MastersThesis/TIIGER_TLS/PQ_TIIGER_TLS/include/tls1_3.h

585 lines
34 KiB
C
Raw Normal View History

2024-04-15 09:53:30 +00:00
/*
* JS update 14.04.2024
* Doplnene IDs pre algoritmy ML-KEM a ML-DSA
*/
/*
* JS update 29.02.2024
* Navysenie premennej TLS_X509_MAX_FIELD
* Zmeny premennych spojenych s PQ algoritmami (pre CRYPTO_SETTING == POST_QUANTUM)
* Pridana tabulka pre s velkostami verejnych a sukromnych klucov KEM protokolov a certifikatov, s velkostami sifrovanej spravy a certifikatov
* Navysenie poctu podporovanych KEM protokolov a algoritmov pre certifikaty
* Pridane ID pre nove PQ algoritmy
*/
/**
* @file tls1_3.h
* @author Mike Scott
* @brief Main TLS 1.3 Header File for constants and structures
*
*/
#ifndef TLS1_3_H
#define TLS1_3_H
#include <stdint.h>
#include "tls_octads.h"
#include "tls_sockets.h"
typedef uint8_t byte; /**< 8-bit unsigned integer */
typedef int8_t sign8 ; /**< 8-bit signed integer */
typedef int16_t sign16; /**< 16-bit signed integer */
typedef int32_t sign32; /**< 32-bit signed integer */
typedef int64_t sign64; /**< 64-bit signed integer */
typedef uint32_t unsign32 ; /**< 32-bit unsigned integer */
typedef uint64_t unsign64; /**< 64-bit unsigned integer */
// Terminal Output
#define IO_NONE 0 /**< Run silently */
#define IO_APPLICATION 1 /**< just print application traffic */
#define IO_PROTOCOL 2 /**< print protocol progress + application traffic */
#define IO_DEBUG 3 /**< print lots of debug information + protocol progress + application progress */
#define IO_WIRE 4 /**< print lots of debug information + protocol progress + application progress + bytes on the wire */
// // Supported CRYPTO_SETTINGs
#define TINY_ECC 1 /**< ECC keys only */
#define TYPICAL 2 /**< Mixture of RSA and ECC - for use with most standard web servers */
#define POST_QUANTUM 3 /**< Post quantum (Dilithium+Kyber?) */
#define HYBRID 4 /**< Hybrid, Kyber/Dilithium + X25519 */
#define EDDSA 0 /**< experimental EDDSA certificate chain used */
// Client Certificate Chain + Key
#define NOCERT 0 /**< Don't have a Client Cert */
#define RSA_SS 1 /**< self signed RSA cert */
#define ECC_SS 2 /**< self signed ECC cert */
#define DLT_SS 3 /**< self signed Dilithium cert */
#define HYB_SS 6 /**< self signed Hybrid cert (Dilithium+ECC) */
#define HW_1 4 /**< RP2040 1 Hardware cert */
#define HW_2 5 /**< RP2040 2 Hardware cert */
#define EDD_SS 7 /**< self signed Ed25519 cert */
// THESE ARE IMPORTANT USER DEFINED SETTINGS ***********************************
// Note that favourite group (as used in client hello) is determined by the SAL ordering - see tls_sal.cpp
// If server does not support it, an expensive Handshake Retry will be required
// So best to place a popular group (such as X25519) at top of list in SAL
#define VERBOSITY IO_APPLICATION /**< Set to level of output information desired - see above */
#define THIS_YEAR 2023 /**< Set to this year - crudely used to deprecate old certificates */
#define POST_HS_AUTH /**< Willing to do post handshake authentication */
#define CLIENT_CERT RSA_SS /**< Indicate capability of authenticating with a cert plus signing key */
#define CRYPTO_SETTING POST_QUANTUM /**< Determine Cryptography settings */
// Supported protocols
#define TLS_APPLICATION_PROTOCOL (char *)("http/1.1") /**< Support ALPN protocol */
#define ALLOW_SELF_SIGNED /**< allow self-signed server cert */
//#define NO_CERT_CHECKS /**< Don't do any checks on server certs - useful for Anvil testing */
#define TRY_EARLY_DATA /**< Try to send early data on resumptions */
//#define ENABLE_HEARTBEATS /**< Enable heartbeats */
//#define PEER_CAN_HEARTBEAT /**< Allow peer to heartbeat */
// Note that BUFF, Certificates and crypto keys can be quite large, and therefore maybe better taken from the heap
// on systems with a shallow stack. Define this to use the heap.
