search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Unleashed v1.4
[unleashed.git] / lib / libtls / tls_internal.h
blobb236204e8140e19450ecf93326e3d0ab9fc1b9d6
1 /* $OpenBSD: tls_internal.h,v 1.72 2018/04/07 16:35:34 jsing Exp $ */
2 /*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #ifndef HEADER_TLS_INTERNAL_H
20 #define HEADER_TLS_INTERNAL_H
21
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24
25 #include <openssl/ssl.h>
26
27 __BEGIN_HIDDEN_DECLS
28
29 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
30
31 #define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
32 #define TLS_CIPHERS_COMPAT "HIGH:!aNULL"
33 #define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL"
34 #define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL"
35
36 #define TLS_ECDHE_CURVES "X25519,P-256,P-384"
37
38 union tls_addr {
39 struct in_addr ip4;
40 struct in6_addr ip6;
41 };
42
43 struct tls_error {
44 char *msg;
45 int num;
46 int tls;
47 };
48
49 struct tls_keypair {
50 struct tls_keypair *next;
51
52 char *cert_mem;
53 size_t cert_len;
54 char *key_mem;
55 size_t key_len;
56 char *ocsp_staple;
57 size_t ocsp_staple_len;
58 char *pubkey_hash;
59 };
60
61 #define TLS_MIN_SESSION_TIMEOUT (4)
62 #define TLS_MAX_SESSION_TIMEOUT (24 * 60 * 60)
63
64 #define TLS_NUM_TICKETS 4
65 #define TLS_TICKET_NAME_SIZE 16
66 #define TLS_TICKET_AES_SIZE 32
67 #define TLS_TICKET_HMAC_SIZE 16
68
69 struct tls_ticket_key {
70 /* The key_name must be 16 bytes according to -lssl */
71 unsigned char key_name[TLS_TICKET_NAME_SIZE];
72 unsigned char aes_key[TLS_TICKET_AES_SIZE];
73 unsigned char hmac_key[TLS_TICKET_HMAC_SIZE];
74 time_t time;
75 };
76
77 struct tls_config {
78 struct tls_error error;
79
80 int refcount;
81
82 char *alpn;
83 size_t alpn_len;
84 const char *ca_path;
85 char *ca_mem;
86 size_t ca_len;
87 const char *ciphers;
88 int ciphers_server;
89 char *crl_mem;
90 size_t crl_len;
91 int dheparams;
92 int *ecdhecurves;
93 size_t ecdhecurves_len;
94 struct tls_keypair *keypair;
95 int ocsp_require_stapling;
96 uint32_t protocols;
97 unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
98 int session_fd;
99 int session_lifetime;
100 struct tls_ticket_key ticket_keys[TLS_NUM_TICKETS];
101 uint32_t ticket_keyrev;
102 int ticket_autorekey;
103 int verify_cert;
104 int verify_client;
105 int verify_depth;
106 int verify_name;
107 int verify_time;
108 int skip_private_key_check;
109 };
110
111 struct tls_conninfo {
112 char *alpn;
113 char *cipher;
114 char *servername;
115 int session_resumed;
116 char *version;
117
118 char *hash;
119 char *issuer;
120 char *subject;
121
122 uint8_t *peer_cert;
123 size_t peer_cert_len;
124
125 time_t notbefore;
126 time_t notafter;
127 };
128
129 #define TLS_CLIENT (1 << 0)
130 #define TLS_SERVER (1 << 1)
131 #define TLS_SERVER_CONN (1 << 2)
132
133 #define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0)
134 #define TLS_CONNECTED (1 << 1)
135 #define TLS_HANDSHAKE_COMPLETE (1 << 2)
136 #define TLS_SSL_NEEDS_SHUTDOWN (1 << 3)
137
138 struct tls_ocsp_result {
139 const char *result_msg;
140 int response_status;
141 int cert_status;
142 int crl_reason;
143 time_t this_update;
144 time_t next_update;
145 time_t revocation_time;
146 };
147
148 struct tls_ocsp {
149 /* responder location */
150 char *ocsp_url;
151
152 /* cert data, this struct does not own these */
153 X509 *main_cert;
154 STACK_OF(X509) *extra_certs;
155
156 struct tls_ocsp_result *ocsp_result;
157 };
158
159 struct tls_sni_ctx {
160 struct tls_sni_ctx *next;
161
162 struct tls_keypair *keypair;
163
164 SSL_CTX *ssl_ctx;
165 X509 *ssl_cert;
166 };
167
168 struct tls {
169 struct tls_config *config;
170 struct tls_keypair *keypair;
171
172 struct tls_error error;
173
174 uint32_t flags;
175 uint32_t state;
176
177 char *servername;
178 int socket;
179
180 SSL *ssl_conn;
181 SSL_CTX *ssl_ctx;
182
183 struct tls_sni_ctx *sni_ctx;
184
185 X509 *ssl_peer_cert;
186 STACK_OF(X509) *ssl_peer_chain;
187
188 struct tls_conninfo *conninfo;
189
190 struct tls_ocsp *ocsp;
191
192 tls_read_cb read_cb;
193 tls_write_cb write_cb;
194 void *cb_arg;
195 };
196
197 int tls_set_mem(char **_dest, size_t *_destlen, const void *_src,
198 size_t _srclen);
