#ifndef _GPXE_TLS_H
#define _GPXE_TLS_H

/** @file
 *
 * Transport Layer Security Protocol
 *
 * Wire-format structures, protocol constants and the per-connection
 * session state used by the TLS filter.  Only the TLS 1.0 and 1.1
 * version constants are defined here; both versions are deprecated
 * (RFC 8996), so peers that require TLS 1.2 or later will not
 * negotiate with an implementation limited to these values.
 */

FILE_LICENCE ( GPL2_OR_LATER );

#include <stdint.h>
#include <gpxe/refcnt.h>
#include <gpxe/filter.h>
#include <gpxe/process.h>
#include <gpxe/crypto.h>
#include <gpxe/md5.h>
#include <gpxe/sha1.h>
#include <gpxe/x509.h>

/** A TLS record-layer header
 *
 * This is the on-the-wire layout (hence packed); multi-byte fields
 * are presumably in network byte order -- confirm against the record
 * parser before relying on it.  Every field is attacker-controlled
 * when read from the network.
 */
struct tls_header {
	/** Content type
	 *
	 * This is a TLS_TYPE_XXX constant
	 */
	uint8_t type;
	/** Protocol version
	 *
	 * This is a TLS_VERSION_XXX constant
	 */
	uint16_t version;
	/** Length of payload
	 *
	 * NOTE(review): an unsigned 16-bit value can name up to 65535
	 * bytes, well above the record-size limits of the TLS
	 * specifications; the consumer of this field should bound it
	 * before sizing any buffer from it -- verify in the RX path.
	 */
	uint16_t length;
} __attribute__ (( packed ));

/** TLS version 1.0 */
#define TLS_VERSION_TLS_1_0 0x0301

/** TLS version 1.1 */
#define TLS_VERSION_TLS_1_1 0x0302

/** Change cipher content type */
#define TLS_TYPE_CHANGE_CIPHER 20

/** Alert content type */
#define TLS_TYPE_ALERT 21

/** Handshake content type */
#define TLS_TYPE_HANDSHAKE 22

/** Application data content type */
#define TLS_TYPE_DATA 23

/* Handshake message types (HandshakeType values from the TLS spec) */
#define TLS_HELLO_REQUEST 0
#define TLS_CLIENT_HELLO 1
#define TLS_SERVER_HELLO 2
#define TLS_CERTIFICATE 11
#define TLS_SERVER_KEY_EXCHANGE 12
#define TLS_CERTIFICATE_REQUEST 13
#define TLS_SERVER_HELLO_DONE 14
#define TLS_CERTIFICATE_VERIFY 15
#define TLS_CLIENT_KEY_EXCHANGE 16
#define TLS_FINISHED 20

/* TLS alert levels */
#define TLS_ALERT_WARNING 1
#define TLS_ALERT_FATAL 2

/* TLS cipher specifications
 *
 * All four are RSA key exchange (no forward secrecy).  The two *_NULL_*
 * suites provide integrity only and no confidentiality; whether they
 * are ever offered or accepted is decided by the negotiation code, not
 * by this header -- confirm there before assuming traffic is encrypted.
 */
#define TLS_RSA_WITH_NULL_MD5 0x0001
#define TLS_RSA_WITH_NULL_SHA 0x0002
#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002f
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035

/** TLS RX state machine state
 *
 * Receiving alternates between reading a fixed-size record header and
 * reading the payload whose size that header announced.
 */
enum tls_rx_state {
	TLS_RX_HEADER = 0,
	TLS_RX_DATA,
};

/** TLS TX state machine state
 *
 * The client-side handshake sequence in transmission order, followed
 * by the application-data state.
 */
enum tls_tx_state {
	TLS_TX_NONE = 0,
	TLS_TX_CLIENT_HELLO,
	TLS_TX_CLIENT_KEY_EXCHANGE,
	TLS_TX_CHANGE_CIPHER,
	TLS_TX_FINISHED,
	TLS_TX_DATA
};

