2 * TLS interface functions and an internal TLS implementation
3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
8 * This file interface functions for hostapd/wpa_supplicant to use the
9 * integrated TLSv1 implementation.
16 #include "tls/tlsv1_client.h"
17 #include "tls/tlsv1_server.h"
20 static int tls_ref_count = 0;
24 struct tlsv1_credentials *server_cred;
27 void (*event_cb)(void *ctx, enum tls_event ev,
28 union tls_event_data *data);
33 struct tls_connection {
34 struct tlsv1_client *client;
35 struct tlsv1_server *server;
36 struct tls_global *global;
40 void * tls_init(const struct tls_config *conf)
42 struct tls_global *global;
44 if (tls_ref_count == 0) {
45 #ifdef CONFIG_TLS_INTERNAL_CLIENT
46 if (tlsv1_client_global_init())
48 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
49 #ifdef CONFIG_TLS_INTERNAL_SERVER
50 if (tlsv1_server_global_init())
52 #endif /* CONFIG_TLS_INTERNAL_SERVER */
56 global = os_zalloc(sizeof(*global));
60 global->event_cb = conf->event_cb;
61 global->cb_ctx = conf->cb_ctx;
62 global->cert_in_cb = conf->cert_in_cb;
68 void tls_deinit(void *ssl_ctx)
70 struct tls_global *global = ssl_ctx;
72 if (tls_ref_count == 0) {
73 #ifdef CONFIG_TLS_INTERNAL_CLIENT
74 tlsv1_client_global_deinit();
75 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
76 #ifdef CONFIG_TLS_INTERNAL_SERVER
77 tlsv1_server_global_deinit();
78 #endif /* CONFIG_TLS_INTERNAL_SERVER */
80 #ifdef CONFIG_TLS_INTERNAL_SERVER
81 tlsv1_cred_free(global->server_cred);
82 #endif /* CONFIG_TLS_INTERNAL_SERVER */
87 int tls_get_errors(void *tls_ctx)
93 struct tls_connection * tls_connection_init(void *tls_ctx)
95 struct tls_connection *conn;
96 struct tls_global *global = tls_ctx;
98 conn = os_zalloc(sizeof(*conn));
101 conn->global = global;
103 #ifdef CONFIG_TLS_INTERNAL_CLIENT
104 if (!global->server) {
105 conn->client = tlsv1_client_init();
106 if (conn->client == NULL) {
110 tlsv1_client_set_cb(conn->client, global->event_cb,
111 global->cb_ctx, global->cert_in_cb);
113 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
114 #ifdef CONFIG_TLS_INTERNAL_SERVER
115 if (global->server) {
116 conn->server = tlsv1_server_init(global->server_cred);
117 if (conn->server == NULL) {
122 #endif /* CONFIG_TLS_INTERNAL_SERVER */
128 #ifdef CONFIG_TESTING_OPTIONS
129 #ifdef CONFIG_TLS_INTERNAL_SERVER
130 void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags)
133 tlsv1_server_set_test_flags(conn->server, flags);
135 #endif /* CONFIG_TLS_INTERNAL_SERVER */
136 #endif /* CONFIG_TESTING_OPTIONS */
139 void tls_connection_set_log_cb(struct tls_connection *conn,
140 void (*log_cb)(void *ctx, const char *msg),
143 #ifdef CONFIG_TLS_INTERNAL_SERVER
145 tlsv1_server_set_log_cb(conn->server, log_cb, ctx);
146 #endif /* CONFIG_TLS_INTERNAL_SERVER */
150 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
154 #ifdef CONFIG_TLS_INTERNAL_CLIENT
156 tlsv1_client_deinit(conn->client);
157 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
158 #ifdef CONFIG_TLS_INTERNAL_SERVER
160 tlsv1_server_deinit(conn->server);
161 #endif /* CONFIG_TLS_INTERNAL_SERVER */
166 int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
168 #ifdef CONFIG_TLS_INTERNAL_CLIENT
170 return tlsv1_client_established(conn->client);
171 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
172 #ifdef CONFIG_TLS_INTERNAL_SERVER
174 return tlsv1_server_established(conn->server);
175 #endif /* CONFIG_TLS_INTERNAL_SERVER */
180 char * tls_connection_peer_serial_num(void *tls_ctx,
181 struct tls_connection *conn)
188 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
190 #ifdef CONFIG_TLS_INTERNAL_CLIENT
192 return tlsv1_client_shutdown(conn->client);
193 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
