ell/tls.h - pub/scm/libs/ell/ell - Git at Google

 /*
  *  Embedded Linux library
  *
  *  Copyright (C) 2015  Intel Corporation. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
  *  License as published by the Free Software Foundation; either
  *  version 2.1 of the License, or (at your option) any later version.
  *
  *  This library is distributed in the hope that it will be useful,
  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  *  Lesser General Public License for more details.
  *
  *  You should have received a copy of the GNU Lesser General Public
  *  License along with this library; if not, write to the Free Software
  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  */

 #ifndef __ELL_TLS_H
 #define __ELL_TLS_H

 #ifdef __cplusplus
 extern "C" {
 #endif

 enum l_tls_version {
 	L_TLS_V10 = ((3 << 8) | 1),
 	L_TLS_V11 = ((3 << 8) | 2),
 	L_TLS_V12 = ((3 << 8) | 3),
 	L_TLS_V13 = ((3 << 8) | 4),	/* Not supported */
 };

 struct l_tls;
 struct l_key;
 struct l_certchain;
 struct l_queue;

 enum l_tls_alert_desc {
 	TLS_ALERT_CLOSE_NOTIFY		= 0,
 	TLS_ALERT_UNEXPECTED_MESSAGE	= 10,
 	TLS_ALERT_BAD_RECORD_MAC	= 20,
 	TLS_ALERT_DECRYPT_FAIL_RESERVED	= 21,
 	TLS_ALERT_RECORD_OVERFLOW	= 22,
 	TLS_ALERT_DECOMPRESS_FAIL	= 30,
 	TLS_ALERT_HANDSHAKE_FAIL	= 40,
 	TLS_ALERT_NO_CERT_RESERVED	= 41,
 	TLS_ALERT_BAD_CERT		= 42,
 	TLS_ALERT_UNSUPPORTED_CERT	= 43,
 	TLS_ALERT_CERT_REVOKED		= 44,
 	TLS_ALERT_CERT_EXPIRED		= 45,
 	TLS_ALERT_CERT_UNKNOWN		= 46,
 	TLS_ALERT_ILLEGAL_PARAM		= 47,
 	TLS_ALERT_UNKNOWN_CA		= 48,
 	TLS_ALERT_ACCESS_DENIED		= 49,
 	TLS_ALERT_DECODE_ERROR		= 50,
 	TLS_ALERT_DECRYPT_ERROR		= 51,
 	TLS_ALERT_EXPORT_RES_RESERVED	= 60,
 	TLS_ALERT_PROTOCOL_VERSION	= 70,
 	TLS_ALERT_INSUFFICIENT_SECURITY	= 71,
 	TLS_ALERT_INTERNAL_ERROR	= 80,
 	TLS_ALERT_USER_CANCELED		= 90,
 	TLS_ALERT_NO_RENEGOTIATION	= 100,
 	TLS_ALERT_UNSUPPORTED_EXTENSION	= 110,
 };

 typedef void (*l_tls_write_cb_t)(const uint8_t *data, size_t len,
 					void *user_data);
 typedef void (*l_tls_ready_cb_t)(const char *peer_identity, void *user_data);
 typedef void (*l_tls_disconnect_cb_t)(enum l_tls_alert_desc reason,
 					bool remote, void *user_data);
 typedef void (*l_tls_debug_cb_t)(const char *str, void *user_data);
 typedef void (*l_tls_destroy_cb_t)(void *user_data);

 /*
  * app_data_handler gets called with newly received decrypted data.
  * tx_handler gets called to send TLS payloads off to remote end.
  * ready_handler gets called when l_tls_write calls are first accepted.
  */
 struct l_tls *l_tls_new(bool server, l_tls_write_cb_t app_data_handler,
 			l_tls_write_cb_t tx_handler,
 			l_tls_ready_cb_t ready_handler,
 			l_tls_disconnect_cb_t disconnect_handler,
 			void *user_data);

 void l_tls_free(struct l_tls *tls);

