1/* 2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org> 3 * 4 * Permission is hereby granted, free of charge, to any person obtaining 5 * a copy of this software and associated documentation files (the 6 * "Software"), to deal in the Software without restriction, including 7 * without limitation the rights to use, copy, modify, merge, publish, 8 * distribute, sublicense, and/or sell copies of the Software, and to 9 * permit persons to whom the Software is furnished to do so, subject to 10 * the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25#ifndef BR_BEARSSL_SSL_H__ 26#define BR_BEARSSL_SSL_H__ 27 28#include <stddef.h> 29#include <stdint.h> 30 31#include "bearssl_block.h" 32#include "bearssl_hash.h" 33#include "bearssl_hmac.h" 34#include "bearssl_prf.h" 35#include "bearssl_rand.h" 36#include "bearssl_x509.h" 37 38#ifdef __cplusplus 39extern "C" { 40#endif 41 42/** \file bearssl_ssl.h 43 * 44 * # SSL 45 * 46 * For an overview of the SSL/TLS API, see [the BearSSL Web 47 * site](https://www.bearssl.org/api1.html). 48 * 49 * The `BR_TLS_*` constants correspond to the standard cipher suites and 50 * their values in the [IANA 51 * registry](http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4). 52 * 53 * The `BR_ALERT_*` constants are for standard TLS alert messages. When 54 * a fatal alert message is sent of received, then the SSL engine context 55 * status is set to the sum of that alert value (an integer in the 0..255 56 * range) and a fixed offset (`BR_ERR_SEND_FATAL_ALERT` for a sent alert, 57 * `BR_ERR_RECV_FATAL_ALERT` for a received alert). 58 */ 59 60/** \brief Optimal input buffer size. */ 61#define BR_SSL_BUFSIZE_INPUT (16384 + 325) 62 63/** \brief Optimal output buffer size. */ 64#define BR_SSL_BUFSIZE_OUTPUT (16384 + 85) 65 66/** \brief Optimal buffer size for monodirectional engine 67 (shared input/output buffer). */ 68#define BR_SSL_BUFSIZE_MONO BR_SSL_BUFSIZE_INPUT 69 70/** \brief Optimal buffer size for bidirectional engine 71 (single buffer split into two separate input/output buffers). */ 72#define BR_SSL_BUFSIZE_BIDI (BR_SSL_BUFSIZE_INPUT + BR_SSL_BUFSIZE_OUTPUT) 73 74/* 75 * Constants for known SSL/TLS protocol versions (SSL 3.0, TLS 1.0, TLS 1.1 76 * and TLS 1.2). Note that though there is a constant for SSL 3.0, that 77 * protocol version is not actually supported. 78 */ 79 80/** \brief Protocol version: SSL 3.0 (unsupported). */ 81#define BR_SSL30 0x0300 82/** \brief Protocol version: TLS 1.0. */ 83#define BR_TLS10 0x0301 84/** \brief Protocol version: TLS 1.1. */ 85#define BR_TLS11 0x0302 86/** \brief Protocol version: TLS 1.2. */ 87#define BR_TLS12 0x0303 88 89/* 90 * Error constants. They are used to report the reason why a context has 91 * been marked as failed. 92 * 93 * Implementation note: SSL-level error codes should be in the 1..31 94 * range. The 32..63 range is for certificate decoding and validation 95 * errors. Received fatal alerts imply an error code in the 256..511 range. 96 */ 97 98/** \brief SSL status: no error so far (0). */ 99#define BR_ERR_OK 0 100 101/** \brief SSL status: caller-provided parameter is incorrect. */ 102#define BR_ERR_BAD_PARAM 1 103 104/** \brief SSL status: operation requested by the caller cannot be applied 105 with the current context state (e.g. reading data while outgoing data 106 is waiting to be sent). */ 107#define BR_ERR_BAD_STATE 2 108 109/** \brief SSL status: incoming protocol or record version is unsupported. */ 110#define BR_ERR_UNSUPPORTED_VERSION 3 111 112/** \brief SSL status: incoming record version does not match the expected 113 version. */ 114#define BR_ERR_BAD_VERSION 4 115 116/** \brief SSL status: incoming record length is invalid. */ 117#define BR_ERR_BAD_LENGTH 5 118 119/** \brief SSL status: incoming record is too large to be processed, or 120 buffer is too small for the handshake message to send. */ 121#define BR_ERR_TOO_LARGE 6 122 123/** \brief SSL status: decryption found an invalid padding, or the record 124 MAC is not correct. */ 125#define BR_ERR_BAD_MAC 7 126 127/** \brief SSL status: no initial entropy was provided, and none can be 128 obtained from the OS. */ 129#define BR_ERR_NO_RANDOM 8 130 131/** \brief SSL status: incoming record type is unknown. */ 132#define BR_ERR_UNKNOWN_TYPE 9 133 134/** \brief SSL status: incoming record or message has wrong type with 135 regards to the current engine state. */ 136#define BR_ERR_UNEXPECTED 10 137 138/** \brief SSL status: ChangeCipherSpec message from the peer has invalid 139 contents. */ 140#define BR_ERR_BAD_CCS 12 141 142/** \brief SSL status: alert message from the peer has invalid contents 143 (odd length). */ 144#define BR_ERR_BAD_ALERT 13 145 146/** \brief SSL status: incoming handshake message decoding failed. */ 147#define BR_ERR_BAD_HANDSHAKE 14 148 149/** \brief SSL status: ServerHello contains a session ID which is larger 150 than 32 bytes. */ 151#define BR_ERR_OVERSIZED_ID 15 152 153/** \brief SSL status: server wants to use a cipher suite that we did 154 not claim to support. This is also reported if we tried to advertise 155 a cipher suite that we do not support. */ 156#define BR_ERR_BAD_CIPHER_SUITE 16 157 158/** \brief SSL status: server wants to use a compression that we did not 159 claim to support. */ 160#define BR_ERR_BAD_COMPRESSION 17 161 162/** \brief SSL status: server's max fragment length does not match 163 client's. */ 164#define BR_ERR_BAD_FRAGLEN 18 165 166/** \brief SSL status: secure renegotiation failed. */ 167#define BR_ERR_BAD_SECRENEG 19 168 169/** \brief SSL status: server sent an extension type that we did not 170 announce, or used the same extension type several times in a single 171 ServerHello. */ 172#define BR_ERR_EXTRA_EXTENSION 20 173 174/** \brief SSL status: invalid Server Name Indication contents (when 175 used by the server, this extension shall be empty). */ 176#define BR_ERR_BAD_SNI 21 177 178/** \brief SSL status: invalid ServerHelloDone from the server (length 179 is not 0). */ 180#define BR_ERR_BAD_HELLO_DONE 22 181 182/** \brief SSL status: internal limit exceeded (e.g. server's public key 183 is too large). */ 184#define BR_ERR_LIMIT_EXCEEDED 23 185 186/** \brief SSL status: Finished message from peer does not match the 187 expected value. */ 188#define BR_ERR_BAD_FINISHED 24 189 190/** \brief SSL status: session resumption attempt with distinct version 191 or cipher suite. */ 192#define BR_ERR_RESUME_MISMATCH 25 193 194/** \brief SSL status: unsupported or invalid algorithm (ECDHE curve, 195 signature algorithm, hash function). */ 196#define BR_ERR_INVALID_ALGORITHM 26 197 198/** \brief SSL status: invalid signature (on ServerKeyExchange from 199 server, or in CertificateVerify from client). */ 200#define BR_ERR_BAD_SIGNATURE 27 201 202/** \brief SSL status: peer's public key does not have the proper type 203 or is not allowed for requested operation. */ 204#define BR_ERR_WRONG_KEY_USAGE 28 205 206/** \brief SSL status: client did not send a certificate upon request, 207 or the client certificate could not be validated. */ 208#define BR_ERR_NO_CLIENT_AUTH 29 209 210/** \brief SSL status: I/O error or premature close on underlying 211 transport stream. This error code is set only by the simplified 212 I/O API ("br_sslio_*"). */ 213#define BR_ERR_IO 31 214 215/** \brief SSL status: base value for a received fatal alert. 216 217 When a fatal alert is received from the peer, the alert value 218 is added to this constant. */ 219#define BR_ERR_RECV_FATAL_ALERT 256 220 221/** \brief SSL status: base value for a sent fatal alert. 222 223 When a fatal alert is sent to the peer, the alert value is added 224 to this constant. */ 225#define BR_ERR_SEND_FATAL_ALERT 512 226 227/* ===================================================================== */ 228 229/** 230 * \brief Decryption engine for SSL. 231 * 232 * When processing incoming records, the SSL engine will use a decryption 233 * engine that uses a specific context structure, and has a set of 234 * methods (a vtable) that follows this template. 235 * 236 * The decryption engine is responsible for applying decryption, verifying 237 * MAC, and keeping track of the record sequence number. 238 */ 239typedef struct br_sslrec_in_class_ br_sslrec_in_class; 240struct br_sslrec_in_class_ { 241 /** 242 * \brief Context size (in bytes). 243 */ 244 size_t context_size; 245 246 /** 247 * \brief Test validity of the incoming record length. 248 * 249 * This function returns 1 if the announced length for an 250 * incoming record is valid, 0 otherwise, 251 * 252 * \param ctx decryption engine context. 253 * \param record_len incoming record length. 254 * \return 1 of a valid length, 0 otherwise. 255 */ 256 int (*check_length)(const br_sslrec_in_class *const *ctx, 257 size_t record_len); 258 259 /** 260 * \brief Decrypt the incoming record. 261 * 262 * This function may assume that the record length is valid 263 * (it has been previously tested with `check_length()`). 264 * Decryption is done in place; `*len` is updated with the 265 * cleartext length, and the address of the first plaintext 266 * byte is returned. If the record is correct but empty, then 267 * `*len` is set to 0 and a non-`NULL` pointer is returned. 268 * 269 * On decryption/MAC error, `NULL` is returned. 270 * 271 * \param ctx decryption engine context. 272 * \param record_type record type (23 for application data, etc). 273 * \param version record version. 274 * \param payload address of encrypted payload. 275 * \param len pointer to payload length (updated). 276 * \return pointer to plaintext, or `NULL` on error. 277 */ 278 unsigned char *(*decrypt)(const br_sslrec_in_class **ctx, 279 int record_type, unsigned version, 280 void *payload, size_t *len); 281}; 282 283/** 284 * \brief Encryption engine for SSL. 285 * 286 * When building outgoing records, the SSL engine will use an encryption 287 * engine that uses a specific context structure, and has a set of 288 * methods (a vtable) that follows this template. 289 * 290 * The encryption engine is responsible for applying encryption and MAC, 291 * and keeping track of the record sequence number. 292 */ 293typedef struct br_sslrec_out_class_ br_sslrec_out_class; 294struct br_sslrec_out_class_ { 295 /** 296 * \brief Context size (in bytes). 297 */ 298 size_t context_size; 299 300 /** 301 * \brief Compute maximum plaintext sizes and offsets. 302 * 303 * When this function is called, the `*start` and `*end` 304 * values contain offsets designating the free area in the 305 * outgoing buffer for plaintext data; that free area is 306 * preceded by a 5-byte space which will receive the record 307 * header. 308 * 309 * The `max_plaintext()` function is responsible for adjusting 310 * both `*start` and `*end` to make room for any record-specific 311 * header, MAC, padding, and possible split. 312 * 313 * \param ctx encryption engine context. 314 * \param start pointer to start of plaintext offset (updated). 315 * \param end pointer to start of plaintext offset (updated). 316 */ 317 void (*max_plaintext)(const br_sslrec_out_class *const *ctx, 318 size_t *start, size_t *end); 319 320 /** 321 * \brief Perform record encryption. 322 * 323 * This function encrypts the record. The plaintext address and 324 * length are provided. Returned value is the start of the 325 * encrypted record (or sequence of records, if a split was 326 * performed), _including_ the 5-byte header, and `*len` is 327 * adjusted to the total size of the record(s), there again 328 * including the header(s). 329 * 330 * \param ctx decryption engine context. 331 * \param record_type record type (23 for application data, etc). 332 * \param version record version. 333 * \param plaintext address of plaintext. 334 * \param len pointer to plaintext length (updated). 335 * \return pointer to start of built record. 336 */ 337 unsigned char *(*encrypt)(const br_sslrec_out_class **ctx, 338 int record_type, unsigned version, 339 void *plaintext, size_t *len); 340}; 341 342/** 343 * \brief Context for a no-encryption engine. 344 * 345 * The no-encryption engine processes outgoing records during the initial 346 * handshake, before encryption is applied. 347 */ 348typedef struct { 349 /** \brief No-encryption engine vtable. */ 350 const br_sslrec_out_class *vtable; 351} br_sslrec_out_clear_context; 352 353/** \brief Static, constant vtable for the no-encryption engine. */ 354extern const br_sslrec_out_class br_sslrec_out_clear_vtable; 355 356/* ===================================================================== */ 357 358/** 359 * \brief Record decryption engine class, for CBC mode. 360 * 361 * This class type extends the decryption engine class with an 362 * initialisation method that receives the parameters needed 363 * for CBC processing: block cipher implementation, block cipher key, 364 * HMAC parameters (hash function, key, MAC length), and IV. If the 365 * IV is `NULL`, then a per-record IV will be used (TLS 1.1+). 366 */ 367typedef struct br_sslrec_in_cbc_class_ br_sslrec_in_cbc_class; 368struct br_sslrec_in_cbc_class_ { 369 /** 370 * \brief Superclass, as first vtable field. 371 */ 372 br_sslrec_in_class inner; 373 374 /** 375 * \brief Engine initialisation method. 376 * 377 * This method sets the vtable field in the context. 378 * 379 * \param ctx context to initialise. 380 * \param bc_impl block cipher implementation (CBC decryption). 381 * \param bc_key block cipher key. 382 * \param bc_key_len block cipher key length (in bytes). 383 * \param dig_impl hash function for HMAC. 384 * \param mac_key HMAC key. 385 * \param mac_key_len HMAC key length (in bytes). 386 * \param mac_out_len HMAC output length (in bytes). 387 * \param iv initial IV (or `NULL`). 388 */ 389 void (*init)(const br_sslrec_in_cbc_class **ctx, 390 const br_block_cbcdec_class *bc_impl, 391 const void *bc_key, size_t bc_key_len, 392 const br_hash_class *dig_impl, 393 const void *mac_key, size_t mac_key_len, size_t mac_out_len, 394 const void *iv); 395}; 396 397/** 398 * \brief Record encryption engine class, for CBC mode. 399 * 400 * This class type extends the encryption engine class with an 401 * initialisation method that receives the parameters needed 402 * for CBC processing: block cipher implementation, block cipher key, 403 * HMAC parameters (hash function, key, MAC length), and IV. If the 404 * IV is `NULL`, then a per-record IV will be used (TLS 1.1+). 405 */ 406typedef struct br_sslrec_out_cbc_class_ br_sslrec_out_cbc_class; 407struct br_sslrec_out_cbc_class_ { 408 /** 409 * \brief Superclass, as first vtable field. 410 */ 411 br_sslrec_out_class inner; 412 413 /** 414 * \brief Engine initialisation method. 415 * 416 * This method sets the vtable field in the context. 417 * 418 * \param ctx context to initialise. 419 * \param bc_impl block cipher implementation (CBC encryption). 420 * \param bc_key block cipher key. 421 * \param bc_key_len block cipher key length (in bytes). 422 * \param dig_impl hash function for HMAC. 423 * \param mac_key HMAC key. 424 * \param mac_key_len HMAC key length (in bytes). 425 * \param mac_out_len HMAC output length (in bytes). 426 * \param iv initial IV (or `NULL`). 427 */ 428 void (*init)(const br_sslrec_out_cbc_class **ctx, 429 const br_block_cbcenc_class *bc_impl, 430 const void *bc_key, size_t bc_key_len, 431 const br_hash_class *dig_impl, 432 const void *mac_key, size_t mac_key_len, size_t mac_out_len, 433 const void *iv); 434}; 435 436/** 437 * \brief Context structure for decrypting incoming records with 438 * CBC + HMAC. 439 * 440 * The first field points to the vtable. The other fields are opaque 441 * and shall not be accessed directly. 442 */ 443typedef struct { 444 /** \brief Pointer to vtable. */ 445 const br_sslrec_in_cbc_class *vtable; 446#ifndef BR_DOXYGEN_IGNORE 447 uint64_t seq; 448 union { 449 const br_block_cbcdec_class *vtable; 450 br_aes_gen_cbcdec_keys aes; 451 br_des_gen_cbcdec_keys des; 452 } bc; 453 br_hmac_key_context mac; 454 size_t mac_len; 455 unsigned char iv[16]; 456 int explicit_IV; 457#endif 458} br_sslrec_in_cbc_context; 459 460/** 461 * \brief Static, constant vtable for record decryption with CBC. 462 */ 463extern const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable; 464 465/** 466 * \brief Context structure for encrypting outgoing records with 467 * CBC + HMAC. 468 * 469 * The first field points to the vtable. The other fields are opaque 470 * and shall not be accessed directly. 471 */ 472typedef struct { 473 /** \brief Pointer to vtable. */ 474 const br_sslrec_out_cbc_class *vtable; 475#ifndef BR_DOXYGEN_IGNORE 476 uint64_t seq; 477 union { 478 const br_block_cbcenc_class *vtable; 479 br_aes_gen_cbcenc_keys aes; 480 br_des_gen_cbcenc_keys des; 481 } bc; 482 br_hmac_key_context mac; 483 size_t mac_len; 484 unsigned char iv[16]; 485 int explicit_IV; 486#endif 487} br_sslrec_out_cbc_context; 488 489/** 490 * \brief Static, constant vtable for record encryption with CBC. 491 */ 492extern const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable; 493 494/* ===================================================================== */ 495 496/** 497 * \brief Record decryption engine class, for GCM mode. 498 * 499 * This class type extends the decryption engine class with an 500 * initialisation method that receives the parameters needed 501 * for GCM processing: block cipher implementation, block cipher key, 502 * GHASH implementation, and 4-byte IV. 503 */ 504typedef struct br_sslrec_in_gcm_class_ br_sslrec_in_gcm_class; 505struct br_sslrec_in_gcm_class_ { 506 /** 507 * \brief Superclass, as first vtable field. 508 */ 509 br_sslrec_in_class inner; 510 511 /** 512 * \brief Engine initialisation method. 513 * 514 * This method sets the vtable field in the context. 515 * 516 * \param ctx context to initialise. 517 * \param bc_impl block cipher implementation (CTR). 518 * \param key block cipher key. 519 * \param key_len block cipher key length (in bytes). 520 * \param gh_impl GHASH implementation. 521 * \param iv static IV (4 bytes). 522 */ 523 void (*init)(const br_sslrec_in_gcm_class **ctx, 524 const br_block_ctr_class *bc_impl, 525 const void *key, size_t key_len, 526 br_ghash gh_impl, 527 const void *iv); 528}; 529 530/** 531 * \brief Record encryption engine class, for GCM mode. 532 * 533 * This class type extends the encryption engine class with an 534 * initialisation method that receives the parameters needed 535 * for GCM processing: block cipher implementation, block cipher key, 536 * GHASH implementation, and 4-byte IV. 537 */ 538typedef struct br_sslrec_out_gcm_class_ br_sslrec_out_gcm_class; 539struct br_sslrec_out_gcm_class_ { 540 /** 541 * \brief Superclass, as first vtable field. 542 */ 543 br_sslrec_out_class inner; 544 545 /** 546 * \brief Engine initialisation method. 547 * 548 * This method sets the vtable field in the context. 549 * 550 * \param ctx context to initialise. 551 * \param bc_impl block cipher implementation (CTR). 552 * \param key block cipher key. 553 * \param key_len block cipher key length (in bytes). 554 * \param gh_impl GHASH implementation. 555 * \param iv static IV (4 bytes). 556 */ 557 void (*init)(const br_sslrec_out_gcm_class **ctx, 558 const br_block_ctr_class *bc_impl, 559 const void *key, size_t key_len, 560 br_ghash gh_impl, 561 const void *iv); 562}; 563 564/** 565 * \brief Context structure for processing records with GCM. 566 * 567 * The same context structure is used for encrypting and decrypting. 568 * 569 * The first field points to the vtable. The other fields are opaque 570 * and shall not be accessed directly. 571 */ 572typedef struct { 573 /** \brief Pointer to vtable. */ 574 union { 575 const void *gen; 576 const br_sslrec_in_gcm_class *in; 577 const br_sslrec_out_gcm_class *out; 578 } vtable; 579#ifndef BR_DOXYGEN_IGNORE 580 uint64_t seq; 581 union { 582 const br_block_ctr_class *vtable; 583 br_aes_gen_ctr_keys aes; 584 } bc; 585 br_ghash gh; 586 unsigned char iv[4]; 587 unsigned char h[16]; 588#endif 589} br_sslrec_gcm_context; 590 591/** 592 * \brief Static, constant vtable for record decryption with GCM. 593 */ 594extern const br_sslrec_in_gcm_class br_sslrec_in_gcm_vtable; 595 596/** 597 * \brief Static, constant vtable for record encryption with GCM. 598 */ 599extern const br_sslrec_out_gcm_class br_sslrec_out_gcm_vtable; 600 601/* ===================================================================== */ 602 603/** 604 * \brief Record decryption engine class, for ChaCha20+Poly1305. 