00015 #ifndef TLS_H
00016 #define TLS_H
00017
/*
 * Opaque per-connection state. Instances are created by
 * tls_connection_init() and released by tls_connection_deinit(); callers
 * only ever hold a pointer and never see the layout.
 */
struct tls_connection;
00019
/**
 * struct tls_keys - Keying material exported from a TLS connection
 * @master_key: TLS master secret
 * @master_key_len: Length of master_key in bytes
 * @client_random: Random value from the ClientHello
 * @client_random_len: Length of client_random in bytes
 * @server_random: Random value from the ServerHello
 * @server_random_len: Length of server_random in bytes
 * @inner_secret: TLS/IA inner secret (see
 *	tls_connection_ia_permute_inner_secret())
 * @inner_secret_len: Length of inner_secret in bytes
 *
 * Filled in by tls_connection_get_keys(). The pointers presumably reference
 * memory owned by the TLS backend for the lifetime of the connection, so the
 * caller must not free them -- confirm against the backend in use.
 *
 * The master secret is as sensitive as the session itself: any copy or
 * derived key the caller produces from it should be cleared from memory
 * once it is no longer needed.
 */
struct tls_keys {
	const u8 *master_key;
	size_t master_key_len;
	const u8 *client_random;
	size_t client_random_len;
	const u8 *server_random;
	size_t server_random_len;
	const u8 *inner_secret;
	size_t inner_secret_len;
};
00030
/**
 * enum tls_event - Events reported through struct tls_config::event_cb
 * @TLS_CERT_CHAIN_FAILURE: Peer certificate chain validation failed;
 *	details are presumably delivered in union tls_event_data::cert_fail
 * @TLS_PEER_CERTIFICATE: A peer certificate was received; details are
 *	presumably delivered in union tls_event_data::peer_cert
 */
enum tls_event {
	TLS_CERT_CHAIN_FAILURE,
	TLS_PEER_CERTIFICATE
};
00035
00036
00037
00038
00039
/**
 * enum tls_fail_reason - Why certificate chain validation failed
 * @TLS_FAIL_UNSPECIFIED: No more specific reason available
 * @TLS_FAIL_UNTRUSTED: Chain does not lead to a configured trust anchor
 * @TLS_FAIL_REVOKED: Certificate has been revoked
 * @TLS_FAIL_NOT_YET_VALID: Current time is before the certificate's notBefore
 * @TLS_FAIL_EXPIRED: Current time is after the certificate's notAfter
 * @TLS_FAIL_SUBJECT_MISMATCH: Subject did not match the configured
 *	subject_match string
 * @TLS_FAIL_ALTSUBJECT_MISMATCH: No subjectAltName matched the configured
 *	altsubject_match string
 * @TLS_FAIL_BAD_CERTIFICATE: Certificate could not be parsed or is otherwise
 *	malformed
 * @TLS_FAIL_SERVER_CHAIN_PROBE: Failure reported while probing the server
 *	chain rather than during a real connection attempt
 *
 * Reported in union tls_event_data::cert_fail.reason alongside a textual
 * form in reason_txt. The values are assigned explicitly, which suggests
 * they are exposed outside this library (e.g., to external programs) and
 * must not be renumbered -- confirm before changing them.
 */
enum tls_fail_reason {
	TLS_FAIL_UNSPECIFIED = 0,
	TLS_FAIL_UNTRUSTED = 1,
	TLS_FAIL_REVOKED = 2,
	TLS_FAIL_NOT_YET_VALID = 3,
	TLS_FAIL_EXPIRED = 4,
	TLS_FAIL_SUBJECT_MISMATCH = 5,
	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
	TLS_FAIL_BAD_CERTIFICATE = 7,
	TLS_FAIL_SERVER_CHAIN_PROBE = 8
};
00051
/**
 * union tls_event_data - Payload delivered with an enum tls_event
 * @cert_fail: Data for TLS_CERT_CHAIN_FAILURE
 * @cert_fail.depth: Position of the offending certificate in the chain
 *	(0 is presumably the peer's end-entity certificate)
 * @cert_fail.subject: Subject of the offending certificate as a string
 * @cert_fail.reason: Machine-readable failure reason
 * @cert_fail.reason_txt: Human-readable description of reason
 * @cert_fail.cert: DER-encoded certificate, or %NULL if not available
 * @peer_cert: Data for TLS_PEER_CERTIFICATE
 * @peer_cert.depth: Position of this certificate in the chain
 * @peer_cert.subject: Subject of the certificate as a string
 * @peer_cert.cert: DER-encoded certificate, or %NULL if not available
 * @peer_cert.hash: Hash of the certificate (hash algorithm is backend
 *	defined -- TODO confirm)
 * @peer_cert.hash_len: Length of hash in bytes
 *
 * All pointers are only valid for the duration of the event_cb call.
 * subject and reason_txt originate from the peer's certificate and should
 * be treated as untrusted text by anything that logs or displays them.
 */
union tls_event_data {
	struct {
		int depth;
		const char *subject;
		enum tls_fail_reason reason;
		const char *reason_txt;
		const struct wpabuf *cert;
	} cert_fail;

