]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/crypto/tls.h
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Return success/failure result from tls_prf_sha256()
[thirdparty/hostap.git] / src / crypto / tls.h
CommitLineData
6fc6879b 1/*
81c85c06 2 * SSL/TLS interface definition
080585c0 3 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
9#ifndef TLS_H
10#define TLS_H
11
12struct tls_connection;
13
1046db8b 14struct tls_random {
6fc6879b
JM		 15 const u8 *client_random;
16 size_t client_random_len;
17 const u8 *server_random;
18 size_t server_random_len;
6fc6879b
JM		 19};
20
00468b46 21enum tls_event {
dd7fec1f 22 TLS_CERT_CHAIN_SUCCESS,
00468b46 23 TLS_CERT_CHAIN_FAILURE,
dd7fec1f
PS		 24 TLS_PEER_CERTIFICATE,
25 TLS_ALERT
00468b46
JM		 26};
27
28/*
29 * Note: These are used as identifier with external programs and as such, the
30 * values must not be changed.
31 */
32enum tls_fail_reason {
33 TLS_FAIL_UNSPECIFIED = 0,
34 TLS_FAIL_UNTRUSTED = 1,
35 TLS_FAIL_REVOKED = 2,
36 TLS_FAIL_NOT_YET_VALID = 3,
37 TLS_FAIL_EXPIRED = 4,
38 TLS_FAIL_SUBJECT_MISMATCH = 5,
39 TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
40 TLS_FAIL_BAD_CERTIFICATE = 7,
01f809c7 41 TLS_FAIL_SERVER_CHAIN_PROBE = 8,
cebee30f
JM		 42 TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
43 TLS_FAIL_DOMAIN_MISMATCH = 10,
4eb8cfe0 44 TLS_FAIL_INSUFFICIENT_KEY_LEN = 11,
841205a1 45 TLS_FAIL_DN_MISMATCH = 12,
00468b46
JM		 46};
47
d07d3fbd
JM		 48
49#define TLS_MAX_ALT_SUBJECT 10
50
bc0634da
JM		 51struct tls_cert_data {
52 int depth;
53 const char *subject;
54 const struct wpabuf *cert;
55 const u8 *hash;
56 size_t hash_len;
57 const char *altsubject[TLS_MAX_ALT_SUBJECT];
58 int num_altsubject;
59 const char *serial_num;
21f1a1e6 60 int tod;
bc0634da
JM		 61};
62
00468b46
JM		 63union tls_event_data {
64 struct {
65 int depth;
66 const char *subject;
67 enum tls_fail_reason reason;
68 const char *reason_txt;
69 const struct wpabuf *cert;
70 } cert_fail;
71
bc0634da 72 struct tls_cert_data peer_cert;
dd7fec1f
PS		 73
74 struct {
75 int is_local;
76 const char *type;
77 const char *description;
78 } alert;
00468b46
JM		 79};
80
6fc6879b
JM		 81struct tls_config {
82 const char *opensc_engine_path;
83 const char *pkcs11_engine_path;
84 const char *pkcs11_module_path;
76f04b38 85 int fips_mode;
1b414f59 86 int cert_in_cb;
b7328434 87 const char *openssl_ciphers;
681e199d 88 unsigned int tls_session_lifetime;
159a7fbd 89 unsigned int crl_reload_interval;
6418400d 90 unsigned int tls_flags;
00468b46
JM		 91
92 void (*event_cb)(void *ctx, enum tls_event ev,
93 union tls_event_data *data);
94 void *cb_ctx;
6fc6879b
JM		 95};
96
29446569
JM		 97#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
98#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
e866f39f 99#define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
080585c0
JM		 100#define TLS_CONN_REQUEST_OCSP BIT(3)
101#define TLS_CONN_REQUIRE_OCSP BIT(4)
e9a6f183
DS		 102#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
103#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
d4913c58 104#define TLS_CONN_EAP_FAST BIT(7)
5650d379 105#define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
3c108b75 106#define TLS_CONN_EXT_CERT_CHECK BIT(9)
d6b536f7 107#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
60ed2f24 108#define TLS_CONN_SUITEB BIT(11)
2ed70c75 109#define TLS_CONN_SUITEB_NO_ECDH BIT(12)
bbbc7e80 110#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)
cc9c4fec
JM		 111#define TLS_CONN_ENABLE_TLSv1_0 BIT(14)
112#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
113#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
3ec65a8e 114#define TLS_CONN_TEAP_ANON_DH BIT(17)
29446569 115
6fc6879b
JM		 116/**
117 * struct tls_connection_params - Parameters for TLS connection
118 * @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
119 * format
120 * @ca_cert_blob: ca_cert as inlined data or %NULL if not used
121 * @ca_cert_blob_len: ca_cert_blob length
122 * @ca_path: Path to CA certificates (OpenSSL specific)
123 * @subject_match: String to match in the subject of the peer certificate or
124 * %NULL to allow all subjects
125 * @altsubject_match: String to match in the alternative subject of the peer
126 * certificate or %NULL to allow all alternative subjects
242e8572
JM		 127 * @suffix_match: Semicolon deliminated string of values to suffix match against
128 * the dNSName or CN of the peer certificate or %NULL to allow all domain names.
