Cast first argument for %.*s to int
[strongswan.git] / src / libtls / tls.h
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup libtls libtls
18 *
19 * @addtogroup libtls
20 * TLS implementation on top of libstrongswan
21 *
22 * @defgroup tls tls
23 * @{ @ingroup libtls
24 */
25
26 #ifndef TLS_H_
27 #define TLS_H_
28
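/**
 * Maximum size of a TLS fragment
 * as defined by section 6.2.1. "Fragmentation" of RFC 5246 TLS 1.2
 *
 * 16384 is 2^14 bytes, the upper bound RFC 5246 places on the plaintext
 * fragment carried by a single record.
 *
 * NOTE(review): this header only defines the constant. Where the limit is
 * enforced is not visible here; confirm that the record layer compares the
 * length field of every received record against it before buffering data.
 */
#define TLS_MAX_FRAGMENT_LEN 16384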
34
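/*
 * Forward declarations for the types defined further down in this header.
 * They are placed ahead of the #include lines; presumably the libtls headers
 * included next refer to these names (NOTE(review): confirm).
 *
 * enum tls_extension_t and enum tls_name_type_t get no typedef here, so
 * within this header they can only be named with the enum keyword.
 */
typedef enum tls_version_t tls_version_t;
typedef enum tls_content_type_t tls_content_type_t;
typedef enum tls_handshake_type_t tls_handshake_type_t;
typedef enum tls_purpose_t tls_purpose_t;
typedef struct tls_t tls_t;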
40
41 #include <library.h>
42
43 #include "tls_application.h"
44 #include "tls_cache.h"
45
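/**
 * TLS/SSL version numbers
 *
 * The SSL 3.0 and TLS values match the two-byte ProtocolVersion of RFC 5246,
 * major version in the high byte and minor version in the low byte, so a
 * numerically larger value is a newer protocol version.
 *
 * SSL 2.0 is prohibited by RFC 6176 and SSL 3.0 by RFC 7568; TLS 1.0 and
 * TLS 1.1 are deprecated by RFC 8996. Defining a value here does not by
 * itself mean the stack negotiates it.
 * NOTE(review): the accepted range is not visible in this header; check the
 * implementation behind tls_t.set_version().
 */
enum tls_version_t {
	/** SSL 2.0, listed for completeness, prohibited by RFC 6176 */
	SSL_2_0 = 0x0200,
	/** SSL 3.0, prohibited by RFC 7568 */
	SSL_3_0 = 0x0300,
	/** TLS 1.0, RFC 2246 */
	TLS_1_0 = 0x0301,
	/** TLS 1.1, RFC 4346 */
	TLS_1_1 = 0x0302,
	/** TLS 1.2, RFC 5246 */
	TLS_1_2 = 0x0303,
};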
56
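/**
 * Enum names for tls_version_t
 *
 * Only declared here; the object is defined outside this header.
 * NOTE(review): enum_name_t is not declared in this file, presumably it
 * comes from the library.h include above. A version value received from a
 * peer need not be one of the tls_version_t constants; confirm how the name
 * lookup behaves for values it does not know.
 */
extern enum_name_t *tls_version_names;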
61
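/**
 * TLS higher level content type
 *
 * The values are the ContentType codes of the TLS record header as defined
 * in section 6.2.1 of RFC 5246.
 *
 * The type byte of a received record is peer-controlled and can hold any
 * value, so code that switches on this enum needs a default branch for
 * values not listed here.
 * NOTE(review): how unknown content types are handled is not visible in
 * this header.
 */
enum tls_content_type_t {
	/** change_cipher_spec */
	TLS_CHANGE_CIPHER_SPEC = 20,
	/** alert */
	TLS_ALERT = 21,
	/** handshake */
	TLS_HANDSHAKE = 22,
	/** application_data */
	TLS_APPLICATION_DATA = 23,
};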
71
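/**
 * Enum names for tls_content_type_t
 *
 * Only declared here; the object is defined outside this header.
 * NOTE(review): enum_name_t is not declared in this file, presumably it
 * comes from the library.h include above.
 */
extern enum_name_t *tls_content_type_names;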
76
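/**
 * TLS handshake subtype
 *
 * The values are the HandshakeType codes of section 7.4 of RFC 5246. The
 * numbering has gaps (3 to 10 and 17 to 19 are not defined here).
 *
 * The handshake type byte is read from a message sent by the peer, so it
 * can hold values outside this list; code that switches on this enum needs
 * a default branch that rejects them.
 * NOTE(review): the handling of unknown or out-of-order handshake types is
 * not visible in this header.
 */
enum tls_handshake_type_t {
	/** hello_request */
	TLS_HELLO_REQUEST = 0,
	/** client_hello */
	TLS_CLIENT_HELLO = 1,
	/** server_hello */
	TLS_SERVER_HELLO = 2,
	/** certificate */
	TLS_CERTIFICATE = 11,
	/** server_key_exchange */
	TLS_SERVER_KEY_EXCHANGE = 12,
	/** certificate_request */
	TLS_CERTIFICATE_REQUEST = 13,
	/** server_hello_done */
	TLS_SERVER_HELLO_DONE = 14,
	/** certificate_verify */
	TLS_CERTIFICATE_VERIFY = 15,
	/** client_key_exchange */
	TLS_CLIENT_KEY_EXCHANGE = 16,
	/** finished */
	TLS_FINISHED = 20,
};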
92
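/**
 * Enum names for tls_handshake_type_t
 *
 * Only declared here; the object is defined outside this header.
 * NOTE(review): enum_name_t is not declared in this file, presumably it
 * comes from the library.h include above.
 */
extern enum_name_t *tls_handshake_type_names;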
97
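/**
 * Purpose the TLS stack is initiated for.
 *
 * The enumerators carry no explicit values, so they number from 0 in
 * declaration order; inserting or reordering entries changes the values.
 *
 * NOTE(review): what the stack does differently per purpose (for example
 * whether client authentication is required) is not visible in this header.
 */
enum tls_purpose_t {
	/** authentication in EAP-TLS */
	TLS_PURPOSE_EAP_TLS,
	/** outer authentication and protection in EAP-TTLS */
	TLS_PURPOSE_EAP_TTLS,
	/** outer authentication and protection in EAP-PEAP */
	TLS_PURPOSE_EAP_PEAP,
	/** non-EAP TLS */
	TLS_PURPOSE_GENERIC,
	/** EAP binding for TNC */
	TLS_PURPOSE_EAP_TNC
};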
113
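/**
 * TLS Hello extension types.
 *
 * The values are the two-byte ExtensionType codes sent in the hello
 * messages. The list is not contiguous, and a peer can send extension types
 * that are not listed here.
 * NOTE(review): which of these extensions the stack acts on, and how it
 * treats unlisted ones, is not visible in this header.
 */
enum tls_extension_t {
	/** Server name the client wants to talk to */
	TLS_EXT_SERVER_NAME = 0,
	/** request a maximum fragment size */
	TLS_EXT_MAX_FRAGMENT_LENGTH = 1,
	/** indicate client certificate URL support */
	TLS_EXT_CLIENT_CERTIFICATE_URL = 2,
	/** list of CA the client trusts */
	TLS_EXT_TRUSTED_CA_KEYS = 3,
	/** request MAC truncation to 80-bit */
	TLS_EXT_TRUNCATED_HMAC = 4,
	/** list of OCSP responders the client trusts */
	TLS_EXT_STATUS_REQUEST = 5,
	/** list of supported elliptic curves */
	TLS_EXT_ELLIPTIC_CURVES = 10,
	/** supported point formats */
	TLS_EXT_EC_POINT_FORMATS = 11,
	/** list supported signature algorithms */
	TLS_EXT_SIGNATURE_ALGORITHMS = 13,
	/** cryptographic binding for RFC 5746 renegotiation indication (0xff01) */
	TLS_EXT_RENEGOTIATION_INFO = 65281,
};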
139
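/**
 * Name types of a server name entry.
 *
 * NOTE(review): presumably the NameType used inside the server name
 * extension (TLS_EXT_SERVER_NAME), where host_name is 0 per RFC 6066;
 * confirm against the code that parses the extension.
 */
enum tls_name_type_t {
	/** DNS host name */
	TLS_NAME_TYPE_HOST_NAME = 0,
};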
143
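/**
 * Enum names for tls_extension_t
 *
 * Only declared here; the object is defined outside this header.
 * NOTE(review): enum_name_t is not declared in this file, presumably it
 * comes from the library.h include above.
 */
extern enum_name_t *tls_extension_names;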
148
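/**
 * A bottom-up driven TLS stack, suitable for EAP implementations.
 *
 * The interface is a table of function pointers; every method takes the
 * instance as its first argument. The caller feeds received records in with
 * process() and pulls records to send with build().
 */
struct tls_t {

	/**
	 * Process one or more TLS records, pass it to upper layers.
	 *
	 * NOTE(review): buf presumably holds bytes received from the remote
	 * peer. Length fields inside those records are peer-controlled and have
	 * to be checked against buflen by the implementation; that check is not
	 * visible in this header. buf is not const, so whether it is modified in
	 * place cannot be told from the declaration.
	 *
	 * @param buf		TLS record data, including headers
	 * @param buflen	number of bytes in buf to process
	 * @return
	 *					- SUCCESS if TLS negotiation complete
	 *					- FAILED if TLS handshake failed
	 *					- NEED_MORE if more invocations to process/build needed
	 */
	status_t (*process)(tls_t *this, void *buf, size_t buflen);

	/**
	 * Query upper layer for one or more TLS records, build fragments.
	 *
	 * The TLS stack automatically fragments the records to the given buffer
	 * size. Fragmentation is indicated by the msglen output parameter and
	 * the return value. For the first fragment of a TLS record, a non-zero
	 * record length is returned in msglen. If more fragments follow, NEED_MORE
	 * is returned. A return value of ALREADY_DONE indicates that the final
	 * fragment has been returned.
	 *
	 * buflen is an in/out parameter: on entry it is the capacity of buf, on
	 * return the number of bytes written.
	 *
	 * NOTE(review): this description used to name the length parameter
	 * reclen, while the signature only has msglen; confirm whether msglen
	 * receives the length of one record or the total of all fragments.
	 *
	 * @param buf		buffer to write TLS record fragments to
	 * @param buflen	size of buffer, receives bytes written
	 * @param msglen	receives size of all TLS fragments
	 * @return
	 *					- SUCCESS if TLS negotiation complete
	 *					- FAILED if TLS handshake failed
	 *					- INVALID_STATE if more input data required
	 *					- NEED_MORE if more fragments available
	 *					- ALREADY_DONE if the last available fragment returned
	 */
	status_t (*build)(tls_t *this, void *buf, size_t *buflen, size_t *msglen);

	/**
	 * Check if TLS stack is acting as a server.
	 *
	 * @return			TRUE if server, FALSE if peer (client)
	 */
	bool (*is_server)(tls_t *this);

	/**
	 * Get the negotiated TLS/SSL version.
	 *
	 * NOTE(review): the value returned before a version has been negotiated
	 * is not documented here.
	 *
	 * @return			negotiated TLS version
	 */
	tls_version_t (*get_version)(tls_t *this);

	/**
	 * Set the negotiated TLS/SSL version.
	 *
	 * The return value is the only signal that a version was rejected, so
	 * callers must check it and stop the handshake on FALSE.
	 * NOTE(review): which versions count as acceptable is decided by the
	 * implementation and is not visible in this header.
	 *
	 * @param version	negotiated TLS version
	 * @return			TRUE if version acceptable
	 */
	bool (*set_version)(tls_t *this, tls_version_t version);

	/**
	 * Get the purpose of this TLS stack instance.
	 *
	 * @return			purpose given during construction
	 */
	tls_purpose_t (*get_purpose)(tls_t *this);

	/**
	 * Check if TLS negotiation completed successfully.
	 *
	 * @return			TRUE if TLS negotiation and authentication complete
	 */
	bool (*is_complete)(tls_t *this);

	/**
	 * Get the MSK for EAP-TLS.
	 *
	 * The returned chunk refers to internal data: the caller must not free
	 * or modify it. The MSK is secret key material and should stay out of
	 * logs.
	 * NOTE(review): presumably the chunk is valid only until destroy() and
	 * only meaningful once is_complete() returns TRUE; confirm both against
	 * the implementation.
	 *
	 * @return			MSK, internal data
	 */
	chunk_t (*get_eap_msk)(tls_t *this);

	/**
	 * Destroy a tls_t.
	 */
	void (*destroy)(tls_t *this);
};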
236
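/**
 * Dummy libtls initialization function needed for integrity test
 *
 * Takes no arguments and returns nothing.
 * NOTE(review): the integrity test that refers to this symbol is not part
 * of this header.
 */
void libtls_init(void);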
241
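/**
 * Create a tls instance.
 *
 * Passing NULL as peer turns client authentication off, so a server created
 * that way accepts clients without authenticating them at the TLS layer.
 *
 * NOTE(review): ownership of server, peer, application and cache (whether
 * the stack clones them, keeps references, or destroys them) is not stated
 * here, and neither is whether the function can return NULL; confirm both
 * against the implementation before relying on either.
 *
 * @param is_server			TRUE to act as server, FALSE for client
 * @param server			server identity
 * @param peer				peer identity, NULL for no client authentication
 * @param purpose			purpose this TLS stack instance is used for
 * @param application		higher layer application or NULL if none
 * @param cache				session cache to use, or NULL
 * @return					TLS stack
 */
tls_t *tls_create(bool is_server, identification_t *server,
				  identification_t *peer, tls_purpose_t purpose,
				  tls_application_t *application, tls_cache_t *cache);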
256
257 #endif /** TLS_H_ @}*/