[thirdparty/hostap.git] / src / crypto / tls_internal.c

/*
 * TLS interface functions and an internal TLS implementation
 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 *
 * This file interface functions for hostapd/wpa_supplicant to use the
 * integrated TLSv1 implementation.
 */

#include "includes.h"

#include "common.h"
#include "tls.h"
#include "tls/tlsv1_client.h"
#include "tls/tlsv1_server.h"


static int tls_ref_count = 0;

struct tls_global {
	int server;
	struct tlsv1_credentials *server_cred;
	int check_crl;
};

struct tls_connection {
	struct tlsv1_client *client;
	struct tlsv1_server *server;
};


void * tls_init(const struct tls_config *conf)
{
	struct tls_global *global;

	if (tls_ref_count == 0) {
#ifdef CONFIG_TLS_INTERNAL_CLIENT
		if (tlsv1_client_global_init())
			return NULL;
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
		if (tlsv1_server_global_init())
			return NULL;
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	}
	tls_ref_count++;

	global = os_zalloc(sizeof(*global));
	if (global == NULL)
		return NULL;

	return global;
}

void tls_deinit(void *ssl_ctx)
{
	struct tls_global *global = ssl_ctx;
	tls_ref_count--;
	if (tls_ref_count == 0) {
#ifdef CONFIG_TLS_INTERNAL_CLIENT
		tlsv1_client_global_deinit();
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
		tlsv1_cred_free(global->server_cred);
		tlsv1_server_global_deinit();
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	}
	os_free(global);
}


int tls_get_errors(void *tls_ctx)
{
	return 0;
}


struct tls_connection * tls_connection_init(void *tls_ctx)
{
	struct tls_connection *conn;
	struct tls_global *global = tls_ctx;

	conn = os_zalloc(sizeof(*conn));
	if (conn == NULL)
		return NULL;

#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (!global->server) {
		conn->client = tlsv1_client_init();
		if (conn->client == NULL) {
			os_free(conn);
			return NULL;
		}
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (global->server) {
		conn->server = tlsv1_server_init(global->server_cred);
		if (conn->server == NULL) {
			os_free(conn);
			return NULL;
		}
	}
#endif /* CONFIG_TLS_INTERNAL_SERVER */

	return conn;
}


void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
{
	if (conn == NULL)
		return;
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		tlsv1_client_deinit(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		tlsv1_server_deinit(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	os_free(conn);
}


int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_established(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_established(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return 0;
}


int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_shutdown(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_shutdown(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
			      const struct tls_connection_params *params)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	struct tlsv1_credentials *cred;

	if (conn->client == NULL)
		return -1;

	cred = tlsv1_cred_alloc();
	if (cred == NULL)
		return -1;

	if (tlsv1_set_ca_cert(cred, params->ca_cert,
			      params->ca_cert_blob, params->ca_cert_blob_len,
			      params->ca_path)) {
		wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
			   "certificates");
		tlsv1_cred_free(cred);
		return -1;
	}

	if (tlsv1_set_cert(cred, params->client_cert,
			   params->client_cert_blob,
			   params->client_cert_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to configure client "
			   "certificate");
		tlsv1_cred_free(cred);
		return -1;
	}

	if (tlsv1_set_private_key(cred, params->private_key,
				  params->private_key_passwd,
				  params->private_key_blob,
				  params->private_key_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		tlsv1_cred_free(cred);
		return -1;
	}

	if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
			       params->dh_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
		tlsv1_cred_free(cred);
		return -1;
	}

	if (tlsv1_client_set_cred(conn->client, cred) < 0) {
		tlsv1_cred_free(cred);
		return -1;
	}

	tlsv1_client_set_time_checks(
		conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));

	return 0;
#else /* CONFIG_TLS_INTERNAL_CLIENT */
	return -1;
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
}


int tls_global_set_params(void *tls_ctx,
			  const struct tls_connection_params *params)
{
#ifdef CONFIG_TLS_INTERNAL_SERVER
	struct tls_global *global = tls_ctx;
	struct tlsv1_credentials *cred;

