1 /* 2 * TLSv1 common definitions 3 * Copyright (c) 2006-2007, Jouni Malinen <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #ifndef TLSV1_COMMON_H 16 #define TLSV1_COMMON_H 17 18 #include "crypto.h" 19 20 #define TLS_VERSION 0x0301 /* TLSv1 */ 21 #define TLS_RANDOM_LEN 32 22 #define TLS_PRE_MASTER_SECRET_LEN 48 23 #define TLS_MASTER_SECRET_LEN 48 24 #define TLS_SESSION_ID_MAX_LEN 32 25 #define TLS_VERIFY_DATA_LEN 12 26 27 /* HandshakeType */ 28 enum { 29 TLS_HANDSHAKE_TYPE_HELLO_REQUEST = 0, 30 TLS_HANDSHAKE_TYPE_CLIENT_HELLO = 1, 31 TLS_HANDSHAKE_TYPE_SERVER_HELLO = 2, 32 TLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET = 4 /* RFC 4507 */, 33 TLS_HANDSHAKE_TYPE_CERTIFICATE = 11, 34 TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE = 12, 35 TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST = 13, 36 TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE = 14, 37 TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY = 15, 38 TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE = 16, 39 TLS_HANDSHAKE_TYPE_FINISHED = 20, 40 TLS_HANDSHAKE_TYPE_CERTIFICATE_URL = 21 /* RFC 4366 */, 41 TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS = 22 /* RFC 4366 */ 42 }; 43 44 /* CipherSuite */ 45 #define TLS_NULL_WITH_NULL_NULL 0x0000 /* RFC 2246 */ 46 #define TLS_RSA_WITH_NULL_MD5 0x0001 /* RFC 2246 */ 47 #define TLS_RSA_WITH_NULL_SHA 0x0002 /* RFC 2246 */ 48 #define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 /* RFC 2246 */ 49 #define TLS_RSA_WITH_RC4_128_MD5 0x0004 /* RFC 2246 */ 50 #define TLS_RSA_WITH_RC4_128_SHA 0x0005 /* RFC 2246 */ 51 #define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 /* RFC 2246 */ 52 #define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 /* RFC 2246 */ 53 #define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 /* RFC 2246 */ 54 #define TLS_RSA_WITH_DES_CBC_SHA 0x0009 /* RFC 2246 */ 55 #define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A /* RFC 2246 */ 56 #define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000B /* RFC 2246 */ 57 #define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000C /* RFC 2246 */ 58 #define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D /* RFC 2246 */ 59 #define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000E /* RFC 2246 */ 60 #define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000F /* RFC 2246 */ 61 #define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 /* RFC 2246 */ 62 #define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 /* RFC 2246 */ 63 #define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 /* RFC 2246 */ 64 #define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 /* RFC 2246 */ 65 #define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 /* RFC 2246 */ 66 #define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 /* RFC 2246 */ 67 #define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 /* RFC 2246 */ 68 #define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017 /* RFC 2246 */ 69 #define TLS_DH_anon_WITH_RC4_128_MD5 0x0018 /* RFC 2246 */ 70 #define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019 /* RFC 2246 */ 71 #define TLS_DH_anon_WITH_DES_CBC_SHA 0x001A /* RFC 2246 */ 72 #define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B /* RFC 2246 */ 73 #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F /* RFC 3268 */ 74 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 /* RFC 3268 */ 75 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 /* RFC 3268 */ 76 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 /* RFC 3268 */ 77 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 /* RFC 3268 */ 78 #define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 /* RFC 3268 */ 79 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 /* RFC 3268 */ 80 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 /* RFC 3268 */ 81 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 /* RFC 3268 */ 82 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 /* RFC 3268 */ 83 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 /* RFC 3268 */ 