1 files changed, 316 insertions, 0 deletions
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
new file mode 100644
index 0000000000..faa9b99539
--- /dev/null
+++ b/src/lib/libtls/tls_init.3
@@ -0,0 +1,316 @@
+.\" $OpenBSD: tls_init.3,v 1.1 2014/10/31 13:46:17 jsing Exp $
+.\"
+.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 31 2014 $
+.Dt TLS 3
+.Os
+.Sh NAME
+.Nm tls_init ,
+.Nm tls_error ,
+.Nm tls_config_new ,
+.Nm tls_config_free ,
+.Nm tls_config_set_ca_file ,
+.Nm tls_config_set_ca_path ,
+.Nm tls_config_set_cert_file ,
+.Nm tls_config_set_cert_mem ,
+.Nm tls_config_set_ciphers ,
+.Nm tls_config_set_ecdhcurve ,
+.Nm tls_config_set_key_file ,
+.Nm tls_config_set_key_mem ,
+.Nm tls_config_set_protocols ,
+.Nm tls_config_set_verify_depth ,
+.Nm tls_config_clear_keys ,
+.Nm tls_config_insecure_noverifyhost ,
+.Nm tls_config_insecure_noverifycert ,
+.Nm tls_config_verify ,
+.Nm tls_client ,
+.Nm tls_server ,
+.Nm tls_configure ,
+.Nm tls_reset ,
+.Nm tls_close ,
+.Nm tls_free ,
+.Nm tls_connect ,
+.Nm tls_connect_socket ,
+.Nm tls_read ,
+.Nm tls_write ,
+.Nd tls TLS client and server API
+.Sh SYNOPSIS
+.In tls.h
+.Ft "int"
+.Fn tls_init "void"
+.Ft "const char *"
+.Fn tls_error "struct tls *ctx"
+.Ft "struct tls_config *"
+.Fn tls_config_new "void"
+.Ft "void"
+.Fn tls_config_free "struct tls_config *config"
+.Ft "int"
+.Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file"
+.Ft "int"
+.Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
+.Ft "int"
+.Fn tls_config_set_cert_file "struct tls_config *config" "const char *cert_file"
+.Ft "int"
+.Fn tls_config_set_cert_mem  "struct tls_config *config" "const uint8_t *cert" "size_t len"
+.Ft "int"
+.Fn tls_config_set_ciphers "struct tls_config *config" "const char *ciphers"
+.Ft "int"
+.Fn tls_config_set_ecdhcurve "struct tls_config *config" "const char *name"
+.Ft "int"
+.Fn tls_config_set_key_file "struct tls_config *config" "const char *key_file"
+.Ft "int"
+.Fn tls_config_set_key_mem "struct tls_config *config" "const uint8_t *key" "size_t len"
+.Ft "int"
+.Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols"
+.Ft "int"
+.Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth"
+.Ft "void"
+.Fn tls_config_clear_keys "struct tls_config *config"
+.Ft "void"
+.Fn tls_config_insecure_noverifyhost "struct tls_config *config"
+.Ft "void"
+.Fn tls_config_insecure_noverifycert "struct tls_config *config"
+.Ft "void"
+.Fn tls_config_verify "struct tls_config *config"
+.Ft "struct tls *"
+.Fn tls_client void
+.Ft "struct tls *"
+.Fn tls_server void
+.Ft "int"
+.Fn tls_configure "struct tls *ctx" "struct tls_config *config"
+.Ft "void"
+.Fn tls_reset "struct tls *ctx"
+.Ft "int"
+.Fn tls_close "struct tls *ctx"
+.Ft "void"
+.Fn tls_free "struct tls *ctx"
+.Ft "int"
+.Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
+.Ft "int"
+.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname"
+.Ft "int"
+.Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen"
+.Ft "int"
+.Fn tls_write "struct tls *ctx" "const void *buf" "size_t buflen"
+.Sh DESCRIPTION
+The
+.Nm tls
+family of functions establishes a secure communications channel
+using the TLS socket protocol.
+Both clients and servers are supported.
+.Pp
+The
+.Fn tls_init
+function should be called once before any function is used.
+.Pp
+Before a connection is created, a configuration must be created.
