1 /* tlspool/commands.h -- Structure definitions for the UNIX socket protocol */
4 #ifndef TLSPOOL_COMMANDS_H
5 #define TLSPOOL_COMMANDS_H
15 #define _usleep(usec) (Sleep((usec) / 1000))
16 #define poll(fds, nfds, timeout) WSAPoll(fds, nfds, timeout)
18 #else /* WINDOWS_PORT */
19 #define _usleep(usec) usleep(usec)
20 #endif /* WINDOWS_PORT */
23 #define TLSPOOL_IDENTITY_V2 "20151111api@tlspool.arpa2.net"
26 /****************************** STRUCTURES *****************************/
29 #define TLSPOOL_CTLKEYLEN 16
30 #define TLSPOOL_SERVICELEN 16
31 #define TLSPOOL_PRNGBUFLEN 350
32 #define TLSPOOL_INFOBUFLEN (350-TLSPOOL_CTLKEYLEN)
33 #define TLSPOOL_TIMEOUT_DEFAULT 0
34 #define TLSPOOL_TIMEOUT_INFINITE (~(uint32_t)0)
37 /* Windows is the only non-POSIX system, and as such, it is the only
38 * platform that does not support ancilary data (as on UNIX domain sockets).
39 * To pass a socket or file handle, different structures must be passed to
40 * the TLS Pool, and of course it is also possible to pass neither. The
41 * anciltype indicates which applies. This is used in an add-on that is
42 * always appended to the TLS Pool structure when passing it on Windows.
46 ANCIL_TYPE_SOCKET = 1,
47 ANCIL_TYPE_FILEHANDLE = 2,
49 #endif /* WINDOWS_PORT */
53 * TLS Pool communication proceeds over a UNIX file system socket, by
54 * sending and receiving messages like below.
56 * The order of events is always one where the application connecting
57 * to the socket sends messages, and the TLS Pool always sends a response.
58 * Depending on the command, this response may be fast or slow, but there
59 * will always be a response as long as the connection is kept open. If
60 * the application can handle concurrent communication, it may send
61 * more than one packet at a time. The response will always copy the
62 * pio_reqid field from the request to facilitate this; the application
63 * should ensure different pio_reqid values for simultaneously sent
64 * requests. The TLS Pool may also request follow-up action, which
65 * should also lead to exactly one action. In this case, the pio_cbid
66 * field must be copied into the new request.
68 * Command tags are 32 bit in size; this gives us the room to include
69 * version numbers for semantic variations. Implementations have the
70 * freedom to combine similar tags (usually different versions) into
71 * one piece of code. Something counts as a version when its code has
72 * been released into a code version; this does not include loose patches
73 * or sheer uploads to a file system or mailing list. Authors of new
74 * versions are kindly requested to request an update to this file on its
75 * prime location, http://github.com/vanrein/tlspool so it can serve as
76 * a global registry, ensuring portability.
77 * TODO: Consider changing to git.vanrein.org
79 * Commands would normally be deprecated for some time, i.e. recognised
80 * but not sent. After "sufficient time" has passed, a depracated tag
81 * may be retracted from an implementation. Instant retraction should
82 * only be exercised under full control of all components, or for reasons
83 * of urgency; notably, in case of security errors of the semantics (not
84 * the coding) of a command tag. This would effectively force other
85 * components to upgrade -- but this is something to be careful about;
86 * such upgrades should be readily available to all targeted users!
88 * It is generally safe to assume that applications need no protection
89 * from the TLS Pool. The opposite does not hold, as there are secrets
90 * in the pool that may be interesting to attack.
92 * When a command fails, an error must always be reported through the
93 * PIOC_ERROR_Vx command. This is the only alternative to the usual
94 * response, which may be PIOC_SUCCESS_Vx command or something defined
95 * by the command to incorporate response data.
97 * Minute variations in commands should not be signaled with different
98 * tags; instead, a flags field should be created in the payload. This
99 * is the more extensible approach. Unknown flags are reserved for future
100 * use and must always be set to zero when sending, and ignored when
101 * receiving. Such future extensions are always optional; a required
102 * change would be implemented through a new semantics version.
104 * TODO: There may be extra pieces of information, notably the sending
105 * of file descriptors is used to pass connections between processes.
111 int tlserrno; // Constrained to int32_t values
116 char YYYYMMDD_producer [8+128]; // when & who?
117 uint32_t facilities; // PIOF_FACILITY_xxx
120 struct pioc_starttls {
121 uint32_t flags; // PIOF_STARTTLS_xxx below
122 uint32_t local; // Locally defined bits
123 uint8_t ipproto; // IPPROTO_TCP, _UDP, _SCTP
124 uint16_t streamid; // Needed for SCTP
125 char localid [128]; // Local ID or empty string
126 char remoteid [128]; // Remote ID or empty string
127 uint8_t ctlkey [TLSPOOL_CTLKEYLEN]; // Key for detach
128 uint8_t service [TLSPOOL_SERVICELEN]; // Names from IANA
129 uint32_t timeout; // in ms, 0=default, ~0=infinite
132 struct pioc_pinentry {
133 uint32_t flags; // PIOF_PINENTRY_xxx below
134 uint32_t attempt; // Attempt counter -- display!
