diff options
Diffstat (limited to 'src/openvpn/ssl_backend.h')
| -rw-r--r-- | src/openvpn/ssl_backend.h | 214 |
1 files changed, 109 insertions, 105 deletions
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 3fbd2b4..206400f 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -5,8 +5,8 @@ * packet encryption, packet authentication, and * packet compression. * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> + * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 @@ -57,11 +57,11 @@ struct tls_session; /** * Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name * - * @param cipher_name Can be either OpenSSL or IANA cipher name - * @return tls_cipher_name_pair* if found, NULL otherwise + * @param cipher_name Can be either OpenSSL or IANA cipher name + * @return tls_cipher_name_pair* if found, NULL otherwise */ typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair; -const tls_cipher_name_pair *tls_get_cipher_name_pair (const char *cipher_name, size_t len); +const tls_cipher_name_pair *tls_get_cipher_name_pair(const char *cipher_name, size_t len); /* * @@ -72,12 +72,12 @@ const tls_cipher_name_pair *tls_get_cipher_name_pair (const char *cipher_name, s /** * Callback to retrieve the user's password * - * @param buf Buffer to return the password in - * @param size Size of the buffer - * @param rwflag Unused, needed for OpenSSL compatibility - * @param u Unused, needed for OpenSSL compatibility + * @param buf Buffer to return the password in + * @param size Size of the buffer + * @param rwflag Unused, needed for OpenSSL compatibility + * @param u Unused, needed for OpenSSL compatibility */ -int pem_password_callback (char *buf, int size, int rwflag, void *u); +int pem_password_callback(char *buf, int size, int rwflag, void *u); /* * @@ -95,6 +95,7 @@ void tls_init_lib(); * Free any global SSL library-specific data structures. */ void tls_free_lib(); + /** * Clear the underlying SSL library's error state. */ @@ -103,10 +104,10 @@ void tls_clear_error(); /** * Parse a TLS version specifier * - * @param vstr The TLS version string - * @param extra An optional extra parameter, may be NULL + * @param vstr The TLS version string + * @param extra An optional extra parameter, may be NULL * - * @return One of the TLS_VER_x constants or TLS_VER_BAD + * @return One of the TLS_VER_x constants or TLS_VER_BAD * if a parse error should be flagged. */ #define TLS_VER_BAD -1 @@ -120,7 +121,7 @@ int tls_version_parse(const char *vstr, const char *extra); * Return the maximum TLS version (as a TLS_VER_x constant) * supported by current SSL implementation * - * @return One of the TLS_VER_x constants (but not TLS_VER_BAD). + * @return One of the TLS_VER_x constants (but not TLS_VER_BAD). */ int tls_version_max(void); @@ -129,30 +130,30 @@ int tls_version_max(void); /** * Initialise a library-specific TLS context for a server. * - * @param ctx TLS context to initialise + * @param ctx TLS context to initialise */ void tls_ctx_server_new(struct tls_root_ctx *ctx); /** * Initialises a library-specific TLS context for a client. * - * @param ctx TLS context to initialise + * @param ctx TLS context to initialise */ void tls_ctx_client_new(struct tls_root_ctx *ctx); /** * Frees the library-specific TLSv1 context * - * @param ctx TLS context to free + * @param ctx TLS context to free */ void tls_ctx_free(struct tls_root_ctx *ctx); /** * Checks whether the given TLS context is initialised * - * @param ctx TLS context to check + * @param ctx TLS context to check * - * @return true if the context is initialised, false if not. + * @return true if the context is initialised, false if not. */ bool tls_ctx_initialised(struct tls_root_ctx *ctx); @@ -162,17 +163,17 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx); * Examples include disabling session caching, the password callback to use, * and session verification parameters. * - * @param ctx TLS context to set options on - * @param ssl_flags SSL flags to set + * @param ctx TLS context to set options on + * @param ssl_flags SSL flags to set */ -void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags); +void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags); /** * Restrict the list of ciphers that can be used within the TLS context. * - * @param ctx TLS context to restrict, must be valid. - * @param ciphers String containing : delimited cipher names, or NULL to use - * sane defaults. + * @param ctx TLS context to restrict, must be valid. + * @param ciphers String containing : delimited cipher names, or NULL to use + * sane defaults. */ void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers); @@ -181,21 +182,21 @@ void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers); * either not yet valid or has expired. Note that this is a non-fatal error, * since we compare against the system time, which might be incorrect. * - * @param ctx TLS context to get our certificate from. + * @param ctx TLS context to get our certificate from. */ -void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx); +void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx); /** * Load Diffie Hellman Parameters, and load them into the library-specific * TLS context. * - * @param ctx TLS context to use - * @param dh_file The file name to load the parameters from, or - * "[[INLINE]]" in the case of inline files. - * @param dh_file_inline A string containing the parameters + * @param ctx TLS context to use + * @param dh_file The file name to load the parameters from, or + * "[[INLINE]]" in the case of inline files. + * @param dh_file_inline A string containing the parameters */ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, - const