]>
Commit | Line | Data |
---|---|---|
f7f63c52 MW |
1 | /* |
2 | * Copyright (C) 2010 Martin Willi | |
3 | * Copyright (C) 2010 revosec AG | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify it | |
6 | * under the terms of the GNU General Public License as published by the | |
7 | * Free Software Foundation; either version 2 of the License, or (at your | |
8 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
9 | * | |
10 | * This program is distributed in the hope that it will be useful, but | |
11 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
12 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
13 | * for more details. | |
14 | */ | |
15 | ||
16 | /** | |
0f82a470 MW |
17 | * @defgroup libtls libtls |
18 | * | |
19 | * @addtogroup libtls | |
20 | * TLS implementation on top of libstrongswan | |
f7f63c52 MW |
21 | * |
22 | * @defgroup tls tls | |
0f82a470 | 23 | * @{ @ingroup libtls |
f7f63c52 MW |
24 | */ |
25 | ||
26 | #ifndef TLS_H_ | |
27 | #define TLS_H_ | |
28 | ||
29 | typedef enum tls_version_t tls_version_t; | |
30 | typedef enum tls_content_type_t tls_content_type_t; | |
31 | typedef enum tls_handshake_type_t tls_handshake_type_t; | |
96b2fbcc | 32 | typedef enum tls_purpose_t tls_purpose_t; |
dcbbeb2d | 33 | typedef struct tls_t tls_t; |
f7f63c52 MW |
34 | |
35 | #include <library.h> | |
36 | ||
1327839d | 37 | #include "tls_application.h" |
6a5c86b7 | 38 | #include "tls_cache.h" |
1327839d | 39 | |
f7f63c52 MW |
40 | /** |
41 | * TLS/SSL version numbers | |
42 | */ | |
43 | enum tls_version_t { | |
44 | SSL_2_0 = 0x0200, | |
45 | SSL_3_0 = 0x0300, | |
46 | TLS_1_0 = 0x0301, | |
47 | TLS_1_1 = 0x0302, | |
48 | TLS_1_2 = 0x0303, | |
49 | }; | |
50 | ||
51 | /** | |
52 | * Enum names for tls_version_t | |
53 | */ | |
54 | extern enum_name_t *tls_version_names; | |
55 | ||
56 | /** | |
57 | * TLS higher level content type | |
58 | */ | |
59 | enum tls_content_type_t { | |
60 | TLS_CHANGE_CIPHER_SPEC = 20, | |
61 | TLS_ALERT = 21, | |
62 | TLS_HANDSHAKE = 22, | |
63 | TLS_APPLICATION_DATA = 23, | |
64 | }; | |
65 | ||
66 | /** | |
67 | * Enum names for tls_content_type_t | |
68 | */ | |
69 | extern enum_name_t *tls_content_type_names; | |
70 | ||
71 | /** | |
72 | * TLS handshake subtype | |
73 | */ | |
74 | enum tls_handshake_type_t { | |
75 | TLS_HELLO_REQUEST = 0, | |
76 | TLS_CLIENT_HELLO = 1, | |
77 | TLS_SERVER_HELLO = 2, | |
78 | TLS_CERTIFICATE = 11, | |
79 | TLS_SERVER_KEY_EXCHANGE = 12, | |
80 | TLS_CERTIFICATE_REQUEST = 13, | |
81 | TLS_SERVER_HELLO_DONE = 14, | |
82 | TLS_CERTIFICATE_VERIFY = 15, | |
83 | TLS_CLIENT_KEY_EXCHANGE = 16, | |
84 | TLS_FINISHED = 20, | |
85 | }; | |
86 | ||
87 | /** | |
88 | * Enum names for tls_handshake_type_t | |
89 | */ | |
90 | extern enum_name_t *tls_handshake_type_names; | |
91 | ||
96b2fbcc MW |
92 | /** |
93 | * Purpose the TLS stack is initiated for. | |
94 | */ | |
95 | enum tls_purpose_t { | |
96 | /** authentication in EAP-TLS */ | |
97 | TLS_PURPOSE_EAP_TLS, | |
98 | /** outer authentication and protection in EAP-TTLS */ | |
