/*
 * SSL/TLS interface definition
 * Copyright (c) 2004-2013, Jouni Malinen <[email protected]>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef TLS_H
#define TLS_H

/* Opaque per-connection state; defined by the TLS backend, never by callers. */
struct tls_connection;

/**
 * struct tls_random - Client/server random values of a TLS connection
 * @client_random: Pointer to the client random (not owned by the caller)
 * @client_random_len: Length of @client_random in bytes
 * @server_random: Pointer to the server random (not owned by the caller)
 * @server_random_len: Length of @server_random in bytes
 *
 * Filled in by tls_connection_get_random(). The pointers refer to data held
 * by the connection; this header does not define their lifetime, so assume
 * they are only valid while the connection exists.
 */
struct tls_random {
	const u8 *client_random;
	size_t client_random_len;
	const u8 *server_random;
	size_t server_random_len;
};

/**
 * enum tls_event - Events reported through tls_config::event_cb
 * @TLS_CERT_CHAIN_SUCCESS: Peer certificate chain was verified successfully
 * @TLS_CERT_CHAIN_FAILURE: Peer certificate chain verification failed; by
 *	name, the cert_fail member of union tls_event_data carries the reason
 * @TLS_PEER_CERTIFICATE: A peer certificate is being reported; by name, the
 *	peer_cert member of union tls_event_data carries it
 * @TLS_ALERT: A TLS alert was sent or received; by name, the alert member of
 *	union tls_event_data describes it
 * @TLS_UNSAFE_RENEGOTIATION_DISABLED: Renegotiation without the secure
 *	renegotiation safeguards was refused (counterpart of
 *	TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION — confirm in the backend)
 */
enum tls_event {
	TLS_CERT_CHAIN_SUCCESS,
	TLS_CERT_CHAIN_FAILURE,
	TLS_PEER_CERTIFICATE,
	TLS_ALERT,
	TLS_UNSAFE_RENEGOTIATION_DISABLED,
};

/*
 * Note: These are used as identifiers with external programs and as such, the
 * values must not be changed. New reasons must be appended with the next free
 * value; existing values must never be renumbered or reused.
 */
enum tls_fail_reason {
	TLS_FAIL_UNSPECIFIED = 0,
	TLS_FAIL_UNTRUSTED = 1,
	TLS_FAIL_REVOKED = 2,
	TLS_FAIL_NOT_YET_VALID = 3,
	TLS_FAIL_EXPIRED = 4,
	TLS_FAIL_SUBJECT_MISMATCH = 5,
	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
	TLS_FAIL_BAD_CERTIFICATE = 7,
	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
	TLS_FAIL_DOMAIN_MISMATCH = 10,
	TLS_FAIL_INSUFFICIENT_KEY_LEN = 11,
	TLS_FAIL_DN_MISMATCH = 12,
};


/* Upper bound on the number of subjectAltName entries reported per cert. */
#define TLS_MAX_ALT_SUBJECT 10

/**
 * struct tls_cert_data - Peer certificate information reported to callers
 * @depth: Position of the certificate in the chain
 * @subject: Subject name of the certificate
 * @cert: The certificate itself, or whatever the backend chose to provide
 * @hash: Hash of the certificate
 * @hash_len: Length of @hash in bytes
 * @altsubject: Alternative subject names; at most TLS_MAX_ALT_SUBJECT entries
 * @num_altsubject: Number of valid entries in @altsubject
 * @serial_num: Certificate serial number as a string
 * @tod: Not defined in this header; see the TLS backend for its meaning
 *
 * All pointers refer to data owned by the backend; this header does not define
 * how long they stay valid after the callback returns — assume only for the
 * duration of the event callback.
 */
struct tls_cert_data {
	int depth;
	const char *subject;
	const struct wpabuf *cert;
	const u8 *hash;
	size_t hash_len;
	const char *altsubject[TLS_MAX_ALT_SUBJECT];
	int num_altsubject;
	const char *serial_num;
	int tod;
};

/**
 * union tls_event_data - Payload delivered with an enum tls_event
 * @cert_fail: Details of a certificate chain failure (depth of the failing
 *	certificate, its subject, the enum tls_fail_reason and a textual
 *	reason, and the certificate when available)
 * @peer_cert: A peer certificate being reported
 * @alert: A TLS alert; @is_local tells whether this side generated it, and
 *	@type/@description are textual descriptions
 *
 * Which member is valid depends on the event being reported (see enum
 * tls_event); reading any other member is undefined.
 */
union tls_event_data {
	struct {
		int depth;
		const char *subject;
		enum tls_fail_reason reason;
		const char *reason_txt;
		const struct wpabuf *cert;
	} cert_fail;

	struct tls_cert_data peer_cert;

	struct {
		int is_local;
		const char *type;
		const char *description;
	} alert;
};

/**
 * struct tls_config - Global TLS library configuration passed to tls_init()
 * @opensc_engine_path: OpenSC engine path; only present when
 *	CONFIG_OPENSC_ENGINE_PATH is not defined at build time
 * @pkcs11_engine_path: PKCS#11 engine path; only present when
 *	CONFIG_PKCS11_ENGINE_PATH is not defined at build time
 * @pkcs11_module_path: PKCS#11 module path; only present when
 *	CONFIG_PKCS11_MODULE_PATH is not defined at build time
 * @fips_mode: FIPS mode selector; non-zero presumably requests FIPS mode from
 *	the backend — confirm in the backend
 * @cert_in_cb: Presumably controls whether certificates are included in
 *	event callbacks — confirm in the backend
 * @openssl_ciphers: OpenSSL cipher configuration
 * @tls_session_lifetime: Session lifetime; units not defined here (presumably
 *	seconds — confirm)
 * @crl_reload_interval: CRL reload interval; units not defined here
 *	(presumably seconds — confirm)
 * @tls_flags: Presumably TLS_CONN_* bits applied globally — confirm
 * @event_cb: Callback for enum tls_event notifications; @data is the member of
 *	union tls_event_data matching @ev
 * @cb_ctx: Presumably passed as the ctx argument of @event_cb — confirm
 *
 * NOTE(review): the engine/module paths are loaded as code by the TLS backend;
 * they should only ever come from trusted configuration.
 */
struct tls_config {
#ifndef CONFIG_OPENSC_ENGINE_PATH
	const char *opensc_engine_path;
#endif /* CONFIG_OPENSC_ENGINE_PATH */
#ifndef CONFIG_PKCS11_ENGINE_PATH
	const char *pkcs11_engine_path;
#endif /* CONFIG_PKCS11_ENGINE_PATH */
#ifndef CONFIG_PKCS11_MODULE_PATH
	const char *pkcs11_module_path;
#endif /* CONFIG_PKCS11_MODULE_PATH */
	int fips_mode;
	int cert_in_cb;
	const char *openssl_ciphers;
	unsigned int tls_session_lifetime;
	unsigned int crl_reload_interval;
	unsigned int tls_flags;

	void (*event_cb)(void *ctx, enum tls_event ev,
			 union tls_event_data *data);
	void *cb_ctx;
};

/*
 * TLS_CONN_* - Bit flags for tls_connection_params::flags and the flags
 * argument of tls_connection_set_verify().
