tunala.h revision 296465 
1/*
2 * Tunala ("Tunneler with a New Zealand accent") Written by Geoff Thorpe,
3 * but endorsed/supported by noone. Please use this is if it's useful or
4 * informative to you, but it's only here as a scratchpad for ideas about how
5 * you might (or might not) program with OpenSSL. If you deploy this is in a
6 * mission-critical environment, and have not read, understood, audited, and
7 * modified this code to your satisfaction, and the result is that all hell
8 * breaks loose and you are looking for a new employer, then it proves
9 * nothing except perhaps that Darwinism is alive and well. Let's just say,
10 * *I* don't use this in a mission-critical environment, so it would be
11 * stupid for anyone to assume that it is solid and/or tested enough when
12 * even its author doesn't place that much trust in it. You have been warned.
13 * With thanks to Cryptographic Appliances, Inc.
14 */
15
16#ifndef _TUNALA_H
17# define _TUNALA_H
18
19/* pull in autoconf fluff */
20# ifndef NO_CONFIG_H
21#  include "config.h"
22# else
23/*
24 * We don't have autoconf, we have to set all of these unless a tweaked
25 * Makefile tells us not to ...
26 */
27/* headers */
28#  ifndef NO_HAVE_SELECT
29#   define HAVE_SELECT
30#  endif
31#  ifndef NO_HAVE_SOCKET
32#   define HAVE_SOCKET
33#  endif
34#  ifndef NO_HAVE_UNISTD_H
35#   define HAVE_UNISTD_H
36#  endif
37#  ifndef NO_HAVE_FCNTL_H
38#   define HAVE_FCNTL_H
39#  endif
40#  ifndef NO_HAVE_LIMITS_H
41#   define HAVE_LIMITS_H
42#  endif
43/* features */
44#  ifndef NO_HAVE_STRSTR
45#   define HAVE_STRSTR
46#  endif
47#  ifndef NO_HAVE_STRTOUL
48#   define HAVE_STRTOUL
49#  endif
50# endif
51
52# if !defined(HAVE_SELECT) || !defined(HAVE_SOCKET)
53#  error "can't build without some network basics like select() and socket()"
54# endif
55
56# include <stdlib.h>
57# ifndef NO_SYSTEM_H
58#  include <string.h>
59#  ifdef HAVE_UNISTD_H
60#   include <unistd.h>
61#  endif
62#  ifdef HAVE_FCNTL_H
63#   include <fcntl.h>
64#  endif
65#  ifdef HAVE_LIMITS_H
66#   include <limits.h>
67#  endif
68#  include <netdb.h>
69#  include <signal.h>
70#  include <sys/socket.h>
71#  include <sys/types.h>
72#  include <netinet/in.h>
73# endif                         /* !defined(NO_SYSTEM_H) */
74
75# ifndef NO_OPENSSL
76#  include <openssl/err.h>
77#  include <openssl/engine.h>
78#  include <openssl/ssl.h>
79# endif                         /* !defined(NO_OPENSSL) */
80
81# ifndef OPENSSL_NO_BUFFER
82/*
83 * This is the generic "buffer" type that is used when feeding the
84 * state-machine. It's basically a FIFO with respect to the "adddata" &
85 * "takedata" type functions that operate on it.
86 */
87#  define MAX_DATA_SIZE 16384
88typedef struct _buffer_t {
89    unsigned char data[MAX_DATA_SIZE];
90    unsigned int used;
91    /*
92     * Statistical values - counts the total number of bytes read in and read
93     * out (respectively) since "buffer_init()"
94     */
95    unsigned long total_in, total_out;
96} buffer_t;
97
98/* Initialise a buffer structure before use */
99void buffer_init(buffer_t * buf);
100/*
101 * Cleanup a buffer structure - presently not needed, but if buffer_t is
102 * converted to using dynamic allocation, this would be required - so should
103 * be called to protect against an explosion of memory leaks later if the
104 * change is made.
105 */
106void buffer_close(buffer_t * buf);
107
108/* Basic functions to manipulate buffers */
109
110unsigned int buffer_used(buffer_t * buf); /* How much data in the buffer */
111unsigned int buffer_unused(buffer_t * buf); /* How much space in the buffer */
112int buffer_full(buffer_t * buf); /* Boolean, is it full? */
113int buffer_notfull(buffer_t * buf); /* Boolean, is it not full? */
114int buffer_empty(buffer_t * buf); /* Boolean, is it empty? */
115int buffer_notempty(buffer_t * buf); /* Boolean, is it not empty? */
116unsigned long buffer_total_in(buffer_t * buf); /* Total bytes written to
117                                                * buffer */
118unsigned long buffer_total_out(buffer_t * buf); /* Total bytes read from
119                                                 * buffer */
120
121#  if 0                         /* Currently used only within buffer.c -
122                                 * better to expose only higher-level
123                                 * functions anyway */
124/*
125 * Add data to the tail of the buffer, returns the amount that was actually
126 * added (so, you need to check if return value is less than size)
127 */
128unsigned int buffer_adddata(buffer_t * buf, const unsigned char *ptr,
129                            unsigned int size);
130
131/*
132 * Take data from the front of the buffer (and scroll the rest forward). If
133 * "ptr" is NULL, this just removes data off the front of the buffer. Return
134 * value is the amount actually removed (can be less than size if the buffer
135 * has too little data).
