585 lines
34 KiB
C
585 lines
34 KiB
C
/*
|
|
* JS update 14.04.2024
|
|
* Doplnene IDs pre algoritmy ML-KEM a ML-DSA
|
|
*/
|
|
|
|
/*
|
|
* JS update 29.02.2024
|
|
* Navysenie premennej TLS_X509_MAX_FIELD
|
|
* Zmeny premennych spojenych s PQ algoritmami (pre CRYPTO_SETTING == POST_QUANTUM)
|
|
* Pridana tabulka pre s velkostami verejnych a sukromnych klucov KEM protokolov a certifikatov, s velkostami sifrovanej spravy a certifikatov
|
|
* Navysenie poctu podporovanych KEM protokolov a algoritmov pre certifikaty
|
|
* Pridane ID pre nove PQ algoritmy
|
|
*/
|
|
|
|
/**
|
|
* @file tls1_3.h
|
|
* @author Mike Scott
|
|
* @brief Main TLS 1.3 Header File for constants and structures
|
|
*
|
|
*/
|
|
|
|
#ifndef TLS1_3_H
|
|
#define TLS1_3_H
|
|
|
|
#include <stdint.h>
|
|
#include "tls_octads.h"
|
|
#include "tls_sockets.h"
|
|
|
|
typedef uint8_t byte; /**< 8-bit unsigned integer */
|
|
typedef int8_t sign8 ; /**< 8-bit signed integer */
|
|
typedef int16_t sign16; /**< 16-bit signed integer */
|
|
typedef int32_t sign32; /**< 32-bit signed integer */
|
|
typedef int64_t sign64; /**< 64-bit signed integer */
|
|
typedef uint32_t unsign32 ; /**< 32-bit unsigned integer */
|
|
typedef uint64_t unsign64; /**< 64-bit unsigned integer */
|
|
|
|
// Terminal Output
|
|
#define IO_NONE 0 /**< Run silently */
|
|
#define IO_APPLICATION 1 /**< just print application traffic */
|
|
#define IO_PROTOCOL 2 /**< print protocol progress + application traffic */
|
|
#define IO_DEBUG 3 /**< print lots of debug information + protocol progress + application progress */
|
|
#define IO_WIRE 4 /**< print lots of debug information + protocol progress + application progress + bytes on the wire */
|
|
|
|
// // Supported CRYPTO_SETTINGs
|
|
#define TINY_ECC 1 /**< ECC keys only */
|
|
#define TYPICAL 2 /**< Mixture of RSA and ECC - for use with most standard web servers */
|
|
#define POST_QUANTUM 3 /**< Post quantum (Dilithium+Kyber?) */
|
|
#define HYBRID 4 /**< Hybrid, Kyber/Dilithium + X25519 */
|
|
#define EDDSA 0 /**< experimental EDDSA certificate chain used */
|
|
|
|
// Client Certificate Chain + Key
|
|
#define NOCERT 0 /**< Don't have a Client Cert */
|
|
#define RSA_SS 1 /**< self signed RSA cert */
|
|
#define ECC_SS 2 /**< self signed ECC cert */
|
|
#define DLT_SS 3 /**< self signed Dilithium cert */
|
|
#define HYB_SS 6 /**< self signed Hybrid cert (Dilithium+ECC) */
|
|
#define HW_1 4 /**< RP2040 1 Hardware cert */
|
|
#define HW_2 5 /**< RP2040 2 Hardware cert */
|
|
#define EDD_SS 7 /**< self signed Ed25519 cert */
|
|
|
|
// THESE ARE IMPORTANT USER DEFINED SETTINGS ***********************************
|
|
|
|
// Note that favourite group (as used in client hello) is determined by the SAL ordering - see tls_sal.cpp
|
|
// If server does not support it, an expensive Handshake Retry will be required
|
|
// So best to place a popular group (such as X25519) at top of list in SAL
|
|
|
|
#define VERBOSITY IO_APPLICATION /**< Set to level of output information desired - see above */
|
|
#define THIS_YEAR 2023 /**< Set to this year - crudely used to deprecate old certificates */
|
|
|
|
#define POST_HS_AUTH /**< Willing to do post handshake authentication */
|
|
#define CLIENT_CERT RSA_SS /**< Indicate capability of authenticating with a cert plus signing key */
|
|
|
|
#define CRYPTO_SETTING POST_QUANTUM /**< Determine Cryptography settings */
|
|
// Supported protocols
|
|
#define TLS_APPLICATION_PROTOCOL (char *)("http/1.1") /**< Support ALPN protocol */
|
|
#define ALLOW_SELF_SIGNED /**< allow self-signed server cert */
|
|
//#define NO_CERT_CHECKS /**< Don't do any checks on server certs - useful for Anvil testing */
|
|
#define TRY_EARLY_DATA /**< Try to send early data on resumptions */
|
|
|
|
//#define ENABLE_HEARTBEATS /**< Enable heartbeats */
|
|
//#define PEER_CAN_HEARTBEAT /**< Allow peer to heartbeat */
|
|
|
|
// Note that BUFF, Certificates and crypto keys can be quite large, and therefore maybe better taken from the heap
|
|
// on systems with a shallow stack. Define this to use the heap.
