diff options
Diffstat (limited to 'contrib/hostapd/tls.h')
-rw-r--r-- | contrib/hostapd/tls.h | 312 |
1 files changed, 312 insertions, 0 deletions
diff --git a/contrib/hostapd/tls.h b/contrib/hostapd/tls.h new file mode 100644 index 000000000000..99c9b332360a --- /dev/null +++ b/contrib/hostapd/tls.h @@ -0,0 +1,312 @@ +#ifndef TLS_H +#define TLS_H + +struct tls_connection; + +struct tls_keys { + const u8 *master_key; + size_t master_key_len; + const u8 *client_random; + size_t client_random_len; + const u8 *server_random; + size_t server_random_len; +}; + +/** + * tls_init - initialize TLS library + * + * Returns: Context data to be used as @tls_ctx in calls to other functions, + * or %NULL on failure. + * + * Called once during program startup. + */ +void * tls_init(void); + +/** + * tls_deinit - deinitialize TLS library + * @tls_ctx: TLS context data from tls_init() + * + * Called once during program shutdown. + */ +void tls_deinit(void *tls_ctx); + +/** + * tls_get_errors - process pending errors + * @tls_ctx: TLS context data from tls_init() + * + * Returns: Number of found error, 0 if no errors detected. + * + * Process all pending TLS errors. + */ +int tls_get_errors(void *tls_ctx); + +/** + * tls_connection_init - initialize a new TLS connection + * @tls_ctx: TLS context data from tls_init() + * + * Returns: Connection context data, @conn for other function calls + */ +struct tls_connection * tls_connection_init(void *tls_ctx); + +/** + * tls_connection_deinit - free TLS connection data + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * + * Release all resources allocated for TLS connection. + */ +void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn); + +/** + * tls_connection_established - has the TLS connection been completed? + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * + * Returns: 1 if TLS connection has been completed, 0 if not. + */ +int tls_connection_established(void *tls_ctx, struct tls_connection *conn); + +/** + * tls_connection_shutdown - shutdown TLS connection data. + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * + * Returns: 0 on success, -1 on failure + * + * Shutdown current TLS connection without releasing all resources. New + * connection can be started by using the same @conn without having to call + * tls_connection_init() or setting certificates etc. again. The new + * connection should try to use session resumption. + */ +int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn); + +/** + * tls_connection_ca_cert - set trusted CA certificate for TLS connection + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @ca_cert: File name for CA certificate in PEM or DER format + * @subject_match: String to match in the subject of the peer certificate or + * %NULL to allow all subjects + * + * Returns: 0 on success, -1 on failure + */ +int tls_connection_ca_cert(void *tls_ctx, struct tls_connection *conn, + const char *ca_cert, const char *subject_match); + +/** + * tls_global_ca_cert - set trusted CA certificate for all TLS connections + * @tls_ctx: TLS context data from tls_init() + * @ca_cert: File name for CA certificate in PEM or DER format + * %NULL to allow all subjects + * + * Returns: 0 on success, -1 on failure + */ +int tls_global_ca_cert(void *tls_ctx, const char *ca_cert); + +/** + * tls_connection_ca_cert - set trusted CA certificate for TLS connection + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @verify_peer: 1 = verify peer certificate + * @subject_match: String to match in the subject of the peer certificate or + * %NULL to allow all subjects + * + * Returns: 0 on success, -1 on failure + */ +int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn, + int verify_peer, const char *subject_match); + +/** + * tls_connection_client_cert - set client certificate for TLS connection + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @client_cert: File name for client certificate in PEM or DER format + * + * Returns: 0 on success, -1 on failure + */ +int tls_connection_client_cert(void *tls_ctx, struct tls_connection *conn, + const char *client_cert); + +/** + * tls_global_client_cert - set client certificate for all TLS connections + * @tls_ctx: TLS context data from tls_init() + * @client_cert: File name for client certificate in PEM or DER format + * + * Returns: 0 on success, -1 on failure + */ +int tls_global_client_cert(void *tls_ctx, const char *client_cert); + +/** + * tls_connection_private_key - set private key for TLS connection + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @private_key: File name for client private key in PEM or DER format + * @private_key_passwd: Passphrase for decrypted private key, %NULL if no + * passphrase is used. + * + * Returns: 0 on success, -1 on failure + */ +int tls_connection_private_key(void *tls_ctx, struct tls_connection *conn, + const char *private_key, + const char *private_key_passwd); + +/** + * tls_global_private_key - set private key for all TLS connections + * @tls_ctx: TLS context data from tls_init() + * @private_key: File name for client private key in PEM or DER format + * @private_key_passwd: Passphrase for decrypted private key, %NULL if no + * passphrase is used. + * + * Returns: 0 on success, -1 on failure + */ +int tls_global_private_key(void *tls_ctx, const char *private_key, + const char *private_key_passwd); + +/** + * tls_connection_dh - set DH/DSA parameters for TLS connection + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @dh_file: File name for DH/DSA data in PEM format. + * + * Returns: 0 on success, -1 on failure + */ +int tls_connection_dh(void *tls_ctx, struct tls_connection *conn, + const char *dh_file); + +/** + * tls_connection_get_keys - get master key and random data from TLS connection + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @keys: Structure of key/random data (filled on success) + * + * Returns: 0 on success, -1 on failure + */ +int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn, + struct tls_keys *keys); + +/** + * tls_connection_handshake - process TLS handshake (client side) + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @in_data: Input data from TLS peer + * @in_len: Input data length + * @out_len: Length of the output buffer. + * + * Returns: pointer to output data, %NULL on failure + * + * Caller is responsible for freeing returned output data. + */ +u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn, + const u8 *in_data, size_t in_len, + size_t *out_len); + +/** + * tls_connection_servr_handshake - process TLS handshake (server side) + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @in_data: Input data from TLS peer + * @in_len: Input data length + * @out_len: Length of the output buffer. + * + * Returns: pointer to output data, %NULL on failure + * + * Caller is responsible for freeing returned output data. + */ +u8 * tls_connection_server_handshake(void *tls_ctx, + struct tls_connection *conn, + const u8 *in_data, size_t in_len, + size_t *out_len); + +/** + * tls_connection_encrypt - encrypt data into TLS tunnel + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @in_data: Pointer to plaintext data to be encrypted + * @in_len: Input buffer length + * @out_data: Pointer to output buffer (encrypted TLS data) + * @out_len: Maximum @out_data length + * + * Returns: Number of bytes written to @out_data, -1 on failure + */ +int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn, + u8 *in_data, size_t in_len, + u8 *out_data, size_t out_len); + +/** + * tls_connection_decrypt - decrypt data from TLS tunnel + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @in_data: Pointer to input buffer (encrypted TLS data) + * @in_len: Input buffer length + * @out_data: Pointer to output buffer (decrypted data from TLS tunnel) + * @out_len: Maximum @out_data length + * + * Returns: Number of bytes written to @out_data, -1 on failure + */ +int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn, + u8 *in_data, size_t in_len, + u8 *out_data, size_t out_len); + +/** + * tls_connection_resumed - was session resumption used + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * + * Returns: 1 if current session used session resumption, 0 if not + */ +int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn); + +/** + * tls_connection_set_master_key - configure master secret for TLS connection + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * @key: TLS pre-master-secret + * @key_len: length of @key in bytes + * + * Returns: 0 on success, -1 on failure + */ +int tls_connection_set_master_key(void *ssl_ctx, struct tls_connection *conn, + const u8 *key, size_t key_len); + +/** + * tls_connection_set_anon_dh - configure TLS connection to use anonymous DH + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * + * Returns: 0 on success, -1 on failure + * + * TODO: consider changing this to more generic routine for configuring allowed + * ciphers + */ +int tls_connection_set_anon_dh(void *ssl_ctx, struct tls_connection *conn); + +/** + * tls_get_cipher - get current cipher name + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * + * Returns: 0 on success, -1 on failure + * + * Get the name of the currently used cipher. + */ +int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn, + char *buf, size_t buflen); + +/** + * tls_connection_enable_workaround - enable TLS workaround options + * @tls_ctx: TLS context data from tls_init() + * @conn: Connection context data from tls_connection_init() + * + * Returns: 0 on success, -1 on failure + * + * This function is used to enable connection-specific workaround options for + * buffer SSL/TLS implementations. + */ +int tls_connection_enable_workaround(void *ssl_ctx, + struct tls_connection *conn); + +int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn, + int ext_type, const u8 *data, + size_t data_len); + +#endif /* TLS_H */ |