129 * This may allow subdomains and wildcard certificates. Each domain name label
130 * must have a full case-insensitive match.
cebee30f
JM		 131 * @domain_match: String to match in the dNSName or CN of the peer
132 * certificate or %NULL to allow all domain names. This requires a full,
133 * case-insensitive match.
242e8572
JM		 134 *
135 * More than one match string can be provided by using semicolons to
136 * separate the strings (e.g., example.org;example.com). When multiple
137 * strings are specified, a match with any one of the values is
138 * considered a sufficient match for the certificate, i.e., the
139 * conditions are ORed together.
6fc6879b
JM		 140 * @client_cert: File or reference name for client X.509 certificate in PEM or
141 * DER format
142 * @client_cert_blob: client_cert as inlined data or %NULL if not used
143 * @client_cert_blob_len: client_cert_blob length
144 * @private_key: File or reference name for client private key in PEM or DER
145 * format (traditional format (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY)
146 * @private_key_blob: private_key as inlined data or %NULL if not used
147 * @private_key_blob_len: private_key_blob length
148 * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
149 * passphrase is used.
150 * @dh_file: File name for DH/DSA data in PEM format, or %NULL if not used
151 * @dh_blob: dh_file as inlined data or %NULL if not used
152 * @dh_blob_len: dh_blob length
153 * @engine: 1 = use engine (e.g., a smartcard) for private key operations
154 * (this is OpenSSL specific for now)
155 * @engine_id: engine id string (this is OpenSSL specific for now)
156 * @ppin: pointer to the pin variable in the configuration
157 * (this is OpenSSL specific for now)
e59c91af
DS		 158 * @key_id: the private key's id when using engine (this is OpenSSL
159 * specific for now)
160 * @cert_id: the certificate's id when using engine
161 * @ca_cert_id: the CA certificate's id when using engine
b7328434 162 * @openssl_ciphers: OpenSSL cipher configuration
0521c6eb
HV		 163 * @openssl_ecdh_curves: OpenSSL ECDH curve configuration. %NULL for auto if
164 * supported, empty string to disable, or a colon-separated curve list.
29446569 165 * @flags: Parameter options (TLS_CONN_*)
080585c0
JM		 166 * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
167 * or %NULL if OCSP is not enabled
5addb0df
JM		 168 * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
169 * response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
170 * ocsp_multi is not enabled
841205a1 171 * @check_cert_subject: Client certificate subject name matching string
6fc6879b
JM		 172 *
173 * TLS connection parameters to be configured with tls_connection_set_params()
174 * and tls_global_set_params().
175 *
176 * Certificates and private key can be configured either as a reference name
177 * (file path or reference to certificate store) or by providing the same data
178 * as a pointer to the data in memory. Only one option will be used for each
179 * field.
