blob: 0590536d46ffb8d467ed2bbd60c48ca740b56ca5 [file] [log] [blame]
romane60ef992024-05-13 12:53:02 +02001/**
2 * @file session_wrapper.h
3 * @author Roman Janota <janota@cesnet.cz>
4 * @brief libnetconf2 - header for wrapped TLS library function calls (currently OpenSSL and MbedTLS)
5 *
6 * @copyright
7 * Copyright (c) 2024 CESNET, z.s.p.o.
8 *
9 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * https://opensource.org/licenses/BSD-3-Clause
14 */
15
roman4b64fed2024-04-05 12:28:35 +020016#ifndef _SESSION_WRAPPER_H_
17#define _SESSION_WRAPPER_H_
18
19#include <stdlib.h>
20
21#include "config.h"
22
roman25263e92024-05-13 15:43:32 +020023#ifdef HAVE_MBEDTLS
roman4b64fed2024-04-05 12:28:35 +020024
roman4b64fed2024-04-05 12:28:35 +020025#include <mbedtls/ctr_drbg.h>
romanc787d282024-04-25 16:10:46 +020026#include <mbedtls/entropy.h>
27#include <mbedtls/pk.h>
roman008cfe72024-04-05 12:36:18 +020028#include <mbedtls/ssl.h>
romanc787d282024-04-25 16:10:46 +020029#include <mbedtls/x509_crl.h>
30#include <mbedtls/x509_crt.h>
roman4b64fed2024-04-05 12:28:35 +020031
roman6da4cdb2024-05-13 13:47:39 +020032/**
33 * @brief Context from which a TLS session may be created.
34 */
roman4b64fed2024-04-05 12:28:35 +020035struct nc_tls_ctx {
roman6da4cdb2024-05-13 13:47:39 +020036 int *sock; /**< Socket FD. */
37 mbedtls_entropy_context *entropy; /**< Entropy. */
38 mbedtls_ctr_drbg_context *ctr_drbg; /**< Random bit generator. */
39 mbedtls_x509_crt *cert; /**< Certificate. */
40 mbedtls_pk_context *pkey; /**< Private key. */
41 mbedtls_x509_crt *cert_store; /**< CA certificates store. */
42 mbedtls_x509_crl *crl_store; /**< CRL store. */
roman4b64fed2024-04-05 12:28:35 +020043};
44
45#else
46
romanc787d282024-04-25 16:10:46 +020047#include <openssl/evp.h>
romanb2a73b82024-04-23 15:10:12 +020048#include <openssl/ssl.h>
romanc787d282024-04-25 16:10:46 +020049#include <openssl/x509.h>
roman4b64fed2024-04-05 12:28:35 +020050
roman6da4cdb2024-05-13 13:47:39 +020051/**
52 * @brief Context from which a TLS session may be created.
53 */
roman4b64fed2024-04-05 12:28:35 +020054struct nc_tls_ctx {
roman6da4cdb2024-05-13 13:47:39 +020055 X509 *cert; /**< Certificate. */
56 EVP_PKEY *pkey; /**< Private key. */
57 X509_STORE *cert_store; /**< CA certificate store. */
58 X509_STORE *crl_store; /**< CRL store. */
roman4b64fed2024-04-05 12:28:35 +020059};
60
61#endif
62
roman6da4cdb2024-05-13 13:47:39 +020063/**
64 * @brief Server side TLS verify callback data.
65 */
roman4b64fed2024-04-05 12:28:35 +020066struct nc_tls_verify_cb_data {
roman6da4cdb2024-05-13 13:47:39 +020067 struct nc_session *session; /**< NETCONF session. */
68 struct nc_server_tls_opts *opts; /**< TLS server options. */
roman7251b0d2024-07-04 13:25:02 +020069 void *chain; /**< Certificate chain used to verify the client cert. */
roman4b64fed2024-04-05 12:28:35 +020070};
71
romanb2a73b82024-04-23 15:10:12 +020072/**
73 * @brief Creates a new TLS session from the given configuration.
74 *
75 * @param[in] tls_cfg TLS configuration.
76 * @return New TLS session on success, NULL on fail.
77 */
roman4b64fed2024-04-05 12:28:35 +020078void * nc_tls_session_new_wrap(void *tls_cfg);
79
romanb2a73b82024-04-23 15:10:12 +020080/**
81 * @brief Destroys a TLS session.