135 uint32_t timeout_us; // Timeout in microseconds
136 char pin [128]; // Empty string means no PIN
137 char prompt [128]; // Prompt from TLS Pool
138 char token_manuf[32 + 1 + 3]; // PKCS #11 token manufacturer
139 char token_model[16 + 1 + 3]; // PKCS #11 token model
140 char token_serial[16 + 1 + 3]; // PKCS #11 token serial number
141 char token_label[32 + 1 + 3]; // PKCS #11 token label
144 struct pioc_lidentry {
145 uint32_t flags; // PIOF_LIDENTRY_xxx below
146 uint16_t maxlevels; // Max # iterations for concrete ID
147 uint32_t timeout; // Regtimeout[s] or resptimeout
148 char localid [128]; // Local ID or empty string
149 char remoteid [128]; // Remote ID or empty string
152 struct pioc_control {
153 uint32_t flags; // PIOF_CONTROL_xxx, none yet
154 uint8_t ctlkey [TLSPOOL_CTLKEYLEN]; // Control key
155 char name [128]; // A name field
159 int16_t in1_len, in2_len, prng_len;
160 uint8_t buffer [TLSPOOL_PRNGBUFLEN]; // ctlkey, in1, in2
164 uint8_t ctlkey [TLSPOOL_CTLKEYLEN]; // Control key
166 uint16_t len; // ~0 for "no value provided"
167 uint8_t buffer [TLSPOOL_INFOBUFLEN];
170 struct tlspool_command {
171 uint16_t pio_reqid; // Request->Response request identifier
172 uint16_t pio_cbid; // Response->Request callback identifier
173 uint32_t pio_cmd; // Command tag with semantic version
175 struct pioc_error pioc_error;
176 struct pioc_ping pioc_ping;
177 struct pioc_starttls pioc_starttls;
178 struct pioc_pinentry pioc_pinentry;
179 struct pioc_lidentry pioc_lidentry;
180 struct pioc_control pioc_control;
181 struct pioc_prng pioc_prng;
182 struct pioc_info pioc_info;
185 union { HANDLE hPipe; uint64_t _pad1; };
186 enum anciltype pio_ancil_type;
187 union pio_ancil_data {
188 HANDLE pioa_filehandle;
189 WSAPROTOCOL_INFOW pioa_socket;
196 typedef struct pioc_ping pingpool_t;
197 typedef struct pioc_starttls starttls_t;
198 typedef struct pioc_pinentry pinentry_t;
199 typedef struct pioc_lidentry lidentry_t;
202 /******************************** COMMANDS *******************************/
205 /* An error packet is sent if the other party is unwilling to continue
206 * the current exchange. It explains why, through a code and message,
207 * in the pioc_error type. Error codes are defined in <errno.h> or
208 * the are generated with com_err (see below).
210 #define PIOC_SUCCESS_V2 0x00000000
213 /* An error packet is sent if the other party is unwilling to continue
214 * the current exchange. It explains why, through a code and message,
215 * in the pioc_error type. Error codes are defined in <errno.h> or
216 * the are generated from error tables with compile_et, part of the
217 * com_err suite. The use of com_err is to merge ranges of error
218 * codes from a variety of sources.
220 * We no longer support values other than valid int32_t values in the
221 * integer field. We never used that either, since we focussed on
222 * values taken from <errno.h>. We make this explicit because we
223 * intend to focus on embedded systems, and although DER can pack any
224 * INTEGER size, we want to limit what these systems need to handle
225 * to what is usable for us and practical for them.
227 * Similar to this range limit, com_err was conceived in 1989, when
228 * 32-bit integers were called long and when (apparently) int32_t
229 * integers were not heard of. The specification is clear however,
230 * that error tables need 3 or 4 character names and produce error
231 * codes with a table code in the top 24 bits and a code within the
232 * error range in the bottom 8 bits. This still works today; there
233 * are 16,777,215 (not counting range 0 which is reserved for POSIX
234 * errors from <errno.h>) and the risk of clashes is only 50% when
235 * more than 4000 libraries are merged in one application.
237 * The limit also makes it possible to move values without loss,
238 * tlserrno <- errno <- tlserrno <- errno <- ...
240 * Note that we are storing values in errno that cannot be resolved
241 * with strerror() or perror() but that require their substitutes
242 * error_message() and com_err() from the com_err suite.
244 * Finally, any POSIX error codes unequal to 0, usually in the range
245 * 1..255, are generated locally. The TLS Pool no longer generates
246 * these codes, in light of upcoming support for remote access.
248 #define PIOC_ERROR_V2 0x00000001
251 /* A simple command to exchange courtesy, keepalives and potentially
252 * identifying information of the peers. The same packet is used in
255 * The string in pioc_ping.YYYYMMDD_producer describes the sender's
256 * semantics with an identity comprising of a YYYYMMDD timestamp for
257 * the software semantics version, plus a domain or user@domain identity
258 * representing the producer at that time, terminated with '\0'.