|
|
|
|
//#define SHALLOW_STACK /**< Get large arrays from heap, else stack */
|
|
|
|
// comment out if no max record size. In practise TLS1.3 doesn't seem to support this record_size_limit extension, so use with caution
|
|
// #define MAX_RECORD 1024 /**< Maximum record size client is willing to receive - should be less than TLS_MAX_IBUFF_SIZE below */
|
|
// Note that if this is not used, max_fragment_size extension is tried instead, see TLS_MAX_FRAG below
|
|
|
|
// define this so that all encrypted records are padded with 0s to full length
|
|
// #define PAD_SHORT_RECORDS /**< Pad short output records */
|
|
|
|
//#define PREFER_RAW_SERVER_PUBLIC_KEY /**< Would be happy with raw public key from server */
|
|
//#define PREFER_RAW_CLIENT_PUBLIC_KEY /**< Would prefer server to accept raw public key from client */
|
|
|
|
// may need to undefine this for fuzzing
|
|
#define MERGE_MESSAGES /**< allow merging of messages into single record */
|
|
|
|
// *****************************************************************************
|
|
|
|
|
|
// Standard Hash Types
|
|
|
|
#define TLS_SHA256_T 1 /**< SHA256 hash */
|
|
#define TLS_SHA384_T 2 /**< SHA384 hash */
|
|
#define TLS_SHA512_T 3 /**< SHA512 hash */
|
|
|
|
// Some maximum sizes for stack allocated memory. Handshake will fail if these sizes are exceeded!
|
|
|
|
#define TLS_MAX_HASH_STATE 768 /**< Maximum memory required to store hash function state */
|
|
#define TLS_MAX_HASH 64 /**< Maximum hash output length in bytes */
|
|
#define TLS_MAX_KEY 32 /**< Maximum key length in bytes */
|
|
|
|
// JS zvysena hodnota kvoli CA SPHINCS+-SHAKE-128f-simple v subore tls_cacerts - "maximum size for CA root signed certs in base64"
|
|
#define TLS_X509_MAX_FIELD 30000 /**< Maximum X.509 field size */
|
|
#define TLS_MAX_EXT_LABEL 256 /**< Max external psk label size */
|
|
|
|
// Max Frag length must be less than TLS_MAX_IBUFF_SIZE
|
|
#define TLS_MAX_FRAG 2 /**< Max Fragment length desired - 1 for 512, 2 for 1024, 3 for 2048, 4 for 4096, 0 for 16384 */
|
|
|
|
#if CRYPTO_SETTING==TYPICAL
|
|
#define TLS_MAX_IBUFF_SIZE (16384+256) /**< Maximum Input/Output buffer size. We will want to reduce this as much as possible! But must be large enough to take full certificate chain */
|
|
#define TLS_MAX_PLAIN_FRAG 16384 /**< Max Plaintext Fragment size */
|
|
#define TLS_MAX_CIPHER_FRAG (16384+256) /**< Max Ciphertext Fragment size */
|
|
|
|
#define TLS_MAX_CERT_SIZE 2048 /**< I checked - current max for root CAs is 2016 */
|
|
#define TLS_MAX_CERT_B64 2800 /**< In base64 - current max for root CAs is 2688 */
|
|
#define TLS_MAX_HELLO 1024 /**< Max client hello size (less extensions) KEX public key is largest component */
|
|
|
|
#define TLS_MAX_SIG_PUB_KEY_SIZE 512 /**< Max signature public key size in bytes 4096-bit RSA */
|
|
#define TLS_MAX_SIG_SECRET_KEY_SIZE 1280 /**< Max signature private key size in bytes 4096-bit RSA */
|
|
#define TLS_MAX_SIGNATURE_SIZE 512 /**< Max digital signature size in bytes 4096-bit RSA */
|
|
#define TLS_MAX_KEX_PUB_KEY_SIZE 97 /**< Max key exchange public key size in bytes 384-bit ECC */
|
|
#define TLS_MAX_KEX_CIPHERTEXT_SIZE 97 /**< Max key exchange (KEM) ciphertext size 384-bit ECC */
|
|
#define TLS_MAX_KEX_SECRET_KEY_SIZE 48 /**< Max key exchange private key size in bytes 384-bit ECC */
|
|
#endif
|
|
|
|
|
|
/*
|
|
JS
|
|
15.04.2024
|
|
|
|
KEX algorithms
|
|
https://openquantumsafe.org/liboqs/algorithms/
|
|
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
|
|
| Algorithm | Kyber512 | Kyber768 | Kyber1024 | BIKE-L1 | BIKE-L3 | BIKE-L5 | HQC-128 | HQC-192 | HQC-256 | FrodoKEM-640-AES | FrodoKEM-640-SHAKE | FrodoKEM-976-AES | FrodoKEM-976-SHAKE | FrodoKEM-1344-AES | FrodoKEM-1344-SHAKE |
|
|
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
