This commit was manufactured by cvs2git to create tag 'tb_20250414'.tb_20250414

author: cvs2svn <admin@example.com> 2025-04-14 17:32:06 +0000
committer: cvs2svn <admin@example.com> 2025-04-14 17:32:06 +0000
commit: b1ddde874c215cc8891531ed92876f091b7eb83e (patch)
tree: edb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libtls/tls_internal.h
parent: f0a36529837a161734c802ae4c42e84e42347be2 (diff)
download: openbsd-tb_20250414.tar.gz
openbsd-tb_20250414.tar.bz2
openbsd-tb_20250414.zip
1 files changed, 0 insertions, 330 deletions
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
deleted file mode 100644
index 8e566a34e0..0000000000
--- a/src/lib/libtls/tls_internal.h
+++ /dev/null
@@ -1,330 +0,0 @@
-/* $OpenBSD: tls_internal.h,v 1.86 2024/12/10 08:40:30 tb Exp $ */
-/*
- * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
- * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#ifndef HEADER_TLS_INTERNAL_H
-#define HEADER_TLS_INTERNAL_H
-#include <pthread.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-#include <openssl/ssl.h>
-__BEGIN_HIDDEN_DECLS
-#ifndef TLS_DEFAULT_CA_FILE
-#define TLS_DEFAULT_CA_FILE     "/etc/ssl/cert.pem"
-#endif
-#define TLS_CIPHERS_DEFAULT     "TLSv1.3:TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
-#define TLS_CIPHERS_COMPAT      "HIGH:!aNULL"
-#define TLS_CIPHERS_LEGACY      "HIGH:MEDIUM:!aNULL"
-#define TLS_CIPHERS_ALL         "ALL:!aNULL:!eNULL"
-#define TLS_ECDHE_CURVES        "X25519,P-256,P-384"
-union tls_addr {
-        struct in_addr ip4;
-        struct in6_addr ip6;
-};
-struct tls_error {
-        char *msg;
-        int code;
-        int errno_value;
-        int tls;
-};
-struct tls_keypair {
-        struct tls_keypair *next;
-        char *cert_mem;
-        size_t cert_len;
-        char *key_mem;
-        size_t key_len;
-        char *ocsp_staple;
-        size_t ocsp_staple_len;
-        char *pubkey_hash;
-};
-#define TLS_MIN_SESSION_TIMEOUT (4)
-#define TLS_MAX_SESSION_TIMEOUT (24 * 60 * 60)
-#define TLS_NUM_TICKETS                         4
-#define TLS_TICKET_NAME_SIZE                    16
-#define TLS_TICKET_AES_SIZE                     32
-#define TLS_TICKET_HMAC_SIZE                    16
-struct tls_ticket_key {
-        /* The key_name must be 16 bytes according to -lssl */
-        unsigned char   key_name[TLS_TICKET_NAME_SIZE];
-        unsigned char   aes_key[TLS_TICKET_AES_SIZE];
-        unsigned char   hmac_key[TLS_TICKET_HMAC_SIZE];
-        time_t          time;
-};
-typedef int (*tls_sign_cb)(void *_cb_arg, const char *_pubkey_hash,
-    const uint8_t *_input, size_t _input_len, int _padding_type,
-    uint8_t **_out_signature, size_t *_out_signature_len);
-struct tls_config {
-        struct tls_error error;
-        pthread_mutex_t mutex;
-        int refcount;
-        char *alpn;
-        size_t alpn_len;
-        const char *ca_path;
-        char *ca_mem;
-        size_t ca_len;
-        const char *ciphers;
-        int ciphers_server;
-        char *crl_mem;
-        size_t crl_len;
-        int dheparams;
-        int *ecdhecurves;
-        size_t ecdhecurves_len;
-        struct tls_keypair *keypair;
-        int ocsp_require_stapling;
-        uint32_t protocols;
-        unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
-        int session_fd;
-        int session_lifetime;
-        struct tls_ticket_key ticket_keys[TLS_NUM_TICKETS];
-        uint32_t ticket_keyrev;
-        int ticket_autorekey;
-        int verify_cert;
-        int verify_client;
-        int verify_depth;
-        int verify_name;
-        int verify_time;
-        int skip_private_key_check;
-        int use_fake_private_key;
-        tls_sign_cb sign_cb;
-        void *sign_cb_arg;
-};
-struct tls_conninfo {
-        char *alpn;
-        char *cipher;
-        int cipher_strength;
-        char *servername;
-        int session_resumed;
-        char *version;
-        char *common_name;
-        char *hash;
-        char *issuer;
-        char *subject;
