Annotation of embedaddon/strongswan/src/libtls/tls_crypto.h, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2010 Martin Willi
3: * Copyright (C) 2010 revosec AG
4: *
5: * This program is free software; you can redistribute it and/or modify it
6: * under the terms of the GNU General Public License as published by the
7: * Free Software Foundation; either version 2 of the License, or (at your
8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9: *
10: * This program is distributed in the hope that it will be useful, but
11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13: * for more details.
14: */
15:
16: /**
17: * @defgroup tls_crypto tls_crypto
18: * @{ @ingroup libtls
19: */
20:
21: #ifndef TLS_CRYPTO_H_
22: #define TLS_CRYPTO_H_
23:
24: typedef struct tls_crypto_t tls_crypto_t;
25: typedef enum tls_cipher_suite_t tls_cipher_suite_t;
26: typedef enum tls_hash_algorithm_t tls_hash_algorithm_t;
27: typedef enum tls_signature_algorithm_t tls_signature_algorithm_t;
28: typedef enum tls_client_certificate_type_t tls_client_certificate_type_t;
29: typedef enum tls_ecc_curve_type_t tls_ecc_curve_type_t;
30: typedef enum tls_named_curve_t tls_named_curve_t;
31: typedef enum tls_ansi_point_format_t tls_ansi_point_format_t;
32: typedef enum tls_ec_point_format_t tls_ec_point_format_t;
33:
34: #include "tls.h"
35: #include "tls_prf.h"
36: #include "tls_protection.h"
37:
38: #include <library.h>
39:
40: #include <credentials/keys/private_key.h>
41:
42: /**
43: * TLS cipher suites
44: */
45: enum tls_cipher_suite_t {
46: TLS_NULL_WITH_NULL_NULL = 0x0000,
47: TLS_RSA_WITH_NULL_MD5 = 0x0001,
48: TLS_RSA_WITH_NULL_SHA = 0x0002,
49: TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
50: TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
51: TLS_RSA_WITH_RC4_128_SHA = 0x0005,
52: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
53: TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
54: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
55: TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
56: TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
57: TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
58: TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
59: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
60: TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
61: TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
62: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
63: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
64: TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
65: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
66: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
67: TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
68: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
69: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
70: TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
71: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
72: TLS_DH_anon_WITH_DES_CBC_SHA = 0x001A,
73: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B,
74:
75: TLS_KRB5_WITH_DES_CBC_SHA = 0x001E,
76: TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F,
77: TLS_KRB5_WITH_RC4_128_SHA = 0x0020,
78: TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021,
79: TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022,
80: TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023,
81: TLS_KRB5_WITH_RC4_128_MD5 = 0x0024,
82: TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025,
83: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026,
84: TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027,
85: TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028,
86: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029,
87: TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A,
88: TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B,
89: TLS_PSK_WITH_NULL_SHA = 0x002C,
90: TLS_DHE_PSK_WITH_NULL_SHA = 0x002D,
91: TLS_RSA_PSK_WITH_NULL_SHA = 0x002E,
92: TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
93: TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
94: TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
95: TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
96: TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
97: TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034,
98: TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
99: TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
100: TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
101: TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
102: TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
103: TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A,
104: TLS_RSA_WITH_NULL_SHA256 = 0x003B,
105: TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
106: TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
107: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
108: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
109: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
110: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041,
111: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042,
112: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
113: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
114: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
115: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
116:
117: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
118: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
119: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
120: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
121: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
122: TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C,
123: TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D,
124:
125: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
126: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
127: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
128: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
129: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
130: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
131: TLS_PSK_WITH_RC4_128_SHA = 0x008A,
132: TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
133: TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
134: TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
135: TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
136: TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
137: TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
138: TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
139: TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
140: TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
141: TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
142: TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
143: TLS_RSA_WITH_SEED_CBC_SHA = 0x0096,
144: TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097,
145: TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
146: TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
147: TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
148: TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B,
149: TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
150: TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
151: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
152: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
153: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
154: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
155: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
156: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
157: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
158: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
159: TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6,