char *dh_file_inline); + const char *dh_file_inline); /** * Load Elliptic Curve Parameters, and load them into the library-specific @@ -205,61 +206,62 @@ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, * @param curve_name The name of the elliptic curve to load. */ void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name - ); + ); /** * Load PKCS #12 file for key, cert and (optionally) CA certs, and add to * library-specific TLS context. * - * @param ctx TLS context to use - * @param pkcs12_file The file name to load the information from, or - * "[[INLINE]]" in the case of inline files. - * @param pkcs12_file_inline A string containing the information + * @param ctx TLS context to use + * @param pkcs12_file The file name to load the information from, or + * "[[INLINE]]" in the case of inline files. + * @param pkcs12_file_inline A string containing the information * - * @return 1 if an error occurred, 0 if parsing was - * successful. + * @return 1 if an error occurred, 0 if parsing was + * successful. */ int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, - const char *pkcs12_file_inline, bool load_ca_file - ); + const char *pkcs12_file_inline, bool load_ca_file + ); /** * Use Windows cryptoapi for key and cert, and add to library-specific TLS * context. * - * @param ctx TLS context to use - * @param crypto_api_cert String representing the certificate to load. + * @param ctx TLS context to use + * @param crypto_api_cert String representing the certificate to load. */ #ifdef ENABLE_CRYPTOAPI void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert); + #endif /* _WIN32 */ /** * Load certificate file into the given TLS context. If the given certificate * file contains a certificate chain, load the whole chain. * - * @param ctx TLS context to use - * @param cert_file The file name to load the certificate from, or - * "[[INLINE]]" in the case of inline files. - * @param cert_file_inline A string containing the certificate + * @param ctx TLS context to use + * @param cert_file The file name to load the certificate from, or + * "[[INLINE]]" in the case of inline files. + * @param cert_file_inline A string containing the certificate */ -void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file, - const char *cert_file_inline); +void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, + const char *cert_file_inline); /** * Load private key file into the given TLS context. * - * @param ctx TLS context to use - * @param priv_key_file The file name to load the private key from, or - * "[[INLINE]]" in the case of inline files. - * @param priv_key_file_inline A string containing the private key + * @param ctx TLS context to use + * @param priv_key_file The file name to load the private key from, or + * "[[INLINE]]" in the case of inline files. + * @param priv_key_file_inline A string containing the private key * - * @return 1 if an error occurred, 0 if parsing was - * successful. + * @return 1 if an error occurred, 0 if parsing was + * successful. */ -int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, - const char *priv_key_file_inline - ); +int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, + const char *priv_key_file_inline + ); #ifdef MANAGMENT_EXTERNAL_KEY @@ -267,16 +269,17 @@ int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, * Tell the management interface to load the given certificate and the external * private key matching the given certificate. * - * @param ctx TLS context to use - * @param cert_file The file name to load the certificate from, or - * "[[INLINE]]" in the case of inline files. - * @param cert_file_inline A string containing the certificate + * @param ctx TLS context to use + * @param cert_file The file name to load the certificate from, or + * "[[INLINE]]" in the case of inline files. + * @param cert_file_inline A string containing the certificate * - * @return 1 if an error occurred, 0 if parsing was - * successful. + * @return 1 if an error occurred, 0 if parsing was + * successful. */ -int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, - const char *cert_file, const char *cert_file_inline); +int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, + const char *cert_file, const char *cert_file_inline); + #endif @@ -285,15 +288,15 @@ int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, * * Note that not all SSL libraries support loading from a path. * - * @param ctx TLS context to use - * @param ca_file The file name to load the CAs from, or - * "[[INLINE]]" in the case of inline files. - * @param ca_file_inline A string containing the CAs - * @param ca_path The path to load the CAs from + * @param ctx TLS context to use + * @param ca_file The file name to load the CAs from, or + * "[[INLINE]]" in the case of inline files. + * @param ca_file_inline A string containing the CAs + * @param ca_path The path to load the CAs from */ -void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, - const char *ca_file_inline, const char *ca_path, bool tls_server - ); +void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, + const char *ca_file_inline, const char *ca_path, bool tls_server + ); /** * Load extra certificate authority certificates from the given file or path. @@ -301,23 +304,24 @@ void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, * chain but shouldn't be included in the verify chain. * * - * @param ctx TLS context to use - * @param extra_certs_file The file name to load the certs from, or - * "[[INLINE]]" in the case of inline files. - * @param extra_certs_file_inline A string containing the certs + * @param ctx TLS context to use + * @param extra_certs_file