1*de0e0e4dSAntonio Huete Jimenez /* $OpenBSD: tls13_internal.h,v 1.101 2022/07/24 14:28:16 jsing Exp $ */ 272c33676SMaxim Ag /* 372c33676SMaxim Ag * Copyright (c) 2018 Bob Beck <beck@openbsd.org> 472c33676SMaxim Ag * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> 572c33676SMaxim Ag * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 672c33676SMaxim Ag * 772c33676SMaxim Ag * Permission to use, copy, modify, and/or distribute this software for any 872c33676SMaxim Ag * purpose with or without fee is hereby granted, provided that the above 972c33676SMaxim Ag * copyright notice and this permission notice appear in all copies. 1072c33676SMaxim Ag * 1172c33676SMaxim Ag * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 1272c33676SMaxim Ag * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 1372c33676SMaxim Ag * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 1472c33676SMaxim Ag * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 1572c33676SMaxim Ag * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 1672c33676SMaxim Ag * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 1772c33676SMaxim Ag * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 1872c33676SMaxim Ag */ 1972c33676SMaxim Ag 2072c33676SMaxim Ag #ifndef HEADER_TLS13_INTERNAL_H 2172c33676SMaxim Ag #define HEADER_TLS13_INTERNAL_H 2272c33676SMaxim Ag 2372c33676SMaxim Ag #include <openssl/evp.h> 2472c33676SMaxim Ag #include <openssl/ssl.h> 2572c33676SMaxim Ag 2672c33676SMaxim Ag #include "bytestring.h" 27*de0e0e4dSAntonio Huete Jimenez #include "tls_internal.h" 2872c33676SMaxim Ag 2972c33676SMaxim Ag __BEGIN_HIDDEN_DECLS 3072c33676SMaxim Ag 3172c33676SMaxim Ag #define TLS13_HS_CLIENT 1 3272c33676SMaxim Ag #define TLS13_HS_SERVER 2 3372c33676SMaxim Ag 3472c33676SMaxim Ag #define TLS13_IO_SUCCESS 1 3572c33676SMaxim Ag #define TLS13_IO_EOF 0 3672c33676SMaxim Ag #define TLS13_IO_FAILURE -1 37cca6fc52SDaniel Fojt #define TLS13_IO_ALERT -2 38cca6fc52SDaniel Fojt #define TLS13_IO_WANT_POLLIN -3 39cca6fc52SDaniel Fojt #define TLS13_IO_WANT_POLLOUT -4 40cca6fc52SDaniel Fojt #define TLS13_IO_WANT_RETRY -5 /* Retry the previous call immediately. */ 41cca6fc52SDaniel Fojt #define TLS13_IO_USE_LEGACY -6 428edacedfSDaniel Fojt #define TLS13_IO_RECORD_VERSION -7 438edacedfSDaniel Fojt #define TLS13_IO_RECORD_OVERFLOW -8 44cca6fc52SDaniel Fojt 45cca6fc52SDaniel Fojt #define TLS13_ERR_VERIFY_FAILED 16 46cca6fc52SDaniel Fojt #define TLS13_ERR_HRR_FAILED 17 47cca6fc52SDaniel Fojt #define TLS13_ERR_TRAILING_DATA 18 48cca6fc52SDaniel Fojt #define TLS13_ERR_NO_SHARED_CIPHER 19 498edacedfSDaniel Fojt #define TLS13_ERR_NO_CERTIFICATE 20 50cca6fc52SDaniel Fojt #define TLS13_ERR_NO_PEER_CERTIFICATE 21 5172c33676SMaxim Ag 528edacedfSDaniel Fojt #define TLS13_ALERT_LEVEL_WARNING 1 538edacedfSDaniel Fojt #define TLS13_ALERT_LEVEL_FATAL 2 548edacedfSDaniel Fojt 558edacedfSDaniel Fojt #define TLS13_ALERT_CLOSE_NOTIFY 0 568edacedfSDaniel Fojt #define TLS13_ALERT_UNEXPECTED_MESSAGE 10 578edacedfSDaniel Fojt #define TLS13_ALERT_BAD_RECORD_MAC 20 588edacedfSDaniel Fojt #define TLS13_ALERT_RECORD_OVERFLOW 22 598edacedfSDaniel Fojt #define TLS13_ALERT_HANDSHAKE_FAILURE 40 608edacedfSDaniel Fojt #define TLS13_ALERT_BAD_CERTIFICATE 42 618edacedfSDaniel Fojt #define TLS13_ALERT_UNSUPPORTED_CERTIFICATE 43 628edacedfSDaniel Fojt #define