src/crypto/tls_internal.c

   1 /*
   2  * WPA Supplicant / TLS interface functions and an internal TLS implementation
   3  * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  *
  14  * This file interface functions for hostapd/wpa_supplicant to use the
  15  * integrated TLSv1 implementation.
  16  */
  17
  18 #include "includes.h"
  19
  20 #include "common.h"
  21 #include "tls.h"
  22 #include "tls/tlsv1_client.h"
  23 #include "tls/tlsv1_server.h"
  24
  25
  26 static int tls_ref_count = 0;
  27
  28 struct tls_global {
  29         int server;
  30         struct tlsv1_credentials *server_cred;
  31         int check_crl;
  32 };
  33
  34 struct tls_connection {
  35         struct tlsv1_client *client;
  36         struct tlsv1_server *server;
  37 };
  38
  39
  40 void * tls_init(const struct tls_config *conf)
  41 {
  42         struct tls_global *global;
  43
  44         if (tls_ref_count == 0) {
  45 #ifdef CONFIG_TLS_INTERNAL_CLIENT
  46                 if (tlsv1_client_global_init())
  47                         return NULL;
  48 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
  49 #ifdef CONFIG_TLS_INTERNAL_SERVER
  50                 if (tlsv1_server_global_init())
  51                         return NULL;
  52 #endif /* CONFIG_TLS_INTERNAL_SERVER */
  53         }
  54         tls_ref_count++;
  55
  56         global = os_zalloc(sizeof(*global));
  57         if (global == NULL)
  58                 return NULL;
  59
  60         return global;
  61 }
  62
  63 void tls_deinit(void *ssl_ctx)
  64 {
  65         struct tls_global *global = ssl_ctx;
  66         tls_ref_count--;
  67         if (tls_ref_count == 0) {
  68 #ifdef CONFIG_TLS_INTERNAL_CLIENT
  69                 tlsv1_client_global_deinit();
  70 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
  71 #ifdef CONFIG_TLS_INTERNAL_SERVER
  72                 tlsv1_cred_free(global->server_cred);
  73                 tlsv1_server_global_deinit();
  74 #endif /* CONFIG_TLS_INTERNAL_SERVER */
  75         }
  76         os_free(global);
  77 }
  78
  79
  80 int tls_get_errors(void *tls_ctx)
  81 {
  82         return 0;
  83 }
  84
  85
  86 struct tls_connection * tls_connection_init(void *tls_ctx)
  87 {
  88         struct tls_connection *conn;
  89         struct tls_global *global = tls_ctx;
  90
  91         conn = os_zalloc(sizeof(*conn));
  92         if (conn == NULL)
  93                 return NULL;
  94
  95 #ifdef CONFIG_TLS_INTERNAL_CLIENT
  96         if (!global->server) {
  97                 conn->client = tlsv1_client_init();
  98                 if (conn->client == NULL) {
  99                         os_free(conn);
 100                         return NULL;
 101                 }
 102         }
 103 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 104 #ifdef CONFIG_TLS_INTERNAL_SERVER
 105         if (global->server) {
 106                 conn->server = tlsv1_server_init(global->server_cred);
 107                 if (conn->server == NULL) {
 108                         os_free(conn);
 109                         return NULL;
 110                 }
 111         }
 112 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 113
 114         return conn;
 115 }
 116
 117
 118 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
 119 {
 120         if (conn == NULL)
 121                 return;
 122 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 123         if (conn->client)
 124                 tlsv1_client_deinit(conn->client);
 125 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 126 #ifdef CONFIG_TLS_INTERNAL_SERVER
 127         if (conn->server)
 128                 tlsv1_server_deinit(conn->server);
 129 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 130         os_free(conn);
 131 }
 132
 133
 134 int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
 135 {
 136 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 137         if (conn->client)
 138                 return tlsv1_client_established(conn->client);
 139 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 140 #ifdef CONFIG_TLS_INTERNAL_SERVER
 141         if (conn->server)
 142                 return tlsv1_server_established(conn->server);
 143 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 144         return 0;
 145 }
 146
 147
 148 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
 149 {
 150 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 151         if (conn->client)
 152                 return tlsv1_client_shutdown(conn->client);
 153 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 154 #ifdef CONFIG_TLS_INTERNAL_SERVER
 155         if (conn->server)
 156                 return tlsv1_server_shutdown(conn->server);
 157 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 158         return -1;
 159 }
 160
 161
 162 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 163                               const struct tls_connection_params *params)
 164 {
 165 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 166         struct tlsv1_credentials *cred;
