summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libressl/ressl.3318
1 files changed, 318 insertions, 0 deletions
diff --git a/src/lib/libressl/ressl.3 b/src/lib/libressl/ressl.3
new file mode 100644
index 0000000000..634dcdbc33
--- /dev/null
+++ b/src/lib/libressl/ressl.3
@@ -0,0 +1,318 @@
1.\" $OpenBSD: ressl.3,v 1.1 2014/10/08 14:40:01 tedu Exp $
2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25.\"
26.Dd $Mdocdate: October 8 2014 $
27.Dt RESSL 3
28.Os
29.Sh NAME
30.Nm ressl_init ,
31.Nm ressl_error ,
32.Nm ressl_config_new ,
33.Nm ressl_config_free ,
34.Nm ressl_config_set_ca_file ,
35.Nm ressl_config_set_ca_path ,
36.Nm ressl_config_set_cert_file ,
37.Nm ressl_config_set_cert_mem ,
38.Nm ressl_config_set_ciphers ,
39.Nm ressl_config_set_ecdhcurve ,
40.Nm ressl_config_set_key_file ,
41.Nm ressl_config_set_key_mem ,
42.Nm ressl_config_set_protocols ,
43.Nm ressl_config_set_verify_depth ,
44.Nm ressl_config_clear_keys ,
45.Nm ressl_config_insecure_noverifyhost ,
46.Nm ressl_config_insecure_noverifycert ,
47.Nm ressl_config_verify ,
48.Nm ressl_client ,
49.Nm ressl_server ,
50.Nm ressl_configure ,
51.Nm ressl_reset ,
52.Nm ressl_free ,
53.Nm ressl_accept ,
54.Nm ressl_accept_socket ,
55.Nm ressl_connect ,
56.Nm ressl_connect_socket ,
57.Nm ressl_listen ,
58.Nm ressl_read ,
59.Nm ressl_write ,
60.Nm ressl_close
61.Nd Ressl TLS client and server
62.Sh SYNOPSIS
63.In ressl.h
64.Ft "int"
65.Fn ressl_init "void"
66.Ft "const char *"
67.Fn ressl_error "struct ressl *ctx"
68.Ft "struct ressl_config *"
69.Fn ressl_config_new "void"
70.Ft "void"
71.Fn ressl_config_free "struct ressl_config *config"
72.Ft "int"
73.Fn ressl_config_set_ca_file "struct ressl_config *config" "const char *ca_file"
74.Ft "int"
75.Fn ressl_config_set_ca_path "struct ressl_config *config" "const char *ca_path"
76.Ft "int"
77.Fn ressl_config_set_cert_file "struct ressl_config *config" "const char *cert_file"
78.Ft "int"
79.Fn ressl_config_set_cert_mem "struct ressl_config *config" "const uint8_t *cert" "size_t len"
80.Ft "int"
81.Fn ressl_config_set_ciphers "struct ressl_config *config" "const char *ciphers"
82.Ft "int"
83.Fn ressl_config_set_ecdhcurve "struct ressl_config *config" "const char *name"
84.Ft "int"
85.Fn ressl_config_set_key_file "struct ressl_config *config" "const char *key_file"
86.Ft "int"
87.Fn ressl_config_set_key_mem "struct ressl_config *config" "const uint8_t *key" "size_t len"
88.Ft "int"
89.Fn ressl_config_set_protocols "struct ressl_config *config" "uint32_t protocols"
90.Ft "int"
91.Fn ressl_config_set_verify_depth "struct ressl_config *config" "int verify_depth"
92.Ft "void"
93.Fn ressl_config_clear_keys "struct ressl_config *config"
94.Ft "void"
95.Fn ressl_config_insecure_noverifyhost "struct ressl_config *config"
96.Ft "void"
97.Fn ressl_config_insecure_noverifycert "struct ressl_config *config"
98.Ft "void"
99.Fn ressl_config_verify "struct ressl_config *config"
100.Ft "struct ressl *"
101.Fn ressl_client void
102.Ft "struct ressl *"
103.Fn ressl_server void
104.Ft "int"
105.Fn ressl_configure "struct ressl *ctx" "struct ressl_config *config"
106.Ft "void"
107.Fn ressl_reset "struct ressl *ctx"
108.Ft "void"
109.Fn ressl_free "struct ressl *ctx"
110.Ft "int"
111.Fn ressl_accept "struct ressl *ctx" "struct ressl **cctx"
112.Ft "int"
113.Fn ressl_accept_socket "struct ressl *ctx" "struct ressl **cctx" "int socket"
114.Ft "int"
115.Fn ressl_connect "struct ressl *ctx" "const char *host" "const char *port"
116.Ft "int"
117.Fn ressl_connect_socket "struct ressl *ctx" "int s" "const char *hostname"
118.Ft "int"
119.Fn ressl_listen "struct ressl *ctx" "const char *host" "const char *port" "int af"
120.Ft "int"
121.Fn ressl_read "struct ressl *ctx" "void *buf" "size_t buflen" "size_t *outlen"
122.Ft "int"
123.Fn ressl_write "struct ressl *ctx" "const void *buf" "size_t buflen"
124.Ft "int"
125.Fn ressl_close "struct ressl *ctx"
126.Sh DESCRIPTION
127The
128.Lb ressl
129family of functions establishes a secure communications channel
130using the TLS socket protocol.