605 * 606 * This class type extends the decryption engine class with an 607 * initialisation method that receives the parameters needed 608 * for ChaCha20+Poly1305 processing: ChaCha20 implementation, 609 * Poly1305 implementation, key, and 12-byte IV. 610 */ 611typedef struct br_sslrec_in_chapol_class_ br_sslrec_in_chapol_class; 612struct br_sslrec_in_chapol_class_ { 613 /** 614 * \brief Superclass, as first vtable field. 615 */ 616 br_sslrec_in_class inner; 617 618 /** 619 * \brief Engine initialisation method. 620 * 621 * This method sets the vtable field in the context. 622 * 623 * \param ctx context to initialise. 624 * \param ichacha ChaCha20 implementation. 625 * \param ipoly Poly1305 implementation. 626 * \param key secret key (32 bytes). 627 * \param iv static IV (12 bytes). 628 */ 629 void (*init)(const br_sslrec_in_chapol_class **ctx, 630 br_chacha20_run ichacha, 631 br_poly1305_run ipoly, 632 const void *key, const void *iv); 633}; 634 635/** 636 * \brief Record encryption engine class, for ChaCha20+Poly1305. 637 * 638 * This class type extends the encryption engine class with an 639 * initialisation method that receives the parameters needed 640 * for ChaCha20+Poly1305 processing: ChaCha20 implementation, 641 * Poly1305 implementation, key, and 12-byte IV. 642 */ 643typedef struct br_sslrec_out_chapol_class_ br_sslrec_out_chapol_class; 644struct br_sslrec_out_chapol_class_ { 645 /** 646 * \brief Superclass, as first vtable field. 647 */ 648 br_sslrec_out_class inner; 649 650 /** 651 * \brief Engine initialisation method. 652 * 653 * This method sets the vtable field in the context. 654 * 655 * \param ctx context to initialise. 656 * \param ichacha ChaCha20 implementation. 657 * \param ipoly Poly1305 implementation. 658 * \param key secret key (32 bytes). 659 * \param iv static IV (12 bytes). 660 */ 661 void (*init)(const br_sslrec_out_chapol_class **ctx, 662 br_chacha20_run ichacha, 663 br_poly1305_run ipoly, 664 const void *key, const void *iv); 665}; 666 667/** 668 * \brief Context structure for processing records with ChaCha20+Poly1305. 669 * 670 * The same context structure is used for encrypting and decrypting. 671 * 672 * The first field points to the vtable. The other fields are opaque 673 * and shall not be accessed directly. 674 */ 675typedef struct { 676 /** \brief Pointer to vtable. */ 677 union { 678 const void *gen; 679 const br_sslrec_in_chapol_class *in; 680 const br_sslrec_out_chapol_class *out; 681 } vtable; 682#ifndef BR_DOXYGEN_IGNORE 683 uint64_t seq; 684 unsigned char key[32]; 685 unsigned char iv[12]; 686 br_chacha20_run ichacha; 687 br_poly1305_run ipoly; 688#endif 689} br_sslrec_chapol_context; 690 691/** 692 * \brief Static, constant vtable for record decryption with ChaCha20+Poly1305. 693 */ 694extern const br_sslrec_in_chapol_class br_sslrec_in_chapol_vtable; 695 696/** 697 * \brief Static, constant vtable for record encryption with ChaCha20+Poly1305. 698 */ 699extern const br_sslrec_out_chapol_class br_sslrec_out_chapol_vtable; 700 701/* ===================================================================== */ 702 703/** 704 * \brief Record decryption engine class, for CCM mode. 705 * 706 * This class type extends the decryption engine class with an 707 * initialisation method that receives the parameters needed 708 * for CCM processing: block cipher implementation, block cipher key, 709 * and 4-byte IV. 710 */ 711typedef struct br_sslrec_in_ccm_class_ br_sslrec_in_ccm_class; 712struct br_sslrec_in_ccm_class_ { 713 /** 714 * \brief Superclass, as first vtable field. 715 */ 716 br_sslrec_in_class inner; 717 718 /** 719 * \brief Engine initialisation method. 720 * 721 * This method sets the vtable field in the context. 722 * 723 * \param ctx context to initialise. 724 * \param bc_impl block cipher implementation (CTR+CBC). 725 * \param key block cipher key. 726 * \param key_len block cipher key length (in bytes). 727 * \param iv static IV (4 bytes). 728 * \param tag_len tag length (in bytes) 729 */ 730 void (*init)(const br_sslrec_in_ccm_class **ctx, 731 const br_block_ctrcbc_class *bc_impl, 732 const void *key, size_t key_len, 733 const void *iv, size_t tag_len); 734}; 735 736/** 737 * \brief Record encryption engine class, for CCM mode. 738 * 739 * This class type extends the encryption engine class with an 740 * initialisation method that receives the parameters needed 741 * for CCM processing: block cipher implementation, block cipher key, 742 * and 4-byte IV. 743 */ 744typedef struct br_sslrec_out_ccm_class_ br_sslrec_out_ccm_class; 745struct br_sslrec_out_ccm_class_ { 746 /** 747 * \brief Superclass, as first vtable field. 748 */ 749 br_sslrec_out_class inner; 750 751 /** 752 * \brief Engine initialisation method. 753 * 754 * This method sets the vtable field in the context. 755 * 756 * \param ctx context to initialise. 757 * \param bc_impl block cipher implementation (CTR+CBC). 758 * \param key block cipher key. 759 * \param key_len block cipher key length (in bytes). 760 * \param iv static IV (4 bytes). 761 * \param tag_len tag length (in bytes) 762 */ 763 void (*init)(const br_sslrec_out_ccm_class **ctx, 764 const br_block_ctrcbc_class *bc_impl, 765 const void *key, size_t key_len, 766 const void *iv, size_t tag_len); 767}; 768 769/** 770 * \brief Context structure for processing records with CCM. 771 * 772 * The same context structure is used for encrypting and decrypting. 773 * 774 * The first field points to the vtable. The other fields are opaque 775 * and shall not be accessed directly. 776 */ 777typedef struct { 778 /** \brief Pointer to vtable. */ 779 union { 780 const void *gen; 781 const br_sslrec_in_ccm_class *in; 782 const br_sslrec_out_ccm_class *out; 783 } vtable; 784#ifndef BR_DOXYGEN_IGNORE 785 uint64_t seq; 786 union { 787 const br_block_ctrcbc_class *vtable; 788 br_aes_gen_ctrcbc_keys aes; 789 } bc; 790 unsigned char iv[4]; 791 size_t tag_len; 792#endif 793} br_sslrec_ccm_context; 794 795/** 796 * \brief Static, constant vtable for record decryption with CCM. 797 */ 798extern const br_sslrec_in_ccm_class br_sslrec_in_ccm_vtable; 799 800/** 801 * \brief Static, constant vtable for record encryption with CCM. 802 */ 803extern const br_sslrec_out_ccm_class br_sslrec_out_ccm_vtable; 804 805/* ===================================================================== */ 806 807/** 808 * \brief Type for session parameters, to be saved for session resumption. 809 */ 810typedef struct { 811 /** \brief Session ID buffer. */ 812 unsigned char session_id[32]; 813 /** \brief Session ID length (in bytes, at most 32). */ 814 unsigned char session_id_len; 815 /** \brief Protocol version. */ 816 uint16_t version; 817 /** \brief Cipher suite. */ 818 uint16_t cipher_suite; 819 /** \brief Master secret. */ 820 unsigned char master_secret[48]; 821} br_ssl_session_parameters; 822 823#ifndef BR_DOXYGEN_IGNORE 824/* 825 * Maximum number of cipher suites supported by a client or server. 826 */ 827#define BR_MAX_CIPHER_SUITES 48 828#endif 829 830/** 831 * \brief Context structure for SSL engine. 832 * 833 * This strucuture is common to the client and server; both the client 834 * context (`br_ssl_client_context`) and the server context 835 * (`br_ssl_server_context`) include a `br_ssl_engine_context` as their 836 * first field. 837 * 838 * The engine context manages records, including alerts, closures, and 839 * transitions to new encryption/MAC algorithms. Processing of handshake 840 * records is delegated to externally provided code. This structure 841 * should not be used directly. 842 * 843 * Structure contents are opaque and shall not be accessed directly. 844 */ 845typedef struct { 846#ifndef BR_DOXYGEN_IGNORE 847 /* 848 * The error code. When non-zero, then the state is "failed" and 849 * no I/O may occur until reset. 850 */ 851 int err; 852 853 /* 854 * Configured I/O buffers. They are either disjoint, or identical. 855 */ 856 unsigned char *ibuf, *obuf; 857 size_t ibuf_len, obuf_len; 858 859 /* 860 * Maximum fragment length applies to outgoing records; incoming 861 * records can be processed as long as they fit in the input 862 * buffer. It is guaranteed that incoming records at least as big 863 * as max_frag_len can be processed. 864 */ 865 uint16_t max_frag_len; 866 unsigned char log_max_frag_len; 867 unsigned char peer_log_max_frag_len; 868 869 /* 870 * Buffering management registers. 871 */ 872 size_t ixa, ixb, ixc; 873 size_t oxa, oxb, oxc; 874 unsigned char iomode; 875 unsigned char incrypt; 876 877 /* 878 * Shutdown flag: when set to non-zero, incoming record bytes 879 * will not be accepted anymore. This is used after a close_notify 880 * has been received: afterwards, the engine no longer claims that 881 * it could receive bytes from the transport medium. 882 */ 883 unsigned char shutdown_recv; 884 885 /* 886 * 'record_type_in' is set to the incoming record type when the 887 * record header has been received. 888 * 'record_type_out' is used to make the next outgoing record 889 * header when it is ready to go. 890 */ 891 unsigned char record_type_in, record_type_out; 892 893 /* 894 * When a record is received, its version is extracted: 895 * -- if 'version_in' is 0, then it is set to the received version; 896 * -- otherwise, if the received version is not identical to 897 * the 'version_in' contents, then a failure is reported. 898 * 899 * This implements the SSL requirement that all records shall 900 * use the negotiated protocol version, once decided (in the 901 * ServerHello). It is up to the handshake handler to adjust this 902 * field when necessary. 903 */ 904 uint16_t version_in; 905 906 /* 907 * 'version_out' is used when the next outgoing record is ready 908 * to go. 909 */ 910 uint16_t version_out; 911 912 /* 913 * Record handler contexts. 914 */ 915 union { 916 const br_sslrec_in_class *vtable; 917 br_sslrec_in_cbc_context cbc; 918 br_sslrec_gcm_context gcm; 919 br_sslrec_chapol_context chapol; 920 br_sslrec_ccm_context ccm; 921 } in; 922 union { 923 const br_sslrec_out_class *vtable; 924 br_sslrec_out_clear_context clear; 925 br_sslrec_out_cbc_context cbc; 926 br_sslrec_gcm_context gcm; 927 br_sslrec_chapol_context chapol; 928 br_sslrec_ccm_context ccm; 929 } out; 930 931 /* 932 * The "application data" flag. Value: 933 * 0 handshake is in process, no application data acceptable 934 * 1 application data can be sent and received 935 * 2 closing, no application data can be sent, but some 936 * can still be received (and discarded) 937 */ 938 unsigned char application_data; 939 940 /* 941 * Context RNG. 942 * 943 * rng_init_done is initially 0. It is set to 1 when the 944 * basic structure of the RNG is set, and 2 when some 945 * entropy has been pushed in. The value 2 marks the RNG 946 * as "properly seeded". 947 * 948 * rng_os_rand_done is initially 0. It is set to 1 when 949 * some seeding from the OS or hardware has been attempted. 950 */ 951 br_hmac_drbg_context rng; 952 int rng_init_done; 953 int rng_os_rand_done; 954 955 /* 956 * Supported minimum and maximum versions, and cipher suites. 957 */ 958 uint16_t version_min; 959 uint16_t version_max; 960 uint16_t suites_buf[BR_MAX_CIPHER_SUITES]; 961 unsigned char suites_num; 962 963 /* 964 * For clients, the server name to send as a SNI extension. For 965 * servers, the name received in the SNI extension (if any). 966 */ 967 char server_name[256]; 968 969 /* 970 * "Security parameters". These are filled by the handshake 971 * handler, and used when switching encryption state. 972 */ 973 unsigned char client_random[32]; 974 unsigned char server_random[32]; 975 br_ssl_session_parameters session; 976 977 /* 978 * ECDHE elements: curve and point from the peer. The server also 979 * uses that buffer for the point to send to the client. 980 */ 981 unsigned char ecdhe_curve; 982 unsigned char ecdhe_point[133]; 983 unsigned char ecdhe_point_len; 984 985 /* 986 * Secure renegotiation (RFC 5746): 'reneg' can be: 987 * 0 first handshake (server support is not known) 988 * 1 peer does not support secure renegotiation 989 * 2 peer supports secure renegotiation 990 * 991 * The saved_finished buffer contains the client and the 992 * server "Finished" values from the last handshake, in 993 * that order (12 bytes each). 994 */ 995 unsigned char reneg; 996 unsigned char saved_finished[24]; 997 998 /* 999 * Behavioural flags. 1000 */ 1001 uint32_t flags; 1002 1003 /* 1004 * Context variables for the handshake processor. The 'pad' must 1005 * be large enough to accommodate an RSA-encrypted pre-master 1006 * secret, or an RSA signature; since we want to support up to 1007 * RSA-4096, this means at least 512 bytes. (Other pad usages 1008 * require its length to be at least 256.) 1009 */ 1010 struct { 1011 uint32_t *dp; 1012 uint32_t *rp; 1013 const unsigned char *ip; 1014 } cpu; 1015 uint32_t dp_stack[32]; 1016 uint32_t rp_stack[32]; 1017 unsigned char pad[512]; 1018 unsigned char *hbuf_in, *hbuf_out, *saved_hbuf_out; 1019 size_t hlen_in, hlen_out; 1020 void (*hsrun)(void *ctx); 1021 1022 /* 1023 * The 'action' value communicates OOB information between the 1024 * engine and the handshake processor. 1025 * 1026 * From the engine: 1027 * 0 invocation triggered by I/O 1028 * 1 invocation triggered by explicit close 1029 * 2 invocation triggered by explicit renegotiation 1030 */ 1031 unsigned char action; 1032 1033 /* 1034 * State for alert messages. Value is either 0, or the value of 1035 * the alert level byte (level is either 1 for warning, or 2 for 1036 * fatal; we convert all other values to 'fatal'). 1037 */ 1038 unsigned char alert; 1039 1040 /* 1041 * Closure flags. This flag is set when a close_notify has been 1042 * received from the peer. 1043 */ 1044 unsigned char close_received; 1045 1046 /* 1047 * Multi-hasher for the handshake messages. The handshake handler 1048 * is responsible for resetting it when appropriate. 1049 */ 1050 br_multihash_context mhash; 1051 1052 /* 1053 * Pointer to the X.509 engine. The engine is supposed to be 1054 * already initialized. It is used to validate the peer's 1055 * certificate. 1056 */ 1057 const br_x509_class **x509ctx; 1058 1059 /* 1060 * Certificate chain to send. This is used by both client and 1061 * server, when they send their respective Certificate messages. 1062 * If chain_len is 0, then chain may be NULL. 1063 */ 1064 const br_x509_certificate *chain; 1065 size_t chain_len; 1066 const unsigned char *cert_cur; 1067 size_t cert_len; 1068 1069 /* 1070 * List of supported protocol names (ALPN extension). If unset, 1071 * (number of names is 0), then: 1072 * - the client sends no ALPN extension; 1073 * - the server ignores any incoming ALPN extension. 1074 * 1075 * Otherwise: 1076 * - the client sends an ALPN extension with all the names; 1077 * - the server selects the first protocol in its list that 1078 * the client also supports, or fails (fatal alert 120) 1079 * if the client sends an ALPN extension and there is no 1080 * match. 1081 * 1082 * The 'selected_protocol' field contains 1+n if the matching 1083 * name has index n in the list (the value is 0 if no match was 1084 * performed, e.g. the peer did not send an ALPN extension). 1085 */ 1086 const char **protocol_names; 1087 uint16_t protocol_names_num; 1088 uint16_t selected_protocol; 1089 1090 /* 1091 * Pointers to implementations; left to NULL for unsupported 1092 * functions. For the raw hash functions, implementations are 1093 * referenced from the multihasher (mhash field). 1094 */ 1095 br_tls_prf_impl prf10; 1096 br_tls_prf_impl prf_sha256; 1097 br_tls_prf_impl prf_sha384; 1098 const br_block_cbcenc_class *iaes_cbcenc; 1099 const br_block_cbcdec_class *iaes_cbcdec; 1100 const br_block_ctr_class *iaes_ctr; 1101 const br_block_ctrcbc_class *iaes_ctrcbc; 1102 const br_block_cbcenc_class *ides_cbcenc; 1103 const br_block_cbcdec_class *ides_cbcdec; 1104 br_ghash ighash; 1105 br_chacha20_run ichacha; 1106 br_poly1305_run ipoly; 1107 const br_sslrec_in_cbc_class *icbc_in; 1108 const br_sslrec_out_cbc_class *icbc_out; 1109 const br_sslrec_in_gcm_class *igcm_in; 1110 const br_sslrec_out_gcm_class *igcm_out; 1111 const br_sslrec_in_chapol_class *ichapol_in; 1112 const br_sslrec_out_chapol_class *ichapol_out; 1113 const br_sslrec_in_ccm_class *iccm_in; 1114 const br_sslrec_out_ccm_class *iccm_out; 1115 const br_ec_impl *iec; 1116 br_rsa_pkcs1_vrfy irsavrfy; 1117 br_ecdsa_vrfy iecdsa; 1118#endif 1119} br_ssl_engine_context; 1120 1121/** 1122 * \brief Get currently defined engine behavioural flags. 1123 * 1124 * \param cc SSL engine context. 1125 * \return the flags. 1126 */ 1127static inline uint32_t 1128br_ssl_engine_get_flags(br_ssl_engine_context *cc) 1129{ 1130 return cc->flags; 1131} 1132 1133/** 1134 * \brief Set all engine behavioural flags. 1135 * 1136 * \param cc SSL engine context. 1137 * \param flags new value for all flags. 1138 */ 1139static inline void 1140br_ssl_engine_set_all_flags(br_ssl_engine_context *cc, uint32_t flags) 1141{ 1142 cc->flags = flags; 1143} 1144 1145/** 1146 * \brief Set some engine behavioural flags. 1147 * 1148 * The flags set in the `flags` parameter are set in the context; other 1149 * flags are untouched. 1150 * 1151 * \param cc SSL engine context. 1152 * \param flags additional set flags. 1153 */ 1154static inline void 1155br_ssl_engine_add_flags(br_ssl_engine_context *cc, uint32_t flags) 1156{ 1157 cc->flags |= flags; 1158} 1159 1160/** 1161 * \brief Clear some engine behavioural flags. 1162 * 1163 * The flags set in the `flags` parameter are cleared from the context; other 1164 * flags are untouched. 1165 * 1166 * \param cc SSL engine context. 1167 * \param flags flags to remove. 1168 */ 1169static inline void 1170br_ssl_engine_remove_flags(br_ssl_engine_context *cc, uint32_t flags) 1171{ 1172 cc->flags &= ~flags; 1173} 1174 1175/** 1176 * \brief Behavioural flag: enforce server preferences. 1177 * 1178 * If this flag is set, then the server will enforce its own cipher suite 1179 * preference order; otherwise, it follows the client preferences. 1180 */ 1181#define BR_OPT_ENFORCE_SERVER_PREFERENCES ((uint32_t)1 << 0) 1182 1183/** 1184 * \brief Behavioural flag: disable renegotiation. 1185 * 1186 * If this flag is set, then renegotiations are rejected unconditionally: 1187 * they won't be honoured if asked for programmatically, and requests from 1188 * the peer are rejected. 1189 */ 1190#define BR_OPT_NO_RENEGOTIATION ((uint32_t)1 << 1) 1191 1192/** 1193 * \brief Behavioural flag: tolerate lack of client authentication. 1194 * 1195 * If this flag is set in a server and the server requests a client 1196 * certificate, but the authentication fails (the client does not send 1197 * a certificate, or the client's certificate chain cannot be validated), 1198 * then the connection keeps on. Without this flag, a failed client 1199 * authentication terminates the connection. 1200 * 1201 * Notes: 1202 * 1203 * - If the client's certificate can be validated and its public key is 1204 * supported, then a wrong signature value terminates the connection 1205 * regardless of that flag. 1206 * 1207 * - If using full-static ECDH, then a failure to validate the client's 1208 * certificate prevents the handshake from succeeding. 1209 */ 1210#define BR_OPT_TOLERATE_NO_CLIENT_AUTH ((uint32_t)1 << 2) 1211 1212/** 1213 * \brief Behavioural flag: fail on application protocol mismatch. 1214 * 1215 * The ALPN extension ([RFC 7301](https://tools.ietf.org/html/rfc7301)) 1216 * allows the client to send a list of application protocol names, and 1217 * the server to select one. A mismatch is one of the following occurrences: 1218 * 1219 * - On the client: the client sends a list of names, the server 1220 * responds with a protocol name which is _not_ part of the list of 1221 * names sent by the client. 1222 * 1223 * - On the server: the client sends a list of names, and the server 1224 * is also configured with a list of names, but there is no common 1225 * protocol name between the two lists. 