source: lib/ssl_client.h @ 91ae87d

Last change on this file since 91ae87d was 200e151, checked in by Wilmer van der Gaast <wilmer@…>, at 2011-12-23T22:40:17Z

tls_verify correction: Don't fail cert verification in non-GnuTLS modules
unless "cafile" setting is enabled.
  • Property mode set to 100644
File size: 4.8 KB
RevLine 
[b7d3cc34]1  /********************************************************************\
2  * BitlBee -- An IRC to other IM-networks gateway                     *
3  *                                                                    *
4  * Copyright 2002-2004 Wilmer van der Gaast and others                *
5  \********************************************************************/
6
7/* SSL module                                                           */
8
9/*
10  This program is free software; you can redistribute it and/or modify
11  it under the terms of the GNU General Public License as published by
12  the Free Software Foundation; either version 2 of the License, or
13  (at your option) any later version.
14
15  This program is distributed in the hope that it will be useful,
16  but WITHOUT ANY WARRANTY; without even the implied warranty of
17  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18  GNU General Public License for more details.
19
20  You should have received a copy of the GNU General Public License with
21  the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL;
22  if not, write to the Free Software Foundation, Inc., 59 Temple Place,
23  Suite 330, Boston, MA  02111-1307  USA
24*/
25
[0aaca60]26/* ssl_client makes it easier to open SSL connections to servers. (It
27   doesn't offer SSL server functionality yet, but it could be useful
28   to add it later.) Different ssl_client modules are available, and
29   ssl_client tries to make them all behave the same. It's very simple
30   and basic, it just imitates the proxy_connect() function from the
31   Gaim libs and passes the socket to the program once the handshake
32   is completed. */
33
[b7d3cc34]34#include <glib.h>
35#include "proxy.h"
36
[0aaca60]37/* Some generic error codes. Especially SSL_AGAIN is important if you
38   want to do asynchronous I/O. */
[701acdd4]39#define SSL_OK            0
40#define SSL_NOHANDSHAKE   1
41#define SSL_AGAIN         2
[486ddb5]42#define VERIFY_CERT_ERROR 2
43#define VERIFY_CERT_INVALID 4
44#define VERIFY_CERT_REVOKED 8
45#define VERIFY_CERT_SIGNER_NOT_FOUND 16
46#define VERIFY_CERT_SIGNER_NOT_CA 32
47#define VERIFY_CERT_INSECURE_ALGORITHM 64
48#define VERIFY_CERT_NOT_ACTIVATED 128
49#define VERIFY_CERT_EXPIRED 256
50#define VERIFY_CERT_WRONG_HOSTNAME 512
[701acdd4]51
52extern int ssl_errno;
53
[0aaca60]54/* This is what your callback function should look like. */
[486ddb5]55typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition);
[b7d3cc34]56
[0aaca60]57
[ba5add7]58/* Perform any global initialization the SSL library might need. */
59G_MODULE_EXPORT void ssl_init( void );
60
[0aaca60]61/* Connect to host:port, call the given function when the connection is
62   ready to be used for SSL traffic. This is all done asynchronously, no
63   blocking I/O! (Except for the DNS lookups, for now...) */
[a72dc2b]64G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data );
[0aaca60]65
[42127dc]66/* Start an SSL session on an existing fd. Useful for STARTTLS functionality,
67   for example in Jabber. */
[486ddb5]68G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data );
[42127dc]69
[0aaca60]70/* Obviously you need special read/write functions to read data. */
[b7d3cc34]71G_MODULE_EXPORT int ssl_read( void *conn, char *buf, int len );
72G_MODULE_EXPORT int ssl_write( void *conn, const char *buf, int len );
[0aaca60]73
[80acb6d]74/* Now needed by most SSL libs. See for more info:
75   http://www.gnu.org/software/gnutls/manual/gnutls.html#index-gnutls_005frecord_005fcheck_005fpending-209
76   http://www.openssl.org/docs/ssl/SSL_pending.html
77   
78   Required because OpenSSL empties the TCP buffer completely but doesn't
79   necessarily give us all the unencrypted data. Or maybe you didn't ask
80   for all of it because your buffer is too small.
81   
82   Returns 0 if there's nothing left, 1 if there's more data. */
[8a2221a7]83G_MODULE_EXPORT int ssl_pending( void *conn );
84
[0aaca60]85/* Abort the SSL connection and disconnect the socket. Do not use close()
86   directly, both the SSL library and the peer will be unhappy! */
[b7d3cc34]87G_MODULE_EXPORT void ssl_disconnect( void *conn_ );
[0aaca60]88
89/* Get the fd for this connection, you will usually need it for event
90   handling. */
[b7d3cc34]91G_MODULE_EXPORT int ssl_getfd( void *conn );
[0aaca60]92
[e046390]93/* This function returns B_EV_IO_READ/WRITE. With SSL connections it's
[0aaca60]94   possible that something has to be read while actually were trying to
95   write something (think about key exchange/refresh/etc). So when an
96   SSL operation returned SSL_AGAIN, *always* use this function when
97   adding an event handler to the queue. (And it should perform exactly
98   the same action as the handler that just received the SSL_AGAIN.) */
[ba9edaa]99G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn );
[523fb23]100
[78b8401]101/* Converts a verification bitfield passed to ssl_input_function into
102   a more useful string. Or NULL if it had no useful bits set. */
103G_MODULE_EXPORT char *ssl_verify_strerror( int code );
104
[523fb23]105G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res);
Note: See TracBrowser for help on using the repository browser.