Diffstat (limited to 'src/libpttls/pt_tls.h')
-rw-r--r-- | src/libpttls/pt_tls.h | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
new file mode 100644
index 000000000..92a040f3f
--- /dev/null
+++ b/src/libpttls/pt_tls.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls libpttls
+ *
+ * @addtogroup pt_tls
+ * @{
+ */
+
+#ifndef PT_TLS_H_
+#define PT_TLS_H_
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <tls_socket.h>
+
+/**
+ * PT-TLS version we support
+ */
+#define PT_TLS_VERSION 1
+
+/**
+ * Length of a PT-TLS header
+ */
+#define PT_TLS_HEADER_LEN 16
+
+typedef enum pt_tls_message_type_t pt_tls_message_type_t;
+typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t;
+typedef enum pt_tls_auth_t pt_tls_auth_t;
+
+/**
+ * Message types, as defined by NEA PT-TLS
+ */
+enum pt_tls_message_type_t {
+ PT_TLS_EXPERIMENTAL = 0,
+ PT_TLS_VERSION_REQUEST = 1,
+ PT_TLS_VERSION_RESPONSE = 2,
+ PT_TLS_SASL_MECHS = 3,
+ PT_TLS_SASL_MECH_SELECTION = 4,
+ PT_TLS_SASL_AUTH_DATA = 5,
+ PT_TLS_SASL_RESULT = 6,
+ PT_TLS_PB_TNC_BATCH = 7,
+ PT_TLS_ERROR = 8,
+};
+
+/**
+ * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
+ */
+enum pt_tls_sasl_result_t {
+ PT_TLS_SASL_RESULT_SUCCESS = 0,
+ PT_TLS_SASL_RESULT_FAILURE = 1,
+ PT_TLS_SASL_RESULT_ABORT = 2,
+ PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
+};
+
+/**
+ * Client authentication to require as PT-TLS server.
+ */
+enum pt_tls_auth_t {
+ /** don't require TLS client certificate or request SASL authentication */
+ PT_TLS_AUTH_NONE,
+ /** require TLS certificate authentication, no SASL */
+ PT_TLS_AUTH_TLS,
+ /** do SASL regardless of TLS certificate authentication */
+ PT_TLS_AUTH_SASL,
+ /* if client does not authenticate with a TLS certificate, request SASL */
+ PT_TLS_AUTH_TLS_OR_SASL,
+ /* require both, TLS certificate authentication and SASL */
+ PT_TLS_AUTH_TLS_AND_SASL,
+};
+
+/**
+ * Read a PT-TLS message, create reader over Message Value.
+ *
+ * @param tls TLS socket to read from
+ * @param vendor receives Message Type Vendor ID from header
+ * @param type receives Message Type from header
+ * @param identifier receives Message Identifer
+ * @return reader over message value, NULL on error
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+ u_int32_t *type, u_int32_t *identifier);
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer.
+ *
+ * @param tls TLS socket to write to
+ * @param writer prepared Message value to write
+ * @param type Message Type to write
+ * @param identifier Message Identifier to write
+ * @return TRUE if data written successfully
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+ pt_tls_message_type_t type, u_int32_t identifier);
+
+#endif /** PT_TLS_H_ @}*/ |
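Review bot: The contract of `pt_tls_read` does not say how the Message Length field of the 16-byte header (`PT_TLS_HEADER_LEN`) is checked before the value is read from the socket, so a caller cannot tell from this header whether a peer-supplied length is bounded; the implementation is outside this hunk, so this is inferred from the declaration alone. I would extend the docblock with `@return reader over message value, NULL on error or when the header's Message Length is malformed or above the implementation limit` and state that the caller owns and must destroy the returned reader. In `enum pt_tls_auth_t` the last two members are described with `/* */` while the first three use `/** */`, so Doxygen drops those two descriptions; make them `/** ... */` as well. Two typos in the doc comments: `mechansim` should be `mechanism` and `Identifer` should be `Identifier`.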