	/* Currently, global parameters are only set when running in server
	 * mode. */
	global->server = 1;
	tlsv1_cred_free(global->server_cred);
	global->server_cred = cred = tlsv1_cred_alloc();
	if (cred == NULL)
		return -1;

	if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
			      params->ca_cert_blob_len, params->ca_path)) {
		wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
			   "certificates");
		return -1;
	}

	if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
			   params->client_cert_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to configure server "
			   "certificate");
		return -1;
	}

	if (tlsv1_set_private_key(cred, params->private_key,
				  params->private_key_passwd,
				  params->private_key_blob,
				  params->private_key_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		return -1;
	}

	if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
			       params->dh_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
		return -1;
	}

	return 0;
#else /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
#endif /* CONFIG_TLS_INTERNAL_SERVER */
}


int tls_global_set_verify(void *tls_ctx, int check_crl)
{
	struct tls_global *global = tls_ctx;
	global->check_crl = check_crl;
	return 0;
}


int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
			      int verify_peer)
{
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_set_verify(conn->server, verify_peer);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn,
			    struct tls_keys *keys)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_get_keys(conn->client, keys);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_get_keys(conn->server, keys);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
		       const char *label, int server_random_first,
		       u8 *out, size_t out_len)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		return tlsv1_client_prf(conn->client, label,
					server_random_first,
					out, out_len);
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server) {
		return tlsv1_server_prf(conn->server, label,
					server_random_first,
					out, out_len);
	}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


struct wpabuf * tls_connection_handshake(void *tls_ctx,
					 struct tls_connection *conn,
					 const struct wpabuf *in_data,
					 struct wpabuf **appl_data)
{
	return tls_connection_handshake2(tls_ctx, conn, in_data, appl_data,
					 NULL);
}


struct wpabuf * tls_connection_handshake2(void *tls_ctx,
					  struct tls_connection *conn,
					  const struct wpabuf *in_data,
					  struct wpabuf **appl_data,
					  int *need_more_data)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	u8 *res, *ad;
	size_t res_len, ad_len;
	struct wpabuf *out;

	if (conn->client == NULL)
		return NULL;

	ad = NULL;
	res = tlsv1_client_handshake(conn->client,
				     in_data ? wpabuf_head(in_data) : NULL,
				     in_data ? wpabuf_len(in_data) : 0,
				     &res_len, &ad, &ad_len, need_more_data);
	if (res == NULL)
		return NULL;
	out = wpabuf_alloc_ext_data(res, res_len);
	if (out == NULL) {
		os_free(res);
		os_free(ad);
		return NULL;
	}
	if (appl_data) {
		if (ad) {
			*appl_data = wpabuf_alloc_ext_data(ad, ad_len);
			if (*appl_data == NULL)
				os_free(ad);
		} else
			*appl_data = NULL;
	} else
		os_free(ad);

	return out;
#else /* CONFIG_TLS_INTERNAL_CLIENT */
	return NULL;
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
}


struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
						struct tls_connection *conn,
						const struct wpabuf *in_data,
						struct wpabuf **appl_data)
{
#ifdef CONFIG_TLS_INTERNAL_SERVER
	u8 *res;
	size_t res_len;
	struct wpabuf *out;

	if (conn->server == NULL)
		return NULL;

	if (appl_data)
		*appl_data = NULL;

	res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
				     wpabuf_len(in_data), &res_len);
	if (res == NULL && tlsv1_server_established(conn->server))
		return wpabuf_alloc(0);
	if (res == NULL)
		return NULL;
	out = wpabuf_alloc_ext_data(res, res_len);
	if (out == NULL) {
		os_free(res);
		return NULL;
	}

