tls.h
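/**
 * @file tls.h
 * @brief TLS (Transport Layer Security)
 *
 * @section License
 *
 * Copyright (C) 2010-2017 Oryx Embedded SARL. All rights reserved.
 *
 * This file is part of CycloneSSL Open.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 * @author Oryx Embedded SARL (www.oryx-embedded.com)
 * @version 1.7.6
 **/

#ifndef _TLS_H
#define _TLS_H

//Dependencies
#include "os_port.h"
#include "crypto.h"
#include "tls_config.h"
#include "hmac.h"
#include "rsa.h"
#include "dsa.h"
#include "ecdsa.h"
#include "dh.h"
#include "ecdh.h"
#include "cipher_mode_gcm.h"

//Compile-time configuration. Every option below follows the same pattern:
//a default is supplied when the option is not already defined, otherwise the
//supplied value is range-checked. A check therefore runs only for values
//that were defined before this point (presumably in tls_config.h)

//TLS version numbers
#define SSL_VERSION_3_0 0x0300
#define TLS_VERSION_1_0 0x0301
#define TLS_VERSION_1_1 0x0302
#define TLS_VERSION_1_2 0x0303

//Enable SSL/TLS support
#ifndef TLS_SUPPORT
   #define TLS_SUPPORT ENABLED
#elif (TLS_SUPPORT != ENABLED && TLS_SUPPORT != DISABLED)
   #error TLS_SUPPORT parameter is not valid
#endif

//Client mode of operation
#ifndef TLS_CLIENT_SUPPORT
   #define TLS_CLIENT_SUPPORT ENABLED
#elif (TLS_CLIENT_SUPPORT != ENABLED && TLS_CLIENT_SUPPORT != DISABLED)
   #error TLS_CLIENT_SUPPORT parameter is not valid
#endif

//Server mode of operation
#ifndef TLS_SERVER_SUPPORT
   #define TLS_SERVER_SUPPORT ENABLED
#elif (TLS_SERVER_SUPPORT != ENABLED && TLS_SERVER_SUPPORT != DISABLED)
   #error TLS_SERVER_SUPPORT parameter is not valid
#endif

//Minimum version that can be negotiated
//NOTE(review): the default floor is TLS 1.0 and the check below still
//accepts SSL 3.0. SSL 3.0 (RFC 7568) and TLS 1.0/1.1 (RFC 8996) are
//deprecated; set TLS_MIN_VERSION to TLS_VERSION_1_2 unless legacy peers
//must be supported
#ifndef TLS_MIN_VERSION
   #define TLS_MIN_VERSION TLS_VERSION_1_0
#elif (TLS_MIN_VERSION < SSL_VERSION_3_0)
   #error TLS_MIN_VERSION parameter is not valid
#endif

//Maximum version that can be negotiated
#ifndef TLS_MAX_VERSION
   #define TLS_MAX_VERSION TLS_VERSION_1_2
#elif (TLS_MAX_VERSION > TLS_VERSION_1_2 || TLS_MAX_VERSION < TLS_MIN_VERSION)
   #error TLS_MAX_VERSION parameter is not valid
#endif

//The #elif above is skipped when TLS_MAX_VERSION is left at its default, so
//a TLS_MIN_VERSION set above it would otherwise go unnoticed. Check the
//range again now that both bounds are known
#if (TLS_MIN_VERSION > TLS_MAX_VERSION)
   #error TLS_MIN_VERSION parameter is not valid
#endif

//Session resumption mechanism
#ifndef TLS_SESSION_RESUME_SUPPORT
   #define TLS_SESSION_RESUME_SUPPORT ENABLED
#elif (TLS_SESSION_RESUME_SUPPORT != ENABLED && TLS_SESSION_RESUME_SUPPORT != DISABLED)
   #error TLS_SESSION_RESUME_SUPPORT parameter is not valid
#endif

//Lifetime of session cache entries
//(presumably in milliseconds, i.e. one hour by default - confirm)
#ifndef TLS_SESSION_CACHE_LIFETIME
   #define TLS_SESSION_CACHE_LIFETIME 3600000
#elif (TLS_SESSION_CACHE_LIFETIME < 1000)
   #error TLS_SESSION_CACHE_LIFETIME parameter is not valid
#endif

//SNI (Server Name Indication) extension
#ifndef TLS_SNI_SUPPORT
   #define TLS_SNI_SUPPORT ENABLED
#elif (TLS_SNI_SUPPORT != ENABLED && TLS_SNI_SUPPORT != DISABLED)
   #error TLS_SNI_SUPPORT parameter is not valid
#endif

//ALPN (Application-Layer Protocol Negotiation) extension
#ifndef TLS_ALPN_SUPPORT
   #define TLS_ALPN_SUPPORT DISABLED
#elif (TLS_ALPN_SUPPORT != ENABLED && TLS_ALPN_SUPPORT != DISABLED)
   #error TLS_ALPN_SUPPORT parameter is not valid
#endif

//Maximum number of certificates the end entity can load
#ifndef TLS_MAX_CERTIFICATES
   #define TLS_MAX_CERTIFICATES 3
#elif (TLS_MAX_CERTIFICATES < 1)
   #error TLS_MAX_CERTIFICATES parameter is not valid
#endif

//RSA key exchange support
//NOTE(review): static RSA key exchange offers no forward secrecy; prefer
//the DHE/ECDHE options where peers allow it
#ifndef TLS_RSA_SUPPORT
   #define TLS_RSA_SUPPORT ENABLED
#elif (TLS_RSA_SUPPORT != ENABLED && TLS_RSA_SUPPORT != DISABLED)
   #error TLS_RSA_SUPPORT parameter is not valid
#endif

//DHE_RSA key exchange support
#ifndef TLS_DHE_RSA_SUPPORT
   #define TLS_DHE_RSA_SUPPORT ENABLED
#elif (TLS_DHE_RSA_SUPPORT != ENABLED && TLS_DHE_RSA_SUPPORT != DISABLED)
   #error TLS_DHE_RSA_SUPPORT parameter is not valid
#endif

//DHE_DSS key exchange support
#ifndef TLS_DHE_DSS_SUPPORT
   #define TLS_DHE_DSS_SUPPORT ENABLED
#elif (TLS_DHE_DSS_SUPPORT != ENABLED && TLS_DHE_DSS_SUPPORT != DISABLED)
   #error TLS_DHE_DSS_SUPPORT parameter is not valid
#endif

//DH_anon key exchange support
//Anonymous key exchange does not authenticate the peer and so gives no
//protection against an active man-in-the-middle; keep it DISABLED unless
//that is an explicit design choice
#ifndef TLS_DH_ANON_SUPPORT
   #define TLS_DH_ANON_SUPPORT DISABLED
#elif (TLS_DH_ANON_SUPPORT != ENABLED && TLS_DH_ANON_SUPPORT != DISABLED)
   #error TLS_DH_ANON_SUPPORT parameter is not valid
#endif

//ECDHE_RSA key exchange support
#ifndef TLS_ECDHE_RSA_SUPPORT
   #define TLS_ECDHE_RSA_SUPPORT ENABLED
#elif (TLS_ECDHE_RSA_SUPPORT != ENABLED && TLS_ECDHE_RSA_SUPPORT != DISABLED)
   #error TLS_ECDHE_RSA_SUPPORT parameter is not valid
#endif

//ECDHE_ECDSA key exchange support
#ifndef TLS_ECDHE_ECDSA_SUPPORT
   #define TLS_ECDHE_ECDSA_SUPPORT ENABLED
#elif (TLS_ECDHE_ECDSA_SUPPORT != ENABLED && TLS_ECDHE_ECDSA_SUPPORT != DISABLED)
   #error TLS_ECDHE_ECDSA_SUPPORT parameter is not valid
#endif

//ECDH_anon key exchange support
//(unauthenticated, same caveat as DH_anon above)
#ifndef TLS_ECDH_ANON_SUPPORT
   #define TLS_ECDH_ANON_SUPPORT DISABLED
#elif (TLS_ECDH_ANON_SUPPORT != ENABLED && TLS_ECDH_ANON_SUPPORT != DISABLED)
   #error TLS_ECDH_ANON_SUPPORT parameter is not valid
#endif

//PSK key exchange support
#ifndef TLS_PSK_SUPPORT
   #define TLS_PSK_SUPPORT DISABLED
#elif (TLS_PSK_SUPPORT != ENABLED && TLS_PSK_SUPPORT != DISABLED)
   #error TLS_PSK_SUPPORT parameter is not valid
#endif

//RSA_PSK key exchange support
#ifndef TLS_RSA_PSK_SUPPORT
   #define TLS_RSA_PSK_SUPPORT DISABLED
#elif (TLS_RSA_PSK_SUPPORT != ENABLED && TLS_RSA_PSK_SUPPORT != DISABLED)
   #error TLS_RSA_PSK_SUPPORT parameter is not valid
#endif

//DHE_PSK key exchange support
#ifndef TLS_DHE_PSK_SUPPORT
   #define TLS_DHE_PSK_SUPPORT DISABLED
#elif (TLS_DHE_PSK_SUPPORT != ENABLED && TLS_DHE_PSK_SUPPORT != DISABLED)
   #error TLS_DHE_PSK_SUPPORT parameter is not valid
#endif

//ECDHE_PSK key exchange support
#ifndef TLS_ECDHE_PSK_SUPPORT
   #define TLS_ECDHE_PSK_SUPPORT DISABLED
#elif (TLS_ECDHE_PSK_SUPPORT != ENABLED && TLS_ECDHE_PSK_SUPPORT != DISABLED)
   #error TLS_ECDHE_PSK_SUPPORT parameter is not valid
#endif

//RSA signature capability
#ifndef TLS_RSA_SIGN_SUPPORT
   #define TLS_RSA_SIGN_SUPPORT ENABLED
#elif (TLS_RSA_SIGN_SUPPORT != ENABLED && TLS_RSA_SIGN_SUPPORT != DISABLED)
   #error TLS_RSA_SIGN_SUPPORT parameter is not valid
#endif

//DSA signature capability
#ifndef TLS_DSA_SIGN_SUPPORT
   #define TLS_DSA_SIGN_SUPPORT ENABLED
#elif (TLS_DSA_SIGN_SUPPORT != ENABLED && TLS_DSA_SIGN_SUPPORT != DISABLED)
   #error TLS_DSA_SIGN_SUPPORT parameter is not valid
#endif

//ECDSA signature capability
#ifndef TLS_ECDSA_SIGN_SUPPORT
   #define TLS_ECDSA_SIGN_SUPPORT ENABLED
#elif (TLS_ECDSA_SIGN_SUPPORT != ENABLED && TLS_ECDSA_SIGN_SUPPORT != DISABLED)
   #error TLS_ECDSA_SIGN_SUPPORT parameter is not valid
#endif

//Stream cipher support
#ifndef TLS_STREAM_CIPHER_SUPPORT
   #define TLS_STREAM_CIPHER_SUPPORT ENABLED
#elif (TLS_STREAM_CIPHER_SUPPORT != ENABLED && TLS_STREAM_CIPHER_SUPPORT != DISABLED)
   #error TLS_STREAM_CIPHER_SUPPORT parameter is not valid
#endif

//CBC block cipher support
//NOTE(review): CBC suites in TLS 1.2 and earlier use MAC-then-encrypt and
//have a history of padding-oracle weaknesses; prefer the AEAD modes (GCM,
//CCM, ChaCha20Poly1305) where peers support them
#ifndef TLS_CBC_CIPHER_SUPPORT
   #define TLS_CBC_CIPHER_SUPPORT ENABLED
#elif (TLS_CBC_CIPHER_SUPPORT != ENABLED && TLS_CBC_CIPHER_SUPPORT != DISABLED)
   #error TLS_CBC_CIPHER_SUPPORT parameter is not valid
#endif

//CCM AEAD support
#ifndef TLS_CCM_CIPHER_SUPPORT
   #define TLS_CCM_CIPHER_SUPPORT ENABLED
#elif (TLS_CCM_CIPHER_SUPPORT != ENABLED && TLS_CCM_CIPHER_SUPPORT != DISABLED)
   #error TLS_CCM_CIPHER_SUPPORT parameter is not valid
#endif

//CCM_8 AEAD support
#ifndef TLS_CCM_8_CIPHER_SUPPORT
   #define TLS_CCM_8_CIPHER_SUPPORT DISABLED
#elif (TLS_CCM_8_CIPHER_SUPPORT != ENABLED && TLS_CCM_8_CIPHER_SUPPORT != DISABLED)
   #error TLS_CCM_8_CIPHER_SUPPORT parameter is not valid
#endif

//GCM AEAD support
#ifndef TLS_GCM_CIPHER_SUPPORT
   #define TLS_GCM_CIPHER_SUPPORT ENABLED
#elif (TLS_GCM_CIPHER_SUPPORT != ENABLED && TLS_GCM_CIPHER_SUPPORT != DISABLED)
   #error TLS_GCM_CIPHER_SUPPORT parameter is not valid
#endif

//ChaCha20Poly1305 AEAD support
#ifndef TLS_CHACHA20_POLY1305_SUPPORT
   #define TLS_CHACHA20_POLY1305_SUPPORT DISABLED
#elif (TLS_CHACHA20_POLY1305_SUPPORT != ENABLED && TLS_CHACHA20_POLY1305_SUPPORT != DISABLED)
   #error TLS_CHACHA20_POLY1305_SUPPORT parameter is not valid
#endif

//RC4 cipher support
//(RC4 cipher suites are prohibited in TLS by RFC 7465; keep DISABLED)
#ifndef TLS_RC4_SUPPORT
   #define TLS_RC4_SUPPORT DISABLED
#elif (TLS_RC4_SUPPORT != ENABLED && TLS_RC4_SUPPORT != DISABLED)
   #error TLS_RC4_SUPPORT parameter is not valid
#endif

//IDEA cipher support
#ifndef TLS_IDEA_SUPPORT
   #define TLS_IDEA_SUPPORT DISABLED
#elif (TLS_IDEA_SUPPORT != ENABLED && TLS_IDEA_SUPPORT != DISABLED)
   #error TLS_IDEA_SUPPORT parameter is not valid
#endif

//DES cipher support
//(single DES has a 56-bit key; keep DISABLED)
#ifndef TLS_DES_SUPPORT
   #define TLS_DES_SUPPORT DISABLED
#elif (TLS_DES_SUPPORT != ENABLED && TLS_DES_SUPPORT != DISABLED)
   #error TLS_DES_SUPPORT parameter is not valid
#endif

//Triple DES cipher support
//NOTE(review): enabled by default. 3DES has a 64-bit block, which exposes
//long-lived connections to birthday-bound collisions; consider DISABLED
//unless a legacy peer requires it
#ifndef TLS_3DES_SUPPORT
   #define TLS_3DES_SUPPORT ENABLED
#elif (TLS_3DES_SUPPORT != ENABLED && TLS_3DES_SUPPORT != DISABLED)
   #error TLS_3DES_SUPPORT parameter is not valid
#endif

//AES cipher support
#ifndef TLS_AES_SUPPORT
   #define TLS_AES_SUPPORT ENABLED
#elif (TLS_AES_SUPPORT != ENABLED && TLS_AES_SUPPORT != DISABLED)
   #error TLS_AES_SUPPORT parameter is not valid
#endif

//Camellia cipher support
#ifndef TLS_CAMELLIA_SUPPORT
   #define TLS_CAMELLIA_SUPPORT ENABLED
#elif (TLS_CAMELLIA_SUPPORT != ENABLED && TLS_CAMELLIA_SUPPORT != DISABLED)
   #error TLS_CAMELLIA_SUPPORT parameter is not valid
#endif

//SEED cipher support
#ifndef TLS_SEED_SUPPORT
   #define TLS_SEED_SUPPORT ENABLED
#elif (TLS_SEED_SUPPORT != ENABLED && TLS_SEED_SUPPORT != DISABLED)
   #error TLS_SEED_SUPPORT parameter is not valid
#endif

//ARIA cipher support
#ifndef TLS_ARIA_SUPPORT
   #define TLS_ARIA_SUPPORT ENABLED
#elif (TLS_ARIA_SUPPORT != ENABLED && TLS_ARIA_SUPPORT != DISABLED)
   #error TLS_ARIA_SUPPORT parameter is not valid
#endif

//MD5 hash support
//(MD5 is not collision resistant; keep DISABLED)
#ifndef TLS_MD5_SUPPORT
   #define TLS_MD5_SUPPORT DISABLED
#elif (TLS_MD5_SUPPORT != ENABLED && TLS_MD5_SUPPORT != DISABLED)
   #error TLS_MD5_SUPPORT parameter is not valid
#endif

//SHA-1 hash support
//NOTE(review): enabled by default. SHA-1 is no longer collision resistant;
//disable it when no peer depends on SHA-1 based suites or signatures
#ifndef TLS_SHA1_SUPPORT
   #define TLS_SHA1_SUPPORT ENABLED
#elif (TLS_SHA1_SUPPORT != ENABLED && TLS_SHA1_SUPPORT != DISABLED)
   #error TLS_SHA1_SUPPORT parameter is not valid
#endif

//SHA-224 hash support
#ifndef TLS_SHA224_SUPPORT
   #define TLS_SHA224_SUPPORT ENABLED
#elif (TLS_SHA224_SUPPORT != ENABLED && TLS_SHA224_SUPPORT != DISABLED)
   #error TLS_SHA224_SUPPORT parameter is not valid
#endif

//SHA-256 hash support
#ifndef TLS_SHA256_SUPPORT
   #define TLS_SHA256_SUPPORT ENABLED
#elif (TLS_SHA256_SUPPORT != ENABLED && TLS_SHA256_SUPPORT != DISABLED)
   #error TLS_SHA256_SUPPORT parameter is not valid
#endif

//SHA-384 hash support
#ifndef TLS_SHA384_SUPPORT
   #define TLS_SHA384_SUPPORT ENABLED
#elif (TLS_SHA384_SUPPORT != ENABLED && TLS_SHA384_SUPPORT != DISABLED)
   #error TLS_SHA384_SUPPORT parameter is not valid
#endif

//SHA-512 hash support
#ifndef TLS_SHA512_SUPPORT
   #define TLS_SHA512_SUPPORT ENABLED
#elif (TLS_SHA512_SUPPORT != ENABLED && TLS_SHA512_SUPPORT != DISABLED)
   #error TLS_SHA512_SUPPORT parameter is not valid
#endif

//secp160k1 elliptic curve support
#ifndef TLS_SECP160K1_SUPPORT
   #define TLS_SECP160K1_SUPPORT DISABLED
#elif (TLS_SECP160K1_SUPPORT != ENABLED && TLS_SECP160K1_SUPPORT != DISABLED)
   #error TLS_SECP160K1_SUPPORT parameter is not valid
#endif

//secp160r1 elliptic curve support
#ifndef TLS_SECP160R1_SUPPORT
   #define TLS_SECP160R1_SUPPORT DISABLED
#elif (TLS_SECP160R1_SUPPORT != ENABLED && TLS_SECP160R1_SUPPORT != DISABLED)
   #error TLS_SECP160R1_SUPPORT parameter is not valid
#endif

//secp160r2 elliptic curve support
#ifndef TLS_SECP160R2_SUPPORT
   #define TLS_SECP160R2_SUPPORT DISABLED
#elif (TLS_SECP160R2_SUPPORT != ENABLED && TLS_SECP160R2_SUPPORT != DISABLED)
   #error TLS_SECP160R2_SUPPORT parameter is not valid
#endif

//secp192k1 elliptic curve support
#ifndef TLS_SECP192K1_SUPPORT
   #define TLS_SECP192K1_SUPPORT DISABLED
#elif (TLS_SECP192K1_SUPPORT != ENABLED && TLS_SECP192K1_SUPPORT != DISABLED)
   #error TLS_SECP192K1_SUPPORT parameter is not valid
#endif

//secp192r1 elliptic curve support
//NOTE(review): enabled by default. A 192-bit curve gives roughly 96 bits of
//security, below the 112-bit level commonly required today
#ifndef TLS_SECP192R1_SUPPORT
   #define TLS_SECP192R1_SUPPORT ENABLED
#elif (TLS_SECP192R1_SUPPORT != ENABLED && TLS_SECP192R1_SUPPORT != DISABLED)
   #error TLS_SECP192R1_SUPPORT parameter is not valid
#endif

//secp224k1 elliptic curve support
#ifndef TLS_SECP224K1_SUPPORT
   #define TLS_SECP224K1_SUPPORT DISABLED
#elif (TLS_SECP224K1_SUPPORT != ENABLED && TLS_SECP224K1_SUPPORT != DISABLED)
   #error TLS_SECP224K1_SUPPORT parameter is not valid
#endif

//secp224r1 elliptic curve support
#ifndef TLS_SECP224R1_SUPPORT
   #define TLS_SECP224R1_SUPPORT ENABLED
#elif (TLS_SECP224R1_SUPPORT != ENABLED && TLS_SECP224R1_SUPPORT != DISABLED)
   #error TLS_SECP224R1_SUPPORT parameter is not valid
#endif

//secp256k1 elliptic curve support
#ifndef TLS_SECP256K1_SUPPORT
   #define TLS_SECP256K1_SUPPORT DISABLED
#elif (TLS_SECP256K1_SUPPORT != ENABLED && TLS_SECP256K1_SUPPORT != DISABLED)
   #error TLS_SECP256K1_SUPPORT parameter is not valid
#endif

//secp256r1 elliptic curve support
#ifndef TLS_SECP256R1_SUPPORT
   #define TLS_SECP256R1_SUPPORT ENABLED
#elif (TLS_SECP256R1_SUPPORT != ENABLED && TLS_SECP256R1_SUPPORT != DISABLED)
   #error TLS_SECP256R1_SUPPORT parameter is not valid
#endif

//secp384r1 elliptic curve support
#ifndef TLS_SECP384R1_SUPPORT
   #define TLS_SECP384R1_SUPPORT ENABLED
#elif (TLS_SECP384R1_SUPPORT != ENABLED && TLS_SECP384R1_SUPPORT != DISABLED)
   #error TLS_SECP384R1_SUPPORT parameter is not valid
#endif

//secp521r1 elliptic curve support
#ifndef TLS_SECP521R1_SUPPORT
   #define TLS_SECP521R1_SUPPORT ENABLED
#elif (TLS_SECP521R1_SUPPORT != ENABLED && TLS_SECP521R1_SUPPORT != DISABLED)
   #error TLS_SECP521R1_SUPPORT parameter is not valid
#endif

//brainpoolP256r1 elliptic curve support
#ifndef TLS_BRAINPOOLP256R1_SUPPORT
   #define TLS_BRAINPOOLP256R1_SUPPORT DISABLED
#elif (TLS_BRAINPOOLP256R1_SUPPORT != ENABLED && TLS_BRAINPOOLP256R1_SUPPORT != DISABLED)
   #error TLS_BRAINPOOLP256R1_SUPPORT parameter is not valid
#endif

//brainpoolP384r1 elliptic curve support
#ifndef TLS_BRAINPOOLP384R1_SUPPORT
   #define TLS_BRAINPOOLP384R1_SUPPORT DISABLED
#elif (TLS_BRAINPOOLP384R1_SUPPORT != ENABLED && TLS_BRAINPOOLP384R1_SUPPORT != DISABLED)
   #error TLS_BRAINPOOLP384R1_SUPPORT parameter is not valid
#endif
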
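//brainpoolP512r1 elliptic curve support
#ifndef TLS_BRAINPOOLP512R1_SUPPORT
   #define TLS_BRAINPOOLP512R1_SUPPORT DISABLED
#elif (TLS_BRAINPOOLP512R1_SUPPORT != ENABLED && TLS_BRAINPOOLP512R1_SUPPORT != DISABLED)
   #error TLS_BRAINPOOLP512R1_SUPPORT parameter is not valid
#endif

//Modulus size limits (presumably expressed in bits - confirm). Each MAX
//option is compared with its MIN counterpart only when the MAX value was
//supplied by the user, so every pair is followed by an unconditional range
//check that also covers a user-supplied MIN combined with a default MAX.
//NOTE(review): the default 1024-bit floors, and the 512-bit lower limit the
//checks accept, are below the 2048 bits commonly required today; raise the
//MIN values in the project configuration where peers allow it

//Minimum acceptable size for Diffie-Hellman prime modulus
#ifndef TLS_MIN_DH_MODULUS_SIZE
   #define TLS_MIN_DH_MODULUS_SIZE 1024
#elif (TLS_MIN_DH_MODULUS_SIZE < 512)
   #error TLS_MIN_DH_MODULUS_SIZE parameter is not valid
#endif

//Maximum acceptable size for Diffie-Hellman prime modulus
#ifndef TLS_MAX_DH_MODULUS_SIZE
   #define TLS_MAX_DH_MODULUS_SIZE 4096
#elif (TLS_MAX_DH_MODULUS_SIZE < TLS_MIN_DH_MODULUS_SIZE)
   #error TLS_MAX_DH_MODULUS_SIZE parameter is not valid
#endif

//Range check that also applies when the maximum is left at its default
#if (TLS_MAX_DH_MODULUS_SIZE < TLS_MIN_DH_MODULUS_SIZE)
   #error TLS_MIN_DH_MODULUS_SIZE parameter is not valid
#endif

//Minimum acceptable size for RSA modulus
#ifndef TLS_MIN_RSA_MODULUS_SIZE
   #define TLS_MIN_RSA_MODULUS_SIZE 1024
#elif (TLS_MIN_RSA_MODULUS_SIZE < 512)
   #error TLS_MIN_RSA_MODULUS_SIZE parameter is not valid
#endif

//Maximum acceptable size for RSA modulus
#ifndef TLS_MAX_RSA_MODULUS_SIZE
   #define TLS_MAX_RSA_MODULUS_SIZE 4096
#elif (TLS_MAX_RSA_MODULUS_SIZE < TLS_MIN_RSA_MODULUS_SIZE)
   #error TLS_MAX_RSA_MODULUS_SIZE parameter is not valid
#endif

//Range check that also applies when the maximum is left at its default
#if (TLS_MAX_RSA_MODULUS_SIZE < TLS_MIN_RSA_MODULUS_SIZE)
   #error TLS_MIN_RSA_MODULUS_SIZE parameter is not valid
#endif

//Minimum acceptable size for DSA prime modulus
#ifndef TLS_MIN_DSA_MODULUS_SIZE
   #define TLS_MIN_DSA_MODULUS_SIZE 1024
#elif (TLS_MIN_DSA_MODULUS_SIZE < 512)
   #error TLS_MIN_DSA_MODULUS_SIZE parameter is not valid
#endif

//Maximum acceptable size for DSA prime modulus
#ifndef TLS_MAX_DSA_MODULUS_SIZE
   #define TLS_MAX_DSA_MODULUS_SIZE 4096
#elif (TLS_MAX_DSA_MODULUS_SIZE < TLS_MIN_DSA_MODULUS_SIZE)
   #error TLS_MAX_DSA_MODULUS_SIZE parameter is not valid
#endif

//Range check that also applies when the maximum is left at its default
#if (TLS_MAX_DSA_MODULUS_SIZE < TLS_MIN_DSA_MODULUS_SIZE)
   #error TLS_MIN_DSA_MODULUS_SIZE parameter is not valid
#endif

//Maximum size for premaster secret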
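#ifndef TLS_MAX_PREMASTER_SECRET_SIZE
   //NOTE(review): 256 bytes holds a 2048-bit shared secret, while
   //TLS_MAX_DH_MODULUS_SIZE defaults to 4096 (512 bytes if that limit is in
   //bits). Confirm that the code filling the premaster secret buffer
   //bounds-checks against this size; that code is not visible here
   #define TLS_MAX_PREMASTER_SECRET_SIZE 256
#elif (TLS_MAX_PREMASTER_SECRET_SIZE < 48)
   #error TLS_MAX_PREMASTER_SECRET_SIZE parameter is not valid
#endif

//Memory allocation
//(overridable; forwards to osAllocMem by default)
#ifndef tlsAllocMem
   #define tlsAllocMem(size) osAllocMem(size)
#endif

//Memory deallocation
//(overridable; forwards to osFreeMem by default)
#ifndef tlsFreeMem
   #define tlsFreeMem(p) osFreeMem(p)
#endif

//Bind TLS to a particular socket
//The socket argument is parenthesized so that the cast applies to the whole
//expression passed by the caller, not only to its first operand
#define tlsSetSocket(context, socket) tlsSetIoCallbacks(context, (TlsIoHandle) (socket), \
   (TlsIoSendCallback) socketSend, (TlsIoReceiveCallback) socketReceive)

//Maximum plaintext record length
#define TLS_MAX_RECORD_LENGTH 16384
//Data overhead caused by record encryption
#define TLS_MAX_RECORD_OVERHEAD 512

//Forward declaration of TlsContext structure
struct _TlsContext;
#define TlsContext struct _TlsContext


/**
 * @brief TLS connection end
 **/

typedef enum
{
   TLS_CONNECTION_END_CLIENT = 0,
   TLS_CONNECTION_END_SERVER = 1
} TlsConnectionEnd;


/**
 * @brief Client authentication mode
 **/

typedef enum
{
   TLS_CLIENT_AUTH_NONE     = 0,
   TLS_CLIENT_AUTH_OPTIONAL = 1,
   TLS_CLIENT_AUTH_REQUIRED = 2
} TlsClientAuthMode;


/**
 * @brief Flags used by read and write functions
 **/

typedef enum
{
   TLS_FLAG_WAIT_ALL   = 0x0800,
   TLS_FLAG_BREAK_CHAR = 0x1000,
   TLS_FLAG_BREAK_CRLF = 0x100A, //TLS_FLAG_BREAK_CHAR combined with 0x0A
   TLS_FLAG_WAIT_ACK   = 0x2000,
   TLS_FLAG_BUFFER     = 0x4000
} TlsFlags;


//The TLS_FLAG_BREAK macro causes the read function to stop reading
//data whenever the specified break character is encountered
#define TLS_FLAG_BREAK(c) (TLS_FLAG_BREAK_CHAR | LSB(c))


/**
 * @brief Content type
 **/
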
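typedef enum
{
   TLS_TYPE_NONE               = 0,
   TLS_TYPE_CHANGE_CIPHER_SPEC = 20,
   TLS_TYPE_ALERT              = 21,
   TLS_TYPE_HANDSHAKE          = 22,
   TLS_TYPE_APPLICATION_DATA   = 23,
   TLS_TYPE_HEARTBEAT          = 24
} TlsContentType;


/**
 * @brief Handshake message type
 **/

typedef enum
{
   TLS_TYPE_HELLO_REQUEST        = 0,
   TLS_TYPE_CLIENT_HELLO         = 1,
   TLS_TYPE_SERVER_HELLO         = 2,
   TLS_TYPE_HELLO_VERIFY_REQUEST = 3,
   TLS_TYPE_NEW_SESSION_TICKET   = 4,
   TLS_TYPE_CERTIFICATE          = 11,
   TLS_TYPE_SERVER_KEY_EXCHANGE  = 12,
   TLS_TYPE_CERTIFICATE_REQUEST  = 13,
   TLS_TYPE_SERVER_HELLO_DONE    = 14,
   TLS_TYPE_CERTIFICATE_VERIFY   = 15,
   TLS_TYPE_CLIENT_KEY_EXCHANGE  = 16,
   TLS_TYPE_FINISHED             = 20,
   TLS_TYPE_CERTIFICATE_URL      = 21,
   TLS_TYPE_CERTIFICATE_STATUS   = 22,
   TLS_TYPE_SUPPLEMENTAL_DATA    = 23
} TlsMessageType;


/**
 * @brief Alert level
 **/

typedef enum
{
   TLS_ALERT_LEVEL_WARNING = 1,
   TLS_ALERT_LEVEL_FATAL   = 2
} TlsAlertLevel;


/**
 * @brief Alert description
 **/

typedef enum
{
   TLS_ALERT_CLOSE_NOTIFY                    = 0,
   TLS_ALERT_UNEXPECTED_MESSAGE              = 10,
   TLS_ALERT_BAD_RECORD_MAC                  = 20,
   TLS_ALERT_DECRYPTION_FAILED               = 21,
   TLS_ALERT_RECORD_OVERFLOW                 = 22,
   TLS_ALERT_DECOMPRESSION_FAILURE           = 30,
   TLS_ALERT_HANDSHAKE_FAILURE               = 40,
   TLS_ALERT_NO_CERTIFICATE                  = 41,
   TLS_ALERT_BAD_CERTIFICATE                 = 42,
   TLS_ALERT_UNSUPPORTED_CERTIFICATE         = 43,
   TLS_ALERT_CERTIFICATE_REVOKED             = 44,
   TLS_ALERT_CERTIFICATE_EXPIRED             = 45,
   TLS_ALERT_CERTIFICATE_UNKNOWN             = 46,
   TLS_ALERT_ILLEGAL_PARAMETER               = 47,
   TLS_ALERT_UNKNOWN_CA                      = 48,
   TLS_ALERT_ACCESS_DENIED                   = 49,
   TLS_ALERT_DECODE_ERROR                    = 50,
   TLS_ALERT_DECRYPT_ERROR                   = 51,
   TLS_ALERT_EXPORT_RESTRICTION              = 60,
   TLS_ALERT_PROTOCOL_VERSION                = 70,
   TLS_ALERT_INSUFFICIENT_SECURITY           = 71,
   TLS_ALERT_INTERNAL_ERROR                  = 80,
   TLS_ALERT_INAPPROPRIATE_FALLBACK          = 86,
   TLS_ALERT_USER_CANCELED                   = 90,
   TLS_ALERT_NO_RENEGOTIATION                = 100,
   TLS_ALERT_UNSUPPORTED_EXTENSION           = 110,
   TLS_ALERT_CERTIFICATE_UNOBTAINABLE        = 111,
   TLS_ALERT_UNRECOGNIZED_NAME               = 112,
   TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE = 113,
   TLS_ALERT_BAD_CERTIFICATE_HASH_VALUE      = 114,
   TLS_ALERT_UNKNOWN_PSK_IDENTITY            = 115
} TlsAlertDescription;


/**
 * @brief Compression methods
 **/

typedef enum
{
   TLS_COMPRESSION_METHOD_NULL    = 0,
   //NOTE(review): record compression makes ciphertext length depend on the
   //plaintext; whether DEFLATE can actually be negotiated is not visible in
   //this header
   TLS_COMPRESSION_METHOD_DEFLATE = 1
} TlsCompressionMethodList;


/**
 * @brief Key exchange methods
 **/

typedef enum
{
   TLS_KEY_EXCH_NONE        = 0,
   TLS_KEY_EXCH_RSA         = 1,
   TLS_KEY_EXCH_DH_RSA      = 2,
   TLS_KEY_EXCH_DHE_RSA     = 3,
   TLS_KEY_EXCH_DH_DSS      = 4,
   TLS_KEY_EXCH_DHE_DSS     = 5,
   TLS_KEY_EXCH_DH_ANON     = 6,
   TLS_KEY_EXCH_ECDH_RSA    = 7,
   TLS_KEY_EXCH_ECDHE_RSA   = 8,
   TLS_KEY_EXCH_ECDH_ECDSA  = 9,
   TLS_KEY_EXCH_ECDHE_ECDSA = 10,
   TLS_KEY_EXCH_ECDH_ANON   = 11,
   TLS_KEY_EXCH_PSK         = 12,
   TLS_KEY_EXCH_RSA_PSK     = 13,
   TLS_KEY_EXCH_DHE_PSK     = 14,
   TLS_KEY_EXCH_ECDHE_PSK   = 15,
   TLS_KEY_EXCH_SRP_SHA     = 16,
   TLS_KEY_EXCH_SRP_SHA_RSA = 17,
   TLS_KEY_EXCH_SRP_SHA_DSS = 18
} TlsKeyExchMethod;


/**
 * @brief Certificate types
 **/

typedef enum
{
   TLS_CERT_NONE             = 0,
   TLS_CERT_RSA_SIGN         = 1,
   TLS_CERT_DSS_SIGN         = 2,
   TLS_CERT_RSA_FIXED_DH     = 3,
   TLS_CERT_DSS_FIXED_DH     = 4,
   TLS_CERT_RSA_EPHEMERAL_DH = 5,
   TLS_CERT_DSS_EPHEMERAL_DH = 6,
   TLS_CERT_FORTEZZA_DMS     = 20,
   TLS_CERT_ECDSA_SIGN       = 64,
   TLS_CERT_RSA_FIXED_ECDH   = 65,
   TLS_CERT_ECDSA_FIXED_ECDH = 66
} TlsCertificateType;


/**
 * @brief Hash algorithms
 **/

typedef enum
{
   TLS_HASH_ALGO_NONE   = 0,
   TLS_HASH_ALGO_MD5    = 1,
   TLS_HASH_ALGO_SHA1   = 2,
   TLS_HASH_ALGO_SHA224 = 3,
   TLS_HASH_ALGO_SHA256 = 4,
   TLS_HASH_ALGO_SHA384 = 5,
   TLS_HASH_ALGO_SHA512 = 6
} TlsHashAlgo;


/**
 * @brief Signature algorithms
 **/

typedef enum
{
   TLS_SIGN_ALGO_ANONYMOUS = 0,
   TLS_SIGN_ALGO_RSA       = 1,
   TLS_SIGN_ALGO_DSA       = 2,
   TLS_SIGN_ALGO_ECDSA     = 3
} TlsSignatureAlgo;


/**
 * @brief TLS extension types
 **/

typedef enum
{
   TLS_EXT_SERVER_NAME            = 0,
   TLS_EXT_MAX_FRAGMENT_LENGTH    = 1,
   TLS_EXT_CLIENT_CERTIFICATE_URL = 2,
   TLS_EXT_TRUSTED_CA_KEYS        = 3,
   TLS_EXT_TRUNCATED_HMAC         = 4,
   TLS_EXT_STATUS_REQUEST         = 5,
   TLS_EXT_USER_MAPPING           = 6,
   TLS_EXT_CLIENT_AUTHZ           = 7,
   TLS_EXT_SERVER_AUTHZ           = 8,
   TLS_EXT_CERT_TYPE              = 9,
   TLS_EXT_ELLIPTIC_CURVES        = 10,
   TLS_EXT_EC_POINT_FORMATS       = 11,
   TLS_EXT_SRP                    = 12,
   TLS_EXT_SIGNATURE_ALGORITHMS   = 13,
   TLS_EXT_USE_SRTP               = 14,
   TLS_EXT_HEARTBEAT              = 15,
   TLS_EXT_ALPN                   = 16,
   TLS_EXT_SESSION_TICKET         = 35,
   TLS_EXT_RENEGOTIATION_INFO     = 65281
} TlsExtensionType;


/**
 * @brief Name type
 **/

typedef enum
{
   TLS_NAME_TYPE_HOSTNAME = 0
} TlsNameType;


/**
 * @brief EC named curves
 **/

typedef enum
{
   TLS_EC_CURVE_NONE                     = 0,
   TLS_EC_CURVE_SECT163K1                = 1,     //RFC 4492
   TLS_EC_CURVE_SECT163R1                = 2,     //RFC 4492
   TLS_EC_CURVE_SECT163R2                = 3,     //RFC 4492
   TLS_EC_CURVE_SECT193R1                = 4,     //RFC 4492
   TLS_EC_CURVE_SECT193R2                = 5,     //RFC 4492
   TLS_EC_CURVE_SECT233K1                = 6,     //RFC 4492
   TLS_EC_CURVE_SECT233R1                = 7,     //RFC 4492
   TLS_EC_CURVE_SECT239K1                = 8,     //RFC 4492
   TLS_EC_CURVE_SECT283K1                = 9,     //RFC 4492
   TLS_EC_CURVE_SECT283R1                = 10,    //RFC 4492
   TLS_EC_CURVE_SECT409K1                = 11,    //RFC 4492
   TLS_EC_CURVE_SECT409R1                = 12,    //RFC 4492
   TLS_EC_CURVE_SECT571K1                = 13,    //RFC 4492
   TLS_EC_CURVE_SECT571R1                = 14,    //RFC 4492
   TLS_EC_CURVE_SECP160K1                = 15,    //RFC 4492
   TLS_EC_CURVE_SECP160R1                = 16,    //RFC 4492
   TLS_EC_CURVE_SECP160R2                = 17,    //RFC 4492
   TLS_EC_CURVE_SECP192K1                = 18,    //RFC 4492
   TLS_EC_CURVE_SECP192R1                = 19,    //RFC 4492
   TLS_EC_CURVE_SECP224K1                = 20,    //RFC 4492
   TLS_EC_CURVE_SECP224R1                = 21,    //RFC 4492
   TLS_EC_CURVE_SECP256K1                = 22,    //RFC 4492
   TLS_EC_CURVE_SECP256R1                = 23,    //RFC 4492
   TLS_EC_CURVE_SECP384R1                = 24,    //RFC 4492
   TLS_EC_CURVE_SECP521R1                = 25,    //RFC 4492
   TLS_EC_CURVE_BRAINPOOLP256R1          = 26,    //RFC 7027
   TLS_EC_CURVE_BRAINPOOLP384R1          = 27,    //RFC 7027
   TLS_EC_CURVE_BRAINPOOLP512R1          = 28,    //RFC 7027
   TLS_EC_CURVE_ECDH_X25519              = 29,    //RFC draft
   TLS_EC_CURVE_ECDH_X448                = 30,    //RFC draft
   TLS_EC_CURVE_FFDHE2048                = 256,   //RFC 7919
   TLS_EC_CURVE_FFDHE3072                = 257,   //RFC 7919
   TLS_EC_CURVE_FFDHE4096                = 258,   //RFC 7919
   TLS_EC_CURVE_FFDHE6144                = 259,   //RFC 7919
   TLS_EC_CURVE_FFDHE8192                = 260,   //RFC 7919
   TLS_EC_CURVE_ARBITRARY_EXPLICIT_PRIME = 65281, //RFC 4492
   TLS_EC_CURVE_ARBITRARY_EXPLICIT_CHAR2 = 65282  //RFC 4492
} TlsEcNamedCurve;


/**
 * @brief EC point formats
 **/

typedef enum
{
   TLS_EC_POINT_FORMAT_UNCOMPRESSED              = 0,
   TLS_EC_POINT_FORMAT_ANSIX962_COMPRESSED_PRIME = 1,
   TLS_EC_POINT_FORMAT_ANSIX962_COMPRESSED_CHAR2 = 2
} TlsEcPointFormat;


/**
 * @brief EC curve types
 **/

typedef enum
{
   TLS_EC_CURVE_TYPE_EXPLICIT_PRIME = 1,
   TLS_EC_CURVE_TYPE_EXPLICIT_CHAR2 = 2,
   TLS_EC_CURVE_TYPE_NAMED_CURVE    = 3
} TlsEcCurveType;


/**
 * @brief TLS FSM states
 **/

typedef enum
{
   TLS_STATE_INIT                      = 0,
   TLS_STATE_CLIENT_HELLO              = 1,
   TLS_STATE_SERVER_HELLO              = 2,
   TLS_STATE_SERVER_CERTIFICATE        = 3,
   TLS_STATE_SERVER_KEY_EXCHANGE       = 4,
   TLS_STATE_CERTIFICATE_REQUEST       = 5,
   TLS_STATE_SERVER_HELLO_DONE         = 6,
   TLS_STATE_CLIENT_CERTIFICATE        = 7,
   TLS_STATE_CLIENT_KEY_EXCHANGE       = 8,
   TLS_STATE_CERTIFICATE_VERIFY        = 9,
   TLS_STATE_CLIENT_CHANGE_CIPHER_SPEC = 10,
   TLS_STATE_CLIENT_FINISHED           = 11,
   TLS_STATE_SERVER_CHANGE_CIPHER_SPEC = 12,
   TLS_STATE_SERVER_FINISHED           = 13,
   TLS_STATE_APPLICATION_DATA          = 14,
   TLS_STATE_CLOSING                   = 15,
   TLS_STATE_CLOSED                    = 16
} TlsState;


//The structures below are declared packed and end in flexible array
//members; the trailing comment on each field gives its byte offset.
//NOTE(review): they appear to be overlaid on received message bytes. Every
//length field is then supplied by the peer and has to be checked against
//the number of bytes actually received before the flexible array is
//indexed; the parsing code is not visible in this header

//CodeWarrior or Win32 compiler?
#if defined(__CWCC__) || defined(_WIN32)
   #pragma pack(push, 1)
#endif


/**
 * @brief Random structure
 **/

typedef __start_packed struct
{
   uint32_t gmtUnixTime;    //0-3
   uint8_t randomBytes[28]; //4-31
} __end_packed TlsRandom;


/**
 * @brief Cipher suite
 **/

typedef uint16_t TlsCipherSuite;


/**
 * @brief Cipher suites
 **/

typedef __start_packed struct
{
   uint16_t length;  //0-1
   uint16_t value[]; //2
} __end_packed TlsCipherSuites;


/**
 * @brief Compression method
 **/

typedef uint8_t TlsCompressionMethod;


/**
 * @brief Compression methods
 **/

typedef __start_packed struct
{
   uint8_t length;  //0
   uint8_t value[]; //1
} __end_packed TlsCompressionMethods;


/**
 * @brief Signature algorithm
 **/

typedef __start_packed struct
{
   uint8_t hash;      //0
   uint8_t signature; //1
} __end_packed TlsSignHashAlgo;


/**
 * @brief List of signature algorithms
 **/

typedef __start_packed struct
{
   uint16_t length;         //0-1
   TlsSignHashAlgo value[]; //2
} __end_packed TlsSignHashAlgos;


/**
 * @brief List of certificate authorities
 **/

typedef __start_packed struct
{
   uint16_t length; //0-1
   uint8_t value[]; //2
} __end_packed TlsCertAuthorities;


/**
 * @brief TLS extension
 **/

typedef __start_packed struct
{
   uint16_t type;   //0-1
   uint16_t length; //2-3
   uint8_t value[]; //4
} __end_packed TlsExtension;


/**
 * @brief List of TLS extensions
 **/

typedef __start_packed struct
{
   uint16_t length; //0-1
   uint8_t value[]; //2
} __end_packed TlsExtensions;


/**
 * @brief Server name
 **/

typedef __start_packed struct
{
   uint8_t type;      //0
   uint16_t length;   //1-2
   char_t hostname[]; //3
} __end_packed TlsServerName;


/**
 * @brief List of server names
 **/

typedef __start_packed struct
{
   uint16_t length; //0-1
   uint8_t value[]; //2
} __end_packed TlsServerNameList;


/**
 * @brief Protocol name
 **/

typedef __start_packed struct
{
   uint8_t length; //0
   char_t value[]; //1
} __end_packed TlsProtocolName;


/**
 * @brief List of protocol names
 **/

typedef __start_packed struct
{
   uint16_t length; //0-1
   uint8_t value[]; //2
} __end_packed TlsProtocolNameList;


/**
 * @brief List of supported elliptic curves
 **/

typedef __start_packed struct
{
   uint16_t length;  //0-1
   uint16_t value[]; //2
} __end_packed TlsEllipticCurveList;


/**
 * @brief List of supported EC point formats
 **/

typedef __start_packed struct
{
   uint8_t length;  //0
   uint8_t value[]; //1
} __end_packed TlsEcPointFormatList;


/**
 * @brief PSK identity
 **/

typedef __start_packed struct
{
   uint16_t length; //0-1
   uint8_t value[]; //2
} __end_packed TlsPskIdentity;


/**
 * @brief PSK identity hint
 **/

typedef __start_packed struct
{
   uint16_t length; //0-1
   uint8_t value[]; //2
} __end_packed TlsPskIdentityHint;


/**
 * @brief Digitally-signed element (SSL 3.0, TLS 1.0 and TLS 1.1)
 **/

typedef __start_packed struct
{
   uint16_t length; //0-1
   uint8_t value[]; //2
} __end_packed TlsDigitalSignature;


/**
 * @brief Digitally-signed element (TLS 1.2)
 **/

typedef __start_packed struct
{
   TlsSignHashAlgo algorithm; //0-1
   uint16_t length;           //2-3
   uint8_t value[];           //4
} __end_packed TlsDigitalSignature2;


/**
 * @brief General format of TLS records
 **/

typedef __start_packed struct
{
   uint8_t type;     //0
   uint16_t version; //1-2
   uint16_t length;  //3-4
   uint8_t data[];   //5
} __end_packed TlsRecord;


/**
 * @brief Handshake message
 **/

typedef __start_packed struct
{
   uint8_t msgType;   //0
   uint8_t length[3]; //1-3
   uint8_t data[];    //4
} __end_packed TlsHandshake;


/**
 * @brief ClientHello message
 **/

typedef __start_packed struct
{
   uint8_t msgType;         //0
   uint8_t length[3];       //1-3
   uint16_t clientVersion;  //4-5
   TlsRandom random;        //6-37
   uint8_t sessionIdLength; //38
   uint8_t sessionId[];     //39
} __end_packed TlsClientHello;


/**
 * @brief ServerHello message
 **/

typedef __start_packed struct
{
   uint8_t msgType;         //0
   uint8_t length[3];       //1-3
   uint16_t serverVersion;  //4-5
   TlsRandom random;        //6-37
   uint8_t sessionIdLength; //38
   uint8_t sessionId[];     //39
} __end_packed TlsServerHello;


/**
 * @brief Certificate message
 **/

typedef __start_packed struct
{
   uint8_t msgType;                  //0
   uint8_t length[3];                //1-3
   uint8_t certificateListLength[3]; //4-6
   uint8_t certificateList[];        //7
} __end_packed TlsCertificate;


/**
 * @brief ServerKeyExchange message
 **/

typedef __start_packed struct
{
   uint8_t msgType;   //0
   uint8_t length[3]; //1-3
   uint8_t data[];    //4
} __end_packed TlsServerKeyExchange;


/**
 * @brief CertificateRequest message
 **/

typedef __start_packed struct
{
   uint8_t msgType;                //0
   uint8_t length[3];              //1-3
   uint8_t certificateTypesLength; //4
   uint8_t certificateTypes[];     //5
} __end_packed TlsCertificateRequest;


/**
 * @brief ServerHelloDone message
 **/

typedef __start_packed struct
{
   uint8_t msgType;   //0
   uint8_t length[3]; //1-3
} __end_packed TlsServerHelloDone;


/**
 * @brief ClientKeyExchange message
 **/

typedef __start_packed struct
{
   uint8_t msgType;   //0
   uint8_t length[3]; //1-3
   uint8_t data[];    //4
} __end_packed TlsClientKeyExchange;


/**
 * @brief CertificateVerify message
 **/

typedef __start_packed struct
{
   uint8_t msgType;     //0
   uint8_t length[3];   //1-3
   uint8_t signature[]; //4
} __end_packed TlsCertificateVerify;


/**
 * @brief Finished message
 **/

typedef __start_packed struct
{
   uint8_t msgType;   //0
   uint8_t length[3]; //1-3
   uint8_t verifyData[];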
//4 01242 } __end_packed TlsFinished; 01243 01244 01245 /** 01246 * @brief ChangeCipherSpec message 01247 **/ 01248 01249 typedef __start_packed struct 01250 { 01251 uint8_t type; //0 01252 } __end_packed TlsChangeCipherSpec; 01253 01254 01255 /** 01256 * @brief Alert message 01257 **/ 01258 01259 typedef __start_packed struct 01260 { 01261 uint8_t level; //0 01262 uint8_t description; //1 01263 } __end_packed TlsAlert; 01264 01265 01266 //CodeWarrior or Win32 compiler? 01267 #if defined(__CWCC__) || defined(_WIN32) 01268 #pragma pack(pop) 01269 #endif 01270 01271 01272 /** 01273 * @brief Sequence number 01274 **/ 01275 01276 typedef uint8_t TlsSequenceNumber[8]; 01277 01278 01279 /** 01280 * @brief Handle for I/O operations 01281 **/ 01282 01283 typedef void *TlsIoHandle; 01284 01285 01286 /** 01287 * @brief Send callback function 01288 **/ 01289 01290 typedef error_t (*TlsIoSendCallback)(TlsIoHandle handle, 01291 const void *data, size_t length, size_t *written, uint_t flags); 01292 01293 01294 /** 01295 * @brief Receive callback function 01296 **/ 01297 01298 typedef error_t (*TlsIoReceiveCallback)(TlsIoHandle handle, 01299 void *data, size_t size, size_t *received, uint_t flags); 01300 01301 01302 /** 01303 * @brief Pre-shared key callback function 01304 **/ 01305 01306 typedef error_t (*TlsPskCallback)(TlsContext *context, 01307 const char_t *pskIdentity); 01308 01309 01310 /** 01311 * @brief Structure describing a cipher suite 01312 **/ 01313 01314 typedef struct 01315 { 01316 uint16_t identifier; 01317 const char_t *name; 01318 TlsKeyExchMethod keyExchMethod; 01319 const CipherAlgo *cipherAlgo; 01320 CipherMode cipherMode; 01321 const HashAlgo *hashAlgo; 01322 const HashAlgo *prfHashAlgo; 01323 uint8_t macKeyLen; 01324 uint8_t encKeyLen; 01325 uint8_t fixedIvLen; 01326 uint8_t recordIvLen; 01327 uint8_t authTagLen; 01328 uint8_t verifyDataLen; 01329 } TlsCipherSuiteInfo; 01330 01331 01332 /** 01333 * @brief TLS session 01334 **/ 01335 01336 typedef struct 
01337 { 01338 uint8_t id[32]; ///<Session identifier 01339 size_t idLength; ///<Length of the session identifier 01340 systime_t timestamp; ///<Time stamp to manage entry lifetime 01341 uint16_t cipherSuite; ///<Cipher suite identifier 01342 uint8_t compressionMethod; ///<Compression method 01343 uint8_t masterSecret[48]; ///<Master secret 01344 } TlsSession; 01345 01346 01347 /** 01348 * @brief Session cache 01349 **/ 01350 01351 typedef struct 01352 { 01353 OsMutex mutex; ///<Mutex preventing simultaneous access to the cache 01354 uint_t size; ///<Maximum number of entries 01355 TlsSession sessions[]; ///<Cache entries 01356 } TlsCache; 01357 01358 01359 /** 01360 * @brief Certificate descriptor 01361 **/ 01362 01363 typedef struct 01364 { 01365 const char_t *certChain; ///<End entity certificate chain (PEM format) 01366 size_t certChainLength; ///<Length of the certificate chain 01367 const char_t *privateKey; ///<Private key (PEM format) 01368 size_t privateKeyLength; ///<Length of the private key 01369 TlsCertificateType type; ///<End entity certificate type 01370 TlsSignatureAlgo signAlgo; ///<Signature algorithm used to sign the end entity certificate 01371 TlsHashAlgo hashAlgo; ///<Hash algorithm used to sign the end entity certificate 01372 TlsEcNamedCurve namedCurve; ///<Named curve used to generate the EC public key 01373 } TlsCertDesc; 01374 01375 01376 /** 01377 * @brief TLS context 01378 * 01379 * An opaque data structure that represents a TLS connection 01380 * 01381 **/ 01382 01383 struct _TlsContext 01384 { 01385 TlsState state; ///<TLS handshake finite state machine 01386 TlsConnectionEnd entity; ///<Client or server operation 01387 01388 TlsIoHandle handle; ///<Handle for I/O operations 01389 TlsIoSendCallback sendCallback; ///<Send callback function 01390 TlsIoReceiveCallback receiveCallback; ///<Receive callback function 01391 const PrngAlgo *prngAlgo; ///<Pseudo-random number generator to be used 01392 void *prngContext; ///<Pseudo-random 
number generator context 01393 01394 const uint16_t *cipherSuites; ///<List of supported cipher suites 01395 uint_t numCipherSuites; ///<Number of cipher suites in the list 01396 01397 char_t *serverName; ///<Fully qualified DNS hostname of the server 01398 01399 #if (TLS_ALPN_SUPPORT == ENABLED) 01400 char_t *protocolList; ///<List of supported ALPN protocols 01401 #endif 01402 01403 #if (TLS_PSK_SUPPORT == ENABLED || TLS_RSA_PSK_SUPPORT == ENABLED || \ 01404 TLS_DHE_PSK_SUPPORT == ENABLED || TLS_ECDHE_PSK_SUPPORT == ENABLED) 01405 char_t *psk; ///<Pre-shared key 01406 size_t pskLen; ///<Length of the pre-shared key, in bytes 01407 char_t *pskIdentity; ///<PSK identity 01408 char_t *pskIdentityHint; ///<PSK identity hint 01409 TlsPskCallback pskCallback; ///<PSK callback function 01410 #endif 01411 01412 #if (TLS_DH_ANON_SUPPORT == ENABLED || TLS_DHE_RSA_SUPPORT == ENABLED || \ 01413 TLS_DHE_DSS_SUPPORT == ENABLED || TLS_DHE_PSK_SUPPORT == ENABLED) 01414 DhContext dhContext; ///<Diffie-Hellman context 01415 #endif 01416 01417 #if (TLS_ECDH_ANON_SUPPORT == ENABLED || TLS_ECDHE_RSA_SUPPORT == ENABLED || \ 01418 TLS_ECDHE_ECDSA_SUPPORT == ENABLED || TLS_ECDHE_PSK_SUPPORT == ENABLED) 01419 EcdhContext ecdhContext; ///<ECDH context 01420 #endif 01421 01422 TlsCertDesc certs[TLS_MAX_CERTIFICATES]; //End entity certificates 01423 uint_t numCerts; //Number of certificates available 01424 TlsCertDesc *cert; //Pointer to the currently selected certificate 01425 01426 const char_t *trustedCaList; ///<List of trusted CA (PEM format) 01427 size_t trustedCaListLen; ///<Number of trusted CA in the list 01428 01429 TlsCertificateType peerCertType; ///<Peer's certificate type 01430 01431 #if (TLS_RSA_SIGN_SUPPORT == ENABLED || TLS_RSA_SUPPORT == ENABLED || \ 01432 TLS_DHE_RSA_SUPPORT == ENABLED || TLS_ECDHE_RSA_SUPPORT == ENABLED) 01433 RsaPublicKey peerRsaPublicKey; ///<Peer's RSA public key 01434 #endif 01435 01436 #if (TLS_DSA_SIGN_SUPPORT == ENABLED || TLS_DHE_DSS_SUPPORT == 
ENABLED) 01437 DsaPublicKey peerDsaPublicKey; ///<Peer's DSA public key 01438 #endif 01439 01440 #if (TLS_ECDSA_SIGN_SUPPORT == ENABLED || TLS_ECDHE_ECDSA_SUPPORT == ENABLED) 01441 EcDomainParameters peerEcParams; ///<Peer's EC domain parameters 01442 EcPoint peerEcPublicKey; ///<Peer's EC public key 01443 #endif 01444 01445 TlsCache *cache; ///<TLS session cache 01446 01447 uint8_t sessionId[32]; ///<Session identifier 01448 size_t sessionIdLen; ///<Length of the session identifier 01449 01450 uint16_t clientVersion; ///<Latest version supported by the client 01451 uint16_t version; ///<Negotiated TLS version 01452 uint16_t cipherSuite; ///<Negotiated cipher suite 01453 uint8_t compressionMethod; ///<Negotiated compression algorithm 01454 uint16_t namedCurve; ///<Named curve 01455 01456 TlsHashAlgo signHashAlgo; ///<Hash algorithm used for signing 01457 TlsKeyExchMethod keyExchMethod; ///<Key exchange method 01458 const CipherAlgo *cipherAlgo; ///<Bulk cipher algorithm 01459 CipherMode cipherMode; ///<Cipher mode of operation 01460 const HashAlgo *hashAlgo; ///<Hash algorithm for MAC operations 01461 const HashAlgo *prfHashAlgo; ///<Hash algorithm for PRF operations 01462 size_t macKeyLen; ///<Number of bytes that are used for generating MAC keys 01463 size_t encKeyLen; ///<Number of bytes that are used for generating encryption keys 01464 size_t fixedIvLen; ///<Amount of data needed to be generated for the IV 01465 size_t recordIvLen; ///<Length of the IV 01466 size_t authTagLen; ///<Length of the authentication tag 01467 size_t verifyDataLen; ///<Length of the verify data 01468 01469 //#if (TLS_MAX_VERSION >= SSL_VERSION_3_0 && TLS_MIN_VERSION <= TLS_VERSION_1_1) 01470 Md5Context *handshakeMd5Context; ///<MD5 context used to compute verify data 01471 Sha1Context *handshakeSha1Context; ///<SHA-1 context used to compute verify data 01472 //#endif 01473 01474 //#if (TLS_MAX_VERSION >= TLS_VERSION_1_2 && TLS_MIN_VERSION <= TLS_VERSION_1_2) 01475 HashContext 
*handshakeHashContext; ///<Hash context used to compute verify data (TLS 1.2) 01476 //#endif 01477 01478 uint8_t verifyData[64]; ///<Verify data 01479 01480 bool_t ecPointFormatExtFound; ///<The EcPointFormats extension has been received 01481 01482 TlsClientAuthMode clientAuthMode; ///<Client authentication mode 01483 bool_t clientCertRequested; ///<This flag tells whether the client certificate is requested 01484 01485 bool_t resume; ///<The connection is established by resuming a session 01486 bool_t changeCipherSpecSent; ///<A ChangeCipherSpec message has been sent 01487 bool_t changeCipherSpecReceived; ///<A ChangeCipherSpec message has been received from the peer 01488 bool_t fatalAlertSent; ///<A fatal alert message has been sent 01489 bool_t fatalAlertReceived; ///<A fatal alert message has been received from the peer 01490 bool_t closeNotifySent; ///<A closure alert has been sent 01491 bool_t closeNotifyReceived; ///<A closure alert has been received from the peer 01492 01493 HmacContext hmacContext; ///<HMAC context 01494 void *writeCipherContext; ///<Bulk cipher context for write operations 01495 void *readCipherContext; ///<Bulk cipher context for read operations 01496 #if (TLS_GCM_CIPHER_SUPPORT == ENABLED) 01497 GcmContext *writeGcmContext; ///<GCM context for write operations 01498 GcmContext *readGcmContext; ///<GCM context for read operations 01499 #endif 01500 01501 uint8_t *txBuffer; ///<TX buffer 01502 size_t txBufferSize; ///<TX buffer size 01503 TlsContentType txBufferType; ///<Type of data that resides in the TX buffer 01504 size_t txBufferLen; ///<Number of bytes that are pending to be sent 01505 size_t txBufferPos; ///<Current position in TX buffer 01506 size_t txRecordMaxLen; ///<Maximum plaintext fragment length 01507 size_t txRecordLen; ///<Length of the TLS record 01508 size_t txRecordPos; ///<Current position in the TLS record 01509 01510 uint8_t *rxBuffer; ///<RX buffer 01511 size_t rxBufferSize; ///<RX buffer size 01512 
TlsContentType rxBufferType; ///<Type of data that resides in the RX buffer 01513 size_t rxBufferLen; ///<Number of bytes available for reading 01514 size_t rxBufferPos; ///<Current position in RX buffer 01515 size_t rxRecordMaxLen; ///<Maximum plaintext fragment length 01516 size_t rxRecordLen; ///<Length of the TLS record 01517 size_t rxRecordPos; ///<Current position in the TLS record 01518 01519 union 01520 { 01521 struct 01522 { 01523 TlsRandom clientRandom; ///<Client random value 01524 TlsRandom serverRandom; ///<Server random value 01525 }; 01526 uint8_t random[64]; 01527 }; 01528 01529 uint8_t premasterSecret[TLS_MAX_PREMASTER_SECRET_SIZE]; ///<Premaster secret 01530 size_t premasterSecretLen; ///<Length of the premaster secret 01531 uint8_t masterSecret[48]; ///<Master secret 01532 uint8_t keyBlock[192]; ///<Key material 01533 uint8_t *writeMacKey; ///<Write MAC key 01534 uint8_t *readMacKey; ///<Read MAC key 01535 uint8_t *writeEncKey; ///<Encryption key that serves for write operations 01536 uint8_t *readEncKey; ///<Encryption key that serves for read operations 01537 uint8_t *writeIv; ///<Write IV 01538 uint8_t *readIv; ///<Read IV 01539 01540 TlsSequenceNumber writeSeqNum; ///<Write sequence number 01541 TlsSequenceNumber readSeqNum; ///<Read sequence number 01542 }; 01543 01544 01545 //TLS application programming interface (API) 01546 TlsContext *tlsInit(void); 01547 01548 error_t tlsSetIoCallbacks(TlsContext *context, TlsIoHandle handle, 01549 TlsIoSendCallback sendCallback, TlsIoReceiveCallback receiveCallback); 01550 01551 error_t tlsSetConnectionEnd(TlsContext *context, TlsConnectionEnd entity); 01552 error_t tlsSetPrng(TlsContext *context, const PrngAlgo *prngAlgo, void *prngContext); 01553 error_t tlsSetServerName(TlsContext *context, const char_t *serverName); 01554 error_t tlsSetCache(TlsContext *context, TlsCache *cache); 01555 error_t tlsSetClientAuthMode(TlsContext *context, TlsClientAuthMode mode); 01556 01557 error_t 
tlsSetBufferSize(TlsContext *context, 01558 size_t txBufferSize, size_t rxBufferSize); 01559 01560 error_t tlsSetCipherSuites(TlsContext *context, 01561 const uint16_t *cipherSuites, uint_t length); 01562 01563 error_t tlsSetDhParameters(TlsContext *context, 01564 const char_t *params, size_t length); 01565 01566 error_t tlsSetAlpnProtocolList(TlsContext *context, const char_t *protocolList); 01567 const char_t *tlsGetAlpnProtocol(TlsContext *context); 01568 01569 error_t tlsSetPsk(TlsContext *context, const uint8_t *psk, size_t pskLength); 01570 error_t tlsSetPskIdentity(TlsContext *context, const char_t *pskIdentity); 01571 error_t tlsSetPskIdentityHint(TlsContext *context, const char_t *pskIdentityHint); 01572 error_t tlsSetPskCallback(TlsContext *context, TlsPskCallback pskCallback); 01573 01574 error_t tlsSetTrustedCaList(TlsContext *context, 01575 const char_t *trustedCaList, size_t length); 01576 01577 error_t tlsAddCertificate(TlsContext *context, const char_t *certChain, 01578 size_t certChainLength, const char_t *privateKey, size_t privateKeyLength); 01579 01580 error_t tlsConnect(TlsContext *context); 01581 01582 error_t tlsWrite(TlsContext *context, const void *data, 01583 size_t length, size_t *written, uint_t flags); 01584 01585 error_t tlsRead(TlsContext *context, void *data, 01586 size_t size, size_t *received, uint_t flags); 01587 01588 error_t tlsShutdown(TlsContext *context); 01589 error_t tlsShutdownEx(TlsContext *context, bool_t waitForCloseNotify); 01590 01591 void tlsFree(TlsContext *context); 01592 01593 error_t tlsSaveSession(const TlsContext *context, TlsSession *session); 01594 error_t tlsRestoreSession(TlsContext *context, const TlsSession *session); 01595 01596 TlsCache *tlsInitCache(uint_t size); 01597 void tlsFreeCache(TlsCache *cache); 01598 01599 #endif 01600
