/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
 *  Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, see <https://www.gnu.org/licenses/>.
 */

/**
 * @file
 * Control Channel SSL/TLS backend interface.
 *
 * This header is the library-independent contract between ssl.c and the
 * crypto backend that is compiled in (OpenSSL or mbed TLS, selected by the
 * ENABLE_CRYPTO_* macros below).  Everything declared here either is
 * implemented in ssl.c for the backend's use, or must be implemented by the
 * backend for ssl.c's use; the two groups are marked by the section banners.
 */

#ifndef SSL_BACKEND_H_
#define SSL_BACKEND_H_

#include "buffer.h"

/*
 * Backend selection.  Each backend supplies its own definitions of
 * struct tls_root_ctx / struct key_state_ssl plus the matching certificate
 * verification module.  Enabling both would redefine SSLAPI, so the build
 * is expected to pick exactly one.
 */
#ifdef ENABLE_CRYPTO_OPENSSL
#include "ssl_openssl.h"
#include "ssl_verify_openssl.h"
#define SSLAPI SSLAPI_OPENSSL
#endif
#ifdef ENABLE_CRYPTO_MBEDTLS
#include "ssl_mbedtls.h"
#include "ssl_verify_mbedtls.h"
#define SSLAPI SSLAPI_MBEDTLS
#endif

/* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */
#ifndef SSLAPI
#define SSLAPI SSLAPI_NONE
#endif

/*
 * Forward declaration only; the full definition (security parameter state
 * of a single session within a VPN tunnel) lives in ssl_common.h.
 */
struct tls_session;

/*
 *
 * Functions implemented in ssl.c for use by the backend SSL library
 *
 */

/**
 * Callback to retrieve the user's password, e.g. the pass phrase protecting
 * an encrypted private key.  Implemented in ssl.c.
 *
 * The signature matches the pass-phrase callback shape expected by the SSL
 * library, which is why the parameters are plain ints rather than size_t.
 *
 * @param buf     Destination buffer the password is written into.
 * @param size    Capacity of @p buf in bytes; the callback must not exceed it.
 * @param rwflag  Read/write flag supplied by the library.
 * @param u       Opaque user-data pointer supplied by the library.
 *
 * @return Number of password bytes written to @p buf.
 *         NOTE(review): the value used to signal "no password" is not
 *         visible here -- confirm against the definition in ssl.c.
 */
int pem_password_callback(char *buf, int size, int rwflag, void *u);

/*
 *
 * Functions used in ssl.c which must be implemented by the backend SSL library
 *
 */

/**
 * Perform any static initialisation necessary by the library.
 */
void tls_init_lib(void);

/**
 * Free any global SSL library-specific data structures.
 */
void tls_free_lib(void);

/**
 * Clear the underlying SSL library's error state.
 */
void tls_clear_error(void);

/*
 * TLS protocol version identifiers, as returned by tls_version_parse() and
 * tls_version_max().  Higher values denote newer protocol versions, so the
 * constants can be compared numerically.
 */
#define TLS_VER_BAD -1     /* version string not recognised */
#define TLS_VER_UNSPEC 0   /* default: no explicit version requested */
#define TLS_VER_1_0 1
#define TLS_VER_1_1 2
#define TLS_VER_1_2 3
#define TLS_VER_1_3 4

/**
 * Parse a TLS version string into one of the TLS_VER_x constants above.
 * Implemented in ssl.c.
 *
 * @param vstr   Version string to parse.
 * @param extra  Optional modifier string; its accepted values are defined in
 *               ssl.c, not on this page -- TODO confirm before relying on it.
 *
 * @return A TLS_VER_x constant; presumably TLS_VER_BAD when @p vstr is not
 *         recognised (name suggests so -- verify against ssl.c).
 */
int tls_version_parse(const char *vstr, const char *extra);

/**
 * Return the maximum TLS version (as a TLS_VER_x constant) supported by the
 * current SSL implementation.
 */
int tls_version_max(void);

/**
 * Initialise a library-specific TLS context for a server.
 *
 * @param ctx  TLS context to initialise.
 */
void tls_ctx_server_new(struct tls_root_ctx *ctx);

/**
 * Initialise a library-specific TLS context for a client.
 *
 * @param ctx  TLS context to initialise.
 */
void tls_ctx_client_new(struct tls_root_ctx *ctx);

/**
 * Frees the library-specific TLSv1 context.
 *
 * @param ctx  TLS context to free.
 */
void tls_ctx_free(struct tls_root_ctx *ctx);

/**
 * Checks whether the given TLS context is initialised.
 *
 * @param ctx  TLS context to check.
 *
 * @return true if the context has been initialised, false otherwise.
 */
bool tls_ctx_initialised(struct tls_root_ctx *ctx);

/**
 * Set any library specific options.
 *
 * @param ctx        TLS context to configure.
 * @param ssl_flags  Option flags; the bit meanings are defined elsewhere
 *                   (not visible in this header).
 *
 * @return true on success.  NOTE(review): the false case is not described
 *         on this page -- confirm against the backend.
 */
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);

