OpenVPN
ssl_mbedtls.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifndef SSL_MBEDTLS_H_
30 #define SSL_MBEDTLS_H_
31 
32 #include "syshead.h"
33 
34 #include <mbedtls/ssl.h>
35 #include <mbedtls/x509_crt.h>
36 #include <mbedtls/version.h>
37 
38 #if defined(ENABLE_PKCS11)
39 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
40 #endif
41 
42 typedef struct _buffer_entry buffer_entry;
43 
44 struct _buffer_entry {
45  size_t length;
46  uint8_t *data;
48 };
49 
50 typedef struct {
51  size_t data_start;
55 
56 typedef struct {
59 } bio_ctx;
60 
74 typedef bool (*external_sign_func)(
75  void *sign_ctx, const void *src, size_t src_size,
76  void *dst, size_t dst_size);
77 
82  void *sign_ctx;
83 };
84 
85 #ifdef HAVE_EXPORT_KEYING_MATERIAL
86 
89 struct tls_key_cache {
90  unsigned char client_server_random[64];
91  mbedtls_tls_prf_types tls_prf_type;
92  unsigned char master_secret[48];
93 };
94 #else /* ifdef HAVE_EXPORT_KEYING_MATERIAL */
95 struct tls_key_cache { };
96 #endif
97 
104 struct tls_root_ctx {
105  bool initialised;
107  int endpoint;
109  mbedtls_dhm_context *dhm_ctx;
110  mbedtls_x509_crt *crt_chain;
111  mbedtls_x509_crt *ca_chain;
112  mbedtls_pk_context *priv_key;
113  mbedtls_x509_crl *crl;
114  time_t crl_last_mtime;
116 #ifdef ENABLE_PKCS11
117  pkcs11h_certificate_t pkcs11_cert;
118 #endif
121  mbedtls_ecp_group_id *groups;
122  mbedtls_x509_crt_profile cert_profile;
123 };
124 
126  mbedtls_ssl_config *ssl_config;
127  mbedtls_ssl_context *ctx;
129 
131 };
132 
144  external_sign_func sign_func,
145  void *sign_ctx);
146 
147 static inline void
149 {
150 }
151 #endif /* SSL_MBEDTLS_H_ */
key_state_ssl
Definition: ssl_mbedtls.h:125
tls_root_ctx::external_key
struct external_context external_key
External key context.
Definition: ssl_mbedtls.h:119
external_context
Context used by external_pkcs1_sign()
Definition: ssl_mbedtls.h:79
tls_root_ctx::groups
mbedtls_ecp_group_id * groups
List of allowed groups for this connection.
Definition: ssl_mbedtls.h:121
tls_root_ctx::cert_profile
mbedtls_x509_crt_profile cert_profile
Allowed certificate types.
Definition: ssl_mbedtls.h:122
bio_ctx::out
endless_buffer out
Definition: ssl_mbedtls.h:58
tls_root_ctx::ca_chain
mbedtls_x509_crt * ca_chain
CA chain for remote verification.
Definition: ssl_mbedtls.h:111
tls_root_ctx::crl_last_mtime
time_t crl_last_mtime
CRL last modification time.
Definition: ssl_mbedtls.h:114
endless_buffer
Definition: ssl_mbedtls.h:50
external_context::signature_length
size_t signature_length
Definition: ssl_mbedtls.h:80
external_context::sign_ctx
void * sign_ctx
Definition: ssl_mbedtls.h:82
_buffer_entry::next_block
buffer_entry * next_block
Definition: ssl_mbedtls.h:47
tls_root_ctx::dhm_ctx
mbedtls_dhm_context * dhm_ctx
Diffie-Helmann-Merkle context.
Definition: ssl_mbedtls.h:109
_buffer_entry
Definition: ssl_mbedtls.h:44
key_state_ssl::ssl_config
mbedtls_ssl_config * ssl_config
mbedTLS global ssl config
Definition: ssl_mbedtls.h:126
external_sign_func
bool(* external_sign_func)(void *sign_ctx, const void *src, size_t src_size, void *dst, size_t dst_size)
External signing function prototype.
Definition: ssl_mbedtls.h:74
tls_root_ctx::crl_last_size
off_t crl_last_size
size of last loaded CRL
Definition: ssl_mbedtls.h:115
_buffer_entry::length
size_t length
Definition: ssl_mbedtls.h:45
tls_root_ctx::priv_key
mbedtls_pk_context * priv_key
Local private key.
Definition: ssl_mbedtls.h:112
endless_buffer::first_block
buffer_entry * first_block
Definition: ssl_mbedtls.h:52
external_context::sign
external_sign_func sign
Definition: ssl_mbedtls.h:81
tls_root_ctx::crt_chain
mbedtls_x509_crt * crt_chain
Local Certificate chain.
Definition: ssl_mbedtls.h:110
tls_clear_error
static void tls_clear_error(void)
Definition: ssl_mbedtls.h:148
_buffer_entry::data
uint8_t * data
Definition: ssl_mbedtls.h:46
tls_root_ctx::initialised
bool initialised
True if the context has been initialised.
Definition: ssl_mbedtls.h:105
tls_key_cache
Definition: ssl_mbedtls.h:95
syshead.h
tls_root_ctx::endpoint
int endpoint
Whether or not this is a server or a client.
Definition: ssl_mbedtls.h:107
endless_buffer::last_block
buffer_entry * last_block
Definition: ssl_mbedtls.h:53
tls_root_ctx::crl
mbedtls_x509_crl * crl
Certificate Revocation List.
Definition: ssl_mbedtls.h:113
bio_ctx
Definition: ssl_mbedtls.h:56
tls_root_ctx
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:104
key_state_ssl::bio_ctx
bio_ctx * bio_ctx
Definition: ssl_mbedtls.h:128
tls_root_ctx::allowed_ciphers
int * allowed_ciphers
List of allowed ciphers for this connection.
Definition: ssl_mbedtls.h:120
key_state_ssl::ctx
mbedtls_ssl_context * ctx
mbedTLS connection context
Definition: ssl_mbedtls.h:127
buffer_entry
Definition: buffer.h:1120
endless_buffer::data_start
size_t data_start
Definition: ssl_mbedtls.h:51
tls_ctx_use_external_signing_func
int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, external_sign_func sign_func, void *sign_ctx)
Call the supplied signing function to create a TLS signature during the TLS handshake.
bio_ctx::in
endless_buffer in
Definition: ssl_mbedtls.h:57