[thirdparty/strongswan.git] / src / libtls / tls.h

/*
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup libtls libtls
 *
 * @addtogroup libtls
 * TLS implementation on top of libstrongswan
 *
 * @defgroup tls tls
 * @{ @ingroup libtls
 */

#ifndef TLS_H_
#define TLS_H_

typedef enum tls_version_t tls_version_t;
typedef enum tls_content_type_t tls_content_type_t;
typedef enum tls_handshake_type_t tls_handshake_type_t;
typedef enum tls_purpose_t tls_purpose_t;
typedef struct tls_t tls_t;

#include <library.h>

#include "tls_application.h"
#include "tls_cache.h"

/**
 * TLS/SSL version numbers
 */
enum tls_version_t {
	SSL_2_0 = 0x0200,
	SSL_3_0 = 0x0300,
	TLS_1_0 = 0x0301,
	TLS_1_1 = 0x0302,
	TLS_1_2 = 0x0303,
};

/**
 * Enum names for tls_version_t
 */
extern enum_name_t *tls_version_names;

/**
 * TLS higher level content type
 */
enum tls_content_type_t {
	TLS_CHANGE_CIPHER_SPEC = 20,
	TLS_ALERT = 21,
	TLS_HANDSHAKE = 22,
	TLS_APPLICATION_DATA = 23,
};

/**
 * Enum names for tls_content_type_t
 */
extern enum_name_t *tls_content_type_names;

/**
 * TLS handshake subtype
 */
enum tls_handshake_type_t {
	TLS_HELLO_REQUEST = 0,
	TLS_CLIENT_HELLO = 1,
	TLS_SERVER_HELLO = 2,
	TLS_CERTIFICATE = 11,
	TLS_SERVER_KEY_EXCHANGE = 12,
	TLS_CERTIFICATE_REQUEST = 13,
	TLS_SERVER_HELLO_DONE = 14,
	TLS_CERTIFICATE_VERIFY = 15,
	TLS_CLIENT_KEY_EXCHANGE = 16,
	TLS_FINISHED = 20,
};

/**
 * Enum names for tls_handshake_type_t
 */
extern enum_name_t *tls_handshake_type_names;

/**
 * Purpose the TLS stack is initiated for.
 */
enum tls_purpose_t {
	/** authentication in EAP-TLS */
	TLS_PURPOSE_EAP_TLS,
	/** outer authentication and protection in EAP-TTLS */
	TLS_PURPOSE_EAP_TTLS,
	/** outer authentication and protection in EAP-PEAP */
	TLS_PURPOSE_EAP_PEAP,
	/** non-EAP TLS */
	TLS_PURPOSE_GENERIC,
	/** EAP binding for TNC */
	TLS_PURPOSE_EAP_TNC
};

/**
 * TLS Hello extension types.
 */
enum tls_extension_t {
	/** Server name the client wants to talk to */
	TLS_EXT_SERVER_NAME = 0,
	/** request a maximum fragment size */
	TLS_EXT_MAX_FRAGMENT_LENGTH = 1,
	/** indicate client certificate URL support */
	TLS_EXT_CLIENT_CERTIFICATE_URL = 2,
	/** list of CA the client trusts */
	TLS_EXT_TRUSTED_CA_KEYS = 3,
	/** request MAC truncation to 80-bit */
	TLS_EXT_TRUNCATED_HMAC = 4,
	/** list of OCSP responders the client trusts */
	TLS_EXT_STATUS_REQUEST = 5,
	/** list of supported elliptic curves */
	TLS_EXT_ELLIPTIC_CURVES = 10,
	/** supported point formats */
	TLS_EXT_EC_POINT_FORMATS = 11,
	/** list supported signature algorithms */
	TLS_EXT_SIGNATURE_ALGORITHMS = 13,
	/** cryptographic binding for RFC 5746 renegotiation indication */
	TLS_EXT_RENEGOTIATION_INFO = 65281,
};

enum tls_name_type_t {
	TLS_NAME_TYPE_HOST_NAME = 0,
};

/**
 * Enum names for tls_extension_t
 */
extern enum_name_t *tls_extension_names;

/**
 * A bottom-up driven TLS stack, suitable for EAP implementations.
 */
struct tls_t {

	/**
	 * Process one or more TLS records, pass it to upper layers.
	 *
	 * @param buf		TLS record data, including headers
	 * @param buflen	number of bytes in buf to process
	 * @return
	 *					- SUCCESS if TLS negotiation complete
	 *					- FAILED if TLS handshake failed
	 *					- NEED_MORE if more invocations to process/build needed
	 */
	status_t (*process)(tls_t *this, void *buf, size_t buflen);