 *
 * Several of these relax a protection rather than add one: ALLOW_SIGN_RSA_MD5
 * accepts MD5-based signatures, DISABLE_TIME_CHECKS skips certificate validity
 * period checks, DISABLE_SESSION_TICKET / DISABLE_TLSv1_x remove features,
 * and ENABLE_TLSv1_0 re-enables a legacy protocol version. Any configuration
 * that sets one of those deserves a documented reason.
 */
#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
#define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
#define TLS_CONN_REQUEST_OCSP BIT(3)
#define TLS_CONN_REQUIRE_OCSP BIT(4)
#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
#define TLS_CONN_EAP_FAST BIT(7)
#define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
#define TLS_CONN_EXT_CERT_CHECK BIT(9)
#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
#define TLS_CONN_SUITEB BIT(11)
#define TLS_CONN_SUITEB_NO_ECDH BIT(12)
#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)
#define TLS_CONN_ENABLE_TLSv1_0 BIT(14)
#define TLS_CONN_ENABLE_TLSv1_1 BIT(15) 120*03f9172cSAndroid Build Coastguard Worker #define TLS_CONN_ENABLE_TLSv1_2 BIT(16) 121*03f9172cSAndroid Build Coastguard Worker #define TLS_CONN_TEAP_ANON_DH BIT(17) 122*03f9172cSAndroid Build Coastguard Worker #define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18) 123*03f9172cSAndroid Build Coastguard Worker 124*03f9172cSAndroid Build Coastguard Worker /** 125*03f9172cSAndroid Build Coastguard Worker * struct tls_connection_params - Parameters for TLS connection 126*03f9172cSAndroid Build Coastguard Worker * @ca_cert: File or reference name for CA X.509 certificate in PEM or DER 127*03f9172cSAndroid Build Coastguard Worker * format 128*03f9172cSAndroid Build Coastguard Worker * @ca_cert_blob: ca_cert as inlined data or %NULL if not used 129*03f9172cSAndroid Build Coastguard Worker * @ca_cert_blob_len: ca_cert_blob length 130*03f9172cSAndroid Build Coastguard Worker * @ca_path: Path to CA certificates (OpenSSL specific) 131*03f9172cSAndroid Build Coastguard Worker * @subject_match: String to match in the subject of the peer certificate or 132*03f9172cSAndroid Build Coastguard Worker * %NULL to allow all subjects 133*03f9172cSAndroid Build Coastguard Worker * @altsubject_match: String to match in the alternative subject of the peer 134*03f9172cSAndroid Build Coastguard Worker * certificate or %NULL to allow all alternative subjects 135*03f9172cSAndroid Build Coastguard Worker * @suffix_match: Semicolon deliminated string of values to suffix match against 136*03f9172cSAndroid Build Coastguard Worker * the dNSName or CN of the peer certificate or %NULL to allow all domain names. 137*03f9172cSAndroid Build Coastguard Worker * This may allow subdomains and wildcard certificates. Each domain name label 138*03f9172cSAndroid Build Coastguard Worker * must have a full case-insensitive match. 
139*03f9172cSAndroid Build Coastguard Worker * @domain_match: String to match in the dNSName or CN of the peer 140*03f9172cSAndroid Build Coastguard Worker * certificate or %NULL to allow all domain names. This requires a full, 141*03f9172cSAndroid Build Coastguard Worker * case-insensitive match. 142*03f9172cSAndroid Build Coastguard Worker * 143*03f9172cSAndroid Build Coastguard Worker * More than one match string can be provided by using semicolons to 144*03f9172cSAndroid Build Coastguard Worker * separate the strings (e.g., example.org;example.com). When multiple 145*03f9172cSAndroid Build Coastguard Worker * strings are specified, a match with any one of the values is 146*03f9172cSAndroid Build Coastguard Worker * considered a sufficient match for the certificate, i.e., the 147*03f9172cSAndroid Build Coastguard Worker * conditions are ORed together. 148*03f9172cSAndroid Build Coastguard Worker * @client_cert: File or reference name for client X.509 certificate in PEM or 149*03f9172cSAndroid Build Coastguard Worker * DER format 150*03f9172cSAndroid Build Coastguard Worker * @client_cert_blob: client_cert as inlined data or %NULL if not used 151*03f9172cSAndroid Build Coastguard Worker * @client_cert_blob_len: client_cert_blob length 152*03f9172cSAndroid Build Coastguard Worker * @private_key: File or reference name for client private key in PEM or DER 153*03f9172cSAndroid Build Coastguard Worker * format (traditional format (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY) 154*03f9172cSAndroid Build Coastguard Worker * @private_key_blob: private_key as inlined data or %NULL if not used 155*03f9172cSAndroid Build Coastguard Worker * @private_key_blob_len: private_key_blob length 156*03f9172cSAndroid Build Coastguard Worker * @private_key_passwd: Passphrase for decrypted private key, %NULL if no 157*03f9172cSAndroid Build Coastguard Worker * passphrase is used. 
158*03f9172cSAndroid Build Coastguard Worker * @dh_file: File name for DH/DSA data in PEM format, or %NULL if not used 159*03f9172cSAndroid Build Coastguard Worker * @engine: 1 = use engine (e.g., a smartcard) for private key operations 160*03f9172cSAndroid Build Coastguard Worker * (this is OpenSSL specific for now) 161*03f9172cSAndroid Build Coastguard Worker * @engine_id: engine id string (this is OpenSSL specific for now) 162*03f9172cSAndroid Build Coastguard Worker * @ppin: pointer to the pin variable in the configuration 163*03f9172cSAndroid Build Coastguard Worker * (this is OpenSSL specific for now) 164*03f9172cSAndroid Build Coastguard Worker * @key_id: the private key's id when using engine (this is OpenSSL 165*03f9172cSAndroid Build Coastguard Worker * specific for now) 166*03f9172cSAndroid Build Coastguard Worker * @cert_id: the certificate's id when using engine 167*03f9172cSAndroid Build Coastguard Worker * @ca_cert_id: the CA certificate's id when using engine 168*03f9172cSAndroid Build Coastguard Worker * @openssl_ciphers: OpenSSL cipher configuration 169*03f9172cSAndroid Build Coastguard Worker * @openssl_ecdh_curves: OpenSSL ECDH curve configuration. %NULL for auto if 170*03f9172cSAndroid Build Coastguard Worker * supported, empty string to disable, or a colon-separated curve list. 
171*03f9172cSAndroid Build Coastguard Worker * @flags: Parameter options (TLS_CONN_*) 172*03f9172cSAndroid Build Coastguard Worker * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response 173*03f9172cSAndroid Build Coastguard Worker * or %NULL if OCSP is not enabled 174*03f9172cSAndroid Build Coastguard Worker * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling 175*03f9172cSAndroid Build Coastguard Worker * response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if 176*03f9172cSAndroid Build Coastguard Worker * ocsp_multi is not enabled 177*03f9172cSAndroid Build Coastguard Worker * @check_cert_subject: Client certificate subject name matching string 178*03f9172cSAndroid Build Coastguard Worker * 179*03f9172cSAndroid Build Coastguard Worker * TLS connection parameters to be configured with tls_connection_set_params() 180*03f9172cSAndroid Build Coastguard Worker * and tls_global_set_params(). 181*03f9172cSAndroid Build Coastguard Worker * 182*03f9172cSAndroid Build Coastguard Worker * Certificates and private key can be configured either as a reference name 183*03f9172cSAndroid Build Coastguard Worker * (file path or reference to certificate store) or by providing the same data 184*03f9172cSAndroid Build Coastguard Worker * as a pointer to the data in memory. Only one option will be used for each 185*03f9172cSAndroid Build Coastguard Worker * field. 
