diff --git a/hal/inc/tls_ciphers.h b/hal/inc/tls_ciphers.h new file mode 100644 index 00000000..63918f1e --- /dev/null +++ b/hal/inc/tls_ciphers.h @@ -0,0 +1,262 @@ +#ifndef IANA_TLS_CIPHER_SUITES_H_ +#define IANA_TLS_CIPHER_SUITES_H_ + +#ifdef __cplusplus +extern "C" { +#endif + +#define TLS_NULL_WITH_NULL_NULL 0x0000 +#define TLS_RSA_WITH_NULL_MD5 0x0001 +#define TLS_RSA_WITH_NULL_SHA 0x0002 +#define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 +#define TLS_RSA_WITH_RC4_128_MD5 0x0004 +#define TLS_RSA_WITH_RC4_128_SHA 0x0005 +#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 +#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 +#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 +#define TLS_RSA_WITH_DES_CBC_SHA 0x0009 +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A +#define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000B +#define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000C +#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D +#define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000E +#define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000F +#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 +#define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 +#define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 +#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 +#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 +#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 +#define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017 +#define TLS_DH_anon_WITH_RC4_128_MD5 0x0018 +#define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019 +#define TLS_DH_anon_WITH_DES_CBC_SHA 0x001A +#define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001B +#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 +#define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 +#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 +#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A +#define TLS_RSA_WITH_NULL_SHA256 0x003B +#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C +#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 +#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 +#define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042 +#define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043 +#define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044 +#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045 +#define TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA 0x0046 +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068 +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069 +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B +#define TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C +#define TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D +#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 +#define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085 +#define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0086 +#define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087 +#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088 +#define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA 0x0089 +#define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 +#define TLS_DH_DSS_WITH_SEED_CBC_SHA 0x0097 +#define TLS_DH_RSA_WITH_SEED_CBC_SHA 0x0098 +#define TLS_DHE_DSS_WITH_SEED_CBC_SHA 0x0099 +#define TLS_DHE_RSA_WITH_SEED_CBC_SHA 0x009A +#define TLS_DH_anon_WITH_SEED_CBC_SHA 0x009B +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C +#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E +#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F +#define TLS_DH_RSA_WITH_AES_128_GCM_SHA256 0x00A0 +#define TLS_DH_RSA_WITH_AES_256_GCM_SHA384 0x00A1 +#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 +#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3 +#define TLS_DH_DSS_WITH_AES_128_GCM_SHA256 0x00A4 +#define TLS_DH_DSS_WITH_AES_256_GCM_SHA384 0x00A5 +#define TLS_DH_anon_WITH_AES_128_GCM_SHA256 0x00A6 +#define TLS_DH_anon_WITH_AES_256_GCM_SHA384 0x00A7 +#define TLS_PSK_WITH_AES_128_CBC_SHA 0x008C +#define TLS_PSK_WITH_AES_256_CBC_SHA 0x008D +#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x008E +#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x008F +#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA 0x0090 +#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA 0x0091 +#define TLS_PSK_WITH_AES_128_CBC_SHA256 0x00AE +#define