wpa_supplicant / hostapd  2.5
tls.h File Reference

SSL/TLS interface definition. More...


Data Structures

struct  tls_random
 
union  tls_event_data
 
struct  tls_config
 
struct  tls_connection_params
 Parameters for TLS connection. More...
 

Macros

#define TLS_MAX_ALT_SUBJECT   10
 
#define TLS_CONN_ALLOW_SIGN_RSA_MD5   BIT(0)
 
#define TLS_CONN_DISABLE_TIME_CHECKS   BIT(1)
 
#define TLS_CONN_DISABLE_SESSION_TICKET   BIT(2)
 
#define TLS_CONN_REQUEST_OCSP   BIT(3)
 
#define TLS_CONN_REQUIRE_OCSP   BIT(4)
 
#define TLS_CONN_DISABLE_TLSv1_1   BIT(5)
 
#define TLS_CONN_DISABLE_TLSv1_2   BIT(6)
 
#define TLS_CONN_EAP_FAST   BIT(7)
 
#define TLS_CONN_DISABLE_TLSv1_0   BIT(8)
 
#define TLS_BREAK_VERIFY_DATA   BIT(0)
 
#define TLS_BREAK_SRV_KEY_X_HASH   BIT(1)
 
#define TLS_BREAK_SRV_KEY_X_SIGNATURE   BIT(2)
 
#define TLS_DHE_PRIME_511B   BIT(3)
 
#define TLS_DHE_PRIME_767B   BIT(4)
 
#define TLS_DHE_PRIME_15   BIT(5)
 
#define TLS_DHE_PRIME_58B   BIT(6)
 
#define TLS_DHE_NON_PRIME   BIT(7)
 

Typedefs

typedef int(* tls_session_ticket_cb )(void *ctx, const u8 *ticket, size_t len, const u8 *client_random, const u8 *server_random, u8 *master_secret)
 

Enumerations

enum  tls_event { TLS_CERT_CHAIN_SUCCESS, TLS_CERT_CHAIN_FAILURE, TLS_PEER_CERTIFICATE, TLS_ALERT }
 
enum  tls_fail_reason {
  TLS_FAIL_UNSPECIFIED = 0, TLS_FAIL_UNTRUSTED = 1, TLS_FAIL_REVOKED = 2, TLS_FAIL_NOT_YET_VALID = 3,
  TLS_FAIL_EXPIRED = 4, TLS_FAIL_SUBJECT_MISMATCH = 5, TLS_FAIL_ALTSUBJECT_MISMATCH = 6, TLS_FAIL_BAD_CERTIFICATE = 7,
  TLS_FAIL_SERVER_CHAIN_PROBE = 8, TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9, TLS_FAIL_DOMAIN_MISMATCH = 10
}
 
enum  { TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN = -4, TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2 }
 
enum  {
  TLS_CIPHER_NONE, TLS_CIPHER_RC4_SHA, TLS_CIPHER_AES128_SHA, TLS_CIPHER_RSA_DHE_AES128_SHA,
  TLS_CIPHER_ANON_DH_AES128_SHA
}
 

Functions

void * tls_init (const struct tls_config *conf)
 Initialize TLS library. More...
 
void tls_deinit (void *tls_ctx)
 Deinitialize TLS library. More...
 
int tls_get_errors (void *tls_ctx)
 Process pending errors. More...
 
struct tls_connection * tls_connection_init (void *tls_ctx)
 Initialize a new TLS connection. More...
 
void tls_connection_deinit (void *tls_ctx, struct tls_connection *conn)
 Free TLS connection data. More...
 
int tls_connection_established (void *tls_ctx, struct tls_connection *conn)
 Has the TLS connection been completed? More...
 
int tls_connection_shutdown (void *tls_ctx, struct tls_connection *conn)
 Shutdown TLS connection. More...
 
int __must_check tls_connection_set_params (void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params)
 Set TLS connection parameters. More...
 
int __must_check tls_global_set_params (void *tls_ctx, const struct tls_connection_params *params)
 Set TLS parameters for all TLS connections. More...
 
int __must_check tls_global_set_verify (void *tls_ctx, int check_crl)
 Set global certificate verification options. More...
 
int __must_check tls_connection_set_verify (void *tls_ctx, struct tls_connection *conn, int verify_peer, unsigned int flags, const u8 *session_ctx, size_t session_ctx_len)
 Set certificate verification options. More...
 
int __must_check tls_connection_get_random (void *tls_ctx, struct tls_connection *conn, struct tls_random *data)
 Get random data from TLS connection. More...
 
int __must_check tls_connection_prf (void *tls_ctx, struct tls_connection *conn, const char *label, int server_random_first, int skip_keyblock, u8 *out, size_t out_len)
 Use TLS-PRF to derive keying material. More...
 
struct wpabuf * tls_connection_handshake (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data, struct wpabuf **appl_data)
 Process TLS handshake (client side) More...
 
struct wpabuf * tls_connection_handshake2 (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data, struct wpabuf **appl_data, int *more_data_needed)
 
struct wpabuf * tls_connection_server_handshake (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data, struct wpabuf **appl_data)
 Process TLS handshake (server side) More...
 
struct wpabuf * tls_connection_encrypt (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data)
 Encrypt data into TLS tunnel. More...
 
struct wpabuf * tls_connection_decrypt (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data)
 Decrypt data from TLS tunnel. More...
 
struct wpabuf * tls_connection_decrypt2 (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data, int *more_data_needed)
 
int tls_connection_resumed (void *tls_ctx, struct tls_connection *conn)
 Was session resumption used. More...
 
int __must_check tls_connection_set_cipher_list (void *tls_ctx, struct tls_connection *conn, u8 *ciphers)
 Configure acceptable cipher suites. More...
 
int __must_check tls_get_version (void *tls_ctx, struct tls_connection *conn, char *buf, size_t buflen)
 Get the current TLS version number. More...
 
int __must_check tls_get_cipher (void *tls_ctx, struct tls_connection *conn, char *buf, size_t buflen)
 Get current cipher name. More...
 
int __must_check tls_connection_enable_workaround (void *tls_ctx, struct tls_connection *conn)
 Enable TLS workaround options. More...
 
int __must_check tls_connection_client_hello_ext (void *tls_ctx, struct tls_connection *conn, int ext_type, const u8 *data, size_t data_len)
 Set TLS extension for ClientHello. More...
 
int tls_connection_get_failed (void *tls_ctx, struct tls_connection *conn)
 Get connection failure status. More...
 
int tls_connection_get_read_alerts (void *tls_ctx, struct tls_connection *conn)
 Get connection read alert status. More...
 
int tls_connection_get_write_alerts (void *tls_ctx, struct tls_connection *conn)
 Get connection write alert status. More...
 
int __must_check tls_connection_set_session_ticket_cb (void *tls_ctx, struct tls_connection *conn, tls_session_ticket_cb cb, void *ctx)
 
void tls_connection_set_log_cb (struct tls_connection *conn, void(*log_cb)(void *ctx, const char *msg), void *ctx)
 
void tls_connection_set_test_flags (struct tls_connection *conn, u32 flags)
 
int tls_get_library_version (char *buf, size_t buf_len)
 
void tls_connection_set_success_data (struct tls_connection *conn, struct wpabuf *data)
 
void tls_connection_set_success_data_resumed (struct tls_connection *conn)
 
const struct wpabuf * tls_connection_get_success_data (struct tls_connection *conn)
 
void tls_connection_remove_session (struct tls_connection *conn)
 

Detailed Description

SSL/TLS interface definition.

Function Documentation

int __must_check tls_connection_client_hello_ext (void *tls_ctx, struct tls_connection *conn, int ext_type, const u8 *data, size_t data_len)

Set TLS extension for ClientHello.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
ext_type: Extension type
data: Extension payload (NULL to remove extension)
data_len: Extension payload length
Returns
0 on success, -1 on failure

struct wpabuf * tls_connection_decrypt (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data)

Decrypt data from TLS tunnel.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
in_data: Encrypted TLS data
Returns
Decrypted TLS data or NULL on failure

This function is used after TLS handshake has been completed successfully to receive data from the encrypted tunnel. The caller is responsible for freeing the returned output data.

void tls_connection_deinit (void *tls_ctx, struct tls_connection *conn)

Free TLS connection data.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()

Release all resources allocated for TLS connection.

int __must_check tls_connection_enable_workaround (void *tls_ctx, struct tls_connection *conn)

Enable TLS workaround options.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
Returns
0 on success, -1 on failure

This function is used to enable connection-specific workaround options for buggy SSL/TLS implementations.

struct wpabuf * tls_connection_encrypt (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data)

Encrypt data into TLS tunnel.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
in_data: Plaintext data to be encrypted
Returns
Encrypted TLS data or NULL on failure

This function is used after TLS handshake has been completed successfully to send data in the encrypted tunnel. The caller is responsible for freeing the returned output data.

int tls_connection_established (void *tls_ctx, struct tls_connection *conn)

Has the TLS connection been completed?

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
Returns
1 if TLS connection has been completed, 0 if not.

int tls_connection_get_failed (void *tls_ctx, struct tls_connection *conn)

Get connection failure status.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()

Returns >0 if connection has failed, 0 if not.

int __must_check tls_connection_get_random (void *tls_ctx, struct tls_connection *conn, struct tls_random *data)

Get random data from TLS connection.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
data: Structure of client/server random data (filled on success)
Returns
0 on success, -1 on failure

int tls_connection_get_read_alerts (void *tls_ctx, struct tls_connection *conn)

Get connection read alert status.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
Returns
Number of times a fatal read (remote end reported error) has happened during this connection.

int tls_connection_get_write_alerts (void *tls_ctx, struct tls_connection *conn)

Get connection write alert status.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
Returns
Number of times a fatal write (locally detected error) has happened during this connection.

struct wpabuf * tls_connection_handshake (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data, struct wpabuf **appl_data)

Process TLS handshake (client side)

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
in_data: Input data from TLS server
appl_data: Pointer to application data pointer, or NULL if dropped
Returns
Output data, NULL on failure

The caller is responsible for freeing the returned output data. If the final handshake message includes application data, this is decrypted and appl_data (if not NULL) is set to point to this data. The caller is responsible for freeing appl_data.

This function is used during TLS handshake. The first call is done with in_data == NULL and the library is expected to return ClientHello packet. This packet is then sent to the server and a response from server is given to TLS library by calling this function again with in_data pointing to the TLS message from the server.

If the TLS handshake fails, this function may return NULL. However, if the TLS library has a TLS alert to send out, that should be returned as the output data. In this case, tls_connection_get_failed() must return failure (> 0).

tls_connection_established() should return 1 once the TLS handshake has been completed successfully.

struct tls_connection * tls_connection_init (void *tls_ctx)

Initialize a new TLS connection.

Parameters
tls_ctx: TLS context data from tls_init()
Returns
Connection context data, conn for other function calls

int __must_check tls_connection_prf (void *tls_ctx, struct tls_connection *conn, const char *label, int server_random_first, int skip_keyblock, u8 *out, size_t out_len)

Use TLS-PRF to derive keying material.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
label: Label (e.g., description of the key) for PRF
server_random_first: seed is 0 = client_random|server_random, 1 = server_random|client_random
skip_keyblock: Skip TLS key block from the beginning of PRF output
out: Buffer for output data from TLS-PRF
out_len: Length of the output buffer
Returns
0 on success, -1 on failure

tls_connection_prf() is required so that further keying material can be derived from the master secret. Example implementation of this function is in tls_prf_sha1_md5() when it is called with seed set to client_random|server_random (or server_random|client_random). For TLSv1.2 and newer, a different PRF is needed, though.

int tls_connection_resumed (void *tls_ctx, struct tls_connection *conn)

Was session resumption used.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
Returns
1 if current session used session resumption, 0 if not

struct wpabuf * tls_connection_server_handshake (void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data, struct wpabuf **appl_data)

Process TLS handshake (server side)

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
in_data: Input data from TLS peer
appl_data: Pointer to application data pointer, or NULL if dropped
Returns
Output data, NULL on failure

The caller is responsible for freeing the returned output data.

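int __must_check tls_connection_set_cipher_list (void *tls_ctx, struct tls_connection *conn, u8 *ciphers)

Configure acceptable cipher suites.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers (TLS_CIPHER_*). The TLS_CIPHER_* values listed on this page include TLS_CIPHER_ANON_DH_AES128_SHA, an anonymous Diffie-Hellman suite that does not authenticate the peer, and TLS_CIPHER_RC4_SHA, which uses the deprecated RC4 cipher, so the list passed here determines whether such suites can be negotiated.
Returns
0 on success, -1 on failure
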
int __must_check tls_connection_set_params (void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params)

Set TLS connection parameters.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
params: Connection parameters
Returns
0 on success, -1 on failure, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine failure, or TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the PKCS#11 engine private key, or TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine failure.

int __must_check tls_connection_set_verify (void *tls_ctx, struct tls_connection *conn, int verify_peer, unsigned int flags, const u8 *session_ctx, size_t session_ctx_len)

Set certificate verification options.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
verify_peer: 1 = verify peer certificate
flags: Connection flags (TLS_CONN_*)
session_ctx: Session caching context or NULL to use default
session_ctx_len: Length of session_ctx in bytes.
Returns
0 on success, -1 on failure

int tls_connection_shutdown (void *tls_ctx, struct tls_connection *conn)

Shutdown TLS connection.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
Returns
0 on success, -1 on failure

Shutdown current TLS connection without releasing all resources. New connection can be started by using the same conn without having to call tls_connection_init() or setting certificates etc. again. The new connection should try to use session resumption.

void tls_deinit (void *tls_ctx)

Deinitialize TLS library.

Parameters
tls_ctx: TLS context data from tls_init()

Called once during program shutdown and once for each RSN pre-authentication session. If global library deinitialization is needed (i.e., one that is shared between both authentication types), the TLS library wrapper should maintain a reference counter and do global deinitialization only when moving from 1 to 0 references.

int __must_check tls_get_cipher (void *tls_ctx, struct tls_connection *conn, char *buf, size_t buflen)

Get current cipher name.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
buf: Buffer for the cipher name
buflen: buf size
Returns
0 on success, -1 on failure

Get the name of the currently used cipher.

int tls_get_errors (void *tls_ctx)

Process pending errors.

Parameters
tls_ctx: TLS context data from tls_init()
Returns
Number of errors found, 0 if no errors were detected.

Process all pending TLS errors.

int __must_check tls_get_version (void *tls_ctx, struct tls_connection *conn, char *buf, size_t buflen)

Get the current TLS version number.

Parameters
tls_ctx: TLS context data from tls_init()
conn: Connection context data from tls_connection_init()
buf: Buffer for returning the TLS version number
buflen: buf size
Returns
0 on success, -1 on failure

Get the currently used TLS version number.

int __must_check tls_global_set_params (void *tls_ctx, const struct tls_connection_params *params)

Set TLS parameters for all TLS connections.

Parameters
tls_ctx: TLS context data from tls_init()
params: Global TLS parameters
Returns
0 on success, -1 on failure, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine failure, or TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the PKCS#11 engine private key, or TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine failure.

int __must_check tls_global_set_verify (void *tls_ctx, int check_crl)

Set global certificate verification options.

Parameters
tls_ctx: TLS context data from tls_init()
check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate, 2 = verify CRL for all certificates
Returns
0 on success, -1 on failure

void * tls_init (const struct tls_config *conf)

Initialize TLS library.

Parameters
conf: Configuration data for TLS library
Returns
Context data to be used as tls_ctx in calls to other functions, or NULL on failure.

Called once during program startup and once for each RSN pre-authentication session. In other words, there can be two concurrent TLS contexts. If global library initialization is needed (i.e., one that is shared between both authentication types), the TLS library wrapper should maintain a reference counter and do global initialization only when moving from 0 to 1 reference.