260 * The facilities make it possible to ask the TLS Pool which extended
261 * facilities will be supported. The compile-time constant
262 * PIOF_FACILITY_ALL_CURRENT is usually sent to the TLS Pool, which
263 * will only reset bits from what it receives. The default behaviour
264 * is a bit-wise and with the TLS Pool's own PIOF_FACILITY_ALL_CURRENT
265 * but configuration may lead to a further reduction of usable
268 #define PIOC_PING_V2 0x00000010
271 /* Start a TLS handshake. This uses PIO_STARTTLS_xxx flags, defined below.
272 * One of the things these flags set is the acceptable roles of the local
273 * and remote node -- client, server or peer (for which both are acceptable).
274 * The local definitions of the TLS Pool define part of the semantics.
276 * The payload data is defined in pioc_starttls and is the same
277 * for clients, servers and peers, and for request and response. Clients
278 * usually know the remoteid, and should fill that field instead of
279 * leaving it an empty string. They may already present their localid
280 * or leave it open for possible interaction during the TLS exchange.
282 #define PIOC_STARTTLS_V2 0x00000024
285 /* When a client initiates TLS, it may have started off with an empty
286 * string as its localid. When a server serves a multitude of domains,
287 * it may have done the same. This can lead to a response by the TLS
288 * daemon, proposing a localid that can be modified by the application
289 * and sent back in the same message format. The remoteid is sent
290 * by the TLS Pool as extra information, but it is an empty string if
291 * the information is unavailable.
293 * Various sources may supply a local identity; it may arrive in a
294 * Server Name Indication over TLS, it may be suggested by the disclose.db
295 * with potentially registered LIDENTRY extension. The outcome of these
296 * sources is presented through this command.
298 * This callback is only made when PIOF_STARTTLS_LOCALID_CHECK is set.
299 * Then, be prepared to receive zero or more of these proposals in the course
300 * of a TLS handshake. Especially when rejecting one localid there may
301 * be ways for the TLS Pool to propose other localid values.
302 * The payload used is the pioc_starttls, but only the localid and
303 * remoteid are meaningful when sent by the TLS Pool, and only the
304 * localid is interpreted when it returns to the TLS Pool. In all these
305 * identity strings, the empty string is used to indicate absense of an
308 * When this callback passes a file descriptor to the TLS Pool, it will be
309 * interpreted as the plaintext file descriptor and an implied acceptance
310 * of the local identity presented, regardless of the localid returned.
312 #define PIOC_STARTTLS_LOCALID_V2 0x00000028
315 /* The PIN entry command. The data stored in tlscmd_pinentry determines
316 * what happens exactly. When sent to the TLS Pool it can provide a
317 * non-empty PIN, which only makes sense in response to a PIOC_PINENTRY_V2
318 * from the TLS Pool. An empty PIN always means that no PIN is being
319 * provided, possibly due to cancellation by the user. All
320 * token-descriptive are terminated with a NUL-character, unlike in
321 * PKCS #11 where they have a fixed length. Trailing spaces available
322 * in the PKCS #11 level token description have been stripped off.
324 #define PIOC_PINENTRY_V2 0x00000029
327 /* The named connect command. This is used in callbacks from the TLS Pool,
328 * to ask the application for a file descriptor. Since this is normally called
329 * after the TLS handshake has succeeded, there is no danger of leaking
330 * information early; visibility and accessibility are usually arranged
331 * through PIOC_LIDENTRY_xxx callbacks or the disclose.db but not here. See
332 * PIOF_STARTTLS_LOCALID_CHECK for an earlier, optional callback with
333 * PIOC_STARTTLS_LOCALID_V2 though.
335 * The use of this callback is to provide a second file descriptor to the
336 * TLS Pool, and it is called exactly once as part of a successful TLS
337 * connection setup. The information in the tlsdata_t reflects localid and
338 * remoteid information from the handshake.
340 #define PIOC_PLAINTEXT_CONNECT_V2 0x0000002a
343 /* Generate a pseudo-random sequence based on session cryptographic keys.
344 * In the case of TLS, this adheres to RFC 5705; other protocols may or
345 * may not support a similar mechanism, in which case an error is returned.
347 * This leans on access privileges to an existing connection at a meta-level,
348 * for which we use the customary ctlkey verification mechanism. Note that
349 * random material may be used for security purposes, such as finding the
350 * same session key for both sides deriving from prior key negotiation; the
351 * protection of a ctlkey for such applications is important.
353 * This command provides a struct pioc_prng holding the following information:
354 * - in1_len, in2_len hold lengths < 255 with input strings
355 * - buffer holds the ctlkey and then in1_len + in2_len bytes of input data
356 * - negative values in in1_len and/or in2_len suppress that field
357 * - prng_len holds the requested number of pseudo-random bytes
359 * If the operation succeeds, a struct_pioc_prng is returned holding:
360 * - prng_len holds the provided number of pseudo-random bytes
361 * - buffer holds these bytes (and has overwritten the rest of the buffer)
363 * The RFC 5705 implementation for TLS specifically uses:
364 * - in1_len is the length of the exporter label
365 * - in2_len is negative for no context or it is a context length
367 * Note a few restrictions to the generality of this operation:
368 * - it limits the input sizes
369 * - it limits the retrievable pseuo-random data to a prefix
371 * The TLS Pool may limit certain TLS PRNG labels, in adherence to the
372 * IANA-maintained TLS Exporter Label Registry. It additionally supports
373 * the EXPERIMENTAL label prefix specified in RFC 5705.
