc[151]; /*!< encryption context */
- uint32_t ctx_dec[151]; /*!< decryption context */
+ /* 154 == 616 bytes is size of gcm_context (largest context in PolarSSL) */
+ uint32_t ctx_enc[154]; /*!< encryption context */
+ uint32_t ctx_dec[154]; /*!< decryption context */
/*
* Session specific compression layer
@@ -638,12 +643,8 @@
/*
* PKI layer
*/
-#if defined(POLARSSL_RSA_C)
- void *rsa_key; /*!< own RSA private key */
- rsa_decrypt_func rsa_decrypt; /*!< function for RSA decrypt*/
- rsa_sign_func rsa_sign; /*!< function for RSA sign */
- rsa_key_len_func rsa_key_len; /*!< function for RSA key len*/
-#endif /* POLARSSL_RSA_C */
+ pk_context *pk_key; /*!< own private key */
+ int pk_key_own_alloc; /*!< did we allocate pk_key? */
#if defined(POLARSSL_X509_PARSE_C)
x509_cert *own_cert; /*!< own X.509 certificate */
@@ -965,13 +966,31 @@
*
* \param ssl SSL context
* \param own_cert own public certificate chain
- * \param rsa_key own private RSA key
+ * \param pk_key own private key
*/
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
- rsa_context *rsa_key );
+ pk_context *pk_key );
+
+#if defined(POLARSSL_RSA_C)
+/**
+ * \brief Set own certificate chain and private RSA key
+ *
+ * Note: own_cert should contain IN order from the bottom
+ * up your certificate chain. The top certificate (self-signed)
+ * can be omitted.
+ *
+ * \param ssl SSL context
+ * \param own_cert own public certificate chain
+ * \param rsa_key own private RSA key
+ *
+ * \return 0 on success, or a specific error code.
+ */
+int ssl_set_own_cert_rsa( ssl_context *ssl, x509_cert *own_cert,
+ rsa_context *rsa_key );
+#endif /* POLARSSL_RSA_C */
/**
- * \brief Set own certificate and alternate non-PolarSSL private
+ * \brief Set own certificate and alternate non-PolarSSL RSA private
* key and handling callbacks, such as the PKCS#11 wrappers
* or any other external private key handler.
* (see the respective RSA functions in rsa.h for documentation
@@ -988,12 +1007,14 @@
* \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
* \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
* \param rsa_key_len_func function returning length of RSA key in bytes
+ *
+ * \return 0 on success, or a specific error code.
*/
-void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
- void *rsa_key,
- rsa_decrypt_func rsa_decrypt,
- rsa_sign_func rsa_sign,
- rsa_key_len_func rsa_key_len );
+int ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
+ void *rsa_key,
+ rsa_decrypt_func rsa_decrypt,
+ rsa_sign_func rsa_sign,
+ rsa_key_len_func rsa_key_len );
#endif /* POLARSSL_X509_PARSE_C */
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
@@ -1435,6 +1456,10 @@
void ssl_optimize_checksum( ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info );
+unsigned char ssl_sig_from_pk( pk_context *pk );
+pk_type_t ssl_pk_alg_from_sig( unsigned char sig );
+md_type_t ssl_md_alg_from_hash( unsigned char hash );
+
#ifdef __cplusplus
}
#endif
diff --git a/include/polarssl/ssl_ciphersuites.h b/include/polarssl/ssl_ciphersuites.h
index 8a489b4..85392c1 100644
--- a/include/polarssl/ssl_ciphersuites.h
+++ b/include/polarssl/ssl_ciphersuites.h
@@ -27,6 +27,7 @@
#ifndef POLARSSL_SSL_CIPHERSUITES_H
#define POLARSSL_SSL_CIPHERSUITES_H
+#include "pk.h"
#include "cipher.h"
#include "md.h"
@@ -119,18 +120,33 @@
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC0 /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */
+#define TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 /**< Weak! */
+#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007 /**< Not in SSL3! */
+#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008 /**< Not in SSL3! */
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 /**< Not in SSL3! */
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A /**< Not in SSL3! */
+
#define TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 /**< Weak! */
#define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 /**< Not in SSL3! */
#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 /**< Not in SSL3! */
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 /**< Not in SSL3! */
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 /**< Not in SSL3! */
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 /**< TLS 1.2 */
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 /**< TLS 1.2 */
+
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 /**< TLS 1.2 */
+#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B /**< TLS 1.2 */
+#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C /**< TLS 1.2 */
+
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 /**< TLS 1.2 */
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< TLS 1.2 */
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< TLS 1.2 */
+
#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC076 /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC077 /**< TLS 1.2 */
@@ -146,6 +162,7 @@
POLARSSL_KEY_EXCHANGE_RSA,
POLARSSL_KEY_EXCHANGE_DHE_RSA,
POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
+ POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA,
POLARSSL_KEY_EXCHANGE_PSK,
POLARSSL_KEY_EXCHANGE_DHE_PSK,
POLARSSL_KEY_EXCHANGE_RSA_PSK,
@@ -181,6 +198,8 @@
const ssl_ciphersuite_t *ssl_ciphersuite_from_string( const char *ciphersuite_name );
const ssl_ciphersuite_t *ssl_ciphersuite_from_id( int ciphersuite_id );
+pk_type_t ssl_get_ciphersuite_sig_pk_alg( const ssl_ciphersuite_t *info );
+
#ifdef __cplusplus
}
#endif