/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#pragma once

#include "crypto/s2n_hash.h"

/* Wire-level TLS constants: cipher-suite code points, extension and group identifiers,
 * signature schemes, record types and record/handshake size limits.
 *
 * This header only names values. Defining a code point here does not by itself make it
 * negotiable; that is decided by whatever preference lists reference these macros, which
 * are not visible in this file.
 */

/* Codes from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5
 *
 * Each cipher-suite macro expands to two comma-separated bytes (high byte first), so it is
 * only usable where a two-element byte list is valid, e.g. inside an initializer. It is not
 * a scalar and cannot be compared with ==.
 *
 * The list includes legacy suites: RC4 (prohibited for TLS by RFC 7465), 3DES (64-bit block),
 * MD5/SHA-1 MACs and static-RSA key exchange without forward secrecy.
 * NOTE(review): confirm that no default preference list offers the RC4 or 3DES entries.
 */
#define TLS_NULL_WITH_NULL_NULL         0x00, 0x00
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x00, 0x3D
#define TLS_RSA_WITH_AES_256_CBC_SHA    0x00, 0x35
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x00, 0x3C
#define TLS_RSA_WITH_AES_128_CBC_SHA    0x00, 0x2F
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA   0x00, 0x0A
#define TLS_RSA_WITH_RC4_128_MD5        0x00, 0x04
#define TLS_RSA_WITH_RC4_128_SHA        0x00, 0x05

#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA    0x00, 0x33
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x00, 0x67
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA    0x00, 0x39
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x00, 0x6B
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   0x00, 0x16

#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    0xC0, 0x09
#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC0, 0x23
#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    0xC0, 0x0A
#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC0, 0x24

#define TLS_ECDHE_RSA_WITH_RC4_128_SHA        0xC0, 0x11
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA    0xC0, 0x13
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC0, 0x27
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    0xC0, 0x14
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC0, 0x28
#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA   0xC0, 0x12

/* AEAD (AES-GCM) suites for TLS 1.2 */
#define TLS_RSA_WITH_AES_128_GCM_SHA256         0x00, 0x9C
#define TLS_RSA_WITH_AES_256_GCM_SHA384         0x00, 0x9D
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     0x00, 0x9E
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     0x00, 0x9F
#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC0, 0x2B
#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC0, 0x2C
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xC0, 0x2F
#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   0xC0, 0x30

/* AEAD (ChaCha20-Poly1305) suites for TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   0xCC, 0xA8
#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCC, 0xA9
#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xCC, 0xAA

/* TLS 1.2 hybrid post-quantum definitions from https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
 *
 * The cipher-suite values (0xFF, ..) and the 0xFE01 extension number come from an
 * Internet-Draft, not from an IANA registration, and the KEM ids name specific NIST
 * submission rounds (R1/R2/R3).
 * NOTE(review): SIKE was broken by a practical key-recovery attack published in 2022
 * (Castryck-Decru); confirm the SIKE entries are no longer offered by any preference list.
 */
#define TLS_ECDHE_BIKE_RSA_WITH_AES_256_GCM_SHA384  0xFF, 0x04
#define TLS_ECDHE_SIKE_RSA_WITH_AES_256_GCM_SHA384  0xFF, 0x08
#define TLS_ECDHE_KYBER_RSA_WITH_AES_256_GCM_SHA384 0xFF, 0x0C
#define TLS_EXTENSION_PQ_KEM_PARAMETERS             0xFE01
#define TLS_PQ_KEM_EXTENSION_ID_BIKE1_L1_R1         1
#define TLS_PQ_KEM_EXTENSION_ID_BIKE1_L1_R2         13
#define TLS_PQ_KEM_EXTENSION_ID_BIKE1_L1_R3         25
#define TLS_PQ_KEM_EXTENSION_ID_SIKE_P503_R1        10
#define TLS_PQ_KEM_EXTENSION_ID_SIKE_P434_R3        19
#define TLS_PQ_KEM_EXTENSION_ID_KYBER_512_R2        23
#define TLS_PQ_KEM_EXTENSION_ID_KYBER_512_90S_R2    24
#define TLS_PQ_KEM_EXTENSION_ID_KYBER_512_R3        28