99 | TLS_PURPOSE_EAP_TTLS, | |
1bee89d3 AS |
100 | /** outer authentication and protection in EAP-PEAP */ |
101 | TLS_PURPOSE_EAP_PEAP, | |
69e8bb2e | 102 | /** non-EAP TLS */ |
bda7d9d9 | 103 | TLS_PURPOSE_GENERIC, |
d2b1d437 AS |
104 | /** EAP binding for TNC */ |
105 | TLS_PURPOSE_EAP_TNC | |
96b2fbcc MW |
106 | }; |
107 | ||
731611c5 MW |
108 | /** |
109 | * TLS Hello extension types. | |
110 | */ | |
111 | enum tls_extension_t { | |
6cf85b35 MW |
112 | /** Server name the client wants to talk to */ |
113 | TLS_EXT_SERVER_NAME = 0, | |
114 | /** request a maximum fragment size */ | |
115 | TLS_EXT_MAX_FRAGMENT_LENGTH = 1, | |
116 | /** indicate client certificate URL support */ | |
117 | TLS_EXT_CLIENT_CERTIFICATE_URL = 2, | |
118 | /** list of CA the client trusts */ | |
119 | TLS_EXT_TRUSTED_CA_KEYS = 3, | |
120 | /** request MAC truncation to 80-bit */ | |
121 | TLS_EXT_TRUNCATED_HMAC = 4, | |
122 | /** list of OCSP responders the client trusts */ | |
123 | TLS_EXT_STATUS_REQUEST = 5, | |
124 | /** list of supported elliptic curves */ | |
37a59a8f MW |
125 | TLS_EXT_ELLIPTIC_CURVES = 10, |
126 | /** supported point formats */ | |
127 | TLS_EXT_EC_POINT_FORMATS = 11, | |
6cf85b35 | 128 | /** list supported signature algorithms */ |
731611c5 | 129 | TLS_EXT_SIGNATURE_ALGORITHMS = 13, |
a9ee43e9 AS |
130 | /** cryptographic binding for RFC 5746 renegotiation indication */ |
131 | TLS_EXT_RENEGOTIATION_INFO = 65281, | |
731611c5 MW |
132 | }; |
133 | ||
1c21f47a MW |
134 | enum tls_name_type_t { |
135 | TLS_NAME_TYPE_HOST_NAME = 0, | |
136 | }; | |
137 | ||
731611c5 MW |
138 | /** |
139 | * Enum names for tls_extension_t | |
140 | */ | |
141 | extern enum_name_t *tls_extension_names; | |
142 | ||
dcbbeb2d MW |
143 | /** |
144 | * A bottom-up driven TLS stack, suitable for EAP implementations. | |
145 | */ | |
146 | struct tls_t { | |
147 | ||
148 | /** | |
14758000 | 149 | * Process one or more TLS records, pass it to upper layers. |
dcbbeb2d | 150 | * |
ecd98efa MW |
151 | * @param buf TLS record data, including headers |
152 | * @param buflen number of bytes in buf to process | |
dcbbeb2d MW |
153 | * @return |
154 | * - SUCCESS if TLS negotiation complete | |
155 | * - FAILED if TLS handshake failed | |
156 | * - NEED_MORE if more invocations to process/build needed | |
157 | */ | |
ecd98efa | 158 | status_t (*process)(tls_t *this, void *buf, size_t buflen); |
dcbbeb2d MW |
159 | |
160 | /** | |
ecd98efa | 161 | * Query upper layer for one or more TLS records, build fragments. |
dcbbeb2d | 162 | * |
ecd98efa MW |
163 | * The TLS stack automatically fragments the records to the given buffer |
164 | * size. Fragmentation is indicated by the reclen ouput parameter and | |
165 | * the return value. For the first fragment of a TLS record, a non-zero | |
166 | * record length is returned in reclen. If more fragments follow, NEED_MORE | |
167 | * is returned. A return value of ALREADY_DONE indicates that the final | |
168 | * fragment has been returned. | |
169 | * | |
170 | * @param buf buffer to write TLS record fragments to | |