186*03f9172cSAndroid Build Coastguard Worker */ 187*03f9172cSAndroid Build Coastguard Worker struct tls_connection_params { 188*03f9172cSAndroid Build Coastguard Worker const char *ca_cert; 189*03f9172cSAndroid Build Coastguard Worker const u8 *ca_cert_blob; 190*03f9172cSAndroid Build Coastguard Worker size_t ca_cert_blob_len; 191*03f9172cSAndroid Build Coastguard Worker const char *ca_path; 192*03f9172cSAndroid Build Coastguard Worker const char *subject_match; 193*03f9172cSAndroid Build Coastguard Worker const char *altsubject_match; 194*03f9172cSAndroid Build Coastguard Worker const char *suffix_match; 195*03f9172cSAndroid Build Coastguard Worker const char *domain_match; 196*03f9172cSAndroid Build Coastguard Worker const char *client_cert; 197*03f9172cSAndroid Build Coastguard Worker const char *client_cert2; 198*03f9172cSAndroid Build Coastguard Worker const u8 *client_cert_blob; 199*03f9172cSAndroid Build Coastguard Worker size_t client_cert_blob_len; 200*03f9172cSAndroid Build Coastguard Worker const char *private_key; 201*03f9172cSAndroid Build Coastguard Worker const char *private_key2; 202*03f9172cSAndroid Build Coastguard Worker const u8 *private_key_blob; 203*03f9172cSAndroid Build Coastguard Worker size_t private_key_blob_len; 204*03f9172cSAndroid Build Coastguard Worker const char *private_key_passwd; 205*03f9172cSAndroid Build Coastguard Worker const char *private_key_passwd2; 206*03f9172cSAndroid Build Coastguard Worker const char *dh_file; 207*03f9172cSAndroid Build Coastguard Worker 208*03f9172cSAndroid Build Coastguard Worker /* OpenSSL specific variables */ 209*03f9172cSAndroid Build Coastguard Worker int engine; 210*03f9172cSAndroid Build Coastguard Worker const char *engine_id; 211*03f9172cSAndroid Build Coastguard Worker const char *pin; 212*03f9172cSAndroid Build Coastguard Worker const char *key_id; 213*03f9172cSAndroid Build Coastguard Worker const char *cert_id; 214*03f9172cSAndroid Build Coastguard Worker const char *ca_cert_id; 
215*03f9172cSAndroid Build Coastguard Worker const char *openssl_ciphers; 216*03f9172cSAndroid Build Coastguard Worker const char *openssl_ecdh_curves; 217*03f9172cSAndroid Build Coastguard Worker 218*03f9172cSAndroid Build Coastguard Worker unsigned int flags; 219*03f9172cSAndroid Build Coastguard Worker const char *ocsp_stapling_response; 220*03f9172cSAndroid Build Coastguard Worker const char *ocsp_stapling_response_multi; 221*03f9172cSAndroid Build Coastguard Worker const char *check_cert_subject; 222*03f9172cSAndroid Build Coastguard Worker }; 223*03f9172cSAndroid Build Coastguard Worker 224*03f9172cSAndroid Build Coastguard Worker 225*03f9172cSAndroid Build Coastguard Worker /** 226*03f9172cSAndroid Build Coastguard Worker * tls_init - Initialize TLS library 227*03f9172cSAndroid Build Coastguard Worker * @conf: Configuration data for TLS library 228*03f9172cSAndroid Build Coastguard Worker * Returns: Context data to be used as tls_ctx in calls to other functions, 229*03f9172cSAndroid Build Coastguard Worker * or %NULL on failure. 230*03f9172cSAndroid Build Coastguard Worker * 231*03f9172cSAndroid Build Coastguard Worker * Called once during program startup and once for each RSN pre-authentication 232*03f9172cSAndroid Build Coastguard Worker * session. In other words, there can be two concurrent TLS contexts. If global 233*03f9172cSAndroid Build Coastguard Worker * library initialization is needed (i.e., one that is shared between both 234*03f9172cSAndroid Build Coastguard Worker * authentication types), the TLS library wrapper should maintain a reference 235*03f9172cSAndroid Build Coastguard Worker * counter and do global initialization only when moving from 0 to 1 reference. 
236*03f9172cSAndroid Build Coastguard Worker */ 237*03f9172cSAndroid Build Coastguard Worker void * tls_init(const struct tls_config *conf); 238*03f9172cSAndroid Build Coastguard Worker 239*03f9172cSAndroid Build Coastguard Worker /** 240*03f9172cSAndroid Build Coastguard Worker * tls_deinit - Deinitialize TLS library 241*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 242*03f9172cSAndroid Build Coastguard Worker * 243*03f9172cSAndroid Build Coastguard Worker * Called once during program shutdown and once for each RSN pre-authentication 244*03f9172cSAndroid Build Coastguard Worker * session. If global library deinitialization is needed (i.e., one that is 245*03f9172cSAndroid Build Coastguard Worker * shared between both authentication types), the TLS library wrapper should 246*03f9172cSAndroid Build Coastguard Worker * maintain a reference counter and do global deinitialization only when moving 247*03f9172cSAndroid Build Coastguard Worker * from 1 to 0 references. 248*03f9172cSAndroid Build Coastguard Worker */ 249*03f9172cSAndroid Build Coastguard Worker void tls_deinit(void *tls_ctx); 250*03f9172cSAndroid Build Coastguard Worker 251*03f9172cSAndroid Build Coastguard Worker /** 252*03f9172cSAndroid Build Coastguard Worker * tls_get_errors - Process pending errors 253*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 254*03f9172cSAndroid Build Coastguard Worker * Returns: Number of found error, 0 if no errors detected. 255*03f9172cSAndroid Build Coastguard Worker * 256*03f9172cSAndroid Build Coastguard Worker * Process all pending TLS errors. 
257*03f9172cSAndroid Build Coastguard Worker */ 258*03f9172cSAndroid Build Coastguard Worker int tls_get_errors(void *tls_ctx); 259*03f9172cSAndroid Build Coastguard Worker 260*03f9172cSAndroid Build Coastguard Worker /** 261*03f9172cSAndroid Build Coastguard Worker * tls_connection_init - Initialize a new TLS connection 262*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 263*03f9172cSAndroid Build Coastguard Worker * Returns: Connection context data, conn for other function calls 264*03f9172cSAndroid Build Coastguard Worker */ 265*03f9172cSAndroid Build Coastguard Worker struct tls_connection * tls_connection_init(void *tls_ctx); 266*03f9172cSAndroid Build Coastguard Worker 267*03f9172cSAndroid Build Coastguard Worker /** 268*03f9172cSAndroid Build Coastguard Worker * tls_connection_deinit - Free TLS connection data 269*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 270*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 271*03f9172cSAndroid Build Coastguard Worker * 272*03f9172cSAndroid Build Coastguard Worker * Release all resources allocated for TLS connection. 273*03f9172cSAndroid Build Coastguard Worker */ 274*03f9172cSAndroid Build Coastguard Worker void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn); 275*03f9172cSAndroid Build Coastguard Worker 276*03f9172cSAndroid Build Coastguard Worker /** 277*03f9172cSAndroid Build Coastguard Worker * tls_connection_established - Has the TLS connection been completed? 278*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 279*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 280*03f9172cSAndroid Build Coastguard Worker * Returns: 1 if TLS connection has been completed, 0 if not. 
