tuxillo's projects / dragonfly.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'vendor/OPENSSL'
[dragonfly.git] / contrib / hostapd / src / tls / tlsv1_common.h
1 /*
2  * TLSv1 common definitions
3  * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8
9 #ifndef TLSV1_COMMON_H
10 #define TLSV1_COMMON_H
11
12 #include "crypto/crypto.h"
13
14 #define TLS_VERSION_1 0x0301 /* TLSv1 */
15 #define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */
16 #define TLS_VERSION_1_2 0x0303 /* TLSv1.2 */
17 #ifdef CONFIG_TLSV12
18 #define TLS_VERSION TLS_VERSION_1_2
19 #else /* CONFIG_TLSV12 */
20 #ifdef CONFIG_TLSV11
21 #define TLS_VERSION TLS_VERSION_1_1
22 #else /* CONFIG_TLSV11 */
23 #define TLS_VERSION TLS_VERSION_1
24 #endif /* CONFIG_TLSV11 */
25 #endif /* CONFIG_TLSV12 */
26 #define TLS_RANDOM_LEN 32
27 #define TLS_PRE_MASTER_SECRET_LEN 48
28 #define TLS_MASTER_SECRET_LEN 48
29 #define TLS_SESSION_ID_MAX_LEN 32
30 #define TLS_VERIFY_DATA_LEN 12
31
32 /* HandshakeType */
33 enum {
34         TLS_HANDSHAKE_TYPE_HELLO_REQUEST = 0,
35         TLS_HANDSHAKE_TYPE_CLIENT_HELLO = 1,
36         TLS_HANDSHAKE_TYPE_SERVER_HELLO = 2,
37         TLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET = 4 /* RFC 4507 */,
38         TLS_HANDSHAKE_TYPE_CERTIFICATE = 11,
39         TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE = 12,
40         TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST = 13,
41         TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE = 14,
42         TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY = 15,
43         TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE = 16,
44         TLS_HANDSHAKE_TYPE_FINISHED = 20,
45         TLS_HANDSHAKE_TYPE_CERTIFICATE_URL = 21 /* RFC 4366 */,
46         TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS = 22 /* RFC 4366 */
47 };
48
49 /* CipherSuite */
50 #define TLS_NULL_WITH_NULL_NULL                 0x0000 /* RFC 2246 */
51 #define TLS_RSA_WITH_NULL_MD5                   0x0001 /* RFC 2246 */
52 #define TLS_RSA_WITH_NULL_SHA                   0x0002 /* RFC 2246 */
53 #define TLS_RSA_EXPORT_WITH_RC4_40_MD5          0x0003 /* RFC 2246 */
54 #define TLS_RSA_WITH_RC4_128_MD5                0x0004 /* RFC 2246 */
55 #define TLS_RSA_WITH_RC4_128_SHA                0x0005 /* RFC 2246 */
56 #define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5      0x0006 /* RFC 2246 */
57 #define TLS_RSA_WITH_IDEA_CBC_SHA               0x0007 /* RFC 2246 */
58 #define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA       0x0008 /* RFC 2246 */
59 #define TLS_RSA_WITH_DES_CBC_SHA                0x0009 /* RFC 2246 */
60 #define TLS_RSA_WITH_3DES_EDE_CBC_SHA           0x000A /* RFC 2246 */
61 #define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    0x000B /* RFC 2246 */
62 #define TLS_DH_DSS_WITH_DES_CBC_SHA             0x000C /* RFC 2246 */
63 #define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        0x000D /* RFC 2246 */
64 #define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    0x000E /* RFC 2246 */
65 #define TLS_DH_RSA_WITH_DES_CBC_SHA             0x000F /* RFC 2246 */
66 #define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        0x0010 /* RFC 2246 */
67 #define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   0x0011 /* RFC 2246 */
68 #define TLS_DHE_DSS_WITH_DES_CBC_SHA            0x0012 /* RFC 2246 */
69 #define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       0x0013 /* RFC 2246 */
70 #define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   0x0014 /* RFC 2246 */
71 #define TLS_DHE_RSA_WITH_DES_CBC_SHA            0x0015 /* RFC 2246 */
72 #define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       0x0016 /* RFC 2246 */
73 #define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5      0x0017 /* RFC 2246 */
74 #define TLS_DH_anon_WITH_RC4_128_MD5            0x0018 /* RFC 2246 */
75 #define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA   0x0019 /* RFC 2246 */