TLS_PSK_WITH_AES_256_CBC_SHA384 0x00AF +#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 0x00B0 +#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 0x00B1 +#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 0x00B2 +#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 0x00B3 +#define TLS_PSK_WITH_NULL_SHA 0x002C +#define TLS_DHE_PSK_WITH_NULL_SHA 0x002D +#define TLS_RSA_PSK_WITH_NULL_SHA 0x002E +#define TLS_PSK_WITH_NULL_SHA256 0x00B4 +#define TLS_PSK_WITH_NULL_SHA384 0x00B5 +#define TLS_DHE_PSK_WITH_NULL_SHA256 0x00B6 +#define TLS_DHE_PSK_WITH_NULL_SHA384 0x00B7 +#define TLS_RSA_PSK_WITH_NULL_SHA256 0x00B8 +#define TLS_RSA_PSK_WITH_NULL_SHA384 0x00B9 +#define TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 +#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002 +#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003 +#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004 +#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005 +#define TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 +#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007 +#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008 +#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 +#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A +#define TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B +#define TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C +#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D +#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E +#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F +#define TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 +#define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 +#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 +#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 +#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 +#define TLS_ECDH_anon_WITH_NULL_SHA 0xC015 +#define TLS_ECDH_anon_WITH_RC4_128_SHA 0xC016 +#define TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 0xC017 +#define TLS_ECDH_anon_WITH_AES_128_CBC_SHA 0xC018 +#define TLS_ECDH_anon_WITH_AES_256_CBC_SHA 0xC019 +#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 +#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 +#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025 +#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026 +#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 +#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 +#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029 +#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B +#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C +#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D +#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E +#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F +#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 +#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 +#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 +#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035 +#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036 +#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 +#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 0xC038 +#define TLS_ECDHE_PSK_WITH_NULL_SHA 0xC039 +#define TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A +#define TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B +#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 +#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 +#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC074 +#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC075 +#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC076 +#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC077 +#define TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC078 +#define TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC079 +#define TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C +#define TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D +#define TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 0xC03E +#define TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 0xC03F +#define TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 0xC040 +#define TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 0xC041 +#define TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 0xC042 +#define TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 0xC043 +#define TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 +#define TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 +#define TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 0xC046 +#define TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 0xC047 +#define TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 +#define TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 +#define TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A +#define TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B +#define TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C +#define TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D +#define TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E +#define TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F +#define TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 +#define TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 +#define TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 +#define TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 +#define TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 0xC054 +#define TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 0xC055 +#define TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 0xC056 +#define TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 0xC057 +#define TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 0xC058 +#define TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 0xC059 +#define TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 0xC05A +#define TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 0xC05B +#define TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C +#define TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D +#define TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E +#define TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F +#define TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 +#define TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 +#define TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 +#define TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 +#define TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 +#define TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 +#define TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 +#define TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 +#define TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 +#define TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 +#define TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A +#define TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B +#define TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C +#define TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D +#define TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E +#define TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F +#define TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 +#define TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 +#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC076 +#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC077 +#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC078 +#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC079 +#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07A +#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07B +#define TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07C +#define TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07D +#define TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC07E +#define TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC07F +#define TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC080 +#define TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC081 +#define TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC082 +#define TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC083 +#define TLS_ECDHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC084 +#define TLS_ECDHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC085 +#define TLS_RSA_WITH_AES_128_CCM 0xC09C +#define TLS_RSA_WITH_AES_256_CCM 0xC09D +#define TLS_DHE_RSA_WITH_AES_128_CCM 0xC09E +#define TLS_DHE_RSA_WITH_AES_256_CCM 0xC09F +#define TLS_RSA_WITH_AES_128_CCM_8 0xC0A0 +#define TLS_RSA_WITH_AES_256_CCM_8 0xC0A1 +#define TLS_DHE_RSA_WITH_AES_128_CCM_8 0xC0A2 +#define TLS_DHE_RSA_WITH_AES_256_CCM_8 0xC0A3 +#define TLS_PSK_WITH_AES_128_CCM 0xC0A4 +#define TLS_PSK_WITH_AES_256_CCM 0xC0A5 +#define TLS_DHE_PSK_WITH_AES_128_CCM 