2
0

tls1.h 8.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289
  1. /*
  2. * Copyright (c) 2007, Cameron Rich
  3. *
  4. * All rights reserved.
  5. *
  6. * Redistribution and use in source and binary forms, with or without
  7. * modification, are permitted provided that the following conditions are met:
  8. *
  9. * * Redistributions of source code must retain the above copyright notice,
  10. * this list of conditions and the following disclaimer.
  11. * * Redistributions in binary form must reproduce the above copyright notice,
  12. * this list of conditions and the following disclaimer in the documentation
  13. * and/or other materials provided with the distribution.
  14. * * Neither the name of the axTLS project nor the names of its contributors
  15. * may be used to endorse or promote products derived from this software
  16. * without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
  22. * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  23. * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  24. * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  25. * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  26. * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  27. * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  28. * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. */
  30. /**
  31. * @file tls1.h
  32. *
  33. * @brief The definitions for the TLS library.
  34. */
  35. #ifndef HEADER_SSL_LIB_H
  36. #define HEADER_SSL_LIB_H
  37. #ifdef __cplusplus
  38. extern "C" {
  39. #endif
  40. #include "version.h"
  41. #include "crypto.h"
  42. #include "os_port.h"
  43. #include "crypto_misc.h"
  44. #define SSL_RANDOM_SIZE 32
  45. #define SSL_SECRET_SIZE 48
  46. #define SSL_FINISHED_HASH_SIZE 12
  47. #define SSL_RECORD_SIZE 5
  48. #define SSL_SERVER_READ 0
  49. #define SSL_SERVER_WRITE 1
  50. #define SSL_CLIENT_READ 2
  51. #define SSL_CLIENT_WRITE 3
  52. #define SSL_HS_HDR_SIZE 4
  53. /* the flags we use while establishing a connection */
  54. #define SSL_NEED_RECORD 0x0001
  55. #define SSL_TX_ENCRYPTED 0x0002
  56. #define SSL_RX_ENCRYPTED 0x0004
  57. #define SSL_SESSION_RESUME 0x0008
  58. #define SSL_IS_CLIENT 0x0010
  59. #define SSL_HAS_CERT_REQ 0x0020
  60. /* some macros to muck around with flag bits */
  61. #define SET_SSL_FLAG(A) (ssl->flag |= A)
  62. #define CLR_SSL_FLAG(A) (ssl->flag &= ~A)
  63. #define IS_SET_SSL_FLAG(A) (ssl->flag & A)
  64. #define MAX_KEY_BYTE_SIZE 512 /* for a 4096 bit key */
  65. #define RT_MAX_PLAIN_LENGTH 16384
  66. #define RT_EXTRA 1024
  67. #define BM_RECORD_OFFSET 5
  68. #ifdef CONFIG_SSL_SKELETON_MODE
  69. #define NUM_PROTOCOLS 1
  70. #else
  71. #define NUM_PROTOCOLS 4
  72. #endif
  73. #define PARANOIA_CHECK(A, B) if (A < B) { \
  74. ret = SSL_ERROR_INVALID_HANDSHAKE; goto error; }
  75. /* protocol types */
  76. enum
  77. {
  78. PT_CHANGE_CIPHER_SPEC = 20,
  79. PT_ALERT_PROTOCOL,
  80. PT_HANDSHAKE_PROTOCOL,
  81. PT_APP_PROTOCOL_DATA
  82. };
  83. /* handshaking types */
  84. enum
  85. {
  86. HS_HELLO_REQUEST,
  87. HS_CLIENT_HELLO,
  88. HS_SERVER_HELLO,
  89. HS_CERTIFICATE = 11,
  90. HS_SERVER_KEY_XCHG,
  91. HS_CERT_REQ,
  92. HS_SERVER_HELLO_DONE,
  93. HS_CERT_VERIFY,
  94. HS_CLIENT_KEY_XCHG,
  95. HS_FINISHED = 20
  96. };
  97. typedef struct
  98. {
  99. uint8_t cipher;
  100. uint8_t key_size;
  101. uint8_t iv_size;
  102. uint8_t key_block_size;
  103. uint8_t padding_size;
  104. uint8_t digest_size;
  105. hmac_func hmac;
  106. crypt_func encrypt;
  107. crypt_func decrypt;
  108. } cipher_info_t;
  109. struct _SSLObjLoader
  110. {
  111. uint8_t *buf;
  112. int len;
  113. };
  114. typedef struct _SSLObjLoader SSLObjLoader;
  115. typedef struct
  116. {
  117. time_t conn_time;
  118. uint8_t session_id[SSL_SESSION_ID_SIZE];
  119. uint8_t master_secret[SSL_SECRET_SIZE];
  120. } SSL_SESSION;
  121. typedef struct
  122. {
  123. uint8_t *buf;
  124. int size;
  125. } SSL_CERT;
  126. typedef struct
  127. {
  128. MD5_CTX md5_ctx;
  129. SHA1_CTX sha1_ctx;
  130. uint8_t final_finish_mac[SSL_FINISHED_HASH_SIZE];
  131. uint8_t *key_block;
  132. uint8_t master_secret[SSL_SECRET_SIZE];
  133. uint8_t client_random[SSL_RANDOM_SIZE]; /* client's random sequence */
  134. uint8_t server_random[SSL_RANDOM_SIZE]; /* server's random sequence */
  135. uint16_t bm_proc_index;
  136. } DISPOSABLE_CTX;
  137. struct _SSL
  138. {
  139. uint32_t flag;
  140. uint16_t need_bytes;
  141. uint16_t got_bytes;
  142. uint8_t record_type;
  143. uint8_t cipher;
  144. uint8_t sess_id_size;
  145. int16_t next_state;