-        uint8_t *peer_cert;
-        size_t peer_cert_len;
-        time_t notbefore;
-        time_t notafter;
-};
-#define TLS_CLIENT              (1 << 0)
-#define TLS_SERVER              (1 << 1)
-#define TLS_SERVER_CONN         (1 << 2)
-#define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0)
-#define TLS_CONNECTED           (1 << 1)
-#define TLS_HANDSHAKE_COMPLETE  (1 << 2)
-#define TLS_SSL_NEEDS_SHUTDOWN  (1 << 3)
-struct tls_ocsp_result {
-        const char *result_msg;
-        int response_status;
-        int cert_status;
-        int crl_reason;
-        time_t this_update;
-        time_t next_update;
-        time_t revocation_time;
-};
-struct tls_ocsp {
-        /* responder location */
-        char *ocsp_url;
-        /* cert data, this struct does not own these */
-        X509 *main_cert;
-        STACK_OF(X509) *extra_certs;
-        struct tls_ocsp_result *ocsp_result;
-};
-struct tls_sni_ctx {
-        struct tls_sni_ctx *next;
-        struct tls_keypair *keypair;
-        SSL_CTX *ssl_ctx;
-        X509 *ssl_cert;
-};
-struct tls {
-        struct tls_config *config;
-        struct tls_keypair *keypair;
-        struct tls_error error;
-        uint32_t flags;
-        uint32_t state;
-        char *servername;
-        int socket;
-        SSL *ssl_conn;
-        SSL_CTX *ssl_ctx;
-        struct tls_sni_ctx *sni_ctx;
-        X509 *ssl_peer_cert;
-        STACK_OF(X509) *ssl_peer_chain;
-        struct tls_conninfo *conninfo;
-        struct tls_ocsp *ocsp;
-        tls_read_cb read_cb;
-        tls_write_cb write_cb;
-        void *cb_arg;
-};
-int tls_set_mem(char **_dest, size_t *_destlen, const void *_src,
-    size_t _srclen);
-int tls_set_string(const char **_dest, const char *_src);
-struct tls_keypair *tls_keypair_new(void);
-void tls_keypair_clear_key(struct tls_keypair *_keypair);
-void tls_keypair_free(struct tls_keypair *_keypair);
-int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
-    struct tls_error *_error, const char *_cert_file);
-int tls_keypair_set_cert_mem(struct tls_keypair *_keypair,
-    struct tls_error *_error, const uint8_t *_cert, size_t _len);
-int tls_keypair_set_key_file(struct tls_keypair *_keypair,
-    struct tls_error *_error, const char *_key_file);
-int tls_keypair_set_key_mem(struct tls_keypair *_keypair,
-    struct tls_error *_error, const uint8_t *_key, size_t _len);
-int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
-    struct tls_error *_error, const char *_ocsp_file);
-int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
-    struct tls_error *_error, const uint8_t *_staple, size_t _len);
-int tls_keypair_load_cert(struct tls_keypair *_keypair,
-    struct tls_error *_error, X509 **_cert);
-struct tls_sni_ctx *tls_sni_ctx_new(void);
-void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
-struct tls_config *tls_config_new_internal(void);
-struct tls *tls_new(void);
-struct tls *tls_server_conn(struct tls *ctx);
-int tls_get_common_name(struct tls *_ctx, X509 *_cert, const char *_in_name,
-    char **_out_common_name);
-int tls_check_name(struct tls *ctx, X509 *cert, const char *servername,
-    int *match);
-int tls_configure_server(struct tls *ctx);
-int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx);
-int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
-    struct tls_keypair *keypair, int required);
-int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify);
-int tls_handshake_client(struct tls *ctx);
-int tls_handshake_server(struct tls *ctx);
-int tls_config_load_file(struct tls_error *error, const char *filetype,
-    const char *filename, char **buf, size_t *len);
-int tls_config_ticket_autorekey(struct tls_config *config);
-int tls_host_port(const char *hostport, char **host, char **port);
-int tls_set_cbs(struct tls *ctx,
-    tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg);
-void tls_error_clear(struct tls_error *error);
-int tls_error_set(struct tls_error *error, int code, const char *fmt, ...)