82 *
83 * @param[in] tls_session TLS session to destroy.
84 */
roman4b64fed2024-04-05 12:28:35 +020085void nc_tls_session_destroy_wrap(void *tls_session);
86
romanb2a73b82024-04-23 15:10:12 +020087/**
88 * @brief Creates a new TLS configuration.
89 *
90 * @param[in] side Side of the TLS connection.
91 * @return New TLS configuration on success, NULL on fail.
92 */
93void * nc_tls_config_new_wrap(int side);
roman4b64fed2024-04-05 12:28:35 +020094
romanb2a73b82024-04-23 15:10:12 +020095/**
96 * @brief Destroys a TLS configuration.
97 *
98 * @param[in] tls_cfg TLS configuration to destroy.
99 */
roman4b64fed2024-04-05 12:28:35 +0200100void nc_tls_config_destroy_wrap(void *tls_cfg);
101
romanb2a73b82024-04-23 15:10:12 +0200102/**
103 * @brief Creates a new TLS certificate.
104 *
105 * @return New TLS certificate on success, NULL on fail.
106 */
romanb87aa452024-05-13 12:58:00 +0200107void * nc_tls_cert_new_wrap(void);
roman4b64fed2024-04-05 12:28:35 +0200108
romanb2a73b82024-04-23 15:10:12 +0200109/**
110 * @brief Destroys a TLS certificate.
111 *
112 * @param[in] cert TLS certificate to destroy.
113 */
roman4b64fed2024-04-05 12:28:35 +0200114void nc_tls_cert_destroy_wrap(void *cert);
115
romanb2a73b82024-04-23 15:10:12 +0200116/**
117 * @brief Destroys a TLS private key.
118 *
119 * @param[in] pkey TLS private key to destroy.
120 */
roman4b64fed2024-04-05 12:28:35 +0200121void nc_tls_privkey_destroy_wrap(void *pkey);
122
romanb2a73b82024-04-23 15:10:12 +0200123/**
124 * @brief Creates a new TLS certificate store.
125 *
126 * @return New TLS certificate store on success, NULL on fail.
127 */
romanb87aa452024-05-13 12:58:00 +0200128void * nc_tls_cert_store_new_wrap(void);
roman4b64fed2024-04-05 12:28:35 +0200129
romanb2a73b82024-04-23 15:10:12 +0200130/**
131 * @brief Destroys a TLS certificate store.
132 *
133 * @param[in] cert_store TLS certificate store to destroy.
134 */
roman4b64fed2024-04-05 12:28:35 +0200135void nc_tls_cert_store_destroy_wrap(void *cert_store);
136
romanb2a73b82024-04-23 15:10:12 +0200137/**
138 * @brief Creates a new CRL store.
139 *
140 * @return New CRL store on success, NULL on fail.
141 */
romanb87aa452024-05-13 12:58:00 +0200142void * nc_tls_crl_store_new_wrap(void);
roman4b64fed2024-04-05 12:28:35 +0200143
romanb2a73b82024-04-23 15:10:12 +0200144/**
145 * @brief Destroys a CRL store.
146 *
147 * @param[in] crl_store CRL store to destroy.
148 */
149void nc_tls_crl_store_destroy_wrap(void *crl_store);
roman4b64fed2024-04-05 12:28:35 +0200150
romanb2a73b82024-04-23 15:10:12 +0200151/**
152 * @brief Converts PEM certificate data to a certificate.
153 *
154 * @param[in] cert_data PEM certificate data.
155 * @return New certificate on success, NULL on fail.
156 */
roman4b64fed2024-04-05 12:28:35 +0200157void * nc_tls_pem_to_cert_wrap(const char *cert_data);
158
romanb2a73b82024-04-23 15:10:12 +0200159/**
160 * @brief Adds a certificate to a certificate store.
161 *
162 * @param[in] cert Certificate to add.
163 * @param[in] cert_store Certificate store to add the certificate to.
164 * @return 0 on success and the memory belongs to cert_store, non-zero on fail.
165 */
166int nc_tls_add_cert_to_store_wrap(void *cert, void *cert_store);
roman4b64fed2024-04-05 12:28:35 +0200167
romanb2a73b82024-04-23 15:10:12 +0200168/**
169 * @brief Converts PEM private key data to a private key.
170 *
171 * @param[in] privkey_data PEM private key data.
172 * @return New private key on success, NULL on fail.
