SSL/TLS interface functions for NSS. More...

#include "includes.h"
#include <nspr/prtypes.h>
#include <nspr/plarenas.h>
#include <nspr/plhash.h>
#include <nspr/prio.h>
#include <nspr/prclist.h>
#include <nspr/prlock.h>
#include <nspr/prinit.h>
#include <nspr/prerror.h>
#include <nspr/prmem.h>
#include <nss/nss.h>
#include <nss/nssilckt.h>
#include <nss/ssl.h>
#include <nss/pk11func.h>
#include <nss/secerr.h>
#include "common.h"
#include "tls.h"

Data Structures
struct	tls_connection
Functions
void *	tls_init (const struct tls_config *conf)
	Initialize TLS library.
void	tls_deinit (void *ssl_ctx)
	Deinitialize TLS library.
int	tls_get_errors (void *tls_ctx)
	Process pending errors.
struct tls_connection *	tls_connection_init (void *tls_ctx)
	Initialize a new TLS connection.
void	tls_connection_deinit (void tls_ctx, struct tls_connection conn)
	Free TLS connection data.
int	tls_connection_established (void tls_ctx, struct tls_connection conn)
	Has the TLS connection been completed?
int	tls_connection_shutdown (void tls_ctx, struct tls_connection conn)
	Shutdown TLS connection.
int	tls_connection_set_params (void tls_ctx, struct tls_connection conn, const struct tls_connection_params *params)
	Set TLS connection parameters.
int	tls_global_set_params (void tls_ctx, const struct tls_connection_params params)
	Set TLS parameters for all TLS connection.
int	tls_global_set_verify (void *tls_ctx, int check_crl)
	Set global certificate verification options.
int	tls_connection_set_verify (void tls_ctx, struct tls_connection conn, int verify_peer)
	Set certificate verification options.
int	tls_connection_get_keys (void tls_ctx, struct tls_connection conn, struct tls_keys *keys)
	Get master key and random data from TLS connection.
int	tls_connection_prf (void tls_ctx, struct tls_connection conn, const char label, int server_random_first, u8 out, size_t out_len)
	Use TLS-PRF to derive keying material.
struct wpabuf *	tls_connection_handshake (void tls_ctx, struct tls_connection conn, const struct wpabuf in_data, struct wpabuf *appl_data)
	Process TLS handshake (client side)
struct wpabuf *	tls_connection_server_handshake (void tls_ctx, struct tls_connection conn, const struct wpabuf in_data, struct wpabuf *appl_data)
	Process TLS handshake (server side)
struct wpabuf *	tls_connection_encrypt (void tls_ctx, struct tls_connection conn, const struct wpabuf *in_data)
	Encrypt data into TLS tunnel.
struct wpabuf *	tls_connection_decrypt (void tls_ctx, struct tls_connection conn, const struct wpabuf *in_data)
	Decrypt data from TLS tunnel.
int	tls_connection_resumed (void tls_ctx, struct tls_connection conn)
	Was session resumption used.
int	tls_connection_set_cipher_list (void tls_ctx, struct tls_connection conn, u8 *ciphers)
	Configure acceptable cipher suites.
int	tls_get_cipher (void tls_ctx, struct tls_connection conn, char *buf, size_t buflen)
	Get current cipher name.
int	tls_connection_enable_workaround (void tls_ctx, struct tls_connection conn)
	Enable TLS workaround options.
int	tls_connection_client_hello_ext (void tls_ctx, struct tls_connection conn, int ext_type, const u8 *data, size_t data_len)
	Set TLS extension for ClientHello.
int	tls_connection_get_failed (void tls_ctx, struct tls_connection conn)
	Get connection failure status.
int	tls_connection_get_read_alerts (void tls_ctx, struct tls_connection conn)
	Get connection read alert status.
int	tls_connection_get_write_alerts (void tls_ctx, struct tls_connection conn)
	Get connection write alert status.
int	tls_connection_get_keyblock_size (void tls_ctx, struct tls_connection conn)
	Get TLS key_block size.
unsigned int	tls_capabilities (void *tls_ctx)
	Get supported TLS capabilities.
int	tls_connection_set_session_ticket_cb (void tls_ctx, struct tls_connection conn, tls_session_ticket_cb cb, void *ctx)

Detailed Description

SSL/TLS interface functions for NSS.

Copyright: Copyright (c) 2009, Jouni Malinen <j@w1.fi>

This software may be distributed under the terms of the BSD license. See README for more details.

