1 /**************************************************************************** 2 * * 3 * SSL v3/TLS Definitions Header File * 4 * Copyright Peter Gutmann 1998-2013 * 5 * * 6 ****************************************************************************/ 7 8 #ifndef _SSL_DEFINED 9 10 #define _SSL_DEFINED 11 12 #if defined( INC_ALL ) 13 #include "scorebrd.h" 14 #else 15 #include "session/scorebrd.h" 16 #endif /* _STREAM_DEFINED */ 17 18 /**************************************************************************** 19 * * 20 * SSL Constants * 21 * * 22 ****************************************************************************/ 23 24 /* Default SSL/TLS port */ 25 26 #define SSL_PORT 443 27 28 /* SSL and TLS constants */ 29 30 #define ID_SIZE 1 /* ID byte */ 31 #define LENGTH_SIZE 3 /* 24 bits */ 32 #define SEQNO_SIZE 8 /* 64 bits */ 33 #define VERSIONINFO_SIZE 2 /* 0x03, 0x0n */ 34 #define ALERTINFO_SIZE 2 /* level + description */ 35 #define SSL_HEADER_SIZE 5 /* Type, version, length */ 36 #define SSL_NONCE_SIZE 32 /* Size of client/svr nonce */ 37 #define SSL_SECRET_SIZE 48 /* Size of premaster/master secret */ 38 #define MD5MAC_SIZE 16 /* Size of MD5 proto-HMAC/dual hash */ 39 #define SHA1MAC_SIZE 20 /* Size of SHA-1 proto-HMAC/dual hash */ 40 #define SHA2MAC_SIZE 32 /* Size of SHA-2 HMAC hash */ 41 #define GCMICV_SIZE 16 /* Size of GCM ICV */ 42 #define GCM_SALT_SIZE 4 /* Size of implicit portion of GCM IV */ 43 #define GCM_IV_SIZE 12 /* Overall size of GCM IV */ 44 #define TLS_HASHEDMAC_SIZE 12 /* Size of TLS PRF( MD5 + SHA1 ) */ 45 #define SESSIONID_SIZE 16 /* Size of session ID */ 46 #define MIN_SESSIONID_SIZE 4 /* Min.allowed session ID size */ 47 #define MAX_SESSIONID_SIZE 32 /* Max.allowed session ID size */ 48 #define MAX_KEYBLOCK_SIZE ( ( 64 + 32 + 16 ) * 2 ) 49 /* HMAC-SHA2 + AES-256 key + AES IV */ 50 #define MIN_PACKET_SIZE 4 /* Minimum SSL packet size */ 51 #define MAX_PACKET_SIZE 16384 /* Maximum SSL packet size */ 52 #define MAX_CIPHERSUITES 200 /* Max.allowed cipher suites */ 53 #ifdef USE_DH1024 54 #define TLS_DH_KEYSIZE 128 /* Size of server DH key */ 55 #else 56 #define TLS_DH_KEYSIZE 192 /* Size of server DH key */ 57 #endif /* USE_DH1024 */ 58 59 /* SSL/TLS packet/buffer size information. The extra packet size is 60 somewhat large because it can contains the packet header (5 bytes), IV 61 (0/8/16 bytes), MAC/ICV (12/16/20 bytes), and cipher block padding (up to 62 256 bytes) */ 63 64 #define EXTRA_PACKET_SIZE 512 65 66 /* SSLv2 was finally removed in MSIE and Firefox in 2008, however some 67 crufty old implementations will still send SSLv2 hellos. Define the 68 following to enable handling of SSLv2 client hellos. Note that this 69 code is not maintained, and your warranty is void when you enable SSLv2 70 hello handling */ 71 72 /* #define ALLOW_SSLV2_HELLO */ 73 74 /* By default cryptlib uses DH key agreement, it's also possible to use ECDH 75 key agreement but we disable ECDH by default in order to stick to the 76 safer DH. To use ECDH key agreement in preference to DH, uncomment the 77 following */ 78 79 /* #define PREFER_ECC */ 80 #if defined( PREFER_ECC ) && defined( _MSC_VER ) 81 #pragma message( " Building with ECC preferred for SSL." ) 82 #endif /* PREFER_ECC && Visual C++ */ 83 #if defined( PREFER_ECC ) && \ 84 !( defined( USE_ECDH ) && defined( USE_ECDSA ) ) 85 #error PREFER_ECC can only be used with ECDH and ECDSA enabled 86 #endif /* PREFER_ECC && !( USE_ECDH && USE_ECDSA ) */ 87 88 /* SSL/TLS protocol-specific flags that augment the general session flags: 89 90 FLAG_ALERTSENT: Whether we've already sent a close-alert. Keeping track 91 of this is necessary because we're required to send a close alert 92 when shutting down to prevent a truncation attack, however lower- 93 level code may have already sent an alert so we have to remember not 94 to send it twice. 95 96 FLAG_DISABLE_CERTVERIFY: Disable checking of the server certificate 97 FLAG_DISABLE_NAMEVERIFY: and/or host name. By default we check both of 98 these, but because of all of the problems surrounding certificates 99 we allow the checking to be disabled. 100 101 FLAG_CHECKREHANDSHAKE: The header-read got a handshake packet instead of 102 a data packet, when the body-read decrypts the payload it should 103 check for a rehandshake request in the payload. 104 105 FLAG_CLIAUTHSKIPPED: The client saw an auth-request from the server and 106 responded with a no-certificates alert, if we later get a close 107 alert from the server then we provide additional error information 108 indicating that this may be due to the lack of a client certificate. 109 110 SSL_PFLAG_EMS: Use extended Master Secret to protect handshake messages. 111 112 FLAG_ENCTHENMAC: Use encrypt-then-MAC rather than the standard 113 MAC-then-encrypt. 114 115 FLAG_GCM: The encryption used is GCM and not the usual CBC, which 116 unifies encryption and MACing into a single operation. 117 118 FLAG_MANUAL_CERTCHECK: Interrupt the handshake (returning 119 CRYPT_ERROR_RESOURCE) to allow the caller to check the peer's 120 cerificate. 121 122 FLAG_SUITEB_128: Enforce Suite B semantics on top of the standard TLS 123 FLAG_SUITEB_256: 1.2 + ECC + AES-GCM ones. _128 = P256 + P384, 124 _256 = P384 only */ 125 126 #define SSL_PFLAG_NONE 0x0000 /* No protocol-specific flags */ 127 #define SSL_PFLAG_ALERTSENT 0x0001 /* Close alert sent */ 128 #define SSL_PFLAG_CLIAUTHSKIPPED 0x0002 /* Client auth-req.skipped */ 129 #define SSL_PFLAG_GCM 0x0004 /* Encryption uses GCM, not CBC */ 130 #define SSL_PFLAG_SUITEB_128 0x0008 /* Enforce Suite B 128-bit semantics */ 131 #define SSL_PFLAG_SUITEB_256 0x0010 /* Enforce Suite B 256-bit semantics */ 132 #define SSL_PFLAG_CHECKREHANDSHAKE 0x0020 /* Check decrypted pkt.for rehandshake */ 133 #define SSL_PFLAG_MANUAL_CERTCHECK 0x0040 /* Interrupt handshake for cert.check */ 134 #define SSL_PFLAG_DISABLE_NAMEVERIFY 0x0080 /* Disable host name verification */ 135 #define SSL_PFLAG_DISABLE_CERTVERIFY 0x0100 /* Disable certificate verification */ 136 #define SSL_PFLAG_ENCTHENMAC 0x0200 /* Use encrypt-then-MAC */ 137 #define SSL_PFLAG_EMS 0x0400 /* Use extended Master Secret */ 138 #define SSL_PFLAG_MAX 0x07FF /* Maximum