tls.h File Reference

WPA Supplicant / SSL/TLS interface definition. More...

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Defines

#define TLS_CAPABILITY_IA   0x0001

Enumerations

enum  { TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2 }
enum  {
  TLS_CIPHER_NONE, TLS_CIPHER_RC4_SHA, TLS_CIPHER_AES128_SHA, TLS_CIPHER_RSA_DHE_AES128_SHA,
  TLS_CIPHER_ANON_DH_AES128_SHA
}

Functions

void * tls_init (const struct tls_config *conf)
 Initialize TLS library.
void tls_deinit (void *tls_ctx)
 Deinitialize TLS library.
int tls_get_errors (void *tls_ctx)
 Process pending errors.
tls_connection * tls_connection_init (void *tls_ctx)
 Initialize a new TLS connection.
void tls_connection_deinit (void *tls_ctx, struct tls_connection *conn)
 Free TLS connection data.
int tls_connection_established (void *tls_ctx, struct tls_connection *conn)
 Has the TLS connection been completed?
int tls_connection_shutdown (void *tls_ctx, struct tls_connection *conn)
 Shutdown TLS connection.
int tls_connection_set_params (void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params)
 Set TLS connection parameters.
int tls_global_set_params (void *tls_ctx, const struct tls_connection_params *params)
 Set TLS parameters for all TLS connection.
int tls_global_set_verify (void *tls_ctx, int check_crl)
 Set global certificate verification options.
int tls_connection_set_verify (void *tls_ctx, struct tls_connection *conn, int verify_peer)
 Set certificate verification options.
int tls_connection_set_ia (void *tls_ctx, struct tls_connection *conn, int tls_ia)
 Set TLS/IA parameters.
int tls_connection_get_keys (void *tls_ctx, struct tls_connection *conn, struct tls_keys *keys)
 Get master key and random data from TLS connection.
int tls_connection_prf (void *tls_ctx, struct tls_connection *conn, const char *label, int server_random_first, u8 *out, size_t out_len)
 Use TLS-PRF to derive keying material.
u8 * tls_connection_handshake (void *tls_ctx, struct tls_connection *conn, const u8 *in_data, size_t in_len, size_t *out_len, u8 **appl_data, size_t *appl_data_len)
 Process TLS handshake (client side).
u8 * tls_connection_server_handshake (void *tls_ctx, struct tls_connection *conn, const u8 *in_data, size_t in_len, size_t *out_len)
 Process TLS handshake (server side).
int tls_connection_encrypt (void *tls_ctx, struct tls_connection *conn, const u8 *in_data, size_t in_len, u8 *out_data, size_t out_len)
 Encrypt data into TLS tunnel.
int tls_connection_decrypt (void *tls_ctx, struct tls_connection *conn, const u8 *in_data, size_t in_len, u8 *out_data, size_t out_len)
 Decrypt data from TLS tunnel.
int tls_connection_resumed (void *tls_ctx, struct tls_connection *conn)
 Was session resumption used.
int tls_connection_set_master_key (void *tls_ctx, struct tls_connection *conn, const u8 *key, size_t key_len)
 Configure master secret for TLS connection.
int tls_connection_set_cipher_list (void *tls_ctx, struct tls_connection *conn, u8 *ciphers)
 Configure acceptable cipher suites.
int tls_get_cipher (void *tls_ctx, struct tls_connection *conn, char *buf, size_t buflen)
 Get current cipher name.
int tls_connection_enable_workaround (void *tls_ctx, struct tls_connection *conn)
 Enable TLS workaround options.
int tls_connection_client_hello_ext (void *tls_ctx, struct tls_connection *conn, int ext_type, const u8 *data, size_t data_len)
 Set TLS extension for ClientHello.
int tls_connection_get_failed (void *tls_ctx, struct tls_connection *conn)
 Get connection failure status.
int tls_connection_get_read_alerts (void *tls_ctx, struct tls_connection *conn)
 Get connection read alert status.
int tls_connection_get_write_alerts (void *tls_ctx, struct tls_connection *conn)
 Get connection write alert status.
int tls_connection_get_keyblock_size (void *tls_ctx, struct tls_connection *conn)
 Get TLS key_block size.
unsigned int tls_capabilities (void *tls_ctx)
 Get supported TLS capabilities.
int tls_connection_ia_send_phase_finished (void *tls_ctx, struct tls_connection *conn, int final, u8 *out_data, size_t out_len)
 Send a TLS/IA PhaseFinished message.
int tls_connection_ia_final_phase_finished (void *tls_ctx, struct tls_connection *conn)
 Has final phase been completed.
int tls_connection_ia_permute_inner_secret (void *tls_ctx, struct tls_connection *conn, const u8 *key, size_t key_len)
 Permute TLS/IA inner secret.