375 * Be advised that the size of buffer may increase in future releases. So,
376 * be sure to use TLSPOOL_PRNGBUFLEN which holds the header-file defined size.
378 #define PIOC_PRNG_V2 0x0000002b
381 /* Exchange information about the connection, usually representative
382 * of data fields in credentials. The same information exchange may
383 * serve to read, write or check data, inasfar as it is appropriate
384 * for the kind of information.
386 * The kind of information is a constant PIOK_INFO_xxx as defined
387 * below. The TLS Pool is often authoritative for a kind of
388 * information, but that may not always be the case. What is
389 * always the case is that the authoritative party sends only
390 * data that makes sense. What it receives however, may be seen
393 * The pioc_info structure that holds the information contains not
394 * just an info_kind, but also an info_len with the number of bytes
395 * for the information (which is limited in size).
397 * The info_len can be set to ~0 to indicate that the field must
398 * be considered absent. This is not the same as setting the length
399 * to zero, which might indicate that an empty string is defined.
400 * If you want to ask for information, set info_len to ~0; if you
401 * want to check a value, set info_len to a lower value, perhaps 0.
402 * A check will report an error, while a query would deliver a
403 * desired field. Which makes sense depends on the info_kind.
405 * There is no registry of supported forms of PIOK_INFO_xxx, but
406 * you can simply try the forms that you find interesting.
408 * This could easily detoriorate into a generic carrier for a
409 * protocol, with damaging impact on the internal structure
410 * of the TLS Pool. So don't go there. When more commands are
411 * needed, than add a PIOC_ value that does not occur here yet.
413 * Examples of proper use of pioc_info are for name forms and for
414 * channel binding information. See PIOK_INFO_xxx for concrete
417 * The design of this facility is not keen on iteration. Talk to
418 * us if you think this is wrong. But keep in mind that this
419 * calls for more state maintenance in the TLS Pool and perhaps
420 * a loss of clarity in callback handling in the Asynchronous API.
422 #define PIOC_INFO_V2 0x0000002c
425 /* Detach the connection decribed by the given ctlkey value. The value for
426 * each connection is provided by the client during the STARTTLS setup.
427 * When the ctlkey is not found, an error is returned, otherwise SUCCESS.
428 * See also the PIOF_STARTTLS_DETACH flag, which performs this action as part
429 * of the STARTTLS setup.
431 #define PIOC_CONTROL_DETACH_V2 0x00000100
434 /* Reattach a connection described by the given ctlkey value. This can be
435 * issued over any client connection to the TLS Pool to regain control over
436 * a TLS/plaintext connection, but only if no controlling client is attached
437 * yet. The command returns an ERROR or SUCCESS.
439 #define PIOC_CONTROL_REATTACH_V2 0x00000101
442 /* Register a LIDENTRY extension with the given flags to indicate the desired
443 * callbacks. Only one application may register for such callbacks, and the
444 * registration will provide callbacks for as long as the connection to the
445 * TLS Pool is kept alive. The command never returns; it provides callbacks.
447 * The data field for this command is pioc_lidentry, of which only the flags
448 * are interpreted; and of those, only the ones that impact registration.
450 * Presently, callbacks may be expected to follow a sequence, where zero or
451 * more database entries may be sent preceding the actual callback that asks
452 * for the desired localid to use. This means that other TLS handshakes that
453 * desire to be in the same sequence are locked out, and that may be overruled
454 * at a later time, if we need to provide better interaction.
456 #define PIOC_LIDENTRY_REGISTER_V2 0x00000200
459 /* Callback to the LIDENTRY extension, as well as its non-ERROR responses, use
460 * the PIOC_LIDENTRY_CALLBACK_V2 command with the pioc_lidentry data format.
462 #define PIOC_LIDENTRY_CALLBACK_V2 0x00000201
465 /* This command bit that marks a command as local. Local commands are always
466 * a bit of a risk, and should incorporate some way of identifying the
467 * source of the command, or would otherwise be wise to exercise complete
468 * control over the visibility of the extension code. Picking rather
469 * arbitrary codes may also help somewhat.
471 #define PIOC_LOCAL 0x80000000
474 /*************************** PIOF_FACILITY_xxx FLAGS **************************/
477 /* The PIOF_FACILITY_xxx facilities are sent and received in pioc_ping.
479 * When sent to the TLS Pool, this expresses the facilities that the
480 * application is interested in. A customary practice is to set this
481 * to PIOF_FACILITY_ALL_CURRENT to incorporate all the compile-time
482 * facilities known to the TLS Pool client.
484 * The TLS Pool will respond by resetting those facilities that it will
485 * not support. This may be due to the PIOF_FACILITY_ALL_CURRENT at the
486 * time it was built, or to explicit configuration that denies certain
487 * facilities and/or that only allows certain other facilities.
489 * The facilities that are currently specified, though not necessarily
490 * implemented and incorporated into PIOF_FACILITY_ALL_CURRENT, are:
492 * PIOF_FACILITY_STARTTLS -- support for the PIOC_STARTTLS command
493 * PIOF_FACILITY_STARTGSS -- support for the PIOC_STARTGSS command
494 * PIOF_FACILITY_STARTSSH -- support for the PIOC_STARTSSH command
496 * Note that the interpretation of flags sent from the TLS Pool, as well
497 * as those sent to the TLS Pool, are subject to the API version that is
498 * reported by the the PING command.