possible flag value */ 139 140 /* Some of the flags above denote extended TLS facilities that need to be 141 preserved across session resumptions. The following value defines the 142 flags that need to be preserved across resumes */ 143 144 #define SSL_RESUMEDSESSION_FLAGS ( SSL_PFLAG_EMS | SSL_PFLAG_ENCTHENMAC ) 145 146 /* Symbolic defines for static analysis checking */ 147 148 #define SSL_FLAG_NONE SSL_PFLAG_NONE 149 #define SSL_FLAG_MAX SSL_PFLAG_MAX 150 151 /* Suite B consists of two subclasses, the 128-bit security level (AES-128 152 with P256 and SHA2-256) and the 192-bit security level (AES-256 with P384 153 and SHA2-384), in order to identify generic use of Suite B we provide a 154 pseudo-value that combines the 128-bit and 192-bit subclasses */ 155 156 #define SSL_PFLAG_SUITEB ( SSL_PFLAG_SUITEB_128 | \ 157 SSL_PFLAG_SUITEB_256 ) 158 159 /* The SSL minimmum version number is encoded as a CRYPT_SSLOPTION_MINVER_xxx 160 value, the following mask allows the version to be extracted from the SSL 161 option value */ 162 163 #define SSL_MINVER_MASK ( CRYPT_SSLOPTION_MINVER_SSLV3 | \ 164 CRYPT_SSLOPTION_MINVER_TLS10 | \ 165 CRYPT_SSLOPTION_MINVER_TLS11 | \ 166 CRYPT_SSLOPTION_MINVER_TLS12 | \ 167 CRYPT_SSLOPTION_MINVER_TLS13 ) 168 169 /* SSL/TLS message types */ 170 171 #define SSL_MSG_CHANGE_CIPHER_SPEC 20 172 #define SSL_MSG_ALERT 21 173 #define SSL_MSG_HANDSHAKE 22 174 #define SSL_MSG_APPLICATION_DATA 23 175 176 #define SSL_MSG_FIRST SSL_MSG_CHANGE_CIPHER_SPEC 177 #define SSL_MSG_LAST SSL_MSG_APPLICATION_DATA 178 179 /* Special expected packet-type values that are passed to readHSPacketSSL() 180 to handle situations where special-case handling is required for read 181 packets. The first handshake packet from the client or server is treated 182 specially in that the version number information is taken from this 183 packet, and the attempt to read the first encrypted handshake packet may 184 be met with a TCP close from the peer if it handles errors badly, in 185 which case we provide a special-case error message that indicates more 186 than just "connection closed" */ 187 188 #define SSL_MSG_FIRST_HANDSHAKE 0xFE 189 #define SSL_MSG_FIRST_ENCRHANDSHAKE 0xFF 190 #define SSL_MSG_LAST_SPECIAL SSL_MSG_FIRST_ENCRHANDSHAKE 191 #define SSL_MSG_V2HANDSHAKE 0x80 192 193 /* SSL/TLS handshake message subtypes */ 194 195 #define SSL_HAND_CLIENT_HELLO 1 196 #define SSL_HAND_SERVER_HELLO 2 197 #define SSL_HAND_CERTIFICATE 11 198 #define SSL_HAND_SERVER_KEYEXCHANGE 12 199 #define SSL_HAND_SERVER_CERTREQUEST 13 200 #define SSL_HAND_SERVER_HELLODONE 14 201 #define SSL_HAND_CLIENT_CERTVERIFY 15 202 #define SSL_HAND_CLIENT_KEYEXCHANGE 16 203 #define SSL_HAND_FINISHED 20 204 #define SSL_HAND_SUPPLEMENTAL_DATA 23 205 206 #define SSL_HAND_FIRST SSL_HAND_CLIENT_HELLO 207 #define SSL_HAND_LAST SSL_HAND_SUPPLEMENTAL_DATA 208 209 /* SSL and TLS alert levels and types */ 210 211 #define SSL_ALERTLEVEL_WARNING 1 212 #define SSL_ALERTLEVEL_FATAL 2 213 214 #define SSL_ALERT_CLOSE_NOTIFY 0 215 #define SSL_ALERT_UNEXPECTED_MESSAGE 10 216 #define SSL_ALERT_BAD_RECORD_MAC 20 217 #define TLS_ALERT_DECRYPTION_FAILED 21 218 #define TLS_ALERT_RECORD_OVERFLOW 22 219 #define SSL_ALERT_DECOMPRESSION_FAILURE 30 220 #define SSL_ALERT_HANDSHAKE_FAILURE 40 221 #define SSL_ALERT_NO_CERTIFICATE 41 222 #define SSL_ALERT_BAD_CERTIFICATE 42 223 #define SSL_ALERT_UNSUPPORTED_CERTIFICATE 43 224 #define SSL_ALERT_CERTIFICATE_REVOKED 44 225 #define SSL_ALERT_CERTIFICATE_EXPIRED 45 226 #define SSL_ALERT_CERTIFICATE_UNKNOWN 46 227 #define TLS_ALERT_ILLEGAL_PARAMETER 47 228 #define TLS_ALERT_UNKNOWN_CA 48 229 #define TLS_ALERT_ACCESS_DENIED 49 230 #define TLS_ALERT_DECODE_ERROR 50 231 #define TLS_ALERT_DECRYPT_ERROR 51 232 #define TLS_ALERT_EXPORT_RESTRICTION 60 233 #define TLS_ALERT_PROTOCOL_VERSION 70 234 #define TLS_ALERT_INSUFFICIENT_SECURITY 71 235 #define TLS_ALERT_INTERNAL_ERROR 80 236 #define TLS_ALERT_INAPPROPRIATE_FALLBACK 86 237 #define TLS_ALERT_USER_CANCELLED 90 238 #define TLS_ALERT_NO_RENEGOTIATION 100 239 #define TLS_ALERT_UNSUPPORTED_EXTENSION 110 240 #define TLS_ALERT_CERTIFICATE_UNOBTAINABLE 111 241 #define TLS_ALERT_UNRECOGNIZED_NAME 112 242 #define TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 113 243 #define TLS_ALERT_BAD_CERTIFICATE_HASH_VALUE 114 244 #define TLS_ALERT_UNKNOWN_PSK_IDENTITY 115 245 246 #define SSL_ALERT_FIRST SSL_ALERT_CLOSE_NOTIFY 247 #define SSL_ALERT_LAST TLS_ALERT_UNKNOWN_PSK_IDENTITY 248 249 /* TLS supplemental data subtypes */ 250 251 #define TLS_SUPPDATA_USERMAPPING 0 252 253 /* SSL and TLS cipher suites */ 254 255 typedef enum { 256 /* SSLv3 cipher suites (0-10) */ 257 SSL_NULL_WITH_NULL, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, 258 SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* Non-valid/accapted suites */ 259 SSL_RSA_WITH_RC4_128_MD5, SSL_FIRST_VALID_SUITE = SSL_RSA_WITH_RC4_128_MD5, 260 SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, 261 SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 262 SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 263 264 /* TLS (RFC 2246) DH cipher suites (11-22) */ 265 TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_DSS_WITH_DES_CBC_SHA, 266 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, 267 TLS_DH_RSA_WITH_DES_CBC_SHA, TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, 268 TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_DSS_WITH_DES_CBC_SHA, 269 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 270 TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 271 272 /* TLS (RFC 2246) anon-DH cipher suites (23-27) */ 273 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5, TLS_DH_anon_WITH_RC4_128_MD5, 274 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_anon_WITH_DES_CBC_SHA, 275 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, 276 277 /* TLS (RFC 2246) reserved cipher suites (28-29, used for Fortezza in 278 SSLv3) */ 279 TLS_reserved_1, TLS_reserved_2, 280 281 /* TLS with Kerberos (RFC 2712) suites (30-43) */ 282 TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 283 TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_IDEA_CBC_SHA, 284 TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, 285 TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_IDEA_CBC_MD5, 286 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, 287 TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, 288 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, 289 290 /* Formerly reserved (44-46), later assigned to PSK-with-NULL suites 291 (RFC 4785) */ 292 TLS_PSK_WITH_NULL_SHA, TLS_DHE_PSK_WITH_NULL_SHA, 293 TLS_RSA_PSK_WITH_NULL_SHA, 294 295 /* TLS 1.1 (RFC 4346) cipher suites (47-58) */ 296 TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA, 297 TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 298 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, 299 TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, 300 TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 301 TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, 302 303 /* TLS 1.2 (RFC 5246) cipher suites (59-61) */ 304 TLS_RSA_WITH_NULL_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, 305 TLS_RSA_WITH_AES_256_CBC_SHA256, 306 307 /* TLS 1.2 (RFC 5246) DH cipher suites (62-64), continued at 103 */ 308 TLS_DH_DSS_WITH_AES_128_CBC_SHA256, TLS_DH_RSA_WITH_AES_128_CBC_SHA256, 309 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 310 311 /* Camellia (RFC 4132) AES-128 suites (65-70) */ 312 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, 313 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, 314 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA, 315 316 /* Unknown/reserved suites (71-103) */ 317 318 /* More TLS 1.2 (RFC 5246) DH cipher suites (103-109) */ 319 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 103, TLS_DH_DSS_WITH_AES_256_CBC_SHA256, 320 TLS_DH_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 321 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, 322 TLS_DH_anon_WITH_AES_256_CBC_SHA256, 323 324 /* Unknown suites (110-131) */ 325 326 /* Camellia (RFC 4132) AES-256 suites (132-137) */ 327 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 132, 328 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, 329 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 330 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA, 331 332 /* TLS-PSK (RFC 4279) cipher suites (138-149) */ 333 TLS_PSK_WITH_RC4_128_SHA, TLS_PSK_WITH_3DES_EDE_CBC_SHA, 334 TLS_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_AES_256_CBC_SHA, 335 TLS_DHE_PSK_WITH_RC4_128_SHA, TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, 336 TLS_DHE_PSK_WITH_AES_128_CBC_SHA, TLS_DHE_PSK_WITH_AES_256_CBC_SHA, 337 TLS_RSA_PSK_WITH_RC4_128_SHA, TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, 338 TLS_RSA_PSK_WITH_AES_128_CBC_SHA, TLS_RSA_PSK_WITH_AES_256_CBC_SHA, 339 340 /* SEED (RFC 4162) suites (150-155) */ 341 TLS_RSA_WITH_SEED_CBC_SHA, TLS_DH_DSS_WITH_SEED_CBC_SHA, 342 TLS_DH_RSA_WITH_SEED_CBC_SHA, TLS_DHE_DSS_WITH_SEED_CBC_SHA, 343 TLS_DHE_RSA_WITH_SEED_CBC_SHA, TLS_DH_anon_WITH_SEED_CBC_SHA, 344 345 /* TLS 1.2 (RFC 5288) GCM cipher suites (156-167) */ 346 TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, 347 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 348 TLS_DH_RSA_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_256_GCM_SHA384, 349 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, 350 TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 351 TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_GCM_SHA384, 352 353 /* TLS 1.2 (RFC 5487) PSK cipher suites (168-185 */ 354 TLS_PSK_WITH_AES_128_GCM_SHA256, TLS_PSK_WITH_AES_256_GCM_SHA384, 355 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, 356 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, 357 TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_256_CBC_SHA384, 358 TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA384, 359 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, 360 TLS_DHE_PSK_WITH_NULL_SHA256, TLS_DHE_PSK_WITH_NULL_SHA384, 361 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, 362 TLS_RSA_PSK_WITH_NULL_SHA256, TLS_RSA_PSK_WITH_NULL_SHA384, 363 364 /* TLS 1.2 (RFC 5932) Camellia cipher suites (186-197) */ 365 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, 366 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, 367 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256, 368 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, 369 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, 370 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256, 371 372 /* TLS secure-rengotiation signalling cipher suite, RFC 5746 */ 373 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 255, 374 375 /* TLS fallback signalling cpiher suite, RFC 7507, stuffed into a gap in 376 the range starting at 22016/0x5600 */ 377 TLS_FALLBACK_SCSV = 22016, 378 379 /* TLS-ECC (RFC 4492) cipher suites. For some unknown reason these 380 start above 49152/0xC000, so the range is 49153...49177 */ 381 TLS_ECDH_ECDSA_WITH_NULL_SHA = 49153, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 382 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 383 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, 384 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 385 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 386 TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, 387 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 388 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, 389 TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 390 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 391 TLS_ECDH_anon_WITH_NULL_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, 392 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 393 TLS_ECDH_anon_WITH_AES_256_CBC_SHA, 394 395 /* TLS-SRP (RFC 5054) cipher suites, following the pattern from 396 above at 49178/0xC01A...49186 */ 397 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA, TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, 398 TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, TLS_SRP_SHA_WITH_AES_128_CBC_SHA, 399 TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, 400 TLS_SRP_SHA_WITH_AES_256_CBC_SHA, TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, 401 TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, 402 403 /* TLS-ECC (RFC 5289) SHA-2 cipher suites, following the pattern from 404 above at 49187/0xC023...49194 */ 405 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 406 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 407 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 408 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 409 410 /* TLS-ECC (RFC 5289) GCM cipher suites, following the pattern from above 411 at 49195/0xC02B...49202 */ 412 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 413 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 414 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 415 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 416 417 /* TLS-ECC (RFC 5489) PSK cipher suites, following the pattern from above 418 at 49203/0xC033...49211 */ 419 TLS_ECDHE_PSK_WITH_RC4_128_SHA, TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, 420 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 421 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, 422 TLS_ECDHE_PSK_WITH_NULL_SHA, TLS_ECDHE_PSK_WITH_NULL_SHA256, 423 TLS_ECDHE_PSK_WITH_NULL_SHA384, 424 425 /* Endless vanity suites, Aria, Camellia, etc */ 426 427 SSL_LAST_SUITE 428 } SSL_CIPHERSUITE_TYPE; 429 430 /* TLS extension types, from 431 http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */ 432 433 typedef enum { 434 TLS_EXT_SERVER_NAME, /* 0: Name of virtual server to contact */ 435 TLS_EXT_MAX_FRAGMENT_LENTH, /* 1: Max.fragment length if smaller than 2^14 bytes */ 436 TLS_EXT_CLIENT_CERTIFICATE_URL, /* 2: Location for server to find client certificate */ 437 TLS_EXT_TRUSTED_CA_KEYS, /* 3: Indication of which CAs clients trust */ 438 TLS_EXT_TRUNCATED_HMAC, /* 4: Use 80-bit truncated HMAC */ 439 TLS_EXT_STATUS_REQUEST, /* 5: OCSP status request from server */ 440 TLS_EXT_USER_MAPPING, /* 6: RFC 4681 mapping of user name to account */ 441 TLS_EXT_CLIENT_AUTHZ, /* 7: RFC 5878 authorisation exts */ 442 TLS_EXT_SERVER_AUTHZ, /* 8: RFC 5878 authorisation exts */ 443 TLS_EXT_CERTTYPE, /* 9: RFC 5081/6091 OpenPGP key support */ 444 TLS_EXT_ELLIPTIC_CURVES, /* 10: RFC 4492 ECDH/ECDSA support */ 445 TLS_EXT_EC_POINT_FORMATS, /* 11: RFC 4492 ECDH/ECDSA support */ 446 TLS_EXT_SRP, /* 12: RFC 5054 SRP support */ 447 TLS_EXT_SIGNATURE_ALGORITHMS,/* 13: RFC 5246 TLSv1.2 */ 448 TLS_EXT_USE_SRP, /* 14: RFC 5764, DTLS for SRTP keying */ 449 TLS_EXT_HEARTBEAT, /* 15: RFC 6520 DTLS heartbeat */ 450 TLS_EXT_ALPN, /* 16: RFC 7301 Application layer protocol negotiation */ 451 TLS_EXT_STATUS_REQUEST_V2, /* 17: RFC 6961 OCSP status request from server */ 452 TLS_EXT_CERT_TRANSPARENCY, /* 18: RFC 6962 Certificate transparency timestamp */ 453 TLS_EXT_RAWKEY_CLIENT, /* 19: RFC 7250 Raw client public key */ 454 TLS_EXT_RAWKEY_SERVER, /* 20: RFC 7250 Raw server public key */ 455 TLS_EXT_PADDING, /* 21: RFC 7685 Padding */ 456 TLS_EXT_ENCTHENMAC, /* 22: RFC 7366 Encrypt-then-MAC */ 457 TLS_EXT_EMS, /* 23: RFC 7627 Extended master secret */ 458 TLS_EXT_TEMP_TOKENBIND, /* 24: Draft, Token binding */ 459 /* 25...34 unused */ 460 TLS_EXT_SESSIONTICKET = 35, /* RFC 4507 session ticket support */ 461 /* 36....65280 unused */ 462 TLS_EXT_LAST, 463 464 /* The secure-renegotiation extension, for some unknown reason, is given 465 a value of 65281 / 0xFF01, so we define it outside the usual 466 extension range in order for the standard range-checking to be a bit 467 more sensible */ 468 TLS_EXT_SECURE_RENEG = 65281,/* RFC 5746 secure renegotiation */ 469 } TLS_EXT_TYPE; 470 471 /* SSL/TLS certificate types */ 472 473 typedef enum { 474 TLS_CERTTYPE_NONE, TLS_CERTTYPE_RSA, TLS_CERTTYPE_DSA, 475 TLS_CERTTYPE_DUMMY1 /* RSA+DH */, TLS_CERTTYPE_DUMMY2 /* DSA+DH */, 476 TLS_CERTTYPE_DUMMY3 /* RSA+EDH */, TLS_CERTTYPE_DUMMY4 /* DSA+EDH */, 477 TLS_CERTTYPE_ECDSA = 64, TLS_CERTTYPE_LAST 478 } TLS_CERTTYPE_TYPE; 479 480 /* TLS signature and hash algorithm identifiers */ 481 482 typedef enum { 483 TLS_SIGALGO_NONE, TLS_SIGALGO_RSA, TLS_SIGALGO_DSA, TLS_SIGALGO_ECDSA, 484 TLS_SIGALGO_LAST 485 } TLS_SIGALGO_TYPE; 486 487 typedef enum { 488 TLS_HASHALGO_NONE, TLS_HASHALGO_MD5, TLS_HASHALGO_SHA1, 489 TLS_HASHALGO_DUMMY1 /* SHA2-224 */, TLS_HASHALGO_SHA2, 490 TLS_HASHALGO_SHA384, TLS_HASHALGO_DUMMY3 /* SHA2-512 */, 491 TLS_HASHALGO_LAST 492 } TLS_HASHALGO_TYPE; 493 494 /* TLS ECC curve identifiers */ 495 496 typedef enum { 497 TLS_CURVE_NONE, TLS_CURVE_SECT163K1, TLS_CURVE_SECT163R1, 498 TLS_CURVE_SECT163R2, TLS_CURVE_SECT193R1, TLS_CURVE_SECT193R2, 499 TLS_CURVE_SECT233K1, TLS_CURVE_SECT233R1, TLS_CURVE_SECT239K1, 500 TLS_CURVE_SECT283K1, TLS_CURVE_SECT283R1, TLS_CURVE_SECT409K1, 501 TLS_CURVE_SECT409R1, TLS_CURVE_SECT571K1, TLS_CURVE_SECT571R1, 502 TLS_CURVE_SECP160K1, TLS_CURVE_SECP160R1, TLS_CURVE_SECP160R2, 503 TLS_CURVE_SECP192K1, TLS_CURVE_SECP192R1 /* P192 */, 504 TLS_CURVE_SECP224K1, TLS_CURVE_SECP224R1 /* P224 */, 505 TLS_CURVE_SECP256K1, TLS_CURVE_SECP256R1 /* P256 */, 506 TLS_CURVE_SECP384R1 /* P384 */, TLS_CURVE_SECP521R1 /* P521 */, 507 TLS_CURVE_BRAINPOOLP256R1 /* Brainpool P256 */, 508 TLS_CURVE_BRAINPOOLP384R1 /* Brainpool P384 */, 509 TLS_CURVE_BRAINPOOLP512R1 /* Brainpool P512 */, 510 TLS_CURVE_LAST 511 } TLS_CURVE_TYPE; 512 513 /* SSL and TLS major and minor version numbers */ 514 515 #define SSL_MAJOR_VERSION 3 516 #define SSL_MINOR_VERSION_SSL 0 517 #define SSL_MINOR_VERSION_TLS 1 518 #define SSL_MINOR_VERSION_TLS11 2 519 #define SSL_MINOR_VERSION_TLS12 3 520 521 /* SSL sender label values for the finished message MAC */ 522 523 #define SSL_SENDER_CLIENTLABEL "CLNT" 524 #define SSL_SENDER_SERVERLABEL "SRVR" 525 #define SSL_SENDERLABEL_SIZE 4 526 527 /* SSL/TLS cipher suite flags. These are: 528 529 CIPHERSUITE_PSK: Suite is a TLS-PSK suite and is used only if we're 530 using TLS-PSK. 531 532 CIPHERSUITE_DH: Suite is a DH suite. 533 534 CIPHERSUITE_ECC: Suite is an ECC suite and is used only if ECC is 535 enabled. 