      1 #ifndef _GPXE_TLS_H
      2 #define _GPXE_TLS_H
      3 
      4 /**
      5  * @file
      6  *
      7  * Transport Layer Security Protocol
      8  */
      9 
     10 FILE_LICENCE ( GPL2_OR_LATER );
     11 
     12 #include <stdint.h>
     13 #include <gpxe/refcnt.h>
     14 #include <gpxe/filter.h>
     15 #include <gpxe/process.h>
     16 #include <gpxe/crypto.h>
     17 #include <gpxe/md5.h>
     18 #include <gpxe/sha1.h>
     19 #include <gpxe/x509.h>
     20 
/** A TLS record-layer header
 *
 * This is the five-byte header (type, version, length) that precedes
 * every TLS record.  The structure is packed so that it can overlay
 * the raw bytes received from, or sent to, the peer.
 */
struct tls_header {
	/** Content type
	 *
	 * This is a TLS_TYPE_XXX constant
	 */
	uint8_t type;
	/** Protocol version
	 *
	 * This is a TLS_VERSION_XXX constant.  TLS transmits this
	 * field big-endian (network byte order); the code that fills
	 * or parses the header is responsible for the byte swap.
	 */
	uint16_t version;
	/** Length of payload
	 *
	 * Big-endian on the wire.  This value is supplied by the
	 * peer, so it must be bounded before being used as an
	 * allocation or copy size for the record payload.
	 */
	uint16_t length;
} __attribute__ (( packed ));
     36 
/** TLS version 1.0
 *
 * NOTE(review): only TLS 1.0 and 1.1 are defined here; both
 * protocol versions are deprecated (RFC 8996).  Which version is
 * actually offered and accepted is decided in the implementation,
 * not in this header.
 */
#define TLS_VERSION_TLS_1_0 0x0301

/** TLS version 1.1 */
#define TLS_VERSION_TLS_1_1 0x0302

/** Change cipher content type */
#define TLS_TYPE_CHANGE_CIPHER 20

/** Alert content type */
#define TLS_TYPE_ALERT 21

/** Handshake content type */
#define TLS_TYPE_HANDSHAKE 22

/** Application data content type */
#define TLS_TYPE_DATA 23

/* Handshake message types
 *
 * These are the values of the first byte of a handshake message
 * carried inside a TLS_TYPE_HANDSHAKE record.
 */
#define TLS_HELLO_REQUEST 0
#define TLS_CLIENT_HELLO 1
#define TLS_SERVER_HELLO 2
#define TLS_CERTIFICATE 11
#define TLS_SERVER_KEY_EXCHANGE 12
#define TLS_CERTIFICATE_REQUEST 13
#define TLS_SERVER_HELLO_DONE 14
#define TLS_CERTIFICATE_VERIFY 15
#define TLS_CLIENT_KEY_EXCHANGE 16
#define TLS_FINISHED 20

/* TLS alert levels
 *
 * A fatal alert terminates the connection; a warning does not.
 */
#define TLS_ALERT_WARNING 1
#define TLS_ALERT_FATAL 2

/* TLS cipher specifications
 *
 * Cipher suite identifiers as exchanged in ClientHello/ServerHello.
 * The two *_WITH_NULL_* suites use a NULL bulk cipher: they provide
 * integrity (MAC) only and send application data in the clear, so
 * they should not be offered where confidentiality is required.
 */
#define TLS_RSA_WITH_NULL_MD5 0x0001
#define TLS_RSA_WITH_NULL_SHA 0x0002
#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002f
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
     76 
/** TLS RX state machine state
 *
 * Receive processing alternates between collecting a record header
 * and collecting that record's payload (see rx_header and rx_data
 * in struct tls_session).
 */
enum tls_rx_state {
	/** Receiving the record header */
	TLS_RX_HEADER = 0,
	/** Receiving the record payload */
	TLS_RX_DATA,
};
     82 
/** TLS TX state machine state
 *
 * The states follow the order of the client-side handshake
 * messages, ending in the application-data state.
 */
enum tls_tx_state {
	/** Nothing to transmit */
	TLS_TX_NONE = 0,
	/** Send ClientHello */
	TLS_TX_CLIENT_HELLO,
	/** Send ClientKeyExchange */
	TLS_TX_CLIENT_KEY_EXCHANGE,
	/** Send ChangeCipherSpec */
	TLS_TX_CHANGE_CIPHER,
	/** Send Finished */
	TLS_TX_FINISHED,
	/** Handshake complete; send application data */
	TLS_TX_DATA
};
     92 
/** A TLS cipher specification
 *
 * A session holds four of these: the current and pending
 * specifications for each of the TX and RX directions (see struct
 * tls_session).  The pending specification becomes current when a
 * ChangeCipherSpec is processed.
 */
struct tls_cipherspec {
	/** Public-key encryption algorithm */
	struct pubkey_algorithm *pubkey;
	/** Bulk encryption cipher algorithm */
	struct cipher_algorithm *cipher;
	/** MAC digest algorithm */
	struct digest_algorithm *digest;
	/** Key length
	 *
	 * NOTE(review): presumably the bulk cipher key length in
	 * bytes; confirm against the code that fills this in.
	 */
	size_t key_len;
	/** Dynamically-allocated storage
	 *
	 * Backing storage for the context and secret pointers below.
	 * Since it holds key material, it should be zeroised before
	 * being freed.
	 */
	void *dynamic;
	/** Public key encryption context */
	void *pubkey_ctx;
	/** Bulk encryption cipher context */
	void *cipher_ctx;
	/** Next bulk encryption cipher context (TX only) */
	void *cipher_next_ctx;
	/** MAC secret
	 *
	 * Secret key for the record-layer MAC; treat as sensitive.
	 */
	void *mac_secret;
};
    114 
/** TLS pre-master secret
 *
 * The 48-byte RSA pre-master secret that the client encrypts with
 * the server's public key.  It is highly sensitive: it derives the
 * master secret and should be zeroised once no longer needed.
 */
struct tls_pre_master_secret {
	/** TLS version
	 *
	 * Per the TLS specification this must be the highest version
	 * the client offered in its ClientHello (the server checks it
	 * to detect version rollback).
	 */
	uint16_t version;
	/** Random data
	 *
	 * Must come from a cryptographically strong random source;
	 * a predictable value here compromises the whole session.
	 */
	uint8_t random[46];
} __attribute__ (( packed ));
    122 
/** TLS client random data
 *
 * The 32-byte client random sent in the ClientHello; its size
 * matches the 32-byte server_random kept in struct tls_session.
 */
struct tls_client_random {
	/** GMT Unix time */
	uint32_t gmt_unix_time;
	/** Random data
	 *
	 * Need not be secret but must be unpredictable, as it feeds
	 * the key derivation together with the server random.
	 */
	uint8_t random[28];
} __attribute__ (( packed ));
    130 
/** A TLS session
 *
 * Sits as a filter between a plaintext data-transfer interface and
 * a ciphertext one.  Several members (pre_master_secret,
 * master_secret, the cipherspec secrets) hold key material and
 * should be zeroised when the session is torn down.
 */
struct tls_session {
	/** Reference counter */
	struct refcnt refcnt;

