Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 1f69aa52ea2e0a73ac502565df8c666ee49cab6a / . / src / tls / tlsv1_common.h
blob: 027daa47fc052b1a9fd873943cf7dd2a7acf70f5 [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1/*
2 * TLSv1 common definitions
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]3 * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#ifndef TLSV1_COMMON_H
16#define TLSV1_COMMON_H
17
18#include "crypto/crypto.h"
19
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]20#define TLS_VERSION_1 0x0301 /* TLSv1 */
21#define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */
22#define TLS_VERSION_1_2 0x0303 /* TLSv1.2 */
23#ifdef CONFIG_TLSV12
24#define TLS_VERSION TLS_VERSION_1_2
25#else /* CONFIG_TLSV12 */
26#ifdef CONFIG_TLSV11
27#define TLS_VERSION TLS_VERSION_1_1
28#else /* CONFIG_TLSV11 */
29#define TLS_VERSION TLS_VERSION_1
30#endif /* CONFIG_TLSV11 */
31#endif /* CONFIG_TLSV12 */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]32#define TLS_RANDOM_LEN 32
33#define TLS_PRE_MASTER_SECRET_LEN 48
34#define TLS_MASTER_SECRET_LEN 48
35#define TLS_SESSION_ID_MAX_LEN 32
36#define TLS_VERIFY_DATA_LEN 12
37
38/* HandshakeType */
39enum {
40 TLS_HANDSHAKE_TYPE_HELLO_REQUEST = 0,
41 TLS_HANDSHAKE_TYPE_CLIENT_HELLO = 1,
42 TLS_HANDSHAKE_TYPE_SERVER_HELLO = 2,
43 TLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET = 4 /* RFC 4507 */,
44 TLS_HANDSHAKE_TYPE_CERTIFICATE = 11,
45 TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE = 12,
46 TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST = 13,
47 TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE = 14,
48 TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY = 15,
49 TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE = 16,
50 TLS_HANDSHAKE_TYPE_FINISHED = 20,
51 TLS_HANDSHAKE_TYPE_CERTIFICATE_URL = 21 /* RFC 4366 */,
52 TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS = 22 /* RFC 4366 */
53};
54
55/* CipherSuite */
56#define TLS_NULL_WITH_NULL_NULL 0x0000 /* RFC 2246 */
57#define TLS_RSA_WITH_NULL_MD5 0x0001 /* RFC 2246 */
58#define TLS_RSA_WITH_NULL_SHA 0x0002 /* RFC 2246 */
59#define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 /* RFC 2246 */
60#define TLS_RSA_WITH_RC4_128_MD5 0x0004 /* RFC 2246 */
61#define TLS_RSA_WITH_RC4_128_SHA 0x0005 /* RFC 2246 */
62#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 /* RFC 2246 */
63#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 /* RFC 2246 */
64#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 /* RFC 2246 */
65#define TLS_RSA_WITH_DES_CBC_SHA 0x0009 /* RFC 2246 */
66#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A /* RFC 2246 */
67#define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000B /* RFC 2246 */
68#define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000C /* RFC 2246 */
69#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D /* RFC 2246 */
70#define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000E /* RFC 2246 */
71#define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000F /* RFC 2246 */
72#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 /* RFC 2246 */
73#define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 /* RFC 2246 */
74#define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 /* RFC 2246 */
75#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 /* RFC 2246 */
76#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 /* RFC 2246 */
77#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 /* RFC 2246 */
78#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 /* RFC 2246 */
79#define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017 /* RFC 2246 */
80#define TLS_DH_anon_WITH_RC4_128_MD5 0x0018 /* RFC 2246 */
