ssl_mbedtls.h

Go to the documentation of this file.

/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
 *  Copyright (C) 2010-2021 Sentyron B.V. <openvpn@sentyron.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, see <https://www.gnu.org/licenses/>.
 */
 
#ifndef SSL_MBEDTLS_H_
#define SSL_MBEDTLS_H_
 
#include "syshead.h"
 
#include <mbedtls/ssl.h>
#include <mbedtls/x509_crt.h>
#include <mbedtls/version.h>
 
#if defined(ENABLE_PKCS11)
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
#endif
 
typedef struct _buffer_entry buffer_entry;
 
struct _buffer_entry
{
    size_t length;
    uint8_t *data;
    buffer_entry *next_block;
};
 
typedef struct
{
    size_t data_start;
    buffer_entry *first_block;
    buffer_entry *last_block;
} endless_buffer;
 
typedef struct
{
    endless_buffer in;
    endless_buffer out;
} bio_ctx;
 
typedef bool (*external_sign_func)(void *sign_ctx, const void *src, size_t src_size, void *dst,
                                   size_t dst_size);
 
struct external_context
{
    size_t signature_length;
    external_sign_func sign;
    void *sign_ctx;
};
 
#if !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
struct tls_key_cache
{
    unsigned char client_server_random[64];
    mbedtls_tls_prf_types tls_prf_type;
    unsigned char master_secret[48];
};
#else /* !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
struct tls_key_cache
{
};
#endif
 
struct tls_root_ctx
{
    bool initialised;                      
    int endpoint;                          
    mbedtls_dhm_context *dhm_ctx;          
    mbedtls_x509_crt *crt_chain;           
    mbedtls_x509_crt *ca_chain;            
    mbedtls_pk_context *priv_key;          
    mbedtls_x509_crl *crl;                 
    time_t crl_last_mtime;                 
    off_t crl_last_size;                   
#ifdef ENABLE_PKCS11
    pkcs11h_certificate_t pkcs11_cert;     
#endif
    struct external_context external_key;  
    int *allowed_ciphers;                  
    uint16_t *groups;                      
    mbedtls_x509_crt_profile cert_profile; 
};
 
struct key_state_ssl
{
    mbedtls_ssl_config *ssl_config; 
    mbedtls_ssl_context *ctx;       
    bio_ctx *bio_ctx;
 
    struct tls_key_cache tls_key_cache;
};
 
int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, external_sign_func sign_func,
                                      void *sign_ctx);
 
static inline void
tls_clear_error(void)
{
}
#endif /* SSL_MBEDTLS_H_ */