source4/lib/tls/tls.h

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    transport layer security handling code
   5
   6    Copyright (C) Andrew Tridgell 2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #ifndef _TLS_H_
  23 #define _TLS_H_
  24
  25 #include "lib/socket/socket.h"
  26
  27 struct loadparm_context;
  28
  29 /*
  30   call tls_initialise() once per task to startup the tls subsystem
  31 */
  32 struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
  33
  34 /*
  35   call tls_init_server() on each new server connection
  36
  37   the 'plain_chars' parameter is a list of chars that when they occur
  38   as the first character from the client on the connection tell the
  39   tls code that this is a non-tls connection. This can be used to have
  40   tls and non-tls servers on the same port. If this is NULL then only
  41   tls connections will be allowed
  42 */
  43 struct socket_context *tls_init_server(struct tls_params *parms,
  44                                     struct socket_context *sock,
  45                                     struct tevent_fd *fde,
  46                                     const char *plain_chars);
  47
  48 void tls_cert_generate(TALLOC_CTX *mem_ctx,
  49                        const char *hostname,
  50                        const char *keyfile, const char *certfile,
  51                        const char *cafile);
  52
  53 /*
  54   return True if a connection used tls
  55 */
  56 bool tls_enabled(struct socket_context *tls);
  57
  58
  59 const struct socket_ops *socket_tls_ops(enum socket_type type);
  60
  61 struct tstream_context;
  62 struct tstream_tls_params;
  63
  64 enum tls_verify_peer_state {
  65         TLS_VERIFY_PEER_NO_CHECK = 0,
  66 #define TLS_VERIFY_PEER_NO_CHECK_STRING "no_check"
  67
  68         TLS_VERIFY_PEER_CA_ONLY = 10,
  69 #define TLS_VERIFY_PEER_CA_ONLY_STRING "ca_only"
  70
  71         TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE = 20,
  72 #define TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE_STRING \
  73                 "ca_and_name_if_available"
  74
  75         TLS_VERIFY_PEER_CA_AND_NAME = 30,
  76 #define TLS_VERIFY_PEER_CA_AND_NAME_STRING "ca_and_name"
  77
  78         TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE = 9999,
  79 #define TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE_STRING \
  80                 "as_strict_as_possible"
  81 };
  82
  83 const char *tls_verify_peer_string(enum tls_verify_peer_state verify_peer);
  84
  85 NTSTATUS tstream_tls_params_client(TALLOC_CTX *mem_ctx,
  86                                    const char *ca_file,
  87                                    const char *crl_file,
  88                                    const char *tls_priority,
  89                                    enum tls_verify_peer_state verify_peer,
  90                                    const char *peer_name,
  91                                    struct tstream_tls_params **_tlsp);
  92
  93 NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
  94                                    const char *dns_host_name,
  95                                    bool enabled,
  96                                    const char *key_file,
  97                                    const char *cert_file,
  98                                    const char *ca_file,
  99                                    const char *crl_file,
 100                                    const char *dhp_file,
 101                                    const char *tls_priority,
 102                                    struct tstream_tls_params **_params);
 103
 104 bool tstream_tls_params_enabled(struct tstream_tls_params *params);
 105
 106 struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
 107                                              struct tevent_context *ev,
 108                                              struct tstream_context *plain_stream,
 109                                              struct tstream_tls_params *tls_params,
 110                                              const char *location);
 111 #define tstream_tls_connect_send(mem_ctx, ev, plain_stream, tls_params) \
 112         _tstream_tls_connect_send(mem_ctx, ev, plain_stream, tls_params, __location__)
 113
 114 int tstream_tls_connect_recv(struct tevent_req *req,
 115                              int *perrno,
 116                              TALLOC_CTX *mem_ctx,
 117                              struct tstream_context **tls_stream);
 118
 119 struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
 120                                             struct tevent_context *ev,
 121                                             struct tstream_context *plain_stream,
 122                                             struct tstream_tls_params *tls_params,
 123                                             const char *location);
 124 #define tstream_tls_accept_send(mem_ctx, ev, plain_stream, tls_params) \
 125         _tstream_tls_accept_send(mem_ctx, ev, plain_stream, tls_params, __location__)
 126
 127 int tstream_tls_accept_recv(struct tevent_req *req,
 128                             int *perrno,
 129                             TALLOC_CTX *mem_ctx,
 130                             struct tstream_context **tls_stream);
 131
 132 #endif /* _TLS_H_ */