2 * WPA Supplicant / TLS interface functions and an internal TLS implementation
3 * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
14 * This file interface functions for hostapd/wpa_supplicant to use the
15 * integrated TLSv1 implementation.
22 #include "tls/tlsv1_client.h"
23 #include "tls/tlsv1_server.h"
26 static int tls_ref_count = 0;
30 struct tlsv1_credentials *server_cred;
34 struct tls_connection {
35 struct tlsv1_client *client;
36 struct tlsv1_server *server;
40 void * tls_init(const struct tls_config *conf)
42 struct tls_global *global;
44 if (tls_ref_count == 0) {
45 #ifdef CONFIG_TLS_INTERNAL_CLIENT
46 if (tlsv1_client_global_init())
48 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
49 #ifdef CONFIG_TLS_INTERNAL_SERVER
50 if (tlsv1_server_global_init())
52 #endif /* CONFIG_TLS_INTERNAL_SERVER */
56 global = os_zalloc(sizeof(*global));
63 void tls_deinit(void *ssl_ctx)
65 struct tls_global *global = ssl_ctx;
67 if (tls_ref_count == 0) {
68 #ifdef CONFIG_TLS_INTERNAL_CLIENT
69 tlsv1_client_global_deinit();
70 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
71 #ifdef CONFIG_TLS_INTERNAL_SERVER
72 tlsv1_cred_free(global->server_cred);
73 tlsv1_server_global_deinit();
74 #endif /* CONFIG_TLS_INTERNAL_SERVER */
80 int tls_get_errors(void *tls_ctx)
86 struct tls_connection * tls_connection_init(void *tls_ctx)
88 struct tls_connection *conn;
89 struct tls_global *global = tls_ctx;
91 conn = os_zalloc(sizeof(*conn));
95 #ifdef CONFIG_TLS_INTERNAL_CLIENT
96 if (!global->server) {
97 conn->client = tlsv1_client_init();
98 if (conn->client == NULL) {
103 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
104 #ifdef CONFIG_TLS_INTERNAL_SERVER
105 if (global->server) {
106 conn->server = tlsv1_server_init(global->server_cred);
107 if (conn->server == NULL) {
112 #endif /* CONFIG_TLS_INTERNAL_SERVER */
118 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
122 #ifdef CONFIG_TLS_INTERNAL_CLIENT
124 tlsv1_client_deinit(conn->client);
125 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
126 #ifdef CONFIG_TLS_INTERNAL_SERVER
128 tlsv1_server_deinit(conn->server);
129 #endif /* CONFIG_TLS_INTERNAL_SERVER */
134 int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
136 #ifdef CONFIG_TLS_INTERNAL_CLIENT
138 return tlsv1_client_established(conn->client);
139 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
140 #ifdef CONFIG_TLS_INTERNAL_SERVER
142 return tlsv1_server_established(conn->server);
143 #endif /* CONFIG_TLS_INTERNAL_SERVER */
148 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
150 #ifdef CONFIG_TLS_INTERNAL_CLIENT
152 return tlsv1_client_shutdown(conn->client);
153 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
154 #ifdef CONFIG_TLS_INTERNAL_SERVER
156 return tlsv1_server_shutdown(conn->server);
157 #endif /* CONFIG_TLS_INTERNAL_SERVER */
162 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
163 const struct tls_connection_params *params)
165 #ifdef CONFIG_TLS_INTERNAL_CLIENT
166 struct tlsv1_credentials *cred;
168 if (conn->client == NULL)
171 cred = tlsv1_cred_alloc();
175 if (tlsv1_set_ca_cert(cred, params->ca_cert,
176 params->ca_cert_blob, params->ca_cert_blob_len,
178 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
180 tlsv1_cred_free(cred);
184 if (tlsv1_set_cert(cred, params->client_cert,
185 params->client_cert_blob,
186 params->client_cert_blob_len)) {
187 wpa_printf(MSG_INFO, "TLS: Failed to configure client "
189 tlsv1_cred_free(cred);
193 if (tlsv1_set_private_key(cred, params->private_key,
194 params->private_key_passwd,
195 params->private_key_blob,
196 params->private_key_blob_len)) {
197 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
198 tlsv1_cred_free(cred);