|
|
| Public key size | 800 | 1184 | 1568 | 1541 | 3083 | 5122 | 2249 | 4522 | 7245 | 9616 | 9616 | 15632 | 15632 | 21520 | 21520 |
|
|
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
|
|
| Secret key size | 1632 | 2400 | 3168 | 5223 | 10105 | 16494 | 2289 | 4562 | 7285 | 19888 | 19888 | 31296 | 31296 | 43088 | 43088 |
|
|
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
|
|
| Ciphertext size | 768 | 1088 | 1568 | 1573 | 3115 | 5154 | 4481 | 9026 | 14469 | 9720 | 9720 | 15744 | 15744 | 21632 | 21632 |
|
|
+-----------------+----------+----------+-----------+---------+---------+---------+---------+---------+---------+------------------+--------------------+------------------+--------------------+-------------------+---------------------+
|
|
*BIKE nie je dostupny na Windowse
|
|
ML-KEM - rovnaký ako KYBER
|
|
+-----------------+-----------+-----------+------------+
|
|
| Algorithm | ML-KEM512 | ML-KEM768 | ML-KEM1024 |
|
|
+-----------------+-----------+-----------+------------+
|
|
| Public key size | 800 | 1184 | 1568 |
|
|
+-----------------+-----------+-----------+------------+
|
|
| Secret key size | 1632 | 2400 | 3168 |
|
|
+-----------------+-----------+-----------+------------+
|
|
| Ciphertext size | 768 | 1088 | 1568 |
|
|
+-----------------+-----------+-----------+------------+
|
|
|
|
|
|
|
|
Signature algorithms
|
|
https://openquantumsafe.org/liboqs/algorithms/
|
|
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
|
|
| Algorithm | DILITHIUM2 | DILITHIUM3 | DILITHIUM5 | FALCON512 | FALCON1024 | SPHINCS+-SHA2-128f-simple | SPHINCS+-SHA2-128s-simple | SPHINCS+-SHAKE-128f-simple |
|
|
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
|
|
| Public key size | 1312 | 1952 | 2592 | 897 | 1793 | 32 | 32 | 32 |
|
|
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
|
|
| Secret key size | 2528 | 4000 | 4864 | 1281 | 2305 | 64 | 64 | 64 |
|
|
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
|
|
| Signature size | 2420 | 3293 | 4595 | 666 | 1280 | 17088 | 7856 | 17088 |
|
|
+-----------------+------------+------------+------------+-----------+------------+---------------------------+---------------------------+----------------------------+
|
|
ML-DSA - rovnaký ako DILITHIUM
|
|
+-----------------+-----------+-----------+------------+
|
|
| Algorithm | ML-DSA44 | ML-DSA65 | ML-DSA87 |
|
|
+-----------------+-----------+-----------+------------+
|
|
| Public key size | 1312 | 1952 | 2592 |
|
|
+-----------------+-----------+-----------+------------+
|
|
| Secret key size | 2528 | 4000 | 4864 |
|
|
+-----------------+-----------+-----------+------------+
|
|
| Ciphertext size | 2420 | 3293 | 4595 |
|
|
+-----------------+-----------+-----------+------------+
|
|
|
|
*/
|
|
|
|
#if CRYPTO_SETTING == POST_QUANTUM
|
|
|
|
// JS MAX_IBUFF_SIZE zmeneny na 52295 kvoli SPHINCS_SHAKE_128F_SIMPLE, najvacsi vygenerovany certchain
|
|
#define TLS_MAX_IBUFF_SIZE (52295) /**< Maximum Input/Output buffer size. We will want to reduce this as much as possible! But must be large enough to take full certificate chain */
|
|
#define TLS_MAX_PLAIN_FRAG 16384 /**< Max Plaintext Fragment size */
|
|
#define TLS_MAX_CIPHER_FRAG (16384+256) /**< Max Ciphertext Fragment size */
|
|
|
|
#define TLS_MAX_CERT_SIZE 6144 /**< I checked - current max for root CAs is 2016 - but would be much bigger for Dilithium!*/
|
|
#define TLS_MAX_CERT_B64 8192 /**< In base64 - current max for root CAs is 2688 */
|
|
#define TLS_MAX_HELLO 2048 /**< Max client hello size (less extensions) KEX public key is largest component */
|
|
|
|
// JS zmenene na zaklade PQ algoritmov
|
|
#define TLS_MAX_SIG_PUB_KEY_SIZE 2592 /**< Max signature public key size in bytes */ // Najvacsi je DILITHIUM5
|
|