173 */
roman4b64fed2024-04-05 12:28:35 +0200174void * nc_tls_pem_to_privkey_wrap(const char *privkey_data);
175
romanb2a73b82024-04-23 15:10:12 +0200176/**
romanb2a73b82024-04-23 15:10:12 +0200177 * @brief Parses and adds a CRL to a CRL store.
178 *
179 * @param[in] crl_data CRL data.
180 * @param[in] size Size of the CRL data.
181 * @param[in] crl_store CRL store to add the CRL to.
182 * @return 0 on success, non-zero on fail.
183 */
184int nc_server_tls_add_crl_to_store_wrap(const unsigned char *crl_data, size_t size, void *crl_store);
roman4b64fed2024-04-05 12:28:35 +0200185
romanb2a73b82024-04-23 15:10:12 +0200186/**
187 * @brief Sets the TLS version.
188 *
189 * @param[in] tls_cfg TLS configuration.
190 * @param[in] tls_versions Bit-field of supported TLS versions.
191 *
192 * @return 0 on success, non-zero on fail.
193 */
roman4b64fed2024-04-05 12:28:35 +0200194int nc_server_tls_set_tls_versions_wrap(void *tls_cfg, unsigned int tls_versions);
195
romanb2a73b82024-04-23 15:10:12 +0200196/**
197 * @brief Set TLS server's verify flags, verify cb and its data.
198 *
199 * @param[in] tls_cfg TLS configuration.
200 * @param[in] cb_data Verify callback data.
201 */
202void nc_server_tls_set_verify_wrap(void *tls_cfg, struct nc_tls_verify_cb_data *cb_data);
roman4b64fed2024-04-05 12:28:35 +0200203
romanb2a73b82024-04-23 15:10:12 +0200204/**
205 * @brief Set TLS client's verify flags.
206 *
207 * @param[in] tls_cfg TLS configuration.
208 */
209void nc_client_tls_set_verify_wrap(void *tls_cfg);
210
211/**
212 * @brief Verify the certificate.
213 *
214 * @param[in] cert Certificate to verify.
215 * @param[in] depth Certificate depth.
roman7ffd2fc2024-05-13 13:48:34 +0200216 * @param[in] trusted Boolean flag representing whether the certificate is trusted.
romanb2a73b82024-04-23 15:10:12 +0200217 * @param[in] cb_data Data for the verify callback.
218 * @return 0 on success, 1 on verify fail, -1 on fatal error.
219 */
roman7ffd2fc2024-05-13 13:48:34 +0200220int nc_server_tls_verify_cert(void *cert, int depth, int trusted, struct nc_tls_verify_cb_data *cb_data);
roman4b64fed2024-04-05 12:28:35 +0200221
romanb2a73b82024-04-23 15:10:12 +0200222/**
223 * @brief Check if the peer certificate matches any configured ee certs.
224 *
225 * @param[in] peer_cert Peer certificate.
226 * @param[in] opts TLS options.
227 * @return 0 on success, non-zero on fail.
228 */
229int nc_server_tls_verify_peer_cert(void *peer_cert, struct nc_server_tls_opts *opts);
230
231/**
232 * @brief Get the subject of the certificate.
233 *
234 * @param[in] cert Certificate.
235 * @return Subject of the certificate on success, NULL on fail.
236 */
roman4b64fed2024-04-05 12:28:35 +0200237char * nc_server_tls_get_subject_wrap(void *cert);
238
romanb2a73b82024-04-23 15:10:12 +0200239/**
240 * @brief Get the issuer of the certificate.
241 *
242 * @param[in] cert Certificate.
243 * @return Issuer of the certificate on success, NULL on fail.
244 */
roman4b64fed2024-04-05 12:28:35 +0200245char * nc_server_tls_get_issuer_wrap(void *cert);
246
romanb2a73b82024-04-23 15:10:12 +0200247/**
248 * @brief Get the Subject Alternative Names of the certificate.
249 *
250 * @param[in] cert Certificate.
251 * @return SANs on success, NULL on fail.
252 */
253void * nc_tls_get_sans_wrap(void *cert);
roman4b64fed2024-04-05 12:28:35 +0200254
romanb2a73b82024-04-23 15:10:12 +0200255/**
256 * @brief Destroy the SANs.
257 *
258 * @param[in] sans SANs to destroy.
259 */
260void nc_tls_sans_destroy_wrap(void *sans);
261
262/**
263 * @brief Get the number of SANs.