536 537 CIPHERSUITE_GCM: Encryption uses GCM instead of the usual CBC. 538 539 CIPHERSUITE_TLS12: Suite is a TLS 1.2 suite and is only sent if 540 TLS 1.2 is enabled */ 541 542 #define CIPHERSUITE_FLAG_NONE 0x00 /* No suite */ 543 #define CIPHERSUITE_FLAG_PSK 0x01 /* TLS-PSK suite */ 544 #define CIPHERSUITE_FLAG_DH 0x02 /* DH suite */ 545 #define CIPHERSUITE_FLAG_ECC 0x04 /* ECC suite */ 546 #define CIPHERSUITE_FLAG_TLS12 0x08 /* TLS 1.2 suite */ 547 #define CIPHERSUITE_FLAG_GCM 0x10 /* GCM instead of CBC */ 548 #define CIPHERSUITE_FLAG_MAX 0x1F /* Maximum possible flag value */ 549 550 typedef struct { 551 /* The SSL/TLS cipher suite */ 552 const int cipherSuite; 553 #ifndef NDEBUG 554 const char *description; 555 #endif /* NDEBUG */ 556 557 /* cryptlib algorithms for the cipher suite */ 558 const CRYPT_ALGO_TYPE keyexAlgo, authAlgo, cryptAlgo, macAlgo; 559 560 /* Auxiliary information for the suite */ 561 const int macParam, cryptKeySize, macBlockSize; 562 const int flags; 563 } CIPHERSUITE_INFO; 564 565 /* When building the debug version of the code we include a text string 566 describing the cipher suite that's being processed, this makes it easier 567 to track down problems */ 568 569 #ifndef NDEBUG 570 #define DESCRIPTION( text ) text, 571 #else 572 #define DESCRIPTION( text ) 573 #endif /* NDEBUG */ 574 575 /* Check for the presence of a TLS signalling suite */ 576 577 #define isSignallingSuite( suite ) \ 578 ( ( suite ) == TLS_FALLBACK_SCSV || \ 579 ( suite ) == TLS_EMPTY_RENEGOTIATION_INFO_SCSV ) 580 581 /* If we're configured to only use Suite B algorithms, we override the 582 algoAvailable() check to report that only Suite B algorithms are 583 available */ 584 585 #ifdef CONFIG_SUITEB 586 587 #if defined( _MSC_VER ) 588 #pragma message( " Building with Suite B algorithms only." ) 589 #endif /* VC++ */ 590 591 #define algoAvailable( algo ) \ 592 ( ( ( algo ) == CRYPT_ALGO_AES || ( algo ) == CRYPT_ALGO_ECDSA || \ 593 ( algo ) == CRYPT_ALGO_ECDH || ( algo ) == CRYPT_ALGO_SHA2 || \ 594 ( algo ) == CRYPT_ALGO_HMAC_SHA2 ) ? TRUE : FALSE ) 595 596 /* Special configuration defines to enable nonstandard behaviour for 597 Suite B tests */ 598 #ifdef CONFIG_SUITEB_TESTS 599 typedef enum { 600 SUITEB_TEST_NONE, /* No special test behaviour */ 601 602 /* RFC 5430bis tests */ 603 SUITEB_TEST_CLIINVALIDCURVE,/* Client sends non-Suite B curve */ 604 SUITEB_TEST_SVRINVALIDCURVE,/* Server sends non-Suite B curve */ 605 SUITEB_TEST_BOTHCURVES, /* Client must send P256 and P384 as supp.curves */ 606 SUITEB_TEST_BOTHSIGALGOS, /* Client must send SHA256 and SHA384 as sig.algos */ 607 608 SUITEB_TEST_LAST 609 } SUITEB_TEST_VALUE; 610 611 extern SUITEB_TEST_VALUE suiteBTestValue; 612 extern BOOLEAN suiteBTestClientCert; 613 #endif /* CONFIG_SUITEB_TESTS */ 614 #endif /* Suite B algorithms only */ 615 616 /* The following macro can be used to enable dumping of PDUs to disk. As a 617 safeguard, this only works in the Win32 debug version to prevent it from 618 being accidentally enabled in any release version */ 619 620 #if defined( __WIN32__ ) && !defined( NDEBUG ) 621 #define DEBUG_DUMP_SSL( buffer1, buffer1size, buffer2, buffer2size ) \ 622 debugDumpSSL( sessionInfoPtr, buffer1, buffer1size, buffer2, buffer2size ) 623 624 STDC_NONNULL_ARG( ( 1 ) ) \ 625 void debugDumpSSL( const SESSION_INFO *sessionInfoPtr, 626 IN_BUFFER_OPT( buffer1size ) const void *buffer1, 627 IN_LENGTH_SHORT const int buffer1size, 628 IN_BUFFER_OPT( buffer2size ) const void *buffer2, 629 IN_LENGTH_SHORT_Z const int buffer2size ); 630 #else 631 #define DEBUG_DUMP_SSL( buffer1, buffer1size, buffer2, buffer2size ) 632 #endif /* Win32 debug */ 633 634 /**************************************************************************** 635 * * 636 * SSL Structures * 637 * * 638 ****************************************************************************/ 639 640 /* SSL/TLS handshake state information. This is passed around various 641 subfunctions that handle individual parts of the handshake */ 642 643 struct SL; 644 645 typedef CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 646 int ( *SSL_HANDSHAKE_FUNCTION )( INOUT SESSION_INFO *sessionInfoPtr, 647 INOUT struct SL *handshakeInfo ); 648 649 typedef struct SL { 650 /* Client and server dual-hash/hash contexts */ 651 CRYPT_CONTEXT md5context, sha1context, sha2context; 652 #ifdef CONFIG_SUITEB 653 CRYPT_CONTEXT sha384context; 654 #endif /* CONFIG_SUITEB */ 655 656 /* Client and server nonces, session ID, and hashed SNI (which is used 657 alongside the session ID for scoreboard lookup) */ 658 BUFFER_FIXED( SSL_NONCE_SIZE ) \ 659 BYTE clientNonce[ SSL_NONCE_SIZE + 8 ]; 660 BUFFER_FIXED( SSL_NONCE_SIZE ) \ 661 BYTE serverNonce[ SSL_NONCE_SIZE + 8 ]; 662 BUFFER( MAX_SESSIONID_SIZE, sessionIDlength ) \ 663 BYTE sessionID[ MAX_SESSIONID_SIZE + 8 ]; 664 int sessionIDlength; 665 BYTE hashedSNI[ KEYID_SIZE + 8 ]; 666 BOOLEAN hashedSNIpresent; 667 668 /* Session hash, the hash of all messages from Client Hello to Client 669 Keyex */ 670 CRYPT_CONTEXT sessionHashContext; 671 BUFFER( 16, CRYPT_MAX_HASHSIZE ) \ 672 BYTE sessionHash[ CRYPT_MAX_HASHSIZE + 8 ]; 673 int sessionHashSize; 674 675 /* Premaster/master secret */ 676 BUFFER( CRYPT_MAX_PKCSIZE + CRYPT_MAX_TEXTSIZE, premasterSecretSize ) \ 677 BYTE premasterSecret[ CRYPT_MAX_PKCSIZE + CRYPT_MAX_TEXTSIZE + 8 ]; 678 int premasterSecretSize; 679 680 /* Encryption/security information. The encryption algorithm (cryptAlgo) 681 and integrity algorithm (integrityAlgo) are stored with the session 682 information, although the optional integrity-algorithm parameters are 683 stored here */ 684 CRYPT_CONTEXT dhContext; /* DH context if DHE is being used */ 685 int cipherSuite; /* Selected cipher suite */ 686 CRYPT_ALGO_TYPE keyexAlgo, authAlgo;/* Selected cipher suite algos */ 687 int integrityAlgoParam; /* Optional param.for integrity algo */ 688 CRYPT_ALGO_TYPE keyexSigHashAlgo;/* Algo.for keyex authentication */ 689 int keyexSigHashAlgoParam; /* Optional params.for keyex hash */ 690 int cryptKeysize; /* Size of session key */ 691 692 /* Other information */ 693 int clientOfferedVersion; /* Prot.vers.originally offered by client */ 694 int originalVersion; /* Original version set by the user before 695 it was modified based on what the peer 696 requested */ 697 #ifdef ALLOW_SSLV2_HELLO /* 28/01/08 Disabled since it's now finally 698 removed in MSIE and Firefox */ 699 BOOLEAN isSSLv2; /* Client hello is SSLv2 */ 700 #endif /* ALLOW_SSLV2_HELLO */ 701 BOOLEAN hasExtensions; /* Hello has TLS extensions */ 702 BOOLEAN needSNIResponse; /* Server needs to respond to SNI */ 703 BOOLEAN needRenegResponse; /* Server needs to respond to reneg.ind.