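/* $OpenBSD: tls.h,v 1.62 2022/03/24 15:56:34 tb Exp $ */
/*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Public interface of libtls.  Two object types are exposed, both opaque to
 * callers: a configuration (struct tls_config) and a connection context
 * (struct tls).  Callers only ever hold pointers obtained from the
 * constructors declared below.
 *
 * Every prototype parameter carries a leading underscore so that a user
 * macro with an ordinary name (for example one called `len`) cannot rewrite
 * these declarations when the header is included.  Two parameters
 * (`staple_len`, `len`) previously lacked the underscore; they are now
 * consistent with the rest of the header.  Parameter names in declarations
 * are not part of the ABI, so this changes nothing for callers.
 */

#ifndef HEADER_TLS_H
#define HEADER_TLS_H

#ifdef __cplusplus
extern "C" {
#endif

/*
 * MSVC has no ssize_t; supply it from the platform SSIZE_T for external
 * consumers of the header (the library itself defines LIBRESSL_INTERNAL
 * and provides its own).
 */
#ifdef _MSC_VER
#ifndef LIBRESSL_INTERNAL
#include <basetsd.h>
typedef SSIZE_T ssize_t;
#endif
#endif

/* ssize_t and, on POSIX systems, time_t come from here. */
#include <sys/types.h>

#include <stddef.h>
#include <stdint.h>

/* API version stamp (appears to be a YYYYMMDD date). */
#define TLS_API	20200120

/*
 * Protocol version flags.  Each value is a distinct bit so they can be
 * OR-ed into the uint32_t mask consumed by tls_config_set_protocols() and
 * produced by tls_config_parse_protocols().
 */
#define TLS_PROTOCOL_TLSv1_0	(1 << 1)
#define TLS_PROTOCOL_TLSv1_1	(1 << 2)
#define TLS_PROTOCOL_TLSv1_2	(1 << 3)
#define TLS_PROTOCOL_TLSv1_3	(1 << 4)

/* Every TLS 1.x version, including the legacy 1.0 and 1.1. */
#define TLS_PROTOCOL_TLSv1 \
	(TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|\
	 TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)

#define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1
/*
 * The default is deliberately narrower than TLS_PROTOCOLS_ALL: TLS 1.0 and
 * 1.1 are left out, so an application that wants them must opt in
 * explicitly.
 */
#define TLS_PROTOCOLS_DEFAULT (TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)

/*
 * Sentinel results for the I/O entry points (see tls_read(3)): the
 * operation could not complete yet and should be retried once the
 * underlying descriptor is readable (POLLIN) or writable (POLLOUT).
 * Both are negative so they can never be mistaken for a byte count.
 */
#define TLS_WANT_POLLIN		-2
#define TLS_WANT_POLLOUT	-3

/*
 * OCSP response status, RFC 6960 Section 2.3.  The values follow the RFC
 * enumeration and are meant for comparison with the int returned by
 * tls_peer_ocsp_response_status().
 */
#define TLS_OCSP_RESPONSE_SUCCESSFUL		0
#define TLS_OCSP_RESPONSE_MALFORMED		1
#define TLS_OCSP_RESPONSE_INTERNALERROR		2
#define TLS_OCSP_RESPONSE_TRYLATER		3
#define TLS_OCSP_RESPONSE_SIGREQUIRED		4
#define TLS_OCSP_RESPONSE_UNAUTHORIZED		5

/*
 * OCSP certificate status, RFC 6960 Section 2.2; compare with the int
 * returned by tls_peer_ocsp_cert_status().  Note that UNKNOWN is not GOOD.
 */
#define TLS_OCSP_CERT_GOOD			0
#define TLS_OCSP_CERT_REVOKED			1
#define TLS_OCSP_CERT_UNKNOWN			2

/*
 * CRL revocation reasons, RFC 5280 Section 5.3.1; compare with the int
 * returned by tls_peer_ocsp_crl_reason().  Value 7 is unassigned in the
 * RFC, hence the gap between CERTIFICATE_HOLD and REMOVE_FROM_CRL.
 */
#define TLS_CRL_REASON_UNSPECIFIED		0
#define TLS_CRL_REASON_KEY_COMPROMISE		1
#define TLS_CRL_REASON_CA_COMPROMISE		2
#define TLS_CRL_REASON_AFFILIATION_CHANGED	3
#define TLS_CRL_REASON_SUPERSEDED		4
#define TLS_CRL_REASON_CESSATION_OF_OPERATION	5
#define TLS_CRL_REASON_CERTIFICATE_HOLD		6
#define TLS_CRL_REASON_REMOVE_FROM_CRL		8
#define TLS_CRL_REASON_PRIVILEGE_WITHDRAWN	9
#define TLS_CRL_REASON_AA_COMPROMISE		10

/*
 * Size limits for tls_config_set_session_id() and
 * tls_config_add_ticket_key().  Presumably enforced against _len/_keylen by
 * the implementation — confirm there before relying on it.
 */
#define TLS_MAX_SESSION_ID_LENGTH		32
#define TLS_TICKET_KEY_SIZE			48

/* Opaque handles; their layout is private to the library. */
struct tls;
struct tls_config;

/*
 * Caller-supplied transport callbacks for tls_accept_cbs() and
 * tls_connect_cbs().  _cb_arg is the opaque pointer handed to those
 * functions.  The callbacks follow the read(2)/write(2) contract in shape:
 * a byte count, or a negative value.
 */
typedef ssize_t (*tls_read_cb)(struct tls *_ctx, void *_buf, size_t _buflen,
    void *_cb_arg);
typedef ssize_t (*tls_write_cb)(struct tls *_ctx, const void *_buf,
    size_t _buflen, void *_cb_arg);

/* Library initialisation; call once before any other function. */
int tls_init(void);

/*
 * Most recent error description for the given object (see tls_error(3) for
 * the lifetime of the returned string and its NULL semantics).
 */
const char *tls_config_error(struct tls_config *_config);
const char *tls_error(struct tls *_ctx);

/* Configuration lifecycle. */
struct tls_config *tls_config_new(void);
void tls_config_free(struct tls_config *_config);

/* Path of the CA bundle the library uses when none is configured. */
const char *tls_default_ca_cert_file(void);

/*
 * Key/certificate material.  The *_file variants read from disk; the *_mem
 * variants take an in-memory buffer plus its length.  The *_ocsp_* variants
 * additionally attach a DER OCSP response to staple.  The add_* forms
 * register an additional keypair alongside the one set with set_keypair_*.
 * All return 0 on success and -1 on failure (libtls convention; see the
 * individual manual pages).
 */
int tls_config_add_keypair_file(struct tls_config *_config,
    const char *_cert_file, const char *_key_file);
int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
    size_t _cert_len, const uint8_t *_key, size_t _key_len);
int tls_config_add_keypair_ocsp_file(struct tls_config *_config,
    const char *_cert_file, const char *_key_file,
    const char *_ocsp_staple_file);
int tls_config_add_keypair_ocsp_mem(struct tls_config *_config, const uint8_t *_cert,
    size_t _cert_len, const uint8_t *_key, size_t _key_len,
    const uint8_t *_staple, size_t _staple_len);
int tls_config_set_alpn(struct tls_config *_config, const char *_alpn);
int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file);
int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path);
int tls_config_set_ca_mem(struct tls_config *_config, const uint8_t *_ca,
    size_t _len);
int tls_config_set_cert_file(struct tls_config *_config,
    const char *_cert_file);
int tls_config_set_cert_mem(struct tls_config *_config, const uint8_t *_cert,
    size_t _len);
int tls_config_set_ciphers(struct tls_config *_config, const char *_ciphers);
int tls_config_set_crl_file(struct tls_config *_config, const char *_crl_file);
int tls_config_set_crl_mem(struct tls_config *_config, const uint8_t *_crl,
    size_t _len);
int tls_config_set_dheparams(struct tls_config *_config, const char *_params);
int tls_config_set_ecdhecurve(struct tls_config *_config, const char *_curve);
int tls_config_set_ecdhecurves(struct tls_config *_config, const char *_curves);
int tls_config_set_key_file(struct tls_config *_config, const char *_key_file);
int tls_config_set_key_mem(struct tls_config *_config, const uint8_t *_key,
    size_t _len);
int tls_config_set_keypair_file(struct tls_config *_config,
    const char *_cert_file, const char *_key_file);
int tls_config_set_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
    size_t _cert_len, const uint8_t *_key, size_t _key_len);
int tls_config_set_keypair_ocsp_file(struct tls_config *_config,
    const char *_cert_file, const char *_key_file, const char *_staple_file);
int tls_config_set_keypair_ocsp_mem(struct tls_config *_config, const uint8_t *_cert,
    size_t _cert_len, const uint8_t *_key, size_t _key_len,
    const uint8_t *_staple, size_t _staple_len);
int tls_config_set_ocsp_staple_mem(struct tls_config *_config,
    const uint8_t *_staple, size_t _len);
int tls_config_set_ocsp_staple_file(struct tls_config *_config,
    const char *_staple_file);
/* _protocols is an OR of the TLS_PROTOCOL_* bits above. */
int tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
int tls_config_set_session_fd(struct tls_config *_config, int _session_fd);
int tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth);

/* Whose cipher-suite preference order wins during negotiation. */
void tls_config_prefer_ciphers_client(struct tls_config *_config);
void tls_config_prefer_ciphers_server(struct tls_config *_config);

/*
 * Verification controls.  The tls_config_insecure_noverify*() calls
 * disable the peer-certificate, host-name and validity-time checks
 * respectively.  With any of them set the connection is still encrypted
 * but the peer is no longer authenticated, so their use belongs in
 * deliberate test setups rather than production code paths.
 * tls_config_verify() turns verification back on (presumably all three
 * checks — confirm against tls_config_verify(3)).
 */
void tls_config_insecure_noverifycert(struct tls_config *_config);
void tls_config_insecure_noverifyname(struct tls_config *_config);
void tls_config_insecure_noverifytime(struct tls_config *_config);
void tls_config_verify(struct tls_config *_config);

/*
 * Server-side policy: refuse peers that do not present a stapled OCSP
 * response, and request a client certificate (required vs. optional, as
 * the names indicate).
 */
void tls_config_ocsp_require_stapling(struct tls_config *_config);
void tls_config_verify_client(struct tls_config *_config);
void tls_config_verify_client_optional(struct tls_config *_config);

/*
 * Drop key material held by the configuration — presumably so private keys
 * do not linger in the process after tls_configure(); confirm the exact
 * scope in tls_config_clear_keys(3).  tls_config_parse_protocols() converts
 * a textual protocol list into a TLS_PROTOCOL_* mask stored via _protocols.
 */
void tls_config_clear_keys(struct tls_config *_config);
int tls_config_parse_protocols(uint32_t *_protocols, const char *_protostr);

/*
 * Session resumption.  See TLS_MAX_SESSION_ID_LENGTH and
 * TLS_TICKET_KEY_SIZE for the expected sizes.  Note _key is non-const;
 * assume the library may touch the buffer — confirm before passing
 * read-only storage.
 */
int tls_config_set_session_id(struct tls_config *_config,
    const unsigned char *_session_id, size_t _len);
int tls_config_set_session_lifetime(struct tls_config *_config, int _lifetime);
int tls_config_add_ticket_key(struct tls_config *_config, uint32_t _keyrev,
    unsigned char *_key, size_t _keylen);

/* Connection context lifecycle. */
struct tls *tls_client(void);
struct tls *tls_server(void);
int tls_configure(struct tls *_ctx, struct tls_config *_config);
void tls_reset(struct tls *_ctx);
void tls_free(struct tls *_ctx);

/*
 * Transport binding.  The accept_* functions take a server context and
 * return a per-connection context through _cctx; the connect_* functions
 * bind a client context to a host/port, an existing descriptor pair, a
 * socket or a callback pair.  _servername is the name used for SNI and
 * for host-name verification (see tls_connect_servername(3)).
 */
int tls_accept_fds(struct tls *_ctx, struct tls **_cctx, int _fd_read,
    int _fd_write);
int tls_accept_socket(struct tls *_ctx, struct tls **_cctx, int _socket);
int tls_accept_cbs(struct tls *_ctx, struct tls **_cctx,
    tls_read_cb _read_cb, tls_write_cb _write_cb, void *_cb_arg);
int tls_connect(struct tls *_ctx, const char *_host, const char *_port);
int tls_connect_fds(struct tls *_ctx, int _fd_read, int _fd_write,
    const char *_servername);
int tls_connect_servername(struct tls *_ctx, const char *_host,
    const char *_port, const char *_servername);
int tls_connect_socket(struct tls *_ctx, int _s, const char *_servername);
int tls_connect_cbs(struct tls *_ctx, tls_read_cb _read_cb,
    tls_write_cb _write_cb, void *_cb_arg, const char *_servername);

/*
 * I/O.  These may return TLS_WANT_POLLIN / TLS_WANT_POLLOUT, in which case
 * the caller must wait on the descriptor and call the same function again.
 */
int tls_handshake(struct tls *_ctx);
ssize_t tls_read(struct tls *_ctx, void *_buf, size_t _buflen);
ssize_t tls_write(struct tls *_ctx, const void *_buf, size_t _buflen);
int tls_close(struct tls *_ctx);

/*
 * Peer certificate accessors.  Presumably only meaningful after the
 * handshake completed and tls_peer_cert_provided() returned non-zero;
 * check that first rather than relying on NULL returns.
 */
int tls_peer_cert_provided(struct tls *_ctx);
int tls_peer_cert_contains_name(struct tls *_ctx, const char *_name);

const char *tls_peer_cert_hash(struct tls *_ctx);
const char *tls_peer_cert_issuer(struct tls *_ctx);
const char *tls_peer_cert_subject(struct tls *_ctx);
time_t tls_peer_cert_notbefore(struct tls *_ctx);
time_t tls_peer_cert_notafter(struct tls *_ctx);
/* PEM-encoded chain; its byte length is stored through _len. */
const uint8_t *tls_peer_cert_chain_pem(struct tls *_ctx, size_t *_len);

/* Negotiated connection parameters. */
const char *tls_conn_alpn_selected(struct tls *_ctx);
const char *tls_conn_cipher(struct tls *_ctx);
int tls_conn_cipher_strength(struct tls *_ctx);
const char *tls_conn_servername(struct tls *_ctx);
int tls_conn_session_resumed(struct tls *_ctx);
const char *tls_conn_version(struct tls *_ctx);

/*
 * Read a file into a library-allocated buffer, storing its size through
 * _len; _password is consulted for encrypted input (non-NULL presumably
 * means "decrypt with this" — confirm in tls_load_file(3)).  Release the
 * buffer with tls_unload_file(), passing the same length back.
 */
uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
void tls_unload_file(uint8_t *_buf, size_t _len);

/*
 * OCSP.  tls_ocsp_process_response() feeds a DER response obtained
 * out-of-band; the tls_peer_ocsp_* accessors report the result of either
 * that call or of a stapled response (compare the int results with the
 * TLS_OCSP_* and TLS_CRL_REASON_* constants above).
 */
int tls_ocsp_process_response(struct tls *_ctx, const unsigned char *_response,
    size_t _size);
int tls_peer_ocsp_cert_status(struct tls *_ctx);
int tls_peer_ocsp_crl_reason(struct tls *_ctx);
time_t tls_peer_ocsp_next_update(struct tls *_ctx);
int tls_peer_ocsp_response_status(struct tls *_ctx);
const char *tls_peer_ocsp_result(struct tls *_ctx);
time_t tls_peer_ocsp_revocation_time(struct tls *_ctx);
time_t tls_peer_ocsp_this_update(struct tls *_ctx);
const char *tls_peer_ocsp_url(struct tls *_ctx);

#ifdef __cplusplus
}
#endif

#endif /* HEADER_TLS_H */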