2 * TLS interface functions and an internal TLS implementation
3 * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
14 * This file interface functions for hostapd/wpa_supplicant to use the
15 * integrated TLSv1 implementation.
22 #include "tls/tlsv1_client.h"
23 #include "tls/tlsv1_server.h"
26 static int tls_ref_count = 0;
30 struct tlsv1_credentials *server_cred;
34 struct tls_connection {
35 struct tlsv1_client *client;
36 struct tlsv1_server *server;
40 void * tls_init(const struct tls_config *conf)
42 struct tls_global *global;
44 if (tls_ref_count == 0) {
45 #ifdef CONFIG_TLS_INTERNAL_CLIENT
46 if (tlsv1_client_global_init())
48 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
49 #ifdef CONFIG_TLS_INTERNAL_SERVER
50 if (tlsv1_server_global_init())
52 #endif /* CONFIG_TLS_INTERNAL_SERVER */
56 global = os_zalloc(sizeof(*global));
63 void tls_deinit(void *ssl_ctx)
65 struct tls_global *global = ssl_ctx;
67 if (tls_ref_count == 0) {
68 #ifdef CONFIG_TLS_INTERNAL_CLIENT
69 tlsv1_client_global_deinit();
70 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
71 #ifdef CONFIG_TLS_INTERNAL_SERVER
72 tlsv1_cred_free(global->server_cred);
73 tlsv1_server_global_deinit();
74 #endif /* CONFIG_TLS_INTERNAL_SERVER */
80 int tls_get_errors(void *tls_ctx)
86 struct tls_connection * tls_connection_init(void *tls_ctx)
88 struct tls_connection *conn;
89 struct tls_global *global = tls_ctx;
91 conn = os_zalloc(sizeof(*conn));
95 #ifdef CONFIG_TLS_INTERNAL_CLIENT
96 if (!global->server) {
97 conn->client = tlsv1_client_init();
98 if (conn->client == NULL) {
103 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
104 #ifdef CONFIG_TLS_INTERNAL_SERVER
105 if (global->server) {
106 conn->server = tlsv1_server_init(global->server_cred);
107 if (conn->server == NULL) {
112 #endif /* CONFIG_TLS_INTERNAL_SERVER */
118 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
122 #ifdef CONFIG_TLS_INTERNAL_CLIENT
124 tlsv1_client_deinit(conn->client);
125 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
126 #ifdef CONFIG_TLS_INTERNAL_SERVER
128 tlsv1_server_deinit(conn->server);
129 #endif /* CONFIG_TLS_INTERNAL_SERVER */
134 int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
136 #ifdef CONFIG_TLS_INTERNAL_CLIENT
138 return tlsv1_client_established(conn->client);
139 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
140 #ifdef CONFIG_TLS_INTERNAL_SERVER
142 return tlsv1_server_established(conn->server);
143 #endif /* CONFIG_TLS_INTERNAL_SERVER */
148 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
150 #ifdef CONFIG_TLS_INTERNAL_CLIENT
152 return tlsv1_client_shutdown(conn->client);
153 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
154 #ifdef CONFIG_TLS_INTERNAL_SERVER
156 return tlsv1_server_shutdown(conn->server);
157 #endif /* CONFIG_TLS_INTERNAL_SERVER */
162 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
163 const struct tls_connection_params *params)
165 #ifdef CONFIG_TLS_INTERNAL_CLIENT
166 struct tlsv1_credentials *cred;
168 if (conn->client == NULL)
171 cred = tlsv1_cred_alloc();
175 if (tlsv1_set_ca_cert(cred, params->ca_cert,
176 params->ca_cert_blob, params->ca_cert_blob_len,
178 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
180 tlsv1_cred_free(cred);
184 if (tlsv1_set_cert(cred, params->client_cert,
185 params->client_cert_blob,
186 params->client_cert_blob_len)) {
187 wpa_printf(MSG_INFO, "TLS: Failed to configure client "
189 tlsv1_cred_free(cred);
193 if (tlsv1_set_private_key(cred, params->private_key,
194 params->private_key_passwd,
195 params->private_key_blob,
196 params->private_key_blob_len)) {
197 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
198 tlsv1_cred_free(cred);
202 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
203 params->dh_blob_len)) {
204 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
205 tlsv1_cred_free(cred);
