Diffstat (limited to 'src/openvpn/ssl_backend.h')
-rw-r--r--src/openvpn/ssl_backend.h214
1 files changed, 109 insertions, 105 deletions
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 3fbd2b4..206400f 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -5,8 +5,8 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
- * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -57,11 +57,11 @@ struct tls_session;
/**
* Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name
*
- * @param cipher_name Can be either OpenSSL or IANA cipher name
- * @return tls_cipher_name_pair* if found, NULL otherwise
+ * @param cipher_name Can be either OpenSSL or IANA cipher name
+ * @return tls_cipher_name_pair* if found, NULL otherwise
*/
typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair;
-const tls_cipher_name_pair *tls_get_cipher_name_pair (const char *cipher_name, size_t len);
+const tls_cipher_name_pair *tls_get_cipher_name_pair(const char *cipher_name, size_t len);
/*
*
@@ -72,12 +72,12 @@ const tls_cipher_name_pair *tls_get_cipher_name_pair (const char *cipher_name, s
/**
* Callback to retrieve the user's password
*
- * @param buf Buffer to return the password in
- * @param size Size of the buffer
- * @param rwflag Unused, needed for OpenSSL compatibility
- * @param u Unused, needed for OpenSSL compatibility
+ * @param buf Buffer to return the password in
+ * @param size Size of the buffer
+ * @param rwflag Unused, needed for OpenSSL compatibility
+ * @param u Unused, needed for OpenSSL compatibility
*/
-int pem_password_callback (char *buf, int size, int rwflag, void *u);
+int pem_password_callback(char *buf, int size, int rwflag, void *u);
/*
*
@@ -95,6 +95,7 @@ void tls_init_lib();
* Free any global SSL library-specific data structures.
*/
void tls_free_lib();
+
/**
* Clear the underlying SSL library's error state.
*/
@@ -103,10 +104,10 @@ void tls_clear_error();
/**
* Parse a TLS version specifier
*
- * @param vstr The TLS version string
- * @param extra An optional extra parameter, may be NULL
+ * @param vstr The TLS version string
+ * @param extra An optional extra parameter, may be NULL
*
- * @return One of the TLS_VER_x constants or TLS_VER_BAD
+ * @return One of the TLS_VER_x constants or TLS_VER_BAD
* if a parse error should be flagged.
*/
#define TLS_VER_BAD -1
@@ -120,7 +121,7 @@ int tls_version_parse(const char *vstr, const char *extra);
* Return the maximum TLS version (as a TLS_VER_x constant)
* supported by current SSL implementation
*
- * @return One of the TLS_VER_x constants (but not TLS_VER_BAD).
+ * @return One of the TLS_VER_x constants (but not TLS_VER_BAD).
*/
int tls_version_max(void);
@@ -129,30 +130,30 @@ int tls_version_max(void);
/**
* Initialise a library-specific TLS context for a server.
*
- * @param ctx TLS context to initialise
+ * @param ctx TLS context to initialise
*/
void tls_ctx_server_new(struct tls_root_ctx *ctx);
/**
* Initialises a library-specific TLS context for a client.
*
- * @param ctx TLS context to initialise
+ * @param ctx TLS context to initialise
*/
void tls_ctx_client_new(struct tls_root_ctx *ctx);
/**
* Frees the library-specific TLSv1 context
*
- * @param ctx TLS context to free
+ * @param ctx TLS context to free
*/
void tls_ctx_free(struct tls_root_ctx *ctx);
/**
* Checks whether the given TLS context is initialised
*
- * @param ctx TLS context to check
+ * @param ctx TLS context to check
*
- * @return true if the context is initialised, false if not.
+ * @return true if the context is initialised, false if not.
*/
bool tls_ctx_initialised(struct tls_root_ctx *ctx);
@@ -162,17 +163,17 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx);
* Examples include disabling session caching, the password callback to use,
* and session verification parameters.
*
- * @param ctx TLS context to set options on
- * @param ssl_flags SSL flags to set
+ * @param ctx TLS context to set options on
+ * @param ssl_flags SSL flags to set
*/
-void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
+void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
/**
* Restrict the list of ciphers that can be used within the TLS context.
*
- * @param ctx TLS context to restrict, must be valid.
- * @param ciphers String containing : delimited cipher names, or NULL to use
- * sane defaults.
+ * @param ctx TLS context to restrict, must be valid.
+ * @param ciphers String containing : delimited cipher names, or NULL to use
+ * sane defaults.
*/
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
@@ -181,21 +182,21 @@ void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
* either not yet valid or has expired. Note that this is a non-fatal error,
* since we compare against the system time, which might be incorrect.
*
- * @param ctx TLS context to get our certificate from.
+ * @param ctx TLS context to get our certificate from.
*/
-void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx);
+void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx);
/**
* Load Diffie Hellman Parameters, and load them into the library-specific
* TLS context.
*
- * @param ctx TLS context to use
- * @param dh_file The file name to load the parameters from, or
- * "[[INLINE]]" in the case of inline files.