#define TLS_MAX_SIG_SECRET_KEY_SIZE 4864 /**< Max signature private key size in bytes */ // Najvacsi je DILITHIUM5
|
|
#define TLS_MAX_SIGNATURE_SIZE 17088 /**< Max signature size in bytes */ // Najvacsi je SPHINCS+-SHA2-128f-simple alebo SPHINCS+-SHAKE-128f-simple
|
|
|
|
// JS zmenene na zaklade PQ algoritmov
|
|
#define TLS_MAX_KEX_PUB_KEY_SIZE 21520 // Najvacsi je FrodoKEM-1344-SHAKE
|
|
#define TLS_MAX_KEX_CIPHERTEXT_SIZE 21632 // Najvacsi je FrodoKEM-1344-SHAKE
|
|
#define TLS_MAX_KEX_SECRET_KEY_SIZE 43088 // Najvacsi je FrodoKEM-1344-SHAKE
|
|
#endif
|
|
|
|
|
|
#if CRYPTO_SETTING == HYBRID
|
|
|
|
#define TLS_MAX_IBUFF_SIZE (16384+256) /**< Maximum Input/Output buffer size. We will want to reduce this as much as possible! But must be large enough to take full certificate chain */
|
|
#define TLS_MAX_PLAIN_FRAG 16384 /**< Max Plaintext Fragment size */
|
|
#define TLS_MAX_CIPHER_FRAG (16384+256) /**< Max Ciphertext Fragment size */
|
|
|
|
#define TLS_MAX_CERT_SIZE 6144 /**< I checked - current max for root CAs is 2016 - but would be much bigger for Dilithium!*/
|
|
#define TLS_MAX_CERT_B64 8192 /**< In base64 - current max for root CAs is 2688 */
|
|
#define TLS_MAX_HELLO 2048 /**< Max client hello size (less extensions) KEX public key is largest component */
|
|
|
|
// These all blow up post quantum
|
|
#define TLS_MAX_SIG_PUB_KEY_SIZE 1312+65 /**< Max signature public key size in bytes DILITHIUM2 + P256 */
|
|
#define TLS_MAX_SIG_SECRET_KEY_SIZE 2528+200 /**< Max signature private key size in bytes DILITHIUM2 + P256 (maybe includes the public key?) */
|
|
#define TLS_MAX_SIGNATURE_SIZE 2420+100 /**< Max signature size in bytes DILITHIUM2 + P256 (DER encoding for ECC sig) */
|
|
#define TLS_MAX_KEX_PUB_KEY_SIZE 1184+32 /**< Max key exchange public key size in bytes KYBER768+X25519 */
|
|
#define TLS_MAX_KEX_CIPHERTEXT_SIZE 1088+32 /**< Max key exchange (KEM) ciphertext size KYBER768+X25519 */
|
|
#define TLS_MAX_KEX_SECRET_KEY_SIZE 2400+32 /**< Max key exchange private key size in bytes KYBER768+X25519 */
|
|
#endif
|
|
|
|
#if CRYPTO_SETTING==TINY_ECC || CRYPTO_SETTING==EDDSA
|
|
#define TLS_MAX_IBUFF_SIZE (4096+256) /**< Maximum Input/Output buffer size. We will want to reduce this as much as possible! But must be large enough to take full certificate chain */
|
|
#define TLS_MAX_PLAIN_FRAG 4096 /**< Max Plaintext Fragment size */
|
|
#define TLS_MAX_CIPHER_FRAG (4096+256) /**< Max Ciphertext Fragment size */
|
|
|
|
#define TLS_MAX_CERT_SIZE 2048 /**< I checked - current max for root CAs is 2016 */
|
|
#define TLS_MAX_CERT_B64 2800 /**< In base64 - current max for root CAs is 2688 */
|
|
#define TLS_MAX_HELLO 1024 /**< Max client hello size (less extensions) KEX public key is largest component */
|
|
|
|
#define TLS_MAX_SIG_PUB_KEY_SIZE 133 /**< Max signature public key size in bytes ECC */
|
|
#define TLS_MAX_SIG_SECRET_KEY_SIZE 66 /**< Max signature private key size in bytes ECC */
|
|
#define TLS_MAX_SIGNATURE_SIZE 132 /**< Max signature size in bytes ECC */
|
|
#define TLS_MAX_KEX_PUB_KEY_SIZE 97 /**< Max key exchange public key size in bytes ECC */
|
|
#define TLS_MAX_KEX_CIPHERTEXT_SIZE 97 /**< Max key exchange (KEM) ciphertext size ECC */
|
|
#define TLS_MAX_KEX_SECRET_KEY_SIZE 48 /**< Max key exchange private key size in bytes ECC */
|
|
#endif
|
|
|
|
// Certificate size limits
|
|
#define TLS_MAX_SERVER_CHAIN_LEN 2 /**< Maximum Server Certificate chain length - omitting root CA */
|
|
#define TLS_MAX_SERVER_CHAIN_SIZE (TLS_MAX_SERVER_CHAIN_LEN*TLS_MAX_CERT_SIZE) /**< Maximum Server Certificate chain length in bytes */
|
|
#define TLS_MAX_CLIENT_CHAIN_LEN 1 /**< Maximum Client Certificate chain length - one self signed here */
|
|
#define TLS_MAX_CLIENT_CHAIN_SIZE (TLS_MAX_CLIENT_CHAIN_LEN*TLS_MAX_CERT_SIZE) /**< Maximum Client Certificate chain length in bytes */