1226 * 1227 * Normal behaviour in case of mismatch is to report no matching name 1228 * (`br_ssl_engine_get_selected_protocol()` returns `NULL`) and carry on. 1229 * If the flag is set, then a mismatch implies a protocol failure (if 1230 * the mismatch is detected by the server, it will send a fatal alert). 1231 * 1232 * Note: even with this flag, `br_ssl_engine_get_selected_protocol()` 1233 * may still return `NULL` if the client or the server does not send an 1234 * ALPN extension at all. 1235 */ 1236#define BR_OPT_FAIL_ON_ALPN_MISMATCH ((uint32_t)1 << 3) 1237 1238/** 1239 * \brief Set the minimum and maximum supported protocol versions. 1240 * 1241 * The two provided versions MUST be supported by the implementation 1242 * (i.e. TLS 1.0, 1.1 and 1.2), and `version_max` MUST NOT be lower 1243 * than `version_min`. 1244 * 1245 * \param cc SSL engine context. 1246 * \param version_min minimum supported TLS version. 1247 * \param version_max maximum supported TLS version. 1248 */ 1249static inline void 1250br_ssl_engine_set_versions(br_ssl_engine_context *cc, 1251 unsigned version_min, unsigned version_max) 1252{ 1253 cc->version_min = (uint16_t)version_min; 1254 cc->version_max = (uint16_t)version_max; 1255} 1256 1257/** 1258 * \brief Set the list of cipher suites advertised by this context. 1259 * 1260 * The provided array is copied into the context. It is the caller 1261 * responsibility to ensure that all provided suites will be supported 1262 * by the context. The engine context has enough room to receive _all_ 1263 * suites supported by the implementation. The provided array MUST NOT 1264 * contain duplicates. 1265 * 1266 * If the engine is for a client, the "signaling" pseudo-cipher suite 1267 * `TLS_FALLBACK_SCSV` can be added at the end of the list, if the 1268 * calling application is performing a voluntary downgrade (voluntary 1269 * downgrades are not recommended, but if such a downgrade is done, then 1270 * adding the fallback pseudo-suite is a good idea). 1271 * 1272 * \param cc SSL engine context. 1273 * \param suites cipher suites. 1274 * \param suites_num number of cipher suites. 1275 */ 1276void br_ssl_engine_set_suites(br_ssl_engine_context *cc, 1277 const uint16_t *suites, size_t suites_num); 1278 1279/** 1280 * \brief Set the X.509 engine. 1281 * 1282 * The caller shall ensure that the X.509 engine is properly initialised. 1283 * 1284 * \param cc SSL engine context. 1285 * \param x509ctx X.509 certificate validation context. 1286 */ 1287static inline void 1288br_ssl_engine_set_x509(br_ssl_engine_context *cc, const br_x509_class **x509ctx) 1289{ 1290 cc->x509ctx = x509ctx; 1291} 1292 1293/** 1294 * \brief Set the supported protocol names. 1295 * 1296 * Protocol names are part of the ALPN extension ([RFC 1297 * 7301](https://tools.ietf.org/html/rfc7301)). Each protocol name is a 1298 * character string, containing no more than 255 characters (256 with the 1299 * terminating zero). When names are set, then: 1300 * 1301 * - The client will send an ALPN extension, containing the names. If 1302 * the server responds with an ALPN extension, the client will verify 1303 * that the response contains one of its name, and report that name 1304 * through `br_ssl_engine_get_selected_protocol()`. 1305 * 1306 * - The server will parse incoming ALPN extension (from clients), and 1307 * try to find a common protocol; if none is found, the connection 1308 * is aborted with a fatal alert. On match, a response ALPN extension 1309 * is sent, and name is reported through 1310 * `br_ssl_engine_get_selected_protocol()`. 1311 * 1312 * The provided array is linked in, and must remain valid while the 1313 * connection is live. 1314 * 1315 * Names MUST NOT be empty. Names MUST NOT be longer than 255 characters 1316 * (excluding the terminating 0). 1317 * 1318 * \param ctx SSL engine context. 1319 * \param names list of protocol names (zero-terminated). 1320 * \param num number of protocol names (MUST be 1 or more). 1321 */ 1322static inline void 1323br_ssl_engine_set_protocol_names(br_ssl_engine_context *ctx, 1324 const char **names, size_t num) 1325{ 1326 ctx->protocol_names = names; 1327 ctx->protocol_names_num = (uint16_t)num; 1328} 1329 1330/** 1331 * \brief Get the selected protocol. 1332 * 1333 * If this context was initialised with a non-empty list of protocol 1334 * names, and both client and server sent ALPN extensions during the 1335 * handshake, and a common name was found, then that name is returned. 1336 * Otherwise, `NULL` is returned. 1337 * 1338 * The returned pointer is one of the pointers provided to the context 1339 * with `br_ssl_engine_set_protocol_names()`. 1340 * 1341 * \return the selected protocol, or `NULL`. 1342 */ 1343static inline const char * 1344br_ssl_engine_get_selected_protocol(br_ssl_engine_context *ctx) 1345{ 1346 unsigned k; 1347 1348 k = ctx->selected_protocol; 1349 return (k == 0 || k == 0xFFFF) ? NULL : ctx->protocol_names[k - 1]; 1350} 1351 1352/** 1353 * \brief Set a hash function implementation (by ID). 1354 * 1355 * Hash functions set with this call will be used for SSL/TLS specific 1356 * usages, not X.509 certificate validation. Only "standard" hash functions 1357 * may be set (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). If `impl` 1358 * is `NULL`, then the hash function support is removed, not added. 1359 * 1360 * \param ctx SSL engine context. 1361 * \param id hash function identifier. 1362 * \param impl hash function implementation (or `NULL`). 1363 */ 1364static inline void 1365br_ssl_engine_set_hash(br_ssl_engine_context *ctx, 1366 int id, const br_hash_class *impl) 1367{ 1368 br_multihash_setimpl(&ctx->mhash, id, impl); 1369} 1370 1371/** 1372 * \brief Get a hash function implementation (by ID). 1373 * 1374 * This function retrieves a hash function implementation which was 1375 * set with `br_ssl_engine_set_hash()`. 1376 * 1377 * \param ctx SSL engine context. 1378 * \param id hash function identifier. 1379 * \return the hash function implementation (or `NULL`). 1380 */ 1381static inline const br_hash_class * 1382br_ssl_engine_get_hash(br_ssl_engine_context *ctx, int id) 1383{ 1384 return br_multihash_getimpl(&ctx->mhash, id); 1385} 1386 1387/** 1388 * \brief Set the PRF implementation (for TLS 1.0 and 1.1). 1389 * 1390 * This function sets (or removes, if `impl` is `NULL`) the implementation 1391 * for the PRF used in TLS 1.0 and 1.1. 1392 * 1393 * \param cc SSL engine context. 1394 * \param impl PRF implementation (or `NULL`). 1395 */ 1396static inline void 1397br_ssl_engine_set_prf10(br_ssl_engine_context *cc, br_tls_prf_impl impl) 1398{ 1399 cc->prf10 = impl; 1400} 1401 1402/** 1403 * \brief Set the PRF implementation with SHA-256 (for TLS 1.2). 1404 * 1405 * This function sets (or removes, if `impl` is `NULL`) the implementation 1406 * for the SHA-256 variant of the PRF used in TLS 1.2. 1407 * 1408 * \param cc SSL engine context. 1409 * \param impl PRF implementation (or `NULL`). 1410 */ 1411static inline void 1412br_ssl_engine_set_prf_sha256(br_ssl_engine_context *cc, br_tls_prf_impl impl) 1413{ 1414 cc->prf_sha256 = impl; 1415} 1416 1417/** 1418 * \brief Set the PRF implementation with SHA-384 (for TLS 1.2). 1419 * 1420 * This function sets (or removes, if `impl` is `NULL`) the implementation 1421 * for the SHA-384 variant of the PRF used in TLS 1.2. 1422 * 1423 * \param cc SSL engine context. 1424 * \param impl PRF implementation (or `NULL`). 1425 */ 1426static inline void 1427br_ssl_engine_set_prf_sha384(br_ssl_engine_context *cc, br_tls_prf_impl impl) 1428{ 1429 cc->prf_sha384 = impl; 1430} 1431 1432/** 1433 * \brief Set the AES/CBC implementations. 1434 * 1435 * \param cc SSL engine context. 1436 * \param impl_enc AES/CBC encryption implementation (or `NULL`). 1437 * \param impl_dec AES/CBC decryption implementation (or `NULL`). 1438 */ 1439static inline void 1440br_ssl_engine_set_aes_cbc(br_ssl_engine_context *cc, 1441 const br_block_cbcenc_class *impl_enc, 1442 const br_block_cbcdec_class *impl_dec) 1443{ 1444 cc->iaes_cbcenc = impl_enc; 1445 cc->iaes_cbcdec = impl_dec; 1446} 1447 1448/** 1449 * \brief Set the "default" AES/CBC implementations. 1450 * 1451 * This function configures in the engine the AES implementations that 1452 * should provide best runtime performance on the local system, while 1453 * still being safe (in particular, constant-time). It also sets the 1454 * handlers for CBC records. 1455 * 1456 * \param cc SSL engine context. 1457 */ 1458void br_ssl_engine_set_default_aes_cbc(br_ssl_engine_context *cc); 1459 1460/** 1461 * \brief Set the AES/CTR implementation. 1462 * 1463 * \param cc SSL engine context. 1464 * \param impl AES/CTR encryption/decryption implementation (or `NULL`). 1465 */ 1466static inline void 1467br_ssl_engine_set_aes_ctr(br_ssl_engine_context *cc, 1468 const br_block_ctr_class *impl) 1469{ 1470 cc->iaes_ctr = impl; 1471} 1472 1473/** 1474 * \brief Set the "default" implementations for AES/GCM (AES/CTR + GHASH). 1475 * 1476 * This function configures in the engine the AES/CTR and GHASH 1477 * implementation that should provide best runtime performance on the local 1478 * system, while still being safe (in particular, constant-time). It also 1479 * sets the handlers for GCM records. 1480 * 1481 * \param cc SSL engine context. 1482 */ 1483void br_ssl_engine_set_default_aes_gcm(br_ssl_engine_context *cc); 1484 1485/** 1486 * \brief Set the DES/CBC implementations. 1487 * 1488 * \param cc SSL engine context. 1489 * \param impl_enc DES/CBC encryption implementation (or `NULL`). 1490 * \param impl_dec DES/CBC decryption implementation (or `NULL`). 1491 */ 1492static inline void 1493br_ssl_engine_set_des_cbc(br_ssl_engine_context *cc, 1494 const br_block_cbcenc_class *impl_enc, 1495 const br_block_cbcdec_class *impl_dec) 1496{ 1497 cc->ides_cbcenc = impl_enc; 1498 cc->ides_cbcdec = impl_dec; 1499} 1500 1501/** 1502 * \brief Set the "default" DES/CBC implementations. 1503 * 1504 * This function configures in the engine the DES implementations that 1505 * should provide best runtime performance on the local system, while 1506 * still being safe (in particular, constant-time). It also sets the 1507 * handlers for CBC records. 1508 * 1509 * \param cc SSL engine context. 1510 */ 1511void br_ssl_engine_set_default_des_cbc(br_ssl_engine_context *cc); 1512 1513/** 1514 * \brief Set the GHASH implementation (used in GCM mode). 1515 * 1516 * \param cc SSL engine context. 1517 * \param impl GHASH implementation (or `NULL`). 1518 */ 1519static inline void 1520br_ssl_engine_set_ghash(br_ssl_engine_context *cc, br_ghash impl) 1521{ 1522 cc->ighash = impl; 1523} 1524 1525/** 1526 * \brief Set the ChaCha20 implementation. 1527 * 1528 * \param cc SSL engine context. 1529 * \param ichacha ChaCha20 implementation (or `NULL`). 1530 */ 1531static inline void 1532br_ssl_engine_set_chacha20(br_ssl_engine_context *cc, 1533 br_chacha20_run ichacha) 1534{ 1535 cc->ichacha = ichacha; 1536} 1537 1538/** 1539 * \brief Set the Poly1305 implementation. 1540 * 1541 * \param cc SSL engine context. 1542 * \param ipoly Poly1305 implementation (or `NULL`). 1543 */ 1544static inline void 1545br_ssl_engine_set_poly1305(br_ssl_engine_context *cc, 1546 br_poly1305_run ipoly) 1547{ 1548 cc->ipoly = ipoly; 1549} 1550 1551/** 1552 * \brief Set the "default" ChaCha20 and Poly1305 implementations. 1553 * 1554 * This function configures in the engine the ChaCha20 and Poly1305 1555 * implementations that should provide best runtime performance on the 1556 * local system, while still being safe (in particular, constant-time). 1557 * It also sets the handlers for ChaCha20+Poly1305 records. 1558 * 1559 * \param cc SSL engine context. 1560 */ 1561void br_ssl_engine_set_default_chapol(br_ssl_engine_context *cc); 1562 1563/** 1564 * \brief Set the AES/CTR+CBC implementation. 1565 * 1566 * \param cc SSL engine context. 1567 * \param impl AES/CTR+CBC encryption/decryption implementation (or `NULL`). 1568 */ 1569static inline void 1570br_ssl_engine_set_aes_ctrcbc(br_ssl_engine_context *cc, 1571 const br_block_ctrcbc_class *impl) 1572{ 1573 cc->iaes_ctrcbc = impl; 1574} 1575 1576/** 1577 * \brief Set the "default" implementations for AES/CCM. 1578 * 1579 * This function configures in the engine the AES/CTR+CBC 1580 * implementation that should provide best runtime performance on the local 1581 * system, while still being safe (in particular, constant-time). It also 1582 * sets the handlers for CCM records. 1583 * 1584 * \param cc SSL engine context. 1585 */ 1586void br_ssl_engine_set_default_aes_ccm(br_ssl_engine_context *cc); 1587 1588/** 1589 * \brief Set the record encryption and decryption engines for CBC + HMAC. 1590 * 1591 * \param cc SSL engine context. 1592 * \param impl_in record CBC decryption implementation (or `NULL`). 1593 * \param impl_out record CBC encryption implementation (or `NULL`). 1594 */ 1595static inline void 1596br_ssl_engine_set_cbc(br_ssl_engine_context *cc, 1597 const br_sslrec_in_cbc_class *impl_in, 1598 const br_sslrec_out_cbc_class *impl_out) 1599{ 1600 cc->icbc_in = impl_in; 1601 cc->icbc_out = impl_out; 1602} 1603 1604/** 1605 * \brief Set the record encryption and decryption engines for GCM. 1606 * 1607 * \param cc SSL engine context. 1608 * \param impl_in record GCM decryption implementation (or `NULL`). 1609 * \param impl_out record GCM encryption implementation (or `NULL`). 1610 */ 1611static inline void 1612br_ssl_engine_set_gcm(br_ssl_engine_context *cc, 1613 const br_sslrec_in_gcm_class *impl_in, 1614 const br_sslrec_out_gcm_class *impl_out) 1615{ 1616 cc->igcm_in = impl_in; 1617 cc->igcm_out = impl_out; 1618} 1619 1620/** 1621 * \brief Set the record encryption and decryption engines for CCM. 1622 * 1623 * \param cc SSL engine context. 1624 * \param impl_in record CCM decryption implementation (or `NULL`). 1625 * \param impl_out record CCM encryption implementation (or `NULL`). 1626 */ 1627static inline void 1628br_ssl_engine_set_ccm(br_ssl_engine_context *cc, 1629 const br_sslrec_in_ccm_class *impl_in, 1630 const br_sslrec_out_ccm_class *impl_out) 1631{ 1632 cc->iccm_in = impl_in; 1633 cc->iccm_out = impl_out; 1634} 1635 1636/** 1637 * \brief Set the record encryption and decryption engines for 1638 * ChaCha20+Poly1305. 1639 * 1640 * \param cc SSL engine context. 1641 * \param impl_in record ChaCha20 decryption implementation (or `NULL`). 1642 * \param impl_out record ChaCha20 encryption implementation (or `NULL`). 1643 */ 1644static inline void 1645br_ssl_engine_set_chapol(br_ssl_engine_context *cc, 1646 const br_sslrec_in_chapol_class *impl_in, 1647 const br_sslrec_out_chapol_class *impl_out) 1648{ 1649 cc->ichapol_in = impl_in; 1650 cc->ichapol_out = impl_out; 1651} 1652 1653/** 1654 * \brief Set the EC implementation. 1655 * 1656 * The elliptic curve implementation will be used for ECDH and ECDHE 1657 * cipher suites, and for ECDSA support. 1658 * 1659 * \param cc SSL engine context. 1660 * \param iec EC implementation (or `NULL`). 1661 */ 1662static inline void 1663br_ssl_engine_set_ec(br_ssl_engine_context *cc, const br_ec_impl *iec) 1664{ 1665 cc->iec = iec; 1666} 1667 1668/** 1669 * \brief Set the "default" EC implementation. 1670 * 1671 * This function sets the elliptic curve implementation for ECDH and 1672 * ECDHE cipher suites, and for ECDSA support. It selects the fastest 1673 * implementation on the current system. 1674 * 1675 * \param cc SSL engine context. 1676 */ 1677void br_ssl_engine_set_default_ec(br_ssl_engine_context *cc); 1678 1679/** 1680 * \brief Get the EC implementation configured in the provided engine. 1681 * 1682 * \param cc SSL engine context. 1683 * \return the EC implementation. 1684 */ 1685static inline const br_ec_impl * 1686br_ssl_engine_get_ec(br_ssl_engine_context *cc) 1687{ 1688 return cc->iec; 1689} 1690 1691/** 1692 * \brief Set the RSA signature verification implementation. 1693 * 1694 * On the client, this is used to verify the server's signature on its 1695 * ServerKeyExchange message (for ECDHE_RSA cipher suites). On the server, 1696 * this is used to verify the client's CertificateVerify message (if a 1697 * client certificate is requested, and that certificate contains a RSA key). 1698 * 1699 * \param cc SSL engine context. 1700 * \param irsavrfy RSA signature verification implementation. 1701 */ 1702static inline void 1703br_ssl_engine_set_rsavrfy(br_ssl_engine_context *cc, br_rsa_pkcs1_vrfy irsavrfy) 1704{ 1705 cc->irsavrfy = irsavrfy; 1706} 1707 1708/** 1709 * \brief Set the "default" RSA implementation (signature verification). 1710 * 1711 * This function sets the RSA implementation (signature verification) 1712 * to the fastest implementation available on the current platform. 1713 * 1714 * \param cc SSL engine context. 1715 */ 1716void br_ssl_engine_set_default_rsavrfy(br_ssl_engine_context *cc); 1717 1718/** 1719 * \brief Get the RSA implementation (signature verification) configured 1720 * in the provided engine. 1721 * 1722 * \param cc SSL engine context. 1723 * \return the RSA signature verification implementation. 1724 */ 1725static inline br_rsa_pkcs1_vrfy 1726br_ssl_engine_get_rsavrfy(br_ssl_engine_context *cc) 1727{ 1728 return cc->irsavrfy; 1729} 1730 1731/* 1732 * \brief Set the ECDSA implementation (signature verification). 1733 * 1734 * On the client, this is used to verify the server's signature on its 1735 * ServerKeyExchange message (for ECDHE_ECDSA cipher suites). On the server, 1736 * this is used to verify the client's CertificateVerify message (if a 1737 * client certificate is requested, that certificate contains an EC key, 1738 * and full-static ECDH is not used). 1739 * 1740 * The ECDSA implementation will use the EC core implementation configured 1741 * in the engine context. 1742 * 1743 * \param cc client context. 1744 * \param iecdsa ECDSA verification implementation. 1745 */ 1746static inline void 1747br_ssl_engine_set_ecdsa(br_ssl_engine_context *cc, br_ecdsa_vrfy iecdsa) 1748{ 1749 cc->iecdsa = iecdsa; 1750} 1751 1752/** 1753 * \brief Set the "default" ECDSA implementation (signature verification). 1754 * 1755 * This function sets the ECDSA implementation (signature verification) 1756 * to the fastest implementation available on the current platform. This 1757 * call also sets the elliptic curve implementation itself, there again 1758 * to the fastest EC implementation available. 1759 * 1760 * \param cc SSL engine context. 1761 */ 1762void br_ssl_engine_set_default_ecdsa(br_ssl_engine_context *cc); 1763 1764/** 1765 * \brief Get the ECDSA implementation (signature verification) configured 1766 * in the provided engine. 1767 * 1768 * \param cc SSL engine context. 1769 * \return the ECDSA signature verification implementation. 1770 */ 1771static inline br_ecdsa_vrfy 1772br_ssl_engine_get_ecdsa(br_ssl_engine_context *cc) 1773{ 1774 return cc->iecdsa; 1775} 1776 1777/** 1778 * \brief Set the I/O buffer for the SSL engine. 1779 * 1780 * Once this call has been made, `br_ssl_client_reset()` or 1781 * `br_ssl_server_reset()` MUST be called before using the context. 1782 * 1783 * The provided buffer will be used as long as the engine context is 1784 * used. The caller is responsible for keeping it available. 1785 * 1786 * If `bidi` is 0, then the engine will operate in half-duplex mode 1787 * (it won't be able to send data while there is unprocessed incoming 1788 * data in the buffer, and it won't be able to receive data while there 1789 * is unsent data in the buffer). The optimal buffer size in half-duplex 1790 * mode is `BR_SSL_BUFSIZE_MONO`; if the buffer is larger, then extra 1791 * bytes are ignored. If the buffer is smaller, then this limits the 1792 * capacity of the engine to support all allowed record sizes. 1793 * 1794 * If `bidi` is 1, then the engine will split the buffer into two 1795 * parts, for separate handling of outgoing and incoming data. This 1796 * enables full-duplex processing, but requires more RAM. The optimal 1797 * buffer size in full-duplex mode is `BR_SSL_BUFSIZE_BIDI`; if the 1798 * buffer is larger, then extra bytes are ignored. If the buffer is 1799 * smaller, then the split will favour the incoming part, so that 1800 * interoperability is maximised. 1801 * 1802 * \param cc SSL engine context 1803 * \param iobuf I/O buffer. 