160: TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7,
161: TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
162: TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
163: TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
164: TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
165: TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
166: TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
167: TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
168: TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
169: TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
170: TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
171: TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
172: TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
173: TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
174: TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
175: TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
176: TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
177: TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
178: TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
179: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA,
180: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB,
181: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
182: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
183: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
184: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
185: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
186: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
187: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
188: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
189: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
190: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
191:
192: TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF,
193:
194: TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
195: TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
196: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
197: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
198: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
199: TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
200: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
201: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
202: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
203: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
204: TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
205: TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
206: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
207: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
208: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
209: TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
210: TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
211: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
212: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
213: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
214: TLS_ECDH_anon_WITH_NULL_SHA = 0xC015,
215: TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016,
216: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017,
217: TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018,
218: TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019,
219: TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
220: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
221: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C,
222: TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D,
223: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E,
224: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F,
225: TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020,
226: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021,
227: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022,
228: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
229: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
230: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
231: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
232: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
233: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
234: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
235: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
236: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
237: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
238: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
239: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
240: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
241: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
242: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
243: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
244: TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033,
245: TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034,
246: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035,
247: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036,
248: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037,
249: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038,
250: TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
251: TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
252: TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B
253: };
254:
255: /**
256: * Enum names for tls_cipher_suite_t
257: */
258: extern enum_name_t *tls_cipher_suite_names;
259:
260: /**
261: * TLS HashAlgorithm identifiers
262: */
263: enum tls_hash_algorithm_t {
264: TLS_HASH_NONE = 0,
265: TLS_HASH_MD5 = 1,
266: TLS_HASH_SHA1 = 2,
267: TLS_HASH_SHA224 = 3,
268: TLS_HASH_SHA256 = 4,
269: TLS_HASH_SHA384 = 5,
270: TLS_HASH_SHA512 = 6,
271: };
272:
273: /**
274: * Enum names for tls_hash_algorithm_t
275: */
276: extern enum_name_t *tls_hash_algorithm_names;
277:
278: /**
279: * TLS SignatureAlgorithm identifiers
280: */
281: enum tls_signature_algorithm_t {
282: TLS_SIG_RSA = 1,
283: TLS_SIG_DSA = 2,
284: TLS_SIG_ECDSA = 3,
285: };
286:
287: /**
288: * Enum names for tls_signature_algorithm_t
289: */
290: extern enum_name_t *tls_signature_algorithm_names;
291:
292: /**
293: * TLS ClientCertificateType
294: */
295: enum tls_client_certificate_type_t {
296: TLS_RSA_SIGN = 1,
297: TLS_DSA_SIGN = 2,
298: TLS_RSA_FIXED_DH = 3,
299: TLS_DSS_FIXED_DH = 4,
300: TLS_RSA_EPHEMERAL_DH = 5,
301: TLS_DSS_EPHEMERAL_DH = 6,
302: TLS_FORTEZZA_DMS = 20,
303: TLS_ECDSA_SIGN = 64,
304: TLS_RSA_FIXED_ECDH = 65,
305: TLS_ECDSA_FIXED_ECDH = 66,
306: };
307:
308: /**
309: * Enum names for tls_client_certificate_type_t
310: */
311: extern enum_name_t *tls_client_certificate_type_names;
312:
313: /**
314: * TLS EccCurveType
315: */
316: enum tls_ecc_curve_type_t {
317: TLS_ECC_EXPLICIT_PRIME = 1,
318: TLS_ECC_EXPLICIT_CHAR2 = 2,
319: TLS_ECC_NAMED_CURVE = 3,
320: };
321:
322: /**
323: * Enum names for tls_ecc_curve_type_t
324: */
325: extern enum_name_t *tls_ecc_curve_type_names;
326:
327: /**
328: * TLS Named Curve identifiers
329: */
330: enum tls_named_curve_t {
331: TLS_SECT163K1 = 1,
332: TLS_SECT163R1 = 2,
333: TLS_SECT163R2 = 3,
334: TLS_SECT193R1 = 4,
335: TLS_SECT193R2 = 5,
336: TLS_SECT233K1 = 6,
337: TLS_SECT233R1 = 7,
338: TLS_SECT239K1 = 8,
339: TLS_SECT283K1 = 9,
340: TLS_SECT283R1 = 10,
341: TLS_SECT409K1 = 11,
342: TLS_SECT409R1 = 12,
343: TLS_SECT571K1 = 13,
344: TLS_SECT571R1 = 14,
345: TLS_SECP160K1 = 15,
346: TLS_SECP160R1 = 16,
347: TLS_SECP160R2 = 17,
348: TLS_SECP192K1 = 18,
349: TLS_SECP192R1 = 19,
350: TLS_SECP224K1 = 20,
351: TLS_SECP224R1 = 21,
352: TLS_SECP256K1 = 22,
353: TLS_SECP256R1 = 23,
354: TLS_SECP384R1 = 24,
355: TLS_SECP521R1 = 25,
356: };
357:
358: /**
359: * Enum names for tls_named_curve_t
360: */
361: extern enum_name_t *tls_named_curve_names;
362:
363: /**
364: * EC Point format, ANSI X9.62.
