/*
 * tls.h - Declarations for the TLS library wrapper interface
 *
 * This header holds only types and prototypes; no function is defined here,
 * so the implementation is expected to come from a separate, library-specific
 * translation unit. Nothing is included by this header itself: u8, size_t,
 * BIT(), __must_check and struct wpabuf must already be in scope when it is
 * included — presumably via a common project header; confirm the include
 * order at each user.
 */
#ifndef TLS_H
#define TLS_H

/* Opaque per-connection state; only ever handled by pointer through this API. */
struct tls_connection;

/**
 * struct tls_keys - Key material exposed by tls_connection_get_keys()
 * @master_key: Pointer to the TLS master secret
 * @master_key_len: Length of @master_key in bytes
 * @client_random: Pointer to the client random value
 * @client_random_len: Length of @client_random in bytes
 * @server_random: Pointer to the server random value
 * @server_random_len: Length of @server_random in bytes
 * @inner_secret: Pointer to the inner secret (by name, the TLS/IA inner
 *      secret handled by tls_connection_ia_permute_inner_secret())
 * @inner_secret_len: Length of @inner_secret in bytes
 *
 * Every buffer is referenced through a const pointer: the caller must not
 * modify the data, and ownership/lifetime is not specified by this header
 * (presumably the memory belongs to the connection — confirm with the
 * implementation before retaining any pointer past the call that filled it).
 * @master_key and @inner_secret are secret key material: never log them, and
 * zeroize any copy the caller makes once it is no longer needed.
 */
struct tls_keys {
        const u8 *master_key;
        size_t master_key_len;
        const u8 *client_random;
        size_t client_random_len;
        const u8 *server_random;
        size_t server_random_len;
        const u8 *inner_secret;
        size_t inner_secret_len;
};

/**
 * enum tls_event - Events delivered through tls_config::event_cb
 * @TLS_CERT_CHAIN_FAILURE: Certificate chain validation failed; the event
 *      payload is presumably union tls_event_data::cert_fail (pairing
 *      inferred from the names — confirm with the implementation)
 * @TLS_PEER_CERTIFICATE: A peer certificate became available; the event
 *      payload is presumably union tls_event_data::peer_cert (same caveat)
 */
enum tls_event {
        TLS_CERT_CHAIN_FAILURE,
        TLS_PEER_CERTIFICATE
};


/**
 * enum tls_fail_reason - Reason code reported with TLS_CERT_CHAIN_FAILURE
 *
 * The values are fixed explicitly, which suggests they are visible outside
 * this module and must not be renumbered. The meaning attached to each value
 * below is inferred from its name; the authoritative mapping is wherever the
 * implementation fills union tls_event_data::cert_fail.reason.
 */
enum tls_fail_reason {
        TLS_FAIL_UNSPECIFIED = 0,         /* no more specific reason available */
        TLS_FAIL_UNTRUSTED = 1,           /* issuer not among the trusted CAs */
        TLS_FAIL_REVOKED = 2,             /* certificate has been revoked */
        TLS_FAIL_NOT_YET_VALID = 3,       /* validity period has not started */
        TLS_FAIL_EXPIRED = 4,             /* validity period has ended */
        TLS_FAIL_SUBJECT_MISMATCH = 5,    /* subject did not satisfy subject_match */
        TLS_FAIL_ALTSUBJECT_MISMATCH = 6, /* subjectAltName did not satisfy altsubject_match */
        TLS_FAIL_BAD_CERTIFICATE = 7,     /* certificate unusable (e.g., could not be parsed) */
        TLS_FAIL_SERVER_CHAIN_PROBE = 8   /* failure raised while probing the server chain */
};

/**
 * union tls_event_data - Payload passed with an enum tls_event
 *
 * Only one member is meaningful for a given event; the pairing (cert_fail
 * for TLS_CERT_CHAIN_FAILURE, peer_cert for TLS_PEER_CERTIFICATE) is inferred
 * from the names and should be confirmed against the implementation. All
 * pointers are const and presumably valid only for the duration of the
 * callback — copy anything that must outlive it. Note that struct wpabuf is
 * first mentioned in this header right here; if no earlier declaration is in
 * scope, this member declaration is what introduces the tag at file scope.
 */
union tls_event_data {
        struct {
                int depth;                   /* position in the chain (0 presumably = peer's own certificate) */
                const char *subject;         /* textual subject of the failing certificate */
                enum tls_fail_reason reason; /* machine-readable failure reason */
                const char *reason_txt;      /* human-readable failure reason */
                const struct wpabuf *cert;   /* certificate bytes; encoding not stated here */
        } cert_fail;

        struct {
                int depth;                   /* position in the chain */
                const char *subject;         /* textual subject */
                const struct wpabuf *cert;   /* certificate bytes; encoding not stated here */
                const u8 *hash;              /* certificate hash, @hash_len bytes; algorithm not stated here */
                size_t hash_len;
        } peer_cert;
};