 167
 168         if (conn->client == NULL)
 169                 return -1;
 170
 171         cred = tlsv1_cred_alloc();
 172         if (cred == NULL)
 173                 return -1;
 174
 175         if (tlsv1_set_ca_cert(cred, params->ca_cert,
 176                               params->ca_cert_blob, params->ca_cert_blob_len,
 177                               params->ca_path)) {
 178                 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
 179                            "certificates");
 180                 tlsv1_cred_free(cred);
 181                 return -1;
 182         }
 183
 184         if (tlsv1_set_cert(cred, params->client_cert,
 185                            params->client_cert_blob,
 186                            params->client_cert_blob_len)) {
 187                 wpa_printf(MSG_INFO, "TLS: Failed to configure client "
 188                            "certificate");
 189                 tlsv1_cred_free(cred);
 190                 return -1;
 191         }
 192
 193         if (tlsv1_set_private_key(cred, params->private_key,
 194                                   params->private_key_passwd,
 195                                   params->private_key_blob,
 196                                   params->private_key_blob_len)) {
 197                 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
 198                 tlsv1_cred_free(cred);
 199                 return -1;
 200         }
 201
 202         if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
 203                                params->dh_blob_len)) {
 204                 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
 205                 tlsv1_cred_free(cred);
 206                 return -1;
 207         }
 208
 209         if (tlsv1_client_set_cred(conn->client, cred) < 0) {
 210                 tlsv1_cred_free(cred);
 211                 return -1;
 212         }
 213
 214         return 0;
 215 #else /* CONFIG_TLS_INTERNAL_CLIENT */
 216         return -1;
 217 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 218 }
 219
 220
 221 int tls_global_set_params(void *tls_ctx,
 222                           const struct tls_connection_params *params)
 223 {
 224 #ifdef CONFIG_TLS_INTERNAL_SERVER
 225         struct tls_global *global = tls_ctx;
 226         struct tlsv1_credentials *cred;
 227
 228         /* Currently, global parameters are only set when running in server
 229          * mode. */
 230         global->server = 1;
 231         tlsv1_cred_free(global->server_cred);
 232         global->server_cred = cred = tlsv1_cred_alloc();
 233         if (cred == NULL)
 234                 return -1;
 235
 236         if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
 237                               params->ca_cert_blob_len, params->ca_path)) {
 238                 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
 239                            "certificates");
 240                 return -1;
 241         }
 242
 243         if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
 244                            params->client_cert_blob_len)) {
 245                 wpa_printf(MSG_INFO, "TLS: Failed to configure server "
 246                            "certificate");
 247                 return -1;
 248         }
 249
 250         if (tlsv1_set_private_key(cred, params->private_key,
 251                                   params->private_key_passwd,
 252                                   params->private_key_blob,
 253                                   params->private_key_blob_len)) {
 254                 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
 255                 return -1;
 256         }
 257
 258         if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
 259                                params->dh_blob_len)) {
 260                 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
 261                 return -1;
 262         }
 263
 264         return 0;
 265 #else /* CONFIG_TLS_INTERNAL_SERVER */
 266         return -1;
 267 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 268 }
 269
 270
 271 int tls_global_set_verify(void *tls_ctx, int check_crl)
 272 {
 273         struct tls_global *global = tls_ctx;
 274         global->check_crl = check_crl;
 275         return 0;
 276 }
 277
 278
 279 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
 280                               int verify_peer)
 281 {
 282 #ifdef CONFIG_TLS_INTERNAL_SERVER
 283         if (conn->server)
 284                 return tlsv1_server_set_verify(conn->server, verify_peer);
 285 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 286         return -1;
 287 }
 288
 289
 290 int tls_connection_set_ia(void *tls_ctx, struct tls_connection *conn,
 291                           int tls_ia)
 292 {
 293         return -1;
 294 }
 295
 296
 297 int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn,
 298                             struct tls_keys *keys)
 299 {
