wpa_supplicant / hostapd  2.5
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
tlsv1_common.h
Go to the documentation of this file.
1 
5 #ifndef TLSV1_COMMON_H
6 #define TLSV1_COMMON_H
7 
8 #include "crypto/crypto.h"
9 
10 #define TLS_VERSION_1 0x0301 /* TLSv1 */
11 #define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */
12 #define TLS_VERSION_1_2 0x0303 /* TLSv1.2 */
13 #ifdef CONFIG_TLSV12
14 #define TLS_VERSION TLS_VERSION_1_2
15 #else /* CONFIG_TLSV12 */
16 #ifdef CONFIG_TLSV11
17 #define TLS_VERSION TLS_VERSION_1_1
18 #else /* CONFIG_TLSV11 */
19 #define TLS_VERSION TLS_VERSION_1
20 #endif /* CONFIG_TLSV11 */
21 #endif /* CONFIG_TLSV12 */
22 #define TLS_RANDOM_LEN 32
23 #define TLS_PRE_MASTER_SECRET_LEN 48
24 #define TLS_MASTER_SECRET_LEN 48
25 #define TLS_SESSION_ID_MAX_LEN 32
26 #define TLS_VERIFY_DATA_LEN 12
27 
28 /* HandshakeType */
29 enum {
30  TLS_HANDSHAKE_TYPE_HELLO_REQUEST = 0,
31  TLS_HANDSHAKE_TYPE_CLIENT_HELLO = 1,
32  TLS_HANDSHAKE_TYPE_SERVER_HELLO = 2,
33  TLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET = 4 /* RFC 4507 */,
34  TLS_HANDSHAKE_TYPE_CERTIFICATE = 11,
35  TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE = 12,
36  TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST = 13,
37  TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE = 14,
38  TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY = 15,
39  TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE = 16,
40  TLS_HANDSHAKE_TYPE_FINISHED = 20,
41  TLS_HANDSHAKE_TYPE_CERTIFICATE_URL = 21 /* RFC 4366 */,
42  TLS_HANDSHAKE_TYPE_CERTIFICATE_STATUS = 22 /* RFC 4366 */
43 };
44 
45 /* CipherSuite */
46 #define TLS_NULL_WITH_NULL_NULL 0x0000 /* RFC 2246 */
47 #define TLS_RSA_WITH_NULL_MD5 0x0001 /* RFC 2246 */
48 #define TLS_RSA_WITH_NULL_SHA 0x0002 /* RFC 2246 */
49 #define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 /* RFC 2246 */
50 #define TLS_RSA_WITH_RC4_128_MD5 0x0004 /* RFC 2246 */
51 #define TLS_RSA_WITH_RC4_128_SHA 0x0005 /* RFC 2246 */
52 #define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 /* RFC 2246 */
53 #define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 /* RFC 2246 */
54 #define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 /* RFC 2246 */
55 #define TLS_RSA_WITH_DES_CBC_SHA 0x0009 /* RFC 2246 */
56 #define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A /* RFC 2246 */
57 #define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000B /* RFC 2246 */
58 #define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000C /* RFC 2246 */
59 #define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D /* RFC 2246 */
60 #define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000E /* RFC 2246 */
61 #define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000F /* RFC 2246 */
62 #define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 /* RFC 2246 */
63 #define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 /* RFC 2246 */
64 #define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 /* RFC 2246 */
65 #define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 /* RFC 2246 */
66 #define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 /* RFC 2246 */
67 #define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 /* RFC 2246 */
68 #define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 /* RFC 2246 */
69 #define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017 /* RFC 2246 */
70 #define TLS_DH_anon_WITH_RC4_128_MD5 0x0018 /* RFC 2246 */
71 #define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019 /* RFC 2246 */
72 #define TLS_DH_anon_WITH_DES_CBC_SHA 0x001A /* RFC 2246 */
73 #define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B /* RFC 2246 */
74 #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F /* RFC 3268 */
75 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 /* RFC 3268 */
