/* * Copyright (c) 2016 Thomas Pornin * * Permission is hereby granted, free of charge, to any person obtaining * a copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be * included in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ #ifndef BR_BEARSSL_SSL_H__ #define BR_BEARSSL_SSL_H__ #include #include #include "bearssl_block.h" #include "bearssl_hash.h" #include "bearssl_hmac.h" #include "bearssl_prf.h" #include "bearssl_rand.h" #include "bearssl_x509.h" #ifdef __cplusplus extern "C" { #endif /** \file bearssl_ssl.h * * # SSL * * For an overview of the SSL/TLS API, see [the BearSSL Web * site](https://www.bearssl.org/api1.html). * * The `BR_TLS_*` constants correspond to the standard cipher suites and * their values in the [IANA * registry](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4). * * The `BR_ALERT_*` constants are for standard TLS alert messages. When * a fatal alert message is sent of received, then the SSL engine context * status is set to the sum of that alert value (an integer in the 0..255 * range) and a fixed offset (`BR_ERR_SEND_FATAL_ALERT` for a sent alert, * `BR_ERR_RECV_FATAL_ALERT` for a received alert). */ /** \brief Optimal input buffer size. */ #define BR_SSL_BUFSIZE_INPUT (16384 + 325) /** \brief Optimal output buffer size. */ #define BR_SSL_BUFSIZE_OUTPUT (16384 + 85) /** \brief Optimal buffer size for monodirectional engine (shared input/output buffer). */ #define BR_SSL_BUFSIZE_MONO BR_SSL_BUFSIZE_INPUT /** \brief Optimal buffer size for bidirectional engine (single buffer split into two separate input/output buffers). */ #define BR_SSL_BUFSIZE_BIDI (BR_SSL_BUFSIZE_INPUT + BR_SSL_BUFSIZE_OUTPUT) /* * Constants for known SSL/TLS protocol versions (SSL 3.0, TLS 1.0, TLS 1.1 * and TLS 1.2). Note that though there is a constant for SSL 3.0, that * protocol version is not actually supported. */ /** \brief Protocol version: SSL 3.0 (unsupported). */ #define BR_SSL30 0x0300 /** \brief Protocol version: TLS 1.0. */ #define BR_TLS10 0x0301 /** \brief Protocol version: TLS 1.1. */ #define BR_TLS11 0x0302 /** \brief Protocol version: TLS 1.2. */ #define BR_TLS12 0x0303 /* * Error constants. They are used to report the reason why a context has * been marked as failed. * * Implementation note: SSL-level error codes should be in the 1..31 * range. The 32..63 range is for certificate decoding and validation * errors. Received fatal alerts imply an error code in the 256..511 range. */ /** \brief SSL status: no error so far (0). */ #define BR_ERR_OK 0 /** \brief SSL status: caller-provided parameter is incorrect. */ #define BR_ERR_BAD_PARAM 1 /** \brief SSL status: operation requested by the caller cannot be applied with the current context state (e.g. reading data while outgoing data is waiting to be sent). */ #define BR_ERR_BAD_STATE 2 /** \brief SSL status: incoming protocol or record version is unsupported. */ #define BR_ERR_UNSUPPORTED_VERSION 3 /** \brief SSL status: incoming record version does not match the expected version. */ #define BR_ERR_BAD_VERSION 4 /** \brief SSL status: incoming record length is invalid. */ #define BR_ERR_BAD_LENGTH 5 /** \brief SSL status: incoming record is too large to be processed, or buffer is too small for the handshake message to send. */ #define BR_ERR_TOO_LARGE 6 /** \brief SSL status: decryption found an invalid padding, or the record MAC is not correct. */ #define BR_ERR_BAD_MAC 7 /** \brief SSL status: no initial entropy was provided, and none can be obtained from the OS. */ #define BR_ERR_NO_RANDOM 8 /** \brief SSL status: incoming record type is unknown. */ #define BR_ERR_UNKNOWN_TYPE 9 /** \brief SSL status: incoming record or message has wrong type with regards to the current engine state. */ #define BR_ERR_UNEXPECTED 10 /** \brief SSL status: ChangeCipherSpec message from the peer has invalid contents. */ #define BR_ERR_BAD_CCS 12 /** \brief SSL status: alert message from the peer has invalid contents (odd length). */ #define BR_ERR_BAD_ALERT 13 /** \brief SSL status: incoming handshake message decoding failed. */ #define BR_ERR_BAD_HANDSHAKE 14 /** \brief SSL status: ServerHello contains a session ID which is larger than 32 bytes. */ #define BR_ERR_OVERSIZED_ID 15 /** \brief SSL status: server wants to use a cipher suite that we did not claim to support. This is also reported if we tried to advertise a cipher suite that we do not support. */ #define BR_ERR_BAD_CIPHER_SUITE 16 /** \brief SSL status: server wants to use a compression that we did not claim to support. */ #define BR_ERR_BAD_COMPRESSION 17 /** \brief SSL status: server's max fragment length does not match client's. */ #define BR_ERR_BAD_FRAGLEN 18 /** \brief SSL status: secure renegotiation failed. */ #define BR_ERR_BAD_SECRENEG 19 /** \brief SSL status: server sent an extension type that we did not announce, or used the same extension type several times in a single ServerHello. */ #define BR_ERR_EXTRA_EXTENSION 20 /** \brief SSL status: invalid Server Name Indication contents (when used by the server, this extension shall be empty). */ #define BR_ERR_BAD_SNI 21 /** \brief SSL status: invalid ServerHelloDone from the server (length is not 0). */ #define BR_ERR_BAD_HELLO_DONE 22 /** \brief SSL status: internal limit exceeded (e.g. server's public key is too large). */ #define BR_ERR_LIMIT_EXCEEDED 23 /** \brief SSL status: Finished message from peer does not match the expected value. */ #define BR_ERR_BAD_FINISHED 24 /** \brief SSL status: session resumption attempt with distinct version or cipher suite. */ #define BR_ERR_RESUME_MISMATCH 25 /** \brief SSL status: unsupported or invalid algorithm (ECDHE curve, signature algorithm, hash function). */ #define BR_ERR_INVALID_ALGORITHM 26 /** \brief SSL status: invalid signature (on ServerKeyExchange from server, or in CertificateVerify from client). */ #define BR_ERR_BAD_SIGNATURE 27 /** \brief SSL status: peer's public key does not have the proper type or is not allowed for requested operation. */ #define BR_ERR_WRONG_KEY_USAGE 28 /** \brief SSL status: client did not send a certificate upon request, or the client certificate could not be validated. */ #define BR_ERR_NO_CLIENT_AUTH 29 /** \brief SSL status: I/O error or premature close on underlying transport stream. This error code is set only by the simplified I/O API ("br_sslio_*"). */ #define BR_ERR_IO 31 /** \brief SSL status: base value for a received fatal alert. When a fatal alert is received from the peer, the alert value is added to this constant. */ #define BR_ERR_RECV_FATAL_ALERT 256 /** \brief SSL status: base value for a sent fatal alert. When a fatal alert is sent to the peer, the alert value is added to this constant. */ #define BR_ERR_SEND_FATAL_ALERT 512 /* ===================================================================== */ /** * \brief Decryption engine for SSL. * * When processing incoming records, the SSL engine will use a decryption * engine that uses a specific context structure, and has a set of * methods (a vtable) that follows this template. * * The decryption engine is responsible for applying decryption, verifying * MAC, and keeping track of the record sequence number. */ typedef struct br_sslrec_in_class_ br_sslrec_in_class; struct br_sslrec_in_class_ { /** * \brief Context size (in bytes). */ size_t context_size; /** * \brief Test validity of the incoming record length. * * This function returns 1 if the announced length for an * incoming record is valid, 0 otherwise, * * \param ctx decryption engine context. * \param record_len incoming record length. * \return 1 of a valid length, 0 otherwise. */ int (*check_length)(const br_sslrec_in_class *const *ctx, size_t record_len); /** * \brief Decrypt the incoming record. * * This function may assume that the record length is valid * (it has been previously tested with `check_length()`). * Decryption is done in place; `*len` is updated with the * cleartext length, and the address of the first plaintext * byte is returned. If the record is correct but empty, then * `*len` is set to 0 and a non-`NULL` pointer is returned. * * On decryption/MAC error, `NULL` is returned. * * \param ctx decryption engine context. * \param record_type record type (23 for application data, etc). * \param version record version. * \param payload address of encrypted payload. * \param len pointer to payload length (updated). * \return pointer to plaintext, or `NULL` on error. */ unsigned char *(*decrypt)(const br_sslrec_in_class **ctx, int record_type, unsigned version, void *payload, size_t *len); }; /** * \brief Encryption engine for SSL. * * When building outgoing records, the SSL engine will use an encryption * engine that uses a specific context structure, and has a set of * methods (a vtable) that follows this template. * * The encryption engine is responsible for applying encryption and MAC, * and keeping track of the record sequence number. */ typedef struct br_sslrec_out_class_ br_sslrec_out_class; struct br_sslrec_out_class_ { /** * \brief Context size (in bytes). */ size_t context_size; /** * \brief Compute maximum plaintext sizes and offsets. * * When this function is called, the `*start` and `*end` * values contain offsets designating the free area in the * outgoing buffer for plaintext data; that free area is * preceded by a 5-byte space which will receive the record * header. * * The `max_plaintext()` function is responsible for adjusting * both `*start` and `*end` to make room for any record-specific * header, MAC, padding, and possible split. * * \param ctx encryption engine context. * \param start pointer to start of plaintext offset (updated). * \param end pointer to start of plaintext offset (updated). */ void (*max_plaintext)(const br_sslrec_out_class *const *ctx, size_t *start, size_t *end); /** * \brief Perform record encryption. * * This function encrypts the record. The plaintext address and * length are provided. Returned value is the start of the * encrypted record (or sequence of records, if a split was * performed), _including_ the 5-byte header, and `*len` is * adjusted to the total size of the record(s), there again * including the header(s). * * \param ctx decryption engine context. * \param record_type record type (23 for application data, etc). * \param version record version. * \param plaintext address of plaintext. * \param len pointer to plaintext length (updated). * \return pointer to start of built record. */ unsigned char *(*encrypt)(const br_sslrec_out_class **ctx, int record_type, unsigned version, void *plaintext, size_t *len); }; /** * \brief Context for a no-encryption engine. * * The no-encryption engine processes outgoing records during the initial * handshake, before encryption is applied. */ typedef struct { /** \brief No-encryption engine vtable. */ const br_sslrec_out_class *vtable; } br_sslrec_out_clear_context; /** \brief Static, constant vtable for the no-encryption engine. */ extern const br_sslrec_out_class br_sslrec_out_clear_vtable; /* ===================================================================== */ /** * \brief Record decryption engine class, for CBC mode. * * This class type extends the decryption engine class with an * initialisation method that receives the parameters needed * for CBC processing: block cipher implementation, block cipher key, * HMAC parameters (hash function, key, MAC length), and IV. If the * IV is `NULL`, then a per-record IV will be used (TLS 1.1+). */ typedef struct br_sslrec_in_cbc_class_ br_sslrec_in_cbc_class; struct br_sslrec_in_cbc_class_ { /** * \brief Superclass, as first vtable field. */ br_sslrec_in_class inner; /** * \brief Engine initialisation method. * * This method sets the vtable field in the context. * * \param ctx context to initialise. * \param bc_impl block cipher implementation (CBC decryption). * \param bc_key block cipher key. * \param bc_key_len block cipher key length (in bytes). * \param dig_impl hash function for HMAC. * \param mac_key HMAC key. * \param mac_key_len HMAC key length (in bytes). * \param mac_out_len HMAC output length (in bytes). * \param iv initial IV (or `NULL`). */ void (*init)(const br_sslrec_in_cbc_class **ctx, const br_block_cbcdec_class *bc_impl, const void *bc_key, size_t bc_key_len, const br_hash_class *dig_impl, const void *mac_key, size_t mac_key_len, size_t mac_out_len, const void *iv); }; /** * \brief Record encryption engine class, for CBC mode. * * This class type extends the encryption engine class with an * initialisation method that receives the parameters needed * for CBC processing: block cipher implementation, block cipher key, * HMAC parameters (hash function, key, MAC length), and IV. If the * IV is `NULL`, then a per-record IV will be used (TLS 1.1+). */ typedef struct br_sslrec_out_cbc_class_ br_sslrec_out_cbc_class; struct br_sslrec_out_cbc_class_ { /** * \brief Superclass, as first vtable field. */ br_sslrec_out_class inner; /** * \brief Engine initialisation method. * * This method sets the vtable field in the context. * * \param ctx context to initialise. * \param bc_impl block cipher implementation (CBC encryption). * \param bc_key block cipher key. * \param bc_key_len block cipher key length (in bytes). * \param dig_impl hash function for HMAC. * \param mac_key HMAC key. * \param mac_key_len HMAC key length (in bytes). * \param mac_out_len HMAC output length (in bytes). * \param iv initial IV (or `NULL`). */ void (*init)(const br_sslrec_out_cbc_class **ctx, const br_block_cbcenc_class *bc_impl, const void *bc_key, size_t bc_key_len, const br_hash_class *dig_impl, const void *mac_key, size_t mac_key_len, size_t mac_out_len, const void *iv); }; /** * \brief Context structure for decrypting incoming records with * CBC + HMAC. * * The first field points to the vtable. The other fields are opaque * and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ const br_sslrec_in_cbc_class *vtable; #ifndef BR_DOXYGEN_IGNORE uint64_t seq; union { const br_block_cbcdec_class *vtable; br_aes_gen_cbcdec_keys aes; br_des_gen_cbcdec_keys des; } bc; br_hmac_key_context mac; size_t mac_len; unsigned char iv[16]; int explicit_IV; #endif } br_sslrec_in_cbc_context; /** * \brief Static, constant vtable for record decryption with CBC. */ extern const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable; /** * \brief Context structure for encrypting outgoing records with * CBC + HMAC. * * The first field points to the vtable. The other fields are opaque * and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ const br_sslrec_out_cbc_class *vtable; #ifndef BR_DOXYGEN_IGNORE uint64_t seq; union { const br_block_cbcenc_class *vtable; br_aes_gen_cbcenc_keys aes; br_des_gen_cbcenc_keys des; } bc; br_hmac_key_context mac; size_t mac_len; unsigned char iv[16]; int explicit_IV; #endif } br_sslrec_out_cbc_context; /** * \brief Static, constant vtable for record encryption with CBC. */ extern const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable; /* ===================================================================== */ /** * \brief Record decryption engine class, for GCM mode. * * This class type extends the decryption engine class with an * initialisation method that receives the parameters needed * for GCM processing: block cipher implementation, block cipher key, * GHASH implementation, and 4-byte IV. */ typedef struct br_sslrec_in_gcm_class_ br_sslrec_in_gcm_class; struct br_sslrec_in_gcm_class_ { /** * \brief Superclass, as first vtable field. */ br_sslrec_in_class inner; /** * \brief Engine initialisation method. * * This method sets the vtable field in the context. * * \param ctx context to initialise. * \param bc_impl block cipher implementation (CTR). * \param key block cipher key. * \param key_len block cipher key length (in bytes). * \param gh_impl GHASH implementation. * \param iv static IV (4 bytes). */ void (*init)(const br_sslrec_in_gcm_class **ctx, const br_block_ctr_class *bc_impl, const void *key, size_t key_len, br_ghash gh_impl, const void *iv); }; /** * \brief Record encryption engine class, for GCM mode. * * This class type extends the encryption engine class with an * initialisation method that receives the parameters needed * for GCM processing: block cipher implementation, block cipher key, * GHASH implementation, and 4-byte IV. */ typedef struct br_sslrec_out_gcm_class_ br_sslrec_out_gcm_class; struct br_sslrec_out_gcm_class_ { /** * \brief Superclass, as first vtable field. */ br_sslrec_out_class inner; /** * \brief Engine initialisation method. * * This method sets the vtable field in the context. * * \param ctx context to initialise. * \param bc_impl block cipher implementation (CTR). * \param key block cipher key. * \param key_len block cipher key length (in bytes). * \param gh_impl GHASH implementation. * \param iv static IV (4 bytes). */ void (*init)(const br_sslrec_out_gcm_class **ctx, const br_block_ctr_class *bc_impl, const void *key, size_t key_len, br_ghash gh_impl, const void *iv); }; /** * \brief Context structure for processing records with