Annotation of embedaddon/strongswan/src/libtls/tls_crypto.h, revision 1.1.1.2
1.1 misho 1: /*
1.1.1.2 ! misho 2: * Copyright (C) 2020 Tobias Brunner
! 3: * Copyright (C) 2020-2021 Pascal Knecht
! 4: * Copyright (C) 2020 Méline Sieber
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
1.1 misho 7: * Copyright (C) 2010 Martin Willi
8: * Copyright (C) 2010 revosec AG
9: *
10: * This program is free software; you can redistribute it and/or modify it
11: * under the terms of the GNU General Public License as published by the
12: * Free Software Foundation; either version 2 of the License, or (at your
13: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14: *
15: * This program is distributed in the hope that it will be useful, but
16: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18: * for more details.
19: */
20:
21: /**
22: * @defgroup tls_crypto tls_crypto
23: * @{ @ingroup libtls
24: */
25:
26: #ifndef TLS_CRYPTO_H_
27: #define TLS_CRYPTO_H_
28:
29: typedef struct tls_crypto_t tls_crypto_t;
30: typedef enum tls_cipher_suite_t tls_cipher_suite_t;
31: typedef enum tls_hash_algorithm_t tls_hash_algorithm_t;
1.1.1.2 ! misho 32: typedef enum tls_signature_scheme_t tls_signature_scheme_t;
1.1 misho 33: typedef enum tls_client_certificate_type_t tls_client_certificate_type_t;
34: typedef enum tls_ecc_curve_type_t tls_ecc_curve_type_t;
1.1.1.2 ! misho 35: typedef enum tls_named_group_t tls_named_group_t;
1.1 misho 36: typedef enum tls_ansi_point_format_t tls_ansi_point_format_t;
37: typedef enum tls_ec_point_format_t tls_ec_point_format_t;
38:
39: #include "tls.h"
40: #include "tls_prf.h"
41: #include "tls_protection.h"
42:
43: #include <library.h>
44:
45: #include <credentials/keys/private_key.h>
46:
47: /**
48: * TLS cipher suites
        *
        * Wire identifiers of known cipher suites. The list is a registry of code
        * points, so being listed here does not by itself mean a suite is supported
        * or safe to negotiate: it contains NULL-encryption, EXPORT, anonymous
        * (DH_anon/ECDH_anon), RC4 and single-DES suites. The supported subset is
        * obtained from get_cipher_suites() or tls_crypto_get_supported_suites();
        * the latter takes an explicit flag for including NULL encryption suites.
49: */
50: enum tls_cipher_suite_t {
1.1.1.2 ! misho 51: TLS_NULL_WITH_NULL_NULL = 0x0000,
! 52: TLS_RSA_WITH_NULL_MD5 = 0x0001,
! 53: TLS_RSA_WITH_NULL_SHA = 0x0002,
! 54: TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
! 55: TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
! 56: TLS_RSA_WITH_RC4_128_SHA = 0x0005,
! 57: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
! 58: TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
! 59: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
! 60: TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
! 61: TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
! 62: TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
! 63: TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
! 64: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
! 65: TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
! 66: TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
! 67: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
! 68: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
! 69: TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
! 70: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
! 71: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
! 72: TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
! 73: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
! 74: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
! 75: TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
! 76: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
! 77: TLS_DH_anon_WITH_DES_CBC_SHA = 0x001A,
! 78: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B,
! 79:
! 80: TLS_KRB5_WITH_DES_CBC_SHA = 0x001E,
! 81: TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F,
! 82: TLS_KRB5_WITH_RC4_128_SHA = 0x0020,
! 83: TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021,
! 84: TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022,
! 85: TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023,
! 86: TLS_KRB5_WITH_RC4_128_MD5 = 0x0024,
! 87: TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025,
! 88: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026,
! 89: TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027,
! 90: TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028,
! 91: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029,
! 92: TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A,
! 93: TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B,
! 94: TLS_PSK_WITH_NULL_SHA = 0x002C,
! 95: TLS_DHE_PSK_WITH_NULL_SHA = 0x002D,
! 96: TLS_RSA_PSK_WITH_NULL_SHA = 0x002E,
! 97: TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
! 98: TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
! 99: TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
! 100: TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
! 101: TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
! 102: TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034,
! 103: TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
! 104: TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
! 105: TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
! 106: TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
! 107: TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
! 108: TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A,
! 109: TLS_RSA_WITH_NULL_SHA256 = 0x003B,
! 110: TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
! 111: TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
! 112: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
! 113: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
! 114: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
! 115: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041,
! 116: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042,
! 117: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
! 118: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
! 119: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
! 120: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
! 121:
! 122: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
! 123: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
! 124: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
! 125: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
! 126: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
! 127: TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C,
! 128: TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D,
! 129:
! 130: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
! 131: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
! 132: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
! 133: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
! 134: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
! 135: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
! 136: TLS_PSK_WITH_RC4_128_SHA = 0x008A,
! 137: TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
! 138: TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
! 139: TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
! 140: TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
! 141: TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
! 142: TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
! 143: TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
! 144: TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
! 145: TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
! 146: TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