0xC0A6 +#define TLS_DHE_PSK_WITH_AES_256_CCM 0xC0A7 +#define TLS_PSK_WITH_AES_128_CCM_8 0xC0A8 +#define TLS_PSK_WITH_AES_256_CCM_8 0xC0A9 +#define TLS_PSK_DHE_WITH_AES_128_CCM_8 0xC0AA +#define TLS_PSK_DHE_WITH_AES_256_CCM_8 0xC0AB +#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC + +// ... add more cipher suite codes here ... + +#ifdef __cplusplus +} +#endif + +#endif /* IANA_TLS_CIPHER_SUITES_H_ */ \ No newline at end of file diff --git a/hal/inc/tls_config.h b/hal/inc/tls_config.h index 2896a108..c91f180a 100644 --- a/hal/inc/tls_config.h +++ b/hal/inc/tls_config.h @@ -3,7 +3,7 @@ * * TLS Configuration API for protocol stacks using TCP/IP * - * Copyright 2017-2022 Michael Zillgith + * Copyright 2017-2024 Michael Zillgith * * Abstraction layer for configuration of different TLS implementations * @@ -17,6 +17,7 @@ extern "C" { #endif #include "hal_base.h" +#include "tls_ciphers.h" /** * \file tls_config.h @@ -90,6 +91,7 @@ typedef enum { #define TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED 13 #define TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED 14 #define TLS_EVENT_CODE_ALM_NO_CIPHER 15 +#define TLS_EVENT_CODE_INF_SESSION_ESTABLISHED 16 typedef struct sTLSConnection* TLSConnection; @@ -303,6 +305,23 @@ TLSConfiguration_addCRLFromFile(TLSConfiguration self, const char* filename); PAL_API void TLSConfiguration_resetCRL(TLSConfiguration self); +/** + * \brief Add an allowed ciphersuite to the list of allowed ciphersuites + * + * \param self the TLS configuration instance + * \param ciphersuite the ciphersuite to add (IANA cipher suite ID) + */ +PAL_API void +TLSConfiguration_addCipherSuite(TLSConfiguration self, int ciphersuite); + +/** + * \brief Clear the list of allowed ciphersuites + * + * \param self the TLS configuration instance + */ +PAL_API void +TLSConfiguration_clearCipherSuiteList(TLSConfiguration self); + /** * Release all resource allocated by the TLSConfiguration instance * diff --git a/hal/tls/mbedtls/mbedtls_config.h b/hal/tls/mbedtls/mbedtls_config.h index 4cb77222..f294c9d0 100644 --- a/hal/tls/mbedtls/mbedtls_config.h +++ b/hal/tls/mbedtls/mbedtls_config.h @@ -17,6 +17,8 @@ #define MBEDTLS_SSL_PROTO_TLS1_1 #define MBEDTLS_SSL_PROTO_TLS1 #define MBEDTLS_SSL_RENEGOTIATION +#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES +#define MBEDTLS_CIPHER_NULL_CIPHER #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES diff --git a/hal/tls/mbedtls/tls_mbedtls.c b/hal/tls/mbedtls/tls_mbedtls.c index 06b98234..7470e3d2 100644 --- a/hal/tls/mbedtls/tls_mbedtls.c +++ b/hal/tls/mbedtls/tls_mbedtls.c @@ -3,7 +3,7 @@ * * TLS API for TCP/IP protocol stacks * - * Copyright 2017-2022 Michael Zillgith + * Copyright 2017-2024 Michael Zillgith * * Implementation of the TLS abstraction layer for mbedtls * @@ -20,7 +20,6 @@ #include "mbedtls/platform.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" -#include "mbedtls/certs.h" #include "mbedtls/x509.h" #include "mbedtls/ssl.h" #include "mbedtls/net_sockets.h" @@ -86,6 +85,9 @@ struct sTLSConfiguration { bool useSessionResumption; int sessionResumptionInterval; /* session resumption interval in seconds */ + + int* ciphersuites; + int maxCiphersuites; }; struct sTLSSocket { @@ -115,9 +117,10 @@ raiseSecurityEvent(TLSConfiguration config, TLSEventLevel eventCategory, int eve static bool compareCertificates(mbedtls_x509_crt *crt1, mbedtls_x509_crt *crt2) { - if (crt1 != NULL && crt2 != NULL) { - - if (crt1->sig.len == crt2->sig.len) { + if (crt1 != NULL && crt2 != NULL) + { + if (crt1->sig.len == crt2->sig.len) + { if (memcmp(crt1->sig.p, crt2->sig.p, crt1->sig.len) == 0) return true; } @@ -142,28 +145,32 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth DEBUG_PRINT("TLS", "%s\n", buffer); - if (self->tlsConfig->chainValidation == false) { + if (self->tlsConfig->chainValidation == false) + { if (certificate_depth != 0) *flags = 0; } - if (certificate_depth == 0) { - if (self->tlsConfig->allowOnlyKnownCertificates) { - + if (certificate_depth == 0) + { + if (self->tlsConfig->allowOnlyKnownCertificates) + { DEBUG_PRINT("TLS", "Check against list of allowed certs\n"); bool certMatches = false; LinkedList certList = LinkedList_getNext(self->tlsConfig->allowedCertificates); - while (certList) { + while (certList) + { mbedtls_x509_crt* allowedCert = (mbedtls_x509_crt*) LinkedList_getData(certList); DEBUG_PRINT("TLS", "Compare With:\n"); mbedtls_x509_crt_info(buffer, 1023, " ", allowedCert); DEBUG_PRINT("TLS", "%s\n", buffer); - if (compareCertificates(allowedCert, crt)) { + if (compareCertificates(allowedCert, crt)) + { certMatches = true; break; } @@ -173,7 +180,8 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth if (certMatches) *flags = 0; - else { + else + { raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED, "Alarm: certificate validation: trusted individual certificate not available", self); *flags |= MBEDTLS_X509_BADCERT_OTHER; @@ -181,20 +189,19 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth } } - if (self->storePeerCert) { - - if (*flags == 0) { - + if (self->storePeerCert) + { + if (*flags == 0) + { self->peerCertLength = 0; self->peerCert = (uint8_t*) GLOBAL_MALLOC(crt->raw.len); - if (self->peerCert) { + if (self->peerCert) + { self->peerCertLength = (int)crt->raw.len; memcpy(self->peerCert, crt->raw.p, self->peerCertLength); } - } - } } @@ -207,10 +214,12 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth static bool TLSConfiguration_setupComplete(TLSConfiguration self) { - if (self->setupComplete == false) { + if (self->setupComplete == false) + { mbedtls_ssl_conf_ca_chain( &(self->conf), &(self->cacerts), &(self->crl) ); - if (self->ownCertificate.version > 0) { + if (self->ownCertificate.version > 0) + { int ret = mbedtls_ssl_conf_own_cert( &(self->conf), &(self->ownCertificate), &(self->ownKey)); if (ret != 0) { @@ -219,11 +228,13 @@ TLSConfiguration_setupComplete(TLSConfiguration self) } } - if (self->useSessionResumption) { + if (self->useSessionResumption) + { if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) { } - else { + else + { mbedtls_ssl_cache_init( &(self->cache) ); self->cache.timeout = self->sessionResumptionInterval; @@ -234,18 +245,71 @@ TLSConfiguration_setupComplete(TLSConfiguration self) } } + mbedtls_ssl_conf_ciphersuites(&(self->conf), self->ciphersuites); + self->setupComplete = true; } return true; } +void +TLSConfiguration_addCipherSuite(TLSConfiguration self, int ciphersuite) +{ + /* search last index */ + int nextIndex = 0; + int i; + + for (i = 0; i < self->maxCiphersuites; i++) + { + if (self->ciphersuites[i] == 0) + { + nextIndex = i; + break; + } + } + + if (nextIndex == self->maxCiphersuites) + { + /* reallocate space for ciphersuites list */ + int newMaxCiphersuites = self->maxCiphersuites + 10; + + int* newCiphersuites = (int*)GLOBAL_CALLOC(newMaxCiphersuites, sizeof(int)); + + if (newCiphersuites) + { + for (i = 0; i < self->maxCiphersuites; i++) + { + newCiphersuites[i] = self->ciphersuites[i]; + } + + GLOBAL_FREEMEM(self->ciphersuites); + self->ciphersuites = newCiphersuites; + self->maxCiphersuites = newMaxCiphersuites; + + TLSConfiguration_addCipherSuite(self, ciphersuite); + } + } + else + { + self->ciphersuites[nextIndex] = ciphersuite; + self->ciphersuites[nextIndex + 1] = 0; + } +} + +void +TLSConfiguration_clearCipherSuiteList(TLSConfiguration self) +{ + self->ciphersuites[0] = 0; +} + TLSConfiguration TLSConfiguration_create() { TLSConfiguration self = (TLSConfiguration) GLOBAL_CALLOC(1, sizeof(struct sTLSConfiguration)); - if (self != NULL) { + if (self != NULL) + { mbedtls_ssl_config_init( &(self->conf) ); mbedtls_x509_crt_init( &(self->ownCertificate) ); mbedtls_x509_crt_init( &(self->cacerts) ); @@ -267,10 +331,7 @@ TLSConfiguration_create() mbedtls_ssl_conf_renegotiation(&(self->conf), MBEDTLS_SSL_RENEGOTIATION_ENABLED); - /* static int hashes[] = {3,4,5,6,7,8,0}; */ - /* mbedtls_ssl_conf_sig_hashes(&(self->conf), hashes); */ - - self->minVersion = TLS_VERSION_TLS_1_0; + self->minVersion = TLS_VERSION_TLS_1_2; self->maxVersion = TLS_VERSION_NOT_SELECTED; self->renegotiationTimeInMs = -1; /* no automatic renegotiation */ @@ -289,6 +350,31 @@ TLSConfiguration_create() self->sessionResumptionInterval = 21600; /* default value: 6h */ self->savedSession = NULL; self->savedSessionTime = 0; + + self->ciphersuites = (int*)GLOBAL_CALLOC(20, sizeof(int)); + + if (self->ciphersuites) + { + self->maxCiphersuites = 20; + + /* mandatory cipher suites by IEC 62351-4:2018 */ + self->ciphersuites[0] = MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256; + /* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_GCM_SHA256; */ /* weak - not supported? */ + self->ciphersuites[1] = MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256; + self->ciphersuites[2] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; + + /* recommended cipher suites by IEC 62351-4:2018 */ + + /* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_CBC_SHA256; */ /* weak - not supported?