	struct {
		int depth;
		const char *subject;
		const struct wpabuf *cert;
		const u8 *hash;
		size_t hash_len;
	} peer_cert;
};
00069
/**
 * struct tls_config - Global configuration passed to tls_init()
 * @opensc_engine_path: Path to the OpenSC engine module, or %NULL
 * @pkcs11_engine_path: Path to the PKCS#11 engine module, or %NULL
 * @pkcs11_module_path: Path to the PKCS#11 provider module, or %NULL
 * @fips_mode: Non-zero to request FIPS mode from the backend
 * @event_cb: Optional callback for TLS events (certificate chain failures,
 *	peer certificates); %NULL if events are not needed
 * @cb_ctx: Context pointer passed as ctx to event_cb
 *
 * The engine/module paths name shared objects that the backend loads into
 * the process; they should come from trusted configuration only.
 */
struct tls_config {
	const char *opensc_engine_path;
	const char *pkcs11_engine_path;
	const char *pkcs11_module_path;
	int fips_mode;

	void (*event_cb)(void *ctx, enum tls_event ev,
			 union tls_event_data *data);
	void *cb_ctx;
};
00080
/* Option bits for struct tls_connection_params::flags */

/*
 * Accept RSA signatures made with MD5 during the handshake. MD5 is
 * collision-broken; leave this clear unless a specific legacy peer
 * requires it.
 */
#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
/*
 * Skip notBefore/notAfter validity checks on certificates. Meant for
 * devices without a trustworthy clock; it removes the expiry protection
 * that bounds the exposure of a compromised key, so keep it clear
 * wherever a reliable clock is available.
 */
#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
00083
/**
 * struct tls_connection_params - Parameters for a TLS connection
 * @ca_cert: File or reference name for the trusted CA certificate(s), or
 *	%NULL
 * @ca_cert_blob: ca_cert as in-memory data, or %NULL if not used
 * @ca_cert_blob_len: Length of ca_cert_blob in bytes
 * @ca_path: Directory of CA certificates (backend specific), or %NULL
 * @subject_match: Substring the peer certificate subject must contain, or
 *	%NULL to accept any subject
 * @altsubject_match: String the peer certificate subjectAltName must match,
 *	or %NULL to accept any alternative subject
 * @client_cert: File or reference name for the client certificate, or %NULL
 * @client_cert_blob: client_cert as in-memory data, or %NULL if not used
 * @client_cert_blob_len: Length of client_cert_blob in bytes
 * @private_key: File or reference name for the client private key, or %NULL
 * @private_key_blob: private_key as in-memory data, or %NULL if not used
 * @private_key_blob_len: Length of private_key_blob in bytes
 * @private_key_passwd: Passphrase protecting the private key, or %NULL
 * @dh_file: File name for DH parameters, or %NULL if not used
 * @dh_blob: dh_file as in-memory data, or %NULL if not used
 * @dh_blob_len: Length of dh_blob in bytes
 * @tls_ia: Non-zero to enable TLS/IA on this connection
 * @engine: Non-zero to perform private key operations through an engine
 *	(e.g., a smartcard) instead of a key loaded into memory
 * @engine_id: Engine identifier string
 * @pin: PIN for the engine/token
 * @key_id: Identifier of the private key within the engine
 * @cert_id: Identifier of the client certificate within the engine
 * @ca_cert_id: Identifier of the CA certificate within the engine
 * @flags: Option bits (TLS_CONN_*)
 *
 * Configured with tls_connection_set_params() for one connection or
 * tls_global_set_params() for all connections. Each certificate/key can be
 * given either by reference name or as an in-memory blob; presumably only
 * one of the two forms is used per item.
 *
 * Leaving both ca_cert and ca_path unset means the peer certificate cannot
 * be validated against a trust anchor; subject_match/altsubject_match are
 * an additional check, not a substitute. private_key_passwd and pin are