! 147: TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
! 148: TLS_RSA_WITH_SEED_CBC_SHA = 0x0096,
! 149: TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097,
! 150: TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
! 151: TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
! 152: TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
! 153: TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B,
! 154: TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
! 155: TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
! 156: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
! 157: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
! 158: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
! 159: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
! 160: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
! 161: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
! 162: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
! 163: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
! 164: TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6,
! 165: TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7,
! 166: TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
! 167: TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
! 168: TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
! 169: TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
! 170: TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
! 171: TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
! 172: TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
! 173: TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
! 174: TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
! 175: TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
! 176: TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
! 177: TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
! 178: TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
! 179: TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
! 180: TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
! 181: TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
! 182: TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
! 183: TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
! 184: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA,
! 185: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB,
! 186: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
! 187: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
! 188: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
! 189: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
! 190: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
! 191: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
! 192: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
! 193: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
! 194: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
! 195: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
! 196:
        /* signalling value for secure renegotiation (RFC 5746), not a
         * negotiable cipher suite */
! 197: TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF,
! 198:
        /* TLS 1.3 suites: the name carries only the AEAD cipher and the hash */
! 199: TLS_AES_128_GCM_SHA256 = 0x1301,
! 200: TLS_AES_256_GCM_SHA384 = 0x1302,
! 201: TLS_CHACHA20_POLY1305_SHA256 = 0x1303,
! 202: TLS_AES_128_CCM_SHA256 = 0x1304,
! 203: TLS_AES_128_CCM_8_SHA256 = 0x1305,
! 204:
! 205: TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
! 206: TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
! 207: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
! 208: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
! 209: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
! 210: TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
! 211: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
! 212: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
! 213: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
! 214: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
! 215: TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
! 216: TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
! 217: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
! 218: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
! 219: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
! 220: TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
! 221: TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
! 222: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
! 223: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
! 224: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
! 225: TLS_ECDH_anon_WITH_NULL_SHA = 0xC015,
! 226: TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016,
! 227: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017,
! 228: TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018,
! 229: TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019,
! 230: TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
! 231: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
! 232: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C,
! 233: TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D,
! 234: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E,
! 235: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F,
! 236: TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020,
! 237: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021,
! 238: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022,
! 239: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
! 240: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
! 241: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
! 242: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
! 243: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
! 244: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
! 245: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
! 246: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
! 247: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
! 248: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
! 249: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
! 250: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
! 251: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
! 252: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
! 253: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
! 254: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
! 255: TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033,
! 256: TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034,
! 257: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035,
! 258: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036,
! 259: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037,
! 260: TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038,
! 261: TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
! 262: TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
! 263: TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B,
! 264: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8,
! 265: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9,
! 266: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAA,
1.1 misho 267: };
268:
269: /**
270: * Enum names for tls_cipher_suite_t
271: */
272: extern enum_name_t *tls_cipher_suite_names;
273:
274: /**
275: * TLS HashAlgorithm identifiers
        *
        * The values correspond to the first byte of the legacy (TLS 1.2
        * compatible) entries of tls_signature_scheme_t, e.g. TLS_HASH_SHA256 (4)
        * and TLS_SIG_RSA_PKCS1_SHA256 (0x0401). TLS_HASH_MD5 and TLS_HASH_SHA1
        * name hashes that are no longer collision resistant.
