Merge tag 'upstream/2.4_beta1'

Upstream version 2.4~beta1
author: Alberto Gonzalez Iniesta <agi@inittab.org> 2016-11-21 09:37:33 +0100
committer: Alberto Gonzalez Iniesta <agi@inittab.org> 2016-11-21 09:37:33 +0100
commit: 93b77cacdbb7e6f310c4e20f85c3a24ed5ba18ba (patch)
tree: 55a7688c9969ef4d01625caa58c7f679098c76eb /src/openvpn/ssl_backend.h
parent: daa9ef0efeb5e10a1b43820fbab3a4ff5fbd22f1 (diff)
parent: 20c8675ba46bda97330a4117c459a59a9f1c465e (diff)
1 files changed, 54 insertions, 13 deletions
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 4b35e51..0777c61 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -38,10 +38,10 @@
 #include "ssl_verify_openssl.h"
 #define SSLAPI SSLAPI_OPENSSL
 #endif
-#ifdef ENABLE_CRYPTO_POLARSSL
-#include "ssl_polarssl.h"
-#include "ssl_verify_polarssl.h"
-#define SSLAPI SSLAPI_POLARSSL
+#ifdef ENABLE_CRYPTO_MBEDTLS
+#include "ssl_mbedtls.h"
+#include "ssl_verify_mbedtls.h"
+#define SSLAPI SSLAPI_MBEDTLS
 #endif
 
 /* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */
@@ -124,21 +124,21 @@ int tls_version_parse(const char *vstr, const char *extra);
  */
 int tls_version_max(void);
 
+#ifdef ENABLE_CRYPTO
+
 /**
  * Initialise a library-specific TLS context for a server.
  *
  * @param ctx		TLS context to initialise
- * @param ssl_flags     SSLF_x flags from ssl_common.h
  */
-void tls_ctx_server_new(struct tls_root_ctx *ctx, unsigned int ssl_flags);
+void tls_ctx_server_new(struct tls_root_ctx *ctx);
 
 /**
  * Initialises a library-specific TLS context for a client.
  *
  * @param ctx		TLS context to initialise
- * @param ssl_flags     SSLF_x flags from ssl_common.h
  */
-void tls_ctx_client_new(struct tls_root_ctx *ctx, unsigned int ssl_flags);
+void tls_ctx_client_new(struct tls_root_ctx *ctx);
 
 /**
  * Frees the library-specific TLSv1 context
@@ -170,8 +170,9 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
 /**
  * Restrict the list of ciphers that can be used within the TLS context.
  *
- * @param ctx		TLS context to restrict
- * @param ciphers	String containing : delimited cipher names.
+ * @param ctx		TLS context to restrict, must be valid.
+ * @param ciphers	String containing : delimited cipher names, or NULL to use
+ *					sane defaults.
  */
 void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
 
@@ -197,6 +198,16 @@ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
     const char *dh_file_inline);
 
 /**
+ * Load Elliptic Curve Parameters, and load them into the library-specific
+ * TLS context.
+ *
+ * @param ctx          TLS context to use
+ * @param curve_name   The name of the elliptic curve to load.
+ */
+void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
+    );
+
+/**
  * Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
  * library-specific TLS context.
  *
@@ -221,7 +232,7 @@ int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
  */
 #ifdef ENABLE_CRYPTOAPI
 void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert);
-#endif /* WIN32 */
+#endif /* _WIN32 */
 
 /**
  * Load certificate file into the given TLS context. If the given certificate
@@ -299,9 +310,9 @@ void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs
     const char *extra_certs_file_inline
     );
 
-#ifdef ENABLE_CRYPTO_POLARSSL
+#ifdef ENABLE_CRYPTO_MBEDTLS
 /**
- * Add a personalisation string to the PolarSSL RNG, based on the certificate
+ * Add a personalisation string to the mbed TLS RNG, based on the certificate
  * loaded into the given context.
  *
  * @param ctx			TLS context to use
@@ -334,6 +345,30 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
  */
 void key_state_ssl_free(struct key_state_ssl *ks_ssl);
 
+/**
+ * Reload the Certificate Revocation List for the SSL channel
+ *
+ * @param ssl_ctx       The TLS context to use when reloading the CRL
+ * @param crl_file      The file name to load the CRL from, or
+ *                      "[[INLINE]]" in the case of inline files.
+ * @param crl_inline    A string containing the CRL
+ */
+void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
+    const char *crl_file, const char *crl_inline);
+
+/**
+ * Keying Material Exporters [RFC 5705] allows additional keying material to be
+ * derived from existing TLS channel. This exported keying material can then be
+ * used for a variety of purposes.
+ *
+ * @param ks_ssl       The SSL channel's state info
+ * @param session      The session associated with the given key_state
+ */
+
+void
+key_state_export_keying_material(struct key_state_ssl *ks_ssl,
+    struct tls_session *session) __attribute__((nonnull));
+
 /**************************************************************************/
 /** @addtogroup control_tls
  *  @{ */
@@ -472,6 +507,11 @@ void print_details (struct key_state_ssl * ks_ssl, const char *prefix);
 void show_available_tls_ciphers (const char *tls_ciphers);
 
 /*
+ * Show the available elliptic curves in the crypto library
+ */
+void show_available_curves (void);
+
+/*
  * The OpenSSL library has a notion of preference in TLS ciphers.  Higher
  * preference == more secure. Return the highest preference cipher.
  */
@@ -483,4 +523,5 @@ void get_highest_preference_tls_cipher (char *buf, int size);
  */
 const char * get_ssl_library_version(void);
 
+#endif /* ENABLE_CRYPTO */
 #endif /* SSL_BACKEND_H_ */
author	Alberto Gonzalez Iniesta <agi@inittab.org>	2016-11-21 09:37:33 +0100
committer	Alberto Gonzalez Iniesta <agi@inittab.org>	2016-11-21 09:37:33 +0100
commit	93b77cacdbb7e6f310c4e20f85c3a24ed5ba18ba (patch)
tree	55a7688c9969ef4d01625caa58c7f679098c76eb /src/openvpn/ssl_backend.h
parent	daa9ef0efeb5e10a1b43820fbab3a4ff5fbd22f1 (diff)
parent	20c8675ba46bda97330a4117c459a59a9f1c465e (diff)