/*  Copyright (C) 2016 American Civil Liberties Union (ACLU)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#pragma once

#include <uv.h>
#include <gnutls/gnutls.h>
#include <libknot/packet/pkt.h>
#include "lib/defines.h"
#include "lib/generic/array.h"
#include "lib/generic/map.h"

/*! Upper bound for TLS record padding, tied to the EDNS payload size
 * (KR_EDNS_PAYLOAD, presumably from lib/defines.h). */
#define MAX_TLS_PADDING KR_EDNS_PAYLOAD
/*! Cap on retries when uncorking (flushing) buffered TLS output.
 * NOTE(review): what happens when the cap is hit is decided in tls.c — confirm. */
#define TLS_MAX_UNCORK_RETRIES 100

struct tls_ctx_t;
struct tls_client_ctx_t;
/*! Server-side TLS credentials (certificate + private key) shared between sessions.
 *
 * Reference-counted: take a reference with tls_credentials_reserve() and drop
 * it with tls_credentials_release(); tls_credentials_free() is only for an
 * object with no outstanding references.
 */
struct tls_credentials {
	int count;                  /*!< Reference count (see tls_credentials_reserve/release). */
	char *tls_cert;             /*!< Certificate file path, presumably as given to tls_certificate_set(). */
	char *tls_key;              /*!< Private key file path, presumably as given to tls_certificate_set(). */
	gnutls_certificate_credentials_t credentials; /*!< GnuTLS credential handle. */
	time_t valid_until;         /*!< Expiry time. NOTE(review): whether expiry triggers a reload or a rejection is decided in tls.c — confirm. */
	char *ephemeral_servicename; /*!< Service name for credentials from tls_get_ephemeral_credentials(); presumably NULL otherwise — confirm. */
};

/*! Peer-authentication parameters for one upstream (address + port),
 * filled by tls_client_params_set().
 *
 * NOTE(review): the strings are stored as const char *; whether the entry owns
 * copies or borrows the caller's buffers (and therefore what
 * tls_client_params_free() releases) is decided in tls.c — confirm before
 * passing temporaries.
 */
struct tls_client_paramlist_entry {
	array_t(const char *) ca_files;  /*!< CA certificate files used to validate the peer. */
	array_t(const char *) hostnames; /*!< Hostnames expected in the peer certificate. */
	array_t(const char *) pins;      /*!< Key pins (presumably SPKI pins as in RFC 7858 Appendix A — confirm). */
	gnutls_certificate_credentials_t credentials; /*!< GnuTLS credential handle built from the above. */
};

/*! Progress of the client-side TLS handshake, read/written via
 * tls_client_get_hs_state() / tls_client_set_hs_state(). */
typedef enum tls_client_hs_state {
	TLS_HS_NOT_STARTED = 0, /*!< Handshake not yet initiated. */
	TLS_HS_IN_PROGRESS,     /*!< Handshake started, not finished. */
	TLS_HS_DONE,            /*!< Handshake finished. */
	TLS_HS_LAST             /*!< Sentinel: one past the last valid state. */
} tls_client_hs_state_t;

/*! Callback invoked when a client handshake started by tls_client_connect_start()
 * finishes.
 * NOTE(review): the meaning of @p status (0 = success vs. a GnuTLS/kres error
 * code) and of the return value are set in tls.c — confirm. */
typedef int (*tls_handshake_cb) (struct session *session, int status);

/*! Create an empty (server-side) TLS context for the given worker.
 * @return new context, or presumably NULL on allocation failure — confirm in tls.c.
 * Release with tls_free(). */
struct tls_ctx_t* tls_new(struct worker_ctx *worker);

/*! Close and free a TLS context created by tls_new(). */
void tls_free(struct tls_ctx_t* tls);

/*! Push a DNS packet into the TLS context of @p handle for sending.
 * @return presumably 0 on success, negative error code otherwise — confirm in tls.c. */
int tls_push(struct qr_task *task, uv_handle_t* handle, knot_pkt_t * pkt);

/*! Unwrap incoming data from a TLS stream and pass them to TCP session.
 * @param buf   raw bytes read from the stream
 * @param nread number of bytes in @p buf; it is signed (ssize_t), so a
 *              negative value presumably follows libuv's read-callback
 *              convention (error/EOF) — confirm in tls.c that it is handled
 *              before @p buf is touched.
 * @return the number of newly-completed requests (>=0) or an error code
 */
int tls_process(struct worker_ctx *worker, uv_stream_t *handle, const uint8_t *buf, ssize_t nread);

/*! Set TLS certificate and key from files.
 * @param tls_cert path of the certificate file
 * @param tls_key  path of the private key file (keep it readable only by the
 *                 resolver's user; this API does not check permissions)
 * @return presumably 0 on success, negative error code otherwise — confirm in tls.c. */
int tls_certificate_set(struct network *net, const char *tls_cert, const char *tls_key);

