1 /* $OpenBSD: tls_internal.h,v 1.31 2016/07/07 14:09:03 jsing Exp $ */
2 /*
3  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #ifndef HEADER_TLS_INTERNAL_H
20 #define HEADER_TLS_INTERNAL_H
21 
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24 
25 #include <openssl/ssl.h>
26 
/*
 * Default CA bundle used when the application supplies no trust anchors
 * of its own (presumably consulted when ca_file/ca_path/ca_mem are all
 * unset -- confirm against the config code).  It is the root of trust
 * for peer certificate verification, so a build that overrides this
 * path must point it at a store it actually trusts.
 */
#ifndef _PATH_SSL_CA_FILE
#define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
#endif

/*
 * Cipher suite selections, strongest first.  These are libssl cipher
 * strings; what each keyword (HIGH, MEDIUM, ALL, ...) admits is decided
 * by the linked libssl, not here.
 *
 * DEFAULT: only suites that are TLSv1.2, AEAD and ECDHE (or DHE), i.e.
 *          authenticated encryption with forward secrecy.
 * COMPAT:  the HIGH set without anonymous key exchange; admits non-AEAD
 *          and non-forward-secret suites.
 * LEGACY:  also admits the MEDIUM set (presumably 128-bit legacy ciphers
 *          such as RC4 -- confirm against libssl); interoperability only.
 * ALL:     everything except anonymous key exchange and NULL encryption;
 *          may still admit weak suites libssl ships, so not a general
 *          choice.
 */
#define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
#define TLS_CIPHERS_COMPAT	"HIGH:!aNULL"
#define TLS_CIPHERS_LEGACY	"HIGH:MEDIUM:!aNULL"
#define TLS_CIPHERS_ALL		"ALL:!aNULL:!eNULL"
35 
/*
 * An IPv4 or IPv6 address.  The union carries no discriminator, so the
 * address family must be tracked alongside it by whoever uses it.
 */
union tls_addr {
	struct in_addr ip4;
	struct in6_addr ip6;
};
40 
/*
 * Last error recorded on a config or connection context.
 *
 * msg is the formatted message produced by the tls_*error* setters
 * declared below (presumably heap-allocated and owned by this struct,
 * since the setters take a printf-style format -- confirm in tls.c).
 * num is an integer code; presumably the errno captured at the time of
 * the failure -- confirm against the setters.
 */
struct tls_error {
	char *msg;
	int num;
};
45 
/*
 * One certificate/private-key pair, chained into a config's keypair list
 * through next.  Each of the certificate and the key is provided either
 * as a file path (*_file) or as an in-memory buffer (*_mem/*_len).  The
 * const/non-const split suggests the paths are caller-owned strings while
 * the buffers are owned and freed by the struct -- confirm.
 *
 * NOTE(review): key_mem holds private key material.  When a keypair is
 * released the buffer should be cleared (explicit_bzero) before being
 * freed rather than plainly freed -- confirm against the free path.
 */
struct tls_keypair {
	struct tls_keypair *next;

	const char *cert_file;
	char *cert_mem;
	size_t cert_len;
	const char *key_file;
	char *key_mem;
	size_t key_len;
};
56 
/*
 * Configuration applied to tls contexts.  Values are read when a context
 * is configured (see tls_configure_ssl()/tls_configure_server() below);
 * how each int field encodes its choice is not visible in this header.
 */
struct tls_config {
	struct tls_error error;		/* last configuration error */

	/*
	 * Trust anchors for peer verification: a CA file, a CA directory,
	 * or an in-memory bundle (ca_mem/ca_len).  Presumably
	 * _PATH_SSL_CA_FILE is used when none is set -- confirm.
	 */
	const char *ca_file;
	const char *ca_path;
	char *ca_mem;
	size_t ca_len;
	const char *ciphers;		/* libssl cipher string, e.g. TLS_CIPHERS_DEFAULT */
	int ciphers_server;		/* presumably: let the server's cipher order win -- confirm */
	int dheparams;			/* DHE parameter selection */
	int ecdhecurve;			/* ECDHE curve selection */
	struct tls_keypair *keypair;	/* head of the certificate/key list */
	uint32_t protocols;		/* bitmask of enabled protocol versions */

