src/openvpn/ssl_mbedtls.h
 /*
  *  OpenVPN -- An application to securely tunnel IP networks
  *             over a single TCP/UDP port, with support for SSL/TLS-based
  *             session authentication and key exchange,
  *             packet encryption, packet authentication, and
  *             packet compression.
  *
  *  Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
  *  Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License version 2
  *  as published by the Free Software Foundation.
  *
  *  This program is distributed in the hope that it will be useful,
  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  *  GNU General Public License for more details.
  *
  *  You should have received a copy of the GNU General Public License along
  *  with this program; if not, write to the Free Software Foundation, Inc.,
  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 /**
  * @file Control Channel mbed TLS Backend
  */
 
 #ifndef SSL_MBEDTLS_H_
 #define SSL_MBEDTLS_H_
 
 #include "syshead.h"
 
 #include <mbedtls/ssl.h>
 #include <mbedtls/x509_crt.h>
 
 #if defined(ENABLE_PKCS11)
 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
 #endif
 
 typedef struct _buffer_entry buffer_entry;
 
 /**
  * One node of a singly linked chain of byte blocks; endless_buffer strings
  * these together to hold an arbitrary amount of pending data.
  */
 struct _buffer_entry {
     size_t length;              /**< Number of bytes stored in \c data */
     uint8_t *data;              /**< Block payload (heap-owned, presumably freed with the node — confirm in ssl_mbedtls.c) */
     buffer_entry *next_block;   /**< Following block in the chain; expected to be NULL at the tail */
 };
 
 /**
  * Growable FIFO of bytes kept as a chain of buffer_entry blocks, so that
  * data can be queued without a fixed upper bound on its size.
  */
 typedef struct {
     size_t data_start;          /**< Offset of the first unread byte inside \c first_block — presumably; confirm against the reader in ssl_mbedtls.c */
     buffer_entry *first_block;  /**< Head of the block chain (oldest data) */
     buffer_entry *last_block;   /**< Tail of the block chain, where new data is appended (presumably) */
 } endless_buffer;
 
 /**
  * Pair of byte queues used as the I/O layer handed to mbed TLS in place of a
  * real socket.  The in/out naming is presumed to be from the TLS engine's
  * point of view — confirm against the send/recv callbacks in ssl_mbedtls.c.
  */
 typedef struct {
     endless_buffer in;          /**< Data queued for mbed TLS to read (direction presumed) */
     endless_buffer out;         /**< Data mbed TLS has written, waiting to be drained (direction presumed) */
 } bio_ctx;
 
 /**
  * External signing function prototype.  A function pointer to a function
  * implementing this prototype is provided to
  * tls_ctx_use_external_signing_func().
  *
  * @param sign_ctx  The context for the signing function.
  * @param src       The data to be signed.
  * @param src_size  The length of src, in bytes.
  * @param dst       The destination buffer for the signature.
  * @param dst_size  The length of the destination buffer, in bytes.  An
  *                  implementation must never write beyond this bound.
  *
  * @return true if signing succeeded, false otherwise.
  */
 typedef bool (*external_sign_func)(
         void *sign_ctx, const void *src, size_t src_size,
         void *dst, size_t dst_size);
 
 /**
  * Context used by external_pkcs1_sign(): the caller-supplied signing
  * callback, its opaque argument, and the byte length of the signatures the
  * callback produces.
  */
 struct external_context {
     size_t signature_length;    /**< Length in bytes of a signature produced by \c sign (presumably used to size the \c dst buffer passed to it) */
     external_sign_func sign;    /**< Signing callback; see external_sign_func */
     void *sign_ctx;             /**< Opaque argument passed through unchanged to \c sign */
 };
 
 /**
  * Structure that wraps the TLS context. Contents differ depending on the
  * SSL library used.
  *
  * One private-key source is expected to be configured: \c priv_key
  * (key loaded locally), \c pkcs11_cert (with ENABLE_PKCS11) or
  * \c external_key (signing delegated to a caller-supplied callback).
  */
 struct tls_root_ctx {
     bool initialised;           /**< True if the context has been initialised */
 
     int endpoint;               /**< mbed TLS endpoint type, i.e. whether this side acts as
                                  *   server or client (MBEDTLS_SSL_IS_SERVER / MBEDTLS_SSL_IS_CLIENT) */
 
     mbedtls_dhm_context *dhm_ctx;       /**< Diffie-Hellman-Merkle context */
     mbedtls_x509_crt *crt_chain;        /**< Local certificate chain */
     mbedtls_x509_crt *ca_chain;         /**< CA chain for remote verification */
     mbedtls_pk_context *priv_key;       /**< Local private key */
     mbedtls_x509_crl *crl;              /**< Certificate Revocation List */
     time_t crl_last_mtime;              /**< CRL last modification time (presumably compared with the
                                          *   on-disk file to decide whether the CRL must be reloaded) */
     off_t crl_last_size;                /**< Size of the last loaded CRL (same reload check, presumably) */
 #ifdef ENABLE_PKCS11
     pkcs11h_certificate_t pkcs11_cert;  /**< PKCS11 certificate */
 #endif
     struct external_context external_key; /**< External key context; see external_context */
     int *allowed_ciphers;       /**< List of allowed cipher-suite IDs for this connection; expected to be
                                  *   0-terminated, as mbedtls_ssl_conf_ciphersuites() requires */
     mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types: hash and public-key algorithms
                                             *   and minimum key sizes accepted when verifying peer certificates */
 };
 
 /**
  * Per-session TLS state: the mbed TLS configuration and connection context
  * together with the buffers that presumably stand in for the network.
  */
 struct key_state_ssl {
     mbedtls_ssl_config ssl_config;      /**< mbedTLS global ssl config */
     mbedtls_ssl_context *ctx;           /**< mbedTLS connection context */
     bio_ctx bio_ctx;                    /**< In/out byte queues used as the I/O layer for \c ctx; see bio_ctx */
 };
 
 /**
  * Call the supplied signing function to create a TLS signature during the
  * TLS handshake.
  *
  * Presumably records \p sign_func and \p sign_ctx in \c ctx->external_key
  * so that the handshake's private-key operations are delegated to the caller
  * instead of a locally loaded \c priv_key — confirm in ssl_mbedtls.c.
  *
  * @param ctx                   TLS context to use.
  * @param sign_func             Signing function to call.
  * @param sign_ctx              Context for the sign function; passed through
  *                              unchanged to \p sign_func on every call.
  *
  * @return                      0 if successful, 1 if an error occurred.
  */
 int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
                                       external_sign_func sign_func,
                                       void *sign_ctx);
 
 #endif /* SSL_MBEDTLS_H_ */