  146. int16_t hs_status;
  147. DISPOSABLE_CTX *dc; /* temporary data which we'll get rid of soon */
  148. int client_fd;
  149. const cipher_info_t *cipher_info;
  150. void *encrypt_ctx;
  151. void *decrypt_ctx;
  152. uint8_t bm_all_data[RT_MAX_PLAIN_LENGTH+RT_EXTRA];
  153. uint8_t *bm_data;
  154. uint16_t bm_index;
  155. uint16_t bm_read_index;
  156. struct _SSL *next; /* doubly linked list */
  157. struct _SSL *prev;
  158. struct _SSL_CTX *ssl_ctx; /* back reference to a clnt/svr ctx */
  159. #ifndef CONFIG_SSL_SKELETON_MODE
  160. uint16_t session_index;
  161. SSL_SESSION *session;
  162. #endif
  163. #ifdef CONFIG_SSL_CERT_VERIFICATION
  164. X509_CTX *x509_ctx;
  165. #endif
  166. uint8_t session_id[SSL_SESSION_ID_SIZE];
  167. uint8_t client_mac[SHA1_SIZE]; /* for HMAC verification */
  168. uint8_t server_mac[SHA1_SIZE]; /* for HMAC verification */
  169. uint8_t read_sequence[8]; /* 64 bit sequence number */
  170. uint8_t write_sequence[8]; /* 64 bit sequence number */
  171. uint8_t hmac_header[SSL_RECORD_SIZE]; /* rx hmac */
  172. };
  173. typedef struct _SSL SSL;
  174. struct _SSL_CTX
  175. {
  176. uint32_t options;
  177. uint8_t chain_length;
  178. RSA_CTX *rsa_ctx;
  179. #ifdef CONFIG_SSL_CERT_VERIFICATION
  180. CA_CERT_CTX *ca_cert_ctx;
  181. #endif
  182. SSL *head;
  183. SSL *tail;
  184. SSL_CERT certs[CONFIG_SSL_MAX_CERTS];
  185. #ifndef CONFIG_SSL_SKELETON_MODE
  186. uint16_t num_sessions;
  187. SSL_SESSION **ssl_sessions;
  188. #endif
  189. #ifdef CONFIG_SSL_CTX_MUTEXING
  190. SSL_CTX_MUTEX_TYPE mutex;
  191. #endif
  192. #ifdef CONFIG_OPENSSL_COMPATIBLE
  193. void *bonus_attr;
  194. #endif
  195. };
  196. typedef struct _SSL_CTX SSL_CTX;
  197. /* backwards compatibility */
  198. typedef struct _SSL_CTX SSLCTX;
  199. extern const uint8_t ssl_prot_prefs[NUM_PROTOCOLS];
  200. SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd);
  201. void disposable_new(SSL *ssl);
  202. void disposable_free(SSL *ssl);
  203. int send_packet(SSL *ssl, uint8_t protocol,
  204. const uint8_t *in, int length);
  205. int do_svr_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len);
  206. int do_clnt_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len);
  207. int process_finished(SSL *ssl, int hs_len);
  208. int process_sslv23_client_hello(SSL *ssl);
  209. int send_alert(SSL *ssl, int error_code);
  210. int send_finished(SSL *ssl);
  211. int send_certificate(SSL *ssl);
  212. int basic_read(SSL *ssl, uint8_t **in_data);
  213. int send_change_cipher_spec(SSL *ssl);
  214. void finished_digest(SSL *ssl, const char *label, uint8_t *digest);
  215. void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret);
  216. void add_packet(SSL *ssl, const uint8_t *pkt, int len);
  217. int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len);
  218. int add_private_key(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj);
  219. void ssl_obj_free(SSLObjLoader *ssl_obj);
  220. int pkcs8_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password);
  221. int pkcs12_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password);
  222. int load_key_certs(SSL_CTX *ssl_ctx);
  223. #ifdef CONFIG_SSL_CERT_VERIFICATION
  224. int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len);
  225. void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx);
  226. #endif
  227. #ifdef CONFIG_SSL_ENABLE_CLIENT
  228. int do_client_connect(SSL *ssl);
  229. #endif
  230. #ifdef CONFIG_SSL_FULL_MODE
  231. void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok);
  232. void DISPLAY_BYTES(SSL *ssl, const char *format,
  233. const uint8_t *data, int size, ...);
  234. void DISPLAY_CERT(SSL *ssl, const X509_CTX *x509_ctx);
  235. void DISPLAY_RSA(SSL *ssl, const RSA_CTX *rsa_ctx);
  236. void DISPLAY_ALERT(SSL *ssl, int alert);
  237. #else
  238. #define DISPLAY_STATE(A,B,C,D)
  239. #define DISPLAY_CERT(A,B)
  240. #define DISPLAY_RSA(A,B)
  241. #define DISPLAY_ALERT(A, B)
  242. #ifdef WIN32
  243. void DISPLAY_BYTES(SSL *ssl, const char *format,/* win32 has no variadic macros */
  244. const uint8_t *data, int size, ...);
  245. #else
  246. #define DISPLAY_BYTES(A,B,C,D,...)
  247. #endif
  248. #endif
  249. #ifdef CONFIG_SSL_CERT_VERIFICATION
  250. int process_certificate(SSL *ssl, X509_CTX **x509_ctx);
  251. #endif
  252. SSL_SESSION *ssl_session_update(int max_sessions,
  253. SSL_SESSION *ssl_sessions[], SSL *ssl,
  254. const uint8_t *session_id);
  255. void kill_ssl_session(SSL_SESSION **ssl_sessions, SSL *ssl);
  256. #ifdef __cplusplus
  257. }
  258. #endif
  259. #endif