76 #define TLS_DH_anon_WITH_DES_CBC_SHA            0x001A /* RFC 2246 */
77 #define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       0x001B /* RFC 2246 */
78 #define TLS_RSA_WITH_AES_128_CBC_SHA            0x002F /* RFC 3268 */
79 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA         0x0030 /* RFC 3268 */
80 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA         0x0031 /* RFC 3268 */
81 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA        0x0032 /* RFC 3268 */
82 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA        0x0033 /* RFC 3268 */
83 #define TLS_DH_anon_WITH_AES_128_CBC_SHA        0x0034 /* RFC 3268 */
84 #define TLS_RSA_WITH_AES_256_CBC_SHA            0x0035 /* RFC 3268 */
85 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA         0x0036 /* RFC 3268 */
86 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA         0x0037 /* RFC 3268 */
87 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA        0x0038 /* RFC 3268 */
88 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA        0x0039 /* RFC 3268 */
89 #define TLS_DH_anon_WITH_AES_256_CBC_SHA        0x003A /* RFC 3268 */
90 #define TLS_RSA_WITH_NULL_SHA256                0x003B /* RFC 5246 */
91 #define TLS_RSA_WITH_AES_128_CBC_SHA256         0x003C /* RFC 5246 */
92 #define TLS_RSA_WITH_AES_256_CBC_SHA256         0x003D /* RFC 5246 */
93 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA256      0x003E /* RFC 5246 */
94 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA256      0x003F /* RFC 5246 */
95 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256     0x0040 /* RFC 5246 */
96 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     0x0067 /* RFC 5246 */
97 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA256      0x0068 /* RFC 5246 */
98 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA256      0x0069 /* RFC 5246 */
99 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256     0x006A /* RFC 5246 */
100 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     0x006B /* RFC 5246 */
101 #define TLS_DH_anon_WITH_AES_128_CBC_SHA256     0x006C /* RFC 5246 */
102 #define TLS_DH_anon_WITH_AES_256_CBC_SHA256     0x006D /* RFC 5246 */
103
104 /* CompressionMethod */
105 #define TLS_COMPRESSION_NULL 0
106
107 /* HashAlgorithm */
108 enum {
109         TLS_HASH_ALG_NONE = 0,
110         TLS_HASH_ALG_MD5 = 1,
111         TLS_HASH_ALG_SHA1 = 2,
112         TLS_HASH_ALG_SHA224 = 3,
113         TLS_HASH_ALG_SHA256 = 4,
114         TLS_HASH_ALG_SHA384 = 5,
115         TLS_HASH_ALG_SHA512 = 6
116 };
117
118 /* SignatureAlgorithm */
119 enum {
120         TLS_SIGN_ALG_ANONYMOUS = 0,
121         TLS_SIGN_ALG_RSA = 1,
122         TLS_SIGN_ALG_DSA = 2,
123         TLS_SIGN_ALG_ECDSA = 3,
124 };
125
126 /* AlertLevel */
127 #define TLS_ALERT_LEVEL_WARNING 1
128 #define TLS_ALERT_LEVEL_FATAL 2
129
130 /* AlertDescription */
131 #define TLS_ALERT_CLOSE_NOTIFY                  0
132 #define TLS_ALERT_UNEXPECTED_MESSAGE            10
133 #define TLS_ALERT_BAD_RECORD_MAC                20
134 #define TLS_ALERT_DECRYPTION_FAILED             21
135 #define TLS_ALERT_RECORD_OVERFLOW               22
136 #define TLS_ALERT_DECOMPRESSION_FAILURE         30
137 #define TLS_ALERT_HANDSHAKE_FAILURE             40
138 #define TLS_ALERT_BAD_CERTIFICATE               42
139 #define TLS_ALERT_UNSUPPORTED_CERTIFICATE       43
140 #define TLS_ALERT_CERTIFICATE_REVOKED           44
141 #define TLS_ALERT_CERTIFICATE_EXPIRED           45
142 #define TLS_ALERT_CERTIFICATE_UNKNOWN           46
143 #define TLS_ALERT_ILLEGAL_PARAMETER             47
144 #define TLS_ALERT_UNKNOWN_CA                    48
145 #define TLS_ALERT_ACCESS_DENIED                 49
146 #define TLS_ALERT_DECODE_ERROR                  50
147 #define TLS_ALERT_DECRYPT_ERROR                 51
148 #define TLS_ALERT_EXPORT_RESTRICTION            60
149 #define TLS_ALERT_PROTOCOL_VERSION              70
150 #define TLS_ALERT_INSUFFICIENT_SECURITY         71