	/**
	 * Query upper layer for one or more TLS records, build fragments.
	 *
	 * The TLS stack automatically fragments the records to the given buffer
	 * size. Fragmentation is indicated by the reclen ouput parameter and
	 * the return value. For the first fragment of a TLS record, a non-zero
	 * record length is returned in reclen. If more fragments follow, NEED_MORE
	 * is returned. A return value of ALREADY_DONE indicates that the final
	 * fragment has been returned.
	 *
	 * @param buf		buffer to write TLS record fragments to
	 * @param buflen	size of buffer, receives bytes written
	 * @param msglen	receives size of all TLS fragments
	 * @return
	 *					- SUCCESS if TLS negotiation complete
	 *					- FAILED if TLS handshake failed
	 *					- INVALID_STATE if more input data required
	 *					- NEED_MORE if more fragments available
	 *					- ALREADY_DONE if the last available fragment returned
	 */
	status_t (*build)(tls_t *this, void *buf, size_t *buflen, size_t *msglen);

	/**
	 * Check if TLS stack is acting as a server.
	 *
	 * @return			TRUE if server, FALSE if peer
	 */
	bool (*is_server)(tls_t *this);

	/**
	 * Get the negotiated TLS/SSL version.
	 *
	 * @return			negotiated TLS version
	 */
	tls_version_t (*get_version)(tls_t *this);

	/**
	 * Set the negotiated TLS/SSL version.
	 *
	 * @param version	negotiated TLS version
	 * @return			TRUE if version acceptable
	 */
	bool (*set_version)(tls_t *this, tls_version_t version);

	/**
	 * Get the purpose of this TLS stack instance.
	 *
	 * @return			purpose given during construction
	 */
	tls_purpose_t (*get_purpose)(tls_t *this);

	/**
	 * Check if TLS negotiation completed successfully.
	 *
	 * @return			TRUE if TLS negotiation and authentication complete
	 */
	bool (*is_complete)(tls_t *this);

	/**
	 * Get the MSK for EAP-TLS.
	 *
	 * @return			MSK, internal data
	 */
	chunk_t (*get_eap_msk)(tls_t *this);

	/**
	 * Destroy a tls_t.
	 */
	void (*destroy)(tls_t *this);
};

/**
 * Dummy libtls initialization function needed for integrity test
 */
void libtls_init(void);

/**
 * Create a tls instance.
 *
 * @param is_server			TRUE to act as server, FALSE for client
 * @param server			server identity
 * @param peer				peer identity, NULL for no client authentication
 * @param purpose			purpose this TLS stack instance is used for
 * @param application		higher layer application or NULL if none
 * @param cache				session cache to use, or NULL
 * @return					TLS stack
 */
tls_t *tls_create(bool is_server, identification_t *server,
				  identification_t *peer, tls_purpose_t purpose,
				  tls_application_t *application, tls_cache_t *cache);

