Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / b16f349c1f80fe6a9513d405f780d26842ad062c / . / src / session_wrapper.h
blob: 654a7d15055f269687ce7f46b227ec8cb614e345 [file] [log] [blame]
/**
* @file session_wrapper.h
* @author Roman Janota <janota@cesnet.cz>
* @brief libnetconf2 - header for wrapped TLS library function calls (currently OpenSSL and MbedTLS)
*
* @copyright
* Copyright (c) 2024 CESNET, z.s.p.o.
*
* This source code is licensed under BSD 3-Clause License (the "License").
* You may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://opensource.org/licenses/BSD-3-Clause
*/
#ifndef _SESSION_WRAPPER_H_
#define _SESSION_WRAPPER_H_
#include <stdlib.h>
#include "config.h"
#ifdef HAVE_LIBMBEDTLS
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#include <mbedtls/pk.h>
#include <mbedtls/ssl.h>
#include <mbedtls/x509_crl.h>
#include <mbedtls/x509_crt.h>
/**
* @brief Context from which a TLS session may be created.
*/
struct nc_tls_ctx {
int *sock; /**< Socket FD. */
mbedtls_entropy_context *entropy; /**< Entropy. */
mbedtls_ctr_drbg_context *ctr_drbg; /**< Random bit generator. */
mbedtls_x509_crt *cert; /**< Certificate. */
mbedtls_pk_context *pkey; /**< Private key. */
mbedtls_x509_crt *cert_store; /**< CA certificates store. */
mbedtls_x509_crl *crl_store; /**< CRL store. */
};
#else
#include <openssl/evp.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
/**
* @brief Context from which a TLS session may be created.
*/
struct nc_tls_ctx {
X509 *cert; /**< Certificate. */
EVP_PKEY *pkey; /**< Private key. */
X509_STORE *cert_store; /**< CA certificate store. */
X509_STORE *crl_store; /**< CRL store. */
};
#endif
/**
* @brief Server side TLS verify callback data.
*/
struct nc_tls_verify_cb_data {
struct nc_session *session; /**< NETCONF session. */
struct nc_server_tls_opts *opts; /**< TLS server options. */
struct nc_ctn_data {
char *username; /**< Username. */
int matched_ctns; /**< OR'd values of currently matched CTN types. */
int matched_ctn_type[6]; /**< Currently matched CTN types (order matters). */
int matched_ctn_count; /**< Number of matched CTN types. */
} ctn_data;
};
/**
* @brief Creates a new TLS session from the given configuration.
*
* @param[in] tls_cfg TLS configuration.
* @return New TLS session on success, NULL on fail.
*/
void * nc_tls_session_new_wrap(void *tls_cfg);
/**
* @brief Destroys a TLS session.
*
* @param[in] tls_session TLS session to destroy.
*/
void nc_tls_session_destroy_wrap(void *tls_session);
/**
* @brief Creates a new TLS configuration.
*
* @param[in] side Side of the TLS connection.
* @return New TLS configuration on success, NULL on fail.
*/
void * nc_tls_config_new_wrap(int side);
/**
* @brief Destroys a TLS configuration.
*
* @param[in] tls_cfg TLS configuration to destroy.
*/
void nc_tls_config_destroy_wrap(void *tls_cfg);
/**
* @brief Creates a new TLS certificate.
*
* @return New TLS certificate on success, NULL on fail.
*/
void * nc_tls_cert_new_wrap(void);
/**
* @brief Destroys a TLS certificate.
*
* @param[in] cert TLS certificate to destroy.
*/
void nc_tls_cert_destroy_wrap(void *cert);
/**
* @brief Destroys a TLS private key.
*
* @param[in] pkey TLS private key to destroy.
*/
void nc_tls_privkey_destroy_wrap(void *pkey);
/**
* @brief Creates a new TLS certificate store.
*
* @return New TLS certificate store on success, NULL on fail.
*/
void * nc_tls_cert_store_new_wrap(void);
/**
* @brief Destroys a TLS certificate store.
*
* @param[in] cert_store TLS certificate store to destroy.
*/
void nc_tls_cert_store_destroy_wrap(void *cert_store);
/**
* @brief Creates a new CRL store.
*
* @return New CRL store on success, NULL on fail.
*/
void * nc_tls_crl_store_new_wrap(void);
/**
* @brief Destroys a CRL store.