 /* Begin sending connection setup messages to the server */
 bool l_tls_start(struct l_tls *tls);

 /* Properly disconnect a connected session */
 void l_tls_close(struct l_tls *tls);

 /* Submit plaintext data to be encrypted and transmitted */
 void l_tls_write(struct l_tls *tls, const uint8_t *data, size_t len);

 /* Submit TLS payload from underlying transport to be decrypted */
 void l_tls_handle_rx(struct l_tls *tls, const uint8_t *data, size_t len);

 /*
  * If peer is to be authenticated, supply the CA certificates.  On success
  * the l_tls object takes ownership of the queue and the individual l_cert
  * objects and they should not be freed by the caller afterwards.
  */
 bool l_tls_set_cacert(struct l_tls *tls, struct l_queue *ca_certs);

 /*
  * If we are to be authenticated, supply our certificate and private key.
  * On the client this is optional.  On success, the l_tls object takes
  * ownership of the certchain and the key objects and they should not be
  * freed by the caller afterwards.
  * TODO: it may also be useful for the caller to be able to supply one
  * certificate of each type so they can be used depending on which is compatible
  * with the negotiated parameters.
  */
 bool l_tls_set_auth_data(struct l_tls *tls,
 				struct l_certchain *certchain,
 				struct l_key *priv_key);

 void l_tls_set_version_range(struct l_tls *tls,
 				enum l_tls_version min_version,
 				enum l_tls_version max_version);

 void l_tls_set_domain_mask(struct l_tls *tls, char **mask);

 const char *l_tls_alert_to_str(enum l_tls_alert_desc desc);

 enum l_checksum_type;

 bool l_tls_prf_get_bytes(struct l_tls *tls, bool use_master_secret,
 				const char *label, uint8_t *buf, size_t len);

 bool l_tls_set_debug(struct l_tls *tls, l_tls_debug_cb_t function,
 			void *user_data, l_tls_destroy_cb_t destroy);
 bool l_tls_set_cert_dump_path(struct l_tls *tls, const char *path);

 #ifdef __cplusplus
 }
 #endif

 #endif /* __ELL_TLS_H */
	/*
	* Embedded Linux library
	*
	* Copyright (C) 2015 Intel Corporation. All rights reserved.
	*
	* This library is free software; you can redistribute it and/or
	* modify it under the terms of the GNU Lesser General Public
	* License as published by the Free Software Foundation; either
	* version 2.1 of the License, or (at your option) any later version.
	*
	* This library is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	* Lesser General Public License for more details.
	*
	* You should have received a copy of the GNU Lesser General Public
	* License along with this library; if not, write to the Free Software
	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	*/

	#ifndef __ELL_TLS_H
	#define __ELL_TLS_H

	#ifdef __cplusplus
	extern "C" {
	#endif

	enum l_tls_version {
	L_TLS_V10 = ((3 << 8) \| 1),
	L_TLS_V11 = ((3 << 8) \| 2),
	L_TLS_V12 = ((3 << 8) \| 3),
	L_TLS_V13 = ((3 << 8) \| 4), /* Not supported */
	};

	struct l_tls;
	struct l_key;
	struct l_certchain;
	struct l_queue;

