lib/libssl/tls13_internal.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241

/* $OpenBSD: tls13_internal.h,v 1.18 2019/02/14 17:50:07 jsing Exp $ */
/*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef HEADER_TLS13_INTERNAL_H
#define HEADER_TLS13_INTERNAL_H

#include <openssl/evp.h>
#include <openssl/ssl.h>

#include "bytestring.h"

__BEGIN_HIDDEN_DECLS

#define TLS13_HS_CLIENT		1
#define TLS13_HS_SERVER		2

#define TLS13_IO_SUCCESS	 1
#define TLS13_IO_EOF		 0
#define TLS13_IO_FAILURE	-1
#define TLS13_IO_WANT_POLLIN	-2
#define TLS13_IO_WANT_POLLOUT	-3

typedef int (*tls13_alert_cb)(uint8_t _alert_level, uint8_t _alert_desc,
    void *_cb_arg);
typedef int (*tls13_post_handshake_cb)(void *_cb_arg);
typedef ssize_t (*tls13_read_cb)(void *_buf, size_t _buflen, void *_cb_arg);
typedef ssize_t (*tls13_write_cb)(const void *_buf, size_t _buflen,
    void *_cb_arg);

struct tls13_buffer;

struct tls13_buffer *tls13_buffer_new(size_t init_size);
void tls13_buffer_free(struct tls13_buffer *buf);
ssize_t tls13_buffer_extend(struct tls13_buffer *buf, size_t len,
    tls13_read_cb read_cb, void *cb_arg);
void tls13_buffer_cbs(struct tls13_buffer *buf, CBS *cbs);
int tls13_buffer_finish(struct tls13_buffer *buf, uint8_t **out,
    size_t *out_len);

struct tls13_secret {
	uint8_t *data;
	size_t len;
};

/* RFC 8446 Section 7.1  Page 92 */
struct tls13_secrets {
	const EVP_MD *digest;
	int resumption;
	int init_done;
	int early_done;
	int handshake_done;
	int schedule_done;
	int insecure; /* Set by tests */
	struct tls13_secret zeros;
	struct tls13_secret empty_hash;
	struct tls13_secret extracted_early;
	struct tls13_secret binder_key;
	struct tls13_secret client_early_traffic;
	struct tls13_secret early_exporter_master;
	struct tls13_secret derived_early;
	struct tls13_secret extracted_handshake;
	struct tls13_secret client_handshake_traffic;
	struct tls13_secret server_handshake_traffic;
	struct tls13_secret derived_handshake;
	struct tls13_secret extracted_master;
	struct tls13_secret client_application_traffic;
	struct tls13_secret server_application_traffic;
	struct tls13_secret exporter_master;
	struct tls13_secret resumption_master;
};

struct tls13_secrets *tls13_secrets_create(const EVP_MD *digest,
    int resumption);
void tls13_secrets_destroy(struct tls13_secrets *secrets);

int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
    const struct tls13_secret *secret, const char *label,
    const struct tls13_secret *context);

int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk,
    size_t psk_len, const struct tls13_secret *context);
int tls13_derive_handshake_secrets(struct tls13_secrets *secrets,
    const uint8_t *ecdhe, size_t ecdhe_len, const struct tls13_secret *context);
int tls13_derive_application_secrets(struct tls13_secrets *secrets,
    const struct tls13_secret *context);

/*
 * Record Layer.
 */
struct tls13_record_layer;

struct tls13_record_layer *tls13_record_layer_new(tls13_read_cb wire_read,
    tls13_write_cb wire_write, tls13_alert_cb alert_cb,
    tls13_post_handshake_cb post_handshake_cb, void *cb_arg);
void tls13_record_layer_free(struct tls13_record_layer *rl);
void tls13_record_layer_set_aead(struct tls13_record_layer *rl,
    const EVP_AEAD *aead);
void tls13_record_layer_set_hash(struct tls13_record_layer *rl,
    const EVP_MD *hash);
void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl);
int tls13_record_layer_set_traffic_keys(struct tls13_record_layer *rl,
    struct tls13_secret *read_key, struct tls13_secret *write_key);

ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n);
ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf,
    size_t n);
ssize_t tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n);
ssize_t tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf,
    size_t n);