	return out;
#else /* CONFIG_TLS_INTERNAL_SERVER */
	return NULL;
#endif /* CONFIG_TLS_INTERNAL_SERVER */
}


struct wpabuf * tls_connection_encrypt(void *tls_ctx,
				       struct tls_connection *conn,
				       const struct wpabuf *in_data)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		struct wpabuf *buf;
		int res;
		buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
		if (buf == NULL)
			return NULL;
		res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data),
					   wpabuf_len(in_data),
					   wpabuf_mhead(buf),
					   wpabuf_size(buf));
		if (res < 0) {
			wpabuf_free(buf);
			return NULL;
		}
		wpabuf_put(buf, res);
		return buf;
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server) {
		struct wpabuf *buf;
		int res;
		buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
		if (buf == NULL)
			return NULL;
		res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data),
					   wpabuf_len(in_data),
					   wpabuf_mhead(buf),
					   wpabuf_size(buf));
		if (res < 0) {
			wpabuf_free(buf);
			return NULL;
		}
		wpabuf_put(buf, res);
		return buf;
	}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return NULL;
}


struct wpabuf * tls_connection_decrypt(void *tls_ctx,
				       struct tls_connection *conn,
				       const struct wpabuf *in_data)
{
	return tls_connection_decrypt2(tls_ctx, conn, in_data, NULL);
}


struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
					struct tls_connection *conn,
					const struct wpabuf *in_data,
					int *need_more_data)
{
	if (need_more_data)
		*need_more_data = 0;

#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		return tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
					    wpabuf_len(in_data),
					    need_more_data);
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server) {
		struct wpabuf *buf;
		int res;
		buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
		if (buf == NULL)
			return NULL;
		res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data),
					   wpabuf_len(in_data),
					   wpabuf_mhead(buf),
					   wpabuf_size(buf));
		if (res < 0) {
			wpabuf_free(buf);
			return NULL;
		}
		wpabuf_put(buf, res);
		return buf;
	}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return NULL;
}


int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_resumed(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_resumed(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
				   u8 *ciphers)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_set_cipher_list(conn->client, ciphers);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_set_cipher_list(conn->server, ciphers);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
		   char *buf, size_t buflen)
{
	if (conn == NULL)
		return -1;
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_get_cipher(conn->client, buf, buflen);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_get_cipher(conn->server, buf, buflen);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


int tls_connection_enable_workaround(void *tls_ctx,
				     struct tls_connection *conn)
{
	return -1;
}


int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
				    int ext_type, const u8 *data,
				    size_t data_len)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		return tlsv1_client_hello_ext(conn->client, ext_type,
					      data, data_len);
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	return -1;
}


int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
{
	return 0;
}


int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
{
	return 0;
}


int tls_connection_get_write_alerts(void *tls_ctx,
				    struct tls_connection *conn)
{
	return 0;
}


int tls_connection_get_keyblock_size(void *tls_ctx,
				     struct tls_connection *conn)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_get_keyblock_size(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_get_keyblock_size(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