Detailed Description

WPA Supplicant / SSL/TLS interface definition.

Copyright
Copyright (c) 2004-2006, Jouni Malinen <[email protected]>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation.

Alternatively, this software may be distributed under the terms of BSD license.

See README and COPYING for more details.

Definition in file tls.h.


Function Documentation

unsigned int tls_capabilities void *  tls_ctx  ) 
 

Get supported TLS capabilities.

Parameters:
tls_ctx TLS context data from tls_init()
Returns:
Bit field of supported TLS capabilities (TLS_CAPABILITY_*)

Definition at line 1231 of file tls_gnutls.c.

int tls_connection_client_hello_ext void *  tls_ctx,
struct tls_connection *  conn,
int  ext_type,
const u8 *  data,
size_t  data_len
 

Set TLS extension for ClientHello.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
ext_type Extension type
data Extension payload (NULL to remove extension)
data_len Extension payload length
Returns:
0 on success, -1 on failure

Definition at line 1190 of file tls_gnutls.c.

int tls_connection_decrypt void *  tls_ctx,
struct tls_connection *  conn,
const u8 *  in_data,
size_t  in_len,
u8 *  out_data,
size_t  out_len
 

Decrypt data from TLS tunnel.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
in_data Pointer to input buffer (encrypted TLS data)
in_len Input buffer length
out_data Pointer to output buffer (decrypted data from TLS tunnel)
out_len Maximum out_data length
Returns:
Number of bytes written to out_data, -1 on failure
This function is used after TLS handshake has been completed successfully to receive data from the encrypted tunnel.

Definition at line 1067 of file tls_gnutls.c.

void tls_connection_deinit void *  tls_ctx,
struct tls_connection *  conn
 

Free TLS connection data.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Release all resources allocated for TLS connection.

Definition at line 361 of file tls_gnutls.c.

int tls_connection_enable_workaround void *  tls_ctx,
struct tls_connection *  conn
 

Enable TLS workaround options.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns:
0 on success, -1 on failure
This function is used to enable connection-specific workaround options for buffer SSL/TLS implementations.

Definition at line 1182 of file tls_gnutls.c.

int tls_connection_encrypt void *  tls_ctx,
struct tls_connection *  conn,
const u8 *  in_data,
size_t  in_len,
u8 *  out_data,
size_t  out_len
 

Encrypt data into TLS tunnel.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
in_data Pointer to plaintext data to be encrypted
in_len Input buffer length
out_data Pointer to output buffer (encrypted TLS data)
out_len Maximum out_data length
Returns:
Number of bytes written to out_data, -1 on failure
This function is used after TLS handshake has been completed successfully to send data in the encrypted tunnel.

Definition at line 1038 of file tls_gnutls.c.

int tls_connection_established void *  tls_ctx,
struct tls_connection *  conn
 

Has the TLS connection been completed?

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns:
1 if TLS connection has been completed, 0 if not.

Definition at line 388 of file tls_gnutls.c.

int tls_connection_get_failed void *  tls_ctx,
struct tls_connection *  conn
 

Get connection failure status.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns >0 if connection has failed, 0 if not.

Definition at line 1199 of file tls_gnutls.c.

int tls_connection_get_keyblock_size void *  tls_ctx,
struct tls_connection *  conn
 

Get TLS key_block size.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns:
Size of the key_block for the negotiated cipher suite or -1 on failure

Definition at line 1223 of file tls_gnutls.c.

int tls_connection_get_keys void *  tls_ctx,
struct tls_connection *  conn,
struct tls_keys *  keys
 

Get master key and random data from TLS connection.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
keys Structure of key/random data (filled on success)
Returns:
0 on success, -1 on failure

Definition at line 790 of file tls_gnutls.c.

int tls_connection_get_read_alerts void *  tls_ctx,
struct tls_connection *  conn
 

Get connection read alert status.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns:
Number of times a fatal read (remote end reported error) has happened during this connection.

Definition at line 1207 of file tls_gnutls.c.

int tls_connection_get_write_alerts void *  tls_ctx,
struct tls_connection *  conn
 

Get connection write alert status.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns:
Number of times a fatal write (locally detected error) has happened during this connection.