 * plaintext secrets held in the caller's memory.
 */
struct tls_connection_params {
	const char *ca_cert;
	const u8 *ca_cert_blob;
	size_t ca_cert_blob_len;
	const char *ca_path;
	const char *subject_match;
	const char *altsubject_match;
	const char *client_cert;
	const u8 *client_cert_blob;
	size_t client_cert_blob_len;
	const char *private_key;
	const u8 *private_key_blob;
	size_t private_key_blob_len;
	const char *private_key_passwd;
	const char *dh_file;
	const u8 *dh_blob;
	size_t dh_blob_len;
	int tls_ia;


	int engine;
	const char *engine_id;
	const char *pin;
	const char *key_id;
	const char *cert_id;
	const char *ca_cert_id;

	unsigned int flags;
};
00157
00158
/**
 * tls_init - Initialize the TLS library
 * @conf: Library configuration (engine paths, FIPS mode, event callback)
 * Returns: Context data to be passed as tls_ctx to every other function in
 * this header, or %NULL on failure
 *
 * Each successful tls_init() must be balanced by tls_deinit().
 */
void * tls_init(const struct tls_config *conf);

/**
 * tls_deinit - Deinitialize the TLS library
 * @tls_ctx: Context data from tls_init()
 *
 * Connections created from tls_ctx should already have been released with
 * tls_connection_deinit().
 */
void tls_deinit(void *tls_ctx);

/**
 * tls_get_errors - Process pending library errors
 * @tls_ctx: Context data from tls_init()
 * Returns: Number of errors found, 0 if none were pending
 */
int tls_get_errors(void *tls_ctx);

/**
 * tls_connection_init - Initialize a new TLS connection
 * @tls_ctx: Context data from tls_init()
 * Returns: Connection context to pass as conn to the tls_connection_*()
 * functions, or %NULL on failure
 */
struct tls_connection * tls_connection_init(void *tls_ctx);

/**
 * tls_connection_deinit - Free TLS connection data
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 *
 * Releases all resources held by the connection; conn is invalid afterwards.
 */
void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_established - Has the TLS handshake completed?
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: 1 if the handshake has completed successfully, 0 if not
 */
int tls_connection_established(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_shutdown - Shut down a TLS connection for reuse
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: 0 on success, -1 on failure
 *
 * Ends the current TLS session without releasing conn: a new handshake can
 * be started on the same conn with the already configured certificates and
 * parameters, and that handshake is expected to attempt session resumption.
 */
int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn);
00230
/*
 * Additional (negative) return values of tls_connection_set_params() and
 * tls_global_set_params() beyond the generic -1. Both concern loading the
 * private key through an engine: _INIT_FAILED indicates the engine could
 * not be initialized (presumably a wrong PIN), _VERIFY_FAILED indicates the
 * engine-held private key failed verification. Callers can use the
 * distinction to avoid retrying with the same PIN and locking the token.
 */
enum {
	TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3,
	TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2
};
00235
/**
 * tls_connection_set_params - Set TLS connection parameters
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @params: Certificates, keys and options for this connection
 * Returns: 0 on success, -1 on failure,
 * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) if the engine could not be
 * initialized (possible PIN error), or
 * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) if the engine private key
 * failed verification
 */
int __must_check
tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
			  const struct tls_connection_params *params);

