From 95f5f6d1c3aec1cb62525f5162e71a4157aca717 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 10:42:27 +0200 Subject: Merging upstream version 3.9.0. Signed-off-by: Daniel Baumann --- src/tls/tls.h | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) (limited to 'src/tls/tls.h') diff --git a/src/tls/tls.h b/src/tls/tls.h index 73eebae..3ec41ba 100644 --- a/src/tls/tls.h +++ b/src/tls/tls.h @@ -78,6 +78,7 @@ extern const char *str_tls_level(int); #include /* OPENSSL_VERSION_NUMBER */ #include #include +#include /* TLS extensions */ /* Appease indent(1) */ #define x509_stack_t STACK_OF(X509) @@ -203,8 +204,8 @@ extern void tls_dane_flush(void); extern TLS_DANE *tls_dane_alloc(void); extern void tls_tlsa_free(TLS_TLSA *); extern void tls_dane_free(TLS_DANE *); -extern void tls_dane_add_fpt_digests(TLS_DANE *, const char *, const char *, - int); +extern void tls_dane_add_fpt_digests(TLS_DANE *, int, const char *, + const char *, int); extern TLS_DANE *tls_dane_resolve(unsigned, const char *, DNS_RR *, int); extern int tls_dane_load_trustfile(TLS_DANE *, const char *); @@ -232,6 +233,8 @@ typedef struct { const char *kex_name; /* shared key-exchange algorithm */ const char *kex_curve; /* shared key-exchange ECDHE curve */ int kex_bits; /* shared FFDHE key exchange bits */ + int ctos_rpk; /* Did the client send an RPK? */ + int stoc_rpk; /* Did the server send an RPK? */ const char *clnt_sig_name; /* client's signature key algorithm */ const char *clnt_sig_curve; /* client's ECDSA curve name */ int clnt_sig_bits; /* client's RSA signature key bits */ @@ -264,13 +267,17 @@ typedef struct { * Peer status bits. TLS_CERT_FLAG_MATCHED implies TLS_CERT_FLAG_TRUSTED * only in the case of a hostname match. */ -#define TLS_CERT_FLAG_PRESENT (1<<0) +#define TLS_CRED_FLAG_CERT (1<<0) #define TLS_CERT_FLAG_ALTNAME (1<<1) #define TLS_CERT_FLAG_TRUSTED (1<<2) #define TLS_CERT_FLAG_MATCHED (1<<3) #define TLS_CERT_FLAG_SECURED (1<<4) +#define TLS_CRED_FLAG_RPK (1<<5) +#define TLS_CRED_FLAG_ANY (TLS_CRED_FLAG_CERT|TLS_CRED_FLAG_RPK) -#define TLS_CERT_IS_PRESENT(c) ((c) && ((c)->peer_status&TLS_CERT_FLAG_PRESENT)) +#define TLS_CRED_IS_PRESENT(c) ((c) && ((c)->peer_status&TLS_CRED_FLAG_ANY)) +#define TLS_CERT_IS_PRESENT(c) ((c) && ((c)->peer_status&TLS_CRED_FLAG_CERT)) +#define TLS_RPK_IS_PRESENT(c) ((c) && ((c)->peer_status&TLS_CRED_FLAG_RPK)) #define TLS_CERT_IS_ALTNAME(c) ((c) && ((c)->peer_status&TLS_CERT_FLAG_ALTNAME)) #define TLS_CERT_IS_TRUSTED(c) ((c) && ((c)->peer_status&TLS_CERT_FLAG_TRUSTED)) #define TLS_CERT_IS_MATCHED(c) ((c) && ((c)->peer_status&TLS_CERT_FLAG_MATCHED)) @@ -472,6 +479,7 @@ typedef struct { VSTREAM *stream; int fd; /* Event-driven file descriptor */ int timeout; + int enable_rpk; /* Solicit server raw public keys */ int tls_level; /* Security level */ const char *nexthop; /* destination domain */ const char *host; /* MX hostname */ @@ -508,12 +516,12 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *, a6, a7, a8, a9, a10, a11, a12, a13, a14)) #define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ - a10, a11, a12, a13, a14, a15, a16, a17) \ + a10, a11, a12, a13, a14, a15, a16, a17, a18) \ tls_client_start((((props)->a1), ((props)->a2), ((props)->a3), \ ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \ ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \ ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \ - ((props)->a16), ((props)->a17), (props))) + ((props)->a16), ((props)->a17), ((props)->a18), (props))) /* * tls_server.c @@ -546,6 +554,7 @@ typedef struct { VSTREAM *stream; /* Client stream */ int fd; /* Event-driven file descriptor */ int timeout; /* TLS handshake timeout */ + int enable_rpk; /* Solicit client raw public keys */ int requirecert; /* Insist on client cert? */ const char *serverid; /* Server instance (salt cache key) */ const char *namaddr; /* Client nam[addr] for logging */ @@ -570,10 +579,12 @@ extern TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *); ((props)->a16), ((props)->a17), ((props)->a18), ((props)->a19), \ ((props)->a20), (props))) -#define TLS_SERVER_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10) \ +#define TLS_SERVER_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ + a10, a11) \ tls_server_start((((props)->a1), ((props)->a2), ((props)->a3), \ ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \ - ((props)->a8), ((props)->a9), ((props)->a10), (props))) + ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \ + (props))) /* * tls_session.c @@ -660,7 +671,7 @@ extern TLS_TLSA *tlsa_prepend(TLS_TLSA *, uint8_t, uint8_t, uint8_t, extern const EVP_MD *tls_digest_byname(const char *, EVP_MD_CTX **); extern char *tls_digest_encode(const unsigned char *, int); extern char *tls_cert_fprint(X509 *, const char *); -extern char *tls_pkey_fprint(X509 *, const char *); +extern char *tls_pkey_fprint(EVP_PKEY *, const char *); extern char *tls_serverid_digest(TLS_SESS_STATE *, const TLS_CLIENT_START_PROPS *, const char *); @@ -696,6 +707,8 @@ extern long tls_bio_dump_cb(BIO *, int, const char *, int, long, long); #endif extern const EVP_MD *tls_validate_digest(const char *); +extern void tls_enable_client_rpk(SSL_CTX *, SSL *); +extern void tls_enable_server_rpk(SSL_CTX *, SSL *); /* * tls_seed.c -- cgit v1.2.3