-    __attribute__((__format__ (printf, 3, 4)))
-    __attribute__((__nonnull__ (3)));
-int tls_error_setx(struct tls_error *error, int code, const char *fmt, ...)
-    __attribute__((__format__ (printf, 3, 4)))
-    __attribute__((__nonnull__ (3)));
-int tls_config_set_error(struct tls_config *cfg, int code, const char *fmt, ...)
-    __attribute__((__format__ (printf, 3, 4)))
-    __attribute__((__nonnull__ (3)));
-int tls_config_set_errorx(struct tls_config *cfg, int code, const char *fmt, ...)
-    __attribute__((__format__ (printf, 3, 4)))
-    __attribute__((__nonnull__ (3)));
-int tls_set_error(struct tls *ctx, int code, const char *fmt, ...)
-    __attribute__((__format__ (printf, 3, 4)))
-    __attribute__((__nonnull__ (3)));
-int tls_set_errorx(struct tls *ctx, int code, const char *fmt, ...)
-    __attribute__((__format__ (printf, 3, 4)))
-    __attribute__((__nonnull__ (3)));
-int tls_set_ssl_errorx(struct tls *ctx, int code, const char *fmt, ...)
-    __attribute__((__format__ (printf, 3, 4)))
-    __attribute__((__nonnull__ (3)));
-int tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret,
-    const char *prefix);
-int tls_conninfo_populate(struct tls *ctx);
-void tls_conninfo_free(struct tls_conninfo *conninfo);
-int tls_ocsp_verify_cb(SSL *ssl, void *arg);
-int tls_ocsp_stapling_cb(SSL *ssl, void *arg);
-void tls_ocsp_free(struct tls_ocsp *ctx);
-struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx);
-int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out,
-    size_t *_outlen);
-int tls_cert_hash(X509 *_cert, char **_hash);
-int tls_cert_pubkey_hash(X509 *_cert, char **_hash);
-int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
-RSA_METHOD *tls_signer_rsa_method(void);
-EC_KEY_METHOD *tls_signer_ecdsa_method(void);
-#define TLS_PADDING_NONE                        0
-#define TLS_PADDING_RSA_PKCS1                   1
-int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb,
-    void *_cb_arg);
-struct tls_signer* tls_signer_new(void);
-void tls_signer_free(struct tls_signer * _signer);
-const char *tls_signer_error(struct tls_signer * _signer);
-int tls_signer_add_keypair_file(struct tls_signer *_signer,
-    const char *_cert_file, const char *_key_file);
-int tls_signer_add_keypair_mem(struct tls_signer *_signer, const uint8_t *_cert,
-    size_t _cert_len, const uint8_t *_key, size_t _key_len);
-int tls_signer_sign(struct tls_signer *_signer, const char *_pubkey_hash,
-    const uint8_t *_input, size_t _input_len, int _padding_type,
-    uint8_t **_out_signature, size_t *_out_signature_len);
-__END_HIDDEN_DECLS
-/* XXX this function is not fully hidden so relayd can use it */
-void tls_config_skip_private_key_check(struct tls_config *config);
-void tls_config_use_fake_private_key(struct tls_config *config);
-#endif /* HEADER_TLS_INTERNAL_H */
author	cvs2svn <admin@example.com>	2025-04-14 17:32:06 +0000
committer	cvs2svn <admin@example.com>	2025-04-14 17:32:06 +0000
commit	b1ddde874c215cc8891531ed92876f091b7eb83e (patch)
tree	edb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libtls/tls_internal.h
parent	f0a36529837a161734c802ae4c42e84e42347be2 (diff)
download	openbsd-tb_20250414.tar.gz openbsd-tb_20250414.tar.bz2 openbsd-tb_20250414.zip

diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h deleted file mode 100644 index 8e566a34e0..0000000000 --- a/src/lib/libtls/tls_internal.h +++ /dev/null
@@ -1,330 +0,0 @@
1	/* $OpenBSD: tls_internal.h,v 1.86 2024/12/10 08:40:30 tb Exp $ */
