diff options
| author | Bernhard Schmidt <berni@debian.org> | 2020-08-15 21:29:54 +0200 |
|---|---|---|
| committer | Bernhard Schmidt <berni@debian.org> | 2020-08-15 21:29:54 +0200 |
| commit | 7c229d538824cb679351220ad8911f7b2daa7c23 (patch) | |
| tree | 5c4d64b60da9018c7db3a9335a9787d326beade3 /src/openvpn/ssl_mbedtls.h | |
| parent | d3986a312f5fbcfd0e78e6b147eef419fb4e5f54 (diff) | |
| parent | 1079962e4c06f88a54e50d997c1b7e84303d30b4 (diff) | |
Update upstream source from tag 'upstream/2.5_beta1'
Update to upstream version '2.5~beta1'
with Debian dir d53f9a482ac24eb491a294b26c24bb1d87afad24
Diffstat (limited to 'src/openvpn/ssl_mbedtls.h')
| -rw-r--r-- | src/openvpn/ssl_mbedtls.h | 53 |
1 files changed, 47 insertions, 6 deletions
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index f99aba1..0525134 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -33,9 +33,10 @@ #include <mbedtls/ssl.h> #include <mbedtls/x509_crt.h> +#include <mbedtls/version.h> #if defined(ENABLE_PKCS11) -#include <mbedtls/pkcs11.h> +#include <pkcs11-helper-1.0/pkcs11h-certificate.h> #endif typedef struct _buffer_entry buffer_entry; @@ -58,6 +59,30 @@ typedef struct { } bio_ctx; /** + * External signing function prototype. A function pointer to a function + * implementing this prototype is provided to + * tls_ctx_use_external_signing_func(). + * + * @param sign_ctx The context for the signing function. + * @param src The data to be signed, + * @param src_len The length of src, in bytes. + * @param dst The destination buffer for the signature. + * @param dst_len The length of the destination buffer. + * + * @return true if signing succeeded, false otherwise. + */ +typedef bool (*external_sign_func)( + void *sign_ctx, const void *src, size_t src_size, + void *dst, size_t dst_size); + +/** Context used by external_pkcs1_sign() */ +struct external_context { + size_t signature_length; + external_sign_func sign; + void *sign_ctx; +}; + +/** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. * @@ -75,13 +100,12 @@ struct tls_root_ctx { mbedtls_x509_crl *crl; /**< Certificate Revocation List */ time_t crl_last_mtime; /**< CRL last modification time */ off_t crl_last_size; /**< size of last loaded CRL */ -#if defined(ENABLE_PKCS11) - mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ -#endif -#ifdef MANAGMENT_EXTERNAL_KEY - struct external_context *external_key; /**< Management external key */ +#ifdef ENABLE_PKCS11 + pkcs11h_certificate_t pkcs11_cert; /**< PKCS11 certificate */ #endif + struct external_context external_key; /**< External key context */ int *allowed_ciphers; /**< List of allowed ciphers for this connection */ + mbedtls_ecp_group_id *groups; /**< List of allowed groups for this connection */ mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */ }; @@ -89,7 +113,24 @@ struct key_state_ssl { mbedtls_ssl_config *ssl_config; /**< mbedTLS global ssl config */ mbedtls_ssl_context *ctx; /**< mbedTLS connection context */ bio_ctx *bio_ctx; + + /** Keying material exporter cache (RFC 5705). */ + uint8_t *exported_key_material; + }; +/** + * Call the supplied signing function to create a TLS signature during the + * TLS handshake. + * + * @param ctx TLS context to use. + * @param sign_func Signing function to call. + * @param sign_ctx Context for the sign function. + * + * @return 0 if successful, 1 if an error occurred. + */ +int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, + external_sign_func sign_func, + void *sign_ctx); #endif /* SSL_MBEDTLS_H_ */ |