/* * * Embedded Linux library * * Copyright (C) 2011-2014 Intel Corporation. All rights reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA * */ #define TLS_MAX_VERSION L_TLS_V12 #define TLS_MIN_VERSION L_TLS_V10 enum tls_cipher_type { TLS_CIPHER_STREAM, TLS_CIPHER_BLOCK, TLS_CIPHER_AEAD, }; struct tls_bulk_encryption_algorithm { enum tls_cipher_type cipher_type; union { enum l_cipher_type l_id; enum l_aead_cipher_type l_aead_id; }; size_t key_length; size_t iv_length; size_t fixed_iv_length; size_t block_length; size_t auth_tag_length; }; /* * Support the minimum required set of handshake hash types for the * Certificate Verify digital signature and the Finished PRF seed so we * don't have to accumulate all of messages full contents until the * Finished message. If we're sent a hash of a different type (in TLS 1.2+) * and need to verify we'll give up. * SHA1 and MD5 are explicitly required by versions < 1.2 and 1.2 requires * that the Finished hash is the same as used for the PRF so we need to * keep at least the hashes our supported cipher suites specify for the PRF. */ enum handshake_hash_type { HANDSHAKE_HASH_SHA384, HANDSHAKE_HASH_SHA256, HANDSHAKE_HASH_MD5, HANDSHAKE_HASH_SHA1, __HANDSHAKE_HASH_COUNT, }; #define HANDSHAKE_HASH_MAX_SIZE 48 struct tls_hash_algorithm { uint8_t tls_id; enum handshake_hash_type type; enum l_checksum_type l_id; const char *name; }; extern const struct tls_hash_algorithm tls_handshake_hash_data[]; typedef bool (*tls_get_hash_t)(struct l_tls *tls, enum handshake_hash_type type, const uint8_t *data, size_t data_len, uint8_t *out, size_t *out_len); struct tls_signature_algorithm { uint8_t id; bool (*validate_cert_key_type)(struct l_cert *cert); ssize_t (*sign)(struct l_tls *tls, uint8_t *out, size_t out_len, tls_get_hash_t get_hash, const uint8_t *data, size_t data_len); bool (*verify)(struct l_tls *tls, const uint8_t *in, size_t in_len, tls_get_hash_t get_hash, const uint8_t *data, size_t data_len); }; struct tls_key_exchange_algorithm { bool need_ecc; bool need_ffdh; bool (*send_server_key_exchange)(struct l_tls *tls); void (*handle_server_key_exchange)(struct l_tls *tls, const uint8_t *buf, size_t len); bool (*send_client_key_exchange)(struct l_tls *tls); void (*handle_client_key_exchange)(struct l_tls *tls, const uint8_t *buf, size_t len); void (*free_params)(struct l_tls *tls); }; struct tls_mac_algorithm { uint8_t id; enum l_checksum_type hmac_type; size_t mac_length; }; struct tls_cipher_suite { uint8_t id[2]; const char *name; int verify_data_length; struct tls_bulk_encryption_algorithm *encryption; struct tls_signature_algorithm *signature; struct tls_key_exchange_algorithm *key_xchg; struct tls_mac_algorithm *mac; enum l_checksum_type prf_hmac; }; extern struct tls_cipher_suite *tls_cipher_suite_pref[]; struct tls_compression_method { int id; const char *name; }; struct tls_hello_extension { const char *name; const char *short_name; uint16_t id; ssize_t (*client_write)(struct l_tls *tls, uint8_t *buf, size_t len); /* Handle a Client Hello extension (on server), can't be NULL */ bool (*client_handle)(struct l_tls *tls, const uint8_t *buf, size_t len); /* Handle a Client Hello extension's absence (on server) */ bool (*client_handle_absent)(struct l_tls *tls); ssize_t (*server_write)(struct l_tls *tls, uint8_t *buf, size_t len); /* Handle a Server Hello extension (on client) */ bool (*server_handle)(struct l_tls *tls, const uint8_t *buf, size_t len); /* Handle a Server Hello extension's absence (on client) */ bool (*server_handle_absent)(struct l_tls *tls); }; extern const struct tls_hello_extension tls_extensions[]; struct tls_named_group { const char *name; uint16_t id; enum { TLS_GROUP_TYPE_EC, TLS_GROUP_TYPE_FF, } type; union { struct { const uint8_t *prime; size_t prime_len; unsigned int generator; } ff; }; }; enum tls_handshake_state { TLS_HANDSHAKE_WAIT_START, TLS_HANDSHAKE_WAIT_HELLO, TLS_HANDSHAKE_WAIT_CERTIFICATE, TLS_HANDSHAKE_WAIT_KEY_EXCHANGE, TLS_HANDSHAKE_WAIT_HELLO_DONE, TLS_HANDSHAKE_WAIT_CERTIFICATE_VERIFY, TLS_HANDSHAKE_WAIT_CHANGE_CIPHER_SPEC, TLS_HANDSHAKE_WAIT_FINISHED, TLS_HANDSHAKE_DONE, }; enum tls_content_type { TLS_CT_CHANGE_CIPHER_SPEC = 20, TLS_CT_ALERT = 21, TLS_CT_HANDSHAKE = 22, TLS_CT_APPLICATION_DATA = 23, }; enum tls_handshake_type { TLS_HELLO_REQUEST = 0, TLS_CLIENT_HELLO = 1, TLS_SERVER_HELLO = 2, TLS_CERTIFICATE = 11, TLS_SERVER_KEY_EXCHANGE = 12, TLS_CERTIFICATE_REQUEST = 13, TLS_SERVER_HELLO_DONE = 14, TLS_CERTIFICATE_VERIFY = 15, TLS_CLIENT_KEY_EXCHANGE = 16, TLS_FINISHED = 