//#define SHALLOW_STACK /**< Get large arrays from heap, else stack */
// comment out if no max record size. In practise TLS1.3 doesn't seem to support this record_size_limit extension, so use with caution
// #define MAX_RECORD 1024 /**< Maximum record size client is willing to receive - should be less than TLS_MAX_IBUFF_SIZE below */
// Note that if this is not used, max_fragment_size extension is tried instead, see TLS_MAX_FRAG below
// define this so that all encrypted records are padded with 0s to full length
// #define PAD_SHORT_RECORDS /**< Pad short output records */
//#define PREFER_RAW_SERVER_PUBLIC_KEY /**< Would be happy with raw public key from server */
//#define PREFER_RAW_CLIENT_PUBLIC_KEY /**< Would prefer server to accept raw public key from client */
// may need to undefine this for fuzzing
#define MERGE_MESSAGES /**< allow merging of messages into single record */
// *****************************************************************************
// Standard Hash Types
#define TLS_SHA256_T 1 /**< SHA256 hash */
#define TLS_SHA384_T 2 /**< SHA384 hash */
#define TLS_SHA512_T 3 /**< SHA512 hash */
// Some maximum sizes for stack allocated memory. Handshake will fail if these sizes are exceeded!
#define TLS_MAX_HASH_STATE 768 /**< Maximum memory required to store hash function state */
#define TLS_MAX_HASH 64 /**< Maximum hash output length in bytes */
#define TLS_MAX_KEY 32 /**< Maximum key length in bytes */
// JS zvysena hodnota kvoli CA SPHINCS+-SHAKE-128f-simple v subore tls_cacerts - "maximum size for CA root signed certs in base64"
#define TLS_X509_MAX_FIELD 30000 /**< Maximum X.509 field size */
#define TLS_MAX_EXT_LABEL 256 /**< Max external psk label size */
// Max Frag length must be less than TLS_MAX_IBUFF_SIZE
#define TLS_MAX_FRAG 2 /**< Max Fragment length desired - 1 for 512, 2 for 1024, 3 for 2048, 4 for 4096, 0 for 16384 */
#if CRYPTO_SETTING==TYPICAL
#define TLS_MAX_IBUFF_SIZE (16384+256) /**< Maximum Input/Output buffer size. We will want to reduce this as much as possible! But must be large enough to take full certificate chain */
#define TLS_MAX_PLAIN_FRAG 16384 /**< Max Plaintext Fragment size */
#define TLS_MAX_CIPHER_FRAG (16384+256) /**< Max Ciphertext Fragment size */
#define TLS_MAX_CERT_SIZE 2048 /**< I checked - current max for root CAs is 2016 */
#define TLS_MAX_CERT_B64 2800 /**< In base64 - current max for root CAs is 2688 */
#define TLS_MAX_HELLO 1024 /**< Max client hello size (less extensions) KEX public key is largest component */
#define TLS_MAX_SIG_PUB_KEY_SIZE 512 /**< Max signature public key size in bytes 4096-bit RSA */
#define TLS_MAX_SIG_SECRET_KEY_SIZE 1280 /**< Max signature private key size in bytes 4096-bit RSA */
#define TLS_MAX_SIGNATURE_SIZE 512 /**< Max digital signature size in bytes 4096-bit RSA */
#define TLS_MAX_KEX_PUB_KEY_SIZE 97 /**< Max key exchange public key size in bytes 384-bit ECC */
#define TLS_MAX_KEX_CIPHERTEXT_SIZE 97 /**< Max key exchange (KEM) ciphertext size 384-bit ECC */
#define TLS_MAX_KEX_SECRET_KEY_SIZE 48 /**< Max key exchange private key size in bytes 384-bit ECC */
#endif
/*
JS
15.04.2024
KEX algorithms
https://openquantumsafe.org/liboqs/algorithms/
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
| Algorithm | Kyber512 | Kyber768 | Kyber1024 | BIKE-L1 | BIKE-L3 | BIKE-L5 | HQC-128 | HQC-192 | HQC-256 | FrodoKEM-640-AES | FrodoKEM-640-SHAKE | FrodoKEM-976-AES | FrodoKEM-976-SHAKE | FrodoKEM-1344-AES | FrodoKEM-1344-SHAKE |