1804 * \param iobuf_len I/O buffer length (in bytes). 1805 * \param bidi non-zero for full-duplex mode. 1806 */ 1807void br_ssl_engine_set_buffer(br_ssl_engine_context *cc, 1808 void *iobuf, size_t iobuf_len, int bidi); 1809 1810/** 1811 * \brief Set the I/O buffers for the SSL engine. 1812 * 1813 * Once this call has been made, `br_ssl_client_reset()` or 1814 * `br_ssl_server_reset()` MUST be called before using the context. 1815 * 1816 * This function is similar to `br_ssl_engine_set_buffer()`, except 1817 * that it enforces full-duplex mode, and the two I/O buffers are 1818 * provided as separate chunks. 1819 * 1820 * The macros `BR_SSL_BUFSIZE_INPUT` and `BR_SSL_BUFSIZE_OUTPUT` 1821 * evaluate to the optimal (maximum) sizes for the input and output 1822 * buffer, respectively. 1823 * 1824 * \param cc SSL engine context 1825 * \param ibuf input buffer. 1826 * \param ibuf_len input buffer length (in bytes). 1827 * \param obuf output buffer. 1828 * \param obuf_len output buffer length (in bytes). 1829 */ 1830void br_ssl_engine_set_buffers_bidi(br_ssl_engine_context *cc, 1831 void *ibuf, size_t ibuf_len, void *obuf, size_t obuf_len); 1832 1833/** 1834 * \brief Inject some "initial entropy" in the context. 1835 * 1836 * This entropy will be added to what can be obtained from the 1837 * underlying operating system, if that OS is supported. 1838 * 1839 * This function may be called several times; all injected entropy chunks 1840 * are cumulatively mixed. 1841 * 1842 * If entropy gathering from the OS is supported and compiled in, then this 1843 * step is optional. Otherwise, it is mandatory to inject randomness, and 1844 * the caller MUST take care to push (as one or several successive calls) 1845 * enough entropy to achieve cryptographic resistance (at least 80 bits, 1846 * preferably 128 or more). The engine will report an error if no entropy 1847 * was provided and none can be obtained from the OS. 1848 * 1849 * Take care that this function cannot assess the cryptographic quality of 1850 * the provided bytes. 1851 * 1852 * In all generality, "entropy" must here be considered to mean "that 1853 * which the attacker cannot predict". If your OS/architecture does not 1854 * have a suitable source of randomness, then you can make do with the 1855 * combination of a large enough secret value (possibly a copy of an 1856 * asymmetric private key that you also store on the system) AND a 1857 * non-repeating value (e.g. current time, provided that the local clock 1858 * cannot be reset or altered by the attacker). 1859 * 1860 * \param cc SSL engine context. 1861 * \param data extra entropy to inject. 1862 * \param len length of the extra data (in bytes). 1863 */ 1864void br_ssl_engine_inject_entropy(br_ssl_engine_context *cc, 1865 const void *data, size_t len); 1866 1867/** 1868 * \brief Get the "server name" in this engine. 1869 * 1870 * For clients, this is the name provided with `br_ssl_client_reset()`; 1871 * for servers, this is the name received from the client as part of the 1872 * ClientHello message. If there is no such name (e.g. the client did 1873 * not send an SNI extension) then the returned string is empty 1874 * (returned pointer points to a byte of value 0). 1875 * 1876 * The returned pointer refers to a buffer inside the context, which may 1877 * be overwritten as part of normal SSL activity (even within the same 1878 * connection, if a renegotiation occurs). 1879 * 1880 * \param cc SSL engine context. 1881 * \return the server name (possibly empty). 1882 */ 1883static inline const char * 1884br_ssl_engine_get_server_name(const br_ssl_engine_context *cc) 1885{ 1886 return cc->server_name; 1887} 1888 1889/** 1890 * \brief Get the protocol version. 1891 * 1892 * This function returns the protocol version that is used by the 1893 * engine. That value is set after sending (for a server) or receiving 1894 * (for a client) the ServerHello message. 1895 * 1896 * \param cc SSL engine context. 1897 * \return the protocol version. 1898 */ 1899static inline unsigned 1900br_ssl_engine_get_version(const br_ssl_engine_context *cc) 1901{ 1902 return cc->session.version; 1903} 1904 1905/** 1906 * \brief Get a copy of the session parameters. 1907 * 1908 * The session parameters are filled during the handshake, so this 1909 * function shall not be called before completion of the handshake. 1910 * The initial handshake is completed when the context first allows 1911 * application data to be injected. 1912 * 1913 * This function copies the current session parameters into the provided 1914 * structure. Beware that the session parameters include the master 1915 * secret, which is sensitive data, to handle with great care. 1916 * 1917 * \param cc SSL engine context. 1918 * \param pp destination structure for the session parameters. 1919 */ 1920static inline void 1921br_ssl_engine_get_session_parameters(const br_ssl_engine_context *cc, 1922 br_ssl_session_parameters *pp) 1923{ 1924 memcpy(pp, &cc->session, sizeof *pp); 1925} 1926 1927/** 1928 * \brief Set the session parameters to the provided values. 1929 * 1930 * This function is meant to be used in the client, before doing a new 1931 * handshake; a session resumption will be attempted with these 1932 * parameters. In the server, this function has no effect. 1933 * 1934 * \param cc SSL engine context. 1935 * \param pp source structure for the session parameters. 1936 */ 1937static inline void 1938br_ssl_engine_set_session_parameters(br_ssl_engine_context *cc, 1939 const br_ssl_session_parameters *pp) 1940{ 1941 memcpy(&cc->session, pp, sizeof *pp); 1942} 1943 1944/** 1945 * \brief Get identifier for the curve used for key exchange. 1946 * 1947 * If the cipher suite uses ECDHE, then this function returns the 1948 * identifier for the curve used for transient parameters. This is 1949 * defined during the course of the handshake, when the ServerKeyExchange 1950 * is sent (on the server) or received (on the client). If the 1951 * cipher suite does not use ECDHE (e.g. static ECDH, or RSA key 1952 * exchange), then this value is indeterminate. 1953 * 1954 * @param cc SSL engine context. 1955 * @return the ECDHE curve identifier. 1956 */ 1957static inline int 1958br_ssl_engine_get_ecdhe_curve(br_ssl_engine_context *cc) 1959{ 1960 return cc->ecdhe_curve; 1961} 1962 1963/** 1964 * \brief Get the current engine state. 1965 * 1966 * An SSL engine (client or server) has, at any time, a state which is 1967 * the combination of zero, one or more of these flags: 1968 * 1969 * - `BR_SSL_CLOSED` 1970 * 1971 * Engine is finished, no more I/O (until next reset). 1972 * 1973 * - `BR_SSL_SENDREC` 1974 * 1975 * Engine has some bytes to send to the peer. 1976 * 1977 * - `BR_SSL_RECVREC` 1978 * 1979 * Engine expects some bytes from the peer. 1980 * 1981 * - `BR_SSL_SENDAPP` 1982 * 1983 * Engine may receive application data to send (or flush). 1984 * 1985 * - `BR_SSL_RECVAPP` 1986 * 1987 * Engine has obtained some application data from the peer, 1988 * that should be read by the caller. 1989 * 1990 * If no flag at all is set (state value is 0), then the engine is not 1991 * fully initialised yet. 1992 * 1993 * The `BR_SSL_CLOSED` flag is exclusive; when it is set, no other flag 1994 * is set. To distinguish between a normal closure and an error, use 1995 * `br_ssl_engine_last_error()`. 1996 * 1997 * Generally speaking, `BR_SSL_SENDREC` and `BR_SSL_SENDAPP` are mutually 1998 * exclusive: the input buffer, at any point, either accumulates 1999 * plaintext data, or contains an assembled record that is being sent. 2000 * Similarly, `BR_SSL_RECVREC` and `BR_SSL_RECVAPP` are mutually exclusive. 2001 * This may change in a future library version. 2002 * 2003 * \param cc SSL engine context. 2004 * \return the current engine state. 2005 */ 2006unsigned br_ssl_engine_current_state(const br_ssl_engine_context *cc); 2007 2008/** \brief SSL engine state: closed or failed. */ 2009#define BR_SSL_CLOSED 0x0001 2010/** \brief SSL engine state: record data is ready to be sent to the peer. */ 2011#define BR_SSL_SENDREC 0x0002 2012/** \brief SSL engine state: engine may receive records from the peer. */ 2013#define BR_SSL_RECVREC 0x0004 2014/** \brief SSL engine state: engine may accept application data to send. */ 2015#define BR_SSL_SENDAPP 0x0008 2016/** \brief SSL engine state: engine has received application data. */ 2017#define BR_SSL_RECVAPP 0x0010 2018 2019/** 2020 * \brief Get the engine error indicator. 2021 * 2022 * The error indicator is `BR_ERR_OK` (0) if no error was encountered 2023 * since the last call to `br_ssl_client_reset()` or 2024 * `br_ssl_server_reset()`. Other status values are "sticky": they 2025 * remain set, and prevent all I/O activity, until cleared. Only the 2026 * reset calls clear the error indicator. 2027 * 2028 * \param cc SSL engine context. 2029 * \return 0, or a non-zero error code. 2030 */ 2031static inline int 2032br_ssl_engine_last_error(const br_ssl_engine_context *cc) 2033{ 2034 return cc->err; 2035} 2036 2037/* 2038 * There are four I/O operations, each identified by a symbolic name: 2039 * 2040 * sendapp inject application data in the engine 2041 * recvapp retrieving application data from the engine 2042 * sendrec sending records on the transport medium 2043 * recvrec receiving records from the transport medium 2044 * 2045 * Terminology works thus: in a layered model where the SSL engine sits 2046 * between the application and the network, "send" designates operations 2047 * where bytes flow from application to network, and "recv" for the 2048 * reverse operation. Application data (the plaintext that is to be 2049 * conveyed through SSL) is "app", while encrypted records are "rec". 2050 * Note that from the SSL engine point of view, "sendapp" and "recvrec" 2051 * designate bytes that enter the engine ("inject" operation), while 2052 * "recvapp" and "sendrec" designate bytes that exit the engine 2053 * ("extract" operation). 2054 * 2055 * For the operation 'xxx', two functions are defined: 2056 * 2057 * br_ssl_engine_xxx_buf 2058 * Returns a pointer and length to the buffer to use for that 2059 * operation. '*len' is set to the number of bytes that may be read 2060 * from the buffer (extract operation) or written to the buffer 2061 * (inject operation). If no byte may be exchanged for that operation 2062 * at that point, then '*len' is set to zero, and NULL is returned. 2063 * The engine state is unmodified by this call. 2064 * 2065 * br_ssl_engine_xxx_ack 2066 * Informs the engine that 'len' bytes have been read from the buffer 2067 * (extract operation) or written to the buffer (inject operation). 2068 * The 'len' value MUST NOT be zero. The 'len' value MUST NOT exceed 2069 * that which was obtained from a preceding br_ssl_engine_xxx_buf() 2070 * call. 2071 */ 2072 2073/** 2074 * \brief Get buffer for application data to send. 2075 * 2076 * If the engine is ready to accept application data to send to the 2077 * peer, then this call returns a pointer to the buffer where such 2078 * data shall be written, and its length is written in `*len`. 2079 * Otherwise, `*len` is set to 0 and `NULL` is returned. 2080 * 2081 * \param cc SSL engine context. 2082 * \param len receives the application data output buffer length, or 0. 2083 * \return the application data output buffer, or `NULL`. 2084 */ 2085unsigned char *br_ssl_engine_sendapp_buf( 2086 const br_ssl_engine_context *cc, size_t *len); 2087 2088/** 2089 * \brief Inform the engine of some new application data. 2090 * 2091 * After writing `len` bytes in the buffer returned by 2092 * `br_ssl_engine_sendapp_buf()`, the application shall call this 2093 * function to trigger any relevant processing. The `len` parameter 2094 * MUST NOT be 0, and MUST NOT exceed the value obtained in the 2095 * `br_ssl_engine_sendapp_buf()` call. 2096 * 2097 * \param cc SSL engine context. 2098 * \param len number of bytes pushed (not zero). 2099 */ 2100void br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len); 2101 2102/** 2103 * \brief Get buffer for received application data. 2104 * 2105 * If the engine has received application data from the peer, then this 2106 * call returns a pointer to the buffer from where such data shall be 2107 * read, and its length is written in `*len`. Otherwise, `*len` is set 2108 * to 0 and `NULL` is returned. 2109 * 2110 * \param cc SSL engine context. 2111 * \param len receives the application data input buffer length, or 0. 2112 * \return the application data input buffer, or `NULL`. 2113 */ 2114unsigned char *br_ssl_engine_recvapp_buf( 2115 const br_ssl_engine_context *cc, size_t *len); 2116 2117/** 2118 * \brief Acknowledge some received application data. 2119 * 2120 * After reading `len` bytes from the buffer returned by 2121 * `br_ssl_engine_recvapp_buf()`, the application shall call this 2122 * function to trigger any relevant processing. The `len` parameter 2123 * MUST NOT be 0, and MUST NOT exceed the value obtained in the 2124 * `br_ssl_engine_recvapp_buf()` call. 2125 * 2126 * \param cc SSL engine context. 2127 * \param len number of bytes read (not zero). 2128 */ 2129void br_ssl_engine_recvapp_ack(br_ssl_engine_context *cc, size_t len); 2130 2131/** 2132 * \brief Get buffer for record data to send. 2133 * 2134 * If the engine has prepared some records to send to the peer, then this 2135 * call returns a pointer to the buffer from where such data shall be 2136 * read, and its length is written in `*len`. Otherwise, `*len` is set 2137 * to 0 and `NULL` is returned. 2138 * 2139 * \param cc SSL engine context. 2140 * \param len receives the record data output buffer length, or 0. 2141 * \return the record data output buffer, or `NULL`. 2142 */ 2143unsigned char *br_ssl_engine_sendrec_buf( 2144 const br_ssl_engine_context *cc, size_t *len); 2145 2146/** 2147 * \brief Acknowledge some sent record data. 2148 * 2149 * After reading `len` bytes from the buffer returned by 2150 * `br_ssl_engine_sendrec_buf()`, the application shall call this 2151 * function to trigger any relevant processing. The `len` parameter 2152 * MUST NOT be 0, and MUST NOT exceed the value obtained in the 2153 * `br_ssl_engine_sendrec_buf()` call. 2154 * 2155 * \param cc SSL engine context. 2156 * \param len number of bytes read (not zero). 2157 */ 2158void br_ssl_engine_sendrec_ack(br_ssl_engine_context *cc, size_t len); 2159 2160/** 2161 * \brief Get buffer for incoming records. 2162 * 2163 * If the engine is ready to accept records from the peer, then this 2164 * call returns a pointer to the buffer where such data shall be 2165 * written, and its length is written in `*len`. Otherwise, `*len` is 2166 * set to 0 and `NULL` is returned. 2167 * 2168 * \param cc SSL engine context. 2169 * \param len receives the record data input buffer length, or 0. 2170 * \return the record data input buffer, or `NULL`. 2171 */ 2172unsigned char *br_ssl_engine_recvrec_buf( 2173 const br_ssl_engine_context *cc, size_t *len); 2174 2175/** 2176 * \brief Inform the engine of some new record data. 2177 * 2178 * After writing `len` bytes in the buffer returned by 2179 * `br_ssl_engine_recvrec_buf()`, the application shall call this 2180 * function to trigger any relevant processing. The `len` parameter 2181 * MUST NOT be 0, and MUST NOT exceed the value obtained in the 2182 * `br_ssl_engine_recvrec_buf()` call. 2183 * 2184 * \param cc SSL engine context. 2185 * \param len number of bytes pushed (not zero). 2186 */ 2187void br_ssl_engine_recvrec_ack(br_ssl_engine_context *cc, size_t len); 2188 2189/** 2190 * \brief Flush buffered application data. 2191 * 2192 * If some application data has been buffered in the engine, then wrap 2193 * it into a record and mark it for sending. If no application data has 2194 * been buffered but the engine would be ready to accept some, AND the 2195 * `force` parameter is non-zero, then an empty record is assembled and 2196 * marked for sending. In all other cases, this function does nothing. 2197 * 2198 * Empty records are technically legal, but not all existing SSL/TLS 2199 * implementations support them. Empty records can be useful as a 2200 * transparent "keep-alive" mechanism to maintain some low-level 2201 * network activity. 2202 * 2203 * \param cc SSL engine context. 2204 * \param force non-zero to force sending an empty record. 2205 */ 2206void br_ssl_engine_flush(br_ssl_engine_context *cc, int force); 2207 2208/** 2209 * \brief Initiate a closure. 2210 * 2211 * If, at that point, the context is open and in ready state, then a 2212 * `close_notify` alert is assembled and marked for sending; this 2213 * triggers the closure protocol. Otherwise, no such alert is assembled. 2214 * 2215 * \param cc SSL engine context. 2216 */ 2217void br_ssl_engine_close(br_ssl_engine_context *cc); 2218 2219/** 2220 * \brief Initiate a renegotiation. 2221 * 2222 * If the engine is failed or closed, or if the peer is known not to 2223 * support secure renegotiation (RFC 5746), or if renegotiations have 2224 * been disabled with the `BR_OPT_NO_RENEGOTIATION` flag, or if there 2225 * is buffered incoming application data, then this function returns 0 2226 * and nothing else happens. 2227 * 2228 * Otherwise, this function returns 1, and a renegotiation attempt is 2229 * triggered (if a handshake is already ongoing at that point, then 2230 * no new handshake is triggered). 2231 * 2232 * \param cc SSL engine context. 2233 * \return 1 on success, 0 on error. 2234 */ 2235int br_ssl_engine_renegotiate(br_ssl_engine_context *cc); 2236 2237/** 2238 * \brief Export key material from a connected SSL engine (RFC 5705). 2239 * 2240 * This calls compute a secret key of arbitrary length from the master 2241 * secret of a connected SSL engine. If the provided context is not 2242 * currently in "application data" state (initial handshake is not 2243 * finished, another handshake is ongoing, or the connection failed or 2244 * was closed), then this function returns 0. Otherwise, a secret key of 2245 * length `len` bytes is computed and written in the buffer pointed to 2246 * by `dst`, and 1 is returned. 2247 * 2248 * The computed key follows the specification described in RFC 5705. 2249 * That RFC includes two key computations, with and without a "context 2250 * value". If `context` is `NULL`, then the variant without context is 2251 * used; otherwise, the `context_len` bytes located at the address 2252 * pointed to by `context` are used in the computation. Note that it 2253 * is possible to have a "with context" key with a context length of 2254 * zero bytes, by setting `context` to a non-`NULL` value but 2255 * `context_len` to 0. 2256 * 2257 * When context bytes are used, the context length MUST NOT exceed 2258 * 65535 bytes. 2259 * 2260 * \param cc SSL engine context. 2261 * \param dst destination buffer for exported key. 2262 * \param len exported key length (in bytes). 2263 * \param label disambiguation label. 2264 * \param context context value (or `NULL`). 2265 * \param context_len context length (in bytes). 2266 * \return 1 on success, 0 on error. 2267 */ 2268int br_ssl_key_export(br_ssl_engine_context *cc, 2269 void *dst, size_t len, const char *label, 2270 const void *context, size_t context_len); 2271 2272/* 2273 * Pre-declaration for the SSL client context. 2274 */ 2275typedef struct br_ssl_client_context_ br_ssl_client_context; 2276 2277/** 2278 * \brief Type for the client certificate, if requested by the server. 2279 */ 2280typedef struct { 2281 /** 2282 * \brief Authentication type. 2283 * 2284 * This is either `BR_AUTH_RSA` (RSA signature), `BR_AUTH_ECDSA` 2285 * (ECDSA signature), or `BR_AUTH_ECDH` (static ECDH key exchange). 2286 */ 2287 int auth_type; 2288 2289 /** 2290 * \brief Hash function for computing the CertificateVerify. 2291 * 2292 * This is the symbolic identifier for the hash function that 2293 * will be used to produce the hash of handshake messages, to 2294 * be signed into the CertificateVerify. For full static ECDH 2295 * (client and server certificates are both EC in the same 2296 * curve, and static ECDH is used), this value is set to -1. 2297 * 2298 * Take care that with TLS 1.0 and 1.1, that value MUST match 2299 * the protocol requirements: value must be 0 (MD5+SHA-1) for 2300 * a RSA signature, or 2 (SHA-1) for an ECDSA signature. Only 2301 * TLS 1.2 allows for other hash functions. 