501 #define PIOF_FACILITY_ALL_CURRENT 0x00000001
502 #define PIOF_FACILITY_STARTTLS 0x00000001
503 #define PIOF_FACILITY_STARTGSS 0x00000002
504 #define PIOF_FACILITY_STARTSSH 0x00000004
507 /*************************** PIOF_STARTTLS_xxx FLAGS **************************/
510 /* PIOF_STARTTLS_xxx flags are sent and received in pioc_starttls.
512 * When sent to the TLS Pool, they may provide it some freedom; when
513 * it is still set in the response then this freedom has been exercised.
515 * Other flags indicate additional requirements. When these are not met,
516 * an error will be raised. Their meaning in the response is meaningless.
520 /* PIOF_STARTTLS_xxxROLE_xxx flags define whether the local or remote should
521 * act as a client or as a server. This is the TLS relationship, and may or
522 * may not match the transport connection over which TLS runs.
524 * Each side may be setup to act as a peer, which means it will mirror the
525 * other side. When either side is setup as a peer, the TLS Pool will begin
526 * as a client, but employ a TLS extension that can ignore the ClientHello
527 * from one of the sides -- this is not currently a part of TLS, but may be
528 * added later on, in support of peer-to-peer connections as drafted in
529 * draft-vanrein-tls-p2p.
531 * At some point, the TLS transaction has an obvious client and server side,
532 * even in peer-to-peer connections, and a normal handshake commences. But
533 * the remote role helps to decide which forms of identity are acceptable,
534 * and when a remote peer effectively became a server it may still present
535 * a client credential, and the similar freedom may also be assumed by the
536 * local side, although the "right" kind of credential is preferred.
539 #define PIOF_STARTTLS_LOCALROLE_CLIENT 0x00000001
540 #define PIOF_STARTTLS_LOCALROLE_SERVER 0x00000002
541 #define PIOF_STARTTLS_LOCALROLE_PEER 0x00000003
543 #define PIOF_STARTTLS_REMOTEROLE_CLIENT 0x00000004
544 #define PIOF_STARTTLS_REMOTEROLE_SERVER 0x00000008
545 #define PIOF_STARTTLS_REMOTEROLE_PEER 0x0000000c
547 #define PIOF_STARTTLS_BOTHROLES_PEER 0x0000000f
550 /* PIOF_STARTTLS_DTLS requests to setup DTLS instead of TLS.
552 #define PIOF_STARTTLS_DTLS 0x00000100
555 /* PIOF_STARTTLS_WITHOUT_SNI can be used for client-side STARTTLS as an
556 * indication that if the remotid is present then its domain should not
557 * be passed over to the other side as a Server Name Indication. This
558 * is not a common structure for all protocols, but is sent by default
559 * because it is an indicative TLS option. Note that it is useful
560 * for xxxxs: protocols, which immediately start TLS, but usually not
561 * needed for protocols that issue a STARTTLS command during a normal
562 * exchange. Anyhow, this is application-determined.
563 * If the remoteid contains a user@ part, it is not sent as part of
564 * the SNI information, because that would violate the format. That
565 * is a missed opportunity though.
567 #define PIOF_STARTTLS_WITHOUT_SNI 0x00000200
570 /* PIOF_STARTTLS_IGNORE_CACHES requires the TLS Pool to perform the
571 * validation here and now. It will not accept cached results from
572 * recent encounters as sufficient proof that the remote peer has
573 * the acclaimed identity. This can be used at places in an
574 * interaction where the identity of the remote peer must be firmly
575 * established. Note that bypassing the caches dramatically increases
576 * the amount of work for the TLS Pool, and should thus be used with
577 * care. Note that the validation outcome may still be cached, for
578 * future use when the peer relation is more relaxed.
580 #define PIOF_STARTTLS_IGNORE_CACHES 0x00000400
583 /* PIOF_STARTTLS_REQUEST_REMOTEID means that the TLS Pool should not
584 * strictly require, but merely request a remote identity. This is
585 * useful if the remote peer is a client who may not have a certificate
586 * to authenticate with, and should still be able to access the service
587 * over TLS. It is also useful to permit anonymous TLS connections to
588 * remote clients or servers if both sides agree to that.
590 * Note that a bidirectionally unauthenticated TLS connection is not
591 * protected from man in the middle attacks, although its encryption
592 * may protect against passive observers.
594 * This flag is overridden by PIOF_STARTTLS_IGNORE_REMOTEID.
596 #define PIOF_STARTTLS_REQUEST_REMOTEID 0x00000800
599 /* PIOF_STARTTLS_IGNORE_REMOTEID means that the TLS Pool need not bother
600 * to even request a remote identity. If one is provided, it is not
601 * validated. This is useful if the local application cannot use the
602 * remote identity in any useful way. It is also useful to permit
603 * anonymous TLS connections to remote clients or servers if both sides
606 * Note that a bidirectionally unauthenticated TLS connection is not
607 * protected from man in the middle attacks, although it does warrant
608 * against passive observers.
610 * This flag overrides PIOF_STARTTLS_REQUEST_REMOTEID.