+The
+.Fn tls_config_new
+function returns a new default configuration that can be used for future
+connections.
+Several functions exist to change the options of the configuration; see below.
+.Pp
+A
+.Em tls
+connection is represented as a
+.Em context .
+A new
+.Em context
+is created by either the
+.Fn tls_client
+or
+.Fn tls_server
+functions.
+The context can then be configured with the function
+.Fn tls_configure .
+The same
+.Em tls_config
+object can be used to configure multiple contexts.
+.Pp
+A client connection is initiated after configuration by calling
+.Fn tls_connect .
+This function will create a new socket, connect to the specified host and
+port, and then establish a secure connection.
+An already existing socket can be upgraded to a secure connection by calling
+.Fn tls_connect_socket .
+.Pp
+Two functions are provided for input and output,
+.Fn tls_read
+and
+.Fn tls_write .
+.Pp
+After use, a tls
+.Em context
+should be closed with
+.Fn tls_close ,
+and then freed by calling
+.Fn tls_free .
+When no more contexts are to be created, the
+.Em tls_config
+object should be freed by calling
+.Fn tls_config_free .
+.Sh FUNCTIONS
+The
+.Fn tls_init
+function initializes global data structures.
+It should be called once before any other functions.
+.Pp
+The following functions create and free configuration objects.
+.Bl -bullet -offset four
+.It
+.Fn tls_config_new
+allocates a new default configuration object.
+.It
+.Fn tls_config_free
+frees a configuration object.
+.El
+.Pp
+The following functions modify a configuration by setting parameters.
+Configuration options may apply to only clients or only servers or both.
+.Bl -bullet -offset four
+.It
+.Fn tls_config_set_ca_file
+sets the filename used to load a file
+containing the root certificates.
+.Em (Client)
+.It
+.Fn tls_config_set_ca_path
+sets the path (directory) which should be searched for root
+certificates.
+.Em (Client)
+.It
+.Fn tls_config_set_cert_file
+sets file from which the public certificate will be read.
+.Em (Client and server)
+.It
+.Fn tls_config_set_cert_mem
+sets the public certificate directly from memory.
+.Em (Client and server)
+.It
+.Fn tls_config_set_ciphers
+sets the list of ciphers that may be used.
+.Em (Client and server)
+.It
+.Fn tls_config_set_key_file
+sets the file from which the private key will be read.
+.Em (Server)
+.It
+.Fn tls_config_set_key_mem
+directly sets the private key from memory.
+.Em (Server)
+.It
+.Fn tls_config_set_protocols
+sets which versions of the protocol may be used.
+Possible values are the bitwise OR of:
+.Pp
+.Bl -tag -width "TLS_PROTOCOL_TLSv1_2" -offset indent -compact
+.It Dv TLS_PROTOCOL_TLSv1_0
+.It Dv TLS_PROTOCOL_TLSv1_1
+.It Dv TLS_PROTOCOL_TLSv1_2
+.El
+.Pp
+Additionally, the values
+.Dv TLS_PROTOCOL_TLSv1
+(all TLS versions) and
+.Dv TLS_PROTOCOLS_DEFAULT
+(currently all TLS versions) may be used.
+.Em (Client and server)
+.It
+.Fn tls_config_clear_keys
+clears any secret keys from memory.
+.Em (Server)
+.It
+.Fn tls_config_insecure_noverifyhost
+disables hostname verification.
+Be careful when using this option.
+.Em (Client)
+.It
+.Fn tls_config_insecure_noverifycert
+disables certificate verification.
+Be extremely careful when using this option.
+.Em (Client)
+.It
+.Fn tls_config_verify
+reenables hostname and certificate verification.
+.Em (Client)
+.El
+.Pp
+The following functions create, prepare, and free a connection context.
+.Bl -bullet -offset four
+.It
+.Fn tls_client
+creates a new tls context for client connections.
+.It
+.Fn tls_server
+creates a new tls context for server connections.
+.It
+.Fn tls_configure
+readies a tls context for use by applying the configuration
+options.
+.It
+.Fn tls_close
+closes a connection after use.
+.It
+.Fn tls_free
+frees a tls context after use.