GCM. * * The same context structure is used for encrypting and decrypting. * * The first field points to the vtable. The other fields are opaque * and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ union { const void *gen; const br_sslrec_in_gcm_class *in; const br_sslrec_out_gcm_class *out; } vtable; #ifndef BR_DOXYGEN_IGNORE uint64_t seq; union { const br_block_ctr_class *vtable; br_aes_gen_ctr_keys aes; } bc; br_ghash gh; unsigned char iv[4]; unsigned char h[16]; #endif } br_sslrec_gcm_context; /** * \brief Static, constant vtable for record decryption with GCM. */ extern const br_sslrec_in_gcm_class br_sslrec_in_gcm_vtable; /** * \brief Static, constant vtable for record encryption with GCM. */ extern const br_sslrec_out_gcm_class br_sslrec_out_gcm_vtable; /* ===================================================================== */ /** * \brief Record decryption engine class, for ChaCha20+Poly1305. * * This class type extends the decryption engine class with an * initialisation method that receives the parameters needed * for ChaCha20+Poly1305 processing: ChaCha20 implementation, * Poly1305 implementation, key, and 12-byte IV. */ typedef struct br_sslrec_in_chapol_class_ br_sslrec_in_chapol_class; struct br_sslrec_in_chapol_class_ { /** * \brief Superclass, as first vtable field. */ br_sslrec_in_class inner; /** * \brief Engine initialisation method. * * This method sets the vtable field in the context. * * \param ctx context to initialise. * \param ichacha ChaCha20 implementation. * \param ipoly Poly1305 implementation. * \param key secret key (32 bytes). * \param iv static IV (12 bytes). */ void (*init)(const br_sslrec_in_chapol_class **ctx, br_chacha20_run ichacha, br_poly1305_run ipoly, const void *key, const void *iv); }; /** * \brief Record encryption engine class, for ChaCha20+Poly1305. * * This class type extends the encryption engine class with an * initialisation method that receives the parameters needed * for ChaCha20+Poly1305 processing: ChaCha20 implementation, * Poly1305 implementation, key, and 12-byte IV. */ typedef struct br_sslrec_out_chapol_class_ br_sslrec_out_chapol_class; struct br_sslrec_out_chapol_class_ { /** * \brief Superclass, as first vtable field. */ br_sslrec_out_class inner; /** * \brief Engine initialisation method. * * This method sets the vtable field in the context. * * \param ctx context to initialise. * \param ichacha ChaCha20 implementation. * \param ipoly Poly1305 implementation. * \param key secret key (32 bytes). * \param iv static IV (12 bytes). */ void (*init)(const br_sslrec_out_chapol_class **ctx, br_chacha20_run ichacha, br_poly1305_run ipoly, const void *key, const void *iv); }; /** * \brief Context structure for processing records with ChaCha20+Poly1305. * * The same context structure is used for encrypting and decrypting. * * The first field points to the vtable. The other fields are opaque * and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ union { const void *gen; const br_sslrec_in_chapol_class *in; const br_sslrec_out_chapol_class *out; } vtable; #ifndef BR_DOXYGEN_IGNORE uint64_t seq; unsigned char key[32]; unsigned char iv[12]; br_chacha20_run ichacha; br_poly1305_run ipoly; #endif } br_sslrec_chapol_context; /** * \brief Static, constant vtable for record decryption with ChaCha20+Poly1305. */ extern const br_sslrec_in_chapol_class br_sslrec_in_chapol_vtable; /** * \brief Static, constant vtable for record encryption with ChaCha20+Poly1305. */ extern const br_sslrec_out_chapol_class br_sslrec_out_chapol_vtable; /* ===================================================================== */ /** * \brief Type for session parameters, to be saved for session resumption. */ typedef struct { /** \brief Session ID buffer. */ unsigned char session_id[32]; /** \brief Session ID length (in bytes, at most 32). */ unsigned char session_id_len; /** \brief Protocol version. */ uint16_t version; /** \brief Cipher suite. */ uint16_t cipher_suite; /** \brief Master secret. */ unsigned char master_secret[48]; } br_ssl_session_parameters; #ifndef BR_DOXYGEN_IGNORE /* * Maximum numnber of cipher suites supported by a client or server. */ #define BR_MAX_CIPHER_SUITES 40 #endif /** * \brief Context structure for SSL engine. * * This strucuture is common to the client and server; both the client * context (`br_ssl_client_context`) and the server context * (`br_ssl_server_context`) include a `br_ssl_engine_context` as their * first field. * * The engine context manages records, including alerts, closures, and * transitions to new encryption/MAC algorithms. Processing of handshake * records is delegated to externally provided code. This structure * should not be used directly. * * Structure contents are opaque and shall not be accessed directly. */ typedef struct { #ifndef BR_DOXYGEN_IGNORE /* * The error code. When non-zero, then the state is "failed" and * no I/O may occur until reset. */ int err; /* * Configured I/O buffers. They are either disjoint, or identical. */ unsigned char *ibuf, *obuf; size_t ibuf_len, obuf_len; /* * Maximum fragment length applies to outgoing records; incoming * records can be processed as long as they fit in the input * buffer. It is guaranteed that incoming records at least as big * as max_frag_len can be processed. */ uint16_t max_frag_len; unsigned char log_max_frag_len; unsigned char peer_log_max_frag_len; /* * Buffering management registers. */ size_t ixa, ixb, ixc; size_t oxa, oxb, oxc; unsigned char iomode; unsigned char incrypt; /* * Shutdown flag: when set to non-zero, incoming record bytes * will not be accepted anymore. This is used after a close_notify * has been received: afterwards, the engine no longer claims that * it could receive bytes from the transport medium. */ unsigned char shutdown_recv; /* * 'record_type_in' is set to the incoming record type when the * record header has been received. * 'record_type_out' is used to make the next outgoing record * header when it is ready to go. */ unsigned char record_type_in, record_type_out; /* * When a record is received, its version is extracted: * -- if 'version_in' is 0, then it is set to the received version; * -- otherwise, if the received version is not identical to * the 'version_in' contents, then a failure is reported. * * This implements the SSL requirement that all records shall * use the negotiated protocol version, once decided (in the * ServerHello). It is up to the handshake handler to adjust this * field when necessary. */ uint16_t version_in; /* * 'version_out' is used when the next outgoing record is ready * to go. */ uint16_t version_out; /* * Record handler contexts. */ union { const br_sslrec_in_class *vtable; br_sslrec_in_cbc_context cbc; br_sslrec_gcm_context gcm; br_sslrec_chapol_context chapol; } in; union { const br_sslrec_out_class *vtable; br_sslrec_out_clear_context clear; br_sslrec_out_cbc_context cbc; br_sslrec_gcm_context gcm; br_sslrec_chapol_context chapol; } out; /* * The "application data" flag. Value: * 0 handshake is in process, no application data acceptable * 1 application data can be sent and received * 2 closing, no application data can be sent, but some * can still be received (and discarded) */ unsigned char application_data; /* * Context RNG. * * rng_init_done is initially 0. It is set to 1 when the * basic structure of the RNG is set, and 2 when some * entropy has been pushed in. The value 2 marks the RNG * as "properly seeded". * * rng_os_rand_done is initially 0. It is set to 1 when * some seeding from the OS or hardware has been attempted. */ br_hmac_drbg_context rng; int rng_init_done; int rng_os_rand_done; /* * Supported minimum and maximum versions, and cipher suites. */ uint16_t version_min; uint16_t version_max; uint16_t suites_buf[BR_MAX_CIPHER_SUITES]; unsigned char suites_num; /* * For clients, the server name to send as a SNI extension. For * servers, the name received in the SNI extension (if any). */ char server_name[256]; /* * "Security parameters". These are filled by the handshake * handler, and used when switching encryption state. */ unsigned char client_random[32]; unsigned char server_random[32]; br_ssl_session_parameters session; /* * ECDHE elements: curve and point from the peer. The server also * uses that buffer for the point to send to the client. */ unsigned char ecdhe_curve; unsigned char ecdhe_point[133]; unsigned char ecdhe_point_len; /* * Secure renegotiation (RFC 5746): 'reneg' can be: * 0 first handshake (server support is not known) * 1 peer does not support secure renegotiation * 2 peer supports secure renegotiation * * The saved_finished buffer contains the client and the * server "Finished" values from the last handshake, in * that order (12 bytes each). */ unsigned char reneg; unsigned char saved_finished[24]; /* * Behavioural flags. */ uint32_t flags; /* * Context variables for the handshake processor. The 'pad' must * be large enough to accommodate an RSA-encrypted pre-master * secret, or an RSA signature; since we want to support up to * RSA-4096, this means at least 512 bytes. (Other pad usages * require its length to be at least 256.) */ struct { uint32_t *dp; uint32_t *rp; const unsigned char *ip; } cpu; uint32_t dp_stack[32]; uint32_t rp_stack[32]; unsigned char pad[512]; unsigned char *hbuf_in, *hbuf_out, *saved_hbuf_out; size_t hlen_in, hlen_out; void (*hsrun)(void *ctx); /* * The 'action' value communicates OOB information between the * engine and the handshake processor. * * From the engine: * 0 invocation triggered by I/O * 1 invocation triggered by explicit close * 2 invocation triggered by explicit renegotiation */ unsigned char action; /* * State for alert messages. Value is either 0, or the value of * the alert level byte (level is either 1 for warning, or 2 for * fatal; we convert all other values to 'fatal'). */ unsigned char alert; /* * Closure flags. This flag is set when a close_notify has been * received from the peer. */ unsigned char close_received; /* * Multi-hasher for the handshake messages. The handshake handler * is responsible for resetting it when appropriate. */ br_multihash_context mhash; /* * Pointer to the X.509 engine. The engine is supposed to be * already initialized. It is used to validate the peer's * certificate. */ const br_x509_class **x509ctx; /* * Certificate chain to send. This is used by both client and * server, when they send their respective Certificate messages. * If chain_len is 0, then chain may be NULL. */ const br_x509_certificate *chain; size_t chain_len; const unsigned char *cert_cur; size_t cert_len; /* * List of supported protocol names (ALPN extension). If unset, * (number of names is 0), then: * - the client sends no ALPN extension; * - the server ignores any incoming ALPN extension. * * Otherwise: * - the client sends an ALPN extension with all the names; * - the server selects the first protocol in its list that * the client also supports, or fails (fatal alert 120) * if the client sends an ALPN extension and there is no * match. * * The 'selected_protocol' field contains 1+n if the matching * name has index n in the list (the value is 0 if no match was * performed, e.g. the peer did not send an ALPN extension). */ const char **protocol_names; uint16_t protocol_names_num; uint16_t selected_protocol; /* * Pointers to implementations; left to NULL for unsupported * functions. For the raw hash functions, implementations are * referenced from the multihasher (mhash field). */ br_tls_prf_impl prf10; br_tls_prf_impl prf_sha256; br_tls_prf_impl prf_sha384; const br_block_cbcenc_class *iaes_cbcenc; const br_block_cbcdec_class *iaes_cbcdec; const br_block_ctr_class *iaes_ctr; const br_block_cbcenc_class *ides_cbcenc; const br_block_cbcdec_class *ides_cbcdec; br_ghash ighash; br_chacha20_run ichacha; br_poly1305_run ipoly; const br_sslrec_in_cbc_class *icbc_in; const br_sslrec_out_cbc_class *icbc_out; const br_sslrec_in_gcm_class *igcm_in; const br_sslrec_out_gcm_class *igcm_out; const br_sslrec_in_chapol_class *ichapol_in; const br_sslrec_out_chapol_class *ichapol_out; const br_ec_impl *iec; br_rsa_pkcs1_vrfy irsavrfy; br_ecdsa_vrfy iecdsa; #endif } br_ssl_engine_context; /** * \brief Get currently defined engine behavioural flags. * * \param cc SSL engine context. * \return the flags. */ static inline uint32_t br_ssl_engine_get_flags(br_ssl_engine_context *cc) { return cc->flags; } /** * \brief Set all engine behavioural flags. * * \param cc SSL engine context. * \param flags new value for all flags. */ static inline void br_ssl_engine_set_all_flags(br_ssl_engine_context *cc, uint32_t flags) { cc->flags = flags; } /** * \brief Set some engine behavioural flags. * * The flags set in the `flags` parameter are set in the context; other * flags are untouched. * * \param cc SSL engine context. * \param flags additional set flags. */ static inline void br_ssl_engine_add_flags(br_ssl_engine_context *cc, uint32_t flags) { cc->flags |= flags; } /** * \brief Clear some engine behavioural flags. * * The flags set in the `flags` parameter are cleared from the context; other * flags are untouched. * * \param cc SSL engine context. * \param flags flags to remove. */ static inline void br_ssl_engine_remove_flags(br_ssl_engine_context *cc, uint32_t flags) { cc->flags &= ~flags; } /** * \brief Behavioural flag: enforce server preferences. * * If this flag is set, then the server will enforce its own cipher suite * preference order; otherwise, it follows the client preferences. */ #define BR_OPT_ENFORCE_SERVER_PREFERENCES ((uint32_t)1 << 0) /** * \brief Behavioural flag: disable renegotiation. * * If this flag is set, then renegotiations are rejected unconditionally: * they won't be honoured if asked for programmatically, and requests from * the peer are rejected. */ #define BR_OPT_NO_RENEGOTIATION ((uint32_t)1 << 1) /** * \brief Behavioural flag: tolerate lack of client authentication. * * If this flag is set in a server and the server requests a client * certificate, but the authentication fails (the client does not send * a certificate, or the client's certificate chain cannot be validated), * then the connection keeps on. Without this flag, a failed client * authentication terminates the connection. * * Notes: * * - If the client's certificate can be validated and its public key is * supported, then a wrong signature value terminates the connection * regardless of that flag. * * - If using full-static ECDH, then a failure to validate the client's * certificate prevents the handshake from succeeding. */ #define BR_OPT_TOLERATE_NO_CLIENT_AUTH ((uint32_t)1 << 2) /** * \brief Behavioural flag: fail on application protocol mismatch. * * The ALPN extension ([RFC 7301](https://tools.ietf.org/html/rfc7301)) * allows the client to send a list of application protocol names, and * the server to select one. A mismatch is one of the following occurrences: * * - On the client: the client sends a list of names, the server * responds with a protocol name which is _not_ part of the list of * names sent by the client. * * - On the server: the client sends a list of names, and the server * is also configured with a list of names, but there is no common * protocol name between the two lists. * * Normal behaviour in case of mismatch is to report no matching name * (`br_ssl_engine_get_selected_protocol()` returns `NULL`) and carry on. * If the flag is set, then a mismatch implies a protocol failure (if * the mismatch is detected by the server, it will send a fatal alert). * * Note: even with this flag, `br_ssl_engine_get_selected_protocol()` * may still return `NULL` if the client or the server does not send an * ALPN extension at all. */ #define BR_OPT_FAIL_ON_ALPN_MISMATCH ((uint32_t)1 << 3) /** * \brief Set the minimum and maximum supported protocol versions. * * The two provided versions MUST be supported by the implementation * (i.e. TLS 1.0, 1.1 and 1.2), and `version_max` MUST NOT be lower * than `version_min`. * * \param cc SSL engine context. * \param version_min minimum supported TLS version. * \param version_max maximum supported TLS version. */ static inline void br_ssl_engine_set_versions(br_ssl_engine_context *cc, unsigned version_min, unsigned version_max) { cc->version_min = version_min; cc->version_max = version_max; } /** * \brief Set the list of cipher suites advertised by this context. * * The provided array is copied into the context. It is the caller * responsibility to ensure that all provided suites will be supported * by the context. The engine context has enough room to receive _all_ * suites supported by the implementation. The provided array MUST NOT * contain duplicates. * * If the engine is for a client, the "signaling" pseudo-cipher suite * `TLS_FALLBACK_SCSV` can be added at the end of the list, if the * calling application is performing a voluntary downgrade (voluntary * downgrades are not recommended, but if such a downgrade is done, then * adding the fallback pseudo-suite is a good idea). * * \param cc SSL engine context. * \param suites cipher