TLS13_ALERT_CERTIFICATE_REVOKED 44 638edacedfSDaniel Fojt #define TLS13_ALERT_CERTIFICATE_EXPIRED 45 648edacedfSDaniel Fojt #define TLS13_ALERT_CERTIFICATE_UNKNOWN 46 658edacedfSDaniel Fojt #define TLS13_ALERT_ILLEGAL_PARAMETER 47 668edacedfSDaniel Fojt #define TLS13_ALERT_UNKNOWN_CA 48 678edacedfSDaniel Fojt #define TLS13_ALERT_ACCESS_DENIED 49 688edacedfSDaniel Fojt #define TLS13_ALERT_DECODE_ERROR 50 698edacedfSDaniel Fojt #define TLS13_ALERT_DECRYPT_ERROR 51 708edacedfSDaniel Fojt #define TLS13_ALERT_PROTOCOL_VERSION 70 718edacedfSDaniel Fojt #define TLS13_ALERT_INSUFFICIENT_SECURITY 71 728edacedfSDaniel Fojt #define TLS13_ALERT_INTERNAL_ERROR 80 738edacedfSDaniel Fojt #define TLS13_ALERT_INAPPROPRIATE_FALLBACK 86 748edacedfSDaniel Fojt #define TLS13_ALERT_USER_CANCELED 90 758edacedfSDaniel Fojt #define TLS13_ALERT_MISSING_EXTENSION 109 768edacedfSDaniel Fojt #define TLS13_ALERT_UNSUPPORTED_EXTENSION 110 778edacedfSDaniel Fojt #define TLS13_ALERT_UNRECOGNIZED_NAME 112 788edacedfSDaniel Fojt #define TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 113 798edacedfSDaniel Fojt #define TLS13_ALERT_UNKNOWN_PSK_IDENTITY 115 808edacedfSDaniel Fojt #define TLS13_ALERT_CERTIFICATE_REQUIRED 116 818edacedfSDaniel Fojt #define TLS13_ALERT_NO_APPLICATION_PROTOCOL 120 828edacedfSDaniel Fojt 838edacedfSDaniel Fojt #define TLS13_INFO_HANDSHAKE_STARTED SSL_CB_HANDSHAKE_START 848edacedfSDaniel Fojt #define TLS13_INFO_HANDSHAKE_COMPLETED SSL_CB_HANDSHAKE_DONE 85*de0e0e4dSAntonio Huete Jimenez #define TLS13_INFO_ACCEPT_LOOP SSL_CB_ACCEPT_LOOP 86*de0e0e4dSAntonio Huete Jimenez #define TLS13_INFO_CONNECT_LOOP SSL_CB_CONNECT_LOOP 87*de0e0e4dSAntonio Huete Jimenez #define TLS13_INFO_ACCEPT_EXIT SSL_CB_ACCEPT_EXIT 88*de0e0e4dSAntonio Huete Jimenez #define TLS13_INFO_CONNECT_EXIT SSL_CB_CONNECT_EXIT 898edacedfSDaniel Fojt 9072c33676SMaxim Ag typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg); 91*de0e0e4dSAntonio Huete Jimenez typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg); 92cca6fc52SDaniel Fojt typedef void (*tls13_phh_sent_cb)(void *_cb_arg); 93cca6fc52SDaniel Fojt typedef void (*tls13_handshake_message_cb)(void *_cb_arg); 948edacedfSDaniel Fojt typedef void (*tls13_info_cb)(void *_cb_arg, int _state, int _ret); 958edacedfSDaniel Fojt typedef int (*tls13_ocsp_status_cb)(void *_cb_arg); 9672c33676SMaxim Ag 97cca6fc52SDaniel Fojt /* 98*de0e0e4dSAntonio Huete Jimenez * PSK support. 99cca6fc52SDaniel Fojt */ 10072c33676SMaxim Ag 101*de0e0e4dSAntonio Huete Jimenez /* 102*de0e0e4dSAntonio Huete Jimenez * Known PskKeyExchangeMode values. 103*de0e0e4dSAntonio Huete Jimenez * https://www.iana.org/assignments/tls-parameters/#tls-pskkeyexchangemode 104*de0e0e4dSAntonio Huete Jimenez */ 105*de0e0e4dSAntonio Huete Jimenez #define TLS13_PSK_KE 0 106*de0e0e4dSAntonio Huete Jimenez #define TLS13_PSK_DHE_KE 1 10772c33676SMaxim Ag 108cca6fc52SDaniel Fojt /* 109cca6fc52SDaniel Fojt * Secrets. 