1 /* 2 * This file is part of the openHiTLS project. 3 * 4 * openHiTLS is licensed under the Mulan PSL v2. 5 * You can use this software according to the terms and conditions of the Mulan PSL v2. 6 * You may obtain a copy of Mulan PSL v2 at: 7 * 8 * http://license.coscl.org.cn/MulanPSL2 9 * 10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, 11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, 12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. 13 * See the Mulan PSL v2 for more details. 14 */ 15 16 #ifndef TLS_CONFIG_H 17 #define TLS_CONFIG_H 18 19 #include <stdint.h> 20 #include <stdbool.h> 21 #include "hitls_build.h" 22 #include "hitls_cert_type.h" 23 #include "hitls_cert.h" 24 #include "hitls_debug.h" 25 #include "hitls_config.h" 26 #include "hitls_session.h" 27 #include "hitls_psk.h" 28 #include "hitls_security.h" 29 #include "hitls_sni.h" 30 #include "hitls_alpn.h" 31 #include "hitls_cookie.h" 32 #include "sal_atomic.h" 33 #ifdef HITLS_TLS_FEATURE_PROVIDER 34 #include "crypt_eal_provider.h" 35 #endif 36 37 #ifdef __cplusplus 38 extern "C" { 39 #endif 40 41 /** 42 * @ingroup config 43 * @brief Certificate management context 44 */ 45 typedef struct CertMgrCtxInner CERT_MgrCtx; 46 47 typedef struct TlsSessionManager TLS_SessionMgr; 48 49 /** 50 * @ingroup config 51 * @brief DTLS 1.0 52 */ 53 #define HITLS_VERSION_DTLS10 0xfeffu 54 55 #define HITLS_TICKET_KEY_NAME_SIZE 16u 56 #define HITLS_TICKET_KEY_SIZE 32u 57 #define HITLS_TICKET_IV_SIZE 16u 58 59 /* the default number of tickets of TLS1.3 server is 2 */ 60 #define HITLS_TLS13_TICKET_NUM_DEFAULT 2u 61 #define HITLS_MAX_EMPTY_RECORDS 32 62 /* max cert list is 100k */ 63 #define HITLS_MAX_CERT_LIST_DEFAULT (1024 * 100) 64 65 /** 66 * @brief Group information 67 */ 68 typedef struct { 69 char *name; // group name 70 int32_t paraId; // parameter id CRYPT_PKEY_ParaId 71 int32_t algId; // algorithm id CRYPT_PKEY_AlgId 72 int32_t secBits; // security bits 73 uint16_t groupId; // iana group id, HITLS_NamedGroup 74 int32_t pubkeyLen; // public key length(CH keyshare / SH keyshare) 75 int32_t sharedkeyLen; // shared key length 76 int32_t ciphertextLen; // ciphertext length(SH keyshare) 77 uint32_t versionBits; // TLS_VERSION_MASK 78 bool isKem; // true: KEM, false: KEX 79 } TLS_GroupInfo; 80 81 /** 82 * @brief Signature scheme information 83 */ 84 typedef struct { 85 char *name; 86 uint16_t signatureScheme; // HITLS_SignHashAlgo, IANA specified 87 int32_t keyType; // HITLS_CERT_KeyType 88 int32_t paraId; // CRYPT_PKEY_ParaId 89 int32_t signHashAlgId; // combined sign hash algorithm id 90 int32_t signAlgId; // CRYPT_PKEY_AlgId 91 int32_t hashAlgId; // CRYPT_MD_AlgId 92 int32_t secBits; // security bits 93 uint32_t certVersionBits; // TLS_VERSION_MASK 94 uint32_t chainVersionBits; // TLS_VERSION_MASK 95 } TLS_SigSchemeInfo; 96 97 #ifdef HITLS_TLS_FEATURE_PROVIDER 98 /** 99 * @brief TLS capability data 100 */ 101 typedef struct { 102 HITLS_Config *config; 103 CRYPT_EAL_ProvMgrCtx *provMgrCtx; 104 } TLS_CapabilityData; 105 #define TLS_CAPABILITY_LIST_MALLOC_SIZE 10 106 #endif 107 108 typedef struct CustomExt_Methods HITLS_CustomExts; 109 110 /** 111 * @brief TLS Global Configuration 112 */ 113 typedef struct TlsConfig { 114 BSL_SAL_RefCount references; /* reference count */ 115 HITLS_Lib_Ctx *libCtx; /* library context */ 116 const char *attrName; /* attrName */ 117 #ifdef HITLS_TLS_FEATURE_PROVIDER 118 TLS_GroupInfo *groupInfo; 119 uint32_t groupInfolen; 120 uint32_t groupInfoSize; 121 TLS_SigSchemeInfo *sigSchemeInfo; 122 uint32_t sigSchemeInfolen; 123 uint32_t sigSchemeInfoSize; 124 #endif 125 uint32_t version; /* supported proto version */ 126 uint32_t originVersionMask; /* the original supported proto version mask */ 127 uint16_t minVersion; /* min supported proto version */ 128 uint16_t maxVersion; /* max supported proto version */ 129 uint32_t modeSupport; /* support mode */ 130 131 uint16_t *tls13CipherSuites; /* tls13 cipher suite */ 132 uint32_t tls13cipherSuitesSize; 133 uint16_t *cipherSuites; /* cipher suite */ 134 uint32_t cipherSuitesSize; 135 uint8_t *pointFormats; /* ec point format */ 136 uint32_t pointFormatsSize; 137 /* According to RFC 8446 4.2.7, before TLS 1.3 is ec curves; TLS 1.3: supported groups for the key exchange */ 138 uint16_t *groups; 139 uint32_t groupsSize; 140 uint16_t *signAlgorithms; /* signature algorithm */ 141 uint32_t signAlgorithmsSize; 142 143 uint8_t *alpnList; /* application layer protocols list */ 144 uint32_t alpnListSize; /* bytes of alpn, excluding the tail 0 byte */ 145 146 HITLS_SecurityCb securityCb; /* Security callback */ 147 void *securityExData; /* Security ex data */ 148 int32_t securityLevel; /* Security level */ 149 150 uint8_t *serverName; /* server name */ 151 uint32_t serverNameSize; /* server name size */ 152 153 int32_t readAhead; /* need read more data into user buffer, nonzero indicates yes, otherwise no */ 154 uint32_t emptyRecordsNum; /* the max number of empty records can be received */ 155 156 /* TLS1.2 psk */ 157 uint8_t *pskIdentityHint; /* psk identity hint */ 158 uint32_t hintSize; 159 HITLS_PskClientCb pskClientCb; /* psk client callback */ 160 HITLS_PskServerCb pskServerCb; /* psk server callback */ 161 162 /* TLS1.3 psk */ 163 HITLS_PskFindSessionCb pskFindSessionCb; /* TLS1.3 PSK server callback */ 164 HITLS_PskUseSessionCb pskUseSessionCb; /* TLS1.3 PSK client callback */ 165 166 HITLS_DtlsTimerCb dtlsTimerCb; /* DTLS get the timeout callback */ 167 uint32_t dtlsPostHsTimeoutVal; /* DTLS over UDP completed handshake timeout */ 168 169 HITLS_CRYPT_Key *dhTmp; /* Temporary DH key set by the user */ 170 HITLS_DhTmpCb dhTmpCb; /* Temporary ECDH key set by the user */ 171 172 HITLS_InfoCb infoCb; /* information indicator callback */ 173 HITLS_MsgCb msgCb; /* message callback function cb for observing all SSL/TLS protocol messages */ 174 void *msgArg; /* set argument arg to the callback function */ 175 176 HITLS_RecordPaddingCb recordPaddingCb; /* the callback to specify the padding for TLS 1.3 records */ 177 void *recordPaddingArg; /* assign a value arg that is passed to the callback */ 178 179 uint32_t keyExchMode; /* TLS1.3 psk exchange mode */ 180 181 uint32_t maxCertList; /* the maximum size allowed for the peer's certificate chain */ 182 183 HITLS_TrustedCAList *caList; /* the list of CAs sent to the peer */ 184 CERT_MgrCtx *certMgrCtx; /* certificate management context */ 185 186 uint32_t sessionIdCtxSize; /* the size of sessionId context */ 187 uint8_t sessionIdCtx[HITLS_SESSION_ID_CTX_MAX_SIZE]; /* the sessionId context */ 188 189 uint32_t ticketNums; /* TLS1.3 ticket number */ 190 TLS_SessionMgr *sessMgr; /* session management */ 191 192 void *userData; /* user data */ 193 HITLS_ConfigUserDataFreeCb userDataFreeCb; 194 195 bool needCheckKeyUsage; /* whether to check keyusage, default on */ 196 bool needCheckPmsVersion; /* whether to verify the version in premastersecret */ 197 bool isSupportRenegotiation; /* support renegotiation */ 198 bool allowClientRenegotiate; /* allow a renegotiation initiated by the client */ 199 bool allowLegacyRenegotiate; /* whether to abort handshake when server doesn't support SecRenegotiation */ 200 bool isResumptionOnRenego; /* supports session resume during renegotiation */ 201 bool isSupportDhAuto; /* the DH parameter to be automatically selected */ 202 203 /* Certificate Verification Mode */ 204 bool isSupportClientVerify; /* Enable dual-ended authentication. only for server */ 205 bool isSupportNoClientCert; /* Authentication Passed When Client Sends Empty Certificate. only for server */ 206 bool isSupportPostHandshakeAuth; /* TLS1.3 support post handshake auth. for server and client */ 207 bool isSupportVerifyNone; /* The handshake will be continued regardless of the verification result. 208 for server and client */ 209 bool isSupportClientOnceVerify; /* only request a client certificate once during the connection. 210 only for server */ 211 212 bool isQuietShutdown; /* is support the quiet shutdown mode */ 213 bool isEncryptThenMac; /* is EncryptThenMac on */ 214 bool isFlightTransmitEnable; /* sending of handshake information in one flighttransmit */ 215 216 bool isSupportExtendMasterSecret; /* is support extended master secret */ 217 bool isSupportSessionTicket; /* is support session ticket */ 218 bool isSupportServerPreference; /* server cipher suites can be preferentially selected */ 219 220 /* DTLS */ 221 #if defined(HITLS_TLS_PROTO_DTLS12) && defined(HITLS_BSL_UIO_UDP) 222 bool isSupportDtlsCookieExchange; /* is dtls support cookie exchange */ 223 #endif 224 /** 225 * Configurations in the HITLS_Ctx are classified into private configuration and global configuration. 226 * The following parameters directly reference the global configuration in tls. 227 * Private configuration: ctx->config.tlsConfig 228 * The global configuration: ctx->globalConfig 229 * Modifying the globalConfig will affects all associated HITLS_Ctx 230 */ 231 HITLS_AlpnSelectCb alpnSelectCb; /* alpn callback */ 232 void *alpnUserData; /* the user data for alpn callback */ 233 void *sniArg; /* the args for servername callback */ 234 HITLS_SniDealCb sniDealCb; /* server name callback function */ 235 HITLS_ClientHelloCb clientHelloCb; /* ClientHello callback */ 236 void *clientHelloCbArg; /* the args for ClientHello callback */ 237 #ifdef HITLS_TLS_PROTO_DTLS12 238 HITLS_AppGenCookieCb appGenCookieCb; 239 HITLS_AppVerifyCookieCb appVerifyCookieCb; 240 #endif 241 HITLS_NewSessionCb newSessionCb; /* negotiates to generate a session */ 242 HITLS_KeyLogCb keyLogCb; /* the key log callback */ 243 bool isKeepPeerCert; /* whether to save the peer certificate */ 244 245 HITLS_CustomExts *customExts; 246 } TLS_Config; 247 248 #define LIBCTX_FROM_CONFIG(config) ((config == NULL) ? NULL : (config)->libCtx) 249 #define ATTRIBUTE_FROM_CONFIG(config) ((config == NULL) ? NULL : (config)->attrName) 250 251 #ifdef __cplusplus 252 } 253 #endif 254 255 #endif // TLS_CONFIG_H 256