1 /*
2  * Copyright (C) Tildeslash Ltd. All rights reserved.
3  *
4  * This program is free software: you can redistribute it and/or modify
5  * it under the terms of the GNU Affero General Public License version 3.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU Affero General Public License
13  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
14  *
15  * In addition, as a special exception, the copyright holders give
16  * permission to link the code of portions of this program with the
17  * OpenSSL library under certain conditions as described in each
18  * individual source file, and distribute linked combinations
19  * including the two.
20  *
21  * You must obey the GNU Affero General Public License in all respects
22  * for all of the code used other than OpenSSL.
23  */
24 
25 #ifndef SSL_H
26 #define SSL_H
27 
28 
29 #include "config.h"
30 
31 
/**
 * SSL/TLS mode of a connection; stored in SslOptions_T.flags.
 * The enum is packed so it occupies the smallest integer type that can
 * hold its values.
 */
typedef enum {
        SSL_Disabled = 0,       /**< SSL/TLS disabled */
        SSL_Enabled,            /**< SSL/TLS enabled */
        SSL_StartTLS            /**< Use the STARTTLS upgrade (the upgrade itself is handled by the implementation) */
} __attribute__((__packed__)) Ssl_Flags;
37 
38 
/**
 * Protocol version selectors. Every member except SSL_Auto is a distinct
 * bit, presumably so that several versions can be OR-ed together into
 * SslOptions_T.version ("the list of allowed SSL versions"); SSL_Auto (0)
 * selects no explicit version.
 * NOTE(review): SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated protocol
 * versions. Whether the implementation refuses them when selected is not
 * visible in this header — confirm before relying on this list as policy.
 */
typedef enum {
        SSL_Auto    = 0x0,      /**< No explicit version ("auto") */
        SSL_V2      = 0x1,      /**< SSLv2 (deprecated) */
        SSL_V3      = 0x2,      /**< SSLv3 (deprecated) */
        SSL_TLSV1   = 0x4,      /**< TLS 1.0 (deprecated) */
        SSL_TLSV11  = 0x8,      /**< TLS 1.1 (deprecated) */
        SSL_TLSV12  = 0x10,     /**< TLS 1.2 */
        SSL_TLSV13  = 0x20      /**< TLS 1.3 */
} __attribute__((__packed__)) Ssl_Version;
48 
49 
/**
 * SSL options for a connection, consumed by Ssl_new() and Ssl_printOptions().
 * Note that the typedef name SslOptions_T is a *pointer* to this struct
 * (see the end of the definition), so callers pass the address of an
 * options object, not the object itself.
 * Field notes:
 *  - flags is an Ssl_Flags value; version is a short, presumably holding
 *    OR-ed Ssl_Version bits (the enum is declared above).
 *  - verify and allowSelfSigned are shorts used as booleans.
 *  - checksumType: the enumeration it indexes is not declared here.
 * NOTE(review): ownership and lifetime of the char * members (who allocates,
 * who frees, whether Ssl_new() copies them) are not specified in this header
 * — confirm against the implementation before freeing or reusing them.
 */
typedef struct SslOptions_T {
        Ssl_Flags flags;                                            /**< SSL flags */
        short version;                       /**< The list of allowed SSL versions */
        short verify;             /**< true if certificate verification is enabled */
        short allowSelfSigned;     /**< true if self signed certificate is allowed */
        short checksumType;                                     /**< Checksum type */
        char *checksum;     /**< The expected checksum of the server's certificate */
        char *pemfile;                            /**< Optional server certificate */
        char *pemchain;         /**< Optional alternative server certificate chain */
        char *pemkey;                 /**< Optional alternative server private key */
        char *clientpemfile;                      /**< Optional client certificate */
        char *ciphers;                               /**< Allowed SSL ciphers list */
        char *CACertificateFile;             /**< Path to CA certificates PEM file */
        char *CACertificatePath;            /**< Path to CA certificates directory */
} *SslOptions_T;
65 
66 
/*
 * Opaque handle to an SSL connection. struct T is not defined in this
 * header; clients only ever hold the pointer. The T shorthand is #undef'ed
 * at the end of this header, so the public type name is Ssl_T.