180 */
181struct tls_connection_params {
182 const char *ca_cert;
183 const u8 *ca_cert_blob;
184 size_t ca_cert_blob_len;
185 const char *ca_path;
186 const char *subject_match;
187 const char *altsubject_match;
01f809c7 188 const char *suffix_match;
cebee30f 189 const char *domain_match;
6fc6879b
JM		 190 const char *client_cert;
191 const u8 *client_cert_blob;
192 size_t client_cert_blob_len;
193 const char *private_key;
194 const u8 *private_key_blob;
195 size_t private_key_blob_len;
196 const char *private_key_passwd;
197 const char *dh_file;
198 const u8 *dh_blob;
199 size_t dh_blob_len;
6fc6879b
JM		 200
201 /* OpenSSL specific variables */
202 int engine;
203 const char *engine_id;
204 const char *pin;
205 const char *key_id;
e59c91af
DS		 206 const char *cert_id;
207 const char *ca_cert_id;
b7328434 208 const char *openssl_ciphers;
0521c6eb 209 const char *openssl_ecdh_curves;
29446569
JM		 210
211 unsigned int flags;
080585c0 212 const char *ocsp_stapling_response;
5addb0df 213 const char *ocsp_stapling_response_multi;
841205a1 214 const char *check_cert_subject;
6fc6879b
JM		 215};
216
217
218/**
219 * tls_init - Initialize TLS library
220 * @conf: Configuration data for TLS library
221 * Returns: Context data to be used as tls_ctx in calls to other functions,
222 * or %NULL on failure.
223 *
224 * Called once during program startup and once for each RSN pre-authentication
225 * session. In other words, there can be two concurrent TLS contexts. If global
226 * library initialization is needed (i.e., one that is shared between both
227 * authentication types), the TLS library wrapper should maintain a reference
228 * counter and do global initialization only when moving from 0 to 1 reference.
229 */
230void * tls_init(const struct tls_config *conf);
231
232/**
233 * tls_deinit - Deinitialize TLS library
234 * @tls_ctx: TLS context data from tls_init()
235 *
236 * Called once during program shutdown and once for each RSN pre-authentication
237 * session. If global library deinitialization is needed (i.e., one that is
238 * shared between both authentication types), the TLS library wrapper should
239 * maintain a reference counter and do global deinitialization only when moving
240 * from 1 to 0 references.
241 */
242void tls_deinit(void *tls_ctx);
243
244/**
245 * tls_get_errors - Process pending errors
246 * @tls_ctx: TLS context data from tls_init()
247 * Returns: Number of found error, 0 if no errors detected.
248 *
249 * Process all pending TLS errors.
250 */
251int tls_get_errors(void *tls_ctx);
252
253/**
254 * tls_connection_init - Initialize a new TLS connection
255 * @tls_ctx: TLS context data from tls_init()
256 * Returns: Connection context data, conn for other function calls
257 */
258struct tls_connection * tls_connection_init(void *tls_ctx);
259
260/**
261 * tls_connection_deinit - Free TLS connection data
262 * @tls_ctx: TLS context data from tls_init()
263 * @conn: Connection context data from tls_connection_init()
264 *
265 * Release all resources allocated for TLS connection.
266 */
267void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn);
268
269/**
270 * tls_connection_established - Has the TLS connection been completed?
271 * @tls_ctx: TLS context data from tls_init()
272 * @conn: Connection context data from tls_connection_init()
273 * Returns: 1 if TLS connection has been completed, 0 if not.
274 */
275int tls_connection_established(void *tls_ctx, struct tls_connection *conn);
276
0ec3e77a
JM		 277/**
278 * tls_connection_peer_serial_num - Fetch peer certificate serial number
279 * @tls_ctx: TLS context data from tls_init()
280 * @conn: Connection context data from tls_connection_init()
281 * Returns: Allocated string buffer containing the peer certificate serial
282 * number or %NULL on error.
283 *
284 * The caller is responsible for freeing the returned buffer with os_free().
285 */
286char * tls_connection_peer_serial_num(void *tls_ctx,
287 struct tls_connection *conn);
288
6fc6879b
JM		 289/**
290 * tls_connection_shutdown - Shutdown TLS connection
291 * @tls_ctx: TLS context data from tls_init()
292 * @conn: Connection context data from tls_connection_init()
293 * Returns: 0 on success, -1 on failure
294 *
295 * Shutdown current TLS connection without releasing all resources. New
296 * connection can be started by using the same conn without having to call
297 * tls_connection_init() or setting certificates etc. again. The new
298 * connection should try to use session resumption.
