1 /* $OpenBSD: tls_internal.h,v 1.29 2016/05/27 14:38:40 jsing Exp $ */
2 /*
3  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #ifndef HEADER_TLS_INTERNAL_H
20 #define HEADER_TLS_INTERNAL_H
21 
22 #include <arpa/inet.h>
23 #include <netinet/in.h>
24 
25 #include <openssl/ssl.h>
26 
/*
 * Default CA bundle location. Presumably the fallback used when a config
 * sets none of ca_file/ca_path/ca_mem (see struct tls_config below);
 * confirm in the config code. The _PATH_ prefix follows the BSD <paths.h>
 * convention.
 */
#define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"

/*
 * OpenSSL cipher-list strings. COMPAT keeps every suite except those with
 * no authentication (!aNULL) or no encryption (!eNULL). DEFAULT is far
 * stricter: only TLSv1.2 AEAD suites with ephemeral (ECDHE or DHE) key
 * exchange, i.e. forward-secret AEAD ciphers only.
 */
#define TLS_CIPHERS_COMPAT	"ALL:!aNULL:!eNULL"
#define TLS_CIPHERS_DEFAULT	"TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
31 
/*
 * Storage for either an IPv4 or an IPv6 address. There is no tag: the
 * code using it must know which member is valid.
 */
union tls_addr {
	struct in_addr ip4;
	struct in6_addr ip6;
};
36 
/*
 * Error state embedded in both struct tls_config and struct tls.
 * msg is presumably the formatted message produced by the
 * tls_*error_set*() helpers declared below; num looks like an errno
 * value — confirm both in the setters.
 */
struct tls_error {
	char *msg;
	int num;
};
41 
/*
 * One certificate/private-key pair. Chained through next, so a config can
 * carry several; the list head is tls_config.keypair.
 *
 * *_file are paths and *_mem/*_len are in-memory copies. The file pointers
 * are const, which suggests they are not owned here, while the *_mem
 * buffers are plain char * and presumably are — confirm in the code that
 * frees a keypair. NOTE(review): key_mem holds private-key bytes; the
 * free path should wipe it (explicit_bzero) before releasing, not just
 * free() it.
 */
struct tls_keypair {
	struct tls_keypair *next;

	const char *cert_file;
	char *cert_mem;
	size_t cert_len;
	const char *key_file;
	char *key_mem;
	size_t key_len;
};
52 
/*
 * Settings applied to a struct tls at configure time, presumably filled in
 * by the public tls_config_*() setters. The CA fields follow the keypair
 * layout: ca_file/ca_path are const (presumably not owned), ca_mem is an
 * owned copy of ca_len bytes.
 *
 * error          last error recorded for this config (see struct tls_error)
 * ciphers        OpenSSL cipher-list string (cf. TLS_CIPHERS_* above)
 * ciphers_server NOTE(review): reads as "prefer the server's cipher
 *                order"; confirm where it is consumed
 * dheparams,
 * ecdhecurve     integer selectors; their encoding is defined where they
 *                are set, not in this header
 * protocols      bitmask of enabled protocol versions — assumed; the bit
 *                values are not declared here
 * verify_*       boolean-valued switches, except verify_depth which reads
 *                as a count (chain depth) — confirm
 */
struct tls_config {
	struct tls_error error;

	const char *ca_file;
	const char *ca_path;
	char *ca_mem;
	size_t ca_len;
	const char *ciphers;
	int ciphers_server;
	int dheparams;
	int ecdhecurve;
	struct tls_keypair *keypair;
	uint32_t protocols;
	int verify_cert;
	int verify_client;
	int verify_depth;
	int verify_name;
	int verify_time;
};
72 
/*
 * Human-readable details of the peer certificate and the negotiated
 * session, presumably populated by tls_get_conninfo() and released by
 * tls_free_conninfo() (both declared below). The char * members are
 * presumably heap strings owned by this struct; notbefore/notafter are
 * the certificate validity bounds as time_t.
 */
struct tls_conninfo {
	char *issuer;
	char *subject;
	char *hash;
	char *serial;
	char *fingerprint;
	char *version;
	char *cipher;
	time_t notbefore;
	time_t notafter;
};
84 
/*
 * Role bits, presumably tested against tls.flags. By its name,
 * TLS_SERVER_CONN marks a per-connection context produced by
 * tls_server_conn() from a TLS_SERVER listener — confirm.
 */
#define TLS_CLIENT		(1 << 0)
#define TLS_SERVER		(1 << 1)
#define TLS_SERVER_CONN		(1 << 2)