suites. * \param suites_num number of cipher suites. */ void br_ssl_engine_set_suites(br_ssl_engine_context *cc, const uint16_t *suites, size_t suites_num); /** * \brief Set the X.509 engine. * * The caller shall ensure that the X.509 engine is properly initialised. * * \param cc SSL engine context. * \param x509ctx X.509 certificate validation context. */ static inline void br_ssl_engine_set_x509(br_ssl_engine_context *cc, const br_x509_class **x509ctx) { cc->x509ctx = x509ctx; } /** * \brief Set the supported protocol names. * * Protocol names are part of the ALPN extension ([RFC * 7301](https://tools.ietf.org/html/rfc7301)). Each protocol name is a * character string, containing no more than 255 characters (256 with the * terminating zero). When names are set, then: * * - The client will send an ALPN extension, containing the names. If * the server responds with an ALPN extension, the client will verify * that the response contains one of its name, and report that name * through `br_ssl_engine_get_selected_protocol()`. * * - The server will parse incoming ALPN extension (from clients), and * try to find a common protocol; if none is found, the connection * is aborted with a fatal alert. On match, a response ALPN extension * is sent, and name is reported through * `br_ssl_engine_get_selected_protocol()`. * * The provided array is linked in, and must remain valid while the * connection is live. * * Names MUST NOT be empty. Names MUST NOT be longer than 255 characters * (excluding the terminating 0). * * \param ctx SSL engine context. * \param names list of protocol names (zero-terminated). * \param num number of protocol names (MUST be 1 or more). */ static inline void br_ssl_engine_set_protocol_names(br_ssl_engine_context *ctx, const char **names, size_t num) { ctx->protocol_names = names; ctx->protocol_names_num = num; } /** * \brief Get the selected protocol. * * If this context was initialised with a non-empty list of protocol * names, and both client and server sent ALPN extensions during the * handshake, and a common name was found, then that name is returned. * Otherwise, `NULL` is returned. * * The returned pointer is one of the pointers provided to the context * with `br_ssl_engine_set_protocol_names()`. * * \return the selected protocol, or `NULL`. */ static inline const char * br_ssl_engine_get_selected_protocol(br_ssl_engine_context *ctx) { unsigned k; k = ctx->selected_protocol; return (k == 0 || k == 0xFFFF) ? NULL : ctx->protocol_names[k - 1]; } /** * \brief Set a hash function implementation (by ID). * * Hash functions set with this call will be used for SSL/TLS specific * usages, not X.509 certificate validation. Only "standard" hash functions * may be set (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). If `impl` * is `NULL`, then the hash function support is removed, not added. * * \param ctx SSL engine context. * \param id hash function identifier. * \param impl hash function implementation (or `NULL`). */ static inline void br_ssl_engine_set_hash(br_ssl_engine_context *ctx, int id, const br_hash_class *impl) { br_multihash_setimpl(&ctx->mhash, id, impl); } /** * \brief Get a hash function implementation (by ID). * * This function retrieves a hash function implementation which was * set with `br_ssl_engine_set_hash()`. * * \param ctx SSL engine context. * \param id hash function identifier. * \return the hash function implementation (or `NULL`). */ static inline const br_hash_class * br_ssl_engine_get_hash(br_ssl_engine_context *ctx, int id) { return br_multihash_getimpl(&ctx->mhash, id); } /** * \brief Set the PRF implementation (for TLS 1.0 and 1.1). * * This function sets (or removes, if `impl` is `NULL`) the implemenation * for the PRF used in TLS 1.0 and 1.1. * * \param cc SSL engine context. * \param impl PRF implementation (or `NULL`). */ static inline void br_ssl_engine_set_prf10(br_ssl_engine_context *cc, br_tls_prf_impl impl) { cc->prf10 = impl; } /** * \brief Set the PRF implementation with SHA-256 (for TLS 1.2). * * This function sets (or removes, if `impl` is `NULL`) the implemenation * for the SHA-256 variant of the PRF used in TLS 1.2. * * \param cc SSL engine context. * \param impl PRF implementation (or `NULL`). */ static inline void br_ssl_engine_set_prf_sha256(br_ssl_engine_context *cc, br_tls_prf_impl impl) { cc->prf_sha256 = impl; } /** * \brief Set the PRF implementation with SHA-384 (for TLS 1.2). * * This function sets (or removes, if `impl` is `NULL`) the implemenation * for the SHA-384 variant of the PRF used in TLS 1.2. * * \param cc SSL engine context. * \param impl PRF implementation (or `NULL`). */ static inline void br_ssl_engine_set_prf_sha384(br_ssl_engine_context *cc, br_tls_prf_impl impl) { cc->prf_sha384 = impl; } /** * \brief Set the AES/CBC implementations. * * \param cc SSL engine context. * \param impl_enc AES/CBC encryption implementation (or `NULL`). * \param impl_dec AES/CBC decryption implementation (or `NULL`). */ static inline void br_ssl_engine_set_aes_cbc(br_ssl_engine_context *cc, const br_block_cbcenc_class *impl_enc, const br_block_cbcdec_class *impl_dec) { cc->iaes_cbcenc = impl_enc; cc->iaes_cbcdec = impl_dec; } /** * \brief Set the "default" AES/CBC implementations. * * This function configures in the engine the AES implementations that * should provide best runtime performance on the local system, while * still being safe (in particular, constant-time). It also sets the * handlers for CBC records. * * \param cc SSL engine context. */ void br_ssl_engine_set_default_aes_cbc(br_ssl_engine_context *cc); /** * \brief Set the AES/CTR implementation. * * \param cc SSL engine context. * \param impl AES/CTR encryption/decryption implementation (or `NULL`). */ static inline void br_ssl_engine_set_aes_ctr(br_ssl_engine_context *cc, const br_block_ctr_class *impl) { cc->iaes_ctr = impl; } /** * \brief Set the "default" implementations for AES/GCM (AES/CTR + GHASH). * * This function configures in the engine the AES/CTR and GHASH * implementation that should provide best runtime performance on the local * system, while still being safe (in particular, constant-time). It also * sets the handlers for GCM records. * * \param cc SSL engine context. */ void br_ssl_engine_set_default_aes_gcm(br_ssl_engine_context *cc); /** * \brief Set the DES/CBC implementations. * * \param cc SSL engine context. * \param impl_enc DES/CBC encryption implementation (or `NULL`). * \param impl_dec DES/CBC decryption implementation (or `NULL`). */ static inline void br_ssl_engine_set_des_cbc(br_ssl_engine_context *cc, const br_block_cbcenc_class *impl_enc, const br_block_cbcdec_class *impl_dec) { cc->ides_cbcenc = impl_enc; cc->ides_cbcdec = impl_dec; } /** * \brief Set the "default" DES/CBC implementations. * * This function configures in the engine the DES implementations that * should provide best runtime performance on the local system, while * still being safe (in particular, constant-time). It also sets the * handlers for CBC records. * * \param cc SSL engine context. */ void br_ssl_engine_set_default_des_cbc(br_ssl_engine_context *cc); /** * \brief Set the GHASH implementation (used in GCM mode). * * \param cc SSL engine context. * \param impl GHASH implementation (or `NULL`). */ static inline void br_ssl_engine_set_ghash(br_ssl_engine_context *cc, br_ghash impl) { cc->ighash = impl; } /** * \brief Set the ChaCha20 implementation. * * \param cc SSL engine context. * \param ichacha ChaCha20 implementation (or `NULL`). */ static inline void br_ssl_engine_set_chacha20(br_ssl_engine_context *cc, br_chacha20_run ichacha) { cc->ichacha = ichacha; } /** * \brief Set the Poly1305 implementation. * * \param cc SSL engine context. * \param ipoly Poly1305 implementation (or `NULL`). */ static inline void br_ssl_engine_set_poly1305(br_ssl_engine_context *cc, br_poly1305_run ipoly) { cc->ipoly = ipoly; } /** * \brief Set the "default" ChaCha20 and Poly1305 implementations. * * This function configures in the engine the ChaCha20 and Poly1305 * implementations that should provide best runtime performance on the * local system, while still being safe (in particular, constant-time). * It also sets the handlers for ChaCha20+Poly1305 records. * * \param cc SSL engine context. */ void br_ssl_engine_set_default_chapol(br_ssl_engine_context *cc); /** * \brief Set the record encryption and decryption engines for CBC + HMAC. * * \param cc SSL engine context. * \param impl_in record CBC decryption implementation (or `NULL`). * \param impl_out record CBC encryption implementation (or `NULL`). */ static inline void br_ssl_engine_set_cbc(br_ssl_engine_context *cc, const br_sslrec_in_cbc_class *impl_in, const br_sslrec_out_cbc_class *impl_out) { cc->icbc_in = impl_in; cc->icbc_out = impl_out; } /** * \brief Set the record encryption and decryption engines for GCM. * * \param cc SSL engine context. * \param impl_in record GCM decryption implementation (or `NULL`). * \param impl_out record GCM encryption implementation (or `NULL`). */ static inline void br_ssl_engine_set_gcm(br_ssl_engine_context *cc, const br_sslrec_in_gcm_class *impl_in, const br_sslrec_out_gcm_class *impl_out) { cc->igcm_in = impl_in; cc->igcm_out = impl_out; } /** * \brief Set the record encryption and decryption engines for * ChaCha20+Poly1305. * * \param cc SSL engine context. * \param impl_in record ChaCha20 decryption implementation (or `NULL`). * \param impl_out record ChaCha20 encryption implementation (or `NULL`). */ static inline void br_ssl_engine_set_chapol(br_ssl_engine_context *cc, const br_sslrec_in_chapol_class *impl_in, const br_sslrec_out_chapol_class *impl_out) { cc->ichapol_in = impl_in; cc->ichapol_out = impl_out; } /** * \brief Set the EC implementation. * * The elliptic curve implementation will be used for ECDH and ECDHE * cipher suites, and for ECDSA support. * * \param cc SSL engine context. * \param iec EC implementation (or `NULL`). */ static inline void br_ssl_engine_set_ec(br_ssl_engine_context *cc, const br_ec_impl *iec) { cc->iec = iec; } /** * \brief Set the "default" EC implementation. * * This function sets the elliptic curve implementation for ECDH and * ECDHE cipher suites, and for ECDSA support. It selects the fastest * implementation on the current system. * * \param cc SSL engine context. */ void br_ssl_engine_set_default_ec(br_ssl_engine_context *cc); /** * \brief Get the EC implementation configured in the provided engine. * * \param cc SSL engine context. * \return the EC implementation. */ static inline const br_ec_impl * br_ssl_engine_get_ec(br_ssl_engine_context *cc) { return cc->iec; } /** * \brief Set the RSA signature verification implementation. * * On the client, this is used to verify the server's signature on its * ServerKeyExchange message (for ECDHE_RSA cipher suites). On the server, * this is used to verify the client's CertificateVerify message (if a * client certificate is requested, and that certificate contains a RSA key). * * \param cc SSL engine context. * \param irsavrfy RSA signature verification implementation. */ static inline void br_ssl_engine_set_rsavrfy(br_ssl_engine_context *cc, br_rsa_pkcs1_vrfy irsavrfy) { cc->irsavrfy = irsavrfy; } /** * \brief Set the "default" RSA implementation (signature verification). * * This function sets the RSA implementation (signature verification) * to the fastest implementation available on the current platform. * * \param cc SSL engine context. */ void br_ssl_engine_set_default_rsavrfy(br_ssl_engine_context *cc); /** * \brief Get the RSA implementation (signature verification) configured * in the provided engine. * * \param cc SSL engine context. * \return the RSA signature verification implementation. */ static inline br_rsa_pkcs1_vrfy br_ssl_engine_get_rsavrfy(br_ssl_engine_context *cc) { return cc->irsavrfy; } /* * \brief Set the ECDSA implementation (signature verification). * * On the client, this is used to verify the server's signature on its * ServerKeyExchange message (for ECDHE_ECDSA cipher suites). On the server, * this is used to verify the client's CertificateVerify message (if a * client certificate is requested, that certificate contains an EC key, * and full-static ECDH is not used). * * The ECDSA implementation will use the EC core implementation configured * in the engine context. * * \param cc client context. * \param iecdsa ECDSA verification implementation. */ static inline void br_ssl_engine_set_ecdsa(br_ssl_engine_context *cc, br_ecdsa_vrfy iecdsa) { cc->iecdsa = iecdsa; } /** * \brief Set the "default" ECDSA implementation (signature verification). * * This function sets the ECDSA implementation (signature verification) * to the fastest implementation available on the current platform. This * call also sets the elliptic curve implementation itself, there again * to the fastest EC implementation available. * * \param cc SSL engine context. */ void br_ssl_engine_set_default_ecdsa(br_ssl_engine_context *cc); /** * \brief Get the ECDSA implementation (signature verification) configured * in the provided engine. * * \param cc SSL engine context. * \return the ECDSA signature verification implementation. */ static inline br_ecdsa_vrfy br_ssl_engine_get_ecdsa(br_ssl_engine_context *cc) { return cc->iecdsa; } /** * \brief Set the I/O buffer for the SSL engine. * * Once this call has been made, `br_ssl_client_reset()` or * `br_ssl_server_reset()` MUST be called before using the context. * * The provided buffer will be used as long as the engine context is * used. The caller is responsible for keeping it available. * * If `bidi` is 0, then the engine will operate in half-duplex mode * (it won't be able to send data while there is unprocessed incoming * data in the buffer, and it won't be able to receive data while there * is unsent data in the buffer). The optimal buffer size in half-duplex * mode is `BR_SSL_BUFSIZE_MONO`; if the buffer is larger, then extra * bytes are ignored. If the buffer is smaller, then this limits the * capacity of the engine to support all allowed record sizes. * * If `bidi` is 1, then the engine will split the buffer into two * parts, for separate handling of outgoing and incoming data. This * enables full-duplex processing, but requires more RAM. The optimal * buffer size in full-duplex mode is `BR_SSL_BUFSIZE_BIDI`; if the * buffer is larger, then extra bytes are ignored. If the buffer is * smaller, then the split will favour the incoming part, so that * interoperability is maximised. * * \param cc SSL engine context * \param iobuf I/O buffer. * \param iobuf_len I/O buffer length (in bytes). * \param bidi non-zero for full-duplex mode. */ void br_ssl_engine_set_buffer(br_ssl_engine_context *cc, void *iobuf, size_t iobuf_len, int bidi); /** * \brief Set the I/O buffers for the SSL engine. * * Once this call has been made, `br_ssl_client_reset()` or * `br_ssl_server_reset()` MUST be called before using the context. * * This function is similar to `br_ssl_engine_set_buffer()`, except * that it enforces full-duplex mode, and the two I/O buffers are * provided as separate chunks. * * The macros `BR_SSL_BUFSIZE_INPUT` and `BR_SSL_BUFSIZE_OUTPUT` * evaluate to the optimal (maximum) sizes for the input and output * buffer, respectively. * * \param cc SSL engine context * \param ibuf input buffer. * \param ibuf_len input buffer length (in bytes). * \param obuf output buffer. * \param obuf_len output buffer length (in bytes). */ void br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *cc, void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len); /** * \brief Inject some "initial entropy" in the context. * * This entropy will be added to what can be obtained from the * underlying operating system, if that OS is supported. * * This function may be called several times; all injected entropy chunks * are cumulatively mixed. * * If entropy gathering from the OS is supported and compiled in, then this * step is optional. Otherwise, it is mandatory to inject randomness, and * the caller MUST take care to push (as one or several successive calls) * enough entropy to achieve cryptographic resistance (at least 80 bits, * preferably 128 or more). The engine will report an error if no entropy * was provided and none can be obtained from the OS. * * Take care that this function cannot assess the cryptographic quality of * the provided bytes. * * In all generality, "entropy" must here be considered to mean "that * which the attacker cannot predict". If your OS/architecture does not * have a suitable source of randomness, then you can make do with the * combination of a large enough secret value (possibly a copy of an * asymmetric private key that you also store on the system) AND a * non-repeating value (e.g. current time, provided that the local clock * cannot be reset or altered by the attacker). * * \param cc SSL engine context. * \param data extra entropy to inject. * \param len length of the extra data (in bytes). */ void br_ssl_engine_inject_entropy(br_ssl_engine_context *cc, const void *data, size_t