#endif /** TLS_H_ @}*/
Commit	Line	Data
f7f63c52 MW	1	/*
	2	* Copyright (C) 2010 Martin Willi
	3	* Copyright (C) 2010 revosec AG
	4	*
	5	* This program is free software; you can redistribute it and/or modify it
	6	* under the terms of the GNU General Public License as published by the
	7	* Free Software Foundation; either version 2 of the License, or (at your
	8	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	9	*
	10	* This program is distributed in the hope that it will be useful, but
	11	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	12	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	13	* for more details.
	14	*/
	15
	16	/**
0f82a470 MW	17	* @defgroup libtls libtls
	18	*
	19	* @addtogroup libtls
	20	* TLS implementation on top of libstrongswan
f7f63c52 MW	21	*
f7f63c52 MW	22	* @defgroup tls tls
0f82a470	23	* @{ @ingroup libtls
f7f63c52 MW	24	*/
	25
	26	#ifndef TLS_H_
	27	#define TLS_H_
	28
	29	typedef enum tls_version_t tls_version_t;
	30	typedef enum tls_content_type_t tls_content_type_t;
	31	typedef enum tls_handshake_type_t tls_handshake_type_t;
96b2fbcc	32	typedef enum tls_purpose_t tls_purpose_t;
dcbbeb2d	33	typedef struct tls_t tls_t;
f7f63c52 MW	34
	35	#include <library.h>
	36
1327839d	37	#include "tls_application.h"
6a5c86b7	38	#include "tls_cache.h"
1327839d	39
f7f63c52 MW	40	/**
	41	* TLS/SSL version numbers
	42	*/
	43	enum tls_version_t {
	44	SSL_2_0 = 0x0200,
	45	SSL_3_0 = 0x0300,
	46	TLS_1_0 = 0x0301,
	47	TLS_1_1 = 0x0302,
	48	TLS_1_2 = 0x0303,
	49	};
	50
	51	/**
	52	* Enum names for tls_version_t
	53	*/
	54	extern enum_name_t *tls_version_names;
	55
	56	/**
	57	* TLS higher level content type
	58	*/
	59	enum tls_content_type_t {
	60	TLS_CHANGE_CIPHER_SPEC = 20,
	61	TLS_ALERT = 21,
	62	TLS_HANDSHAKE = 22,
	63	TLS_APPLICATION_DATA = 23,
	64	};
	65
	66	/**
	67	* Enum names for tls_content_type_t
	68	*/
	69	extern enum_name_t *tls_content_type_names;
	70
	71	/**
	72	* TLS handshake subtype
	73	*/
	74	enum tls_handshake_type_t {
	75	TLS_HELLO_REQUEST = 0,
	76	TLS_CLIENT_HELLO = 1,
	77	TLS_SERVER_HELLO = 2,
	78	TLS_CERTIFICATE = 11,
	79	TLS_SERVER_KEY_EXCHANGE = 12,
	80	TLS_CERTIFICATE_REQUEST = 13,
	81	TLS_SERVER_HELLO_DONE = 14,
	82	TLS_CERTIFICATE_VERIFY = 15,
	83	TLS_CLIENT_KEY_EXCHANGE = 16,
	84	TLS_FINISHED = 20,
	85	};
	86
	87	/**
	88	* Enum names for tls_handshake_type_t
	89	*/
	90	extern enum_name_t *tls_handshake_type_names;
	91
96b2fbcc MW	92	/**
	93	* Purpose the TLS stack is initiated for.
	94	*/
	95	enum tls_purpose_t {
	96	/** authentication in EAP-TLS */
	97	TLS_PURPOSE_EAP_TLS,
	98	/** outer authentication and protection in EAP-TTLS */
	99	TLS_PURPOSE_EAP_TTLS,
1bee89d3 AS	100	/** outer authentication and protection in EAP-PEAP */
1bee89d3 AS	101	TLS_PURPOSE_EAP_PEAP,
69e8bb2e	102	/** non-EAP TLS */
bda7d9d9	103	TLS_PURPOSE_GENERIC,
d2b1d437 AS	104	/** EAP binding for TNC */
d2b1d437 AS	105	TLS_PURPOSE_EAP_TNC
96b2fbcc MW	106	};
96b2fbcc MW	107
731611c5 MW	108	/**
	109	* TLS Hello extension types.
	110	*/
	111	enum tls_extension_t {
6cf85b35 MW	112	/** Server name the client wants to talk to */
	113	TLS_EXT_SERVER_NAME = 0,
	114	/** request a maximum fragment size */
	115	TLS_EXT_MAX_FRAGMENT_LENGTH = 1,
	116	/** indicate client certificate URL support */
	117	TLS_EXT_CLIENT_CERTIFICATE_URL = 2,
	118	/** list of CA the client trusts */
	119	TLS_EXT_TRUSTED_CA_KEYS = 3,
	120	/** request MAC truncation to 80-bit */
	121	TLS_EXT_TRUNCATED_HMAC = 4,
	122	/** list of OCSP responders the client trusts */
	123	TLS_EXT_STATUS_REQUEST = 5,
	124	/** list of supported elliptic curves */
37a59a8f MW	125	TLS_EXT_ELLIPTIC_CURVES = 10,
	126	/** supported point formats */
	127	TLS_EXT_EC_POINT_FORMATS = 11,
6cf85b35	128	/** list supported signature algorithms */
731611c5	129	TLS_EXT_SIGNATURE_ALGORITHMS = 13,
a9ee43e9 AS	130	/** cryptographic binding for RFC 5746 renegotiation indication */
a9ee43e9 AS	131	TLS_EXT_RENEGOTIATION_INFO = 65281,
731611c5 MW	132	};
731611c5 MW	133
1c21f47a MW	134	enum tls_name_type_t {