612 #define PIOF_STARTTLS_IGNORE_REMOTEID 0x00001000
615 /* PIOF_STARTTLS_DETACH instructs the TLS Pool to detach the TLS session
616 * from the client connection over which it was setup. This means that
617 * no more control commands can be sent in relation to the TLS session
618 * until a client connection issues a successful PIOC_CONTROL_REATTACH_V2.
620 * In many applications, this flag will be combined with PIOF_STARTTLS_FORK
621 * which has an independent meaning; FORK applies to the independent
622 * life of a TLS session that is run by the TLS Pool, and DETACH applies to
623 * the ability to send control commands in relation to a TLS session.
625 * The TLS Pool also implements one relationship between FORK and DETACH;
626 * after a FORK, the close-down of the client that setup a connection will
627 * automatically cause a DETACH of those TLS sessions.
629 * When the PIOC_STARTTLS_xxx exchange starts, the value in ctlkey is stored
630 * fur future reference; control can be regained from any TLS Pool client
631 * connection that presents the ctlkey in PIOC_CONTROL_REATTACH_V2.
633 * See also the PIOC_CONTROL_DETACH_V2 command, which performs the action as
634 * a separate command.
636 #define PIOF_STARTTLS_DETACH 0x00002000
639 /* PIOF_STARTTLS_FORK instructs the TLS Pool that the TLS session should
640 * continue to run when the client connection over which it was setup closes.
641 * By default, TLS sessions are terminated when their requesting client
642 * disappears, for instance due to termination of the requesting program.
644 * FORK and DETACH are different concepts; FORK applies to the independent
645 * life of a TLS session that is run by the TLS Pool, and DETACH applies to
646 * the ability to send control commands in relation to a TLS session. Many
647 * applications will use the two combined. The TLS Pool also implements one
648 * relation; after a FORK, the close-down of the client that setup a
649 * connection will automatically cause a DETACH of those TLS sessions.
651 #define PIOF_STARTTLS_FORK 0x00004000
654 /* PIOF_STARTTLS_DOMAIN_REPRESENTS_USER indicates that the remote identity
655 * need not be the expected user@domain, but that the domain is acceptable
656 * as well. This is a common flag on protocols such as SMTP, where a
657 * server represents all users under its domain, and authenticates as the
658 * domain instead of as the user. Note that the flag applies equally well
659 * to clients as it does to servers. If an application does not supply
660 * this flag, it must supply any remote_id field for a STARTTLS exchange in
661 * the exact format as it is supported by the server. The returned remote_id
662 * will always be the exact identity as provided by the server.
664 #define PIOF_STARTTLS_DOMAIN_REPRESENTS_USER 0x00008000
667 /* PIOF_STARTTLS_LOCALID_CHECK requests that a local identity is provided
668 * to the application before it is accepted; this mechanism allows the
669 * application to check such things as its list of virtual host names, and
670 * whether these can be served. When this flag is set, the callback command
671 * PIOC_STARTTLS_LOCALID_V2 is sent before presenting the local identity.
672 * The local identity that is being checked is the outcome from the disclose.db
673 * with possible extensions by a registered LIDENTRY extension.
675 #define PIOF_STARTTLS_LOCALID_CHECK 0x00010000
678 /* PIOF_STARTTLS_RENEGOTIATE takes a previously agreed TLS connection and
679 * renegotiates identities as specified in this STARTTLS request. The
680 * ctlkey field indicates an attached TLS connection that is to be
681 * renegotiated; this field will not be modified in the course of this
682 * run of the STARTTLS command.
684 #define PIOF_STARTTLS_RENEGOTIATE 0x00020000
687 /* PIOF_STARTTLS_LOCALID_ONTHEFLY indicates that the localid credentials in the
688 * STARTTLS request should be generated on the fly. This may restrict the number
689 * of technologies available, and it usually requires the remote end to accept
690 * certificates signed by the TLS Pool, usually under a signing key/certificate
691 * as setup in etc/tlspool.conf with tls_onthefly_signcert and _signkey. Note
692 * that if these are not configured, the STARTTLS request will usually fail.
694 #define PIOF_STARTTLS_LOCALID_ONTHEFLY 0x00040000
698 /*************************** PIOF_LIDENTRY_xxx FLAGS **************************/
701 /* The flags below set the behaviour while searching the disclose.db for entries
702 * that map a remote identity to a list of local identities. It indicates which
703 * values may be passed without interaction by the LIDENTRY extension; by
704 * default, the registration of a LIDENTRY extension implies that all attempts
705 * to determine a local identity pass through the extension; the _SKIP_ flags
706 * indicate which entries may be implicitly skipped when they *all* apply.
708 * PIOF_LIDENTRY_SKIP_USER indicates that part of the skip condition is that
709 * any username is not removed; variants with just a domain name are also
710 * considered skippable under this flag;
712 * PIOF_LIDENTRY_SKIP_DOMAIN_xxx indicates whether the domain may be changed;
713 * use _SAME and/or _ONEUP to indicate 0 and 1 levels up from the concrete
714 * domain name; the _SUB variation combines _SAME and _ONEUP.
