ssl_mbedtls.h

Go to the documentation of this file.

/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
 *  Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
#ifndef SSL_MBEDTLS_H_
#define SSL_MBEDTLS_H_
 
#include "syshead.h"
 
#include <mbedtls/ssl.h>
#include <mbedtls/x509_crt.h>
#include <mbedtls/version.h>
 
#if defined(ENABLE_PKCS11)
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
#endif
 
#include "mbedtls_compat.h"
 
typedef struct _buffer_entry buffer_entry;
 
struct _buffer_entry {
    size_t length;
    uint8_t *data;
    buffer_entry *next_block;
};
 
typedef struct {
    size_t data_start;
    buffer_entry *first_block;
    buffer_entry *last_block;
} endless_buffer;
 
typedef struct {
    endless_buffer in;
    endless_buffer out;
} bio_ctx;
 
typedef bool (*external_sign_func)(
    void *sign_ctx, const void *src, size_t src_size,
    void *dst, size_t dst_size);
 
struct external_context {
    size_t signature_length;
    external_sign_func sign;
    void *sign_ctx;
};
 
#ifdef HAVE_EXPORT_KEYING_MATERIAL
struct tls_key_cache {
    unsigned char client_server_random[64];
    mbedtls_tls_prf_types tls_prf_type;
    unsigned char master_secret[48];
};
#else  /* ifdef HAVE_EXPORT_KEYING_MATERIAL */
struct tls_key_cache { };
#endif
 
struct tls_root_ctx {
    bool initialised;           
    int endpoint;               
    mbedtls_dhm_context *dhm_ctx;       
    mbedtls_x509_crt *crt_chain;        
    mbedtls_x509_crt *ca_chain;         
    mbedtls_pk_context *priv_key;       
    mbedtls_x509_crl *crl;              
    time_t crl_last_mtime;              
    off_t crl_last_size;                
#ifdef ENABLE_PKCS11
    pkcs11h_certificate_t pkcs11_cert;  
#endif
    struct external_context external_key; 
    int *allowed_ciphers;       
    mbedtls_compat_group_id *groups;     
    mbedtls_x509_crt_profile cert_profile; 
};
 
struct key_state_ssl {
    mbedtls_ssl_config *ssl_config;     
    mbedtls_ssl_context *ctx;           
    bio_ctx *bio_ctx;
 
    struct tls_key_cache tls_key_cache;
};
 
int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
                                      external_sign_func sign_func,
                                      void *sign_ctx);
 
static inline void
tls_clear_error(void)
{
}
#endif /* SSL_MBEDTLS_H_ */