+.El
+.Pp
+The following functions initiate a connection and perform input and output
+operations.
+.Bl -bullet -offset four
+.It
+.Fn tls_connect
+connects a client context to the server named by
+.Fa host .
+The
+.Fa port
+may be numeric or a service name.
+If it is NULL then a host of the format "hostname:port" is permitted.
+.It
+.Fn tls_connect_socket
+connects a client context to an already established socket connection.
+.It
+.Fn tls_read
+reads
+.Fa buflen
+bytes of data from the socket into
+.Fa buf .
+The amount of data read is returned in
+.Fa outlen .
+.It
+.Fn tls_write
+writes
+.Fa buflen
+bytes of data from
+.Fa buf
+to the socket.
+The amount of data written is returned in
+.Fa outlen .
+.El
+.Sh RETURN VALUES
+Functions that return
+.Vt int
+will return 0 on success and -1 on error.
+Functions that return a pointer will return NULL on error.
+.\" .Sh ERRORS
+.\" .Sh SEE ALSO
+.Sh HISTORY
+The
+.Nm tls
+API first appeared in
+.Ox 5.6
+as a response to the unnecessary challenges other APIs present in
+order to use them safely.

diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 new file mode 100644 index 0000000000..faa9b99539 --- /dev/null +++ b/src/lib/libtls/tls_init.3
@@ -0,0 +1,316 @@
	1	.\" $OpenBSD: tls_init.3,v 1.1 2014/10/31 13:46:17 jsing Exp $
	2	.\"
	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: October 31 2014 $
	18	.Dt TLS 3
	19	.Os
	20	.Sh NAME
	21	.Nm tls_init ,
	22	.Nm tls_error ,
	23	.Nm tls_config_new ,
	24	.Nm tls_config_free ,
	25	.Nm tls_config_set_ca_file ,
	26	.Nm tls_config_set_ca_path ,
	27	.Nm tls_config_set_cert_file ,
	28	.Nm tls_config_set_cert_mem ,
	29	.Nm tls_config_set_ciphers ,
	30	.Nm tls_config_set_ecdhcurve ,
	31	.Nm tls_config_set_key_file ,
	32	.Nm tls_config_set_key_mem ,
	33	.Nm tls_config_set_protocols ,
	34	.Nm tls_config_set_verify_depth ,
	35	.Nm tls_config_clear_keys ,
	36	.Nm tls_config_insecure_noverifyhost ,
	37	.Nm tls_config_insecure_noverifycert ,
	38	.Nm tls_config_verify ,
	39	.Nm tls_client ,
	40	.Nm tls_server ,
	41	.Nm tls_configure ,
	42	.Nm tls_reset ,
	43	.Nm tls_close ,
	44	.Nm tls_free ,
	45	.Nm tls_connect ,
	46	.Nm tls_connect_socket ,
	47	.Nm tls_read ,
	48	.Nm tls_write ,
	49	.Nd tls TLS client and server API
	50	.Sh SYNOPSIS
	51	.In tls.h
	52	.Ft "int"
	53	.Fn tls_init "void"
	54	.Ft "const char *"
	55	.Fn tls_error "struct tls *ctx"
	56	.Ft "struct tls_config *"
	57	.Fn tls_config_new "void"
	58	.Ft "void"
	59	.Fn tls_config_free "struct tls_config *config"
	60	.Ft "int"
	61	.Fn tls_config_set_ca_file "struct tls_config config" "const char ca_file"
	62	.Ft "int"
	63	.Fn tls_config_set_ca_path "struct tls_config config" "const char ca_path"
	64	.Ft "int"
	65	.Fn tls_config_set_cert_file "struct tls_config config" "const char cert_file"
	66	.Ft "int"
	67	.Fn tls_config_set_cert_mem "struct tls_config config" "const uint8_t cert" "size_t len"
	68	.Ft "int"
	69	.Fn tls_config_set_ciphers "struct tls_config config" "const char ciphers"
	70	.Ft "int"
	71	.Fn tls_config_set_ecdhcurve "struct tls_config config" "const char name"
	72	.Ft "int"
	73	.Fn tls_config_set_key_file "struct tls_config config" "const char key_file"
	74	.Ft "int"
	75	.Fn tls_config_set_key_mem "struct tls_config config" "const uint8_t key" "size_t len"
	76	.Ft "int"
	77	.Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols"
	78	.Ft "int"
	79	.Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth"
	80	.Ft "void"
	81	.Fn tls_config_clear_keys "struct tls_config *config"
