tls_openssl.c File Reference

WPA Supplicant / SSL/TLS interface functions for openssl. More...

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
#include <openssl/x509v3.h>
#include "common.h"
#include "tls.h"

Include dependency graph for tls_openssl.c:

Go to the source code of this file.

Data Structures
struct	tls_connection
Defines
#define	OPENSSL_d2i_TYPE   unsigned char **
Functions
void *	tls_init (const struct tls_config *conf)
	Initialize TLS library.
void	tls_deinit (void *ssl_ctx)
	Deinitialize TLS library.
int	tls_get_errors (void *ssl_ctx)
	Process pending errors.
tls_connection *	tls_connection_init (void *ssl_ctx)
	Initialize a new TLS connection.
void	tls_connection_deinit (void *ssl_ctx, struct tls_connection *conn)
	Free TLS connection data.
int	tls_connection_established (void *ssl_ctx, struct tls_connection *conn)
	Has the TLS connection been completed?
int	tls_connection_shutdown (void *ssl_ctx, struct tls_connection *conn)
	Shutdown TLS connection data.
int	tls_global_ca_cert (void *_ssl_ctx, const char *ca_cert)
	Set trusted CA certificate for all TLS connections.
int	tls_global_set_verify (void *ssl_ctx, int check_crl)
	Set global certificate verification options.
int	tls_connection_set_verify (void *ssl_ctx, struct tls_connection *conn, int verify_peer)
	Set certificate verification options.
int	tls_global_client_cert (void *_ssl_ctx, const char *client_cert)
	Set client certificate for all TLS connections.
int	tls_global_private_key (void *_ssl_ctx, const char *private_key, const char *private_key_passwd)
	Set private key for all TLS connections.
int	tls_connection_get_keys (void *ssl_ctx, struct tls_connection *conn, struct tls_keys *keys)
	Get master key and random data from TLS connection.
u8 *	tls_connection_handshake (void *ssl_ctx, struct tls_connection *conn, const u8 *in_data, size_t in_len, size_t *out_len)
	Process TLS handshake (client side).
u8 *	tls_connection_server_handshake (void *ssl_ctx, struct tls_connection *conn, const u8 *in_data, size_t in_len, size_t *out_len)
	Process TLS handshake (server side).
int	tls_connection_encrypt (void *ssl_ctx, struct tls_connection *conn, const u8 *in_data, size_t in_len, u8 *out_data, size_t out_len)
	Encrypt data into TLS tunnel.
int	tls_connection_decrypt (void *ssl_ctx, struct tls_connection *conn, const u8 *in_data, size_t in_len, u8 *out_data, size_t out_len)
	Decrypt data from TLS tunnel.
int	tls_connection_resumed (void *ssl_ctx, struct tls_connection *conn)
	Was session resumption used.
int	tls_connection_set_anon_dh (void *ssl_ctx, struct tls_connection *conn)
	Configure TLS connection to use anonymous DH.
int	tls_get_cipher (void *ssl_ctx, struct tls_connection *conn, char *buf, size_t buflen)
	Get current cipher name.
int	tls_connection_enable_workaround (void *ssl_ctx, struct tls_connection *conn)
	Enable TLS workaround options.
int	tls_connection_get_failed (void *ssl_ctx, struct tls_connection *conn)
	Get connection failure status.
int	tls_connection_get_read_alerts (void *ssl_ctx, struct tls_connection *conn)
	Get connection read alert status.
int	tls_connection_get_write_alerts (void *ssl_ctx, struct tls_connection *conn)
	Get connection write alert status.
int	tls_connection_set_params (void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params)
	Set TLS connection parameters.
int	tls_connection_get_keyblock_size (void *tls_ctx, struct tls_connection *conn)
	Get TLS key_block size.

---

Detailed Description

WPA Supplicant / SSL/TLS interface functions for openssl.

Copyright

Copyright (c) 2004-2006, Jouni Malinen <[email protected]>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation.

Alternatively, this software may be distributed under the terms of BSD license.

See README and COPYING for more details.

Definition in file tls_openssl.c.