281*03f9172cSAndroid Build Coastguard Worker */ 282*03f9172cSAndroid Build Coastguard Worker int tls_connection_established(void *tls_ctx, struct tls_connection *conn); 283*03f9172cSAndroid Build Coastguard Worker 284*03f9172cSAndroid Build Coastguard Worker /** 285*03f9172cSAndroid Build Coastguard Worker * tls_connection_peer_serial_num - Fetch peer certificate serial number 286*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 287*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 288*03f9172cSAndroid Build Coastguard Worker * Returns: Allocated string buffer containing the peer certificate serial 289*03f9172cSAndroid Build Coastguard Worker * number or %NULL on error. 290*03f9172cSAndroid Build Coastguard Worker * 291*03f9172cSAndroid Build Coastguard Worker * The caller is responsible for freeing the returned buffer with os_free(). 292*03f9172cSAndroid Build Coastguard Worker */ 293*03f9172cSAndroid Build Coastguard Worker char * tls_connection_peer_serial_num(void *tls_ctx, 294*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn); 295*03f9172cSAndroid Build Coastguard Worker 296*03f9172cSAndroid Build Coastguard Worker /** 297*03f9172cSAndroid Build Coastguard Worker * tls_connection_shutdown - Shutdown TLS connection 298*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 299*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 300*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 301*03f9172cSAndroid Build Coastguard Worker * 302*03f9172cSAndroid Build Coastguard Worker * Shutdown current TLS connection without releasing all resources. 
New 303*03f9172cSAndroid Build Coastguard Worker * connection can be started by using the same conn without having to call 304*03f9172cSAndroid Build Coastguard Worker * tls_connection_init() or setting certificates etc. again. The new 305*03f9172cSAndroid Build Coastguard Worker * connection should try to use session resumption. 306*03f9172cSAndroid Build Coastguard Worker */ 307*03f9172cSAndroid Build Coastguard Worker int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn); 308*03f9172cSAndroid Build Coastguard Worker 309*03f9172cSAndroid Build Coastguard Worker enum { 310*03f9172cSAndroid Build Coastguard Worker TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN = -4, 311*03f9172cSAndroid Build Coastguard Worker TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3, 312*03f9172cSAndroid Build Coastguard Worker TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2 313*03f9172cSAndroid Build Coastguard Worker }; 314*03f9172cSAndroid Build Coastguard Worker 315*03f9172cSAndroid Build Coastguard Worker /** 316*03f9172cSAndroid Build Coastguard Worker * tls_connection_set_params - Set TLS connection parameters 317*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 318*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 319*03f9172cSAndroid Build Coastguard Worker * @params: Connection parameters 320*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure, 321*03f9172cSAndroid Build Coastguard Worker * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine 322*03f9172cSAndroid Build Coastguard Worker * failure, or 323*03f9172cSAndroid Build Coastguard Worker * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the 324*03f9172cSAndroid Build Coastguard Worker * PKCS#11 engine private key, or 325*03f9172cSAndroid Build Coastguard Worker * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine 326*03f9172cSAndroid Build Coastguard 
Worker * failure. 327*03f9172cSAndroid Build Coastguard Worker */ 328*03f9172cSAndroid Build Coastguard Worker int __must_check 329*03f9172cSAndroid Build Coastguard Worker tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, 330*03f9172cSAndroid Build Coastguard Worker const struct tls_connection_params *params); 331*03f9172cSAndroid Build Coastguard Worker 332*03f9172cSAndroid Build Coastguard Worker /** 333*03f9172cSAndroid Build Coastguard Worker * tls_global_set_params - Set TLS parameters for all TLS connection 334*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 335*03f9172cSAndroid Build Coastguard Worker * @params: Global TLS parameters 336*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure, 337*03f9172cSAndroid Build Coastguard Worker * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine 338*03f9172cSAndroid Build Coastguard Worker * failure, or 339*03f9172cSAndroid Build Coastguard Worker * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the 340*03f9172cSAndroid Build Coastguard Worker * PKCS#11 engine private key, or 341*03f9172cSAndroid Build Coastguard Worker * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine 342*03f9172cSAndroid Build Coastguard Worker * failure. 
343*03f9172cSAndroid Build Coastguard Worker */ 344*03f9172cSAndroid Build Coastguard Worker int __must_check tls_global_set_params( 345*03f9172cSAndroid Build Coastguard Worker void *tls_ctx, const struct tls_connection_params *params); 346*03f9172cSAndroid Build Coastguard Worker 347*03f9172cSAndroid Build Coastguard Worker /** 348*03f9172cSAndroid Build Coastguard Worker * tls_global_set_verify - Set global certificate verification options 349*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 350*03f9172cSAndroid Build Coastguard Worker * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate, 351*03f9172cSAndroid Build Coastguard Worker * 2 = verify CRL for all certificates 352*03f9172cSAndroid Build Coastguard Worker * @strict: 0 = allow CRL time errors, 1 = do not allow CRL time errors 353*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 354*03f9172cSAndroid Build Coastguard Worker */ 355*03f9172cSAndroid Build Coastguard Worker int __must_check tls_global_set_verify(void *tls_ctx, int check_crl, 356*03f9172cSAndroid Build Coastguard Worker int strict); 357*03f9172cSAndroid Build Coastguard Worker 358*03f9172cSAndroid Build Coastguard Worker /** 359*03f9172cSAndroid Build Coastguard Worker * tls_connection_set_verify - Set certificate verification options 360*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 361*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 362*03f9172cSAndroid Build Coastguard Worker * @verify_peer: 0 = do not verify peer certificate, 1 = verify peer 363*03f9172cSAndroid Build Coastguard Worker * certificate (require it to be provided), 2 = verify peer certificate if 364*03f9172cSAndroid Build Coastguard Worker * provided 365*03f9172cSAndroid Build Coastguard Worker * @flags: Connection flags (TLS_CONN_*) 366*03f9172cSAndroid Build Coastguard Worker * @session_ctx: 
Session caching context or %NULL to use default 367*03f9172cSAndroid Build Coastguard Worker * @session_ctx_len: Length of @session_ctx in bytes. 368*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 369*03f9172cSAndroid Build Coastguard Worker */ 370*03f9172cSAndroid Build Coastguard Worker int __must_check tls_connection_set_verify(void *tls_ctx, 371*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 372*03f9172cSAndroid Build Coastguard Worker int verify_peer, 373*03f9172cSAndroid Build Coastguard Worker unsigned int flags, 374*03f9172cSAndroid Build Coastguard Worker const u8 *session_ctx, 375*03f9172cSAndroid Build Coastguard Worker size_t session_ctx_len); 376*03f9172cSAndroid Build Coastguard Worker 377*03f9172cSAndroid Build Coastguard Worker /** 378*03f9172cSAndroid Build Coastguard Worker * tls_connection_get_random - Get random data from TLS connection 379*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 380*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 381*03f9172cSAndroid Build Coastguard Worker * @data: Structure of client/server random data (filled on success) 382*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 383*03f9172cSAndroid Build Coastguard Worker */ 384*03f9172cSAndroid Build Coastguard Worker int __must_check tls_connection_get_random(void *tls_ctx, 385*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 386*03f9172cSAndroid Build Coastguard Worker struct tls_random *data); 387*03f9172cSAndroid Build Coastguard Worker 388*03f9172cSAndroid Build Coastguard Worker /** 389*03f9172cSAndroid Build Coastguard Worker * tls_connection_export_key - Derive keying material from a TLS connection 390*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 391*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from 