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
| Public key size | 800 | 1184 | 1568 | 1541 | 3083 | 5122 | 2249 | 4522 | 7245 | 9616 | 9616 | 15632 | 15632 | 21520 | 21520 |
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
| Secret key size | 1632 | 2400 | 3168 | 5223 | 10105 | 16494 | 2289 | 4562 | 7285 | 19888 | 19888 | 31296 | 31296 | 43088 | 43088 |
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
| Ciphertext size | 768 | 1088 | 1568 | 1573 | 3115 | 5154 | 4481 | 9026 | 14469 | 9720 | 9720 | 15744 | 15744 | 21632 | 21632 |
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
*BIKE nie je dostupny na Windowse
ML-KEM - rovnaký ako KYBER
+-----------------+-----------+-----------+------------+
| Algorithm | ML-KEM512 | ML-KEM768 | ML-KEM1024 |
+-----------------+-----------+-----------+------------+
| Public key size | 800 | 1184 | 1568 |
+-----------------+-----------+-----------+------------+
| Secret key size | 1632 | 2400 | 3168 |
+-----------------+-----------+-----------+------------+
| Ciphertext size | 768 | 1088 | 1568 |
+-----------------+-----------+-----------+------------+
Signature algorithms
https://openquantumsafe.org/liboqs/algorithms/
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
| Algorithm | DILITHIUM2 | DILITHIUM3 | DILITHIUM5 | FALCON512 | FALCON1024 | SPHINCS+-SHA2-128f-simple | SPHINCS+-SHA2-128s-simple | SPHINCS+-SHAKE-128f-simple |
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
| Public key size | 1312 | 1952 | 2592 | 897 | 1793 | 32 | 32 | 32 |
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
| Secret key size | 2528 | 4000 | 4864 | 1281 | 2305 | 64 | 64 | 64 |
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
| Signature size | 2420 | 3293 | 4595 | 666 | 1280 | 17088 | 7856 | 17088 |
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
ML-DSA - rovnaký ako DILITHIUM
+-----------------+-----------+-----------+------------+
| Algorithm | ML-DSA44 | ML-DSA65 | ML-DSA87 |
+-----------------+-----------+-----------+------------+
| Public key size | 1312 | 1952 | 2592 |
+-----------------+-----------+-----------+------------+
| Secret key size | 2528 | 4000 | 4864 |
+-----------------+-----------+-----------+------------+
| Ciphertext size | 2420 | 3293 | 4595 |
+-----------------+-----------+-----------+------------+
*/
#if CRYPTO_SETTING == POST_QUANTUM
// JS MAX_IBUFF_SIZE zmeneny na 52295 kvoli SPHINCS_SHAKE_128F_SIMPLE, najvacsi vygenerovany certchain
#define TLS_MAX_IBUFF_SIZE (52295) /**< Maximum Input/Output buffer size. We will want to reduce this as much as possible! But must be large enough to take full certificate chain */
#define TLS_MAX_PLAIN_FRAG 16384 /**< Max Plaintext Fragment size */
#define TLS_MAX_CIPHER_FRAG (16384+256) /**< Max Ciphertext Fragment size */
#define TLS_MAX_CERT_SIZE 6144 /**< I checked - current max for root CAs is 2016 - but would be much bigger for Dilithium!*/
#define TLS_MAX_CERT_B64 8192 /**< In base64 - current max for root CAs is 2688 */
#define TLS_MAX_HELLO 2048 /**< Max client hello size (less extensions) KEX public key is largest component */
// JS zmenene na zaklade PQ algoritmov
#define TLS_MAX_SIG_PUB_KEY_SIZE 2592 /**< Max signature public key size in bytes */ // Najvacsi je DILITHIUM5
#define TLS_MAX_SIG_SECRET_KEY_SIZE 4864 /**< Max signature private key size in bytes */ // Najvacsi je DILITHIUM5
#define TLS_MAX_SIGNATURE_SIZE 17088 /**< Max signature size in bytes */ // Najvacsi je SPHINCS+-SHA2-128f-simple alebo SPHINCS+-SHAKE-128f-simple
