2 * Copyright (c) 2007, Cameron Rich
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
9 * * Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * * Neither the name of the axTLS project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 * @brief The definitions for the TLS library.
36 #ifndef HEADER_SSL_LIB_H
37 #define HEADER_SSL_LIB_H
46 #include "crypto_misc.h"
48 #define SSL_RANDOM_SIZE 32
49 #define SSL_SECRET_SIZE 48
50 #define SSL_FINISHED_HASH_SIZE 12
51 #define SSL_RECORD_SIZE 5
52 #define SSL_SERVER_READ 0
53 #define SSL_SERVER_WRITE 1
54 #define SSL_CLIENT_READ 2
55 #define SSL_CLIENT_WRITE 3
56 #define SSL_HS_HDR_SIZE 4
58 /* the flags we use while establishing a connection */
59 #define SSL_NEED_RECORD 0x0001
60 #define SSL_TX_ENCRYPTED 0x0002
61 #define SSL_RX_ENCRYPTED 0x0004
62 #define SSL_SESSION_RESUME 0x0008
63 #define SSL_IS_CLIENT 0x0010
64 #define SSL_HAS_CERT_REQ 0x0020
66 /* some macros to muck around with flag bits */
67 #define SET_SSL_FLAG(A) (ssl->flag |= A)
68 #define CLR_SSL_FLAG(A) (ssl->flag &= ~A)
69 #define IS_SET_SSL_FLAG(A) (ssl->flag & A)
71 #define MAX_KEY_BYTE_SIZE 512 /* for a 4096 bit key */
72 #define RT_MAX_PLAIN_LENGTH 16384
74 #define BM_RECORD_OFFSET 5
76 #ifdef CONFIG_SSL_SKELETON_MODE
77 #define NUM_PROTOCOLS 1
79 #define NUM_PROTOCOLS 4
82 #define PARANOIA_CHECK(A, B) if (A < B) { \
83 ret = SSL_ERROR_INVALID_HANDSHAKE; goto error; }
88 PT_CHANGE_CIPHER_SPEC
= 20,
90 PT_HANDSHAKE_PROTOCOL
,
94 /* handshaking types */
103 HS_SERVER_HELLO_DONE
,
114 uint8_t key_block_size
;
115 uint8_t padding_size
;
128 typedef struct _SSLObjLoader SSLObjLoader
;
133 uint8_t session_id
[SSL_SESSION_ID_SIZE
];
134 uint8_t master_secret
[SSL_SECRET_SIZE
];
147 uint8_t final_finish_mac
[SSL_FINISHED_HASH_SIZE
];
149 uint8_t master_secret
[SSL_SECRET_SIZE
];
150 uint8_t client_random
[SSL_RANDOM_SIZE
]; /* client's random sequence */
151 uint8_t server_random
[SSL_RANDOM_SIZE
]; /* server's random sequence */
152 uint16_t bm_proc_index
;
162 uint8_t sess_id_size
;
165 DISPOSABLE_CTX
*dc
; /* temporary data which we'll get rid of soon */
167 const cipher_info_t
*cipher_info
;
170 uint8_t bm_all_data
[RT_MAX_PLAIN_LENGTH
+RT_EXTRA
];
173 uint16_t bm_read_index
;
174 struct _SSL
*next
; /* doubly linked list */
176 struct _SSL_CTX
*ssl_ctx
; /* back reference to a clnt/svr ctx */
177 #ifndef CONFIG_SSL_SKELETON_MODE
178 uint16_t session_index
;
179 SSL_SESSION
*session
;
181 #ifdef CONFIG_SSL_CERT_VERIFICATION
185 uint8_t session_id
[SSL_SESSION_ID_SIZE
];
186 uint8_t client_mac
[SHA1_SIZE
]; /* for HMAC verification */
187 uint8_t server_mac
[SHA1_SIZE
]; /* for HMAC verification */
188 uint8_t read_sequence
[8]; /* 64 bit sequence number */
189 uint8_t write_sequence
[8]; /* 64 bit sequence number */
190 uint8_t hmac_header
[SSL_RECORD_SIZE
]; /* rx hmac */
193 typedef struct _SSL SSL
;
198 uint8_t chain_length
;
200 #ifdef CONFIG_SSL_CERT_VERIFICATION
201 CA_CERT_CTX