716 * PIOF_LIDENTRY_SKIP_NOTROOT indicates that the entry must not be the root
717 * domain entry; whether or not the username is removed is not of influence
718 * on the meaning of this flag.
720 * PIOF_LIDENTRY_SKIP_DBENTRY indicates that the entry must be in the database;
721 * it is implied by all the above, but has meaning when used on its own, as it
722 * permits skipping anything that is stored, without further restricting flags.
724 * These flags are used while registering a LIDENTRY extension; they are also
725 * returned in callbacks, where they refer to the remote identity selector.
726 * For example, _SKIP_USER indicates that the username part was skipped, and
727 * _SKIP_DOMAIN_ONEUP indicates that the domain name goes one up.
729 * Although the skip selection could be made in the extension, it is less
730 * efficient that way; the interaction with the extension is forced into a
731 * sequence, and concurrent contenders may therefore need to wait for the
732 * extension while it is interacting with the user. So, skipping user
733 * interaction when it is not needed is advantageous. When skipping, the
734 * disclose.db is used as a source, as if the LIDENTRY extension was not
737 #define PIOF_LIDENTRY_SKIP_DBENTRY 0x00000080 /* in all _SKIP_ */
738 #define PIOF_LIDENTRY_SKIP_USER 0x00000081
739 #define PIOF_LIDENTRY_SKIP_DOMAIN_SAME 0x00000082
740 #define PIOF_LIDENTRY_SKIP_DOMAIN_ONEUP 0x00000084
741 #define PIOF_LIDENTRY_SKIP_DOMAIN_SUB 0x00000086 /* _SAME | _ONEUP */
742 #define PIOF_LIDENTRY_SKIP_NOTROOT 0x00000088
745 /* PIOF_LIDENTRY_LIST_DBENTRY is used as a flag during PIOC_LIDENTRY_REGISTER_V2
746 * and will cause PIOC_LIDENTRY_CALLBACK_V2 callbacks for database entries at
747 * the most concrete level above the considered remoteid.
749 * Any such database entry callbacks precede the normal callback and have:
750 * - PIOF_LIDENTRY_DBENTRY set
751 * - maxlevels set to the number of levels up for this entry (0 for concrete)
752 * - remoteid set to the remoteid entry found in disclose.db
753 * - localid set to an entry found in the database
754 * The return from the callback should not be ERROR but is otherwise ignored.
756 * The final/normal callback is different:
757 * - PIOF_LIDENTRY_DBENTRY is not set
758 * - maxlevels set to the number of permissible levels up (from 0 for concrete)
759 * - remoteid set to the concrete remote identity considered
760 * - localid set to the application-suggested local identity, or empty=undef
761 * The return value from the callback should be PIOC_LIDENTRY_CALLBACK and have:
762 * - flags can hold PIOF_LIDENTRY_xxx flags suitable for callback processing
763 * - remoteid is the given concrete, or no more than maxlevels iterations up
764 * - localid is the concrete identity to disclose, unrelated to the suggested
766 #define PIOF_LIDENTRY_WANT_DBENTRY 0x00000100
767 #define PIOF_LIDENTRY_DBENTRY 0x00001000
770 /* The mask PIOF_LIDENTRY_REGFLAGS is used to mask the flags that will be
771 * reproduced in the callback flags, and should be left alone by applications
772 * as these flags will be used during re-registration. Note that this must
773 * pass through the callback interface, because the re-registration may occur
774 * after a timeout and should then ideally behave the same (if not overtaken
775 * by another process) as a timely re-registration. Modification of these
776 * flags in the callback in case of timely callback is undefined and any
777 * reliance of that is subject to possible future breakage without warning.
779 #define PIOF_LIDENTRY_REGFLAGS 0x00000fff
782 /* PIOF_LIDENTRY_DBAPPEND and PIOF_LIDENTRY_DBINSERT indicate that the provided
783 * information should be added to the database, respectively at the end or
784 * beginning of the disclose.db list of local identities for the given remote
785 * identity. When the entry is already available, the posision is not changed
786 * by default, but that will be done when PIOF_LIDENTRY_DBREORDER is set.
788 * Changes to the database are part of a database transaction that is rolled
789 * back when the TLS handshake fails. This means that providing an identity
790 * that somehow fails to work is not going to be remembered for the next time.
791 * A simple restart of the TLS handshake therefore suffices to restart the
792 * user interaction and find an alternative. Note that it is assumed that the
793 * application that uses the TLS Pool will somehow report back on the failure,
794 * and the user should therefore not be surprised to be confronted with a
795 * question that he though had been stored.
797 * Note that these flags lead to database activity; optimal efficiency
798 * requires that they are only set on PIOF_LIDENTRY_CALLBACK_V2 responses
799 * that actually write to the database -- because they return either:
800 * - a remoteid less than maxlevels steps up with _DBINSERT/_DBAPPEND
801 * - a localid with _DBINSERT/_DBAPPEND if it is not yet setup in the database
802 * - a localid whose position must be updated under _DBREORDER
804 #define PIOF_LIDENTRY_DBINSERT 0x00002000
805 #define PIOF_LIDENTRY_DBAPPEND 0x00004000
806 #define PIOF_LIDENTRY_DBREORDER 0x00008000
809 /* PIOF_LIDENTRY_NEW indicates in a response to a callback that the selected
810 * local identity should be available soon, but may not have come through yet.