 300 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 301         if (conn->client)
 302                 return tlsv1_client_get_keys(conn->client, keys);
 303 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 304 #ifdef CONFIG_TLS_INTERNAL_SERVER
 305         if (conn->server)
 306                 return tlsv1_server_get_keys(conn->server, keys);
 307 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 308         return -1;
 309 }
 310
 311
 312 int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
 313                        const char *label, int server_random_first,
 314                        u8 *out, size_t out_len)
 315 {
 316 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 317         if (conn->client) {
 318                 return tlsv1_client_prf(conn->client, label,
 319                                         server_random_first,
 320                                         out, out_len);
 321         }
 322 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 323 #ifdef CONFIG_TLS_INTERNAL_SERVER
 324         if (conn->server) {
 325                 return tlsv1_server_prf(conn->server, label,
 326                                         server_random_first,
 327                                         out, out_len);
 328         }
 329 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 330         return -1;
 331 }
 332
 333
 334 u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
 335                               const u8 *in_data, size_t in_len,
 336                               size_t *out_len, u8 **appl_data,
 337                               size_t *appl_data_len)
 338 {
 339 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 340         if (conn->client == NULL)
 341                 return NULL;
 342
 343         if (appl_data)
 344                 *appl_data = NULL;
 345
 346         wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
 347                    __func__, in_data, (unsigned long) in_len);
 348         return tlsv1_client_handshake(conn->client, in_data, in_len, out_len,
 349                                       appl_data, appl_data_len);
 350 #else /* CONFIG_TLS_INTERNAL_CLIENT */
 351         return NULL;
 352 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 353 }
 354
 355
 356 u8 * tls_connection_server_handshake(void *tls_ctx,
 357                                      struct tls_connection *conn,
 358                                      const u8 *in_data, size_t in_len,
 359                                      size_t *out_len)
 360 {
 361 #ifdef CONFIG_TLS_INTERNAL_SERVER
 362         u8 *out;
 363         if (conn->server == NULL)
 364                 return NULL;
 365
 366         wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
 367                    __func__, in_data, (unsigned long) in_len);
 368         out = tlsv1_server_handshake(conn->server, in_data, in_len, out_len);
 369         if (out == NULL && tlsv1_server_established(conn->server))
 370                 out = os_malloc(1);
 371         return out;
 372 #else /* CONFIG_TLS_INTERNAL_SERVER */
 373         return NULL;
 374 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 375 }
 376
 377
 378 int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn,
 379                            const u8 *in_data, size_t in_len,
 380                            u8 *out_data, size_t out_len)
 381 {
 382 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 383         if (conn->client) {
 384                 return tlsv1_client_encrypt(conn->client, in_data, in_len,
 385                                             out_data, out_len);
 386         }
 387 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 388 #ifdef CONFIG_TLS_INTERNAL_SERVER
 389         if (conn->server) {
 390                 return tlsv1_server_encrypt(conn->server, in_data, in_len,
 391                                             out_data, out_len);
 392         }
 393 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 394         return -1;
 395 }
 396
 397
 398 int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn,
 399                            const u8 *in_data, size_t in_len,
 400                            u8 *out_data, size_t out_len)
 401 {
 402 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 403         if (conn->client) {
 404                 return tlsv1_client_decrypt(conn->client, in_data, in_len,
 405                                             out_data, out_len);
 406         }
 407 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 408 #ifdef CONFIG_TLS_INTERNAL_SERVER
 409         if (conn->server) {
 410                 return tlsv1_server_decrypt(conn->server, in_data, in_len,
 411                                             out_data, out_len);
 412         }
 413 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 414         return -1;
 415 }
 416
 417
 418 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
 419 {
 420 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 421         if (conn->client)