76 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 /* RFC 3268 */
77 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 /* RFC 3268 */
78 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 /* RFC 3268 */
79 #define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 /* RFC 3268 */
80 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 /* RFC 3268 */
81 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 /* RFC 3268 */
82 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 /* RFC 3268 */
83 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 /* RFC 3268 */
84 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 /* RFC 3268 */
85 #define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A /* RFC 3268 */
86 #define TLS_RSA_WITH_NULL_SHA256 0x003B /* RFC 5246 */
87 #define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C /* RFC 5246 */
88 #define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D /* RFC 5246 */
89 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E /* RFC 5246 */
90 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F /* RFC 5246 */
91 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 /* RFC 5246 */
92 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 /* RFC 5246 */
93 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068 /* RFC 5246 */
94 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069 /* RFC 5246 */
95 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A /* RFC 5246 */
96 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B /* RFC 5246 */
97 #define TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C /* RFC 5246 */
98 #define TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D /* RFC 5246 */
99 
100 /* CompressionMethod */
101 #define TLS_COMPRESSION_NULL 0
102 
103 /* HashAlgorithm */
104 enum {
105  TLS_HASH_ALG_NONE = 0,
106  TLS_HASH_ALG_MD5 = 1,
107  TLS_HASH_ALG_SHA1 = 2,
108  TLS_HASH_ALG_SHA224 = 3,
109  TLS_HASH_ALG_SHA256 = 4,
110  TLS_HASH_ALG_SHA384 = 5,
111  TLS_HASH_ALG_SHA512 = 6
112 };
113 
114 /* SignatureAlgorithm */
115 enum {
116  TLS_SIGN_ALG_ANONYMOUS = 0,
117  TLS_SIGN_ALG_RSA = 1,
118  TLS_SIGN_ALG_DSA = 2,
119  TLS_SIGN_ALG_ECDSA = 3,
120 };
121 
122 /* AlertLevel */
123 #define TLS_ALERT_LEVEL_WARNING 1
124 #define TLS_ALERT_LEVEL_FATAL 2
125 
126 /* AlertDescription */
127 #define TLS_ALERT_CLOSE_NOTIFY 0
128 #define TLS_ALERT_UNEXPECTED_MESSAGE 10
129 #define TLS_ALERT_BAD_RECORD_MAC 20
130 #define TLS_ALERT_DECRYPTION_FAILED 21
131 #define TLS_ALERT_RECORD_OVERFLOW 22
132 #define TLS_ALERT_DECOMPRESSION_FAILURE 30
133 #define TLS_ALERT_HANDSHAKE_FAILURE 40
134 #define TLS_ALERT_BAD_CERTIFICATE 42
135 #define TLS_ALERT_UNSUPPORTED_CERTIFICATE 43
136 #define TLS_ALERT_CERTIFICATE_REVOKED 44
137 #define TLS_ALERT_CERTIFICATE_EXPIRED 45
138 #define TLS_ALERT_CERTIFICATE_UNKNOWN 46
139 #define TLS_ALERT_ILLEGAL_PARAMETER 47
140 #define TLS_ALERT_UNKNOWN_CA 48
141 #define TLS_ALERT_ACCESS_DENIED 49
142 #define TLS_ALERT_DECODE_ERROR 50
143 #define TLS_ALERT_DECRYPT_ERROR 51
144 #define TLS_ALERT_EXPORT_RESTRICTION 60
145 #define TLS_ALERT_PROTOCOL_VERSION 70
146 #define TLS_ALERT_INSUFFICIENT_SECURITY 71
147 #define TLS_ALERT_INTERNAL_ERROR 80
148 #define TLS_ALERT_USER_CANCELED 90
149 #define TLS_ALERT_NO_RENEGOTIATION 100
150 #define TLS_ALERT_UNSUPPORTED_EXTENSION 110 /* RFC 4366 */
151 #define TLS_ALERT_CERTIFICATE_UNOBTAINABLE 111 /* RFC 4366 */
152 #define TLS_ALERT_UNRECOGNIZED_NAME 112 /* RFC 4366 */
153 #define TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 113 /* RFC 4366 */
154 #define TLS_ALERT_BAD_CERTIFICATE_HASH_VALUE 114 /* RFC 4366 */
155 
156 /* ChangeCipherSpec */
157 enum {
158  TLS_CHANGE_CIPHER_SPEC = 1
159 };
160 
161 /* TLS Extensions */
162 #define TLS_EXT_SERVER_NAME 0 /* RFC 4366 */
163 #define TLS_EXT_MAX_FRAGMENT_LENGTH 1 /* RFC 4366 */
164 #define TLS_EXT_CLIENT_CERTIFICATE_URL 2 /* RFC 4366 */