/**
 * tls_global_set_params - Set TLS parameters for all connections
 * @tls_ctx: Context data from tls_init()
 * @params: Certificates, keys and options applied to every connection
 * Returns: 0 on success, -1 on failure, or one of the
 * TLS_SET_PARAMS_ENGINE_PRV_* error codes as for
 * tls_connection_set_params()
 */
int __must_check tls_global_set_params(
	void *tls_ctx, const struct tls_connection_params *params);

/**
 * tls_global_set_verify - Set global certificate verification options
 * @tls_ctx: Context data from tls_init()
 * @check_crl: 0 = do not check CRLs, 1 = check the CRL for the peer
 *	certificate only, 2 = check CRLs for all certificates in the chain
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);

/**
 * tls_connection_set_verify - Set peer certificate verification
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @verify_peer: 1 = require and verify the peer certificate, 0 = do not
 * Returns: 0 on success, -1 on failure
 *
 * Disabling peer verification leaves the connection without authentication
 * of the remote end; only use 0 where authentication is provided by an
 * outer protocol layer.
 */
int __must_check tls_connection_set_verify(void *tls_ctx,
					   struct tls_connection *conn,
					   int verify_peer);

/**
 * tls_connection_set_ia - Enable or disable TLS/IA on a connection
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @tls_ia: 1 = enable TLS/IA, 0 = disable
 * Returns: 0 on success, -1 on failure
 *
 * Presumably intended for the server side, where
 * tls_connection_set_params() (and its tls_ia field) is not used -- confirm
 * against the backend.
 */
int __must_check tls_connection_set_ia(void *tls_ctx,
				       struct tls_connection *conn,
				       int tls_ia);

/**
 * tls_connection_get_keys - Get master secret and random values
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @keys: Structure filled in with pointers to the keying material
 * Returns: 0 on success, -1 on failure
 *
 * Backends that do not export the master secret may return -1 here, in
 * which case tls_connection_prf() is the supported way to derive keys.
 */
int __must_check tls_connection_get_keys(void *tls_ctx,
					 struct tls_connection *conn,
					 struct tls_keys *keys);

/**
 * tls_connection_prf - Derive keying material with the TLS PRF
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @label: PRF label describing the purpose of the derived key
 * @server_random_first: 0 = seed is client_random|server_random,
 *	1 = seed is server_random|client_random
 * @out: Buffer for the derived key material
 * @out_len: Number of bytes to produce into out
 * Returns: 0 on success, -1 on failure
 *
 * Lets callers derive further keys from the master secret without the
 * secret ever leaving the TLS backend. A backend that provides the master
 * secret via tls_connection_get_keys() may implement this as a stub
 * returning -1.
 */
int __must_check tls_connection_prf(void *tls_ctx,
				    struct tls_connection *conn,
				    const char *label,
				    int server_random_first,
				    u8 *out, size_t out_len);
00334
/**
 * tls_connection_handshake - Process TLS handshake (client side)
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @in_data: Handshake data received from the server, or %NULL for the
 *	first call
 * @appl_data: Where to store decrypted application data carried with the
 *	final handshake message, or %NULL to drop it
 * Returns: Handshake data to send to the server, or %NULL on failure
 *
 * The first call, with in_data == %NULL, is expected to produce the
 * ClientHello; the server's reply is then fed back through in_data until
 * tls_connection_established() returns 1. If the handshake fails the
 * backend may still return an alert to send, in which case
 * tls_connection_get_failed() reports failure (> 0). The caller owns and
 * must free both the returned buffer and any *appl_data.
 */
struct wpabuf * tls_connection_handshake(void *tls_ctx,
					 struct tls_connection *conn,
					 const struct wpabuf *in_data,
					 struct wpabuf **appl_data);