276: */
277: enum tls_hash_algorithm_t {
278: TLS_HASH_NONE = 0,
279: TLS_HASH_MD5 = 1,
280: TLS_HASH_SHA1 = 2,
281: TLS_HASH_SHA224 = 3,
282: TLS_HASH_SHA256 = 4,
283: TLS_HASH_SHA384 = 5,
284: TLS_HASH_SHA512 = 6,
285: };
286:
287: /**
288: * Enum names for tls_hash_algorithm_t
289: */
290: extern enum_name_t *tls_hash_algorithm_names;
291:
292: /**
1.1.1.2 ! misho 293: * TLS SignatureScheme identifiers
        *
        * Two-byte wire values. No MD5-based scheme is defined here; the SHA-1 and
        * SHA-224 entries exist only in the legacy group kept for TLS 1.2 peers.
1.1 misho 294: */
1.1.1.2 ! misho 295: enum tls_signature_scheme_t {
! 296: /* legacy schemes compatible with TLS 1.2 (first byte is the hash algorithm,
! 297: * second the key type) */
! 298: TLS_SIG_RSA_PKCS1_SHA1 = 0x0201,
! 299: TLS_SIG_ECDSA_SHA1 = 0x0203,
! 300: TLS_SIG_RSA_PKCS1_SHA224 = 0x0301,
! 301: TLS_SIG_DSA_SHA224 = 0x0302,
! 302: TLS_SIG_ECDSA_SHA224 = 0x0303,
! 303: TLS_SIG_RSA_PKCS1_SHA256 = 0x0401,
! 304: TLS_SIG_DSA_SHA256 = 0x0402,
! 305: TLS_SIG_ECDSA_SHA256 = 0x0403,
! 306: TLS_SIG_RSA_PKCS1_SHA384 = 0x0501,
! 307: TLS_SIG_DSA_SHA384 = 0x0502,
! 308: TLS_SIG_ECDSA_SHA384 = 0x0503,
! 309: TLS_SIG_RSA_PKCS1_SHA512 = 0x0601,
! 310: TLS_SIG_DSA_SHA512 = 0x0602,
! 311: TLS_SIG_ECDSA_SHA512 = 0x0603,
        /* the 0x08xx values below are opaque identifiers; the hash/key-type byte
         * split of the legacy group does not apply to them */
! 312: /* RSASSA-PSS for public keys with OID rsaEncryption */
! 313: TLS_SIG_RSA_PSS_RSAE_SHA256 = 0x0804,
! 314: TLS_SIG_RSA_PSS_RSAE_SHA384 = 0x0805,
! 315: TLS_SIG_RSA_PSS_RSAE_SHA512 = 0x0806,
! 316: /* EdDSA */
! 317: TLS_SIG_ED25519 = 0x0807,
! 318: TLS_SIG_ED448 = 0x0808,
! 319: /* RSASSA-PSS for public keys with OID RSASSA-PSS */
! 320: TLS_SIG_RSA_PSS_PSS_SHA256 = 0x0809,
! 321: TLS_SIG_RSA_PSS_PSS_SHA384 = 0x080a,
! 322: TLS_SIG_RSA_PSS_PSS_SHA512 = 0x080b,
1.1 misho 323: };
324:
325: /**
1.1.1.2 ! misho 326: * Enum names for tls_signature_scheme_t
1.1 misho 327: */
1.1.1.2 ! misho 328: extern enum_name_t *tls_signature_scheme_names;
1.1 misho 329:
330: /**
331: * TLS ClientCertificateType
        *
        * Fixed wire identifiers. The numbering is not contiguous (6, 20, 64), so
        * the enum must not be used as a dense index or range-checked with a
        * simple upper bound.