2	/*
3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5	*
6	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#ifndef HEADER_TLS_INTERNAL_H
20	#define HEADER_TLS_INTERNAL_H
21
22	#include <pthread.h>
23
24	#include <arpa/inet.h>
25	#include <netinet/in.h>
26
27	#include <openssl/ssl.h>
28
29	__BEGIN_HIDDEN_DECLS
30
31	#ifndef TLS_DEFAULT_CA_FILE
32	#define TLS_DEFAULT_CA_FILE "/etc/ssl/cert.pem"
33	#endif
34
35	#define TLS_CIPHERS_DEFAULT "TLSv1.3:TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
36	#define TLS_CIPHERS_COMPAT "HIGH:!aNULL"
37	#define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL"
38	#define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL"
39
40	#define TLS_ECDHE_CURVES "X25519,P-256,P-384"
41
42	union tls_addr {
43	struct in_addr ip4;
44	struct in6_addr ip6;
45	};
46
47	struct tls_error {
48	char *msg;
49	int code;
50	int errno_value;
51	int tls;
52	};
53
54	struct tls_keypair {
55	struct tls_keypair *next;
56
57	char *cert_mem;
58	size_t cert_len;
59	char *key_mem;
60	size_t key_len;
61	char *ocsp_staple;
62	size_t ocsp_staple_len;
63	char *pubkey_hash;
64	};
65
66	#define TLS_MIN_SESSION_TIMEOUT (4)
67	#define TLS_MAX_SESSION_TIMEOUT (24 * 60 * 60)
68
69	#define TLS_NUM_TICKETS 4
70	#define TLS_TICKET_NAME_SIZE 16
71	#define TLS_TICKET_AES_SIZE 32
72	#define TLS_TICKET_HMAC_SIZE 16
73
74	struct tls_ticket_key {
75	/* The key_name must be 16 bytes according to -lssl */
76	unsigned char key_name[TLS_TICKET_NAME_SIZE];
77	unsigned char aes_key[TLS_TICKET_AES_SIZE];
78	unsigned char hmac_key[TLS_TICKET_HMAC_SIZE];
79	time_t time;
80	};
81
82	typedef int (tls_sign_cb)(void _cb_arg, const char *_pubkey_hash,
83	const uint8_t *_input, size_t _input_len, int _padding_type,
84	uint8_t *_out_signature, size_t _out_signature_len);
85
86	struct tls_config {
87	struct tls_error error;
88
89	pthread_mutex_t mutex;
90	int refcount;
91
92	char *alpn;
93	size_t alpn_len;
94	const char *ca_path;
95	char *ca_mem;
96	size_t ca_len;
97	const char *ciphers;
98	int ciphers_server;
99	char *crl_mem;
100	size_t crl_len;
101	int dheparams;
102	int *ecdhecurves;
103	size_t ecdhecurves_len;
104	struct tls_keypair *keypair;
105	int ocsp_require_stapling;
106	uint32_t protocols;
107	unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
108	int session_fd;
109	int session_lifetime;
110	struct tls_ticket_key ticket_keys[TLS_NUM_TICKETS];
111	uint32_t ticket_keyrev;
112	int ticket_autorekey;
113	int verify_cert;
114	int verify_client;
115	int verify_depth;
116	int verify_name;
117	int verify_time;
118	int skip_private_key_check;
119	int use_fake_private_key;
120	tls_sign_cb sign_cb;
121	void *sign_cb_arg;
122	};
123
124	struct tls_conninfo {
125	char *alpn;
126	char *cipher;
127	int cipher_strength;
128	char *servername;
129	int session_resumed;
130	char *version;
131
132	char *common_name;
133	char *hash;
134	char *issuer;
135	char *subject;
136
137	uint8_t *peer_cert;
138	size_t peer_cert_len;
139
140	time_t notbefore;
141	time_t notafter;
142	};
143
144	#define TLS_CLIENT (1 << 0)
145	#define TLS_SERVER (1 << 1)
146	#define TLS_SERVER_CONN (1 << 2)
147
148	#define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0)
149	#define TLS_CONNECTED (1 << 1)
150	#define TLS_HANDSHAKE_COMPLETE (1 << 2)
151	#define TLS_SSL_NEEDS_SHUTDOWN (1 << 3)
152
153	struct tls_ocsp_result {
154	const char *result_msg;
155	int response_status;
156	int cert_status;
157	int crl_reason;