	/** Plaintext stream */
	struct xfer_filter_half plainstream;
	/** Ciphertext stream */
	struct xfer_filter_half cipherstream;

	/** Current TX cipher specification */
	struct tls_cipherspec tx_cipherspec;
	/** Next TX cipher specification
	 *
	 * Becomes the current TX specification after our
	 * ChangeCipherSpec is sent.
	 */
	struct tls_cipherspec tx_cipherspec_pending;
	/** Current RX cipher specification */
	struct tls_cipherspec rx_cipherspec;
	/** Next RX cipher specification
	 *
	 * Becomes the current RX specification after the peer's
	 * ChangeCipherSpec is received.
	 */
	struct tls_cipherspec rx_cipherspec_pending;
	/** Premaster secret (sensitive) */
	struct tls_pre_master_secret pre_master_secret;
	/** Master secret (sensitive)
	 *
	 * 48 bytes, derived from the pre-master secret and the two
	 * random values.
	 */
	uint8_t master_secret[48];
	/** Server random bytes */
	uint8_t server_random[32];
	/** Client random bytes */
	struct tls_client_random client_random;
	/** MD5 context for handshake verification
	 *
	 * TLS 1.0/1.1 compute the Finished verify data over a running
	 * MD5 and SHA1 of all handshake messages.
	 */
	uint8_t handshake_md5_ctx[MD5_CTX_SIZE];
	/** SHA1 context for handshake verification */
	uint8_t handshake_sha1_ctx[SHA1_CTX_SIZE];

	/** Hack: server RSA public key
	 *
	 * NOTE(review): only the server's RSA key is retained here;
	 * whether the certificate chain and host name are validated
	 * before this key is trusted is not visible from this header.
	 */
	struct x509_rsa_public_key rsa;

	/** TX sequence number
	 *
	 * 64-bit record sequence number; in TLS it is an input to the
	 * record MAC, so it must be incremented for every record sent.
	 */
	uint64_t tx_seq;
	/** TX state */
	enum tls_tx_state tx_state;
	/** TX process */
	struct process process;

	/** RX sequence number
	 *
	 * Counterpart of tx_seq for received records; used when
	 * verifying each record's MAC.
	 */
	uint64_t rx_seq;
	/** RX state */
	enum tls_rx_state rx_state;
	/** Offset within current RX state
	 *
	 * Number of bytes received so far of the header or payload
	 * currently being assembled.
	 */
	size_t rx_rcvd;
	/** Current received record header */
	struct tls_header rx_header;
	/** Current received raw data buffer
	 *
	 * Sized from rx_header.length, which is peer-controlled; the
	 * receive path should bound that length before allocating.
	 */
	void *rx_data;
};
    183 
/**
 * Add TLS on an interface
 *
 * @v xfer		Data transfer interface
 * @v next		Receives the next data transfer interface
 *			(presumably the ciphertext side of the filter;
 *			confirm against the definition)
 * @ret rc		Return status code
 */
extern int add_tls ( struct xfer_interface *xfer,
		     struct xfer_interface **next );
    186 
    187 #endif /* _GPXE_TLS_H */