/*
 * Handshake Messages.
 */
struct tls13_handshake_msg;

struct tls13_handshake_msg *tls13_handshake_msg_new(void);
void tls13_handshake_msg_free(struct tls13_handshake_msg *msg);
void tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs);
uint8_t tls13_handshake_msg_type(struct tls13_handshake_msg *msg);
int tls13_handshake_msg_content(struct tls13_handshake_msg *msg, CBS *cbs);
int tls13_handshake_msg_start(struct tls13_handshake_msg *msg, CBB *body,
    uint8_t msg_type);
int tls13_handshake_msg_finish(struct tls13_handshake_msg *msg);
int tls13_handshake_msg_recv(struct tls13_handshake_msg *msg,
    struct tls13_record_layer *rl);
int tls13_handshake_msg_send(struct tls13_handshake_msg *msg,
    struct tls13_record_layer *rl);

struct tls13_handshake_stage {
	uint8_t	hs_type;
	uint8_t	message_number;
};

typedef struct ssl_handshake_tls13_st SSL_HANDSHAKE_TLS13;

struct tls13_ctx {
	SSL *ssl;
	SSL_HANDSHAKE_TLS13 *hs;
	uint8_t	mode;
	struct tls13_handshake_stage handshake_stage;

	const EVP_AEAD *aead;
	const EVP_MD *hash;

	struct tls13_record_layer *rl;
	struct tls13_handshake_msg *hs_msg;
};

struct tls13_ctx *tls13_ctx_new(int mode);
void tls13_ctx_free(struct tls13_ctx *ctx);

const EVP_AEAD *tls13_cipher_aead(const SSL_CIPHER *cipher);
const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher);

/*
 * Legacy interfaces.
 */
int tls13_legacy_connect(SSL *ssl);
int tls13_legacy_return_code(SSL *ssl, ssize_t ret);
ssize_t tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg);
ssize_t tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg);
int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len,
    int peek);
int tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len);

/*
 * Message Types - RFC 8446, Section B.3.
 *
 * Values listed as "_RESERVED" were used in previous versions of TLS and are
 * listed here for completeness.  TLS 1.3 implementations MUST NOT send them but
 * might receive them from older TLS implementations.
 */
#define	TLS13_MT_HELLO_REQUEST_RESERVED		0
#define	TLS13_MT_CLIENT_HELLO			1
#define	TLS13_MT_SERVER_HELLO			2
#define	TLS13_MT_HELLO_VERIFY_REQUEST_RESERVED	3
#define	TLS13_MT_NEW_SESSION_TICKET		4
#define	TLS13_MT_END_OF_EARLY_DATA		5
#define	TLS13_MT_HELLO_RETRY_REQUEST_RESERVED	6
#define	TLS13_MT_ENCRYPTED_EXTENSIONS		8
#define	TLS13_MT_CERTIFICATE			11
#define	TLS13_MT_SERVER_KEY_EXCHANGE_RESERVED	12
#define	TLS13_MT_CERTIFICATE_REQUEST		13
#define	TLS13_MT_SERVER_HELLO_DONE_RESERVED	14
#define	TLS13_MT_CERTIFICATE_VERIFY		15
#define	TLS13_MT_CLIENT_KEY_EXCHANGE_RESERVED	16
#define	TLS13_MT_FINISHED			20
#define	TLS13_MT_CERTIFICATE_URL_RESERVED	21
#define	TLS13_MT_CERTIFICATE_STATUS_RESERVED	22
#define	TLS13_MT_SUPPLEMENTAL_DATA_RESERVED	23
#define	TLS13_MT_KEY_UPDATE			24
#define	TLS13_MT_MESSAGE_HASH			254

int tls13_handshake_perform(struct tls13_ctx *ctx);

int tls13_client_hello_send(struct tls13_ctx *ctx);
int tls13_client_hello_recv(struct tls13_ctx *ctx);
int tls13_client_hello_retry_send(struct tls13_ctx *ctx);
int tls13_client_hello_retry_recv(struct tls13_ctx *ctx);
int tls13_client_end_of_early_data_send(struct tls13_ctx *ctx);
int tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx);
int tls13_client_certificate_send(struct tls13_ctx *ctx);
int tls13_client_certificate_recv(struct tls13_ctx *ctx);
int tls13_client_certificate_verify_send(struct tls13_ctx *ctx);
int tls13_client_certificate_verify_recv(struct tls13_ctx *ctx);
int tls13_client_finished_recv(struct tls13_ctx *ctx);
int tls13_client_finished_send(struct tls13_ctx *ctx);
int tls13_client_key_update_send(struct tls13_ctx *ctx);
int tls13_client_key_update_recv(struct tls13_ctx *ctx);
int tls13_server_hello_recv(struct tls13_ctx *ctx);
int tls13_server_hello_send(struct tls13_ctx *ctx);
int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx);
int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx);
int tls13_server_certificate_recv(struct tls13_ctx *ctx);
int tls13_server_certificate_send(struct tls13_ctx *ctx);
int tls13_server_certificate_request_recv(struct tls13_ctx *ctx);
int tls13_server_certificate_request_send(struct tls13_ctx *ctx);
int tls13_server_certificate_verify_send(struct tls13_ctx *ctx);
int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx);
int tls13_server_finished_recv(struct tls13_ctx *ctx);
int tls13_server_finished_send(struct tls13_ctx *ctx);

__END_HIDDEN_DECLS

#endif