 422                 return tlsv1_client_resumed(conn->client);
 423 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 424 #ifdef CONFIG_TLS_INTERNAL_SERVER
 425         if (conn->server)
 426                 return tlsv1_server_resumed(conn->server);
 427 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 428         return -1;
 429 }
 430
 431
 432 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 433                                    u8 *ciphers)
 434 {
 435 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 436         if (conn->client)
 437                 return tlsv1_client_set_cipher_list(conn->client, ciphers);
 438 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 439 #ifdef CONFIG_TLS_INTERNAL_SERVER
 440         if (conn->server)
 441                 return tlsv1_server_set_cipher_list(conn->server, ciphers);
 442 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 443         return -1;
 444 }
 445
 446
 447 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
 448                    char *buf, size_t buflen)
 449 {
 450         if (conn == NULL)
 451                 return -1;
 452 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 453         if (conn->client)
 454                 return tlsv1_client_get_cipher(conn->client, buf, buflen);
 455 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 456 #ifdef CONFIG_TLS_INTERNAL_SERVER
 457         if (conn->server)
 458                 return tlsv1_server_get_cipher(conn->server, buf, buflen);
 459 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 460         return -1;
 461 }
 462
 463
 464 int tls_connection_enable_workaround(void *tls_ctx,
 465                                      struct tls_connection *conn)
 466 {
 467         return -1;
 468 }
 469
 470
 471 int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
 472                                     int ext_type, const u8 *data,
 473                                     size_t data_len)
 474 {
 475 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 476         if (conn->client) {
 477                 return tlsv1_client_hello_ext(conn->client, ext_type,
 478                                               data, data_len);
 479         }
 480 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 481         return -1;
 482 }
 483
 484
 485 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
 486 {
 487         return 0;
 488 }
 489
 490
 491 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
 492 {
 493         return 0;
 494 }
 495
 496
 497 int tls_connection_get_write_alerts(void *tls_ctx,
 498                                     struct tls_connection *conn)
 499 {
 500         return 0;
 501 }
 502
 503
 504 int tls_connection_get_keyblock_size(void *tls_ctx,
 505                                      struct tls_connection *conn)
 506 {
 507 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 508         if (conn->client)
 509                 return tlsv1_client_get_keyblock_size(conn->client);
 510 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 511 #ifdef CONFIG_TLS_INTERNAL_SERVER
 512         if (conn->server)
 513                 return tlsv1_server_get_keyblock_size(conn->server);
 514 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 515         return -1;
 516 }
 517
 518
 519 unsigned int tls_capabilities(void *tls_ctx)
 520 {
 521         return 0;
 522 }
 523
 524
 525 int tls_connection_ia_send_phase_finished(void *tls_ctx,
 526                                           struct tls_connection *conn,
 527                                           int final,
 528                                           u8 *out_data, size_t out_len)
 529 {
 530         return -1;
 531 }
 532
 533
 534 int tls_connection_ia_final_phase_finished(void *tls_ctx,
 535                                            struct tls_connection *conn)
 536 {
 537         return -1;
 538 }
 539
 540
 541 int tls_connection_ia_permute_inner_secret(void *tls_ctx,
 542                                            struct tls_connection *conn,
 543                                            const u8 *key, size_t key_len)
 544 {
 545         return -1;
 546 }
 547
 548
 549 int tls_connection_set_session_ticket_cb(void *tls_ctx,
 550                                          struct tls_connection *conn,
 551                                          tls_session_ticket_cb cb,
 552                                          void *ctx)
 553 {
 554 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 555         if (conn->client) {
 556                 tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
 557                 return 0;
 558         }
 559 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 560 #ifdef CONFIG_TLS_INTERNAL_SERVER
 561         if (conn->server) {
 562                 tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
 563                 return 0;
 564         }
 565 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 566         return -1;
 567 }