194 #ifdef CONFIG_TLS_INTERNAL_SERVER
196 return tlsv1_server_shutdown(conn->server);
197 #endif /* CONFIG_TLS_INTERNAL_SERVER */
202 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
203 const struct tls_connection_params *params)
205 #ifdef CONFIG_TLS_INTERNAL_CLIENT
206 struct tlsv1_credentials *cred;
208 if (conn->client == NULL)
211 if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
213 "TLS: tls_ext_cert_check=1 not supported");
217 cred = tlsv1_cred_alloc();
221 if (params->subject_match) {
222 wpa_printf(MSG_INFO, "TLS: subject_match not supported");
223 tlsv1_cred_free(cred);
227 if (params->altsubject_match) {
228 wpa_printf(MSG_INFO, "TLS: altsubject_match not supported");
229 tlsv1_cred_free(cred);
233 if (params->suffix_match) {
234 wpa_printf(MSG_INFO, "TLS: suffix_match not supported");
235 tlsv1_cred_free(cred);
239 if (params->domain_match) {
240 wpa_printf(MSG_INFO, "TLS: domain_match not supported");
241 tlsv1_cred_free(cred);
245 if (params->openssl_ciphers) {
246 wpa_printf(MSG_INFO, "TLS: openssl_ciphers not supported");
247 tlsv1_cred_free(cred);
251 if (tlsv1_set_ca_cert(cred, params->ca_cert,
252 params->ca_cert_blob, params->ca_cert_blob_len,
254 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
256 tlsv1_cred_free(cred);
260 if (tlsv1_set_cert(cred, params->client_cert,
261 params->client_cert_blob,
262 params->client_cert_blob_len)) {
263 wpa_printf(MSG_INFO, "TLS: Failed to configure client "
265 tlsv1_cred_free(cred);
269 if (tlsv1_set_private_key(cred, params->private_key,
270 params->private_key_passwd,
271 params->private_key_blob,
272 params->private_key_blob_len)) {
273 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
274 tlsv1_cred_free(cred);
278 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
279 params->dh_blob_len)) {
280 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
281 tlsv1_cred_free(cred);
285 if (tlsv1_client_set_cred(conn->client, cred) < 0) {
286 tlsv1_cred_free(cred);
290 tlsv1_client_set_flags(conn->client, params->flags);
293 #else /* CONFIG_TLS_INTERNAL_CLIENT */
295 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
299 int tls_global_set_params(void *tls_ctx,
300 const struct tls_connection_params *params)
302 #ifdef CONFIG_TLS_INTERNAL_SERVER
303 struct tls_global *global = tls_ctx;
304 struct tlsv1_credentials *cred;
306 /* Currently, global parameters are only set when running in server
309 tlsv1_cred_free(global->server_cred);
310 global->server_cred = cred = tlsv1_cred_alloc();
314 if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
315 params->ca_cert_blob_len, params->ca_path)) {
316 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
321 if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
322 params->client_cert_blob_len)) {
323 wpa_printf(MSG_INFO, "TLS: Failed to configure server "
328 if (tlsv1_set_private_key(cred, params->private_key,
329 params->private_key_passwd,
330 params->private_key_blob,
331 params->private_key_blob_len)) {
332 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
336 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
337 params->dh_blob_len)) {
338 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
342 if (params->ocsp_stapling_response)
343 cred->ocsp_stapling_response =
344 os_strdup(params->ocsp_stapling_response);
345 if (params->ocsp_stapling_response_multi)
346 cred->ocsp_stapling_response_multi =
347 os_strdup(params->ocsp_stapling_response_multi);
350 #else /* CONFIG_TLS_INTERNAL_SERVER */
352 #endif /* CONFIG_TLS_INTERNAL_SERVER */
356 int tls_global_set_verify(void *tls_ctx, int check_crl)
358 struct tls_global *global = tls_ctx;
359 global->check_crl = check_crl;
364 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