136 */
137unsigned int buffer_takedata(buffer_t * buf, unsigned char *ptr,
138                             unsigned int size);
139
140/*
141 * Flushes as much data as possible out of the "from" buffer into the "to"
142 * buffer. Return value is the amount moved. The amount moved can be
143 * restricted to a maximum by specifying "cap" - setting it to -1 means no
144 * limit.
145 */
146unsigned int buffer_tobuffer(buffer_t * to, buffer_t * from, int cap);
147#  endif
148
149#  ifndef NO_IP
150/* Read or write between a file-descriptor and a buffer */
151int buffer_from_fd(buffer_t * buf, int fd);
152int buffer_to_fd(buffer_t * buf, int fd);
153#  endif                        /* !defined(NO_IP) */
154
155#  ifndef NO_OPENSSL
156/* Read or write between an SSL or BIO and a buffer */
157void buffer_from_SSL(buffer_t * buf, SSL *ssl);
158void buffer_to_SSL(buffer_t * buf, SSL *ssl);
159void buffer_from_BIO(buffer_t * buf, BIO *bio);
160void buffer_to_BIO(buffer_t * buf, BIO *bio);
161
162/* Callbacks */
163void cb_ssl_info(const SSL *s, int where, int ret);
164/* Called if output should be sent too */
165void cb_ssl_info_set_output(FILE *fp);
166int cb_ssl_verify(int ok, X509_STORE_CTX *ctx);
167void cb_ssl_verify_set_output(FILE *fp);
168void cb_ssl_verify_set_depth(unsigned int verify_depth);
169void cb_ssl_verify_set_level(unsigned int level);
170RSA *cb_generate_tmp_rsa(SSL *s, int is_export, int keylength);
171#  endif                        /* !defined(NO_OPENSSL) */
172# endif                         /* !defined(OPENSSL_NO_BUFFER) */
173
174# ifndef NO_TUNALA
175#  ifdef OPENSSL_NO_BUFFER
176#   error "TUNALA section of tunala.h requires BUFFER support"
177#  endif
178typedef struct _state_machine_t {
179    SSL *ssl;
180    BIO *bio_intossl;
181    BIO *bio_fromssl;
182    buffer_t clean_in, clean_out;
183    buffer_t dirty_in, dirty_out;
184} state_machine_t;
185typedef enum {
186    SM_CLEAN_IN, SM_CLEAN_OUT,
187    SM_DIRTY_IN, SM_DIRTY_OUT
188} sm_buffer_t;
189void state_machine_init(state_machine_t * machine);
190void state_machine_close(state_machine_t * machine);
191buffer_t *state_machine_get_buffer(state_machine_t * machine,
192                                   sm_buffer_t type);
193SSL *state_machine_get_SSL(state_machine_t * machine);
194int state_machine_set_SSL(state_machine_t * machine, SSL *ssl, int is_server);
195/* Performs the data-IO loop and returns zero if the machine should close */
196int state_machine_churn(state_machine_t * machine);
197/*
198 * Is used to handle closing conditions - namely when one side of the tunnel
199 * has closed but the other should finish flushing.
200 */
201int state_machine_close_clean(state_machine_t * machine);
202int state_machine_close_dirty(state_machine_t * machine);
203# endif                         /* !defined(NO_TUNALA) */
204
205# ifndef NO_IP
206/*
207 * Initialise anything related to the networking. This includes blocking
208 * pesky SIGPIPE signals.
209 */
210int ip_initialise(void);
211/*
212 * ip is the 4-byte ip address (eg. 127.0.0.1 is {0x7F,0x00,0x00,0x01}), port
213 * is the port to listen on (host byte order), and the return value is the
214 * file-descriptor or -1 on error.
215 */
216int ip_create_listener_split(const char *ip, unsigned short port);
217/* Same semantics as above. */
218int ip_create_connection_split(const char *ip, unsigned short port);
219/* Converts a string into the ip/port before calling the above */
220int ip_create_listener(const char *address);
221int ip_create_connection(const char *address);
222/*
223 * Just does a string conversion on its own. NB: If accept_all_ip is
224 * non-zero, then the address string could be just a port. Ie. it's suitable
225 * for a listening address but not a connecting address.
226 */
227int ip_parse_address(const char *address, const char **parsed_ip,
228                     unsigned short *port, int accept_all_ip);
229/*
230 * Accepts an incoming connection through the listener. Assumes selects and
231 * what-not have deemed it an appropriate thing to do.
232 */
233int ip_accept_connection(int listen_fd);
234# endif                         /* !defined(NO_IP) */
235
236/* These functions wrap up things that can be portability hassles. */
237int int_strtoul(const char *str, unsigned long *val);
238# ifdef HAVE_STRSTR
239#  define int_strstr strstr
240# else
241char *int_strstr(const char *haystack, const char *needle);
242# endif
243
244#endif                          /* !defined(_TUNALA_H) */
245