332: */
333: enum tls_client_certificate_type_t {
334: TLS_RSA_SIGN = 1,
335: TLS_DSA_SIGN = 2,
336: TLS_RSA_FIXED_DH = 3,
337: TLS_DSS_FIXED_DH = 4,
338: TLS_RSA_EPHEMERAL_DH = 5,
339: TLS_DSS_EPHEMERAL_DH = 6,
340: TLS_FORTEZZA_DMS = 20,
341: TLS_ECDSA_SIGN = 64,
342: TLS_RSA_FIXED_ECDH = 65,
343: TLS_ECDSA_FIXED_ECDH = 66,
344: };
345:
346: /**
347: * Enum names for tls_client_certificate_type_t
348: */
349: extern enum_name_t *tls_client_certificate_type_names;
350:
351: /**
352: * TLS EccCurveType
        *
        * Fixed wire identifiers; no enumerator is defined for the value 0.
353: */
354: enum tls_ecc_curve_type_t {
355: TLS_ECC_EXPLICIT_PRIME = 1,
356: TLS_ECC_EXPLICIT_CHAR2 = 2,
357: TLS_ECC_NAMED_CURVE = 3,
358: };
359:
360: /**
361: * Enum names for tls_ecc_curve_type_t
362: */
363: extern enum_name_t *tls_ecc_curve_type_names;
364:
365: /**
366: * TLS named group identifiers (elliptic curves and, with the entries added
        * for TLS 1.3, finite-field Diffie-Hellman groups)
        *
        * The list is a registry of code points and includes small curves such as
        * the 160- and 163-bit ones; being listed here does not mean a group is
        * supported. The supported set is obtained from create_ec_enumerator() or
        * tls_crypto_get_supported_groups().
367: */
1.1.1.2 ! misho 368: enum tls_named_group_t {
1.1 misho 369: TLS_SECT163K1 = 1,
370: TLS_SECT163R1 = 2,
371: TLS_SECT163R2 = 3,
372: TLS_SECT193R1 = 4,
373: TLS_SECT193R2 = 5,
374: TLS_SECT233K1 = 6,
375: TLS_SECT233R1 = 7,
376: TLS_SECT239K1 = 8,
377: TLS_SECT283K1 = 9,
378: TLS_SECT283R1 = 10,
379: TLS_SECT409K1 = 11,
380: TLS_SECT409R1 = 12,
381: TLS_SECT571K1 = 13,
382: TLS_SECT571R1 = 14,
383: TLS_SECP160K1 = 15,
384: TLS_SECP160R1 = 16,
385: TLS_SECP160R2 = 17,
386: TLS_SECP192K1 = 18,
387: TLS_SECP192R1 = 19,
388: TLS_SECP224K1 = 20,
389: TLS_SECP224R1 = 21,
390: TLS_SECP256K1 = 22,
391: TLS_SECP256R1 = 23,
392: TLS_SECP384R1 = 24,
393: TLS_SECP521R1 = 25,
1.1.1.2 ! misho 394:
! 395: /* TLS 1.3: new ecdhe, dhe groups */
! 396: TLS_CURVE25519 = 29,
! 397: TLS_CURVE448 = 30,
! 398: TLS_FFDHE2048 = 256,
! 399: TLS_FFDHE3072 = 257,
! 400: TLS_FFDHE4096 = 258,
! 401: TLS_FFDHE6144 = 259,
! 402: TLS_FFDHE8192 = 260,
1.1 misho 403: };
404:
405: /**
1.1.1.2 ! misho 406: * Enum names for tls_named_group_t
1.1 misho 407: */
1.1.1.2 ! misho 408: extern enum_name_t *tls_named_group_names;
1.1 misho 409:
410: /**
411: * EC Point format, ANSI X9.62.
        *
        * This numbering is distinct from tls_ec_point_format_t (uncompressed is 4
        * here and 0 there); the two enums must not be interchanged.
412: */
413: enum tls_ansi_point_format_t {
414: TLS_ANSI_COMPRESSED = 2,
415: TLS_ANSI_COMPRESSED_Y = 3,
416: TLS_ANSI_UNCOMPRESSED = 4,
417: TLS_ANSI_HYBRID = 6,
418: TLS_ANSI_HYBRID_Y = 7,
419: };
420:
421: /**
422: * Enum names for tls_ansi_point_format_t.
