/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#pragma once

#include "crypto/s2n_hash.h"

/* Codes from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5
 *
 * Each cipher suite macro expands to two comma-separated byte values (the
 * code point, first byte then second byte), not to a single integer, so it is
 * only meaningful where a two-element byte list is expected.
 *
 * NOTE(review): the table includes legacy suites (NULL, RC4, 3DES, CBC with
 * SHA-1/MD5 MACs, static RSA key exchange). A code point being defined here
 * does not show whether it is ever offered or accepted; presumably that is
 * decided by preference lists defined elsewhere. Confirm before reusing a
 * macro in a new policy.
 */
#define TLS_NULL_WITH_NULL_NULL 0x00, 0x00
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x00, 0x3D
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x00, 0x35
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x00, 0x3C
#define TLS_RSA_WITH_AES_128_CBC_SHA 0x00, 0x2F
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x00, 0x0A
#define TLS_RSA_WITH_RC4_128_MD5 0x00, 0x04
#define TLS_RSA_WITH_RC4_128_SHA 0x00, 0x05

#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x00, 0x33
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x00, 0x67
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x00, 0x39
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x00, 0x6B
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x00, 0x16

#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC0, 0x09
#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC0, 0x23
#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC0, 0x0A
#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC0, 0x24

#define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC0, 0x11
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC0, 0x13
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC0, 0x27
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC0, 0x14
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC0, 0x28
#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC0, 0x12

#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x00, 0x9C
#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x00, 0x9D
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x00, 0x9E
#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x00, 0x9F
#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC0, 0x2B
#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC0, 0x2C
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC0, 0x2F
#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC0, 0x30

#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCC, 0xA8
#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCC, 0xA9
#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCC, 0xAA

/* TLS 1.2 hybrid post-quantum definitions from https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
 *
 * The cipher suite is a two-byte list like the suites above; the extension
 * type and the KEM extension id are single integers.
 */
#define TLS_ECDHE_KYBER_RSA_WITH_AES_256_GCM_SHA384 0xFF, 0x0C
#define TLS_EXTENSION_PQ_KEM_PARAMETERS 0xFE01
#define TLS_PQ_KEM_EXTENSION_ID_KYBER_512_R3 28

/* TLS 1.3 hybrid post-quantum definitions are from the proposed reserved range defined
 * in https://tools.ietf.org/html/draft-stebila-tls-hybrid-design. Values for interoperability are defined in
 * https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md and
 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 *
 * The *_KYBER_*_R3 and *_MLKEM_* identifiers are separate families with
 * separate code points; one cannot stand in for the other on the wire.
 *
 * NOTE(review): TLS_PQ_KEM_GROUP_ID_MLKEM_1024 names no classical curve, so it
 * appears to be a standalone ML-KEM group rather than a hybrid, despite the
 * heading of this section. Confirm.
 */
#define TLS_PQ_KEM_GROUP_ID_SECP256R1_MLKEM_768 0x11EB
#define TLS_PQ_KEM_GROUP_ID_X25519_MLKEM_768 0x11EC
#define TLS_PQ_KEM_GROUP_ID_SECP384R1_MLKEM_1024 0x11ED
#define TLS_PQ_KEM_GROUP_ID_MLKEM_1024 0x0202
#define TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3 0x2F39
#define TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3 0x2F3A
#define TLS_PQ_KEM_GROUP_ID_SECP384R1_KYBER_768_R3 0x2F3C
#define TLS_PQ_KEM_GROUP_ID_SECP521R1_KYBER_1024_R3 0x2F3D
#define TLS_PQ_KEM_GROUP_ID_X25519_KYBER_768_R3 0x6399
#define TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_768_R3 0x639A

