tee_tlssocket.h

Go to the documentation of this file.

#ifndef __TEE_ISOCKET_TLS__
#define __TEE_ISOCKET_TLS__

#include "tee_isocket.h"

enum {
    TEE_ISOCKET_TLS_API_VERSION = 0x01030000 
};

enum {
    TEE_ISOCKET_PROTOCOLID_TLS = 0x67 
};

enum {
    TEE_ISOCKET_TLS_ERROR_REJECTED_SUITE    = 0xF1030001, 
    TEE_ISOCKET_TLS_ERROR_VERSION           = 0xF1030002, 
    TEE_ISOCKET_TLS_ERROR_UNSUPPORTED_SUITE = 0xF1030003, 
    TEE_ISOCKET_TLS_ERROR_HANDSHAKE         = 0xF1030004, 
    TEE_ISOCKET_TLS_ERROR_AUTHENTICATION    = 0xF1030005, 
    TEE_ISOCKET_TLS_ERROR_DATA              = 0xF1030006, 
};

typedef enum TEE_tlsSocket_tlsVersion_e {
    TEE_TLS_VERSION_ALL     = 0, 
    TEE_TLS_VERSION_1v2     = 1, 
} TEE_tlsSocket_tlsVersion;

typedef enum TEE_tlsSocket_CipherSuites_e {
    TLS_NULL_WITH_NULL_NULL             = 0x0000, /* LIST TERMINATION */
    TLS_RSA_WITH_3DES_EDE_CBC_SHA       = 0x000A, /* [RFC5246] */
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA   = 0x0013, /* [RFC5246] */
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   = 0x0016, /* [RFC5246] */
    TLS_RSA_WITH_AES_128_CBC_SHA        = 0x002F, /* [RFC5246] */
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA    = 0x0032, /* [RFC5246] */
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA    = 0x0033, /* [RFC5246] */
    TLS_RSA_WITH_AES_256_CBC_SHA        = 0x0035, /* [RFC5246] */
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA    = 0x0038, /* [RFC5246] */
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA    = 0x0039, /* [RFC5246] */
    TLS_RSA_WITH_AES_128_CBC_SHA256     = 0x003C, /* [RFC5246] */
    TLS_RSA_WITH_AES_256_CBC_SHA256     = 0x003D, /* [RFC5246] */
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040, /* [RFC5246] */
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067, /* [RFC5246] */
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A, /* [RFC5246] */
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B, /* [RFC5246] */

    TLS_PSK_WITH_3DES_EDE_CBC_SHA       = 0x008B, /* [RFC4279] */
    TLS_PSK_WITH_AES_128_CBC_SHA        = 0x008C, /* [RFC4279] */
    TLS_PSK_WITH_AES_256_CBC_SHA        = 0x008D, /* [RFC4279] */
    TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA   = 0x008F, /* [RFC4279] */
    TLS_DHE_PSK_WITH_AES_128_CBC_SHA    = 0x0090, /* [RFC4279] */
    TLS_DHE_PSK_WITH_AES_256_CBC_SHA    = 0x0091, /* [RFC4279] */
    TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA   = 0x0093, /* [RFC4279] */
    TLS_RSA_PSK_WITH_AES_128_CBC_SHA    = 0x0094, /* [RFC4279] */
    TLS_RSA_PSK_WITH_AES_256_CBC_SHA    = 0x0095, /* [RFC4279] */

    TLS_RSA_WITH_AES_128_GCM_SHA256     = 0x009C, /* [RFC5288] */
    TLS_RSA_WITH_AES_256_GCM_SHA384     = 0x009D, /* [RFC5288] */
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E, /* [RFC5288] */
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F, /* [RFC5288] */
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2, /* [RFC5288] */
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3, /* [RFC5288] */

    TLS_PSK_WITH_AES_128_GCM_SHA256     = 0x00A8, /* [RFC5487] */
    TLS_PSK_WITH_AES_256_GCM_SHA384     = 0x00A9, /* [RFC5487] */
    TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA, /* [RFC5487] */
    TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB, /* [RFC5487] */
    TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC, /* [RFC5487] */
    TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD, /* [RFC5487] */
    TLS_PSK_WITH_AES_128_CBC_SHA256     = 0x00AE, /* [RFC5487] */
    TLS_PSK_WITH_AES_256_CBC_SHA384     = 0x00AF, /* [RFC5487] */
    TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2, /* [RFC5487] */
    TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3, /* [RFC5487] */
    TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6, /* [RFC5487] */
    TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7, /* [RFC5487] */