/**
 * struct tls_config - Global configuration passed to tls_init()
 * @opensc_engine_path: Path of the OpenSC engine module (by name; how NULL is
 *      treated is not fixed here — presumably "not used")
 * @pkcs11_engine_path: Path of the PKCS#11 engine module (same caveat)
 * @pkcs11_module_path: Path of the PKCS#11 provider module (same caveat)
 * @fips_mode: Non-zero to request FIPS mode from the library; what happens
 *      when the backend cannot honor the request is not defined here, so
 *      callers that require it should verify via the tls_init() result
 * @event_cb: Optional callback for enum tls_event notifications; @data is the
 *      union tls_event_data member matching @ev
 * @cb_ctx: Opaque pointer presumably handed back as @ctx to @event_cb
 *
 * The three *_path fields name code that gets loaded into this process; they
 * must only ever come from trusted configuration, never from a peer or an
 * unprivileged user.
 */
struct tls_config {
        const char *opensc_engine_path;
        const char *pkcs11_engine_path;
        const char *pkcs11_module_path;
        int fips_mode;

        void (*event_cb)(void *ctx, enum tls_event ev,
                         union tls_event_data *data);
        void *cb_ctx;
};

/*
 * Bits for tls_connection_params::flags (BIT() comes from a project header).
 *
 * Both bits weaken certificate validation and should stay clear unless a
 * specific legacy peer requires them:
 *  - TLS_CONN_ALLOW_SIGN_RSA_MD5: by name, accept certificate signatures made
 *    with RSA/MD5. MD5 is collision-broken, so a forged chain becomes
 *    practical once this is set.
 *  - TLS_CONN_DISABLE_TIME_CHECKS: by name, skip the validity-period
 *    (notBefore/notAfter) checks, so expired or not-yet-valid certificates
 *    are accepted. Typically only justified when the device has no trusted
 *    clock, and then the risk should be documented at the call site.
 */
#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)

/**
 * struct tls_connection_params - Parameters for tls_connection_set_params()
 *      and tls_global_set_params()
 * @ca_cert: File name of the trusted CA certificate(s)
 * @ca_cert_blob: In-memory alternative to @ca_cert
 * @ca_cert_blob_len: Length of @ca_cert_blob in bytes
 * @ca_path: Directory of trusted CA certificates
 * @subject_match: Constraint the peer certificate subject must satisfy;
 *      a failure is presumably reported as TLS_FAIL_SUBJECT_MISMATCH. The
 *      exact matching rule (substring, exact, ...) is not defined here
 * @altsubject_match: Constraint on the peer's subjectAltName entries;
 *      failure presumably reported as TLS_FAIL_ALTSUBJECT_MISMATCH
 * @client_cert: File name of the client certificate
 * @client_cert_blob: In-memory alternative to @client_cert
 * @client_cert_blob_len: Length of @client_cert_blob in bytes
 * @private_key: File name of the client private key
 * @private_key_blob: In-memory alternative to @private_key
 * @private_key_blob_len: Length of @private_key_blob in bytes
 * @private_key_passwd: Passphrase protecting the private key — a secret: do
 *      not log it, and zeroize the backing buffer once it is no longer needed
 * @dh_file: File name of Diffie-Hellman parameters
 * @dh_blob: In-memory alternative to @dh_file
 * @dh_blob_len: Length of @dh_blob in bytes
 * @tls_ia: Non-zero to enable TLS/IA (see also tls_connection_set_ia())
 * @engine: Non-zero to load keys/certificates through a crypto engine
 * @engine_id: Identifier of the engine to use
 * @pin: PIN for the engine — a secret, same handling as @private_key_passwd
 * @key_id: Engine-specific identifier of the private key
 * @cert_id: Engine-specific identifier of the client certificate
 * @ca_cert_id: Engine-specific identifier of the CA certificate
 * @flags: Presumably a bitmask of the TLS_CONN_* values defined above
 *
 * Each file/blob pair is an either-or; whether both may be set, and which one
 * wins, is not defined by this header. All pointers are borrowed: whether
 * the implementation copies the data during the set_params call or keeps
 * referencing it is not stated here — confirm before freeing anything.
 * Supplying no @ca_cert/@ca_cert_blob/@ca_path/@ca_cert_id at all would
 * normally leave the peer unauthenticated against any trust anchor; treat
 * such a configuration as an error at the call site rather than a default.
 */
struct tls_connection_params {
        const char *ca_cert;
        const u8 *ca_cert_blob;
        size_t ca_cert_blob_len;
        const char *ca_path;
        const char *subject_match;
        const char *altsubject_match;
        const char *client_cert;
        const u8 *client_cert_blob;
        size_t client_cert_blob_len;
        const char *private_key;
        const u8 *private_key_blob;
        size_t private_key_blob_len;
        const char *private_key_passwd;
        const char *dh_file;
        const u8 *dh_blob;
        size_t dh_blob_len;
        int tls_ia;

