1 /* $OpenBSD: tls_internal.h,v 1.86 2024/12/10 08:40:30 tb Exp $ */ 2 /* 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #ifndef HEADER_TLS_INTERNAL_H 20 #define HEADER_TLS_INTERNAL_H 21 22 #include <pthread.h> 23 24 #include <arpa/inet.h> 25 #include <netinet/in.h> 26 27 #include <openssl/ssl.h> 28 29 __BEGIN_HIDDEN_DECLS 30 31 #ifndef TLS_DEFAULT_CA_FILE 32 #define TLS_DEFAULT_CA_FILE "/etc/ssl/cert.pem" 33 #endif 34 35 #define TLS_CIPHERS_DEFAULT "TLSv1.3:TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" 36 #define TLS_CIPHERS_COMPAT "HIGH:!aNULL" 37 #define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL" 38 #define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL" 39 40 #define TLS_ECDHE_CURVES "X25519,P-256,P-384" 41 42 union tls_addr { 43 struct in_addr ip4; 44 struct in6_addr ip6; 45 }; 46 47 struct tls_error { 48 char *msg; 49 int code; 50 int errno_value; 51 int tls; 52 }; 53 54 struct tls_keypair { 55 struct tls_keypair *next; 56 57 char *cert_mem; 58 size_t cert_len; 59 char *key_mem; 60 size_t key_len; 61 char *ocsp_staple; 62 size_t ocsp_staple_len; 63 char *pubkey_hash; 64 }; 65 66 #define TLS_MIN_SESSION_TIMEOUT (4) 67 #define TLS_MAX_SESSION_TIMEOUT (24 * 60 * 60) 68 69 #define TLS_NUM_TICKETS 4 70 #define TLS_TICKET_NAME_SIZE 16 71 #define TLS_TICKET_AES_SIZE 32 72 #define TLS_TICKET_HMAC_SIZE 16 73 74 struct tls_ticket_key { 75 /* The key_name must be 16 bytes according to -lssl */ 76 unsigned char key_name[TLS_TICKET_NAME_SIZE]; 77 unsigned char aes_key[TLS_TICKET_AES_SIZE]; 78 unsigned char hmac_key[TLS_TICKET_HMAC_SIZE]; 79 time_t time; 80 }; 81 82 typedef int (*tls_sign_cb)(void *_cb_arg, const char *_pubkey_hash, 83 const uint8_t *_input, size_t _input_len, int _padding_type, 84 uint8_t **_out_signature, size_t *_out_signature_len); 85 86 struct tls_config { 87 struct tls_error error; 88 89 pthread_mutex_t mutex; 90 int refcount; 91 92 char *alpn; 93 size_t alpn_len; 94 const char *ca_path; 95 char *ca_mem; 96 size_t ca_len; 97 const char *ciphers; 98 int ciphers_server; 99 char *crl_mem; 100 size_t crl_len; 101 int dheparams; 102 int *ecdhecurves; 103 size_t ecdhecurves_len; 104 struct tls_keypair *keypair; 105 int ocsp_require_stapling; 106 uint32_t protocols; 107 unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH]; 108 int session_fd; 109 int session_lifetime; 110 struct tls_ticket_key ticket_keys[TLS_NUM_TICKETS]; 111 uint32_t ticket_keyrev; 112 int ticket_autorekey; 113 int verify_cert; 114 int verify_client; 115 int verify_depth; 116 int verify_name; 117 int verify_time; 118 int skip_private_key_check; 119 int use_fake_private_key; 120 tls_sign_cb sign_cb; 121 void *sign_cb_arg; 122 }; 123 124 struct tls_conninfo { 125 char *alpn; 126 char *cipher; 127 int cipher_strength; 128 char *servername; 129 int session_resumed; 130 char *version; 131 132 char *common_name; 133 char *hash; 134 char *issuer; 135 char *subject; 136 137 uint8_t *peer_cert; 138 size_t peer_cert_len; 139 140 time_t notbefore; 141 time_t notafter; 142 }; 143 144 #define TLS_CLIENT (1 << 0) 145 #define TLS_SERVER (1 << 1) 146 #define TLS_SERVER_CONN (1 << 2) 147 148 #define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0) 149 #define TLS_CONNECTED (1 << 1) 150 #define TLS_HANDSHAKE_COMPLETE (1 << 2) 151 #define TLS_SSL_NEEDS_SHUTDOWN (1 << 3) 152 153 struct tls_ocsp_result { 154 const char *result_msg; 155 int response_status; 156 int cert_status; 157 int crl_reason; 158 time_t this_update; 159 time_t next_update; 160 time_t revocation_time; 161 }; 162 163 struct tls_ocsp { 164 /* responder location */ 165 char *ocsp_url; 166 167 /* cert data, this struct does not own these */ 168 X509 *main_cert; 169 STACK_OF(X509) *extra_certs; 170 171 struct tls_ocsp_result *ocsp_result; 172 }; 173 174 struct tls_sni_ctx { 175 struct tls_sni_ctx *next; 176 177 struct tls_keypair *keypair; 178 179 SSL_CTX *ssl_ctx; 180 X509 *ssl_cert; 181 }; 182 183 struct tls { 184 struct tls_config *config; 185 struct tls_keypair *keypair; 186 187 struct tls_error error; 188 189 uint32_t flags; 190 uint32_t state; 191 192 char *servername; 193 int socket; 194 195 SSL *ssl_conn; 196 SSL_CTX *ssl_ctx; 197 198 struct tls_sni_ctx *sni_ctx; 199 200 X509 *ssl_peer_cert; 201 STACK_OF(X509) *ssl_peer_chain; 202 203 struct tls_conninfo *conninfo; 204 205 struct tls_ocsp *ocsp; 206 207 tls_read_cb read_cb; 208 tls_write_cb write_cb; 209 void *cb_arg; 210 }; 211 212 int tls_set_mem(char **_dest, size_t *_destlen, const void *_src, 213 size_t _srclen); 214 int tls_set_string(const char **_dest, const char *_src); 215 216 struct tls_keypair *tls_keypair_new(void); 217 void tls_keypair_clear_key(struct tls_keypair *_keypair); 218 void tls_keypair_free(struct tls_keypair *_keypair); 219 int tls_keypair_set_cert_file(struct tls_keypair *_keypair, 220 struct tls_error *_error, const char *_cert_file); 221 int tls_keypair_set_cert_mem(struct tls_keypair *_keypair, 222 struct tls_error *_error, const uint8_t *_cert, size_t _len); 223 int tls_keypair_set_key_file(struct tls_keypair *_keypair, 224 struct tls_error *_error, const char *_key_file); 225 int tls_keypair_set_key_mem(struct tls_keypair *_keypair, 226 struct tls_error *_error, const uint8_t *_key, size_t _len); 227 int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair, 228 struct tls_error *_error, const char *_ocsp_file); 229 int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair, 230 struct tls_error *_error, const uint8_t *_staple, size_t _len); 231 int tls_keypair_load_cert(struct tls_keypair *_keypair, 232 struct tls_error *_error, X509 **_cert); 233 234 struct tls_sni_ctx *tls_sni_ctx_new(void); 235 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx); 236 237 struct tls_config *tls_config_new_internal(void); 238 239 struct tls *tls_new(void); 240 struct tls *tls_server_conn(struct tls *ctx); 241 242 int tls_get_common_name(struct tls *_ctx, X509 *_cert, const char *_in_name, 243 char **_out_common_name); 244 int tls_check_name(struct tls *ctx, X509 *cert, const char *servername, 245 int *match); 246 int tls_configure_server(struct tls *ctx); 247 248 int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx); 249 int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, 250 struct tls_keypair *keypair, int required); 251 int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify); 252 253 int tls_handshake_client(struct tls *ctx); 254 int tls_handshake_server(struct tls *ctx); 255 256 int tls_config_load_file(struct tls_error *error, const char *filetype, 257 const char *filename, char **buf, size_t *len); 258 int tls_config_ticket_autorekey(struct tls_config *config); 259 int tls_host_port(const char *hostport, char **host, char **port); 260 261 int tls_set_cbs(struct tls *ctx, 262 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg); 263 264 void tls_error_clear(struct tls_error *error); 265 int tls_error_set(struct tls_error *error, int code, const char *fmt, ...) 