/**
 * tls_connection_server_handshake - Process TLS handshake (server side)
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @in_data: Handshake data received from the client
 * @appl_data: Where to store decrypted application data carried with the
 *	final handshake message, or %NULL to drop it
 * Returns: Handshake data to send to the client, or %NULL on failure
 *
 * The caller owns and must free both the returned buffer and any
 * *appl_data.
 */
struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
						struct tls_connection *conn,
						const struct wpabuf *in_data,
						struct wpabuf **appl_data);

/**
 * tls_connection_encrypt - Encrypt data into the TLS tunnel
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @in_data: Plaintext to protect
 * Returns: TLS records ready for transmission, or %NULL on failure
 *
 * Only valid once tls_connection_established() returns 1. The caller owns
 * and must free the returned buffer.
 */
struct wpabuf * tls_connection_encrypt(void *tls_ctx,
				       struct tls_connection *conn,
				       const struct wpabuf *in_data);

/**
 * tls_connection_decrypt - Decrypt data from the TLS tunnel
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @in_data: TLS records received from the peer
 * Returns: Decrypted plaintext, or %NULL on failure
 *
 * Only valid once tls_connection_established() returns 1. The caller owns
 * and must free the returned buffer.
 */
struct wpabuf * tls_connection_decrypt(void *tls_ctx,
				       struct tls_connection *conn,
				       const struct wpabuf *in_data);

/**
 * tls_connection_resumed - Was session resumption used?
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: 1 if the current session was resumed, 0 if it was a full
 * handshake
 */
int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);
00419
/*
 * Cipher suite identifiers for tls_connection_set_cipher_list(); a list is
 * terminated with TLS_CIPHER_NONE.
 *
 * TLS_CIPHER_RC4_SHA: RC4 is prohibited for TLS by RFC 7465; keep it only
 * for interoperability with legacy peers.
 * TLS_CIPHER_ANON_DH_AES128_SHA: anonymous DH performs no peer
 * authentication and therefore gives no protection against an active
 * man-in-the-middle; restrict it to cases where authentication is
 * provided by another layer.
 */
enum {
	TLS_CIPHER_NONE,
	TLS_CIPHER_RC4_SHA,
	TLS_CIPHER_AES128_SHA,
	TLS_CIPHER_RSA_DHE_AES128_SHA,
	TLS_CIPHER_ANON_DH_AES128_SHA
};
00427
/**
 * tls_connection_set_cipher_list - Configure acceptable cipher suites
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @ciphers: List of allowed TLS_CIPHER_* values terminated by
 *	TLS_CIPHER_NONE
 * Returns: 0 on success, -1 on failure
 *
 * The list is taken as u8 values, so the TLS_CIPHER_* enumerators are
 * presumably expected to stay below 256.
 */
int __must_check tls_connection_set_cipher_list(void *tls_ctx,
						struct tls_connection *conn,
						u8 *ciphers);

/**
 * tls_get_cipher - Get the name of the negotiated cipher suite
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @buf: Buffer for the NUL-terminated cipher name
 * @buflen: Size of buf in bytes
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
				char *buf, size_t buflen);

/**
 * tls_connection_enable_workaround - Enable TLS workaround options
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: 0 on success, -1 on failure
 *
 * Enables connection-specific compatibility workarounds for buggy peer
 * TLS implementations; which ones is backend defined.
 */
int __must_check tls_connection_enable_workaround(void *tls_ctx,
						  struct tls_connection *conn);