// JS zmenene na zaklade PQ algoritmov
#define TLS_MAX_KEX_PUB_KEY_SIZE 21520 // Najvacsi je FrodoKEM-1344-SHAKE
#define TLS_MAX_KEX_CIPHERTEXT_SIZE 21632 // Najvacsi je FrodoKEM-1344-SHAKE
#define TLS_MAX_KEX_SECRET_KEY_SIZE 43088 // Najvacsi je FrodoKEM-1344-SHAKE
#endif
#if CRYPTO_SETTING == HYBRID
#define TLS_MAX_IBUFF_SIZE (16384+256) /**< Maximum Input/Output buffer size. We will want to reduce this as much as possible! But must be large enough to take full certificate chain */
#define TLS_MAX_PLAIN_FRAG 16384 /**< Max Plaintext Fragment size */
#define TLS_MAX_CIPHER_FRAG (16384+256) /**< Max Ciphertext Fragment size */
#define TLS_MAX_CERT_SIZE 6144 /**< I checked - current max for root CAs is 2016 - but would be much bigger for Dilithium!*/
#define TLS_MAX_CERT_B64 8192 /**< In base64 - current max for root CAs is 2688 */
#define TLS_MAX_HELLO 2048 /**< Max client hello size (less extensions) KEX public key is largest component */
// These all blow up post quantum
#define TLS_MAX_SIG_PUB_KEY_SIZE 1312+65 /**< Max signature public key size in bytes DILITHIUM2 + P256 */
#define TLS_MAX_SIG_SECRET_KEY_SIZE 2528+200 /**< Max signature private key size in bytes DILITHIUM2 + P256 (maybe includes the public key?) */
#define TLS_MAX_SIGNATURE_SIZE 2420+100 /**< Max signature size in bytes DILITHIUM2 + P256 (DER encoding for ECC sig) */
#define TLS_MAX_KEX_PUB_KEY_SIZE 1184+32 /**< Max key exchange public key size in bytes KYBER768+X25519 */
#define TLS_MAX_KEX_CIPHERTEXT_SIZE 1088+32 /**< Max key exchange (KEM) ciphertext size KYBER768+X25519 */
#define TLS_MAX_KEX_SECRET_KEY_SIZE 2400+32 /**< Max key exchange private key size in bytes KYBER768+X25519 */
#endif
#if CRYPTO_SETTING==TINY_ECC || CRYPTO_SETTING==EDDSA
#define TLS_MAX_IBUFF_SIZE (4096+256) /**< Maximum Input/Output buffer size. We will want to reduce this as much as possible! But must be large enough to take full certificate chain */
#define TLS_MAX_PLAIN_FRAG 4096 /**< Max Plaintext Fragment size */
#define TLS_MAX_CIPHER_FRAG (4096+256) /**< Max Ciphertext Fragment size */
#define TLS_MAX_CERT_SIZE 2048 /**< I checked - current max for root CAs is 2016 */
#define TLS_MAX_CERT_B64 2800 /**< In base64 - current max for root CAs is 2688 */
#define TLS_MAX_HELLO 1024 /**< Max client hello size (less extensions) KEX public key is largest component */
#define TLS_MAX_SIG_PUB_KEY_SIZE 133 /**< Max signature public key size in bytes ECC */
#define TLS_MAX_SIG_SECRET_KEY_SIZE 66 /**< Max signature private key size in bytes ECC */
#define TLS_MAX_SIGNATURE_SIZE 132 /**< Max signature size in bytes ECC */
#define TLS_MAX_KEX_PUB_KEY_SIZE 97 /**< Max key exchange public key size in bytes ECC */
#define TLS_MAX_KEX_CIPHERTEXT_SIZE 97 /**< Max key exchange (KEM) ciphertext size ECC */
#define TLS_MAX_KEX_SECRET_KEY_SIZE 48 /**< Max key exchange private key size in bytes ECC */
#endif
// Certificate size limits
#define TLS_MAX_SERVER_CHAIN_LEN 2 /**< Maximum Server Certificate chain length - omitting root CA */
#define TLS_MAX_SERVER_CHAIN_SIZE (TLS_MAX_SERVER_CHAIN_LEN*TLS_MAX_CERT_SIZE) /**< Maximum Server Certificate chain length in bytes */
#define TLS_MAX_CLIENT_CHAIN_LEN 1 /**< Maximum Client Certificate chain length - one self signed here */
#define TLS_MAX_CLIENT_CHAIN_SIZE (TLS_MAX_CLIENT_CHAIN_LEN*TLS_MAX_CERT_SIZE) /**< Maximum Client Certificate chain length in bytes */