158	time_t this_update;
159	time_t next_update;
160	time_t revocation_time;
161	};
162
163	struct tls_ocsp {
164	/* responder location */
165	char *ocsp_url;
166
167	/* cert data, this struct does not own these */
168	X509 *main_cert;
169	STACK_OF(X509) *extra_certs;
170
171	struct tls_ocsp_result *ocsp_result;
172	};
173
174	struct tls_sni_ctx {
175	struct tls_sni_ctx *next;
176
177	struct tls_keypair *keypair;
178
179	SSL_CTX *ssl_ctx;
180	X509 *ssl_cert;
181	};
182
183	struct tls {
184	struct tls_config *config;
185	struct tls_keypair *keypair;
186
187	struct tls_error error;
188
189	uint32_t flags;
190	uint32_t state;
191
192	char *servername;
193	int socket;
194
195	SSL *ssl_conn;
196	SSL_CTX *ssl_ctx;
197
198	struct tls_sni_ctx *sni_ctx;
199
200	X509 *ssl_peer_cert;
201	STACK_OF(X509) *ssl_peer_chain;
202
203	struct tls_conninfo *conninfo;
204
205	struct tls_ocsp *ocsp;
206
207	tls_read_cb read_cb;
208	tls_write_cb write_cb;
209	void *cb_arg;
210	};
211
212	int tls_set_mem(char *_dest, size_t _destlen, const void *_src,
213	size_t _srclen);
214	int tls_set_string(const char *_dest, const char _src);
215
216	struct tls_keypair *tls_keypair_new(void);
217	void tls_keypair_clear_key(struct tls_keypair *_keypair);
218	void tls_keypair_free(struct tls_keypair *_keypair);
219	int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
220	struct tls_error _error, const char _cert_file);
221	int tls_keypair_set_cert_mem(struct tls_keypair *_keypair,
222	struct tls_error _error, const uint8_t _cert, size_t _len);
223	int tls_keypair_set_key_file(struct tls_keypair *_keypair,
224	struct tls_error _error, const char _key_file);
225	int tls_keypair_set_key_mem(struct tls_keypair *_keypair,
226	struct tls_error _error, const uint8_t _key, size_t _len);
227	int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
228	struct tls_error _error, const char _ocsp_file);
229	int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
230	struct tls_error _error, const uint8_t _staple, size_t _len);
231	int tls_keypair_load_cert(struct tls_keypair *_keypair,
232	struct tls_error _error, X509 *_cert);
233
234	struct tls_sni_ctx *tls_sni_ctx_new(void);
235	void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
236
237	struct tls_config *tls_config_new_internal(void);
238
239	struct tls *tls_new(void);
240	struct tls tls_server_conn(struct tls ctx);
241
242	int tls_get_common_name(struct tls _ctx, X509 _cert, const char *_in_name,
243	char **_out_common_name);
244	int tls_check_name(struct tls ctx, X509 cert, const char *servername,
245	int *match);
246	int tls_configure_server(struct tls *ctx);
247
248	int tls_configure_ssl(struct tls ctx, SSL_CTX ssl_ctx);
249	int tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
250	struct tls_keypair *keypair, int required);
251	int tls_configure_ssl_verify(struct tls ctx, SSL_CTX ssl_ctx, int verify);
252
253	int tls_handshake_client(struct tls *ctx);
254	int tls_handshake_server(struct tls *ctx);
255
256	int tls_config_load_file(struct tls_error error, const char filetype,
257	const char filename, char buf, size_t len);
258	int tls_config_ticket_autorekey(struct tls_config *config);
259	int tls_host_port(const char hostport, char host, char *port);
260
261	int tls_set_cbs(struct tls *ctx,
262	tls_read_cb read_cb, tls_write_cb write_cb, void *cb_arg);
263
264	void tls_error_clear(struct tls_error *error);
265	int tls_error_set(struct tls_error error, int code, const char fmt, ...)