299 */
300int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn);
301
302enum {
fd4fb281 303 TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN = -4,
6fc6879b
JM		 304 TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3,
305 TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2
306};
307
308/**
309 * tls_connection_set_params - Set TLS connection parameters
310 * @tls_ctx: TLS context data from tls_init()
311 * @conn: Connection context data from tls_connection_init()
312 * @params: Connection parameters
313 * Returns: 0 on success, -1 on failure,
fd4fb281
MG		 314 * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
315 * failure, or
6fc6879b 316 * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
fd4fb281
MG		 317 * PKCS#11 engine private key, or
318 * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
319 * failure.
6fc6879b
JM		 320 */
321int __must_check
322tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
323 const struct tls_connection_params *params);
324
325/**
326 * tls_global_set_params - Set TLS parameters for all TLS connection
327 * @tls_ctx: TLS context data from tls_init()
328 * @params: Global TLS parameters
329 * Returns: 0 on success, -1 on failure,
fd4fb281
MG		 330 * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
331 * failure, or
6fc6879b 332 * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
fd4fb281
MG		 333 * PKCS#11 engine private key, or
334 * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
335 * failure.
6fc6879b
JM		 336 */
337int __must_check tls_global_set_params(
338 void *tls_ctx, const struct tls_connection_params *params);
339
340/**
341 * tls_global_set_verify - Set global certificate verification options
342 * @tls_ctx: TLS context data from tls_init()
343 * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
344 * 2 = verify CRL for all certificates
dd5d325b 345 * @strict: 0 = allow CRL time errors, 1 = do not allow CRL time errors
6fc6879b
JM		 346 * Returns: 0 on success, -1 on failure
347 */
dd5d325b
SV		 348int __must_check tls_global_set_verify(void *tls_ctx, int check_crl,
349 int strict);
6fc6879b
JM		 350
351/**
352 * tls_connection_set_verify - Set certificate verification options
353 * @tls_ctx: TLS context data from tls_init()
354 * @conn: Connection context data from tls_connection_init()
355 * @verify_peer: 1 = verify peer certificate
bfbebd26
JM		 356 * @flags: Connection flags (TLS_CONN_*)
357 * @session_ctx: Session caching context or %NULL to use default
358 * @session_ctx_len: Length of @session_ctx in bytes.
6fc6879b
JM		 359 * Returns: 0 on success, -1 on failure
360 */
361int __must_check tls_connection_set_verify(void *tls_ctx,
362 struct tls_connection *conn,
bfbebd26
JM		 363 int verify_peer,
364 unsigned int flags,
365 const u8 *session_ctx,
366 size_t session_ctx_len);
6fc6879b 367
6fc6879b 368/**
1046db8b 369 * tls_connection_get_random - Get random data from TLS connection
6fc6879b
JM		 370 * @tls_ctx: TLS context data from tls_init()
371 * @conn: Connection context data from tls_connection_init()
1046db8b 372 * @data: Structure of client/server random data (filled on success)
6fc6879b
JM		 373 * Returns: 0 on success, -1 on failure
374 */
1046db8b 375int __must_check tls_connection_get_random(void *tls_ctx,
6fc6879b 376 struct tls_connection *conn,
1046db8b 377 struct tls_random *data);
6fc6879b
JM		 378
379/**
73581707 380 * tls_connection_export_key - Derive keying material from a TLS connection
6fc6879b
JM		 381 * @tls_ctx: TLS context data from tls_init()
382 * @conn: Connection context data from tls_connection_init()
383 * @label: Label (e.g., description of the key) for PRF
a916ff5c
EO		 384 * @context: Optional extra upper-layer context (max len 2^16)
385 * @context_len: The length of the context value
6fc6879b
JM		 386 * @out: Buffer for output data from TLS-PRF
387 * @out_len: Length of the output buffer
388 * Returns: 0 on success, -1 on failure
389 *
a916ff5c
EO		 390 * Exports keying material using the mechanism described in RFC 5705. If
391 * context is %NULL, context is not provided; otherwise, context is provided
392 * (including the case of empty context with context_len == 0).