#define TLS_MAX_SHARED_SECRET_SIZE 256 /**< Max key exchange Shared secret size */
// Both of these are bumped up by PQ IBE and Hybrid
#define TLS_MAX_TICKET_SIZE 4196 /**< maximum resumption ticket size - beware some servers send much bigger tickets! */
#define TLS_MAX_EXTENSIONS 61440 /**< Max extensions size */ // add 0 at the end, after hqc256 unable to perform
#define TLS_MAX_ECC_FIELD 66 /**< Max ECC field size in bytes */
#define TLS_MAX_IV_SIZE 12 /**< Max IV size in bytes */
#define TLS_MAX_TAG_SIZE 16 /**< Max HMAC tag length in bytes */
#define TLS_MAX_COOKIE 128 /**< Max Cookie size */
#define TLS_MAX_OUTPUT_RECORD_SIZE 1024 /**< Max output record size */
#define TLS_MAX_OBUFF_SIZE (TLS_MAX_OUTPUT_RECORD_SIZE+TLS_MAX_TAG_SIZE+6) /**< Max output buffer size */
#define TLS_MAX_SERVER_NAME 128 /**< Max server name size in bytes */
// JS zvyseny maximalny pocet podporovanych KEX/KEM a DSA
#define TLS_MAX_SUPPORTED_GROUPS 18 /**< Max number of supported crypto groups */
#define TLS_MAX_SUPPORTED_SIGS 17 /**< Max number of supported signature schemes */
#define TLS_MAX_PSK_MODES 2 /**< Max preshared key modes */
#define TLS_MAX_CIPHER_SUITES 5 /**< Max number of supported cipher suites */
// Cipher Suites
#define TLS_AES_128_GCM_SHA256 0x1301 /**< AES128/SHA256/GCM cipher suite - this is only one which MUST be implemented */
#define TLS_AES_256_GCM_SHA384 0x1302 /**< AES256/SHA384/GCM cipher suite */
#define TLS_CHACHA20_POLY1305_SHA256 0x1303 /**< CHACHA20/SHA256/POLY1305 cipher suite */
#define TLS_AES_128_CCM_SHA256 0x1304 /**< AES/SHA256/CCM cipher suite - optional */
#define TLS_AES_128_CCM_8_SHA256 0x1305 /**< AES/SHA256/CCM 8 cipher suite - optional */
// Key exchange groups
#define X25519 0x001d /**< X25519 elliptic curve key exchange */
#define SECP256R1 0x0017 /**< NIST SECP256R1 elliptic curve key exchange */
#define SECP384R1 0x0018 /**< NIST SECP384R1 elliptic curve key exchange */
#define SECP521R1 0x0019 /**< NIST SECP521R1 elliptic curve key exchange */
#define X448 0x001e /**< X448 elliptic curve key exchange */
// JS pridane ID pre PQ algoritmy
// Ide o experimentalne ID, zalozene na zaklade oqsprovidera 0.5.3 https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md#oids (29.02.2024)
// Ine aplikacie mozu pouzivat rozdielne ID - napr. HQC protokol funguje pri pouziti openssl s_server ale nie je kompatibilny s test serverom https://test.openquantumsafe.org/
// V pripade standardizacie moze prist k zmene ID
#define KYBER512 0x023A
#define KYBER768 0x023C /**< Kyber PQ key exchange - NOTE I just made this up! Not generally recognised! */ // POZNAMKA - liboqs 0x023C (povodne 0x4242)
#define KYBER1024 0x023D
#define MLKEM512 0x0247
#define MLKEM768 0x0248
#define MLKEM1024 0x0249
#define BIKEL1 0x0241
#define BIKEL3 0x0242
#define BIKEL5 0x0243
#define HQC128 0x0244
#define HQC192 0x0245
#define HQC256 0x0246
#define FRODO640AES 0x0200
#define FRODO640SHAKE 0x0201
#define FRODO976AES 0x0202
#define FRODO976SHAKE 0x0203
#define FRODO1344AES 0x0204
#define FRODO1344SHAKE 0x0205
#define HYBRID_KX 0x421d /**< Hybrid key exchange, Kyber+X25519 */
// Signature algorithms for TLS1.3 and Certs that we can handle
#define ECDSA_SECP256R1_SHA256 0x0403 /**< Supported ECDSA Signature algorithm */
#define ECDSA_SECP256R1_SHA384 0x0413 /**< Non-standard ECDSA Signature algorithm */
#define ECDSA_SECP384R1_SHA384 0x0503 /**< Supported ECDSA Signature algorithm */
#define RSA_PSS_RSAE_SHA256 0x0804 /**< Supported RSA Signature algorithm */