|
|
|
|
#define TLS_MAX_SHARED_SECRET_SIZE 256 /**< Max key exchange Shared secret size */
|
|
|
|
// Both of these are bumped up by PQ IBE and Hybrid
|
|
#define TLS_MAX_TICKET_SIZE 4196 /**< maximum resumption ticket size - beware some servers send much bigger tickets! */
|
|
#define TLS_MAX_EXTENSIONS 61440 /**< Max extensions size */ // add 0 at the end, after hqc256 unable to perform
|
|
|
|
#define TLS_MAX_ECC_FIELD 66 /**< Max ECC field size in bytes */
|
|
#define TLS_MAX_IV_SIZE 12 /**< Max IV size in bytes */
|
|
#define TLS_MAX_TAG_SIZE 16 /**< Max HMAC tag length in bytes */
|
|
#define TLS_MAX_COOKIE 128 /**< Max Cookie size */
|
|
|
|
#define TLS_MAX_OUTPUT_RECORD_SIZE 1024 /**< Max output record size */
|
|
#define TLS_MAX_OBUFF_SIZE (TLS_MAX_OUTPUT_RECORD_SIZE+TLS_MAX_TAG_SIZE+6) /**< Max output buffer size */
|
|
|
|
#define TLS_MAX_SERVER_NAME 128 /**< Max server name size in bytes */
|
|
|
|
// JS zvyseny maximalny pocet podporovanych KEX/KEM a DSA
|
|
#define TLS_MAX_SUPPORTED_GROUPS 18 /**< Max number of supported crypto groups */
|
|
#define TLS_MAX_SUPPORTED_SIGS 17 /**< Max number of supported signature schemes */
|
|
|
|
#define TLS_MAX_PSK_MODES 2 /**< Max preshared key modes */
|
|
#define TLS_MAX_CIPHER_SUITES 5 /**< Max number of supported cipher suites */
|
|
|
|
// Cipher Suites
|
|
#define TLS_AES_128_GCM_SHA256 0x1301 /**< AES128/SHA256/GCM cipher suite - this is only one which MUST be implemented */
|
|
#define TLS_AES_256_GCM_SHA384 0x1302 /**< AES256/SHA384/GCM cipher suite */
|
|
#define TLS_CHACHA20_POLY1305_SHA256 0x1303 /**< CHACHA20/SHA256/POLY1305 cipher suite */
|
|
#define TLS_AES_128_CCM_SHA256 0x1304 /**< AES/SHA256/CCM cipher suite - optional */
|
|
#define TLS_AES_128_CCM_8_SHA256 0x1305 /**< AES/SHA256/CCM 8 cipher suite - optional */
|
|
|
|
// Key exchange groups
|
|
#define X25519 0x001d /**< X25519 elliptic curve key exchange */
|
|
#define SECP256R1 0x0017 /**< NIST SECP256R1 elliptic curve key exchange */
|
|
#define SECP384R1 0x0018 /**< NIST SECP384R1 elliptic curve key exchange */
|
|
#define SECP521R1 0x0019 /**< NIST SECP521R1 elliptic curve key exchange */
|
|
#define X448 0x001e /**< X448 elliptic curve key exchange */
|
|
|
|
// JS pridane ID pre PQ algoritmy
|
|
// Ide o experimentalne ID, zalozene na zaklade oqsprovidera 0.5.3 https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md#oids (29.02.2024)
|
|
// Ine aplikacie mozu pouzivat rozdielne ID - napr. HQC protokol funguje pri pouziti openssl s_server ale nie je kompatibilny s test serverom https://test.openquantumsafe.org/
|
|
// V pripade standardizacie moze prist k zmene ID
|
|
#define KYBER512 0x023A
|
|
#define KYBER768 0x023C /**< Kyber PQ key exchange - NOTE I just made this up! Not generally recognised! */ // POZNAMKA - liboqs 0x023C (povodne 0x4242)
|
|
#define KYBER1024 0x023D
|
|
#define MLKEM512 0x0247
|
|
#define MLKEM768 0x0248
|
|
#define MLKEM1024 0x0249
|
|
#define BIKEL1 0x0241
|
|
#define BIKEL3 0x0242
|
|
#define BIKEL5 0x0243
|
|
#define HQC128 0x0244
|
|
#define HQC192 0x0245
|
|
#define HQC256 0x0246
|
|
#define FRODO640AES 0x0200
|
|
#define FRODO640SHAKE 0x0201
|
|
#define FRODO976AES 0x0202
|
|
#define FRODO976SHAKE 0x0203
|
|
#define FRODO1344AES 0x0204
|
|
#define FRODO1344SHAKE 0x0205
|
|
#define HYBRID_KX 0x421d /**< Hybrid key exchange, Kyber+X25519 */
|
|
|
|
// Signature algorithms for TLS1.3 and Certs that we can handle
|
|
#define ECDSA_SECP256R1_SHA256 0x0403 /**< Supported ECDSA Signature algorithm */
|
|
#define ECDSA_SECP256R1_SHA384 0x0413 /**< Non-standard ECDSA Signature algorithm */
|
|
#define ECDSA_SECP384R1_SHA384 0x0503 /**< Supported ECDSA Signature algorithm */
|
|