---

Function Documentation

int tls_connection_decrypt (  void *  tls_ctx, struct tls_connection *  conn, const u8 *  in_data, size_t  in_len, u8 *  out_data, size_t  out_len )

Decrypt data from TLS tunnel. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() in_data  Pointer to input buffer (encrypted TLS data) in_len  Input buffer length out_data  Pointer to output buffer (decrypted data from TLS tunnel) out_len  Maximum out_data length Returns: Number of bytes written to out_data, -1 on failure This function is used after TLS handshake has been completed successfully to receive data from the encrypted tunnel. Definition at line 1902 of file tls_openssl.c.

void tls_connection_deinit (  void *  tls_ctx, struct tls_connection *  conn )

Free TLS connection data. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Release all resources allocated for TLS connection. Definition at line 902 of file tls_openssl.c.

int tls_connection_enable_workaround (  void *  tls_ctx, struct tls_connection *  conn )

Enable TLS workaround options. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns: 0 on success, -1 on failure This function is used to enable connection-specific workaround options for buffer SSL/TLS implementations. Definition at line 2019 of file tls_openssl.c.

int tls_connection_encrypt (  void *  tls_ctx, struct tls_connection *  conn, const u8 *  in_data, size_t  in_len, u8 *  out_data, size_t  out_len )

Encrypt data into TLS tunnel. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() in_data  Pointer to plaintext data to be encrypted in_len  Input buffer length out_data  Pointer to output buffer (encrypted TLS data) out_len  Maximum out_data length Returns: Number of bytes written to out_data, -1 on failure This function is used after TLS handshake has been completed successfully to send data in the encrypted tunnel. Definition at line 1868 of file tls_openssl.c.

int tls_connection_established (  void *  tls_ctx, struct tls_connection *  conn )

Has the TLS connection been completed? Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns: 1 if TLS connection has been completed, 0 if not. Definition at line 915 of file tls_openssl.c.

int tls_connection_get_failed (  void *  tls_ctx, struct tls_connection *  conn )

Get connection failure status. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns >0 if connection has failed, 0 if not. Definition at line 2048 of file tls_openssl.c.

int tls_connection_get_keyblock_size (  void *  tls_ctx, struct tls_connection *  conn )

Get TLS key_block size. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns: Size of the key_block for the negotiated cipher suite or -1 on failure Definition at line 2130 of file tls_openssl.c.

int tls_connection_get_keys (  void *  tls_ctx, struct tls_connection *  conn, struct tls_keys *  keys )

Get master key and random data from TLS connection. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() keys  Structure of key/random data (filled on success) Returns: 0 on success, -1 on failure Definition at line 1730 of file tls_openssl.c.

int tls_connection_get_read_alerts (  void *  tls_ctx, struct tls_connection *  conn )

Get connection read alert status. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns: Number of times a fatal read (remote end reported error) has happened during this connection. Definition at line 2056 of file tls_openssl.c.

int tls_connection_get_write_alerts (  void *  tls_ctx, struct tls_connection *  conn )

Get connection write alert status. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns: Number of times a fatal write (locally detected error) has happened during this connection. Definition at line 2064 of file tls_openssl.c.

u8* tls_connection_handshake (  void *  tls_ctx, struct tls_connection *  conn, const u8 *  in_data, size_t  in_len, size_t *  out_len )

Process TLS handshake (client side). Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() in_data  Input data from TLS peer in_len  Input data length out_len  Length of the output buffer. Returns: Pointer to output data, NULL on failure Caller is responsible for freeing returned output data. This function is used during TLS handshake. The first call is done with in_data == NULL and the library is expected to return ClientHello packet. This packet is then send to the server and a response from server is given to TLS library by calling this function again with in_data pointing to the TLS message from the server. If the TLS handshake fails, this function may return NULL. However, if the TLS library has a TLS alert to send out, that should be returned as the output data. In this case, tls_connection_get_failed() must return failure (> 0). tls_connection_established() should return 1 once the TLS handshake has been completed successfully. Definition at line 1753 of file tls_openssl.c. Here is the call graph for this function:

struct tls_connection* tls_connection_init (  void *  tls_ctx  )

Initialize a new TLS connection. Parameters: tls_ctx  TLS context data from tls_init() Returns: Connection context data, conn for other function calls Definition at line 855 of file tls_openssl.c.

int tls_connection_resumed (  void *  tls_ctx, struct tls_connection *  conn )

Was session resumption used. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns: 1 if current session used session resumption, 0 if not Definition at line 1932 of file tls_openssl.c.

u8* tls_connection_server_handshake (  void *  tls_ctx, struct tls_connection *  conn, const u8 *  in_data, size_t  in_len, size_t *  out_len )

Process TLS handshake (server side). Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() in_data  Input data from TLS peer in_len  Input data length out_len  Length of the output buffer. Returns: pointer to output data, NULL on failure Caller is responsible for freeing returned output data. Definition at line 1817 of file tls_openssl.c. Here is the call graph for this function:

int tls_connection_set_anon_dh (  void *  tls_ctx, struct tls_connection *  conn )

