syslog-ng source
tls-context.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2002-2013 Balabit
3  * Copyright (c) 1998-2011 Balázs Scheidler
4  *
5  * This library is free software; you can redistribute it and/or
6  * modify it under the terms of the GNU Lesser General Public
7  * License as published by the Free Software Foundation; either
8  * version 2.1 of the License, or (at your option) any later version.
9  *
10  * This library is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13  * Lesser General Public License for more details.
14  *
15  * You should have received a copy of the GNU Lesser General Public
16  * License along with this library; if not, write to the Free Software
17  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18  *
19  * As an additional exemption you are allowed to compile & link against the
20  * OpenSSL libraries as published by the OpenSSL project. See the file
21  * COPYING for details.
22  */
23 
24 #ifndef TLSCONTEXT_H_INCLUDED
25 #define TLSCONTEXT_H_INCLUDED
26 
27 #include "transport/tls-verifier.h"
28 #include "transport/tls-session.h"
29 #include "messages.h"
30 
31 typedef enum
32 {
33  TM_CLIENT,
34  TM_SERVER,
35  TM_MAX
36 } TLSMode;
37 
38 typedef enum
39 {
40  TVM_NONE,
41  TVM_TRUSTED = 0x0001,
42  TVM_UNTRUSTED = 0x0002,
43  TVM_OPTIONAL = 0x0010,
44  TVM_REQUIRED = 0x0020,
45 } TLSVerifyMode;
46 
47 typedef enum
48 {
49  TSO_NONE,
50  TSO_NOSSLv2 = 0x0001,
51  TSO_NOSSLv3 = 0x0002,
52  TSO_NOTLSv1 = 0x0004,
53  TSO_NOTLSv11 = 0x0008,
54  TSO_NOTLSv12 = 0x0010,
55  TSO_NOTLSv13 = 0x0020,
56  TSO_IGNORE_UNEXPECTED_EOF = 0x0040,
57  TSO_IGNORE_HOSTNAME_MISMATCH = 0x0080,
58  TSO_IGNORE_VALIDITY_PERIOD = 0x0100,
59 } TLSSslOptions;
60 
61 typedef enum
62 {
63  TLS_CONTEXT_SETUP_OK,
64  TLS_CONTEXT_SETUP_ERROR,
65  TLS_CONTEXT_SETUP_BAD_PASSWORD
66 } TLSContextSetupResult;
67 
68 struct _TLSContext
69 {
70  GAtomicCounter ref_cnt;
71  TLSMode mode;
72  gint verify_mode;
73  gchar *key_file;
74  struct
75  {
76  gchar *keylog_file_path;
77  FILE *keylog_file;
78  GMutex keylog_file_lock;
79  };
80  gchar *cert_file;
81  gchar *dhparam_file;
82  gchar *pkcs12_file;
83  gchar *ca_dir;
84  gchar *crl_dir;
85  gchar *ca_file;
86  gchar *cipher_suite;
87  gchar *tls13_cipher_suite;
88  gchar *sigalgs;
89  gchar *client_sigalgs;
90  gchar *ecdh_curve_list;
91  gchar *sni;
92  gboolean ocsp_stapling_verify;
93  gboolean extended_key_usage_verify;
94  gboolean allow_compress;
95 
96  SSL_CTX *ssl_ctx;
97  GList *conf_cmds_list;
98  GList *trusted_fingerprint_list;
99  GList *trusted_dn_list;
100  gint ssl_options;
101  gint ssl_version;
102  gchar *location;
103 };
104 
105 
106 
107 #define TLSCONTEXT_ERROR tls_context_error_quark()
108 GQuark tls_context_error_quark(void);
109 
110 enum TLSContextError
111 {
112  TLSCONTEXT_UNSUPPORTED,
113  TLSCONTEXT_INTERNAL_ERROR,
114 };
115 
116 gboolean tls_context_set_verify_mode_by_name(TLSContext *self, const gchar *mode_str);
117 gboolean tls_context_set_ssl_options_by_name(TLSContext *self, GList *options);
118 gboolean tls_context_set_ssl_version_by_name(TLSContext *self, const gchar *value);
119 gint tls_context_get_verify_mode(const TLSContext *self);
120 void tls_context_set_verify_mode(TLSContext *self, gint verify_mode);
121 gboolean tls_context_ignore_hostname_mismatch(TLSContext *self);
122 gboolean tls_context_ignore_validity_period(TLSContext *self);
123 void tls_context_set_key_file(TLSContext *self, const gchar *key_file);
124 void tls_context_set_cert_file(TLSContext *self, const gchar *cert_file);
125 gboolean tls_context_set_keylog_file(TLSContext *self, gchar *keylog_file_path, GError **error);