#define RSA_PSS_RSAE_SHA384 0x0805 /**< Supported RSA Signature algorithm */
#define RSA_PSS_RSAE_SHA512 0x0806 /**< Supported RSA Signature algorithm */
#define RSA_PKCS1_SHA256 0x0401 /**< Supported RSA Signature algorithm */
#define RSA_PKCS1_SHA384 0x0501 /**< Supported RSA Signature algorithm */
#define RSA_PKCS1_SHA512 0x0601 /**< Supported RSA Signature algorithm */
#define ED25519 0x0807 /**< Ed25519 EdDSA Signature algorithm */
#define ED448 0x0808 /**< Ed448 EdDSA Signature algorithm */
// JS pridane ID pre PQ algoritmy
// Ide o experimentalne ID, zalozene na zaklade oqsprovidera 0.6.0 https://github.com/open-quantum-safe/oqs-provider/blob/0.6.0/ALGORITHMS.md (15.04.2024)
// Ine aplikacie mozu pouzivat rozdielne ID
// V pripade standardizacie moze prist k zmene ID
#define DILITHIUM2 0xfea0
#define DILITHIUM3 0xfea3
#define DILITHIUM5 0xfea5
#define MLDSA44 0xfed0
#define MLDSA65 0xfed1
#define MLDSA87 0xfed2
#define FALCON512 0xfed7
#define FALCON1024 0xfeda
#define SPHINCSSHA2128FSIMPLE 0xfeb3
#define SPHINCSSHA2128SSIMPLE 0xfeb6
#define SPHINCSSHAKE128FSIMPLE 0xfec2
#define SPHINCSSHA2192FSIMPLE 0xfeb9
#define DILITHIUM2_P256 0x09F2 /**< Dilithium2+SECP256R1 Signature algorithms - this type can be negotiated, but always implemented seperately by SAL */
// pre-shared Key (PSK) modes
#define PSKOK 0x00 /**< Preshared Key only mode */
#define PSKWECDHE 0x01 /**< Preshared Key with Diffie-Hellman key exchange mode */
// ticket origin
#define TLS_FULL_HANDSHAKE 1 /**< Came from Full Handshake */
#define TLS_EXTERNAL_PSK 2 /**< External Pre-Shared Key */
// TLS versions
#define TLS1_0 0x0301 /**< TLS 1.0 version */
#define TLS1_2 0x0303 /**< TLS 1.2 version */
#define TLS1_3 0x0304 /**< TLS 1.3 version */
#define TLS13_UPDATE_NOT_REQUESTED 0 /**< Updating my keys */
#define TLS13_UPDATE_REQUESTED 1 /**< Updating my keys and telling you to update yours */
// Extensions
#define SERVER_NAME 0x0000 /**< Server Name extension */
#define SUPPORTED_GROUPS 0x000a /**< Supported Group extension */
#define SIG_ALGS 0x000d /**< Signature algorithms extension */
#define POST_HANDSHAKE_AUTH 0x0031 /**< Post Handshake Authentication */
#define SIG_ALGS_CERT 0x0032 /**< Signature algorithms Certificate extension */
#define KEY_SHARE 0x0033 /**< Key Share extension */
#define PSK_MODE 0x002d /**< Preshared key mode extension */
#define PRESHARED_KEY 0x0029 /**< Preshared key extension */
#define TLS_VER 0x002b /**< TLS version extension */
#define COOKIE 0x002c /**< Cookie extension */
#define EARLY_DATA 0x002a /**< Early Data extension */
#define MAX_FRAG_LENGTH 0x0001 /**< max fragmentation length extension */
#define PADDING 0x0015 /**< Padding extension */
#define APP_PROTOCOL 0x0010 /**< Application Layer Protocol Negotiation (ALPN) */
#define RECORD_SIZE_LIMIT 0x001c /**< Record Size Limit */
#define CLIENT_CERT_TYPE 0x0013 /**< Client Certificate type */
#define SERVER_CERT_TYPE 0x0014 /**< Server Certificate type */
#define HEARTBEAT 0x000f /**< Heartbeat */
#define CERT_AUTHORITIES 0x002f /**< Certificate Authorities */
// record types
#define HSHAKE 0x16 /**< Handshake record */
#define APPLICATION 0x17 /**< Application record */
#define ALERT 0x15 /**< Alert record */
#define CHANGE_CIPHER 0x14 /**< Change Cipher record */
#define HEART_BEAT 0x18 /**< Heart Beat Record */
// pseudo record types
#define TIMED_OUT 0x01 /**< Time-out */
// message types
#define CLIENT_HELLO 0x01 /**< Client Hello message */