*
* @param[in] crl_store CRL store to destroy.
*/
void nc_tls_crl_store_destroy_wrap(void *crl_store);
/**
* @brief Converts PEM certificate data to a certificate.
*
* @param[in] cert_data PEM certificate data.
* @return New certificate on success, NULL on fail.
*/
void * nc_tls_pem_to_cert_wrap(const char *cert_data);
/**
* @brief Adds a certificate to a certificate store.
*
* @param[in] cert Certificate to add.
* @param[in] cert_store Certificate store to add the certificate to.
* @return 0 on success and the memory belongs to cert_store, non-zero on fail.
*/
int nc_tls_add_cert_to_store_wrap(void *cert, void *cert_store);
/**
* @brief Converts PEM private key data to a private key.
*
* @param[in] privkey_data PEM private key data.
* @return New private key on success, NULL on fail.
*/
void * nc_tls_pem_to_privkey_wrap(const char *privkey_data);
/**
* @brief Imports CRL from a file.
*
* @param[in] path Path to the CRL file.
* @param[in] crl_store CRL store to import the CRL to.
* @return 0 on success, non-zero on fail.
*/
int nc_tls_import_crl_path_wrap(const char *path, void *crl_store);
/**
* @brief Parses and adds a CRL to a CRL store.
*
* @param[in] crl_data CRL data.
* @param[in] size Size of the CRL data.
* @param[in] crl_store CRL store to add the CRL to.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_add_crl_to_store_wrap(const unsigned char *crl_data, size_t size, void *crl_store);
/**
* @brief Sets the TLS version.
*
* @param[in] tls_cfg TLS configuration.
* @param[in] tls_versions Bit-field of supported TLS versions.
*
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_set_tls_versions_wrap(void *tls_cfg, unsigned int tls_versions);
/**
* @brief Set TLS server's verify flags, verify cb and its data.
*
* @param[in] tls_cfg TLS configuration.
* @param[in] cb_data Verify callback data.
*/
void nc_server_tls_set_verify_wrap(void *tls_cfg, struct nc_tls_verify_cb_data *cb_data);
/**
* @brief Set TLS client's verify flags.
*
* @param[in] tls_cfg TLS configuration.
*/
void nc_client_tls_set_verify_wrap(void *tls_cfg);
/**
* @brief Verify the certificate.
*
* @param[in] cert Certificate to verify.
* @param[in] depth Certificate depth.
* @param[in] trusted Boolean flag representing whether the certificate is trusted.
* @param[in] cb_data Data for the verify callback.
* @return 0 on success, 1 on verify fail, -1 on fatal error.
*/
int nc_server_tls_verify_cert(void *cert, int depth, int trusted, struct nc_tls_verify_cb_data *cb_data);
/**
* @brief Check if the peer certificate matches any configured ee certs.
*
* @param[in] peer_cert Peer certificate.
* @param[in] opts TLS options.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_verify_peer_cert(void *peer_cert, struct nc_server_tls_opts *opts);
/**
* @brief Get the subject of the certificate.
*
* @param[in] cert Certificate.
* @return Subject of the certificate on success, NULL on fail.
*/
char * nc_server_tls_get_subject_wrap(void *cert);
/**
* @brief Get the issuer of the certificate.
*
* @param[in] cert Certificate.
* @return Issuer of the certificate on success, NULL on fail.
*/
char * nc_server_tls_get_issuer_wrap(void *cert);
/**
* @brief Get the Subject Alternative Names of the certificate.
*
* @param[in] cert Certificate.
* @return SANs on success, NULL on fail.
*/
void * nc_tls_get_sans_wrap(void *cert);
/**
* @brief Destroy the SANs.
*
* @param[in] sans SANs to destroy.
*/
void nc_tls_sans_destroy_wrap(void *sans);
/**
* @brief Get the number of SANs.
*
* @param[in] sans SANs.
* @return Number of SANs.
*/
int nc_tls_get_num_sans_wrap(void *sans);
/**
* @brief Get the SAN value and type in the context of CTN.
*
* @param[in] sans SANs.
* @param[in] idx Index of the SAN.
* @param[out] san_value SAN value.
* @param[out] san_type SAN type.
* @return 0 on success, non-zero on fail.
*/
int nc_tls_get_san_value_type_wrap(void *sans, int idx, char **san_value, NC_TLS_CTN_MAPTYPE *san_type);
/**
* @brief Compare two certificates.