6fc6879b 393 */
73581707
DB		 394int __must_check tls_connection_export_key(void *tls_ctx,
395 struct tls_connection *conn,
396 const char *label,
a916ff5c
EO		 397 const u8 *context,
398 size_t context_len,
73581707
DB		 399 u8 *out, size_t out_len);
400
401/**
402 * tls_connection_get_eap_fast_key - Derive key material for EAP-FAST
403 * @tls_ctx: TLS context data from tls_init()
404 * @conn: Connection context data from tls_connection_init()
405 * @out: Buffer for output data from TLS-PRF
406 * @out_len: Length of the output buffer
407 * Returns: 0 on success, -1 on failure
408 *
409 * Exports key material after the normal TLS key block for use with
410 * EAP-FAST. Most callers will want tls_connection_export_key(), but EAP-FAST
411 * uses a different legacy mechanism.
412 */
413int __must_check tls_connection_get_eap_fast_key(void *tls_ctx,
414 struct tls_connection *conn,
415 u8 *out, size_t out_len);
6fc6879b
JM		 416
417/**
418 * tls_connection_handshake - Process TLS handshake (client side)
419 * @tls_ctx: TLS context data from tls_init()
420 * @conn: Connection context data from tls_connection_init()
81c85c06 421 * @in_data: Input data from TLS server
6fc6879b 422 * @appl_data: Pointer to application data pointer, or %NULL if dropped
81c85c06 423 * Returns: Output data, %NULL on failure
6fc6879b 424 *
81c85c06 425 * The caller is responsible for freeing the returned output data. If the final
6fc6879b 426 * handshake message includes application data, this is decrypted and
81c85c06
JM		 427 * appl_data (if not %NULL) is set to point this data. The caller is
428 * responsible for freeing appl_data.
6fc6879b
JM		 429 *
430 * This function is used during TLS handshake. The first call is done with
431 * in_data == %NULL and the library is expected to return ClientHello packet.
432 * This packet is then send to the server and a response from server is given
433 * to TLS library by calling this function again with in_data pointing to the
434 * TLS message from the server.
435 *
436 * If the TLS handshake fails, this function may return %NULL. However, if the
437 * TLS library has a TLS alert to send out, that should be returned as the
438 * output data. In this case, tls_connection_get_failed() must return failure
439 * (> 0).
440 *
441 * tls_connection_established() should return 1 once the TLS handshake has been
442 * completed successfully.
443 */
81c85c06
JM		 444struct wpabuf * tls_connection_handshake(void *tls_ctx,
445 struct tls_connection *conn,
446 const struct wpabuf *in_data,
447 struct wpabuf **appl_data);
6fc6879b 448
dbdcfa39
JM		 449struct wpabuf * tls_connection_handshake2(void *tls_ctx,
450 struct tls_connection *conn,
451 const struct wpabuf *in_data,
452 struct wpabuf **appl_data,
453 int *more_data_needed);
454
6fc6879b
JM		 455/**
456 * tls_connection_server_handshake - Process TLS handshake (server side)
457 * @tls_ctx: TLS context data from tls_init()
458 * @conn: Connection context data from tls_connection_init()
459 * @in_data: Input data from TLS peer
81c85c06
JM		 460 * @appl_data: Pointer to application data pointer, or %NULL if dropped
461 * Returns: Output data, %NULL on failure
6fc6879b 462 *
81c85c06 463 * The caller is responsible for freeing the returned output data.
6fc6879b 464 */
81c85c06
JM		 465struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
466 struct tls_connection *conn,
467 const struct wpabuf *in_data,
468 struct wpabuf **appl_data);
6fc6879b
JM		 469
470/**
471 * tls_connection_encrypt - Encrypt data into TLS tunnel
472 * @tls_ctx: TLS context data from tls_init()
473 * @conn: Connection context data from tls_connection_init()
81c85c06
JM		 474 * @in_data: Plaintext data to be encrypted
475 * Returns: Encrypted TLS data or %NULL on failure
6fc6879b
JM		 476 *
477 * This function is used after TLS handshake has been completed successfully to
81c85c06
JM		 478 * send data in the encrypted tunnel. The caller is responsible for freeing the
479 * returned output data.