/* TLS 1.3 hybrid post-quantum definitions are from the proposed reserved range defined
 * in https://tools.ietf.org/html/draft-stebila-tls-hybrid-design. Values for interoperability are defined in
 * https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-kem-info.md
 *
 * These are single 16-bit group ids (unlike the two-byte cipher-suite macros above). They are
 * interoperability values agreed with another implementation, not IANA assignments, so they
 * should be treated as experimental. The SIKE caveat above applies to the SIKE groups here too.
 */
#define TLS_PQ_KEM_GROUP_ID_X25519_SIKE_P434_R3    0x2F27
#define TLS_PQ_KEM_GROUP_ID_SECP256R1_SIKE_P434_R3 0x2F1F
#define TLS_PQ_KEM_GROUP_ID_X25519_BIKE1_L1_R2     0x2F28
#define TLS_PQ_KEM_GROUP_ID_SECP256R1_BIKE1_L1_R2  0x2F23
#define TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R2    0x2F26
#define TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R2 0x2F0F
#define TLS_PQ_KEM_GROUP_ID_X25519_BIKE_L1_R3      0x2F37
#define TLS_PQ_KEM_GROUP_ID_SECP256R1_BIKE_L1_R3   0x2F38
#define TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3    0x2F39
#define TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3 0x2F3A


/* Signaling cipher suite values (SCSVs). They travel in the cipher-suite list but are
 * signals, never a suite that can be selected.
 * TLS_FALLBACK_SCSV is from https://tools.ietf.org/html/rfc7507 (downgrade protection);
 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is from https://tools.ietf.org/html/rfc5746
 * (secure renegotiation indication).
 */
#define TLS_FALLBACK_SCSV                 0x56, 0x00
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00, 0xff

/* TLS 1.3 cipher suites from https://tools.ietf.org/html/rfc8446#appendix-B.4 */
#define TLS_AES_128_GCM_SHA256       0x13, 0x01
#define TLS_AES_256_GCM_SHA384       0x13, 0x02
#define TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03
#define TLS_AES_128_CCM_SHA256       0x13, 0x04
#define TLS_AES_128_CCM_8_SHA256     0x13, 0x05

/* TLS extensions from https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
 * Extension types are 16-bit scalars.
 */
#define TLS_EXTENSION_SERVER_NAME          0
#define TLS_EXTENSION_MAX_FRAG_LEN         1
#define TLS_EXTENSION_STATUS_REQUEST       5
#define TLS_EXTENSION_SUPPORTED_GROUPS     10
#define TLS_EXTENSION_EC_POINT_FORMATS     11
#define TLS_EXTENSION_SIGNATURE_ALGORITHMS 13
#define TLS_EXTENSION_ALPN                 16
#define TLS_EXTENSION_SCT_LIST             18
#define TLS_EXTENSION_EMS                  23
#define TLS_EXTENSION_SESSION_TICKET       35
#define TLS_EXTENSION_PRE_SHARED_KEY       41
#define TLS_EXTENSION_CERT_AUTHORITIES     47
#define TLS_EXTENSION_RENEGOTIATION_INFO   65281

/* TLS 1.3 extensions from https://tools.ietf.org/html/rfc8446#section-4.2 */
#define TLS_EXTENSION_EARLY_DATA             42
#define TLS_EXTENSION_SUPPORTED_VERSIONS     43
#define TLS_EXTENSION_COOKIE                 44
#define TLS_EXTENSION_PSK_KEY_EXCHANGE_MODES 45
#define TLS_EXTENSION_KEY_SHARE              51

/* TLS 1.3 pre-shared key exchange modes from https://tools.ietf.org/html/rfc8446#section-4.2.9
 * psk_ke (0) is PSK-only key establishment; psk_dhe_ke (1) adds an (EC)DHE exchange and is
 * the mode that provides forward secrecy.
 */
#define TLS_PSK_KE_MODE     0
#define TLS_PSK_DHE_KE_MODE 1

/**
 *= https://tools.ietf.org/id/draft-ietf-quic-tls-32.txt#8.2
 *# enum {
 *#    quic_transport_parameters(0xffa5), (65535)
 *# } ExtensionType;
 */
/* NOTE(review): 0xffa5 is the code point from the cited draft; RFC 9001 registers
 * quic_transport_parameters as 0x39. Confirm which value peers are expected to send. */
#define TLS_QUIC_TRANSPORT_PARAMETERS 0xffa5