tls_connection_init() 392*03f9172cSAndroid Build Coastguard Worker * @label: Label (e.g., description of the key) for PRF 393*03f9172cSAndroid Build Coastguard Worker * @context: Optional extra upper-layer context (max len 2^16) 394*03f9172cSAndroid Build Coastguard Worker * @context_len: The length of the context value 395*03f9172cSAndroid Build Coastguard Worker * @out: Buffer for output data from TLS-PRF 396*03f9172cSAndroid Build Coastguard Worker * @out_len: Length of the output buffer 397*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 398*03f9172cSAndroid Build Coastguard Worker * 399*03f9172cSAndroid Build Coastguard Worker * Exports keying material using the mechanism described in RFC 5705. If 400*03f9172cSAndroid Build Coastguard Worker * context is %NULL, context is not provided; otherwise, context is provided 401*03f9172cSAndroid Build Coastguard Worker * (including the case of empty context with context_len == 0). 402*03f9172cSAndroid Build Coastguard Worker */ 403*03f9172cSAndroid Build Coastguard Worker int __must_check tls_connection_export_key(void *tls_ctx, 404*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 405*03f9172cSAndroid Build Coastguard Worker const char *label, 406*03f9172cSAndroid Build Coastguard Worker const u8 *context, 407*03f9172cSAndroid Build Coastguard Worker size_t context_len, 408*03f9172cSAndroid Build Coastguard Worker u8 *out, size_t out_len); 409*03f9172cSAndroid Build Coastguard Worker 410*03f9172cSAndroid Build Coastguard Worker /** 411*03f9172cSAndroid Build Coastguard Worker * tls_connection_get_eap_fast_key - Derive key material for EAP-FAST 412*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 413*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 414*03f9172cSAndroid Build Coastguard Worker * @out: Buffer for output data from TLS-PRF 415*03f9172cSAndroid Build Coastguard Worker 
* @out_len: Length of the output buffer 416*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 417*03f9172cSAndroid Build Coastguard Worker * 418*03f9172cSAndroid Build Coastguard Worker * Exports key material after the normal TLS key block for use with 419*03f9172cSAndroid Build Coastguard Worker * EAP-FAST. Most callers will want tls_connection_export_key(), but EAP-FAST 420*03f9172cSAndroid Build Coastguard Worker * uses a different legacy mechanism. As with tls_connection_export_key(), the bytes written to @out are secret key material and should be cleared by the caller once they are no longer needed. 421*03f9172cSAndroid Build Coastguard Worker */ 422*03f9172cSAndroid Build Coastguard Worker int __must_check tls_connection_get_eap_fast_key(void *tls_ctx, 423*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 424*03f9172cSAndroid Build Coastguard Worker u8 *out, size_t out_len); 425*03f9172cSAndroid Build Coastguard Worker 426*03f9172cSAndroid Build Coastguard Worker /** 427*03f9172cSAndroid Build Coastguard Worker * tls_connection_handshake - Process TLS handshake (client side) 428*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 429*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 430*03f9172cSAndroid Build Coastguard Worker * @in_data: Input data from TLS server 431*03f9172cSAndroid Build Coastguard Worker * @appl_data: Pointer to application data pointer, or %NULL if dropped 432*03f9172cSAndroid Build Coastguard Worker * Returns: Output data, %NULL on failure 433*03f9172cSAndroid Build Coastguard Worker * 434*03f9172cSAndroid Build Coastguard Worker * The caller is responsible for freeing the returned output data. If the final 435*03f9172cSAndroid Build Coastguard Worker * handshake message includes application data, this is decrypted and 436*03f9172cSAndroid Build Coastguard Worker * appl_data (if not %NULL) is set to point to this data. The caller is 437*03f9172cSAndroid Build Coastguard Worker * responsible for freeing appl_data. 
438*03f9172cSAndroid Build Coastguard Worker * 439*03f9172cSAndroid Build Coastguard Worker * This function is used during TLS handshake. The first call is done with 440*03f9172cSAndroid Build Coastguard Worker * in_data == %NULL and the library is expected to return ClientHello packet. 441*03f9172cSAndroid Build Coastguard Worker * This packet is then sent to the server and a response from server is given 442*03f9172cSAndroid Build Coastguard Worker * to TLS library by calling this function again with in_data pointing to the 443*03f9172cSAndroid Build Coastguard Worker * TLS message from the server. 444*03f9172cSAndroid Build Coastguard Worker * 445*03f9172cSAndroid Build Coastguard Worker * If the TLS handshake fails, this function may return %NULL. However, if the 446*03f9172cSAndroid Build Coastguard Worker * TLS library has a TLS alert to send out, that should be returned as the 447*03f9172cSAndroid Build Coastguard Worker * output data. In this case, tls_connection_get_failed() must return failure 448*03f9172cSAndroid Build Coastguard Worker * (> 0). A non-%NULL return value is therefore not proof of progress: callers must check tls_connection_get_failed() after every call and must not treat the tunnel as usable until tls_connection_established() reports success. 449*03f9172cSAndroid Build Coastguard Worker * 450*03f9172cSAndroid Build Coastguard Worker * tls_connection_established() should return 1 once the TLS handshake has been 451*03f9172cSAndroid Build Coastguard Worker * completed successfully. 
452*03f9172cSAndroid Build Coastguard Worker */ 453*03f9172cSAndroid Build Coastguard Worker struct wpabuf * tls_connection_handshake(void *tls_ctx, 454*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 455*03f9172cSAndroid Build Coastguard Worker const struct wpabuf *in_data, 456*03f9172cSAndroid Build Coastguard Worker struct wpabuf **appl_data); 457*03f9172cSAndroid Build Coastguard Worker 458*03f9172cSAndroid Build Coastguard Worker struct wpabuf * tls_connection_handshake2(void *tls_ctx, 459*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 460*03f9172cSAndroid Build Coastguard Worker const struct wpabuf *in_data, 461*03f9172cSAndroid Build Coastguard Worker struct wpabuf **appl_data, 462*03f9172cSAndroid Build Coastguard Worker int *more_data_needed); 463*03f9172cSAndroid Build Coastguard Worker 464*03f9172cSAndroid Build Coastguard Worker /** 465*03f9172cSAndroid Build Coastguard Worker * tls_connection_server_handshake - Process TLS handshake (server side) 466*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 467*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 468*03f9172cSAndroid Build Coastguard Worker * @in_data: Input data from TLS peer 469*03f9172cSAndroid Build Coastguard Worker * @appl_data: Pointer to application data pointer, or %NULL if dropped 470*03f9172cSAndroid Build Coastguard Worker * Returns: Output data, %NULL on failure 471*03f9172cSAndroid Build Coastguard Worker * 472*03f9172cSAndroid Build Coastguard Worker * The caller is responsible for freeing the returned output data. 