/**
 * Restrict the list of ciphers that can be used within the TLS context for
 * TLS 1.2 and below.
 *
 * @param ctx      TLS context to restrict.
 * @param ciphers  Cipher list string; its syntax is backend-defined.
 */
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);

/**
 * Restrict the list of ciphers that can be used within the TLS context for
 * TLS 1.3 and higher.
 *
 * TLS 1.3 cipher suites are a separate namespace from the pre-1.3 list, which
 * is why this is a distinct entry point from tls_ctx_restrict_ciphers().
 *
 * @param ctx      TLS context to restrict.
 * @param ciphers  TLS 1.3 cipher suite list string; syntax is backend-defined.
 */
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers);

/**
 * Set the TLS certificate profile.
 *
 * @param ctx      TLS context to configure.
 * @param profile  Profile name; accepted names are defined by the backend.
 */
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile);

/**
 * Set the (elliptic curve) group allowed for signatures and key exchange.
 *
 * @param ctx     TLS context to configure.
 * @param groups  Group list string; syntax is backend-defined.
 */
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups);

/**
 * Check our certificate notBefore and notAfter fields, and warn if the cert
 * is either not yet valid (notBefore in the future) or no longer valid
 * (notAfter in the past).
 *
 * This is described as a warning, not a hard failure: a context holding an
 * out-of-date certificate is still returned to the caller.
 *
 * @param ctx  TLS context whose loaded certificate is checked.
 */
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx);

/*
 * Convention for the *_inline flags used by the loaders below:
 * NOTE(review): presumably, when the flag is true the corresponding
 * "*_file" argument holds the PEM data itself rather than a file name --
 * confirm against the backend before depending on it.
 */

/**
 * Load Diffie Hellman Parameters, and load them into the library-specific
 * TLS context.
 *
 * @param ctx             TLS context to load the parameters into.
 * @param dh_file         DH parameter file name (or inline data, see above).
 * @param dh_file_inline  Whether @p dh_file is inline data.
 */
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline);

/**
 * Load Elliptic Curve Parameters, and load them into the library-specific
 * TLS context.
 *
 * @param ctx         TLS context to configure.
 * @param curve_name  Name of the curve to use.
 */
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name);

/**
 * Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
 * library-specific TLS context.
 *
 * @param ctx                TLS context to load into.
 * @param pkcs12_file        PKCS #12 file name (or inline data).
 * @param pkcs12_file_inline Whether @p pkcs12_file is inline data.
 * @param load_ca_file       Whether CA certificates contained in the PKCS #12
 *                           bundle are loaded as well.
 *
 * @return Backend status code.  NOTE(review): the success/failure
 *         convention is not documented on this page -- confirm against the
 *         backend before testing the value.
 */
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline,
                        bool load_ca_file);

#ifdef ENABLE_CRYPTOAPI
/**
 * Use Windows cryptoapi for key and cert, and add to library-specific TLS
 * context.
 *
 * @param ctx             TLS context to load into.
 * @param cryptoapi_cert  Selector for the certificate in the Windows store.
 */
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert);

#endif /* ENABLE_CRYPTOAPI */

/**
 * Load certificate file into the given TLS context.
 *
 * @param ctx               TLS context to load into.
 * @param cert_file         Certificate file name (or inline data).
 * @param cert_file_inline  Whether @p cert_file is inline data.
 */
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline);

/**
 * Load private key file into the given TLS context.
 *
 * An encrypted key is expected to be unlocked via pem_password_callback().
 *
 * @param ctx                  TLS context to load into.
 * @param priv_key_file        Private key file name (or inline data).
 * @param priv_key_file_inline Whether @p priv_key_file is inline data.
 *
 * @return Backend status code.  NOTE(review): the success/failure
 *         convention is not documented on this page -- confirm against the
 *         backend before testing the value.
 */
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
                           bool priv_key_file_inline);

#ifdef ENABLE_MANAGEMENT

/*
 * NOTE(review): the rendered source this was taken from shows this line as
 * empty.  The page's own index lists the declaration that belongs here as
 * `int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx);`
 * ("Tell the management interface to load the given certificate and the
 * external private key matching the..."); restore it from the upstream
 * header rather than from this copy.
 */

#endif /* ENABLE_MANAGEMENT */

/**
 * Load certificate authority certificates from the given file or path.
 *
 * @param ctx             TLS context to load into.
 * @param ca_file         CA file name (or inline data); may be combined with
 *                        @p ca_path.
 * @param ca_file_inline  Whether @p ca_file is inline data.
 * @param ca_path         Directory to look up CA certificates in.
 * @param tls_server      Whether the context is a server context.
 */
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline,
                     const char *ca_path, bool tls_server);

/**
 * Load extra certificate authority certificates from the given file or path.
 *
 * @param ctx                      TLS context to load into.
 * @param extra_certs_file         Extra certs file name (or inline data).
 * @param extra_certs_file_inline  Whether @p extra_certs_file is inline data.
 */
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
                              bool extra_certs_file_inline);

#ifdef ENABLE_CRYPTO_MBEDTLS
/**
 * mbed TLS only.  NOTE(review): not described on this page; judging by the
 * name it feeds context-specific data into the RNG personalisation -- confirm
 * against the mbed TLS backend.
 *
 * @param ctx  TLS context to personalise.
 */
void tls_ctx_personalise_random(struct tls_root_ctx *ctx);