264 *
265 * @param[in] sans SANs.
266 * @return Number of SANs.
267 */
268int nc_tls_get_num_sans_wrap(void *sans);
269
roman3b752e12024-05-13 16:27:57 +0200270#ifdef NC_ENABLED_SSH_TLS
271
romanb2a73b82024-04-23 15:10:12 +0200272/**
273 * @brief Get the SAN value and type in the context of CTN.
274 *
275 * @param[in] sans SANs.
276 * @param[in] idx Index of the SAN.
277 * @param[out] san_value SAN value.
278 * @param[out] san_type SAN type.
279 * @return 0 on success, non-zero on fail.
280 */
281int nc_tls_get_san_value_type_wrap(void *sans, int idx, char **san_value, NC_TLS_CTN_MAPTYPE *san_type);
282
roman3b752e12024-05-13 16:27:57 +0200283#endif
284
romanb2a73b82024-04-23 15:10:12 +0200285/**
roman7251b0d2024-07-04 13:25:02 +0200286 * @brief Get the number of certificates in a certificate chain.
287 *
288 * @param[in] chain Certificate chain.
289 * @return Number of certificates in the chain.
290 */
291int nc_tls_get_num_certs_wrap(void *chain);
292
293/**
294 * @brief Get a certificate from a certificate chain.
295 *
296 * @param[in] chain Certificate chain.
297 * @param[in] idx Index of the certificate to get.
298 * @param[out] cert Certificate.
299 */
300void nc_tls_get_cert_wrap(void *chain, int idx, void **cert);
301
302/**
romanb2a73b82024-04-23 15:10:12 +0200303 * @brief Compare two certificates.
304 *
305 * @param[in] cert1 Certificate 1.
306 * @param[in] cert2 Certificate 2.
307 * @return 1 if the certificates match, 0 otherwise.
308 */
roman4b64fed2024-04-05 12:28:35 +0200309int nc_server_tls_certs_match_wrap(void *cert1, void *cert2);
310
romanb2a73b82024-04-23 15:10:12 +0200311/**
312 * @brief Get the MD5 digest of the certificate.
313 *
314 * @param[in] cert Certificate.
315 * @param[out] buf Buffer for the digest.
316 * @return 0 on success, non-zero on fail.
317 */
roman4b64fed2024-04-05 12:28:35 +0200318int nc_server_tls_md5_wrap(void *cert, unsigned char *buf);
319
romanb2a73b82024-04-23 15:10:12 +0200320/**
321 * @brief Get the SHA1 digest of the certificate.
322 *
323 * @param[in] cert Certificate.
324 * @param[out] buf Buffer for the digest.
325 * @return 0 on success, non-zero on fail.
326 */
roman4b64fed2024-04-05 12:28:35 +0200327int nc_server_tls_sha1_wrap(void *cert, unsigned char *buf);
328
romanb2a73b82024-04-23 15:10:12 +0200329/**
330 * @brief Get the SHA224 digest of the certificate.
331 *
332 * @param[in] cert Certificate.
333 * @param[out] buf Buffer for the digest.
334 * @return 0 on success, non-zero on fail.
335 */
roman4b64fed2024-04-05 12:28:35 +0200336int nc_server_tls_sha224_wrap(void *cert, unsigned char *buf);
337
romanb2a73b82024-04-23 15:10:12 +0200338/**
339 * @brief Get the SHA256 digest of the certificate.
340 *
341 * @param[in] cert Certificate.
342 * @param[out] buf Buffer for the digest.
343 * @return 0 on success, non-zero on fail.
344 */
roman4b64fed2024-04-05 12:28:35 +0200345int nc_server_tls_sha256_wrap(void *cert, unsigned char *buf);
346
romanb2a73b82024-04-23 15:10:12 +0200347/**
348 * @brief Get the SHA384 digest of the certificate.
349 *
350 * @param[in] cert Certificate.
351 * @param[out] buf Buffer for the digest.
352 * @return 0 on success, non-zero on fail.
353 */
roman4b64fed2024-04-05 12:28:35 +0200354int nc_server_tls_sha384_wrap(void *cert, unsigned char *buf);
355
romanb2a73b82024-04-23 15:10:12 +0200356/**
357 * @brief Get the SHA512 digest of the certificate.
358 *
359 * @param[in] cert Certificate.