 */
#define T Ssl_T
typedef struct T *T;
69 
70 
/*
 * Cipher list in OpenSSL cipher-list syntax: all cipher suites ordered by
 * strength (@STRENGTH), except those containing anonymous DH ciphers (aNULL),
 * low bit-size ciphers (LOW), export-crippled ciphers (EXP), IDEA, the MD5
 * hash algorithm and the weak DES, RC4 and 3DES ciphers.
 * NOTE(review): in OpenSSL (1.1.1 and later) this syntax governs TLS 1.2 and
 * earlier cipher suites only; TLS 1.3 suites are configured separately and
 * are not affected by this string.
 */
#define CIPHER_LIST "ALL:!DES:!RC4:!aNULL:!LOW:!EXP:!IDEA:!MD5:!3DES:@STRENGTH"
75 
76 
77 /**
78  * Prepare for the beginning of active use of the OpenSSL library
79  */
80 void Ssl_start(void);
81 
82 
83 /**
84  * Gracefully terminate the active use of the OpenSSL library
85  */
86 void Ssl_stop(void);
87 
88 
89 /**
 * Clean up the thread's error queue.
91  */
92 void Ssl_threadCleanup(void);
93 
94 
95 #ifdef OPENSSL_FIPS
96 /**
97  * Enable or disable FIPS-140 mode
98  * @param enabled true to enable FIPS-140 mode
99  */
100 void Ssl_setFipsMode(bool enabled);
101 #endif
102 
103 
104 /**
105  * Create a new SSL connection object
106  * @param options SSL options
107  * @return a new SSL connection object or NULL if failed
108  */
109 T Ssl_new(SslOptions_T options);
110 
111 
112 /**
113  * Free an SSL connection object
 * @param C A reference to the SSL connection object
115  */
116 void Ssl_free(T *C);
117 
118 
119 /**
120  * Connect a socket using SSL. If name is set and TLS is used,
121  * the Server Name Indication (SNI) TLS extension is enabled.
122  * @param C An SSL connection object
123  * @param socket A socket
124  * @param timeout Milliseconds to wait for connection to be established
125  * @param name A server name string (optional)
126  * @exception IOException or AssertException if failed
127  */
128 void Ssl_connect(T C, int socket, int timeout, const char *name);
129 
130 
131 /**
132  * Close an SSL connection
133  * @param C An SSL connection object
134  */
135 void Ssl_close(T C);
136 
137 
138 /**
139  * Write <code>size</code> bytes from <code>b</code> to an encrypted channel
140  * @param C An SSL connection object
141  * @param b The data to be written
142  * @param size Number of bytes in b
143  * @param timeout Milliseconds to wait for data to be written
144  * @return Number of bytes written or -1 if failed
145  */
146 int Ssl_write(T C, const void *b, int size, int timeout);
147 
148 
149 /**
150  * Read <code>size</code> bytes to <code>b</code> from an encrypted channel
151  * @param C An SSL connection object
152  * @param b A byte buffer
153  * @param size The size of the buffer b
154  * @param timeout Milliseconds to wait for data to be read
155  * @return Number of bytes read or -1 if failed
156  */
157 int Ssl_read(T C, void *b, int size, int timeout);
158 
159 
160 /**
 * Get the number of days the certificate remains valid.
162  * @param C An SSL connection object
163  * @return Number of valid days
164  * @exception IOException if failed
165  */
166 int Ssl_getCertificateValidDays(T C);
167 
168 
169 /**
 * Write a string representation of the SSL options to the given buffer.
171  * @param options SSL options object
172  * @param b A string buffer
173  * @param size The size of the buffer b
174  * @return Buffer with string representation of SSL options
175  */
176 char *Ssl_printOptions(SslOptions_T options, char *b, int size);
177 
178 
179 #undef T
180 #endif
181 
182