209 if (tlsv1_client_set_cred(conn->client, cred) < 0) {
210 tlsv1_cred_free(cred);
215 #else /* CONFIG_TLS_INTERNAL_CLIENT */
217 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
221 int tls_global_set_params(void *tls_ctx,
222 const struct tls_connection_params *params)
224 #ifdef CONFIG_TLS_INTERNAL_SERVER
225 struct tls_global *global = tls_ctx;
226 struct tlsv1_credentials *cred;
228 /* Currently, global parameters are only set when running in server
231 tlsv1_cred_free(global->server_cred);
232 global->server_cred = cred = tlsv1_cred_alloc();
236 if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
237 params->ca_cert_blob_len, params->ca_path)) {
238 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
243 if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
244 params->client_cert_blob_len)) {
245 wpa_printf(MSG_INFO, "TLS: Failed to configure server "
250 if (tlsv1_set_private_key(cred, params->private_key,
251 params->private_key_passwd,
252 params->private_key_blob,
253 params->private_key_blob_len)) {
254 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
258 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
259 params->dh_blob_len)) {
260 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
265 #else /* CONFIG_TLS_INTERNAL_SERVER */
267 #endif /* CONFIG_TLS_INTERNAL_SERVER */
271 int tls_global_set_verify(void *tls_ctx, int check_crl)
273 struct tls_global *global = tls_ctx;
274 global->check_crl = check_crl;
279 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
282 #ifdef CONFIG_TLS_INTERNAL_SERVER
284 return tlsv1_server_set_verify(conn->server, verify_peer);
285 #endif /* CONFIG_TLS_INTERNAL_SERVER */
290 int tls_connection_set_ia(void *tls_ctx, struct tls_connection *conn,
297 int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn,
298 struct tls_keys *keys)
300 #ifdef CONFIG_TLS_INTERNAL_CLIENT
302 return tlsv1_client_get_keys(conn->client, keys);
303 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
304 #ifdef CONFIG_TLS_INTERNAL_SERVER
306 return tlsv1_server_get_keys(conn->server, keys);
307 #endif /* CONFIG_TLS_INTERNAL_SERVER */
312 int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
313 const char *label, int server_random_first,
314 u8 *out, size_t out_len)
316 #ifdef CONFIG_TLS_INTERNAL_CLIENT
318 return tlsv1_client_prf(conn->client, label,
322 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
323 #ifdef CONFIG_TLS_INTERNAL_SERVER
325 return tlsv1_server_prf(conn->server, label,
329 #endif /* CONFIG_TLS_INTERNAL_SERVER */
334 struct wpabuf * tls_connection_handshake(void *tls_ctx,
335 struct tls_connection *conn,
336 const struct wpabuf *in_data,
337 struct wpabuf **appl_data)
339 #ifdef CONFIG_TLS_INTERNAL_CLIENT
341 size_t res_len, ad_len;
344 if (conn->client == NULL)
348 res = tlsv1_client_handshake(conn->client,
349 in_data ? wpabuf_head(in_data) : NULL,
350 in_data ? wpabuf_len(in_data) : 0,
351 &res_len, &ad, &ad_len);
354 out = wpabuf_alloc_ext_data(res, res_len);
362 *appl_data = wpabuf_alloc_ext_data(ad, ad_len);
363 if (*appl_data == NULL)
371 #else /* CONFIG_TLS_INTERNAL_CLIENT */
373 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
377 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
378 struct tls_connection *conn,
379 const struct wpabuf *in_data,
380 struct wpabuf **appl_data)
382 #ifdef CONFIG_TLS_INTERNAL_SERVER
387 if (conn->server == NULL)
393 res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
394 wpabuf_len(in_data), &res_len);
395 if (res == NULL && tlsv1_server_established(conn->server))
396 return wpabuf_alloc(0);
399 out = wpabuf_alloc_ext_data(res, res_len);
406 #else /* CONFIG_TLS_INTERNAL_SERVER */
408 #endif /* CONFIG_TLS_INTERNAL_SERVER */
412 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
413 struct tls_connection *conn,
414 const struct wpabuf *in_data)
416 #ifdef CONFIG_TLS_INTERNAL_CLIENT
