summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl_backend.h
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2020-09-01 16:52:17 +0200
committerBernhard Schmidt <berni@debian.org>2020-09-01 16:52:17 +0200
commit9fc3b98112217f2d92a67977dbde0987cc7a1803 (patch)
tree29fcc8654ee65d9dd89ade797bea2f3d9dfd9cfd /src/openvpn/ssl_backend.h
parenta8758c0e03eed188dcb9da0e4fd781a67c25bf1e (diff)
parent69b02b1f7fd609d84ace13ab04697158de2418a9 (diff)
Merge branch 'debian/experimental-2.5'
Diffstat (limited to 'src/openvpn/ssl_backend.h')
-rw-r--r--src/openvpn/ssl_backend.h83
1 files changed, 44 insertions, 39 deletions
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index c614efa..7f52ab1 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -125,8 +125,6 @@ int tls_version_parse(const char *vstr, const char *extra);
*/
int tls_version_max(void);
-#ifdef ENABLE_CRYPTO
-
/**
* Initialise a library-specific TLS context for a server.
*
@@ -201,6 +199,16 @@ void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *cipher
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile);
/**
+ * Set the (elliptic curve) group allowed for signatures and
+ * key exchange.
+ *
+ * @param ctx TLS context to restrict, must be valid.
+ * @param groups List of groups that will be allowed, in priority,
+ * separated by :
+ */
+void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups);
+
+/**
* Check our certificate notBefore and notAfter fields, and warn if the cert is
* either not yet valid or has expired. Note that this is a non-fatal error,
* since we compare against the system time, which might be incorrect.
@@ -215,11 +223,12 @@ void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx);
*
* @param ctx TLS context to use
* @param dh_file The file name to load the parameters from, or
- * "[[INLINE]]" in the case of inline files.
- * @param dh_file_inline A string containing the parameters
+ * a string containing the parameters in the case
+ * of inline files.
+ * @param dh_file_inline True if dh_file is an inline file.
*/
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
- const char *dh_file_inline);
+ bool dh_file_inline);
/**
* Load Elliptic Curve Parameters, and load them into the library-specific
@@ -237,15 +246,15 @@ void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
*
* @param ctx TLS context to use
* @param pkcs12_file The file name to load the information from, or
- * "[[INLINE]]" in the case of inline files.
- * @param pkcs12_file_inline A string containing the information
+ * a string containing the information in the case
+ * of inline files.
+ * @param pkcs12_file_inline True if pkcs12_file is an inline file.
*
* @return 1 if an error occurred, 0 if parsing was
* successful.
*/
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
- const char *pkcs12_file_inline, bool load_ca_file
- );
+ bool pkcs12_file_inline, bool load_ca_file);
/**
* Use Windows cryptoapi for key and cert, and add to library-specific TLS
@@ -265,46 +274,41 @@ void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert
*
* @param ctx TLS context to use
* @param cert_file The file name to load the certificate from, or
- * "[[INLINE]]" in the case of inline files.
- * @param cert_file_inline A string containing the certificate
+ * a string containing the certificate in the case
+ * of inline files.
+ * @param cert_file_inline True if cert_file is an inline file.
*/
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
- const char *cert_file_inline);
+ bool cert_file_inline);
/**
* Load private key file into the given TLS context.
*
* @param ctx TLS context to use
* @param priv_key_file The file name to load the private key from, or
- * "[[INLINE]]" in the case of inline files.
- * @param priv_key_file_inline A string containing the private key
+ * a string containing the private key in the case
+ * of inline files.
+ * @param priv_key_file_inline True if priv_key_file is an inline file
*
* @return 1 if an error occurred, 0 if parsing was
* successful.
*/
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
- const char *priv_key_file_inline
- );
+ bool priv_key_file_inline);
-#ifdef MANAGMENT_EXTERNAL_KEY
+#ifdef ENABLE_MANAGEMENT
/**
* Tell the management interface to load the given certificate and the external
* private key matching the given certificate.
*
* @param ctx TLS context to use
- * @param cert_file The file name to load the certificate from, or
- * "[[INLINE]]" in the case of inline files.
- * @param cert_file_inline A string containing the certificate
*
- * @return 1 if an error occurred, 0 if parsing was
- * successful.
+ * @return 1 if an error occurred, 0 if successful.
*/
-int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
- const char *cert_file, const char *cert_file_inline);
-
-#endif
+int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx);
+#endif /* ENABLE_MANAGEMENT */
/**
* Load certificate authority certificates from the given file or path.
@@ -313,13 +317,13 @@ int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
*
* @param ctx TLS context to use
* @param ca_file The file name to load the CAs from, or
- * "[[INLINE]]" in the case of inline files.
- * @param ca_file_inline A string containing the CAs
+ * a string containing the CAs in the case of
+ * inline files.
+ * @param ca_file_inline True if ca_file is an inline file
* @param ca_path The path to load the CAs from
*/
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
- const char *ca_file_inline, const char *ca_path, bool tls_server
- );
+ bool ca_file_inline, const char *ca_path, bool tls_server);
/**
* Load extra certificate authority certificates from the given file or path.
@@ -329,12 +333,14 @@ void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
*
* @param ctx TLS context to use
* @param extra_certs_file The file name to load the certs from, or
- * "[[INLINE]]" in the case of inline files.
- * @param extra_certs_file_inline A string containing the certs
+ * a string containing the certs in the
+ * case of inline files.
+ * @param extra_certs_file_inline True if extra_certs_file is an inline
+ * file.
*/
-void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
- const char *extra_certs_file_inline
- );
+void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx,
+ const char *extra_certs_file,
+ bool extra_certs_file_inline);
#ifdef ENABLE_CRYPTO_MBEDTLS
/**
@@ -377,11 +383,11 @@ void key_state_ssl_free(struct key_state_ssl *ks_ssl);
*
* @param ssl_ctx The TLS context to use when reloading the CRL
* @param crl_file The file name to load the CRL from, or
- * "[[INLINE]]" in the case of inline files.
- * @param crl_inline A string containing the CRL
+ * an array containing the inline CRL.
+ * @param crl_inline True if crl_file is an inline CRL.
*/
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
- const char *crl_file, const char *crl_inline);
+ const char *crl_file, bool crl_inline);
/**
* Keying Material Exporters [RFC 5705] allows additional keying material to be
@@ -557,5 +563,4 @@ void get_highest_preference_tls_cipher(char *buf, int size);
*/
const char *get_ssl_library_version(void);
-#endif /* ENABLE_CRYPTO */
#endif /* SSL_BACKEND_H_ */