2 * TLS interface functions and an internal TLS implementation
3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
8 * This file interface functions for hostapd/wpa_supplicant to use the
9 * integrated TLSv1 implementation.
16 #include "tls/tlsv1_client.h"
17 #include "tls/tlsv1_server.h"
20 static int tls_ref_count = 0;
24 struct tlsv1_credentials *server_cred;
28 struct tls_connection {
29 struct tlsv1_client *client;
30 struct tlsv1_server *server;
31 struct tls_global *global;
35 void * tls_init(const struct tls_config *conf)
37 struct tls_global *global;
39 if (tls_ref_count == 0) {
40 #ifdef CONFIG_TLS_INTERNAL_CLIENT
41 if (tlsv1_client_global_init())
43 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
44 #ifdef CONFIG_TLS_INTERNAL_SERVER
45 if (tlsv1_server_global_init())
47 #endif /* CONFIG_TLS_INTERNAL_SERVER */
51 global = os_zalloc(sizeof(*global));
58 void tls_deinit(void *ssl_ctx)
60 struct tls_global *global = ssl_ctx;
62 if (tls_ref_count == 0) {
63 #ifdef CONFIG_TLS_INTERNAL_CLIENT
64 tlsv1_client_global_deinit();
65 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
66 #ifdef CONFIG_TLS_INTERNAL_SERVER
67 tlsv1_cred_free(global->server_cred);
68 tlsv1_server_global_deinit();
69 #endif /* CONFIG_TLS_INTERNAL_SERVER */
75 int tls_get_errors(void *tls_ctx)
81 struct tls_connection * tls_connection_init(void *tls_ctx)
83 struct tls_connection *conn;
84 struct tls_global *global = tls_ctx;
86 conn = os_zalloc(sizeof(*conn));
89 conn->global = global;
91 #ifdef CONFIG_TLS_INTERNAL_CLIENT
92 if (!global->server) {
93 conn->client = tlsv1_client_init();
94 if (conn->client == NULL) {
99 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
100 #ifdef CONFIG_TLS_INTERNAL_SERVER
101 if (global->server) {
102 conn->server = tlsv1_server_init(global->server_cred);
103 if (conn->server == NULL) {
108 #endif /* CONFIG_TLS_INTERNAL_SERVER */
114 #ifdef CONFIG_TESTING_OPTIONS
115 #ifdef CONFIG_TLS_INTERNAL_SERVER
116 void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags)
119 tlsv1_server_set_test_flags(conn->server, flags);
121 #endif /* CONFIG_TLS_INTERNAL_SERVER */
122 #endif /* CONFIG_TESTING_OPTIONS */
125 void tls_connection_set_log_cb(struct tls_connection *conn,
126 void (*log_cb)(void *ctx, const char *msg),
129 #ifdef CONFIG_TLS_INTERNAL_SERVER
131 tlsv1_server_set_log_cb(conn->server, log_cb, ctx);
132 #endif /* CONFIG_TLS_INTERNAL_SERVER */
136 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
140 #ifdef CONFIG_TLS_INTERNAL_CLIENT
142 tlsv1_client_deinit(conn->client);
143 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
144 #ifdef CONFIG_TLS_INTERNAL_SERVER
146 tlsv1_server_deinit(conn->server);
147 #endif /* CONFIG_TLS_INTERNAL_SERVER */
152 int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
154 #ifdef CONFIG_TLS_INTERNAL_CLIENT
156 return tlsv1_client_established(conn->client);
157 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
158 #ifdef CONFIG_TLS_INTERNAL_SERVER
160 return tlsv1_server_established(conn->server);
161 #endif /* CONFIG_TLS_INTERNAL_SERVER */
166 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
168 #ifdef CONFIG_TLS_INTERNAL_CLIENT
170 return tlsv1_client_shutdown(conn->client);
171 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
172 #ifdef CONFIG_TLS_INTERNAL_SERVER
174 return tlsv1_server_shutdown(conn->server);
175 #endif /* CONFIG_TLS_INTERNAL_SERVER */
180 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
181 const struct tls_connection_params *params)
183 #ifdef CONFIG_TLS_INTERNAL_CLIENT
184 struct tlsv1_credentials *cred;
186 if (conn->client == NULL)
189 cred = tlsv1_cred_alloc();
193 if (params->subject_match) {
194 wpa_printf(MSG_INFO, "TLS: subject_match not supported");
195 tlsv1_cred_free(cred);
199 if (params->altsubject_match) {
200 wpa_printf(MSG_INFO, "TLS: altsubject_match not supported");
201 tlsv1_cred_free(cred);
205 if (params->suffix_match) {
206 wpa_printf(MSG_INFO, "TLS: suffix_match not supported");
207 tlsv1_cred_free(cred);
211 if (params->domain_match) {
212 wpa_printf(MSG_INFO, "TLS: domain_match not supported");
213 tlsv1_cred_free(cred);
217 if (params->openssl_ciphers) {
218 wpa_printf(MSG_INFO, "TLS: openssl_ciphers not supported");
219 tlsv1_cred_free(cred);
223 if (tlsv1_set_ca_cert(cred, params->ca_cert,
224 params->ca_cert_blob, params->ca_cert_blob_len,
226 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
228 tlsv1_cred_free(cred);
232 if (tlsv1_set_cert(cred, params->client_cert,
233 params->client_cert_blob,