len); /** * \brief Get the "server name" in this engine. * * For clients, this is the name provided with `br_ssl_client_reset()`; * for servers, this is the name received from the client as part of the * ClientHello message. If there is no such name (e.g. the client did * not send an SNI extension) then the returned string is empty * (returned pointer points to a byte of value 0). * * The returned pointer refers to a buffer inside the context, which may * be overwritten as part of normal SSL activity (even within the same * connection, if a renegotiation occurs). * * \param cc SSL engine context. * \return the server name (possibly empty). */ static inline const char * br_ssl_engine_get_server_name(const br_ssl_engine_context *cc) { return cc->server_name; } /** * \brief Get the protocol version. * * This function returns the protocol version that is used by the * engine. That value is set after sending (for a server) or receiving * (for a client) the ServerHello message. * * \param cc SSL engine context. * \return the protocol version. */ static inline unsigned br_ssl_engine_get_version(const br_ssl_engine_context *cc) { return cc->session.version; } /** * \brief Get a copy of the session parameters. * * The session parameters are filled during the handshake, so this * function shall not be called before completion of the handshake. * The initial handshake is completed when the context first allows * application data to be injected. * * This function copies the current session parameters into the provided * structure. Beware that the session parameters include the master * secret, which is sensitive data, to handle with great care. * * \param cc SSL engine context. * \param pp destination structure for the session parameters. */ static inline void br_ssl_engine_get_session_parameters(const br_ssl_engine_context *cc, br_ssl_session_parameters *pp) { memcpy(pp, &cc->session, sizeof *pp); } /** * \brief Set the session parameters to the provided values. * * This function is meant to be used in the client, before doing a new * handshake; a session resumption will be attempted with these * parameters. In the server, this function has no effect. * * \param cc SSL engine context. * \param pp source structure for the session parameters. */ static inline void br_ssl_engine_set_session_parameters(br_ssl_engine_context *cc, const br_ssl_session_parameters *pp) { memcpy(&cc->session, pp, sizeof *pp); } /** * \brief Get identifier for the curve used for key exchange. * * If the cipher suite uses ECDHE, then this function returns the * identifier for the curve used for transient parameters. This is * defined during the course of the handshake, when the ServerKeyExchange * is sent (on the server) or received (on the client). If the * cipher suite does not use ECDHE (e.g. static ECDH, or RSA key * exchange), then this value is indeterminate. * * @param cc SSL engine context. * @return the ECDHE curve identifier. */ static inline int br_ssl_engine_get_ecdhe_curve(br_ssl_engine_context *cc) { return cc->ecdhe_curve; } /** * \brief Get the current engine state. * * An SSL engine (client or server) has, at any time, a state which is * the combination of zero, one or more of these flags: * * - `BR_SSL_CLOSED` * * Engine is finished, no more I/O (until next reset). * * - `BR_SSL_SENDREC` * * Engine has some bytes to send to the peer. * * - `BR_SSL_RECVREC` * * Engine expects some bytes from the peer. * * - `BR_SSL_SENDAPP` * * Engine may receive application data to send (or flush). * * - `BR_SSL_RECVAPP` * * Engine has obtained some application data from the peer, * that should be read by the caller. * * If no flag at all is set (state value is 0), then the engine is not * fully initialised yet. * * The `BR_SSL_CLOSED` flag is exclusive; when it is set, no other flag * is set. To distinguish between a normal closure and an error, use * `br_ssl_engine_last_error()`. * * Generally speaking, `BR_SSL_SENDREC` and `BR_SSL_SENDAPP` are mutually * exclusive: the input buffer, at any point, either accumulates * plaintext data, or contains an assembled record that is being sent. * Similarly, `BR_SSL_RECVREC` and `BR_SSL_RECVAPP` are mutually exclusive. * This may change in a future library version. * * \param cc SSL engine context. * \return the current engine state. */ unsigned br_ssl_engine_current_state(const br_ssl_engine_context *cc); /** \brief SSL engine state: closed or failed. */ #define BR_SSL_CLOSED 0x0001 /** \brief SSL engine state: record data is ready to be sent to the peer. */ #define BR_SSL_SENDREC 0x0002 /** \brief SSL engine state: engine may receive records from the peer. */ #define BR_SSL_RECVREC 0x0004 /** \brief SSL engine state: engine may accept application data to send. */ #define BR_SSL_SENDAPP 0x0008 /** \brief SSL engine state: engine has received application data. */ #define BR_SSL_RECVAPP 0x0010 /** * \brief Get the engine error indicator. * * The error indicator is `BR_ERR_OK` (0) if no error was encountered * since the last call to `br_ssl_client_reset()` or * `br_ssl_server_reset()`. Other status values are "sticky": they * remain set, and prevent all I/O activity, until cleared. Only the * reset calls clear the error indicator. * * \param cc SSL engine context. * \return 0, or a non-zero error code. */ static inline int br_ssl_engine_last_error(const br_ssl_engine_context *cc) { return cc->err; } /* * There are four I/O operations, each identified by a symbolic name: * * sendapp inject application data in the engine * recvapp retrieving application data from the engine * sendrec sending records on the transport medium * recvrec receiving records from the transport medium * * Terminology works thus: in a layered model where the SSL engine sits * between the application and the network, "send" designates operations * where bytes flow from application to network, and "recv" for the * reverse operation. Application data (the plaintext that is to be * conveyed through SSL) is "app", while encrypted records are "rec". * Note that from the SSL engine point of view, "sendapp" and "recvrec" * designate bytes that enter the engine ("inject" operation), while * "recvapp" and "sendrec" designate bytes that exit the engine * ("extract" operation). * * For the operation 'xxx', two functions are defined: * * br_ssl_engine_xxx_buf * Returns a pointer and length to the buffer to use for that * operation. '*len' is set to the number of bytes that may be read * from the buffer (extract operation) or written to the buffer * (inject operation). If no byte may be exchanged for that operation * at that point, then '*len' is set to zero, and NULL is returned. * The engine state is unmodified by this call. * * br_ssl_engine_xxx_ack * Informs the engine that 'len' bytes have been read from the buffer * (extract operation) or written to the buffer (inject operation). * The 'len' value MUST NOT be zero. The 'len' value MUST NOT exceed * that which was obtained from a preceeding br_ssl_engine_xxx_buf() * call. */ /** * \brief Get buffer for application data to send. * * If the engine is ready to accept application data to send to the * peer, then this call returns a pointer to the buffer where such * data shall be written, and its length is written in `*len`. * Otherwise, `*len` is set to 0 and `NULL` is returned. * * \param cc SSL engine context. * \param len receives the application data output buffer length, or 0. * \return the application data output buffer, or `NULL`. */ unsigned char *br_ssl_engine_sendapp_buf( const br_ssl_engine_context *cc, size_t *len); /** * \brief Inform the engine of some new application data. * * After writing `len` bytes in the buffer returned by * `br_ssl_engine_sendapp_buf()`, the application shall call this * function to trigger any relevant processing. The `len` parameter * MUST NOT be 0, and MUST NOT exceed the value obtained in the * `br_ssl_engine_sendapp_buf()` call. * * \param cc SSL engine context. * \param len number of bytes pushed (not zero). */ void br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len); /** * \brief Get buffer for received application data. * * If the engine has received application data from the peer, hen this * call returns a pointer to the buffer from where such data shall be * read, and its length is written in `*len`. Otherwise, `*len` is set * to 0 and `NULL` is returned. * * \param cc SSL engine context. * \param len receives the application data input buffer length, or 0. * \return the application data input buffer, or `NULL`. */ unsigned char *br_ssl_engine_recvapp_buf( const br_ssl_engine_context *cc, size_t *len); /** * \brief Acknowledge some received application data. * * After reading `len` bytes from the buffer returned by * `br_ssl_engine_recvapp_buf()`, the application shall call this * function to trigger any relevant processing. The `len` parameter * MUST NOT be 0, and MUST NOT exceed the value obtained in the * `br_ssl_engine_recvapp_buf()` call. * * \param cc SSL engine context. * \param len number of bytes read (not zero). */ void br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len); /** * \brief Get buffer for record data to send. * * If the engine has prepared some records to send to the peer, then this * call returns a pointer to the buffer from where such data shall be * read, and its length is written in `*len`. Otherwise, `*len` is set * to 0 and `NULL` is returned. * * \param cc SSL engine context. * \param len receives the record data output buffer length, or 0. * \return the record data output buffer, or `NULL`. */ unsigned char *br_ssl_engine_sendrec_buf( const br_ssl_engine_context *cc, size_t *len); /** * \brief Acknowledge some sent record data. * * After reading `len` bytes from the buffer returned by * `br_ssl_engine_sendrec_buf()`, the application shall call this * function to trigger any relevant processing. The `len` parameter * MUST NOT be 0, and MUST NOT exceed the value obtained in the * `br_ssl_engine_sendrec_buf()` call. * * \param cc SSL engine context. * \param len number of bytes read (not zero). */ void br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len); /** * \brief Get buffer for incoming records. * * If the engine is ready to accept records from the peer, then this * call returns a pointer to the buffer where such data shall be * written, and its length is written in `*len`. Otherwise, `*len` is * set to 0 and `NULL` is returned. * * \param cc SSL engine context. * \param len receives the record data input buffer length, or 0. * \return the record data input buffer, or `NULL`. */ unsigned char *br_ssl_engine_recvrec_buf( const br_ssl_engine_context *cc, size_t *len); /** * \brief Inform the engine of some new record data. * * After writing `len` bytes in the buffer returned by * `br_ssl_engine_recvrec_buf()`, the application shall call this * function to trigger any relevant processing. The `len` parameter * MUST NOT be 0, and MUST NOT exceed the value obtained in the * `br_ssl_engine_recvrec_buf()` call. * * \param cc SSL engine context. * \param len number of bytes pushed (not zero). */ void br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len); /** * \brief Flush buffered application data. * * If some application data has been buffered in the engine, then wrap * it into a record and mark it for sending. If no application data has * been buffered but the engine would be ready to accept some, AND the * `force` parameter is non-zero, then an empty record is assembled and * marked for sending. In all other cases, this function does nothing. * * Empty records are technically legal, but not all existing SSL/TLS * implementations support them. Empty records can be useful as a * transparent "keep-alive" mechanism to maintain some low-level * network activity. * * \param cc SSL engine context. * \param force non-zero to force sending an empty record. */ void br_ssl_engine_flush(br_ssl_engine_context *cc, int force); /** * \brief Initiate a closure. * * If, at that point, the context is open and in ready state, then a * `close_notify` alert is assembled and marked for sending; this * triggers the closure protocol. Otherwise, no such alert is assembled. * * \param cc SSL engine context. */ void br_ssl_engine_close(br_ssl_engine_context *cc); /** * \brief Initiate a renegotiation. * * If the engine is failed or closed, or if the peer is known not to * support secure renegotiation (RFC 5746), or if renegotiations have * been disabled with the `BR_OPT_NO_RENEGOTIATION` flag, or if there * is buffered incoming application data, then this function returns 0 * and nothing else happens. * * Otherwise, this function returns 1, and a renegotiation attempt is * triggered (if a handshake is already ongoing at that point, then * no new handshake is triggered). * * \param cc SSL engine context. * \return 1 on success, 0 on error. */ int br_ssl_engine_renegotiate(br_ssl_engine_context *cc); /** * \brief Export key material from a connected SSL engine (RFC 5705). * * This calls compute a secret key of arbitrary length from the master * secret of a connected SSL engine. If the provided context is not * currently in "application data" state (initial handshake is not * finished, another handshake is ongoing, or the connection failed or * was closed), then this function returns 0. Otherwise, a secret key of * length `len` bytes is computed and written in the buffer pointed to * by `dst`, and 1 is returned. * * The computed key follows the specification described in RFC 5705. * That RFC includes two key computations, with and without a "context * value". If `context` is `NULL`, then the variant without context is * used; otherwise, the `context_len` bytes located at the address * pointed to by `context` are used in the computation. Note that it * is possible to have a "with context" key with a context length of * zero bytes, by setting `context` to a non-`NULL` value but * `context_len` to 0. * * When context bytes are used, the context length MUST NOT exceed * 65535 bytes. * * \param cc SSL engine context. * \param dst destination buffer for exported key. * \param len exported key length (in bytes). * \param label disambiguation label. * \param context context value (or `NULL`). * \param context_len context length (in bytes). * \return 1 on success, 0 on error. */ int br_ssl_key_export(br_ssl_engine_context *cc, void *dst, size_t len, const char *label, const void *context, size_t context_len); /* * Pre-declaration for the SSL client context. */ typedef struct br_ssl_client_context_ br_ssl_client_context; /** * \brief Type for the client certificate, if requested by the server. */ typedef struct { /** * \brief Authentication type. * * This is either `BR_AUTH_RSA` (RSA signature), `BR_AUTH_ECDSA` * (ECDSA signature), or `BR_AUTH_ECDH` (static ECDH key exchange). */ int auth_type; /** * \brief Hash function for computing the CertificateVerify. * * This is the symbolic identifier for the hash function that * will be used to produce the hash of handshake messages, to * be signed into the CertificateVerify. For full static ECDH * (client and server certificates are both EC in the same * curve, and static ECDH is used), this value is set to -1. * * Take care that with TLS 1.0 and 1.1, that value MUST match * the protocol requirements: value must be 0 (MD5+SHA-1) for * a RSA signature, or 2 (SHA-1) for an ECDSA signature. Only * TLS 1.2 allows for other hash functions. */ int hash_id; /** * \brief Certificate chain to send to the server. * * This is an array of `br_x509_certificate` objects, each * normally containing a DER-encoded certificate. The client * code does not try to decode these elements. If there is no * chain to send to the server, then this pointer shall be * set to `NULL`. */ const br_x509_certificate *chain; /** * \brief Certificate chain length (number of certificates). * * If there is no chain to send to the server, then this value * shall be set to 0. */ size_t chain_len; } br_ssl_client_certificate; /* * Note: the constants below for signatures match the TLS constants. */ /** \brief Client authentication type: static ECDH. */ #define BR_AUTH_ECDH 0 /** \brief Client authentication type: RSA signature. */ #define BR_AUTH_RSA 1 /** \brief Client authentication type: ECDSA signature. */ #define BR_AUTH_ECDSA 3 /** * \brief Class type for a certificate handler (client side). * * A certificate handler selects a client certificate chain to send to * the server, upon explicit request from that server. It receives * the list of trust anchor DN from the server, and supported types * of certificates and signatures, and returns the chain to use. It * is also invoked to perform the corresponding private key operation * (a signature, or an ECDH computation). * * The SSL client engine will first push the trust anchor DN with * `start_name_list()`, `start_name()`, `append_name()`, `end_name()` * and `end_name_list()`. Then it will call `choose()`, to select the * actual chain (and signature/hash algorithms). Finally, it will