360 * @param[out] buf Buffer for the digest.
361 * @return 0 on success, non-zero on fail.
362 */
roman4b64fed2024-04-05 12:28:35 +0200363int nc_server_tls_sha512_wrap(void *cert, unsigned char *buf);
364
romanb2a73b82024-04-23 15:10:12 +0200365/**
366 * @brief Set the FD for a TLS session.
367 *
368 * @param[in] tls_session TLS session.
369 * @param[in] sock Socket FD.
370 * @param[in] tls_ctx TLS context.
371 */
roman4b64fed2024-04-05 12:28:35 +0200372void nc_server_tls_set_fd_wrap(void *tls_session, int sock, struct nc_tls_ctx *tls_ctx);
373
romanb2a73b82024-04-23 15:10:12 +0200374/**
375 * @brief Perform a server-side step of the TLS handshake.
376 *
377 * @param[in] tls_session TLS session.
378 * @return 1 on success, 0 if the handshake is not finished, negative number on error.
379 */
roman4b64fed2024-04-05 12:28:35 +0200380int nc_server_tls_handshake_step_wrap(void *tls_session);
381
romanb2a73b82024-04-23 15:10:12 +0200382/**
383 * @brief Perform a client-side step of the TLS handshake.
384 *
385 * @param[in] tls_session TLS session.
386 * @param[in] sock Socket FD.
387 * @return 1 on success, 0 if the handshake is not finished, negative number on error.
388 */
389int nc_client_tls_handshake_step_wrap(void *tls_session, int sock);
roman4b64fed2024-04-05 12:28:35 +0200390
romanb2a73b82024-04-23 15:10:12 +0200391/**
392 * @brief Destroy a TLS context.
393 *
394 * @param[in] tls_ctx TLS context.
395 */
roman4b64fed2024-04-05 12:28:35 +0200396void nc_tls_ctx_destroy_wrap(struct nc_tls_ctx *tls_ctx);
397
romanb2a73b82024-04-23 15:10:12 +0200398/**
399 * @brief Load client's certificate and a private key.
400 *
401 * @param[in] cert_path Path to the certificate.
402 * @param[in] key_path Path to the private key.
403 * @param[out] cert Certificate.
404 * @param[out] pkey Private key.
405 * @return 0 on success, non-zero on fail.
406 */
roman4b64fed2024-04-05 12:28:35 +0200407int nc_client_tls_load_cert_key_wrap(const char *cert_path, const char *key_path, void **cert, void **pkey);
408
romanb2a73b82024-04-23 15:10:12 +0200409/**
410 * @brief Load client's trusted certificates.
411 *
412 * @param[in] cert_store Certificate store.
413 * @param[in] file_path Path to the file with trusted certificates.
414 * @param[in] dir_path Path to the directory with trusted certificates.
415 * @return 0 on success, non-zero on fail.
416 */
roman4b64fed2024-04-05 12:28:35 +0200417int nc_client_tls_load_trusted_certs_wrap(void *cert_store, const char *file_path, const char *dir_path);
418
romanb2a73b82024-04-23 15:10:12 +0200419/**
romanb2a73b82024-04-23 15:10:12 +0200420 * @brief Set the hostname for the TLS session.
421 *
422 * @param[in] tls_session TLS session.
423 * @param[in] hostname Hostname.
424 * @return 0 on success, non-zero on fail.
425 */
roman4b64fed2024-04-05 12:28:35 +0200426int nc_client_tls_set_hostname_wrap(void *tls_session, const char *hostname);
427
romanb2a73b82024-04-23 15:10:12 +0200428/**
429 * @brief Initialize a TLS context.
430 *
431 * @param[in] sock Socket FD.
432 * @param[in] cert Certificate.
433 * @param[in] pkey Private key.
434 * @param[in] cert_store Certificate store.
435 * @param[in] crl_store CRL store.
436 * @param[in,out] tls_ctx TLS context.
437 * @return 0 on success, non-zero on fail.
438 */
439int nc_tls_init_ctx_wrap(int sock, void *cert, void *pkey, void *cert_store, void *crl_store, struct nc_tls_ctx *tls_ctx);
roman4b64fed2024-04-05 12:28:35 +0200440
romanb2a73b82024-04-23 15:10:12 +0200441/**
442 * @brief Setup a TLS configuration from a TLS context.
443 *
444 * @param[in] tls_ctx TLS context.
