1 /* $OpenBSD: tls_internal.h,v 1.72 2018/04/07 16:35:34 jsing Exp $ */ 2 /* 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #ifndef HEADER_TLS_INTERNAL_H 20 #define HEADER_TLS_INTERNAL_H 21 22 #include <arpa/inet.h> 23 #include <netinet/in.h> 24 25 #include <openssl/ssl.h> 26 27 __BEGIN_HIDDEN_DECLS 28 29 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem" 30 31 #define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" 32 #define TLS_CIPHERS_COMPAT "HIGH:!aNULL" 33 #define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL" 34 #define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL" 35 36 #define TLS_ECDHE_CURVES "X25519,P-256,P-384" 37 38 union tls_addr { 39 struct in_addr ip4; 40 struct in6_addr ip6; 41 }; 42 43 struct tls_error { 44 char *msg; 45 int num; 46 int tls; 47 }; 48 49 struct tls_keypair { 50 struct tls_keypair *next; 51 52 char *cert_mem; 53 size_t cert_len; 54 char *key_mem; 55 size_t key_len; 56 char *ocsp_staple; 57 size_t ocsp_staple_len; 58 char *pubkey_hash; 59 }; 60 61 #define TLS_MIN_SESSION_TIMEOUT (4) 62 #define TLS_MAX_SESSION_TIMEOUT (24 * 60 * 60) 63 64 #define TLS_NUM_TICKETS 4 65 #define TLS_TICKET_NAME_SIZE 16 66 #define TLS_TICKET_AES_SIZE 32 67 #define TLS_TICKET_HMAC_SIZE 16 68 69 struct tls_ticket_key { 70 /* The key_name must be 16 bytes according to -lssl */ 71 unsigned char key_name[TLS_TICKET_NAME_SIZE]; 72 unsigned char aes_key[TLS_TICKET_AES_SIZE]; 73 unsigned char hmac_key[TLS_TICKET_HMAC_SIZE]; 74 time_t time; 75 }; 76 77 struct tls_config { 78 struct tls_error error; 79 80 int refcount; 81 82 char *alpn; 83 size_t alpn_len; 84 const char *ca_path; 85 char *ca_mem; 86 size_t ca_len; 87 const char *ciphers; 88 int ciphers_server; 89 char *crl_mem; 90 size_t crl_len; 91 int dheparams; 92 int *ecdhecurves; 93 size_t ecdhecurves_len; 94 struct tls_keypair *keypair; 95 int ocsp_require_stapling; 96 uint32_t protocols; 97 unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH]; 98 int session_fd; 99 int session_lifetime; 100 struct tls_ticket_key ticket_keys[TLS_NUM_TICKETS]; 101 uint32_t ticket_keyrev; 102 int ticket_autorekey; 103 int verify_cert; 104 int verify_client; 105 int verify_depth; 106 int verify_name; 107 int verify_time; 108 int skip_private_key_check; 109 }; 110 111 struct tls_conninfo { 112 char *alpn; 113 char *cipher; 114 char *servername; 115 int session_resumed; 116 char *version; 117 118 char *hash; 119 char *issuer; 120 char *subject; 121 122 uint8_t *peer_cert; 123 size_t peer_cert_len; 124 125 time_t notbefore; 126 time_t notafter; 127 }; 128 129 #define TLS_CLIENT (1 << 0) 130 #define TLS_SERVER (1 << 1) 131 #define TLS_SERVER_CONN (1 << 2) 132 133 #define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0) 134 #define TLS_CONNECTED (1 << 1) 135 #define TLS_HANDSHAKE_COMPLETE (1 << 2) 136 #define TLS_SSL_NEEDS_SHUTDOWN (1 << 3) 137 138 struct tls_ocsp_result { 139 const char *result_msg; 140 int response_status; 141 int cert_status; 142 int crl_reason; 143 time_t this_update; 144 time_t next_update; 145 time_t revocation_time; 146 }; 147 148 struct tls_ocsp { 149 /* responder location */ 150 char *ocsp_url; 151 152 /* cert data, this struct does not own these */ 153 X509 *main_cert; 154 STACK_OF(X509) *extra_certs; 155 156 struct tls_ocsp_result *ocsp_result; 157 }; 158 159 struct tls_sni_ctx { 160 struct tls_sni_ctx *next; 161 162 struct tls_keypair *keypair; 163 164 SSL_CTX *ssl_ctx; 165 X509 *ssl_cert; 166 }; 167 168 struct tls { 169 struct tls_config *config; 170 struct tls_keypair *keypair; 171 172 struct tls_error error; 173 174 uint32_t flags; 175 uint32_t state; 176 177 char *servername; 178 int socket; 179 180 SSL *ssl_conn; 181 SSL_CTX *ssl_ctx; 182 183 struct tls_sni_ctx *sni_ctx; 184 185 X509 *ssl_peer_cert; 186 STACK_OF(X509) *ssl_peer_chain; 187 188 struct tls_conninfo *conninfo; 189 190 struct tls_ocsp *ocsp; 191 192 tls_read_cb read_cb; 193 tls_write_cb write_cb; 194 void *cb_arg; 195 }; 196 197 int tls_set_mem(char **_dest, size_t *_destlen, const void *_src, 198 size_t _srclen); 199 int tls_set_string(const char **_dest, const char *_src); 200 201 struct