Configure TLS connection to use anonymous DH. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns: 0 on success, -1 on failure TODO: consider changing this to more generic routine for configuring allowed ciphers Definition at line 1988 of file tls_openssl.c.

int tls_connection_set_params (  void *  tls_ctx, struct tls_connection *  conn, const struct tls_connection_params *  params )

Set TLS connection parameters. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() params  Connection parameters Returns: 0 on success, -1 on failure, TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on possible PIN error causing PKCS#11 engine failure, or TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the PKCS#11 engine private key. Definition at line 2072 of file tls_openssl.c. Here is the call graph for this function:

int tls_connection_set_verify (  void *  tls_ctx, struct tls_connection *  conn, int  verify_peer )

Set certificate verification options. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() verify_peer  1 = verify peer certificate Returns: 0 on success, -1 on failure Definition at line 1206 of file tls_openssl.c.

int tls_connection_shutdown (  void *  tls_ctx, struct tls_connection *  conn )

Shutdown TLS connection data. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() Returns: 0 on success, -1 on failure Shutdown current TLS connection without releasing all resources. New connection can be started by using the same conn without having to call tls_connection_init() or setting certificates etc. again. The new connection should try to use session resumption. Definition at line 921 of file tls_openssl.c.

void tls_deinit (  void *  tls_ctx  )

Deinitialize TLS library. Parameters: tls_ctx  TLS context data from tls_init() Called once during program shutdown and once for each RSN pre-authentication session. If global library deinitialization is needed (i.e., one that is shared between both authentication types), the TLS library wrapper should maintain a reference counter and do global deinitialization only when moving from 1 to 0 references. Definition at line 742 of file tls_openssl.c.

int tls_get_cipher (  void *  tls_ctx, struct tls_connection *  conn, char *  buf, size_t  buflen )

Get current cipher name. Parameters: tls_ctx  TLS context data from tls_init() conn  Connection context data from tls_connection_init() buf  Buffer for the cipher name buflen  buf size Returns: 0 on success, -1 on failure Get the name of the currently used cipher. Definition at line 2003 of file tls_openssl.c.

int tls_get_errors (  void *  tls_ctx  )

Process pending errors. Parameters: tls_ctx  TLS context data from tls_init() Returns: Number of found error, 0 if no errors detected. Process all pending TLS errors. Definition at line 841 of file tls_openssl.c. Here is the call graph for this function:

int tls_global_ca_cert (  void *  tls_ctx, const char *  ca_cert )

Set trusted CA certificate for all TLS connections. Parameters: tls_ctx  TLS context data from tls_init() ca_cert  File name for CA certificate in PEM or DER format NULL to allow all subjects Returns: 0 on success, -1 on failure Definition at line 1135 of file tls_openssl.c. Here is the call graph for this function:

int tls_global_client_cert (  void *  tls_ctx, const char *  client_cert )

Set client certificate for all TLS connections. Parameters: tls_ctx  TLS context data from tls_init() client_cert  File name for client certificate in PEM or DER format Returns: 0 on success, -1 on failure Definition at line 1277 of file tls_openssl.c. Here is the call graph for this function:

int tls_global_private_key (  void *  tls_ctx, const char *  private_key, const char *  private_key_passwd )

Set private key for all TLS connections. Parameters: tls_ctx  TLS context data from tls_init() private_key  File name for client private key in PEM or DER format private_key_passwd  Passphrase for decrypted private key, NULL if no passphrase is used. Returns: 0 on success, -1 on failure Definition at line 1609 of file tls_openssl.c.

int tls_global_set_verify (  void *  tls_ctx, int  check_crl )

Set global certificate verification options. Parameters: tls_ctx  TLS context data from tls_init() check_crl  0 = do not verify CRLs, 1 = verify CRL for the user certificate, 2 = verify CRL for all certificates Returns: 0 on success, -1 on failure Definition at line 1160 of file tls_openssl.c.

void* tls_init (  const struct tls_config *  conf  )

Initialize TLS library. Parameters: conf  Configuration data for TLS library Returns: Context data to be used as tls_ctx in calls to other functions, or NULL on failure. Called once during program startup and once for each RSN pre-authentication session. In other words, there can be two concurrent TLS contexts. If global library initialization is needed (i.e., one that is shared between both authentication types), the TLS library wrapper should maintain a reference counter and do global initialization only when moving from 0 to 1 reference. Definition at line 698 of file tls_openssl.c. Here is the call graph for this function:

---