151 #define TLS_ALERT_INTERNAL_ERROR                80
152 #define TLS_ALERT_USER_CANCELED                 90
153 #define TLS_ALERT_NO_RENEGOTIATION              100
154 #define TLS_ALERT_UNSUPPORTED_EXTENSION         110 /* RFC 4366 */
155 #define TLS_ALERT_CERTIFICATE_UNOBTAINABLE      111 /* RFC 4366 */
156 #define TLS_ALERT_UNRECOGNIZED_NAME             112 /* RFC 4366 */
157 #define TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE       113 /* RFC 4366 */
158 #define TLS_ALERT_BAD_CERTIFICATE_HASH_VALUE    114 /* RFC 4366 */
159
160 /* ChangeCipherSpec */
161 enum {
162         TLS_CHANGE_CIPHER_SPEC = 1
163 };
164
165 /* TLS Extensions */
166 #define TLS_EXT_SERVER_NAME                     0 /* RFC 4366 */
167 #define TLS_EXT_MAX_FRAGMENT_LENGTH             1 /* RFC 4366 */
168 #define TLS_EXT_CLIENT_CERTIFICATE_URL          2 /* RFC 4366 */
169 #define TLS_EXT_TRUSTED_CA_KEYS                 3 /* RFC 4366 */
170 #define TLS_EXT_TRUNCATED_HMAC                  4 /* RFC 4366 */
171 #define TLS_EXT_STATUS_REQUEST                  5 /* RFC 4366 */
172 #define TLS_EXT_SESSION_TICKET                  35 /* RFC 4507 */
173
174 #define TLS_EXT_PAC_OPAQUE TLS_EXT_SESSION_TICKET /* EAP-FAST terminology */
175
176
177 typedef enum {
178         TLS_KEY_X_NULL,
179         TLS_KEY_X_RSA,
180         TLS_KEY_X_RSA_EXPORT,
181         TLS_KEY_X_DH_DSS_EXPORT,
182         TLS_KEY_X_DH_DSS,
183         TLS_KEY_X_DH_RSA_EXPORT,
184         TLS_KEY_X_DH_RSA,
185         TLS_KEY_X_DHE_DSS_EXPORT,
186         TLS_KEY_X_DHE_DSS,
187         TLS_KEY_X_DHE_RSA_EXPORT,
188         TLS_KEY_X_DHE_RSA,
189         TLS_KEY_X_DH_anon_EXPORT,
190         TLS_KEY_X_DH_anon
191 } tls_key_exchange;
192
193 typedef enum {
194         TLS_CIPHER_NULL,
195         TLS_CIPHER_RC4_40,
196         TLS_CIPHER_RC4_128,
197         TLS_CIPHER_RC2_CBC_40,
198         TLS_CIPHER_IDEA_CBC,
199         TLS_CIPHER_DES40_CBC,
200         TLS_CIPHER_DES_CBC,
201         TLS_CIPHER_3DES_EDE_CBC,
202         TLS_CIPHER_AES_128_CBC,
203         TLS_CIPHER_AES_256_CBC
204 } tls_cipher;
205
206 typedef enum {
207         TLS_HASH_NULL,
208         TLS_HASH_MD5,
209         TLS_HASH_SHA,
210         TLS_HASH_SHA256
211 } tls_hash;
212
213 struct tls_cipher_suite {
214         u16 suite;
215         tls_key_exchange key_exchange;
216         tls_cipher cipher;
217         tls_hash hash;
218 };
219
220 typedef enum {
221         TLS_CIPHER_STREAM,
222         TLS_CIPHER_BLOCK
223 } tls_cipher_type;
224
225 struct tls_cipher_data {
226         tls_cipher cipher;
227         tls_cipher_type type;
228         size_t key_material;
229         size_t expanded_key_material;
230         size_t block_size; /* also iv_size */
231         enum crypto_cipher_alg alg;
232 };
233
234
235 struct tls_verify_hash {
236         struct crypto_hash *md5_client;
237         struct crypto_hash *sha1_client;
238         struct crypto_hash *sha256_client;
239         struct crypto_hash *md5_server;
240         struct crypto_hash *sha1_server;
241         struct crypto_hash *sha256_server;
242         struct crypto_hash *md5_cert;
243         struct crypto_hash *sha1_cert;
244         struct crypto_hash *sha256_cert;
245 };
246
247
248 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite);
249 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher);
250 int tls_server_key_exchange_allowed(tls_cipher cipher);
251 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk);
252 int tls_verify_hash_init(struct tls_verify_hash *verify);
253 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
254                          size_t len);
255 void tls_verify_hash_free(struct tls_verify_hash *verify);
256 int tls_version_ok(u16 ver);
257 const char * tls_version_str(u16 ver);
258 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
259             const u8 *seed, size_t seed_len, u8 *out, size_t outlen);
260
261 #endif /* TLSV1_COMMON_H */
WIP repository