        /* Crypto-engine (e.g., smartcard/HSM) based key and certificate selection */
        int engine;
        const char *engine_id;
        const char *pin;
        const char *key_id;
        const char *cert_id;
        const char *ca_cert_id;

        unsigned int flags;
};


/**
 * tls_init - Initialize the TLS library
 * @conf: Global configuration; see struct tls_config
 * Returns: Opaque library context to be passed as @tls_ctx to every other
 * function in this header. The header gives no error channel other than the
 * pointer itself, so NULL is presumably the failure indication — confirm.
 */
void * tls_init(const struct tls_config *conf);

/**
 * tls_deinit - Release a context obtained from tls_init()
 * @tls_ctx: Context from tls_init()
 *
 * Nothing here implies that connections created from @tls_ctx are freed
 * automatically; release them with tls_connection_deinit() first.
 */
void tls_deinit(void *tls_ctx);

/**
 * tls_get_errors - Process pending library errors
 * @tls_ctx: Context from tls_init()
 * Returns: int; by name presumably a count of errors found and reported
 */
int tls_get_errors(void *tls_ctx);

/**
 * tls_connection_init - Create a new connection object
 * @tls_ctx: Context from tls_init()
 * Returns: New connection to be released with tls_connection_deinit(), or
 * presumably NULL on failure (no other error channel exists)
 */
struct tls_connection * tls_connection_init(void *tls_ctx);

/**
 * tls_connection_deinit - Free a connection from tls_connection_init()
 * @tls_ctx: Context from tls_init()
 * @conn: Connection to free
 *
 * Any key material the caller copied out of @conn (see struct tls_keys)
 * remains the caller's responsibility to zeroize.
 */
void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_established - Query whether the handshake has completed
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: By name, non-zero once the TLS connection is established
 */
int tls_connection_established(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_shutdown - Shut down an established connection
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: int; presumably 0 on success and negative on failure, following
 * the convention of the __must_check functions below — not fixed here
 */
int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn);

/*
 * Additional negative return values of tls_connection_set_params() and
 * tls_global_set_params() (pairing inferred from the names). Both concern the
 * crypto-engine private key: engine initialization failed, or the key could
 * not be verified after loading. The gap at -1 suggests -1 remains the
 * generic failure code. Callers should report these distinctly so a
 * misconfigured engine is surfaced instead of being retried blindly.
 */
enum {
        TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3,
        TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2
};

/*
 * __must_check is a project macro that is not defined in this header;
 * presumably it expands to a warn-unused-result attribute so that ignoring a
 * failure from a security-relevant setup call is a compiler warning.
 */

/**
 * tls_connection_set_params - Set connection-specific TLS parameters
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @params: Parameters; see struct tls_connection_params
 * Returns: 0 presumably on success; negative on failure, including the
 * TLS_SET_PARAMS_ENGINE_* values defined above
 */
int __must_check
tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                          const struct tls_connection_params *params);

/**
 * tls_global_set_params - Set parameters that apply to every connection
 * @tls_ctx: Context from tls_init()
 * @params: Parameters; see struct tls_connection_params
 * Returns: As for tls_connection_set_params()
 */
int __must_check tls_global_set_params(
        void *tls_ctx, const struct tls_connection_params *params);

/**
 * tls_global_set_verify - Configure global certificate verification options
 * @tls_ctx: Context from tls_init()
 * @check_crl: By name, non-zero to enable certificate revocation (CRL)
 *      checking; the exact levels accepted are not defined here
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);

/**
 * tls_connection_set_verify - Configure peer verification for a connection
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @verify_peer: By name, non-zero to require and verify the peer's
 *      certificate. A zero value would leave the peer unauthenticated, which
 *      removes protection against an on-path impersonator; only acceptable in
 *      a deliberately anonymous setup, and worth a comment at the call site
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check tls_connection_set_verify(void *tls_ctx,
                                           struct tls_connection *conn,
                                           int verify_peer);