The file name to load the certs from, or + * "[[INLINE]]" in the case of inline files. + * @param extra_certs_file_inline A string containing the certs */ -void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file, - const char *extra_certs_file_inline - ); +void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, + const char *extra_certs_file_inline + ); #ifdef ENABLE_CRYPTO_MBEDTLS /** * Add a personalisation string to the mbed TLS RNG, based on the certificate * loaded into the given context. * - * @param ctx TLS context to use + * @param ctx TLS context to use */ void tls_ctx_personalise_random(struct tls_root_ctx *ctx); + #endif /* ************************************** @@ -330,18 +334,18 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx); * Initialise the SSL channel part of the given key state. Settings will be * loaded from a previously initialised TLS context. * - * @param ks_ssl The SSL channel's state info to initialise - * @param ssl_ctx The TLS context to use when initialising the channel. - * @param is_server Initialise a server? - * @param session The session associated with the given key_state + * @param ks_ssl The SSL channel's state info to initialise + * @param ssl_ctx The TLS context to use when initialising the channel. + * @param is_server Initialise a server? + * @param session The session associated with the given key_state */ void key_state_ssl_init(struct key_state_ssl *ks_ssl, - const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session); + const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session); /** * Free the SSL channel part of the given key state. * - * @param ks_ssl The SSL channel's state info to free + * @param ks_ssl The SSL channel's state info to free */ void key_state_ssl_free(struct key_state_ssl *ks_ssl); @@ -354,7 +358,7 @@ void key_state_ssl_free(struct key_state_ssl *ks_ssl); * @param crl_inline A string containing the CRL */ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, - const char *crl_file, const char *crl_inline); + const char *crl_file, const char *crl_inline); /** * Keying Material Exporters [RFC 5705] allows additional keying material to be @@ -367,7 +371,7 @@ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, void key_state_export_keying_material(struct key_state_ssl *ks_ssl, - struct tls_session *session) __attribute__((nonnull)); + struct tls_session *session) __attribute__((nonnull)); /**************************************************************************/ /** @addtogroup control_tls @@ -393,7 +397,7 @@ key_state_export_keying_material(struct key_state_ssl *ks_ssl, * again later to retry. * - \c -1: An error occurred. */ -int key_state_write_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf); +int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf); /** * Insert plaintext data into the TLS module. @@ -410,8 +414,8 @@ int key_state_write_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf) * again later to retry. * - \c -1: An error occurred. */ -int key_state_write_plaintext_const (struct key_state_ssl *ks_ssl, - const uint8_t *data, int len); +int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, + const uint8_t *data, int len); /** * Extract ciphertext data from the TLS module. @@ -431,8 +435,8 @@ int key_state_write_plaintext_const (struct key_state_ssl *ks_ssl, * later to retry. * - \c -1: An error occurred. */ -int key_state_read_ciphertext (struct key_state_ssl *ks_ssl, struct buffer *buf, - int maxlen); +int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, + int maxlen); /** @} name Functions for packets to be sent to a remote OpenVPN peer */ @@ -457,8 +461,8 @@ int key_state_read_ciphertext (struct key_state_ssl *ks_ssl, struct buffer *buf, * again later to retry. * - \c -1: An error occurred. */ -int key_state_write_ciphertext (struct key_state_ssl *ks_ssl, - struct buffer *buf); +int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, + struct buffer *buf); /** * Extract plaintext data from the TLS module. @@ -478,8 +482,8 @@ int key_state_write_ciphertext (struct key_state_ssl *ks_ssl, * later to retry. * - \c -1: An error occurred. */ -int key_state_read_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf, - int maxlen); +int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, + int maxlen); /** @} name Functions for packets received from a remote OpenVPN peer */ @@ -496,32 +500,32 @@ int key_state_read_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf, /* * Print a one line summary of SSL/TLS session handshake. */ -void print_details (struct key_state_ssl * ks_ssl, const char *prefix); +void print_details(struct key_state_ssl *ks_ssl, const char *prefix); /* * Show the TLS ciphers that are available for us to use in the OpenSSL * library. * - * @param - list of allowed TLS cipher, or NULL. + * @param - list of allowed TLS cipher, or NULL. */ -void show_available_tls_ciphers (const char *tls_ciphers); +void show_available_tls_ciphers(const char *tls_ciphers); /* * Show the available elliptic curves in the crypto library */ -void show_available_curves (void); +void show_available_curves(void); /* * The OpenSSL library has a notion of preference in TLS ciphers. Higher * preference == more secure. Return the highest preference cipher. */ -void get_highest_preference_tls_cipher (char *buf, int size); +void get_highest_preference_tls_cipher(char *buf, int size); /** * return a pointer to a static memory area containing the * name and version number of the SSL library in use */ -const char * get_ssl_library_version(void); +const char *get_ssl_library_version(void); #endif /* ENABLE_CRYPTO */ #endif /* SSL_BACKEND_H_ */ |