tls.h (6403B)
1 #ifndef TLS_H 2 #define TLS_H 3 4 #include <stdint.h> 5 #include <stdlib.h> 6 7 /* tls 1.3 8 * -- 9 * see: https://datatracker.ietf.org/doc/html/rfc8446 10 */ 11 12 /* record - tls record layer funcitons */ 13 14 #define TLS_INNER_PLAINTEXT_MAX_SIZE (1 << 14) // 16K 15 16 #define TLS_RECORD_CONTENT_TYPE_SIZE 1 17 #define TLS_RECORD_AEAD_EXPANSION_SIZE 255 18 19 #define TLS_RECORD_MAX_SIZE \ 20 (TLS_INNER_PLAINTEXT_MAX_SIZE \ 21 + TLS_RECORD_CONTENT_TYPE_SIZE \ 22 + TLS_RECORD_AEAD_EXPANSION_SIZE) 23 24 enum tls_content_type { 25 TLS_CONTENT_INVALID = 0, 26 TLS_CONTENT_CHANGE_CIPHER_SPEC = 20, 27 TLS_CONTENT_ALERT = 21, 28 TLS_CONTENT_HANDSHAKE = 22, 29 TLS_CONTENT_APPLICATION_DATA = 23, 30 _TLS_CONTENT_MAX = 255, 31 }; 32 33 struct tls_plaintext { 34 enum tls_content_type type; 35 uint16_t protocol_version; 36 uint16_t length; 37 uint8_t *fragment; 38 }; 39 40 struct tls_inner_plaintext { 41 uint8_t *fragment; 42 /* uint16_t length = tls_plaintext.length; */ 43 enum tls_content_type type; 44 uint8_t padding; 45 }; 46 47 struct tls_ciphertext { 48 /* enum tls_content_type type = TLS_CONTENT_APPLICATION_DATA; */ 49 /* uint16_t protocol_version = 0x0303 */ 50 uint16_t length; 51 uint8_t *encrypted; 52 }; 53 54 /* tls - tls functions */ 55 56 enum tls_version { 57 TLS_VERSION_1_3, 58 }; 59 60 enum tls_handshake_type { 61 TLS_HANDSHAKE_CLIENT_HELLO = 1, 62 TLS_HANDSHAKE_SERVER_HELLO = 2, 63 TLS_HANDSHAKE_NEW_SESSION_TICKET = 4, 64 TLS_HANDSHAKE_END_OF_EARLY_DATA = 5, 65 TLS_HANDSHAKE_ENCRYPTED_EXTENISONS = 8, 66 TLS_HANDSHAKE_CERTIFICATE = 11, 67 TLS_HANDSHAKE_CERTIFICATE_REQUEST = 13, 68 TLS_HANDSHAKE_CERTIFICATE_VERIFY = 15, 69 TLS_HANDSHAKE_FINISHED = 20, 70 TLS_HANDSHAKE_KEY_UPDATE = 24, 71 TLS_HANDSHAKE_MESSAGE_HASH = 254, 72 _TLS_HANDSHAKE_MAX = 255 73 }; 74 75 struct tls_handshake { 76 enum tls_handshake_type type; 77 uint32_t length; 78 }; 79 80 enum tls_extension_type { 81 TLS_EXTENSION_SERVER_NAME = 0, 82 TLS_EXTENSION_MAX_FRAGMENT_LENGTH = 1, 83 TLS_EXTENSION_STATUS_REQUEST = 5, 84 TLS_EXTENSION_SUPPORTED_GROUPS = 10, 85 TLS_EXTENSION_SIGNATURE_ALGORITHMS = 13, 86 TLS_EXTENSION_USE_SRTP = 14, 87 TLS_EXTENSION_HEARTBEAT = 15, 88 TLS_EXTENSION_ALPN = 16, 89 TLS_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP = 18, 90 TLS_EXTENSION_CLIENT_CERTIFICATE_TYPE = 19, 91 TLS_EXTENSION_SERVER_CERTIFICATE_TYPE = 20, 92 