call * either `do_sign()` or `do_keyx()`, depending on the algorithm choices. */ typedef struct br_ssl_client_certificate_class_ br_ssl_client_certificate_class; struct br_ssl_client_certificate_class_ { /** * \brief Context size (in bytes). */ size_t context_size; /** * \brief Begin reception of a list of trust anchor names. This * is called while parsing the incoming CertificateRequest. * * \param pctx certificate handler context. */ void (*start_name_list)(const br_ssl_client_certificate_class **pctx); /** * \brief Begin reception of a new trust anchor name. * * The total encoded name length is provided; it is less than * 65535 bytes. * * \param pctx certificate handler context. * \param len encoded name length (in bytes). */ void (*start_name)(const br_ssl_client_certificate_class **pctx, size_t len); /** * \brief Receive some more bytes for the current trust anchor name. * * The provided reference (`data`) points to a transient buffer * they may be reused as soon as this function returns. The chunk * length (`len`) is never zero. * * \param pctx certificate handler context. * \param data anchor name chunk. * \param len anchor name chunk length (in bytes). */ void (*append_name)(const br_ssl_client_certificate_class **pctx, const unsigned char *data, size_t len); /** * \brief End current trust anchor name. * * This function is called when all the encoded anchor name data * has been provided. * * \param pctx certificate handler context. */ void (*end_name)(const br_ssl_client_certificate_class **pctx); /** * \brief End list of trust anchor names. * * This function is called when all the anchor names in the * CertificateRequest message have been obtained. * * \param pctx certificate handler context. */ void (*end_name_list)(const br_ssl_client_certificate_class **pctx); /** * \brief Select client certificate and algorithms. * * This callback function shall fill the provided `choices` * structure with the selected algorithms and certificate chain. * The `hash_id`, `chain` and `chain_len` fields must be set. If * the client cannot or does not wish to send a certificate, * then it shall set `chain` to `NULL` and `chain_len` to 0. * * The `auth_types` parameter describes the authentication types, * signature algorithms and hash functions that are supported by * both the client context and the server, and compatible with * the current protocol version. This is a bit field with the * following contents: * * - If RSA signatures with hash function x are supported, then * bit x is set. * * - If ECDSA signatures with hash function x are supported, * then bit 8+x is set. * * - If static ECDH is supported, with a RSA-signed certificate, * then bit 16 is set. * * - If static ECDH is supported, with an ECDSA-signed certificate, * then bit 17 is set. * * Notes: * * - When using TLS 1.0 or 1.1, the hash function for RSA * signatures is always the special MD5+SHA-1 (id 0), and the * hash function for ECDSA signatures is always SHA-1 (id 2). * * - When using TLS 1.2, the list of hash functions is trimmed * down to include only hash functions that the client context * can support. The actual server list can be obtained with * `br_ssl_client_get_server_hashes()`; that list may be used * to select the certificate chain to send to the server. * * \param pctx certificate handler context. * \param cc SSL client context. * \param auth_types supported authentication types and algorithms. * \param choices destination structure for the policy choices. */ void (*choose)(const br_ssl_client_certificate_class **pctx, const br_ssl_client_context *cc, uint32_t auth_types, br_ssl_client_certificate *choices); /** * \brief Perform key exchange (client part). * * This callback is invoked in case of a full static ECDH key * exchange: * * - the cipher suite uses `ECDH_RSA` or `ECDH_ECDSA`; * * - the server requests a client certificate; * * - the client has, and sends, a client certificate that * uses an EC key in the same curve as the server's key, * and chooses static ECDH (the `hash_id` field in the choice * structure was set to -1). * * In that situation, this callback is invoked to compute the * client-side ECDH: the provided `data` (of length `*len` bytes) * is the server's public key point (as decoded from its * certificate), and the client shall multiply that point with * its own private key, and write back the X coordinate of the * resulting point in the same buffer, starting at offset 0. * The `*len` value shall be modified to designate the actual * length of the X coordinate. * * The callback must uphold the following: * * - If the input array does not have the proper length for * an encoded curve point, then an error (0) shall be reported. * * - If the input array has the proper length, then processing * MUST be constant-time, even if the data is not a valid * encoded point. * * - This callback MUST check that the input point is valid. * * Returned value is 1 on success, 0 on error. * * \param pctx certificate handler context. * \param data server public key point. * \param len public key point length / X coordinate length. * \return 1 on success, 0 on error. */ uint32_t (*do_keyx)(const br_ssl_client_certificate_class **pctx, unsigned char *data, size_t *len); /** * \brief Perform a signature (client authentication). * * This callback is invoked when a client certificate was sent, * and static ECDH is not used. It shall compute a signature, * using the client's private key, over the provided hash value * (which is the hash of all previous handshake messages). * * On input, the hash value to sign is in `data`, of size * `hv_len`; the involved hash function is identified by * `hash_id`. The signature shall be computed and written * back into `data`; the total size of that buffer is `len` * bytes. * * This callback shall verify that the signature length does not * exceed `len` bytes, and abstain from writing the signature if * it does not fit. * * For RSA signatures, the `hash_id` may be 0, in which case * this is the special header-less signature specified in TLS 1.0 * and 1.1, with a 36-byte hash value. Otherwise, normal PKCS#1 * v1.5 signatures shall be computed. * * For ECDSA signatures, the signature value shall use the ASN.1 * based encoding. * * Returned value is the signature length (in bytes), or 0 on error. * * \param pctx certificate handler context. * \param hash_id hash function identifier. * \param hv_len hash value length (in bytes). * \param data input/output buffer (hash value, then signature). * \param len total buffer length (in bytes). * \return signature length (in bytes) on success, or 0 on error. */ size_t (*do_sign)(const br_ssl_client_certificate_class **pctx, int hash_id, size_t hv_len, unsigned char *data, size_t len); }; /** * \brief A single-chain RSA client certificate handler. * * This handler uses a single certificate chain, with a RSA * signature. The list of trust anchor DN is ignored. * * Apart from the first field (vtable pointer), its contents are * opaque and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ const br_ssl_client_certificate_class *vtable; #ifndef BR_DOXYGEN_IGNORE const br_x509_certificate *chain; size_t chain_len; const br_rsa_private_key *sk; br_rsa_pkcs1_sign irsasign; #endif } br_ssl_client_certificate_rsa_context; /** * \brief A single-chain EC client certificate handler. * * This handler uses a single certificate chain, with a RSA * signature. The list of trust anchor DN is ignored. * * This handler may support both static ECDH, and ECDSA signatures * (either usage may be selectively disabled). * * Apart from the first field (vtable pointer), its contents are * opaque and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ const br_ssl_client_certificate_class *vtable; #ifndef BR_DOXYGEN_IGNORE const br_x509_certificate *chain; size_t chain_len; const br_ec_private_key *sk; unsigned allowed_usages; unsigned issuer_key_type; const br_multihash_context *mhash; const br_ec_impl *iec; br_ecdsa_sign iecdsa; #endif } br_ssl_client_certificate_ec_context; /** * \brief Context structure for a SSL client. * * The first field (called `eng`) is the SSL engine; all functions that * work on a `br_ssl_engine_context` structure shall take as parameter * a pointer to that field. The other structure fields are opaque and * must not be accessed directly. */ struct br_ssl_client_context_ { /** * \brief The encapsulated engine context. */ br_ssl_engine_context eng; #ifndef BR_DOXYGEN_IGNORE /* * Minimum ClientHello length; padding with an extension (RFC * 7685) is added if necessary to match at least that length. * Such padding is nominally unnecessary, but it has been used * to work around some server implementation bugs. */ uint16_t min_clienthello_len; /* * Bit field for algoithms (hash + signature) supported by the * server when requesting a client certificate. */ uint32_t hashes; /* * Server's public key curve. */ int server_curve; /* * Context for certificate handler. */ const br_ssl_client_certificate_class **client_auth_vtable; /* * Client authentication type. */ unsigned char auth_type; /* * Hash function to use for the client signature. This is 0xFF * if static ECDH is used. */ unsigned char hash_id; /* * For the core certificate handlers, thus avoiding (in most * cases) the need for an externally provided policy context. */ union { const br_ssl_client_certificate_class *vtable; br_ssl_client_certificate_rsa_context single_rsa; br_ssl_client_certificate_ec_context single_ec; } client_auth; /* * Implementations. */ br_rsa_public irsapub; #endif }; /** * \brief Get the hash functions and signature algorithms supported by * the server. * * This value is a bit field: * * - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`, * then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1, * or 2 to 6 for the SHA family). * * - If ECDSA is suported with hash function of ID `x`, then bit `8+x` * is set. * * - Newer algorithms are symbolic 16-bit identifiers that do not * represent signature algorithm and hash function separately. If * the TLS-level identifier is `0x0800+x` for a `x` in the 0..15 * range, then bit `16+x` is set. * * "New algorithms" are currently defined only in draft documents, so * this support is subject to possible change. Right now (early 2017), * this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA * on Curve448) to bit 24. If the identifiers on the wire change in * future document, then the decoding mechanism in BearSSL will be * amended to keep mapping ed25519 and ed448 on bits 23 and 24, * respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not * guaranteed yet. * * \param cc client context. * \return the server-supported hash functions and signature algorithms. */ static inline uint32_t br_ssl_client_get_server_hashes(const br_ssl_client_context *cc) { return cc->hashes; } /** * \brief Get the server key curve. * * This function returns the ID for the curve used by the server's public * key. This is set when the server's certificate chain is processed; * this value is 0 if the server's key is not an EC key. * * \return the server's public key curve ID, or 0. */ static inline int br_ssl_client_get_server_curve(const br_ssl_client_context *cc) { return cc->server_curve; } /* * Each br_ssl_client_init_xxx() function sets the list of supported * cipher suites and used implementations, as specified by the profile * name 'xxx'. Defined profile names are: * * full all supported versions and suites; constant-time implementations * TODO: add other profiles */ /** * \brief SSL client profile: full. * * This function initialises the provided SSL client context with * all supported algorithms and cipher suites. It also initialises * a companion X.509 validation engine with all supported algorithms, * and the provided trust anchors; the X.509 engine will be used by * the client context to validate the server's certificate. * * \param cc client context to initialise. * \param xc X.509 validation context to initialise. * \param trust_anchors trust anchors to use. * \param trust_anchors_num number of trust anchors. */ void br_ssl_client_init_full(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num); /** * \brief Clear the complete contents of a SSL client context. * * Everything is cleared, including the reference to the configured buffer, * implementations, cipher suites and state. This is a preparatory step * to assembling a custom profile. * * \param cc client context to clear. */ void br_ssl_client_zero(br_ssl_client_context *cc); /** * \brief Set an externally provided client certificate handler context. * * The handler's methods are invoked when the server requests a client * certificate. * * \param cc client context. * \param pctx certificate handler context (pointer to its vtable field). */ static inline void br_ssl_client_set_client_certificate(br_ssl_client_context *cc, const br_ssl_client_certificate_class **pctx) { cc->client_auth_vtable = pctx; } /** * \brief Set the RSA public-key operations implementation. * * This will be used to encrypt the pre-master secret with the server's * RSA public key (RSA-encryption cipher suites only). * * \param cc client context. * \param irsapub RSA public-key encryption implementation. */ static inline void br_ssl_client_set_rsapub(br_ssl_client_context *cc, br_rsa_public irsapub) { cc->irsapub = irsapub; } /** * \brief Set the "default" RSA implementation for public-key operations. * * This sets the RSA implementation in the client context (for encrypting * the pre-master secret, in `TLS_RSA_*` cipher suites) to the fastest * available on the current platform. * * \param cc client context. */ void br_ssl_client_set_default_rsapub(br_ssl_client_context *cc); /** * \brief Set the minimum ClientHello length (RFC 7685 padding). * * If this value is set and the ClientHello would be shorter, then * the Pad ClientHello extension will be added with enough padding bytes * to reach the target size. Because of the extension header, the resulting * size will sometimes be slightly more than `len` bytes if the target * size cannot be exactly met. * * The target length relates to the _contents_ of the ClientHello, not * counting its 4-byte header. For instance, if `len` is set to 512, * then the padding will bring the ClientHello size to 516 bytes with its * header, and 521 bytes when counting the 5-byte record header. * * \param cc client context. * \param len minimum ClientHello length (in bytes). */ static inline void br_ssl_client_set_min_clienthello_len(br_ssl_client_context *cc, uint16_t len) { cc->min_clienthello_len = len; } /** * \brief Prepare or reset a client context for a new connection. * * The `server_name` parameter is used to fill the SNI extension; the * X.509 "minimal" engine will also match that name against the server * names included in the server's certificate. If the parameter is * `NULL` then no SNI extension will be sent, and the X.509 "minimal" * engine (if used for server certificate validation) will not check * presence of any specific name in the received certificate. * * Therefore, setting the `server_name` to `NULL` shall be reserved * to cases where alternate or additional methods are used to ascertain * that the right server public key is used (e.g. a "known key" model). * * If `resume_session` is non-zero and the context was previously used * then the session parameters may be reused (depending on whether the * server previously sent a non-empty session ID, and accepts the session * resumption). The session parameters for session resumption can also * be set explicitly with `br_ssl_engine_set_session_parameters()`. * * On failure, the context is marked as failed, and this function * returns 0. A possible failure condition is when no initial entropy * was injected, and none could be obtained from the OS (either OS * randomness gathering is not supported, or it failed). * * \param cc client context. * \param server_name target server name, or `NULL`. * \param resume_session non-zero to try session resumption. * \return 0 on failure, 1 on success. */ int br_ssl_client_reset(br_ssl_client_context *cc, const char *server_name, int resume_session); /** * \brief Forget any session in the context. * * This means that the next handshake that uses this context will * necessarily be a full handshake (this applies both to new connections * and to renegotiations). * * \param cc client context. */ static inline void br_ssl_client_forget_session(br_ssl_client_context *cc) { cc->eng.session.session_id_len = 0; } /** * \brief Set client certificate chain and key (single RSA case). * * This function sets a client certificate chain, that the client will * send to the server whenever a client certificate is requested. This * certificate uses an RSA public key; the corresponding private key is * invoked for authentication. Trust anchor names sent by the server are * ignored. * * The provided chain and private key are linked in the client context; * they must remain valid as long as they may be used, i.e. normally * for the