*
* @param[in] cert1 Certificate 1.
* @param[in] cert2 Certificate 2.
* @return 1 if the certificates match, 0 otherwise.
*/
int nc_server_tls_certs_match_wrap(void *cert1, void *cert2);
/**
* @brief Get the MD5 digest of the certificate.
*
* @param[in] cert Certificate.
* @param[out] buf Buffer for the digest.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_md5_wrap(void *cert, unsigned char *buf);
/**
* @brief Get the SHA1 digest of the certificate.
*
* @param[in] cert Certificate.
* @param[out] buf Buffer for the digest.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_sha1_wrap(void *cert, unsigned char *buf);
/**
* @brief Get the SHA224 digest of the certificate.
*
* @param[in] cert Certificate.
* @param[out] buf Buffer for the digest.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_sha224_wrap(void *cert, unsigned char *buf);
/**
* @brief Get the SHA256 digest of the certificate.
*
* @param[in] cert Certificate.
* @param[out] buf Buffer for the digest.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_sha256_wrap(void *cert, unsigned char *buf);
/**
* @brief Get the SHA384 digest of the certificate.
*
* @param[in] cert Certificate.
* @param[out] buf Buffer for the digest.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_sha384_wrap(void *cert, unsigned char *buf);
/**
* @brief Get the SHA512 digest of the certificate.
*
* @param[in] cert Certificate.
* @param[out] buf Buffer for the digest.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_sha512_wrap(void *cert, unsigned char *buf);
/**
* @brief Set the FD for a TLS session.
*
* @param[in] tls_session TLS session.
* @param[in] sock Socket FD.
* @param[in] tls_ctx TLS context.
*/
void nc_server_tls_set_fd_wrap(void *tls_session, int sock, struct nc_tls_ctx *tls_ctx);
/**
* @brief Perform a server-side step of the TLS handshake.
*
* @param[in] tls_session TLS session.
* @return 1 on success, 0 if the handshake is not finished, negative number on error.
*/
int nc_server_tls_handshake_step_wrap(void *tls_session);
/**
* @brief Perform a client-side step of the TLS handshake.
*
* @param[in] tls_session TLS session.
* @param[in] sock Socket FD.
* @return 1 on success, 0 if the handshake is not finished, negative number on error.
*/
int nc_client_tls_handshake_step_wrap(void *tls_session, int sock);
/**
* @brief Destroy a TLS context.
*
* @param[in] tls_ctx TLS context.
*/
void nc_tls_ctx_destroy_wrap(struct nc_tls_ctx *tls_ctx);
/**
* @brief Load client's certificate and a private key.
*
* @param[in] cert_path Path to the certificate.
* @param[in] key_path Path to the private key.
* @param[out] cert Certificate.
* @param[out] pkey Private key.
* @return 0 on success, non-zero on fail.
*/
int nc_client_tls_load_cert_key_wrap(const char *cert_path, const char *key_path, void **cert, void **pkey);
/**
* @brief Load client's trusted certificates.
*
* @param[in] cert_store Certificate store.
* @param[in] file_path Path to the file with trusted certificates.
* @param[in] dir_path Path to the directory with trusted certificates.
* @return 0 on success, non-zero on fail.
*/
int nc_client_tls_load_trusted_certs_wrap(void *cert_store, const char *file_path, const char *dir_path);
/**
* @brief Load client's CRLs.
*
* @param[in] crl_store CRL store.
* @param[in] file_path Path to the file with CRLs.
* @param[in] dir_path Path to the directory with CRLs.
* @return 0 on success, non-zero on fail.
*/
int nc_client_tls_load_crl_wrap(void *crl_store, const char *file_path, const char *dir_path);
/**
* @brief Set the hostname for the TLS session.
*
* @param[in] tls_session TLS session.
* @param[in] hostname Hostname.
* @return 0 on success, non-zero on fail.
*/
int nc_client_tls_set_hostname_wrap(void *tls_session, const char *hostname);
/**
* @brief Initialize a TLS context.
*
* @param[in] sock Socket FD.
* @param[in] cert Certificate.
* @param[in] pkey Private key.
* @param[in] cert_store Certificate store.
* @param[in] crl_store CRL store.
* @param[in,out] tls_ctx TLS context.
* @return 0 on success, non-zero on fail.