#define SERVER_HELLO 0x02 /**< Server Hello message */
#define CERTIFICATE 0x0b /**< Certificate message */
#define CERT_REQUEST 0x0d /**< Certificate Request */
#define CERT_VERIFY 0x0f /**< Certificate Verify message */
#define FINISHED 0x14 /**< Handshake Finished message */
#define ENCRYPTED_EXTENSIONS 0x08 /**< Encrypted Extensions message */
#define TICKET 0x04 /**< Ticket message */
#define KEY_UPDATE 0x18 /**< Key Update message */
#define MESSAGE_HASH 0xFE /**< Special synthetic message hash message */
#define END_OF_EARLY_DATA 0x05 /**< End of Early Data message */
// pseudo message types
#define HANDSHAKE_RETRY 0x102 /**< Handshake retry */
// Causes of server error - which should generate a client alert
#define NOT_TLS1_3 -2 /**< Wrong version error, not TLS1.3 */
#define BAD_CERT_CHAIN -3 /**< Bad Certificate Chain error */
#define ID_MISMATCH -4 /**< Session ID mismatch error */
#define UNRECOGNIZED_EXT -5 /**< Unrecognised extension error */
#define BAD_HELLO -6 /**< badly formed Hello message error */
#define WRONG_MESSAGE -7 /**< Message out-of-order error */
#define MISSING_REQUEST_CONTEXT -8 /**< Request context missing error */
#define AUTHENTICATION_FAILURE -9 /**< Authentication error - AEAD Tag incorrect */
#define BAD_RECORD -10 /**< Badly formed Record received */
#define BAD_TICKET -11 /**< Badly formed Ticket received */
#define NOT_EXPECTED -12 /**< Received ack for something not requested */
#define CA_NOT_FOUND -13 /**< Certificate Authority not found */
#define CERT_OUTOFDATE -14 /**< Certificate Expired */
#define MEM_OVERFLOW -15 /**< Memory Overflow */
#define FORBIDDEN_EXTENSION -16 /**< Forbidden Encrypted Extension */
#define MAX_EXCEEDED -17 /**< Maximum record size exceeded */
#define EMPTY_CERT_CHAIN -18 /**< Empty Certificate Message */
#define SELF_SIGNED_CERT -20 /**< Self signed certificate */
#define TIME_OUT -21 /**< Time out */
#define ERROR_ALERT_RECEIVED -22 /**< Alert has been received */
#define BAD_MESSAGE -23 /**< Badly formed message */
#define CERT_VERIFY_FAIL -24 /**< Certificate Verification failure */
#define BAD_HANDSHAKE -26 /**< Could not agree */
#define BAD_REQUEST_UPDATE -27 /**< Bad Request Update value */
#define CLOSURE_ALERT_RECEIVED -28 /**< Alert has been received */
#define MISSING_EXTENSIONS -30 /**< Some mandatory extensions are missing */
// client alerts
#define ILLEGAL_PARAMETER 0x2F /**< Illegal parameter alert */
#define UNEXPECTED_MESSAGE 0x0A /**< Unexpected message alert */
#define DECRYPT_ERROR 0x33 /**< Decryption error alert */
#define BAD_CERTIFICATE 0x2A /**< Bad certificate alert */
#define UNSUPPORTED_EXTENSION 0x6E /**< Unsupported extension alert */
#define UNKNOWN_CA 0x30 /**< Unrecognised Certificate Authority */
#define CERTIFICATE_EXPIRED 0x2D /**< Certificate Expired */
#define PROTOCOL_VERSION 0x46 /**< Wrong TLS version */
#define DECODE_ERROR 0x32 /**< Decode error alert */
#define RECORD_OVERFLOW 0x16 /**< Record Overflow */
#define BAD_RECORD_MAC 0x14 /**< Bad Record Mac */
#define HANDSHAKE_FAILURE 0x28 /**< Could not agree */
#define CLOSE_NOTIFY 0x00 /**< Orderly shut down of connection */
#define MISSING_EXTENSION 0x6D; /**< Missing extension */
#define LOG_OUTPUT_TRUNCATION 256 /**< Output Hex digits before truncation */
#define TLS13_DISCONNECTED 0 /**< TLS1.3 Connection is broken */
#define TLS13_CONNECTED 1 /**< TLS1.3 Connection is made */
#define TLS13_HANDSHAKING 2 /**< TLS1.3 is handshaking */
// protocol returns..
