aboutsummaryrefslogtreecommitdiff
path: root/contrib/hostapd/tls.h
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/hostapd/tls.h')
-rw-r--r--contrib/hostapd/tls.h312
1 files changed, 312 insertions, 0 deletions
diff --git a/contrib/hostapd/tls.h b/contrib/hostapd/tls.h
new file mode 100644
index 000000000000..99c9b332360a
--- /dev/null
+++ b/contrib/hostapd/tls.h
@@ -0,0 +1,312 @@
+#ifndef TLS_H
+#define TLS_H
+
+struct tls_connection;
+
+struct tls_keys {
+ const u8 *master_key;
+ size_t master_key_len;
+ const u8 *client_random;
+ size_t client_random_len;
+ const u8 *server_random;
+ size_t server_random_len;
+};
+
+/**
+ * tls_init - initialize TLS library
+ *
+ * Returns: Context data to be used as @tls_ctx in calls to other functions,
+ * or %NULL on failure.
+ *
+ * Called once during program startup.
+ */
+void * tls_init(void);
+
+/**
+ * tls_deinit - deinitialize TLS library
+ * @tls_ctx: TLS context data from tls_init()
+ *
+ * Called once during program shutdown.
+ */
+void tls_deinit(void *tls_ctx);
+
+/**
+ * tls_get_errors - process pending errors
+ * @tls_ctx: TLS context data from tls_init()
+ *
+ * Returns: Number of found error, 0 if no errors detected.
+ *
+ * Process all pending TLS errors.
+ */
+int tls_get_errors(void *tls_ctx);
+
+/**
+ * tls_connection_init - initialize a new TLS connection
+ * @tls_ctx: TLS context data from tls_init()
+ *
+ * Returns: Connection context data, @conn for other function calls
+ */
+struct tls_connection * tls_connection_init(void *tls_ctx);
+
+/**
+ * tls_connection_deinit - free TLS connection data
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ *
+ * Release all resources allocated for TLS connection.
+ */
+void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn);
+
+/**
+ * tls_connection_established - has the TLS connection been completed?
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ *
+ * Returns: 1 if TLS connection has been completed, 0 if not.
+ */
+int tls_connection_established(void *tls_ctx, struct tls_connection *conn);
+
+/**
+ * tls_connection_shutdown - shutdown TLS connection data.
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ *
+ * Returns: 0 on success, -1 on failure
+ *
+ * Shutdown current TLS connection without releasing all resources. New
+ * connection can be started by using the same @conn without having to call
+ * tls_connection_init() or setting certificates etc. again. The new
+ * connection should try to use session resumption.
+ */
+int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn);
+
+/**
+ * tls_connection_ca_cert - set trusted CA certificate for TLS connection
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @ca_cert: File name for CA certificate in PEM or DER format
+ * @subject_match: String to match in the subject of the peer certificate or
+ * %NULL to allow all subjects
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_connection_ca_cert(void *tls_ctx, struct tls_connection *conn,
+ const char *ca_cert, const char *subject_match);
+
+/**
+ * tls_global_ca_cert - set trusted CA certificate for all TLS connections
+ * @tls_ctx: TLS context data from tls_init()
+ * @ca_cert: File name for CA certificate in PEM or DER format
+ * %NULL to allow all subjects
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_global_ca_cert(void *tls_ctx, const char *ca_cert);
+
+/**
+ * tls_connection_ca_cert - set trusted CA certificate for TLS connection
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @verify_peer: 1 = verify peer certificate
+ * @subject_match: String to match in the subject of the peer certificate or
+ * %NULL to allow all subjects
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
+ int verify_peer, const char *subject_match);
+
+/**
+ * tls_connection_client_cert - set client certificate for TLS connection
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @client_cert: File name for client certificate in PEM or DER format
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_connection_client_cert(void *tls_ctx, struct tls_connection *conn,
+ const char *client_cert);
+
+/**
+ * tls_global_client_cert - set client certificate for all TLS connections
+ * @tls_ctx: TLS context data from tls_init()
+ * @client_cert: File name for client certificate in PEM or DER format
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_global_client_cert(void *tls_ctx, const char *client_cert);
+
+/**
+ * tls_connection_private_key - set private key for TLS connection
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @private_key: File name for client private key in PEM or DER format
+ * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
+ * passphrase is used.