*/ 704 BOOLEAN needEncThenMACResponse; /* Server needs to respond to encThenMAC */ 705 BOOLEAN needEMSResponse; /* Server needs to respond to EMS */ 706 int failAlertType; /* Alert type to send on failure */ 707 708 /* ECC-related information. Since ECC algorithms have a huge pile of 709 parameters we need to parse any extensions that the client sends in 710 order to locate any additional information required to handle them. 711 In the worst case these can retroactively modify the already- 712 negotiated cipher suites, disabling the use of ECC algorithms after 713 they were agreed on via cipher suites. To handle this we remember 714 both the preferred mainstream suite and a pointer to the preferred 715 ECC suite in 'eccSuiteInfoPtr', if it later turns out that the use 716 of ECC is OK we reset the crypto parameters using the save ECC suite 717 pointer. 718 719 If the use of ECC isn't retroactively disabled then the eccCurveID 720 and sendECCPointExtn values indicate which curve to use and whether 721 the server needs to respond with a point-extension indicator */ 722 BOOLEAN disableECC; /* Extn.disabled use of ECC suites */ 723 CRYPT_ECCCURVE_TYPE eccCurveID; /* cryptlib ID of ECC curve to use */ 724 BOOLEAN sendECCPointExtn; /* Whether svr.has to respond with ECC point ext.*/ 725 const void *eccSuiteInfoPtr; /* ECC suite information */ 726 727 /* The packet data stream. Since SSL can encapsulate multiple handshake 728 packets within a single SSL packet, the stream has to be persistent 729 across the different handshake functions to allow the continuation of 730 packets */ 731 STREAM stream; /* Packet data stream */ 732 733 /* Function pointers to handshaking functions. These are set up as 734 required depending on whether the session is client or server */ 735 FNPTR_DECLARE( SSL_HANDSHAKE_FUNCTION, beginHandshake ); 736 FNPTR_DECLARE( SSL_HANDSHAKE_FUNCTION, exchangeKeys ); 737 } SSL_HANDSHAKE_INFO; 738 739 /**************************************************************************** 740 * * 741 * SSL/TLS Functions * 742 * * 743 ****************************************************************************/ 744 745 /* Prototypes for functions in ssl.c */ 746 747 CHECK_RETVAL_LENGTH STDC_NONNULL_ARG( ( 1 ) ) \ 748 int readUint24( INOUT STREAM *stream ); 749 STDC_NONNULL_ARG( ( 1 ) ) \ 750 int writeUint24( INOUT STREAM *stream, IN_LENGTH_Z const int length ); 751 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4 ) ) \ 752 int readEcdhValue( INOUT STREAM *stream, 753 OUT_BUFFER( valueMaxLen, *valueLen ) void *value, 754 IN_LENGTH_SHORT_MIN( 64 ) const int valueMaxLen, 755 OUT_LENGTH_BOUNDED_Z( valueMaxLen ) int *valueLen ); 756 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 4 ) ) \ 757 int readSSLCertChain( INOUT SESSION_INFO *sessionInfoPtr, 758 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 759 INOUT STREAM *stream, 760 OUT_HANDLE_OPT CRYPT_CERTIFICATE *iCertChain, 761 const BOOLEAN isServer ); 762 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 763 int writeSSLCertChain( INOUT SESSION_INFO *sessionInfoPtr, 764 INOUT STREAM *stream ); 765 766 /* Prototypes for functions in ssl_cry.c */ 767 768 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4 ) ) \ 769 int encryptData( const SESSION_INFO *sessionInfoPtr, 770 INOUT_BUFFER( dataMaxLength, *dataLength ) \ 771 BYTE *data, 772 IN_DATALENGTH const int dataMaxLength, 773 OUT_DATALENGTH_Z int *dataLength, 774 IN_DATALENGTH const int payloadLength ); 775 /* This one's a bit tricky, the input is 776 { data, payloadLength } which is padded (if necessary) 777 and the padded length returned in '*dataLength' */ 778 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4 ) ) \ 779 int decryptData( SESSION_INFO *sessionInfoPtr, 780 INOUT_BUFFER_FIXED( dataLength ) \ 781 BYTE *data, 782 IN_DATALENGTH const int dataLength, 783 OUT_DATALENGTH_Z int *processedDataLength ); 784 /* This one's also tricky, the entire data block will be 785 processed but only 'processedDataLength' bytes of result 786 are valid output */ 787 #ifdef USE_SSL3 788 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4 ) ) \ 789 int createMacSSL( INOUT SESSION_INFO *sessionInfoPtr, 790 INOUT_BUFFER( dataMaxLength, *dataLength ) void *data, 791 IN_DATALENGTH const int dataMaxLength, 792 OUT_DATALENGTH_Z int *dataLength, 793 IN_DATALENGTH const int payloadLength, 794 IN_RANGE( 0, 255 ) const int type ); 795 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 796 int checkMacSSL( INOUT SESSION_INFO *sessionInfoPtr, 797 IN_BUFFER( dataLength ) const void *data, 798 IN_DATALENGTH const int dataLength, 799 IN_DATALENGTH_Z const int payloadLength, 800 IN_RANGE( 0, 255 ) const int type, 801 const BOOLEAN noReportError ); 802 #endif /* USE_SSL3 */ 803 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4 ) ) \ 804 int createMacTLS( INOUT SESSION_INFO *sessionInfoPtr, 805 INOUT_BUFFER( dataMaxLength, *dataLength ) void *data, 806 IN_DATALENGTH const int dataMaxLength, 807 OUT_DATALENGTH_Z int *dataLength, 808 IN_DATALENGTH const int payloadLength, 809 IN_RANGE( 0, 255 ) const int type ); 810 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 811 int checkMacTLS( INOUT SESSION_INFO *sessionInfoPtr, 812 IN_BUFFER( dataLength ) const void *data, 813 IN_DATALENGTH const int dataLength, 814 IN_DATALENGTH_Z const int payloadLength, 815 IN_RANGE( 0, 255 ) const int type, 816 const BOOLEAN noReportError ); 817 #ifdef USE_GCM 818 CHECK_RETVAL \ 819 int macDataTLSGCM( IN_HANDLE const CRYPT_CONTEXT iCryptContext, 820 IN_INT_Z const long seqNo, 821 IN_RANGE( SSL_MINOR_VERSION_TLS, \ 822 SSL_MINOR_VERSION_TLS12 ) const int version, 823 IN_LENGTH_Z const int payloadLength, 824 IN_RANGE( 0, 255 ) const int type ); 825 #endif /* USE_GCM */ 826 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 827 int hashHSPacketRead( const SSL_HANDSHAKE_INFO *handshakeInfo, 828 INOUT STREAM *stream ); 829 