unsigned int tls_capabilities(void *tls_ctx)
{
	return 0;
}


int tls_connection_set_session_ticket_cb(void *tls_ctx,
					 struct tls_connection *conn,
					 tls_session_ticket_cb cb,
					 void *ctx)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
		return 0;
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server) {
		tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
		return 0;
	}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}
Commit	Line	Data
6fc6879b	1	/*
81c85c06	2	* TLS interface functions and an internal TLS implementation
235279e7	3	* Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
6fc6879b	4	*
0f3d578e JM	5	* This software may be distributed under the terms of the BSD license.
0f3d578e JM	6	* See README for more details.
6fc6879b JM	7	*
	8	* This file interface functions for hostapd/wpa_supplicant to use the
	9	* integrated TLSv1 implementation.
	10	*/
	11
	12	#include "includes.h"
	13
	14	#include "common.h"
	15	#include "tls.h"
	16	#include "tls/tlsv1_client.h"
	17	#include "tls/tlsv1_server.h"
	18
	19
	20	static int tls_ref_count = 0;
	21
	22	struct tls_global {
	23	int server;
	24	struct tlsv1_credentials *server_cred;
	25	int check_crl;
	26	};
	27
	28	struct tls_connection {
	29	struct tlsv1_client *client;
	30	struct tlsv1_server *server;
	31	};
	32
	33
	34	void * tls_init(const struct tls_config *conf)
	35	{
	36	struct tls_global *global;
	37
	38	if (tls_ref_count == 0) {
	39	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	40	if (tlsv1_client_global_init())
	41	return NULL;
	42	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	43	#ifdef CONFIG_TLS_INTERNAL_SERVER
	44	if (tlsv1_server_global_init())
	45	return NULL;
	46	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	47	}
	48	tls_ref_count++;
	49
	50	global = os_zalloc(sizeof(*global));
	51	if (global == NULL)
	52	return NULL;
	53
	54	return global;
	55	}
	56
	57	void tls_deinit(void *ssl_ctx)
	58	{
	59	struct tls_global *global = ssl_ctx;
	60	tls_ref_count--;
	61	if (tls_ref_count == 0) {
	62	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	63	tlsv1_client_global_deinit();
	64	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	65	#ifdef CONFIG_TLS_INTERNAL_SERVER
	66	tlsv1_cred_free(global->server_cred);
	67	tlsv1_server_global_deinit();
	68	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	69	}
	70	os_free(global);
71	}
72
73
74	int tls_get_errors(void *tls_ctx)
75	{
76	return 0;
77	}
78
79
80	struct tls_connection * tls_connection_init(void *tls_ctx)
81	{
82	struct tls_connection *conn;
83	struct tls_global *global = tls_ctx;
84
85	conn = os_zalloc(sizeof(*conn));
86	if (conn == NULL)
87	return NULL;
88
89	#ifdef CONFIG_TLS_INTERNAL_CLIENT
90	if (!global->server) {
91	conn->client = tlsv1_client_init();
92	if (conn->client == NULL) {
93	os_free(conn);
94	return NULL;
95	}
96	}
97	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
98	#ifdef CONFIG_TLS_INTERNAL_SERVER
99	if (global->server) {
100	conn->server = tlsv1_server_init(global->server_cred);
101	if (conn->server == NULL) {
102	os_free(conn);
103	return NULL;
104	}
105	}
106	#endif /* CONFIG_TLS_INTERNAL_SERVER */
107
108	return conn;
109	}
110
111
112	void tls_connection_deinit(void tls_ctx, struct tls_connection conn)
113	{
114	if (conn == NULL)
115	return;
116	#ifdef CONFIG_TLS_INTERNAL_CLIENT
117	if (conn->client)
118	tlsv1_client_deinit(conn->client);
119	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
120	#ifdef CONFIG_TLS_INTERNAL_SERVER
121	if (conn->server)
122	tlsv1_server_deinit(conn->server);
123	#endif /* CONFIG_TLS_INTERNAL_SERVER */