	enum l_tls_alert_desc {
	TLS_ALERT_CLOSE_NOTIFY = 0,
	TLS_ALERT_UNEXPECTED_MESSAGE = 10,
	TLS_ALERT_BAD_RECORD_MAC = 20,
	TLS_ALERT_DECRYPT_FAIL_RESERVED = 21,
	TLS_ALERT_RECORD_OVERFLOW = 22,
	TLS_ALERT_DECOMPRESS_FAIL = 30,
	TLS_ALERT_HANDSHAKE_FAIL = 40,
	TLS_ALERT_NO_CERT_RESERVED = 41,
	TLS_ALERT_BAD_CERT = 42,
	TLS_ALERT_UNSUPPORTED_CERT = 43,
	TLS_ALERT_CERT_REVOKED = 44,
	TLS_ALERT_CERT_EXPIRED = 45,
	TLS_ALERT_CERT_UNKNOWN = 46,
	TLS_ALERT_ILLEGAL_PARAM = 47,
	TLS_ALERT_UNKNOWN_CA = 48,
	TLS_ALERT_ACCESS_DENIED = 49,
	TLS_ALERT_DECODE_ERROR = 50,
	TLS_ALERT_DECRYPT_ERROR = 51,
	TLS_ALERT_EXPORT_RES_RESERVED = 60,
	TLS_ALERT_PROTOCOL_VERSION = 70,
	TLS_ALERT_INSUFFICIENT_SECURITY = 71,
	TLS_ALERT_INTERNAL_ERROR = 80,
	TLS_ALERT_USER_CANCELED = 90,
	TLS_ALERT_NO_RENEGOTIATION = 100,
	TLS_ALERT_UNSUPPORTED_EXTENSION = 110,
	};

	typedef void (l_tls_write_cb_t)(const uint8_t data, size_t len,
	void *user_data);
	typedef void (l_tls_ready_cb_t)(const char peer_identity, void *user_data);
	typedef void (*l_tls_disconnect_cb_t)(enum l_tls_alert_desc reason,
	bool remote, void *user_data);
	typedef void (l_tls_debug_cb_t)(const char str, void *user_data);
	typedef void (l_tls_destroy_cb_t)(void user_data);

	/*
	* app_data_handler gets called with newly received decrypted data.
	* tx_handler gets called to send TLS payloads off to remote end.
	* ready_handler gets called when l_tls_write calls are first accepted.
	*/
	struct l_tls *l_tls_new(bool server, l_tls_write_cb_t app_data_handler,
	l_tls_write_cb_t tx_handler,
	l_tls_ready_cb_t ready_handler,
	l_tls_disconnect_cb_t disconnect_handler,
	void *user_data);

	void l_tls_free(struct l_tls *tls);

	/* Begin sending connection setup messages to the server */
	bool l_tls_start(struct l_tls *tls);

	/* Properly disconnect a connected session */
	void l_tls_close(struct l_tls *tls);

	/* Submit plaintext data to be encrypted and transmitted */
	void l_tls_write(struct l_tls tls, const uint8_t data, size_t len);

	/* Submit TLS payload from underlying transport to be decrypted */
	void l_tls_handle_rx(struct l_tls tls, const uint8_t data, size_t len);

	/*
	* If peer is to be authenticated, supply the CA certificates. On success
	* the l_tls object takes ownership of the queue and the individual l_cert
	* objects and they should not be freed by the caller afterwards.
	*/
	bool l_tls_set_cacert(struct l_tls tls, struct l_queue ca_certs);

	/*
	* If we are to be authenticated, supply our certificate and private key.
	* On the client this is optional. On success, the l_tls object takes
	* ownership of the certchain and the key objects and they should not be
	* freed by the caller afterwards.
	* TODO: it may also be useful for the caller to be able to supply one
	* certificate of each type so they can be used depending on which is compatible
	* with the negotiated parameters.
	*/
	bool l_tls_set_auth_data(struct l_tls *tls,
	struct l_certchain *certchain,
	struct l_key *priv_key);

	void l_tls_set_version_range(struct l_tls *tls,
	enum l_tls_version min_version,
	enum l_tls_version max_version);

	void l_tls_set_domain_mask(struct l_tls tls, char *mask);

	const char *l_tls_alert_to_str(enum l_tls_alert_desc desc);

	enum l_checksum_type;

	bool l_tls_prf_get_bytes(struct l_tls *tls, bool use_master_secret,
	const char label, uint8_t buf, size_t len);

	bool l_tls_set_debug(struct l_tls *tls, l_tls_debug_cb_t function,
	void *user_data, l_tls_destroy_cb_t destroy);
	bool l_tls_set_cert_dump_path(struct l_tls tls, const char path);

	#ifdef __cplusplus
	}
	#endif

	#endif /* __ELL_TLS_H */