2302 */ 2303 int hash_id; 2304 2305 /** 2306 * \brief Certificate chain to send to the server. 2307 * 2308 * This is an array of `br_x509_certificate` objects, each 2309 * normally containing a DER-encoded certificate. The client 2310 * code does not try to decode these elements. If there is no 2311 * chain to send to the server, then this pointer shall be 2312 * set to `NULL`. 2313 */ 2314 const br_x509_certificate *chain; 2315 2316 /** 2317 * \brief Certificate chain length (number of certificates). 2318 * 2319 * If there is no chain to send to the server, then this value 2320 * shall be set to 0. 2321 */ 2322 size_t chain_len; 2323 2324} br_ssl_client_certificate; 2325 2326/* 2327 * Note: the constants below for signatures match the TLS constants. 2328 */ 2329 2330/** \brief Client authentication type: static ECDH. */ 2331#define BR_AUTH_ECDH 0 2332/** \brief Client authentication type: RSA signature. */ 2333#define BR_AUTH_RSA 1 2334/** \brief Client authentication type: ECDSA signature. */ 2335#define BR_AUTH_ECDSA 3 2336 2337/** 2338 * \brief Class type for a certificate handler (client side). 2339 * 2340 * A certificate handler selects a client certificate chain to send to 2341 * the server, upon explicit request from that server. It receives 2342 * the list of trust anchor DN from the server, and supported types 2343 * of certificates and signatures, and returns the chain to use. It 2344 * is also invoked to perform the corresponding private key operation 2345 * (a signature, or an ECDH computation). 2346 * 2347 * The SSL client engine will first push the trust anchor DN with 2348 * `start_name_list()`, `start_name()`, `append_name()`, `end_name()` 2349 * and `end_name_list()`. Then it will call `choose()`, to select the 2350 * actual chain (and signature/hash algorithms). Finally, it will call 2351 * either `do_sign()` or `do_keyx()`, depending on the algorithm choices. 2352 */ 2353typedef struct br_ssl_client_certificate_class_ br_ssl_client_certificate_class; 2354struct br_ssl_client_certificate_class_ { 2355 /** 2356 * \brief Context size (in bytes). 2357 */ 2358 size_t context_size; 2359 2360 /** 2361 * \brief Begin reception of a list of trust anchor names. This 2362 * is called while parsing the incoming CertificateRequest. 2363 * 2364 * \param pctx certificate handler context. 2365 */ 2366 void (*start_name_list)(const br_ssl_client_certificate_class **pctx); 2367 2368 /** 2369 * \brief Begin reception of a new trust anchor name. 2370 * 2371 * The total encoded name length is provided; it is less than 2372 * 65535 bytes. 2373 * 2374 * \param pctx certificate handler context. 2375 * \param len encoded name length (in bytes). 2376 */ 2377 void (*start_name)(const br_ssl_client_certificate_class **pctx, 2378 size_t len); 2379 2380 /** 2381 * \brief Receive some more bytes for the current trust anchor name. 2382 * 2383 * The provided reference (`data`) points to a transient buffer 2384 * they may be reused as soon as this function returns. The chunk 2385 * length (`len`) is never zero. 2386 * 2387 * \param pctx certificate handler context. 2388 * \param data anchor name chunk. 2389 * \param len anchor name chunk length (in bytes). 2390 */ 2391 void (*append_name)(const br_ssl_client_certificate_class **pctx, 2392 const unsigned char *data, size_t len); 2393 2394 /** 2395 * \brief End current trust anchor name. 2396 * 2397 * This function is called when all the encoded anchor name data 2398 * has been provided. 2399 * 2400 * \param pctx certificate handler context. 2401 */ 2402 void (*end_name)(const br_ssl_client_certificate_class **pctx); 2403 2404 /** 2405 * \brief End list of trust anchor names. 2406 * 2407 * This function is called when all the anchor names in the 2408 * CertificateRequest message have been obtained. 2409 * 2410 * \param pctx certificate handler context. 2411 */ 2412 void (*end_name_list)(const br_ssl_client_certificate_class **pctx); 2413 2414 /** 2415 * \brief Select client certificate and algorithms. 2416 * 2417 * This callback function shall fill the provided `choices` 2418 * structure with the selected algorithms and certificate chain. 2419 * The `hash_id`, `chain` and `chain_len` fields must be set. If 2420 * the client cannot or does not wish to send a certificate, 2421 * then it shall set `chain` to `NULL` and `chain_len` to 0. 2422 * 2423 * The `auth_types` parameter describes the authentication types, 2424 * signature algorithms and hash functions that are supported by 2425 * both the client context and the server, and compatible with 2426 * the current protocol version. This is a bit field with the 2427 * following contents: 2428 * 2429 * - If RSA signatures with hash function x are supported, then 2430 * bit x is set. 2431 * 2432 * - If ECDSA signatures with hash function x are supported, 2433 * then bit 8+x is set. 2434 * 2435 * - If static ECDH is supported, with a RSA-signed certificate, 2436 * then bit 16 is set. 2437 * 2438 * - If static ECDH is supported, with an ECDSA-signed certificate, 2439 * then bit 17 is set. 2440 * 2441 * Notes: 2442 * 2443 * - When using TLS 1.0 or 1.1, the hash function for RSA 2444 * signatures is always the special MD5+SHA-1 (id 0), and the 2445 * hash function for ECDSA signatures is always SHA-1 (id 2). 2446 * 2447 * - When using TLS 1.2, the list of hash functions is trimmed 2448 * down to include only hash functions that the client context 2449 * can support. The actual server list can be obtained with 2450 * `br_ssl_client_get_server_hashes()`; that list may be used 2451 * to select the certificate chain to send to the server. 2452 * 2453 * \param pctx certificate handler context. 2454 * \param cc SSL client context. 2455 * \param auth_types supported authentication types and algorithms. 2456 * \param choices destination structure for the policy choices. 2457 */ 2458 void (*choose)(const br_ssl_client_certificate_class **pctx, 2459 const br_ssl_client_context *cc, uint32_t auth_types, 2460 br_ssl_client_certificate *choices); 2461 2462 /** 2463 * \brief Perform key exchange (client part). 2464 * 2465 * This callback is invoked in case of a full static ECDH key 2466 * exchange: 2467 * 2468 * - the cipher suite uses `ECDH_RSA` or `ECDH_ECDSA`; 2469 * 2470 * - the server requests a client certificate; 2471 * 2472 * - the client has, and sends, a client certificate that 2473 * uses an EC key in the same curve as the server's key, 2474 * and chooses static ECDH (the `hash_id` field in the choice 2475 * structure was set to -1). 2476 * 2477 * In that situation, this callback is invoked to compute the 2478 * client-side ECDH: the provided `data` (of length `*len` bytes) 2479 * is the server's public key point (as decoded from its 2480 * certificate), and the client shall multiply that point with 2481 * its own private key, and write back the X coordinate of the 2482 * resulting point in the same buffer, starting at offset 0. 2483 * The `*len` value shall be modified to designate the actual 2484 * length of the X coordinate. 2485 * 2486 * The callback must uphold the following: 2487 * 2488 * - If the input array does not have the proper length for 2489 * an encoded curve point, then an error (0) shall be reported. 2490 * 2491 * - If the input array has the proper length, then processing 2492 * MUST be constant-time, even if the data is not a valid 2493 * encoded point. 2494 * 2495 * - This callback MUST check that the input point is valid. 2496 * 2497 * Returned value is 1 on success, 0 on error. 2498 * 2499 * \param pctx certificate handler context. 2500 * \param data server public key point. 2501 * \param len public key point length / X coordinate length. 2502 * \return 1 on success, 0 on error. 2503 */ 2504 uint32_t (*do_keyx)(const br_ssl_client_certificate_class **pctx, 2505 unsigned char *data, size_t *len); 2506 2507 /** 2508 * \brief Perform a signature (client authentication). 2509 * 2510 * This callback is invoked when a client certificate was sent, 2511 * and static ECDH is not used. It shall compute a signature, 2512 * using the client's private key, over the provided hash value 2513 * (which is the hash of all previous handshake messages). 2514 * 2515 * On input, the hash value to sign is in `data`, of size 2516 * `hv_len`; the involved hash function is identified by 2517 * `hash_id`. The signature shall be computed and written 2518 * back into `data`; the total size of that buffer is `len` 2519 * bytes. 2520 * 2521 * This callback shall verify that the signature length does not 2522 * exceed `len` bytes, and abstain from writing the signature if 2523 * it does not fit. 2524 * 2525 * For RSA signatures, the `hash_id` may be 0, in which case 2526 * this is the special header-less signature specified in TLS 1.0 2527 * and 1.1, with a 36-byte hash value. Otherwise, normal PKCS#1 2528 * v1.5 signatures shall be computed. 2529 * 2530 * For ECDSA signatures, the signature value shall use the ASN.1 2531 * based encoding. 2532 * 2533 * Returned value is the signature length (in bytes), or 0 on error. 2534 * 2535 * \param pctx certificate handler context. 2536 * \param hash_id hash function identifier. 2537 * \param hv_len hash value length (in bytes). 2538 * \param data input/output buffer (hash value, then signature). 2539 * \param len total buffer length (in bytes). 2540 * \return signature length (in bytes) on success, or 0 on error. 2541 */ 2542 size_t (*do_sign)(const br_ssl_client_certificate_class **pctx, 2543 int hash_id, size_t hv_len, unsigned char *data, size_t len); 2544}; 2545 2546/** 2547 * \brief A single-chain RSA client certificate handler. 2548 * 2549 * This handler uses a single certificate chain, with a RSA 2550 * signature. The list of trust anchor DN is ignored. 2551 * 2552 * Apart from the first field (vtable pointer), its contents are 2553 * opaque and shall not be accessed directly. 2554 */ 2555typedef struct { 2556 /** \brief Pointer to vtable. */ 2557 const br_ssl_client_certificate_class *vtable; 2558#ifndef BR_DOXYGEN_IGNORE 2559 const br_x509_certificate *chain; 2560 size_t chain_len; 2561 const br_rsa_private_key *sk; 2562 br_rsa_pkcs1_sign irsasign; 2563#endif 2564} br_ssl_client_certificate_rsa_context; 2565 2566/** 2567 * \brief A single-chain EC client certificate handler. 2568 * 2569 * This handler uses a single certificate chain, with a RSA 2570 * signature. The list of trust anchor DN is ignored. 2571 * 2572 * This handler may support both static ECDH, and ECDSA signatures 2573 * (either usage may be selectively disabled). 2574 * 2575 * Apart from the first field (vtable pointer), its contents are 2576 * opaque and shall not be accessed directly. 2577 */ 2578typedef struct { 2579 /** \brief Pointer to vtable. */ 2580 const br_ssl_client_certificate_class *vtable; 2581#ifndef BR_DOXYGEN_IGNORE 2582 const br_x509_certificate *chain; 2583 size_t chain_len; 2584 const br_ec_private_key *sk; 2585 unsigned allowed_usages; 2586 unsigned issuer_key_type; 2587 const br_multihash_context *mhash; 2588 const br_ec_impl *iec; 2589 br_ecdsa_sign iecdsa; 2590#endif 2591} br_ssl_client_certificate_ec_context; 2592 2593/** 2594 * \brief Context structure for a SSL client. 2595 * 2596 * The first field (called `eng`) is the SSL engine; all functions that 2597 * work on a `br_ssl_engine_context` structure shall take as parameter 2598 * a pointer to that field. The other structure fields are opaque and 2599 * must not be accessed directly. 2600 */ 2601struct br_ssl_client_context_ { 2602 /** 2603 * \brief The encapsulated engine context. 2604 */ 2605 br_ssl_engine_context eng; 2606 2607#ifndef BR_DOXYGEN_IGNORE 2608 /* 2609 * Minimum ClientHello length; padding with an extension (RFC 2610 * 7685) is added if necessary to match at least that length. 2611 * Such padding is nominally unnecessary, but it has been used 2612 * to work around some server implementation bugs. 2613 */ 2614 uint16_t min_clienthello_len; 2615 2616 /* 2617 * Bit field for algoithms (hash + signature) supported by the 2618 * server when requesting a client certificate. 2619 */ 2620 uint32_t hashes; 2621 2622 /* 2623 * Server's public key curve. 2624 */ 2625 int server_curve; 2626 2627 /* 2628 * Context for certificate handler. 2629 */ 2630 const br_ssl_client_certificate_class **client_auth_vtable; 2631 2632 /* 2633 * Client authentication type. 2634 */ 2635 unsigned char auth_type; 2636 2637 /* 2638 * Hash function to use for the client signature. This is 0xFF 2639 * if static ECDH is used. 2640 */ 2641 unsigned char hash_id; 2642 2643 /* 2644 * For the core certificate handlers, thus avoiding (in most 2645 * cases) the need for an externally provided policy context. 2646 */ 2647 union { 2648 const br_ssl_client_certificate_class *vtable; 2649 br_ssl_client_certificate_rsa_context single_rsa; 2650 br_ssl_client_certificate_ec_context single_ec; 2651 } client_auth; 2652 2653 /* 2654 * Implementations. 2655 */ 2656 br_rsa_public irsapub; 2657#endif 2658}; 2659 2660/** 2661 * \brief Get the hash functions and signature algorithms supported by 2662 * the server. 2663 * 2664 * This value is a bit field: 2665 * 2666 * - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`, 2667 * then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1, 2668 * or 2 to 6 for the SHA family). 2669 * 2670 * - If ECDSA is supported with hash function of ID `x`, then bit `8+x` 2671 * is set. 2672 * 2673 * - Newer algorithms are symbolic 16-bit identifiers that do not 2674 * represent signature algorithm and hash function separately. If 2675 * the TLS-level identifier is `0x0800+x` for a `x` in the 0..15 2676 * range, then bit `16+x` is set. 2677 * 2678 * "New algorithms" are currently defined only in draft documents, so 2679 * this support is subject to possible change. Right now (early 2017), 2680 * this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA 2681 * on Curve448) to bit 24. If the identifiers on the wire change in 2682 * future document, then the decoding mechanism in BearSSL will be 2683 * amended to keep mapping ed25519 and ed448 on bits 23 and 24, 2684 * respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not 2685 * guaranteed yet. 2686 * 2687 * \param cc client context. 2688 * \return the server-supported hash functions and signature algorithms. 2689 */ 2690static inline uint32_t 2691br_ssl_client_get_server_hashes(const br_ssl_client_context *cc) 2692{ 2693 return cc->hashes; 2694} 2695 2696/** 2697 * \brief Get the server key curve. 2698 * 2699 * This function returns the ID for the curve used by the server's public 2700 * key. This is set when the server's certificate chain is processed; 2701 * this value is 0 if the server's key is not an EC key. 2702 * 2703 * \return the server's public key curve ID, or 0. 2704 */ 2705static inline int 2706br_ssl_client_get_server_curve(const br_ssl_client_context *cc) 2707{ 2708 return cc->server_curve; 2709} 2710 2711/* 2712 * Each br_ssl_client_init_xxx() function sets the list of supported 2713 * cipher suites and used implementations, as specified by the profile 2714 * name 'xxx'. Defined profile names are: 2715 * 2716 * full all supported versions and suites; constant-time implementations 2717 * TODO: add other profiles 2718 */ 2719 2720/** 2721 * \brief SSL client profile: full. 2722 * 2723 * This function initialises the provided SSL client context with 2724 * all supported algorithms and cipher suites. It also initialises 2725 * a companion X.509 validation engine with all supported algorithms, 2726 * and the provided trust anchors; the X.509 engine will be used by 2727 * the client context to validate the server's certificate. 2728 * 2729 * \param cc client context to initialise. 2730 * \param xc X.509 validation context to initialise. 2731 * \param trust_anchors trust anchors to use. 2732 * \param trust_anchors_num number of trust anchors. 2733 */ 2734void br_ssl_client_init_full(br_ssl_client_context *cc, 2735 br_x509_minimal_context *xc, 2736 const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num); 2737 2738/** 2739 * \brief Clear the complete contents of a SSL client context. 2740 * 2741 * Everything is cleared, including the reference to the configured buffer, 2742 * implementations, cipher suites and state. This is a preparatory step 2743 * to assembling a custom profile. 2744 * 2745 * \param cc client context to clear. 2746 */ 2747void br_ssl_client_zero(br_ssl_client_context *cc); 2748 2749/** 2750 * \brief Set an externally provided client certificate handler context. 2751 * 2752 * The handler's methods are invoked when the server requests a client 2753 * certificate. 2754 * 2755 * \param cc client context. 2756 * \param pctx certificate handler context (pointer to its vtable field). 2757 */ 2758static inline void 2759br_ssl_client_set_client_certificate(br_ssl_client_context *cc, 2760 const br_ssl_client_certificate_class **pctx) 2761{ 2762 cc->client_auth_vtable = pctx; 2763} 2764 2765/** 2766 * \brief Set the RSA public-key operations implementation. 2767 * 2768 * This will be used to encrypt the pre-master secret with the server's 2769 * RSA public key (RSA-encryption cipher suites only). 2770 * 2771 * \param cc client context. 2772 * \param irsapub RSA public-key encryption implementation. 2773 */ 2774static inline void 2775br_ssl_client_set_rsapub(br_ssl_client_context *cc, br_rsa_public irsapub) 2776{ 2777 cc->irsapub = irsapub; 2778} 2779 2780/** 2781 * \brief Set the "default" RSA implementation for public-key operations. 2782 * 2783 * This sets the RSA implementation in the client context (for encrypting 2784 * the pre-master secret, in `TLS_RSA_*` cipher suites) to the fastest 2785 * available on the current platform. 2786 * 2787 * \param cc client context. 2788 */ 2789void br_ssl_client_set_default_rsapub(br_ssl_client_context *cc); 2790 2791/** 2792 * \brief Set the minimum ClientHello length (RFC 7685 padding). 2793 * 2794 * If this value is set and the ClientHello would be shorter, then 2795 * the Pad ClientHello extension will be added with enough padding bytes 2796 * to reach the target size. Because of the extension header, the resulting 2797 * size will sometimes be slightly more than `len` bytes if the target 2798 * size cannot be exactly met. 2799 * 2800 * The target length relates to the _contents_ of the ClientHello, not 2801 * counting its 4-byte header. For instance, if `len` is set to 512, 2802 * then the padding will bring the ClientHello size to 516 bytes with its 2803 * header, and 521 bytes when counting the 5-byte record header. 2804 * 2805 * \param cc client context. 2806 * \param len minimum ClientHello length (in bytes). 2807 */ 2808static inline void 2809br_ssl_client_set_min_clienthello_len(br_ssl_client_context *cc, uint16_t len) 2810{ 2811 cc->min_clienthello_len = len; 2812} 2813 2814/** 2815 * \brief Prepare or reset a client context for a new connection. 2816 * 2817 * The `server_name` parameter is used to fill the SNI extension; the 2818 * X.509 "minimal" engine will also match that name against the server 2819 * names included in the server's certificate. If the parameter is 2820 * `NULL` then no SNI extension will be sent, and the X.509 "minimal" 2821 * engine (if used for server certificate validation) will not check 2822 * presence of any specific name in the received certificate. 2823 * 2824 * Therefore, setting the `server_name` to `NULL` shall be reserved 2825 * to cases where alternate or additional methods are used to ascertain 2826 * that the right server public key is used (e.g. a "known key" model). 2827 * 2828 * If `resume_session` is non-zero and the context was previously used 2829 * then the session parameters may be reused (depending on whether the 2830 * server previously sent a non-empty session ID, and accepts the session 2831 * resumption). The session parameters for session resumption can also 2832 * be set explicitly with `br_ssl_engine_set_session_parameters()`. 2833 * 2834 * On failure, the context is marked as failed, and this function 2835 * returns 0. A possible failure condition is when no initial entropy 2836 * was injected, and none could be obtained from the OS (either OS 2837 * randomness gathering is not supported, or it failed). 