423: */
424: extern enum_name_t *tls_ansi_point_format_names;
425:
426: /**
427: * EC Point format, TLS specific identifiers.
        *
        * This numbering is distinct from tls_ansi_point_format_t (uncompressed is
        * 0 here and 4 there); the two enums must not be interchanged.
428: */
429: enum tls_ec_point_format_t {
430: TLS_EC_POINT_UNCOMPRESSED = 0,
431: TLS_EC_POINT_ANSIX962_COMPRESSED_PRIME = 1,
432: TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2 = 2,
433: };
434:
435: /**
436: * Enum names for tls_ec_point_format_t.
437: */
438: extern enum_name_t *tls_ec_point_format_names;
439:
440: /**
441: * TLS crypto helper functions.
        *
        * Interface of function pointers; every method takes the instance as its
        * first argument. Several methods return a success flag or a sentinel
        * value that callers have to check, as noted on the individual members.
442: */
443: struct tls_crypto_t {
444:
445: /**
446: * Get a list of supported TLS cipher suites.
447: *
1.1.1.2 ! misho 448: * @param suites optional list of suites, points to internal data
1.1 misho 449: * @return number of suites returned
450: */
451: int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites);
452:
453: /**
454: * Select and store a cipher suite from a given list of candidates.
455: *
456: * @param suites list of candidates to select from
457: * @param count number of suites
458: * @param key key type used, or KEY_ANY
459: * @return selected suite, 0 if none acceptable
        *          (0 is also the value of TLS_NULL_WITH_NULL_NULL, so a 0
        *          result has to be handled as failure, never as a suite)
460: */
461: tls_cipher_suite_t (*select_cipher_suite)(tls_crypto_t *this,
462: tls_cipher_suite_t *suites, int count,
463: key_type_t key);
464:
465: /**
466: * Get the Diffie-Hellman group to use, if any.
467: *
468: * @return Diffie Hellman group, or MODP_NONE
469: */
470: diffie_hellman_group_t (*get_dh_group)(tls_crypto_t *this);
471:
472: /**
1.1.1.2 ! misho 473: * Write the list of supported signature schemes, either for certificates
! 474: * or for CertificateVerify messages, to writer.
1.1 misho 475: *
1.1.1.2 ! misho 476: * @param writer writer to write supported signature schemes
! 477: * @param cert TRUE to return signature schemes supported in certs
1.1 misho 478: */
1.1.1.2 ! misho 479: void (*get_signature_algorithms)(tls_crypto_t *this, bio_writer_t *writer,
! 480: bool cert);
1.1 misho 481:
482: /**
483: * Create an enumerator over supported ECDH groups.
484: *
1.1.1.2 ! misho 485: * Enumerates over (diffie_hellman_group_t, tls_named_group_t)
1.1 misho 486: *
487: * @return enumerator
488: */
489: enumerator_t* (*create_ec_enumerator)(tls_crypto_t *this);
490:
491: /**
492: * Set the protection layer of the TLS stack to control it.
493: *
494: * @param protection protection layer to work on
495: */
496: void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection);
497:
498: /**
499: * Store exchanged handshake data, used for cryptographic operations.
500: *
501: * @param type handshake sub type
502: * @param data data to append to handshake buffer
503: */
504: void (*append_handshake)(tls_crypto_t *this,
505: tls_handshake_type_t type, chunk_t data);
506:
507: /**
1.1.1.2 ! misho 508: * Hash the stored handshake data and store it. It is optionally returned
! 509: * so it could be sent in a cookie extension.
! 510: *
! 511: * @param hash optionally returned hash (allocated)
        * NOTE(review): the bool return value is not documented here; presumably
        * TRUE if the handshake data was hashed successfully - confirm against
        * the implementation.
! 512: */
! 513: bool (*hash_handshake)(tls_crypto_t *this, chunk_t *hash);
! 514:
! 515: /**
1.1 misho 516: * Sign a blob of data, append signature to writer.
