/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* include/k5-tls.h - internal pluggable interface for TLS */
/*
* Copyright (C) 2014 by the Massachusetts Institute of Technology.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This internal pluggable interface allows libkrb5 to load an in-tree module
* providing TLS support at runtime. It is currently tailored for the needs of
* the OpenSSL module as used for HTTP proxy support. As an internal
* interface, it can be changed to fit different implementations and consumers
* without regard for backward compatibility.
*/
#ifndef K5_TLS_H
#define K5_TLS_H
#include "k5-int.h"
/* An abstract type for TLS module data. It is opaque to libkrb5: the module
 * produces one from setup and releases it in free_handle. */
typedef struct k5_tls_handle_st *k5_tls_handle;
/*
 * Result of a TLS read or write operation. The read and write function
 * contracts below state which values each operation may return.
 */
typedef enum {
    DATA_READ,   /* read: some data was stored in the buffer and *len_out set */
    DONE,        /* write: all len bytes written; read: no more data to read */
    WANT_READ,   /* retry once the underlying socket is readable */
    WANT_WRITE,  /* retry once the underlying socket is writable */
    ERROR_TLS    /* the TLS channel or underlying socket experienced an error */
} k5_tls_status;
/*
 * Create a handle for fd, where the server certificate must match servername
 * and be trusted according to anchors. anchors is a null-terminated list
 * using the DIR:/FILE:/ENV: syntax borrowed from PKINIT. If anchors is null,
 * use the system default trust anchors. On success, store the new handle in
 * *handle_out; the caller releases it with free_handle. Return 0 on success
 * or a krb5_error_code on failure.
 */
typedef krb5_error_code
(*k5_tls_setup_fn)(krb5_context context, SOCKET fd, const char *servername,
                   char **anchors, k5_tls_handle *handle_out);
/*
 * Write len bytes of data using TLS. Return DONE if writing is complete,
 * WANT_READ or WANT_WRITE if the underlying socket must be readable or
 * writable to continue, and ERROR_TLS if the TLS channel or underlying socket
 * experienced an error. After WANT_READ or WANT_WRITE, the operation will be
 * retried with the same arguments even if some data has already been written.
 * (OpenSSL makes this contract easy to fulfill. For other implementations we
 * might want to change it.)
 *
 * No partial-write count is reported: the caller learns only whether the whole
 * buffer was written (DONE) or must retry with the same data and len.
 */
typedef k5_tls_status
(*k5_tls_write_fn)(krb5_context context, k5_tls_handle handle,
                   const void *data, size_t len);
/*
 * Read up to data_size bytes of data using TLS. Return DATA_READ and set
 * *len_out if any data is read. Return DONE if there is no more data to be
 * read on the connection, WANT_READ or WANT_WRITE if the underlying socket
 * must be readable or writable to continue, and ERROR_TLS if the TLS channel
 * or underlying socket experienced an error.
 *
 * data_size is the capacity of data; *len_out receives the number of bytes
 * actually stored and is not guaranteed to be set on any return other than
 * DATA_READ.
 *
 * After DATA_READ, there may still be pending buffered data to read. The
 * caller must call this method again with additional buffer space before
 * selecting for reading on the underlying socket.
 */
typedef k5_tls_status
(*k5_tls_read_fn)(krb5_context context, k5_tls_handle handle, void *data,
                  size_t data_size, size_t *len_out);
/* Release a handle obtained from setup; the handle is invalid afterwards. Do
 * not pass a null pointer. */
typedef void
(*k5_tls_free_handle_fn)(krb5_context context, k5_tls_handle handle);
/* All functions are mandatory unless they are all null, in which case the
 * caller should assume that TLS is unsupported. */
typedef struct k5_tls_vtable_st {
    k5_tls_setup_fn setup;              /* create a handle for fd */
    k5_tls_write_fn write;              /* write len bytes using TLS */
    k5_tls_read_fn read;                /* read up to data_size bytes */
    k5_tls_free_handle_fn free_handle;  /* release a handle from setup */
} *k5_tls_vtable;
#endif /* K5_TLS_H */