126 void tls_context_set_pkcs12_file(TLSContext *self, const gchar *pkcs12_file);
127 void tls_context_set_ca_dir(TLSContext *self, const gchar *ca_dir);
128 void tls_context_set_crl_dir(TLSContext *self, const gchar *crl_dir);
129 void tls_context_set_ca_file(TLSContext *self, const gchar *ca_file);
130 void tls_context_set_cipher_suite(TLSContext *self, const gchar *cipher_suite);
131 void tls_context_set_allow_compress(TLSContext *self, gboolean allow);
132 gboolean tls_context_set_tls13_cipher_suite(TLSContext *self, const gchar *tls13_cipher_suite, GError **error);
133 gboolean tls_context_set_sigalgs(TLSContext *self, const gchar *sigalgs, GError **error);
134 gboolean tls_context_set_client_sigalgs(TLSContext *self, const gchar *sigalgs, GError **error);
135 gboolean tls_context_set_conf_cmds(TLSContext *self, GList *cmds, GError **error);
136 void tls_context_set_ecdh_curve_list(TLSContext *self, const gchar *ecdh_curve_list);
137 void tls_context_set_dhparam_file(TLSContext *self, const gchar *dhparam_file);
138 void tls_context_set_sni(TLSContext *self, const gchar *sni);
139 void tls_context_set_ocsp_stapling_verify(TLSContext *self, gboolean ocsp_stapling_verify);
140 void tls_context_set_extended_key_usage_verify(TLSContext *self, gboolean extended_key_usage_verify);
141 const gchar *tls_context_get_key_file(TLSContext *self);
142 EVTTAG *tls_context_format_tls_error_tag(TLSContext *self);
143 EVTTAG *tls_context_format_location_tag(TLSContext *self);
144 gboolean tls_context_verify_peer(TLSContext *self, X509 *peer_cert, const gchar *peer_name);
145 TLSContextSetupResult tls_context_setup_context(TLSContext *self);
146 TLSSession *tls_context_setup_session(TLSContext *self);
147 TLSContext *tls_context_new(TLSMode mode, const gchar *config_location);
148 TLSContext *tls_context_ref(TLSContext *self);
149 void tls_context_unref(TLSContext *self);
150 
151 void tls_x509_format_dn(X509_NAME *name, GString *dn);
152 
153 #endif
name
const gchar * name
Definition: debugger.c:265
mode
GProcessMode mode
Definition: gprocess.c:118
GAtomicCounter
Definition: atomic.h:31
TLSSession
Definition: tls-session.h:35
_TLSContext
Definition: tls-context.h:69
_TLSContext::trusted_fingerprint_list
GList * trusted_fingerprint_list
Definition: tls-context.h:98
_TLSContext::key_file
gchar * key_file
Definition: tls-context.h:73
_TLSContext::ecdh_curve_list
gchar * ecdh_curve_list
Definition: tls-context.h:90
_TLSContext::ref_cnt
GAtomicCounter ref_cnt
Definition: tls-context.h:70
_TLSContext::ssl_version
gint ssl_version
Definition: tls-context.h:101
_TLSContext::pkcs12_file
gchar * pkcs12_file
Definition: tls-context.h:82
_TLSContext::cipher_suite
gchar * cipher_suite
Definition: tls-context.h:86
_TLSContext::verify_mode
gint verify_mode
Definition: tls-context.h:72
_TLSContext::dhparam_file
gchar * dhparam_file
Definition: tls-context.h:81
_TLSContext::trusted_dn_list
GList * trusted_dn_list
Definition: tls-context.h:99
_TLSContext::ca_file
gchar * ca_file
Definition: tls-context.h:85
_TLSContext::ssl_ctx
SSL_CTX * ssl_ctx
Definition: tls-context.h:96
_TLSContext::keylog_file_path
gchar * keylog_file_path
Definition: tls-context.h:76
_TLSContext::keylog_file_lock
GMutex keylog_file_lock
Definition: tls-context.h:78
_TLSContext::crl_dir
gchar * crl_dir
Definition: tls-context.h:84
_TLSContext::conf_cmds_list
GList * conf_cmds_list
Definition: tls-context.h:97
_TLSContext::cert_file
gchar * cert_file
Definition: tls-context.h:80
_TLSContext::extended_key_usage_verify
gboolean extended_key_usage_verify
Definition: tls-context.h:93
_TLSContext::ocsp_stapling_verify