84 #define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A /* RFC 3268 */ 85 86 /* CompressionMethod */ 87 #define TLS_COMPRESSION_NULL 0 88 89 /* AlertLevel */ 90 #define TLS_ALERT_LEVEL_WARNING 1 91 #define TLS_ALERT_LEVEL_FATAL 2 92 93 /* AlertDescription */ 94 #define TLS_ALERT_CLOSE_NOTIFY 0 95 #define TLS_ALERT_UNEXPECTED_MESSAGE 10 96 #define TLS_ALERT_BAD_RECORD_MAC 20 97 #define TLS_ALERT_DECRYPTION_FAILED 21 98 #define TLS_ALERT_RECORD_OVERFLOW 22 99 #define TLS_ALERT_DECOMPRESSION_FAILURE 30 100 #define TLS_ALERT_HANDSHAKE_FAILURE 40 101 #define TLS_ALERT_BAD_CERTIFICATE 42 102 #define TLS_ALERT_UNSUPPORTED_CERTIFICATE 43 103 #define TLS_ALERT_CERTIFICATE_REVOKED 44 104 #define TLS_ALERT_CERTIFICATE_EXPIRED 45 105 #define TLS_ALERT_CERTIFICATE_UNKNOWN 46 106 #define TLS_ALERT_ILLEGAL_PARAMETER 47 107 #define TLS_ALERT_UNKNOWN_CA 48 108 #define TLS_ALERT_ACCESS_DENIED 49 109 #define TLS_ALERT_DECODE_ERROR 50 110 #define TLS_ALERT_DECRYPT_ERROR 51 111 #define TLS_ALERT_EXPORT_RESTRICTION 60 112 #define TLS_ALERT_PROTOCOL_VERSION 70 113 #define TLS_ALERT_INSUFFICIENT_SECURITY 71 114 #define TLS_ALERT_INTERNAL_ERROR 80 115 #define TLS_ALERT_USER_CANCELED 90 116 #define TLS_ALERT_NO_RENEGOTIATION 100 117 #define TLS_ALERT_UNSUPPORTED_EXTENSION 110 /* RFC 4366 */ 118 #define TLS_ALERT_CERTIFICATE_UNOBTAINABLE 111 /* RFC 4366 */ 119 #define TLS_ALERT_UNRECOGNIZED_NAME 112 /* RFC 4366 */ 120 #define TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 113 /* RFC 4366 */ 121 #define TLS_ALERT_BAD_CERTIFICATE_HASH_VALUE 114 /* RFC 4366 */ 122 123 /* ChangeCipherSpec */ 124 enum { 125 TLS_CHANGE_CIPHER_SPEC = 1 126 }; 127 128 /* TLS Extensions */ 129 #define TLS_EXT_SERVER_NAME 0 /* RFC 4366 */ 130 #define TLS_EXT_MAX_FRAGMENT_LENGTH 1 /* RFC 4366 */ 131 #define TLS_EXT_CLIENT_CERTIFICATE_URL 2 /* RFC 4366 */ 132 #define TLS_EXT_TRUSTED_CA_KEYS 3 /* RFC 4366 */ 133 #define TLS_EXT_TRUNCATED_HMAC 4 /* RFC 4366 */ 134 #define TLS_EXT_STATUS_REQUEST 5 /* RFC 4366 */ 135 #define TLS_EXT_SESSION_TICKET 35 /* RFC 4507 */ 136 137 #define TLS_EXT_PAC_OPAQUE TLS_EXT_SESSION_TICKET /* EAP-FAST terminology */ 138 139 140 typedef enum { 141 TLS_KEY_X_NULL, 142 TLS_KEY_X_RSA, 143 TLS_KEY_X_RSA_EXPORT, 144 TLS_KEY_X_DH_DSS_EXPORT, 145 TLS_KEY_X_DH_DSS, 146 TLS_KEY_X_DH_RSA_EXPORT, 147 TLS_KEY_X_DH_RSA, 148 TLS_KEY_X_DHE_DSS_EXPORT, 149 TLS_KEY_X_DHE_DSS, 150 TLS_KEY_X_DHE_RSA_EXPORT, 151 TLS_KEY_X_DHE_RSA, 152 TLS_KEY_X_DH_anon_EXPORT, 153 TLS_KEY_X_DH_anon 154 } tls_key_exchange; 155 156 typedef enum { 157 TLS_CIPHER_NULL, 158 TLS_CIPHER_RC4_40, 159 TLS_CIPHER_RC4_128, 160 TLS_CIPHER_RC2_CBC_40, 161 TLS_CIPHER_IDEA_CBC, 162 TLS_CIPHER_DES40_CBC, 163 TLS_CIPHER_DES_CBC, 164 TLS_CIPHER_3DES_EDE_CBC, 165 TLS_CIPHER_AES_128_CBC, 166 TLS_CIPHER_AES_256_CBC 167 } tls_cipher; 168 169 typedef enum { 170 TLS_HASH_NULL, 171 TLS_HASH_MD5, 172 TLS_HASH_SHA 173 } tls_hash; 174 175 struct tls_cipher_suite { 176 u16 suite; 177 tls_key_exchange key_exchange; 178 tls_cipher cipher; 179 tls_hash hash; 180 }; 181 182 typedef enum { 183 TLS_CIPHER_STREAM, 184 TLS_CIPHER_BLOCK 185 } tls_cipher_type; 186 187 struct tls_cipher_data { 188 tls_cipher cipher; 189 tls_cipher_type type; 190 size_t key_material; 191 size_t expanded_key_material; 192 size_t block_size; /* also iv_size */ 193 enum crypto_cipher_alg alg; 194 }; 195 196 197 struct tls_verify_hash { 198 struct crypto_hash *md5_client; 199 struct crypto_hash *sha1_client; 200 struct crypto_hash *md5_server; 201 struct crypto_hash *sha1_server; 202 struct crypto_hash *md5_cert; 203 struct crypto_hash *sha1_cert; 204 }; 205 206 207 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite); 208 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher); 209 int tls_server_key_exchange_allowed(tls_cipher cipher); 210 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk); 211 int tls_verify_hash_init(struct tls_verify_hash *verify); 212 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf, 213 size_t len); 214 void tls_verify_hash_free(struct tls_verify_hash *verify); 215 216 #endif /* TLSV1_COMMON_H */ 217