517: *
518: * @param key private key to use for signature
519: * @param writer TLS writer to write signature to
520: * @param data data to sign
521: * @param hashsig list of TLS1.2 hash/sig algorithms to select from
522: * @return TRUE if signature created successfully
523: */
524: bool (*sign)(tls_crypto_t *this, private_key_t *key,
525: bio_writer_t *writer, chunk_t data, chunk_t hashsig);
526:
527: /**
528: * Verify a blob of data, read signature from a reader.
529: *
530: * @param key public key to verify signature with
531: * @param reader TLS reader to read signature from
532: * @param data data to verify signature
533: * @return TRUE if signature valid
534: */
535: bool (*verify)(tls_crypto_t *this, public_key_t *key,
536: bio_reader_t *reader, chunk_t data);
537:
538: /**
539: * Create a signature of the handshake data using a given private key.
540: *
541: * @param key private key to use for signature
542: * @param writer TLS writer to write signature to
543: * @param hashsig list of TLS1.2 hash/sig algorithms to select from
544: * @return TRUE if signature created successfully
545: */
546: bool (*sign_handshake)(tls_crypto_t *this, private_key_t *key,
547: bio_writer_t *writer, chunk_t hashsig);
548:
549: /**
550: * Verify the signature over handshake data using a given public key.
551: *
552: * @param key public key to verify signature with
553: * @param reader TLS reader to read signature from
554: * @return TRUE if signature valid
555: */
556: bool (*verify_handshake)(tls_crypto_t *this, public_key_t *key,
557: bio_reader_t *reader);
558:
559: /**
1.1.1.2 ! misho 560: * Calculate the data of a legacy TLS finished message.
1.1 misho 561: *
562: * @param label ASCII label to use for calculation
563: * @param out buffer to write finished data to
        *             (declared as char[12]; the array bound is not enforced
        *             by the compiler, so the caller has to pass a buffer of
        *             at least 12 bytes)
564: * @return TRUE if calculation successful
565: */
1.1.1.2 ! misho 566: bool (*calculate_finished_legacy)(tls_crypto_t *this, char *label,
! 567: char out[12]);
! 568:
! 569: /**
! 570: * Calculate the data of a TLS finished message.
! 571: *
! 572: * @param server Whether the server or client finished message is calculated
! 573: * @param out buffer to write finished data to
! 574: * @return TRUE if calculation successful
! 575: */
! 576: bool (*calculate_finished)(tls_crypto_t *this, bool server,
! 577: chunk_t *out);
1.1 misho 578:
579: /**
580: * Derive the master secret, MAC and encryption keys.
581: *
582: * @param premaster premaster secret
583: * @param session session identifier to cache master secret
584: * @param id identity the session is bound to
585: * @param client_random random data from client hello
586: * @param server_random random data from server hello
587: * @return TRUE if secrets derived successfully
588: */
589: bool (*derive_secrets)(tls_crypto_t *this, chunk_t premaster,
590: chunk_t session, identification_t *id,
591: chunk_t client_random, chunk_t server_random);
592:
593: /**
1.1.1.2 ! misho 594: * Derive the handshake keys.
! 595: *
! 596: * @param shared_secret input key material
! 597: * @return TRUE if secret derived successfully
! 598: */
! 599: bool (*derive_handshake_keys)(tls_crypto_t *this, chunk_t shared_secret);
! 600:
! 601: /**
! 602: * Derive the application keys.
! 603: *
! 604: * @return TRUE if secret derived successfully
! 605: */
! 606: bool (*derive_app_keys)(tls_crypto_t *this);
! 607:
! 608: /**
! 609: * Update the application keys.
! 610: *
! 611: * @param inbound whether to update the in- or outbound keys
! 612: * @return TRUE if secret derived successfully
! 613: */
! 614: bool (*update_app_keys)(tls_crypto_t *this, bool inbound);
! 615:
! 616: /**
1.1 misho 617: * Try to resume a TLS session, derive key material.