	135	TLS_NAME_TYPE_HOST_NAME = 0,
	136	};
	137
731611c5 MW	138	/**
	139	* Enum names for tls_extension_t
	140	*/
	141	extern enum_name_t *tls_extension_names;
	142
dcbbeb2d MW	143	/**
	144	* A bottom-up driven TLS stack, suitable for EAP implementations.
	145	*/
	146	struct tls_t {
	147
	148	/**
14758000	149	* Process one or more TLS records, pass it to upper layers.
dcbbeb2d	150	*
ecd98efa MW	151	* @param buf TLS record data, including headers
ecd98efa MW	152	* @param buflen number of bytes in buf to process
dcbbeb2d MW	153	* @return
	154	* - SUCCESS if TLS negotiation complete
	155	* - FAILED if TLS handshake failed
	156	* - NEED_MORE if more invocations to process/build needed
	157	*/
ecd98efa	158	status_t (process)(tls_t this, void *buf, size_t buflen);
dcbbeb2d MW	159
dcbbeb2d MW	160	/**
ecd98efa	161	* Query upper layer for one or more TLS records, build fragments.
dcbbeb2d	162	*
ecd98efa MW	163	* The TLS stack automatically fragments the records to the given buffer
	164	* size. Fragmentation is indicated by the reclen ouput parameter and
	165	* the return value. For the first fragment of a TLS record, a non-zero
	166	* record length is returned in reclen. If more fragments follow, NEED_MORE
	167	* is returned. A return value of ALREADY_DONE indicates that the final
	168	* fragment has been returned.
	169	*
	170	* @param buf buffer to write TLS record fragments to
	171	* @param buflen size of buffer, receives bytes written
	172	* @param msglen receives size of all TLS fragments
dcbbeb2d MW	173	* @return
	174	* - SUCCESS if TLS negotiation complete
	175	* - FAILED if TLS handshake failed
ecd98efa MW	176	* - INVALID_STATE if more input data required
	177	* - NEED_MORE if more fragments available
	178	* - ALREADY_DONE if the last available fragment returned
dcbbeb2d	179	*/
ecd98efa	180	status_t (build)(tls_t this, void buf, size_t buflen, size_t *msglen);
dcbbeb2d	181
84543e6e MW	182	/**
	183	* Check if TLS stack is acting as a server.
	184	*
	185	* @return TRUE if server, FALSE if peer
	186	*/
	187	bool (is_server)(tls_t this);
	188
3e962b08 MW	189	/**
	190	* Get the negotiated TLS/SSL version.
	191	*
	192	* @return negotiated TLS version
	193	*/
	194	tls_version_t (get_version)(tls_t this);
	195
	196	/**
	197	* Set the negotiated TLS/SSL version.
	198	*
	199	* @param version negotiated TLS version
f154e304	200	* @return TRUE if version acceptable
3e962b08	201	*/
f154e304	202	bool (set_version)(tls_t this, tls_version_t version);
3e962b08	203
96b2fbcc MW	204	/**
	205	* Get the purpose of this TLS stack instance.
	206	*
	207	* @return purpose given during construction
	208	*/
	209	tls_purpose_t (get_purpose)(tls_t this);
	210
400df4ca MW	211	/**
	212	* Check if TLS negotiation completed successfully.
	213	*
84545f6e	214	* @return TRUE if TLS negotiation and authentication complete
400df4ca MW	215	*/
	216	bool (is_complete)(tls_t this);
	217
51313a39 MW	218	/**
	219	* Get the MSK for EAP-TLS.
	220	*
	221	* @return MSK, internal data
	222	*/
	223	chunk_t (get_eap_msk)(tls_t this);
	224
dcbbeb2d MW	225	/**
	226	* Destroy a tls_t.
	227	*/
	228	void (destroy)(tls_t this);
	229	};
	230
e7cb8f9b AS	231	/**
	232	* Dummy libtls initialization function needed for integrity test
	233	*/
	234	void libtls_init(void);
	235
dcbbeb2d MW	236	/**
	237	* Create a tls instance.
	238	*
b51ac45c AS	239	* @param is_server TRUE to act as server, FALSE for client
b51ac45c AS	240	* @param server server identity
69e8bb2e	241	* @param peer peer identity, NULL for no client authentication
0433b417	242	* @param purpose purpose this TLS stack instance is used for
b51ac45c	243	* @param application higher layer application or NULL if none
6a5c86b7	244	* @param cache session cache to use, or NULL
b51ac45c	245	* @return TLS stack
dcbbeb2d	246	*/
3ddd164e	247	tls_t tls_create(bool is_server, identification_t server,
96b2fbcc	248	identification_t *peer, tls_purpose_t purpose,
6a5c86b7	249	tls_application_t application, tls_cache_t cache);
dcbbeb2d	250
f7f63c52	251	#endif /** TLS_H_ @}*/