Function Documentation

unsigned int tls_capabilities ( void * tls_ctx )

Get supported TLS capabilities.

Parameters:

tls_ctx TLS context data from tls_init()

Returns:: Bit field of supported TLS capabilities (TLS_CAPABILITY_*)

int tls_connection_client_hello_ext	(	void *	tls_ctx,
		struct tls_connection *	conn,
		int	ext_type,
		const u8 *	data,
		size_t	data_len
	)

Set TLS extension for ClientHello.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
ext_type	Extension type
data	Extension payload (NULL to remove extension)
data_len	Extension payload length

Returns:: 0 on success, -1 on failure

struct wpabuf* tls_connection_decrypt	(	void *	tls_ctx,
		struct tls_connection *	conn,
		const struct wpabuf *	in_data
	)		`[read]`

Decrypt data from TLS tunnel.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
in_data	Encrypted TLS data

Returns:: Decrypted TLS data or NULL on failure

This function is used after TLS handshake has been completed successfully to receive data from the encrypted tunnel. The caller is responsible for freeing the returned output data.

void tls_connection_deinit	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Free TLS connection data.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Release all resources allocated for TLS connection.

int tls_connection_enable_workaround	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Enable TLS workaround options.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Returns:: 0 on success, -1 on failure

This function is used to enable connection-specific workaround options for buffer SSL/TLS implementations.

struct wpabuf* tls_connection_encrypt	(	void *	tls_ctx,
		struct tls_connection *	conn,
		const struct wpabuf *	in_data
	)		`[read]`

Encrypt data into TLS tunnel.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
in_data	Plaintext data to be encrypted

Returns:: Encrypted TLS data or NULL on failure

This function is used after TLS handshake has been completed successfully to send data in the encrypted tunnel. The caller is responsible for freeing the returned output data.

int tls_connection_established	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Has the TLS connection been completed?

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Returns:: 1 if TLS connection has been completed, 0 if not.

int tls_connection_get_failed	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Get connection failure status.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Returns >0 if connection has failed, 0 if not.

int tls_connection_get_keyblock_size	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Get TLS key_block size.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Returns:: Size of the key_block for the negotiated cipher suite or -1 on failure

int tls_connection_get_keys	(	void *	tls_ctx,
		struct tls_connection *	conn,
		struct tls_keys *	keys
	)

Get master key and random data from TLS connection.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
keys	Structure of key/random data (filled on success)

Returns:: 0 on success, -1 on failure

int tls_connection_get_read_alerts	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Get connection read alert status.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Returns:: Number of times a fatal read (remote end reported error) has happened during this connection.

int tls_connection_get_write_alerts	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Get connection write alert status.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Returns:: Number of times a fatal write (locally detected error) has happened during this connection.

struct wpabuf* tls_connection_handshake	(	void *	tls_ctx,
		struct tls_connection *	conn,
		const struct wpabuf *	in_data,
		struct wpabuf **	appl_data
	)		`[read]`

Process TLS handshake (client side)

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
in_data	Input data from TLS server
appl_data	Pointer to application data pointer, or NULL if dropped

Returns:: Output data, NULL on failure

The caller is responsible for freeing the returned output data. If the final handshake message includes application data, this is decrypted and appl_data (if not NULL) is set to point this data. The caller is responsible for freeing appl_data.

This function is used during TLS handshake. The first call is done with in_data == NULL and the library is expected to return ClientHello packet. This packet is then send to the server and a response from server is given to TLS library by calling this function again with in_data pointing to the TLS message from the server.

If the TLS handshake fails, this function may return NULL. However, if the TLS library has a TLS alert to send out, that should be returned as the output data. In this case, tls_connection_get_failed() must return failure (> 0).

tls_connection_established() should return 1 once the TLS handshake has been completed successfully.

struct tls_connection* tls_connection_init ( void * tls_ctx ) [read]

Initialize a new TLS connection.