duration of the connection, since they might be invoked * again upon renegotiations. * * \param cc SSL client context. * \param chain client certificate chain (SSL order: EE comes first). * \param chain_len client chain length (number of certificates). * \param sk client private key. * \param irsasign RSA signature implementation (PKCS#1 v1.5). */ void br_ssl_client_set_single_rsa(br_ssl_client_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_rsa_private_key *sk, br_rsa_pkcs1_sign irsasign); /* * \brief Set the client certificate chain and key (single EC case). * * This function sets a client certificate chain, that the client will * send to the server whenever a client certificate is requested. This * certificate uses an EC public key; the corresponding private key is * invoked for authentication. Trust anchor names sent by the server are * ignored. * * The provided chain and private key are linked in the client context; * they must remain valid as long as they may be used, i.e. normally * for the duration of the connection, since they might be invoked * again upon renegotiations. * * The `allowed_usages` is a combination of usages, namely * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`. The `BR_KEYTYPE_KEYX` * value allows full static ECDH, while the `BR_KEYTYPE_SIGN` value * allows ECDSA signatures. If ECDSA signatures are used, then an ECDSA * signature implementation must be provided; otherwise, the `iecdsa` * parameter may be 0. * * The `cert_issuer_key_type` value is either `BR_KEYTYPE_RSA` or * `BR_KEYTYPE_EC`; it is the type of the public key used the the CA * that issued (signed) the client certificate. That value is used with * full static ECDH: support of the certificate by the server depends * on how the certificate was signed. (Note: when using TLS 1.2, this * parameter is ignored; but its value matters for TLS 1.0 and 1.1.) * * \param cc server context. * \param chain server certificate chain to send. * \param chain_len chain length (number of certificates). * \param sk server private key (EC). * \param allowed_usages allowed private key usages. * \param cert_issuer_key_type issuing CA's key type. * \param iec EC core implementation. * \param iecdsa ECDSA signature implementation ("asn1" format). */ void br_ssl_client_set_single_ec(br_ssl_client_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_ec_private_key *sk, unsigned allowed_usages, unsigned cert_issuer_key_type, const br_ec_impl *iec, br_ecdsa_sign iecdsa); /** * \brief Type for a "translated cipher suite", as an array of two * 16-bit integers. * * The first element is the cipher suite identifier (as used on the wire). * The second element is the concatenation of four 4-bit elements which * characterise the cipher suite contents. In most to least significant * order, these 4-bit elements are: * * - Bits 12 to 15: key exchange + server key type * * | val | symbolic constant | suite type | details | * | :-- | :----------------------- | :---------- | :----------------------------------------------- | * | 0 | `BR_SSLKEYX_RSA` | RSA | RSA key exchange, key is RSA (encryption) | * | 1 | `BR_SSLKEYX_ECDHE_RSA` | ECDHE_RSA | ECDHE key exchange, key is RSA (signature) | * | 2 | `BR_SSLKEYX_ECDHE_ECDSA` | ECDHE_ECDSA | ECDHE key exchange, key is EC (signature) | * | 3 | `BR_SSLKEYX_ECDH_RSA` | ECDH_RSA | Key is EC (key exchange), cert signed with RSA | * | 4 | `BR_SSLKEYX_ECDH_ECDSA` | ECDH_ECDSA | Key is EC (key exchange), cert signed with ECDSA | * * - Bits 8 to 11: symmetric encryption algorithm * * | val | symbolic constant | symmetric encryption | key strength (bits) | * | :-- | :--------------------- | :------------------- | :------------------ | * | 0 | `BR_SSLENC_3DES_CBC` | 3DES/CBC | 168 | * | 1 | `BR_SSLENC_AES128_CBC` | AES-128/CBC | 128 | * | 2 | `BR_SSLENC_AES256_CBC` | AES-256/CBC | 256 | * | 3 | `BR_SSLENC_AES128_GCM` | AES-128/GCM | 128 | * | 4 | `BR_SSLENC_AES256_GCM` | AES-256/GCM | 256 | * | 5 | `BR_SSLENC_CHACHA20` | ChaCha20/Poly1305 | 256 | * * - Bits 4 to 7: MAC algorithm * * | val | symbolic constant | MAC type | details | * | :-- | :----------------- | :----------- | :------------------------------------ | * | 0 | `BR_SSLMAC_AEAD` | AEAD | No dedicated MAC (encryption is AEAD) | * | 2 | `BR_SSLMAC_SHA1` | HMAC/SHA-1 | Value matches `br_sha1_ID` | * | 4 | `BR_SSLMAC_SHA256` | HMAC/SHA-256 | Value matches `br_sha256_ID` | * | 5 | `BR_SSLMAC_SHA384` | HMAC/SHA-384 | Value matches `br_sha384_ID` | * * - Bits 0 to 3: hash function for PRF when used with TLS-1.2 * * | val | symbolic constant | hash function | details | * | :-- | :----------------- | :------------ | :----------------------------------- | * | 4 | `BR_SSLPRF_SHA256` | SHA-256 | Value matches `br_sha256_ID` | * | 5 | `BR_SSLPRF_SHA384` | SHA-384 | Value matches `br_sha384_ID` | * * For instance, cipher suite `TLS_RSA_WITH_AES_128_GCM_SHA256` has * standard identifier 0x009C, and is translated to 0x0304, for, in * that order: RSA key exchange (0), AES-128/GCM (3), AEAD integrity (0), * SHA-256 in the TLS PRF (4). */ typedef uint16_t br_suite_translated[2]; #ifndef BR_DOXYGEN_IGNORE /* * Constants are already documented in the br_suite_translated type. */ #define BR_SSLKEYX_RSA 0 #define BR_SSLKEYX_ECDHE_RSA 1 #define BR_SSLKEYX_ECDHE_ECDSA 2 #define BR_SSLKEYX_ECDH_RSA 3 #define BR_SSLKEYX_ECDH_ECDSA 4 #define BR_SSLENC_3DES_CBC 0 #define BR_SSLENC_AES128_CBC 1 #define BR_SSLENC_AES256_CBC 2 #define BR_SSLENC_AES128_GCM 3 #define BR_SSLENC_AES256_GCM 4 #define BR_SSLENC_CHACHA20 5 #define BR_SSLMAC_AEAD 0 #define BR_SSLMAC_SHA1 br_sha1_ID #define BR_SSLMAC_SHA256 br_sha256_ID #define BR_SSLMAC_SHA384 br_sha384_ID #define BR_SSLPRF_SHA256 br_sha256_ID #define BR_SSLPRF_SHA384 br_sha384_ID #endif /* * Pre-declaration for the SSL server context. */ typedef struct br_ssl_server_context_ br_ssl_server_context; /** * \brief Type for the server policy choices, taken after analysis of * the client message (ClientHello). */ typedef struct { /** * \brief Cipher suite to use with that client. */ uint16_t cipher_suite; /** * \brief Hash function or algorithm for signing the ServerKeyExchange. * * This parameter is ignored for `TLS_RSA_*` and `TLS_ECDH_*` * cipher suites; it is used only for `TLS_ECDHE_*` suites, in * which the server _signs_ the ephemeral EC Diffie-Hellman * parameters sent to the client. * * This identifier must be one of the following values: * * - `0xFF00 + id`, where `id` is a hash function identifier * (0 for MD5+SHA-1, or 2 to 6 for one of the SHA functions); * * - a full 16-bit identifier, lower than `0xFF00`. * * If the first option is used, then the SSL engine will * compute the hash of the data that is to be signed, with the * designated hash function. The `do_sign()` method will be * invoked with that hash value provided in the the `data` * buffer. * * If the second option is used, then the SSL engine will NOT * compute a hash on the data; instead, it will provide the * to-be-signed data itself in `data`, i.e. the concatenation of * the client random, server random, and encoded ECDH * parameters. Furthermore, with TLS-1.2 and later, the 16-bit * identifier will be used "as is" in the protocol, in the * SignatureAndHashAlgorithm; for instance, `0x0401` stands for * RSA PKCS#1 v1.5 signature (the `01`) with SHA-256 as hash * function (the `04`). * * Take care that with TLS 1.0 and 1.1, the hash function is * constrainted by the protocol: RSA signature must use * MD5+SHA-1 (so use `0xFF00`), while ECDSA must use SHA-1 * (`0xFF02`). Since TLS 1.0 and 1.1 don't include a * SignatureAndHashAlgorithm field in their ServerKeyExchange * messages, any value below `0xFF00` will be usable to send the * raw ServerKeyExchange data to the `do_sign()` callback, but * that callback must still follow the protocol requirements * when generating the signature. */ unsigned algo_id; /** * \brief Certificate chain to send to the client. * * This is an array of `br_x509_certificate` objects, each * normally containing a DER-encoded certificate. The server * code does not try to decode these elements. */ const br_x509_certificate *chain; /** * \brief Certificate chain length (number of certificates). */ size_t chain_len; } br_ssl_server_choices; /** * \brief Class type for a policy handler (server side). * * A policy handler selects the policy parameters for a connection * (cipher suite and other algorithms, and certificate chain to send to * the client); it also performs the server-side computations involving * its permanent private key. * * The SSL server engine will invoke first `choose()`, once the * ClientHello message has been received, then either `do_keyx()` * `do_sign()`, depending on the cipher suite. */ typedef struct br_ssl_server_policy_class_ br_ssl_server_policy_class; struct br_ssl_server_policy_class_ { /** * \brief Context size (in bytes). */ size_t context_size; /** * \brief Select algorithms and certificates for this connection. * * This callback function shall fill the provided `choices` * structure with the policy choices for this connection. This * entails selecting the cipher suite, hash function for signing * the ServerKeyExchange (applicable only to ECDHE cipher suites), * and certificate chain to send. * * The callback receives a pointer to the server context that * contains the relevant data. In particular, the functions * `br_ssl_server_get_client_suites()`, * `br_ssl_server_get_client_hashes()` and * `br_ssl_server_get_client_curves()` can be used to obtain * the cipher suites, hash functions and elliptic curves * supported by both the client and server, respectively. The * `br_ssl_engine_get_version()` and `br_ssl_engine_get_server_name()` * functions yield the protocol version and requested server name * (SNI), respectively. * * This function may modify its context structure (`pctx`) in * arbitrary ways to keep track of its own choices. * * This function shall return 1 if appropriate policy choices * could be made, or 0 if this connection cannot be pursued. * * \param pctx policy context. * \param cc SSL server context. * \param choices destination structure for the policy choices. * \return 1 on success, 0 on error. */ int (*choose)(const br_ssl_server_policy_class **pctx, const br_ssl_server_context *cc, br_ssl_server_choices *choices); /** * \brief Perform key exchange (server part). * * This callback is invoked to perform the server-side cryptographic * operation for a key exchange that is not ECDHE. This callback * uses the private key. * * **For RSA key exchange**, the provided `data` (of length `*len` * bytes) shall be decrypted with the server's private key, and * the 48-byte premaster secret copied back to the first 48 bytes * of `data`. * * - The caller makes sure that `*len` is at least 59 bytes. * * - This callback MUST check that the provided length matches * that of the key modulus; it shall report an error otherwise. * * - If the length matches that of the RSA key modulus, then * processing MUST be constant-time, even if decryption fails, * or the padding is incorrect, or the plaintext message length * is not exactly 48 bytes. * * - This callback needs not check the two first bytes of the * obtained pre-master secret (the caller will do that). * * - If an error is reported (0), then what the callback put * in the first 48 bytes of `data` is unimportant (the caller * will use random bytes instead). * * **For ECDH key exchange**, the provided `data` (of length `*len` * bytes) is the elliptic curve point from the client. The * callback shall multiply it with its private key, and store * the resulting X coordinate in `data`, starting at offset 0, * and set `*len` to the length of the X coordinate. * * - If the input array does not have the proper length for * an encoded curve point, then an error (0) shall be reported. * * - If the input array has the proper length, then processing * MUST be constant-time, even if the data is not a valid * encoded point. * * - This callback MUST check that the input point is valid. * * Returned value is 1 on success, 0 on error. * * \param pctx policy context. * \param data key exchange data from the client. * \param len key exchange data length (in bytes). * \return 1 on success, 0 on error. */ uint32_t (*do_keyx)(const br_ssl_server_policy_class **pctx, unsigned char *data, size_t *len); /** * \brief Perform a signature (for a ServerKeyExchange message). * * This callback function is invoked for ECDHE cipher suites. On * input, the hash value or message to sign is in `data`, of * size `hv_len`; the involved hash function or algorithm is * identified by `algo_id`. The signature shall be computed and * written back into `data`; the total size of that buffer is * `len` bytes. * * This callback shall verify that the signature length does not * exceed `len` bytes, and abstain from writing the signature if * it does not fit. * * The `algo_id` value matches that which was written in the * `choices` structures by the `choose()` callback. This will be * one of the following: * * - `0xFF00 + id` for a hash function identifier `id`. In * that case, the `data` buffer contains a hash value * already computed over the data that is to be signed, * of length `hv_len`. The `id` may be 0 to designate the * special MD5+SHA-1 concatenation (old-style RSA signing). * * - Another value, lower than `0xFF00`. The `data` buffer * then contains the raw, non-hashed data to be signed * (concatenation of the client and server randoms and * ECDH parameters). The callback is responsible to apply * any relevant hashing as part of the signing process. * * Returned value is the signature length (in bytes), or 0 on error. * * \param pctx policy context. * \param algo_id hash function / algorithm identifier. * \param data input/output buffer (message/hash, then signature). * \param hv_len hash value or message length (in bytes). * \param len total buffer length (in bytes). * \return signature length (in bytes) on success, or 0 on error. */ size_t (*do_sign)(const br_ssl_server_policy_class **pctx, unsigned algo_id, unsigned char *data, size_t hv_len, size_t len); }; /** * \brief A single-chain RSA policy handler. * * This policy context uses a single certificate chain, and a RSA * private key. The context can be restricted to only signatures or * only key exchange. * * Apart from the first field (vtable pointer), its contents are * opaque and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ const br_ssl_server_policy_class *vtable; #ifndef BR_DOXYGEN_IGNORE const br_x509_certificate *chain; size_t chain_len; const br_rsa_private_key *sk; unsigned allowed_usages; br_rsa_private irsacore; br_rsa_pkcs1_sign irsasign; #endif } br_ssl_server_policy_rsa_context; /** * \brief A single-chain EC policy handler. * * This policy context uses a single certificate chain, and an EC * private key. The context can be restricted to only signatures or * only key exchange. * * Due to how TLS is defined, this context must be made aware whether * the server certificate was itself signed with RSA or ECDSA. The code * does not try to decode the certificate to obtain that information. * * Apart from the first field (vtable pointer), its contents are * opaque and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ const br_ssl_server_policy_class *vtable; #ifndef BR_DOXYGEN_IGNORE const br_x509_certificate *chain; size_t chain_len; const br_ec_private_key *sk; unsigned allowed_usages; unsigned cert_issuer_key_type; const br_multihash_context *mhash; const br_ec_impl *iec; br_ecdsa_sign iecdsa; #endif } br_ssl_server_policy_ec_context; /** * \brief Class type for a session parameter cache. * * Session parameters are saved in the cache with `save()`, and * retrieved with `load()`. The cache implementation can apply any * storage and eviction strategy that it sees fit. The SSL server * context that performs the request is provided, so that its * functionalities may be used by the implementation (e.g. hash * functions or random number generation). */ typedef struct br_ssl_session_cache_class_ br_ssl_session_cache_class; struct br_ssl_session_cache_class_ { /** * \brief Context size (in bytes). */ size_t context_size; /** * \brief Record a session. * * This callback should record the provided session parameters. * The `params` structure is transient, so its contents shall * be copied into the cache. The session ID has been randomly * generated and always has length exactly 32 bytes. * * \param ctx session cache context. * \param server_ctx SSL server context. * \param params session parameters to save. */ void (*save)(const br_ssl_session_cache_class **ctx, br_ssl_server_context *server_ctx, const br_ssl_session_parameters *params); /** * \brief Lookup a session in the cache. * * The session ID to lookup is in `params` and always has length * exactly 32 bytes. If the session parameters are found in the * cache, then the parameters shall be copied into the `params` * structure. Returned value is 1 on successful lookup, 0 * otherwise. * * \param ctx