contrib/hostapd/src/tls/tlsv1_common.h

   1 /*
   2  * TLSv1 common definitions
   3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #ifndef TLSV1_COMMON_H
  16 #define TLSV1_COMMON_H
  17
  18 #include "crypto.h"
  19
  20 #define TLS_VERSION 0x0301 /* TLSv1 */
  21 #define TLS_RANDOM_LEN 32
  22 #define TLS_PRE_MASTER_SECRET_LEN 48
  23 #define TLS_MASTER_SECRET_LEN 48
  24 #define TLS_SESSION_ID_MAX_LEN 32
  25 #define TLS_VERIFY_DATA_LEN 12
  26
  27 /* HandshakeType */
  28 enum {
  29         TLS_HANDSHAKE_TYPE_HELLO_REQUEST = 0,
  30         TLS_HANDSHAKE_TYPE_CLIENT_HELLO = 1,
  31         TLS_HANDSHAKE_TYPE_SERVER_HELLO = 2,
  32         TLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET = 4 /* RFC 4507 */,
  33         TLS_HANDSHAKE_TYPE_CERTIFICATE = 11,
  34         TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE = 12,
  35         TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST = 13,
  36         TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE = 14,
  37         TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY = 15,
  38         TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE = 16,
  39         TLS_HANDSHAKE_TYPE_FINISHED = 20,
  40         TLS_HANDSHAKE_TYPE_CERTIFICATE_URL = 21 /* RFC 4366 */,
  41         TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS = 22 /* RFC 4366 */
  42 };
  43
  44 /* CipherSuite */
  45 #define TLS_NULL_WITH_NULL_NULL                 0x0000 /* RFC 2246 */
  46 #define TLS_RSA_WITH_NULL_MD5                   0x0001 /* RFC 2246 */
  47 #define TLS_RSA_WITH_NULL_SHA                   0x0002 /* RFC 2246 */
  48 #define TLS_RSA_EXPORT_WITH_RC4_40_MD5          0x0003 /* RFC 2246 */
  49 #define TLS_RSA_WITH_RC4_128_MD5                0x0004 /* RFC 2246 */
  50 #define TLS_RSA_WITH_RC4_128_SHA                0x0005 /* RFC 2246 */
  51 #define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5      0x0006 /* RFC 2246 */
  52 #define TLS_RSA_WITH_IDEA_CBC_SHA               0x0007 /* RFC 2246 */
  53 #define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA       0x0008 /* RFC 2246 */
  54 #define TLS_RSA_WITH_DES_CBC_SHA                0x0009 /* RFC 2246 */
  55 #define TLS_RSA_WITH_3DES_EDE_CBC_SHA           0x000A /* RFC 2246 */
  56 #define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    0x000B /* RFC 2246 */
  57 #define TLS_DH_DSS_WITH_DES_CBC_SHA             0x000C /* RFC 2246 */
  58 #define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        0x000D /* RFC 2246 */
  59 #define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    0x000E /* RFC 2246 */
  60 #define TLS_DH_RSA_WITH_DES_CBC_SHA             0x000F /* RFC 2246 */
  61 #define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        0x0010 /* RFC 2246 */
  62 #define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   0x0011 /* RFC 2246 */
  63 #define TLS_DHE_DSS_WITH_DES_CBC_SHA            0x0012 /* RFC 2246 */
  64 #define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       0x0013 /* RFC 2246 */
  65 #define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   0x0014 /* RFC 2246 */
  66 #define TLS_DHE_RSA_WITH_DES_CBC_SHA            0x0015 /* RFC 2246 */
  67 #define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       0x0016 /* RFC 2246 */
  68 #define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5      0x0017 /* RFC 2246 */
  69 #define TLS_DH_anon_WITH_RC4_128_MD5            0x0018 /* RFC 2246 */
  70 #define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA   0x0019 /* RFC 2246 */
  71 #define TLS_DH_anon_WITH_DES_CBC_SHA            0x001A /* RFC 2246 */
  72 #define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       0x001B /* RFC 2246 */
  73 #define TLS_RSA_WITH_AES_128_CBC_SHA            0x002F /* RFC 3268 */
  74 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA         0x0030 /* RFC 3268 */
  75 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA         0x0031 /* RFC 3268 */
  76 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA        0x0032 /* RFC 3268 */
  77 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA        0x0033 /* RFC 3268 */
  78 #define TLS_DH_anon_WITH_AES_128_CBC_SHA        0x0034 /* RFC 3268 */
  79 #define TLS_RSA_WITH_AES_256_CBC_SHA            0x0035 /* RFC 3268 */
  80 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA         0x0036 /* RFC 3268 */
  81 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA         0x0037 /* RFC 3268 */
  82 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA        0x0038 /* RFC 3268 */
  83 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA        0x0039 /* RFC 3268 */
  84 #define TLS_DH_anon_WITH_AES_256_CBC_SHA        0x003A /* RFC 3268 */
  85
  86 /* CompressionMethod */
  87 #define TLS_COMPRESSION_NULL 0
  88
  89 /* AlertLevel */
  90 #define TLS_ALERT_LEVEL_WARNING 1
