summaryrefslogtreecommitdiffstats
path: root/src/libknot/quic/tls_common.h
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/libknot/quic/tls_common.h134
1 files changed, 134 insertions, 0 deletions
diff --git a/src/libknot/quic/tls_common.h b/src/libknot/quic/tls_common.h
new file mode 100644
index 0000000..934f256
--- /dev/null
+++ b/src/libknot/quic/tls_common.h
@@ -0,0 +1,134 @@
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+/*!
+ * \file
+ *
+ * \brief Credentials handling common to QUIC and TLS.
+ *
+ * \addtogroup quic
+ * @{
+ */
+
+#pragma once
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#define KNOT_TLS_PIN_LEN 32
+#define KNOT_TLS_PRIORITIES "-VERS-ALL:+VERS-TLS1.3:" \
+ "-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:" \
+ "+GROUP-SECP384R1:+GROUP-SECP521R1"
+
+struct gnutls_priority_st;
+struct gnutls_session_int;
+struct gnutls_x509_crt_int;
+struct knot_creds;
+
+/*!
+ * \brief Init server TLS key and certificate for DoQ.
+ *
+ * \param key_file Key PEM file path/name.
+ * \param cert_file X509 certificate PEM file path/name (NULL if auto-generated).
+ *
+ * \return Initialized creds.
+ */
+struct knot_creds *knot_creds_init(const char *key_file, const char *cert_file);
+
+/*!
+ * \brief Init peer TLS key and certificate for DoQ.
+ *
+ * \param local_creds Local credentials if server.
+ * \param peer_pin Optional peer certificate pin to check.
+ * \param peer_pin_len Length of the peer pin. Set 0 if not specified.
+ *
+ * \return Initialized creds.
+ */
+struct knot_creds *knot_creds_init_peer(const struct knot_creds *local_creds,
+ const uint8_t *peer_pin,
+ uint8_t peer_pin_len);
+
+/*!
+ * \brief Load new server TLS key and certificate for DoQ.
+ *
+ * \param creds Server credentials where key/cert pair will be updated.
+ * \param key_file Key PEM file path/name.
+ * \param cert_file X509 certificate PEM file path/name (NULL if auto-generated).
+ *
+ * \return KNOT_E*
+ */
+int knot_creds_update(struct knot_creds *creds, const char *key_file, const char *cert_file);
+
+/*!
+ * \brief Gets the certificate from credentials.
+ *
+ * \param creds TLS credentials.
+ * \param cert Output certificate.
+ *
+ * \return KNOT_E*
+ */
+int knot_creds_cert(struct knot_creds *creds, struct gnutls_x509_crt_int **cert);
+
+/*!
+ * \brief Deinit server TLS certificate for DoQ.
+ */
+void knot_creds_free(struct knot_creds *creds);
+
+/*!
+ * \brief Initialize GnuTLS session with credentials, ALPN, etc.
+ *
+ * \param session Out: initialized GnuTLS session struct.
+ * \param creds Certificate credentials.
+ * \param priority Session priority configuration.
+ * \param alpn ALPN string, first byte is the string length.
+ * \param early_data Allow early data.
+ * \param server Should be server session (otherwise client).
+ *
+ * \return KNOT_E*
+ */
+int knot_tls_session(struct gnutls_session_int **session,
+ struct knot_creds *creds,
+ struct gnutls_priority_st *priority,
+ const char *alpn,
+ bool early_data,
+ bool server);
+
+/*!
+ * \brief Gets local or remote certificate pin.
+ *
+ * \note Zero output pin_size value means no certificate available or error.
+ *
+ * \param session TLS connection.
+ * \param pin Output certificate pin.
+ * \param pin_size Input size of the storage / output size of the stored pin.
+ * \param local Local or remote certificate indication.
+ */
+void knot_tls_pin(struct gnutls_session_int *session, uint8_t *pin,
+ size_t *pin_size, bool local);
+
+/*!
+ * \brief Checks remote certificate pin in the session against credentials.
+ *
+ * \param session TLS connection.
+ * \param creds TLS credentials.
+ *
+ * \return KNOT_EOK or KNOT_EBADCERTKEY
+ */
+int knot_tls_pin_check(struct gnutls_session_int *session,
+ struct knot_creds *creds);
+
+/*! @} */