author | Eivind Næss <eivnaes@yahoo.com> | 2021-06-24 16:06:11 -0700 |
committer | Eivind Næss <eivnaes@yahoo.com> | 2021-09-27 09:17:32 -0700 |
commit | 789e867f6e51b2d3e7f6ebe723f43764d5d8b595 (patch) | |
tree | 4b58142260936a5647fe24309c678783e666bede /pppd/tls.h | |
parent | 4e2c49755175d05f7f4a3c1c70a42d2eef9d7839 (diff) | |
download | ppp-789e867f6e51b2d3e7f6ebe723f43764d5d8b595.tar.gz |
Improve the PEAP contribution by Rustam Kovhaev
These changes adds to his contribution by
* Adding options to perform CA/CRL checking and certificate validation
consistent with what is already been done for EAP-TLS
* Certificate validation is now in line with what is already been done
for EAP-TLS. Users can now set "remotename" and "tls-verify-method" to
control these.
* Validation of certificate purpose and extended key usage is controlled
by the option "tls-verify-key-usage".
* Fixing up MPPE key generation to use the new API for handling MPPE keys
* Man page is updated where appropriate for the new options.
* Added unit-tests for the PEAP code in case of crypto or parameters would
change in the future.
* Added the peap feature to configure scripts. Users can now control the
feature by specifying --enable-peap/--disable-peap.
To achieve feature parity with the EAP-TLS change, the EAP-TLS common code was
refactored into tls.c/.h such that it could be re-used in both instances.
Using PEAP/MSCHAPv2 is now supported in PPPD with this change.
Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
Diffstat (limited to 'pppd/tls.h')
-rw-r--r-- | pppd/tls.h | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/pppd/tls.h b/pppd/tls.h
new file mode 100644
index 0000000..39fdef7
--- /dev/null
+++ b/pppd/tls.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2021 Eivind Næss. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. The name(s) of the authors of this software must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission.
+ *
+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef TLS_H
+#define TLS_H
+
+/**
+ * Structure used in verifying the peer certificate
+ */
+struct tls_info;
+
+/**
+ * Initialize the SSL library
+ */
+int tls_init();
+
+/**
+ * Get the SSL_METHOD
+ */
+const SSL_METHOD* tls_method();
+
+/**
+ * Configure the SSL options
+ */
+int tls_set_opts(SSL_CTX *ctx);
+
+/**
+ * Configure the SSL context's max TLS version
+ */
+int tls_set_version(SSL_CTX *ctx, const char *max_version);
+
+/**
+ * Configure the SSL context's verify callback
+ */
+int tls_set_verify(SSL_CTX *ctx, int depth);
+
+/**
+ * Configure the SSL verify information
+ */
+int tls_set_verify_info(SSL *ssl, const char *peer_name, const char *peer_cert_file,
+ bool client, struct tls_info **out);
+
+/**
+ * Free the tls_info structure and it's members
+ */
+void tls_free_verify_info(struct tls_info **in);
+
+/**
+ * Configure the SSL context's CRL details
+ */
+int tls_set_crl(SSL_CTX *ctx, const char *crl_dir, const char *crl_file);
+
+/**
+ * Configure the SSL context's CA verify locations
+ */
+int tls_set_ca(SSL_CTX *ctx, const char *ca_dir, const char *ca_file);
+
+/**
+ * Log all errors from ssl library
+ */
+void tls_log_sslerr( void );
+
+#endif /* TLS_H */
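Review bot: The new header is not self-contained: it uses `SSL_METHOD`, `SSL_CTX`, `SSL` and `bool` but includes neither `<openssl/ssl.h>` nor `<stdbool.h>`, so it only compiles in translation units that happen to include those first; add `#include <stdbool.h>` and `#include <openssl/ssl.h>` right after the include guard. The declarations `int tls_init();` and `const SSL_METHOD* tls_method();` have empty parameter lists, which in C are unprototyped declarations that disable argument checking at call sites; write them as `int tls_init(void);` and `const SSL_METHOD *tls_method(void);`, consistent with `tls_log_sslerr( void )` further down. The comments on these public declarations do not state the return convention (whether 0 means success or failure) nor the ownership of `*out` in `tls_set_verify_info`; since `tls_free_verify_info` takes the same `struct tls_info **`, a `@return` line on each `int` function and a sentence on `tls_set_verify_info` saying that `*out` is owned by the caller and must be released with `tls_free_verify_info` would make the contract usable without reading tls.c. Whether `peer_name` or `peer_cert_file` may be NULL, and what that does to peer verification, is the security-relevant part of this API and should be documented on the declaration rather than left to the implementation.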