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_connection_private_key(void *tls_ctx, struct tls_connection *conn,
+ const char *private_key,
+ const char *private_key_passwd);
+
+/**
+ * tls_global_private_key - set private key for all TLS connections
+ * @tls_ctx: TLS context data from tls_init()
+ * @private_key: File name for client private key in PEM or DER format
+ * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
+ * passphrase is used.
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_global_private_key(void *tls_ctx, const char *private_key,
+ const char *private_key_passwd);
+
+/**
+ * tls_connection_dh - set DH/DSA parameters for TLS connection
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @dh_file: File name for DH/DSA data in PEM format.
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_connection_dh(void *tls_ctx, struct tls_connection *conn,
+ const char *dh_file);
+
+/**
+ * tls_connection_get_keys - get master key and random data from TLS connection
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @keys: Structure of key/random data (filled on success)
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn,
+ struct tls_keys *keys);
+
+/**
+ * tls_connection_handshake - process TLS handshake (client side)
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @in_data: Input data from TLS peer
+ * @in_len: Input data length
+ * @out_len: Length of the output buffer.
+ *
+ * Returns: pointer to output data, %NULL on failure
+ *
+ * Caller is responsible for freeing returned output data.
+ */
+u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
+ const u8 *in_data, size_t in_len,
+ size_t *out_len);
+
+/**
+ * tls_connection_servr_handshake - process TLS handshake (server side)
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @in_data: Input data from TLS peer
+ * @in_len: Input data length
+ * @out_len: Length of the output buffer.
+ *
+ * Returns: pointer to output data, %NULL on failure
+ *
+ * Caller is responsible for freeing returned output data.
+ */
+u8 * tls_connection_server_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const u8 *in_data, size_t in_len,
+ size_t *out_len);
+
+/**
+ * tls_connection_encrypt - encrypt data into TLS tunnel
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @in_data: Pointer to plaintext data to be encrypted
+ * @in_len: Input buffer length
+ * @out_data: Pointer to output buffer (encrypted TLS data)
+ * @out_len: Maximum @out_data length
+ *
+ * Returns: Number of bytes written to @out_data, -1 on failure
+ */
+int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn,
+ u8 *in_data, size_t in_len,
+ u8 *out_data, size_t out_len);
+
+/**
+ * tls_connection_decrypt - decrypt data from TLS tunnel
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @in_data: Pointer to input buffer (encrypted TLS data)
+ * @in_len: Input buffer length
+ * @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
+ * @out_len: Maximum @out_data length
+ *
+ * Returns: Number of bytes written to @out_data, -1 on failure
+ */
+int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn,
+ u8 *in_data, size_t in_len,
+ u8 *out_data, size_t out_len);
+
+/**
+ * tls_connection_resumed - was session resumption used
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ *
+ * Returns: 1 if current session used session resumption, 0 if not
+ */
+int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);
+
+/**
+ * tls_connection_set_master_key - configure master secret for TLS connection
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * @key: TLS pre-master-secret
+ * @key_len: length of @key in bytes
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int tls_connection_set_master_key(void *ssl_ctx, struct tls_connection *conn,
+ const u8 *key, size_t key_len);
+
+/**
+ * tls_connection_set_anon_dh - configure TLS connection to use anonymous DH
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ *
+ * Returns: 0 on success, -1 on failure
+ *
+ * TODO: consider changing this to more generic routine for configuring allowed
+ * ciphers
+ */
+int tls_connection_set_anon_dh(void *ssl_ctx, struct tls_connection *conn);
+
+/**
+ * tls_get_cipher - get current cipher name
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ *
+ * Returns: 0 on success, -1 on failure
+ *
+ * Get the name of the currently used cipher.
+ */
+int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
+ char *buf, size_t buflen);
+
+/**
+ * tls_connection_enable_workaround - enable TLS workaround options
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ *
+ * Returns: 0 on success, -1 on failure
+ *
+ * This function is used to enable connection-specific workaround options for
+ * buffer SSL/TLS implementations.
+ */
+int tls_connection_enable_workaround(void *ssl_ctx,
+ struct tls_connection *conn);
+
+int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
+ int ext_type, const u8 *data,
+ size_t data_len);
+
+#endif /* TLS_H */
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-14 16:24:58 +0000