1TLS_LOAD_FILE(3)         BSD Library Functions Manual         TLS_LOAD_FILE(3)
2

NAME

4     tls_load_file, tls_unload_file, tls_config_set_ca_file,
5     tls_config_set_ca_path, tls_config_set_ca_mem, tls_config_set_cert_file,
6     tls_config_set_cert_mem, tls_config_set_crl_file, tls_config_set_crl_mem,
7     tls_config_set_key_file, tls_config_set_key_mem,
8     tls_config_set_ocsp_staple_mem, tls_config_set_ocsp_staple_file,
9     tls_config_set_keypair_file, tls_config_set_keypair_mem,
10     tls_config_set_keypair_ocsp_file, tls_config_set_keypair_ocsp_mem,
11     tls_config_add_keypair_file, tls_config_add_keypair_ocsp_mem,
12     tls_config_add_keypair_ocsp_file, tls_config_add_keypair_mem,
13     tls_config_clear_keys, tls_config_set_verify_depth,
14     tls_config_verify_client, tls_config_verify_client_optional,
15     tls_default_ca_cert_file — TLS certificate and key configuration
16

SYNOPSIS

18     #include <tls.h>
19
20     uint8_t *
21     tls_load_file(const char *file, size_t *len, char *password);
22
23     void
24     tls_unload_file(uint8_t *buf, size_t len);
25
26     int
27     tls_config_set_ca_file(struct tls_config *config, const char *ca_file);
28
29     int
30     tls_config_set_ca_path(struct tls_config *config, const char *ca_path);
31
32     int
33     tls_config_set_ca_mem(struct tls_config *config, const uint8_t *cert,
34         size_t len);
35
36     int
37     tls_config_set_cert_file(struct tls_config *config,
38         const char *cert_file);
39
40     int
41     tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
42         size_t len);
43
44     int
45     tls_config_set_crl_file(struct tls_config *config, const char *crl_file);
46
47     int
48     tls_config_set_crl_mem(struct tls_config *config, const uint8_t *crl,
49         size_t len);
50
51     int
52     tls_config_set_key_file(struct tls_config *config, const char *key_file);
53
54     int
55     tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
56         size_t len);
57
58     int
59     tls_config_set_ocsp_staple_mem(struct tls_config *config,
60         const uint8_t *staple, size_t len);
61
62     int
63     tls_config_set_ocsp_staple_file(struct tls_config *config,
64         const char *staple_file);
65
66     int
67     tls_config_set_keypair_file(struct tls_config *config,
68         const char *cert_file, const char *key_file);
69
70     int
71     tls_config_set_keypair_mem(struct tls_config *config,
72         const uint8_t *cert, size_t cert_len, const uint8_t *key,
73         size_t key_len);
74
75     int
76     tls_config_set_keypair_ocsp_file(struct tls_config *config,
77         const char *cert_file, const char *key_file,
78         const char *staple_file);
79
80     int
81     tls_config_set_keypair_ocsp_mem(struct tls_config *config,
82         const uint8_t *cert, size_t cert_len, const uint8_t *key,
83         size_t key_len, const uint8_t *staple, size_t staple_len);
84
85     int
86     tls_config_add_keypair_file(struct tls_config *config,
87         const char *cert_file, const char *key_file);
88
89     int
90     tls_config_add_keypair_mem(struct tls_config *config,
91         const uint8_t *cert, size_t cert_len, const uint8_t *key,
92         size_t key_len);
93
94     int
95     tls_config_add_keypair_ocsp_file(struct tls_config *config,
96         const char *cert_file, const char *key_file,
97         const char *staple_file);
98
99     int
100     tls_config_add_keypair_ocsp_mem(struct tls_config *config,
101         const uint8_t *cert, size_t cert_len, const uint8_t *key,
102         size_t key_len, const uint8_t *staple, size_t staple_len);
103
104     void
105     tls_config_clear_keys(struct tls_config *config);
106
107     int
108     tls_config_set_verify_depth(struct tls_config *config, int verify_depth);
109
110     void
111     tls_config_verify_client(struct tls_config *config);
112
113     void
114     tls_config_verify_client_optional(struct tls_config *config);
115
116     const char *
117     tls_default_ca_cert_file(void);
118

