summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl_backend.h
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2018-03-04 22:22:32 +0100
committerBernhard Schmidt <berni@debian.org>2018-03-04 22:22:32 +0100
commit70bdede29c1725428ff5d1edd12303ba5474d2a3 (patch)
tree118c2b9adb156a129bd0a04d980f00ba01fc8264 /src/openvpn/ssl_backend.h
parentbd24a09dcb08e98bba26e316fd46e1b5d0590afb (diff)
parentcf55ab99392458e723c7ebcc32c19bbd225b1f4b (diff)
Update upstream source from tag 'upstream/2.4.5'
Update to upstream version '2.4.5' with Debian dir bfadc11012753514e3836a4dc88a94fd7d0f8314
Diffstat (limited to 'src/openvpn/ssl_backend.h')
-rw-r--r--src/openvpn/ssl_backend.h26
1 files changed, 21 insertions, 5 deletions
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index aba5a4d..e704de8 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -5,8 +5,8 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
- * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -114,6 +114,7 @@ void tls_clear_error(void);
#define TLS_VER_1_0 1
#define TLS_VER_1_1 2
#define TLS_VER_1_2 3
+#define TLS_VER_1_3 4
int tls_version_parse(const char *vstr, const char *extra);
/**
@@ -164,8 +165,10 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx);
*
* @param ctx TLS context to set options on
* @param ssl_flags SSL flags to set
+ *
+ * @return true on success, false otherwise.
*/
-void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
+bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
/**
* Restrict the list of ciphers that can be used within the TLS context.
@@ -177,6 +180,16 @@ void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
/**
+ * Set the TLS certificate profile. The profile defines which crypto
+ * algorithms may be used in the supplied certificate.
+ *
+ * @param ctx TLS context to restrict, must be valid.
+ * @param profile The profile name ('preferred', 'legacy' or 'suiteb').
+ * Defaults to 'preferred' if NULL.
+ */
+void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile);
+
+/**
* Check our certificate notBefore and notAfter fields, and warn if the cert is
* either not yet valid or has expired. Note that this is a non-fatal error,
* since we compare against the system time, which might be incorrect.
@@ -505,9 +518,12 @@ void print_details(struct key_state_ssl *ks_ssl, const char *prefix);
* Show the TLS ciphers that are available for us to use in the OpenSSL
* library.
*
- * @param - list of allowed TLS cipher, or NULL.
+ * @param cipher_list list of allowed TLS cipher, or NULL.
+ * @param tls_cert_profile TLS certificate crypto profile name.
*/
-void show_available_tls_ciphers(const char *tls_ciphers);
+void
+show_available_tls_ciphers(const char *cipher_list,
+ const char *tls_cert_profile);
/*
* Show the available elliptic curves in the crypto library