search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
preprocessor cleanup: __lint
[unleashed/tickless.git] / lib / libtls / tls_internal.h
blobfbb139c84ad2b333c1c766b62e09a9e001e48a53
1 /* $OpenBSD: tls_internal.h,v 1.53 2017/01/29 17:52:11 beck Exp $ */
2 /*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #ifndef HEADER_TLS_INTERNAL_H
20 #define HEADER_TLS_INTERNAL_H
21
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24
25 #include <openssl/ssl.h>
26
27 __BEGIN_HIDDEN_DECLS
28
29 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
30
31 #define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
32 #define TLS_CIPHERS_COMPAT "HIGH:!aNULL"
33 #define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL"
34 #define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL"
35
36 union tls_addr {
37 struct in_addr ip4;
38 struct in6_addr ip6;
39 };
40
41 struct tls_error {
42 char *msg;
43 int num;
44 int tls;
45 };
46
47 struct tls_keypair {
48 struct tls_keypair *next;
49
50 char *cert_mem;
51 size_t cert_len;
52 char *key_mem;
53 size_t key_len;
54 char *ocsp_staple;
55 size_t ocsp_staple_len;
56 };
57
58 #define TLS_MIN_SESSION_TIMEOUT (4)
59 #define TLS_MAX_SESSION_TIMEOUT (24 * 60 * 60)
60
61 #define TLS_NUM_TICKETS 4
62 #define TLS_TICKET_NAME_SIZE 16
63 #define TLS_TICKET_AES_SIZE 32
64 #define TLS_TICKET_HMAC_SIZE 16
65
66 struct tls_ticket_key {
67 /* The key_name must be 16 bytes according to -lssl */
68 unsigned char key_name[TLS_TICKET_NAME_SIZE];
69 unsigned char aes_key[TLS_TICKET_AES_SIZE];
70 unsigned char hmac_key[TLS_TICKET_HMAC_SIZE];
71 time_t time;
72 };
73
74 struct tls_config {
75 struct tls_error error;
76
77 char *alpn;
78 size_t alpn_len;
79 const char *ca_path;
80 char *ca_mem;
81 size_t ca_len;
82 const char *ciphers;
83 int ciphers_server;
84 int dheparams;
85 int ecdhecurve;
86 struct tls_keypair *keypair;
87 int ocsp_require_stapling;
88 uint32_t protocols;
89 unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
90 int session_lifetime;
91 struct tls_ticket_key ticket_keys[TLS_NUM_TICKETS];
92 uint32_t ticket_keyrev;
93 int ticket_autorekey;
94 int verify_cert;
95 int verify_client;
96 int verify_depth;
97 int verify_name;
98 int verify_time;
99 };
100
101 struct tls_conninfo {
102 char *alpn;
103 char *cipher;
104 char *servername;
105 char *version;
106
107 char *hash;
108 char *issuer;
109 char *subject;
110
111 time_t notbefore;
112 time_t notafter;
113 };
114
115 #define TLS_CLIENT (1 << 0)
116 #define TLS_SERVER (1 << 1)
117 #define TLS_SERVER_CONN (1 << 2)
118
119 #define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0)
120 #define TLS_HANDSHAKE_COMPLETE (1 << 1)
121 #define TLS_SSL_NEEDS_SHUTDOWN (1 << 2)
122
123 struct tls_ocsp_result {
124 const char *result_msg;
125 int response_status;
126 int cert_status;
127 int crl_reason;
128 time_t this_update;
129 time_t next_update;
130 time_t revocation_time;
131 };
132
133 struct tls_ocsp {
134 /* responder location */
135 char *ocsp_url;
136
137 /* cert data, this struct does not own these */
138 X509 *main_cert;
139 STACK_OF(X509) *extra_certs;
140
141 struct tls_ocsp_result *ocsp_result;
142 };
143
144 struct tls_sni_ctx {
145 struct tls_sni_ctx *next;
146
147 SSL_CTX *ssl_ctx;
148 X509 *ssl_cert;
149 };
150
151 struct tls {
152 struct tls_config *config;
153 struct tls_error error;
154
155 uint32_t flags;
156 uint32_t state;
157
158 char *servername;
159 int socket;
160
161 SSL *ssl_conn;
162 SSL_CTX *ssl_ctx;
163
164 struct tls_sni_ctx *sni_ctx;
165
166 X509 *ssl_peer_cert;
167
168 struct tls_conninfo *conninfo;
169
170 struct tls_ocsp *ocsp;
171
172 tls_read_cb read_cb;
173 tls_write_cb write_cb;
174 void *cb_arg;
175 };
176
177 struct tls_sni_ctx *tls_sni_ctx_new(void);
178 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
179
180 struct tls *tls_new(void);
181 struct tls *tls_server_conn(struct tls *ctx);
182
183 int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
184 int tls_configure_server(struct tls *ctx);
185
186 int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx);
187 int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
188 struct tls_keypair *keypair, int required);
189 int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify);
190
191 int tls_handshake_client(struct tls *ctx);
192 int tls_handshake_server(struct tls *ctx);
193
194 int tls_config_load_file(struct tls_error *error, const char *filetype,
195 const char *filename, char **buf, size_t *len);
196 int tls_config_ticket_autorekey(struct tls_config *config);
197 int tls_host_port(const char *hostport, char **host, char **port);
198
199 int tls_set_cbs(struct tls *ctx,
200 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg);
201
202 void tls_error_clear(struct tls_error *error);
203 int tls_error_set(struct tls_error *error, const char *fmt, ...)
204 __attribute__((__format__ (printf, 2, 3)))
205 __attribute__((__nonnull__ (2)));
206 int tls_error_setx(struct tls_error *error, const char *fmt, ...)
207 __attribute__((__format__ (printf, 2, 3)))
208 __attribute__((__nonnull__ (2)));
209 int tls_config_set_error(struct tls_config *cfg, const char *fmt, ...)
210 __attribute__((__format__ (printf, 2, 3)))
211 __attribute__((__nonnull__ (2)));
212 int tls_config_set_errorx(struct tls_config *cfg, const char *fmt, ...)
213 __attribute__((__format__ (printf, 2, 3)))
214 __attribute__((__nonnull__ (2)));
215 int tls_set_error(struct tls *ctx, const char *fmt, ...)
216 __attribute__((__format__ (printf, 2, 3)))
217 __attribute__((__nonnull__ (2)));
218 int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
219 __attribute__((__format__ (printf, 2, 3)))
220 __attribute__((__nonnull__ (2)));
221 int tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
222 __attribute__((__format__ (printf, 2, 3)))
223 __attribute__((__nonnull__ (2)));
224
225 int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
226 const char *prefix);
227
228 int tls_conninfo_populate(struct tls *ctx);
229 void tls_conninfo_free(struct tls_conninfo *conninfo);
230
231 int tls_ocsp_verify_cb(SSL *ssl, void *arg);
232 int tls_ocsp_stapling_cb(SSL *ssl, void *arg);
233 void tls_ocsp_free(struct tls_ocsp *ctx);
234 struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx);
235
236 __END_HIDDEN_DECLS
237
238 #endif /* HEADER_TLS_INTERNAL_H */
unleashed repo fork