Diffstat (limited to 'src/openvpn/ssl_backend.h')
-rw-r--r--src/openvpn/ssl_backend.h87
1 files changed, 46 insertions, 41 deletions
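diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index c614efa..9d25321 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -5,8 +5,8 @@
 * packet encryption, packet authentication, and
 * packet compression.
 *
- * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
- * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
@@ -125,8 +125,6 @@ int tls_version_parse(const char *vstr, const char *extra);
 */
 int tls_version_max(void);
-#ifdef ENABLE_CRYPTO
-
 /**
 * Initialise a library-specific TLS context for a server.
 *
@@ -201,6 +199,16 @@ void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *cipher
 void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile);
 /**
+ * Set the (elliptic curve) group allowed for signatures and
+ * key exchange.
+ *
+ * @param ctx TLS context to restrict, must be valid.
+ * @param groups List of groups that will be allowed, in priority,
+ * separated by :
+ */
+void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups);
+
+/**
 * Check our certificate notBefore and notAfter fields, and warn if the cert is
 * either not yet valid or has expired. Note that this is a non-fatal error,
 * since we compare against the system time, which might be incorrect.
@@ -215,11 +223,12 @@ void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx);
 *
 * @param ctx TLS context to use
 * @param dh_file The file name to load the parameters from, or
- * "[[INLINE]]" in the case of inline files.
- * @param dh_file_inline A string containing the parameters
+ * a string containing the parameters in the case
+ * of inline files.
+ * @param dh_file_inline True if dh_file is an inline file.
 */
 void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
- const char *dh_file_inline);
+ bool dh_file_inline);
 /**
 * Load Elliptic Curve Parameters, and load them into the library-specific
@@ -237,15 +246,15 @@ void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
 *
 * @param ctx TLS context to use
 * @param pkcs12_file The file name to load the information from, or
- * "[[INLINE]]" in the case of inline files.
- * @param pkcs12_file_inline A string containing the information
+ * a string containing the information in the case
+ * of inline files.
+ * @param pkcs12_file_inline True if pkcs12_file is an inline file.
 *
 * @return 1 if an error occurred, 0 if parsing was
 * successful.
 */
 int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
- const char *pkcs12_file_inline, bool load_ca_file
- );
+ bool pkcs12_file_inline, bool load_ca_file);
 /**
 * Use Windows cryptoapi for key and cert, and add to library-specific TLS
@@ -265,46 +274,41 @@ void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert
 *
 * @param ctx TLS context to use
 * @param cert_file The file name to load the certificate from, or
- * "[[INLINE]]" in the case of inline files.
- * @param cert_file_inline A string containing the certificate
+ * a string containing the certificate in the case
+ * of inline files.
+ * @param cert_file_inline True if cert_file is an inline file.
 */
 void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
- const char *cert_file_inline);
+ bool cert_file_inline);
 /**
 * Load private key file into the given TLS context.
 *
 * @param ctx TLS context to use
 * @param priv_key_file The file name to load the private key from, or
- * "[[INLINE]]" in the case of inline files.
- * @param priv_key_file_inline A string containing the private key
+ * a string containing the private key in the case
+ * of inline files.
+ * @param priv_key_file_inline True if priv_key_file is an inline file
 *
 * @return 1 if an error occurred, 0 if parsing was
 * successful.
 */
 int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
- const char *priv_key_file_inline
- );
+ bool priv_key_file_inline);
-#ifdef MANAGMENT_EXTERNAL_KEY
+#ifdef ENABLE_MANAGEMENT
 /**
 * Tell the management interface to load the given certificate and the external
 * private key matching the given certificate.
 *
 * @param ctx TLS context to use
- * @param cert_file The file name to load the certificate from, or
- * "[[INLINE]]" in the case of inline files.
- * @param cert_file_inline A string containing the certificate
 *
- * @return 1 if an error occurred, 0 if parsing was
- * successful.
+ * @return 1 if an error occurred, 0 if successful.
 */
-int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
- const char *cert_file, const char *cert_file_inline);
-
-#endif
+int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx);
+#endif /* ENABLE_MANAGEMENT */
 /**
 * Load certificate authority certificates from the given file or path.
@@ -313,13 +317,13 @@ int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
 *
 * @param ctx TLS context to use
 * @param ca_file The file name to load the CAs from, or
- * "[[INLINE]]" in the case of inline files.
- * @param ca_file_inline A string containing the CAs
+ * a string containing the CAs in the case of
+ * inline files.
+ * @param ca_file_inline True if ca_file is an inline file
 * @param ca_path The path to load the CAs from
 */
 void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
- const char *ca_file_inline, const char *ca_path, bool tls_server
- );
+ bool ca_file_inline, const char *ca_path, bool tls_server);
 /**
 * Load extra certificate authority certificates from the given file or path.
@@ -329,12 +333,14 @@ void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
 *
 * @param ctx TLS context to use
 * @param extra_certs_file The file name to load the certs from, or
- * "[[INLINE]]" in the case of inline files.
- * @param extra_certs_file_inline A string containing the certs
+ * a string containing the certs in the
+ * case of inline files.
+ * @param extra_certs_file_inline True if extra_certs_file is an inline
+ * file.
 */
-void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
- const char *extra_certs_file_inline
- );
+void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx,
+ const char *extra_certs_file,
+ bool extra_certs_file_inline);
 #ifdef ENABLE_CRYPTO_MBEDTLS
 /**
@@ -377,11 +383,11 @@ void key_state_ssl_free(struct key_state_ssl *ks_ssl);
 *
 * @param ssl_ctx The TLS context to use when reloading the CRL
 * @param crl_file The file name to load the CRL from, or
- * "[[INLINE]]" in the case of inline files.
- * @param crl_inline A string containing the CRL
+ * an array containing the inline CRL.
+ * @param crl_inline True if crl_file is an inline CRL.
 */
 void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
- const char *crl_file, const char *crl_inline);
+ const char *crl_file, bool crl_inline);
 /**
 * Keying Material Exporters [RFC 5705] allows additional keying material to be
@@ -557,5 +563,4 @@ void get_highest_preference_tls_cipher(char *buf, int size);
 */
 const char *get_ssl_library_version(void);
-#endif /* ENABLE_CRYPTO */
 #endif /* SSL_BACKEND_H_ */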
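Review bot: With the new `bool priv_key_file_inline` and `bool pkcs12_file_inline` flags, the `priv_key_file` and `pkcs12_file` arguments now carry the secret itself whenever the flag is true; the updated docstrings state this but do not flag the consequence for implementers, so a backend that reports the failing "file name" in its diagnostics would presumably print key material into the log. I'd add to `tls_ctx_load_priv_file` and `tls_ctx_load_pkcs12` a line such as ` *                      Must not be echoed in log or error output when the` / ` *                      matching *_inline flag is true, as it then holds key material.`, and mirror the caveat on `tls_ctx_load_cert_file`, `tls_ctx_load_ca` and `tls_ctx_load_extra_certs` so the contract reads uniformly across the header. Separately, `backend_tls_ctx_reload_crl` describes the inline form as "an array containing the inline CRL" where every other declaration says "a string containing …"; aligning the wording avoids suggesting a different representation for that one call. The new `tls_ctx_set_tls_groups` docstring also says "group" in the singular while `@param groups` documents a colon-separated priority list; ` * Set the (elliptic curve) groups allowed for signatures and` reads more accurately.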