Transport Layer Security Protocol. More...
#include <stdint.h>
#include <ipxe/refcnt.h>
#include <ipxe/interface.h>
#include <ipxe/process.h>
#include <ipxe/crypto.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/x509.h>
#include <ipxe/privkey.h>
#include <ipxe/pending.h>
#include <ipxe/iobuf.h>
#include <ipxe/tables.h>
Go to the source code of this file.
Data Structures | |
| struct | tls_header |
| A TLS header. More... | |
| struct | tls_auth_header |
| TLS authentication header. More... | |
| struct | tls_verify_data |
| TLS verification data. More... | |
| struct | tls_key_exchange_algorithm |
| A TLS key exchange algorithm. More... | |
| struct | tls_cipher_suite |
| A TLS cipher suite. More... | |
| struct | tls_named_curve |
| A TLS named curve. More... | |
| struct | tls_cipherspec |
| A TLS cipher specification. More... | |
| struct | tls_cipherspec_pair |
| A TLS cipher specification pair. More... | |
| struct | tls_signature_hash_id |
| A TLS signature and hash algorithm identifier. More... | |
| struct | tls_signature_hash_algorithm |
| A TLS signature algorithm. More... | |
| struct | tls_client_random |
| TLS client random data. More... | |
| struct | md5_sha1_context |
| An MD5+SHA1 context. More... | |
| struct | md5_sha1_digest |
| An MD5+SHA1 digest. More... | |
| struct | tls_session |
| A TLS session. More... | |
| struct | tls_tx |
| TLS transmit state. More... | |
| struct | tls_rx |
| TLS receive state. More... | |
| struct | tls_client |
| TLS client state. More... | |
| struct | tls_server |
| TLS server state. More... | |
| struct | tls_connection |
| A TLS connection. More... | |
Enumerations | |
| enum | tls_rx_state { TLS_RX_HEADER = 0 , TLS_RX_DATA } |
| TLS RX state machine state. More... | |
| enum | tls_tx_pending { TLS_TX_CLIENT_HELLO = 0x0001 , TLS_TX_CERTIFICATE = 0x0002 , TLS_TX_CLIENT_KEY_EXCHANGE = 0x0004 , TLS_TX_CERTIFICATE_VERIFY = 0x0008 , TLS_TX_CHANGE_CIPHER = 0x0010 , TLS_TX_FINISHED = 0x0020 } |
| TLS TX pending flags. More... | |
Functions | |
| FILE_LICENCE (GPL2_OR_LATER_OR_UBDL) | |
| FILE_SECBOOT (PERMITTED) | |
| int | add_tls (struct interface *xfer, const char *name, struct x509_root *root, struct private_key *key) |
| Add TLS on an interface. | |
Variables | |
| struct tls_key_exchange_algorithm | tls_pubkey_exchange_algorithm |
| Public key exchange algorithm. | |
| struct tls_key_exchange_algorithm | tls_dhe_exchange_algorithm |
| Ephemeral Diffie-Hellman key exchange algorithm. | |
| struct tls_key_exchange_algorithm | tls_ecdhe_exchange_algorithm |
| Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm. | |
Transport Layer Security Protocol.
Definition in file tls.h.
| #define TLS_VERSION_TLS_1_2 0x0303 |
TLS version 1.2.
Definition at line 48 of file tls.h.
Referenced by tls_prf(), tls_select_cipher(), tls_send_certificate_verify(), and tls_verify_dh_params().
| #define TLS_VERSION_MAX TLS_VERSION_TLS_1_2 |
Maximum supported TLS version (TLS 1.2, i.e. TLS_VERSION_TLS_1_2).
Definition at line 51 of file tls.h.
Referenced by add_tls(), tls_client_hello(), and tls_send_client_key_exchange_pubkey().
| #define TLS_TYPE_CHANGE_CIPHER 20 |
Change cipher content type.
Definition at line 54 of file tls.h.
Referenced by tls_new_record(), and tls_send_change_cipher().
| #define TLS_CHANGE_CIPHER_SPEC 1 |
Change cipher spec magic byte.
