2 * WPA Supplicant / TLS interface functions and an internal TLS implementation
3 * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
14 * This file interface functions for hostapd/wpa_supplicant to use the
15 * integrated TLSv1 implementation.
22 #include "tls/tlsv1_client.h"
23 #include "tls/tlsv1_server.h"
26 static int tls_ref_count = 0;
30 struct tlsv1_credentials *server_cred;
34 struct tls_connection {
35 struct tlsv1_client *client;
36 struct tlsv1_server *server;
40 void * tls_init(const struct tls_config *conf)
42 struct tls_global *global;
44 if (tls_ref_count == 0) {
45 #ifdef CONFIG_TLS_INTERNAL_CLIENT
46 if (tlsv1_client_global_init())
48 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
49 #ifdef CONFIG_TLS_INTERNAL_SERVER
50 if (tlsv1_server_global_init())
52 #endif /* CONFIG_TLS_INTERNAL_SERVER */
56 global = os_zalloc(sizeof(*global));
63 void tls_deinit(void *ssl_ctx)
65 struct tls_global *global = ssl_ctx;
67 if (tls_ref_count == 0) {
68 #ifdef CONFIG_TLS_INTERNAL_CLIENT
69 tlsv1_client_global_deinit();
70 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
71 #ifdef CONFIG_TLS_INTERNAL_SERVER
72 tlsv1_cred_free(global->server_cred);
73 tlsv1_server_global_deinit();
74 #endif /* CONFIG_TLS_INTERNAL_SERVER */
80 int tls_get_errors(void *tls_ctx)
86 struct tls_connection * tls_connection_init(void *tls_ctx)
88 struct tls_connection *conn;
89 struct tls_global *global = tls_ctx;
91 conn = os_zalloc(sizeof(*conn));
95 #ifdef CONFIG_TLS_INTERNAL_CLIENT
96 if (!global->server) {
97 conn->client = tlsv1_client_init();
98 if (conn->client == NULL) {
103 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
104 #ifdef CONFIG_TLS_INTERNAL_SERVER
105 if (global->server) {
106 conn->server = tlsv1_server_init(global->server_cred);
107 if (conn->server == NULL) {
112 #endif /* CONFIG_TLS_INTERNAL_SERVER */
118 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
122 #ifdef CONFIG_TLS_INTERNAL_CLIENT
124 tlsv1_client_deinit(conn->client);
125 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
126 #ifdef CONFIG_TLS_INTERNAL_SERVER
128 tlsv1_server_deinit(conn->server);
129 #endif /* CONFIG_TLS_INTERNAL_SERVER */
134 int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
136 #ifdef CONFIG_TLS_INTERNAL_CLIENT
138 return tlsv1_client_established(conn->client);
139 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
140 #ifdef CONFIG_TLS_INTERNAL_SERVER
142 return tlsv1_server_established(conn->server);
143 #endif /* CONFIG_TLS_INTERNAL_SERVER */
148 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
150 #ifdef CONFIG_TLS_INTERNAL_CLIENT
152 return tlsv1_client_shutdown(conn->client);
153 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
154 #ifdef CONFIG_TLS_INTERNAL_SERVER
156 return tlsv1_server_shutdown(conn->server);
157 #endif /* CONFIG_TLS_INTERNAL_SERVER */
162 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
163 const struct tls_connection_params *params)
165 #ifdef CONFIG_TLS_INTERNAL_CLIENT
166 struct tlsv1_credentials *cred;
168 if (conn->client == NULL)
171 cred = tlsv1_cred_alloc();
175 if (tlsv1_set_ca_cert(cred, params->ca_cert,
176 params->ca_cert_blob, params->ca_cert_blob_len,
178 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
180 tlsv1_cred_free(cred);
184 if (tlsv1_set_cert(cred, params->client_cert,
185 params->client_cert_blob,
186 params->client_cert_blob_len)) {
187 wpa_printf(MSG_INFO, "TLS: Failed to configure client "
189 tlsv1_cred_free(cred);
193 if (tlsv1_set_private_key(cred, params->private_key,
194 params->private_key_passwd,
195 params->private_key_blob,
196 params->private_key_blob_len)) {
197 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
198 tlsv1_cred_free(cred);
