149 lines
5.4 KiB
C
149 lines
5.4 KiB
C
/**
|
|
* @file re_tls.h Interface to Transport Layer Security
|
|
*
|
|
* Copyright (C) 2010 Creytiv.com
|
|
*/
|
|
|
|
struct tls;
|
|
struct tls_conn;
|
|
struct tcp_conn;
|
|
struct udp_sock;
|
|
|
|
|
|
/** Defines the TLS method */
|
|
enum tls_method {
|
|
TLS_METHOD_TLS,
|
|
TLS_METHOD_SSLV23, /* deprecated - fallback to TLS_METHOD_TLS */
|
|
TLS_METHOD_DTLS, /* DTLS 1.0 and 1.2 */
|
|
TLS_METHOD_DTLSV1, /* deprecated - fallback to TLS_METHOD_DTLS */
|
|
TLS_METHOD_DTLSV1_2, /* deprecated - fallback to TLS_METHOD_DTLS */
|
|
};
|
|
|
|
enum tls_fingerprint {
|
|
TLS_FINGERPRINT_SHA256,
|
|
};
|
|
|
|
enum tls_keytype {
|
|
TLS_KEYTYPE_RSA,
|
|
TLS_KEYTYPE_EC,
|
|
};
|
|
|
|
enum tls_resume_mode {
|
|
TLS_RESUMPTION_NONE = 0,
|
|
TLS_RESUMPTION_IDS = (1 << 0),
|
|
TLS_RESUMPTION_TICKETS = (1 << 1),
|
|
TLS_RESUMPTION_ALL = TLS_RESUMPTION_IDS | TLS_RESUMPTION_TICKETS,
|
|
};
|
|
|
|
struct tls_conn_d {
|
|
int (*verifyh) (int ok, void *arg);
|
|
void *arg;
|
|
};
|
|
|
|
int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile,
|
|
const char *pwd);
|
|
int tls_add_ca(struct tls *tls, const char *cafile);
|
|
int tls_add_cafile_path(struct tls *tls, const char *cafile,
|
|
const char *capath);
|
|
int tls_add_capem(const struct tls *tls, const char *capem);
|
|
int tls_add_crlpem(const struct tls *tls, const char *pem);
|
|
int tls_set_selfsigned_rsa(struct tls *tls, const char *cn, size_t bits);
|
|
int tls_set_selfsigned_ec(struct tls *tls, const char *cn,
|
|
const char *curve_n);
|
|
int tls_set_certificate_pem(struct tls *tls, const char *cert, size_t len_cert,
|
|
const char *key, size_t len_key);
|
|
int tls_set_certificate_der(struct tls *tls, enum tls_keytype keytype,
|
|
const uint8_t *cert, size_t len_cert,
|
|
const uint8_t *key, size_t len_key);
|
|
int tls_set_certificate(struct tls *tls, const char *cert, size_t len);
|
|
int tls_set_certificate_chain_pem(struct tls *tls, const char *chain,
|
|
size_t len_chain);
|
|
int tls_set_certificate_chain(struct tls *tls, const char *path);
|
|
void tls_set_verify_client(struct tls *tls);
|
|
void tls_set_verify_client_trust_all(struct tls *tls);
|
|
int tls_set_verify_client_handler(struct tls_conn *tc, int depth,
|
|
int (*verifyh) (int ok, void *arg), void *arg);
|
|
|
|
int tls_set_srtp(struct tls *tls, const char *suites);
|
|
int tls_fingerprint(const struct tls *tls, enum tls_fingerprint type,
|
|
uint8_t *md, size_t size);
|
|
|
|
int tls_peer_fingerprint(const struct tls_conn *tc, enum tls_fingerprint type,
|
|
uint8_t *md, size_t size);
|
|
int tls_peer_common_name(const struct tls_conn *tc, char *cn, size_t size);
|
|
int tls_set_verify_purpose(struct tls *tls, const char *purpose);
|
|
int tls_peer_verify(const struct tls_conn *tc);
|
|
int tls_srtp_keyinfo(const struct tls_conn *tc, enum srtp_suite *suite,
|
|
uint8_t *cli_key, size_t cli_key_size,
|
|
uint8_t *srv_key, size_t srv_key_size);
|
|
const char *tls_cipher_name(const struct tls_conn *tc);
