1 /* $OpenBSD: tls13_internal.h,v 1.28 2019/04/05 20:23:38 tb Exp $ */ 2 /* 3 * Copyright (c) 2018 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> 5 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 6 * 7 * Permission to use, copy, modify, and/or distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 14 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 16 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 17 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #ifndef HEADER_TLS13_INTERNAL_H 21 #define HEADER_TLS13_INTERNAL_H 22 23 #include <openssl/evp.h> 24 #include <openssl/ssl.h> 25 26 #include "bytestring.h" 27 28 __BEGIN_HIDDEN_DECLS 29 30 #define TLS13_HS_CLIENT 1 31 #define TLS13_HS_SERVER 2 32 33 #define TLS13_IO_SUCCESS 1 34 #define TLS13_IO_EOF 0 35 #define TLS13_IO_FAILURE -1 36 #define TLS13_IO_WANT_POLLIN -2 37 #define TLS13_IO_WANT_POLLOUT -3 38 #define TLS13_IO_USE_LEGACY -4 39 40 typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg); 41 typedef int (*tls13_post_handshake_cb)(void *_cb_arg); 42 typedef ssize_t (*tls13_read_cb)(void *_buf, size_t _buflen, void *_cb_arg); 43 typedef ssize_t (*tls13_write_cb)(const void *_buf, size_t _buflen, 44 void *_cb_arg); 45 46 struct tls13_buffer; 47 48 struct tls13_buffer *tls13_buffer_new(size_t init_size); 49 void tls13_buffer_free(struct tls13_buffer *buf); 50 ssize_t tls13_buffer_extend(struct tls13_buffer *buf, size_t len, 51 tls13_read_cb read_cb, void *cb_arg); 52 void tls13_buffer_cbs(struct tls13_buffer *buf, CBS *cbs); 53 int tls13_buffer_finish(struct tls13_buffer *buf, uint8_t **out, 54 size_t *out_len); 55 56 struct tls13_secret { 57 uint8_t *data; 58 size_t len; 59 }; 60 61 /* RFC 8446 Section 7.1 Page 92 */ 62 struct tls13_secrets { 63 const EVP_MD *digest; 64 int resumption; 65 int init_done; 66 int early_done; 67 int handshake_done; 68 int schedule_done; 69 int insecure; /* Set by tests */ 70 struct tls13_secret zeros; 71 struct tls13_secret empty_hash; 72 struct tls13_secret extracted_early; 73 struct tls13_secret binder_key; 74 struct tls13_secret client_early_traffic; 75 struct tls13_secret early_exporter_master; 76 struct tls13_secret derived_early; 77 struct tls13_secret extracted_handshake; 78 struct tls13_secret client_handshake_traffic; 79 struct tls13_secret server_handshake_traffic; 80 struct tls13_secret derived_handshake; 81 struct tls13_secret extracted_master; 82 struct tls13_secret client_application_traffic; 83 struct tls13_secret server_application_traffic; 84 struct tls13_secret exporter_master; 85 struct tls13_secret resumption_master; 86 }; 87 88 struct tls13_secrets *tls13_secrets_create(const EVP_MD *digest, 89 int resumption); 90 void tls13_secrets_destroy(struct tls13_secrets *secrets); 91 92 int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, 93 const struct tls13_secret *secret, const char *label, 94 const struct tls13_secret *context); 95 96 int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, 97 size_t psk_len, const struct tls13_secret *context); 98 int tls13_derive_handshake_secrets(struct tls13_secrets *secrets, 99 const uint8_t *ecdhe, size_t ecdhe_len, const struct tls13_secret *context); 100 int tls13_derive_application_secrets(struct tls13_secrets *secrets, 101 const struct tls13_secret *context); 102 103 /* 104 * Record Layer. 105 */ 106 struct tls13_record_layer; 107 108 struct tls13_record_layer *tls13_record_layer_new(tls13_read_cb wire_read, 109 tls13_write_cb wire_write, tls13_alert_cb alert_cb, 110 tls13_post_handshake_cb post_handshake_cb, void *cb_arg); 111 void tls13_record_layer_free(struct tls13_record_layer *rl); 112 void tls13_record_layer_set_aead(struct tls13_record_layer *rl, 113 const EVP_AEAD *aead); 114 void tls13_record_layer_set_hash(struct tls13_record_layer *rl, 115 const EVP_MD *hash); 116 void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl); 117 int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, 118 struct tls13_secret *read_key); 119 int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, 120 struct tls13_secret *write_key); 121 122 ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); 123 ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, 124 size_t n); 125 ssize_t tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); 126 ssize_t tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, 127 size_t n); 128 129 /* 130 * Handshake Messages. 