1 /* $OpenBSD: tls_internal.h,v 1.50 2016/11/05 15:13:26 beck Exp $ */
2 /*
3  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #ifndef HEADER_TLS_INTERNAL_H
20 #define HEADER_TLS_INTERNAL_H
21 
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24 
25 #include <openssl/ssl.h>
26 
27 __BEGIN_HIDDEN_DECLS
28 
/*
 * Path of the system CA bundle. Presumably the CA file used when the
 * caller configures no CA of its own — confirm in the config code.
 */
#define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"

/*
 * OpenSSL cipher-string presets, from most to least restrictive:
 *  - DEFAULT: only TLSv1.2 AEAD suites with ephemeral (EC)DHE key exchange,
 *    i.e. forward secrecy and no CBC/legacy-MAC suites.
 *  - COMPAT:  the HIGH group minus anonymous (aNULL) suites.
 *  - LEGACY:  COMPAT plus the MEDIUM group; weaker than COMPAT.
 *  - ALL:     everything except anonymous and null-encryption (eNULL) suites.
 */
#define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
#define TLS_CIPHERS_COMPAT	"HIGH:!aNULL"
#define TLS_CIPHERS_LEGACY	"HIGH:MEDIUM:!aNULL"
#define TLS_CIPHERS_ALL		"ALL:!aNULL:!eNULL"
35 
/*
 * Storage for a parsed IP address of either family. No tag is kept here,
 * so the user of the union must track which member is active.
 */
union tls_addr {
	struct in_addr ip4;	/* IPv4 */
	struct in6_addr ip6;	/* IPv6 */
};
40 
/*
 * Error record embedded in struct tls_config and struct tls. Filled in by
 * tls_error_set, tls_error_setx and the tls_set_error / tls_config_set_error
 * wrappers declared below; reset by tls_error_clear.
 */
struct tls_error {
	char *msg;	/* formatted message text; presumably heap-owned — confirm in tls_error_clear */
	int num;	/* presumably the errno value saved when the error was recorded — confirm */
	int tls;	/* presumably nonzero when the error is library-level rather than errno-based — confirm */
};
46 
/*
 * One certificate / private-key pair held in memory. `next` chains further
 * pairs into a singly linked list (struct tls_config keeps the head).
 *
 * key_mem is private key material: whatever releases a pair should clear
 * the buffer explicitly before freeing it, not merely free() it. Not visible
 * in this header — verify in the keypair free routine.
 */
struct tls_keypair {
	struct tls_keypair *next;	/* next pair in the list, NULL at the end */

	char *cert_mem;		/* certificate (PEM presumed) */
	size_t cert_len;	/* byte length of cert_mem */
	char *key_mem;		/* private key — sensitive */
	size_t key_len;		/* byte length of key_mem */
};
55 
/*
 * Configuration applied to a struct tls. The const pointers (ca_path,
 * ciphers) suggest borrowed strings while the non-const ones (alpn, ca_mem,
 * ocsp_staple) suggest config-owned buffers — confirm against the setters.
 *
 * The verify_* fields are independent toggles; clearing verify_name or
 * verify_time weakens certificate validation and should only happen
 * deliberately.
 */
struct tls_config {
	struct tls_error error;		/* last error recorded against this config */

	char *alpn;			/* ALPN protocol list; length kept separately */
	size_t alpn_len;
	const char *ca_path;		/* CA file path; defaults presumably to _PATH_SSL_CA_FILE */
	char *ca_mem;			/* CA certificates held in memory, if any */
	size_t ca_len;
	const char *ciphers;		/* OpenSSL cipher string, e.g. one of TLS_CIPHERS_* */
	int ciphers_server;		/* presumably: prefer server cipher order — confirm */
	int dheparams;			/* DHE parameter selection (encoding not defined here) */
	int ecdhecurve;			/* ECDHE curve selection (encoding not defined here) */
	struct tls_keypair *keypair;	/* head of the keypair list */
	int ocsp_require_stapling;	/* nonzero: a stapled OCSP response is mandatory */
	char *ocsp_staple;		/* OCSP response to staple on the server side */
	size_t ocsp_staple_len;
	uint32_t protocols;		/* bitmask of enabled protocol versions */
	int verify_cert;		/* verify the peer certificate chain */
	int verify_client;		/* server side: request/require a client certificate */
	int verify_depth;		/* maximum chain depth for verification */
	int verify_name;		/* check the certificate against the server name */
	int verify_time;		/* check the certificate validity period */
};
79 
/*
 * Per-connection information exposed after the handshake: the negotiated
 * parameters and a summary of the peer certificate. Populated by
 * tls_conninfo_populate and released by tls_conninfo_free.
 */
struct tls_conninfo {
	char *alpn;		/* negotiated ALPN protocol */
	char *cipher;		/* negotiated cipher suite name */
	char *servername;	/* server name for this connection */
	char *version;		/* negotiated protocol version string */

