1 /* $OpenBSD: tls_internal.h,v 1.43 2016/09/04 12:26:43 bcook Exp $ */
2 /*
3  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #ifndef HEADER_TLS_INTERNAL_H
20 #define HEADER_TLS_INTERNAL_H
21 
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24 
25 #include <openssl/ssl.h>
26 
/*
 * Default CA bundle. Presumably consulted when a config supplies neither
 * ca_path nor ca_mem (see struct tls_config below) — confirm in tls_config.c.
 */
#define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"

/*
 * OpenSSL/LibreSSL cipher-list strings selectable through the config API.
 *
 * DEFAULT  TLS 1.2 AEAD suites with ECDHE or DHE key exchange only, i.e.
 *          authenticated encryption plus forward secrecy.
 * COMPAT   "HIGH"-strength suites, minus anonymous key exchange (!aNULL).
 * LEGACY   COMPAT plus "MEDIUM"-strength suites, still no anonymous exchange.
 * ALL      every suite except anonymous (!aNULL) and null-cipher (!eNULL) ones.
 *
 * The concrete suite set behind each string is resolved at runtime by the
 * library's cipher parser, so it can shift between library releases.
 */
#define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
#define TLS_CIPHERS_COMPAT	"HIGH:!aNULL"
#define TLS_CIPHERS_LEGACY	"HIGH:MEDIUM:!aNULL"
#define TLS_CIPHERS_ALL		"ALL:!aNULL:!eNULL"
33 
/*
 * Storage for either an IPv4 or an IPv6 address. The two members overlap;
 * only one is meaningful at a time and the user of the union must track
 * which (nothing in this header records the address family).
 */
union tls_addr {
	struct in_addr ip4;	/* IPv4 address */
	struct in6_addr ip6;	/* IPv6 address */
};
38 
/*
 * Last error recorded on a context or a config. Filled in by the
 * tls_error_set() family declared further down in this header.
 */
struct tls_error {
	char *msg;	/* human-readable text; presumably heap-allocated by the setters — confirm against tls.c */
	int num;	/* numeric code; looks like a saved errno value — verify */
};
43 
/*
 * One certificate plus its private key, kept in memory. Pairs form a singly
 * linked list so a config can hold several (presumably one per SNI name;
 * see struct tls_sni_ctx below).
 */
struct tls_keypair {
	struct tls_keypair *next;	/* next pair in the list, NULL at the end */

	char *cert_mem;		/* certificate bytes; encoding is not fixed by this header */
	size_t cert_len;	/* number of bytes in cert_mem */
	char *key_mem;		/* private key bytes — secret material. Whoever frees this
				 * should wipe it first (explicit_bzero); verify the free path does. */
	size_t key_len;		/* number of bytes in key_mem */
};
52 
/*
 * Configuration shared by the contexts created from it. Everything here is
 * set through the public tls_config_* API and consumed when an SSL_CTX is
 * built (tls_configure_ssl* below).
 *
 * Ownership note: ca_path is a const pointer while ca_mem/alpn/ciphers mix
 * const and non-const; which of these the config owns and frees is not
 * visible from this header — check the matching setters before changing any
 * of them.
 */
struct tls_config {
	struct tls_error error;		/* last config-level error */

	char *alpn;			/* ALPN protocol list; presumably already in the
					 * length-prefixed wire format OpenSSL expects — confirm */
	size_t alpn_len;		/* number of bytes in alpn */
	const char *ca_path;		/* path of the CA bundle file */
	char *ca_mem;			/* CA certificate bytes held in memory */
	size_t ca_len;			/* number of bytes in ca_mem */
	const char *ciphers;		/* cipher-list string, e.g. one of TLS_CIPHERS_* */
	int ciphers_server;		/* flag; semantics (server cipher preference?) not established here */
	int dheparams;			/* DHE parameter selection; encoding of the value not established here */
	int ecdhecurve;			/* ECDHE curve selection; looks like a curve identifier — verify */
	struct tls_keypair *keypair;	/* head of the certificate/key list */
	uint32_t protocols;		/* bitmask of permitted protocol versions (TLS_PROTOCOL_* in tls.h) */

	/*
	 * Peer-authentication knobs. Clearing any of these weakens or removes
	 * the authentication of the remote side; they exist for deliberate
	 * opt-outs, not as defaults.
	 */
	int verify_cert;		/* verify the peer certificate chain at all */
	int verify_client;		/* server side: require/verify a client certificate */
	int verify_depth;		/* maximum accepted chain depth */
	int verify_name;		/* check the certificate against the expected server name */
	int verify_time;		/* check the certificate validity period */
};
73 
/*
 * Per-connection facts gathered after the handshake (tls_conninfo_populate
 * below) and handed out through the tls_conn_* / tls_peer_cert_* accessors in
 * tls.h. All strings are owned by this struct and released by
 * tls_conninfo_free; allocation details are not visible from here.
 *
 * time_t is used without including <time.h>; the header currently relies on
 * <openssl/ssl.h> pulling it in transitively.
 */
struct tls_conninfo {
	char *alpn;		/* ALPN protocol negotiated, if any */
	char *cipher;		/* cipher suite in use */
	char *servername;	/* server name for this connection */
	char *version;		/* protocol version negotiated */

	char *hash;		/* peer certificate hash; hash algorithm/format not fixed here */
	char *issuer;		/* peer certificate issuer */
	char *subject;		/* peer certificate subject */

	time_t notbefore;	/* start of the peer certificate validity period */
	time_t notafter;	/* end of the peer certificate validity period */
};
87 
/*
 * Context-kind bits; presumably stored in struct tls::flags (they are
 * defined as distinct single bits so they can be OR'd and tested).
 */
#define TLS_CLIENT		(1 << 0)
#define TLS_SERVER		(1 << 1)
#define TLS_SERVER_CONN		(1 << 2)

/*
 * Connection-progress bits; presumably stored in struct tls::state.
 * TLS_EOF_NO_CLOSE_NOTIFY records an EOF that arrived without a TLS
 * close_notify alert, i.e. a possibly truncated stream.
 */
#define TLS_EOF_NO_CLOSE_NOTIFY	(1 << 0)
#define TLS_HANDSHAKE_COMPLETE	(1 << 1)
94 
/*
 * One SSL_CTX together with the certificate it serves, kept in a singly
 * linked list — presumably one entry per server name so the right
 * certificate can be chosen from the SNI extension. Ownership of the two
 * OpenSSL objects belongs to tls_sni_ctx_free (see below).
 */
struct tls_sni_ctx {
	struct tls_sni_ctx *next;	/* next entry, NULL at the end */

	SSL_CTX *ssl_ctx;		/* SSL_CTX configured for this entry */
	X509 *ssl_cert;			/* certificate this entry presents */
};
101 
/*
 * A libtls context: either a client, a listening server, or a per-connection
 * server context (see the TLS_CLIENT/TLS_SERVER/TLS_SERVER_CONN bits).
 * Created by tls_new / tls_server_conn below.
 */
struct tls {
	struct tls_config *config;	/* configuration in effect; whether it is shared or owned is not visible here */
	struct tls_error error;		/* last error on this context */

	uint32_t flags;			/* context-kind bits (TLS_CLIENT etc.) — presumed */
	uint32_t state;			/* progress bits (TLS_HANDSHAKE_COMPLETE etc.) — presumed */

	char *servername;		/* server name for SNI and name verification — presumed */
	int socket;			/* file descriptor for the connection; presumably unused when read_cb/write_cb are set */

	SSL *ssl_conn;			/* the OpenSSL connection object */
	SSL_CTX *ssl_ctx;		/* the OpenSSL context the connection was made from */

	struct tls_sni_ctx *sni_ctx;	/* list of per-name SSL_CTX entries (server side) */

	X509 *ssl_peer_cert;		/* peer certificate, once available */

	struct tls_conninfo *conninfo;	/* post-handshake facts, filled by tls_conninfo_populate */

	tls_read_cb read_cb;		/* user-supplied transport read, installed via tls_set_cbs */
	tls_write_cb write_cb;		/* user-supplied transport write, installed via tls_set_cbs */
	void *cb_arg;			/* opaque argument handed to read_cb/write_cb */
};
125 
/* Allocate an empty struct tls_sni_ctx; NULL on allocation failure by the usual convention — verify. */
struct tls_sni_ctx *tls_sni_ctx_new(void);
/* Release sni_ctx and, presumably, the SSL_CTX and X509 it holds (and the rest of its list — confirm). */
void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
128 
/* Allocate a bare struct tls; the public tls_client()/tls_server() are expected to build on it. */
struct tls *tls_new(void);
/* Create the per-connection server context derived from listening context ctx. */
struct tls *tls_server_conn(struct tls *ctx);
131 
/*
 * Check that cert is valid for servername (hostname verification). This is
 * the check that turns a valid chain into "the peer I meant to talk to";
 * the return-value convention is not visible here — confirm before relying
 * on the sign of the result.
 */
int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
/* Apply ctx->config to a server context. */
int tls_configure_server(struct tls *ctx);
134 
/* Apply the generic parts of ctx->config (protocols, ciphers, ...) to ssl_ctx. */
int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx);
/*
 * Load keypair into ssl_ctx. 'required' presumably makes a missing pair an
 * error rather than a no-op — confirm against tls.c.
 */
int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
    struct tls_keypair *keypair, int required);
/* Install the peer-verification settings on ssl_ctx; 'verify' selects whether verification is enforced — presumed. */
int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify);
139 
/* Drive the client side of the handshake on ctx; presumably returns the TLS_WANT_* convention of tls.h on would-block — confirm. */
int tls_handshake_client(struct tls *ctx);
/* Drive the server side of the handshake on ctx. */
int tls_handshake_server(struct tls *ctx);
142 
/*
 * Read the whole of filename into a buffer returned through *buf/*len.
 * filetype is a label used in error messages (e.g. which kind of file
 * failed) — presumed from the signature. The buffer may hold a private key,
 * so its owner should wipe it before freeing; errors go to 'error'.
 */
int tls_config_load_file(struct tls_error *error, const char *filetype,
    const char *filename, char **buf, size_t *len);
/*
 * Split a "host:port" string into *host and *port. Whether the outputs are
 * freshly allocated (and must be freed by the caller) is not visible here —
 * check the definition before using it.
 */
int tls_host_port(const char *hostport, char **host, char **port);
146 
/* Install user transport callbacks on ctx; cb_arg is passed back to both callbacks unchanged. */
int tls_set_cbs(struct tls *ctx,
    tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg);
149 
/*
 * Error-recording helpers. All take a printf-style format: the
 * format(printf, 2, 3) attribute makes the compiler check the arguments
 * against fmt, and nonnull(2) forbids a NULL fmt. Always pass a string
 * literal as fmt — never caller-controlled text — or the format check is
 * lost and a format-string bug becomes possible.
 *
 * By the BSD err()/errx() naming convention the _set variants would append
 * the strerror(errno) text and the _setx variants would not; that is not
 * established by this header — confirm in tls.c.
 */
int tls_error_set(struct tls_error *error, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_error_setx(struct tls_error *error, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
/* Same pair, recording into cfg->error. */
int tls_config_set_error(struct tls_config *cfg, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_config_set_errorx(struct tls_config *cfg, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
/* Same pair, recording into ctx->error. */
int tls_set_error(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
168 
/*
 * Translate the result ssl_ret of an OpenSSL call on ssl_conn into a libtls
 * return value, recording a message prefixed with 'prefix' on ctx when it is
 * an error. Presumably maps SSL_ERROR_WANT_READ/WRITE to the TLS_WANT_*
 * values of tls.h — confirm.
 */
int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
    const char *prefix);
171 
/* Fill ctx->conninfo from the completed connection (peer certificate, cipher, version, ...). */
int tls_conninfo_populate(struct tls *ctx);
/* Release conninfo and the strings it owns. */
void tls_conninfo_free(struct tls_conninfo *conninfo);
174 
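/*
 * Parse an ASN.1 time string into a broken-down time.
 *
 * bytes/len: the raw time string; it is length-delimited, so it need not be
 *            NUL-terminated (certificate time fields are not).
 * tm:        receives the parsed broken-down time.
 * mode:      selects which ASN.1 time form is accepted; the accepted values
 *            are defined with the implementation, not here.
 *
 * Returns: an int whose convention is not visible from this header — check
 * the definition before testing its sign. Parameter names are declared here
 * so the prototype documents itself; they do not affect the ABI.
 */
int asn1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode);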
176 
177 #endif /* HEADER_TLS_INTERNAL_H */