124	os_free(conn);
125	}
126
127
128	int tls_connection_established(void tls_ctx, struct tls_connection conn)
129	{
130	#ifdef CONFIG_TLS_INTERNAL_CLIENT
131	if (conn->client)
132	return tlsv1_client_established(conn->client);
133	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
134	#ifdef CONFIG_TLS_INTERNAL_SERVER
135	if (conn->server)
136	return tlsv1_server_established(conn->server);
137	#endif /* CONFIG_TLS_INTERNAL_SERVER */
138	return 0;
139	}
140
141
142	int tls_connection_shutdown(void tls_ctx, struct tls_connection conn)
143	{
144	#ifdef CONFIG_TLS_INTERNAL_CLIENT
145	if (conn->client)
146	return tlsv1_client_shutdown(conn->client);
147	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
148	#ifdef CONFIG_TLS_INTERNAL_SERVER
149	if (conn->server)
150	return tlsv1_server_shutdown(conn->server);
151	#endif /* CONFIG_TLS_INTERNAL_SERVER */
152	return -1;
153	}
154
155
156	int tls_connection_set_params(void tls_ctx, struct tls_connection conn,
157	const struct tls_connection_params *params)
158	{
159	#ifdef CONFIG_TLS_INTERNAL_CLIENT
160	struct tlsv1_credentials *cred;
161
162	if (conn->client == NULL)
163	return -1;
164
165	cred = tlsv1_cred_alloc();
166	if (cred == NULL)
167	return -1;
168
169	if (tlsv1_set_ca_cert(cred, params->ca_cert,
170	params->ca_cert_blob, params->ca_cert_blob_len,
171	params->ca_path)) {
172	wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
173	"certificates");
174	tlsv1_cred_free(cred);
175	return -1;
176	}
177
178	if (tlsv1_set_cert(cred, params->client_cert,
179	params->client_cert_blob,
180	params->client_cert_blob_len)) {
181	wpa_printf(MSG_INFO, "TLS: Failed to configure client "
182	"certificate");
183	tlsv1_cred_free(cred);
184	return -1;
185	}
186
187	if (tlsv1_set_private_key(cred, params->private_key,
188	params->private_key_passwd,
189	params->private_key_blob,
190	params->private_key_blob_len)) {
191	wpa_printf(MSG_INFO, "TLS: Failed to load private key");
192	tlsv1_cred_free(cred);
193	return -1;
194	}
195
196	if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
197	params->dh_blob_len)) {
198	wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
199	tlsv1_cred_free(cred);
200	return -1;
201	}
202
203	if (tlsv1_client_set_cred(conn->client, cred) < 0) {
204	tlsv1_cred_free(cred);
205	return -1;
206	}
207
235279e7 JM	208	tlsv1_client_set_time_checks(
	209	conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
	210
6fc6879b JM	211	return 0;
	212	#else /* CONFIG_TLS_INTERNAL_CLIENT */
	213	return -1;
	214	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	215	}
	216
	217
	218	int tls_global_set_params(void *tls_ctx,
	219	const struct tls_connection_params *params)
	220	{
	221	#ifdef CONFIG_TLS_INTERNAL_SERVER
	222	struct tls_global *global = tls_ctx;
	223	struct tlsv1_credentials *cred;
	224
	225	/* Currently, global parameters are only set when running in server
	226	* mode. */
	227	global->server = 1;
	228	tlsv1_cred_free(global->server_cred);
	229	global->server_cred = cred = tlsv1_cred_alloc();
	230	if (cred == NULL)
	231	return -1;
	232
	233	if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
	234	params->ca_cert_blob_len, params->ca_path)) {
	235	wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
	236	"certificates");
	237	return -1;
	238	}
	239
	240	if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
	241	params->client_cert_blob_len)) {
	242	wpa_printf(MSG_INFO, "TLS: Failed to configure server "
	243	"certificate");
	244	return -1;
	245	}
	246
	247	if (tlsv1_set_private_key(cred, params->private_key,
	248	params->private_key_passwd,
	249	params->private_key_blob,
