tlsv1_common.h revision 1f69aa52ea2e0a73ac502565df8c666ee49cab6a
1/* 2 * TLSv1 common definitions 3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#ifndef TLSV1_COMMON_H 16#define TLSV1_COMMON_H 17 18#include "crypto/crypto.h" 19 20#define TLS_VERSION_1 0x0301 /* TLSv1 */ 21#define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */ 22#define TLS_VERSION_1_2 0x0303 /* TLSv1.2 */ 23#ifdef CONFIG_TLSV12 24#define TLS_VERSION TLS_VERSION_1_2 25#else /* CONFIG_TLSV12 */ 26#ifdef CONFIG_TLSV11 27#define TLS_VERSION TLS_VERSION_1_1 28#else /* CONFIG_TLSV11 */ 29#define TLS_VERSION TLS_VERSION_1 30#endif /* CONFIG_TLSV11 */ 31#endif /* CONFIG_TLSV12 */ 32#define TLS_RANDOM_LEN 32 33#define TLS_PRE_MASTER_SECRET_LEN 48 34#define TLS_MASTER_SECRET_LEN 48 35#define TLS_SESSION_ID_MAX_LEN 32 36#define TLS_VERIFY_DATA_LEN 12 37 38/* HandshakeType */ 39enum { 40 TLS_HANDSHAKE_TYPE_HELLO_REQUEST = 0, 41 TLS_HANDSHAKE_TYPE_CLIENT_HELLO = 1, 42 TLS_HANDSHAKE_TYPE_SERVER_HELLO = 2, 43 TLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET = 4 /* RFC 4507 */, 44 TLS_HANDSHAKE_TYPE_CERTIFICATE = 11, 45 TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE = 12, 46 TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST = 13, 47 TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE = 14, 48 TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY = 15, 49 TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE = 16, 50 TLS_HANDSHAKE_TYPE_FINISHED = 20, 51 TLS_HANDSHAKE_TYPE_CERTIFICATE_URL = 21 /* RFC 4366 */, 52 TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS = 22 /* RFC 4366 */ 53}; 54 55/* CipherSuite */ 56#define TLS_NULL_WITH_NULL_NULL 0x0000 /* RFC 2246 */ 57#define TLS_RSA_WITH_NULL_MD5 0x0001 /* RFC 2246 */ 58#define TLS_RSA_WITH_NULL_SHA 0x0002 /* RFC 2246 */ 59#define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 /* RFC 2246 */ 60#define TLS_RSA_WITH_RC4_128_MD5 0x0004 /* RFC 2246 */ 61#define TLS_RSA_WITH_RC4_128_SHA 0x0005 /* RFC 2246 */ 62#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 /* RFC 2246 */ 63#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 /* RFC 2246 */ 64#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 /* RFC 2246 */ 65#define TLS_RSA_WITH_DES_CBC_SHA 0x0009 /* RFC 2246 */ 66#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A /* RFC 2246 */ 67#define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000B /* RFC 2246 */ 68#define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000C /* RFC 2246 */ 69#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D /* RFC 2246 */ 70#define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000E /* RFC 2246 */ 71#define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000F /* RFC 2246 */ 72#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 /* RFC 2246 */ 73#define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 /* RFC 2246 */ 74#define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 /* RFC 2246 */ 75#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 /* RFC 2246 */ 76#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 /* RFC 2246 */ 77#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 /* RFC 2246 */ 78#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 /* RFC 2246 */ 79#define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017 /* RFC 2246 */ 80#define TLS_DH_anon_WITH_RC4_128_MD5 0x0018 /* RFC 2246 */ 