Definition at line 57 of file tls.h.
Referenced by tls_new_change_cipher(), and tls_send_change_cipher().
| #define TLS_TYPE_ALERT 21 |
Alert content type.
| #define TLS_TYPE_HANDSHAKE 22 |
Handshake content type.
Definition at line 63 of file tls.h.
Referenced by tls_new_record(), tls_send_certificate(), tls_send_handshake(), and tls_send_record().
| #define TLS_TYPE_DATA 23 |
Application data content type.
Definition at line 66 of file tls.h.
Referenced by tls_new_record(), and tls_plainstream_deliver().
| #define TLS_HELLO_REQUEST 0 |
Definition at line 69 of file tls.h.
Referenced by tls_new_handshake().
| #define TLS_CLIENT_HELLO 1 |
Definition at line 70 of file tls.h.
Referenced by tls_client_hello().
| #define TLS_SERVER_HELLO 2 |
Definition at line 71 of file tls.h.
Referenced by tls_new_handshake().
| #define TLS_NEW_SESSION_TICKET 4 |
Definition at line 72 of file tls.h.
Referenced by tls_new_handshake().
| #define TLS_CERTIFICATE 11 |
Definition at line 73 of file tls.h.
Referenced by tls_new_handshake(), and tls_send_certificate().
| #define TLS_SERVER_KEY_EXCHANGE 12 |
Definition at line 74 of file tls.h.
Referenced by tls_new_handshake().
| #define TLS_CERTIFICATE_REQUEST 13 |
Definition at line 75 of file tls.h.
Referenced by tls_new_handshake().
| #define TLS_SERVER_HELLO_DONE 14 |
Definition at line 76 of file tls.h.
Referenced by tls_new_handshake().
| #define TLS_CERTIFICATE_VERIFY 15 |
Definition at line 77 of file tls.h.
Referenced by tls_send_certificate_verify().
| #define TLS_CLIENT_KEY_EXCHANGE 16 |
Definition at line 78 of file tls.h.
Referenced by tls_send_client_key_exchange_dhe(), tls_send_client_key_exchange_ecdhe(), and tls_send_client_key_exchange_pubkey().
| #define TLS_FINISHED 20 |
Definition at line 79 of file tls.h.
Referenced by tls_new_handshake(), and tls_send_finished().
| #define TLS_ALERT_WARNING 1 |
Definition at line 82 of file tls.h.
Referenced by tls_new_alert().
| #define TLS_ALERT_FATAL 2 |
Definition at line 83 of file tls.h.
Referenced by tls_new_alert().
| #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002f |
Definition at line 88 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 |
Definition at line 89 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 |
Definition at line 90 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 |
Definition at line 91 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003c |
Definition at line 92 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003d |
Definition at line 93 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 |
Definition at line 94 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006b |
Definition at line 95 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009c |
Definition at line 96 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009d |
Definition at line 97 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009e |
Definition at line 98 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009f |
Definition at line 99 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xc009 |
Definition at line 100 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xc00a |
Definition at line 101 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013 |
Definition at line 102 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014 |
Definition at line 103 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xc023 |
Definition at line 104 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xc024 |
Definition at line 105 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xc027 |
Definition at line 106 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xc028 |
Definition at line 107 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xc02b |
Definition at line 108 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xc02c |
Definition at line 109 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f |
Definition at line 110 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xc030 |
Definition at line 111 of file tls.h.
Referenced by __tls_cipher_suite().
| #define TLS_SERVER_NAME 0 |
Definition at line 126 of file tls.h.
Referenced by tls_client_hello().
| #define TLS_SERVER_NAME_HOST_NAME 0 |
Definition at line 127 of file tls.h.
Referenced by tls_client_hello().
| #define TLS_MAX_FRAGMENT_LENGTH 1 |
Definition at line 130 of file tls.h.
Referenced by tls_client_hello().
| #define TLS_NAMED_CURVE 10 |
Definition at line 137 of file tls.h.
Referenced by tls_client_hello().
| #define TLS_NAMED_CURVE_SECP256R1 23 |
Definition at line 138 of file tls.h.