#define RSA_PSS_RSAE_SHA256 0x0804 /**< Supported RSA Signature algorithm */
|
|
#define RSA_PSS_RSAE_SHA384 0x0805 /**< Supported RSA Signature algorithm */
|
|
#define RSA_PSS_RSAE_SHA512 0x0806 /**< Supported RSA Signature algorithm */
|
|
#define RSA_PKCS1_SHA256 0x0401 /**< Supported RSA Signature algorithm */
|
|
#define RSA_PKCS1_SHA384 0x0501 /**< Supported RSA Signature algorithm */
|
|
#define RSA_PKCS1_SHA512 0x0601 /**< Supported RSA Signature algorithm */
|
|
#define ED25519 0x0807 /**< Ed25519 EdDSA Signature algorithm */
|
|
#define ED448 0x0808 /**< Ed448 EdDSA Signature algorithm */
|
|
|
|
// JS pridane ID pre PQ algoritmy
|
|
// Ide o experimentalne ID, zalozene na zaklade oqsprovidera 0.6.0 https://github.com/open-quantum-safe/oqs-provider/blob/0.6.0/ALGORITHMS.md (15.04.2024)
|
|
// Ine aplikacie mozu pouzivat rozdielne ID
|
|
// V pripade standardizacie moze prist k zmene ID
|
|
#define DILITHIUM2 0xfea0
|
|
#define DILITHIUM3 0xfea3
|
|
#define DILITHIUM5 0xfea5
|
|
|
|
#define MLDSA44 0xfed0
|
|
#define MLDSA65 0xfed1
|
|
#define MLDSA87 0xfed2
|
|
|
|
#define FALCON512 0xfed7
|
|
#define FALCON1024 0xfeda
|
|
#define SPHINCSSHA2128FSIMPLE 0xfeb3
|
|
#define SPHINCSSHA2128SSIMPLE 0xfeb6
|
|
#define SPHINCSSHAKE128FSIMPLE 0xfec2
|
|
#define SPHINCSSHA2192FSIMPLE 0xfeb9
|
|
|
|
#define DILITHIUM2_P256 0x09F2 /**< Dilithium2+SECP256R1 Signature algorithms - this type can be negotiated, but always implemented seperately by SAL */
|
|
|
|
// pre-shared Key (PSK) modes
|
|
#define PSKOK 0x00 /**< Preshared Key only mode */
|
|
#define PSKWECDHE 0x01 /**< Preshared Key with Diffie-Hellman key exchange mode */
|
|
|
|
// ticket origin
|
|
#define TLS_FULL_HANDSHAKE 1 /**< Came from Full Handshake */
|
|
#define TLS_EXTERNAL_PSK 2 /**< External Pre-Shared Key */
|
|
|
|
// TLS versions
|
|
#define TLS1_0 0x0301 /**< TLS 1.0 version */
|
|
#define TLS1_2 0x0303 /**< TLS 1.2 version */
|
|
#define TLS1_3 0x0304 /**< TLS 1.3 version */
|
|
|
|
#define TLS13_UPDATE_NOT_REQUESTED 0 /**< Updating my keys */
|
|
#define TLS13_UPDATE_REQUESTED 1 /**< Updating my keys and telling you to update yours */
|
|
|
|
// Extensions
|
|
#define SERVER_NAME 0x0000 /**< Server Name extension */
|
|
#define SUPPORTED_GROUPS 0x000a /**< Supported Group extension */
|
|
#define SIG_ALGS 0x000d /**< Signature algorithms extension */
|
|
#define POST_HANDSHAKE_AUTH 0x0031 /**< Post Handshake Authentication */
|
|
#define SIG_ALGS_CERT 0x0032 /**< Signature algorithms Certificate extension */
|
|
#define KEY_SHARE 0x0033 /**< Key Share extension */
|
|
#define PSK_MODE 0x002d /**< Preshared key mode extension */
|
|
#define PRESHARED_KEY 0x0029 /**< Preshared key extension */
|
|
#define TLS_VER 0x002b /**< TLS version extension */
|
|
#define COOKIE 0x002c /**< Cookie extension */
|
|
#define EARLY_DATA 0x002a /**< Early Data extension */
|
|
#define MAX_FRAG_LENGTH 0x0001 /**< max fragmentation length extension */
|
|
#define PADDING 0x0015 /**< Padding extension */
|
|
#define APP_PROTOCOL 0x0010 /**< Application Layer Protocol Negotiation (ALPN) */
|
|
#define RECORD_SIZE_LIMIT 0x001c /**< Record Size Limit */
|
|
#define CLIENT_CERT_TYPE 0x0013 /**< Client Certificate type */
|
|
#define SERVER_CERT_TYPE 0x0014 /**< Server Certificate type */
|
|
#define HEARTBEAT 0x000f /**< Heartbeat */
|
|
#define CERT_AUTHORITIES 0x002f /**< Certificate Authorities */
|
|
|
|
// record types
|
|
#define HSHAKE 0x16 /**< Handshake record */
|
|
#define APPLICATION 0x17 /**< Application record */
|
|
#define ALERT 0x15 /**< Alert record */
|
|
#define CHANGE_CIPHER 0x14 /**< Change Cipher record */
|
|
#define HEART_BEAT 0x18 /**< Heart Beat Record */
|
|
// pseudo record types
|
|
#define TIMED_OUT 0x01 /**< Time-out */
|
|
|
|
// message types
|
|