  91 #define TLS_ALERT_LEVEL_FATAL 2
  92
  93 /* AlertDescription */
  94 #define TLS_ALERT_CLOSE_NOTIFY                  0
  95 #define TLS_ALERT_UNEXPECTED_MESSAGE            10
  96 #define TLS_ALERT_BAD_RECORD_MAC                20
  97 #define TLS_ALERT_DECRYPTION_FAILED             21
  98 #define TLS_ALERT_RECORD_OVERFLOW               22
  99 #define TLS_ALERT_DECOMPRESSION_FAILURE         30
 100 #define TLS_ALERT_HANDSHAKE_FAILURE             40
 101 #define TLS_ALERT_BAD_CERTIFICATE               42
 102 #define TLS_ALERT_UNSUPPORTED_CERTIFICATE       43
 103 #define TLS_ALERT_CERTIFICATE_REVOKED           44
 104 #define TLS_ALERT_CERTIFICATE_EXPIRED           45
 105 #define TLS_ALERT_CERTIFICATE_UNKNOWN           46
 106 #define TLS_ALERT_ILLEGAL_PARAMETER             47
 107 #define TLS_ALERT_UNKNOWN_CA                    48
 108 #define TLS_ALERT_ACCESS_DENIED                 49
 109 #define TLS_ALERT_DECODE_ERROR                  50
 110 #define TLS_ALERT_DECRYPT_ERROR                 51
 111 #define TLS_ALERT_EXPORT_RESTRICTION            60
 112 #define TLS_ALERT_PROTOCOL_VERSION              70
 113 #define TLS_ALERT_INSUFFICIENT_SECURITY         71
 114 #define TLS_ALERT_INTERNAL_ERROR                80
 115 #define TLS_ALERT_USER_CANCELED                 90
 116 #define TLS_ALERT_NO_RENEGOTIATION              100
 117 #define TLS_ALERT_UNSUPPORTED_EXTENSION         110 /* RFC 4366 */
 118 #define TLS_ALERT_CERTIFICATE_UNOBTAINABLE      111 /* RFC 4366 */
 119 #define TLS_ALERT_UNRECOGNIZED_NAME             112 /* RFC 4366 */
 120 #define TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE       113 /* RFC 4366 */
 121 #define TLS_ALERT_BAD_CERTIFICATE_HASH_VALUE    114 /* RFC 4366 */
 122
 123 /* ChangeCipherSpec */
 124 enum {
 125         TLS_CHANGE_CIPHER_SPEC = 1
 126 };
 127
 128 /* TLS Extensions */
 129 #define TLS_EXT_SERVER_NAME                     0 /* RFC 4366 */
 130 #define TLS_EXT_MAX_FRAGMENT_LENGTH             1 /* RFC 4366 */
 131 #define TLS_EXT_CLIENT_CERTIFICATE_URL          2 /* RFC 4366 */
 132 #define TLS_EXT_TRUSTED_CA_KEYS                 3 /* RFC 4366 */
 133 #define TLS_EXT_TRUNCATED_HMAC                  4 /* RFC 4366 */
 134 #define TLS_EXT_STATUS_REQUEST                  5 /* RFC 4366 */
 135 #define TLS_EXT_SESSION_TICKET                  35 /* RFC 4507 */
 136
 137 #define TLS_EXT_PAC_OPAQUE TLS_EXT_SESSION_TICKET /* EAP-FAST terminology */
 138
 139
 140 typedef enum {
 141         TLS_KEY_X_NULL,
 142         TLS_KEY_X_RSA,
 143         TLS_KEY_X_RSA_EXPORT,
 144         TLS_KEY_X_DH_DSS_EXPORT,
 145         TLS_KEY_X_DH_DSS,
 146         TLS_KEY_X_DH_RSA_EXPORT,
 147         TLS_KEY_X_DH_RSA,
 148         TLS_KEY_X_DHE_DSS_EXPORT,
 149         TLS_KEY_X_DHE_DSS,
 150         TLS_KEY_X_DHE_RSA_EXPORT,
 151         TLS_KEY_X_DHE_RSA,
 152         TLS_KEY_X_DH_anon_EXPORT,
 153         TLS_KEY_X_DH_anon
 154 } tls_key_exchange;
 155
 156 typedef enum {
 157         TLS_CIPHER_NULL,
 158         TLS_CIPHER_RC4_40,
 159         TLS_CIPHER_RC4_128,
 160         TLS_CIPHER_RC2_CBC_40,
 161         TLS_CIPHER_IDEA_CBC,
 162         TLS_CIPHER_DES40_CBC,
 163         TLS_CIPHER_DES_CBC,
 164         TLS_CIPHER_3DES_EDE_CBC,
 165         TLS_CIPHER_AES_128_CBC,
 166         TLS_CIPHER_AES_256_CBC
 167 } tls_cipher;
 168
 169 typedef enum {
 170         TLS_HASH_NULL,
 171         TLS_HASH_MD5,
 172         TLS_HASH_SHA
 173 } tls_hash;
 174
 175 struct tls_cipher_suite {
 176         u16 suite;
 177         tls_key_exchange key_exchange;
 178         tls_cipher cipher;
 179         tls_hash hash;
 180 };
 181
 182 typedef enum {
 183         TLS_CIPHER_STREAM,
 184         TLS_CIPHER_BLOCK
 185 } tls_cipher_type;
 186
 187 struct tls_cipher_data {
 188         tls_cipher cipher;
 189         tls_cipher_type type;
 190         size_t key_material;
 191         size_t expanded_key_material;
 192         size_t block_size; /* also iv_size */
 193         enum crypto_cipher_alg alg;
 194 };
 195
 196
 197 struct tls_verify_hash {
 198         struct crypto_hash *md5_client;
 199         struct crypto_hash *sha1_client;
 200         struct crypto_hash *md5_server;
 201         struct crypto_hash *sha1_server;
 202         struct crypto_hash *md5_cert;
 203         struct crypto_hash *sha1_cert;
 204 };
 205
 206
 207 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite);
 208 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher);
 209 int tls_server_key_exchange_allowed(tls_cipher cipher);
 210 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk);
 211 int tls_verify_hash_init(struct tls_verify_hash *verify);
 212 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
 213                          size_t len);
 214 void tls_verify_hash_free(struct tls_verify_hash *verify);
 215
 216 #endif /* TLSV1_COMMON_H */