365: */
366: enum tls_ansi_point_format_t {
367: TLS_ANSI_COMPRESSED = 2,
368: TLS_ANSI_COMPRESSED_Y = 3,
369: TLS_ANSI_UNCOMPRESSED = 4,
370: TLS_ANSI_HYBRID = 6,
371: TLS_ANSI_HYBRID_Y = 7,
372: };
373:
374: /**
375: * Enum names for tls_ansi_point_format_t.
376: */
377: extern enum_name_t *tls_ansi_point_format_names;
378:
379: /**
380: * EC Point format, TLS specific identifiers.
381: */
382: enum tls_ec_point_format_t {
383: TLS_EC_POINT_UNCOMPRESSED = 0,
384: TLS_EC_POINT_ANSIX962_COMPRESSED_PRIME = 1,
385: TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2 = 2,
386: };
387:
388: /**
389: * Enum names for tls_ec_point_format_t.
390: */
391: extern enum_name_t *tls_ec_point_format_names;
392:
393: /**
394: * TLS crypto helper functions.
395: */
396: struct tls_crypto_t {
397:
398: /**
399: * Get a list of supported TLS cipher suites.
400: *
401: * @param suites list of suites, points to internal data
402: * @return number of suites returned
403: */
404: int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites);
405:
406: /**
407: * Select and store a cipher suite from a given list of candidates.
408: *
409: * @param suites list of candidates to select from
410: * @param count number of suites
411: * @param key key type used, or KEY_ANY
412: * @return selected suite, 0 if none acceptable
413: */
414: tls_cipher_suite_t (*select_cipher_suite)(tls_crypto_t *this,
415: tls_cipher_suite_t *suites, int count,
416: key_type_t key);
417:
418: /**
419: * Get the Diffie-Hellman group to use, if any.
420: *
421: * @return Diffie Hellman group, ord MODP_NONE
422: */
423: diffie_hellman_group_t (*get_dh_group)(tls_crypto_t *this);
424:
425: /**
426: * Write the list of supported hash/sig algorithms to writer.
427: *
428: * @param writer writer to write supported hash/sig algorithms
429: */
430: void (*get_signature_algorithms)(tls_crypto_t *this, bio_writer_t *writer);
431:
432: /**
433: * Create an enumerator over supported ECDH groups.
434: *
435: * Enumerates over (diffie_hellman_group_t, tls_named_curve_t)
436: *
437: * @return enumerator
438: */
439: enumerator_t* (*create_ec_enumerator)(tls_crypto_t *this);
440:
441: /**
442: * Set the protection layer of the TLS stack to control it.
443: *
444: * @param protection protection layer to work on
445: */
446: void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection);
447:
448: /**
449: * Store exchanged handshake data, used for cryptographic operations.
450: *
451: * @param type handshake sub type
452: * @param data data to append to handshake buffer
453: */
454: void (*append_handshake)(tls_crypto_t *this,
455: tls_handshake_type_t type, chunk_t data);
456:
457: /**
458: * Sign a blob of data, append signature to writer.