/* TLS SignatureScheme (Backwards compatible with SigHash and SigAlg values above) */
/* Defined here: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme */
/* NOTE(review): no SigHash/SigAlg constants are defined earlier in this header, so "above"
 * looks stale. Each 16-bit scheme is the TLS 1.2 hash byte followed by the signature byte
 * (e.g. 0x0401 = SHA-256, RSA). The SHA-1 and SHA-224 entries are legacy values. */
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1   0x0201
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224 0x0301
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256 0x0401
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384 0x0501
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512 0x0601

/* In TLS 1.0 and 1.1 the hard-coded default scheme was RSA_PKCS1_MD5_SHA1, but there's no IANA defined backwards
 * compatible value for that Scheme for TLS 1.2 and 1.3. So we define an internal value in the private range that won't
 * match anything in the valid range so that all TLS Versions can use the same SignatureScheme negotiation abstraction
 * layer. This scheme isn't in any preference list, so it can't be negotiated even if a client sent it in its pref list.
 */
#define TLS_SIGNATURE_SCHEME_PRIVATE_INTERNAL_RSA_PKCS1_MD5_SHA1 0xFFFF

/* TLS 1.2 Backwards Compatible ECDSA Schemes */
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA1   0x0203
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA224 0x0303
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA256 0x0403
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA384 0x0503
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA512 0x0603

/* TLS 1.3 Signature Schemes (ECDSA, RSA-PSS and EdDSA)
 *
 * The three ECDSA values are numerically identical to the TLS 1.2 ECDSA_SHA256/384/512
 * macros above. In TLS 1.3 the code point also fixes the curve, in TLS 1.2 it does not, so
 * the numeric value alone cannot tell the two meanings apart; the negotiated protocol
 * version has to be taken into account as well.
 */
#define TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256 0x0403
#define TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384 0x0503
#define TLS_SIGNATURE_SCHEME_ECDSA_SECP521R1_SHA512 0x0603
#define TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256    0x0804
#define TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384    0x0805
#define TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512    0x0806
#define TLS_SIGNATURE_SCHEME_ED25519                0x0807
#define TLS_SIGNATURE_SCHEME_ED448                  0x0808
#define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256     0x0809
#define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384     0x080A
#define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512     0x080B


/* Size in bytes of one SignatureScheme on the wire */
#define TLS_SIGNATURE_SCHEME_LEN 2
/* NOTE(review): presumably an upper bound on a peer-supplied scheme list; the unit (entries
 * or bytes) is not visible from this header, so verify against the parser that uses it. */
#define TLS_SIGNATURE_SCHEME_LIST_MAX_LEN 64

/* The TLS record types we support */
/* SSLv2_CLIENT_HELLO is not a TLS ContentType; 1 is the SSLv2 client-hello message type */
#define SSLv2_CLIENT_HELLO      1
#define TLS_CHANGE_CIPHER_SPEC  20
#define TLS_ALERT               21
#define TLS_HANDSHAKE           22
#define TLS_APPLICATION_DATA    23

/* Elliptic curve formats from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-9
 * Only uncompressed is supported.
 */
#define TLS_EC_FORMAT_UNCOMPRESSED              0
#define TLS_EC_FORMAT_ANSIX962_COMPRESSED_PRIME 1
#define TLS_EC_FORMAT_ANSIX962_COMPRESSED_CHAR2 2

/* Elliptic curves from https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
#define TLS_EC_CURVE_SECP_256_R1 23
#define TLS_EC_CURVE_SECP_384_R1 24
#define TLS_EC_CURVE_SECP_521_R1 25
#define TLS_EC_CURVE_ECDH_X25519 29
#define TLS_EC_CURVE_ECDH_X448   30

/* Ethernet maximum transmission unit (MTU)
 * MTU is usually associated with the Ethernet protocol,
 * where a 1500-byte packet is the largest allowed in it
 */
#define ETH_MTU 1500

/* IP header sizes in bytes, without options / extension headers */
#define IP_V4_HEADER_LENGTH 20
#define IP_V6_HEADER_LENGTH 40