Referenced by __tls_named_curve().
| #define TLS_NAMED_CURVE_SECP384R1 24 |
Definition at line 139 of file tls.h.
Referenced by __tls_named_curve().
| #define TLS_NAMED_CURVE_X25519 29 |
Definition at line 140 of file tls.h.
Referenced by __tls_named_curve().
| #define TLS_SIGNATURE_ALGORITHMS 13 |
Definition at line 143 of file tls.h.
Referenced by tls_client_hello().
| #define TLS_EXTENDED_MASTER_SECRET 23 |
Definition at line 146 of file tls.h.
Referenced by tls_client_hello(), and tls_new_server_hello().
| #define TLS_SESSION_TICKET 35 |
Definition at line 149 of file tls.h.
Referenced by tls_client_hello().
| #define TLS_RENEGOTIATION_INFO 0xff01 |
Definition at line 152 of file tls.h.
Referenced by tls_client_hello(), and tls_new_server_hello().
| #define TLS_CIPHER_SUITES __table ( struct tls_cipher_suite, "tls_cipher_suites" ) |
TLS cipher suite table. Which of the suites listed above are actually offered, and in what order, is determined by the __tls_cipher_suite() declarations and their preference value; the table is walked by tls_client_hello() and tls_find_cipher_suite(). Note that the listed identifiers include static-RSA key exchange (no forward secrecy) and CBC/HMAC suites alongside the ECDHE/DHE and GCM suites.
Definition at line 224 of file tls.h.
Referenced by tls_client_hello(), and tls_find_cipher_suite().
| #define __tls_cipher_suite | ( | pref | ) |
Declare a TLS cipher suite; the pref argument sets its position in the TLS_CIPHER_SUITES table.
Definition at line 228 of file tls.h.
Referenced by the __tls_cipher_suite() declaration of each supported cipher suite (18 occurrences).
| #define TLS_NAMED_CURVE_TYPE 3 |
TLS named curve type.
Definition at line 232 of file tls.h.
Referenced by tls_send_client_key_exchange_ecdhe().
| #define TLS_POINT_FORMAT_UNCOMPRESSED 4 |
TLS uncompressed curve point format.
Definition at line 235 of file tls.h.
Referenced by __tls_named_curve().
| #define TLS_NAMED_CURVES __table ( struct tls_named_curve, "tls_named_curves" ) |
TLS named curve table.
Definition at line 250 of file tls.h.
Referenced by tls_client_hello(), and tls_find_named_curve().
| #define __tls_named_curve | ( | pref | ) |
Declare a TLS named curve.
Definition at line 254 of file tls.h.
Referenced by __tls_named_curve().
| #define TLS_SIG_HASH_ALGORITHMS |
TLS signature hash algorithm table.
Note that the default (TLSv1.1 and earlier) algorithm using MD5+SHA1 is never explicitly specified.
Definition at line 302 of file tls.h.
Referenced by tls_client_hello(), tls_signature_hash_algorithm(), tls_signature_hash_digest(), and tls_signature_hash_pubkey().
| #define __tls_sig_hash_algorithm __table_entry ( TLS_SIG_HASH_ALGORITHMS, 01 ) |
| #define MD5_SHA1_CTX_SIZE sizeof ( struct md5_sha1_context ) |
| #define MD5_SHA1_DIGEST_SIZE sizeof ( struct md5_sha1_digest ) |
| #define TLS_MAX_FRAGMENT_LENGTH_VALUE TLS_MAX_FRAGMENT_LENGTH_4096 |
Advertised maximum fragment length.
Definition at line 484 of file tls.h.
Referenced by tls_client_hello().
| #define TLS_TX_BUFSIZE 4096 |
TX maximum fragment length.
TLS requires us to limit our transmitted records to the maximum fragment length that we attempt to negotiate, even if the server does not respect this choice.
Definition at line 492 of file tls.h.
Referenced by tls_iob_reserved(), and tls_send_record().
| #define TLS_RX_BUFSIZE 4096 |
RX I/O buffer size.
