xref: /freebsd/crypto/krb5/src/include/k5-tls.h (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) 
1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* include/k5-tls.h - internal pluggable interface for TLS */
3 /*
4  * Copyright (C) 2014 by the Massachusetts Institute of Technology.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * * Redistributions of source code must retain the above copyright
12  *   notice, this list of conditions and the following disclaimer.
13  *
14  * * Redistributions in binary form must reproduce the above copyright
15  *   notice, this list of conditions and the following disclaimer in
16  *   the documentation and/or other materials provided with the
17  *   distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23  * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30  * OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 /*
34  * This internal pluggable interface allows libkrb5 to load an in-tree module
35  * providing TLS support at runtime.  It is currently tailored for the needs of
36  * the OpenSSL module as used for HTTP proxy support.  As an internal
37  * interface, it can be changed to fit different implementations and consumers
38  * without regard for backward compatibility.
39  */
40 
41 #ifndef K5_TLS_H
42 #define K5_TLS_H
43 
44 #include "k5-int.h"
45 
46 /* An abstract type for localauth module data. */
47 typedef struct k5_tls_handle_st *k5_tls_handle;
48 
49 typedef enum {
50     DATA_READ, DONE, WANT_READ, WANT_WRITE, ERROR_TLS
51 } k5_tls_status;
52 
53 /*
54  * Create a handle for fd, where the server certificate must match servername
55  * and be trusted according to anchors.  anchors is a null-terminated list
56  * using the DIR:/FILE:/ENV: syntax borrowed from PKINIT.  If anchors is null,
57  * use the system default trust anchors.
58  */
59 typedef krb5_error_code
60 (*k5_tls_setup_fn)(krb5_context context, SOCKET fd, const char *servername,
61                    char **anchors, k5_tls_handle *handle_out);
62 
63 /*
64  * Write len bytes of data using TLS.  Return DONE if writing is complete,
65  * WANT_READ or WANT_WRITE if the underlying socket must be readable or
66  * writable to continue, and ERROR_TLS if the TLS channel or underlying socket
67  * experienced an error.  After WANT_READ or WANT_WRITE, the operation will be
68  * retried with the same arguments even if some data has already been written.
69  * (OpenSSL makes this contract easy to fulfill.  For other implementations we
70  * might want to change it.)
71  */
72 typedef k5_tls_status
73 (*k5_tls_write_fn)(krb5_context context, k5_tls_handle handle,
74                    const void *data, size_t len);
75 
76 /*
77  * Read up to data_size bytes of data using TLS.  Return DATA_READ and set
78  * *len_out if any data is read.  Return DONE if there is no more data to be
79  * read on the connection, WANT_READ or WANT_WRITE if the underlying socket
80  * must be readable or writable to continue, and ERROR_TLS if the TLS channel
81  * or underlying socket experienced an error.
82  *
83  * After DATA_READ, there may still be pending buffered data to read.  The
84  * caller must call this method again with additional buffer space before
85  * selecting for reading on the underlying socket.
86  */
87 typedef k5_tls_status
88 (*k5_tls_read_fn)(krb5_context context, k5_tls_handle handle, void *data,
89                   size_t data_size, size_t *len_out);
90 
91 /* Release a handle.  Do not pass a null pointer. */
92 typedef void
93 (*k5_tls_free_handle_fn)(krb5_context context, k5_tls_handle handle);
94 
95 /* All functions are mandatory unless they are all null, in which case the
96  * caller should assume that TLS is unsupported. */
97 typedef struct k5_tls_vtable_st {
98     k5_tls_setup_fn setup;
99     k5_tls_write_fn write;
100     k5_tls_read_fn read;
101     k5_tls_free_handle_fn free_handle;
102 } *k5_tls_vtable;
103 
104 #endif /* K5_TLS_H */
105