Definition at line 1215 of file tls_gnutls.c.

u8* tls_connection_handshake void *  tls_ctx,
struct tls_connection *  conn,
const u8 *  in_data,
size_t  in_len,
size_t *  out_len,
u8 **  appl_data,
size_t *  appl_data_len
 

Process TLS handshake (client side).

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
in_data Input data from TLS peer
in_len Input data length
out_len Length of the output buffer.
appl_data Pointer to application data pointer, or NULL if dropped
appl_data_len Pointer to variable that is set to appl_data length
Returns:
Pointer to output data, NULL on failure
Caller is responsible for freeing returned output data. If the final handshake message includes application data, this is decrypted and appl_data (if not NULL) is set to point this data. Caller is responsible for freeing appl_data.

This function is used during TLS handshake. The first call is done with in_data == NULL and the library is expected to return ClientHello packet. This packet is then send to the server and a response from server is given to TLS library by calling this function again with in_data pointing to the TLS message from the server.

If the TLS handshake fails, this function may return NULL. However, if the TLS library has a TLS alert to send out, that should be returned as the output data. In this case, tls_connection_get_failed() must return failure (> 0).

tls_connection_established() should return 1 once the TLS handshake has been completed successfully.

Definition at line 930 of file tls_gnutls.c.

Here is the call graph for this function:

int tls_connection_ia_final_phase_finished void *  tls_ctx,
struct tls_connection *  conn
 

Has final phase been completed.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns:
1 if valid FinalPhaseFinished has been received, 0 if not, or -1 on failure

Definition at line 1328 of file tls_gnutls.c.

int tls_connection_ia_permute_inner_secret void *  tls_ctx,
struct tls_connection *  conn,
const u8 *  key,
size_t  key_len
 

Permute TLS/IA inner secret.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
key Session key material (session_key vectors with 2-octet length), or NULL if no session key was generating in the current phase
key_len Length of session key material
Returns:
0 on success, -1 on failure

Definition at line 1338 of file tls_gnutls.c.

int tls_connection_ia_send_phase_finished void *  tls_ctx,
struct tls_connection *  conn,
int  final,
u8 *  out_data,
size_t  out_len
 

Send a TLS/IA PhaseFinished message.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
final 1 = FinalPhaseFinished, 0 = IntermediatePhaseFinished
out_data Pointer to output buffer (encrypted TLS/IA data)
out_len Maximum out_data length
Returns:
Number of bytes written to out_data on success, -1 on failure
This function is used to send the TLS/IA end phase message, e.g., when the EAP server completes EAP-TTLSv1.

Definition at line 1280 of file tls_gnutls.c.

struct tls_connection* tls_connection_init void *  tls_ctx  ) 
 

Initialize a new TLS connection.

Parameters:
tls_ctx TLS context data from tls_init()
Returns:
Connection context data, conn for other function calls

Definition at line 325 of file tls_gnutls.c.

Here is the call graph for this function:

int tls_connection_prf void *  tls_ctx,
struct tls_connection *  conn,
const char *  label,
int  server_random_first,
u8 *  out,
size_t  out_len
 

Use TLS-PRF to derive keying material.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
label Label (e.g., description of the key) for PRF
server_random_first seed is 0 = client_random|server_random, 1 = server_random|client_random
out Buffer for output data from TLS-PRF
out_len Length of the output buffer
Returns:
0 on success, -1 on failure
This function is optional to implement if tls_connection_get_keys() provides access to master secret and server/client random values. If these values are not exported from the TLS library, tls_connection_prf() is required so that further keying material can be derived from the master secret. If not implemented, the function will still need to be defined, but it can just return -1. Example implementation of this function is in tls_prf() function when it is called with seed set to client_random|server_random (or server_random|client_random).

Definition at line 827 of file tls_gnutls.c.

int tls_connection_resumed void *  tls_ctx,
struct tls_connection *  conn
 

Was session resumption used.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns:
1 if current session used session resumption, 0 if not

Definition at line 1149 of file tls_gnutls.c.

u8* tls_connection_server_handshake void *  tls_ctx,
struct tls_connection *  conn,
const u8 *  in_data,
size_t  in_len,
size_t *  out_len
 

Process TLS handshake (server side).

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
in_data Input data from TLS peer
in_len Input data length
out_len Length of the output buffer.
Returns:
pointer to output data, NULL on failure
Caller is responsible for freeing returned output data.

Definition at line 1028 of file tls_gnutls.c.

Here is the call graph for this function:

int tls_connection_set_cipher_list void *  tls_ctx,
struct tls_connection *  conn,
u8 *  ciphers
 

Configure acceptable cipher suites.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
ciphers Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers (TLS_CIPHER_*).
Returns:
0 on success, -1 on failure

Definition at line 1165 of file tls_gnutls.c.

