2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
8
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9
* Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
11
* This program is free software; you can redistribute it and/or modify
12
* it under the terms of the GNU General Public License version 2
13
* as published by the Free Software Foundation.
15
* This program is distributed in the hope that it will be useful,
16
* but WITHOUT ANY WARRANTY; without even the implied warranty of
17
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18
* GNU General Public License for more details.
20
* You should have received a copy of the GNU General Public License
21
* along with this program (see the file COPYING included with this
22
* distribution); if not, write to the Free Software Foundation, Inc.,
23
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27
* @file Control Channel SSL library backend module
31
#ifndef SSL_BACKEND_H_
32
#define SSL_BACKEND_H_
36
#ifdef ENABLE_CRYPTO_OPENSSL
37
#include "ssl_openssl.h"
38
#include "ssl_verify_openssl.h"
40
#ifdef ENABLE_CRYPTO_POLARSSL
41
#include "ssl_polarssl.h"
42
#include "ssl_verify_polarssl.h"
47
* Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name
49
* @param cipher_name Can be either OpenSSL or IANA cipher name
50
* @return tls_cipher_name_pair* if found, NULL otherwise
52
typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair;
53
const tls_cipher_name_pair *tls_get_cipher_name_pair (const char *cipher_name, size_t len);
57
* Functions implemented in ssl.c for use by the backend SSL library
62
* Callback to retrieve the user's password
64
* @param buf Buffer to return the password in
65
* @param size Size of the buffer
66
* @param rwflag Unused, needed for OpenSSL compatibility
67
* @param u Unused, needed for OpenSSL compatibility
69
int pem_password_callback (char *buf, int size, int rwflag, void *u);
73
* Functions used in ssl.c which must be implemented by the backend SSL library
78
* Perform any static initialisation necessary by the library.
79
* Called on OpenVPN initialisation
84
* Free any global SSL library-specific data structures.
88
* Clear the underlying SSL library's error state.
90
void tls_clear_error();
93
* Initialise a library-specific TLS context for a server.
95
* @param ctx TLS context to initialise
97
void tls_ctx_server_new(struct tls_root_ctx *ctx);
100
* Initialises a library-specific TLS context for a client.
102
* @param ctx TLS context to initialise
104
void tls_ctx_client_new(struct tls_root_ctx *ctx);
107
* Frees the library-specific TLSv1 context
109
* @param ctx TLS context to free
111
void tls_ctx_free(struct tls_root_ctx *ctx);
114
* Checks whether the given TLS context is initialised
116
* @param ctx TLS context to check
118
* @return true if the context is initialised, false if not.
120
bool tls_ctx_initialised(struct tls_root_ctx *ctx);
123
* Set any library specific options.
125
* Examples include disabling session caching, the password callback to use,
126
* and session verification parameters.
128
* @param ctx TLS context to set options on
129
* @param ssl_flags SSL flags to set
131
void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
134
* Restrict the list of ciphers that can be used within the TLS context.
136
* @param ctx TLS context to restrict
137
* @param ciphers String containing : delimited cipher names.
139
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
142
* Load Diffie Hellman Parameters, and load them into the library-specific
145
* @param ctx TLS context to use
146
* @param dh_file The file name to load the parameters from, or
147
* "[[INLINE]]" in the case of inline files.
148
* @param dh_file_inline A string containing the parameters
150
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
151
const char *dh_file_inline);
154
* Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
155
* library-specific TLS context.
157
* @param ctx TLS context to use
158
* @param pkcs12_file The file name to load the information from, or
159
* "[[INLINE]]" in the case of inline files.
160
* @param pkcs12_file_inline A string containing the information
162
* @return 1 if an error occurred, 0 if parsing was
165
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
166
const char *pkcs12_file_inline, bool load_ca_file
170
* Use Windows cryptoapi for key and cert, and add to library-specific TLS
173
* @param ctx TLS context to use
174
* @param crypto_api_cert String representing the certificate to load.
176
#ifdef ENABLE_CRYPTOAPI
177
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert);
181
* Load certificate file into the given TLS context. If the given certificate
182
* file contains a certificate chain, load the whole chain.
184
* If the x509 parameter is not NULL, the certificate will be returned in it.
186
* @param ctx TLS context to use
187
* @param cert_file The file name to load the certificate from, or
188
* "[[INLINE]]" in the case of inline files.
189
* @param cert_file_inline A string containing the certificate
190
* @param x509 An optional certificate, if x509 is NULL,
191
* do nothing, if x509 is not NULL, *x509 will be
192
* allocated and filled with the loaded certificate.
193
* *x509 must be NULL.
195
void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
196
const char *cert_file_inline, openvpn_x509_cert_t **x509
200
* Free the given certificate
202
* @param x509 certificate to free
204
void tls_ctx_free_cert_file (openvpn_x509_cert_t *x509);
207
* Load private key file into the given TLS context.
209
* @param ctx TLS context to use
210
* @param priv_key_file The file name to load the private key from, or
211
* "[[INLINE]]" in the case of inline files.
212
* @param priv_key_file_inline A string containing the private key
214
* @return 1 if an error occurred, 0 if parsing was
217
int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
218
const char *priv_key_file_inline
221
#ifdef MANAGMENT_EXTERNAL_KEY
224
* Tell the management interface to load the external private key matching
225
* the given certificate.
227
* @param ctx TLS context to use
228
* @param cert The certificate file to load the private key for
229
* "[[INLINE]]" in the case of inline files.
231
* @return 1 if an error occurred, 0 if parsing was
234
int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, openvpn_x509_cert_t *cert);
239
* Load certificate authority certificates from the given file or path.
241
* Note that not all SSL libraries support loading from a path.