2838 * 2839 * \param cc client context. 2840 * \param server_name target server name, or `NULL`. 2841 * \param resume_session non-zero to try session resumption. 2842 * \return 0 on failure, 1 on success. 2843 */ 2844int br_ssl_client_reset(br_ssl_client_context *cc, 2845 const char *server_name, int resume_session); 2846 2847/** 2848 * \brief Forget any session in the context. 2849 * 2850 * This means that the next handshake that uses this context will 2851 * necessarily be a full handshake (this applies both to new connections 2852 * and to renegotiations). 2853 * 2854 * \param cc client context. 2855 */ 2856static inline void 2857br_ssl_client_forget_session(br_ssl_client_context *cc) 2858{ 2859 cc->eng.session.session_id_len = 0; 2860} 2861 2862/** 2863 * \brief Set client certificate chain and key (single RSA case). 2864 * 2865 * This function sets a client certificate chain, that the client will 2866 * send to the server whenever a client certificate is requested. This 2867 * certificate uses an RSA public key; the corresponding private key is 2868 * invoked for authentication. Trust anchor names sent by the server are 2869 * ignored. 2870 * 2871 * The provided chain and private key are linked in the client context; 2872 * they must remain valid as long as they may be used, i.e. normally 2873 * for the duration of the connection, since they might be invoked 2874 * again upon renegotiations. 2875 * 2876 * \param cc SSL client context. 2877 * \param chain client certificate chain (SSL order: EE comes first). 2878 * \param chain_len client chain length (number of certificates). 2879 * \param sk client private key. 2880 * \param irsasign RSA signature implementation (PKCS#1 v1.5). 2881 */ 2882void br_ssl_client_set_single_rsa(br_ssl_client_context *cc, 2883 const br_x509_certificate *chain, size_t chain_len, 2884 const br_rsa_private_key *sk, br_rsa_pkcs1_sign irsasign); 2885 2886/* 2887 * \brief Set the client certificate chain and key (single EC case). 2888 * 2889 * This function sets a client certificate chain, that the client will 2890 * send to the server whenever a client certificate is requested. This 2891 * certificate uses an EC public key; the corresponding private key is 2892 * invoked for authentication. Trust anchor names sent by the server are 2893 * ignored. 2894 * 2895 * The provided chain and private key are linked in the client context; 2896 * they must remain valid as long as they may be used, i.e. normally 2897 * for the duration of the connection, since they might be invoked 2898 * again upon renegotiations. 2899 * 2900 * The `allowed_usages` is a combination of usages, namely 2901 * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`. The `BR_KEYTYPE_KEYX` 2902 * value allows full static ECDH, while the `BR_KEYTYPE_SIGN` value 2903 * allows ECDSA signatures. If ECDSA signatures are used, then an ECDSA 2904 * signature implementation must be provided; otherwise, the `iecdsa` 2905 * parameter may be 0. 2906 * 2907 * The `cert_issuer_key_type` value is either `BR_KEYTYPE_RSA` or 2908 * `BR_KEYTYPE_EC`; it is the type of the public key used the the CA 2909 * that issued (signed) the client certificate. That value is used with 2910 * full static ECDH: support of the certificate by the server depends 2911 * on how the certificate was signed. (Note: when using TLS 1.2, this 2912 * parameter is ignored; but its value matters for TLS 1.0 and 1.1.) 2913 * 2914 * \param cc server context. 2915 * \param chain server certificate chain to send. 2916 * \param chain_len chain length (number of certificates). 2917 * \param sk server private key (EC). 2918 * \param allowed_usages allowed private key usages. 2919 * \param cert_issuer_key_type issuing CA's key type. 2920 * \param iec EC core implementation. 2921 * \param iecdsa ECDSA signature implementation ("asn1" format). 2922 */ 2923void br_ssl_client_set_single_ec(br_ssl_client_context *cc, 2924 const br_x509_certificate *chain, size_t chain_len, 2925 const br_ec_private_key *sk, unsigned allowed_usages, 2926 unsigned cert_issuer_key_type, 2927 const br_ec_impl *iec, br_ecdsa_sign iecdsa); 2928 2929/** 2930 * \brief Type for a "translated cipher suite", as an array of two 2931 * 16-bit integers. 2932 * 2933 * The first element is the cipher suite identifier (as used on the wire). 2934 * The second element is the concatenation of four 4-bit elements which 2935 * characterise the cipher suite contents. In most to least significant 2936 * order, these 4-bit elements are: 2937 * 2938 * - Bits 12 to 15: key exchange + server key type 2939 * 2940 * | val | symbolic constant | suite type | details | 2941 * | :-- | :----------------------- | :---------- | :----------------------------------------------- | 2942 * | 0 | `BR_SSLKEYX_RSA` | RSA | RSA key exchange, key is RSA (encryption) | 2943 * | 1 | `BR_SSLKEYX_ECDHE_RSA` | ECDHE_RSA | ECDHE key exchange, key is RSA (signature) | 2944 * | 2 | `BR_SSLKEYX_ECDHE_ECDSA` | ECDHE_ECDSA | ECDHE key exchange, key is EC (signature) | 2945 * | 3 | `BR_SSLKEYX_ECDH_RSA` | ECDH_RSA | Key is EC (key exchange), cert signed with RSA | 2946 * | 4 | `BR_SSLKEYX_ECDH_ECDSA` | ECDH_ECDSA | Key is EC (key exchange), cert signed with ECDSA | 2947 * 2948 * - Bits 8 to 11: symmetric encryption algorithm 2949 * 2950 * | val | symbolic constant | symmetric encryption | key strength (bits) | 2951 * | :-- | :--------------------- | :------------------- | :------------------ | 2952 * | 0 | `BR_SSLENC_3DES_CBC` | 3DES/CBC | 168 | 2953 * | 1 | `BR_SSLENC_AES128_CBC` | AES-128/CBC | 128 | 2954 * | 2 | `BR_SSLENC_AES256_CBC` | AES-256/CBC | 256 | 2955 * | 3 | `BR_SSLENC_AES128_GCM` | AES-128/GCM | 128 | 2956 * | 4 | `BR_SSLENC_AES256_GCM` | AES-256/GCM | 256 | 2957 * | 5 | `BR_SSLENC_CHACHA20` | ChaCha20/Poly1305 | 256 | 2958 * 2959 * - Bits 4 to 7: MAC algorithm 2960 * 2961 * | val | symbolic constant | MAC type | details | 2962 * | :-- | :----------------- | :----------- | :------------------------------------ | 2963 * | 0 | `BR_SSLMAC_AEAD` | AEAD | No dedicated MAC (encryption is AEAD) | 2964 * | 2 | `BR_SSLMAC_SHA1` | HMAC/SHA-1 | Value matches `br_sha1_ID` | 2965 * | 4 | `BR_SSLMAC_SHA256` | HMAC/SHA-256 | Value matches `br_sha256_ID` | 2966 * | 5 | `BR_SSLMAC_SHA384` | HMAC/SHA-384 | Value matches `br_sha384_ID` | 2967 * 2968 * - Bits 0 to 3: hash function for PRF when used with TLS-1.2 2969 * 2970 * | val | symbolic constant | hash function | details | 2971 * | :-- | :----------------- | :------------ | :----------------------------------- | 2972 * | 4 | `BR_SSLPRF_SHA256` | SHA-256 | Value matches `br_sha256_ID` | 2973 * | 5 | `BR_SSLPRF_SHA384` | SHA-384 | Value matches `br_sha384_ID` | 2974 * 2975 * For instance, cipher suite `TLS_RSA_WITH_AES_128_GCM_SHA256` has 2976 * standard identifier 0x009C, and is translated to 0x0304, for, in 2977 * that order: RSA key exchange (0), AES-128/GCM (3), AEAD integrity (0), 2978 * SHA-256 in the TLS PRF (4). 2979 */ 2980typedef uint16_t br_suite_translated[2]; 2981 2982#ifndef BR_DOXYGEN_IGNORE 2983/* 2984 * Constants are already documented in the br_suite_translated type. 2985 */ 2986 2987#define BR_SSLKEYX_RSA 0 2988#define BR_SSLKEYX_ECDHE_RSA 1 2989#define BR_SSLKEYX_ECDHE_ECDSA 2 2990#define BR_SSLKEYX_ECDH_RSA 3 2991#define BR_SSLKEYX_ECDH_ECDSA 4 2992 2993#define BR_SSLENC_3DES_CBC 0 2994#define BR_SSLENC_AES128_CBC 1 2995#define BR_SSLENC_AES256_CBC 2 2996#define BR_SSLENC_AES128_GCM 3 2997#define BR_SSLENC_AES256_GCM 4 2998#define BR_SSLENC_CHACHA20 5 2999 3000#define BR_SSLMAC_AEAD 0 3001#define BR_SSLMAC_SHA1 br_sha1_ID 3002#define BR_SSLMAC_SHA256 br_sha256_ID 3003#define BR_SSLMAC_SHA384 br_sha384_ID 3004 3005#define BR_SSLPRF_SHA256 br_sha256_ID 3006#define BR_SSLPRF_SHA384 br_sha384_ID 3007 3008#endif 3009 3010/* 3011 * Pre-declaration for the SSL server context. 3012 */ 3013typedef struct br_ssl_server_context_ br_ssl_server_context; 3014 3015/** 3016 * \brief Type for the server policy choices, taken after analysis of 3017 * the client message (ClientHello). 3018 */ 3019typedef struct { 3020 /** 3021 * \brief Cipher suite to use with that client. 3022 */ 3023 uint16_t cipher_suite; 3024 3025 /** 3026 * \brief Hash function or algorithm for signing the ServerKeyExchange. 3027 * 3028 * This parameter is ignored for `TLS_RSA_*` and `TLS_ECDH_*` 3029 * cipher suites; it is used only for `TLS_ECDHE_*` suites, in 3030 * which the server _signs_ the ephemeral EC Diffie-Hellman 3031 * parameters sent to the client. 3032 * 3033 * This identifier must be one of the following values: 3034 * 3035 * - `0xFF00 + id`, where `id` is a hash function identifier 3036 * (0 for MD5+SHA-1, or 2 to 6 for one of the SHA functions); 3037 * 3038 * - a full 16-bit identifier, lower than `0xFF00`. 3039 * 3040 * If the first option is used, then the SSL engine will 3041 * compute the hash of the data that is to be signed, with the 3042 * designated hash function. The `do_sign()` method will be 3043 * invoked with that hash value provided in the the `data` 3044 * buffer. 3045 * 3046 * If the second option is used, then the SSL engine will NOT 3047 * compute a hash on the data; instead, it will provide the 3048 * to-be-signed data itself in `data`, i.e. the concatenation of 3049 * the client random, server random, and encoded ECDH 3050 * parameters. Furthermore, with TLS-1.2 and later, the 16-bit 3051 * identifier will be used "as is" in the protocol, in the 3052 * SignatureAndHashAlgorithm; for instance, `0x0401` stands for 3053 * RSA PKCS#1 v1.5 signature (the `01`) with SHA-256 as hash 3054 * function (the `04`). 3055 * 3056 * Take care that with TLS 1.0 and 1.1, the hash function is 3057 * constrainted by the protocol: RSA signature must use 3058 * MD5+SHA-1 (so use `0xFF00`), while ECDSA must use SHA-1 3059 * (`0xFF02`). Since TLS 1.0 and 1.1 don't include a 3060 * SignatureAndHashAlgorithm field in their ServerKeyExchange 3061 * messages, any value below `0xFF00` will be usable to send the 3062 * raw ServerKeyExchange data to the `do_sign()` callback, but 3063 * that callback must still follow the protocol requirements 3064 * when generating the signature. 3065 */ 3066 unsigned algo_id; 3067 3068 /** 3069 * \brief Certificate chain to send to the client. 3070 * 3071 * This is an array of `br_x509_certificate` objects, each 3072 * normally containing a DER-encoded certificate. The server 3073 * code does not try to decode these elements. 3074 */ 3075 const br_x509_certificate *chain; 3076 3077 /** 3078 * \brief Certificate chain length (number of certificates). 3079 */ 3080 size_t chain_len; 3081 3082} br_ssl_server_choices; 3083 3084/** 3085 * \brief Class type for a policy handler (server side). 3086 * 3087 * A policy handler selects the policy parameters for a connection 3088 * (cipher suite and other algorithms, and certificate chain to send to 3089 * the client); it also performs the server-side computations involving 3090 * its permanent private key. 3091 * 3092 * The SSL server engine will invoke first `choose()`, once the 3093 * ClientHello message has been received, then either `do_keyx()` 3094 * `do_sign()`, depending on the cipher suite. 3095 */ 3096typedef struct br_ssl_server_policy_class_ br_ssl_server_policy_class; 3097struct br_ssl_server_policy_class_ { 3098 /** 3099 * \brief Context size (in bytes). 3100 */ 3101 size_t context_size; 3102 3103 /** 3104 * \brief Select algorithms and certificates for this connection. 3105 * 3106 * This callback function shall fill the provided `choices` 3107 * structure with the policy choices for this connection. This 3108 * entails selecting the cipher suite, hash function for signing 3109 * the ServerKeyExchange (applicable only to ECDHE cipher suites), 3110 * and certificate chain to send. 3111 * 3112 * The callback receives a pointer to the server context that 3113 * contains the relevant data. In particular, the functions 3114 * `br_ssl_server_get_client_suites()`, 3115 * `br_ssl_server_get_client_hashes()` and 3116 * `br_ssl_server_get_client_curves()` can be used to obtain 3117 * the cipher suites, hash functions and elliptic curves 3118 * supported by both the client and server, respectively. The 3119 * `br_ssl_engine_get_version()` and `br_ssl_engine_get_server_name()` 3120 * functions yield the protocol version and requested server name 3121 * (SNI), respectively. 3122 * 3123 * This function may modify its context structure (`pctx`) in 3124 * arbitrary ways to keep track of its own choices. 3125 * 3126 * This function shall return 1 if appropriate policy choices 3127 * could be made, or 0 if this connection cannot be pursued. 3128 * 3129 * \param pctx policy context. 3130 * \param cc SSL server context. 3131 * \param choices destination structure for the policy choices. 3132 * \return 1 on success, 0 on error. 3133 */ 3134 int (*choose)(const br_ssl_server_policy_class **pctx, 3135 const br_ssl_server_context *cc, 3136 br_ssl_server_choices *choices); 3137 3138 /** 3139 * \brief Perform key exchange (server part). 3140 * 3141 * This callback is invoked to perform the server-side cryptographic 3142 * operation for a key exchange that is not ECDHE. This callback 3143 * uses the private key. 3144 * 3145 * **For RSA key exchange**, the provided `data` (of length `*len` 3146 * bytes) shall be decrypted with the server's private key, and 3147 * the 48-byte premaster secret copied back to the first 48 bytes 3148 * of `data`. 3149 * 3150 * - The caller makes sure that `*len` is at least 59 bytes. 3151 * 3152 * - This callback MUST check that the provided length matches 3153 * that of the key modulus; it shall report an error otherwise. 3154 * 3155 * - If the length matches that of the RSA key modulus, then 3156 * processing MUST be constant-time, even if decryption fails, 3157 * or the padding is incorrect, or the plaintext message length 3158 * is not exactly 48 bytes. 3159 * 3160 * - This callback needs not check the two first bytes of the 3161 * obtained pre-master secret (the caller will do that). 3162 * 3163 * - If an error is reported (0), then what the callback put 3164 * in the first 48 bytes of `data` is unimportant (the caller 3165 * will use random bytes instead). 3166 * 3167 * **For ECDH key exchange**, the provided `data` (of length `*len` 3168 * bytes) is the elliptic curve point from the client. The 3169 * callback shall multiply it with its private key, and store 3170 * the resulting X coordinate in `data`, starting at offset 0, 3171 * and set `*len` to the length of the X coordinate. 3172 * 3173 * - If the input array does not have the proper length for 3174 * an encoded curve point, then an error (0) shall be reported. 3175 * 3176 * - If the input array has the proper length, then processing 3177 * MUST be constant-time, even if the data is not a valid 3178 * encoded point. 3179 * 3180 * - This callback MUST check that the input point is valid. 3181 * 3182 * Returned value is 1 on success, 0 on error. 3183 * 3184 * \param pctx policy context. 3185 * \param data key exchange data from the client. 3186 * \param len key exchange data length (in bytes). 3187 * \return 1 on success, 0 on error. 3188 */ 3189 uint32_t (*do_keyx)(const br_ssl_server_policy_class **pctx, 3190 unsigned char *data, size_t *len); 3191 3192 /** 3193 * \brief Perform a signature (for a ServerKeyExchange message). 3194 * 3195 * This callback function is invoked for ECDHE cipher suites. On 3196 * input, the hash value or message to sign is in `data`, of 3197 * size `hv_len`; the involved hash function or algorithm is 3198 * identified by `algo_id`. The signature shall be computed and 3199 * written back into `data`; the total size of that buffer is 3200 * `len` bytes. 3201 * 3202 * This callback shall verify that the signature length does not 3203 * exceed `len` bytes, and abstain from writing the signature if 3204 * it does not fit. 3205 * 3206 * The `algo_id` value matches that which was written in the 3207 * `choices` structures by the `choose()` callback. This will be 3208 * one of the following: 3209 * 3210 * - `0xFF00 + id` for a hash function identifier `id`. In 3211 * that case, the `data` buffer contains a hash value 3212 * already computed over the data that is to be signed, 3213 * of length `hv_len`. The `id` may be 0 to designate the 3214 * special MD5+SHA-1 concatenation (old-style RSA signing). 3215 * 3216 * - Another value, lower than `0xFF00`. The `data` buffer 3217 * then contains the raw, non-hashed data to be signed 3218 * (concatenation of the client and server randoms and 3219 * ECDH parameters). The callback is responsible to apply 3220 * any relevant hashing as part of the signing process. 3221 * 3222 * Returned value is the signature length (in bytes), or 0 on error. 3223 * 3224 * \param pctx policy context. 3225 * \param algo_id hash function / algorithm identifier. 3226 * \param data input/output buffer (message/hash, then signature). 3227 * \param hv_len hash value or message length (in bytes). 3228 * \param len total buffer length (in bytes). 3229 * \return signature length (in bytes) on success, or 0 on error. 3230 */ 3231 size_t (*do_sign)(const br_ssl_server_policy_class **pctx, 3232 unsigned algo_id, 3233 unsigned char *data, size_t hv_len, size_t len); 3234}; 3235 3236/** 3237 * \brief A single-chain RSA policy handler. 3238 * 3239 * This policy context uses a single certificate chain, and a RSA 3240 * private key. The context can be restricted to only signatures or 3241 * only key exchange. 3242 * 3243 * Apart from the first field (vtable pointer), its contents are 3244 * opaque and shall not be accessed directly. 3245 */ 3246typedef struct { 3247 /** \brief Pointer to vtable. */ 3248 const br_ssl_server_policy_class *vtable; 3249#ifndef BR_DOXYGEN_IGNORE 3250 const br_x509_certificate *chain; 3251 size_t chain_len; 3252 const br_rsa_private_key *sk; 3253 unsigned allowed_usages; 3254 br_rsa_private irsacore; 3255 br_rsa_pkcs1_sign irsasign; 3256#endif 3257} br_ssl_server_policy_rsa_context; 3258 3259/** 3260 * \brief A single-chain EC policy handler. 3261 * 3262 * This policy context uses a single certificate chain, and an EC 3263 * private key. The context can be restricted to only signatures or 3264 * only key exchange. 3265 * 3266 * Due to how TLS is defined, this context must be made aware whether 3267 * the server certificate was itself signed with RSA or ECDSA. The code 3268 * does not try to decode the certificate to obtain that information. 3269 * 3270 * Apart from the first field (vtable pointer), its contents are 3271 * opaque and shall not be accessed directly. 3272 */ 3273typedef struct { 3274 /** \brief Pointer to vtable. */ 3275 const br_ssl_server_policy_class *vtable; 3276#ifndef BR_DOXYGEN_IGNORE 3277 const br_x509_certificate *chain; 3278 size_t chain_len; 3279 const br_ec_private_key *sk; 3280 unsigned allowed_usages; 3281 unsigned cert_issuer_key_type; 3282 const br_multihash_context *mhash; 3283 const br_ec_impl *iec; 3284 br_ecdsa_sign iecdsa; 3285#endif 3286} br_ssl_server_policy_ec_context; 3287 3288/** 3289 * \brief Class type for a session parameter cache. 3290 * 3291 * Session parameters are saved in the cache with `save()`, and 3292 * retrieved with `load()`. The cache implementation can apply any 3293 * storage and eviction strategy that it sees fit. The SSL server 3294 * context that performs the request is provided, so that its 3295 * functionalities may be used by the implementation (e.g. hash 3296 * functions or random number generation). 3297 */ 3298typedef struct br_ssl_session_cache_class_ br_ssl_session_cache_class; 3299struct br_ssl_session_cache_class_ { 3300 /** 3301 * \brief Context size (in bytes). 3302 */ 3303 size_t context_size; 3304 3305 /** 3306 * \brief Record a session. 3307 * 3308 * This callback should record the provided session parameters. 3309 * The `params` structure is transient, so its contents shall 3310 * be copied into the cache. The session ID has been randomly 3311 * generated and always has length exactly 32 bytes. 3312 * 3313 * \param ctx session cache context. 3314 * \param server_ctx SSL server context. 