/* Signaling cipher suite values (SCSVs). They travel in the cipher suite list
 * but select no cipher; each expands to a two-byte list like a cipher suite.
 *
 * TLS_FALLBACK_SCSV is from https://tools.ietf.org/html/rfc7507 (downgrade
 * protection). TLS_EMPTY_RENEGOTIATION_INFO_SCSV is defined by RFC 5746
 * (secure renegotiation indication), not by RFC 7507.
 */
#define TLS_FALLBACK_SCSV 0x56, 0x00
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00, 0xff

/* TLS 1.3 cipher suites from https://tools.ietf.org/html/rfc8446#appendix-B.4 */
#define TLS_AES_128_GCM_SHA256 0x13, 0x01
#define TLS_AES_256_GCM_SHA384 0x13, 0x02
#define TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03
#define TLS_AES_128_CCM_SHA256 0x13, 0x04
#define TLS_AES_128_CCM_8_SHA256 0x13, 0x05

/* TLS extensions from https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
 *
 * Extension types are single integers (decimal here), unlike the two-byte
 * cipher suite lists above.
 */
#define TLS_EXTENSION_SERVER_NAME 0
#define TLS_EXTENSION_MAX_FRAG_LEN 1
#define TLS_EXTENSION_STATUS_REQUEST 5
#define TLS_EXTENSION_SUPPORTED_GROUPS 10
#define TLS_EXTENSION_EC_POINT_FORMATS 11
#define TLS_EXTENSION_SIGNATURE_ALGORITHMS 13
#define TLS_EXTENSION_ALPN 16
#define TLS_EXTENSION_SCT_LIST 18
#define TLS_EXTENSION_EMS 23
#define TLS_EXTENSION_SESSION_TICKET 35
#define TLS_EXTENSION_PRE_SHARED_KEY 41
#define TLS_EXTENSION_CERT_AUTHORITIES 47
#define TLS_EXTENSION_RENEGOTIATION_INFO 65281 /* 0xFF01 */

/* The NPN extension was never standardized, therefore there is no official
 * IANA value. However, OpenSSL does have a chosen value for this extension
 * and that is what is used here.
 */
#define TLS_EXTENSION_NPN 13172

/* TLS 1.3 extensions from https://tools.ietf.org/html/rfc8446#section-4.2 */
#define TLS_EXTENSION_EARLY_DATA 42
#define TLS_EXTENSION_SUPPORTED_VERSIONS 43
#define TLS_EXTENSION_COOKIE 44
#define TLS_EXTENSION_PSK_KEY_EXCHANGE_MODES 45
#define TLS_EXTENSION_KEY_SHARE 51

/* TLS 1.3 pre-shared key exchange modes from https://tools.ietf.org/html/rfc8446#section-4.2.9
 *
 * TLS_PSK_KE_MODE is PSK-only key establishment; TLS_PSK_DHE_KE_MODE combines
 * the PSK with an (EC)DHE exchange.
 */
#define TLS_PSK_KE_MODE 0
#define TLS_PSK_DHE_KE_MODE 1

/**
 *= https://www.rfc-editor.org/rfc/rfc9001#8.2
 *# enum {
 *#    quic_transport_parameters(0x39), (65535)
 *# } ExtensionType;
 */
#define TLS_EXTENSION_QUIC_TRANSPORT_PARAMETERS 0x39

/* TLS SignatureScheme (Backwards compatible with SigHash and SigAlg values above) */
/* Defined here: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme */
/* NOTE(review): no SigHash or SigAlg values are defined above in this part of
 * the file, so "above" presumably refers to definitions elsewhere. For the
 * PKCS1 and ECDSA values below, the high byte matches the TLS 1.2
 * HashAlgorithm and the low byte the SignatureAlgorithm. The SHA1 and SHA224
 * schemes are legacy; a value being defined here does not show whether any
 * preference list offers it.
 */
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1 0x0201
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224 0x0301
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256 0x0401
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384 0x0501
#define TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512 0x0601