110cca6fc52SDaniel Fojt */ 11172c33676SMaxim Ag struct tls13_secret { 11272c33676SMaxim Ag uint8_t *data; 11372c33676SMaxim Ag size_t len; 11472c33676SMaxim Ag }; 11572c33676SMaxim Ag 11672c33676SMaxim Ag /* RFC 8446 Section 7.1 Page 92 */ 11772c33676SMaxim Ag struct tls13_secrets { 11872c33676SMaxim Ag const EVP_MD *digest; 11972c33676SMaxim Ag int resumption; 12072c33676SMaxim Ag int init_done; 12172c33676SMaxim Ag int early_done; 12272c33676SMaxim Ag int handshake_done; 12372c33676SMaxim Ag int schedule_done; 12472c33676SMaxim Ag int insecure; /* Set by tests */ 12572c33676SMaxim Ag struct tls13_secret zeros; 12672c33676SMaxim Ag struct tls13_secret empty_hash; 12772c33676SMaxim Ag struct tls13_secret extracted_early; 12872c33676SMaxim Ag struct tls13_secret binder_key; 12972c33676SMaxim Ag struct tls13_secret client_early_traffic; 13072c33676SMaxim Ag struct tls13_secret early_exporter_master; 13172c33676SMaxim Ag struct tls13_secret derived_early; 13272c33676SMaxim Ag struct tls13_secret extracted_handshake; 13372c33676SMaxim Ag struct tls13_secret client_handshake_traffic; 13472c33676SMaxim Ag struct tls13_secret server_handshake_traffic; 13572c33676SMaxim Ag struct tls13_secret derived_handshake; 13672c33676SMaxim Ag struct tls13_secret extracted_master; 13772c33676SMaxim Ag struct tls13_secret client_application_traffic; 13872c33676SMaxim Ag struct tls13_secret server_application_traffic; 13972c33676SMaxim Ag struct tls13_secret exporter_master; 14072c33676SMaxim Ag struct tls13_secret resumption_master; 14172c33676SMaxim Ag }; 14272c33676SMaxim Ag 143*de0e0e4dSAntonio Huete Jimenez int tls13_secret_init(struct tls13_secret *secret, size_t len); 144*de0e0e4dSAntonio Huete Jimenez void tls13_secret_cleanup(struct tls13_secret *secret); 14572c33676SMaxim Ag struct tls13_secrets *tls13_secrets_create(const EVP_MD *digest, 14672c33676SMaxim Ag int resumption); 14772c33676SMaxim Ag void tls13_secrets_destroy(struct tls13_secrets *secrets); 14872c33676SMaxim Ag 14972c33676SMaxim Ag int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, 15072c33676SMaxim Ag const struct tls13_secret *secret, const char *label, 15172c33676SMaxim Ag const struct tls13_secret *context); 1522eb7d3b8SDaniel Fojt int tls13_hkdf_expand_label_with_length(struct tls13_secret *out, 1532eb7d3b8SDaniel Fojt const EVP_MD *digest, const struct tls13_secret *secret, 1542eb7d3b8SDaniel Fojt const uint8_t *label, size_t label_len, const struct tls13_secret *context); 1552eb7d3b8SDaniel Fojt 1562eb7d3b8SDaniel Fojt int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, 1572eb7d3b8SDaniel Fojt const struct tls13_secret *secret, const char *label, 1582eb7d3b8SDaniel Fojt const struct tls13_secret *context); 1592eb7d3b8SDaniel Fojt int tls13_derive_secret_with_label_length(struct tls13_secret *out, 1602eb7d3b8SDaniel Fojt const EVP_MD *digest, const struct tls13_secret *secret, 1612eb7d3b8SDaniel Fojt const uint8_t *label, size_t label_len, const struct tls13_secret *context); 16272c33676SMaxim Ag 16372c33676SMaxim Ag int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, 16472c33676SMaxim Ag size_t psk_len, const struct tls13_secret *context); 16572c33676SMaxim Ag int tls13_derive_handshake_secrets(struct tls13_secrets *secrets, 16672c33676SMaxim Ag const uint8_t *ecdhe, size_t ecdhe_len, const struct tls13_secret *context); 16772c33676SMaxim Ag int tls13_derive_application_secrets(struct tls13_secrets *secrets, 16872c33676SMaxim Ag const struct tls13_secret *context); 169cca6fc52SDaniel Fojt int tls13_update_client_traffic_secret(struct tls13_secrets *secrets); 170cca6fc52SDaniel Fojt int tls13_update_server_traffic_secret(struct tls13_secrets *secrets); 171cca6fc52SDaniel Fojt 172cca6fc52SDaniel Fojt /* 17372c33676SMaxim Ag * Record Layer. 