	/*
	 * Verification switches, as suggested by their names (confirm the
	 * exact semantics against the setters): verify_cert enables chain
	 * validation, verify_name enables matching the certificate against
	 * the expected server name, verify_time enables the validity-period
	 * check, verify_depth bounds the accepted chain length, and
	 * verify_client governs whether a server asks for a client
	 * certificate.  Clearing any of the first three weakens peer
	 * authentication and should be a deliberate, documented decision
	 * by the application.
	 */
	int verify_cert;
	int verify_client;
	int verify_depth;
	int verify_name;
	int verify_time;
};
76 
/*
 * Human-readable facts about an established connection and its peer
 * certificate.  Presumably populated by tls_get_conninfo() and released
 * by tls_free_conninfo() (declared below), which would make every char *
 * here owned by the struct -- confirm.
 *
 * hash and fingerprint are the values an application would pin against;
 * the comparison itself is the application's responsibility.  The exact
 * string formats are set wherever the fields are filled, not here.
 */
struct tls_conninfo {
	char *issuer;		/* peer certificate issuer */
	char *subject;		/* peer certificate subject */
	char *hash;		/* peer certificate hash */
	char *serial;		/* peer certificate serial number */
	char *fingerprint;	/* peer certificate fingerprint */
	char *version;		/* negotiated protocol version */
	char *cipher;		/* negotiated cipher suite */
	time_t notbefore;	/* start of the certificate validity period */
	time_t notafter;	/* end of the certificate validity period */
};
88 
/*
 * Context role bits (presumably kept in struct tls.flags -- confirm).
 * TLS_SERVER_CONN marks the per-connection context produced by
 * tls_server_conn(), as opposed to the accepting TLS_SERVER context.
 */
#define TLS_CLIENT		(1 << 0)
#define TLS_SERVER		(1 << 1)
#define TLS_SERVER_CONN		(1 << 2)

/*
 * Connection state bits (presumably kept in struct tls.state -- confirm).
 * TLS_EOF_NO_CLOSE_NOTIFY presumably records that the transport closed
 * without a TLS close_notify; an EOF seen in that state may be a
 * truncation by an attacker rather than an orderly shutdown, and callers
 * that care about message integrity should treat it as such.
 */
#define TLS_EOF_NO_CLOSE_NOTIFY	(1 << 0)
#define TLS_HANDSHAKE_COMPLETE	(1 << 1)
95 
/*
 * A TLS context: either a client, a listening server, or a server-side
 * connection (see the TLS_* role bits above).  Wraps the libssl objects
 * that do the actual protocol work.
 */
struct tls {
	struct tls_config *config;	/* applied configuration; ownership not visible here -- confirm */
	struct tls_error error;		/* last error on this context */

	uint32_t flags;			/* presumably TLS_CLIENT/TLS_SERVER/TLS_SERVER_CONN bits */
	uint32_t state;			/* presumably TLS_EOF_NO_CLOSE_NOTIFY/TLS_HANDSHAKE_COMPLETE bits */

	char *servername;		/* expected server name; see tls_check_name() */
	int socket;			/* underlying transport descriptor */

	SSL *ssl_conn;			/* libssl connection object */
	SSL_CTX *ssl_ctx;		/* libssl context the connection was created from */
	X509 *ssl_peer_cert;		/* peer certificate, if one was presented */
	struct tls_conninfo *conninfo;	/* connection details; see tls_get_conninfo() */
};
111 
/* Allocates a bare context; tls_server_conn() derives a per-connection
 * context from an accepting server context. */
struct tls *tls_new(void);
struct tls *tls_server_conn(struct tls *ctx);

/*
 * tls_check_name() verifies that cert is issued for servername (hostname
 * verification).  This is the check that rejects a valid certificate
 * belonging to some other host, so it must not be bypassed while
 * verify_name is set.  Return conventions are not visible in this header.
 *
 * tls_configure_keypair(): `required' presumably says whether a missing
 * keypair is an error (servers) rather than optional (clients) -- confirm.
 *
 * tls_host_port() splits a "host:port" string into its two parts.  Whether
 * *host and *port are allocated for the caller to free is not visible
 * here -- check the definition before using it.
 */
int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
int tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
    struct tls_keypair *keypair, int required);
int tls_configure_server(struct tls *ctx);
int tls_configure_ssl(struct tls *ctx);
int tls_configure_ssl_verify(struct tls *ctx, int verify);
int tls_handshake_client(struct tls *ctx);
int tls_handshake_server(struct tls *ctx);
int tls_host_port(const char *hostport, char **host, char **port);

/*
 * Error setters, one pair per object that carries a struct tls_error.
 * By analogy with err(3)/errx(3), the plain variants presumably append
 * the errno text and the x variants do not -- confirm in tls.c.
 *
 * The format attribute lets the compiler type-check callers' arguments
 * and the nonnull attribute rejects a NULL format; both only help when
 * callers pass a literal format string, never user-controlled text.
 */
int tls_error_set(struct tls_error *error, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_error_setx(struct tls_error *error, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_config_set_error(struct tls_config *cfg, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_config_set_errorx(struct tls_config *cfg, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_set_error(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));

/* Translates a libssl return value (ssl_ret from ssl_conn) into an error
 * on ctx, prefixed with `prefix'. */
int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
    const char *prefix);

/* Populates ctx->conninfo; tls_free_conninfo() releases one. */
int tls_get_conninfo(struct tls *ctx);
void tls_free_conninfo(struct tls_conninfo *conninfo);

/*
 * Parses a length-delimited ASN.1 time string into a struct tm; the
 * trailing int presumably selects the time format (UTCTime vs.
 * GeneralizedTime) -- confirm against the definition.
 * NOTE(review): this is the only prototype here without parameter names.
 */
int asn1_time_parse(const char *, size_t, struct tm *, int);
151 
152 #endif /* HEADER_TLS_INTERNAL_H */
153