/*! Borrow TLS credentials for a context: take a reference (bumps the refcount).
 * Pair every call with tls_credentials_release(). */
struct tls_credentials *tls_credentials_reserve(struct tls_credentials *tls_credentials);

/*! Release TLS credentials for context (decrements refcount or frees).
 * After this call the pointer must not be used: the object may be gone. */
int tls_credentials_release(struct tls_credentials *tls_credentials);

/*! Free TLS credentials unconditionally; must not be called while the object
 * holds a positive refcount (use tls_credentials_release() from normal code). */
void tls_credentials_free(struct tls_credentials *tls_credentials);

/*! Log the DNS-over-TLS out-of-band key-pin form of the current credentials
 * (the SPKI pin format of RFC 7858 Appendix A), so operators can publish the
 * pin for clients that validate by pin instead of by CA:
 * https://tools.ietf.org/html/rfc7858#appendix-A */
void tls_credentials_log_pins(struct tls_credentials *tls_credentials);

/*! Generate new ephemeral (self-generated) TLS credentials.
 * Such credentials cannot be CA-validated by clients; they only make sense with
 * pin-based authentication. Release with tls_credentials_release(). */
struct tls_credentials * tls_get_ephemeral_credentials(struct engine *engine);

/*! Set TLS authentication parameters for given upstream address and port.
 * Each of @p ca_file, @p hostname and @p pin is added to the corresponding
 * array of that address's tls_client_paramlist_entry.
 * NOTE(review): how the three combine when validating the peer (e.g. whether
 * a pin alone suffices, or whether a hostname is required alongside a CA file)
 * is decided in tls.c, not here — confirm before relying on a partial set.
 * @return presumably 0 on success, negative error code otherwise — confirm. */
int tls_client_params_set(map_t *tls_client_paramlist,
			  const char *addr, uint16_t port,
			  const char *ca_file, const char *hostname, const char *pin);

/*! Free all TLS authentication parameters stored in @p tls_client_paramlist.
 * Any tls_client_ctx_t created from its entries must be freed first (see
 * tls_client_ctx_new / tls_client_ctx_set_params, which take entry pointers). */
int tls_client_params_free(map_t *tls_client_paramlist);

/*! Allocate a new client TLS context configured from @p entry.
 * @return new context, or presumably NULL on failure — confirm in tls.c.
 * Release with tls_client_ctx_free(). */
struct tls_client_ctx_t *tls_client_ctx_new(const struct tls_client_paramlist_entry *entry);

/*! Client-side counterpart of tls_process(): unwrap data received from an
 * upstream TLS stream. Parameters match tls_process(); @p nread is signed, so
 * presumably negative values carry libuv error/EOF — confirm in tls.c. */
int tls_client_process(struct worker_ctx *worker, uv_stream_t *handle,
		       const uint8_t *buf, ssize_t nread);

/*! Free a client TLS context created by tls_client_ctx_new(). */
void tls_client_ctx_free(struct tls_client_ctx_t *ctx);

/*! Start the client TLS handshake on @p session; @p handshake_cb is invoked
 * when it completes (see tls_handshake_cb).
 * @return presumably 0 on success, negative error code otherwise — confirm in tls.c. */
int tls_client_connect_start(struct tls_client_ctx_t *ctx, struct session *session,
			     tls_handshake_cb handshake_cb);

/*! Close the client TLS connection held by @p ctx (the context itself is
 * released separately with tls_client_ctx_free()). */
void tls_client_close(struct tls_client_ctx_t *ctx);

/*! Client-side counterpart of tls_push(): send a DNS packet to the upstream
 * over the TLS context of @p handle. */
int tls_client_push(struct qr_task *task, uv_handle_t *handle, knot_pkt_t *pkt);

/*! Current handshake state of a client TLS context. */
tls_client_hs_state_t tls_client_get_hs_state(const struct tls_client_ctx_t *ctx);

/*! Set the handshake state of a client TLS context.
 * @return presumably an error for a state outside the enum (>= TLS_HS_LAST) — confirm in tls.c. */
int tls_client_set_hs_state(struct tls_client_ctx_t *ctx, tls_client_hs_state_t state);

/*! Apply the authentication parameters in @p entry to @p ctx for @p session.
 * NOTE(review): @p entry is passed as a const pointer; whether @p ctx keeps
 * that pointer after the call (and so must not outlive the paramlist) is
 * decided in tls.c — confirm before freeing the paramlist. */
int tls_client_ctx_set_params(struct tls_client_ctx_t *ctx,
			      const struct tls_client_paramlist_entry *entry,
			      struct session *session);