	250	params->private_key_blob_len)) {
	251	wpa_printf(MSG_INFO, "TLS: Failed to load private key");
	252	return -1;
	253	}
	254
	255	if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
	256	params->dh_blob_len)) {
	257	wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
	258	return -1;
	259	}
	260
	261	return 0;
	262	#else /* CONFIG_TLS_INTERNAL_SERVER */
	263	return -1;
	264	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	265	}
	266
	267
	268	int tls_global_set_verify(void *tls_ctx, int check_crl)
	269	{
	270	struct tls_global *global = tls_ctx;
	271	global->check_crl = check_crl;
	272	return 0;
	273	}
	274
275
276	int tls_connection_set_verify(void tls_ctx, struct tls_connection conn,
277	int verify_peer)
278	{
279	#ifdef CONFIG_TLS_INTERNAL_SERVER
280	if (conn->server)
281	return tlsv1_server_set_verify(conn->server, verify_peer);
282	#endif /* CONFIG_TLS_INTERNAL_SERVER */
283	return -1;
284	}
285
286
6fc6879b JM	287	int tls_connection_get_keys(void tls_ctx, struct tls_connection conn,
	288	struct tls_keys *keys)
	289	{
	290	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	291	if (conn->client)
	292	return tlsv1_client_get_keys(conn->client, keys);
	293	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	294	#ifdef CONFIG_TLS_INTERNAL_SERVER
	295	if (conn->server)
	296	return tlsv1_server_get_keys(conn->server, keys);
	297	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	298	return -1;
	299	}
	300
	301
	302	int tls_connection_prf(void tls_ctx, struct tls_connection conn,
	303	const char *label, int server_random_first,
	304	u8 *out, size_t out_len)
	305	{
	306	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	307	if (conn->client) {
	308	return tlsv1_client_prf(conn->client, label,
	309	server_random_first,
	310	out, out_len);
	311	}
	312	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	313	#ifdef CONFIG_TLS_INTERNAL_SERVER
	314	if (conn->server) {
	315	return tlsv1_server_prf(conn->server, label,
	316	server_random_first,
	317	out, out_len);
	318	}
	319	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	320	return -1;
	321	}
	322
	323
81c85c06 JM	324	struct wpabuf * tls_connection_handshake(void *tls_ctx,
	325	struct tls_connection *conn,
	326	const struct wpabuf *in_data,
	327	struct wpabuf **appl_data)
dbdcfa39 JM	328	{
	329	return tls_connection_handshake2(tls_ctx, conn, in_data, appl_data,
	330	NULL);
	331	}
	332
	333
	334	struct wpabuf * tls_connection_handshake2(void *tls_ctx,
	335	struct tls_connection *conn,
	336	const struct wpabuf *in_data,
	337	struct wpabuf **appl_data,
	338	int *need_more_data)
6fc6879b JM	339	{
6fc6879b JM	340	#ifdef CONFIG_TLS_INTERNAL_CLIENT
81c85c06 JM	341	u8 res, ad;
	342	size_t res_len, ad_len;
	343	struct wpabuf *out;
	344
6fc6879b JM	345	if (conn->client == NULL)
	346	return NULL;
	347
81c85c06 JM	348	ad = NULL;
	349	res = tlsv1_client_handshake(conn->client,
	350	in_data ? wpabuf_head(in_data) : NULL,
	351	in_data ? wpabuf_len(in_data) : 0,
dbdcfa39	352	&res_len, &ad, &ad_len, need_more_data);
81c85c06 JM	353	if (res == NULL)
	354	return NULL;
	355	out = wpabuf_alloc_ext_data(res, res_len);
	356	if (out == NULL) {
	357	os_free(res);
	358	os_free(ad);
	359	return NULL;
	360	}
	361	if (appl_data) {
	362	if (ad) {
	363	*appl_data = wpabuf_alloc_ext_data(ad, ad_len);
	364	if (*appl_data == NULL)
	365	os_free(ad);
	366	} else
	367	*appl_data = NULL;
	368	} else
	369	os_free(ad);
6fc6879b	370
81c85c06	371	return out;
6fc6879b JM	372	#else /* CONFIG_TLS_INTERNAL_CLIENT */
	373	return NULL;
	374	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	375	}
	376
	377