17472c33676SMaxim Ag */ 17572c33676SMaxim Ag struct tls13_record_layer; 17672c33676SMaxim Ag 1778edacedfSDaniel Fojt struct tls13_record_layer_callbacks { 178*de0e0e4dSAntonio Huete Jimenez /* Wire callbacks. */ 179*de0e0e4dSAntonio Huete Jimenez tls_read_cb wire_read; 180*de0e0e4dSAntonio Huete Jimenez tls_write_cb wire_write; 181*de0e0e4dSAntonio Huete Jimenez tls_flush_cb wire_flush; 182*de0e0e4dSAntonio Huete Jimenez 183*de0e0e4dSAntonio Huete Jimenez /* Interceptors. */ 184*de0e0e4dSAntonio Huete Jimenez tls_handshake_read_cb handshake_read; 185*de0e0e4dSAntonio Huete Jimenez tls_handshake_write_cb handshake_write; 186*de0e0e4dSAntonio Huete Jimenez tls_traffic_key_cb set_read_traffic_key; 187*de0e0e4dSAntonio Huete Jimenez tls_traffic_key_cb set_write_traffic_key; 188*de0e0e4dSAntonio Huete Jimenez tls_alert_send_cb alert_send; 189*de0e0e4dSAntonio Huete Jimenez 190*de0e0e4dSAntonio Huete Jimenez /* Notification callbacks. */ 1918edacedfSDaniel Fojt tls13_alert_cb alert_recv; 1928edacedfSDaniel Fojt tls13_alert_cb alert_sent; 1938edacedfSDaniel Fojt tls13_phh_recv_cb phh_recv; 1948edacedfSDaniel Fojt tls13_phh_sent_cb phh_sent; 1958edacedfSDaniel Fojt }; 1968edacedfSDaniel Fojt 1978edacedfSDaniel Fojt struct tls13_record_layer *tls13_record_layer_new( 1988edacedfSDaniel Fojt const struct tls13_record_layer_callbacks *callbacks, void *cb_arg); 19972c33676SMaxim Ag void tls13_record_layer_free(struct tls13_record_layer *rl); 200*de0e0e4dSAntonio Huete Jimenez void tls13_record_layer_set_callbacks(struct tls13_record_layer *rl, 201*de0e0e4dSAntonio Huete Jimenez const struct tls13_record_layer_callbacks *callbacks, void *cb_arg); 202cca6fc52SDaniel Fojt void tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow); 203cca6fc52SDaniel Fojt void tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow); 204*de0e0e4dSAntonio Huete Jimenez void tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs); 20572c33676SMaxim Ag void tls13_record_layer_set_aead(struct tls13_record_layer *rl, 20672c33676SMaxim Ag const EVP_AEAD *aead); 20772c33676SMaxim Ag void tls13_record_layer_set_hash(struct tls13_record_layer *rl, 20872c33676SMaxim Ag const EVP_MD *hash); 209cca6fc52SDaniel Fojt void tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, 210cca6fc52SDaniel Fojt uint16_t version); 2118edacedfSDaniel Fojt void tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry); 21272c33676SMaxim Ag void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl); 21372c33676SMaxim Ag int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 214*de0e0e4dSAntonio Huete Jimenez struct tls13_secret *read_key, enum ssl_encryption_level_t read_level); 21572c33676SMaxim Ag int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 216*de0e0e4dSAntonio Huete Jimenez struct tls13_secret *write_key, enum ssl_encryption_level_t write_level); 217cca6fc52SDaniel Fojt ssize_t tls13_record_layer_send_pending(struct tls13_record_layer *rl); 218cca6fc52SDaniel Fojt ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs); 219*de0e0e4dSAntonio Huete Jimenez ssize_t tls13_record_layer_flush(struct tls13_record_layer *rl); 22072c33676SMaxim Ag 22172c33676SMaxim Ag ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); 22272c33676SMaxim Ag ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 