618: *
619: * @param session session identifier
620: * @param id identity the session is bound to
621: * @param client_random random data from client hello
622: * @param server_random random data from server hello
623: * @return selected suite
        * NOTE(review): the value returned when no session can be resumed is not
        * documented here; presumably 0, as for select_cipher_suite - confirm
        * against the implementation.
624: */
625: tls_cipher_suite_t (*resume_session)(tls_crypto_t *this, chunk_t session,
626: identification_t *id,
627: chunk_t client_random,
628: chunk_t server_random);
629:
630: /**
631: * Check if we have a session to resume as a client.
632: *
633: * @param id server identity to get a session for
634: * @return allocated session identifier, or chunk_empty
635: */
636: chunk_t (*get_session)(tls_crypto_t *this, identification_t *id);
637:
638: /**
639: * Change the cipher used at protection layer.
640: *
641: * @param inbound TRUE to change inbound cipher, FALSE for outbound
642: */
643: void (*change_cipher)(tls_crypto_t *this, bool inbound);
644:
645: /**
646: * Get the MSK to use in EAP-TLS.
647: *
648: * @return MSK, points to internal data
        *          (key material owned by this object: the caller must not
        *          free it; copy it if it is needed independently)
649: */
650: chunk_t (*get_eap_msk)(tls_crypto_t *this);
651:
652: /**
653: * Destroy a tls_crypto_t.
654: */
655: void (*destroy)(tls_crypto_t *this);
656: };
657:
658: /**
659: * Create a tls_crypto instance.
660: *
661: * @param tls TLS stack
662: * @param cache TLS session cache
663: * @return TLS crypto helper
664: */
665: tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache);
666:
667: /**
668: * Get a list of all supported TLS cipher suites.
669: *
670: * @param null include supported NULL encryption suites
1.1.1.2 ! misho 671: * @param version TLS version
1.1 misho 672: * @param suites pointer to allocated suites array, to free(), or NULL
673: * @return number of suites supported
674: */
1.1.1.2 ! misho 675: int tls_crypto_get_supported_suites(bool null, tls_version_t version,
! 676: tls_cipher_suite_t **suites);
! 677:
! 678: /**
! 679: * Get a list of all supported TLS DH groups.
! 680: *
! 681: * @param groups pointer to allocated DH group array, to free(), or NULL
! 682: * @return number of groups supported
! 683: */
! 684: int tls_crypto_get_supported_groups(diffie_hellman_group_t **groups);
! 685:
! 686: /**
! 687: * Get a list of all supported TLS signature schemes.
! 688: *
! 689: * @param version TLS version
! 690: * @param schemes pointer to allocated signature array, to free(), or NULL
! 691: * @return number of signature schemes supported
! 692: */
! 693: int tls_crypto_get_supported_signatures(tls_version_t version,
! 694: tls_signature_scheme_t **schemes);
! 695:
! 696: /**
! 697: * Get the TLS curve of a given EC DH group
! 698: *
! 699: * @param group diffie hellman group indicator
! 700: * @return TLS group indicator
! 701: */
! 702: tls_named_group_t tls_ec_group_to_curve(diffie_hellman_group_t group);
! 703:
! 704: /**
! 705: * Get the key type from a TLS signature scheme
! 706: *
! 707: * @param sig TLS signature algorithm scheme
! 708: * @return type of a key
! 709: */
! 710: key_type_t tls_signature_scheme_to_key_type(tls_signature_scheme_t sig);
! 711:
! 712: /**
! 713: * Find a private key to encrypt/verify key exchange data
! 714: *
! 715: * @param min_version minimum negotiated TLS version
! 716: * @param max_version maximum negotiated TLS version
! 717: * @param hashsig hash and signature algorithms supported by other peer
! 718: * @param peer this peer identification
! 719: * @return enumerator over private keys,
! 720: * NULL in case no common signature scheme
! 721: */
! 722: enumerator_t *tls_create_private_key_enumerator(tls_version_t min_version,
! 723: tls_version_t max_version,
! 724: chunk_t hashsig,
! 725: identification_t *peer);
1.1 misho 726:
727: #endif /** TLS_CRYPTO_H_ @}*/