session cache context. * \param server_ctx SSL server context. * \param params destination for session parameters. * \return 1 if found, 0 otherwise. */ int (*load)(const br_ssl_session_cache_class **ctx, br_ssl_server_context *server_ctx, br_ssl_session_parameters *params); }; /** * \brief Context for a basic cache system. * * The system stores session parameters in a buffer provided at * initialisation time. Each entry uses exactly 100 bytes, and * buffer sizes up to 4294967295 bytes are supported. * * Entries are evicted with a LRU (Least Recently Used) policy. A * search tree is maintained to keep lookups fast even with large * caches. * * Apart from the first field (vtable pointer), the structure * contents are opaque and shall not be accessed directly. */ typedef struct { /** \brief Pointer to vtable. */ const br_ssl_session_cache_class *vtable; #ifndef BR_DOXYGEN_IGNORE unsigned char *store; size_t store_len, store_ptr; unsigned char index_key[32]; const br_hash_class *hash; int init_done; uint32_t head, tail, root; #endif } br_ssl_session_cache_lru; /** * \brief Initialise a LRU session cache with the provided storage space. * * The provided storage space must remain valid as long as the cache * is used. Arbitrary lengths are supported, up to 4294967295 bytes; * each entry uses up exactly 100 bytes. * * \param cc session cache context. * \param store storage space for cached entries. * \param store_len storage space length (in bytes). */ void br_ssl_session_cache_lru_init(br_ssl_session_cache_lru *cc, unsigned char *store, size_t store_len); /** * \brief Forget an entry in an LRU session cache. * * The session cache context must have been initialised. The entry * with the provided session ID (of exactly 32 bytes) is looked for * in the cache; if located, it is disabled. * * \param cc session cache context. * \param id session ID to forget. */ void br_ssl_session_cache_lru_forget( br_ssl_session_cache_lru *cc, const unsigned char *id); /** * \brief Context structure for a SSL server. * * The first field (called `eng`) is the SSL engine; all functions that * work on a `br_ssl_engine_context` structure shall take as parameter * a pointer to that field. The other structure fields are opaque and * must not be accessed directly. */ struct br_ssl_server_context_ { /** * \brief The encapsulated engine context. */ br_ssl_engine_context eng; #ifndef BR_DOXYGEN_IGNORE /* * Maximum version from the client. */ uint16_t client_max_version; /* * Session cache. */ const br_ssl_session_cache_class **cache_vtable; /* * Translated cipher suites supported by the client. The list * is trimmed to include only the cipher suites that the * server also supports; they are in the same order as in the * client message. */ br_suite_translated client_suites[BR_MAX_CIPHER_SUITES]; unsigned char client_suites_num; /* * Hash functions supported by the client, with ECDSA and RSA * (bit mask). For hash function with id 'x', set bit index is * x for RSA, x+8 for ECDSA. For newer algorithms, with ID * 0x08**, bit 16+k is set for algorithm 0x0800+k. */ uint32_t hashes; /* * Curves supported by the client (bit mask, for named curves). */ uint32_t curves; /* * Context for chain handler. */ const br_ssl_server_policy_class **policy_vtable; uint16_t sign_hash_id; /* * For the core handlers, thus avoiding (in most cases) the * need for an externally provided policy context. */ union { const br_ssl_server_policy_class *vtable; br_ssl_server_policy_rsa_context single_rsa; br_ssl_server_policy_ec_context single_ec; } chain_handler; /* * Buffer for the ECDHE private key. */ unsigned char ecdhe_key[70]; size_t ecdhe_key_len; /* * Trust anchor names for client authentication. "ta_names" and * "tas" cannot be both non-NULL. */ const br_x500_name *ta_names; const br_x509_trust_anchor *tas; size_t num_tas; size_t cur_dn_index; const unsigned char *cur_dn; size_t cur_dn_len; /* * Buffer for the hash value computed over all handshake messages * prior to CertificateVerify, and identifier for the hash function. */ unsigned char hash_CV[64]; size_t hash_CV_len; int hash_CV_id; /* * Server-specific implementations. * (none for now) */ #endif }; /* * Each br_ssl_server_init_xxx() function sets the list of supported * cipher suites and used implementations, as specified by the profile * name 'xxx'. Defined profile names are: * * full_rsa all supported algorithm, server key type is RSA * full_ec all supported algorithm, server key type is EC * TODO: add other profiles * * Naming scheme for "minimal" profiles: min123 * * -- character 1: key exchange * r = RSA * e = ECDHE_RSA * f = ECDHE_ECDSA * u = ECDH_RSA * v = ECDH_ECDSA * -- character 2: version / PRF * 0 = TLS 1.0 / 1.1 with MD5+SHA-1 * 2 = TLS 1.2 with SHA-256 * 3 = TLS 1.2 with SHA-384 * -- character 3: encryption * a = AES/CBC * d = 3DES/CBC * g = AES/GCM * c = ChaCha20+Poly1305 */ /** * \brief SSL server profile: full_rsa. * * This function initialises the provided SSL server context with * all supported algorithms and cipher suites that rely on a RSA * key pair. * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len certificate chain length (number of certificate). * \param sk RSA private key. */ void br_ssl_server_init_full_rsa(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_rsa_private_key *sk); /** * \brief SSL server profile: full_ec. * * This function initialises the provided SSL server context with * all supported algorithms and cipher suites that rely on an EC * key pair. * * The key type of the CA that issued the server's certificate must * be provided, since it matters for ECDH cipher suites (ECDH_RSA * suites require a RSA-powered CA). The key type is either * `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`. * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len chain length (number of certificates). * \param cert_issuer_key_type certificate issuer's key type. * \param sk EC private key. */ void br_ssl_server_init_full_ec(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, unsigned cert_issuer_key_type, const br_ec_private_key *sk); /** * \brief SSL server profile: minr2g. * * This profile uses only TLS_RSA_WITH_AES_128_GCM_SHA256. Server key is * RSA, and RSA key exchange is used (not forward secure, but uses little * CPU in the client). * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len certificate chain length (number of certificate). * \param sk RSA private key. */ void br_ssl_server_init_minr2g(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_rsa_private_key *sk); /** * \brief SSL server profile: mine2g. * * This profile uses only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Server key * is RSA, and ECDHE key exchange is used. This suite provides forward * security, with a higher CPU expense on the client, and a somewhat * larger code footprint (compared to "minr2g"). * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len certificate chain length (number of certificate). * \param sk RSA private key. */ void br_ssl_server_init_mine2g(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_rsa_private_key *sk); /** * \brief SSL server profile: minf2g. * * This profile uses only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. * Server key is EC, and ECDHE key exchange is used. This suite provides * forward security, with a higher CPU expense on the client and server * (by a factor of about 3 to 4), and a somewhat larger code footprint * (compared to "minu2g" and "minv2g"). * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len certificate chain length (number of certificate). * \param sk EC private key. */ void br_ssl_server_init_minf2g(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_ec_private_key *sk); /** * \brief SSL server profile: minu2g. * * This profile uses only TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256. * Server key is EC, and ECDH key exchange is used; the issuing CA used * a RSA key. * * The "minu2g" and "minv2g" profiles do not provide forward secrecy, * but are the lightest on the server (for CPU usage), and are rather * inexpensive on the client as well. * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len certificate chain length (number of certificate). * \param sk EC private key. */ void br_ssl_server_init_minu2g(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_ec_private_key *sk); /** * \brief SSL server profile: minv2g. * * This profile uses only TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256. * Server key is EC, and ECDH key exchange is used; the issuing CA used * an EC key. * * The "minu2g" and "minv2g" profiles do not provide forward secrecy, * but are the lightest on the server (for CPU usage), and are rather * inexpensive on the client as well. * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len certificate chain length (number of certificate). * \param sk EC private key. */ void br_ssl_server_init_minv2g(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_ec_private_key *sk); /** * \brief SSL server profile: mine2c. * * This profile uses only TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256. * Server key is RSA, and ECDHE key exchange is used. This suite * provides forward security. * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len certificate chain length (number of certificate). * \param sk RSA private key. */ void br_ssl_server_init_mine2c(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_rsa_private_key *sk); /** * \brief SSL server profile: minf2c. * * This profile uses only TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256. * Server key is EC, and ECDHE key exchange is used. This suite provides * forward security. * * \param cc server context to initialise. * \param chain server certificate chain. * \param chain_len certificate chain length (number of certificate). * \param sk EC private key. */ void br_ssl_server_init_minf2c(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_ec_private_key *sk); /** * \brief Get the supported client suites. * * This function shall be called only after the ClientHello has been * processed, typically from the policy engine. The returned array * contains the cipher suites that are supported by both the client * and the server; these suites are in client preference order, unless * the `BR_OPT_ENFORCE_SERVER_PREFERENCES` flag was set, in which case * they are in server preference order. * * The suites are _translated_, which means that each suite is given * as two 16-bit integers: the standard suite identifier, and its * translated version, broken down into its individual components, * as explained with the `br_suite_translated` type. * * The returned array is allocated in the context and will be rewritten * by each handshake. * * \param cc server context. * \param num receives the array size (number of suites). * \return the translated common cipher suites, in preference order. */ static inline const br_suite_translated * br_ssl_server_get_client_suites(const br_ssl_server_context *cc, size_t *num) { *num = cc->client_suites_num; return cc->client_suites; } /** * \brief Get the hash functions and signature algorithms supported by * the client. * * This value is a bit field: * * - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`, * then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1, * or 2 to 6 for the SHA family). * * - If ECDSA is suported with hash function of ID `x`, then bit `8+x` * is set. * * - Newer algorithms are symbolic 16-bit identifiers that do not * represent signature algorithm and hash function separately. If * the TLS-level identifier is `0x0800+x` for a `x` in the 0..15 * range, then bit `16+x` is set. * * "New algorithms" are currently defined only in draft documents, so * this support is subject to possible change. Right now (early 2017), * this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA * on Curve448) to bit 24. If the identifiers on the wire change in * future document, then the decoding mechanism in BearSSL will be * amended to keep mapping ed25519 and ed448 on bits 23 and 24, * respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not * guaranteed yet. * * \param cc server context. * \return the client-supported hash functions and signature algorithms. */ static inline uint32_t br_ssl_server_get_client_hashes(const br_ssl_server_context *cc) { return cc->hashes; } /** * \brief Get the elliptic curves supported by the client. * * This is a bit field (bit x is set if curve of ID x is supported). * * \param cc server context. * \return the client-supported elliptic curves. */ static inline uint32_t br_ssl_server_get_client_curves(const br_ssl_server_context *cc) { return cc->curves; } /** * \brief Clear the complete contents of a SSL server context. * * Everything is cleared, including the reference to the configured buffer, * implementations, cipher suites and state. This is a preparatory step * to assembling a custom profile. * * \param cc server context to clear. */ void br_ssl_server_zero(br_ssl_server_context *cc); /** * \brief Set an externally provided policy context. * * The policy context's methods are invoked to decide the cipher suite * and certificate chain, and to perform operations involving the server's * private key. * * \param cc server context. * \param pctx policy context (pointer to its vtable field). */ static inline void br_ssl_server_set_policy(br_ssl_server_context *cc, const br_ssl_server_policy_class **pctx) { cc->policy_vtable = pctx; } /** * \brief Set the server certificate chain and key (single RSA case). * * This function uses a policy context included in the server context. * It configures use of a single server certificate chain with a RSA * private key. The `allowed_usages` is a combination of usages, namely * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables * the corresponding cipher suites (i.e. `TLS_RSA_*` use the RSA key for * key exchange, while `TLS_ECDHE_RSA_*` use the RSA key for signatures). * * \param cc server context. * \param chain server certificate chain to send to the client. * \param chain_len chain length (number of certificates). * \param sk server private key (RSA). * \param allowed_usages allowed private key usages. * \param irsacore RSA core implementation. * \param irsasign RSA signature implementation (PKCS#1 v1.5). */ void br_ssl_server_set_single_rsa(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_rsa_private_key *sk, unsigned allowed_usages, br_rsa_private irsacore, br_rsa_pkcs1_sign irsasign); /** * \brief Set the server certificate chain and key (single EC case). * * This function uses a policy context included in the server context. * It configures use of a single server certificate chain with an EC * private key. The `allowed_usages` is a combination of usages, namely * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables * the corresponding cipher suites (i.e. `TLS_ECDH_*` use the EC key for * key exchange, while `TLS_ECDHE_ECDSA_*` use the EC key for signatures). * * In order to support `TLS_ECDH_*` cipher suites (non-ephemeral ECDH), * the algorithm type of the key used by the issuing CA to sign the * server's certificate must be provided, as `cert_issuer_key_type` * parameter (this value is either `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`). * * \param cc server context. * \param chain server certificate chain to send. * \param chain_len chain length (number of certificates). * \param sk server private key (EC). * \param allowed_usages allowed private key usages. * \param cert_issuer_key_type issuing CA's key type. * \param iec EC core implementation. * \param iecdsa ECDSA signature implementation ("asn1" format). */ void br_ssl_server_set_single_ec(br_ssl_server_context *cc, const br_x509_certificate *chain, size_t chain_len, const br_ec_private_key *sk, unsigned allowed_usages, unsigned cert_issuer_key_type, const br_ec_impl *iec, br_ecdsa_sign iecdsa); /** * \brief Activate client certificate authentication. * * The trust anchor encoded X.500 names (DN) to send to the client are * provided. A client certificate will be requested and validated through * the X.509 validator configured in the SSL engine. If `num` is 0, then * client certificate authentication is disabled. * * If the client does not send a certificate, or on validation failure, * the handshake aborts. Unauthenticated clients can be tolerated by * setting the `BR_OPT_TOLERATE_NO_CLIENT_AUTH` flag. * * The provided array is linked in, not copied, so that pointer must * remain valid as long as anchor names may be used. * * \param cc server context. * \param ta_names encoded trust anchor names. * \param num number of encoded trust anchor names. */ static inline void br_ssl_server_set_trust_anchor_names(br_ssl_server_context *cc, const br_x500_name *ta_names, size_t num) { cc->ta_names = ta_names; cc->tas = NULL; cc->num_tas = num; } /** * \brief Activate client certificate authentication. * * This is a variant for `br_ssl_server_set_trust_anchor_names()`: the * trust anchor names are provided not as