22372c33676SMaxim Ag size_t n); 224cca6fc52SDaniel Fojt ssize_t tls13_pending_application_data(struct tls13_record_layer *rl); 225cca6fc52SDaniel Fojt ssize_t tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); 22672c33676SMaxim Ag ssize_t tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); 22772c33676SMaxim Ag ssize_t tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 22872c33676SMaxim Ag size_t n); 22972c33676SMaxim Ag 230cca6fc52SDaniel Fojt ssize_t tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc); 2318edacedfSDaniel Fojt ssize_t tls13_send_dummy_ccs(struct tls13_record_layer *rl); 232cca6fc52SDaniel Fojt 23372c33676SMaxim Ag /* 23472c33676SMaxim Ag * Handshake Messages. 23572c33676SMaxim Ag */ 23672c33676SMaxim Ag struct tls13_handshake_msg; 23772c33676SMaxim Ag 23872c33676SMaxim Ag struct tls13_handshake_msg *tls13_handshake_msg_new(void); 23972c33676SMaxim Ag void tls13_handshake_msg_free(struct tls13_handshake_msg *msg); 24072c33676SMaxim Ag void tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs); 24172c33676SMaxim Ag uint8_t tls13_handshake_msg_type(struct tls13_handshake_msg *msg); 24272c33676SMaxim Ag int tls13_handshake_msg_content(struct tls13_handshake_msg *msg, CBS *cbs); 24372c33676SMaxim Ag int tls13_handshake_msg_start(struct tls13_handshake_msg *msg, CBB *body, 24472c33676SMaxim Ag uint8_t msg_type); 24572c33676SMaxim Ag int tls13_handshake_msg_finish(struct tls13_handshake_msg *msg); 24672c33676SMaxim Ag int tls13_handshake_msg_recv(struct tls13_handshake_msg *msg, 24772c33676SMaxim Ag struct tls13_record_layer *rl); 24872c33676SMaxim Ag int tls13_handshake_msg_send(struct tls13_handshake_msg *msg, 24972c33676SMaxim Ag struct tls13_record_layer *rl); 25072c33676SMaxim Ag 25172c33676SMaxim Ag struct tls13_handshake_stage { 25272c33676SMaxim Ag uint8_t hs_type; 25372c33676SMaxim Ag uint8_t message_number; 25472c33676SMaxim Ag }; 25572c33676SMaxim Ag 25672c33676SMaxim Ag struct ssl_handshake_tls13_st; 25772c33676SMaxim Ag 258cca6fc52SDaniel Fojt struct tls13_error { 259cca6fc52SDaniel Fojt int code; 260cca6fc52SDaniel Fojt int subcode; 261cca6fc52SDaniel Fojt int errnum; 262cca6fc52SDaniel Fojt const char *file; 263cca6fc52SDaniel Fojt int line; 264cca6fc52SDaniel Fojt char *msg; 265cca6fc52SDaniel Fojt }; 266cca6fc52SDaniel Fojt 26772c33676SMaxim Ag struct tls13_ctx { 268cca6fc52SDaniel Fojt struct tls13_error error; 269cca6fc52SDaniel Fojt 27072c33676SMaxim Ag SSL *ssl; 271*de0e0e4dSAntonio Huete Jimenez struct ssl_handshake_st *hs; 27272c33676SMaxim Ag uint8_t mode; 27372c33676SMaxim Ag struct tls13_handshake_stage handshake_stage; 2748edacedfSDaniel Fojt int handshake_started; 27572c33676SMaxim Ag int handshake_completed; 276*de0e0e4dSAntonio Huete Jimenez int need_flush; 2778edacedfSDaniel Fojt int middlebox_compat; 2788edacedfSDaniel Fojt int send_dummy_ccs; 2798edacedfSDaniel Fojt int send_dummy_ccs_after; 28072c33676SMaxim Ag 281cca6fc52SDaniel Fojt int close_notify_sent; 282cca6fc52SDaniel Fojt int close_notify_recv; 283cca6fc52SDaniel Fojt 28472c33676SMaxim Ag const EVP_AEAD *aead; 28572c33676SMaxim Ag const EVP_MD *hash; 28672c33676SMaxim Ag 28772c33676SMaxim Ag struct tls13_record_layer *rl; 28872c33676SMaxim Ag struct tls13_handshake_msg *hs_msg; 289cca6fc52SDaniel Fojt uint8_t key_update_request; 290cca6fc52SDaniel