Implemented TLS session resumption both as client and as server
[strongswan.git] / src / libtls / tls.h
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup libtls libtls
18 *
19 * @addtogroup libtls
20 * TLS implementation on top of libstrongswan
21 *
22 * @defgroup tls tls
23 * @{ @ingroup libtls
24 */
25
26 #ifndef TLS_H_
27 #define TLS_H_
28
29 typedef enum tls_version_t tls_version_t;
30 typedef enum tls_content_type_t tls_content_type_t;
31 typedef enum tls_handshake_type_t tls_handshake_type_t;
32 typedef enum tls_purpose_t tls_purpose_t;
33 typedef struct tls_t tls_t;
34
35 #include <library.h>
36
37 #include "tls_application.h"
38 #include "tls_cache.h"
39
40 /**
41 * TLS/SSL version numbers
42 */
43 enum tls_version_t {
44 SSL_2_0 = 0x0200,
45 SSL_3_0 = 0x0300,
46 TLS_1_0 = 0x0301,
47 TLS_1_1 = 0x0302,
48 TLS_1_2 = 0x0303,
49 };
50
51 /**
52 * Enum names for tls_version_t
53 */
54 extern enum_name_t *tls_version_names;
55
56 /**
57 * TLS higher level content type
58 */
59 enum tls_content_type_t {
60 TLS_CHANGE_CIPHER_SPEC = 20,
61 TLS_ALERT = 21,
62 TLS_HANDSHAKE = 22,
63 TLS_APPLICATION_DATA = 23,
64 };
65
66 /**
67 * Enum names for tls_content_type_t
68 */
69 extern enum_name_t *tls_content_type_names;
70
71 /**
72 * TLS handshake subtype
73 */
74 enum tls_handshake_type_t {
75 TLS_HELLO_REQUEST = 0,
76 TLS_CLIENT_HELLO = 1,
77 TLS_SERVER_HELLO = 2,
78 TLS_CERTIFICATE = 11,
79 TLS_SERVER_KEY_EXCHANGE = 12,
80 TLS_CERTIFICATE_REQUEST = 13,
81 TLS_SERVER_HELLO_DONE = 14,
82 TLS_CERTIFICATE_VERIFY = 15,
83 TLS_CLIENT_KEY_EXCHANGE = 16,
84 TLS_FINISHED = 20,
85 };
86
87 /**
88 * Enum names for tls_handshake_type_t
89 */
90 extern enum_name_t *tls_handshake_type_names;
91
92 /**
93 * Purpose the TLS stack is initiated for.
94 */
95 enum tls_purpose_t {
96 /** authentication in EAP-TLS */
97 TLS_PURPOSE_EAP_TLS,
98 /** outer authentication and protection in EAP-TTLS */
99 TLS_PURPOSE_EAP_TTLS,
100 /** outer authentication and protection in EAP-PEAP */
101 TLS_PURPOSE_EAP_PEAP,
102 /** non-EAP TLS */
103 TLS_PURPOSE_GENERIC,
104 /** EAP binding for TNC */
105 TLS_PURPOSE_EAP_TNC
106 };
107
108 /**
109 * TLS Hello extension types.
110 */
111 enum tls_extension_t {
112 /** Server name the client wants to talk to */
113 TLS_EXT_SERVER_NAME = 0,
114 /** request a maximum fragment size */
115 TLS_EXT_MAX_FRAGMENT_LENGTH = 1,
116 /** indicate client certificate URL support */
117 TLS_EXT_CLIENT_CERTIFICATE_URL = 2,
118 /** list of CA the client trusts */
119 TLS_EXT_TRUSTED_CA_KEYS = 3,
120 /** request MAC truncation to 80-bit */
121 TLS_EXT_TRUNCATED_HMAC = 4,
122 /** list of OCSP responders the client trusts */
123 TLS_EXT_STATUS_REQUEST = 5,
124 /** list of supported elliptic curves */
125 TLS_EXT_ELLIPTIC_CURVES = 10,
126 /** supported point formats */
127 TLS_EXT_EC_POINT_FORMATS = 11,
128 /** list supported signature algorithms */
129 TLS_EXT_SIGNATURE_ALGORITHMS = 13,
130 /** cryptographic binding for RFC 5746 renegotiation indication */
131 TLS_EXT_RENEGOTIATION_INFO = 65281,
132 };
133
134 enum tls_name_type_t {
135 TLS_NAME_TYPE_HOST_NAME = 0,
136 };
137
138 /**
139 * Enum names for tls_extension_t
140 */
141 extern enum_name_t *tls_extension_names;
142
143 /**
144 * A bottom-up driven TLS stack, suitable for EAP implementations.