3315 * \param params session parameters to save. 3316 */ 3317 void (*save)(const br_ssl_session_cache_class **ctx, 3318 br_ssl_server_context *server_ctx, 3319 const br_ssl_session_parameters *params); 3320 3321 /** 3322 * \brief Lookup a session in the cache. 3323 * 3324 * The session ID to lookup is in `params` and always has length 3325 * exactly 32 bytes. If the session parameters are found in the 3326 * cache, then the parameters shall be copied into the `params` 3327 * structure. Returned value is 1 on successful lookup, 0 3328 * otherwise. 3329 * 3330 * \param ctx session cache context. 3331 * \param server_ctx SSL server context. 3332 * \param params destination for session parameters. 3333 * \return 1 if found, 0 otherwise. 3334 */ 3335 int (*load)(const br_ssl_session_cache_class **ctx, 3336 br_ssl_server_context *server_ctx, 3337 br_ssl_session_parameters *params); 3338}; 3339 3340/** 3341 * \brief Context for a basic cache system. 3342 * 3343 * The system stores session parameters in a buffer provided at 3344 * initialisation time. Each entry uses exactly 100 bytes, and 3345 * buffer sizes up to 4294967295 bytes are supported. 3346 * 3347 * Entries are evicted with a LRU (Least Recently Used) policy. A 3348 * search tree is maintained to keep lookups fast even with large 3349 * caches. 3350 * 3351 * Apart from the first field (vtable pointer), the structure 3352 * contents are opaque and shall not be accessed directly. 3353 */ 3354typedef struct { 3355 /** \brief Pointer to vtable. */ 3356 const br_ssl_session_cache_class *vtable; 3357#ifndef BR_DOXYGEN_IGNORE 3358 unsigned char *store; 3359 size_t store_len, store_ptr; 3360 unsigned char index_key[32]; 3361 const br_hash_class *hash; 3362 int init_done; 3363 uint32_t head, tail, root; 3364#endif 3365} br_ssl_session_cache_lru; 3366 3367/** 3368 * \brief Initialise a LRU session cache with the provided storage space. 3369 * 3370 * The provided storage space must remain valid as long as the cache 3371 * is used. Arbitrary lengths are supported, up to 4294967295 bytes; 3372 * each entry uses up exactly 100 bytes. 3373 * 3374 * \param cc session cache context. 3375 * \param store storage space for cached entries. 3376 * \param store_len storage space length (in bytes). 3377 */ 3378void br_ssl_session_cache_lru_init(br_ssl_session_cache_lru *cc, 3379 unsigned char *store, size_t store_len); 3380 3381/** 3382 * \brief Forget an entry in an LRU session cache. 3383 * 3384 * The session cache context must have been initialised. The entry 3385 * with the provided session ID (of exactly 32 bytes) is looked for 3386 * in the cache; if located, it is disabled. 3387 * 3388 * \param cc session cache context. 3389 * \param id session ID to forget. 3390 */ 3391void br_ssl_session_cache_lru_forget( 3392 br_ssl_session_cache_lru *cc, const unsigned char *id); 3393 3394/** 3395 * \brief Context structure for a SSL server. 3396 * 3397 * The first field (called `eng`) is the SSL engine; all functions that 3398 * work on a `br_ssl_engine_context` structure shall take as parameter 3399 * a pointer to that field. The other structure fields are opaque and 3400 * must not be accessed directly. 3401 */ 3402struct br_ssl_server_context_ { 3403 /** 3404 * \brief The encapsulated engine context. 3405 */ 3406 br_ssl_engine_context eng; 3407 3408#ifndef BR_DOXYGEN_IGNORE 3409 /* 3410 * Maximum version from the client. 3411 */ 3412 uint16_t client_max_version; 3413 3414 /* 3415 * Session cache. 3416 */ 3417 const br_ssl_session_cache_class **cache_vtable; 3418 3419 /* 3420 * Translated cipher suites supported by the client. The list 3421 * is trimmed to include only the cipher suites that the 3422 * server also supports; they are in the same order as in the 3423 * client message. 3424 */ 3425 br_suite_translated client_suites[BR_MAX_CIPHER_SUITES]; 3426 unsigned char client_suites_num; 3427 3428 /* 3429 * Hash functions supported by the client, with ECDSA and RSA 3430 * (bit mask). For hash function with id 'x', set bit index is 3431 * x for RSA, x+8 for ECDSA. For newer algorithms, with ID 3432 * 0x08**, bit 16+k is set for algorithm 0x0800+k. 3433 */ 3434 uint32_t hashes; 3435 3436 /* 3437 * Curves supported by the client (bit mask, for named curves). 3438 */ 3439 uint32_t curves; 3440 3441 /* 3442 * Context for chain handler. 3443 */ 3444 const br_ssl_server_policy_class **policy_vtable; 3445 uint16_t sign_hash_id; 3446 3447 /* 3448 * For the core handlers, thus avoiding (in most cases) the 3449 * need for an externally provided policy context. 3450 */ 3451 union { 3452 const br_ssl_server_policy_class *vtable; 3453 br_ssl_server_policy_rsa_context single_rsa; 3454 br_ssl_server_policy_ec_context single_ec; 3455 } chain_handler; 3456 3457 /* 3458 * Buffer for the ECDHE private key. 3459 */ 3460 unsigned char ecdhe_key[70]; 3461 size_t ecdhe_key_len; 3462 3463 /* 3464 * Trust anchor names for client authentication. "ta_names" and 3465 * "tas" cannot be both non-NULL. 3466 */ 3467 const br_x500_name *ta_names; 3468 const br_x509_trust_anchor *tas; 3469 size_t num_tas; 3470 size_t cur_dn_index; 3471 const unsigned char *cur_dn; 3472 size_t cur_dn_len; 3473 3474 /* 3475 * Buffer for the hash value computed over all handshake messages 3476 * prior to CertificateVerify, and identifier for the hash function. 3477 */ 3478 unsigned char hash_CV[64]; 3479 size_t hash_CV_len; 3480 int hash_CV_id; 3481 3482 /* 3483 * Server-specific implementations. 3484 * (none for now) 3485 */ 3486#endif 3487}; 3488 3489/* 3490 * Each br_ssl_server_init_xxx() function sets the list of supported 3491 * cipher suites and used implementations, as specified by the profile 3492 * name 'xxx'. Defined profile names are: 3493 * 3494 * full_rsa all supported algorithm, server key type is RSA 3495 * full_ec all supported algorithm, server key type is EC 3496 * TODO: add other profiles 3497 * 3498 * Naming scheme for "minimal" profiles: min123 3499 * 3500 * -- character 1: key exchange 3501 * r = RSA 3502 * e = ECDHE_RSA 3503 * f = ECDHE_ECDSA 3504 * u = ECDH_RSA 3505 * v = ECDH_ECDSA 3506 * -- character 2: version / PRF 3507 * 0 = TLS 1.0 / 1.1 with MD5+SHA-1 3508 * 2 = TLS 1.2 with SHA-256 3509 * 3 = TLS 1.2 with SHA-384 3510 * -- character 3: encryption 3511 * a = AES/CBC 3512 * d = 3DES/CBC 3513 * g = AES/GCM 3514 * c = ChaCha20+Poly1305 3515 */ 3516 3517/** 3518 * \brief SSL server profile: full_rsa. 3519 * 3520 * This function initialises the provided SSL server context with 3521 * all supported algorithms and cipher suites that rely on a RSA 3522 * key pair. 3523 * 3524 * \param cc server context to initialise. 3525 * \param chain server certificate chain. 3526 * \param chain_len certificate chain length (number of certificate). 3527 * \param sk RSA private key. 3528 */ 3529void br_ssl_server_init_full_rsa(br_ssl_server_context *cc, 3530 const br_x509_certificate *chain, size_t chain_len, 3531 const br_rsa_private_key *sk); 3532 3533/** 3534 * \brief SSL server profile: full_ec. 3535 * 3536 * This function initialises the provided SSL server context with 3537 * all supported algorithms and cipher suites that rely on an EC 3538 * key pair. 3539 * 3540 * The key type of the CA that issued the server's certificate must 3541 * be provided, since it matters for ECDH cipher suites (ECDH_RSA 3542 * suites require a RSA-powered CA). The key type is either 3543 * `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`. 3544 * 3545 * \param cc server context to initialise. 3546 * \param chain server certificate chain. 3547 * \param chain_len chain length (number of certificates). 3548 * \param cert_issuer_key_type certificate issuer's key type. 3549 * \param sk EC private key. 3550 */ 3551void br_ssl_server_init_full_ec(br_ssl_server_context *cc, 3552 const br_x509_certificate *chain, size_t chain_len, 3553 unsigned cert_issuer_key_type, const br_ec_private_key *sk); 3554 3555/** 3556 * \brief SSL server profile: minr2g. 3557 * 3558 * This profile uses only TLS_RSA_WITH_AES_128_GCM_SHA256. Server key is 3559 * RSA, and RSA key exchange is used (not forward secure, but uses little 3560 * CPU in the client). 3561 * 3562 * \param cc server context to initialise. 3563 * \param chain server certificate chain. 3564 * \param chain_len certificate chain length (number of certificate). 3565 * \param sk RSA private key. 3566 */ 3567void br_ssl_server_init_minr2g(br_ssl_server_context *cc, 3568 const br_x509_certificate *chain, size_t chain_len, 3569 const br_rsa_private_key *sk); 3570 3571/** 3572 * \brief SSL server profile: mine2g. 3573 * 3574 * This profile uses only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Server key 3575 * is RSA, and ECDHE key exchange is used. This suite provides forward 3576 * security, with a higher CPU expense on the client, and a somewhat 3577 * larger code footprint (compared to "minr2g"). 3578 * 3579 * \param cc server context to initialise. 3580 * \param chain server certificate chain. 3581 * \param chain_len certificate chain length (number of certificate). 3582 * \param sk RSA private key. 3583 */ 3584void br_ssl_server_init_mine2g(br_ssl_server_context *cc, 3585 const br_x509_certificate *chain, size_t chain_len, 3586 const br_rsa_private_key *sk); 3587 3588/** 3589 * \brief SSL server profile: minf2g. 3590 * 3591 * This profile uses only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. 3592 * Server key is EC, and ECDHE key exchange is used. This suite provides 3593 * forward security, with a higher CPU expense on the client and server 3594 * (by a factor of about 3 to 4), and a somewhat larger code footprint 3595 * (compared to "minu2g" and "minv2g"). 3596 * 3597 * \param cc server context to initialise. 3598 * \param chain server certificate chain. 3599 * \param chain_len certificate chain length (number of certificate). 3600 * \param sk EC private key. 3601 */ 3602void br_ssl_server_init_minf2g(br_ssl_server_context *cc, 3603 const br_x509_certificate *chain, size_t chain_len, 3604 const br_ec_private_key *sk); 3605 3606/** 3607 * \brief SSL server profile: minu2g. 3608 * 3609 * This profile uses only TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256. 3610 * Server key is EC, and ECDH key exchange is used; the issuing CA used 3611 * a RSA key. 3612 * 3613 * The "minu2g" and "minv2g" profiles do not provide forward secrecy, 3614 * but are the lightest on the server (for CPU usage), and are rather 3615 * inexpensive on the client as well. 3616 * 3617 * \param cc server context to initialise. 3618 * \param chain server certificate chain. 3619 * \param chain_len certificate chain length (number of certificate). 3620 * \param sk EC private key. 3621 */ 3622void br_ssl_server_init_minu2g(br_ssl_server_context *cc, 3623 const br_x509_certificate *chain, size_t chain_len, 3624 const br_ec_private_key *sk); 3625 3626/** 3627 * \brief SSL server profile: minv2g. 3628 * 3629 * This profile uses only TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256. 3630 * Server key is EC, and ECDH key exchange is used; the issuing CA used 3631 * an EC key. 3632 * 3633 * The "minu2g" and "minv2g" profiles do not provide forward secrecy, 3634 * but are the lightest on the server (for CPU usage), and are rather 3635 * inexpensive on the client as well. 3636 * 3637 * \param cc server context to initialise. 3638 * \param chain server certificate chain. 3639 * \param chain_len certificate chain length (number of certificate). 3640 * \param sk EC private key. 3641 */ 3642void br_ssl_server_init_minv2g(br_ssl_server_context *cc, 3643 const br_x509_certificate *chain, size_t chain_len, 3644 const br_ec_private_key *sk); 3645 3646/** 3647 * \brief SSL server profile: mine2c. 3648 * 3649 * This profile uses only TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256. 3650 * Server key is RSA, and ECDHE key exchange is used. This suite 3651 * provides forward security. 3652 * 3653 * \param cc server context to initialise. 3654 * \param chain server certificate chain. 3655 * \param chain_len certificate chain length (number of certificate). 3656 * \param sk RSA private key. 3657 */ 3658void br_ssl_server_init_mine2c(br_ssl_server_context *cc, 3659 const br_x509_certificate *chain, size_t chain_len, 3660 const br_rsa_private_key *sk); 3661 3662/** 3663 * \brief SSL server profile: minf2c. 3664 * 3665 * This profile uses only TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256. 3666 * Server key is EC, and ECDHE key exchange is used. This suite provides 3667 * forward security. 3668 * 3669 * \param cc server context to initialise. 3670 * \param chain server certificate chain. 3671 * \param chain_len certificate chain length (number of certificate). 3672 * \param sk EC private key. 3673 */ 3674void br_ssl_server_init_minf2c(br_ssl_server_context *cc, 3675 const br_x509_certificate *chain, size_t chain_len, 3676 const br_ec_private_key *sk); 3677 3678/** 3679 * \brief Get the supported client suites. 3680 * 3681 * This function shall be called only after the ClientHello has been 3682 * processed, typically from the policy engine. The returned array 3683 * contains the cipher suites that are supported by both the client 3684 * and the server; these suites are in client preference order, unless 3685 * the `BR_OPT_ENFORCE_SERVER_PREFERENCES` flag was set, in which case 3686 * they are in server preference order. 3687 * 3688 * The suites are _translated_, which means that each suite is given 3689 * as two 16-bit integers: the standard suite identifier, and its 3690 * translated version, broken down into its individual components, 3691 * as explained with the `br_suite_translated` type. 3692 * 3693 * The returned array is allocated in the context and will be rewritten 3694 * by each handshake. 3695 * 3696 * \param cc server context. 3697 * \param num receives the array size (number of suites). 3698 * \return the translated common cipher suites, in preference order. 3699 */ 3700static inline const br_suite_translated * 3701br_ssl_server_get_client_suites(const br_ssl_server_context *cc, size_t *num) 3702{ 3703 *num = cc->client_suites_num; 3704 return cc->client_suites; 3705} 3706 3707/** 3708 * \brief Get the hash functions and signature algorithms supported by 3709 * the client. 3710 * 3711 * This value is a bit field: 3712 * 3713 * - If RSA (PKCS#1 v1.5) is supported with hash function of ID `x`, 3714 * then bit `x` is set (hash function ID is 0 for the special MD5+SHA-1, 3715 * or 2 to 6 for the SHA family). 3716 * 3717 * - If ECDSA is supported with hash function of ID `x`, then bit `8+x` 3718 * is set. 3719 * 3720 * - Newer algorithms are symbolic 16-bit identifiers that do not 3721 * represent signature algorithm and hash function separately. If 3722 * the TLS-level identifier is `0x0800+x` for a `x` in the 0..15 3723 * range, then bit `16+x` is set. 3724 * 3725 * "New algorithms" are currently defined only in draft documents, so 3726 * this support is subject to possible change. Right now (early 2017), 3727 * this maps ed25519 (EdDSA on Curve25519) to bit 23, and ed448 (EdDSA 3728 * on Curve448) to bit 24. If the identifiers on the wire change in 3729 * future document, then the decoding mechanism in BearSSL will be 3730 * amended to keep mapping ed25519 and ed448 on bits 23 and 24, 3731 * respectively. Mapping of other new algorithms (e.g. RSA/PSS) is not 3732 * guaranteed yet. 3733 * 3734 * \param cc server context. 3735 * \return the client-supported hash functions and signature algorithms. 3736 */ 3737static inline uint32_t 3738br_ssl_server_get_client_hashes(const br_ssl_server_context *cc) 3739{ 3740 return cc->hashes; 3741} 3742 3743/** 3744 * \brief Get the elliptic curves supported by the client. 3745 * 3746 * This is a bit field (bit x is set if curve of ID x is supported). 3747 * 3748 * \param cc server context. 3749 * \return the client-supported elliptic curves. 3750 */ 3751static inline uint32_t 3752br_ssl_server_get_client_curves(const br_ssl_server_context *cc) 3753{ 3754 return cc->curves; 3755} 3756 3757/** 3758 * \brief Clear the complete contents of a SSL server context. 3759 * 3760 * Everything is cleared, including the reference to the configured buffer, 3761 * implementations, cipher suites and state. This is a preparatory step 3762 * to assembling a custom profile. 3763 * 3764 * \param cc server context to clear. 3765 */ 3766void br_ssl_server_zero(br_ssl_server_context *cc); 3767 3768/** 3769 * \brief Set an externally provided policy context. 3770 * 3771 * The policy context's methods are invoked to decide the cipher suite 3772 * and certificate chain, and to perform operations involving the server's 3773 * private key. 3774 * 3775 * \param cc server context. 3776 * \param pctx policy context (pointer to its vtable field). 3777 */ 3778static inline void 3779br_ssl_server_set_policy(br_ssl_server_context *cc, 3780 const br_ssl_server_policy_class **pctx) 3781{ 3782 cc->policy_vtable = pctx; 3783} 3784 3785/** 3786 * \brief Set the server certificate chain and key (single RSA case). 3787 * 3788 * This function uses a policy context included in the server context. 3789 * It configures use of a single server certificate chain with a RSA 3790 * private key. The `allowed_usages` is a combination of usages, namely 3791 * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables 3792 * the corresponding cipher suites (i.e. `TLS_RSA_*` use the RSA key for 3793 * key exchange, while `TLS_ECDHE_RSA_*` use the RSA key for signatures). 3794 * 3795 * \param cc server context. 3796 * \param chain server certificate chain to send to the client. 3797 * \param chain_len chain length (number of certificates). 3798 * \param sk server private key (RSA). 3799 * \param allowed_usages allowed private key usages. 3800 * \param irsacore RSA core implementation. 3801 * \param irsasign RSA signature implementation (PKCS#1 v1.5). 3802 */ 3803void br_ssl_server_set_single_rsa(br_ssl_server_context *cc, 3804 const br_x509_certificate *chain, size_t chain_len, 3805 const br_rsa_private_key *sk, unsigned allowed_usages, 3806 br_rsa_private irsacore, br_rsa_pkcs1_sign irsasign); 3807 3808/** 3809 * \brief Set the server certificate chain and key (single EC case). 3810 * 3811 * This function uses a policy context included in the server context. 3812 * It configures use of a single server certificate chain with an EC 3813 * private key. The `allowed_usages` is a combination of usages, namely 3814 * `BR_KEYTYPE_KEYX` and/or `BR_KEYTYPE_SIGN`; this enables or disables 3815 * the corresponding cipher suites (i.e. `TLS_ECDH_*` use the EC key for 3816 * key exchange, while `TLS_ECDHE_ECDSA_*` use the EC key for signatures). 3817 * 3818 * In order to support `TLS_ECDH_*` cipher suites (non-ephemeral ECDH), 3819 * the algorithm type of the key used by the issuing CA to sign the 3820 * server's certificate must be provided, as `cert_issuer_key_type` 3821 * parameter (this value is either `BR_KEYTYPE_RSA` or `BR_KEYTYPE_EC`). 3822 * 3823 * \param cc server context. 3824 * \param chain server certificate chain to send. 3825 * \param chain_len chain length (number of certificates). 3826 * \param sk server private key (EC). 3827 * \param allowed_usages allowed private key usages. 3828 * \param cert_issuer_key_type issuing CA's key type. 3829 * \param iec EC core implementation. 3830 * \param iecdsa ECDSA signature implementation ("asn1" format). 3831 */ 3832void br_ssl_server_set_single_ec(br_ssl_server_context *cc, 3833 const br_x509_certificate *chain, size_t chain_len, 3834 const br_ec_private_key *sk, unsigned allowed_usages, 3835 unsigned cert_issuer_key_type, 3836 const br_ec_impl *iec, br_ecdsa_sign iecdsa); 3837 3838/** 3839 * \brief Activate client certificate authentication. 3840 * 3841 * The trust anchor encoded X.500 names (DN) to send to the client are 3842 * provided. A client certificate will be requested and validated through 3843 * the X.509 validator configured in the SSL engine. If `num` is 0, then 3844 * client certificate authentication is disabled. 3845 * 3846 * If the client does not send a certificate, or on validation failure, 3847 * the handshake aborts. Unauthenticated clients can be tolerated by 3848 * setting the `BR_OPT_TOLERATE_NO_CLIENT_AUTH` flag. 3849 * 3850 * The provided array is linked in, not copied, so that pointer must 3851 * remain valid as long as anchor names may be used. 3852 * 3853 * \param cc server context. 