- * @param dh_file_inline A string containing the parameters
+ * @param ctx TLS context to use
+ * @param dh_file The file name to load the parameters from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param dh_file_inline A string containing the parameters
*/
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
- const char *dh_file_inline);
+ const char *dh_file_inline);
/**
* Load Elliptic Curve Parameters, and load them into the library-specific
@@ -205,61 +206,62 @@ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
* @param curve_name The name of the elliptic curve to load.
*/
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
- );
+ );
/**
* Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
* library-specific TLS context.
*
- * @param ctx TLS context to use
- * @param pkcs12_file The file name to load the information from, or
- * "[[INLINE]]" in the case of inline files.
- * @param pkcs12_file_inline A string containing the information
+ * @param ctx TLS context to use
+ * @param pkcs12_file The file name to load the information from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param pkcs12_file_inline A string containing the information
*
- * @return 1 if an error occurred, 0 if parsing was
- * successful.
+ * @return 1 if an error occurred, 0 if parsing was
+ * successful.
*/
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
- const char *pkcs12_file_inline, bool load_ca_file
- );
+ const char *pkcs12_file_inline, bool load_ca_file
+ );
/**
* Use Windows cryptoapi for key and cert, and add to library-specific TLS
* context.
*
- * @param ctx TLS context to use
- * @param crypto_api_cert String representing the certificate to load.
+ * @param ctx TLS context to use
+ * @param crypto_api_cert String representing the certificate to load.
*/
#ifdef ENABLE_CRYPTOAPI
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert);
+
#endif /* _WIN32 */
/**
* Load certificate file into the given TLS context. If the given certificate
* file contains a certificate chain, load the whole chain.
*
- * @param ctx TLS context to use
- * @param cert_file The file name to load the certificate from, or
- * "[[INLINE]]" in the case of inline files.
- * @param cert_file_inline A string containing the certificate
+ * @param ctx TLS context to use
+ * @param cert_file The file name to load the certificate from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param cert_file_inline A string containing the certificate
*/
-void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
- const char *cert_file_inline);
+void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
+ const char *cert_file_inline);
/**
* Load private key file into the given TLS context.
*
- * @param ctx TLS context to use
- * @param priv_key_file The file name to load the private key from, or
- * "[[INLINE]]" in the case of inline files.
- * @param priv_key_file_inline A string containing the private key
+ * @param ctx TLS context to use
+ * @param priv_key_file The file name to load the private key from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param priv_key_file_inline A string containing the private key
*
- * @return 1 if an error occurred, 0 if parsing was
- * successful.
+ * @return 1 if an error occurred, 0 if parsing was
+ * successful.
*/
-int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
- const char *priv_key_file_inline
- );
+int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
+ const char *priv_key_file_inline
+ );
#ifdef MANAGMENT_EXTERNAL_KEY
@@ -267,16 +269,17 @@ int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
* Tell the management interface to load the given certificate and the external
* private key matching the given certificate.
*
- * @param ctx TLS context to use
- * @param cert_file The file name to load the certificate from, or
- * "[[INLINE]]" in the case of inline files.
- * @param cert_file_inline A string containing the certificate
+ * @param ctx TLS context to use
+ * @param cert_file The file name to load the certificate from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param cert_file_inline A string containing the certificate
*
- * @return 1 if an error occurred, 0 if parsing was
- * successful.
+ * @return 1 if an error occurred, 0 if parsing was
+ * successful.
*/
-int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx,
- const char *cert_file, const char *cert_file_inline);
+int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
+ const char *cert_file, const char *cert_file_inline);
+
#endif
@@ -285,15 +288,15 @@ int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx,
*
* Note that not all SSL libraries support loading from a path.
*
- * @param ctx TLS context to use
- * @param ca_file The file name to load the CAs from, or
- * "[[INLINE]]" in the case of inline files.
- * @param ca_file_inline A string containing the CAs
- * @param ca_path The path to load the CAs from
+ * @param ctx TLS context to use
+ * @param ca_file The file name to load the CAs from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param ca_file_inline A string containing the CAs
+ * @param ca_path The path to load the CAs from
*/
-void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
- const char *ca_file_inline, const char *ca_path, bool tls_server
- );
+void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
+ const char *ca_file_inline, const char *ca_path, bool tls_server
+ );
/**
* Load extra certificate authority certificates from the given file or path.
@@ -301,23 +304,24 @@ void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
* chain but shouldn't be included in the verify chain.
*
*
- * @param ctx TLS context to use
- * @param extra_certs_file The file name to load the certs from, or
- * "[[INLINE]]" in the case of inline files.
- * @param extra_certs_file_inline A string containing the certs
+ * @param ctx TLS context to use
+ * @param extra_certs_file The file name to load the certs from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param extra_certs_file_inline A string containing the certs
*/
-void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file,
- const char *extra_certs_file_inline
- );
+void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
+ const char *extra_certs_file_inline
+ );
#ifdef ENABLE_CRYPTO_MBEDTLS
/**
* Add a personalisation string to the mbed TLS RNG, based on the certificate
* loaded into the given context.