	char *hash;		/* peer certificate hash (format not defined here) */
	char *issuer;		/* peer certificate issuer */
	char *subject;		/* peer certificate subject */

	time_t notbefore;	/* start of the peer certificate validity period */
	time_t notafter;	/* end of the peer certificate validity period */
};
93 
/*
 * Context role bits. Bits 0 and 1 are reused by the state bits below, so the
 * two sets are presumably stored in different fields of struct tls (flags
 * versus state) — confirm in tls.c.
 */
#define TLS_CLIENT		(1 << 0)
#define TLS_SERVER		(1 << 1)
#define TLS_SERVER_CONN		(1 << 2)

/*
 * Connection state bits. TLS_EOF_NO_CLOSE_NOTIFY records that the transport
 * reached EOF without a TLS close_notify alert, which a caller may wish to
 * treat as a truncated (possibly tampered) stream rather than a clean close.
 */
#define TLS_EOF_NO_CLOSE_NOTIFY	(1 << 0)
#define TLS_HANDSHAKE_COMPLETE	(1 << 1)
100 
/*
 * Decoded outcome of an OCSP response for the peer certificate. The status
 * and reason fields carry integer codes whose meaning is defined elsewhere
 * (presumably the OpenSSL OCSP constants — confirm in the OCSP code).
 */
struct tls_ocsp_result {
	const char *result_msg;	/* human-readable summary; const, so presumably not owned */
	int response_status;	/* status of the OCSP response as a whole */
	int cert_status;	/* status of the certificate itself */
	int crl_reason;		/* revocation reason, when revoked */
	time_t this_update;	/* thisUpdate field of the response */
	time_t next_update;	/* nextUpdate field of the response */
	time_t revocation_time;	/* revocation time, when revoked */
};
110 
/*
 * OCSP state for one connection; created by tls_ocsp_setup_from_peer and
 * released by tls_ocsp_free.
 */
struct tls_ocsp {
	/* responder location */
	char *ocsp_url;

	/* cert data, this struct does not own these */
	X509 *main_cert;		/* certificate being checked */
	STACK_OF(X509) *extra_certs;	/* accompanying chain certificates */

	/* decoded response; ownership presumably lies here — confirm in tls_ocsp_free */
	struct tls_ocsp_result *ocsp_result;
};
121 
/*
 * One SSL_CTX / certificate pair used for server name indication; chained
 * into a list hanging off struct tls. Created by tls_sni_ctx_new and
 * released by tls_sni_ctx_free.
 */
struct tls_sni_ctx {
	struct tls_sni_ctx *next;	/* next entry, NULL at the end */

	SSL_CTX *ssl_ctx;
	X509 *ssl_cert;
};
128 
/*
 * A libtls context: a client, a listening server, or a server-side
 * connection (see the TLS_CLIENT / TLS_SERVER / TLS_SERVER_CONN bits).
 *
 * NOTE(review): tls_read_cb and tls_write_cb are not declared by anything
 * this header includes, so it relies on tls.h having been included first.
 */
struct tls {
	struct tls_config *config;	/* configuration in effect */
	struct tls_error error;		/* last error on this context */

	uint32_t flags;		/* presumably TLS_CLIENT / TLS_SERVER / TLS_SERVER_CONN bits */
	uint32_t state;		/* presumably TLS_EOF_NO_CLOSE_NOTIFY / TLS_HANDSHAKE_COMPLETE bits */

	char *servername;	/* server name for this connection */
	int socket;		/* file descriptor used when no callbacks are set (presumed) */