811 * It instructs the TLS Pool to await its arrival before proceeding.
813 * This flag is useful to end a callback (and thus free up the resource of the
814 * forced user-interaction sequence) while identities are being created in
815 * complex network infrastructures that may involve key generation, publication
816 * in identity showcases like DNS or LDAP, and whatever else is needed to have
817 * identities embedded in an infrastructure.
819 * TODO: This is unimplemented behaviour; the flag is merely allocated.
820 * The result of using this is currently immediate return of DB_NOTFOUND.
822 #define PIOF_LIDENTRY_NEW 0x00100000
825 /* PIOF_LIDENTRY_ONTHEFLY indicates in a response to callback that the selected
826 * local identity should be setup as an on-the-fly identity. This type of
827 * identity is only available locally, and uses a configured credential to
828 * vouch for the on-the-fly generated identity. The manner in which this
829 * is done depends on the kind of credential to provide.
831 * These on-the-fly identities will disappear when the TLS Pool restarts, and
832 * possibly sooner. They are to be considered usable for one connection only,
833 * although temporary caching may be used to improve efficiency. In general,
834 * do not rely on the same certificate to stay available. Also, do not expect
835 * public visibility of this identity in LDAP, DNS, or other identity showcase.
837 * Note that it should be assumed that these identities require special setup
838 * in the remote node; if it is a full-blown TLS Pool, it will not appreciate
839 * the locality of the identity, and demand more infrastructural confirmation
840 * in identity showcases. One example of its use however, is towards lame
841 * and old-fashioned remote services and towards highly structured local users,
842 * such as off-the-shelve browsers that require a HTTPS proxy.
844 * TODO: This is unimplemented behaviour; the flag is merely allocated.
845 * For now, the response is the same as in lieu of configuration of a
846 * root key and cert, namely to return DB_NOTFOUND.
848 #define PIOF_LIDENTRY_ONTHEFLY 0x00200000
852 /************************** PIOK_INFO_xxx KINDS *************************/
855 /* PIOK_INFO_CERT_SUBJECT and PIOK_INFO_CERT_ISSUER reference the
856 * subject and issuer fields of the TBSCertificate in RFC 5280.
857 * The representation is exact, which is reasonable because the
858 * contents in this structure are in DER, which is a canonical
859 * representation. Incidentally, and not widely known, the
860 * surroundings of TBSCertificate are permitted to be BER, so
861 * more loosely structured and certainly not canonical. But,
862 * since it is often generated together and because all DER is
863 * valid BER, it is usually DER. Just thought you might care.
865 * The difference between _PEERCERT_ and _MYCERT_ is that
866 * the former looks at the remote certificate and the latter
867 * at the local certificate.
869 #define PIOK_INFO_PEERCERT_SUBJECT 0x52800000
870 #define PIOK_INFO_PEERCERT_ISSUER 0x52800001
871 #define PIOK_INFO_MYCERT_SUBJECT 0x52800100
872 #define PIOK_INFO_MYCERT_ISSUER 0x52800101
875 /* PIOK_INFO_CERT_SUBJECTALTNAME references the subjectAltName field
876 * in an X.509 certificate. This can only be used as a check, and the
877 * search for an exact match. The structure of the name in info_buf
878 * must be like the GeneralName in RFC 5280. Interesting forms here
879 * are the dNSName that is in common use in a large number of server
880 * certificates, and the KRB5PrincipalName from RFC 4556 that uses the
881 * OtherName form to introduce an object identifier followed by the
882 * realm and principal name of a Kerberos identity.
884 * The difference between _PEERCERT_ and _MYCERT_ is that
885 * the former looks at the remote certificate and the latter
886 * at the local certificate.
888 #define PIOK_INFO_PEERCERT_SUBJECTALTNAME 0x52800002
889 #define PIOK_INFO_MYCERT_SUBJECTALTNAME 0x52800102
892 /* PIOK_INFO_CHANBIND_TLS_UNIQUE returns the information for
893 * channel binding in the tls-unique variant, as defined in
894 * RFC 5929. Briefly put, it exports the one-but-last of the
895 * Finished messages in TLS. It can be used to improve the
896 * binding between layers. SASL and GSS-API define a variety
897 * of mechanisms that incorporate these values into their
898 * calculations. Effectively, authentication fails when the
899 * end points wrongly assume that they are on the same channel.
901 #define PIOK_INFO_CHANBIND_TLS_UNIQUE 0x59290000
904 /* PIOK_INFO_CHANBIND_TLS_SERVER_END_POINT is a much simpler,
905 * but also much weaker alternative to the foregoing option
906 * for channel binding. Briefly put, it exports a hash of
907 * the server certificate. The certificate is taken from a
908 * TLS connection that does its own validation, but the
909 * relative weakness of this form of channel binding is that
910 * it is the same for all TLS connections to the same server.
911 * In other words, a SASL mechanism using this form of
912 * channel binding might be replayed against the same server
913 * if it was captured in spite of the TLS protection. Avoid
914 * this option if you can use tls-unique.
916 #define PIOK_INFO_CHANBIND_TLS_SERVER_END_POINT 0x59290001
924 #endif //TLSPOOL_COMMANDS_H