/* In TLS 1.0 and 1.1 the hard-coded default scheme was RSA_PKCS1_MD5_SHA1, but there's no IANA defined backwards
 * compatible value for that Scheme for TLS 1.2 and 1.3. So we define an internal value in the private range that won't
 * match anything in the valid range so that all TLS Versions can use the same SignatureScheme negotiation abstraction
 * layer. This scheme isn't in any preference list, so it can't be negotiated even if a client sent it in its pref list.
 *
 * NOTE(review): that guarantee rests on the preference lists, which are not
 * defined in this file. Keep this value out of every list.
 */
#define TLS_SIGNATURE_SCHEME_PRIVATE_INTERNAL_RSA_PKCS1_MD5_SHA1 0xFFFF

/* TLS 1.2 Backwards Compatible ECDSA Schemes */
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA1 0x0203
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA224 0x0303
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA256 0x0403
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA384 0x0503
#define TLS_SIGNATURE_SCHEME_ECDSA_SHA512 0x0603

/* RSA-PSS and EdDSA schemes. These use the 0x08xx code points rather than the
 * hash/signature byte pairing of the schemes above.
 */
#define TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256 0x0804
#define TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384 0x0805
#define TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512 0x0806
#define TLS_SIGNATURE_SCHEME_ED25519 0x0807
#define TLS_SIGNATURE_SCHEME_ED448 0x0808
#define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256 0x0809
#define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384 0x080A
#define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512 0x080B

/* ML-DSA: post-quantum signature schemes */
#define TLS_SIGNATURE_SCHEME_MLDSA44 0x0904
#define TLS_SIGNATURE_SCHEME_MLDSA65 0x0905
#define TLS_SIGNATURE_SCHEME_MLDSA87 0x0906

/* Size in bytes of one SignatureScheme on the wire (every value above fits in
 * 16 bits).
 * NOTE(review): the unit of TLS_SIGNATURE_SCHEME_LIST_MAX_LEN (entries or
 * bytes) is not visible here. Confirm before using it as a bound on a
 * peer-supplied list.
 */
#define TLS_SIGNATURE_SCHEME_LEN 2
#define TLS_SIGNATURE_SCHEME_LIST_MAX_LEN 128

/* The TLS record types we support.
 *
 * 20 to 23 are the TLS ContentType values.
 * NOTE(review): SSLv2_CLIENT_HELLO (1) is outside that numbering; presumably
 * it is the SSLv2 message-type byte. Confirm against the record parser.
 */
#define SSLv2_CLIENT_HELLO 1
#define TLS_CHANGE_CIPHER_SPEC 20
#define TLS_ALERT 21
#define TLS_HANDSHAKE 22
#define TLS_APPLICATION_DATA 23

/* Elliptic curve formats from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-9
 * Only uncompressed is supported.
 */
#define TLS_EC_FORMAT_UNCOMPRESSED 0
#define TLS_EC_FORMAT_ANSIX962_COMPRESSED_PRIME 1
#define TLS_EC_FORMAT_ANSIX962_COMPRESSED_CHAR2 2

/* Elliptic curves from https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
#define TLS_EC_CURVE_SECP_256_R1 23
#define TLS_EC_CURVE_SECP_384_R1 24
#define TLS_EC_CURVE_SECP_521_R1 25
#define TLS_EC_CURVE_ECDH_X25519 29
#define TLS_EC_CURVE_ECDH_X448 30

/* Ethernet maximum transmission unit (MTU).
 * MTU is usually associated with the Ethernet protocol,
 * where a 1500-byte packet is the largest allowed.
 */
#define ETH_MTU 1500

/* Header sizes in bytes. The IPv4 and TCP values are the sizes without options. */
#define IP_V4_HEADER_LENGTH 20
#define IP_V6_HEADER_LENGTH 40

#define TCP_HEADER_LENGTH 20
#define TCP_OPTIONS_LENGTH 40

/* Value 0 for the maximum fragment length setting.
 * NOTE(review): by its name this means "extension not negotiated". Confirm.
 */
#define S2N_TLS_MAX_FRAG_LEN_EXT_NONE 0