473*03f9172cSAndroid Build Coastguard Worker */ 474*03f9172cSAndroid Build Coastguard Worker struct wpabuf * tls_connection_server_handshake(void *tls_ctx, 475*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 476*03f9172cSAndroid Build Coastguard Worker const struct wpabuf *in_data, 477*03f9172cSAndroid Build Coastguard Worker struct wpabuf **appl_data); 478*03f9172cSAndroid Build Coastguard Worker 479*03f9172cSAndroid Build Coastguard Worker /** 480*03f9172cSAndroid Build Coastguard Worker * tls_connection_encrypt - Encrypt data into TLS tunnel 481*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 482*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 483*03f9172cSAndroid Build Coastguard Worker * @in_data: Plaintext data to be encrypted 484*03f9172cSAndroid Build Coastguard Worker * Returns: Encrypted TLS data or %NULL on failure 485*03f9172cSAndroid Build Coastguard Worker * 486*03f9172cSAndroid Build Coastguard Worker * This function is used after TLS handshake has been completed successfully to 487*03f9172cSAndroid Build Coastguard Worker * send data in the encrypted tunnel. The caller is responsible for freeing the 488*03f9172cSAndroid Build Coastguard Worker * returned output data. 
489*03f9172cSAndroid Build Coastguard Worker */ 490*03f9172cSAndroid Build Coastguard Worker struct wpabuf * tls_connection_encrypt(void *tls_ctx, 491*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 492*03f9172cSAndroid Build Coastguard Worker const struct wpabuf *in_data); 493*03f9172cSAndroid Build Coastguard Worker 494*03f9172cSAndroid Build Coastguard Worker /** 495*03f9172cSAndroid Build Coastguard Worker * tls_connection_decrypt - Decrypt data from TLS tunnel 496*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 497*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 498*03f9172cSAndroid Build Coastguard Worker * @in_data: Encrypted TLS data 499*03f9172cSAndroid Build Coastguard Worker * Returns: Decrypted TLS data or %NULL on failure 500*03f9172cSAndroid Build Coastguard Worker * 501*03f9172cSAndroid Build Coastguard Worker * This function is used after TLS handshake has been completed successfully to 502*03f9172cSAndroid Build Coastguard Worker * receive data from the encrypted tunnel. The caller is responsible for 503*03f9172cSAndroid Build Coastguard Worker * freeing the returned output data. 
504*03f9172cSAndroid Build Coastguard Worker */ 505*03f9172cSAndroid Build Coastguard Worker struct wpabuf * tls_connection_decrypt(void *tls_ctx, 506*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 507*03f9172cSAndroid Build Coastguard Worker const struct wpabuf *in_data); 508*03f9172cSAndroid Build Coastguard Worker 509*03f9172cSAndroid Build Coastguard Worker /* Variant of tls_connection_decrypt() that additionally reports through *more_data_needed whether the backend wants further input before it can produce output; the exact semantics of the flag are not documented here and should be confirmed against the backend. */ struct wpabuf * tls_connection_decrypt2(void *tls_ctx, 510*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 511*03f9172cSAndroid Build Coastguard Worker const struct wpabuf *in_data, 512*03f9172cSAndroid Build Coastguard Worker int *more_data_needed); 513*03f9172cSAndroid Build Coastguard Worker 514*03f9172cSAndroid Build Coastguard Worker /** 515*03f9172cSAndroid Build Coastguard Worker * tls_connection_resumed - Was session resumption used 516*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 517*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 518*03f9172cSAndroid Build Coastguard Worker * Returns: 1 if current session used session resumption, 0 if not 519*03f9172cSAndroid Build Coastguard Worker */ 520*03f9172cSAndroid Build Coastguard Worker int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn); 521*03f9172cSAndroid Build Coastguard Worker 522*03f9172cSAndroid Build Coastguard Worker /* Cipher suite selectors for tls_connection_set_cipher_list(). The hex value in the comment after each entry is the IANA TLS cipher suite number the selector is meant to correspond to. */ enum { 523*03f9172cSAndroid Build Coastguard Worker TLS_CIPHER_NONE, 524*03f9172cSAndroid Build Coastguard Worker TLS_CIPHER_RC4_SHA /* 0x0005 */, /* RC4 is prohibited in TLS by RFC 7465; this selector should only survive for legacy or test code paths and must not appear in a production cipher list */ 525*03f9172cSAndroid Build Coastguard Worker TLS_CIPHER_AES128_SHA /* 0x002f */, 526*03f9172cSAndroid Build Coastguard Worker TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */, /* NOTE(review): 0x0031 is TLS_DH_RSA_WITH_AES_128_CBC_SHA (static DH); the DHE_RSA variant is 0x0033. Confirm which suite the backend actually maps this selector to. */ 527*03f9172cSAndroid Build Coastguard Worker TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */, /* anonymous DH: no peer authentication, so the tunnel resists passive observers only; an active attacker can interpose unless the upper layer authenticates the peer by other means */ 528*03f9172cSAndroid Build Coastguard Worker TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */, 529*03f9172cSAndroid Build Coastguard Worker TLS_CIPHER_AES256_SHA /* 0x0035 */, 
530*03f9172cSAndroid Build Coastguard Worker }; 531*03f9172cSAndroid Build Coastguard Worker 532*03f9172cSAndroid Build Coastguard Worker /** 533*03f9172cSAndroid Build Coastguard Worker * tls_connection_set_cipher_list - Configure acceptable cipher suites 534*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 535*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 536*03f9172cSAndroid Build Coastguard Worker * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers 537*03f9172cSAndroid Build Coastguard Worker * (TLS_CIPHER_*). 538*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure * * The list is an array of u8 holding TLS_CIPHER_* selector values, with 0 (TLS_CIPHER_NONE) as the terminator. As far as this interface shows, it is the only per-connection control for keeping weak selectors (RC4, anonymous DH) out of a negotiation; a caller that never invokes it relies entirely on the backend's default suite policy. 539*03f9172cSAndroid Build Coastguard Worker */ 540*03f9172cSAndroid Build Coastguard Worker int __must_check tls_connection_set_cipher_list(void *tls_ctx, 541*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 542*03f9172cSAndroid Build Coastguard Worker u8 *ciphers); 543*03f9172cSAndroid Build Coastguard Worker 544*03f9172cSAndroid Build Coastguard Worker /** 545*03f9172cSAndroid Build Coastguard Worker * tls_get_version - Get the current TLS version number 546*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 547*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 548*03f9172cSAndroid Build Coastguard Worker * @buf: Buffer for returning the TLS version number 549*03f9172cSAndroid Build Coastguard Worker * @buflen: buf size 550*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 551*03f9172cSAndroid Build Coastguard Worker * 552*03f9172cSAndroid Build Coastguard Worker * Get the currently used TLS version number. 