81c85c06 JM	378	struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
	379	struct tls_connection *conn,
	380	const struct wpabuf *in_data,
	381	struct wpabuf **appl_data)
6fc6879b JM	382	{
6fc6879b JM	383	#ifdef CONFIG_TLS_INTERNAL_SERVER
81c85c06 JM	384	u8 *res;
	385	size_t res_len;
	386	struct wpabuf *out;
	387
6fc6879b JM	388	if (conn->server == NULL)
	389	return NULL;
	390
81c85c06 JM	391	if (appl_data)
	392	*appl_data = NULL;
	393
	394	res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
	395	wpabuf_len(in_data), &res_len);
	396	if (res == NULL && tlsv1_server_established(conn->server))
	397	return wpabuf_alloc(0);
	398	if (res == NULL)
	399	return NULL;
	400	out = wpabuf_alloc_ext_data(res, res_len);
	401	if (out == NULL) {
	402	os_free(res);
	403	return NULL;
4d4233ea	404	}
81c85c06	405
6fc6879b JM	406	return out;
	407	#else /* CONFIG_TLS_INTERNAL_SERVER */
	408	return NULL;
	409	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	410	}
	411
	412
81c85c06 JM	413	struct wpabuf * tls_connection_encrypt(void *tls_ctx,
	414	struct tls_connection *conn,
	415	const struct wpabuf *in_data)
6fc6879b JM	416	{
	417	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	418	if (conn->client) {
81c85c06 JM	419	struct wpabuf *buf;
	420	int res;
	421	buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
	422	if (buf == NULL)
	423	return NULL;
	424	res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data),
	425	wpabuf_len(in_data),
	426	wpabuf_mhead(buf),
	427	wpabuf_size(buf));
	428	if (res < 0) {
	429	wpabuf_free(buf);
	430	return NULL;
	431	}
	432	wpabuf_put(buf, res);
	433	return buf;
6fc6879b JM	434	}
	435	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	436	#ifdef CONFIG_TLS_INTERNAL_SERVER
	437	if (conn->server) {
81c85c06 JM	438	struct wpabuf *buf;
	439	int res;
	440	buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
	441	if (buf == NULL)
	442	return NULL;
	443	res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data),
	444	wpabuf_len(in_data),
	445	wpabuf_mhead(buf),
	446	wpabuf_size(buf));
	447	if (res < 0) {
	448	wpabuf_free(buf);
	449	return NULL;
	450	}
	451	wpabuf_put(buf, res);
	452	return buf;
6fc6879b JM	453	}
6fc6879b JM	454	#endif /* CONFIG_TLS_INTERNAL_SERVER */
81c85c06	455	return NULL;
6fc6879b JM	456	}
	457
	458
81c85c06 JM	459	struct wpabuf * tls_connection_decrypt(void *tls_ctx,
	460	struct tls_connection *conn,
	461	const struct wpabuf *in_data)
6fc6879b	462	{
dbdcfa39 JM	463	return tls_connection_decrypt2(tls_ctx, conn, in_data, NULL);
	464	}
	465
	466
	467	struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
	468	struct tls_connection *conn,
	469	const struct wpabuf *in_data,
	470	int *need_more_data)
	471	{
	472	if (need_more_data)
	473	*need_more_data = 0;
	474
6fc6879b JM	475	#ifdef CONFIG_TLS_INTERNAL_CLIENT
6fc6879b JM	476	if (conn->client) {
dbdcfa39 JM	477	return tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
	478	wpabuf_len(in_data),
	479	need_more_data);
6fc6879b JM	480	}
	481	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	482	#ifdef CONFIG_TLS_INTERNAL_SERVER
	483	if (conn->server) {
81c85c06 JM	484	struct wpabuf *buf;
	485	int res;
	486	buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
	487	if (buf == NULL)
	488	return NULL;
	489	res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data),
	490	wpabuf_len(in_data),
	491	wpabuf_mhead(buf),
	492	wpabuf_size(buf));
	493	if (res < 0) {
	494	wpabuf_free(buf);
	495	return NULL;
	496	}
	497	wpabuf_put(buf, res);
	498	return buf;
6fc6879b JM	499	}
6fc6879b JM	500	#endif /* CONFIG_TLS_INTERNAL_SERVER */