/*
 * Connection-state bits, presumably tested against tls.state. They reuse
 * bit positions 0 and 1 of the role bits above (TLS_CLIENT and
 * TLS_EOF_NO_CLOSE_NOTIFY are numerically equal), so a test against the
 * wrong field compiles silently: keep the two sets strictly apart.
 */
#define TLS_EOF_NO_CLOSE_NOTIFY	(1 << 0)
#define TLS_HANDSHAKE_COMPLETE	(1 << 1)
91 
/*
 * A libtls context: a client, a server listener, or a server-side
 * connection (see the TLS_* role bits above).
 *
 * config        settings this context is configured from
 * error         last error for this context (cf. tls_set_error*() below)
 * flags         role bits TLS_CLIENT/TLS_SERVER/TLS_SERVER_CONN — assumed
 * state         TLS_EOF_NO_CLOSE_NOTIFY/TLS_HANDSHAKE_COMPLETE — assumed
 * servername    expected peer name, presumably an owned string; cf. the
 *               servername argument of tls_check_name()
 * socket        underlying file descriptor
 * ssl_conn,
 * ssl_ctx       libssl connection object and its context
 * ssl_peer_cert peer's certificate once available
 * conninfo      session details, see struct tls_conninfo
 */
struct tls {
	struct tls_config *config;
	struct tls_error error;

	uint32_t flags;
	uint32_t state;

	char *servername;
	int socket;

	SSL *ssl_conn;
	SSL_CTX *ssl_ctx;
	X509 *ssl_peer_cert;
	struct tls_conninfo *conninfo;
};
107 
/*
 * Constructors. tls_new() allocates a bare context; tls_server_conn()
 * derives a per-connection context from a server listener ctx. Both
 * presumably return NULL on failure — confirm.
 */
struct tls *tls_new(void);
struct tls *tls_server_conn(struct tls *ctx);

/*
 * Internal configuration and handshake steps. The int results are
 * presumably 0 on success and -1 on failure with the detail recorded in
 * ctx->error — confirm per function.
 *
 * tls_check_name(): matches cert against servername. This is the hostname
 * verification step, so callers must act on its result explicitly and
 * never treat "could not check" as "matched".
 * tls_configure_keypair(): installs keypair into ssl_ctx; 'required'
 * presumably turns a missing keypair into an error instead of a no-op.
 * tls_configure_ssl_verify(): 'verify' presumably maps onto libssl's
 * verify mode.
 * tls_host_port(): splits hostport into *host and *port; by the char **
 * out-params these look like freshly allocated strings the caller must
 * free — confirm.
 */
int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
int tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
    struct tls_keypair *keypair, int required);
int tls_configure_server(struct tls *ctx);
int tls_configure_ssl(struct tls *ctx);
int tls_configure_ssl_verify(struct tls *ctx, int verify);
int tls_handshake_client(struct tls *ctx);
int tls_handshake_server(struct tls *ctx);
int tls_host_port(const char *hostport, char **host, char **port);
120 
/*
 * Error recording. Three targets (a bare struct tls_error, a tls_config,
 * a tls), each in two flavours named after err(3)/errx(3): the plain form
 * presumably also records errno, the 'x' form does not — confirm in the
 * implementation.
 *
 * The format attribute lets the compiler check fmt against the variadic
 * arguments (-Wformat) and nonnull(2) rejects a NULL fmt. Callers must
 * still pass a literal format string and route any externally supplied
 * text (peer names, file paths, library messages) through %s, never as
 * fmt itself.
 */
int tls_error_set(struct tls_error *error, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_error_setx(struct tls_error *error, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_config_set_error(struct tls_config *cfg, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_config_set_errorx(struct tls_config *cfg, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_set_error(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
int tls_set_errorx(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
    __attribute__((__nonnull__ (2)));
139 
/*
 * tls_ssl_error(): presumably translates the libssl result ssl_ret of an
 * operation on ssl_conn into a tls error whose message starts with prefix.
 */
int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
    const char *prefix);

/*
 * tls_get_conninfo() presumably fills ctx->conninfo; tls_free_conninfo()
 * releases a struct tls_conninfo together with the strings it owns.
 */
int tls_get_conninfo(struct tls *ctx);
void tls_free_conninfo(struct tls_conninfo *conninfo);

/*
 * asn1_time_parse(): ASN.1 time parser, presumably an internal libcrypto
 * routine re-declared here. It is the only prototype in this header
 * without parameter names. It needs struct tm, which this header (like
 * time_t, size_t and uint32_t above) only obtains transitively through
 * <openssl/ssl.h>; explicit <time.h>, <stddef.h> and <stdint.h> includes
 * would make the header self-contained.
 */
int asn1_time_parse(const char *, size_t, struct tm *, int);
147 
148 #endif /* HEADER_TLS_INTERNAL_H */