|
|
int tls_set_ciphers(struct tls *tls, const char *cipherv[], size_t count);
|
|
int tls_set_verify_server(struct tls_conn *tc, const char *host);
|
|
int tls_verify_client(struct tls_conn *tc);
|
|
|
|
int tls_get_issuer(struct tls *tls, struct mbuf *mb);
|
|
int tls_get_subject(struct tls *tls, struct mbuf *mb);
|
|
void tls_disable_verify_server(struct tls *tls);
|
|
void tls_enable_verify_client(struct tls *tls, bool enable);
|
|
int tls_set_resumption(struct tls *tls, const enum tls_resume_mode mode);
|
|
|
|
int tls_set_min_proto_version(struct tls *tls, int version);
|
|
int tls_set_max_proto_version(struct tls *tls, int version);
|
|
|
|
int tls_set_session_reuse(struct tls *tls, int enabled);
|
|
bool tls_get_session_reuse(const struct tls_conn *tc);
|
|
int tls_reuse_session(const struct tls_conn *tc);
|
|
bool tls_session_reused(const struct tls_conn *tc);
|
|
int tls_update_sessions(const struct tls_conn *tc);
|
|
void tls_set_posthandshake_auth(struct tls *tls, int value);
|
|
|
|
/* TCP */
|
|
|
|
int tls_conn_change_cert(struct tls_conn *tc, const char *file);
|
|
int tls_start_tcp(struct tls_conn **ptc, struct tls *tls,
|
|
struct tcp_conn *tcp, int layer);
|
|
|
|
int tls_verify_client_post_handshake(struct tls_conn *tc);
|
|
|
|
const struct tcp_conn *tls_get_tcp_conn(const struct tls_conn *tc);
|
|
|
|
|
|
/* UDP (DTLS) */
|
|
|
|
typedef void (dtls_conn_h)(const struct sa *peer, void *arg);
|
|
typedef void (dtls_estab_h)(void *arg);
|
|
typedef void (dtls_recv_h)(struct mbuf *mb, void *arg);
|
|
typedef void (dtls_close_h)(int err, void *arg);
|
|
|
|
struct dtls_sock;
|
|
|
|
int dtls_listen(struct dtls_sock **sockp, const struct sa *laddr,
|
|
struct udp_sock *us, uint32_t htsize, int layer,
|
|
dtls_conn_h *connh, void *arg);
|
|
struct udp_sock *dtls_udp_sock(struct dtls_sock *sock);
|
|
void dtls_set_mtu(struct dtls_sock *sock, size_t mtu);
|
|
int dtls_connect(struct tls_conn **ptc, struct tls *tls,
|
|
struct dtls_sock *sock, const struct sa *peer,
|
|
dtls_estab_h *estabh, dtls_recv_h *recvh,
|
|
dtls_close_h *closeh, void *arg);
|
|
int dtls_accept(struct tls_conn **ptc, struct tls *tls,
|
|
struct dtls_sock *sock,
|
|
dtls_estab_h *estabh, dtls_recv_h *recvh,
|
|
dtls_close_h *closeh, void *arg);
|
|
int dtls_send(struct tls_conn *tc, struct mbuf *mb);
|
|
void dtls_set_handlers(struct tls_conn *tc, dtls_estab_h *estabh,
|
|
dtls_recv_h *recvh, dtls_close_h *closeh, void *arg);
|
|
const struct sa *dtls_peer(const struct tls_conn *tc);
|
|
void dtls_set_peer(struct tls_conn *tc, const struct sa *peer);
|
|
void dtls_recv_packet(struct dtls_sock *sock, const struct sa *src,
|
|
struct mbuf *mb);
|
|
void dtls_set_single(struct dtls_sock *sock, bool single);
|
|
|
|
|
|
struct x509_st;
|
|
struct evp_pkey_st;
|
|
|
|
int tls_set_certificate_openssl(struct tls *tls, struct x509_st *cert,
|
|
struct evp_pkey_st *pkey, bool up_ref);
|
|
int tls_add_certf(struct tls *tls, const char *certf, const char *host);
|