gboolean ocsp_stapling_verify
Definition: tls-context.h:92
_TLSContext::sigalgs
gchar * sigalgs
Definition: tls-context.h:88
_TLSContext::keylog_file
FILE * keylog_file
Definition: tls-context.h:77
_TLSContext::ca_dir
gchar * ca_dir
Definition: tls-context.h:83
_TLSContext::allow_compress
gboolean allow_compress
Definition: tls-context.h:94
_TLSContext::ssl_options
gint ssl_options
Definition: tls-context.h:100
_TLSContext::sni
gchar * sni
Definition: tls-context.h:91
_TLSContext::client_sigalgs
gchar * client_sigalgs
Definition: tls-context.h:89
_TLSContext::location
gchar * location
Definition: tls-context.h:102
_TLSContext::mode
TLSMode mode
Definition: tls-context.h:71
_TLSContext::tls13_cipher_suite
gchar * tls13_cipher_suite
Definition: tls-context.h:87
value
GString * value
Definition: test_decode.c:28
tls_context_set_pkcs12_file
void tls_context_set_pkcs12_file(TLSContext *self, const gchar *pkcs12_file)
Definition: tls-context.c:840
tls_context_set_cipher_suite
void tls_context_set_cipher_suite(TLSContext *self, const gchar *cipher_suite)
Definition: tls-context.c:868
tls_context_setup_context
TLSContextSetupResult tls_context_setup_context(TLSContext *self)
Definition: tls-context.c:560
tls_context_set_extended_key_usage_verify
void tls_context_set_extended_key_usage_verify(TLSContext *self, gboolean extended_key_usage_verify)
Definition: tls-context.c:970
tls_context_set_allow_compress
void tls_context_set_allow_compress(TLSContext *self, gboolean allow)
Definition: tls-context.c:875
tls_context_set_tls13_cipher_suite
gboolean tls_context_set_tls13_cipher_suite(TLSContext *self, const gchar *tls13_cipher_suite, GError **error)
Definition: tls-context.c:887
tls_context_set_client_sigalgs
gboolean tls_context_set_client_sigalgs(TLSContext *self, const gchar *sigalgs, GError **error)
Definition: tls-context.c:915
tls_context_set_ocsp_stapling_verify
void tls_context_set_ocsp_stapling_verify(TLSContext *self, gboolean ocsp_stapling_verify)
Definition: tls-context.c:964
tls_context_set_verify_mode
void tls_context_set_verify_mode(TLSContext *self, gint verify_mode)
Definition: tls-context.c:766
tls_context_ref
TLSContext * tls_context_ref(TLSContext *self)
Definition: tls-context.c:1029
tls_context_set_crl_dir
void tls_context_set_crl_dir(TLSContext *self, const gchar *crl_dir)
Definition: tls-context.c:854
tls_context_verify_peer
gboolean tls_context_verify_peer(TLSContext *self, X509 *peer_cert, const gchar *peer_name)
Definition: tls-context.c:534
tls_context_set_verify_mode_by_name
gboolean tls_context_set_verify_mode_by_name(TLSContext *self, const gchar *mode_str)
Definition: tls-context.c:680
tls_context_set_ecdh_curve_list
void tls_context_set_ecdh_curve_list(TLSContext *self, const gchar *ecdh_curve_list)
Definition: tls-context.c:943
tls_context_new
TLSContext * tls_context_new(TLSMode mode, const gchar *config_location)
Definition: tls-context.c:977
tls_context_format_location_tag
EVTTAG * tls_context_format_location_tag(TLSContext *self)
Definition: tls-context.c:63
TLSContextError
TLSContextError
Definition: tls-context.h:111
TLSCONTEXT_UNSUPPORTED
@ TLSCONTEXT_UNSUPPORTED
Definition: tls-context.h:112
TLSCONTEXT_INTERNAL_ERROR
@ TLSCONTEXT_INTERNAL_ERROR
Definition: tls-context.h:113
tls_context_get_key_file
const gchar * tls_context_get_key_file(TLSContext *self)
Definition: tls-context.c:1048
tls_context_set_ca_dir
void tls_context_set_ca_dir(TLSContext *self, const gchar *ca_dir)
Definition: tls-context.c:847
tls_context_set_ssl_version_by_name
gboolean tls_context_set_ssl_version_by_name(TLSContext *self, const gchar *value)
Definition: tls-context.c:698
