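/*
 *  matrixssllib.h
 *  Release $Name: MATRIXSSL-3-3-0-OPEN $
 *
 *  Internal header file used for the MatrixSSL implementation.
 *  Only modifiers of the library should be interested in this file
 */
/*
 *  Copyright (c) AuthenTec, Inc. 2011-2012
 *  Copyright (c) PeerSec Networks, 2002-2011
 *  All Rights Reserved
 *
 *  The latest version of this code is available at http://www.matrixssl.org
 *
 *  This software is open source; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This General Public License does NOT permit incorporating this software
 *  into proprietary programs.  If you are unable to comply with the GPL, a
 *  commercial license for this software may be purchased from AuthenTec at
 *  http://www.authentec.com/Products/EmbeddedSecurity/SecurityToolkits.aspx
 *
 *  This program is distributed in WITHOUT ANY WARRANTY; without even the
 *  implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *  See the GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *  http://www.gnu.org/copyleft/gpl.html
 */
/******************************************************************************/

#ifndef _h_MATRIXSSLLIB
#define _h_MATRIXSSLLIB

#ifdef __cplusplus
extern "C" {
#endif

/*****************************************************************************/
/*
    Start with compile-time checks for the necessary proto and crypto support.

    At least one protocol must remain: either TLS is enabled (USE_TLS) or
    SSLv3 is left enabled (DISABLE_SSLV3 not defined).

    NOTE(review): SSLv3 stays compiled in unless DISABLE_SSLV3 is defined.
    SSL 3.0 is deprecated (RFC 7568); hardened builds should define
    DISABLE_SSLV3 together with USE_TLS.
*/
#if !defined(USE_TLS) && defined(DISABLE_SSLV3)
#error "Must enable a protocol: USE_TLS enabled or DISABLE_SSLV3 disabled"
#endif

#if defined(USE_TLS_1_1) && !defined(USE_TLS)
#error "Must define USE_TLS if defining USE_TLS_1_1"
#endif

/******************************************************************************/
/*
    SHA1 and MD5 are essential elements for SSL key derivation during
    protocol processing, so both digests must be compiled in.
*/
#if !defined USE_MD5 || !defined USE_SHA1
#error "Must enable both USE_MD5 and USE_SHA1 in cryptoConfig.h for MatrixSSL"
#endif

#if !defined USE_CLIENT_SIDE_SSL && !defined USE_SERVER_SIDE_SSL
#error "Must enable either USE_CLIENT_SIDE_SSL or USE_SERVER_SIDE_SSL (or both)"
#endif

/*
    A client build cannot work without certificate parsing.
*/
#ifndef USE_CERT_PARSE
    #ifdef USE_CLIENT_SIDE_SSL
    #error "Must enable USE_CERT_PARSE if building client with USE_CLIENT_SIDE_SSL"
    #endif
#endif

/*
    X.509 is required for all configurations of SSL below
*/
#ifndef USE_X509
#error "Must enable USE_X509 in cryptoConfig.h for MatrixSSL"
#endif

#ifdef USE_TLS
    #ifndef USE_HMAC
    #error "Must enable USE_HMAC in cryptoConfig.h for TLS protocol support"
    #endif
#endif

/*
    Handle the various combos of REHANDSHAKES defines

    ENABLE_INSECURE_REHANDSHAKES and REQUIRE_SECURE_REHANDSHAKES are mutually
    exclusive.  Either ENABLE_* define turns on SSL_REHANDSHAKES_ENABLED, and
    REQUIRE_SECURE_REHANDSHAKES implies ENABLE_SECURE_REHANDSHAKES.

    NOTE(review): as its name says, ENABLE_INSECURE_REHANDSHAKES is the
    unprotected option; presumably it allows renegotiation with peers that
    do not send the renegotiation_info extension (RFC 5746) - confirm in the
    handshake code.  Prefer REQUIRE_SECURE_REHANDSHAKES, or leave all three
    undefined so that re-handshakes are compiled out.
*/
#if defined(ENABLE_INSECURE_REHANDSHAKES) && defined(REQUIRE_SECURE_REHANDSHAKES)
#error "Can't enable both ENABLE_INSECURE_REHANDSHAKES and REQUIRE_SECURE_REHANDSHAKES"
#endif

#if defined(ENABLE_INSECURE_REHANDSHAKES) || defined(ENABLE_SECURE_REHANDSHAKES)
#define SSL_REHANDSHAKES_ENABLED
#endif

#if defined(REQUIRE_SECURE_REHANDSHAKES) && !defined(ENABLE_SECURE_REHANDSHAKES)
#define SSL_REHANDSHAKES_ENABLED
#define ENABLE_SECURE_REHANDSHAKES
#endif

/******************************************************************************/
/*
    Test specific crypto features based on which cipher suites are enabled.
    Each enabled suite checks that its primitives are compiled in and then
    defines the internal feature macros (MAC, key exchange, bulk cipher).
*/

/*
    NULL suites: the record is MACed but not encrypted, so application data
    crosses the wire in clear text.  Keep them out of production builds.
*/
#ifdef USE_SSL_RSA_WITH_NULL_MD5
    #ifndef USE_RSA
    #error "Enable USE_RSA in cryptoConfig.h for SSL_RSA_WITH_NULL_MD5 suite"
    #endif
    #define USE_MD5_MAC
    #define USE_RSA_CIPHER_SUITE
    #define REQUIRE_RSA_KEYS
#endif

#ifdef USE_SSL_RSA_WITH_NULL_SHA
    #ifndef USE_RSA
    #error "Enable USE_RSA in cryptoConfig.h for SSL_RSA_WITH_NULL_SHA suite"
    #endif
    #define USE_SHA_MAC
    #define USE_RSA_CIPHER_SUITE
    #define REQUIRE_RSA_KEYS
#endif

/*
    RC4 suites.  NOTE(review): RC4 cipher suites are prohibited for TLS by
    RFC 7465; enable only when a legacy peer leaves no alternative.
*/
#ifdef USE_SSL_RSA_WITH_RC4_128_SHA
    #ifndef USE_RSA
    #error "Enable USE_RSA in cryptoConfig.h for SSL_RSA_WITH_RC4_128_SHA suite"
    #endif
    #ifndef USE_ARC4
    #error "Enable USE_ARC4 in cryptoConfig.h for SSL_RSA_WITH_RC4_128_SHA suite"
    #endif
    #define USE_SHA_MAC
    #define USE_RSA_CIPHER_SUITE
    #define USE_ARC4_CIPHER_SUITE
    #define REQUIRE_RSA_KEYS
#endif

#ifdef USE_SSL_RSA_WITH_RC4_128_MD5
    #ifndef USE_RSA
    #error "Enable USE_RSA in cryptoConfig.h for SSL_RSA_WITH_RC4_128_MD5 suite"
    #endif
    #ifndef USE_ARC4
    #error "Enable USE_ARC4 in cryptoConfig.h for SSL_RSA_WITH_RC4_128_MD5 suite"
    #endif
    #define USE_MD5_MAC
    #define USE_RSA_CIPHER_SUITE
    #define USE_ARC4_CIPHER_SUITE
    #define REQUIRE_RSA_KEYS
#endif

/*
    3DES suite: a 64-bit block cipher in CBC mode; prefer the AES suites
    below when the peer supports them.
*/
#ifdef USE_SSL_RSA_WITH_3DES_EDE_CBC_SHA
    #ifndef USE_RSA
    #error "Enable USE_RSA in cryptoConfig.h for SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    #endif
    #ifndef USE_3DES
    #error "Enable USE_3DES in cryptoConfig.h for SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    #endif
    #define USE_SHA_MAC
    #define USE_RSA_CIPHER_SUITE
    #define USE_3DES_CIPHER_SUITE
    #define REQUIRE_RSA_KEYS
#endif

#ifdef USE_TLS_RSA_WITH_AES_128_CBC_SHA
    #ifndef USE_RSA
    #error "Enable USE_RSA in cryptoConfig.h for TLS_RSA_WITH_AES_128_CBC_SHA"
    #endif
    #ifndef USE_AES
    #error "Enable USE_AES in cryptoConfig.h for TLS_RSA_WITH_AES_128_CBC_SHA"
    #endif
    #define USE_SHA_MAC
    #define USE_AES_CIPHER_SUITE
    #define USE_RSA_CIPHER_SUITE
    #define REQUIRE_RSA_KEYS
#endif

#ifdef USE_TLS_RSA_WITH_AES_256_CBC_SHA
    #ifndef USE_RSA
    #error "Enable USE_RSA in cryptoConfig.h for TLS_RSA_WITH_AES_256_CBC_SHA"
    #endif
    #ifndef USE_AES
    #error "Enable USE_AES in cryptoConfig.h for TLS_RSA_WITH_AES_256_CBC_SHA"
    #endif
    #define USE_SHA_MAC
    #define USE_AES_CIPHER_SUITE
    #define USE_RSA_CIPHER_SUITE
    #define REQUIRE_RSA_KEYS
#endif

/******************************************************************************/
/******************************************************************************/

/******************************************************************************/
/*
    Leave this enabled for run-time check of sslKeys_t content when a cipher
    suite is matched.  Disable only if you need to manage key material yourself.
    Always conditional on whether certificate parsing is enabled because it
    looks at members that only exist if certificates have been parsed
*/
#ifdef USE_CERT_PARSE
#define VALIDATE_KEY_MATERIAL
#endif /* USE_CERT_PARSE */
/******************************************************************************/

/******************************************************************************/
/*  SSL protocol and MatrixSSL defines */
/******************************************************************************/
/*
    Maximum SSL record size, per specification

    The derived sizes are parenthesized so that they expand correctly inside
    larger expressions; without the parentheses `2 * SSL_MAX_RECORD_LEN`
    would evaluate to 2 * 0x4000 + 2048 and silently under-size a buffer.
*/
#define SSL_MAX_PLAINTEXT_LEN       0x4000  /* 16KB */
#define SSL_MAX_RECORD_LEN          (SSL_MAX_PLAINTEXT_LEN + 2048)
#define SSL_MAX_BUF_SIZE            (SSL_MAX_RECORD_LEN + 0x5)
#define SSL_MAX_DISABLED_CIPHERS    8
/*
    Maximum buffer sizes for static SSL array types
*/
#define SSL_MAX_MAC_SIZE        32
#define SSL_MAX_IV_SIZE         16
#define SSL_MAX_BLOCK_SIZE      16
#define SSL_MAX_SYM_KEY_SIZE    32

/*
    Negative return codes must be between -50 and -69 in the MatrixSSL module
*/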
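#define SSL_FULL            (-50)   /* must call sslRead before decoding */
#define SSL_PARTIAL         (-51)   /* more data required to parse full msg */
#define SSL_SEND_RESPONSE   (-52)   /* decode produced output data */
#define SSL_PROCESS_DATA    (-53)   /* successfully decoded application data */
#define SSL_ALERT           (-54)   /* we've decoded an alert */
#define SSL_FILE_NOT_FOUND  (-55)   /* File not found */
#define SSL_MEM_ERROR       PS_MEM_FAIL /* Memory allocation failure */

/*
    Magic numbers for handshake header lengths
*/
#define SSL2_HEADER_LEN             2
#define SSL3_HEADER_LEN             5
#define SSL3_HANDSHAKE_HEADER_LEN   4

/*
    matrixSslSetSessionOption defines
*/
#define SSL_OPTION_FULL_HANDSHAKE   1

/*
    SSL Alert levels and descriptions
    This implementation treats all alerts that are not related to
    certificate validation as fatal
*/
#define SSL_ALERT_LEVEL_WARNING             1
#define SSL_ALERT_LEVEL_FATAL               2

#define SSL_ALERT_CLOSE_NOTIFY              0
#define SSL_ALERT_UNEXPECTED_MESSAGE        10
#define SSL_ALERT_BAD_RECORD_MAC            20
#define SSL_ALERT_DECRYPTION_FAILED         21
#define SSL_ALERT_RECORD_OVERFLOW           22
#define SSL_ALERT_DECOMPRESSION_FAILURE     30
#define SSL_ALERT_HANDSHAKE_FAILURE         40
#define SSL_ALERT_NO_CERTIFICATE            41
#define SSL_ALERT_BAD_CERTIFICATE           42
#define SSL_ALERT_UNSUPPORTED_CERTIFICATE   43
#define SSL_ALERT_CERTIFICATE_REVOKED       44
#define SSL_ALERT_CERTIFICATE_EXPIRED       45
#define SSL_ALERT_CERTIFICATE_UNKNOWN       46
#define SSL_ALERT_ILLEGAL_PARAMETER         47
#define SSL_ALERT_UNKNOWN_CA                48
#define SSL_ALERT_ACCESS_DENIED             49
#define SSL_ALERT_DECODE_ERROR              50
#define SSL_ALERT_DECRYPT_ERROR             51
#define SSL_ALERT_PROTOCOL_VERSION          70
#define SSL_ALERT_INTERNAL_ERROR            80
#define SSL_ALERT_NO_RENEGOTIATION          100
#define SSL_ALERT_UNSUPPORTED_EXTENSION     110

/*
    Use as return code in user validation callback to allow
    anonymous connections to proceed.
    MUST NOT OVERLAP WITH ANY OF THE ALERT CODES ABOVE

    NOTE(review): a callback that returns this value lets the handshake
    continue with a peer certificate it did not accept, so the peer is not
    authenticated.  Return it only where an anonymous session is an explicit
    design decision, never as a generic "ignore the error" shortcut.
*/
#define SSL_ALLOW_ANON_CONNECTION           254

/*
    Internal flags for ssl_t.flags field.
    Each value is a single bit; SSL_FLAGS_TLS_1_2 is not contiguous with the
    others.
*/
#define SSL_FLAGS_SERVER        0x000001
#define SSL_FLAGS_READ_SECURE   0x000002
#define SSL_FLAGS_WRITE_SECURE  0x000004
#define SSL_FLAGS_RESUMED       0x000008
#define SSL_FLAGS_CLOSED        0x000010
#define SSL_FLAGS_NEED_ENCODE   0x000020
#define SSL_FLAGS_ERROR         0x000040
#define SSL_FLAGS_TLS           0x000080
#define SSL_FLAGS_CLIENT_AUTH   0x000100
#define SSL_FLAGS_ANON_CIPHER   0x000200
#define SSL_FLAGS_FALSE_START   0x000400
#define SSL_FLAGS_TLS_1_1       0x000800
#define SSL_FLAGS_TLS_1_2       0x400000

/*
    Buffer flags (ssl->bFlags)
*/
#define BFLAG_CLOSE_AFTER_SENT  0x01
#define BFLAG_HS_COMPLETE       0x02
#define BFLAG_STOP_BEAST        0x04

/*
    Number of bytes server must send before creating a re-handshake credit

    The byte count is parenthesized so that it stays one value when the macro
    is used as an operand (for example as a divisor).
*/
#define DEFAULT_RH_CREDITS      1 /* Allow for one rehandshake by default */
#define BYTES_BEFORE_RH_CREDIT  (20 * 1024 * 1024)

/*
    Cipher types
*/
#define CS_NULL         0
#define CS_RSA          1

/*
    These are defines rather than enums because we want to store them as char,
    not int32 (enum size)
*/
#define SSL_RECORD_TYPE_CHANGE_CIPHER_SPEC  20
#define SSL_RECORD_TYPE_ALERT               21
#define SSL_RECORD_TYPE_HANDSHAKE           22
#define SSL_RECORD_TYPE_APPLICATION_DATA    23

#define SSL_HS_HELLO_REQUEST        0
#define SSL_HS_CLIENT_HELLO         1
#define SSL_HS_SERVER_HELLO         2
#define SSL_HS_HELLO_VERIFY_REQUEST 3
#define SSL_HS_CERTIFICATE          11
#define SSL_HS_SERVER_KEY_EXCHANGE  12
#define SSL_HS_CERTIFICATE_REQUEST  13
#define SSL_HS_SERVER_HELLO_DONE    14
#define SSL_HS_CERTIFICATE_VERIFY   15
#define SSL_HS_CLIENT_KEY_EXCHANGE  16
#define SSL_HS_FINISHED             20
#define SSL_HS_DONE                 255 /* Handshake complete (internal) */

#define INIT_ENCRYPT_CIPHER     0
#define INIT_DECRYPT_CIPHER     1

#define HMAC_CREATE 1
#define HMAC_VERIFY 2

/*
    Additional ssl alert value, indicating no error has occurred.
*/
#define SSL_ALERT_NONE              255 /* No error */

#define SSL_HS_RANDOM_SIZE          32
#define SSL_HS_RSA_PREMASTER_SIZE   48

#define SSL2_MAJ_VER    2
#define SSL3_MAJ_VER    3
#define SSL3_MIN_VER    0
#define TLS_MIN_VER     1
#define TLS_1_1_MIN_VER 2
#define TLS_1_2_MIN_VER 3

#ifdef USE_TLS
#define TLS_HS_FINISHED_SIZE    12
#define TLS_MAJ_VER             3
#endif /* USE_TLS */

/*
    SSL cipher suite specification IDs
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a real suite.
*/
#define SSL_NULL_WITH_NULL_NULL             0x0000
#define SSL_RSA_WITH_NULL_MD5               0x0001
#define SSL_RSA_WITH_NULL_SHA               0x0002
#define SSL_RSA_WITH_RC4_128_MD5            0x0004
#define SSL_RSA_WITH_RC4_128_SHA            0x0005
#define SSL_RSA_WITH_3DES_EDE_CBC_SHA       0x000A  /* 10 */
#define TLS_RSA_WITH_AES_128_CBC_SHA        0x002F  /* 47 */
#define TLS_RSA_WITH_AES_256_CBC_SHA        0x0035  /* 53 */
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV   0x00FF

/*
    Supported HELLO extensions
*/
#define EXT_RENEGOTIATION_INFO      0xFF01
#define EXT_SIGNATURE_ALGORITHMS    0x000D

/*
    Maximum key block size for any defined cipher
    This must be validated if new ciphers are added
    Value is largest total among all cipher suites for
        2*macSize + 2*keySize + 2*ivSize
    plus SHA1_HASH_SIZE bytes, as in the expression below.

    Parenthesized so the sum stays one value when the macro is an operand of
    a larger expression; sslSec_t.keyBlock is sized with it.
*/
#define SSL_MAX_KEY_BLOCK_SIZE      (2*32 + 2*32 + 2*16 + SHA1_HASH_SIZE)

/*
    Master secret is 48 bytes, sessionId is 32 bytes max
*/
#define SSL_HS_MASTER_SIZE          48
#define SSL_MAX_SESSION_ID_SIZE     32

/*
    Trace macros.  When the corresponding USE_SSL_*_TRACE option is not
    defined they expand to nothing, so their arguments are never evaluated.
*/
#ifndef USE_SSL_HANDSHAKE_MSG_TRACE
#define psTraceHs(x)
#define psTraceStrHs(x, y)
#else
#define psTraceHs(x) _psTrace(x)
#define psTraceStrHs(x, y) _psTraceStr(x, y)
#endif /* USE_SSL_HANDSHAKE_MSG_TRACE */

#ifndef USE_SSL_INFORMATIONAL_TRACE
#define psTraceInfo(x)
#define psTraceStrInfo(x, y)
#define psTraceIntInfo(x, y)
#else
#define psTraceInfo(x) _psTrace(x)
#define psTraceStrInfo(x, y) _psTraceStr(x, y)
#define psTraceIntInfo(x, y) _psTraceInt(x, y)
#endif /* USE_SSL_INFORMATIONAL_TRACE */

/******************************************************************************/

typedef psBuf_t sslBuf_t;

/******************************************************************************/

/******************************************************************************/
/*
    SSL certificate public-key structure
    Server builds carry the local certificate and its private key; client
    builds carry the CA certificates.
*/
typedef struct {
    psPool_t        *pool;
#ifdef USE_SERVER_SIDE_SSL
    psX509Cert_t    *cert;
    psPubKey_t      *privKey;
#endif /* USE_SERVER_SIDE_SSL */
#ifdef USE_CLIENT_SIDE_SSL
    psX509Cert_t    *CAcerts;
#endif /* USE_CLIENT_SIDE_SSL */
} sslKeys_t;

/******************************************************************************/

/******************************************************************************/
/*
    SSL record and session structures
*/
typedef struct {
    unsigned short  len;
    unsigned char   majVer;
    unsigned char   minVer;
#ifdef USE_CERT_CHAIN_PARSING
    unsigned short  hsBytesHashed;
    unsigned short  hsBytesParsed;
    unsigned short  trueLen;
    unsigned char   partial;
    unsigned char   certPad;
#endif
    unsigned char   type;
    unsigned char   pad[3];     /* Padding for 64 bit compat */
} sslRec_t;

/*
    Per-connection security state: handshake randoms, master and premaster
    secrets, the derived key block and the active cipher/digest contexts.

    NOTE(review): every byte array in this structure is key material or
    feeds key derivation.  Confirm that the session teardown path wipes it
    before the memory is released or reused.
*/
typedef struct {
    unsigned char   clientRandom[SSL_HS_RANDOM_SIZE];   /* From ClientHello */
    unsigned char   serverRandom[SSL_HS_RANDOM_SIZE];   /* From ServerHello */
    unsigned char   masterSecret[SSL_HS_MASTER_SIZE];
    unsigned char   *premaster;                         /* variable size */
    uint32          premasterSize;

    unsigned char   keyBlock[SSL_MAX_KEY_BLOCK_SIZE];   /* Storage for the next six items */
    unsigned char   *wMACptr;
    unsigned char   *rMACptr;
    unsigned char   *wKeyptr;
    unsigned char   *rKeyptr;
    unsigned char   *wIVptr;
    unsigned char   *rIVptr;

    /*  All maximum sizes for current cipher suites */
    unsigned char   writeMAC[SSL_MAX_MAC_SIZE];
    unsigned char   readMAC[SSL_MAX_MAC_SIZE];
    unsigned char   writeKey[SSL_MAX_SYM_KEY_SIZE];
    unsigned char   readKey[SSL_MAX_SYM_KEY_SIZE];
    unsigned char   writeIV[SSL_MAX_IV_SIZE];
    unsigned char   readIV[SSL_MAX_IV_SIZE];

    unsigned char   seq[8];
    unsigned char   remSeq[8];

#ifdef USE_CLIENT_SIDE_SSL
    psX509Cert_t    *cert;
    int32 (*validateCert)(void *ssl, psX509Cert_t *certInfo, int32 alert);
#endif /* USE_CLIENT_SIDE_SSL */

#ifdef USE_CLIENT_SIDE_SSL
    int32               certMatch;
#endif /* USE_CLIENT_SIDE_SSL */

    psDigestContext_t   msgHashMd5;
    psDigestContext_t   msgHashSha1;

    psCipherContext_t   encryptCtx;
    psCipherContext_t   decryptCtx;

#ifdef USE_TLS_1_1
    int32               explicitIv;
#endif /* USE_TLS_1_1 */
    int32               anon;
} sslSec_t;

/*
    Static description of one cipher suite: its identifier, the sizes of its
    MAC, key, IV and block, and the callbacks that implement it.
*/
typedef struct {
    uint16          ident;  /* Official cipher ID */
    uint16          type;   /* Key exchange method */
    uint32          flags;  /* from CRYPTO_FLAGS_* */
    unsigned char   macSize;
    unsigned char   keySize;
    unsigned char   ivSize;
    unsigned char   blockSize;
    /* Init function */
    int32 (*init)(sslSec_t *sec, int32 type, uint32 keysize);
    /* Cipher functions */
    int32 (*encrypt)(psCipherContext_t *ctx, unsigned char *in,
        unsigned char *out, uint32 len);
    int32 (*decrypt)(psCipherContext_t *ctx, unsigned char *in,
        unsigned char *out, uint32 len);
    int32 (*generateMac)(void *ssl, unsigned char type, unsigned char *data,
        uint32 len, unsigned char *mac);
    int32 (*verifyMac)(void *ssl, unsigned char type, unsigned char *data,
        uint32 len, unsigned char *mac);
} sslCipherSpec_t;

/*
    Session resumption data.  It contains the master secret, so a copy of
    this structure must be protected like any other key material.
*/
typedef struct {
    unsigned char   id[SSL_MAX_SESSION_ID_SIZE];
    unsigned char   masterSecret[SSL_HS_MASTER_SIZE];
    uint32          cipherId;
} sslSessionId_t;

/*
    Session table entry; like sslSessionId_t it stores the master secret,
    together with the negotiated cipher, version and timestamps.
*/
typedef struct {
    unsigned char   id[SSL_MAX_SESSION_ID_SIZE];
    unsigned char   masterSecret[SSL_HS_MASTER_SIZE];
    sslCipherSpec_t *cipher;
    unsigned char   majVer;
    unsigned char   minVer;
    psTime_t        startTime;
    psTime_t        accessTime;
    int32           inUse;
} sslSessionEntry_t;

/*
    Singly linked list node for one hello extension (type, length, data).
*/
typedef struct tlsHelloExt {
    psPool_t            *pool;
    int32               extType;
    uint32              extLen;
    unsigned char       *extData;
    struct tlsHelloExt  *next;
} tlsExtension_t;

/*
    The per-connection SSL context.
*/
typedef struct ssl {
    sslRec_t        rec;            /* Current SSL record information*/

    sslSec_t        sec;            /* Security structure */

    sslKeys_t       *keys;          /* SSL public and private keys */

    psPool_t        *sPool;         /* SSL session pool */
    psPool_t        *hsPool;        /* Full session handshake pool */

    unsigned char   sessionIdLen;
    /* NOTE(review): plain char here, unsigned char in sslSessionId_t.id */
    char            sessionId[SSL_MAX_SESSION_ID_SIZE];
    sslSessionId_t  *sid;
#ifdef USE_SERVER_SIDE_SSL
    uint16          disabledCiphers[SSL_MAX_DISABLED_CIPHERS];
#endif /* USE_SERVER_SIDE_SSL */

    unsigned char   *inbuf;
    unsigned char   *outbuf;
    /*
        NOTE(review): the four buffer counters below are signed; code that
        compares them with uint32 lengths should reject negative values
        before the comparison.
    */
    int32           inlen;      /* Bytes unprocessed in inbuf */
    int32           outlen;     /* Bytes unsent in outbuf */
    int32           insize;     /* Total allocated size of inbuf */
    int32           outsize;    /* Total allocated size of outbuf */
    uint32          bFlags;     /* Buffer related flags */

    /* Pointer to the negotiated cipher information */
    sslCipherSpec_t *cipher;

    /*  Symmetric cipher callbacks

        We duplicate these here from 'cipher' because we need to set the
        various callbacks at different times in the handshake protocol
        Also, there are 64 bit alignment issues in using the function pointers
        within 'cipher' directly
    */
    int32 (*encrypt)(psCipherContext_t *ctx, unsigned char *in,
        unsigned char *out, uint32 len);
    int32 (*decrypt)(psCipherContext_t *ctx, unsigned char *in,
        unsigned char *out, uint32 len);
    /* Message Authentication Codes */
    int32 (*generateMac)(void *ssl, unsigned char type, unsigned char *data,
        uint32 len, unsigned char *mac);
    int32 (*verifyMac)(void *ssl, unsigned char type, unsigned char *data,
        uint32 len, unsigned char *mac);

    /* Current encryption/decryption parameters */
    unsigned char   enMacSize;
    unsigned char   enIvSize;
    unsigned char   enBlockSize;
    unsigned char   deMacSize;
    unsigned char   deIvSize;
    unsigned char   deBlockSize;

    int32           flags;      /* SSL_FLAGS_* bits */
    int32           hsState;    /* Next expected handshake message type */
    int32           err;        /* SSL errno of last api call */
    int32           ignoredMessageCount;

    unsigned char   reqMajVer;
    unsigned char   reqMinVer;
    unsigned char   majVer;
    unsigned char   minVer;

#ifdef ENABLE_SECURE_REHANDSHAKES
    unsigned char   myVerifyData[MD5_HASH_SIZE + SHA1_HASH_SIZE]; /*SSLv3 max*/
    unsigned char   peerVerifyData[MD5_HASH_SIZE + SHA1_HASH_SIZE];
    uint32          myVerifyDataLen;
    uint32          peerVerifyDataLen;
    int32           secureRenegotiationFlag;
#endif /* ENABLE_SECURE_REHANDSHAKES */
#ifdef SSL_REHANDSHAKES_ENABLED
    int32           rehandshakeCount; /* Make this an internal define of 1 */
    /*
        NOTE(review): the comment below says 10MB, while
        BYTES_BEFORE_RH_CREDIT in this header is 20MB - confirm which one
        is intended.
    */
    int32           rehandshakeBytes; /* Make this an internal define of 10MB */
#endif /* SSL_REHANDSHAKES_ENABLED */
    /* Same signature as sslExtCb_t, declared further down */
    int32 (*extCb)(void *ssl, unsigned short extType,
        unsigned short extLen, void *e);
    int32           recordHeadLen;
    int32           hshakeHeadLen;
} ssl_t;

/******************************************************************************/
/*
    Former public APIs in 1.x and 2.x.  Now deprecated in 3.x
    These functions are still heavily used internally, just no longer publicly
    supported.
*/
extern int32 matrixSslDecode(ssl_t *ssl, unsigned char **buf, uint32 *len,
                uint32 size, uint32 *remaining, uint32 *requiredLen,
                int32 *error, unsigned char *alertLevel,
                unsigned char *alertDescription);
extern int32 matrixSslEncode(ssl_t *ssl, unsigned char *buf, uint32 size,
                unsigned char *ptBuf, uint32 *len);
extern int32 matrixSslGetEncodedSize(ssl_t *ssl, uint32 len);
extern void matrixSslSetCertValidator(ssl_t *ssl,
                int32 (*certValidator)(void *, psX509Cert_t *, int32));
extern int32 matrixSslNewSession(ssl_t **ssl, sslKeys_t *keys,
                sslSessionId_t *session, int32 flags);
extern void matrixSslSetSessionOption(ssl_t *ssl, int32 option, void *arg);
extern int32 matrixSslHandshakeIsComplete(ssl_t *ssl);
typedef int32 (*sslExtCb_t)(void *, unsigned short, unsigned short, void *);

/* This used to be prefixed with 'matrix' */
extern int32 sslEncodeClosureAlert(ssl_t *ssl, sslBuf_t *out,
                uint32 *reqLen);

extern int32 matrixSslEncodeHelloRequest(ssl_t *ssl, sslBuf_t *out,
                uint32 *reqLen);
extern int32 matrixSslEncodeClientHello(ssl_t *ssl, sslBuf_t *out,
                uint32 cipherSpec, uint32 *requiredLen,
                tlsExtension_t *userExt);

#ifdef USE_CLIENT_SIDE_SSL
extern int32 matrixSslGetSessionId(ssl_t *ssl, sslSessionId_t *sessionId);
#endif /* USE_CLIENT_SIDE_SSL */

extern int32 matrixSslGetPrngData(unsigned char *bytes, uint32 size);

#ifdef USE_SSL_INFORMATIONAL_TRACE
extern void matrixSslPrintHSDetails(ssl_t *ssl);
#endif /* USE_SSL_INFORMATIONAL_TRACE */

#ifdef SSL_REHANDSHAKES_ENABLED
PSPUBLIC void matrixSslAddRehandshakeCredits(ssl_t *ssl, int32 credits);
#endif

/******************************************************************************/
/*
    MatrixSSL internal cert functions
*/
typedef int32 (*sslCertCb_t)(void *, psX509Cert_t *, int32);
extern int32 matrixValidateCerts(psPool_t *pool, psX509Cert_t *subjectCerts,
                psX509Cert_t *issuerCerts);
extern int32 matrixUserCertValidator(ssl_t *ssl, int32 alert,
                psX509Cert_t *subjectCert, sslCertCb_t certCb);

/******************************************************************************/
/*
    sslEncode.c and sslDecode.c
*/
extern int32 psWriteRecordInfo(ssl_t *ssl, unsigned char type, int32 len,
                unsigned char *c);
extern int32 psWriteHandshakeHeader(ssl_t *ssl, unsigned char type, int32 len,
                int32 seq, int32 fragOffset, int32 fragLen,
                unsigned char *c);
extern int32 sslEncodeResponse(ssl_t *ssl, psBuf_t *out, uint32 *requiredLen);
extern int32 sslActivateReadCipher(ssl_t *ssl);
extern int32 sslActivateWriteCipher(ssl_t *ssl);
extern int32 sslUpdateHSHash(ssl_t *ssl, unsigned char *in, uint32 len);
extern int32 sslInitHSHash(ssl_t *ssl);
extern int32 sslSnapshotHSHash(ssl_t *ssl, unsigned char *out, int32 senderFlag);
extern int32 sslWritePad(unsigned char *p, unsigned char padLen);
extern int32 sslCreateKeys(ssl_t *ssl);
extern void sslResetContext(ssl_t *ssl);

#ifdef USE_SERVER_SIDE_SSL
extern int32 matrixRegisterSession(ssl_t *ssl);
extern int32 matrixResumeSession(ssl_t *ssl);
extern int32 matrixClearSession(ssl_t *ssl, int32 remove);
extern int32 matrixUpdateSession(ssl_t *ssl);
#endif /* USE_SERVER_SIDE_SSL */

/*
    cipherSuite.c
    The csRsa* helpers take the length of both the input and the output
    buffer.
*/
extern sslCipherSpec_t *sslGetCipherSpec(ssl_t *ssl, uint32 cid);
extern int32 sslGetCipherSpecListLen(ssl_t *ssl);
extern int32 sslGetCipherSpecList(ssl_t *ssl, unsigned char *c, int32 len,
                int32 addScsv);
extern int32 csRsaEncryptPub(psPool_t *pool, psPubKey_t *key,
                unsigned char *in, uint32 inlen, unsigned char *out, uint32 outlen);
extern int32 csRsaDecryptPub(psPool_t *pool, psPubKey_t *key,
                unsigned char *in, uint32 inlen, unsigned char *out, uint32 outlen);
extern int32 csRsaEncryptPriv(psPool_t *pool, psPubKey_t *key,
                unsigned char *in, uint32 inlen, unsigned char *out, uint32 outlen);
extern int32 csRsaDecryptPriv(psPool_t *pool, psPubKey_t *key,
                unsigned char *in, uint32 inlen, unsigned char *out, uint32 outlen);

#ifndef DISABLE_SSLV3
/******************************************************************************/
/*
    sslv3.c
*/
extern int32 sslGenerateFinishedHash(psDigestContext_t *md5,
                psDigestContext_t *sha1, unsigned char *masterSecret,
                unsigned char *out, int32 sender);

extern int32 sslDeriveKeys(ssl_t *ssl);

#ifdef USE_SHA_MAC
extern int32 ssl3HMACSha1(unsigned char *key, unsigned char *seq,
                unsigned char type, unsigned char *data, uint32 len,
                unsigned char *mac);
#endif /* USE_SHA_MAC */

#ifdef USE_MD5_MAC
extern int32 ssl3HMACMd5(unsigned char *key, unsigned char *seq,
                unsigned char type, unsigned char *data, uint32 len,
                unsigned char *mac);
#endif /* USE_MD5_MAC */
#endif /* DISABLE_SSLV3 */

#ifdef USE_TLS
/******************************************************************************/
/*
    tls.c
*/
extern int32 tlsDeriveKeys(ssl_t *ssl);
extern int32 tlsGenerateFinishedHash(ssl_t *ssl, psDigestContext_t *md5,
                psDigestContext_t *sha1, psDigestContext_t *sha256,
                unsigned char *masterSecret, unsigned char *out, int32 sender);

extern int32 tlsHMACSha1(ssl_t *ssl, int32 mode, unsigned char type,
                unsigned char *data, uint32 len, unsigned char *mac);

extern int32 tlsHMACMd5(ssl_t *ssl, int32 mode, unsigned char type,
                unsigned char *data, uint32 len, unsigned char *mac);

#endif /* USE_TLS */

/******************************************************************************/

#ifdef __cplusplus
}
#endif

#endif /* _h_MATRIXSSLLIB */

/******************************************************************************/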