	SSL *ssl_conn;		/* the underlying SSL connection */
	SSL_CTX *ssl_ctx;	/* the underlying SSL context */

	struct tls_sni_ctx *sni_ctx;	/* additional per-servername contexts */

	X509 *ssl_peer_cert;	/* peer certificate, once available */

	struct tls_conninfo *conninfo;	/* filled by tls_conninfo_populate */

	struct tls_ocsp *ocsp;	/* OCSP state, see tls_ocsp_setup_from_peer */

	tls_read_cb read_cb;	/* custom transport read, installed by tls_set_cbs */
	tls_write_cb write_cb;	/* custom transport write, installed by tls_set_cbs */
	void *cb_arg;		/* opaque argument passed to the callbacks */
};
154 
/* Allocate / release one struct tls_sni_ctx (NULL-safe release presumed). */
struct tls_sni_ctx *tls_sni_ctx_new(void);
void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
157 
/* Allocate a bare context; derive a per-connection context from a server. */
struct tls *tls_new(void);
struct tls *tls_server_conn(struct tls *ctx);
160 
/*
 * tls_check_name: match cert against servername (hostname verification).
 * tls_configure_server: apply ctx->config to a server context.
 * Both presumably return 0 on success and -1 on failure — confirm.
 */
int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
int tls_configure_server(struct tls *ctx);
163 
/*
 * Apply the configuration to an SSL_CTX: common settings, one keypair
 * (`required` nonzero makes a missing pair an error, presumed), and the
 * verification mode. Errors are presumably recorded via tls_set_error*.
 */
int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx);
int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
    struct tls_keypair *keypair, int required);
int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify);
168 
/* Role-specific handshake drivers; presumably set TLS_HANDSHAKE_COMPLETE. */
int tls_handshake_client(struct tls *ctx);
int tls_handshake_server(struct tls *ctx);
171 
/*
 * tls_config_load_file: read filename into a new buffer (*buf, *len);
 * `filetype` is presumably only used to label errors. Ownership of *buf
 * passes to the caller (presumed).
 * tls_host_port: split "host:port" into newly allocated *host and *port.
 */
int tls_config_load_file(struct tls_error *error, const char *filetype,
    const char *filename, char **buf, size_t *len);
int tls_host_port(const char *hostport, char **host, char **port);
175 
/* Install custom transport callbacks (stored in ctx->read_cb etc.). */
int tls_set_cbs(struct tls *ctx,
    tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg);
178 
/*
 * Error recording. The printf format attribute lets the compiler check fmt
 * against the arguments, and nonnull forbids a NULL fmt; callers must still
 * pass a literal format and put any externally supplied text behind "%s".
 * By BSD convention the "x" variants presumably omit the errno text — confirm.
 */
void tls_error_clear(struct tls_error *error);
int tls_error_set(struct tls_error *error, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_error_setx(struct tls_error *error, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_config_set_error(struct tls_config *cfg, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_config_set_errorx(struct tls_config *cfg, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_set_error(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
201 
/*
 * Translate an SSL_* return value (ssl_ret) into the context's error state,
 * prefixing the message with `prefix`. Return semantics not defined here.
 */
int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
    const char *prefix);
204 
/* Build ctx->conninfo from the established connection; release it. */
int tls_conninfo_populate(struct tls *ctx);
void tls_conninfo_free(struct tls_conninfo *conninfo);
207 
/*
 * OCSP support. The two callbacks have the SSL_CTX callback signature
 * (`arg` is presumably the struct tls); the remaining two manage the
 * struct tls_ocsp attached to a context.
 */
int tls_ocsp_verify_cb(SSL *ssl, void *arg);
int tls_ocsp_stapling_cb(SSL *ssl, void *arg);
void tls_ocsp_free(struct tls_ocsp *ctx);
struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx);
212 
213 __END_HIDDEN_DECLS
214 
215 #endif /* HEADER_TLS_INTERNAL_H */