#define CLIENT_HELLO 0x01 /**< Client Hello message */
|
|
#define SERVER_HELLO 0x02 /**< Server Hello message */
|
|
#define CERTIFICATE 0x0b /**< Certificate message */
|
|
#define CERT_REQUEST 0x0d /**< Certificate Request */
|
|
#define CERT_VERIFY 0x0f /**< Certificate Verify message */
|
|
#define FINISHED 0x14 /**< Handshake Finished message */
|
|
#define ENCRYPTED_EXTENSIONS 0x08 /**< Encrypted Extensions message */
|
|
#define TICKET 0x04 /**< Ticket message */
|
|
#define KEY_UPDATE 0x18 /**< Key Update message */
|
|
#define MESSAGE_HASH 0xFE /**< Special synthetic message hash message */
|
|
#define END_OF_EARLY_DATA 0x05 /**< End of Early Data message */
|
|
// pseudo message types
|
|
#define HANDSHAKE_RETRY 0x102 /**< Handshake retry */
|
|
|
|
// Causes of server error - which should generate a client alert
|
|
#define NOT_TLS1_3 -2 /**< Wrong version error, not TLS1.3 */
|
|
#define BAD_CERT_CHAIN -3 /**< Bad Certificate Chain error */
|
|
#define ID_MISMATCH -4 /**< Session ID mismatch error */
|
|
#define UNRECOGNIZED_EXT -5 /**< Unrecognised extension error */
|
|
#define BAD_HELLO -6 /**< badly formed Hello message error */
|
|
#define WRONG_MESSAGE -7 /**< Message out-of-order error */
|
|
#define MISSING_REQUEST_CONTEXT -8 /**< Request context missing error */
|
|
#define AUTHENTICATION_FAILURE -9 /**< Authentication error - AEAD Tag incorrect */
|
|
#define BAD_RECORD -10 /**< Badly formed Record received */
|
|
#define BAD_TICKET -11 /**< Badly formed Ticket received */
|
|
#define NOT_EXPECTED -12 /**< Received ack for something not requested */
|
|
#define CA_NOT_FOUND -13 /**< Certificate Authority not found */
|
|
#define CERT_OUTOFDATE -14 /**< Certificate Expired */
|
|
#define MEM_OVERFLOW -15 /**< Memory Overflow */
|
|
#define FORBIDDEN_EXTENSION -16 /**< Forbidden Encrypted Extension */
|
|
#define MAX_EXCEEDED -17 /**< Maximum record size exceeded */
|
|
#define EMPTY_CERT_CHAIN -18 /**< Empty Certificate Message */
|
|
#define SELF_SIGNED_CERT -20 /**< Self signed certificate */
|
|
#define TIME_OUT -21 /**< Time out */
|
|
#define ERROR_ALERT_RECEIVED -22 /**< Alert has been received */
|
|
#define BAD_MESSAGE -23 /**< Badly formed message */
|
|
#define CERT_VERIFY_FAIL -24 /**< Certificate Verification failure */
|
|
#define BAD_HANDSHAKE -26 /**< Could not agree */
|
|
#define BAD_REQUEST_UPDATE -27 /**< Bad Request Update value */
|
|
#define CLOSURE_ALERT_RECEIVED -28 /**< Alert has been received */
|
|
#define MISSING_EXTENSIONS -30 /**< Some mandatory extensions are missing */
|
|
// client alerts
|
|
#define ILLEGAL_PARAMETER 0x2F /**< Illegal parameter alert */
|
|
#define UNEXPECTED_MESSAGE 0x0A /**< Unexpected message alert */
|
|
#define DECRYPT_ERROR 0x33 /**< Decryption error alert */
|
|
#define BAD_CERTIFICATE 0x2A /**< Bad certificate alert */
|
|
#define UNSUPPORTED_EXTENSION 0x6E /**< Unsupported extension alert */
|
|
#define UNKNOWN_CA 0x30 /**< Unrecognised Certificate Authority */
|
|
#define CERTIFICATE_EXPIRED 0x2D /**< Certificate Expired */
|
|
#define PROTOCOL_VERSION 0x46 /**< Wrong TLS version */
|
|
#define DECODE_ERROR 0x32 /**< Decode error alert */
|
|
#define RECORD_OVERFLOW 0x16 /**< Record Overflow */
|
|
#define BAD_RECORD_MAC 0x14 /**< Bad Record Mac */
|
|
#define HANDSHAKE_FAILURE 0x28 /**< Could not agree */
|
|
#define CLOSE_NOTIFY 0x00 /**< Orderly shut down of connection */
|
|
#define MISSING_EXTENSION 0x6D; /**< Missing extension */
|
|
|
|
#define LOG_OUTPUT_TRUNCATION 256 /**< Output Hex digits before truncation */
|
|
|
|
#define TLS13_DISCONNECTED 0 /**< TLS1.3 Connection is broken */
|
|
#define TLS13_CONNECTED 1 /**< TLS1.3 Connection is made */
|
|
#define TLS13_HANDSHAKING 2 /**< TLS1.3 is handshaking */
|
|
|
|
// protocol returns..