234 params->client_cert_blob_len)) {
235 wpa_printf(MSG_INFO, "TLS: Failed to configure client "
237 tlsv1_cred_free(cred);
241 if (tlsv1_set_private_key(cred, params->private_key,
242 params->private_key_passwd,
243 params->private_key_blob,
244 params->private_key_blob_len)) {
245 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
246 tlsv1_cred_free(cred);
250 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
251 params->dh_blob_len)) {
252 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
253 tlsv1_cred_free(cred);
257 if (tlsv1_client_set_cred(conn->client, cred) < 0) {
258 tlsv1_cred_free(cred);
262 tlsv1_client_set_time_checks(
263 conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
266 #else /* CONFIG_TLS_INTERNAL_CLIENT */
268 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
272 int tls_global_set_params(void *tls_ctx,
273 const struct tls_connection_params *params)
275 #ifdef CONFIG_TLS_INTERNAL_SERVER
276 struct tls_global *global = tls_ctx;
277 struct tlsv1_credentials *cred;
279 /* Currently, global parameters are only set when running in server
282 tlsv1_cred_free(global->server_cred);
283 global->server_cred = cred = tlsv1_cred_alloc();
287 if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
288 params->ca_cert_blob_len, params->ca_path)) {
289 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
294 if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
295 params->client_cert_blob_len)) {
296 wpa_printf(MSG_INFO, "TLS: Failed to configure server "
301 if (tlsv1_set_private_key(cred, params->private_key,
302 params->private_key_passwd,
303 params->private_key_blob,
304 params->private_key_blob_len)) {
305 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
309 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
310 params->dh_blob_len)) {
311 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
316 #else /* CONFIG_TLS_INTERNAL_SERVER */
318 #endif /* CONFIG_TLS_INTERNAL_SERVER */
322 int tls_global_set_verify(void *tls_ctx, int check_crl)
324 struct tls_global *global = tls_ctx;
325 global->check_crl = check_crl;
330 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
331 int verify_peer, unsigned int flags,
332 const u8 *session_ctx, size_t session_ctx_len)
334 #ifdef CONFIG_TLS_INTERNAL_SERVER
336 return tlsv1_server_set_verify(conn->server, verify_peer);
337 #endif /* CONFIG_TLS_INTERNAL_SERVER */
342 int tls_connection_get_random(void *tls_ctx, struct tls_connection *conn,
343 struct tls_random *data)
345 #ifdef CONFIG_TLS_INTERNAL_CLIENT
347 return tlsv1_client_get_random(conn->client, data);
348 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
349 #ifdef CONFIG_TLS_INTERNAL_SERVER
351 return tlsv1_server_get_random(conn->server, data);
352 #endif /* CONFIG_TLS_INTERNAL_SERVER */
357 static int tls_get_keyblock_size(struct tls_connection *conn)
359 #ifdef CONFIG_TLS_INTERNAL_CLIENT
361 return tlsv1_client_get_keyblock_size(conn->client);
362 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
363 #ifdef CONFIG_TLS_INTERNAL_SERVER
365 return tlsv1_server_get_keyblock_size(conn->server);
366 #endif /* CONFIG_TLS_INTERNAL_SERVER */
371 int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
372 const char *label, int server_random_first,
373 int skip_keyblock, u8 *out, size_t out_len)
375 int ret = -1, skip = 0;
380 skip = tls_get_keyblock_size(conn);
383 tmp_out = os_malloc(skip + out_len);
389 #ifdef CONFIG_TLS_INTERNAL_CLIENT
391 ret = tlsv1_client_prf(conn->client, label,
395 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
396 #ifdef CONFIG_TLS_INTERNAL_SERVER
398 ret = tlsv1_server_prf(conn->server, label,
402 #endif /* CONFIG_TLS_INTERNAL_SERVER */
403 if (ret == 0 && skip_keyblock)
404 os_memcpy(out, _out + skip, out_len);
405 bin_clear_free(tmp_out, skip);
411 struct wpabuf * tls_connection_handshake(void *tls_ctx,
412 struct tls_connection *conn,
413 const struct wpabuf *in_data,
414 struct wpabuf **appl_data)
416 return tls_connection_handshake2(tls_ctx, conn, in_data, appl_data,
421 struct wpabuf * tls_connection_handshake2(void *tls_ctx,
422 struct tls_connection *conn,
423 const struct wpabuf *in_data,
424 struct wpabuf **appl_data,
427 #ifdef CONFIG_TLS_INTERNAL_CLIENT
429 size_t res_len, ad_len;
432 if (conn->client == NULL)
436 res = tlsv1_client_handshake(conn->client,
437 in_data ? wpabuf_head(in_data) : NULL,
438 in_data ? wpabuf_len(in_data) : 0,
439 &res_len, &ad, &ad_len, need_more_data);
442 out = wpabuf_alloc_ext_data(res, res_len);
450 *appl_data = wpabuf_alloc_ext_data(ad, ad_len);
