[exim-cvs] Add interface documentation for the DANE library

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Add interface documentation for the DANE library
Gitweb: http://git.exim.org/exim.git/commitdiff/946ecbe0c046adc421dd897b34ed5b68229bba22
Commit:     946ecbe0c046adc421dd897b34ed5b68229bba22
Parent:     880a1e7750a0d8935d48788e35ff03e47f7f6ada
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jul 31 21:52:48 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jul 31 21:52:48 2014 +0100


    Add interface documentation for the DANE library
---
 src/src/dane-openssl.c |   91 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/src/tls-openssl.c  |    3 +-
 2 files changed, 93 insertions(+), 1 deletions(-)


diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index 7815570..c8099f6 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -1058,6 +1058,22 @@ list_free(((dane_selector) p)->mtype, dane_mtype_free);
OPENSSL_free(p);
}

+
+
+/*
+
+Tidy up once the connection is finished with.
+
+Arguments
+  ssl        The ssl connection handle
+
+=> Before calling SSL_free()
+tls_close() and tls_getc() [the error path] are the obvious places.
+Could we do it earlier - right after verification?  In tls_client_start()
+right after SSL_connect() returns, in that case.
+
+*/
+
 void
 DANESSL_cleanup(SSL *ssl)
 {
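Review bot: The comment added at L36–L48 mixes the function's contract with open integration questions ("Could we do it earlier - right after verification?"), and the same pattern recurs in the DANESSL_init comment ("=> In tls_client_start() ... Exactly where probably does not matter") and the DANESSL_CTX_init comment ("replacing (? what about fallback) ..."). A reader of the library interface cannot tell which sentences are guarantees and which are notes-to-self, so the contract should stand alone, e.g. `Tidy up the DANE state attached to ssl; call before SSL_free() on the connection.`, with the placement questions moved to a TODO in the caller or to the commit message. DANESSL_cleanup's body continues outside the hunk.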
@@ -1105,6 +1121,28 @@ while(*src)
 return head;
 }


+
+
+
+/*
+
+Call this for each TLSA record found for the target, after the
+DANE setup has been done on the ssl connection handle.
+
+Arguments:
+  ssl        Connection handle
+  usage        TLSA record field
+  selector    TLSA record field
+  mdname    ??? message digest name?
+  data        ??? TLSA record megalump?
+  dlen        length of data
+
+Return
+  -1 on error
+  0  action not taken
+  1  record accepted
+*/
+
 int
 DANESSL_add_tlsa(SSL *ssl, uint8_t usage, uint8_t selector, const char *mdname,
         unsigned const char *data, size_t dlen)
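Review bot: The descriptions of mdname and data are left as "???" placeholders (L70–L71), so the comment does not yet tell a caller what to pass; the hostnames entry in the DANESSL_init comment further down has the same gap. If this file follows the Postfix DANE interface it appears to be derived from, mdname is the digest algorithm name used for the digest-based matching types (NULL when the full certificate association data is supplied) and data/dlen are the TLSA certificate association data bytes — confirm against the body, which continues outside the hunk, before writing that down. It is also worth stating in the comment that only DNSSEC-validated TLSA records should be fed in, since each accepted record defines what the peer's certificate is matched against, e.g. `data  TLSA certificate association data, from a DNSSEC-validated record`.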
@@ -1254,6 +1292,30 @@ else if(klist)
 return 1;
 }


+
+
+
+/*
+Call this once we have an ssl connection handle but before
+making the TLS connection.
+
+=> In tls_client_start() after the call to SSL_new()
+and before the call to SSL_connect().  Exactly where
+probably does not matter.
+We probably want to keep our existing SNI handling;
+call this with NULL.
+
+Arguments:
+  ssl        Connection handle
+  sni_domain    Optional peer server name
+  hostnames    ?? list of names - but what names?
+
+Return
+  -1 on fatal error
+  0  nonfatal error
+  1  success
+*/
+
 int
 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
 {
@@ -1312,6 +1374,25 @@ if(hostnames && !(dane->hosts = host_list_init(hostnames)))
 return 1;
 }


+
+/*
+
+Call this once we have a context to work with, but
+before DANESSL_init()
+
+=> in tls_client_start(), after tls_init() call gives us the ctx,
+if we decide we want to (policy) and can (TLSA records available)
+replacing (? what about fallback) everything from testing tls_verify_hosts
+down to just before calling SSL_new() for the conn handle.
+
+Arguments
+  ctx        SSL context
+
+Return
+  -1    Error
+  1    Success
+*/
+
 int
 DANESSL_CTX_init(SSL_CTX *ctx)
 {
@@ -1383,6 +1464,15 @@ if(!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
 dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
 }


+
+
+/*
+
+Call this once. Probably early in startup will do; may need
+to be after SSL library init.
+
+*/
+
int
DANESSL_library_init(void)
{
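Review bot: The new comment for DANESSL_library_init omits the return value, although the function is declared `int` (L156) and the next hunk shows it returning 0 after DANEerr() on the unsupported-OpenSSL path. A Return section in the same form as the other comments in this commit would close that gap, e.g. `Return:  0 on error (DANE support unavailable), nonzero on success` — the exact success value should be checked against the body, which is outside the hunk. "May need to be after SSL library init" also leaves the ordering requirement open; if it is a real precondition it should be stated as one rather than as a possibility.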
@@ -1399,6 +1489,7 @@ DANEerr(DANE_F_SSL_DANE_LIBRARY_INIT, DANE_R_DANE_SUPPORT);
return 0;
}

+
#endif /* OPENSSL_VERSION_NUMBER */
/* vi: aw ai sw=2
*/
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 18994ea..eeff64f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1008,13 +1008,14 @@ return i;
of the library. We allocate and return a context structure.

 Arguments:
+  ctxp            returned SSL context
   host            connected host, if client; NULL if server
   dhparam         DH parameter file
   certificate     certificate file
   privatekey      private key
   ocsp_file       file of stapling info (server); flag for require ocsp (client)
   addr            address if client; NULL if server (for some randomness)
-  cbp             place to put allocated context
+  cbp             place to put allocated callback context


 Returns:          OK/DEFER/FAIL
 */