553*03f9172cSAndroid Build Coastguard Worker */ 554*03f9172cSAndroid Build Coastguard Worker int __must_check tls_get_version(void *tls_ctx, struct tls_connection *conn, 555*03f9172cSAndroid Build Coastguard Worker char *buf, size_t buflen); 556*03f9172cSAndroid Build Coastguard Worker 557*03f9172cSAndroid Build Coastguard Worker /** 558*03f9172cSAndroid Build Coastguard Worker * tls_get_cipher - Get current cipher name 559*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 560*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 561*03f9172cSAndroid Build Coastguard Worker * @buf: Buffer for the cipher name 562*03f9172cSAndroid Build Coastguard Worker * @buflen: buf size 563*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 564*03f9172cSAndroid Build Coastguard Worker * 565*03f9172cSAndroid Build Coastguard Worker * Get the name of the currently used cipher. 566*03f9172cSAndroid Build Coastguard Worker */ 567*03f9172cSAndroid Build Coastguard Worker int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn, 568*03f9172cSAndroid Build Coastguard Worker char *buf, size_t buflen); 569*03f9172cSAndroid Build Coastguard Worker 570*03f9172cSAndroid Build Coastguard Worker /** 571*03f9172cSAndroid Build Coastguard Worker * tls_connection_enable_workaround - Enable TLS workaround options 572*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 573*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 574*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 575*03f9172cSAndroid Build Coastguard Worker * 576*03f9172cSAndroid Build Coastguard Worker * This function is used to enable connection-specific workaround options for 577*03f9172cSAndroid Build Coastguard Worker * buggy SSL/TLS implementations. Such workarounds generally relax strict protocol checking, so enable them only where needed for interoperability with a specific peer rather than by default. 
578*03f9172cSAndroid Build Coastguard Worker */ 579*03f9172cSAndroid Build Coastguard Worker int __must_check tls_connection_enable_workaround(void *tls_ctx, 580*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn); 581*03f9172cSAndroid Build Coastguard Worker 582*03f9172cSAndroid Build Coastguard Worker /** 583*03f9172cSAndroid Build Coastguard Worker * tls_connection_client_hello_ext - Set TLS extension for ClientHello 584*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 585*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 586*03f9172cSAndroid Build Coastguard Worker * @ext_type: Extension type 587*03f9172cSAndroid Build Coastguard Worker * @data: Extension payload (%NULL to remove extension) 588*03f9172cSAndroid Build Coastguard Worker * @data_len: Extension payload length 589*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure 590*03f9172cSAndroid Build Coastguard Worker */ 591*03f9172cSAndroid Build Coastguard Worker int __must_check tls_connection_client_hello_ext(void *tls_ctx, 592*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn, 593*03f9172cSAndroid Build Coastguard Worker int ext_type, const u8 *data, 594*03f9172cSAndroid Build Coastguard Worker size_t data_len); 595*03f9172cSAndroid Build Coastguard Worker 596*03f9172cSAndroid Build Coastguard Worker /** 597*03f9172cSAndroid Build Coastguard Worker * tls_connection_get_failed - Get connection failure status 598*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 599*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 600*03f9172cSAndroid Build Coastguard Worker * 601*03f9172cSAndroid Build Coastguard Worker * Returns >0 if connection has failed, 0 if not. 
602*03f9172cSAndroid Build Coastguard Worker */ 603*03f9172cSAndroid Build Coastguard Worker int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn); 604*03f9172cSAndroid Build Coastguard Worker 605*03f9172cSAndroid Build Coastguard Worker /** 606*03f9172cSAndroid Build Coastguard Worker * tls_connection_get_read_alerts - Get connection read alert status 607*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 608*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 609*03f9172cSAndroid Build Coastguard Worker * Returns: Number of times a fatal read (remote end reported error) has 610*03f9172cSAndroid Build Coastguard Worker * happened during this connection. 611*03f9172cSAndroid Build Coastguard Worker */ 612*03f9172cSAndroid Build Coastguard Worker int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn); 613*03f9172cSAndroid Build Coastguard Worker 614*03f9172cSAndroid Build Coastguard Worker /** 615*03f9172cSAndroid Build Coastguard Worker * tls_connection_get_write_alerts - Get connection write alert status 616*03f9172cSAndroid Build Coastguard Worker * @tls_ctx: TLS context data from tls_init() 617*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 618*03f9172cSAndroid Build Coastguard Worker * Returns: Number of times a fatal write (locally detected error) has happened 619*03f9172cSAndroid Build Coastguard Worker * during this connection. 
620*03f9172cSAndroid Build Coastguard Worker */ 621*03f9172cSAndroid Build Coastguard Worker int tls_connection_get_write_alerts(void *tls_ctx, 622*03f9172cSAndroid Build Coastguard Worker struct tls_connection *conn); 623*03f9172cSAndroid Build Coastguard Worker 624*03f9172cSAndroid Build Coastguard Worker /** tls_session_ticket_cb - Session ticket handler registered via tls_connection_set_session_ticket_cb() * @ctx: Caller context supplied at registration * @ticket: Session ticket being processed * @len: Length of @ticket in bytes * @client_random: Client random of the handshake * @server_random: Server random of the handshake * @master_secret: Appears to be an output buffer (it is the only non-const pointer) that the callback fills with the master secret derived for the ticket * NOTE(review): no length is passed for @master_secret, so the callback and the TLS backend must agree on its size (the TLS 1.0-1.2 master secret is 48 bytes, RFC 5246 Section 8.1). The return value convention is not documented here; confirm it against the backend and the registering caller (presumably the EAP-FAST PAC code). */ typedef int (*tls_session_ticket_cb) 625*03f9172cSAndroid Build Coastguard Worker (void *ctx, const u8 *ticket, size_t len, const u8 *client_random, 626*03f9172cSAndroid Build Coastguard Worker const u8 *server_random, u8 *master_secret); 627*03f9172cSAndroid Build Coastguard Worker 628*03f9172cSAndroid Build Coastguard Worker int __must_check tls_connection_set_session_ticket_cb( 629*03f9172cSAndroid Build Coastguard Worker void *tls_ctx, struct tls_connection *conn, 630*03f9172cSAndroid Build Coastguard Worker tls_session_ticket_cb cb, void *ctx); 631*03f9172cSAndroid Build Coastguard Worker 632*03f9172cSAndroid Build Coastguard Worker /* Install a per-connection logging callback; @ctx is handed back unchanged with each @msg. */ void tls_connection_set_log_cb(struct tls_connection *conn, 633*03f9172cSAndroid Build Coastguard Worker void (*log_cb)(void *ctx, const char *msg), 634*03f9172cSAndroid Build Coastguard Worker void *ctx); 635*03f9172cSAndroid Build Coastguard Worker 636*03f9172cSAndroid Build Coastguard Worker /* Flags for tls_connection_set_test_flags(). Going by their names these deliberately corrupt handshake fields (Finished verify_data, the ServerKeyExchange hash or signature) or advertise undersized, composite or otherwise invalid DHE parameters so that a peer's validation can be exercised in test setups. None of them may be set outside test builds: each one weakens or breaks the connection's security on purpose. */ #define TLS_BREAK_VERIFY_DATA BIT(0) 637*03f9172cSAndroid Build Coastguard Worker #define TLS_BREAK_SRV_KEY_X_HASH BIT(1) 638*03f9172cSAndroid Build Coastguard Worker #define TLS_BREAK_SRV_KEY_X_SIGNATURE BIT(2) 639*03f9172cSAndroid Build Coastguard Worker #define TLS_DHE_PRIME_511B BIT(3) 640*03f9172cSAndroid Build Coastguard Worker #define TLS_DHE_PRIME_767B BIT(4) 641*03f9172cSAndroid Build Coastguard Worker #define TLS_DHE_PRIME_15 BIT(5) 642*03f9172cSAndroid Build Coastguard Worker #define TLS_DHE_PRIME_58B BIT(6) 643*03f9172cSAndroid Build Coastguard Worker #define TLS_DHE_NON_PRIME BIT(7) 644*03f9172cSAndroid Build Coastguard Worker 645*03f9172cSAndroid Build Coastguard Worker void tls_connection_set_test_flags(struct 