Here is the call graph for this function:

int tls_connection_set_ia void *  tls_ctx,
struct tls_connection *  conn,
int  tls_ia
 

Set TLS/IA parameters.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
tls_ia 1 = enable TLS/IA
Returns:
0 on success, -1 on failure
This function is used to configure TLS/IA in server mode where tls_connection_set_params() is not used.

Definition at line 1243 of file tls_gnutls.c.

int tls_connection_set_master_key void *  tls_ctx,
struct tls_connection *  conn,
const u8 *  key,
size_t  key_len
 

Configure master secret for TLS connection.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
key TLS pre-master-secret
key_len length of key in bytes
Returns:
0 on success, -1 on failure

Definition at line 1157 of file tls_gnutls.c.

int tls_connection_set_params void *  tls_ctx,
struct tls_connection *  conn,
const struct tls_connection_params params
 

Set TLS connection parameters.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
params Connection parameters
Returns:
0 on success, -1 on failure, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on possible PIN error causing PKCS#11 engine failure, or TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the PKCS#11 engine private key.

Definition at line 548 of file tls_gnutls.c.

Here is the call graph for this function:

int tls_connection_set_verify void *  tls_ctx,
struct tls_connection *  conn,
int  verify_peer
 

Set certificate verification options.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
verify_peer 1 = verify peer certificate
Returns:
0 on success, -1 on failure

Definition at line 775 of file tls_gnutls.c.

int tls_connection_shutdown void *  tls_ctx,
struct tls_connection *  conn
 

Shutdown TLS connection.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
Returns:
0 on success, -1 on failure
Shutdown current TLS connection without releasing all resources. New connection can be started by using the same conn without having to call tls_connection_init() or setting certificates etc. again. The new connection should try to use session resumption.

Definition at line 394 of file tls_gnutls.c.

void tls_deinit void *  tls_ctx  ) 
 

Deinitialize TLS library.

Parameters:
tls_ctx TLS context data from tls_init()
Called once during program shutdown and once for each RSN pre-authentication session. If global library deinitialization is needed (i.e., one that is shared between both authentication types), the TLS library wrapper should maintain a reference counter and do global deinitialization only when moving from 1 to 0 references.

Definition at line 215 of file tls_gnutls.c.

int tls_get_cipher void *  tls_ctx,
struct tls_connection *  conn,
char *  buf,
size_t  buflen
 

Get current cipher name.

Parameters:
tls_ctx TLS context data from tls_init()
conn Connection context data from tls_connection_init()
buf Buffer for the cipher name
buflen buf size
Returns:
0 on success, -1 on failure
Get the name of the currently used cipher.

Definition at line 1173 of file tls_gnutls.c.

int tls_get_errors void *  tls_ctx  ) 
 

Process pending errors.

Parameters:
tls_ctx TLS context data from tls_init()
Returns:
Number of found error, 0 if no errors detected.
Process all pending TLS errors.

Definition at line 231 of file tls_gnutls.c.

Here is the call graph for this function:

int tls_global_set_params void *  tls_ctx,
const struct tls_connection_params params
 

Set TLS parameters for all TLS connection.

Parameters:
tls_ctx TLS context data from tls_init()
params Global TLS parameters
Returns:
0 on success, -1 on failure, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on possible PIN error causing PKCS#11 engine failure, or TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the PKCS#11 engine private key.

Definition at line 674 of file tls_gnutls.c.

Here is the call graph for this function:

int tls_global_set_verify void *  tls_ctx,
int  check_crl
 

Set global certificate verification options.

Parameters:
tls_ctx TLS context data from tls_init()
check_crl 0 = do not verify CRLs, 1 = verify CRL for the user certificate, 2 = verify CRL for all certificates
Returns:
0 on success, -1 on failure

Definition at line 768 of file tls_gnutls.c.

void* tls_init const struct tls_config *  conf  ) 
 

Initialize TLS library.

Parameters:
conf Configuration data for TLS library
Returns:
Context data to be used as tls_ctx in calls to other functions, or NULL on failure.
Called once during program startup and once for each RSN pre-authentication session. In other words, there can be two concurrent TLS contexts. If global library initialization is needed (i.e., one that is shared between both authentication types), the TLS library wrapper should maintain a reference counter and do global initialization only when moving from 0 to 1 reference.

Definition at line 163 of file tls_gnutls.c.

Here is the call graph for this function:


Generated on Sun Dec 31 13:46:06 2006 for hostapd by  doxygen 1.4.2