#endif

/* **************************************
 *
 * Key-state specific functions
 *
 ***************************************/

/**
 * Initialise the SSL channel part of the given key state.
 *
 * @param ks_ssl     Key state whose SSL channel is initialised.
 * @param ssl_ctx    Initialised TLS context to derive the channel from.
 * @param is_server  Whether this side acts as the TLS server.
 * @param session    The tls_session this key state belongs to.
 */
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx,
                        bool is_server, struct tls_session *session);

/**
 * Sets a TLS session to be shutdown state, so the TLS library will generate
 * a shutdown alert.
 *
 * @param ks_ssl  Key state whose SSL channel is shut down.
 */
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl);

/**
 * Free the SSL channel part of the given key state.
 *
 * @param ks_ssl  Key state whose SSL channel is freed.
 */
void key_state_ssl_free(struct key_state_ssl *ks_ssl);

/**
 * Reload the Certificate Revocation List for the SSL channel.
 *
 * @param ssl_ctx     TLS context whose CRL is replaced.
 * @param crl_file    CRL file name (or inline data).
 * @param crl_inline  Whether @p crl_file is inline data.
 */
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
                                bool crl_inline);

/*
 * Exporter labels passed to key_state_export_keying_material().  Each label
 * yields an independent key stream from the same TLS session, so a label
 * must never be reused for a different purpose.
 */
#define EXPORT_KEY_DATA_LABEL "EXPORTER-OpenVPN-datakeys"
#define EXPORT_P2P_PEERID_LABEL "EXPORTER-OpenVPN-p2p-peerid"
#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL "EXPORTER-OpenVPN-dynamic-tls-crypt"

/**
 * Keying Material Exporters [RFC 5705] allows additional keying material to
 * be derived from an existing TLS session.
 *
 * @param session     Session to export keying material from.
 * @param label       Exporter label (one of the EXPORT_*_LABEL macros).
 * @param label_size  Length of @p label in bytes.
 * @param ekm         Output buffer that receives the exported material.
 * @param ekm_size    Number of bytes to export into @p ekm.
 *
 * @return true on success, false if the material could not be exported.
 */
bool key_state_export_keying_material(struct tls_session *session, const char *label,
                                      size_t label_size, void *ekm, size_t ekm_size);

/**************************************************************************/

/*
 * The key_state_{read,write}_{plaintext,ciphertext} functions move data
 * across the TLS engine.  Their int results share one convention.
 * NOTE(review): that convention is not spelled out on this page -- confirm
 * the success / nothing-to-do / error values against the backend.
 */

/**
 * Insert a plaintext buffer into the TLS module.
 *
 * @param ks_ssl  Key state whose TLS channel receives the data.
 * @param buf     Plaintext to write.
 *
 * @return Status code (see note above).
 */
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf);

/**
 * Insert plaintext data into the TLS module.
 *
 * Variant of key_state_write_plaintext() taking a raw pointer and length.
 *
 * @param ks_ssl  Key state whose TLS channel receives the data.
 * @param data    Plaintext bytes to write.
 * @param len     Number of bytes in @p data.
 *
 * @return Status code (see note above).
 */
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len);

/**
 * Extract ciphertext data from the TLS module.
 *
 * @param ks_ssl  Key state whose TLS channel is read.
 * @param buf     Buffer that receives the ciphertext.
 *
 * @return Status code (see note above).
 */
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf);


/**
 * Insert a ciphertext buffer into the TLS module.
 *
 * @param ks_ssl  Key state whose TLS channel receives the data.
 * @param buf     Ciphertext to write.
 *
 * @return Status code (see note above).
 */
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf);

/**
 * Extract plaintext data from the TLS module.
 *
 * @param ks_ssl  Key state whose TLS channel is read.
 * @param buf     Buffer that receives the plaintext.
 *
 * @return Status code (see note above).
 */
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf);

/* **************************************
 *
 * Information functions
 *
 * Print information for the end user.
 *
 ***************************************/

/**
 * Print a one line summary of SSL/TLS session handshake.
 *
 * @param ks_ssl  Key state whose handshake is summarised.
 * @param prefix  Text printed in front of the summary.
 */
void print_details(struct key_state_ssl *ks_ssl, const char *prefix);

/**
 * Show the TLS ciphers that are available for us to use in the library
 * depending on the TLS version.
 *
 * @param cipher_list       Cipher list to filter by; syntax is backend-defined.
 * @param tls_cert_profile  Certificate profile to apply while listing.
 * @param tls13             Whether to list TLS 1.3 suites instead of the
 *                          pre-1.3 ciphers.
 */
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile,
                                     bool tls13);

/**
 * Show the available elliptic curves in the crypto library.
 */
void show_available_curves(void);

/**
 * Return a pointer to a static memory area containing the name and version
 * number of the SSL library.  The storage is static: the caller must not
 * free or modify it.
 */
const char *get_ssl_library_version(void);

#endif /* SSL_BACKEND_H_ */