2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * @defgroup tls_crypto tls_crypto
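/*
 * Forward type names for the TLS crypto helper and its identifier enums.
 * The listing's line numbers, which had been fused into each declaration,
 * are removed so the declarations parse again.
 */
typedef struct tls_crypto_t tls_crypto_t;
typedef enum tls_cipher_suite_t tls_cipher_suite_t;
typedef enum tls_hash_algorithm_t tls_hash_algorithm_t;
typedef enum tls_signature_algorithm_t tls_signature_algorithm_t;
typedef enum tls_client_certificate_type_t tls_client_certificate_type_t;
typedef enum tls_ecc_curve_type_t tls_ecc_curve_type_t;
typedef enum tls_named_curve_t tls_named_curve_t;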
34 #include "tls_protection.h"
38 #include <credentials/keys/private_key.h>
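/**
 * TLS cipher suite identifiers.
 *
 * Each enumerator carries the 16-bit value that identifies the suite on the
 * wire. This is a catalogue of identifiers, not a statement of what is safe
 * or enabled: it names suites without encryption (*_WITH_NULL_*),
 * export-grade suites limited to 40-bit keys (*_EXPORT_*), suites with
 * unauthenticated key exchange (*_anon_*), and RC4 and single-DES suites.
 * Which suites are actually offered or accepted is decided by the code behind
 * tls_crypto_t (get_cipher_suites/select_cipher_suite), which this header
 * does not show; audit that list rather than this enum.
 */
enum tls_cipher_suite_t {
	/* 0x0000 doubles as the "none acceptable" result of select_cipher_suite */
	TLS_NULL_WITH_NULL_NULL = 0x0000,
	TLS_RSA_WITH_NULL_MD5 = 0x0001,
	TLS_RSA_WITH_NULL_SHA = 0x0002,
	TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
	TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
	TLS_RSA_WITH_RC4_128_SHA = 0x0005,
	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
	TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
	TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
	TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
	TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
	TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
	TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
	TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
	TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
	TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
	TLS_DH_anon_WITH_DES_CBC_SHA = 0x001A,
	TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B,

	TLS_KRB5_WITH_DES_CBC_SHA = 0x001E,
	TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F,
	TLS_KRB5_WITH_RC4_128_SHA = 0x0020,
	TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021,
	TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022,
	TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023,
	TLS_KRB5_WITH_RC4_128_MD5 = 0x0024,
	TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025,
	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026,
	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027,
	TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028,
	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029,
	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A,
	TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B,
	TLS_PSK_WITH_NULL_SHA = 0x002C,
	TLS_DHE_PSK_WITH_NULL_SHA = 0x002D,
	TLS_RSA_PSK_WITH_NULL_SHA = 0x002E,
	TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
	TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
	TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
	TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
	TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034,
	TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
	TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
	TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
	TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
	TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A,
	TLS_RSA_WITH_NULL_SHA256 = 0x003B,
	TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
	TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041,
	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042,
	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046,

	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
	TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C,
	TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D,

	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
	TLS_PSK_WITH_RC4_128_SHA = 0x008A,
	TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
	TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
	TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
	TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
	TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
	TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
	TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
	TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
	TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
	TLS_RSA_WITH_SEED_CBC_SHA = 0x0096,
	TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097,
	TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
	TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
	TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
	TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B,
	TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
	TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
	TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
	TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
	TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
	TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
	TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6,
	TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7,
	TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
	TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
	TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
	TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
	TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
	TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
	TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
	TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
	TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
	TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA,
	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB,
	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,

	/* signalling value for secure renegotiation (RFC 5746), not a real suite */
	TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF,

	TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
	TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
	TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
	TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
	TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
	TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
	TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
	TLS_ECDH_anon_WITH_NULL_SHA = 0xC015,
	TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016,
	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017,
	TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018,
	TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019,
	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C,
	TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D,
	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E,
	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F,
	TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020,
	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021,
	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
	TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033,
	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034,
	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035,
	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036,
	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037,
	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038,
	TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
	TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
	TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B
};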
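/**
 * Enum names for tls_cipher_suite_t
 */
extern enum_name_t *tls_cipher_suite_names;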
259 * TLS HashAlgorithm identifiers
261 enum tls_hash_algorithm_t
{
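/**
 * Enum names for tls_hash_algorithm_t
 */
extern enum_name_t *tls_hash_algorithm_names;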
277 * TLS SignatureAlgorithm identifiers
279 enum tls_signature_algorithm_t
{
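/**
 * Enum names for tls_signature_algorithm_t
 */
extern enum_name_t *tls_signature_algorithm_names;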
291 * TLS ClientCertificateType
293 enum tls_client_certificate_type_t
{
296 TLS_RSA_FIXED_DH
= 3,
297 TLS_DSS_FIXED_DH
= 4,
298 TLS_RSA_EPHEMERAL_DH
= 5,
299 TLS_DSS_EPHEMERAL_DH
= 6,
300 TLS_FORTEZZA_DMS
= 20,
302 TLS_RSA_FIXED_ECDH
= 65,
303 TLS_ECDSA_FIXED_ECDH
= 66,
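/**
 * Enum names for tls_client_certificate_type_t
 */
extern enum_name_t *tls_client_certificate_type_names;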
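/**
 * TLS elliptic curve type, as carried in the EC parameters of a key exchange.
 *
 * With the two explicit types the peer supplies raw domain parameters, which
 * then have to be validated before use; TLS_ECC_NAMED_CURVE refers to a curve
 * from tls_named_curve_t instead. RFC 8422 deprecates the explicit types, so
 * code consuming this value should reject anything it does not explicitly
 * support rather than default to accepting it.
 */
enum tls_ecc_curve_type_t {
	/** explicit parameters over a prime field */
	TLS_ECC_EXPLICIT_PRIME = 1,
	/** explicit parameters over a characteristic-2 field */
	TLS_ECC_EXPLICIT_CHAR2 = 2,
	/** curve referenced by its named-curve identifier */
	TLS_ECC_NAMED_CURVE = 3,
};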
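/**
 * Enum names for tls_ecc_curve_type_t
 */
extern enum_name_t *tls_ecc_curve_type_names;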
326 * TLS Named Curve identifiers
328 enum tls_named_curve_t
{
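/**
 * Enum names for tls_named_curve_t
 */
extern enum_name_t *tls_named_curve_names;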
362 * EC Point format, ANSI X9.62.
364 enum tls_ansi_point_format_t
{
365 TLS_ANSI_COMPRESSED
= 2,
366 TLS_ANSI_COMPRESSED_Y
= 3,
367 TLS_ANSI_UNCOMPRESSED
= 4,
369 TLS_ANSI_HYBRID_Y
= 7,
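/**
 * Enum names for tls_ansi_point_format_t.
 */
extern enum_name_t *tls_ansi_point_format_names;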
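/**
 * TLS crypto helper functions.
 *
 * Interface of function pointers; every method takes the object itself as
 * its first argument. Several methods hand out or consume key material and
 * peer-supplied data, so the per-method notes state what a caller has to
 * check.
 */
struct tls_crypto_t {

	/**
	 * Get a list of supported TLS cipher suites.
	 *
	 * @param suites		list of suites, points to internal data; the array
	 *						stays owned by this object, do not free it
	 * @return				number of suites returned
	 */
	int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites);

	/**
	 * Select and store a cipher suite from a given list of candidates.
	 *
	 * The failure value 0 is numerically identical to
	 * TLS_NULL_WITH_NULL_NULL (0x0000), so callers must treat a return of 0
	 * as "no suite" and abort, never as a negotiated suite.
	 *
	 * NOTE(review): the listing drops the line holding the final parameter;
	 * it is restored here as `key_type_t key` from the @param text below.
	 * Confirm against the upstream header.
	 *
	 * @param suites		list of candidates to select from
	 * @param count			number of suites
	 * @param key			key type used, or KEY_ANY
	 * @return				selected suite, 0 if none acceptable
	 */
	tls_cipher_suite_t (*select_cipher_suite)(tls_crypto_t *this,
										tls_cipher_suite_t *suites, int count,
										key_type_t key);

	/**
	 * Get the Diffie-Hellman group to use, if any.
	 *
	 * @return				Diffie-Hellman group, or MODP_NONE
	 */
	diffie_hellman_group_t (*get_dh_group)(tls_crypto_t *this);

	/**
	 * Write the list of supported hash/sig algorithms to writer.
	 *
	 * @param writer		writer to write supported hash/sig algorithms
	 */
	void (*get_signature_algorithms)(tls_crypto_t *this, tls_writer_t *writer);

	/**
	 * Create an enumerator over supported ECDH groups.
	 *
	 * Enumerates over (diffie_hellman_group_t, tls_named_curve_t)
	 *
	 * @return				enumerator over the supported groups
	 */
	enumerator_t* (*create_ec_enumerator)(tls_crypto_t *this);

	/**
	 * Set the protection layer of the TLS stack to control it.
	 *
	 * @param protection	protection layer to work on
	 */
	void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection);

	/**
	 * Store exchanged handshake data, used for cryptographic operations.
	 *
	 * @param type			handshake sub type
	 * @param data			data to append to handshake buffer
	 */
	void (*append_handshake)(tls_crypto_t *this,
							 tls_handshake_type_t type, chunk_t data);

	/**
	 * Sign a blob of data, append signature to writer.
	 *
	 * @param key			private key to use for signature
	 * @param writer		TLS writer to write signature to
	 * @param data			data to sign
	 * @param hashsig		list of TLS1.2 hash/sig algorithms to select from
	 * @return				TRUE if signature created successfully
	 */
	bool (*sign)(tls_crypto_t *this, private_key_t *key,
				 tls_writer_t *writer, chunk_t data, chunk_t hashsig);

	/**
	 * Verify a blob of data, read signature from a reader.
	 *
	 * The result is the only indication of failure: a caller that ignores a
	 * FALSE return continues with unauthenticated data.
	 *
	 * @param key			public key to verify signature with
	 * @param reader		TLS reader to read signature from
	 * @param data			data to verify signature
	 * @return				TRUE if signature valid
	 */
	bool (*verify)(tls_crypto_t *this, public_key_t *key,
				   tls_reader_t *reader, chunk_t data);

	/**
	 * Create a signature of the handshake data using a given private key.
	 *
	 * @param key			private key to use for signature
	 * @param writer		TLS writer to write signature to
	 * @param hashsig		list of TLS1.2 hash/sig algorithms to select from
	 * @return				TRUE if signature created successfully
	 */
	bool (*sign_handshake)(tls_crypto_t *this, private_key_t *key,
						   tls_writer_t *writer, chunk_t hashsig);

	/**
	 * Verify the signature over handshake data using a given public key.
	 *
	 * As with verify(), a FALSE return must end the handshake.
	 *
	 * @param key			public key to verify signature with
	 * @param reader		TLS reader to read signature from
	 * @return				TRUE if signature valid
	 */
	bool (*verify_handshake)(tls_crypto_t *this, public_key_t *key,
							 tls_reader_t *reader);

	/**
	 * Calculate the data of a TLS finished message.
	 *
	 * The [12] in the prototype documents the expected size only; an array
	 * parameter decays to a pointer, so the compiler does not enforce it and
	 * the caller must supply at least 12 writable bytes. When the result is
	 * compared with the peer's Finished message, use a comparison that does
	 * not exit at the first differing byte.
	 *
	 * @param label			ASCII label to use for calculation
	 * @param out			buffer to write finished data to
	 * @return				TRUE if calculation successful
	 */
	bool (*calculate_finished)(tls_crypto_t *this, char *label, char out[12]);

	/**
	 * Derive the master secret, MAC and encryption keys.
	 *
	 * NOTE(review): premaster is key material passed by value as a chunk_t;
	 * this header does not say whether the callee wipes it, so callers
	 * should clear their own copy once the call returns.
	 *
	 * @param premaster		premaster secret
	 * @param client_random	random data from client hello
	 * @param server_random	random data from server hello
	 */
	void (*derive_secrets)(tls_crypto_t *this, chunk_t premaster,
						   chunk_t client_random, chunk_t server_random);

	/**
	 * Change the cipher used at protection layer.
	 *
	 * @param inbound		TRUE to change inbound cipher, FALSE for outbound
	 */
	void (*change_cipher)(tls_crypto_t *this, bool inbound);

	/**
	 * Derive the EAP-TLS MSK.
	 *
	 * @param client_random	random data from client hello
	 * @param server_random	random data from server hello
	 */
	void (*derive_eap_msk)(tls_crypto_t *this,
						   chunk_t client_random, chunk_t server_random);

	/**
	 * Get the MSK to use in EAP-TLS.
	 *
	 * The returned chunk is key material that stays owned by this object:
	 * do not free it, and copy it if it is needed independently of this
	 * object (presumably it is invalid after destroy(); confirm in the
	 * implementation).
	 *
	 * @return				MSK, points to internal data
	 */
	chunk_t (*get_eap_msk)(tls_crypto_t *this);

	/**
	 * Destroy a tls_crypto_t.
	 */
	void (*destroy)(tls_crypto_t *this);
};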
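/**
 * Create a tls_crypto instance.
 *
 * @param tls			tls_t object handed to the new instance
 * @return				tls_crypto_t instance, released through its destroy()
 *						method
 */
tls_crypto_t *tls_crypto_create(tls_t *tls);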
538 #endif /** TLS_CRYPTO_H_ @}*/