202 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
203 params->dh_blob_len)) {
204 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
205 tlsv1_cred_free(cred);
209 if (tlsv1_client_set_cred(conn->client, cred) < 0) {
210 tlsv1_cred_free(cred);
215 #else /* CONFIG_TLS_INTERNAL_CLIENT */
217 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
221 int tls_global_set_params(void *tls_ctx,
222 const struct tls_connection_params *params)
224 #ifdef CONFIG_TLS_INTERNAL_SERVER
225 struct tls_global *global = tls_ctx;
226 struct tlsv1_credentials *cred;
228 /* Currently, global parameters are only set when running in server
231 tlsv1_cred_free(global->server_cred);
232 global->server_cred = cred = tlsv1_cred_alloc();
236 if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
237 params->ca_cert_blob_len, params->ca_path)) {
238 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
243 if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
244 params->client_cert_blob_len)) {
245 wpa_printf(MSG_INFO, "TLS: Failed to configure server "
250 if (tlsv1_set_private_key(cred, params->private_key,
251 params->private_key_passwd,
252 params->private_key_blob,
253 params->private_key_blob_len)) {
254 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
258 if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
259 params->dh_blob_len)) {
260 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
265 #else /* CONFIG_TLS_INTERNAL_SERVER */
267 #endif /* CONFIG_TLS_INTERNAL_SERVER */
271 int tls_global_set_verify(void *tls_ctx, int check_crl)
273 struct tls_global *global = tls_ctx;
274 global->check_crl = check_crl;
279 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
282 #ifdef CONFIG_TLS_INTERNAL_SERVER
284 return tlsv1_server_set_verify(conn->server, verify_peer);
285 #endif /* CONFIG_TLS_INTERNAL_SERVER */
290 int tls_connection_set_ia(void *tls_ctx, struct tls_connection *conn,
297 int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn,
298 struct tls_keys *keys)
300 #ifdef CONFIG_TLS_INTERNAL_CLIENT
302 return tlsv1_client_get_keys(conn->client, keys);
303 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
304 #ifdef CONFIG_TLS_INTERNAL_SERVER
306 return tlsv1_server_get_keys(conn->server, keys);
307 #endif /* CONFIG_TLS_INTERNAL_SERVER */
312 int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
313 const char *label, int server_random_first,
314 u8 *out, size_t out_len)
316 #ifdef CONFIG_TLS_INTERNAL_CLIENT
318 return tlsv1_client_prf(conn->client, label,
322 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
323 #ifdef CONFIG_TLS_INTERNAL_SERVER
325 return tlsv1_server_prf(conn->server, label,
329 #endif /* CONFIG_TLS_INTERNAL_SERVER */
334 u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
335 const u8 *in_data, size_t in_len,
336 size_t *out_len, u8 **appl_data,
337 size_t *appl_data_len)
339 #ifdef CONFIG_TLS_INTERNAL_CLIENT
340 if (conn->client == NULL)
346 wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
347 __func__, in_data, (unsigned long) in_len);
348 return tlsv1_client_handshake(conn->client, in_data, in_len, out_len,
349 appl_data, appl_data_len);
350 #else /* CONFIG_TLS_INTERNAL_CLIENT */
352 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
356 u8 * tls_connection_server_handshake(void *tls_ctx,
357 struct tls_connection *conn,
358 const u8 *in_data, size_t in_len,
361 #ifdef CONFIG_TLS_INTERNAL_SERVER
363 if (conn->server == NULL)
366 wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
367 __func__, in_data, (unsigned long) in_len);
368 out = tlsv1_server_handshake(conn->server, in_data, in_len, out_len);
369 if (out == NULL && tlsv1_server_established(conn->server))
372 #else /* CONFIG_TLS_INTERNAL_SERVER */