145 */
146 struct tls_t {
147
148 /**
149 * Process one or more TLS records, pass it to upper layers.
150 *
151 * @param buf TLS record data, including headers
152 * @param buflen number of bytes in buf to process
153 * @return
154 * - SUCCESS if TLS negotiation complete
155 * - FAILED if TLS handshake failed
156 * - NEED_MORE if more invocations to process/build needed
157 */
158 status_t (*process)(tls_t *this, void *buf, size_t buflen);
159
160 /**
161 * Query upper layer for one or more TLS records, build fragments.
162 *
163 * The TLS stack automatically fragments the records to the given buffer
164 * size. Fragmentation is indicated by the reclen ouput parameter and
165 * the return value. For the first fragment of a TLS record, a non-zero
166 * record length is returned in reclen. If more fragments follow, NEED_MORE
167 * is returned. A return value of ALREADY_DONE indicates that the final
168 * fragment has been returned.
169 *
170 * @param buf buffer to write TLS record fragments to
171 * @param buflen size of buffer, receives bytes written
172 * @param msglen receives size of all TLS fragments
173 * @return
174 * - SUCCESS if TLS negotiation complete
175 * - FAILED if TLS handshake failed
176 * - INVALID_STATE if more input data required
177 * - NEED_MORE if more fragments available
178 * - ALREADY_DONE if the last available fragment returned
179 */
180 status_t (*build)(tls_t *this, void *buf, size_t *buflen, size_t *msglen);
181
182 /**
183 * Check if TLS stack is acting as a server.
184 *
185 * @return TRUE if server, FALSE if peer
186 */
187 bool (*is_server)(tls_t *this);
188
189 /**
190 * Get the negotiated TLS/SSL version.
191 *
192 * @return negotiated TLS version
193 */
194 tls_version_t (*get_version)(tls_t *this);
195
196 /**
197 * Set the negotiated TLS/SSL version.
198 *
199 * @param version negotiated TLS version
200 * @return TRUE if version acceptable
201 */
202 bool (*set_version)(tls_t *this, tls_version_t version);
203
204 /**
205 * Get the purpose of this TLS stack instance.
206 *
207 * @return purpose given during construction
208 */
209 tls_purpose_t (*get_purpose)(tls_t *this);
210
211 /**
212 * Check if TLS negotiation completed successfully.
213 *
214 * @return TRUE if TLS negotiation and authentication complete
215 */
216 bool (*is_complete)(tls_t *this);
217
218 /**
219 * Get the MSK for EAP-TLS.
220 *
221 * @return MSK, internal data
222 */
223 chunk_t (*get_eap_msk)(tls_t *this);
224
225 /**
226 * Destroy a tls_t.
227 */
228 void (*destroy)(tls_t *this);
229 };
230
231 /**
232 * Dummy libtls initialization function needed for integrity test
233 */
234 void libtls_init(void);
235
236 /**
237 * Create a tls instance.
238 *
239 * @param is_server TRUE to act as server, FALSE for client
240 * @param server server identity
241 * @param peer peer identity, NULL for no client authentication
242 * @param purpose purpose this TLS stack instance is used for
243 * @param application higher layer application or NULL if none
244 * @param cache session cache to use, or NULL
245 * @return TLS stack
246 */
247 tls_t *tls_create(bool is_server, identification_t *server,
248 identification_t *peer, tls_purpose_t purpose,
249 tls_application_t *application, tls_cache_t *cache);
250
251 #endif /** TLS_H_ @}*/