    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   = 0xC008, /* [RFC4492] */
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    = 0xC009, /* [RFC4492] */
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    = 0xC00A, /* [RFC4492] */
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     = 0xC012, /* [RFC4492] */
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      = 0xC013, /* [RFC4492] */
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      = 0xC014, /* [RFC4492] */

    TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA       = 0xC01A, /* [RFC5054] */
    TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA   = 0xC01B, /* [RFC5054] */
    TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA   = 0xC01C, /* [RFC5054] */
    TLS_SRP_SHA_WITH_AES_128_CBC_SHA        = 0xC01D, /* [RFC5054] */
    TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA    = 0xC01E, /* [RFC5054] */
    TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA    = 0xC01F, /* [RFC5054] */
    TLS_SRP_SHA_WITH_AES_256_CBC_SHA        = 0xC020, /* [RFC5054] */
    TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA    = 0xC021, /* [RFC5054] */
    TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA    = 0xC022, /* [RFC5054] */

    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023, /* [RFC5289] */
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024, /* [RFC5289] */
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   = 0xC027, /* [RFC5289] */
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   = 0xC028, /* [RFC5289] */
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B, /* [RFC5289] */
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C, /* [RFC5289] */
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   = 0xC02F, /* [RFC5289] */
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   = 0xC030, /* [RFC5289] */
    TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA     = 0xC034, /* [RFC5489] */
    TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA      = 0xC035, /* [RFC5489] */
    TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA      = 0xC036, /* [RFC5489] */
    TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256   = 0xC037, /* [RFC5489] */
    TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384   = 0xC038, /* [RFC5489] */

    TLS_RSA_WITH_AES_128_CCM            = 0xC09C, /* [RFC6655] */
    TLS_RSA_WITH_AES_256_CCM            = 0xC09D, /* [RFC6655] */
    TLS_DHE_RSA_WITH_AES_128_CCM        = 0xC09E, /* [RFC6655] */
    TLS_DHE_RSA_WITH_AES_256_CCM        = 0xC09F, /* [RFC6655] */
    TLS_PSK_WITH_AES_128_CCM            = 0xC0A4, /* [RFC6655] */
    TLS_PSK_WITH_AES_256_CCM            = 0xC0A5, /* [RFC6655] */
    TLS_DHE_PSK_WITH_AES_128_CCM        = 0xC0A6, /* [RFC6655] */
    TLS_DHE_PSK_WITH_AES_256_CCM        = 0xC0A7, /* [RFC6655] */
} TEE_tlsSocket_CipherSuites;

typedef struct TEE_tlsSocket_PSK_Info_s {
    TEE_ObjectHandle    pskKey;
    char                *pskIdentity;
} TEE_tlsSocket_PSK_Info;

typedef struct TEE_tlsSocket_SRP_Info_s {
    char                *srpPassword;
    char                *srpIdentity;
} TEE_tlsSocket_SRP_Info;

typedef struct TEE_tlsSocket_ClientPDC_s {
    TEE_ObjectHandle    privateKey;
    char                *bulkCertChain;
    uint32_t            bulkSize;
} TEE_tlsSocket_ClientPDC;

typedef struct TEE_tlsSocket_ServerPDC_s {
    TEE_ObjectHandle    publicKey;
    char                *bulkCertChain;
    uint32_t            bulkSize;
} TEE_tlsSocket_ServerPDC;

typedef struct TEE_tlsSocket_CertStorageCred_s {
} TEE_tlsSocket_CertStorageCred;

typedef enum TEE_tlsSocket_ClientCredentialType_e {
    TEE_TLS_CLIENT_CRED_NONE    = 0, 
    TEE_TLS_CLIENT_CRED_PDC     = 1, 
    TEE_TLS_CLIENT_CRED_CSC     = 2, 
} TEE_tlsSocket_ClientCredentialType;

typedef enum TEE_tlsSocket_ServerCredentialType_e {
    TEE_TLS_SERVER_CRED_PDC     = 0, 
    TEE_TLS_SERVER_CRED_CSC     = 1, 
} TEE_tlsSocket_ServerCredentialType;