20, }; struct l_tls { bool server; l_tls_write_cb_t tx, rx; l_tls_ready_cb_t ready_handle; l_tls_disconnect_cb_t disconnected; void *user_data; l_tls_debug_cb_t debug_handler; l_tls_destroy_cb_t debug_destroy; void *debug_data; char *cert_dump_path; enum l_tls_version min_version; enum l_tls_version max_version; struct l_queue *ca_certs; struct l_certchain *cert; struct l_key *priv_key; size_t priv_key_size; char **subject_mask; struct tls_cipher_suite **cipher_suite_pref_list; bool in_callback; bool pending_destroy; /* Record layer */ uint8_t *record_buf; int record_buf_len; int record_buf_max_len; bool record_flush; uint8_t *message_buf; int message_buf_len; int message_buf_max_len; enum tls_content_type message_content_type; /* Handshake protocol layer */ enum tls_handshake_state state; struct l_checksum *handshake_hash[__HANDSHAKE_HASH_COUNT]; uint8_t prev_digest[__HANDSHAKE_HASH_COUNT][HANDSHAKE_HASH_MAX_SIZE]; enum l_tls_version client_version; enum l_tls_version negotiated_version; bool cert_requested, cert_sent; bool peer_authenticated; struct l_cert *peer_cert; struct l_key *peer_pubkey; size_t peer_pubkey_size; enum handshake_hash_type signature_hash; const struct tls_hash_algorithm *prf_hmac; const struct tls_named_group *negotiated_curve; const struct tls_named_group *negotiated_ff_group; /* SecurityParameters current and pending */ struct { struct tls_cipher_suite *cipher_suite; struct tls_compression_method *compression_method; uint8_t master_secret[48]; uint8_t client_random[32]; uint8_t server_random[32]; /* * Max key block size per 6.3 v1.1 is 136 bytes but if we * allow AES_256_CBC_SHA256 with v1.0 we get 128 per section * 6.3 v1.2 + two IVs of 32 bytes. */ uint8_t key_block[192]; void *key_xchg_params; } pending; enum tls_cipher_type cipher_type[2]; struct tls_cipher_suite *cipher_suite[2]; union { struct l_cipher *cipher[2]; struct l_aead_cipher *aead_cipher[2]; }; struct l_checksum *mac[2]; size_t mac_length[2]; size_t block_length[2]; size_t record_iv_length[2]; size_t fixed_iv_length[2]; uint8_t fixed_iv[2][32]; size_t auth_tag_length[2]; uint64_t seq_num[2]; /* * Some of the key and IV parts of the "current" state are kept * inside the cipher and mac states in the kernel so we don't * duplicate them here. */ bool ready; }; bool tls10_prf(const void *secret, size_t secret_len, const char *label, const void *seed, size_t seed_len, uint8_t *out, size_t out_len); bool tls12_prf(enum l_checksum_type type, const void *secret, size_t secret_len, const char *label, const void *seed, size_t seed_len, uint8_t *out, size_t out_len); void tls_disconnect(struct l_tls *tls, enum l_tls_alert_desc desc, enum l_tls_alert_desc local_desc); void tls_tx_record(struct l_tls *tls, enum tls_content_type type, const uint8_t *data, size_t len); bool tls_handle_message(struct l_tls *tls, const uint8_t *message, int len, enum tls_content_type type, uint16_t version); #define TLS_HANDSHAKE_HEADER_SIZE 4 void tls_tx_handshake(struct l_tls *tls, int type, uint8_t *buf, size_t length); bool tls_cipher_suite_is_compatible(struct l_tls *tls, const struct tls_cipher_suite *suite, const char **error); /* Optionally limit allowed cipher suites to a custom set */ bool tls_set_cipher_suites(struct l_tls *tls, const char **suite_list); void tls_generate_master_secret(struct l_tls *tls, const uint8_t *pre_master_secret, int pre_master_secret_len); const struct tls_named_group *tls_find_group(uint16_t id); const struct tls_named_group *tls_find_ff_group(const uint8_t *prime, size_t prime_len, const uint8_t *generator, size_t generator_len); ssize_t tls_write_signature_algorithms(struct l_tls *tls, uint8_t *buf, size_t len); ssize_t tls_parse_signature_algorithms(struct l_tls *tls, const uint8_t *buf, size_t len); int tls_parse_certificate_list(const void *data, size_t len, struct l_certchain **out_certchain); #define TLS_DEBUG(fmt, args...) \ l_util_debug(tls->debug_handler, tls->debug_data, "%s:%i " fmt, \ __func__, __LINE__, ## args) #define TLS_SET_STATE(new_state) \ do { \ TLS_DEBUG("New state %s", \ tls_handshake_state_to_str(new_state)); \ tls->state = new_state; \ } while (0) #define TLS_DISCONNECT(desc, local_desc, fmt, args...) \ do { \ TLS_DEBUG("Disconnect desc=%s local-desc=%s reason=" fmt,\ l_tls_alert_to_str(desc), \ l_tls_alert_to_str(local_desc), ## args);\ tls_disconnect(tls, desc, local_desc); \ } while (0) #define TLS_VER_FMT "1.%i" #define TLS_VER_ARGS(version) (((version) & 0xff) - 1) const char *tls_handshake_state_to_str(enum tls_handshake_state state);