365 int verify_peer, unsigned int flags,
366 const u8 *session_ctx, size_t session_ctx_len)
368 #ifdef CONFIG_TLS_INTERNAL_SERVER
370 return tlsv1_server_set_verify(conn->server, verify_peer);
371 #endif /* CONFIG_TLS_INTERNAL_SERVER */
376 int tls_connection_get_random(void *tls_ctx, struct tls_connection *conn,
377 struct tls_random *data)
379 #ifdef CONFIG_TLS_INTERNAL_CLIENT
381 return tlsv1_client_get_random(conn->client, data);
382 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
383 #ifdef CONFIG_TLS_INTERNAL_SERVER
385 return tlsv1_server_get_random(conn->server, data);
386 #endif /* CONFIG_TLS_INTERNAL_SERVER */
391 static int tls_get_keyblock_size(struct tls_connection *conn)
393 #ifdef CONFIG_TLS_INTERNAL_CLIENT
395 return tlsv1_client_get_keyblock_size(conn->client);
396 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
397 #ifdef CONFIG_TLS_INTERNAL_SERVER
399 return tlsv1_server_get_keyblock_size(conn->server);
400 #endif /* CONFIG_TLS_INTERNAL_SERVER */
405 static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
406 const char *label, int server_random_first,
407 int skip_keyblock, u8 *out, size_t out_len)
409 int ret = -1, skip = 0;
414 skip = tls_get_keyblock_size(conn);
417 tmp_out = os_malloc(skip + out_len);
423 #ifdef CONFIG_TLS_INTERNAL_CLIENT
425 ret = tlsv1_client_prf(conn->client, label,
427 _out, skip + out_len);
429 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
430 #ifdef CONFIG_TLS_INTERNAL_SERVER
432 ret = tlsv1_server_prf(conn->server, label,
434 _out, skip + out_len);
436 #endif /* CONFIG_TLS_INTERNAL_SERVER */
437 if (ret == 0 && skip_keyblock)
438 os_memcpy(out, _out + skip, out_len);
439 bin_clear_free(tmp_out, skip);
445 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
446 const char *label, u8 *out, size_t out_len)
448 return tls_connection_prf(tls_ctx, conn, label, 0, 0, out, out_len);
452 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
453 u8 *out, size_t out_len)
455 return tls_connection_prf(tls_ctx, conn, "key expansion", 1, 1, out,
460 struct wpabuf * tls_connection_handshake(void *tls_ctx,
461 struct tls_connection *conn,
462 const struct wpabuf *in_data,
463 struct wpabuf **appl_data)
465 return tls_connection_handshake2(tls_ctx, conn, in_data, appl_data,
470 struct wpabuf * tls_connection_handshake2(void *tls_ctx,
471 struct tls_connection *conn,
472 const struct wpabuf *in_data,
473 struct wpabuf **appl_data,
476 #ifdef CONFIG_TLS_INTERNAL_CLIENT
478 size_t res_len, ad_len;
481 if (conn->client == NULL)
485 res = tlsv1_client_handshake(conn->client,
486 in_data ? wpabuf_head(in_data) : NULL,
487 in_data ? wpabuf_len(in_data) : 0,
488 &res_len, &ad, &ad_len, need_more_data);
491 out = wpabuf_alloc_ext_data(res, res_len);
499 *appl_data = wpabuf_alloc_ext_data(ad, ad_len);
500 if (*appl_data == NULL)
508 #else /* CONFIG_TLS_INTERNAL_CLIENT */
510 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
514 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
515 struct tls_connection *conn,
516 const struct wpabuf *in_data,
517 struct wpabuf **appl_data)
519 #ifdef CONFIG_TLS_INTERNAL_SERVER
524 if (conn->server == NULL)
530 res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
531 wpabuf_len(in_data), &res_len);
532 if (res == NULL && tlsv1_server_established(conn->server))
533 return wpabuf_alloc(0);
536 out = wpabuf_alloc_ext_data(res, res_len);
543 #else /* CONFIG_TLS_INTERNAL_SERVER */
545 #endif /* CONFIG_TLS_INTERNAL_SERVER */
549 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
550 struct tls_connection *conn,
551 const struct wpabuf *in_data)
553 #ifdef CONFIG_TLS_INTERNAL_CLIENT
557 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
560 res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data),