131Both clients and servers are supported.
132.Pp
133The
134.Fn ressl_init
135function should be called once before any function is used.
136.Pp
137Before a connection is created, a configuration must be created.
138The
139.Fn ressl_config_new
140function returns a new default configuration that can be used for future
141connections.
142Several functions exist to change the options of the configuration; see below.
143.Pp
144A
145.Em ressl
146connection is represented as a
147.Em context .
148A new
149.Em context
150is created by either the
151.Fn ressl_client
152or
153.Fn ressl_server
154functions.
155The context can then be configured with the function
156.Fn ressl_configure .
157The same
158.Em ressl_config
159object can be used to configure multiple contexts.
160.Pp
161A client connection is initiated after configuration by calling
162.Fn ressl_connect .
163This function will create a new socket, connect to the specified host and
164port, and then establish a secure connection.
165An already existing socket can be upgraded to a secure connection by calling
166the ressl_connect_socket function.
167.Pp
168Two functions are provided for input and output,
169.Fn ressl_read
170and
171.Fn ressl_write .
172.Pp
173After use, a ressl
174.Em context
175should be closed with
176.Fn ressl_close ,
177and then freed by calling
178.Fn ressl_free .
179When no more contexts are to be created, the
180.Em ressl_config
181object should be freed by calling
182.Fn ressl_config_free .
183.Sh FUNCTIONS
184The
185.Fn ressl_init
186function initializes global data structures.
187It should be called once before any other functions.
188.Pp
189The following functions create and free configuration objects.
190.Bl -bullet -offset four
191.It
192.Fn ressl_config_new
193allocates a new default configuration object.
194.It
195.Fn ressl_config_free
196frees a configuration object.
197.El
198.Pp
199The following functions modify a configuration by setting parameters.
200.Bl -bullet -offset four
201.It
202.Fn ressl_config_set_ca_file
203sets the filename used to load a file
204containing the root certificates.
205.Em (Client)
206.It
207.Fn ressl_config_set_ca_path
208sets the path (directory) which should be searched for root
209certificates.
210.Em (Client)
211.It
212.Fn ressl_config_set_cert_file
213sets file from which the public certificate will be read.
214.Em (Client and server)
215.It
216.Fn ressl_config_set_cert_mem
217sets the public certificate directly from memory.
218.Em (Client and server)
219.It
220.Fn ressl_config_set_ciphers
221sets the list of ciphers that may be used.
222.Em (Client and server)
223.It
224.Fn ressl_config_set_key_file
225sets the file from which the private key will be read.
226.Em (Server)
227.It
228.Fn ressl_config_set_key_mem
229directly sets the private key from memory.
230.Em (Server)
231.It
232.Fn ressl_config_set_protocols
233sets which versions of the protocol may be used.
234Possible values are the bitwise OR of:
235.Pp
236.Bl -tag -width "RESSL_PROTOCOL_TLSv1_2" -offset indent -compact
237.It Dv RESSL_PROTOCOL_SSLv3
238.It Dv RESSL_PROTOCOL_TLSv1_0
239.It Dv RESSL_PROTOCOL_TLSv1_1
240.It Dv RESSL_PROTOCOL_TLSv1_2
241.El
242.Pp
243Additionally, the values
244.Dv RESSL_PROTOCOL_TLSv1
245(all TLS versions) and
246.Dv RESSL_PROTOCOLS_DEFAULT
247(all versions) may be used.
248.Pp
249.It
250.Fn ressl_config_clear_keys
251clears any secert keys from memory.
252.Em (Server)
253.It
254.Fn ressl_config_insecure_noverifyhost
255disables hostname verification.
256Be careful when using this option.
257.Em (Client)
258.It
259.Fn ressl_config_insecure_noverifycert
260disables certificate verification.
261Be extremely careful when using this option.
262.Em (Client)
263.It
264.Fn ressl_config_verify
265reenables hostname and certificate verification.
266.El
267.Pp
268The following functions create, prepare, and free a connection context.
269.Pp
270.Bl -bullet -offset four
271.It
272.Fn ressl_client
273creates a new ressl context for client connections.
274.Pp
275.It
276.Fn ressl_server
277creates a new ressl context for server connections.
278.Pp
279.It
280.Fn ressl_configure
281readies a ressl context for use by applying the configuration
282options.
283.Pp
284.It
285.Fn ressl_free
286frees a ressl context after use.
287.El
288.Pp
289The following functions perform input and output operations.
290.Bl -bullet -offset four
291.It
292.Fn ressl_read
293reads
294.Fa buflen
295bytes of data from the socket into
296.Fa buf .
297The amount of data read is returned in
298.Fa outlen .
299.Pp
300.It
301.Fn ressl_write
302writes
303.Fa buflen
304bytes of data from
305.Fa buf
306to the socket.
307The amount of data written is returned in
308.Fa outlen .
309.El
310.Sh RETURN VALUES
311.\" XXX Is this always true?
312Functions that return
313.Vt int
314will return 0 on success and -1 on error.
315Functions that return a pointer will return NULL on error.
316.\" .Sh ERRORS
317.\" .Sh SEE ALSO
318.\" .Sh HISTORY