445 * @param[in] side Side of the TLS connection.
446 * @param[in,out] tls_cfg TLS configuration.
447 * @return 0 on success, non-zero on fail.
448 */
449int nc_tls_setup_config_from_ctx_wrap(struct nc_tls_ctx *tls_ctx, int side, void *tls_cfg);
450
451/**
452 * @brief Get the error code from a TLS session's verification.
453 *
454 * @param[in] tls_session TLS session.
455 * @return Error code, 0 indicates success.
456 */
roman4b64fed2024-04-05 12:28:35 +0200457uint32_t nc_tls_get_verify_result_wrap(void *tls_session);
458
romanb2a73b82024-04-23 15:10:12 +0200459/**
460 * @brief Get the error string from a TLS session's verification.
461 *
462 * @param[in] err_code Error code.
463 * @return Error string.
464 */
465char * nc_tls_verify_error_string_wrap(uint32_t err_code);
roman4b64fed2024-04-05 12:28:35 +0200466
romanb2a73b82024-04-23 15:10:12 +0200467/**
468 * @brief Print the TLS session's connection error.
469 *
470 * @param[in] connect_ret Error code.
471 * @param[in] peername Peername.
472 * @param[in] tls_session TLS session.
473 */
474void nc_client_tls_print_connect_err_wrap(int connect_ret, const char *peername, void *tls_session);
roman4b64fed2024-04-05 12:28:35 +0200475
romanb2a73b82024-04-23 15:10:12 +0200476/**
477 * @brief Print the TLS session's accept error.
478 *
479 * @param[in] accept_ret Error code.
480 * @param[in] tls_session TLS session.
481 */
482void nc_server_tls_print_accept_err_wrap(int accept_ret, void *tls_session);
roman4b64fed2024-04-05 12:28:35 +0200483
romanb2a73b82024-04-23 15:10:12 +0200484/**
485 * @brief Checks if the DER data is a SubjectPublicKeyInfo public key.
486 *
487 * @param[in] der DER data.
488 * @param[in] len Length of the DER data.
489 *
490 * @return 1 if the data is a SubjectPublicKeyInfo public key, 0 if not, -1 on error.
491 */
492int nc_tls_is_der_subpubkey_wrap(unsigned char *der, long len);
roman4b64fed2024-04-05 12:28:35 +0200493
494/**
495 * @brief Decodes base64 to binary.
496 *
497 * @param[in] base64 Base64 string.
498 * @param[out] bin Binary result, memory managed by the caller.
499 * @return Length of the binary data on success, -1 on error.
500 */
romanb2a73b82024-04-23 15:10:12 +0200501int nc_base64_decode_wrap(const char *base64, unsigned char **bin);
roman4b64fed2024-04-05 12:28:35 +0200502
romanb2a73b82024-04-23 15:10:12 +0200503/**
504 * @brief Encodes binary to base64.
505 *
506 * @param[in] bin Binary data.
507 * @param[in] len Length of the binary data.
508 * @param[out] base64 NULL terminated Base64 result, memory managed by the caller.
509 * @return 0 on success, -1 on error.
510 */
roman4b64fed2024-04-05 12:28:35 +0200511int nc_base64_encode_wrap(const unsigned char *bin, size_t len, char **base64);
512
romanb2a73b82024-04-23 15:10:12 +0200513/**
514 * @brief Reads data from a TLS session.
515 *
516 * @param[in] session NETCONF session.
517 * @param[out] buf Buffer for the data.
518 * @param[in] size Size of the buffer.
519 * @return Number of bytes read on success, -1 on error.
520 */
roman4b64fed2024-04-05 12:28:35 +0200521int nc_tls_read_wrap(struct nc_session *session, unsigned char *buf, size_t size);
522
romanb2a73b82024-04-23 15:10:12 +0200523/**
524 * @brief Writes data to a TLS session.
525 *
526 * @param[in] session NETCONF session.
527 * @param[in] buf Data to write.
528 * @param[in] size Size of the data.
529 * @return Number of bytes written on success, -1 on error.
530 */
roman4b64fed2024-04-05 12:28:35 +0200531int nc_tls_write_wrap(struct nc_session *session, const unsigned char *buf, size_t size);
532
romanb2a73b82024-04-23 15:10:12 +0200533/**
534 * @brief Get the number of pending bytes in a TLS session.
535 *
536 * @param[in] tls_session TLS session.
537 * @return Number of pending bytes.