Fojt uint8_t alert; 291cca6fc52SDaniel Fojt int phh_count; 292cca6fc52SDaniel Fojt time_t phh_last_seen; 293cca6fc52SDaniel Fojt 294cca6fc52SDaniel Fojt tls13_handshake_message_cb handshake_message_sent_cb; 295cca6fc52SDaniel Fojt tls13_handshake_message_cb handshake_message_recv_cb; 2968edacedfSDaniel Fojt tls13_info_cb info_cb; 2978edacedfSDaniel Fojt tls13_ocsp_status_cb ocsp_status_recv_cb; 29872c33676SMaxim Ag }; 299cca6fc52SDaniel Fojt #ifndef TLS13_PHH_LIMIT_TIME 300cca6fc52SDaniel Fojt #define TLS13_PHH_LIMIT_TIME 3600 301cca6fc52SDaniel Fojt #endif 302cca6fc52SDaniel Fojt #ifndef TLS13_PHH_LIMIT 303cca6fc52SDaniel Fojt #define TLS13_PHH_LIMIT 100 304cca6fc52SDaniel Fojt #endif 30572c33676SMaxim Ag 306*de0e0e4dSAntonio Huete Jimenez struct tls13_ctx *tls13_ctx_new(int mode, SSL *ssl); 30772c33676SMaxim Ag void tls13_ctx_free(struct tls13_ctx *ctx); 30872c33676SMaxim Ag 30972c33676SMaxim Ag const EVP_AEAD *tls13_cipher_aead(const SSL_CIPHER *cipher); 31072c33676SMaxim Ag const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher); 31172c33676SMaxim Ag 312*de0e0e4dSAntonio Huete Jimenez void tls13_alert_received_cb(uint8_t alert_desc, void *arg); 313*de0e0e4dSAntonio Huete Jimenez void tls13_alert_sent_cb(uint8_t alert_desc, void *arg); 314*de0e0e4dSAntonio Huete Jimenez ssize_t tls13_phh_received_cb(void *cb_arg); 315*de0e0e4dSAntonio Huete Jimenez void tls13_phh_done_cb(void *cb_arg); 316*de0e0e4dSAntonio Huete Jimenez 317*de0e0e4dSAntonio Huete Jimenez int tls13_quic_init(struct tls13_ctx *ctx); 318*de0e0e4dSAntonio Huete Jimenez 31972c33676SMaxim Ag /* 32072c33676SMaxim Ag * Legacy interfaces. 32172c33676SMaxim Ag */ 322cca6fc52SDaniel Fojt int tls13_use_legacy_client(struct tls13_ctx *ctx); 323cca6fc52SDaniel Fojt int tls13_use_legacy_server(struct tls13_ctx *ctx); 324cca6fc52SDaniel Fojt int tls13_legacy_accept(SSL *ssl); 32572c33676SMaxim Ag int tls13_legacy_connect(SSL *ssl); 32672c33676SMaxim Ag int tls13_legacy_return_code(SSL *ssl, ssize_t ret); 32772c33676SMaxim Ag ssize_t tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg); 32872c33676SMaxim Ag ssize_t tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg); 329*de0e0e4dSAntonio Huete Jimenez ssize_t tls13_legacy_wire_flush_cb(void *arg); 330cca6fc52SDaniel Fojt int tls13_legacy_pending(const SSL *ssl); 33172c33676SMaxim Ag int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, 33272c33676SMaxim Ag int peek); 33372c33676SMaxim Ag int tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len); 334cca6fc52SDaniel Fojt int tls13_legacy_shutdown(SSL *ssl); 3358edacedfSDaniel Fojt int tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert); 33672c33676SMaxim Ag 33772c33676SMaxim Ag /* 33872c33676SMaxim Ag * Message Types - RFC 8446, Section B.3. 33972c33676SMaxim Ag * 34072c33676SMaxim Ag * Values listed as "_RESERVED" were used in previous versions of TLS and are 34172c33676SMaxim Ag * listed here for completeness. TLS 1.3 implementations MUST NOT send them but 34272c33676SMaxim Ag * might receive them from older TLS implementations. 