81#define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019 /* RFC 2246 */ 82#define TLS_DH_anon_WITH_DES_CBC_SHA 0x001A /* RFC 2246 */ 83#define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B /* RFC 2246 */ 84#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F /* RFC 3268 */ 85#define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 /* RFC 3268 */ 86#define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 /* RFC 3268 */ 87#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 /* RFC 3268 */ 88#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 /* RFC 3268 */ 89#define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 /* RFC 3268 */ 90#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 /* RFC 3268 */ 91#define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 /* RFC 3268 */ 92#define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 /* RFC 3268 */ 93#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 /* RFC 3268 */ 94#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 /* RFC 3268 */ 95#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A /* RFC 3268 */ 96#define TLS_RSA_WITH_NULL_SHA256 0x003B /* RFC 5246 */ 97#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C /* RFC 5246 */ 98#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D /* RFC 5246 */ 99#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E /* RFC 5246 */ 100#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F /* RFC 5246 */ 101#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 /* RFC 5246 */ 102#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 /* RFC 5246 */ 103#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068 /* RFC 5246 */ 104#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069 /* RFC 5246 */ 105#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A /* RFC 5246 */ 106#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B /* RFC 5246 */ 107#define TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C /* RFC 5246 */ 108#define TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D /* RFC 5246 */ 109 110/* CompressionMethod */ 111#define TLS_COMPRESSION_NULL 0 112 113/* HashAlgorithm */ 114enum { 115 TLS_HASH_ALG_NONE = 0, 116 TLS_HASH_ALG_MD5 = 1, 117 TLS_HASH_ALG_SHA1 = 2, 118 TLS_HASH_ALG_SHA224 = 3, 119 TLS_HASH_ALG_SHA256 = 4, 120 TLS_HASH_ALG_SHA384 = 5, 121 TLS_HASH_ALG_SHA512 = 6 122}; 123 124/* SignatureAlgorithm */ 125enum { 126 TLS_SIGN_ALG_ANONYMOUS = 0, 127 TLS_SIGN_ALG_RSA = 1, 128 TLS_SIGN_ALG_DSA = 2, 129 TLS_SIGN_ALG_ECDSA = 3, 130}; 131 132/* AlertLevel */ 133#define TLS_ALERT_LEVEL_WARNING 1 134#define TLS_ALERT_LEVEL_FATAL 2 135 136/* AlertDescription */ 137#define TLS_ALERT_CLOSE_NOTIFY 0 138#define TLS_ALERT_UNEXPECTED_MESSAGE 10 139#define TLS_ALERT_BAD_RECORD_MAC 20 140#define TLS_ALERT_DECRYPTION_FAILED 21 141#define TLS_ALERT_RECORD_OVERFLOW 22 142#define TLS_ALERT_DECOMPRESSION_FAILURE 30 143#define TLS_ALERT_HANDSHAKE_FAILURE 40 144#define TLS_ALERT_BAD_CERTIFICATE 42 145#define TLS_ALERT_UNSUPPORTED_CERTIFICATE 43 146#define TLS_ALERT_CERTIFICATE_REVOKED 44 147#define TLS_ALERT_CERTIFICATE_EXPIRED 45 148#define TLS_ALERT_CERTIFICATE_UNKNOWN 46 149#define TLS_ALERT_ILLEGAL_PARAMETER 47 150#define TLS_ALERT_UNKNOWN_CA 48 151#define TLS_ALERT_ACCESS_DENIED 49 152#define TLS_ALERT_DECODE_ERROR 50 153#define TLS_ALERT_DECRYPT_ERROR 51 154#define TLS_ALERT_EXPORT_RESTRICTION 