/**
 * tls_connection_set_ia - Enable or disable TLS/IA for a connection
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @tls_ia: Non-zero to enable TLS/IA (inferred from the name)
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check tls_connection_set_ia(void *tls_ctx,
                                       struct tls_connection *conn,
                                       int tls_ia);

/**
 * tls_connection_get_keys - Export key material from a connection
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @keys: Filled in by the call; see struct tls_keys for ownership and
 *      secrecy caveats
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check tls_connection_get_keys(void *tls_ctx,
                                         struct tls_connection *conn,
                                         struct tls_keys *keys);

/**
 * tls_connection_prf - Derive key material with the TLS PRF
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @label: PRF label string
 * @server_random_first: By name, non-zero to place the server random before
 *      the client random in the PRF seed
 * @out: Output buffer
 * @out_len: Number of bytes to write into @out (bounds the write)
 * Returns: int; presumably 0 on success, negative on failure
 *
 * The derived bytes are key material and should be zeroized by the caller
 * when no longer needed.
 */
int __must_check  tls_connection_prf(void *tls_ctx,
                                     struct tls_connection *conn,
                                     const char *label,
                                     int server_random_first,
                                     u8 *out, size_t out_len);

/**
 * tls_connection_handshake - Process client-side handshake data
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @in_data: Data received from the peer (untrusted input to the TLS library)
 * @appl_data: Out-parameter receiving application data, if any, that was
 *      decrypted as part of this step; ownership of the returned buffers is
 *      not stated here — the non-const pointers suggest the caller frees
 *      them, confirm with the implementation
 * Returns: Data to send to the peer, or NULL (whether NULL means "nothing to
 * send" or "failure" is not distinguishable from this header alone; see
 * tls_connection_get_failed())
 */
struct wpabuf * tls_connection_handshake(void *tls_ctx,
                                         struct tls_connection *conn,
                                         const struct wpabuf *in_data,
                                         struct wpabuf **appl_data);

/**
 * tls_connection_server_handshake - Process server-side handshake data
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @in_data: Data received from the peer (untrusted input)
 * @appl_data: As for tls_connection_handshake()
 * Returns: As for tls_connection_handshake()
 */
struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
                                                struct tls_connection *conn,
                                                const struct wpabuf *in_data,
                                                struct wpabuf **appl_data);

/**
 * tls_connection_encrypt - Protect application data for sending
 * @tls_ctx: Context from tls_init()
 * @conn: Connection (presumably must be established)
 * @in_data: Plaintext application data
 * Returns: TLS record data to send, or NULL on failure; the non-const return
 * suggests the caller owns and must free it — confirm
 */
struct wpabuf * tls_connection_encrypt(void *tls_ctx,
                                       struct tls_connection *conn,
                                       const struct wpabuf *in_data);

/**
 * tls_connection_decrypt - Unprotect received application data
 * @tls_ctx: Context from tls_init()
 * @conn: Connection (presumably must be established)
 * @in_data: TLS record data received from the peer (untrusted input)
 * Returns: Decrypted application data, or NULL on failure; ownership as for
 * tls_connection_encrypt()
 */
struct wpabuf * tls_connection_decrypt(void *tls_ctx,
                                       struct tls_connection *conn,
                                       const struct wpabuf *in_data);

/**
 * tls_connection_resumed - Query whether the session was resumed
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: By name, non-zero if the handshake resumed an earlier session
 */
int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);

/*
 * Cipher suite identifiers for tls_connection_set_cipher_list(). The list is
 * presumably terminated by TLS_CIPHER_NONE, the only zero value — confirm.
 *
 * TLS_CIPHER_RC4_SHA relies on RC4, which is broken and prohibited for TLS by
 * RFC 7465. TLS_CIPHER_ANON_DH_AES128_SHA performs no peer authentication, so
 * an on-path attacker can impersonate either side. Neither should be enabled
 * unless a legacy protocol explicitly requires it, and then only with the
 * reason recorded at the call site.
 */
enum {
        TLS_CIPHER_NONE,
        TLS_CIPHER_RC4_SHA ,
        TLS_CIPHER_AES128_SHA ,
        TLS_CIPHER_RSA_DHE_AES128_SHA ,
        TLS_CIPHER_ANON_DH_AES128_SHA
};

/**
 * tls_connection_set_cipher_list - Restrict the cipher suites of a connection
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @ciphers: List of TLS_CIPHER_* values; presumably terminated by
 *      TLS_CIPHER_NONE, since no length is passed — confirm
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check tls_connection_set_cipher_list(void *tls_ctx,
                                                struct tls_connection *conn,
                                                u8 *ciphers);