#define TLS_FAILURE 0 /**< Failed to cmake TLS1.3 connection */
#define TLS_SUCCESS 1 /**< Succeeded in making TLS1.3 connection */
#define TLS_RESUMPTION_REQUIRED 2 /**< Connection succeeded, but handshake retry was needed */
#define TLS_EARLY_DATA_ACCEPTED 3 /**< Connection succeeded, and early data was accepted */
// PSK modes
#define PSK_NOT 0 /**< No PSK */
#define PSK_KEY 1 /**< Using PSK from database */
#define PSK_IBE 2 /**< Using IBE based PSK */
// Certificate types
#define X509_CERT 0 /**< X509 Certificate-based authentication */
#define RAW_PUBLIC_KEY 2 /**< Raw Public Key based authentication */
/**
* @brief function return structure */
typedef struct
{
unsign32 val; /**< return value */
int err; /**< error return */
} ret;
/**
* @brief server encrypted extensions expectations/responses */
typedef struct
{
bool early_data; /**< true if early data accepted */
bool alpn; /**< true if ALPN accepted */
bool server_name; /**< true if server name accepted */
bool max_frag_length; /**< true if max frag length respected */
} ee_status;
/**
* @brief crypto context structure */
typedef struct
{
bool active; /**< Indicates if encryption has been activated */
char k[TLS_MAX_KEY]; /**< AEAD cryptographic Key bytes */
char iv[12]; /**< AEAD cryptographic IV bytes */
octad K; /**< Key as octad */
octad IV; /**< IV as octad */
unsign32 record; /**< current record number - to be incremented */
int suite; /**< Cipher Suite */
int taglen; /**< Tag Length */
} crypto;
/**
* @brief ticket context structure */
typedef struct
{
bool valid; /**< Is ticket valid? */
char tick[TLS_MAX_TICKET_SIZE]; /**< Ticket bytes */
char nonce[256]; /**< nonce */
char psk[TLS_MAX_HASH]; /**< pre-shared key */
octad TICK; /**< Ticket or external PSK label as octad */
octad NONCE; /**< Nonce as octad */
octad PSK; /**< PSK as octad */
unsign32 age_obfuscator; /**< ticket age obfuscator - 0 for external PSK */
unsign32 max_early_data; /**< Maximum early data allowed for this ticket */
unsign32 birth; /**< Birth time of this ticket */
int lifetime; /**< ticket lifetime */
int cipher_suite; /**< Cipher suite used */
int favourite_group; /**< the server's favourite group */
int origin; /**< Origin of initial handshake - Full or PSK? */
} ticket;
/**
* @brief Universal Hash Function */
typedef struct
{
char state[TLS_MAX_HASH_STATE]; /**< hash function state */
int htype; /**< The hash type (typically SHA256) */
} unihash;
/**
* @brief TLS1.3 session state */
typedef struct
{
int status; /**< Connection status */
int max_record; /**< max record size I should send */
Socket *sockptr; /**< Pointer to socket */
char id[32]; /**< Session ID */
char hostname[TLS_MAX_SERVER_NAME]; /**< Server name for connection */
int cipher_suite; /**< agreed cipher suite */
int favourite_group; /**< favourite key exchange group - may be changed on handshake retry */
int server_cert_type; /**< server certificate type */
int client_cert_type; /**< client certificate type */
crypto K_send; /**< Sending Key */
crypto K_recv; /**< Receiving Key */
octad HS; /**< Handshake secret */
char hs[TLS_MAX_HASH]; /**< Handshake secret data */
octad RMS; /**< Resumption Master Secret */
char rms[TLS_MAX_HASH]; /**< Resumption Master Secret data */
octad STS; /**< Server Traffic secret */
char sts[TLS_MAX_HASH]; /**< Server Traffic secret data */
octad CTS; /**< Client Traffic secret */
char cts[TLS_MAX_HASH]; /**< Client Traffic secret data */
octad CTX; /**< Certificate Request Context */
char ctx[TLS_MAX_HASH]; /**< Certificate Request Context data */
octad IBUFF; /**< Main input buffer for this connection */
octad OBUFF; /**< output buffer for this connection */
#ifndef SHALLOW_STACK
char ibuff[TLS_MAX_IBUFF_SIZE]; /**< Byte array for main input buffer for this connection */
char obuff[TLS_MAX_OBUFF_SIZE]; /**< output buffer for this connection */
#endif
int ptr; /**< pointer into IBUFF buffer */
unihash tlshash; /**< Transcript hash recorder */
ticket T; /**< resumption ticket */
bool expect_heartbeats; /**< Expect to receive heartbeats */
bool allowed_to_heartbeat; /**< Am I allowed to heartbeat? */
bool heartbeat_req_in_flight; /**< timestamp on outstanding request, otherwise 0 */
} TLS_session;
// IBUFF buffer
// xxxxxxxxxxxxxxxxxxxxxxxxxxxyyyyyyyyyyyyyyyyyyyyyyyyyyy
// -------------ptr---------->----------IBUFF.len------->
//
// when ptr becomes equal to IBUFF.len, pull in another record (and maybe decrypt it)
#endif