81c85c06	501	return NULL;
6fc6879b JM	502	}
	503
	504
	505	int tls_connection_resumed(void tls_ctx, struct tls_connection conn)
	506	{
	507	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	508	if (conn->client)
	509	return tlsv1_client_resumed(conn->client);
	510	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	511	#ifdef CONFIG_TLS_INTERNAL_SERVER
	512	if (conn->server)
	513	return tlsv1_server_resumed(conn->server);
	514	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	515	return -1;
	516	}
	517
	518
	519	int tls_connection_set_cipher_list(void tls_ctx, struct tls_connection conn,
	520	u8 *ciphers)
	521	{
	522	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	523	if (conn->client)
	524	return tlsv1_client_set_cipher_list(conn->client, ciphers);
	525	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	526	#ifdef CONFIG_TLS_INTERNAL_SERVER
	527	if (conn->server)
	528	return tlsv1_server_set_cipher_list(conn->server, ciphers);
	529	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	530	return -1;
	531	}
	532
	533
	534	int tls_get_cipher(void tls_ctx, struct tls_connection conn,
	535	char *buf, size_t buflen)
	536	{
	537	if (conn == NULL)
	538	return -1;
	539	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	540	if (conn->client)
	541	return tlsv1_client_get_cipher(conn->client, buf, buflen);
	542	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	543	#ifdef CONFIG_TLS_INTERNAL_SERVER
	544	if (conn->server)
	545	return tlsv1_server_get_cipher(conn->server, buf, buflen);
	546	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	547	return -1;
	548	}
	549
	550
	551	int tls_connection_enable_workaround(void *tls_ctx,
	552	struct tls_connection *conn)
	553	{
	554	return -1;
	555	}
	556
	557
	558	int tls_connection_client_hello_ext(void tls_ctx, struct tls_connection conn,
	559	int ext_type, const u8 *data,
	560	size_t data_len)
	561	{
	562	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	563	if (conn->client) {
	564	return tlsv1_client_hello_ext(conn->client, ext_type,
	565	data, data_len);
566	}
567	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
568	return -1;
569	}
570
571
572	int tls_connection_get_failed(void tls_ctx, struct tls_connection conn)
573	{
574	return 0;
575	}
576
577
578	int tls_connection_get_read_alerts(void tls_ctx, struct tls_connection conn)
579	{
580	return 0;
581	}
582
583
584	int tls_connection_get_write_alerts(void *tls_ctx,
585	struct tls_connection *conn)
586	{
587	return 0;
588	}
589
590
591	int tls_connection_get_keyblock_size(void *tls_ctx,
592	struct tls_connection *conn)
593	{
594	#ifdef CONFIG_TLS_INTERNAL_CLIENT
595	if (conn->client)
596	return tlsv1_client_get_keyblock_size(conn->client);
597	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
598	#ifdef CONFIG_TLS_INTERNAL_SERVER
599	if (conn->server)
600	return tlsv1_server_get_keyblock_size(conn->server);
601	#endif /* CONFIG_TLS_INTERNAL_SERVER */
602	return -1;
603	}
604
605
606	unsigned int tls_capabilities(void *tls_ctx)
607	{
608	return 0;
609	}
610
611
6fc6879b JM	612	int tls_connection_set_session_ticket_cb(void *tls_ctx,
	613	struct tls_connection *conn,
	614	tls_session_ticket_cb cb,
	615	void *ctx)
	616	{
	617	#ifdef CONFIG_TLS_INTERNAL_CLIENT
	618	if (conn->client) {
	619	tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
	620	return 0;
	621	}
	622	#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	623	#ifdef CONFIG_TLS_INTERNAL_SERVER
	624	if (conn->server) {
	625	tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
	626	return 0;
	627	}
	628	#endif /* CONFIG_TLS_INTERNAL_SERVER */
	629	return -1;
	630	}