243
* @param ctx TLS context to use
244
* @param ca_file The file name to load the CAs from, or
245
* "[[INLINE]]" in the case of inline files.
246
* @param ca_file_inline A string containing the CAs
247
* @param ca_path The path to load the CAs from
249
void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
250
const char *ca_file_inline, const char *ca_path, bool tls_server
254
* Load extra certificate authority certificates from the given file or path.
255
* These Load extra certificates that are part of our own certificate
256
* chain but shouldn't be included in the verify chain.
259
* @param ctx TLS context to use
260
* @param extra_certs_file The file name to load the certs from, or
261
* "[[INLINE]]" in the case of inline files.
262
* @param extra_certs_file_inline A string containing the certs
264
void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file,
265
const char *extra_certs_file_inline
268
#ifdef ENABLE_CRYPTO_POLARSSL
270
* Add a personalisation string to the PolarSSL RNG, based on the certificate
271
* loaded into the given context.
273
* @param ctx TLS context to use
275
void tls_ctx_personalise_random(struct tls_root_ctx *ctx);
278
/* **************************************
280
* Key-state specific functions
282
***************************************/
285
* Initialise the SSL channel part of the given key state. Settings will be
286
* loaded from a previously initialised TLS context.
288
* @param ks_ssl The SSL channel's state info to initialise
289
* @param ssl_ctx The TLS context to use when initialising the channel.
290
* @param is_server Initialise a server?
291
* @param session The session associated with the given key_state
293
void key_state_ssl_init(struct key_state_ssl *ks_ssl,
294
const struct tls_root_ctx *ssl_ctx, bool is_server, void *session);
297
* Free the SSL channel part of the given key state.
299
* @param ks_ssl The SSL channel's state info to free
301
void key_state_ssl_free(struct key_state_ssl *ks_ssl);
303
/**************************************************************************/
304
/** @addtogroup control_tls
307
/** @name Functions for packets to be sent to a remote OpenVPN peer
311
* Insert a plaintext buffer into the TLS module.
313
* After successfully processing the data, the data in \a buf is zeroized,
314
* its length set to zero, and a value of \c 1 is returned.
316
* @param ks_ssl - The security parameter state for this %key
318
* @param buf - The plaintext message to process.
320
* @return The return value indicates whether the data was successfully
322
* - \c 1: All the data was processed successfully.
323
* - \c 0: The data was not processed, this function should be called
324
* again later to retry.
325
* - \c -1: An error occurred.
327
int key_state_write_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf);
330
* Insert plaintext data into the TLS module.
332
* @param ks_ssl - The security parameter state for this %key
334
* @param data - A pointer to the data to process.
335
* @param len - The length in bytes of the data to process.
337
* @return The return value indicates whether the data was successfully
339
* - \c 1: All the data was processed successfully.
340
* - \c 0: The data was not processed, this function should be called
341
* again later to retry.
342
* - \c -1: An error occurred.
344
int key_state_write_plaintext_const (struct key_state_ssl *ks_ssl,
345
const uint8_t *data, int len);
348
* Extract ciphertext data from the TLS module.
350
* If the \a buf buffer has a length other than zero, this function does
351
* not perform any action and returns 0.
353
* @param ks_ssl - The security parameter state for this %key
355
* @param buf - A buffer in which to store the ciphertext.
356
* @param maxlen - The maximum number of bytes to extract.
358
* @return The return value indicates whether the data was successfully
360
* - \c 1: Data was extracted successfully.
361
* - \c 0: No data was extracted, this function should be called again
363
* - \c -1: An error occurred.
365
int key_state_read_ciphertext (struct key_state_ssl *ks_ssl, struct buffer *buf,
368
/** @} name Functions for packets to be sent to a remote OpenVPN peer */
371
/** @name Functions for packets received from a remote OpenVPN peer
375
* Insert a ciphertext buffer into the TLS module.
377
* After successfully processing the data, the data in \a buf is zeroized,
378
* its length set to zero, and a value of \c 1 is returned.
380
* @param ks_ssl - The security parameter state for this %key
382
* @param buf - The ciphertext message to process.
384
* @return The return value indicates whether the data was successfully
386
* - \c 1: All the data was processed successfully.
387
* - \c 0: The data was not processed, this function should be called
388
* again later to retry.
389
* - \c -1: An error occurred.
391
int key_state_write_ciphertext (struct key_state_ssl *ks_ssl,
395
* Extract plaintext data from the TLS module.
397
* If the \a buf buffer has a length other than zero, this function does
398
* not perform any action and returns 0.
400
* @param ks_ssl - The security parameter state for this %key
402
* @param buf - A buffer in which to store the plaintext.
403
* @param maxlen - The maximum number of bytes to extract.
405
* @return The return value indicates whether the data was successfully
407
* - \c 1: Data was extracted successfully.
408
* - \c 0: No data was extracted, this function should be called again
410
* - \c -1: An error occurred.
412
int key_state_read_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf,
415
/** @} name Functions for packets received from a remote OpenVPN peer */
417
/** @} addtogroup control_tls */
419
/* **************************************
421
* Information functions
423
* Print information for the end user.
425
***************************************/
428
* Print a one line summary of SSL/TLS session handshake.
430
void print_details (struct key_state_ssl * ks_ssl, const char *prefix);
433
* Show the TLS ciphers that are available for us to use in the OpenSSL
436
void show_available_tls_ciphers ();
439
* The OpenSSL library has a notion of preference in TLS ciphers. Higher
440
* preference == more secure. Return the highest preference cipher.
442
void get_highest_preference_tls_cipher (char *buf, int size);
444
#endif /* SSL_BACKEND_H_ */