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 830 int hashHSPacketWrite( const SSL_HANDSHAKE_INFO *handshakeInfo, 831 INOUT STREAM *stream, 832 IN_DATALENGTH_Z const int offset ); 833 #ifdef USE_SSL3 834 CHECK_RETVAL STDC_NONNULL_ARG( ( 3, 5, 6, 8 ) ) \ 835 int completeSSLDualMAC( IN_HANDLE const CRYPT_CONTEXT md5context, 836 IN_HANDLE const CRYPT_CONTEXT sha1context, 837 OUT_BUFFER( hashValuesMaxLen, *hashValuesLen ) 838 BYTE *hashValues, 839 IN_LENGTH_SHORT_MIN( MD5MAC_SIZE + SHA1MAC_SIZE ) \ 840 const int hashValuesMaxLen, 841 OUT_LENGTH_BOUNDED_Z( hashValuesMaxLen ) \ 842 int *hashValuesLen, 843 IN_BUFFER( labelLength ) const char *label, 844 IN_RANGE( 1, 64 ) const int labelLength, 845 IN_BUFFER( masterSecretLen ) const BYTE *masterSecret, 846 IN_LENGTH_SHORT const int masterSecretLen ); 847 #endif /* USE_SSL3 */ 848 CHECK_RETVAL STDC_NONNULL_ARG( ( 3, 5, 6, 8 ) ) \ 849 int completeTLSHashedMAC( IN_HANDLE const CRYPT_CONTEXT md5context, 850 IN_HANDLE const CRYPT_CONTEXT sha1context, 851 OUT_BUFFER( hashValuesMaxLen, *hashValuesLen ) \ 852 BYTE *hashValues, 853 IN_LENGTH_SHORT_MIN( TLS_HASHEDMAC_SIZE ) \ 854 const int hashValuesMaxLen, 855 OUT_LENGTH_BOUNDED_Z( hashValuesMaxLen ) \ 856 int *hashValuesLen, 857 IN_BUFFER( labelLength ) const char *label, 858 IN_RANGE( 1, 64 ) const int labelLength, 859 IN_BUFFER( masterSecretLen ) const BYTE *masterSecret, 860 IN_LENGTH_SHORT const int masterSecretLen ); 861 CHECK_RETVAL STDC_NONNULL_ARG( ( 2, 4, 5, 7 ) ) \ 862 int completeTLS12HashedMAC( IN_HANDLE const CRYPT_CONTEXT sha2context, 863 OUT_BUFFER( hashValuesMaxLen, *hashValuesLen ) \ 864 BYTE *hashValues, 865 IN_LENGTH_SHORT_MIN( TLS_HASHEDMAC_SIZE ) \ 866 const int hashValuesMaxLen, 867 OUT_LENGTH_BOUNDED_Z( hashValuesMaxLen ) \ 868 int *hashValuesLen, 869 IN_BUFFER( labelLength ) const char *label, 870 IN_RANGE( 1, 64 ) const int labelLength, 871 IN_BUFFER( masterSecretLen ) const BYTE *masterSecret, 872 IN_LENGTH_SHORT const int masterSecretLen ); 873 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 874 int createSessionHash( const SESSION_INFO *sessionInfoPtr, 875 INOUT SSL_HANDSHAKE_INFO *handshakeInfo ); 876 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 877 int createCertVerify( const SESSION_INFO *sessionInfoPtr, 878 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 879 INOUT STREAM *stream ); 880 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 881 int checkCertVerify( INOUT SESSION_INFO *sessionInfoPtr, 882 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 883 INOUT STREAM *stream, 884 IN_LENGTH_SHORT_MIN( MIN_CRYPT_OBJECTSIZE ) \ 885 const int sigLength ); 886 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 4 ) ) \ 887 int createKeyexSignature( INOUT SESSION_INFO *sessionInfoPtr, 888 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 889 INOUT STREAM *stream, 890 IN_BUFFER( keyDataLength ) const void *keyData, 891 IN_LENGTH_SHORT const int keyDataLength ); 892 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 4 ) ) \ 893 int checkKeyexSignature( INOUT SESSION_INFO *sessionInfoPtr, 894 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 895 INOUT STREAM *stream, 896 IN_BUFFER( keyDataLength ) const void *keyData, 897 IN_LENGTH_SHORT const int keyDataLength, 898 const BOOLEAN isECC ); 899 900 /* Prototypes for functions in ssl_ext.c */ 901 902 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 903 int readExtensions( INOUT SESSION_INFO *sessionInfoPtr, 904 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 905 INOUT STREAM *stream, 906 IN_LENGTH_SHORT const int length ); 907 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 908 int writeClientExtensions( INOUT STREAM *stream, 909 INOUT SESSION_INFO *sessionInfoPtr ); 910 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 911 int writeServerExtensions( INOUT STREAM *stream, 912 INOUT SSL_HANDSHAKE_INFO *handshakeInfo ); 913 914 /* Prototypes for functions in ssl_hs.c/ssl_hsc.c */ 915 916 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 917 int processHelloSSL( INOUT SESSION_INFO *sessionInfoPtr, 918 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 919 INOUT STREAM *stream, const BOOLEAN isServer ); 920 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 921 int completeHandshakeSSL( INOUT SESSION_INFO *sessionInfoPtr, 922 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 923 const BOOLEAN isClient, 924 const BOOLEAN isResumedSession ); 925 926 /* Prototypes for functions in ssl_keymgmt.c */ 927 928 STDC_NONNULL_ARG( ( 1 ) ) \ 929 void destroySecurityContextsSSL( INOUT SESSION_INFO *sessionInfoPtr ); 930 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 931 int initHandshakeCryptInfo( INOUT SESSION_INFO *sessionInfoPtr, 932 INOUT SSL_HANDSHAKE_INFO *handshakeInfo ); 933 STDC_NONNULL_ARG( ( 1 ) ) \ 934 void destroyHandshakeCryptInfo( INOUT SSL_HANDSHAKE_INFO *handshakeInfo ); 935 CHECK_RETVAL STDC_NONNULL_ARG( ( 2 ) ) \ 936 int cloneHashContext( IN_HANDLE const CRYPT_CONTEXT hashContext, 937 OUT_HANDLE_OPT CRYPT_CONTEXT *clonedHashContext ); 938 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 939 int initDHcontextSSL( OUT_HANDLE_OPT CRYPT_CONTEXT *iCryptContext, 940 IN_BUFFER_OPT( keyDataLength ) const void *keyData, 941 IN_LENGTH_SHORT_Z const int keyDataLength, 942 IN_HANDLE_OPT const CRYPT_CONTEXT iServerKeyTemplate, 943 IN_ENUM_OPT( CRYPT_ECCCURVE ) \ 944 const CRYPT_ECCCURVE_TYPE eccParams ); 945 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 3, 4 ) ) \ 946 int createSharedPremasterSecret( OUT_BUFFER( premasterSecretMaxLength, \ 947 *premasterSecretLength ) \ 948 void *premasterSecret, 949 IN_LENGTH_SHORT \ 950 const int premasterSecretMaxLength, 951 OUT_LENGTH_BOUNDED_Z( premasterSecretMaxLength ) \ 952 int *premasterSecretLength, 953 IN_BUFFER( sharedSecretLength ) \ 954 const void *sharedSecret, 955 IN_LENGTH_SHORT const int sharedSecretLength, 956 IN_BUFFER_OPT( otherSecretLength ) \ 957 const void *otherSecret, 958 IN_LENGTH_PKC_Z const int otherSecretLength, 959 const BOOLEAN isEncodedValue ); 960 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3, 5 ) ) \ 961 int wrapPremasterSecret( INOUT SESSION_INFO *sessionInfoPtr, 