266	__attribute__((__format__ (printf, 3, 4)))
267	__attribute__((__nonnull__ (3)));
268	int tls_error_setx(struct tls_error error, int code, const char fmt, ...)
269	__attribute__((__format__ (printf, 3, 4)))
270	__attribute__((__nonnull__ (3)));
271	int tls_config_set_error(struct tls_config cfg, int code, const char fmt, ...)
272	__attribute__((__format__ (printf, 3, 4)))
273	__attribute__((__nonnull__ (3)));
274	int tls_config_set_errorx(struct tls_config cfg, int code, const char fmt, ...)
275	__attribute__((__format__ (printf, 3, 4)))
276	__attribute__((__nonnull__ (3)));
277	int tls_set_error(struct tls ctx, int code, const char fmt, ...)
278	__attribute__((__format__ (printf, 3, 4)))
279	__attribute__((__nonnull__ (3)));
280	int tls_set_errorx(struct tls ctx, int code, const char fmt, ...)
281	__attribute__((__format__ (printf, 3, 4)))
282	__attribute__((__nonnull__ (3)));
283	int tls_set_ssl_errorx(struct tls ctx, int code, const char fmt, ...)
284	__attribute__((__format__ (printf, 3, 4)))
285	__attribute__((__nonnull__ (3)));
286
287	int tls_ssl_error(struct tls ctx, SSL ssl_conn, int ssl_ret,
288	const char *prefix);
289
290	int tls_conninfo_populate(struct tls *ctx);
291	void tls_conninfo_free(struct tls_conninfo *conninfo);
292
293	int tls_ocsp_verify_cb(SSL ssl, void arg);
294	int tls_ocsp_stapling_cb(SSL ssl, void arg);
295	void tls_ocsp_free(struct tls_ocsp *ctx);
296	struct tls_ocsp tls_ocsp_setup_from_peer(struct tls ctx);
297	int tls_hex_string(const unsigned char _in, size_t _inlen, char *_out,
298	size_t *_outlen);
299	int tls_cert_hash(X509 _cert, char *_hash);
300	int tls_cert_pubkey_hash(X509 _cert, char *_hash);
301
302	int tls_password_cb(char _buf, int _size, int _rwflag, void _u);
303
304	RSA_METHOD *tls_signer_rsa_method(void);
305	EC_KEY_METHOD *tls_signer_ecdsa_method(void);
306
307	#define TLS_PADDING_NONE 0
308	#define TLS_PADDING_RSA_PKCS1 1
309
310	int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb,
311	void *_cb_arg);
312
313	struct tls_signer* tls_signer_new(void);
314	void tls_signer_free(struct tls_signer * _signer);
315	const char tls_signer_error(struct tls_signer _signer);
316	int tls_signer_add_keypair_file(struct tls_signer *_signer,
317	const char _cert_file, const char _key_file);
318	int tls_signer_add_keypair_mem(struct tls_signer _signer, const uint8_t _cert,
319	size_t _cert_len, const uint8_t *_key, size_t _key_len);
320	int tls_signer_sign(struct tls_signer _signer, const char _pubkey_hash,
321	const uint8_t *_input, size_t _input_len, int _padding_type,
322	uint8_t *_out_signature, size_t _out_signature_len);
323
324	__END_HIDDEN_DECLS
325
326	/* XXX this function is not fully hidden so relayd can use it */
327	void tls_config_skip_private_key_check(struct tls_config *config);
328	void tls_config_use_fake_private_key(struct tls_config *config);
329
330	#endif /* HEADER_TLS_INTERNAL_H */