*ca_cert_ctx
;
205 SSL_CERT certs
[CONFIG_SSL_MAX_CERTS
];
206 #ifndef CONFIG_SSL_SKELETON_MODE
207 uint16_t num_sessions
;
208 SSL_SESSION
**ssl_sessions
;
210 #ifdef CONFIG_SSL_CTX_MUTEXING
211 SSL_CTX_MUTEX_TYPE mutex
;
213 #ifdef CONFIG_OPENSSL_COMPATIBLE
218 typedef struct _SSL_CTX SSL_CTX
;
220 /* backwards compatibility */
221 typedef struct _SSL_CTX SSLCTX
;
223 extern const uint8_t ssl_prot_prefs
[NUM_PROTOCOLS
];
225 SSL
*ssl_new(SSL_CTX
*ssl_ctx
, int client_fd
);
226 void disposable_new(SSL
*ssl
);
227 void disposable_free(SSL
*ssl
);
228 int send_packet(SSL
*ssl
, uint8_t protocol
,
229 const uint8_t *in
, int length
);
230 int do_svr_handshake(SSL
*ssl
, int handshake_type
, uint8_t *buf
, int hs_len
);
231 int do_clnt_handshake(SSL
*ssl
, int handshake_type
, uint8_t *buf
, int hs_len
);
232 int process_finished(SSL
*ssl
, int hs_len
);
233 int process_sslv23_client_hello(SSL
*ssl
);
234 int send_alert(SSL
*ssl
, int error_code
);
235 int send_finished(SSL
*ssl
);
236 int send_certificate(SSL
*ssl
);
237 int basic_read(SSL
*ssl
, uint8_t **in_data
);
238 int send_change_cipher_spec(SSL
*ssl
);
239 void finished_digest(SSL
*ssl
, const char *label
, uint8_t *digest
);
240 void generate_master_secret(SSL
*ssl
, const uint8_t *premaster_secret
);
241 void add_packet(SSL
*ssl
, const uint8_t *pkt
, int len
);
242 int add_cert(SSL_CTX
*ssl_ctx
, const uint8_t *buf
, int len
);
243 int add_private_key(SSL_CTX
*ssl_ctx
, SSLObjLoader
*ssl_obj
);
244 void ssl_obj_free(SSLObjLoader
*ssl_obj
);
245 int pkcs8_decode(SSL_CTX
*ssl_ctx
, SSLObjLoader
*ssl_obj
, const char *password
);
246 int pkcs12_decode(SSL_CTX
*ssl_ctx
, SSLObjLoader
*ssl_obj
, const char *password
);
247 int load_key_certs(SSL_CTX
*ssl_ctx
);
248 #ifdef CONFIG_SSL_CERT_VERIFICATION
249 int add_cert_auth(SSL_CTX
*ssl_ctx
, const uint8_t *buf
, int len
);
250 void remove_ca_certs(CA_CERT_CTX
*ca_cert_ctx
);
252 #ifdef CONFIG_SSL_ENABLE_CLIENT
253 int do_client_connect(SSL
*ssl
);
256 #ifdef CONFIG_SSL_FULL_MODE
257 void DISPLAY_STATE(SSL
*ssl
, int is_send
, uint8_t state
, int not_ok
);
258 void DISPLAY_BYTES(SSL
*ssl
, const char *format
,
259 const uint8_t *data
, int size
, ...);
260 void DISPLAY_CERT(SSL
*ssl
, const X509_CTX
*x509_ctx
);
261 void DISPLAY_RSA(SSL
*ssl
, const RSA_CTX
*rsa_ctx
);
262 void DISPLAY_ALERT(SSL
*ssl
, int alert
);
264 #define DISPLAY_STATE(A,B,C,D)
265 #define DISPLAY_CERT(A,B)
266 #define DISPLAY_RSA(A,B)
267 #define DISPLAY_ALERT(A, B)
269 void DISPLAY_BYTES(SSL
*ssl
, const char *format
,/* win32 has no variadic macros */
270 const uint8_t *data
, int size
, ...);
272 #define DISPLAY_BYTES(A,B,C,D,...)
276 #ifdef CONFIG_SSL_CERT_VERIFICATION
277 int process_certificate(SSL
*ssl
, X509_CTX
**x509_ctx
);
280 SSL_SESSION
*ssl_session_update(int max_sessions
,
281 SSL_SESSION
*ssl_sessions
[], SSL
*ssl
,
282 const uint8_t *session_id
);
283 void kill_ssl_session(SSL_SESSION
**ssl_sessions
, SSL
*ssl
);