Parameters:

tls_ctx TLS context data from tls_init()

Returns:: Connection context data, conn for other function calls

int tls_connection_prf	(	void *	tls_ctx,
		struct tls_connection *	conn,
		const char *	label,
		int	server_random_first,
		u8 *	out,
		size_t	out_len
	)

Use TLS-PRF to derive keying material.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
label	Label (e.g., description of the key) for PRF
server_random_first	seed is 0 = client_random\|server_random, 1 = server_random\|client_random
out	Buffer for output data from TLS-PRF
out_len	Length of the output buffer

Returns:: 0 on success, -1 on failure

This function is optional to implement if tls_connection_get_keys() provides access to master secret and server/client random values. If these values are not exported from the TLS library, tls_connection_prf() is required so that further keying material can be derived from the master secret. If not implemented, the function will still need to be defined, but it can just return -1. Example implementation of this function is in tls_prf_sha1_md5() when it is called with seed set to client_random|server_random (or server_random|client_random).

int tls_connection_resumed	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Was session resumption used.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Returns:: 1 if current session used session resumption, 0 if not

struct wpabuf* tls_connection_server_handshake	(	void *	tls_ctx,
		struct tls_connection *	conn,
		const struct wpabuf *	in_data,
		struct wpabuf **	appl_data
	)		`[read]`

Process TLS handshake (server side)

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
in_data	Input data from TLS peer
appl_data	Pointer to application data pointer, or NULL if dropped

Returns:: Output data, NULL on failure

The caller is responsible for freeing the returned output data.

int tls_connection_set_cipher_list	(	void *	tls_ctx,
		struct tls_connection *	conn,
		u8 *	ciphers
	)

Configure acceptable cipher suites.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
ciphers	Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers (TLS_CIPHER_*).

Returns:: 0 on success, -1 on failure

int tls_connection_set_params	(	void *	tls_ctx,
		struct tls_connection *	conn,
		const struct tls_connection_params *	params
	)

Set TLS connection parameters.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
params	Connection parameters

Returns:: 0 on success, -1 on failure, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on possible PIN error causing PKCS#11 engine failure, or TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the PKCS#11 engine private key.

int tls_connection_set_verify	(	void *	tls_ctx,
		struct tls_connection *	conn,
		int	verify_peer
	)

Set certificate verification options.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
verify_peer	1 = verify peer certificate

Returns:: 0 on success, -1 on failure

int tls_connection_shutdown	(	void *	tls_ctx,
		struct tls_connection *	conn
	)

Shutdown TLS connection.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()

Returns:: 0 on success, -1 on failure

Shutdown current TLS connection without releasing all resources. New connection can be started by using the same conn without having to call tls_connection_init() or setting certificates etc. again. The new connection should try to use session resumption.

void tls_deinit ( void * tls_ctx )

Deinitialize TLS library.

Parameters:

tls_ctx TLS context data from tls_init()

Called once during program shutdown and once for each RSN pre-authentication session. If global library deinitialization is needed (i.e., one that is shared between both authentication types), the TLS library wrapper should maintain a reference counter and do global deinitialization only when moving from 1 to 0 references.

int tls_get_cipher	(	void *	tls_ctx,
		struct tls_connection *	conn,
		char *	buf,
		size_t	buflen
	)

Get current cipher name.

Parameters:

tls_ctx	TLS context data from tls_init()
conn	Connection context data from tls_connection_init()
buf	Buffer for the cipher name
buflen	buf size

Returns:: 0 on success, -1 on failure

Get the name of the currently used cipher.

int tls_get_errors ( void * tls_ctx )

Process pending errors.

Parameters:

tls_ctx TLS context data from tls_init()

Returns:: Number of found error, 0 if no errors detected.

Process all pending TLS errors.

int tls_global_set_params	(	void *	tls_ctx,
		const struct tls_connection_params *	params
	)

Set TLS parameters for all TLS connection.

Parameters:

tls_ctx	TLS context data from tls_init()
params	Global TLS parameters

Returns:: 0 on success, -1 on failure, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on possible PIN error causing PKCS#11 engine failure, or TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the PKCS#11 engine private key.

int tls_global_set_verify	(	void *	tls_ctx,
		int	check_crl
	)

Set global certificate verification options.

Parameters:

tls_ctx	TLS context data from tls_init()
check_crl	0 = do not verify CRLs, 1 = verify CRL for the user certificate, 2 = verify CRL for all certificates

Returns:: 0 on success, -1 on failure

void* tls_init ( const struct tls_config * conf )

Initialize TLS library.

Parameters:

conf	Configuration data for TLS library

Returns:: Context data to be used as tls_ctx in calls to other functions, or NULL on failure.

Called once during program startup and once for each RSN pre-authentication session. In other words, there can be two concurrent TLS contexts. If global library initialization is needed (i.e., one that is shared between both authentication types), the TLS library wrapper should maintain a reference counter and do global initialization only when moving from 0 to 1 reference.

tls_nss.c File Reference

Data Structures

Functions

Detailed Description

Function Documentation