tls_context_set_keylog_file
gboolean tls_context_set_keylog_file(TLSContext *self, gchar *keylog_file_path, GError **error)
Definition: tls-context.c:819
tls_context_set_ssl_options_by_name
gboolean tls_context_set_ssl_options_by_name(TLSContext *self, GList *options)
Definition: tls-context.c:721
tls_context_unref
void tls_context_unref(TLSContext *self)
Definition: tls-context.c:1040
tls_context_format_tls_error_tag
EVTTAG * tls_context_format_tls_error_tag(TLSContext *self)
Definition: tls-context.c:52
TLSMode
TLSMode
Definition: tls-context.h:32
TM_CLIENT
@ TM_CLIENT
Definition: tls-context.h:33
TM_SERVER
@ TM_SERVER
Definition: tls-context.h:34
TM_MAX
@ TM_MAX
Definition: tls-context.h:35
tls_context_set_conf_cmds
gboolean tls_context_set_conf_cmds(TLSContext *self, GList *cmds, GError **error)
Definition: tls-context.c:929
tls_context_set_sigalgs
gboolean tls_context_set_sigalgs(TLSContext *self, const gchar *sigalgs, GError **error)
Definition: tls-context.c:901
TLSVerifyMode
TLSVerifyMode
Definition: tls-context.h:39
TVM_REQUIRED
@ TVM_REQUIRED
Definition: tls-context.h:44
TVM_NONE
@ TVM_NONE
Definition: tls-context.h:40
TVM_TRUSTED
@ TVM_TRUSTED
Definition: tls-context.h:41
TVM_UNTRUSTED
@ TVM_UNTRUSTED
Definition: tls-context.h:42
TVM_OPTIONAL
@ TVM_OPTIONAL
Definition: tls-context.h:43
tls_context_set_sni
void tls_context_set_sni(TLSContext *self, const gchar *sni)
Definition: tls-context.c:957
tls_context_ignore_hostname_mismatch
gboolean tls_context_ignore_hostname_mismatch(TLSContext *self)
Definition: tls-context.c:772
TLSContextSetupResult
TLSContextSetupResult
Definition: tls-context.h:62
TLS_CONTEXT_SETUP_ERROR
@ TLS_CONTEXT_SETUP_ERROR
Definition: tls-context.h:64
TLS_CONTEXT_SETUP_BAD_PASSWORD
@ TLS_CONTEXT_SETUP_BAD_PASSWORD
Definition: tls-context.h:65
TLS_CONTEXT_SETUP_OK
@ TLS_CONTEXT_SETUP_OK
Definition: tls-context.h:63
tls_context_get_verify_mode
gint tls_context_get_verify_mode(const TLSContext *self)
Definition: tls-context.c:760
TLSSslOptions
TLSSslOptions
Definition: tls-context.h:48
TSO_NOSSLv2
@ TSO_NOSSLv2
Definition: tls-context.h:50
TSO_NOSSLv3
@ TSO_NOSSLv3
Definition: tls-context.h:51
TSO_IGNORE_HOSTNAME_MISMATCH
@ TSO_IGNORE_HOSTNAME_MISMATCH
Definition: tls-context.h:57
TSO_NOTLSv11
@ TSO_NOTLSv11
Definition: tls-context.h:53
TSO_NOTLSv13
@ TSO_NOTLSv13
Definition: tls-context.h:55
TSO_NOTLSv12
@ TSO_NOTLSv12
Definition: tls-context.h:54
TSO_IGNORE_VALIDITY_PERIOD
@ TSO_IGNORE_VALIDITY_PERIOD
Definition: tls-context.h:58
TSO_IGNORE_UNEXPECTED_EOF
@ TSO_IGNORE_UNEXPECTED_EOF
Definition: tls-context.h:56
TSO_NOTLSv1
@ TSO_NOTLSv1
Definition: tls-context.h:52
TSO_NONE
@ TSO_NONE
Definition: tls-context.h:49
tls_context_setup_session
TLSSession * tls_context_setup_session(TLSContext *self)
Definition: tls-context.c:648
tls_x509_format_dn
void tls_x509_format_dn(X509_NAME *name, GString *dn)
Definition: tls-session.c:135
tls_context_set_ca_file
void tls_context_set_ca_file(TLSContext *self, const gchar *ca_file)
Definition: tls-context.c:861
tls_context_set_dhparam_file
void tls_context_set_dhparam_file(TLSContext *self, const gchar *dhparam_file)
Definition: tls-context.c:950
tls_context_set_key_file
void tls_context_set_key_file(TLSContext *self, const gchar *key_file)
Definition: tls-context.c:809
tls_context_ignore_validity_period
gboolean tls_context_ignore_validity_period(TLSContext *self)
Definition: tls-context.c:778
tls_context_error_quark
GQuark tls_context_error_quark(void)
Definition: tls-context.c:1054
tls_context_set_cert_file
void tls_context_set_cert_file(TLSContext *self, const gchar *cert_file)
Definition: tls-context.c:833