tls_connection *conn, u32 flags); 646*03f9172cSAndroid Build Coastguard Worker 647*03f9172cSAndroid Build Coastguard Worker /* Copy the backend TLS library's version string into @buf (@buf_len bytes). The return value convention is not documented here. */ int tls_get_library_version(char *buf, size_t buf_len); 648*03f9172cSAndroid Build Coastguard Worker 649*03f9172cSAndroid Build Coastguard Worker /* Opaque application data attached to the current session: set it, flag it for a resumed session (intent inferred from the name), or fetch it. Ownership of @data and its lifetime relative to the backend's session cache are not documented here; do not free the pointer returned by tls_connection_get_success_data() without checking the backend. */ void tls_connection_set_success_data(struct tls_connection *conn, 650*03f9172cSAndroid Build Coastguard Worker struct wpabuf *data); 651*03f9172cSAndroid Build Coastguard Worker 652*03f9172cSAndroid Build Coastguard Worker void tls_connection_set_success_data_resumed(struct tls_connection *conn); 653*03f9172cSAndroid Build Coastguard Worker 654*03f9172cSAndroid Build Coastguard Worker const struct wpabuf * 655*03f9172cSAndroid Build Coastguard Worker tls_connection_get_success_data(struct tls_connection *conn); 656*03f9172cSAndroid Build Coastguard Worker 657*03f9172cSAndroid Build Coastguard Worker /* Drop the current session from the backend's session cache so it cannot be resumed (intent inferred from the name; confirm against the backend). */ void tls_connection_remove_session(struct tls_connection *conn); 658*03f9172cSAndroid Build Coastguard Worker 659*03f9172cSAndroid Build Coastguard Worker /** 660*03f9172cSAndroid Build Coastguard Worker * tls_get_tls_unique - Fetch "tls-unique" for channel binding 661*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 662*03f9172cSAndroid Build Coastguard Worker * @buf: Buffer for returning the value 663*03f9172cSAndroid Build Coastguard Worker * @max_len: Maximum length of the buffer in bytes 664*03f9172cSAndroid Build Coastguard Worker * Returns: Number of bytes written to buf or -1 on error 665*03f9172cSAndroid Build Coastguard Worker * 666*03f9172cSAndroid Build Coastguard Worker * This function can be used to fetch "tls-unique" (RFC 5929, Section 3) which 667*03f9172cSAndroid Build Coastguard Worker * is the first TLS Finished message sent in the most recent TLS handshake of 668*03f9172cSAndroid Build Coastguard Worker * the TLS connection. * * NOTE(review): RFC 7627 documents that the triple-handshake attack can force tls-unique to collide across two connections unless the extended master secret extension is negotiated, and RFC 5929 tls-unique is not defined for TLS 1.3 (RFC 9266 specifies tls-exporter instead). Callers relying on this value for channel binding should confirm that the backend requires extended master secret on TLS 1.2 and below. 
669*03f9172cSAndroid Build Coastguard Worker */ 670*03f9172cSAndroid Build Coastguard Worker int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len); 671*03f9172cSAndroid Build Coastguard Worker 672*03f9172cSAndroid Build Coastguard Worker /** 673*03f9172cSAndroid Build Coastguard Worker * tls_connection_get_cipher_suite - Get current TLS cipher suite 674*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 675*03f9172cSAndroid Build Coastguard Worker * Returns: TLS cipher suite of the current connection or 0 on error * * The error value cannot collide with a negotiated suite: 0x0000 is TLS_NULL_WITH_NULL_NULL, which is never the result of a completed handshake. 676*03f9172cSAndroid Build Coastguard Worker */ 677*03f9172cSAndroid Build Coastguard Worker u16 tls_connection_get_cipher_suite(struct tls_connection *conn); 678*03f9172cSAndroid Build Coastguard Worker 679*03f9172cSAndroid Build Coastguard Worker /** 680*03f9172cSAndroid Build Coastguard Worker * tls_connection_get_peer_subject - Get peer subject 681*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 682*03f9172cSAndroid Build Coastguard Worker * Returns: Peer subject or %NULL if not authenticated or not available * * NOTE(review): ownership of the returned string is not documented here; it is presumably owned by the connection, so callers should neither free it nor keep it past the connection's lifetime — confirm against the backend. 683*03f9172cSAndroid Build Coastguard Worker */ 684*03f9172cSAndroid Build Coastguard Worker const char * tls_connection_get_peer_subject(struct tls_connection *conn); 685*03f9172cSAndroid Build Coastguard Worker 686*03f9172cSAndroid Build Coastguard Worker /** 687*03f9172cSAndroid Build Coastguard Worker * tls_connection_get_own_cert_used - Was own certificate used 688*03f9172cSAndroid Build Coastguard Worker * @conn: Connection context data from tls_connection_init() 689*03f9172cSAndroid Build Coastguard Worker * Returns: true if own certificate was used during authentication 690*03f9172cSAndroid Build Coastguard Worker */ 691*03f9172cSAndroid Build Coastguard Worker bool tls_connection_get_own_cert_used(struct tls_connection *conn); 692*03f9172cSAndroid Build Coastguard Worker 693*03f9172cSAndroid Build Coastguard 
Worker /** 694*03f9172cSAndroid Build Coastguard Worker * tls_register_cert_callback - Register a callback to retrieve certificates 695*03f9172cSAndroid Build Coastguard Worker * @cb: Callback object to register 696*03f9172cSAndroid Build Coastguard Worker */ 697*03f9172cSAndroid Build Coastguard Worker typedef ssize_t (*tls_get_certificate_cb) 698*03f9172cSAndroid Build Coastguard Worker (void* ctx, const char* alias, uint8_t** value); 699*03f9172cSAndroid Build Coastguard Worker 700*03f9172cSAndroid Build Coastguard Worker /* NOTE(review): the contract of tls_get_certificate_cb is not documented here and must be agreed between the backend and the registrant: who allocates and frees *value (the uint8_t** out-parameter suggests the callback allocates it and the ssize_t result is its length), what a negative return means, and whether the callback may be invoked concurrently. The registration is process-wide (no tls_ctx, no unregister), so the callback must remain valid for the lifetime of the process. */ void tls_register_cert_callback(tls_get_certificate_cb cb); 701*03f9172cSAndroid Build Coastguard Worker 702*03f9172cSAndroid Build Coastguard Worker /** 703*03f9172cSAndroid Build Coastguard Worker * tls_register_openssl_failure_callback - Register a callback to indicate 704*03f9172cSAndroid Build Coastguard Worker * that an OpenSSL failure has occurred 705*03f9172cSAndroid Build Coastguard Worker * @cb: Callback object to register * * Process-wide registration, like tls_register_cert_callback(). @msg is a backend diagnostic string; treat it as untrusted text when forwarding it to a log sink (never as a format string). 706*03f9172cSAndroid Build Coastguard Worker */ 707*03f9172cSAndroid Build Coastguard Worker typedef void (*tls_openssl_failure_cb) 708*03f9172cSAndroid Build Coastguard Worker (void* ctx, const char* msg); 709*03f9172cSAndroid Build Coastguard Worker 710*03f9172cSAndroid Build Coastguard Worker void tls_register_openssl_failure_callback(tls_openssl_failure_cb cb); 711*03f9172cSAndroid Build Coastguard Worker 712*03f9172cSAndroid Build Coastguard Worker #endif /* TLS_H */ 713