374 #endif /* CONFIG_TLS_INTERNAL_SERVER */
378 int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn,
379 const u8 *in_data, size_t in_len,
380 u8 *out_data, size_t out_len)
382 #ifdef CONFIG_TLS_INTERNAL_CLIENT
384 return tlsv1_client_encrypt(conn->client, in_data, in_len,
387 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
388 #ifdef CONFIG_TLS_INTERNAL_SERVER
390 return tlsv1_server_encrypt(conn->server, in_data, in_len,
393 #endif /* CONFIG_TLS_INTERNAL_SERVER */
398 int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn,
399 const u8 *in_data, size_t in_len,
400 u8 *out_data, size_t out_len)
402 #ifdef CONFIG_TLS_INTERNAL_CLIENT
404 return tlsv1_client_decrypt(conn->client, in_data, in_len,
407 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
408 #ifdef CONFIG_TLS_INTERNAL_SERVER
410 return tlsv1_server_decrypt(conn->server, in_data, in_len,
413 #endif /* CONFIG_TLS_INTERNAL_SERVER */
418 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
420 #ifdef CONFIG_TLS_INTERNAL_CLIENT
422 return tlsv1_client_resumed(conn->client);
423 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
424 #ifdef CONFIG_TLS_INTERNAL_SERVER
426 return tlsv1_server_resumed(conn->server);
427 #endif /* CONFIG_TLS_INTERNAL_SERVER */
432 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
435 #ifdef CONFIG_TLS_INTERNAL_CLIENT
437 return tlsv1_client_set_cipher_list(conn->client, ciphers);
438 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
439 #ifdef CONFIG_TLS_INTERNAL_SERVER
441 return tlsv1_server_set_cipher_list(conn->server, ciphers);
442 #endif /* CONFIG_TLS_INTERNAL_SERVER */
447 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
448 char *buf, size_t buflen)
452 #ifdef CONFIG_TLS_INTERNAL_CLIENT
454 return tlsv1_client_get_cipher(conn->client, buf, buflen);
455 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
456 #ifdef CONFIG_TLS_INTERNAL_SERVER
458 return tlsv1_server_get_cipher(conn->server, buf, buflen);
459 #endif /* CONFIG_TLS_INTERNAL_SERVER */
464 int tls_connection_enable_workaround(void *tls_ctx,
465 struct tls_connection *conn)
471 int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
472 int ext_type, const u8 *data,
475 #ifdef CONFIG_TLS_INTERNAL_CLIENT
477 return tlsv1_client_hello_ext(conn->client, ext_type,
480 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
485 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
491 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
497 int tls_connection_get_write_alerts(void *tls_ctx,
498 struct tls_connection *conn)
504 int tls_connection_get_keyblock_size(void *tls_ctx,
505 struct tls_connection *conn)
507 #ifdef CONFIG_TLS_INTERNAL_CLIENT
509 return tlsv1_client_get_keyblock_size(conn->client);
510 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
511 #ifdef CONFIG_TLS_INTERNAL_SERVER
513 return tlsv1_server_get_keyblock_size(conn->server);
514 #endif /* CONFIG_TLS_INTERNAL_SERVER */
519 unsigned int tls_capabilities(void *tls_ctx)
525 int tls_connection_ia_send_phase_finished(void *tls_ctx,
526 struct tls_connection *conn,
528 u8 *out_data, size_t out_len)
534 int tls_connection_ia_final_phase_finished(void *tls_ctx,
535 struct tls_connection *conn)
541 int tls_connection_ia_permute_inner_secret(void *tls_ctx,
542 struct tls_connection *conn,
543 const u8 *key, size_t key_len)
549 int tls_connection_set_session_ticket_cb(void *tls_ctx,
550 struct tls_connection *conn,
551 tls_session_ticket_cb cb,
554 #ifdef CONFIG_TLS_INTERNAL_CLIENT
556 tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
559 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
560 #ifdef CONFIG_TLS_INTERNAL_SERVER
562 tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
565 #endif /* CONFIG_TLS_INTERNAL_SERVER */