1 /*
2  *  OpenVPN -- An application to securely tunnel IP networks
3  *             over a single TCP/UDP port, with support for SSL/TLS-based
4  *             session authentication and key exchange,
5  *             packet encryption, packet authentication, and
6  *             packet compression.
7  *
8  *  Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *  Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  *  This program is free software; you can redistribute it and/or modify
12  *  it under the terms of the GNU General Public License version 2
13  *  as published by the Free Software Foundation.
14  *
15  *  This program is distributed in the hope that it will be useful,
16  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
17  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18  *  GNU General Public License for more details.
19  *
20  *  You should have received a copy of the GNU General Public License along
21  *  with this program; if not, write to the Free Software Foundation, Inc.,
22  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /**
26  * @file Control Channel mbed TLS Backend
27  */
28 
29 #ifndef SSL_MBEDTLS_H_
30 #define SSL_MBEDTLS_H_
31 
32 #include "syshead.h"
33 
34 #include <mbedtls/ssl.h>
35 #include <mbedtls/x509_crt.h>
36 #include <mbedtls/version.h>
37 
38 #if defined(ENABLE_PKCS11)
39 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
40 #endif
41 
42 typedef struct _buffer_entry buffer_entry;
43 
44 struct _buffer_entry {
45     size_t length;
46     uint8_t *data;
47     buffer_entry *next_block;
48 };
49 
50 typedef struct {
51     size_t data_start;
52     buffer_entry *first_block;
53     buffer_entry *last_block;
54 } endless_buffer;
55 
56 typedef struct {
57     endless_buffer in;
58     endless_buffer out;
59 } bio_ctx;
60 
61 /**
62  * External signing function prototype.  A function pointer to a function
63  * implementing this prototype is provided to
64  * tls_ctx_use_external_signing_func().
65  *
66  * @param sign_ctx  The context for the signing function.
67  * @param src       The data to be signed,
68  * @param src_len   The length of src, in bytes.
69  * @param dst       The destination buffer for the signature.
70  * @param dst_len   The length of the destination buffer.
71  *
72  * @return true if signing succeeded, false otherwise.
73  */
74 typedef bool (*external_sign_func)(
75     void *sign_ctx, const void *src, size_t src_size,
76     void *dst, size_t dst_size);
77 
78 /** Context used by external_pkcs1_sign() */
79 struct external_context {
80     size_t signature_length;
81     external_sign_func sign;
82     void *sign_ctx;
83 };
84 
85 #ifdef HAVE_EXPORT_KEYING_MATERIAL
86 /** struct to cache TLS secrets for keying material exporter (RFC 5705).
87  * The constants (64 and 48) are inherent to TLS version and
88  * the whole keying material export will likely change when they change */
89 struct tls_key_cache {
90     unsigned char client_server_random[64];
91     mbedtls_tls_prf_types tls_prf_type;
92     unsigned char master_secret[48];
93 };
94 #else
95 struct tls_key_cache { };
96 #endif
97 
98 /**
99  * Structure that wraps the TLS context. Contents differ depending on the
100  * SSL library used.
101  *
102  * Either \c priv_key_pkcs11 or \c priv_key must be filled in.
103  */
104 struct tls_root_ctx {
105     bool initialised;           /**< True if the context has been initialised */
106 
107     int endpoint;               /**< Whether or not this is a server or a client */
108 
109     mbedtls_dhm_context *dhm_ctx;       /**< Diffie-Helmann-Merkle context */
110     mbedtls_x509_crt *crt_chain;        /**< Local Certificate chain */
111     mbedtls_x509_crt *ca_chain;         /**< CA chain for remote verification */
112     mbedtls_pk_context *priv_key;       /**< Local private key */
113     mbedtls_x509_crl *crl;              /**< Certificate Revocation List */
114     time_t crl_last_mtime;              /**< CRL last modification time */
115     off_t crl_last_size;                /**< size of last loaded CRL */
116 #ifdef ENABLE_PKCS11
117     pkcs11h_certificate_t pkcs11_cert;  /**< PKCS11 certificate */
118 #endif
119     struct external_context external_key; /**< External key context */
120     int *allowed_ciphers;       /**< List of allowed ciphers for this connection */
121     mbedtls_ecp_group_id *groups;     /**< List of allowed groups for this connection */
122     mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */
123 };
124 
125 struct key_state_ssl {
126     mbedtls_ssl_config *ssl_config;     /**< mbedTLS global ssl config */
127     mbedtls_ssl_context *ctx;           /**< mbedTLS connection context */
128     bio_ctx *bio_ctx;
129 
130     struct tls_key_cache tls_key_cache;
131 };
132 
133 /**
134  * Call the supplied signing function to create a TLS signature during the
135  * TLS handshake.
136  *
137  * @param ctx                   TLS context to use.
138  * @param sign_func             Signing function to call.
139  * @param sign_ctx              Context for the sign function.
140  *
141  * @return                      0 if successful, 1 if an error occurred.
142  */
143 int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
144                                       external_sign_func sign_func,
145                                       void *sign_ctx);
146 
147 #endif /* SSL_MBEDTLS_H_ */
148