60 155#define TLS_ALERT_PROTOCOL_VERSION 70 156#define TLS_ALERT_INSUFFICIENT_SECURITY 71 157#define TLS_ALERT_INTERNAL_ERROR 80 158#define TLS_ALERT_USER_CANCELED 90 159#define TLS_ALERT_NO_RENEGOTIATION 100 160#define TLS_ALERT_UNSUPPORTED_EXTENSION 110 /* RFC 4366 */ 161#define TLS_ALERT_CERTIFICATE_UNOBTAINABLE 111 /* RFC 4366 */ 162#define TLS_ALERT_UNRECOGNIZED_NAME 112 /* RFC 4366 */ 163#define TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 113 /* RFC 4366 */ 164#define TLS_ALERT_BAD_CERTIFICATE_HASH_VALUE 114 /* RFC 4366 */ 165 166/* ChangeCipherSpec */ 167enum { 168 TLS_CHANGE_CIPHER_SPEC = 1 169}; 170 171/* TLS Extensions */ 172#define TLS_EXT_SERVER_NAME 0 /* RFC 4366 */ 173#define TLS_EXT_MAX_FRAGMENT_LENGTH 1 /* RFC 4366 */ 174#define TLS_EXT_CLIENT_CERTIFICATE_URL 2 /* RFC 4366 */ 175#define TLS_EXT_TRUSTED_CA_KEYS 3 /* RFC 4366 */ 176#define TLS_EXT_TRUNCATED_HMAC 4 /* RFC 4366 */ 177#define TLS_EXT_STATUS_REQUEST 5 /* RFC 4366 */ 178#define TLS_EXT_SESSION_TICKET 35 /* RFC 4507 */ 179 180#define TLS_EXT_PAC_OPAQUE TLS_EXT_SESSION_TICKET /* EAP-FAST terminology */ 181 182 183typedef enum { 184 TLS_KEY_X_NULL, 185 TLS_KEY_X_RSA, 186 TLS_KEY_X_RSA_EXPORT, 187 TLS_KEY_X_DH_DSS_EXPORT, 188 TLS_KEY_X_DH_DSS, 189 TLS_KEY_X_DH_RSA_EXPORT, 190 TLS_KEY_X_DH_RSA, 191 TLS_KEY_X_DHE_DSS_EXPORT, 192 TLS_KEY_X_DHE_DSS, 193 TLS_KEY_X_DHE_RSA_EXPORT, 194 TLS_KEY_X_DHE_RSA, 195 TLS_KEY_X_DH_anon_EXPORT, 196 TLS_KEY_X_DH_anon 197} tls_key_exchange; 198 199typedef enum { 200 TLS_CIPHER_NULL, 201 TLS_CIPHER_RC4_40, 202 TLS_CIPHER_RC4_128, 203 TLS_CIPHER_RC2_CBC_40, 204 TLS_CIPHER_IDEA_CBC, 205 TLS_CIPHER_DES40_CBC, 206 TLS_CIPHER_DES_CBC, 207 TLS_CIPHER_3DES_EDE_CBC, 208 TLS_CIPHER_AES_128_CBC, 209 TLS_CIPHER_AES_256_CBC 210} tls_cipher; 211 212typedef enum { 213 TLS_HASH_NULL, 214 TLS_HASH_MD5, 215 TLS_HASH_SHA, 216 TLS_HASH_SHA256 217} tls_hash; 218 219struct tls_cipher_suite { 220 u16 suite; 221 tls_key_exchange key_exchange; 222 tls_cipher cipher; 223 tls_hash hash; 224}; 225 226typedef enum { 227 TLS_CIPHER_STREAM, 228 TLS_CIPHER_BLOCK 229} tls_cipher_type; 230 231struct tls_cipher_data { 232 tls_cipher cipher; 233 tls_cipher_type type; 234 size_t key_material; 235 size_t expanded_key_material; 236 size_t block_size; /* also iv_size */ 237 enum crypto_cipher_alg alg; 238}; 239 240 241struct tls_verify_hash { 242 struct crypto_hash *md5_client; 243 struct crypto_hash *sha1_client; 244 struct crypto_hash *sha256_client; 245 struct crypto_hash *md5_server; 246 struct crypto_hash *sha1_server; 247 struct crypto_hash *sha256_server; 248 struct crypto_hash *md5_cert; 249 struct crypto_hash *sha1_cert; 250 struct crypto_hash *sha256_cert; 251}; 252 253 254const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite); 255const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher); 256int tls_server_key_exchange_allowed(tls_cipher cipher); 257int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk); 258int tls_verify_hash_init(struct tls_verify_hash *verify); 259void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf, 260 size_t len); 261void tls_verify_hash_free(struct tls_verify_hash *verify); 262int tls_version_ok(u16 ver); 263const char * tls_version_str(u16 ver); 264int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label, 265 const u8 *seed, size_t seed_len, u8 *out, size_t outlen); 266 267#endif /* TLSV1_COMMON_H */ 268