/**
 * tls_connection_client_hello_ext - Set a TLS extension for the ClientHello
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @ext_type: Extension type number
 * @data: Extension payload, or %NULL to remove the extension
 * @data_len: Length of data in bytes
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_connection_client_hello_ext(void *tls_ctx,
						 struct tls_connection *conn,
						 int ext_type, const u8 *data,
						 size_t data_len);

/**
 * tls_connection_get_failed - Get connection failure status
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: > 0 if the connection has failed, 0 if not
 */
int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_get_read_alerts - Get connection read alert count
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: Number of fatal alerts received from the peer during this
 * connection
 */
int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_get_write_alerts - Get connection write alert count
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: Number of fatal alerts sent (locally detected errors) during
 * this connection
 */
int tls_connection_get_write_alerts(void *tls_ctx,
				    struct tls_connection *conn);

/**
 * tls_connection_get_keyblock_size - Get TLS key_block size
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: Size in bytes of the key_block for the negotiated cipher suite,
 * or -1 on failure
 */
int tls_connection_get_keyblock_size(void *tls_ctx,
				     struct tls_connection *conn);
00516
/* Capability bits reported by tls_capabilities() */
#define TLS_CAPABILITY_IA 0x0001 /* backend supports TLS/IA */

/**
 * tls_capabilities - Get supported TLS capabilities
 * @tls_ctx: Context data from tls_init()
 * Returns: Bit field of TLS_CAPABILITY_* values supported by the backend
 */
unsigned int tls_capabilities(void *tls_ctx);

/**
 * tls_connection_ia_send_phase_finished - Send a TLS/IA PhaseFinished
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @final: 1 = FinalPhaseFinished, 0 = IntermediatePhaseFinished
 * Returns: Encrypted TLS/IA data to send, or %NULL on failure
 *
 * The caller owns and must free the returned buffer.
 */
struct wpabuf * tls_connection_ia_send_phase_finished(
	void *tls_ctx, struct tls_connection *conn, int final);

/**
 * tls_connection_ia_final_phase_finished - Has the final phase completed?
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * Returns: 1 if a valid FinalPhaseFinished has been received, 0 if not,
 * or -1 on failure
 */
int __must_check tls_connection_ia_final_phase_finished(
	void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_ia_permute_inner_secret - Permute the TLS/IA inner secret
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @key: Session key material from the completed phase, or %NULL if the
 *	phase produced no session key
 * @key_len: Length of key in bytes
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_connection_ia_permute_inner_secret(
	void *tls_ctx, struct tls_connection *conn,
	const u8 *key, size_t key_len);
00560
/**
 * tls_session_ticket_cb - Callback for processing a received SessionTicket
 * @ctx: Callback context given to tls_connection_set_session_ticket_cb()
 * @ticket: Ticket bytes as received from the peer
 * @len: Length of ticket in bytes
 * @client_random: ClientHello random value of the current handshake
 * @server_random: ServerHello random value of the current handshake
 * @master_secret: Output buffer for the master secret recovered from the
 *	ticket; its size is fixed by the TLS implementation and not passed
 *	here (48 bytes for TLS 1.x -- confirm against the backend)
 * Returns: 1 if the ticket was accepted and master_secret filled in, 0 to
 * fall back to standard processing, -1 on failure
 *
 * ticket is peer-supplied input: an implementation must bound every read
 * by len and treat a malformed ticket as 0 or -1 rather than accepting it.
 */
typedef int (*tls_session_ticket_cb)
(void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
 const u8 *server_random, u8 *master_secret);
00564
/**
 * tls_connection_set_session_ticket_cb - Set the SessionTicket callback
 * @tls_ctx: Context data from tls_init()
 * @conn: Connection context from tls_connection_init()
 * @cb: Callback invoked with received SessionTicket data, or presumably
 *	%NULL to clear it
 * @ctx: Context pointer passed to cb
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_connection_set_session_ticket_cb(
	void *tls_ctx, struct tls_connection *conn,
	tls_session_ticket_cb cb, void *ctx);
00568
00569 #endif