annotate src/lib-ssl-iostream/iostream-ssl.h @ 23017:c1d36f2575c7 default tip

lib-imap: Fix "Don't accept strings with NULs" cherry-pick
author Timo Sirainen <timo.sirainen@open-xchange.com>
date Thu, 29 Aug 2019 09:55:25 +0300
parents 01e96a26135c
children
1 #ifndef IOSTREAM_SSL_H
2 #define IOSTREAM_SSL_H
3
4 struct ssl_iostream;
5 struct ssl_iostream_context;
6
7 struct ssl_iostream_settings {
8 const char *protocols;
9 const char *cipher_list;
10 const char *ca, *ca_file, *ca_dir; /* context-only */
11 const char *cert;
12 const char *key;
13 const char *key_password;
14 const char *cert_username_field;
15 const char *crypto_device; /* context-only */
16
17 bool verbose, verbose_invalid_cert; /* stream-only */
18 bool verify_remote_cert; /* neither/both */
19 bool require_valid_cert; /* stream-only */
20 bool prefer_server_ciphers;
21 bool compression;
22 bool tickets;
23 };
24
25 /* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
26 becomes available via ssl_iostream_get_last_error(). The callback most
27 likely should be calling ssl_iostream_check_cert_validity(). */
28 typedef int
29 ssl_iostream_handshake_callback_t(const char **error_r, void *context);
30
31 int io_stream_create_ssl_client(struct ssl_iostream_context *ctx, const char *host,
32 const struct ssl_iostream_settings *set,
33 struct istream **input, struct ostream **output,
34 struct ssl_iostream **iostream_r,
35 const char **error_r);
36 int io_stream_create_ssl_server(struct ssl_iostream_context *ctx,
37 const struct ssl_iostream_settings *set,
38 struct istream **input, struct ostream **output,
39 struct ssl_iostream **iostream_r,
40 const char **error_r);
41 /* The returned input and output streams must also be unreferenced. */
42 void ssl_iostream_unref(struct ssl_iostream **ssl_io);
43 /* Shut down the SSL connection and unreference the ssl iostream. */
44 void ssl_iostream_destroy(struct ssl_iostream **ssl_io);
45
46 /* If verbose logging is enabled, use the specified log prefix */
47 void ssl_iostream_set_log_prefix(struct ssl_iostream *ssl_io,
48 const char *prefix);
49
50 int ssl_iostream_handshake(struct ssl_iostream *ssl_io);
51 /* Call the given callback when SSL handshake finishes. The callback must
52 verify whether the certificate and its hostname are valid. If there is no
53 callback, the default is to use ssl_iostream_check_cert_validity() with the
54 same host as given to io_stream_create_ssl_client() */
55 void ssl_iostream_set_handshake_callback(struct ssl_iostream *ssl_io,
56 ssl_iostream_handshake_callback_t *callback,
57 void *context);
58
59 bool ssl_iostream_is_handshaked(const struct ssl_iostream *ssl_io);
60 /* Returns TRUE if the remote cert is invalid, or the handshake callback returned
61 failure. */
62 bool ssl_iostream_has_handshake_failed(const struct ssl_iostream *ssl_io);
63 bool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io);
64 bool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io);
65 int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
66 const char *host, const char **error_r);
67 int ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name);
68 const char *ssl_iostream_get_peer_name(struct ssl_iostream *ssl_io);
69 const char *ssl_iostream_get_server_name(struct ssl_iostream *ssl_io);
70 const char *ssl_iostream_get_security_string(struct ssl_iostream *ssl_io);
71 const char *ssl_iostream_get_last_error(struct ssl_iostream *ssl_io);
72
73 int ssl_iostream_generate_params(buffer_t *output, unsigned int dh_length,
74 const char **error_r);
75 int ssl_iostream_context_import_params(struct ssl_iostream_context *ctx,
76 const buffer_t *input);
77
78 int ssl_iostream_context_init_client(const struct ssl_iostream_settings *set,
79 struct ssl_iostream_context **ctx_r,
80 const char **error_r);
81 int ssl_iostream_context_init_server(const struct ssl_iostream_settings *set,
82 struct ssl_iostream_context **ctx_r,
83 const char **error_r);
84 void ssl_iostream_context_deinit(struct ssl_iostream_context **ctx);
85
86 #endif