tls_keypair *tls_keypair_new(void); 202 void tls_keypair_clear_key(struct tls_keypair *_keypair); 203 void tls_keypair_free(struct tls_keypair *_keypair); 204 int tls_keypair_set_cert_file(struct tls_keypair *_keypair, 205 struct tls_error *_error, const char *_cert_file); 206 int tls_keypair_set_cert_mem(struct tls_keypair *_keypair, 207 struct tls_error *_error, const uint8_t *_cert, size_t _len); 208 int tls_keypair_set_key_file(struct tls_keypair *_keypair, 209 struct tls_error *_error, const char *_key_file); 210 int tls_keypair_set_key_mem(struct tls_keypair *_keypair, 211 struct tls_error *_error, const uint8_t *_key, size_t _len); 212 int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair, 213 struct tls_error *_error, const char *_ocsp_file); 214 int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair, 215 struct tls_error *_error, const uint8_t *_staple, size_t _len); 216 int tls_keypair_load_cert(struct tls_keypair *_keypair, 217 struct tls_error *_error, X509 **_cert); 218 219 struct tls_sni_ctx *tls_sni_ctx_new(void); 220 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx); 221 222 struct tls_config *tls_config_new_internal(void); 223 224 struct tls *tls_new(void); 225 struct tls *tls_server_conn(struct tls *ctx); 226 227 int tls_check_name(struct tls *ctx, X509 *cert, const char *servername, 228 int *match); 229 int tls_configure_server(struct tls *ctx); 230 231 int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx); 232 int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, 233 struct tls_keypair *keypair, int required); 234 int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify); 235 236 int tls_handshake_client(struct tls *ctx); 237 int tls_handshake_server(struct tls *ctx); 238 239 int tls_config_load_file(struct tls_error *error, const char *filetype, 240 const char *filename, char **buf, size_t *len); 241 int tls_config_ticket_autorekey(struct tls_config *config); 242 int tls_host_port(const char *hostport, char **host, char **port); 243 244 int tls_set_cbs(struct tls *ctx, 245 tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg); 246 247 void tls_error_clear(struct tls_error *error); 248 int tls_error_set(struct tls_error *error, const char *fmt, ...) 249 __attribute__((__format__ (printf, 2, 3))) 250 __attribute__((__nonnull__ (2))); 251 int tls_error_setx(struct tls_error *error, const char *fmt, ...) 252 __attribute__((__format__ (printf, 2, 3))) 253 __attribute__((__nonnull__ (2))); 254 int tls_config_set_error(struct tls_config *cfg, const char *fmt, ...) 255 __attribute__((__format__ (printf, 2, 3))) 256 __attribute__((__nonnull__ (2))); 257 int tls_config_set_errorx(struct tls_config *cfg, const char *fmt, ...) 258 __attribute__((__format__ (printf, 2, 3))) 259 __attribute__((__nonnull__ (2))); 260 int tls_set_error(struct tls *ctx, const char *fmt, ...) 261 __attribute__((__format__ (printf, 2, 3))) 262 __attribute__((__nonnull__ (2))); 263 int tls_set_errorx(struct tls *ctx, const char *fmt, ...) 264 __attribute__((__format__ (printf, 2, 3))) 265 __attribute__((__nonnull__ (2))); 266 int tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...) 267 __attribute__((__format__ (printf, 2, 3))) 268 __attribute__((__nonnull__ (2))); 269 270 int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, 271 const char *prefix); 272 273 int tls_conninfo_populate(struct tls *ctx); 274 void tls_conninfo_free(struct tls_conninfo *conninfo); 275 276 int tls_ocsp_verify_cb(SSL *ssl, void *arg); 277 int tls_ocsp_stapling_cb(SSL *ssl, void *arg); 278 void tls_ocsp_free(struct tls_ocsp *ctx); 279 struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx); 280 int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out, 281 size_t *_outlen); 282 int tls_cert_hash(X509 *_cert, char **_hash); 283 int tls_cert_pubkey_hash(X509 *_cert, char **_hash); 284 285 int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u); 286 287 __END_HIDDEN_DECLS 288 289 /* XXX this function is not fully hidden so relayd can use it */ 290 void tls_config_skip_private_key_check(struct tls_config *config); 291 292 #endif /* HEADER_TLS_INTERNAL_H */ 293