266 __attribute__((__format__ (printf, 3, 4))) 267 __attribute__((__nonnull__ (3))); 268 int tls_error_setx(struct tls_error *error, int code, const char *fmt, ...) 269 __attribute__((__format__ (printf, 3, 4))) 270 __attribute__((__nonnull__ (3))); 271 int tls_config_set_error(struct tls_config *cfg, int code, const char *fmt, ...) 272 __attribute__((__format__ (printf, 3, 4))) 273 __attribute__((__nonnull__ (3))); 274 int tls_config_set_errorx(struct tls_config *cfg, int code, const char *fmt, ...) 275 __attribute__((__format__ (printf, 3, 4))) 276 __attribute__((__nonnull__ (3))); 277 int tls_set_error(struct tls *ctx, int code, const char *fmt, ...) 278 __attribute__((__format__ (printf, 3, 4))) 279 __attribute__((__nonnull__ (3))); 280 int tls_set_errorx(struct tls *ctx, int code, const char *fmt, ...) 281 __attribute__((__format__ (printf, 3, 4))) 282 __attribute__((__nonnull__ (3))); 283 int tls_set_ssl_errorx(struct tls *ctx, int code, const char *fmt, ...) 284 __attribute__((__format__ (printf, 3, 4))) 285 __attribute__((__nonnull__ (3))); 286 287 int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, 288 const char *prefix); 289 290 int tls_conninfo_populate(struct tls *ctx); 291 void tls_conninfo_free(struct tls_conninfo *conninfo); 292 293 int tls_ocsp_verify_cb(SSL *ssl, void *arg); 294 int tls_ocsp_stapling_cb(SSL *ssl, void *arg); 295 void tls_ocsp_free(struct tls_ocsp *ctx); 296 struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx); 297 int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out, 298 size_t *_outlen); 299 int tls_cert_hash(X509 *_cert, char **_hash); 300 int tls_cert_pubkey_hash(X509 *_cert, char **_hash); 301 302 int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u); 303 304 RSA_METHOD *tls_signer_rsa_method(void); 305 EC_KEY_METHOD *tls_signer_ecdsa_method(void); 306 307 #define TLS_PADDING_NONE 0 308 #define TLS_PADDING_RSA_PKCS1 1 309 310 int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb, 311 void *_cb_arg); 312 313 struct tls_signer* tls_signer_new(void); 314 void tls_signer_free(struct tls_signer * _signer); 315 const char *tls_signer_error(struct tls_signer * _signer); 316 int tls_signer_add_keypair_file(struct tls_signer *_signer, 317 const char *_cert_file, const char *_key_file); 318 int tls_signer_add_keypair_mem(struct tls_signer *_signer, const uint8_t *_cert, 319 size_t _cert_len, const uint8_t *_key, size_t _key_len); 320 int tls_signer_sign(struct tls_signer *_signer, const char *_pubkey_hash, 321 const uint8_t *_input, size_t _input_len, int _padding_type, 322 uint8_t **_out_signature, size_t *_out_signature_len); 323 324 __END_HIDDEN_DECLS 325 326 /* XXX this function is not fully hidden so relayd can use it */ 327 void tls_config_skip_private_key_check(struct tls_config *config); 328 void tls_config_use_fake_private_key(struct tls_config *config); 329 330 #endif /* HEADER_TLS_INTERNAL_H */ 331