6fc6879b 480 */
81c85c06
JM		 481struct wpabuf * tls_connection_encrypt(void *tls_ctx,
482 struct tls_connection *conn,
483 const struct wpabuf *in_data);
6fc6879b
JM		 484
485/**
486 * tls_connection_decrypt - Decrypt data from TLS tunnel
487 * @tls_ctx: TLS context data from tls_init()
488 * @conn: Connection context data from tls_connection_init()
81c85c06
JM		 489 * @in_data: Encrypted TLS data
490 * Returns: Decrypted TLS data or %NULL on failure
6fc6879b
JM		 491 *
492 * This function is used after TLS handshake has been completed successfully to
81c85c06
JM		 493 * receive data from the encrypted tunnel. The caller is responsible for
494 * freeing the returned output data.
6fc6879b 495 */
81c85c06
JM		 496struct wpabuf * tls_connection_decrypt(void *tls_ctx,
497 struct tls_connection *conn,
498 const struct wpabuf *in_data);
6fc6879b 499
dbdcfa39
JM		 500struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
501 struct tls_connection *conn,
502 const struct wpabuf *in_data,
503 int *more_data_needed);
504
6fc6879b
JM		 505/**
506 * tls_connection_resumed - Was session resumption used
507 * @tls_ctx: TLS context data from tls_init()
508 * @conn: Connection context data from tls_connection_init()
509 * Returns: 1 if current session used session resumption, 0 if not
510 */
511int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);
512
513enum {
514 TLS_CIPHER_NONE,
515 TLS_CIPHER_RC4_SHA /* 0x0005 */,
516 TLS_CIPHER_AES128_SHA /* 0x002f */,
517 TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
750f5d99
JM		 518 TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */,
519 TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,
520 TLS_CIPHER_AES256_SHA /* 0x0035 */,
6fc6879b
JM		 521};
522
523/**
524 * tls_connection_set_cipher_list - Configure acceptable cipher suites
525 * @tls_ctx: TLS context data from tls_init()
526 * @conn: Connection context data from tls_connection_init()
527 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
528 * (TLS_CIPHER_*).
529 * Returns: 0 on success, -1 on failure
530 */
531int __must_check tls_connection_set_cipher_list(void *tls_ctx,
532 struct tls_connection *conn,
533 u8 *ciphers);
534
fe1bf329
JM		 535/**
536 * tls_get_version - Get the current TLS version number
537 * @tls_ctx: TLS context data from tls_init()
538 * @conn: Connection context data from tls_connection_init()
539 * @buf: Buffer for returning the TLS version number
540 * @buflen: buf size
541 * Returns: 0 on success, -1 on failure
542 *
543 * Get the currently used TLS version number.
544 */
545int __must_check tls_get_version(void *tls_ctx, struct tls_connection *conn,
546 char *buf, size_t buflen);
547
6fc6879b
JM		 548/**
549 * tls_get_cipher - Get current cipher name
550 * @tls_ctx: TLS context data from tls_init()
551 * @conn: Connection context data from tls_connection_init()
552 * @buf: Buffer for the cipher name
553 * @buflen: buf size
554 * Returns: 0 on success, -1 on failure
555 *
556 * Get the name of the currently used cipher.
557 */
558int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
559 char *buf, size_t buflen);
560
561/**
562 * tls_connection_enable_workaround - Enable TLS workaround options
563 * @tls_ctx: TLS context data from tls_init()
564 * @conn: Connection context data from tls_connection_init()
565 * Returns: 0 on success, -1 on failure
566 *
567 * This function is used to enable connection-specific workaround options for
568 * buffer SSL/TLS implementations.