202 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
203 params->dh_blob_len)) {
204 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
205 tlsv1_cred_free(cred);
209 if (tlsv1_client_set_cred(conn->client, cred) < 0) {
210 tlsv1_cred_free(cred);
215 #else /* CONFIG_TLS_INTERNAL_CLIENT */
217 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
221 int tls_global_set_params(void *tls_ctx,
222 const struct tls_connection_params *params)
224 #ifdef CONFIG_TLS_INTERNAL_SERVER
225 struct tls_global *global = tls_ctx;
226 struct tlsv1_credentials *cred;
228 /* Currently, global parameters are only set when running in server
231 tlsv1_cred_free(global->server_cred);
232 global->server_cred = cred = tlsv1_cred_alloc();
236 if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
237 params->ca_cert_blob_len, params->ca_path)) {
238 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
243 if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
244 params->client_cert_blob_len)) {
245 wpa_printf(MSG_INFO, "TLS: Failed to configure server "
250 if (tlsv1_set_private_key(cred, params->private_key,
251 params->private_key_passwd,
252 params->private_key_blob,
253 params->private_key_blob_len)) {
254 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
258 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
259 params->dh_blob_len)) {
260 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
265 #else /* CONFIG_TLS_INTERNAL_SERVER */
267 #endif /* CONFIG_TLS_INTERNAL_SERVER */
271 int tls_global_set_verify(void *tls_ctx, int check_crl)
273 struct tls_global *global = tls_ctx;
274 global->check_crl = check_crl;
279 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
282 #ifdef CONFIG_TLS_INTERNAL_SERVER
284 return tlsv1_server_set_verify(conn->server, verify_peer);
285 #endif /* CONFIG_TLS_INTERNAL_SERVER */
290 int tls_connection_set_ia(void *tls_ctx, struct tls_connection *conn,
297 int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn,
298 struct tls_keys *keys)
300 #ifdef CONFIG_TLS_INTERNAL_CLIENT
302 return tlsv1_client_get_keys(conn->client, keys);
303 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
304 #ifdef CONFIG_TLS_INTERNAL_SERVER
306 return tlsv1_server_get_keys(conn->server, keys);
307 #endif /* CONFIG_TLS_INTERNAL_SERVER */
312 int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
313 const char *label, int server_random_first,
314 u8 *out, size_t out_len)
316 #ifdef CONFIG_TLS_INTERNAL_CLIENT
318 return tlsv1_client_prf(conn->client, label,
322 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
323 #ifdef CONFIG_TLS_INTERNAL_SERVER
325 return tlsv1_server_prf(conn->server, label,
329 #endif /* CONFIG_TLS_INTERNAL_SERVER */
334 u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
335 const u8 *in_data, size_t in_len,
336 size_t *out_len, u8 **appl_data,
337 size_t *appl_data_len)
339 #ifdef CONFIG_TLS_INTERNAL_CLIENT
340 if (conn->client == NULL)
346 wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
347 __func__, in_data, (unsigned long) in_len);
348 return tlsv1_client_handshake(conn->client, in_data, in_len, out_len,
349 appl_data, appl_data_len);
350 #else /* CONFIG_TLS_INTERNAL_CLIENT */
352 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
356 u8 * tls_connection_server_handshake(void *tls_ctx,
357 struct tls_connection *conn,
358 const u8 *in_data, size_t in_len,
361 #ifdef CONFIG_TLS_INTERNAL_SERVER
363 if (conn->server == NULL)
366 wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
367 __func__, in_data, (unsigned long) in_len);
368 out = tlsv1_server_handshake(conn->server, in_data, in_len, out_len);
369 if (out == NULL && tlsv1_server_established(conn->server)) {
374 #else /* CONFIG_TLS_INTERNAL_SERVER */