	82	.Ft "void"
	83	.Fn tls_config_insecure_noverifyhost "struct tls_config *config"
	84	.Ft "void"
	85	.Fn tls_config_insecure_noverifycert "struct tls_config *config"
	86	.Ft "void"
	87	.Fn tls_config_verify "struct tls_config *config"
	88	.Ft "struct tls *"
	89	.Fn tls_client void
	90	.Ft "struct tls *"
	91	.Fn tls_server void
	92	.Ft "int"
	93	.Fn tls_configure "struct tls ctx" "struct tls_config config"
	94	.Ft "void"
	95	.Fn tls_reset "struct tls *ctx"
	96	.Ft "int"
	97	.Fn tls_close "struct tls *ctx"
	98	.Ft "void"
	99	.Fn tls_free "struct tls *ctx"
	100	.Ft "int"
	101	.Fn tls_connect "struct tls ctx" "const char host" "const char *port"
	102	.Ft "int"
	103	.Fn tls_connect_socket "struct tls ctx" "int s" "const char hostname"
	104	.Ft "int"
	105	.Fn tls_read "struct tls ctx" "void buf" "size_t buflen" "size_t *outlen"
	106	.Ft "int"
	107	.Fn tls_write "struct tls ctx" "const void buf" "size_t buflen"
	108	.Sh DESCRIPTION
	109	The
	110	.Nm tls
	111	family of functions establishes a secure communications channel
	112	using the TLS socket protocol.
	113	Both clients and servers are supported.
	114	.Pp
	115	The
	116	.Fn tls_init
	117	function should be called once before any function is used.
	118	.Pp
	119	Before a connection is created, a configuration must be created.
	120	The
	121	.Fn tls_config_new
	122	function returns a new default configuration that can be used for future
	123	connections.
	124	Several functions exist to change the options of the configuration; see below.
	125	.Pp
	126	A
	127	.Em tls
	128	connection is represented as a
	129	.Em context .
	130	A new
	131	.Em context
	132	is created by either the
	133	.Fn tls_client
	134	or
	135	.Fn tls_server
	136	functions.
	137	The context can then be configured with the function
	138	.Fn tls_configure .
	139	The same
	140	.Em tls_config
	141	object can be used to configure multiple contexts.
	142	.Pp
	143	A client connection is initiated after configuration by calling
	144	.Fn tls_connect .
	145	This function will create a new socket, connect to the specified host and
	146	port, and then establish a secure connection.
	147	An already existing socket can be upgraded to a secure connection by calling
	148	.Fn tls_connect_socket .
	149	.Pp
	150	Two functions are provided for input and output,
	151	.Fn tls_read
	152	and
	153	.Fn tls_write .
	154	.Pp
	155	After use, a tls
	156	.Em context
	157	should be closed with
	158	.Fn tls_close ,
	159	and then freed by calling
	160	.Fn tls_free .
	161	When no more contexts are to be created, the
	162	.Em tls_config
	163	object should be freed by calling
	164	.Fn tls_config_free .
	165	.Sh FUNCTIONS
	166	The
	167	.Fn tls_init
	168	function initializes global data structures.
	169	It should be called once before any other functions.
	170	.Pp
	171	The following functions create and free configuration objects.
	172	.Bl -bullet -offset four
	173	.It
	174	.Fn tls_config_new
	175	allocates a new default configuration object.
	176	.It
	177	.Fn tls_config_free
	178	frees a configuration object.
	179	.El
	180	.Pp
	181	The following functions modify a configuration by setting parameters.
	182	Configuration options may apply to only clients or only servers or both.
	183	.Bl -bullet -offset four
	184	.It
	185	.Fn tls_config_set_ca_file
	186	sets the filename used to load a file
	187	containing the root certificates.
	188	.Em (Client)
	189	.It
	190	.Fn tls_config_set_ca_path
	191	sets the path (directory) which should be searched for root
	192	certificates.