/* TCP base header size and the maximum space TCP options can occupy, in bytes */
#define TCP_HEADER_LENGTH  20
#define TCP_OPTIONS_LENGTH 40

/* Value meaning that no max_fragment_length extension value is in effect */
#define S2N_TLS_MAX_FRAG_LEN_EXT_NONE 0

/* The maximum size of an SSL2 message is 2^14 - 1, as neither of the first two
 * bits in the length field are usable. Per;
 * http://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
 * section 1.1
 */
#define S2N_SSL2_RECORD_HEADER_LENGTH   2
#define S2N_SSL2_MAXIMUM_MESSAGE_LENGTH 16383
#define S2N_SSL2_MAXIMUM_RECORD_LENGTH  (S2N_SSL2_MAXIMUM_MESSAGE_LENGTH + S2N_SSL2_RECORD_HEADER_LENGTH)

/* s2n can use a "small" record length that is aligned to the dominant internet MTU;
 * 1500 bytes, minus 20 bytes for an IP header, minus 20 bytes for a tcp
 * header and 20 bytes for tcp/ip options (timestamp, sack etc) and a "large" record
 * length that is designed to maximize throughput (fewer MACs per byte transferred
 * and better efficiency of crypto engines).
 *
 * NOTE(review): the literals repeat ETH_MTU, IP_V4_HEADER_LENGTH and TCP_HEADER_LENGTH
 * defined above; the options allowance used here is 20 bytes, not TCP_OPTIONS_LENGTH (40).
 *
 * S2N_TLS_RECORD_HEADER_LENGTH, S2N_TLS_MAXIMUM_RECORD_LENGTH and
 * S2N_TLS_MAXIMUM_FRAGMENT_LENGTH, used below, are not defined in this header; they must be
 * defined by the time these macros are expanded.
 */
#define S2N_SMALL_RECORD_LENGTH   (1500 - 20 - 20 - 20)
#define S2N_SMALL_FRAGMENT_LENGTH (S2N_SMALL_RECORD_LENGTH - S2N_TLS_RECORD_HEADER_LENGTH)

/* Testing in the wild has found 8k max record sizes give a good balance of low latency
 * and throughput.
 *
 * NOTE(review): the value is 8092, not 8192 (8 KiB). Changing it alters the records put on
 * the wire, so confirm whether the difference is intentional before touching it.
 */
#define S2N_DEFAULT_RECORD_LENGTH   8092
#define S2N_DEFAULT_FRAGMENT_LENGTH (S2N_DEFAULT_RECORD_LENGTH - S2N_TLS_RECORD_HEADER_LENGTH)

/* S2N_LARGE_RECORD_LENGTH is used for initializing output buffers, we use the largest
 * possible value of all supported protocols to avoid branching at runtime
 */
#define S2N_LARGE_RECORD_LENGTH   S2N_TLS_MAXIMUM_RECORD_LENGTH
#define S2N_LARGE_FRAGMENT_LENGTH S2N_TLS_MAXIMUM_FRAGMENT_LENGTH

/* Cap dynamic record resize threshold to 8M */
#define S2N_TLS_MAX_RESIZE_THRESHOLD (1024 * 1024 * 8)

/* Put a 64k cap on the size of any handshake message.
 * The handshake header carries a 24-bit length, so a peer can announce far more than this;
 * the cap bounds what has to be buffered for one message. Where it is enforced is not
 * visible in this header.
 */
#define S2N_MAXIMUM_HANDSHAKE_MESSAGE_LENGTH (64 * 1024)

/* Maximum size for full encoded TLSInnerPlaintext (https://tools.ietf.org/html/rfc8446#section-5.4)
 * 2^14 bytes of content plus 1 byte for the inner content type.
 */
#define S2N_MAXIMUM_INNER_PLAINTEXT_LENGTH ((1 << 14) + 1)

/* Alert messages are always 2 bytes long */
#define S2N_ALERT_LENGTH 2

/* Handshake messages have their own header too (1-byte message type + 3-byte length) */
#define TLS_HANDSHAKE_HEADER_LENGTH 4

/* Maximum server name length, in bytes */
#define S2N_MAX_SERVER_NAME 255