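/*
 * TLS interface functions and an internal TLS implementation
 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 *
 * This file provides the interface functions for hostapd/wpa_supplicant to
 * use the integrated TLSv1 implementation.
 */

#include "includes.h"

#include "common.h"
#include "tls.h"
#include "tls/tlsv1_client.h"
#include "tls/tlsv1_server.h"


/*
 * Number of tls_global contexts currently alive. The library-wide
 * tlsv1_client/tlsv1_server state is initialized when the first context is
 * created and torn down when the last one is freed; everything else is
 * per-context and lives in struct tls_global.
 */
static int tls_ref_count = 0;

struct tls_global {
	int server; /* non-zero once tls_global_set_params() has run */
	struct tlsv1_credentials *server_cred; /* owned by this context */
	int check_crl; /* stored by tls_global_set_verify(); not read here */
};

struct tls_connection {
	/* At most one of these is set; tls_connection_init() picks the side
	 * based on tls_global::server. */
	struct tlsv1_client *client;
	struct tlsv1_server *server;
};


/**
 * tls_init - Allocate a context for the internal TLSv1 implementation
 * @conf: TLS configuration (not used by this backend)
 * Returns: Context to pass to the other tls_* functions, or %NULL on failure
 *
 * The library-wide client/server state is initialized only when this is the
 * first live context; later calls just take another reference to it.
 */
void * tls_init(const struct tls_config *conf)
{
	struct tls_global *global;

	/* Allocate before touching the shared state so that an allocation
	 * failure cannot leave tls_ref_count incremented with no context to
	 * balance it in tls_deinit(). */
	global = os_zalloc(sizeof(*global));
	if (global == NULL)
		return NULL;

	if (tls_ref_count == 0) {
#ifdef CONFIG_TLS_INTERNAL_CLIENT
		if (tlsv1_client_global_init()) {
			os_free(global);
			return NULL;
		}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
		if (tlsv1_server_global_init()) {
#ifdef CONFIG_TLS_INTERNAL_CLIENT
			/* Roll back the client-side init done just above */
			tlsv1_client_global_deinit();
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
			os_free(global);
			return NULL;
		}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	}
	tls_ref_count++;

	return global;
}


/**
 * tls_deinit - Free a context allocated with tls_init()
 * @ssl_ctx: Context from tls_init()
 *
 * The credentials owned by this context are always released; the
 * library-wide client/server state is torn down only when the last context
 * goes away.
 */
void tls_deinit(void *ssl_ctx)
{
	struct tls_global *global = ssl_ctx;

#ifdef CONFIG_TLS_INTERNAL_SERVER
	/* server_cred belongs to this context, not to the library-wide state,
	 * so it has to be freed for every context rather than only for the
	 * last one; otherwise every context but the last leaks its
	 * credentials. */
	tlsv1_cred_free(global->server_cred);
#endif /* CONFIG_TLS_INTERNAL_SERVER */

	tls_ref_count--;
	if (tls_ref_count == 0) {
#ifdef CONFIG_TLS_INTERNAL_CLIENT
		tlsv1_client_global_deinit();
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
		tlsv1_server_global_deinit();
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	}

	os_free(global);
}


/**
 * tls_get_errors - Report pending TLS library errors
 * @tls_ctx: Context from tls_init()
 * Returns: Always 0; this backend has no error queue to drain
 */
int tls_get_errors(void *tls_ctx)
{
	return 0;
}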
/**
 * tls_connection_init - Create a new connection under a context
 * @tls_ctx: Context from tls_init()
 * Returns: New connection object, or %NULL on failure
 *
 * A client-side state machine is created unless tls_global_set_params() has
 * switched the context into server mode, in which case a server-side state
 * machine bound to the context's credentials is created instead.
 */
struct tls_connection * tls_connection_init(void *tls_ctx)
{
	struct tls_global *global = tls_ctx;
	struct tls_connection *conn = os_zalloc(sizeof(*conn));
	int ok = 1;

	if (!conn)
		return NULL;

#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (!global->server) {
		conn->client = tlsv1_client_init();
		ok = conn->client != NULL;
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (ok && global->server) {
		conn->server = tlsv1_server_init(global->server_cred);
		ok = conn->server != NULL;
	}
#endif /* CONFIG_TLS_INTERNAL_SERVER */

	if (!ok) {
		os_free(conn);
		return NULL;
	}

	return conn;
}


/**
 * tls_connection_deinit - Free a connection from tls_connection_init()
 * @tls_ctx: Context from tls_init()
 * @conn: Connection to free; %NULL is accepted and ignored
 */
void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
{
	if (!conn)
		return;

#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		tlsv1_client_deinit(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		tlsv1_server_deinit(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */

	os_free(conn);
}


/**
 * tls_connection_established - Check whether the handshake has completed
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * Returns: Non-zero if the TLS connection is established, 0 otherwise
 *
 * The answer comes from whichever side (client or server) this connection
 * runs; a connection with neither side is reported as not established.
 */
int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
{
	int established = 0;

#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		established = tlsv1_client_established(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		established = tlsv1_server_established(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */

	return established;
}


/**
 * tls_connection_shutdown - Shut down a connection so it can be reused
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * Returns: 0 on success, -1 on failure or when no side is active
 */
int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
{
	int res = -1;

#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		res = tlsv1_client_shutdown(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		res = tlsv1_server_shutdown(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */

	return res;
}
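/**
 * tls_connection_set_params - Configure client-side credentials
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init(); must be a client connection
 * @params: Trusted CA, client certificate, private key and DH parameters
 * Returns: 0 on success, -1 on failure
 *
 * A fresh credential set is built from @params and handed to the client
 * state machine. On any failure the partially built set is freed and the
 * connection is left without credentials. TLS_CONN_DISABLE_TIME_CHECKS in
 * params->flags turns off certificate validity-period checks, so it should
 * only be set where the caller has a reason to accept expired certificates.
 */
int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
			      const struct tls_connection_params *params)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	struct tlsv1_credentials *cred;

	if (conn->client == NULL)
		return -1;

	cred = tlsv1_cred_alloc();
	if (cred == NULL)
		return -1;

	if (tlsv1_set_ca_cert(cred, params->ca_cert,
			      params->ca_cert_blob, params->ca_cert_blob_len,
			      params->ca_path)) {
		wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
			   "certificates");
		goto fail;
	}

	if (tlsv1_set_cert(cred, params->client_cert,
			   params->client_cert_blob,
			   params->client_cert_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to configure client "
			   "certificate");
		goto fail;
	}

	if (tlsv1_set_private_key(cred, params->private_key,
				  params->private_key_passwd,
				  params->private_key_blob,
				  params->private_key_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		goto fail;
	}

	if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
			       params->dh_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
		goto fail;
	}

	/* Ownership of cred moves to the client on success */
	if (tlsv1_client_set_cred(conn->client, cred) < 0)
		goto fail;

	tlsv1_client_set_time_checks(
		conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));

	return 0;

fail:
	tlsv1_cred_free(cred);
	return -1;
#else /* CONFIG_TLS_INTERNAL_CLIENT */
	return -1;
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
}


/**
 * tls_global_set_params - Configure server-side credentials for a context
 * @tls_ctx: Context from tls_init()
 * @params: Trusted CA, server certificate, private key and DH parameters
 * Returns: 0 on success, -1 on failure
 *
 * Calling this switches the context into server mode: later
 * tls_connection_init() calls create server connections bound to the
 * credentials installed here. Any previously installed credentials are
 * replaced. On failure no credential set is left installed, so a later
 * connection cannot be built from a half-loaded one.
 */
int tls_global_set_params(void *tls_ctx,
			  const struct tls_connection_params *params)
{
#ifdef CONFIG_TLS_INTERNAL_SERVER
	struct tls_global *global = tls_ctx;
	struct tlsv1_credentials *cred;

	/* Currently, global parameters are only set when running in server
	 * mode. */
	global->server = 1;
	tlsv1_cred_free(global->server_cred);
	global->server_cred = cred = tlsv1_cred_alloc();
	if (cred == NULL)
		return -1;

	if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
			      params->ca_cert_blob_len, params->ca_path)) {
		wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
			   "certificates");
		goto fail;
	}

	if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
			   params->client_cert_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to configure server "
			   "certificate");
		goto fail;
	}

	if (tlsv1_set_private_key(cred, params->private_key,
				  params->private_key_passwd,
				  params->private_key_blob,
				  params->private_key_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		goto fail;
	}

	if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
			       params->dh_blob_len)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
		goto fail;
	}

	return 0;

fail:
	/* Do not leave a partially configured credential set installed:
	 * tls_connection_init() would otherwise hand it to
	 * tlsv1_server_init() for every new server connection. */
	tlsv1_cred_free(cred);
	global->server_cred = NULL;
	return -1;
#else /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
#endif /* CONFIG_TLS_INTERNAL_SERVER */
}


/**
 * tls_global_set_verify - Set global CRL checking policy
 * @tls_ctx: Context from tls_init()
 * @check_crl: Requested CRL checking level
 * Returns: Always 0
 *
 * The value is only recorded in the context; nothing in the part of this
 * file shown here reads it, so callers should not assume CRL checking is
 * actually enforced by this backend.
 */
int tls_global_set_verify(void *tls_ctx, int check_crl)
{
	struct tls_global *global = tls_ctx;
	global->check_crl = check_crl;
	return 0;
}


/**
 * tls_connection_set_verify - Set peer certificate verification policy
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * @verify_peer: Whether to require a peer (client) certificate
 * Returns: 0 on success, -1 on failure
 *
 * Only server connections support this; for a client connection -1 is
 * returned.
 */
int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
			      int verify_peer)
{
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_set_verify(conn->server, verify_peer);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


/**
 * tls_connection_get_keys - Export the negotiated key material
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * @keys: Buffer filled by the active side's tlsv1_*_get_keys()
 * Returns: 0 on success, -1 on failure or when no side is active
 */
int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn,
			    struct tls_keys *keys)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_get_keys(conn->client, keys);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_get_keys(conn->server, keys);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}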
/**
 * tls_connection_prf - Derive keying material with the TLS PRF
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * @label: PRF label
 * @server_random_first: Whether server_random precedes client_random as seed
 * @out: Buffer for the derived bytes
 * @out_len: Number of bytes to derive
 * Returns: 0 on success, -1 on failure or when no side is active
 */
int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
		       const char *label, int server_random_first,
		       u8 *out, size_t out_len)
{
	int res = -1;

#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		res = tlsv1_client_prf(conn->client, label,
				       server_random_first, out, out_len);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		res = tlsv1_server_prf(conn->server, label,
				       server_random_first, out, out_len);
#endif /* CONFIG_TLS_INTERNAL_SERVER */

	return res;
}


/**
 * tls_connection_handshake - Run one client-side handshake step
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * @in_data: Data received from the server, or %NULL for the first step
 * @appl_data: Pointer to receive decrypted application data, or %NULL
 * Returns: Data to send to the server, or %NULL on failure
 *
 * Thin wrapper over tls_connection_handshake2() without the need_more_data
 * indication.
 */
struct wpabuf * tls_connection_handshake(void *tls_ctx,
					 struct tls_connection *conn,
					 const struct wpabuf *in_data,
					 struct wpabuf **appl_data)
{
	return tls_connection_handshake2(tls_ctx, conn, in_data, appl_data,
					 NULL);
}


/**
 * tls_connection_handshake2 - Run one client-side handshake step
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init(); must be a client connection
 * @in_data: Data received from the server, or %NULL for the first step
 * @appl_data: Pointer to receive decrypted application data, or %NULL;
 *	set to %NULL when there is none
 * @need_more_data: Passed through to tlsv1_client_handshake(); it is not
 *	cleared here first, unlike in tls_connection_decrypt2(), so the callee
 *	is presumably responsible for setting it
 * Returns: Data to send to the server, or %NULL on failure
 *
 * The returned buffer takes ownership of the handshake output; any
 * application data is either wrapped into *appl_data or freed.
 */
struct wpabuf * tls_connection_handshake2(void *tls_ctx,
					  struct tls_connection *conn,
					  const struct wpabuf *in_data,
					  struct wpabuf **appl_data,
					  int *need_more_data)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	const u8 *in = NULL;
	size_t in_len = 0;
	u8 *res, *ad = NULL;
	size_t res_len, ad_len;
	struct wpabuf *out;

	if (!conn->client)
		return NULL;

	if (in_data) {
		in = wpabuf_head(in_data);
		in_len = wpabuf_len(in_data);
	}

	res = tlsv1_client_handshake(conn->client, in, in_len,
				     &res_len, &ad, &ad_len, need_more_data);
	if (!res)
		return NULL;

	out = wpabuf_alloc_ext_data(res, res_len);
	if (!out) {
		os_free(res);
		os_free(ad);
		return NULL;
	}

	if (!appl_data) {
		/* Caller does not want application data; drop it */
		os_free(ad);
		return out;
	}

	*appl_data = NULL;
	if (ad) {
		*appl_data = wpabuf_alloc_ext_data(ad, ad_len);
		if (!*appl_data)
			os_free(ad);
	}

	return out;
#else /* CONFIG_TLS_INTERNAL_CLIENT */
	return NULL;
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
}
/**
 * tls_connection_server_handshake - Run one server-side handshake step
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init(); must be a server connection
 * @in_data: Data received from the client
 * @appl_data: Pointer to receive application data, or %NULL; always set to
 *	%NULL here because the server side hands none back
 * Returns: Data to send to the client, an empty buffer if there is nothing
 * to send but the connection is established, or %NULL on failure
 */
struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
						struct tls_connection *conn,
						const struct wpabuf *in_data,
						struct wpabuf **appl_data)
{
#ifdef CONFIG_TLS_INTERNAL_SERVER
	struct wpabuf *out;
	size_t res_len;
	u8 *res;

	if (!conn->server)
		return NULL;

	if (appl_data)
		*appl_data = NULL;

	res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
				     wpabuf_len(in_data), &res_len);
	if (!res) {
		/* No output: treated as success (empty reply) only when the
		 * connection is already established, as failure otherwise */
		return tlsv1_server_established(conn->server) ?
			wpabuf_alloc(0) : NULL;
	}

	out = wpabuf_alloc_ext_data(res, res_len);
	if (!out)
		os_free(res);
	return out;
#else /* CONFIG_TLS_INTERNAL_SERVER */
	return NULL;
#endif /* CONFIG_TLS_INTERNAL_SERVER */
}


#if defined(CONFIG_TLS_INTERNAL_CLIENT) || defined(CONFIG_TLS_INTERNAL_SERVER)
/*
 * Finish an encrypt call: on failure drop the output buffer, otherwise
 * commit the number of bytes the encryptor wrote into it.
 */
static struct wpabuf * tls_internal_encrypt_done(struct wpabuf *buf, int res)
{
	if (res < 0) {
		wpabuf_free(buf);
		return NULL;
	}
	wpabuf_put(buf, res);
	return buf;
}
#endif /* CONFIG_TLS_INTERNAL_CLIENT || CONFIG_TLS_INTERNAL_SERVER */


/**
 * tls_connection_encrypt - Wrap application data into TLS records
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * @in_data: Plaintext application data
 * Returns: Newly allocated buffer with the encrypted records, or %NULL on
 * failure or when no side is active
 */
struct wpabuf * tls_connection_encrypt(void *tls_ctx,
				       struct tls_connection *conn,
				       const struct wpabuf *in_data)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		/* 300 extra bytes of headroom for record expansion — the
		 * exact bound is set by the record layer; confirm there */
		struct wpabuf *buf = wpabuf_alloc(wpabuf_len(in_data) + 300);

		if (!buf)
			return NULL;
		return tls_internal_encrypt_done(
			buf, tlsv1_client_encrypt(conn->client,
						  wpabuf_head(in_data),
						  wpabuf_len(in_data),
						  wpabuf_mhead(buf),
						  wpabuf_size(buf)));
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server) {
		/* Same headroom as on the client side */
		struct wpabuf *buf = wpabuf_alloc(wpabuf_len(in_data) + 300);

		if (!buf)
			return NULL;
		return tls_internal_encrypt_done(
			buf, tlsv1_server_encrypt(conn->server,
						  wpabuf_head(in_data),
						  wpabuf_len(in_data),
						  wpabuf_mhead(buf),
						  wpabuf_size(buf)));
	}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return NULL;
}


/**
 * tls_connection_decrypt - Unwrap TLS records into application data
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * @in_data: Received TLS records
 * Returns: Decrypted application data, or %NULL on failure
 *
 * Thin wrapper over tls_connection_decrypt2() without the need_more_data
 * indication.
 */
struct wpabuf * tls_connection_decrypt(void *tls_ctx,
				       struct tls_connection *conn,
				       const struct wpabuf *in_data)
{
	return tls_connection_decrypt2(tls_ctx, conn, in_data, NULL);
}


/**
 * tls_connection_decrypt2 - Unwrap TLS records into application data
 * @tls_ctx: Context from tls_init()
 * @conn: Connection from tls_connection_init()
 * @in_data: Received TLS records
 * @need_more_data: Optional flag, cleared here before the decrypt call so
 *	that it is only set when the active side asks for more input
 * Returns: Decrypted application data, or %NULL on failure
 */
struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
					struct tls_connection *conn,
					const struct wpabuf *in_data,
					int *need_more_data)
{
	if (need_more_data)
		*need_more_data = 0;

#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		return tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
					    wpabuf_len(in_data),
4791f69aa52ea2e0a73ac502565df8c666ee49cab6aDmitry Shmidt need_more_data); 4808d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt } 4818d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt#endif /* CONFIG_TLS_INTERNAL_CLIENT */ 4828d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt#ifdef CONFIG_TLS_INTERNAL_SERVER 4838d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (conn->server) { 4848d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt struct wpabuf *buf; 4858d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt int res; 4868d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3); 4878d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (buf == NULL) 4888d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return NULL; 4898d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data), 4908d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt wpabuf_len(in_data), 4918d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt wpabuf_mhead(buf), 4928d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt wpabuf_size(buf)); 4938d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt if (res < 0) { 4948d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt wpabuf_free(buf); 4958d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return NULL; 4968d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt } 4978d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt wpabuf_put(buf, res); 4988d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return buf; 4998d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt } 5008d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt#endif /* CONFIG_TLS_INTERNAL_SERVER */ 5018d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt return NULL; 5028d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt} 5038d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 5048d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidt 
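/*
 * tls_connection_resumed - Was the current session resumed from a cached one?
 * @tls_ctx: TLS context from tls_init(); not used by the internal implementation
 * @conn: Connection context (client or server side)
 * Returns: Whatever tlsv1_client_resumed()/tlsv1_server_resumed() reports,
 * or -1 when there is no connection or neither side is set up
 */
int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
{
	/* Same NULL guard as tls_get_cipher() below. */
	if (conn == NULL)
		return -1;
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_resumed(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_resumed(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


/*
 * tls_connection_set_cipher_list - Restrict the cipher suites for a connection
 * @tls_ctx: TLS context from tls_init(); not used by the internal implementation
 * @conn: Connection context (client or server side)
 * @ciphers: Cipher list passed through unchanged; its encoding and terminator
 *	are defined by tlsv1_*_set_cipher_list() and are not validated here
 * Returns: Result of the underlying call, or -1 when there is no connection,
 * no list, or neither side is set up
 */
int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
				   u8 *ciphers)
{
	if (conn == NULL || ciphers == NULL)
		return -1;
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_set_cipher_list(conn->client, ciphers);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_set_cipher_list(conn->server, ciphers);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


/*
 * tls_get_cipher - Fetch a textual name of the negotiated cipher suite
 * @tls_ctx: TLS context from tls_init(); not used by the internal implementation
 * @conn: Connection context (client or server side)
 * @buf: Output buffer for the cipher name
 * @buflen: Size of @buf in bytes
 * Returns: Result of the underlying call, or -1 when there is no connection,
 * no output buffer, or neither side is set up
 */
int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
		   char *buf, size_t buflen)
{
	if (conn == NULL || buf == NULL)
		return -1;
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_get_cipher(conn->client, buf, buflen);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_get_cipher(conn->server, buf, buflen);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}


/*
 * tls_connection_enable_workaround - Enable TLS interoperability workarounds
 * @tls_ctx: TLS context from tls_init(); unused
 * @conn: Connection context; unused
 * Returns: -1 always; the internal implementation offers no such workarounds
 */
int tls_connection_enable_workaround(void *tls_ctx,
				     struct tls_connection *conn)
{
	return -1;
}


/*
 * tls_connection_client_hello_ext - Attach an extension to the ClientHello
 * @tls_ctx: TLS context from tls_init(); not used by the internal implementation
 * @conn: Connection context; only a client-side connection can carry this
 * @ext_type: Extension type value, passed through unchanged
 * @data: Extension payload, passed through unchanged (may be NULL; how that is
 *	interpreted is up to tlsv1_client_hello_ext())
 * @data_len: Length of @data in bytes
 * Returns: Result of tlsv1_client_hello_ext(), or -1 when there is no
 * connection or no client-side state
 */
int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
				    int ext_type, const u8 *data,
				    size_t data_len)
{
	if (conn == NULL)
		return -1;
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		return tlsv1_client_hello_ext(conn->client, ext_type,
					      data, data_len);
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
	return -1;
}


/*
 * tls_connection_get_failed - Number of failure notifications for a connection
 * @tls_ctx: TLS context from tls_init(); unused
 * @conn: Connection context; unused
 * Returns: 0 always; the internal implementation does not keep this counter
 */
int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
{
	return 0;
}


/*
 * tls_connection_get_read_alerts - Number of alerts received on a connection
 * @tls_ctx: TLS context from tls_init(); unused
 * @conn: Connection context; unused
 * Returns: 0 always; the internal implementation does not keep this counter
 */
int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
{
	return 0;
}


/*
 * tls_connection_get_write_alerts - Number of alerts sent on a connection
 * @tls_ctx: TLS context from tls_init(); unused
 * @conn: Connection context; unused
 * Returns: 0 always; the internal implementation does not keep this counter
 */
int tls_connection_get_write_alerts(void *tls_ctx,
				    struct tls_connection *conn)
{
	return 0;
}


/*
 * tls_connection_get_keyblock_size - Size of the key block for this connection
 * @tls_ctx: TLS context from tls_init(); not used by the internal implementation
 * @conn: Connection context (client or server side)
 * Returns: Result of tlsv1_client_get_keyblock_size()/
 * tlsv1_server_get_keyblock_size(), or -1 when there is no connection or
 * neither side is set up
 */
int tls_connection_get_keyblock_size(void *tls_ctx,
				     struct tls_connection *conn)
{
	if (conn == NULL)
		return -1;
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client)
		return tlsv1_client_get_keyblock_size(conn->client);
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server)
		return tlsv1_server_get_keyblock_size(conn->server);
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}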
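

/*
 * tls_capabilities - Report optional features of this TLS implementation
 * @tls_ctx: TLS context from tls_init(); unused
 * Returns: 0 always; the internal implementation advertises no optional
 * capability flags, so callers must not rely on any of them being present
 */
unsigned int tls_capabilities(void *tls_ctx)
{
	return 0;
}


/*
 * tls_connection_set_session_ticket_cb - Register a session ticket callback
 * @tls_ctx: TLS context from tls_init(); not used by the internal implementation
 * @conn: Connection context (client or server side)
 * @cb: Callback handed through to tlsv1_*_set_session_ticket_cb()
 * @ctx: Opaque context pointer handed through with @cb
 * Returns: 0 when the callback was registered on the client or server side,
 * -1 when there is no connection or neither side is set up
 *
 * The client side is tried first, mirroring the other wrappers in this file.
 */
int tls_connection_set_session_ticket_cb(void *tls_ctx,
					 struct tls_connection *conn,
					 tls_session_ticket_cb cb,
					 void *ctx)
{
	if (conn == NULL)
		return -1;
#ifdef CONFIG_TLS_INTERNAL_CLIENT
	if (conn->client) {
		tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
		return 0;
	}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
	if (conn->server) {
		tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
		return 0;
	}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
	return -1;
}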