451 if (*appl_data == NULL)
459 #else /* CONFIG_TLS_INTERNAL_CLIENT */
461 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
465 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
466 struct tls_connection *conn,
467 const struct wpabuf *in_data,
468 struct wpabuf **appl_data)
470 #ifdef CONFIG_TLS_INTERNAL_SERVER
475 if (conn->server == NULL)
481 res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
482 wpabuf_len(in_data), &res_len);
483 if (res == NULL && tlsv1_server_established(conn->server))
484 return wpabuf_alloc(0);
487 out = wpabuf_alloc_ext_data(res, res_len);
494 #else /* CONFIG_TLS_INTERNAL_SERVER */
496 #endif /* CONFIG_TLS_INTERNAL_SERVER */
500 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
501 struct tls_connection *conn,
502 const struct wpabuf *in_data)
504 #ifdef CONFIG_TLS_INTERNAL_CLIENT
508 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
511 res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data),
519 wpabuf_put(buf, res);
522 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
523 #ifdef CONFIG_TLS_INTERNAL_SERVER
527 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
530 res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data),
538 wpabuf_put(buf, res);
541 #endif /* CONFIG_TLS_INTERNAL_SERVER */
546 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
547 struct tls_connection *conn,
548 const struct wpabuf *in_data)
550 return tls_connection_decrypt2(tls_ctx, conn, in_data, NULL);
554 struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
555 struct tls_connection *conn,
556 const struct wpabuf *in_data,
562 #ifdef CONFIG_TLS_INTERNAL_CLIENT
564 return tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
568 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
569 #ifdef CONFIG_TLS_INTERNAL_SERVER
573 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
576 res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data),
584 wpabuf_put(buf, res);
587 #endif /* CONFIG_TLS_INTERNAL_SERVER */
592 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
594 #ifdef CONFIG_TLS_INTERNAL_CLIENT
596 return tlsv1_client_resumed(conn->client);
597 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
598 #ifdef CONFIG_TLS_INTERNAL_SERVER
600 return tlsv1_server_resumed(conn->server);
601 #endif /* CONFIG_TLS_INTERNAL_SERVER */
606 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
609 #ifdef CONFIG_TLS_INTERNAL_CLIENT
611 return tlsv1_client_set_cipher_list(conn->client, ciphers);
612 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
613 #ifdef CONFIG_TLS_INTERNAL_SERVER
615 return tlsv1_server_set_cipher_list(conn->server, ciphers);
616 #endif /* CONFIG_TLS_INTERNAL_SERVER */
621 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
622 char *buf, size_t buflen)
629 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
630 char *buf, size_t buflen)
634 #ifdef CONFIG_TLS_INTERNAL_CLIENT
636 return tlsv1_client_get_cipher(conn->client, buf, buflen);
637 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
638 #ifdef CONFIG_TLS_INTERNAL_SERVER
640 return tlsv1_server_get_cipher(conn->server, buf, buflen);
641 #endif /* CONFIG_TLS_INTERNAL_SERVER */
646 int tls_connection_enable_workaround(void *tls_ctx,
647 struct tls_connection *conn)
653 int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
654 int ext_type, const u8 *data,
657 #ifdef CONFIG_TLS_INTERNAL_CLIENT
659 return tlsv1_client_hello_ext(conn->client, ext_type,
662 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
667 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
673 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
679 int tls_connection_get_write_alerts(void *tls_ctx,
680 struct tls_connection *conn)
686 int tls_connection_set_session_ticket_cb(void *tls_ctx,
687 struct tls_connection *conn,
688 tls_session_ticket_cb cb,
691 #ifdef CONFIG_TLS_INTERNAL_CLIENT
693 tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
696 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
697 #ifdef CONFIG_TLS_INTERNAL_SERVER
699 tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
702 #endif /* CONFIG_TLS_INTERNAL_SERVER */
707 int tls_get_library_version(char *buf, size_t buf_len)
709 return os_snprintf(buf, buf_len, "internal");
713 void tls_connection_set_success_data(struct tls_connection *conn,
719 void tls_connection_set_success_data_resumed(struct tls_connection *conn)
724 const struct wpabuf *
725 tls_connection_get_success_data(struct tls_connection *conn)
731 void tls_connection_remove_session(struct tls_connection *conn)