*/
int nc_tls_init_ctx_wrap(int sock, void *cert, void *pkey, void *cert_store, void *crl_store, struct nc_tls_ctx *tls_ctx);
/**
* @brief Setup a TLS configuration from a TLS context.
*
* @param[in] tls_ctx TLS context.
* @param[in] side Side of the TLS connection.
* @param[in,out] tls_cfg TLS configuration.
* @return 0 on success, non-zero on fail.
*/
int nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, int side, void *tls_cfg);
/**
* @brief Get the error code from a TLS session's verification.
*
* @param[in] tls_session TLS session.
* @return Error code, 0 indicates success.
*/
uint32_t nc_tls_get_verify_result_wrap(void *tls_session);
/**
* @brief Get the error string from a TLS session's verification.
*
* @param[in] err_code Error code.
* @return Error string.
*/
char * nc_tls_verify_error_string_wrap(uint32_t err_code);
/**
* @brief Print the TLS session's connection error.
*
* @param[in] connect_ret Error code.
* @param[in] peername Peername.
* @param[in] tls_session TLS session.
*/
void nc_client_tls_print_connect_err_wrap(int connect_ret, const char *peername, void *tls_session);
/**
* @brief Print the TLS session's accept error.
*
* @param[in] accept_ret Error code.
* @param[in] tls_session TLS session.
*/
void nc_server_tls_print_accept_err_wrap(int accept_ret, void *tls_session);
/**
* @brief Checks if the DER data is a SubjectPublicKeyInfo public key.
*
* @param[in] der DER data.
* @param[in] len Length of the DER data.
*
* @return 1 if the data is a SubjectPublicKeyInfo public key, 0 if not, -1 on error.
*/
int nc_tls_is_der_subpubkey_wrap(unsigned char *der, long len);
/**
* @brief Decodes base64 to binary.
*
* @param[in] base64 Base64 string.
* @param[out] bin Binary result, memory managed by the caller.
* @return Length of the binary data on success, -1 on error.
*/
int nc_base64_decode_wrap(const char *base64, unsigned char **bin);
/**
* @brief Encodes binary to base64.
*
* @param[in] bin Binary data.
* @param[in] len Length of the binary data.
* @param[out] base64 NULL terminated Base64 result, memory managed by the caller.
* @return 0 on success, -1 on error.
*/
int nc_base64_encode_wrap(const unsigned char *bin, size_t len, char **base64);
/**
* @brief Reads data from a TLS session.
*
* @param[in] session NETCONF session.
* @param[out] buf Buffer for the data.
* @param[in] size Size of the buffer.
* @return Number of bytes read on success, -1 on error.
*/
int nc_tls_read_wrap(struct nc_session *session, unsigned char *buf, size_t size);
/**
* @brief Writes data to a TLS session.
*
* @param[in] session NETCONF session.
* @param[in] buf Data to write.
* @param[in] size Size of the data.
* @return Number of bytes written on success, -1 on error.
*/
int nc_tls_write_wrap(struct nc_session *session, const unsigned char *buf, size_t size);
/**
* @brief Get the number of pending bytes in a TLS session.
*
* @param[in] tls_session TLS session.
* @return Number of pending bytes.
*/
int nc_tls_get_num_pending_bytes_wrap(void *tls_session);
/**
* @brief Get the file descriptor of a TLS session.
*
* @param[in] session NETCONF session.
* @return File descriptor, -1 on error.
*/
int nc_tls_get_fd_wrap(const struct nc_session *session);
/**
* @brief Close a TLS session.
*
* @param[in] tls_session TLS session.
*/
void nc_tls_close_notify_wrap(void *tls_session);
/**
* @brief Import a private key from a file.
*
* @param[in] privkey_path Path to the private key file.
* @return Imported private key on success, NULL on fail.
*/
void * nc_tls_import_privkey_file_wrap(const char *privkey_path);
/**
* @brief Import a certificate from a file.
*
* @param[in] cert_path Path to the certificate file.
* @return Imported certificate on success, NULL on fail.
*/
void * nc_tls_import_cert_file_wrap(const char *cert_path);
/**
* @brief Export a private key to a PEM string.
*
* @param[in] pkey Private key.
* @return PEM string on success, NULL on fail.
*/
char * nc_tls_export_privkey_pem_wrap(void *pkey);
/**
* @brief Export a certificate to a PEM string.
*
* @param[in] cert Certificate.