569 */
570int __must_check tls_connection_enable_workaround(void *tls_ctx,
571 struct tls_connection *conn);
572
573/**
574 * tls_connection_client_hello_ext - Set TLS extension for ClientHello
575 * @tls_ctx: TLS context data from tls_init()
576 * @conn: Connection context data from tls_connection_init()
577 * @ext_type: Extension type
578 * @data: Extension payload (%NULL to remove extension)
579 * @data_len: Extension payload length
580 * Returns: 0 on success, -1 on failure
581 */
582int __must_check tls_connection_client_hello_ext(void *tls_ctx,
583 struct tls_connection *conn,
584 int ext_type, const u8 *data,
585 size_t data_len);
586
587/**
588 * tls_connection_get_failed - Get connection failure status
589 * @tls_ctx: TLS context data from tls_init()
590 * @conn: Connection context data from tls_connection_init()
591 *
592 * Returns >0 if connection has failed, 0 if not.
593 */
594int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn);
595
596/**
597 * tls_connection_get_read_alerts - Get connection read alert status
598 * @tls_ctx: TLS context data from tls_init()
599 * @conn: Connection context data from tls_connection_init()
600 * Returns: Number of times a fatal read (remote end reported error) has
601 * happened during this connection.
602 */
603int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn);
604
605/**
606 * tls_connection_get_write_alerts - Get connection write alert status
607 * @tls_ctx: TLS context data from tls_init()
608 * @conn: Connection context data from tls_connection_init()
609 * Returns: Number of times a fatal write (locally detected error) has happened
610 * during this connection.
611 */
612int tls_connection_get_write_alerts(void *tls_ctx,
613 struct tls_connection *conn);
614
6fc6879b
JM		 615typedef int (*tls_session_ticket_cb)
616(void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
617 const u8 *server_random, u8 *master_secret);
618
619int __must_check tls_connection_set_session_ticket_cb(
620 void *tls_ctx, struct tls_connection *conn,
621 tls_session_ticket_cb cb, void *ctx);
622
994afe33
JM		 623void tls_connection_set_log_cb(struct tls_connection *conn,
624 void (*log_cb)(void *ctx, const char *msg),
625 void *ctx);
626
390b9291
JM		 627#define TLS_BREAK_VERIFY_DATA BIT(0)
628#define TLS_BREAK_SRV_KEY_X_HASH BIT(1)
629#define TLS_BREAK_SRV_KEY_X_SIGNATURE BIT(2)
47bd94a0
JM		 630#define TLS_DHE_PRIME_511B BIT(3)
631#define TLS_DHE_PRIME_767B BIT(4)
632#define TLS_DHE_PRIME_15 BIT(5)
633#define TLS_DHE_PRIME_58B BIT(6)
634#define TLS_DHE_NON_PRIME BIT(7)
390b9291
JM		 635
636void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags);
637
a1651451
JM		 638int tls_get_library_version(char *buf, size_t buf_len);
639
b3b8085a
JM		 640void tls_connection_set_success_data(struct tls_connection *conn,
641 struct wpabuf *data);
642
643void tls_connection_set_success_data_resumed(struct tls_connection *conn);
644
645const struct wpabuf *
646tls_connection_get_success_data(struct tls_connection *conn);
647
648void tls_connection_remove_session(struct tls_connection *conn);
649
3af37ece
JM		 650/**
651 * tls_get_tls_unique - Fetch "tls-unique" for channel binding
652 * @conn: Connection context data from tls_connection_init()
653 * @buf: Buffer for returning the value
654 * @max_len: Maximum length of the buffer in bytes
655 * Returns: Number of bytes written to buf or -1 on error
656 *
657 * This function can be used to fetch "tls-unique" (RFC 5929, Section 3) which
658 * is the first TLS Finished message sent in the most recent TLS handshake of
659 * the TLS connection.
660 */
661int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len);
662
94714ec3
JM		 663/**
664 * tls_connection_get_cipher_suite - Get current TLS cipher suite
665 * @conn: Connection context data from tls_connection_init()
666 * Returns: TLS cipher suite of the current connection or 0 on error
667 */
668u16 tls_connection_get_cipher_suite(struct tls_connection *conn);
669
6fc6879b 670#endif /* TLS_H */
Unnamed repository; edit this file 'description' to name the repository.