34372c33676SMaxim Ag */ 34472c33676SMaxim Ag #define TLS13_MT_HELLO_REQUEST_RESERVED 0 34572c33676SMaxim Ag #define TLS13_MT_CLIENT_HELLO 1 34672c33676SMaxim Ag #define TLS13_MT_SERVER_HELLO 2 34772c33676SMaxim Ag #define TLS13_MT_HELLO_VERIFY_REQUEST_RESERVED 3 34872c33676SMaxim Ag #define TLS13_MT_NEW_SESSION_TICKET 4 34972c33676SMaxim Ag #define TLS13_MT_END_OF_EARLY_DATA 5 35072c33676SMaxim Ag #define TLS13_MT_HELLO_RETRY_REQUEST_RESERVED 6 35172c33676SMaxim Ag #define TLS13_MT_ENCRYPTED_EXTENSIONS 8 35272c33676SMaxim Ag #define TLS13_MT_CERTIFICATE 11 35372c33676SMaxim Ag #define TLS13_MT_SERVER_KEY_EXCHANGE_RESERVED 12 35472c33676SMaxim Ag #define TLS13_MT_CERTIFICATE_REQUEST 13 35572c33676SMaxim Ag #define TLS13_MT_SERVER_HELLO_DONE_RESERVED 14 35672c33676SMaxim Ag #define TLS13_MT_CERTIFICATE_VERIFY 15 35772c33676SMaxim Ag #define TLS13_MT_CLIENT_KEY_EXCHANGE_RESERVED 16 35872c33676SMaxim Ag #define TLS13_MT_FINISHED 20 35972c33676SMaxim Ag #define TLS13_MT_CERTIFICATE_URL_RESERVED 21 36072c33676SMaxim Ag #define TLS13_MT_CERTIFICATE_STATUS_RESERVED 22 36172c33676SMaxim Ag #define TLS13_MT_SUPPLEMENTAL_DATA_RESERVED 23 36272c33676SMaxim Ag #define TLS13_MT_KEY_UPDATE 24 36372c33676SMaxim Ag #define TLS13_MT_MESSAGE_HASH 254 36472c33676SMaxim Ag 365cca6fc52SDaniel Fojt int tls13_handshake_msg_record(struct tls13_ctx *ctx); 36672c33676SMaxim Ag int tls13_handshake_perform(struct tls13_ctx *ctx); 36772c33676SMaxim Ag 368cca6fc52SDaniel Fojt int tls13_client_init(struct tls13_ctx *ctx); 369cca6fc52SDaniel Fojt int tls13_server_init(struct tls13_ctx *ctx); 370cca6fc52SDaniel Fojt int tls13_client_connect(struct tls13_ctx *ctx); 371cca6fc52SDaniel Fojt int tls13_server_accept(struct tls13_ctx *ctx); 372cca6fc52SDaniel Fojt 373cca6fc52SDaniel Fojt int tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb); 374cca6fc52SDaniel Fojt int tls13_client_hello_sent(struct tls13_ctx *ctx); 375cca6fc52SDaniel Fojt int tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs); 376cca6fc52SDaniel Fojt int tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb); 377cca6fc52SDaniel Fojt int tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs); 378cca6fc52SDaniel Fojt int tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb); 379cca6fc52SDaniel Fojt int tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs); 380cca6fc52SDaniel Fojt int tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb); 381cca6fc52SDaniel Fojt int tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs); 382cca6fc52SDaniel Fojt int tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb); 383cca6fc52SDaniel Fojt int tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs); 384cca6fc52SDaniel Fojt int tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs); 385cca6fc52SDaniel Fojt int tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb); 38672c33676SMaxim Ag int tls13_client_finished_sent(struct tls13_ctx *ctx); 387cca6fc52SDaniel Fojt int tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs); 388cca6fc52SDaniel Fojt int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb); 389cca6fc52SDaniel Fojt int tls13_server_hello_sent(struct tls13_ctx *ctx); 390cca6fc52SDaniel Fojt int tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs); 391cca6fc52SDaniel Fojt int tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb); 3928edacedfSDaniel Fojt int tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx); 393cca6fc52SDaniel Fojt int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs); 394cca6fc52SDaniel Fojt int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb); 