165 #define TLS_EXT_TRUSTED_CA_KEYS 3 /* RFC 4366 */
166 #define TLS_EXT_TRUNCATED_HMAC 4 /* RFC 4366 */
167 #define TLS_EXT_STATUS_REQUEST 5 /* RFC 4366 */
168 #define TLS_EXT_SESSION_TICKET 35 /* RFC 4507 */
169 
170 #define TLS_EXT_PAC_OPAQUE TLS_EXT_SESSION_TICKET /* EAP-FAST terminology */
171 
172 
173 typedef enum {
174  TLS_KEY_X_NULL,
175  TLS_KEY_X_RSA,
176  TLS_KEY_X_RSA_EXPORT,
177  TLS_KEY_X_DH_DSS_EXPORT,
178  TLS_KEY_X_DH_DSS,
179  TLS_KEY_X_DH_RSA_EXPORT,
180  TLS_KEY_X_DH_RSA,
181  TLS_KEY_X_DHE_DSS_EXPORT,
182  TLS_KEY_X_DHE_DSS,
183  TLS_KEY_X_DHE_RSA_EXPORT,
184  TLS_KEY_X_DHE_RSA,
185  TLS_KEY_X_DH_anon_EXPORT,
186  TLS_KEY_X_DH_anon
187 } tls_key_exchange;
188 
189 typedef enum {
190  TLS_CIPHER_NULL,
191  TLS_CIPHER_RC4_40,
192  TLS_CIPHER_RC4_128,
193  TLS_CIPHER_RC2_CBC_40,
194  TLS_CIPHER_IDEA_CBC,
195  TLS_CIPHER_DES40_CBC,
196  TLS_CIPHER_DES_CBC,
197  TLS_CIPHER_3DES_EDE_CBC,
198  TLS_CIPHER_AES_128_CBC,
199  TLS_CIPHER_AES_256_CBC
200 } tls_cipher;
201 
202 typedef enum {
203  TLS_HASH_NULL,
204  TLS_HASH_MD5,
205  TLS_HASH_SHA,
206  TLS_HASH_SHA256
207 } tls_hash;
208 
209 struct tls_cipher_suite {
210  u16 suite;
211  tls_key_exchange key_exchange;
212  tls_cipher cipher;
213  tls_hash hash;
214 };
215 
216 typedef enum {
217  TLS_CIPHER_STREAM,
218  TLS_CIPHER_BLOCK
219 } tls_cipher_type;
220 
221 struct tls_cipher_data {
222  tls_cipher cipher;
223  tls_cipher_type type;
224  size_t key_material;
225  size_t expanded_key_material;
226  size_t block_size; /* also iv_size */
227  enum crypto_cipher_alg alg;
228 };
229 
230 
231 struct tls_verify_hash {
232  struct crypto_hash *md5_client;
233  struct crypto_hash *sha1_client;
234  struct crypto_hash *sha256_client;
235  struct crypto_hash *md5_server;
236  struct crypto_hash *sha1_server;
237  struct crypto_hash *sha256_server;
238  struct crypto_hash *md5_cert;
239  struct crypto_hash *sha1_cert;
240  struct crypto_hash *sha256_cert;
241 };
242 
243 
244 const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite);
245 const struct tls_cipher_data * tls_get_cipher_data(tls_cipher cipher);
246 int tls_server_key_exchange_allowed(tls_cipher cipher);
247 int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk);
248 int tls_verify_hash_init(struct tls_verify_hash *verify);
249 void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
250  size_t len);
251 void tls_verify_hash_free(struct tls_verify_hash *verify);
252 int tls_version_ok(u16 ver);
253 const char * tls_version_str(u16 ver);
254 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
255  const u8 *seed, size_t seed_len, u8 *out, size_t outlen);
256 int tlsv12_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
257  const u8 *server_random,
258  const u8 *server_params,
259  size_t server_params_len, u8 *hash);
260 int tls_key_x_server_params_hash(u16 tls_version, const u8 *client_random,
261  const u8 *server_random,
262  const u8 *server_params,
263  size_t server_params_len, u8 *hash);
264 int tls_verify_signature(u16 tls_version, struct crypto_public_key *pk,
265  const u8 *data, size_t data_len,
266  const u8 *pos, size_t len, u8 *alert);
267 
268 #endif /* TLSV1_COMMON_H */
tls_cipher_data
Definition: tlsv1_common.h:221
crypto_public_key
Definition: crypto_libtomcrypt.c:403
crypto.h
Wrapper functions for crypto libraries.
tls_cipher_suite
Definition: tlsv1_common.h:209
tls_parse_cert
int tls_parse_cert(const u8 *buf, size_t len, struct crypto_public_key **pk)
Parse DER encoded X.509 certificate and get public key.
Definition: tlsv1_common.c:159
crypto_hash
Definition: crypto_internal.c:13
tls_get_cipher_suite
const struct tls_cipher_suite * tls_get_cipher_suite(u16 suite)
Get TLS cipher suite.
Definition: tlsv1_common.c:103
tls_verify_hash
Definition: tlsv1_common.h:231
Generated on Sun Sep 27 2015 22:08:07 for wpa_supplicant / hostapd by   doxygen 1.8.6