*/ + /* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_256_GCM_SHA384; */ /* not supported?*/ + self->ciphersuites[3] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; + self->ciphersuites[4] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; + self->ciphersuites[5] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; + + /* additional ciphersuites */ + self->ciphersuites[6] = MBEDTLS_TLS_RSA_WITH_NULL_SHA256; + self->ciphersuites[7] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; + } } return self; @@ -394,11 +480,13 @@ TLSConfiguration_addAllowedCertificate(TLSConfiguration self, uint8_t* certifica int ret = mbedtls_x509_crt_parse(cert, certificate, certLen); - if (ret == 0) { + if (ret == 0) + { LinkedList_add(self->allowedCertificates, cert); return true; } - else { + else + { GLOBAL_FREEMEM(cert); return false; } @@ -411,11 +499,13 @@ TLSConfiguration_addAllowedCertificateFromFile(TLSConfiguration self, const char int ret = mbedtls_x509_crt_parse_file(cert, filename); - if (ret == 0) { + if (ret == 0) + { LinkedList_add(self->allowedCertificates, cert); return true; } - else { + else + { GLOBAL_FREEMEM(cert); return false; } @@ -426,7 +516,8 @@ TLSConfiguration_addCACertificate(TLSConfiguration self, uint8_t* certificate, i { int ret = mbedtls_x509_crt_parse(&(self->cacerts), certificate, certLen); - if (ret != 0) { + if (ret != 0) + { DEBUG_PRINT("TLS", "mbedtls_x509_crt_parse returned -0x%x\n", -ret); return false; } @@ -458,7 +549,8 @@ udpatedCRL(TLSConfiguration self) { mbedtls_ssl_cache_entry *cur = self->cache.chain; - while (cur) { + while (cur) + { cur->timestamp = 0; cur = cur->next; } @@ -512,14 +604,18 @@ TLSConfiguration_setRenegotiationTime(TLSConfiguration self, int timeInMs) void TLSConfiguration_destroy(TLSConfiguration self) { - if (self->useSessionResumption) { - if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) { - if (self->savedSession) { + if (self->useSessionResumption) + { + if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) + { + if (self->savedSession) + { mbedtls_ssl_session_free(self->savedSession); GLOBAL_FREEMEM(self->savedSession); } } - else { + else + { mbedtls_ssl_cache_free(&(self->cache)); } } @@ -532,7 +628,8 @@ TLSConfiguration_destroy(TLSConfiguration self) LinkedList certElem = LinkedList_getNext(self->allowedCertificates); - while (certElem) { + while (certElem) + { mbedtls_x509_crt* cert = (mbedtls_x509_crt*) LinkedList_getData(certElem); mbedtls_x509_crt_free(cert); @@ -621,7 +718,8 @@ readFunction(void* ctx, unsigned char* buf, size_t len) { int ret = Socket_read((Socket) ctx, buf, (int)len); - if ((ret == 0) && (len > 0)) { + if ((ret == 0) && (len > 0)) + { return MBEDTLS_ERR_SSL_WANT_READ; } @@ -631,7 +729,14 @@ readFunction(void* ctx, unsigned char* buf, size_t len) static int writeFunction(void* ctx, unsigned char* buf, size_t len) { - return Socket_write((Socket)ctx, buf, (int)len); + int ret = Socket_write((Socket)ctx, buf, (int)len); + + if ((ret == 0) && (len > 0)) + { + return MBEDTLS_ERR_SSL_WANT_WRITE; + } + + return ret; } static TLSConfigVersion @@ -640,7 +745,8 @@ getTLSVersion(int majorVersion, int minorVersion) if (majorVersion != 3) { return TLS_VERSION_NOT_SELECTED; } - else { + else + { switch (minorVersion) { case 0: return TLS_VERSION_SSL_3_0; @@ -721,7 +827,8 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient self->crlUpdated = configuration->crlUpdated; - if (configuration->minVersion != TLS_VERSION_NOT_SELECTED) { + if (configuration->minVersion != TLS_VERSION_NOT_SELECTED) + { /* set minimum TLS version */ int majorVer = getMajorVersion(configuration->minVersion); @@ -730,7 +837,8 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient mbedtls_ssl_conf_min_version( &(self->conf), majorVer, minorVer); } - if (configuration->maxVersion != TLS_VERSION_NOT_SELECTED) { + if (configuration->maxVersion != TLS_VERSION_NOT_SELECTED) + { /* set maximum TLS version */ int majorVer = getMajorVersion(configuration->maxVersion); @@ -739,7 +847,8 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient mbedtls_ssl_conf_max_version( &(self->conf), majorVer, minorVer); } - if (configuration->ownCertificate.version > 0) { + if (configuration->ownCertificate.version > 0) + { ret = mbedtls_ssl_conf_own_cert( &(self->conf), &(configuration->ownCertificate), &(configuration->ownKey)); if (ret != 0) @@ -754,30 +863,31 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient mbedtls_ssl_set_bio(&(self->ssl), socket, (mbedtls_ssl_send_t*) writeFunction, (mbedtls_ssl_recv_t*) readFunction, NULL); - bool reuseSession = false; - - if (configuration->useSessionResumption) { - if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) { - if (configuration->savedSession && configuration->savedSessionTime > 0) { - - if (Hal_getTimeInMs() < (configuration->savedSessionTime + configuration->sessionResumptionInterval * 1000)) { - + if (configuration->useSessionResumption) + { + if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) + { + if (configuration->savedSession && configuration->savedSessionTime > 0) + { + if (Hal_getTimeInMs() < (configuration->savedSessionTime + configuration->sessionResumptionInterval * 1000)) + { ret = mbedtls_ssl_set_session(&(self->ssl), configuration->savedSession); - if (ret != 0) { + if (ret != 0) + { DEBUG_PRINT("TLS", "mbedtls_ssl_set_session returned %d\n", ret); configuration->savedSessionTime = 0; } - else { + else + { DEBUG_PRINT("TLS", "resume TLS session\n"); - reuseSession = true; } } - else { + else + { configuration->savedSessionTime = 0; DEBUG_PRINT("TLS", "cached session expired\n"); } - } } } @@ -804,22 +914,27 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient } } - if (configuration->useSessionResumption) { - if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) { - - if (configuration->savedSession == NULL) { + if (configuration->useSessionResumption) + { + if (configuration->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) + { + if (configuration->savedSession == NULL) + { configuration->savedSession = (mbedtls_ssl_session*)GLOBAL_CALLOC(1, sizeof(mbedtls_ssl_session)); } - if (configuration->savedSession) { - - if (configuration->savedSessionTime == 0) { + if (configuration->savedSession) + { + if (configuration->savedSessionTime == 0) + { ret = mbedtls_ssl_get_session(&(self->ssl), configuration->savedSession); - if (ret != 0) { + if (ret != 0) + { DEBUG_PRINT("TLS", "mbedtls_ssl_get_session returned %d\n", ret); } - else { + else + { configuration->savedSessionTime = Hal_getTimeInMs(); } } @@ -833,6 +948,16 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient raiseSecurityEvent(configuration, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_INSECURE_TLS_VERSION, "Warning: Insecure TLS version", self); } + /* create event that TLS session is established */ + { + char msg[256]; + + const char* cipherSuite = mbedtls_ssl_get_ciphersuite(&(self->ssl)); + + snprintf(msg, 255, "Info: Session established with cipher suite %s", cipherSuite); + + raiseSecurityEvent(configuration, TLS_SEC_EVT_INFO, TLS_EVENT_CODE_INF_SESSION_ESTABLISHED, msg, self); + } } return self; @@ -853,17 +978,18 @@ TLSSocket_performHandshake(TLSSocket self) int ret = mbedtls_ssl_renegotiate(&(self->ssl)); if (ret == 0 || ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE || - ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS || ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { + ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS || ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) + { if (getTLSVersion(self->ssl.major_ver, self->ssl.minor_ver) < TLS_VERSION_TLS_1_2) { raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_INSECURE_TLS_VERSION, "Warning: Insecure TLS version", self); } - DEBUG_PRINT("TLS", "TLSSocket_performHandshake Success -> ret=%i\n", ret); raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INFO, TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION, "TLS session renegotiation completed", self); return true; } - else { + else + { DEBUG_PRINT("TLS", "TLSSocket_performHandshake failed -> ret=%i\n", ret); raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION, "Alarm: TLS session renegotiation failed", self); @@ -904,10 +1030,17 @@ startRenegotiationIfRequired(TLSSocket self) if (Hal_getTimeInMs() <= self->lastRenegotiationTime + self->tlsConfig->renegotiationTimeInMs) return true; + raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INFO, TLS_EVENT_CODE_INF_SESSION_RENEGOTIATION, "Info: session renegotiation started", self); + if (TLSSocket_performHandshake(self) == false) + { + DEBUG_PRINT("TLS", " renegotiation failed\n"); return false; + } + DEBUG_PRINT("TLS", " started renegotiation\n"); self->lastRenegotiationTime = Hal_getTimeInMs(); + return true; } @@ -1024,7 +1157,6 @@ TLSSocket_close(TLSSocket self) if (self->peerCert) GLOBAL_FREEMEM(self->peerCert); - GLOBAL_FREEMEM(self); }