420 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
423 res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data),
431 wpabuf_put(buf, res);
434 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
435 #ifdef CONFIG_TLS_INTERNAL_SERVER
439 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
442 res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data),
450 wpabuf_put(buf, res);
453 #endif /* CONFIG_TLS_INTERNAL_SERVER */
458 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
459 struct tls_connection *conn,
460 const struct wpabuf *in_data)
462 #ifdef CONFIG_TLS_INTERNAL_CLIENT
466 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
469 res = tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
477 wpabuf_put(buf, res);
480 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
481 #ifdef CONFIG_TLS_INTERNAL_SERVER
485 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
488 res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data),
496 wpabuf_put(buf, res);
499 #endif /* CONFIG_TLS_INTERNAL_SERVER */
504 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
506 #ifdef CONFIG_TLS_INTERNAL_CLIENT
508 return tlsv1_client_resumed(conn->client);
509 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
510 #ifdef CONFIG_TLS_INTERNAL_SERVER
512 return tlsv1_server_resumed(conn->server);
513 #endif /* CONFIG_TLS_INTERNAL_SERVER */
518 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
521 #ifdef CONFIG_TLS_INTERNAL_CLIENT
523 return tlsv1_client_set_cipher_list(conn->client, ciphers);
524 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
525 #ifdef CONFIG_TLS_INTERNAL_SERVER
527 return tlsv1_server_set_cipher_list(conn->server, ciphers);
528 #endif /* CONFIG_TLS_INTERNAL_SERVER */
533 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
534 char *buf, size_t buflen)
538 #ifdef CONFIG_TLS_INTERNAL_CLIENT
540 return tlsv1_client_get_cipher(conn->client, buf, buflen);
541 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
542 #ifdef CONFIG_TLS_INTERNAL_SERVER
544 return tlsv1_server_get_cipher(conn->server, buf, buflen);
545 #endif /* CONFIG_TLS_INTERNAL_SERVER */
550 int tls_connection_enable_workaround(void *tls_ctx,
551 struct tls_connection *conn)
557 int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
558 int ext_type, const u8 *data,
561 #ifdef CONFIG_TLS_INTERNAL_CLIENT
563 return tlsv1_client_hello_ext(conn->client, ext_type,
566 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
571 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
577 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
583 int tls_connection_get_write_alerts(void *tls_ctx,
584 struct tls_connection *conn)
590 int tls_connection_get_keyblock_size(void *tls_ctx,
591 struct tls_connection *conn)
593 #ifdef CONFIG_TLS_INTERNAL_CLIENT
595 return tlsv1_client_get_keyblock_size(conn->client);
596 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
597 #ifdef CONFIG_TLS_INTERNAL_SERVER
599 return tlsv1_server_get_keyblock_size(conn->server);
600 #endif /* CONFIG_TLS_INTERNAL_SERVER */
605 unsigned int tls_capabilities(void *tls_ctx)
611 struct wpabuf * tls_connection_ia_send_phase_finished(
612 void *tls_ctx, struct tls_connection *conn, int final)
618 int tls_connection_ia_final_phase_finished(void *tls_ctx,
619 struct tls_connection *conn)
625 int tls_connection_ia_permute_inner_secret(void *tls_ctx,
626 struct tls_connection *conn,
627 const u8 *key, size_t key_len)
633 int tls_connection_set_session_ticket_cb(void *tls_ctx,
634 struct tls_connection *conn,
635 tls_session_ticket_cb cb,
638 #ifdef CONFIG_TLS_INTERNAL_CLIENT
640 tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
643 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
644 #ifdef CONFIG_TLS_INTERNAL_SERVER
646 tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
649 #endif /* CONFIG_TLS_INTERNAL_SERVER */