459: *
460: * @param key private key to use for signature
461: * @param writer TLS writer to write signature to
462: * @param data data to sign
463: * @param hashsig list of TLS1.2 hash/sig algorithms to select from
464: * @return TRUE if signature create successfully
465: */
466: bool (*sign)(tls_crypto_t *this, private_key_t *key,
467: bio_writer_t *writer, chunk_t data, chunk_t hashsig);
468:
469: /**
470: * Verify a blob of data, read signature from a reader.
471: *
472: * @param key public key to verify signature with
473: * @param reader TLS reader to read signature from
474: * @param data data to verify signature
475: * @return TRUE if signature valid
476: */
477: bool (*verify)(tls_crypto_t *this, public_key_t *key,
478: bio_reader_t *reader, chunk_t data);
479:
480: /**
481: * Create a signature of the handshake data using a given private key.
482: *
483: * @param key private key to use for signature
484: * @param writer TLS writer to write signature to
485: * @param hashsig list of TLS1.2 hash/sig algorithms to select from
486: * @return TRUE if signature create successfully
487: */
488: bool (*sign_handshake)(tls_crypto_t *this, private_key_t *key,
489: bio_writer_t *writer, chunk_t hashsig);
490:
491: /**
492: * Verify the signature over handshake data using a given public key.
493: *
494: * @param key public key to verify signature with
495: * @param reader TLS reader to read signature from
496: * @return TRUE if signature valid
497: */
498: bool (*verify_handshake)(tls_crypto_t *this, public_key_t *key,
499: bio_reader_t *reader);
500:
501: /**
502: * Calculate the data of a TLS finished message.
503: *
504: * @param label ASCII label to use for calculation
505: * @param out buffer to write finished data to
506: * @return TRUE if calculation successful
507: */
508: bool (*calculate_finished)(tls_crypto_t *this, char *label, char out[12]);
509:
510: /**
511: * Derive the master secret, MAC and encryption keys.
512: *
513: * @param premaster premaster secret
514: * @param session session identifier to cache master secret
515: * @param id identity the session is bound to
516: * @param client_random random data from client hello
517: * @param server_random random data from server hello
518: * @return TRUE if secrets derived successfully
519: */
520: bool (*derive_secrets)(tls_crypto_t *this, chunk_t premaster,
521: chunk_t session, identification_t *id,
522: chunk_t client_random, chunk_t server_random);
523:
524: /**
525: * Try to resume a TLS session, derive key material.
526: *
527: * @param session session identifier
528: * @param id identity the session is bound to
529: * @param client_random random data from client hello
530: * @param server_random random data from server hello
531: * @return selected suite
532: */
533: tls_cipher_suite_t (*resume_session)(tls_crypto_t *this, chunk_t session,
534: identification_t *id,
535: chunk_t client_random,
536: chunk_t server_random);
537:
538: /**
539: * Check if we have a session to resume as a client.
540: *
541: * @param id server identity to get a session for
542: * @return allocated session identifier, or chunk_empty
543: */
544: chunk_t (*get_session)(tls_crypto_t *this, identification_t *id);
545:
546: /**
547: * Change the cipher used at protection layer.
548: *
549: * @param inbound TRUE to change inbound cipher, FALSE for outbound
550: */
551: void (*change_cipher)(tls_crypto_t *this, bool inbound);
552:
553: /**
554: * Get the MSK to use in EAP-TLS.
555: *
556: * @return MSK, points to internal data
557: */
558: chunk_t (*get_eap_msk)(tls_crypto_t *this);
559:
560: /**
561: * Destroy a tls_crypto_t.
562: */
563: void (*destroy)(tls_crypto_t *this);
564: };
565:
566: /**
567: * Create a tls_crypto instance.
568: *
569: * @param tls TLS stack
570: * @param cache TLS session cache
571: * @return TLS crypto helper
572: */
573: tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache);
574:
575: /**
576: * Get a list of all supported TLS cipher suites.
577: *
578: * @param null include supported NULL encryption suites
579: * @param suites pointer to allocated suites array, to free(), or NULL
580: * @return number of suites supported
581: */
582: int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **suites);
583:
584: #endif /** TLS_CRYPTO_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to tls_crypto.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libtls