81#define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019 /* RFC 2246 */
82#define TLS_DH_anon_WITH_DES_CBC_SHA 0x001A /* RFC 2246 */
83#define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B /* RFC 2246 */
84#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F /* RFC 3268 */
85#define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 /* RFC 3268 */
86#define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 /* RFC 3268 */
87#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 /* RFC 3268 */
88#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 /* RFC 3268 */
89#define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 /* RFC 3268 */
90#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 /* RFC 3268 */
91#define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 /* RFC 3268 */
92#define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 /* RFC 3268 */
93#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 /* RFC 3268 */
94#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 /* RFC 3268 */
95#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A /* RFC 3268 */
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]96#define TLS_RSA_WITH_NULL_SHA256 0x003B /* RFC 5246 */
97#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C /* RFC 5246 */
98#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D /* RFC 5246 */
99#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E /* RFC 5246 */
100#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F /* RFC 5246 */
101#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 /* RFC 5246 */
102#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 /* RFC 5246 */
103#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068 /* RFC 5246 */
104#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069 /* RFC 5246 */
105#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A /* RFC 5246 */
106#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B /* RFC 5246 */
107#define TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C /* RFC 5246 */
108#define TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D /* RFC 5246 */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]109
110/* CompressionMethod */
111#define TLS_COMPRESSION_NULL 0
112
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]113/* HashAlgorithm */
114enum {
115 TLS_HASH_ALG_NONE = 0,
116 TLS_HASH_ALG_MD5 = 1,
117 TLS_HASH_ALG_SHA1 = 2,
118 TLS_HASH_ALG_SHA224 = 3,
119 TLS_HASH_ALG_SHA256 = 4,
120 TLS_HASH_ALG_SHA384 = 5,
121 TLS_HASH_ALG_SHA512 = 6
122};
123
124/* SignatureAlgorithm */
125enum {
126 TLS_SIGN_ALG_ANONYMOUS = 0,
127 TLS_SIGN_ALG_RSA = 1,
128 TLS_SIGN_ALG_DSA = 2,
129 TLS_SIGN_ALG_ECDSA = 3,
130};
131
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]132/* AlertLevel */
133#define TLS_ALERT_LEVEL_WARNING 1
134#define TLS_ALERT_LEVEL_FATAL 2
135
136/* AlertDescription */
137#define TLS_ALERT_CLOSE_NOTIFY 0
138#define TLS_ALERT_UNEXPECTED_MESSAGE 10
139#define TLS_ALERT_BAD_RECORD_MAC 20
140#define TLS_ALERT_DECRYPTION_FAILED 21
141#define TLS_ALERT_RECORD_OVERFLOW 22
142#define TLS_ALERT_DECOMPRESSION_FAILURE 30
143#define TLS_ALERT_HANDSHAKE_FAILURE 40
144#define TLS_ALERT_BAD_CERTIFICATE 42
145#define TLS_ALERT_UNSUPPORTED_CERTIFICATE 43
146#define TLS_ALERT_CERTIFICATE_REVOKED 44
147#define TLS_ALERT_CERTIFICATE_EXPIRED 45
148#define TLS_ALERT_CERTIFICATE_UNKNOWN 46
149#define TLS_ALERT_ILLEGAL_PARAMETER 47
150#define TLS_ALERT_UNKNOWN_CA 48
151#define TLS_ALERT_ACCESS_DENIED 49
152#define TLS_ALERT_DECODE_ERROR 50
153#define TLS_ALERT_DECRYPT_ERROR 51
154#define TLS_ALERT_EXPORT_RESTRICTION 60
155#define TLS_ALERT_PROTOCOL_VERSION 70
156#define TLS_ALERT_INSUFFICIENT_SECURITY 71
157#define TLS_ALERT_INTERNAL_ERROR 80
158#define TLS_ALERT_USER_CANCELED 90