/**
 * tls_get_cipher - Get a textual name of the negotiated cipher suite
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @buf: Output buffer for the name
 * @buflen: Size of @buf in bytes (bounds the write; whether the result is
 *      always NUL-terminated on truncation is not stated here)
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
                                char *buf, size_t buflen);

/**
 * tls_connection_enable_workaround - Enable library-specific interoperability
 *      workarounds for a connection
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: int; presumably 0 on success, negative on failure
 *
 * Which workarounds this enables is defined only by the implementation;
 * since such options usually relax protocol checks, review the backend's
 * set before enabling this by default.
 */
int __must_check tls_connection_enable_workaround(void *tls_ctx,
                                                  struct tls_connection *conn);

/**
 * tls_connection_client_hello_ext - Add an extension to the ClientHello
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @ext_type: Extension type identifier
 * @data: Extension payload
 * @data_len: Length of @data in bytes
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check tls_connection_client_hello_ext(void *tls_ctx,
                                                 struct tls_connection *conn,
                                                 int ext_type, const u8 *data,
                                                 size_t data_len);

/**
 * tls_connection_get_failed - Query whether the connection has failed
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: By name, non-zero if a failure has been recorded for @conn
 */
int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_get_read_alerts - Count TLS alerts received from the peer
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: By name, the number of alerts read
 */
int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_get_write_alerts - Count TLS alerts sent to the peer
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: By name, the number of alerts written
 */
int tls_connection_get_write_alerts(void *tls_ctx,
                                    struct tls_connection *conn);

/**
 * tls_connection_get_keyblock_size - Get the size of the negotiated key block
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: int; presumably the key block size in bytes, negative on failure
 */
int tls_connection_get_keyblock_size(void *tls_ctx,
                                     struct tls_connection *conn);

/* Capability bit reported by tls_capabilities(): TLS/IA is supported */
#define TLS_CAPABILITY_IA 0x0001

/**
 * tls_capabilities - Report optional features supported by the backend
 * @tls_ctx: Context from tls_init()
 * Returns: Bitmask of TLS_CAPABILITY_* values (only TLS_CAPABILITY_IA is
 * defined in this header)
 */
unsigned int tls_capabilities(void *tls_ctx);

/**
 * tls_connection_ia_send_phase_finished - Build a TLS/IA PhaseFinished message
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @final: By name, non-zero for the final phase
 * Returns: Message data to send, or presumably NULL on failure; ownership of
 * the returned buffer is not stated here — confirm
 */
struct wpabuf * tls_connection_ia_send_phase_finished(
        void *tls_ctx, struct tls_connection *conn, int final);

/**
 * tls_connection_ia_final_phase_finished - Query whether the TLS/IA final
 *      phase has completed
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * Returns: int; by name, non-zero once the final PhaseFinished has been
 * processed; negative values presumably indicate failure
 */
int __must_check tls_connection_ia_final_phase_finished(
        void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_ia_permute_inner_secret - Mix new key material into the
 *      TLS/IA inner secret
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @key: Key material to mix in (secret; caller should zeroize its copy)
 * @key_len: Length of @key in bytes
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check tls_connection_ia_permute_inner_secret(
        void *tls_ctx, struct tls_connection *conn,
        const u8 *key, size_t key_len);

/**
 * tls_session_ticket_cb - Callback for externally handled session tickets
 * @ctx: Opaque pointer registered with tls_connection_set_session_ticket_cb()
 * @ticket: Ticket bytes received from the peer — untrusted input; the
 *      callback must bounds-check against @len before parsing anything
 * @len: Length of @ticket in bytes
 * @client_random: Client random of the handshake
 * @server_random: Server random of the handshake
 * @master_secret: Output buffer the callback writes the master secret into.
 *      Its size is not carried in this signature; a TLS master secret is 48
 *      bytes, so the caller presumably provides at least that — confirm
 * Returns: int; the convention (accepted / not accepted / error) is not
 * fixed by this header, so document it at the registration site
 */
typedef int (*tls_session_ticket_cb)
(void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
 const u8 *server_random, u8 *master_secret);

/**
 * tls_connection_set_session_ticket_cb - Register a session ticket callback
 * @tls_ctx: Context from tls_init()
 * @conn: Connection
 * @cb: Callback, or presumably NULL to remove a previously set one — confirm
 * @ctx: Opaque pointer passed back to @cb
 * Returns: int; presumably 0 on success, negative on failure
 */
int __must_check  tls_connection_set_session_ticket_cb(
        void *tls_ctx, struct tls_connection *conn,
        tls_session_ticket_cb cb, void *ctx);

#endif /* TLS_H */