DESCRIPTION

120     tls_load_file() loads a certificate or key from disk into memory to be
121     used with tls_config_set_ca_mem(), tls_config_set_cert_mem(),
122     tls_config_set_crl_mem() or tls_config_set_key_mem().  On success the
123     size of the returned buffer is stored in len.  A private key will be
124     decrypted if the optional password argument is specified; pass NULL when
       the key is not encrypted.  Because the buffer may hold private key
       material, it should be released with tls_unload_file() rather than
       free(3).
124
125     tls_unload_file() unloads the memory that was returned from an earlier
126     tls_load_file() call, ensuring that the memory contents are discarded
       before the buffer is released so that key material does not linger in
       memory.
127
128     tls_default_ca_cert_file() returns the path of the file that contains the
129     default root certificates.
130
131     tls_config_set_ca_file() sets the filename used to load a file containing
132     the root certificates.
133
134     tls_config_set_ca_path() sets the path (directory) which should be
135     searched for root certificates.
136
137     tls_config_set_ca_mem() sets the root certificates directly from memory.
138
139     tls_config_set_cert_file() sets the file from which the public certifi‐
140     cate will be read.
141
142     tls_config_set_cert_mem() sets the public certificate directly from mem‐
143     ory.
144
145     tls_config_set_crl_file() sets the filename used to load a file contain‐
146     ing the Certificate Revocation List (CRL).
147
148     tls_config_set_crl_mem() sets the CRL directly from memory.
149
150     tls_config_set_key_file() sets the file from which the private key will
151     be read.
152
153     tls_config_set_key_mem() directly sets the private key from memory.
154
155     tls_config_set_ocsp_staple_file() sets a DER-encoded OCSP response to be
156     stapled during the TLS handshake from the specified file.
157
158     tls_config_set_ocsp_staple_mem() sets a DER-encoded OCSP response to be
159     stapled during the TLS handshake from memory.
160
161     tls_config_set_keypair_file() sets the files from which the public cer‐
162     tificate and private key will be read.
163
164     tls_config_set_keypair_mem() directly sets the public certificate and
165     private key from memory.
166
167     tls_config_set_keypair_ocsp_file() sets the files from which the public
168     certificate, private key, and DER-encoded OCSP staple will be read.
169
170     tls_config_set_keypair_ocsp_mem() directly sets the public certificate,
171     private key, and DER-encoded OCSP staple from memory.
172
173     tls_config_add_keypair_file() adds an additional public certificate and
174     private key from the specified files, used as an alternative certificate
175     for Server Name Indication (server only).
176
177     tls_config_add_keypair_mem() adds an additional public certificate and
178     private key from memory, used as an alternative certificate for Server
179     Name Indication (server only).
180
181     tls_config_add_keypair_ocsp_file() adds an additional public certificate,
182     private key, and DER-encoded OCSP staple from the specified files, used
183     as an alternative certificate for Server Name Indication (server only).
184
185     tls_config_add_keypair_ocsp_mem() adds an additional public certificate,
186     private key, and DER-encoded OCSP staple from memory, used as an alterna‐
187     tive certificate for Server Name Indication (server only).
188
189     tls_config_clear_keys() clears any secret keys from memory.  Applications
       that keep a tls_config object resident after it is no longer needed for
       tls_configure(3) should call it so that private key material is not
       retained longer than necessary.
190
191     tls_config_set_verify_depth() limits the number of intermediate certifi‐
192     cates that will be followed during certificate validation.
193
194     tls_config_verify_client() enables client certificate verification,
195     requiring the client to send a certificate (server only); a client that
       presents no valid certificate is rejected.
196
197     tls_config_verify_client_optional() enables client certificate verifica‐
198     tion, without requiring the client to send a certificate (server only).
       A client that presents no certificate still completes the handshake, so
       the application must itself check whether a certificate was presented
       before treating the peer as authenticated.
199

RETURN VALUES

201     tls_load_file() returns a pointer to the loaded data, storing its size in
       len, or NULL on error or an out of memory condition.
202
203     The functions declared as returning int return 0 on success or -1 on
       error.  tls_default_ca_cert_file() returns a string, and the functions
       declared void return nothing.
204

SEE ALSO

206     tls_config_ocsp_require_stapling(3), tls_config_set_protocols(3),
207     tls_config_set_session_id(3), tls_configure(3), tls_init(3)
208

HISTORY

210     tls_config_set_ca_file(), tls_config_set_ca_path(),
211     tls_config_set_cert_file(), tls_config_set_cert_mem(),
212     tls_config_set_key_file(), tls_config_set_key_mem(), and
213     tls_config_set_verify_depth() appeared in OpenBSD 5.6 and got their final
214     names in OpenBSD 5.7.
215
216     tls_load_file(), tls_config_set_ca_mem(), and tls_config_clear_keys()
217     appeared in OpenBSD 5.7.
218
219     tls_config_verify_client() and tls_config_verify_client_optional()
220     appeared in OpenBSD 5.9.
221
222     tls_config_set_keypair_file() and tls_config_set_keypair_mem() appeared
223     in OpenBSD 6.0, and tls_config_add_keypair_file() and
224     tls_config_add_keypair_mem() in OpenBSD 6.1.
225
226     tls_config_set_crl_file() and tls_config_set_crl_mem() appeared in
227     OpenBSD 6.2.
228

AUTHORS

230     Joel Sing <jsing@openbsd.org> with contributions from
231     Ted Unangst <tedu@openbsd.org> and
232     Bob Beck <beck@openbsd.org>.
233
234     tls_load_file() and tls_config_set_ca_mem() were written by
235     Reyk Floeter <reyk@openbsd.org>.
236
237BSD                            November 29, 2018                           BSD