/* The maximum size of an SSL2 message is 2^14 - 1, as neither of the first two
 * bits in the length field are usable. Per
 * http://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
 * section 1.1
 */
#define S2N_SSL2_RECORD_HEADER_LENGTH 2
#define S2N_SSL2_MAXIMUM_MESSAGE_LENGTH 16383
#define S2N_SSL2_MAXIMUM_RECORD_LENGTH (S2N_SSL2_MAXIMUM_MESSAGE_LENGTH + S2N_SSL2_RECORD_HEADER_LENGTH)

/* s2n can use a "small" record length that is aligned to the dominant internet MTU;
 * 1500 bytes, minus 20 bytes for an IP header, minus 20 bytes for a tcp
 * header and 20 bytes for tcp/ip options (timestamp, sack etc) and a "large" record
 * length that is designed to maximize throughput (fewer MACs per byte transferred
 * and better efficiency of crypto engines).
 *
 * NOTE(review): the expression below repeats the literals 1500 and 20 instead
 * of using ETH_MTU, IP_V4_HEADER_LENGTH and TCP_HEADER_LENGTH, and it budgets
 * 20 bytes for options while TCP_OPTIONS_LENGTH above is 40. The two
 * calculations are independent, so changing one leaves the other unchanged.
 * S2N_TLS_RECORD_HEADER_LENGTH is not defined in this part of the file.
 */
#define S2N_SMALL_RECORD_LENGTH (1500 - 20 - 20 - 20)
#define S2N_SMALL_FRAGMENT_LENGTH (S2N_SMALL_RECORD_LENGTH - S2N_TLS_RECORD_HEADER_LENGTH)

/* Testing in the wild has found 8k max record sizes give a good balance of low latency
 * and throughput.
 *
 * NOTE(review): the value is 8092, not 8192. Confirm this is intentional
 * before deriving buffer sizes from "8k".
 */
#define S2N_DEFAULT_RECORD_LENGTH 8092
#define S2N_DEFAULT_FRAGMENT_LENGTH (S2N_DEFAULT_RECORD_LENGTH - S2N_TLS_RECORD_HEADER_LENGTH)

/* S2N_LARGE_RECORD_LENGTH is used for initializing output buffers, we use the largest
 * possible value of all supported protocols to avoid branching at runtime.
 * Both right-hand names are defined outside this part of the file.
 */
#define S2N_LARGE_RECORD_LENGTH S2N_TLS_MAXIMUM_RECORD_LENGTH
#define S2N_LARGE_FRAGMENT_LENGTH S2N_TLS_MAXIMUM_FRAGMENT_LENGTH

/* Cap dynamic record resize threshold to 8M (1024 * 1024 * 8 = 8388608) */
#define S2N_TLS_MAX_RESIZE_THRESHOLD (1024 * 1024 * 8)

/* Put a 64k cap on the size of any handshake message.
 * The handshake header's length field is 3 bytes wide, so this cap is far
 * below what the wire format can express. Presumably it bounds how much
 * peer-supplied handshake data is buffered; confirm where it is enforced.
 */
#define S2N_MAXIMUM_HANDSHAKE_MESSAGE_LENGTH (64 * 1024)

/* Maximum size for full encoded TLSInnerPlaintext (https://tools.ietf.org/html/rfc8446#section-5.4):
 * 2^14 bytes of content plus 1 byte for the content type.
 */
#define S2N_MAXIMUM_INNER_PLAINTEXT_LENGTH ((1 << 14) + 1)

/* Alert messages are always 2 bytes long (alert level, then alert description) */
#define S2N_ALERT_LENGTH 2

/* Handshake messages have their own header too: 1 byte of message type and
 * 3 bytes of length.
 */
#define TLS_HANDSHAKE_HEADER_LENGTH 4

/* Upper bound on a server name.
 * NOTE(review): whether this counts a terminating NUL is not visible here.
 * Confirm before sizing a buffer from it.
 */
#define S2N_MAX_SERVER_NAME 255