131 */ 132 struct tls13_handshake_msg; 133 134 struct tls13_handshake_msg *tls13_handshake_msg_new(void); 135 void tls13_handshake_msg_free(struct tls13_handshake_msg *msg); 136 void tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs); 137 uint8_t tls13_handshake_msg_type(struct tls13_handshake_msg *msg); 138 int tls13_handshake_msg_content(struct tls13_handshake_msg *msg, CBS *cbs); 139 int tls13_handshake_msg_start(struct tls13_handshake_msg *msg, CBB *body, 140 uint8_t msg_type); 141 int tls13_handshake_msg_finish(struct tls13_handshake_msg *msg); 142 int tls13_handshake_msg_recv(struct tls13_handshake_msg *msg, 143 struct tls13_record_layer *rl); 144 int tls13_handshake_msg_send(struct tls13_handshake_msg *msg, 145 struct tls13_record_layer *rl); 146 147 struct tls13_handshake_stage { 148 uint8_t hs_type; 149 uint8_t message_number; 150 }; 151 152 struct ssl_handshake_tls13_st; 153 154 struct tls13_ctx { 155 SSL *ssl; 156 struct ssl_handshake_tls13_st *hs; 157 uint8_t mode; 158 struct tls13_handshake_stage handshake_stage; 159 int handshake_completed; 160 161 const EVP_AEAD *aead; 162 const EVP_MD *hash; 163 164 struct tls13_record_layer *rl; 165 struct tls13_handshake_msg *hs_msg; 166 }; 167 168 struct tls13_ctx *tls13_ctx_new(int mode); 169 void tls13_ctx_free(struct tls13_ctx *ctx); 170 171 const EVP_AEAD *tls13_cipher_aead(const SSL_CIPHER *cipher); 172 const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher); 173 174 /* 175 * Legacy interfaces. 176 */ 177 int tls13_legacy_connect(SSL *ssl); 178 int tls13_legacy_return_code(SSL *ssl, ssize_t ret); 179 ssize_t tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg); 180 ssize_t tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg); 181 int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, 182 int peek); 183 int tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len); 184 185 /* 186 * Message Types - RFC 8446, Section B.3. 187 * 188 * Values listed as "_RESERVED" were used in previous versions of TLS and are 189 * listed here for completeness. TLS 1.3 implementations MUST NOT send them but 190 * might receive them from older TLS implementations. 191 */ 192 #define TLS13_MT_HELLO_REQUEST_RESERVED 0 193 #define TLS13_MT_CLIENT_HELLO 1 194 #define TLS13_MT_SERVER_HELLO 2 195 #define TLS13_MT_HELLO_VERIFY_REQUEST_RESERVED 3 196 #define TLS13_MT_NEW_SESSION_TICKET 4 197 #define TLS13_MT_END_OF_EARLY_DATA 5 198 #define TLS13_MT_HELLO_RETRY_REQUEST_RESERVED 6 199 #define TLS13_MT_ENCRYPTED_EXTENSIONS 8 200 #define TLS13_MT_CERTIFICATE 11 201 #define TLS13_MT_SERVER_KEY_EXCHANGE_RESERVED 12 202 #define TLS13_MT_CERTIFICATE_REQUEST 13 203 #define TLS13_MT_SERVER_HELLO_DONE_RESERVED 14 204 #define TLS13_MT_CERTIFICATE_VERIFY 15 205 #define TLS13_MT_CLIENT_KEY_EXCHANGE_RESERVED 16 206 #define TLS13_MT_FINISHED 20 207 #define TLS13_MT_CERTIFICATE_URL_RESERVED 21 208 #define TLS13_MT_CERTIFICATE_STATUS_RESERVED 22 209 #define TLS13_MT_SUPPLEMENTAL_DATA_RESERVED 23 210 #define TLS13_MT_KEY_UPDATE 24 211 #define TLS13_MT_MESSAGE_HASH 254 212 213 int tls13_handshake_perform(struct tls13_ctx *ctx); 214 215 int tls13_client_hello_send(struct tls13_ctx *ctx); 216 int tls13_client_hello_recv(struct tls13_ctx *ctx); 217 int tls13_client_hello_retry_send(struct tls13_ctx *ctx); 218 int tls13_client_hello_retry_recv(struct tls13_ctx *ctx); 219 int tls13_client_end_of_early_data_send(struct tls13_ctx *ctx); 220 int tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx); 221 int tls13_client_certificate_send(struct tls13_ctx *ctx); 222 int tls13_client_certificate_recv(struct tls13_ctx *ctx); 223 int tls13_client_certificate_verify_send(struct tls13_ctx *ctx); 224 int tls13_client_certificate_verify_recv(struct tls13_ctx *ctx); 225 int tls13_client_finished_recv(struct tls13_ctx *ctx); 226 int tls13_client_finished_send(struct tls13_ctx *ctx); 227 int tls13_client_finished_sent(struct tls13_ctx *ctx); 228 int tls13_client_key_update_send(struct tls13_ctx *ctx); 229 int tls13_client_key_update_recv(struct tls13_ctx *ctx); 230 int tls13_server_hello_recv(struct tls13_ctx *ctx); 231 int tls13_server_hello_send(struct tls13_ctx *ctx); 232 int tls13_server_hello_retry_recv(struct tls13_ctx *ctx); 233 int tls13_server_hello_retry_send(struct tls13_ctx *ctx); 234 int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx); 235 int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx); 236 int tls13_server_certificate_recv(struct tls13_ctx *ctx); 237 int tls13_server_certificate_send(struct tls13_ctx *ctx); 238 int tls13_server_certificate_request_recv(struct tls13_ctx *ctx); 239 int tls13_server_certificate_request_send(struct tls13_ctx *ctx); 240 int tls13_server_certificate_verify_send(struct tls13_ctx *ctx); 241 int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx); 242 int tls13_server_finished_recv(struct tls13_ctx *ctx); 243 int tls13_server_finished_send(struct tls13_ctx *ctx); 244 245 __END_HIDDEN_DECLS 246 247 #endif 248