* @return PEM string on success, NULL on fail.
*/
char * nc_tls_export_cert_pem_wrap(void *cert);
/**
* @brief Export a public key to a PEM string.
*
* @param[in] pkey Public key.
* @return PEM string on success, NULL on fail.
*/
char * nc_tls_export_pubkey_pem_wrap(void *pkey);
/**
* @brief Check if a private key is RSA.
*
* @param[in] pkey Private key.
* @return 1 if the private key is RSA, 0 if not.
*/
int nc_tls_privkey_is_rsa_wrap(void *pkey);
/**
* @brief Get the RSA public key parameters from a private key.
*
* @param[in] pkey Private key.
* @param[out] e Exponent.
* @param[out] n Modulus.
* @return 0 on success, non-zero on fail.
*/
int nc_tls_get_rsa_pubkey_params_wrap(void *pkey, void **e, void **n);
/**
* @brief Destroy an MPI.
*
* @param[in] mpi MPI.
*/
void nc_tls_destroy_mpi_wrap(void *mpi);
/**
* @brief Check if a private key is EC.
*
* @param[in] pkey Private key.
* @return 1 if the private key is EC, 0 if not.
*/
int nc_tls_privkey_is_ec_wrap(void *pkey);
/**
* @brief Get the group name of an EC private key.
*
* @param[in] pkey Private key.
* @return Group name on success, NULL on fail.
*/
char * nc_tls_get_ec_group_wrap(void *pkey);
/**
* @brief Get the EC public key parameters from a private key.
*
* @param[in] pkey Private key.
* @param[out] q Public key point.
* @param[out] q_grp Public key group.
* @return 0 on success, non-zero on fail.
*/
int nc_tls_get_ec_pubkey_params_wrap(void *pkey, void **q, void **q_grp);
/**
* @brief Convert an EC point to binary.
*
* @param[in] q EC point.
* @param[in] q_grp EC group.
* @param[out] bin Binary point.
* @param[out] bin_len Length of the binary point.
* @return 0 on success, non-zero on fail.
*/
int nc_tls_ec_point_to_bin_wrap(void *q, void *q_grp, unsigned char **bin, int *bin_len);
/**
* @brief Destroy an EC point.
*
* @param[in] p EC point.
*/
void nc_tls_ec_point_destroy_wrap(void *p);
/**
* @brief Destroy an EC group.
*
* @param[in] grp EC group.
*/
void nc_tls_ec_group_destroy_wrap(void *grp);
/**
* @brief Convert an MPI to binary.
*
* @param[in] mpi MPI.
* @param[out] bin Binary buffer.
* @param[out] bin_len Length of the binary.
* @return 0 on success, 1 on error.
*/
int nc_tls_mpi2bin_wrap(void *mpi, unsigned char **bin, int *bin_len);
/**
* @brief Import a public key from a file.
*
* @param[in] pubkey_path Path to the public key file.
* @return Imported public key on success, NULL on fail.
*/
void * nc_tls_import_pubkey_file_wrap(const char *pubkey_path);
/**
* @brief Get all the URIs from a CRL distribution points.
*
* @param[in] cert_store Certificate store.
* @param[out] uris URIs to download the CRLs from.
* @param[out] uri_count Number of URIs found.
* @return 0 on success, non-zero on fail.
*/
int nc_server_tls_get_crl_distpoint_uris_wrap(void *cert_store, char ***uris, int *uri_count);
/**
* @brief Process a cipher suite so that it can be set by the underlying TLS lib.
*
* @param[in] cipher Cipher suite identity value.
* @param[out] out Processed cipher suite.
* @return 0 on success, 1 on fail.
*/
int nc_tls_process_cipher_suite_wrap(const char *cipher, char **out);
/**
* @brief Append a cipher suite to the list of cipher suites.
*
* @param[in] opts TLS options.
* @param[in] cipher_suite Cipher suite to append.
* @return 0 on success, 1 on fail.
*/
int nc_tls_append_cipher_suite_wrap(struct nc_server_tls_opts *opts, const char *cipher_suite);
/**
* @brief Set the list of cipher suites for the TLS configuration.
*
* @param[in] tls_cfg TLS configuration.
* @param[in] cipher_suites List of cipher suites.
*/
void nc_server_tls_set_cipher_suites_wrap(void *tls_cfg, void *cipher_suites);
#endif