Moved TLS stack to its own library
[strongswan.git] / src / libtls / tls_crypto.h
1 /*
2 * Copyright (C) 2010 Martin Willi
3 * Copyright (C) 2010 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup tls_crypto tls_crypto
18 * @{ @ingroup libtls
19 */
20
21 #ifndef TLS_CRYPTO_H_
22 #define TLS_CRYPTO_H_
23
24 typedef struct tls_crypto_t tls_crypto_t;
25 typedef enum tls_cipher_suite_t tls_cipher_suite_t;
26
27 #include "tls.h"
28 #include "tls_prf.h"
29 #include "tls_protection.h"
30
31 #include <credentials/keys/private_key.h>
32
33 /**
34 * TLS cipher suites
35 */
36 enum tls_cipher_suite_t {
37 TLS_NULL_WITH_NULL_NULL = 0x00,
38 TLS_RSA_WITH_NULL_MD5 = 0x01,
39 TLS_RSA_WITH_NULL_SHA = 0x02,
40 TLS_RSA_WITH_NULL_SHA256 = 0x3B,
41 TLS_RSA_WITH_RC4_128_MD5 = 0x04,
42 TLS_RSA_WITH_RC4_128_SHA = 0x05,
43 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x0A,
44 TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F,
45 TLS_RSA_WITH_AES_256_CBC_SHA = 0x35,
46 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x3C,
47 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3D,
48 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x0D,
49 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x10,
50 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x13,
51 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16,
52 TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x30,
53 TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x31,
54 TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x32,
55 TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x33,
56 TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x36,
57 TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x37,
58 TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x38,
59 TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x39,
60 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x3E,
61 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x3F,
62 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x40,
63 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x67,
64 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x68,
65 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x69,
66 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x6A,
67 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x6B,
68 TLS_DH_ANON_WITH_RC4_128_MD5 = 0x18,
69 TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x1B,
70 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x34,
71 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x3A,
72 TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x6C,
73 TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x6D,
74 };
75
76 /**
77 * TLS crypto helper functions.
78 */
79 struct tls_crypto_t {
80
81 /**
82 * Get a list of supported TLS cipher suites.
83 *
84 * @param suites list of suites, points to internal data
85 * @return number of suites returned
86 */
87 int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites);
88
89 /**
90 * Select and store a cipher suite from a given list of candidates.
91 *
92 * @param suites list of candidates to select from
93 * @param count number of suites
94 * @return selected suite, 0 if none acceptable
95 */
96 tls_cipher_suite_t (*select_cipher_suite)(tls_crypto_t *this,
97 tls_cipher_suite_t *suites, int count);
98
99 /**
100 * Set the protection layer of the TLS stack to control it.
101 *
102 * @param protection protection layer to work on
103 */
104 void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection);
105
106 /**
107 * Store exchanged handshake data, used for cryptographic operations.
108 *
109 * @param type handshake sub type
110 * @param data data to append to handshake buffer
111 */
112 void (*append_handshake)(tls_crypto_t *this,
113 tls_handshake_type_t type, chunk_t data);
114
115 /**
116 * Create a signature of the handshake data using a given private key.
117 *
118 * @param key private key to use for signature
119 * @param writer TLS writer to write signature to
120 * @return TRUE if signature create successfully
121 */
122 bool (*sign_handshake)(tls_crypto_t *this, private_key_t *key,
123 tls_writer_t *writer);
124
125 /**
126 * Verify the signature over handshake data using a given public key.
127 *
128 * @param key public key to verify signature with
129 * @param reader TLS reader to read signature from
130 * @return TRUE if signature valid
131 */
132 bool (*verify_handshake)(tls_crypto_t *this, public_key_t *key,
133 tls_reader_t *reader);
134
135 /**
136 * Calculate the data of a TLS finished message.
137 *
138 * @param label ASCII label to use for calculation
139 * @param out buffer to write finished data to
140 * @return TRUE if calculation successful
141 */
142 bool (*calculate_finished)(tls_crypto_t *this, char *label, char out[12]);
143
144 /**
145 * Derive the master secret, MAC and encryption keys.
146 *
147 * @param premaster premaster secret
148 * @param client_random random data from client hello
149 * @param server_random random data from server hello
150 */
151 void (*derive_secrets)(tls_crypto_t *this, chunk_t premaster,
152 chunk_t client_random, chunk_t server_random);
153
154 /**
155 * Change the cipher used at protection layer.
156 *
157 * @param inbound TRUE to change inbound cipher, FALSE for outbound
158 */
159 void (*change_cipher)(tls_crypto_t *this, bool inbound);
160
161 /**
162 * Derive the EAP-TLS MSK.
163 *
164 * @param client_random random data from client hello
165 * @param server_random random data from server hello
166 */
167 void (*derive_eap_msk)(tls_crypto_t *this,
168 chunk_t client_random, chunk_t server_random);
169
170 /**
171 * Get the MSK to use in EAP-TLS.
172 *
173 * @return MSK, points to internal data
174 */
175 chunk_t (*get_eap_msk)(tls_crypto_t *this);
176
177 /**
178 * Destroy a tls_crypto_t.
179 */
180 void (*destroy)(tls_crypto_t *this);
181 };
182
183 /**
184 * Create a tls_crypto instance.
185 */
186 tls_crypto_t *tls_crypto_create(tls_t *tls);
187
188 #endif /** TLS_CRYPTO_H_ @}*/