*
- * @param ctx TLS context to use
+ * @param ctx TLS context to use
*/
void tls_ctx_personalise_random(struct tls_root_ctx *ctx);
+
#endif
/* **************************************
@@ -330,18 +334,18 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx);
* Initialise the SSL channel part of the given key state. Settings will be
* loaded from a previously initialised TLS context.
*
- * @param ks_ssl The SSL channel's state info to initialise
- * @param ssl_ctx The TLS context to use when initialising the channel.
- * @param is_server Initialise a server?
- * @param session The session associated with the given key_state
+ * @param ks_ssl The SSL channel's state info to initialise
+ * @param ssl_ctx The TLS context to use when initialising the channel.
+ * @param is_server Initialise a server?
+ * @param session The session associated with the given key_state
*/
void key_state_ssl_init(struct key_state_ssl *ks_ssl,
- const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session);
+ const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session);
/**
* Free the SSL channel part of the given key state.
*
- * @param ks_ssl The SSL channel's state info to free
+ * @param ks_ssl The SSL channel's state info to free
*/
void key_state_ssl_free(struct key_state_ssl *ks_ssl);
@@ -354,7 +358,7 @@ void key_state_ssl_free(struct key_state_ssl *ks_ssl);
* @param crl_inline A string containing the CRL
*/
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
- const char *crl_file, const char *crl_inline);
+ const char *crl_file, const char *crl_inline);
/**
* Keying Material Exporters [RFC 5705] allows additional keying material to be
@@ -367,7 +371,7 @@ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
void
key_state_export_keying_material(struct key_state_ssl *ks_ssl,
- struct tls_session *session) __attribute__((nonnull));
+ struct tls_session *session) __attribute__((nonnull));
/**************************************************************************/
/** @addtogroup control_tls
@@ -393,7 +397,7 @@ key_state_export_keying_material(struct key_state_ssl *ks_ssl,
* again later to retry.
* - \c -1: An error occurred.
*/
-int key_state_write_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf);
+int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf);
/**
* Insert plaintext data into the TLS module.
@@ -410,8 +414,8 @@ int key_state_write_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf)
* again later to retry.
* - \c -1: An error occurred.
*/
-int key_state_write_plaintext_const (struct key_state_ssl *ks_ssl,
- const uint8_t *data, int len);
+int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl,
+ const uint8_t *data, int len);
/**
* Extract ciphertext data from the TLS module.
@@ -431,8 +435,8 @@ int key_state_write_plaintext_const (struct key_state_ssl *ks_ssl,
* later to retry.
* - \c -1: An error occurred.
*/
-int key_state_read_ciphertext (struct key_state_ssl *ks_ssl, struct buffer *buf,
- int maxlen);
+int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf,
+ int maxlen);
/** @} name Functions for packets to be sent to a remote OpenVPN peer */
@@ -457,8 +461,8 @@ int key_state_read_ciphertext (struct key_state_ssl *ks_ssl, struct buffer *buf,
* again later to retry.
* - \c -1: An error occurred.
*/
-int key_state_write_ciphertext (struct key_state_ssl *ks_ssl,
- struct buffer *buf);
+int key_state_write_ciphertext(struct key_state_ssl *ks_ssl,
+ struct buffer *buf);
/**
* Extract plaintext data from the TLS module.
@@ -478,8 +482,8 @@ int key_state_write_ciphertext (struct key_state_ssl *ks_ssl,
* later to retry.
* - \c -1: An error occurred.
*/
-int key_state_read_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf,
- int maxlen);
+int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf,
+ int maxlen);
/** @} name Functions for packets received from a remote OpenVPN peer */
@@ -496,32 +500,32 @@ int key_state_read_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf,
/*
* Print a one line summary of SSL/TLS session handshake.
*/
-void print_details (struct key_state_ssl * ks_ssl, const char *prefix);
+void print_details(struct key_state_ssl *ks_ssl, const char *prefix);
/*
* Show the TLS ciphers that are available for us to use in the OpenSSL
* library.
*
- * @param - list of allowed TLS cipher, or NULL.
+ * @param - list of allowed TLS cipher, or NULL.
*/
-void show_available_tls_ciphers (const char *tls_ciphers);
+void show_available_tls_ciphers(const char *tls_ciphers);
/*
* Show the available elliptic curves in the crypto library
*/
-void show_available_curves (void);
+void show_available_curves(void);
/*
* The OpenSSL library has a notion of preference in TLS ciphers. Higher
* preference == more secure. Return the highest preference cipher.
*/
-void get_highest_preference_tls_cipher (char *buf, int size);
+void get_highest_preference_tls_cipher(char *buf, int size);
/**
* return a pointer to a static memory area containing the
* name and version number of the SSL library in use
*/
-const char * get_ssl_library_version(void);
+const char *get_ssl_library_version(void);
#endif /* ENABLE_CRYPTO */
#endif /* SSL_BACKEND_H_ */