	193	.Em (Client)
	194	.It
	195	.Fn tls_config_set_cert_file
	196	sets file from which the public certificate will be read.
	197	.Em (Client and server)
	198	.It
	199	.Fn tls_config_set_cert_mem
	200	sets the public certificate directly from memory.
	201	.Em (Client and server)
	202	.It
	203	.Fn tls_config_set_ciphers
	204	sets the list of ciphers that may be used.
	205	.Em (Client and server)
	206	.It
	207	.Fn tls_config_set_key_file
	208	sets the file from which the private key will be read.
	209	.Em (Server)
	210	.It
	211	.Fn tls_config_set_key_mem
	212	directly sets the private key from memory.
	213	.Em (Server)
	214	.It
	215	.Fn tls_config_set_protocols
	216	sets which versions of the protocol may be used.
	217	Possible values are the bitwise OR of:
	218	.Pp
	219	.Bl -tag -width "TLS_PROTOCOL_TLSv1_2" -offset indent -compact
	220	.It Dv TLS_PROTOCOL_TLSv1_0
	221	.It Dv TLS_PROTOCOL_TLSv1_1
	222	.It Dv TLS_PROTOCOL_TLSv1_2
	223	.El
	224	.Pp
	225	Additionally, the values
	226	.Dv TLS_PROTOCOL_TLSv1
	227	(all TLS versions) and
	228	.Dv TLS_PROTOCOLS_DEFAULT
	229	(currently all TLS versions) may be used.
	230	.Em (Client and server)
	231	.It
	232	.Fn tls_config_clear_keys
	233	clears any secret keys from memory.
	234	.Em (Server)
	235	.It
	236	.Fn tls_config_insecure_noverifyhost
	237	disables hostname verification.
	238	Be careful when using this option.
	239	.Em (Client)
	240	.It
	241	.Fn tls_config_insecure_noverifycert
	242	disables certificate verification.
	243	Be extremely careful when using this option.
	244	.Em (Client)
	245	.It
	246	.Fn tls_config_verify
	247	reenables hostname and certificate verification.
	248	.Em (Client)
	249	.El
	250	.Pp
	251	The following functions create, prepare, and free a connection context.
	252	.Bl -bullet -offset four
	253	.It
	254	.Fn tls_client
	255	creates a new tls context for client connections.
	256	.It
	257	.Fn tls_server
	258	creates a new tls context for server connections.
	259	.It
	260	.Fn tls_configure
	261	readies a tls context for use by applying the configuration
	262	options.
	263	.It
	264	.Fn tls_close
	265	closes a connection after use.
	266	.It
	267	.Fn tls_free
	268	frees a tls context after use.
	269	.El
	270	.Pp
	271	The following functions initiate a connection and perform input and output
	272	operations.
	273	.Bl -bullet -offset four
	274	.It
	275	.Fn tls_connect
	276	connects a client context to the server named by
	277	.Fa host .
	278	The
	279	.Fa port
	280	may be numeric or a service name.
	281	If it is NULL then a host of the format "hostname:port" is permitted.
	282	.It
	283	.Fn tls_connect_socket
	284	connects a client context to an already established socket connection.
	285	.It
	286	.Fn tls_read
	287	reads
	288	.Fa buflen
	289	bytes of data from the socket into
	290	.Fa buf .
	291	The amount of data read is returned in
	292	.Fa outlen .
	293	.It
	294	.Fn tls_write
	295	writes
	296	.Fa buflen
	297	bytes of data from
	298	.Fa buf
	299	to the socket.
	300	The amount of data written is returned in
	301	.Fa outlen .
	302	.El
	303	.Sh RETURN VALUES
	304	Functions that return
	305	.Vt int
	306	will return 0 on success and -1 on error.
	307	Functions that return a pointer will return NULL on error.
	308	.\" .Sh ERRORS
	309	.\" .Sh SEE ALSO
	310	.Sh HISTORY
	311	The
	312	.Nm tls
	313	API first appeared in
	314	.Ox 5.6
	315	as a response to the unnecessary challenges other APIs present in
	316	order to use them safely.