159#define TLS_ALERT_NO_RENEGOTIATION 100
160#define TLS_ALERT_UNSUPPORTED_EXTENSION 110 /* RFC 4366 */
161#define TLS_ALERT_CERTIFICATE_UNOBTAINABLE 111 /* RFC 4366 */
162#define TLS_ALERT_UNRECOGNIZED_NAME 112 /* RFC 4366 */
163#define TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 113 /* RFC 4366 */
164#define TLS_ALERT_BAD_CERTIFICATE_HASH_VALUE 114 /* RFC 4366 */
165
166/* ChangeCipherSpec */
167enum {
168 TLS_CHANGE_CIPHER_SPEC = 1
169};
170
171/* TLS Extensions */
172#define TLS_EXT_SERVER_NAME 0 /* RFC 4366 */
173#define TLS_EXT_MAX_FRAGMENT_LENGTH 1 /* RFC 4366 */
174#define TLS_EXT_CLIENT_CERTIFICATE_URL 2 /* RFC 4366 */
175#define TLS_EXT_TRUSTED_CA_KEYS 3 /* RFC 4366 */
176#define TLS_EXT_TRUNCATED_HMAC 4 /* RFC 4366 */
177#define TLS_EXT_STATUS_REQUEST 5 /* RFC 4366 */
178#define TLS_EXT_SESSION_TICKET 35 /* RFC 4507 */
179
180#define TLS_EXT_PAC_OPAQUE TLS_EXT_SESSION_TICKET /* EAP-FAST terminology */
181
182
183typedef enum {
184 TLS_KEY_X_NULL,
185 TLS_KEY_X_RSA,
186 TLS_KEY_X_RSA_EXPORT,
187 TLS_KEY_X_DH_DSS_EXPORT,
188 TLS_KEY_X_DH_DSS,
189 TLS_KEY_X_DH_RSA_EXPORT,
190 TLS_KEY_X_DH_RSA,
191 TLS_KEY_X_DHE_DSS_EXPORT,
192 TLS_KEY_X_DHE_DSS,
193 TLS_KEY_X_DHE_RSA_EXPORT,
194 TLS_KEY_X_DHE_RSA,
195 TLS_KEY_X_DH_anon_EXPORT,
196 TLS_KEY_X_DH_anon
197} tls_key_exchange;
198
199typedef enum {
200 TLS_CIPHER_NULL,
201 TLS_CIPHER_RC4_40,
202 TLS_CIPHER_RC4_128,
203 TLS_CIPHER_RC2_CBC_40,
204 TLS_CIPHER_IDEA_CBC,
205 TLS_CIPHER_DES40_CBC,
206 TLS_CIPHER_DES_CBC,
207 TLS_CIPHER_3DES_EDE_CBC,
208 TLS_CIPHER_AES_128_CBC,
209 TLS_CIPHER_AES_256_CBC
210} tls_cipher;
211
212typedef enum {
213 TLS_HASH_NULL,
214 TLS_HASH_MD5,
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]215 TLS_HASH_SHA,
216 TLS_HASH_SHA256
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]217} tls_hash;
218
219struct tls_cipher_suite {
220 u16 suite;
221 tls_key_exchange key_exchange;
222 tls_cipher cipher;
223 tls_hash hash;
224};
225
226typedef enum {
227 TLS_CIPHER_STREAM,
228 TLS_CIPHER_BLOCK
229} tls_cipher_type;
230
231struct tls_cipher_data {
232 tls_cipher cipher;
233 tls_cipher_type type;
234 size_t key_material;
235 size_t expanded_key_material;
236 size_t block_size; /* also iv_size */
237 enum crypto_cipher_alg alg;
238};
239
240
241struct tls_verify_hash {
242 struct crypto_hash *md5_client;
243 struct crypto_hash *sha1_client;
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]244 struct crypto_hash *sha256_client;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]245 struct crypto_hash *md5_server;
246 struct crypto_hash *sha1_server;
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]247 struct crypto_hash *sha256_server;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]248 struct crypto_hash *md5_cert;
249 struct crypto_hash *sha1_cert;
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]250 struct crypto_hash *sha256_cert;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]251};
252
253
254const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite);
255const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher);
256int tls_server_key_exchange_allowed(tls_cipher cipher);
257int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk);
258int tls_verify_hash_init(struct tls_verify_hash *verify);
259void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
260 size_t len);
261void tls_verify_hash_free(struct tls_verify_hash *verify);
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]262int tls_version_ok(u16 ver);
263const char * tls_version_str(u16 ver);
264int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
265 const u8 *seed, size_t seed_len, u8 *out, size_t outlen);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]266
267#endif /* TLSV1_COMMON_H */