iostream-ssl.h revision 15aa67e8a9dd7fc631d58ce13c54fe004bb4d0c1
#ifndef IOSTREAM_SSL_H
#define IOSTREAM_SSL_H
struct ssl_iostream;
struct ssl_iostream_context;
/* One certificate/private-key pair as handed to an SSL context.
   All members are borrowed C strings; this header does not show who owns
   or frees them — NOTE(review): confirm ownership against the loader. */
struct ssl_iostream_cert {
	/* certificate (presumably PEM text or a path; format not visible here) */
	const char *cert;
	/* private key belonging to cert (same caveat on format) */
	const char *key;
	/* passphrase for key, if the key is encrypted — presumably; treat as a
	   secret: keep its lifetime short and never log it */
	const char *key_password;
};
/* Tunables for an SSL context and/or an individual stream. The trailing tag
   on each member records where it applies: "both" = context and stream,
   "context-only", "stream-only". The "neither/both" tag on
   verify_remote_cert is the original author's; its exact meaning is not
   visible in this header. */
struct ssl_iostream_settings {
	/* NOTE: when updating, remember to update:
	   ssl_iostream_settings_string_offsets[],
	   ssl_iostream_settings_drop_stream_only() */
	const char *protocols;			/* both */
	const char *cipher_list;		/* both */
	const char *curve_list;			/* both */
	/* alternative cert is for providing certificate using
	   different key algorithm
	   (the cert members this refers to are not part of this excerpt) */
	const char *dh;				/* context-only */
	const char *cert_username_field;	/* both */
	const char *crypto_device;		/* context-only */
	/* NOTE(review): presumably disables CRL lookups, i.e. revocation is not
	   checked while set — confirm, and keep it off by default */
	bool skip_crl_check;			/* context-only */
	/* presumably requests verification of the peer certificate — confirm */
	bool verify_remote_cert;		/* neither/both */
	/* presumably keeps the stream usable when the peer cert fails
	   verification; note that the name-matching function declared further
	   down still returns FALSE for an invalid cert — confirm */
	bool allow_invalid_cert;		/* stream-only */
	bool prefer_server_ciphers;		/* both */
	/* presumably TLS-level compression; leaving it disabled is the usual
	   hardening default — confirm what the implementation maps it to */
	bool compression;			/* context-only */
	/* presumably TLS session tickets — confirm */
	bool tickets;				/* context-only */
};
/* Load SSL module. NOTE(review): the return convention is not stated here;
   presumably 0 on success and -1 with *error_r set on failure, like the
   other error_r functions in this header — confirm against the
   implementation. */
int ssl_module_load(const char **error_r);
/* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
becomes available via ssl_iostream_get_last_error(). The callback will most
likely want to call ssl_iostream_check_cert_validity(). */
typedef int
/* Called when TLS SNI becomes available. */
void *context);
/* Explicitly initialize the SSL library globally. This is also done
automatically when the first SSL connection is created, but it may be useful
to call it earlier, e.g. when chrooting. After a successful initialization,
any further calls are simply ignored. Returns 0 on success, -1 on error. */
const char **error_r);
const struct ssl_iostream_settings *set,
struct ssl_iostream **iostream_r,
const char **error_r);
const struct ssl_iostream_settings *set,
struct ssl_iostream **iostream_r,
const char **error_r);
/* returned input and output streams must also be unreferenced */
/* shutdown SSL connection and unreference ssl iostream */
/* If verbose logging is enabled, use the specified log prefix */
const char *prefix);
/* Call the given callback when the SSL handshake finishes. The callback must
verify whether the certificate and its hostname are valid. If there is no
callback, the default is to use ssl_iostream_check_cert_validity() with the
same host as given to io_stream_create_ssl_client() */
void *context);
/* Call the given callback when client sends SNI. The callback can change the
ssl_iostream's context (with different certificates) by using
ssl_iostream_change_context(). */
void *context);
struct ssl_iostream_context *ctx);
/* Returns TRUE if the remote cert is invalid, or the handshake callback
returned failure. */
/* Returns TRUE if the given name matches the SSL stream's certificate.
The returned reason is a human-readable string explaining what exactly
matched the name, or why nothing matched. Note that this function works
only if the certificate is valid - using it when the certificate is invalid
will always return FALSE before even checking the hostname. */
const char **reason_r);
struct ssl_iostream_context **ctx_r,
const char **error_r);
struct ssl_iostream_context **ctx_r,
const char **error_r);
/* FIXME: temporarily for backwards compatibility, remove later */
const struct ssl_iostream_settings *old_set);
struct ssl_iostream_settings *dest,
const struct ssl_iostream_settings *src);
/* Persistent cache of ssl_iostream_contexts. The context is permanently stored
until ssl_iostream_context_cache_free() is called. The returned context
must be unreferenced by the caller. */
struct ssl_iostream_context **ctx_r,
const char **error_r);
struct ssl_iostream_context **ctx_r,
const char **error_r);
/* Free the persistent context cache described above. Contexts handed out by
   the cache were to be unreferenced by their callers; presumably this drops
   only the cache's own references — confirm against the implementation. */
void ssl_iostream_context_cache_free(void);
#endif