TLS_EXTENSION_PADDING = 21, 93 TLS_EXTENSION_PSK = 41, 94 TLS_EXTENSION_EARLY_DATA = 42, 95 TLS_EXTENSION_SUPPORTED_VERSIONS = 43, 96 TLS_EXTENSION_COOKIE = 44, 97 TLS_EXTENSION_PSK_KEX_MODES = 45, 98 TLS_EXTENSION_CERTIFICATE_AUTHORITIES = 47, 99 TLS_EXTENSION_OID_FILTERS = 48, 100 TLS_EXTENSION_POST_HANDSHAKE_AUTH = 49, 101 TLS_EXTENSION_SIGNATURE_ALGORITHMS_CERT = 50, 102 TLS_EXTENSION_KEY_SHARE = 51, 103 _TLS_EXTENSION_MAX = 65535, 104 }; 105 106 struct tls_cookie { 107 uint8_t *cookie; 108 }; 109 110 enum tls_signature_scheme { 111 TLS_SIGNATURE_RSA_PKCS1_SHA256 = 0x0401, 112 TLS_SIGNATURE_RSA_PKCS1_SHA384 = 0x0501, 113 TLS_SIGNATURE_RSA_PKCS1_SHA512 = 0x0601, 114 115 TLS_SIGNATURE_ECDSA_SECP256R1_SHA256 = 0x0403, 116 TLS_SIGNATURE_ECDSA_SECP384R1_SHA384 = 0x0503, 117 TLS_SIGNATURE_ECDSA_SECP521R1_SHA512 = 0x0603, 118 119 TLS_SIGNATURE_RSA_PSS_RSAE_SHA256 = 0x0804, 120 TLS_SIGNATURE_RSA_PSS_RSAE_SHA384 = 0x0805, 121 TLS_SIGNATURE_RSA_PSS_RSAE_SHA512 = 0x0806, 122 123 TLS_SIGNATURE_ED25519 = 0x0807, 124 TLS_SIGNATURE_ED448 = 0x0808, 125 126 TLS_SIGNATURE_RSA_PSS_PSS_SHA256 = 0x0809, 127 TLS_SIGNATURE_RSA_PSS_PSS_SHA384 = 0x080a, 128 TLS_SIGNATURE_RSA_PSS_PSS_SHA512 = 0x080b, 129 130 TLS_SIGNATURE_RSA_PKCS1_SHA1 = 0x0201, 131 TLS_SIGNATURE_ECDSA_SHA1 = 0x0203, 132 }; 133 134 enum tls_named_group { 135 TLS_NAMED_GROUP_SECP256R1 = 0x0017, 136 TLS_NAMED_GROUP_SECP384R1 = 0x0018, 137 TLS_NAMED_GROUP_SECP521R1 = 0x0019, 138 139 TLS_NAMED_GROUP_X25519 = 0x001d, 140 TLS_NAMED_GROUP_X448 = 0x001e, 141 142 TLS_NAMED_GROUP_FFDHE2048 = 0x0100, 143 TLS_NAMED_GROUP_FFDHE3072 = 0x0101, 144 TLS_NAMED_GROUP_FFDHE4096 = 0x0102, 145 TLS_NAMED_GROUP_FFDHE6144 = 0x0103, 146 TLS_NAMED_GROUP_FFDHE8192 = 0x0104, 147 148 TLS_NAMED_GROUP_FFDHE_PRIVATE_USE_MIN = 0x01fc, 149 TLS_NAMED_GROUP_FFDHE_PRIVATE_USE_MAX = 0x01fe, 150 151 TLS_NAMED_GROUP_ECDHE_PRIVATE_USE_MIN = 0xfe00, 152 TLS_NAMED_GROUP_ECDHE_PRIVATE_USE_MAX = 0xfeff, 153 }; 154 155 struct tls_key_share_entry { 156 enum tls_named_group group; 157 uint8_t *key_exchange; 158 }; 159 160 enum tls_psk_kex_modes { 161 TLS_PSK_KEX = 0, 162 TLS_PSK_DHE_KEX = 1, 163 _TLS_PSK_MAX = 255, 164 }; 165 166 struct tls_psk_identity { 167 uint8_t *identity; 168 uint32_t obfuscated_ticket_age; 169 }; 170 171 struct tls_psk_binder_entry { 172 uint8_t *data; 173 }; 174 175 enum tls_certificate_type { 176 TLS_CERTIFICATE_X509 = 0, 177 TLS_CERTFICAITE_RAW_PUBLIC_KEY = 2, 178 _TLS_CERTIFICATE_MAX = 255, 179 }; 180 181 struct tls_new_session_ticket { 182 uint32_t lifetime; 183 uint32_t age_add; 184 uint8_t *nonce; 185 uint8_t *ticket; 186 }; 187 188 enum tls_key_update_request { 189 TLS_KEY_UPDATE_NOT_REQUESTED, 190 TLS_KEY_UPDATE_REQUESTED, 191 }; 192 193 enum tls_alert_level { 194 TLS_WARNING = 1, 195 TLS_FATAL = 2, 196 }; 197 198 enum tls_alert_description { 199 TLS_ALERT_CLOSE_NOTIFY = 0, 200 TLS_ALERT_UNEXPECTED_MESSAGE = 10, 201 TLS_ALERT_BAD_RECORD_MAC = 20, 202 TLS_ALERT_RECORD_OVERFLOW = 22, 203 TLS_ALERT_HANDSHAKE_FAILURE = 40, 204 TLS_ALERT_BAD_CERTIFICATE = 42, 205 TLS_ALERT_UNSUPPORTED_CERTIFICATE = 43, 206 TLS_ALERT_CERTIFICATE_REVOKED = 44, 207 TLS_ALERT_CERTIFICATE_EXPIRED = 45, 208 TLS_ALERT_CERTIFICATE_UNKNOWN = 46, 209 TLS_ALERT_ILLEGAL_PARAMETER = 47, 210 TLS_ALERT_UNKNOWN_CA = 48, 211 TLS_ALERT_ACCESS_DENIED = 49, 212 TLS_ALERT_DECODE_ERROR = 50, 213 TLS_ALERT_DECRYPT_ERROR = 51, 214 TLS_ALERT_PROTOCOL_VERSION = 70, 215 TLS_ALERT_INSUFFICIENT_SECURITY = 71, 216 TLS_ALERT_INTERNAL_ERROR = 80, 217 TLS_ALERT_INAPPROPRIATE_FALLBACK = 86, 218 TLS_ALERT_USER_CANCELED = 90, 219 TLS_ALERT_MISSING_EXTENSION = 109, 220 TLS_ALERT_UNSUPPORTED_EXTENSION = 110, 221 TLS_ALERT_UNRECOGNISED_NAME = 112, 222 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE = 113, 223 TLS_ALERT_UNKNOWN_PSK_IDENTITY = 115, 224 TLS_ALERT_CERTIFICATE_REQUIRED = 116, 225 TLS_ALERT_NO_APPLICATION_PROTOCOL = 120, 226 }; 227 228 struct tls_alert { 229 enum tls_alert_level level; 230 enum tls_alert_description description; 231 }; 232 233 struct tls_session { 234 uint8_t *buf; 235 size_t cap, len; 236 }; 237 238 void 239 tls_session_init(); 240 241 void 242 tls_session_set_keys(); 243 244 void 245 tls_session_set_cert(); 246 247 void 248 tls_session_set_psk(); 249 250 void 251 tls_session_server_handshake(); 252 253 void 254 tls_session_client_handshake(); 255 256 void 257 tls_session_step(); 258 259 uint8_t * 260 tls_session_recv(); 261 262 void 263 tls_session_recv_commit(); 264 265 uint8_t * 266 tls_session_send(); 267 268 void 269 tls_session_send_commit(); 270 271 int 272 tls_session_pull(); 273 274 int 275 tls_session_push(); 276 277 int 278 tls_session_flush(); 279 280 /* crypto - replace with real crypto library */ 281 282 #include "x25519.h" 283 284 #endif /* TLS_H */