The maximum fragment length extension is optional, and many common implementations (including OpenSSL) do not support it. We must therefore be prepared to receive records of up to 16kB in length. The chance of an allocation of this size failing is non-negligible, so we must split received data into smaller allocations.
Definition at line 502 of file tls.h.
Referenced by tls_newdata_process_header().
| #define TLS_RX_MIN_BUFSIZE 512 |
Minimum RX I/O buffer size.
To simplify manipulations, we ensure that no RX I/O buffer is smaller than this size. This allows us to assume that the MAC and padding are entirely contained within the final I/O buffer.
Definition at line 510 of file tls.h.
Referenced by tls_newdata_process_header().
| #define TLS_RX_ALIGN 16 |
RX I/O buffer alignment.
Definition at line 513 of file tls.h.
Referenced by tls_newdata_process_header().
| enum tls_rx_state |
TLS RX state machine state.
| Enumerator | |
|---|---|
| TLS_RX_HEADER | |
| TLS_RX_DATA | |
| enum tls_tx_pending |
TLS TX pending flags.
| Enumerator | |
|---|---|
| TLS_TX_CLIENT_HELLO | |
| TLS_TX_CERTIFICATE | |
| TLS_TX_CLIENT_KEY_EXCHANGE | |
| TLS_TX_CERTIFICATE_VERIFY | |
| TLS_TX_CHANGE_CIPHER | |
| TLS_TX_FINISHED | |
Definition at line 177 of file tls.h.
| FILE_LICENCE | ( | GPL2_OR_LATER_OR_UBDL | ) |
| FILE_SECBOOT | ( | PERMITTED | ) |
extern int add_tls ( struct interface *xfer, const char *name, struct x509_root *root, struct private_key *key )
Add TLS on an interface.
| xfer | Data transfer interface |
| name | Host name |
| root | Root of trust (or NULL to use the default; add_tls() references the built-in root_certificates table for this case) |
| key | Private key (or NULL to use default) |
| rc | Return value: status code (add_tls() references ENOMEM for allocation failure) |
Definition at line 3962 of file tls.c.
References tls_cipherspec_pair::active, tls_rx::cipherspec, tls_tx::cipherspec, tls_connection::cipherstream, tls_connection::client, tls_session::conn, tls_rx::data, ENOMEM, free_tls(), tls_client_random::gmt_unix_time, tls_rx::header, INIT_LIST_HEAD, intf_init(), intf_insert(), iob_populate(), tls_rx::iobuf, key, tls_client::key, tls_connection::list, list_add_tail, malloc(), memset(), name, NULL, tls_cipherspec_pair::pending, tls_connection::plainstream, privkey_get(), tls_tx::process, process_init_stopped(), tls_client::random, tls_client_random::random, rc, ref_init, ref_put, tls_connection::refcnt, root, tls_server::root, root_certificates, tls_connection::rx, tls_connection::server, tls_connection::session, tls_cipherstream_desc, tls_clear_cipher(), tls_clear_handshake(), tls_generate_random(), tls_plainstream_desc, tls_process_desc, tls_restart(), tls_validator_desc, TLS_VERSION_MAX, tls_connection::tx, tls_server::validator, tls_connection::version, and x509_root_get().
Referenced by apply_syslogs_settings(), https_filter(), ipair_rx_session(), and REQUIRING_SYMBOL().
extern struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm
Public key exchange algorithm.
Definition at line 1486 of file tls.c.
Referenced by six __tls_cipher_suite() cipher suite declarations.
extern struct tls_key_exchange_algorithm tls_dhe_exchange_algorithm
Ephemeral Diffie-Hellman key exchange algorithm.
Definition at line 1701 of file tls.c.
Referenced by six __tls_cipher_suite() cipher suite declarations.
extern struct tls_key_exchange_algorithm tls_ecdhe_exchange_algorithm
Ephemeral Elliptic Curve Diffie-Hellman key exchange algorithm.
Definition at line 1831 of file tls.c.
Referenced by six __tls_cipher_suite() cipher suite declarations.