typedef struct TEE_tlsSocket_Credentials_s {
    TEE_tlsSocket_ServerCredentialType serverCredType;  
    union {
        TEE_tlsSocket_ServerPDC *serverCred;            
        TEE_tlsSocket_CertStorageCred *rootCertStore;   
    };
    TEE_tlsSocket_ClientCredentialType clientCredType;  
    union {
        TEE_tlsSocket_ClientPDC *clientCred;            
        TEE_tlsSocket_CertStorageCred *clientCertStore; 
    };
} TEE_tlsSocket_Credentials;

typedef enum TEE_tlsSocket_CallbackReasonType_e {
    TEE_ISOCKET_TLS_CB_CHECK_CERT_CHAIN     = 1,  
    TEE_ISOCKET_TLS_CB_BAD_CERT_CHAIN       = 2,  
    TEE_ISOCKET_TLS_CB_CHECK_OCSP_STATUS    = 11, 
    TEE_ISOCKET_TLS_CB_UNKNOWN_OCSP_STATUS  = 12, 
    TEE_ISOCKET_TLS_CB_REVOKED_OCSP_STATUS  = 13, 
} TEE_tlsSocket_CallbackReasonType;

typedef struct TEE_tlsSocket_CallbackInfo_s {
    TEE_tlsSocket_CallbackReasonType    reason;
    TEE_Result                          result;
    uint32_t                            protocolError;
} TEE_tlsSocket_CallbackInfo;

typedef TEE_Result (*TEE_tlsCallback)(
    TEE_iSocketHandle                   ctx,
    TEE_tlsSocket_CallbackInfo          *cbInfo,
    void                                *cbData,
    uint32_t                            *cbDataLength);

typedef enum TEE_tlsSocket_StatusRequestType_e {
    TEE_ISOCKET_TLS_OCSP_STATUS_REQUEST_NO  = 0,    
    TEE_ISOCKET_TLS_OCSP_STATUS_REQUEST     = 1,    
    //TEE_ISOCKET_TLS_OCSP_STATUS_REQUEST_V2  = 17,   // TODO: OCSP stapling V2 MULTIPLE certificate status request - RFC 6961
} TEE_tlsSocket_StatusRequestType;

typedef enum TEE_tlsSocket_ExtensionFlags_e {
    TEE_ISOCKET_TLS_CERT_NAME_CHECK_CLIENT      = 0x00000001,   
    TEE_ISOCKET_TLS_CERT_KEYUSAGE_CHECK_CLIENT  = 0x00000002,   
    TEE_ISOCKET_TLS_CERT_NOTIFY_CLIENT          = 0x00000004,   
    TEE_ISOCKET_TLS_OCSP_CHECK_CLIENT           = 0x00010000,   
    TEE_ISOCKET_TLS_OCSP_CHECK_ADVISORY         = 0x00020000,   
    TEE_ISOCKET_TLS_OCSP_CHECK_MANDATORY        = 0x00040000,   
} TEE_tlsSocket_ExtensionFlags;

enum {
    TEE_ISOCKET_TLS_MAX_ALPN_LIST_LENGTH = 16
};

typedef struct TEE_tlsSocket_Setup_s {
    uint32_t                        apiVersion;          
    TEE_tlsSocket_tlsVersion        acceptServerVersion; 
    TEE_tlsSocket_CipherSuites      *allowedCipherSuites;
    union {
        TEE_tlsSocket_PSK_Info      *PSKInfo;       
        TEE_tlsSocket_SRP_Info      *SRPInfo;       
    }; 
    TEE_tlsSocket_Credentials       *credentials;   
    TEE_iSocket                     *baseSocket;    
    TEE_iSocketHandle               *baseContext;   
    TEE_tlsSocket_ExtensionFlags    extFlags;       
    char                            *serverName;
    TEE_tlsCallback                 tlsCallback;
    char                            **alpnList;
    TEE_tlsSocket_StatusRequestType ocspStatusType;
} TEE_tlsSocket_Setup;

typedef struct TEE_tlsSocket_CB_Data_s {
    uint32_t    cb_data_size;
    uint8_t     cb_data[];
} TEE_tlsSocket_CB_Data;

enum {
    /* Retrieve channel binding information for the current connection.
     * The returned buffer can be interpreted as an instance of the structure TEE_tlsSocket_CB_Data.
     * If no channel binding information is available, the output length is 0 */
    TEE_TLS_BINDING_INFO = 0x67000001,
};

extern const TEE_iSocket *const TEE_tlsSocket DSO_EXPORT;

#endif /* !__TEE_ISOCKET_TLS__ */