538 */
539int nc_tls_get_num_pending_bytes_wrap(void *tls_session);
roman4b64fed2024-04-05 12:28:35 +0200540
romanb2a73b82024-04-23 15:10:12 +0200541/**
542 * @brief Get the file descriptor of a TLS session.
543 *
544 * @param[in] session NETCONF session.
545 * @return File descriptor, -1 on error.
546 */
roman4b64fed2024-04-05 12:28:35 +0200547int nc_tls_get_fd_wrap(const struct nc_session *session);
548
romanb2a73b82024-04-23 15:10:12 +0200549/**
550 * @brief Close a TLS session.
551 *
552 * @param[in] tls_session TLS session.
553 */
roman4b64fed2024-04-05 12:28:35 +0200554void nc_tls_close_notify_wrap(void *tls_session);
555
romanb2a73b82024-04-23 15:10:12 +0200556/**
557 * @brief Import a private key from a file.
558 *
559 * @param[in] privkey_path Path to the private key file.
560 * @return Imported private key on success, NULL on fail.
561 */
562void * nc_tls_import_privkey_file_wrap(const char *privkey_path);
roman4b64fed2024-04-05 12:28:35 +0200563
romanb2a73b82024-04-23 15:10:12 +0200564/**
565 * @brief Import a certificate from a file.
566 *
567 * @param[in] cert_path Path to the certificate file.
568 * @return Imported certificate on success, NULL on fail.
569 */
roman4b64fed2024-04-05 12:28:35 +0200570void * nc_tls_import_cert_file_wrap(const char *cert_path);
571
romanb2a73b82024-04-23 15:10:12 +0200572/**
573 * @brief Export a private key to a PEM string.
574 *
575 * @param[in] pkey Private key.
576 * @return PEM string on success, NULL on fail.
577 */
578char * nc_tls_export_privkey_pem_wrap(void *pkey);
roman4b64fed2024-04-05 12:28:35 +0200579
romanb2a73b82024-04-23 15:10:12 +0200580/**
581 * @brief Export a certificate to a PEM string.
582 *
583 * @param[in] cert Certificate.
584 * @return PEM string on success, NULL on fail.
585 */
586char * nc_tls_export_cert_pem_wrap(void *cert);
roman4b64fed2024-04-05 12:28:35 +0200587
romanb2a73b82024-04-23 15:10:12 +0200588/**
589 * @brief Export a public key to a PEM string.
590 *
591 * @param[in] pkey Public key.
592 * @return PEM string on success, NULL on fail.
593 */
594char * nc_tls_export_pubkey_pem_wrap(void *pkey);
roman4b64fed2024-04-05 12:28:35 +0200595
romanb2a73b82024-04-23 15:10:12 +0200596/**
597 * @brief Check if a private key is RSA.
598 *
599 * @param[in] pkey Private key.
600 * @return 1 if the private key is RSA, 0 if not.
601 */
roman4b64fed2024-04-05 12:28:35 +0200602int nc_tls_privkey_is_rsa_wrap(void *pkey);
603
romanb2a73b82024-04-23 15:10:12 +0200604/**
605 * @brief Get the RSA public key parameters from a private key.
606 *
607 * @param[in] pkey Private key.
608 * @param[out] e Exponent.
609 * @param[out] n Modulus.
610 * @return 0 on success, non-zero on fail.
611 */
roman4b64fed2024-04-05 12:28:35 +0200612int nc_tls_get_rsa_pubkey_params_wrap(void *pkey, void **e, void **n);
613
romanb2a73b82024-04-23 15:10:12 +0200614/**
615 * @brief Destroy an MPI.
616 *
617 * @param[in] mpi MPI.
618 */
619void nc_tls_destroy_mpi_wrap(void *mpi);
620
621/**
622 * @brief Check if a private key is EC.
623 *
624 * @param[in] pkey Private key.
625 * @return 1 if the private key is EC, 0 if not.
626 */
roman4b64fed2024-04-05 12:28:35 +0200627int nc_tls_privkey_is_ec_wrap(void *pkey);
628
romanb2a73b82024-04-23 15:10:12 +0200629/**
630 * @brief Get the group name of an EC private key.
631 *
632 * @param[in] pkey Private key.
633 * @return Group name on success, NULL on fail.