171 | * @param buflen size of buffer, receives bytes written | |
172 | * @param msglen receives size of all TLS fragments | |
dcbbeb2d MW |
173 | * @return |
174 | * - SUCCESS if TLS negotiation complete | |
175 | * - FAILED if TLS handshake failed | |
ecd98efa MW |
176 | * - INVALID_STATE if more input data required |
177 | * - NEED_MORE if more fragments available | |
178 | * - ALREADY_DONE if the last available fragment returned | |
dcbbeb2d | 179 | */ |
ecd98efa | 180 | status_t (*build)(tls_t *this, void *buf, size_t *buflen, size_t *msglen); |
dcbbeb2d | 181 | |
84543e6e MW |
182 | /** |
183 | * Check if TLS stack is acting as a server. | |
184 | * | |
185 | * @return TRUE if server, FALSE if peer | |
186 | */ | |
187 | bool (*is_server)(tls_t *this); | |
188 | ||
3e962b08 MW |
189 | /** |
190 | * Get the negotiated TLS/SSL version. | |
191 | * | |
192 | * @return negotiated TLS version | |
193 | */ | |
194 | tls_version_t (*get_version)(tls_t *this); | |
195 | ||
196 | /** | |
197 | * Set the negotiated TLS/SSL version. | |
198 | * | |
199 | * @param version negotiated TLS version | |
f154e304 | 200 | * @return TRUE if version acceptable |
3e962b08 | 201 | */ |
f154e304 | 202 | bool (*set_version)(tls_t *this, tls_version_t version); |
3e962b08 | 203 | |
96b2fbcc MW |
204 | /** |
205 | * Get the purpose of this TLS stack instance. | |
206 | * | |
207 | * @return purpose given during construction | |
208 | */ | |
209 | tls_purpose_t (*get_purpose)(tls_t *this); | |
210 | ||
400df4ca MW |
211 | /** |
212 | * Check if TLS negotiation completed successfully. | |
213 | * | |
84545f6e | 214 | * @return TRUE if TLS negotiation and authentication complete |
400df4ca MW |
215 | */ |
216 | bool (*is_complete)(tls_t *this); | |
217 | ||
51313a39 MW |
218 | /** |
219 | * Get the MSK for EAP-TLS. | |
220 | * | |
221 | * @return MSK, internal data | |
222 | */ | |
223 | chunk_t (*get_eap_msk)(tls_t *this); | |
224 | ||
dcbbeb2d MW |
225 | /** |
226 | * Destroy a tls_t. | |
227 | */ | |
228 | void (*destroy)(tls_t *this); | |
229 | }; | |
230 | ||
e7cb8f9b AS |
231 | /** |
232 | * Dummy libtls initialization function needed for integrity test | |
233 | */ | |
234 | void libtls_init(void); | |
235 | ||
dcbbeb2d MW |
236 | /** |
237 | * Create a tls instance. | |
238 | * | |
b51ac45c AS |
239 | * @param is_server TRUE to act as server, FALSE for client |
240 | * @param server server identity | |
69e8bb2e | 241 | * @param peer peer identity, NULL for no client authentication |
0433b417 | 242 | * @param purpose purpose this TLS stack instance is used for |
b51ac45c | 243 | * @param application higher layer application or NULL if none |
6a5c86b7 | 244 | * @param cache session cache to use, or NULL |
b51ac45c | 245 | * @return TLS stack |
dcbbeb2d | 246 | */ |
3ddd164e | 247 | tls_t *tls_create(bool is_server, identification_t *server, |
96b2fbcc | 248 | identification_t *peer, tls_purpose_t purpose, |
6a5c86b7 | 249 | tls_application_t *application, tls_cache_t *cache); |
dcbbeb2d | 250 | |
f7f63c52 | 251 | #endif /** TLS_H_ @}*/ |