an array of stand-alone names * (`br_x500_name` structures), but as an array of trust anchors * (`br_x509_trust_anchor` structures). The server engine itself will * only use the `dn` field of each trust anchor. This is meant to allow * defining a single array of trust anchors, to be used here and in the * X.509 validation engine itself. * * The provided array is linked in, not copied, so that pointer must * remain valid as long as anchor names may be used. * * \param cc server context. * \param tas trust anchors (only names are used). * \param num number of trust anchors. */ static inline void br_ssl_server_set_trust_anchor_names_alt(br_ssl_server_context *cc, const br_x509_trust_anchor *tas, size_t num) { cc->ta_names = NULL; cc->tas = tas; cc->num_tas = num; } /** * \brief Configure the cache for session parameters. * * The cache context is provided as a pointer to its first field (vtable * pointer). * * \param cc server context. * \param vtable session cache context. */ static inline void br_ssl_server_set_cache(br_ssl_server_context *cc, const br_ssl_session_cache_class **vtable) { cc->cache_vtable = vtable; } /** * \brief Prepare or reset a server context for handling an incoming client. * * \param cc server context. * \return 1 on success, 0 on error. */ int br_ssl_server_reset(br_ssl_server_context *cc); /* ===================================================================== */ /* * Context for the simplified I/O context. The transport medium is accessed * through the low_read() and low_write() callback functions, each with * its own opaque context pointer. * * low_read() read some bytes, at most 'len' bytes, into data[]. The * returned value is the number of read bytes, or -1 on error. * The 'len' parameter is guaranteed never to exceed 20000, * so the length always fits in an 'int' on all platforms. * * low_write() write up to 'len' bytes, to be read from data[]. The * returned value is the number of written bytes, or -1 on * error. The 'len' parameter is guaranteed never to exceed * 20000, so the length always fits in an 'int' on all * parameters. * * A socket closure (if the transport medium is a socket) should be reported * as an error (-1). The callbacks shall endeavour to block until at least * one byte can be read or written; a callback returning 0 at times is * acceptable, but this normally leads to the callback being immediately * called again, so the callback should at least always try to block for * some time if no I/O can take place. * * The SSL engine naturally applies some buffering, so the callbacks need * not apply buffers of their own. */ /** * \brief Context structure for the simplified SSL I/O wrapper. * * This structure is initialised with `br_sslio_init()`. Its contents * are opaque and shall not be accessed directly. */ typedef struct { #ifndef BR_DOXYGEN_IGNORE br_ssl_engine_context *engine; int (*low_read)(void *read_context, unsigned char *data, size_t len); void *read_context; int (*low_write)(void *write_context, const unsigned char *data, size_t len); void *write_context; #endif } br_sslio_context; /** * \brief Initialise a simplified I/O wrapper context. * * The simplified I/O wrapper offers a simpler read/write API for a SSL * engine (client or server), using the provided callback functions for * reading data from, or writing data to, the transport medium. * * The callback functions have the following semantics: * * - Each callback receives an opaque context value (of type `void *`) * that the callback may use arbitrarily (or possibly ignore). * * - `low_read()` reads at least one byte, at most `len` bytes, from * the transport medium. Read bytes shall be written in `data`. * * - `low_write()` writes at least one byte, at most `len` bytes, unto * the transport medium. The bytes to write are read from `data`. * * - The `len` parameter is never zero, and is always lower than 20000. * * - The number of processed bytes (read or written) is returned. Since * that number is less than 20000, it always fits on an `int`. * * - On error, the callbacks return -1. Reaching end-of-stream is an * error. Errors are permanent: the SSL connection is terminated. * * - Callbacks SHOULD NOT return 0. This is tolerated, as long as * callbacks endeavour to block for some non-negligible amount of * time until at least one byte can be sent or received (if a * callback returns 0, then the wrapper invokes it again * immediately). * * - Callbacks MAY return as soon as at least one byte is processed; * they MAY also insist on reading or writing _all_ requested bytes. * Since SSL is a self-terminated protocol (each record has a length * header), this does not change semantics. * * - Callbacks need not apply any buffering (for performance) since SSL * itself uses buffers. * * \param ctx wrapper context to initialise. * \param engine SSL engine to wrap. * \param low_read callback for reading data from the transport. * \param read_context context pointer for `low_read()`. * \param low_write callback for writing data on the transport. * \param write_context context pointer for `low_write()`. */ void br_sslio_init(br_sslio_context *ctx, br_ssl_engine_context *engine, int (*low_read)(void *read_context, unsigned char *data, size_t len), void *read_context, int (*low_write)(void *write_context, const unsigned char *data, size_t len), void *write_context); /** * \brief Read some application data from a SSL connection. * * If `len` is zero, then this function returns 0 immediately. In * all other cases, it never returns 0. * * This call returns only when at least one byte has been obtained. * Returned value is the number of bytes read, or -1 on error. The * number of bytes always fits on an 'int' (data from a single SSL/TLS * record is returned). * * On error or SSL closure, this function returns -1. The caller should * inspect the error status on the SSL engine to distinguish between * normal closure and error. * * \param cc SSL wrapper context. * \param dst destination buffer for application data. * \param len maximum number of bytes to obtain. * \return number of bytes obtained, or -1 on error. */ int br_sslio_read(br_sslio_context *cc, void *dst, size_t len); /** * \brief Read application data from a SSL connection. * * This calls returns only when _all_ requested `len` bytes are read, * or an error is reached. Returned value is 0 on success, -1 on error. * A normal (verified) SSL closure before that many bytes are obtained * is reported as an error by this function. * * \param cc SSL wrapper context. * \param dst destination buffer for application data. * \param len number of bytes to obtain. * \return 0 on success, or -1 on error. */ int br_sslio_read_all(br_sslio_context *cc, void *dst, size_t len); /** * \brief Write some application data unto a SSL connection. * * If `len` is zero, then this function returns 0 immediately. In * all other cases, it never returns 0. * * This call returns only when at least one byte has been written. * Returned value is the number of bytes written, or -1 on error. The * number of bytes always fits on an 'int' (less than 20000). * * On error or SSL closure, this function returns -1. The caller should * inspect the error status on the SSL engine to distinguish between * normal closure and error. * * **Important:** SSL is buffered; a "written" byte is a byte that was * injected into the wrapped SSL engine, but this does not necessarily mean * that it has been scheduled for sending. Use `br_sslio_flush()` to * ensure that all pending data has been sent to the transport medium. * * \param cc SSL wrapper context. * \param src source buffer for application data. * \param len maximum number of bytes to write. * \return number of bytes written, or -1 on error. */ int br_sslio_write(br_sslio_context *cc, const void *src, size_t len); /** * \brief Write application data unto a SSL connection. * * This calls returns only when _all_ requested `len` bytes have been * written, or an error is reached. Returned value is 0 on success, -1 * on error. A normal (verified) SSL closure before that many bytes are * written is reported as an error by this function. * * **Important:** SSL is buffered; a "written" byte is a byte that was * injected into the wrapped SSL engine, but this does not necessarily mean * that it has been scheduled for sending. Use `br_sslio_flush()` to * ensure that all pending data has been sent to the transport medium. * * \param cc SSL wrapper context. * \param src source buffer for application data. * \param len number of bytes to write. * \return 0 on success, or -1 on error. */ int br_sslio_write_all(br_sslio_context *cc, const void *src, size_t len); /** * \brief Flush pending data. * * This call makes sure that any buffered application data in the * provided context (including the wrapped SSL engine) has been sent * to the transport medium (i.e. accepted by the `low_write()` callback * method). If there is no such pending data, then this function does * nothing (and returns a success, i.e. 0). * * If the underlying transport medium has its own buffers, then it is * up to the caller to ensure the corresponding flushing. * * Returned value is 0 on success, -1 on error. * * \param cc SSL wrapper context. * \return 0 on success, or -1 on error. */ int br_sslio_flush(br_sslio_context *cc); /** * \brief Close the SSL connection. * * This call runs the SSL closure protocol (sending a `close_notify`, * receiving the response `close_notify`). When it returns, the SSL * connection is finished. It is still up to the caller to manage the * possible transport-level termination, if applicable (alternatively, * the underlying transport stream may be reused for non-SSL messages). * * Returned value is 0 on success, -1 on error. A failure by the peer * to process the complete closure protocol (i.e. sending back the * `close_notify`) is an error. * * \param cc SSL wrapper context. * \return 0 on success, or -1 on error. */ int br_sslio_close(br_sslio_context *cc); /* ===================================================================== */ /* * Symbolic constants for cipher suites. */ /* From RFC 5246 */ #define BR_TLS_NULL_WITH_NULL_NULL 0x0000 #define BR_TLS_RSA_WITH_NULL_MD5 0x0001 #define BR_TLS_RSA_WITH_NULL_SHA 0x0002 #define BR_TLS_RSA_WITH_NULL_SHA256 0x003B #define BR_TLS_RSA_WITH_RC4_128_MD5 0x0004 #define BR_TLS_RSA_WITH_RC4_128_SHA 0x0005 #define BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A #define BR_TLS_RSA_WITH_AES_128_CBC_SHA 0x002F #define BR_TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 #define BR_TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C #define BR_TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D #define BR_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D #define BR_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 #define BR_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 #define BR_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 #define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 #define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 #define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 #define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 #define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 #define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 #define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 #define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 #define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E #define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F #define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 #define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 #define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068 #define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069 #define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A #define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B #define BR_TLS_DH_anon_WITH_RC4_128_MD5 0x0018 #define BR_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B #define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 #define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A #define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C #define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D /* From RFC 4492 */ #define BR_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 #define BR_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002 #define BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003 #define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004 #define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005 #define BR_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 #define BR_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007 #define BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008 #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A #define BR_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B #define BR_TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C #define BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D #define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E #define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F #define BR_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 #define BR_TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 #define BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 #define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 #define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 #define BR_TLS_ECDH_anon_WITH_NULL_SHA 0xC015 #define BR_TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016 #define BR_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017 #define BR_TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 #define BR_TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019 /* From RFC 5288 */ #define BR_TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C #define BR_TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D #define BR_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E #define BR_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F #define BR_TLS_DH_RSA_WITH_AES_128_GCM_SHA256 0x00A0 #define BR_TLS_DH_RSA_WITH_AES_256_GCM_SHA384 0x00A1 #define BR_TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 #define BR_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3 #define BR_TLS_DH_DSS_WITH_AES_128_GCM_SHA256 0x00A4 #define BR_TLS_DH_DSS_WITH_AES_256_GCM_SHA384 0x00A5 #define BR_TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6 #define BR_TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7 /* From RFC 5289 */ #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 #define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025 #define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026 #define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 #define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 #define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029 #define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A #define BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B #define BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C #define BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D #define BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E #define BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F #define BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 #define BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 #define BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 /* From RFC 7905 */ #define BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 #define BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 #define BR_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA #define BR_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB #define BR_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC #define BR_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD #define BR_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE /* From RFC 7507 */ #define BR_TLS_FALLBACK_SCSV 0x5600 /* * Symbolic constants for alerts. */ #define BR_ALERT_CLOSE_NOTIFY 0 #define BR_ALERT_UNEXPECTED_MESSAGE 10 #define BR_ALERT_BAD_RECORD_MAC 20 #define BR_ALERT_RECORD_OVERFLOW 22 #define BR_ALERT_DECOMPRESSION_FAILURE 30 #define BR_ALERT_HANDSHAKE_FAILURE 40 #define BR_ALERT_BAD_CERTIFICATE 42 #define BR_ALERT_UNSUPPORTED_CERTIFICATE 43 #define BR_ALERT_CERTIFICATE_REVOKED 44 #define BR_ALERT_CERTIFICATE_EXPIRED 45 #define BR_ALERT_CERTIFICATE_UNKNOWN 46 #define BR_ALERT_ILLEGAL_PARAMETER 47 #define BR_ALERT_UNKNOWN_CA 48 #define BR_ALERT_ACCESS_DENIED 49 #define BR_ALERT_DECODE_ERROR 50 #define BR_ALERT_DECRYPT_ERROR 51 #define BR_ALERT_PROTOCOL_VERSION 70 #define BR_ALERT_INSUFFICIENT_SECURITY 71 #define BR_ALERT_INTERNAL_ERROR 80 #define BR_ALERT_USER_CANCELED 90 #define BR_ALERT_NO_RENEGOTIATION 100 #define BR_ALERT_UNSUPPORTED_EXTENSION 110 #define BR_ALERT_NO_APPLICATION_PROTOCOL 120 #ifdef __cplusplus } #endif #endif