c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi const char *cert;
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi const char *key;
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi /* NOTE: when updating, remember to update:
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi ssl_iostream_settings_string_offsets[],
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi ssl_iostream_settings_drop_stream_only() */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi const char *ca, *ca_file, *ca_dir; /* context-only */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi /* The alternative cert is for providing a second certificate that uses a
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi different key algorithm from the primary one */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi bool verbose, verbose_invalid_cert; /* stream-only */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* Load SSL module */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi becomes available via ssl_iostream_get_last_error(). A -1 return marks the
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi handshake as failed (see ssl_iostream_has_handshake_failed()). The callback
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi most likely should be calling ssl_iostream_check_cert_validity(). */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashissl_iostream_handshake_callback_t(const char **error_r, void *context);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* Called when TLS SNI becomes available. */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashitypedef int ssl_iostream_sni_callback_t(const char *name, const char **error_r,
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* Explicitly initialize the SSL library globally. This is also done
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi automatically when the first SSL connection is created, but it may be useful
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi to call it earlier, e.g. before chrooting, while the initialization can still
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi reach everything it needs. After the initialization is successful, any
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi further calls will just be ignored. Returns 0 on success, -1 on error. */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashiint io_stream_ssl_global_init(const struct ssl_iostream_settings *set,
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi const char **error_r);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashiint io_stream_create_ssl_client(struct ssl_iostream_context *ctx, const char *host,
6687002a066d64aaa3a076a2cebf8ca517276f17takashi const char **error_r);
99cef7b4ddb1c9b2a05ea664fc04dcc83a63e8benilgunint io_stream_create_ssl_server(struct ssl_iostream_context *ctx,
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi const char **error_r);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* returned input and output streams must also be unreferenced */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashivoid ssl_iostream_unref(struct ssl_iostream **ssl_io);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* shutdown SSL connection and unreference ssl iostream */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashivoid ssl_iostream_destroy(struct ssl_iostream **ssl_io);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* If verbose logging is enabled, use the specified log prefix */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashivoid ssl_iostream_set_log_prefix(struct ssl_iostream *ssl_io,
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi const char *prefix);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashiint ssl_iostream_handshake(struct ssl_iostream *ssl_io);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* Call the given callback when the SSL handshake finishes. The callback must
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi verify that the certificate and its hostname are valid. If there is no
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi callback, the default is to use ssl_iostream_check_cert_validity() with the
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi same host as given to io_stream_create_ssl_client(). Setting a callback
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi replaces that default, so a callback that skips the check leaves the peer
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi certificate unverified. */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashivoid ssl_iostream_set_handshake_callback(struct ssl_iostream *ssl_io,
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* Call the given callback when client sends SNI. The callback can change the
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi ssl_iostream's context (with different certificates) by using
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi ssl_iostream_change_context(). */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashivoid ssl_iostream_set_sni_callback(struct ssl_iostream *ssl_io,
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashivoid ssl_iostream_change_context(struct ssl_iostream *ssl_io,
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashibool ssl_iostream_is_handshaked(const struct ssl_iostream *ssl_io);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* Returns TRUE if the remote cert is invalid, or handshake callback returned
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi failure. */
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashibool ssl_iostream_has_handshake_failed(const struct ssl_iostream *ssl_io);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashibool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashibool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io);
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashiint ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi/* Returns TRUE if the given name matches the SSL stream's certificate.
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi The returned reason is a human-readable string explaining what exactly
c8015dcc4e7280b5b55144555bb0b734d37fdcc6takashi matched the name, or why nothing matched. Note that this function works
const char **reason_r);
const char **error_r);
const char **error_r);
const char **error_r);
const char **error_r);
void ssl_iostream_context_cache_free(void);