199 int tls_set_string(const char **_dest, const char *_src);
200
201 struct tls_keypair *tls_keypair_new(void);
202 void tls_keypair_clear_key(struct tls_keypair *_keypair);
203 void tls_keypair_free(struct tls_keypair *_keypair);
204 int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
205 struct tls_error *_error, const char *_cert_file);
206 int tls_keypair_set_cert_mem(struct tls_keypair *_keypair,
207 struct tls_error *_error, const uint8_t *_cert, size_t _len);
208 int tls_keypair_set_key_file(struct tls_keypair *_keypair,
209 struct tls_error *_error, const char *_key_file);
210 int tls_keypair_set_key_mem(struct tls_keypair *_keypair,
211 struct tls_error *_error, const uint8_t *_key, size_t _len);
212 int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
213 struct tls_error *_error, const char *_ocsp_file);
214 int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
215 struct tls_error *_error, const uint8_t *_staple, size_t _len);
216 int tls_keypair_load_cert(struct tls_keypair *_keypair,
217 struct tls_error *_error, X509 **_cert);
218
219 struct tls_sni_ctx *tls_sni_ctx_new(void);
220 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
221
222 struct tls_config *tls_config_new_internal(void);
223
224 struct tls *tls_new(void);
225 struct tls *tls_server_conn(struct tls *ctx);
226
227 int tls_check_name(struct tls *ctx, X509 *cert, const char *servername,
228 int *match);
229 int tls_configure_server(struct tls *ctx);
230
231 int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx);
232 int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
233 struct tls_keypair *keypair, int required);
234 int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify);
235
236 int tls_handshake_client(struct tls *ctx);
237 int tls_handshake_server(struct tls *ctx);
238
239 int tls_config_load_file(struct tls_error *error, const char *filetype,
240 const char *filename, char **buf, size_t *len);
241 int tls_config_ticket_autorekey(struct tls_config *config);
242 int tls_host_port(const char *hostport, char **host, char **port);
243
244 int tls_set_cbs(struct tls *ctx,
245 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg);
246
247 void tls_error_clear(struct tls_error *error);
248 int tls_error_set(struct tls_error *error, const char *fmt, ...)
249 __attribute__((__format__ (printf, 2, 3)))
250 __attribute__((__nonnull__ (2)));
251 int tls_error_setx(struct tls_error *error, const char *fmt, ...)
252 __attribute__((__format__ (printf, 2, 3)))
253 __attribute__((__nonnull__ (2)));
254 int tls_config_set_error(struct tls_config *cfg, const char *fmt, ...)
255 __attribute__((__format__ (printf, 2, 3)))
256 __attribute__((__nonnull__ (2)));
257 int tls_config_set_errorx(struct tls_config *cfg, const char *fmt, ...)
258 __attribute__((__format__ (printf, 2, 3)))
259 __attribute__((__nonnull__ (2)));
260 int tls_set_error(struct tls *ctx, const char *fmt, ...)
261 __attribute__((__format__ (printf, 2, 3)))
262 __attribute__((__nonnull__ (2)));
263 int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
264 __attribute__((__format__ (printf, 2, 3)))
265 __attribute__((__nonnull__ (2)));
266 int tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
267 __attribute__((__format__ (printf, 2, 3)))
268 __attribute__((__nonnull__ (2)));
269
270 int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
271 const char *prefix);
272
273 int tls_conninfo_populate(struct tls *ctx);
274 void tls_conninfo_free(struct tls_conninfo *conninfo);
275
276 int tls_ocsp_verify_cb(SSL *ssl, void *arg);
277 int tls_ocsp_stapling_cb(SSL *ssl, void *arg);
278 void tls_ocsp_free(struct tls_ocsp *ctx);
279 struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx);
280 int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out,
281 size_t *_outlen);
282 int tls_cert_hash(X509 *_cert, char **_hash);
283 int tls_cert_pubkey_hash(X509 *_cert, char **_hash);
284
285 int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
286
287 __END_HIDDEN_DECLS
288
289 /* XXX this function is not fully hidden so relayd can use it */
290 void tls_config_skip_private_key_check(struct tls_config *config);
291
292 #endif /* HEADER_TLS_INTERNAL_H */
Unleashed OS