/** A TLS cipher specification
 *
 * Algorithm selection plus the live contexts and key material for one
 * direction.  @c dynamic, @c pubkey_ctx, @c cipher_ctx, @c cipher_next_ctx
 * and @c mac_secret are owned by the session; the allocation and
 * release routines are not visible here.
 */
struct tls_cipherspec {
	/** Public-key encryption algorithm */
	struct pubkey_algorithm *pubkey;
	/** Bulk encryption cipher algorithm */
	struct cipher_algorithm *cipher;
	/** MAC digest algorithm */
	struct digest_algorithm *digest;
	/** Key length */
	size_t key_len;
	/** Dynamically-allocated storage */
	void *dynamic;
	/** Public key encryption context */
	void *pubkey_ctx;
	/** Bulk encryption cipher context */
	void *cipher_ctx;
	/** Next bulk encryption cipher context (TX only) */
	void *cipher_next_ctx;
	/** MAC secret
	 *
	 * Key material: should be cleared before the backing storage is
	 * released -- NOTE(review): confirm in the cipherspec teardown.
	 */
	void *mac_secret;
};

/** TLS pre-master secret
 *
 * Wire layout of the RSA-encrypted PreMasterSecret (packed).
 */
struct tls_pre_master_secret {
	/** TLS version
	 *
	 * Echoes the client's offered version; the server is expected to
	 * check it as part of rollback protection.
	 */
	uint16_t version;
	/** Random data (must come from a cryptographic RNG) */
	uint8_t random[46];
} __attribute__ (( packed ));

/** TLS client random data
 *
 * Wire layout of ClientHello.random (packed).
 */
struct tls_client_random {
	/** GMT Unix time
	 *
	 * Discloses the local clock to the peer; the spec does not require
	 * it to be accurate.
	 */
	uint32_t gmt_unix_time;
	/** Random data (must come from a cryptographic RNG) */
	uint8_t random[28];
} __attribute__ (( packed ));

/** A TLS session
 *
 * All per-connection state.  Several fields hold secrets
 * (pre_master_secret, master_secret, and the key material reachable
 * from the cipherspecs); NOTE(review): the refcnt free routine should
 * zeroize these before the session memory is released -- confirm in
 * tls.c, it is not visible from this header.
 */
struct tls_session {
	/** Reference counter */
	struct refcnt refcnt;

	/** Plaintext stream (towards the application) */
	struct xfer_filter_half plainstream;
	/** Ciphertext stream (towards the network) */
	struct xfer_filter_half cipherstream;

	/** Current TX cipher specification */
	struct tls_cipherspec tx_cipherspec;
	/** Next TX cipher specification (activated on ChangeCipherSpec) */
	struct tls_cipherspec tx_cipherspec_pending;
	/** Current RX cipher specification */
	struct tls_cipherspec rx_cipherspec;
	/** Next RX cipher specification (activated on ChangeCipherSpec) */
	struct tls_cipherspec rx_cipherspec_pending;
	/** Premaster secret (secret) */
	struct tls_pre_master_secret pre_master_secret;
	/** Master secret (secret; 48 bytes per the TLS PRF) */
	uint8_t master_secret[48];
	/** Server random bytes */
	uint8_t server_random[32];
	/** Client random bytes */
	struct tls_client_random client_random;
	/** MD5 context for handshake verification
	 *
	 * Running hash of the handshake transcript; TLS 1.0/1.1 Finished
	 * messages use both MD5 and SHA-1.
	 */
	uint8_t handshake_md5_ctx[MD5_CTX_SIZE];
	/** SHA1 context for handshake verification */
	uint8_t handshake_sha1_ctx[SHA1_CTX_SIZE];

	/** Hack: server RSA public key
	 *
	 * Only the raw public key is kept; no certificate-chain or
	 * hostname validation state is present in this structure, so any
	 * such checks must happen elsewhere if at all -- verify.
	 */
	struct x509_rsa_public_key rsa;

	/** TX sequence number (64-bit, feeds the record MAC) */
	uint64_t tx_seq;
	/** TX state */
	enum tls_tx_state tx_state;
	/** TX process */
	struct process process;

	/** RX sequence number (64-bit, feeds the record MAC) */
	uint64_t rx_seq;
	/** RX state */
	enum tls_rx_state rx_state;
	/** Offset within current RX state */
	size_t rx_rcvd;
	/** Current received record header (untrusted input) */
	struct tls_header rx_header;
	/** Current received raw data buffer
	 *
	 * Presumably sized from rx_header.length; see the note on that
	 * field about bounding it.
	 */
	void *rx_data;
};

/**
 * Insert a TLS filter into a data-transfer interface chain
 *
 * @v xfer		Data-transfer interface to wrap
 * @v next		Filled in with the interface on the far side
 * @ret rc		Return status code
 */
extern int add_tls ( struct xfer_interface *xfer,
		     struct xfer_interface **next );

#endif /* _GPXE_TLS_H */