568 wpabuf_put(buf, res);
571 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
572 #ifdef CONFIG_TLS_INTERNAL_SERVER
576 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
579 res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data),
587 wpabuf_put(buf, res);
590 #endif /* CONFIG_TLS_INTERNAL_SERVER */
595 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
596 struct tls_connection *conn,
597 const struct wpabuf *in_data)
599 return tls_connection_decrypt2(tls_ctx, conn, in_data, NULL);
603 struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
604 struct tls_connection *conn,
605 const struct wpabuf *in_data,
611 #ifdef CONFIG_TLS_INTERNAL_CLIENT
613 return tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
617 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
618 #ifdef CONFIG_TLS_INTERNAL_SERVER
622 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
625 res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data),
633 wpabuf_put(buf, res);
636 #endif /* CONFIG_TLS_INTERNAL_SERVER */
641 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
643 #ifdef CONFIG_TLS_INTERNAL_CLIENT
645 return tlsv1_client_resumed(conn->client);
646 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
647 #ifdef CONFIG_TLS_INTERNAL_SERVER
649 return tlsv1_server_resumed(conn->server);
650 #endif /* CONFIG_TLS_INTERNAL_SERVER */
655 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
658 #ifdef CONFIG_TLS_INTERNAL_CLIENT
660 return tlsv1_client_set_cipher_list(conn->client, ciphers);
661 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
662 #ifdef CONFIG_TLS_INTERNAL_SERVER
664 return tlsv1_server_set_cipher_list(conn->server, ciphers);
665 #endif /* CONFIG_TLS_INTERNAL_SERVER */
670 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
671 char *buf, size_t buflen)
675 #ifdef CONFIG_TLS_INTERNAL_CLIENT
677 return tlsv1_client_get_version(conn->client, buf, buflen);
678 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
683 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
684 char *buf, size_t buflen)
688 #ifdef CONFIG_TLS_INTERNAL_CLIENT
690 return tlsv1_client_get_cipher(conn->client, buf, buflen);
691 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
692 #ifdef CONFIG_TLS_INTERNAL_SERVER
694 return tlsv1_server_get_cipher(conn->server, buf, buflen);
695 #endif /* CONFIG_TLS_INTERNAL_SERVER */
700 int tls_connection_enable_workaround(void *tls_ctx,
701 struct tls_connection *conn)
707 int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
708 int ext_type, const u8 *data,
711 #ifdef CONFIG_TLS_INTERNAL_CLIENT
713 return tlsv1_client_hello_ext(conn->client, ext_type,
716 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
721 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
727 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
733 int tls_connection_get_write_alerts(void *tls_ctx,
734 struct tls_connection *conn)
740 int tls_connection_set_session_ticket_cb(void *tls_ctx,
741 struct tls_connection *conn,
742 tls_session_ticket_cb cb,
745 #ifdef CONFIG_TLS_INTERNAL_CLIENT
747 tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
750 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
751 #ifdef CONFIG_TLS_INTERNAL_SERVER
753 tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
756 #endif /* CONFIG_TLS_INTERNAL_SERVER */
761 int tls_get_library_version(char *buf, size_t buf_len)
763 return os_snprintf(buf, buf_len, "internal");
767 void tls_connection_set_success_data(struct tls_connection *conn,
773 void tls_connection_set_success_data_resumed(struct tls_connection *conn)
778 const struct wpabuf *
779 tls_connection_get_success_data(struct tls_connection *conn)
785 void tls_connection_remove_session(struct tls_connection *conn)