634 */
roman4b64fed2024-04-05 12:28:35 +0200635char * nc_tls_get_ec_group_wrap(void *pkey);
636
romanb2a73b82024-04-23 15:10:12 +0200637/**
638 * @brief Get the EC public key parameters from a private key.
639 *
640 * @param[in] pkey Private key.
641 * @param[out] q Public key point.
642 * @param[out] q_grp Public key group.
643 * @return 0 on success, non-zero on fail.
644 */
645int nc_tls_get_ec_pubkey_params_wrap(void *pkey, void **q, void **q_grp);
roman4b64fed2024-04-05 12:28:35 +0200646
romanb2a73b82024-04-23 15:10:12 +0200647/**
648 * @brief Convert an EC point to binary.
649 *
650 * @param[in] q EC point.
651 * @param[in] q_grp EC group.
652 * @param[out] bin Binary point.
653 * @param[out] bin_len Length of the binary point.
654 * @return 0 on success, non-zero on fail.
655 */
656int nc_tls_ec_point_to_bin_wrap(void *q, void *q_grp, unsigned char **bin, int *bin_len);
roman4b64fed2024-04-05 12:28:35 +0200657
romanb2a73b82024-04-23 15:10:12 +0200658/**
659 * @brief Destroy an EC point.
660 *
661 * @param[in] p EC point.
662 */
663void nc_tls_ec_point_destroy_wrap(void *p);
roman4b64fed2024-04-05 12:28:35 +0200664
romanb2a73b82024-04-23 15:10:12 +0200665/**
666 * @brief Destroy an EC group.
667 *
668 * @param[in] grp EC group.
669 */
670void nc_tls_ec_group_destroy_wrap(void *grp);
671
672/**
673 * @brief Convert an MPI to binary.
674 *
675 * @param[in] mpi MPI.
676 * @param[out] bin Binary buffer.
677 * @param[out] bin_len Length of the binary.
678 * @return 0 on success, 1 on error.
679 */
680int nc_tls_mpi2bin_wrap(void *mpi, unsigned char **bin, int *bin_len);
681
682/**
683 * @brief Import a public key from a file.
684 *
685 * @param[in] pubkey_path Path to the public key file.
686 * @return Imported public key on success, NULL on fail.
687 */
roman4b64fed2024-04-05 12:28:35 +0200688void * nc_tls_import_pubkey_file_wrap(const char *pubkey_path);
689
romanb2a73b82024-04-23 15:10:12 +0200690/**
roman15fbc592024-07-02 16:01:23 +0200691 * @brief Get all the URIs from the CRLDistributionPoints x509v3 extensions.
romanb2a73b82024-04-23 15:10:12 +0200692 *
roman15fbc592024-07-02 16:01:23 +0200693 * @param[in] leaf_cert Server/client certificate.
romanb2a73b82024-04-23 15:10:12 +0200694 * @param[in] cert_store Certificate store.
695 * @param[out] uris URIs to download the CRLs from.
696 * @param[out] uri_count Number of URIs found.
697 * @return 0 on success, non-zero on fail.
698 */
roman15fbc592024-07-02 16:01:23 +0200699int nc_server_tls_get_crl_distpoint_uris_wrap(void *leaf_cert, void *cert_store, char ***uris, int *uri_count);
roman4b64fed2024-04-05 12:28:35 +0200700
romanb2a73b82024-04-23 15:10:12 +0200701/**
702 * @brief Process a cipher suite so that it can be set by the underlying TLS lib.
703 *
704 * @param[in] cipher Cipher suite identity value.
705 * @param[out] out Processed cipher suite.
706 * @return 0 on success, 1 on fail.
707 */
708int nc_tls_process_cipher_suite_wrap(const char *cipher, char **out);
709
710/**
711 * @brief Append a cipher suite to the list of cipher suites.
712 *
713 * @param[in] opts TLS options.
714 * @param[in] cipher_suite Cipher suite to append.
715 * @return 0 on success, 1 on fail.
716 */
717int nc_tls_append_cipher_suite_wrap(struct nc_server_tls_opts *opts, const char *cipher_suite);
718
719/**
720 * @brief Set the list of cipher suites for the TLS configuration.
721 *
722 * @param[in] tls_cfg TLS configuration.
723 * @param[in] cipher_suites List of cipher suites.
724 */
725void nc_server_tls_set_cipher_suites_wrap(void *tls_cfg, void *cipher_suites);
726
roman4b64fed2024-04-05 12:28:35 +0200727#endif