376 #endif /* CONFIG_TLS_INTERNAL_SERVER */
380 int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn,
381 const u8 *in_data, size_t in_len,
382 u8 *out_data, size_t out_len)
384 #ifdef CONFIG_TLS_INTERNAL_CLIENT
386 return tlsv1_client_encrypt(conn->client, in_data, in_len,
389 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
390 #ifdef CONFIG_TLS_INTERNAL_SERVER
392 return tlsv1_server_encrypt(conn->server, in_data, in_len,
395 #endif /* CONFIG_TLS_INTERNAL_SERVER */
400 int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn,
401 const u8 *in_data, size_t in_len,
402 u8 *out_data, size_t out_len)
404 #ifdef CONFIG_TLS_INTERNAL_CLIENT
406 return tlsv1_client_decrypt(conn->client, in_data, in_len,
409 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
410 #ifdef CONFIG_TLS_INTERNAL_SERVER
412 return tlsv1_server_decrypt(conn->server, in_data, in_len,
415 #endif /* CONFIG_TLS_INTERNAL_SERVER */
420 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
422 #ifdef CONFIG_TLS_INTERNAL_CLIENT
424 return tlsv1_client_resumed(conn->client);
425 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
426 #ifdef CONFIG_TLS_INTERNAL_SERVER
428 return tlsv1_server_resumed(conn->server);
429 #endif /* CONFIG_TLS_INTERNAL_SERVER */
434 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
437 #ifdef CONFIG_TLS_INTERNAL_CLIENT
439 return tlsv1_client_set_cipher_list(conn->client, ciphers);
440 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
441 #ifdef CONFIG_TLS_INTERNAL_SERVER
443 return tlsv1_server_set_cipher_list(conn->server, ciphers);
444 #endif /* CONFIG_TLS_INTERNAL_SERVER */
449 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
450 char *buf, size_t buflen)
454 #ifdef CONFIG_TLS_INTERNAL_CLIENT
456 return tlsv1_client_get_cipher(conn->client, buf, buflen);
457 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
458 #ifdef CONFIG_TLS_INTERNAL_SERVER
460 return tlsv1_server_get_cipher(conn->server, buf, buflen);
461 #endif /* CONFIG_TLS_INTERNAL_SERVER */
466 int tls_connection_enable_workaround(void *tls_ctx,
467 struct tls_connection *conn)
473 int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
474 int ext_type, const u8 *data,
477 #ifdef CONFIG_TLS_INTERNAL_CLIENT
479 return tlsv1_client_hello_ext(conn->client, ext_type,
482 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
487 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
493 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
499 int tls_connection_get_write_alerts(void *tls_ctx,
500 struct tls_connection *conn)
506 int tls_connection_get_keyblock_size(void *tls_ctx,
507 struct tls_connection *conn)
509 #ifdef CONFIG_TLS_INTERNAL_CLIENT
511 return tlsv1_client_get_keyblock_size(conn->client);
512 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
513 #ifdef CONFIG_TLS_INTERNAL_SERVER
515 return tlsv1_server_get_keyblock_size(conn->server);
516 #endif /* CONFIG_TLS_INTERNAL_SERVER */
521 unsigned int tls_capabilities(void *tls_ctx)
527 int tls_connection_ia_send_phase_finished(void *tls_ctx,
528 struct tls_connection *conn,
530 u8 *out_data, size_t out_len)
536 int tls_connection_ia_final_phase_finished(void *tls_ctx,
537 struct tls_connection *conn)
543 int tls_connection_ia_permute_inner_secret(void *tls_ctx,
544 struct tls_connection *conn,
545 const u8 *key, size_t key_len)
551 int tls_connection_set_session_ticket_cb(void *tls_ctx,
552 struct tls_connection *conn,
553 tls_session_ticket_cb cb,
556 #ifdef CONFIG_TLS_INTERNAL_CLIENT
558 tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
561 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
562 #ifdef CONFIG_TLS_INTERNAL_SERVER
564 tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
567 #endif /* CONFIG_TLS_INTERNAL_SERVER */