3854 * \param ta_names encoded trust anchor names. 3855 * \param num number of encoded trust anchor names. 3856 */ 3857static inline void 3858br_ssl_server_set_trust_anchor_names(br_ssl_server_context *cc, 3859 const br_x500_name *ta_names, size_t num) 3860{ 3861 cc->ta_names = ta_names; 3862 cc->tas = NULL; 3863 cc->num_tas = num; 3864} 3865 3866/** 3867 * \brief Activate client certificate authentication. 3868 * 3869 * This is a variant for `br_ssl_server_set_trust_anchor_names()`: the 3870 * trust anchor names are provided not as an array of stand-alone names 3871 * (`br_x500_name` structures), but as an array of trust anchors 3872 * (`br_x509_trust_anchor` structures). The server engine itself will 3873 * only use the `dn` field of each trust anchor. This is meant to allow 3874 * defining a single array of trust anchors, to be used here and in the 3875 * X.509 validation engine itself. 3876 * 3877 * The provided array is linked in, not copied, so that pointer must 3878 * remain valid as long as anchor names may be used. 3879 * 3880 * \param cc server context. 3881 * \param tas trust anchors (only names are used). 3882 * \param num number of trust anchors. 3883 */ 3884static inline void 3885br_ssl_server_set_trust_anchor_names_alt(br_ssl_server_context *cc, 3886 const br_x509_trust_anchor *tas, size_t num) 3887{ 3888 cc->ta_names = NULL; 3889 cc->tas = tas; 3890 cc->num_tas = num; 3891} 3892 3893/** 3894 * \brief Configure the cache for session parameters. 3895 * 3896 * The cache context is provided as a pointer to its first field (vtable 3897 * pointer). 3898 * 3899 * \param cc server context. 3900 * \param vtable session cache context. 3901 */ 3902static inline void 3903br_ssl_server_set_cache(br_ssl_server_context *cc, 3904 const br_ssl_session_cache_class **vtable) 3905{ 3906 cc->cache_vtable = vtable; 3907} 3908 3909/** 3910 * \brief Prepare or reset a server context for handling an incoming client. 3911 * 3912 * \param cc server context. 3913 * \return 1 on success, 0 on error. 3914 */ 3915int br_ssl_server_reset(br_ssl_server_context *cc); 3916 3917/* ===================================================================== */ 3918 3919/* 3920 * Context for the simplified I/O context. The transport medium is accessed 3921 * through the low_read() and low_write() callback functions, each with 3922 * its own opaque context pointer. 3923 * 3924 * low_read() read some bytes, at most 'len' bytes, into data[]. The 3925 * returned value is the number of read bytes, or -1 on error. 3926 * The 'len' parameter is guaranteed never to exceed 20000, 3927 * so the length always fits in an 'int' on all platforms. 3928 * 3929 * low_write() write up to 'len' bytes, to be read from data[]. The 3930 * returned value is the number of written bytes, or -1 on 3931 * error. The 'len' parameter is guaranteed never to exceed 3932 * 20000, so the length always fits in an 'int' on all 3933 * parameters. 3934 * 3935 * A socket closure (if the transport medium is a socket) should be reported 3936 * as an error (-1). The callbacks shall endeavour to block until at least 3937 * one byte can be read or written; a callback returning 0 at times is 3938 * acceptable, but this normally leads to the callback being immediately 3939 * called again, so the callback should at least always try to block for 3940 * some time if no I/O can take place. 3941 * 3942 * The SSL engine naturally applies some buffering, so the callbacks need 3943 * not apply buffers of their own. 3944 */ 3945/** 3946 * \brief Context structure for the simplified SSL I/O wrapper. 3947 * 3948 * This structure is initialised with `br_sslio_init()`. Its contents 3949 * are opaque and shall not be accessed directly. 3950 */ 3951typedef struct { 3952#ifndef BR_DOXYGEN_IGNORE 3953 br_ssl_engine_context *engine; 3954 int (*low_read)(void *read_context, 3955 unsigned char *data, size_t len); 3956 void *read_context; 3957 int (*low_write)(void *write_context, 3958 const unsigned char *data, size_t len); 3959 void *write_context; 3960#endif 3961} br_sslio_context; 3962 3963/** 3964 * \brief Initialise a simplified I/O wrapper context. 3965 * 3966 * The simplified I/O wrapper offers a simpler read/write API for a SSL 3967 * engine (client or server), using the provided callback functions for 3968 * reading data from, or writing data to, the transport medium. 3969 * 3970 * The callback functions have the following semantics: 3971 * 3972 * - Each callback receives an opaque context value (of type `void *`) 3973 * that the callback may use arbitrarily (or possibly ignore). 3974 * 3975 * - `low_read()` reads at least one byte, at most `len` bytes, from 3976 * the transport medium. Read bytes shall be written in `data`. 3977 * 3978 * - `low_write()` writes at least one byte, at most `len` bytes, unto 3979 * the transport medium. The bytes to write are read from `data`. 3980 * 3981 * - The `len` parameter is never zero, and is always lower than 20000. 3982 * 3983 * - The number of processed bytes (read or written) is returned. Since 3984 * that number is less than 20000, it always fits on an `int`. 3985 * 3986 * - On error, the callbacks return -1. Reaching end-of-stream is an 3987 * error. Errors are permanent: the SSL connection is terminated. 3988 * 3989 * - Callbacks SHOULD NOT return 0. This is tolerated, as long as 3990 * callbacks endeavour to block for some non-negligible amount of 3991 * time until at least one byte can be sent or received (if a 3992 * callback returns 0, then the wrapper invokes it again 3993 * immediately). 3994 * 3995 * - Callbacks MAY return as soon as at least one byte is processed; 3996 * they MAY also insist on reading or writing _all_ requested bytes. 3997 * Since SSL is a self-terminated protocol (each record has a length 3998 * header), this does not change semantics. 3999 * 4000 * - Callbacks need not apply any buffering (for performance) since SSL 4001 * itself uses buffers. 4002 * 4003 * \param ctx wrapper context to initialise. 4004 * \param engine SSL engine to wrap. 4005 * \param low_read callback for reading data from the transport. 4006 * \param read_context context pointer for `low_read()`. 4007 * \param low_write callback for writing data on the transport. 4008 * \param write_context context pointer for `low_write()`. 4009 */ 4010void br_sslio_init(br_sslio_context *ctx, 4011 br_ssl_engine_context *engine, 4012 int (*low_read)(void *read_context, 4013 unsigned char *data, size_t len), 4014 void *read_context, 4015 int (*low_write)(void *write_context, 4016 const unsigned char *data, size_t len), 4017 void *write_context); 4018 4019/** 4020 * \brief Read some application data from a SSL connection. 4021 * 4022 * If `len` is zero, then this function returns 0 immediately. In 4023 * all other cases, it never returns 0. 4024 * 4025 * This call returns only when at least one byte has been obtained. 4026 * Returned value is the number of bytes read, or -1 on error. The 4027 * number of bytes always fits on an 'int' (data from a single SSL/TLS 4028 * record is returned). 4029 * 4030 * On error or SSL closure, this function returns -1. The caller should 4031 * inspect the error status on the SSL engine to distinguish between 4032 * normal closure and error. 4033 * 4034 * \param cc SSL wrapper context. 4035 * \param dst destination buffer for application data. 4036 * \param len maximum number of bytes to obtain. 4037 * \return number of bytes obtained, or -1 on error. 4038 */ 4039int br_sslio_read(br_sslio_context *cc, void *dst, size_t len); 4040 4041/** 4042 * \brief Read application data from a SSL connection. 4043 * 4044 * This calls returns only when _all_ requested `len` bytes are read, 4045 * or an error is reached. Returned value is 0 on success, -1 on error. 4046 * A normal (verified) SSL closure before that many bytes are obtained 4047 * is reported as an error by this function. 4048 * 4049 * \param cc SSL wrapper context. 4050 * \param dst destination buffer for application data. 4051 * \param len number of bytes to obtain. 4052 * \return 0 on success, or -1 on error. 4053 */ 4054int br_sslio_read_all(br_sslio_context *cc, void *dst, size_t len); 4055 4056/** 4057 * \brief Write some application data unto a SSL connection. 4058 * 4059 * If `len` is zero, then this function returns 0 immediately. In 4060 * all other cases, it never returns 0. 4061 * 4062 * This call returns only when at least one byte has been written. 4063 * Returned value is the number of bytes written, or -1 on error. The 4064 * number of bytes always fits on an 'int' (less than 20000). 4065 * 4066 * On error or SSL closure, this function returns -1. The caller should 4067 * inspect the error status on the SSL engine to distinguish between 4068 * normal closure and error. 4069 * 4070 * **Important:** SSL is buffered; a "written" byte is a byte that was 4071 * injected into the wrapped SSL engine, but this does not necessarily mean 4072 * that it has been scheduled for sending. Use `br_sslio_flush()` to 4073 * ensure that all pending data has been sent to the transport medium. 4074 * 4075 * \param cc SSL wrapper context. 4076 * \param src source buffer for application data. 4077 * \param len maximum number of bytes to write. 4078 * \return number of bytes written, or -1 on error. 4079 */ 4080int br_sslio_write(br_sslio_context *cc, const void *src, size_t len); 4081 4082/** 4083 * \brief Write application data unto a SSL connection. 4084 * 4085 * This calls returns only when _all_ requested `len` bytes have been 4086 * written, or an error is reached. Returned value is 0 on success, -1 4087 * on error. A normal (verified) SSL closure before that many bytes are 4088 * written is reported as an error by this function. 4089 * 4090 * **Important:** SSL is buffered; a "written" byte is a byte that was 4091 * injected into the wrapped SSL engine, but this does not necessarily mean 4092 * that it has been scheduled for sending. Use `br_sslio_flush()` to 4093 * ensure that all pending data has been sent to the transport medium. 4094 * 4095 * \param cc SSL wrapper context. 4096 * \param src source buffer for application data. 4097 * \param len number of bytes to write. 4098 * \return 0 on success, or -1 on error. 4099 */ 4100int br_sslio_write_all(br_sslio_context *cc, const void *src, size_t len); 4101 4102/** 4103 * \brief Flush pending data. 4104 * 4105 * This call makes sure that any buffered application data in the 4106 * provided context (including the wrapped SSL engine) has been sent 4107 * to the transport medium (i.e. accepted by the `low_write()` callback 4108 * method). If there is no such pending data, then this function does 4109 * nothing (and returns a success, i.e. 0). 4110 * 4111 * If the underlying transport medium has its own buffers, then it is 4112 * up to the caller to ensure the corresponding flushing. 4113 * 4114 * Returned value is 0 on success, -1 on error. 4115 * 4116 * \param cc SSL wrapper context. 4117 * \return 0 on success, or -1 on error. 4118 */ 4119int br_sslio_flush(br_sslio_context *cc); 4120 4121/** 4122 * \brief Close the SSL connection. 4123 * 4124 * This call runs the SSL closure protocol (sending a `close_notify`, 4125 * receiving the response `close_notify`). When it returns, the SSL 4126 * connection is finished. It is still up to the caller to manage the 4127 * possible transport-level termination, if applicable (alternatively, 4128 * the underlying transport stream may be reused for non-SSL messages). 4129 * 4130 * Returned value is 0 on success, -1 on error. A failure by the peer 4131 * to process the complete closure protocol (i.e. sending back the 4132 * `close_notify`) is an error. 4133 * 4134 * \param cc SSL wrapper context. 4135 * \return 0 on success, or -1 on error. 4136 */ 4137int br_sslio_close(br_sslio_context *cc); 4138 4139/* ===================================================================== */ 4140 4141/* 4142 * Symbolic constants for cipher suites. 4143 */ 4144 4145/* From RFC 5246 */ 4146#define BR_TLS_NULL_WITH_NULL_NULL 0x0000 4147#define BR_TLS_RSA_WITH_NULL_MD5 0x0001 4148#define BR_TLS_RSA_WITH_NULL_SHA 0x0002 4149#define BR_TLS_RSA_WITH_NULL_SHA256 0x003B 4150#define BR_TLS_RSA_WITH_RC4_128_MD5 0x0004 4151#define BR_TLS_RSA_WITH_RC4_128_SHA 0x0005 4152#define BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A 4153#define BR_TLS_RSA_WITH_AES_128_CBC_SHA 0x002F 4154#define BR_TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 4155#define BR_TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C 4156#define BR_TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D 4157#define BR_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D 4158#define BR_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 4159#define BR_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 4160#define BR_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 4161#define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 4162#define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 4163#define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 4164#define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 4165#define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 4166#define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 4167#define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 4168#define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 4169#define BR_TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E 4170#define BR_TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F 4171#define BR_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 4172#define BR_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 4173#define BR_TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068 4174#define BR_TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069 4175#define BR_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A 4176#define BR_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B 4177#define BR_TLS_DH_anon_WITH_RC4_128_MD5 0x0018 4178#define BR_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B 4179#define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 4180#define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A 4181#define BR_TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C 4182#define BR_TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D 4183 4184/* From RFC 4492 */ 4185#define BR_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 4186#define BR_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002 4187#define BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003 4188#define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004 4189#define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005 4190#define BR_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 4191#define BR_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007 4192#define BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008 4193#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 4194#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A 4195#define BR_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B 4196#define BR_TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C 4197#define BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D 4198#define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E 4199#define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F 4200#define BR_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 4201#define BR_TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 4202#define BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 4203#define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 4204#define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 4205#define BR_TLS_ECDH_anon_WITH_NULL_SHA 0xC015 4206#define BR_TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016 4207#define BR_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017 4208#define BR_TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 4209#define BR_TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019 4210 4211/* From RFC 5288 */ 4212#define BR_TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C 4213#define BR_TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D 4214#define BR_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E 4215#define BR_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F 4216#define BR_TLS_DH_RSA_WITH_AES_128_GCM_SHA256 0x00A0 4217#define BR_TLS_DH_RSA_WITH_AES_256_GCM_SHA384 0x00A1 4218#define BR_TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 4219#define BR_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3 4220#define BR_TLS_DH_DSS_WITH_AES_128_GCM_SHA256 0x00A4 4221#define BR_TLS_DH_DSS_WITH_AES_256_GCM_SHA384 0x00A5 4222#define BR_TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6 4223#define BR_TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7 4224 4225/* From RFC 5289 */ 4226#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 4227#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 4228#define BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025 4229#define BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026 4230#define BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 4231#define BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 4232#define BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029 4233#define BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A 4234#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B 4235#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C 4236#define BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D 4237#define BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E 4238#define BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F 4239#define BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 4240#define BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 4241#define BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 4242 4243/* From RFC 6655 and 7251 */ 4244#define BR_TLS_RSA_WITH_AES_128_CCM 0xC09C 4245#define BR_TLS_RSA_WITH_AES_256_CCM 0xC09D 4246#define BR_TLS_RSA_WITH_AES_128_CCM_8 0xC0A0 4247#define BR_TLS_RSA_WITH_AES_256_CCM_8 0xC0A1 4248#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC 4249#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM 0xC0AD 4250#define BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE 4251#define BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF 4252 4253/* From RFC 7905 */ 4254#define BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 4255#define BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 4256#define BR_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA 4257#define BR_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB 4258#define BR_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC 4259#define BR_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD 4260#define BR_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE 4261 4262/* From RFC 7507 */ 4263#define BR_TLS_FALLBACK_SCSV 0x5600 4264 4265/* 4266 * Symbolic constants for alerts. 4267 */ 4268#define BR_ALERT_CLOSE_NOTIFY 0 4269#define BR_ALERT_UNEXPECTED_MESSAGE 10 4270#define BR_ALERT_BAD_RECORD_MAC 20 4271#define BR_ALERT_RECORD_OVERFLOW 22 4272#define BR_ALERT_DECOMPRESSION_FAILURE 30 4273#define BR_ALERT_HANDSHAKE_FAILURE 40 4274#define BR_ALERT_BAD_CERTIFICATE 42 4275#define BR_ALERT_UNSUPPORTED_CERTIFICATE 43 4276#define BR_ALERT_CERTIFICATE_REVOKED 44 4277#define BR_ALERT_CERTIFICATE_EXPIRED 45 4278#define BR_ALERT_CERTIFICATE_UNKNOWN 46 4279#define BR_ALERT_ILLEGAL_PARAMETER 47 4280#define BR_ALERT_UNKNOWN_CA 48 4281#define BR_ALERT_ACCESS_DENIED 49 4282#define BR_ALERT_DECODE_ERROR 50 4283#define BR_ALERT_DECRYPT_ERROR 51 4284#define BR_ALERT_PROTOCOL_VERSION 70 4285#define BR_ALERT_INSUFFICIENT_SECURITY 71 4286#define BR_ALERT_INTERNAL_ERROR 80 4287#define BR_ALERT_USER_CANCELED 90 4288#define BR_ALERT_NO_RENEGOTIATION 100 4289#define BR_ALERT_UNSUPPORTED_EXTENSION 110 4290#define BR_ALERT_NO_APPLICATION_PROTOCOL 120 4291 4292#ifdef __cplusplus 4293} 4294#endif 4295 4296#endif 4297