962 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 963 OUT_BUFFER( dataMaxLength, *dataLength ) void *data, 964 IN_LENGTH_SHORT const int dataMaxLength, 965 OUT_LENGTH_BOUNDED_Z( dataMaxLength ) \ 966 int *dataLength ); 967 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 968 int unwrapPremasterSecret( INOUT SESSION_INFO *sessionInfoPtr, 969 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 970 IN_BUFFER( dataLength ) const void *data, 971 IN_LENGTH_SHORT const int dataLength ); 972 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 973 int initCryptoSSL( INOUT SESSION_INFO *sessionInfoPtr, 974 INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 975 OUT_BUFFER_FIXED( masterSecretSize ) void *masterSecret, 976 IN_LENGTH_SHORT const int masterSecretSize, 977 const BOOLEAN isClient, 978 const BOOLEAN isResumedSession ); 979 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 980 int loadExplicitIV( INOUT SESSION_INFO *sessionInfoPtr, 981 INOUT STREAM *stream, 982 OUT_INT_SHORT_Z int *ivLength ); 983 984 /* Prototypes for functions in ssl_rd.c */ 985 986 CHECK_RETVAL_PTR_NONNULL \ 987 const char *getSSLPacketName( IN_RANGE( 0, 255 ) const int packetType ); 988 CHECK_RETVAL_PTR_NONNULL \ 989 const char *getSSLHSPacketName( IN_RANGE( 0, 255 ) const int packetType ); 990 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 991 int processVersionInfo( INOUT SESSION_INFO *sessionInfoPtr, 992 INOUT STREAM *stream, 993 OUT_OPT int *clientVersion, 994 const BOOLEAN generalCheckOnly ); 995 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 996 int checkPacketHeaderSSL( INOUT SESSION_INFO *sessionInfoPtr, 997 INOUT STREAM *stream, 998 OUT_DATALENGTH_Z int *packetLength ); 999 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 3 ) ) \ 1000 int checkHSPacketHeader( INOUT SESSION_INFO *sessionInfoPtr, 1001 INOUT STREAM *stream, 1002 OUT_DATALENGTH_Z int *packetLength, 1003 IN_RANGE( SSL_HAND_FIRST, \ 1004 SSL_HAND_LAST ) const int packetType, 1005 IN_LENGTH_SHORT_Z const int minSize ); 1006 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4 ) ) \ 1007 int unwrapPacketSSL( INOUT SESSION_INFO *sessionInfoPtr, 1008 INOUT_BUFFER( dataMaxLength, \ 1009 *dataLength ) void *data, 1010 IN_DATALENGTH const int dataMaxLength, 1011 OUT_DATALENGTH_Z int *dataLength, 1012 IN_RANGE( SSL_HAND_FIRST, \ 1013 SSL_HAND_LAST ) const int packetType ); 1014 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 3 ) ) \ 1015 int readHSPacketSSL( INOUT SESSION_INFO *sessionInfoPtr, 1016 INOUT_OPT SSL_HANDSHAKE_INFO *handshakeInfo, 1017 OUT_DATALENGTH_Z int *packetLength, 1018 IN_RANGE( SSL_HAND_FIRST, \ 1019 SSL_MSG_LAST_SPECIAL ) const int packetType ); 1020 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 1021 int refreshHSStream( INOUT SESSION_INFO *sessionInfoPtr, 1022 INOUT SSL_HANDSHAKE_INFO *handshakeInfo ); 1023 1024 /* Prototypes for functions in ssl_suites.c */ 1025 1026 #ifndef CONFIG_SUITEB 1027 1028 CHECK_RETVAL \ 1029 int getCipherSuiteInfo( OUT const CIPHERSUITE_INFO ***cipherSuiteInfoPtrPtrPtr, 1030 OUT_INT_Z int *noSuiteEntries ); 1031 #else 1032 1033 #define getCipherSuiteInfo( infoPtr, noEntries, isServer ) \ 1034 getSuiteBCipherSuiteInfo( infoPtr, noEntries, isServer, suiteBinfo ) 1035 1036 CHECK_RETVAL \ 1037 int getSuiteBCipherSuiteInfo( OUT const CIPHERSUITE_INFO ***cipherSuiteInfoPtrPtrPtr, 1038 OUT_INT_Z int *noSuiteEntries, 1039 const BOOLEAN isServer, 1040 IN_FLAGS_Z( SSL ) const int suiteBinfo ); 1041 1042 #endif /* CONFIG_SUITEB */ 1043 1044 /* Prototypes for functions in ssl_svr.c */ 1045 1046 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 1047 int convertSNISessionID( INOUT SSL_HANDSHAKE_INFO *handshakeInfo, 1048 OUT_BUFFER_FIXED( idBufferLength ) BYTE *idBuffer, 1049 IN_LENGTH_FIXED( KEYID_SIZE ) const int idBufferLength ); 1050 1051 /* Prototypes for functions in ssl_wr.c */ 1052 1053 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 1054 int wrapPacketSSL( INOUT SESSION_INFO *sessionInfoPtr, 1055 INOUT STREAM *stream, 1056 IN_LENGTH_Z const int offset ); 1057 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 1058 int sendPacketSSL( INOUT SESSION_INFO *sessionInfoPtr, 1059 INOUT STREAM *stream, const BOOLEAN sendOnly ); 1060 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 1061 int openPacketStreamSSL( OUT STREAM *stream, 1062 const SESSION_INFO *sessionInfoPtr, 1063 IN_DATALENGTH_OPT const int bufferSize, 1064 IN_RANGE( SSL_HAND_FIRST, \ 1065 SSL_HAND_LAST ) const int packetType ); 1066 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2, 4 ) ) \ 1067 int continuePacketStreamSSL( INOUT STREAM *stream, 1068 const SESSION_INFO *sessionInfoPtr, 1069 IN_RANGE( SSL_HAND_FIRST, \ 1070 SSL_HAND_LAST ) const int packetType, 1071 OUT_LENGTH_SHORT_Z int *packetOffset ); 1072 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 1073 int completePacketStreamSSL( INOUT STREAM *stream, 1074 IN_LENGTH_Z const int offset ); 1075 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 3 ) ) \ 1076 int continueHSPacketStream( INOUT STREAM *stream, 1077 IN_RANGE( SSL_HAND_FIRST, \ 1078 SSL_HAND_LAST ) const int packetType, 1079 OUT_LENGTH_SHORT_Z int *packetOffset ); 1080 CHECK_RETVAL STDC_NONNULL_ARG( ( 1 ) ) \ 1081 int completeHSPacketStream( INOUT STREAM *stream, 1082 IN_LENGTH const int offset ); 1083 CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 2 ) ) \ 1084 int processAlert( INOUT SESSION_INFO *sessionInfoPtr, 1085 IN_BUFFER( headerLength ) const void *header, 1086 IN_DATALENGTH const int headerLength ); 1087 STDC_NONNULL_ARG( ( 1 ) ) \ 1088 void sendCloseAlert( INOUT SESSION_INFO *sessionInfoPtr, 1089 const BOOLEAN alertReceived ); 1090 STDC_NONNULL_ARG( ( 1 ) ) \ 1091 void sendHandshakeFailAlert( INOUT SESSION_INFO *sessionInfoPtr, 1092 IN_RANGE( SSL_ALERT_FIRST, \ 1093 SSL_ALERT_LAST ) const int alertType ); 1094 1095 /* Prototypes for session mapping functions */ 1096 1097 STDC_NONNULL_ARG( ( 1 ) ) \ 1098 void initSSLclientProcessing( INOUT SSL_HANDSHAKE_INFO *handshakeInfo ); 1099 STDC_NONNULL_ARG( ( 1 ) ) \ 1100 void initSSLserverProcessing( SSL_HANDSHAKE_INFO *handshakeInfo ); 1101 1102 #endif /* _SSL_DEFINED */ 1103