395cca6fc52SDaniel Fojt int tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs); 396cca6fc52SDaniel Fojt int tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb); 397cca6fc52SDaniel Fojt int tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs); 398cca6fc52SDaniel Fojt int tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb); 399cca6fc52SDaniel Fojt int tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb); 400cca6fc52SDaniel Fojt int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs); 401cca6fc52SDaniel Fojt int tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs); 402cca6fc52SDaniel Fojt int tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb); 403cca6fc52SDaniel Fojt int tls13_server_finished_sent(struct tls13_ctx *ctx); 404cca6fc52SDaniel Fojt 405cca6fc52SDaniel Fojt void tls13_error_clear(struct tls13_error *error); 4068edacedfSDaniel Fojt int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, 4078edacedfSDaniel Fojt int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)); 408cca6fc52SDaniel Fojt 409cca6fc52SDaniel Fojt int tls13_synthetic_handshake_message(struct tls13_ctx *ctx); 4108edacedfSDaniel Fojt int tls13_clienthello_hash_init(struct tls13_ctx *ctx); 4118edacedfSDaniel Fojt void tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs); 4128edacedfSDaniel Fojt int tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, 4138edacedfSDaniel Fojt size_t len); 4148edacedfSDaniel Fojt int tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs); 4158edacedfSDaniel Fojt int tls13_clienthello_hash_finalize(struct tls13_ctx *ctx); 4168edacedfSDaniel Fojt int tls13_clienthello_hash_validate(struct tls13_ctx *ctx); 417cca6fc52SDaniel Fojt 418cca6fc52SDaniel Fojt int tls13_error_set(struct tls13_error *error, int code, int subcode, 419cca6fc52SDaniel Fojt const char *file, int line, const char *fmt, ...); 420cca6fc52SDaniel Fojt int tls13_error_setx(struct tls13_error *error, int code, int subcode, 421cca6fc52SDaniel Fojt const char *file, int line, const char *fmt, ...); 422cca6fc52SDaniel Fojt 423cca6fc52SDaniel Fojt #define tls13_set_error(ctx, code, subcode, fmt, ...) \ 424cca6fc52SDaniel Fojt tls13_error_set(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \ 425cca6fc52SDaniel Fojt (fmt), __VA_ARGS__) 426cca6fc52SDaniel Fojt #define tls13_set_errorx(ctx, code, subcode, fmt, ...) \ 427cca6fc52SDaniel Fojt tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \ 428cca6fc52SDaniel Fojt (fmt), __VA_ARGS__) 429cca6fc52SDaniel Fojt 4302eb7d3b8SDaniel Fojt int tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, 4312eb7d3b8SDaniel Fojt const uint8_t *context_value, size_t context_value_len, uint8_t *out, 4322eb7d3b8SDaniel Fojt size_t out_len); 4332eb7d3b8SDaniel Fojt 434cca6fc52SDaniel Fojt extern const uint8_t tls13_downgrade_12[8]; 435cca6fc52SDaniel Fojt extern const uint8_t tls13_downgrade_11[8]; 436cca6fc52SDaniel Fojt extern const uint8_t tls13_hello_retry_request_hash[32]; 437cca6fc52SDaniel Fojt extern const uint8_t tls13_cert_verify_pad[64]; 438cca6fc52SDaniel Fojt extern const uint8_t tls13_cert_client_verify_context[]; 439cca6fc52SDaniel Fojt extern const uint8_t tls13_cert_server_verify_context[]; 44072c33676SMaxim Ag 44172c33676SMaxim Ag __END_HIDDEN_DECLS 44272c33676SMaxim Ag 44372c33676SMaxim Ag #endif 444