/* Copyright (c) 2012, Jacob Appelbaum
 * Copyright (c) 2012, The Tor Project, Inc. */
/* See LICENSE for licensing information */

/**
  * \file tlsdate-helper.h
  * \brief The secondary header for our clock helper.
  **/

#ifndef TLSDATEHELPER_H
#define TLSDATEHELPER_H

#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef TARGET_OS_HAIKU
#include <posix/string.h>
#include <bsd/string.h>
#endif
#include <unistd.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <time.h>
#include <pwd.h>
#include <grp.h>
#include <arpa/inet.h>
#include <ctype.h>
#ifdef HAVE_PRCTL
#include <sys/prctl.h>
#endif

#ifndef USE_POLARSSL
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#endif

int verbose;
int verbose_debug;

#include "src/util.h"

/** Name of user that we feel safe to run SSL handshake with. */
#ifndef UNPRIV_USER
#define UNPRIV_USER "nobody"
#endif
#ifndef UNPRIV_GROUP
#define UNPRIV_GROUP "nogroup"
#endif

// We should never accept a time before we were compiled
// We measure in seconds since the epoch - eg: echo `date '+%s'`
// We set this manually to ensure others can reproduce a build;
// automation of this will make every build different!
#ifndef RECENT_COMPILE_DATE
#define RECENT_COMPILE_DATE 1342323666L
#endif

#ifndef MAX_REASONABLE_TIME
#define MAX_REASONABLE_TIME 1999991337L
#endif

#ifndef MIN_PUB_KEY_LEN
#define MIN_PUB_KEY_LEN (uint32_t) 1023
#endif

#ifndef MIN_ECC_PUB_KEY_LEN
#define MIN_ECC_PUB_KEY_LEN (uint32_t) 160
#endif

#ifndef MAX_ECC_PUB_KEY_LEN
#define MAX_ECC_PUB_KEY_LEN (uint32_t) 521
#endif
// After the duration of the TLS handshake exceeds this threshold
// (in msec), a warning is printed.
#define TLS_RTT_THRESHOLD      2000

// After the duration of the TLS handshake exceeds this threshold
// (in msec), we consider the operation to have failed.
#define TLS_RTT_UNREASONABLE      30000

// RFC 5280 says...
// ub-common-name-length INTEGER ::= 64
#define MAX_CN_NAME_LENGTH 64

// RFC 1034 and posix say...
#define TLSDATE_HOST_NAME_MAX 255

// To support our RFC 2595 wildcard verification
#define RFC2595_MIN_LABEL_COUNT 3

// Define a max length for the HTTP Date: header
#define MAX_DATE_LINE_LEN 32

// Define a max length for HTTP headers
#define MAX_HTTP_HEADERS_SIZE 8192

// Define our basic HTTP request
#define HTTP_REQUEST    \
  "HEAD / HTTP/1.1\r\n" \
  "User-Agent: %s\r\n"  \
  "Host: %s\r\n"        \
  "\r\n"

static int ca_racket;

static const char *host;

static const char *hostname_to_verify;

static const char *port;

static const char *protocol;

static char *proxy;

static const char *ca_cert_container;
#ifndef USE_POLARSSL
void openssl_time_callback (const SSL* ssl, int where, int ret);
uint32_t get_certificate_keybits (EVP_PKEY *public_key);
uint32_t check_cn (SSL *ssl, const char *hostname);
uint32_t check_san (SSL *ssl, const char *hostname);
long openssl_check_against_host_and_verify (SSL *ssl);
uint32_t check_name (SSL *ssl, const char *hostname);
uint32_t verify_signature (SSL *ssl, const char *hostname);
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);
#endif
uint32_t dns_label_count (char *label, char *delim);
uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
                                       const char *orig_cert_wild_card);
static void run_ssl (uint32_t *time_map, int time_is_an_illusion, int http);

#endif