|
|
#define TLS_FAILURE 0 /**< Failed to cmake TLS1.3 connection */
|
|
#define TLS_SUCCESS 1 /**< Succeeded in making TLS1.3 connection */
|
|
#define TLS_RESUMPTION_REQUIRED 2 /**< Connection succeeded, but handshake retry was needed */
|
|
#define TLS_EARLY_DATA_ACCEPTED 3 /**< Connection succeeded, and early data was accepted */
|
|
|
|
// PSK modes
|
|
#define PSK_NOT 0 /**< No PSK */
|
|
#define PSK_KEY 1 /**< Using PSK from database */
|
|
#define PSK_IBE 2 /**< Using IBE based PSK */
|
|
|
|
// Certificate types
|
|
#define X509_CERT 0 /**< X509 Certificate-based authentication */
|
|
#define RAW_PUBLIC_KEY 2 /**< Raw Public Key based authentication */
|
|
|
|
/**
|
|
* @brief function return structure */
|
|
typedef struct
|
|
{
|
|
unsign32 val; /**< return value */
|
|
int err; /**< error return */
|
|
} ret;
|
|
|
|
/**
|
|
* @brief server encrypted extensions expectations/responses */
|
|
typedef struct
|
|
{
|
|
bool early_data; /**< true if early data accepted */
|
|
bool alpn; /**< true if ALPN accepted */
|
|
bool server_name; /**< true if server name accepted */
|
|
bool max_frag_length; /**< true if max frag length respected */
|
|
} ee_status;
|
|
|
|
/**
|
|
* @brief crypto context structure */
|
|
typedef struct
|
|
{
|
|
bool active; /**< Indicates if encryption has been activated */
|
|
char k[TLS_MAX_KEY]; /**< AEAD cryptographic Key bytes */
|
|
char iv[12]; /**< AEAD cryptographic IV bytes */
|
|
octad K; /**< Key as octad */
|
|
octad IV; /**< IV as octad */
|
|
unsign32 record; /**< current record number - to be incremented */
|
|
int suite; /**< Cipher Suite */
|
|
int taglen; /**< Tag Length */
|
|
} crypto;
|
|
|
|
/**
|
|
* @brief ticket context structure */
|
|
typedef struct
|
|
{
|
|
bool valid; /**< Is ticket valid? */
|
|
char tick[TLS_MAX_TICKET_SIZE]; /**< Ticket bytes */
|
|
char nonce[256]; /**< nonce */
|
|
char psk[TLS_MAX_HASH]; /**< pre-shared key */
|
|
octad TICK; /**< Ticket or external PSK label as octad */
|
|
octad NONCE; /**< Nonce as octad */
|
|
octad PSK; /**< PSK as octad */
|
|
unsign32 age_obfuscator; /**< ticket age obfuscator - 0 for external PSK */
|
|
unsign32 max_early_data; /**< Maximum early data allowed for this ticket */
|
|
unsign32 birth; /**< Birth time of this ticket */
|
|
int lifetime; /**< ticket lifetime */
|
|
int cipher_suite; /**< Cipher suite used */
|
|
int favourite_group; /**< the server's favourite group */
|
|
int origin; /**< Origin of initial handshake - Full or PSK? */
|
|
} ticket;
|
|
|
|
/**
|
|
* @brief Universal Hash Function */
|
|
typedef struct
|
|
{
|
|
char state[TLS_MAX_HASH_STATE]; /**< hash function state */
|
|
int htype; /**< The hash type (typically SHA256) */
|
|
} unihash;
|
|
|
|
/**
|
|
* @brief TLS1.3 session state */
|
|
typedef struct
|
|
{
|
|
int status; /**< Connection status */
|
|
int max_record; /**< max record size I should send */
|
|
Socket *sockptr; /**< Pointer to socket */
|
|
char id[32]; /**< Session ID */
|
|
char hostname[TLS_MAX_SERVER_NAME]; /**< Server name for connection */
|
|
int cipher_suite; /**< agreed cipher suite */
|
|
int favourite_group; /**< favourite key exchange group - may be changed on handshake retry */
|
|
int server_cert_type; /**< server certificate type */
|
|
int client_cert_type; /**< client certificate type */
|
|
crypto K_send; /**< Sending Key */
|
|
crypto K_recv; /**< Receiving Key */
|
|
octad HS; /**< Handshake secret */
|
|
char hs[TLS_MAX_HASH]; /**< Handshake secret data */
|
|
octad RMS; /**< Resumption Master Secret */
|
|
char rms[TLS_MAX_HASH]; /**< Resumption Master Secret data */
|
|
octad STS; /**< Server Traffic secret */
|
|
char sts[TLS_MAX_HASH]; /**< Server Traffic secret data */
|
|
octad CTS; /**< Client Traffic secret */
|
|
char cts[TLS_MAX_HASH]; /**< Client Traffic secret data */
|
|
octad CTX; /**< Certificate Request Context */
|
|
char ctx[TLS_MAX_HASH]; /**< Certificate Request Context data */
|
|
octad IBUFF; /**< Main input buffer for this connection */
|
|
octad OBUFF; /**< output buffer for this connection */
|
|
#ifndef SHALLOW_STACK
|
|
char ibuff[TLS_MAX_IBUFF_SIZE]; /**< Byte array for main input buffer for this connection */
|
|
char obuff[TLS_MAX_OBUFF_SIZE]; /**< output buffer for this connection */
|
|
#endif
|
|
int ptr; /**< pointer into IBUFF buffer */
|
|
unihash tlshash; /**< Transcript hash recorder */
|
|
ticket T; /**< resumption ticket */
|
|
bool expect_heartbeats; /**< Expect to receive heartbeats */
|
|
bool allowed_to_heartbeat; /**< Am I allowed to heartbeat? */
|
|
bool heartbeat_req_in_flight; /**< timestamp on outstanding request, otherwise 0 */
|
|
} TLS_session;
|
|
|
|
// IBUFF buffer
|
|
// xxxxxxxxxxxxxxxxxxxxxxxxxxxyyyyyyyyyyyyyyyyyyyyyyyyyyy
|
|
// -------------ptr---------->----------IBUFF.len------->
|
|
//
|
|
// when ptr becomes equal to IBUFF.len, pull in another record (and maybe decrypt it)
|
|
|
|
#endif
|