/src/hostap/src/crypto/tls_internal.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * TLS interface functions and an internal TLS implementation |
3 | | * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> |
4 | | * |
5 | | * This software may be distributed under the terms of the BSD license. |
6 | | * See README for more details. |
7 | | * |
8 | | * This file interface functions for hostapd/wpa_supplicant to use the |
9 | | * integrated TLSv1 implementation. |
10 | | */ |
11 | | |
12 | | #include "includes.h" |
13 | | |
14 | | #include "common.h" |
15 | | #include "tls.h" |
16 | | #include "tls/tlsv1_client.h" |
17 | | #include "tls/tlsv1_server.h" |
18 | | |
19 | | |
20 | | static int tls_ref_count = 0; |
21 | | |
22 | | struct tls_global { |
23 | | int server; |
24 | | struct tlsv1_credentials *server_cred; |
25 | | int check_crl; |
26 | | |
27 | | void (*event_cb)(void *ctx, enum tls_event ev, |
28 | | union tls_event_data *data); |
29 | | void *cb_ctx; |
30 | | int cert_in_cb; |
31 | | }; |
32 | | |
33 | | struct tls_connection { |
34 | | struct tlsv1_client *client; |
35 | | struct tlsv1_server *server; |
36 | | struct tls_global *global; |
37 | | }; |
38 | | |
39 | | |
40 | | void * tls_init(const struct tls_config *conf) |
41 | 3.93k | { |
42 | 3.93k | struct tls_global *global; |
43 | | |
44 | 3.93k | if (tls_ref_count == 0) { |
45 | 1.96k | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
46 | 1.96k | if (tlsv1_client_global_init()) |
47 | 0 | return NULL; |
48 | 1.96k | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
49 | 1.96k | #ifdef CONFIG_TLS_INTERNAL_SERVER |
50 | 1.96k | if (tlsv1_server_global_init()) |
51 | 0 | return NULL; |
52 | 1.96k | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
53 | 1.96k | } |
54 | 3.93k | tls_ref_count++; |
55 | | |
56 | 3.93k | global = os_zalloc(sizeof(*global)); |
57 | 3.93k | if (global == NULL) |
58 | 0 | return NULL; |
59 | 3.93k | if (conf) { |
60 | 3.93k | global->event_cb = conf->event_cb; |
61 | 3.93k | global->cb_ctx = conf->cb_ctx; |
62 | 3.93k | global->cert_in_cb = conf->cert_in_cb; |
63 | 3.93k | } |
64 | | |
65 | 3.93k | return global; |
66 | 3.93k | } |
67 | | |
68 | | void tls_deinit(void *ssl_ctx) |
69 | 3.93k | { |
70 | 3.93k | struct tls_global *global = ssl_ctx; |
71 | 3.93k | tls_ref_count--; |
72 | 3.93k | if (tls_ref_count == 0) { |
73 | 1.96k | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
74 | 1.96k | tlsv1_client_global_deinit(); |
75 | 1.96k | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
76 | 1.96k | #ifdef CONFIG_TLS_INTERNAL_SERVER |
77 | 1.96k | tlsv1_server_global_deinit(); |
78 | 1.96k | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
79 | 1.96k | } |
80 | 3.93k | #ifdef CONFIG_TLS_INTERNAL_SERVER |
81 | 3.93k | tlsv1_cred_free(global->server_cred); |
82 | 3.93k | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
83 | 3.93k | os_free(global); |
84 | 3.93k | } |
85 | | |
86 | | |
87 | | int tls_get_errors(void *tls_ctx) |
88 | 0 | { |
89 | 0 | return 0; |
90 | 0 | } |
91 | | |
92 | | |
93 | | struct tls_connection * tls_connection_init(void *tls_ctx) |
94 | 0 | { |
95 | 0 | struct tls_connection *conn; |
96 | 0 | struct tls_global *global = tls_ctx; |
97 | |
|
98 | 0 | conn = os_zalloc(sizeof(*conn)); |
99 | 0 | if (conn == NULL) |
100 | 0 | return NULL; |
101 | 0 | conn->global = global; |
102 | |
|
103 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
104 | 0 | if (!global->server) { |
105 | 0 | conn->client = tlsv1_client_init(); |
106 | 0 | if (conn->client == NULL) { |
107 | 0 | os_free(conn); |
108 | 0 | return NULL; |
109 | 0 | } |
110 | 0 | tlsv1_client_set_cb(conn->client, global->event_cb, |
111 | 0 | global->cb_ctx, global->cert_in_cb); |
112 | 0 | } |
113 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
114 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
115 | 0 | if (global->server) { |
116 | 0 | conn->server = tlsv1_server_init(global->server_cred); |
117 | 0 | if (conn->server == NULL) { |
118 | 0 | os_free(conn); |
119 | 0 | return NULL; |
120 | 0 | } |
121 | 0 | } |
122 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
123 | | |
124 | 0 | return conn; |
125 | 0 | } |
126 | | |
127 | | |
128 | | #ifdef CONFIG_TESTING_OPTIONS |
129 | | #ifdef CONFIG_TLS_INTERNAL_SERVER |
130 | | void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags) |
131 | | { |
132 | | if (conn->server) |
133 | | tlsv1_server_set_test_flags(conn->server, flags); |
134 | | } |
135 | | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
136 | | #endif /* CONFIG_TESTING_OPTIONS */ |
137 | | |
138 | | |
139 | | void tls_connection_set_log_cb(struct tls_connection *conn, |
140 | | void (*log_cb)(void *ctx, const char *msg), |
141 | | void *ctx) |
142 | 0 | { |
143 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
144 | 0 | if (conn->server) |
145 | 0 | tlsv1_server_set_log_cb(conn->server, log_cb, ctx); |
146 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
147 | 0 | } |
148 | | |
149 | | |
150 | | void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn) |
151 | 0 | { |
152 | 0 | if (conn == NULL) |
153 | 0 | return; |
154 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
155 | 0 | if (conn->client) |
156 | 0 | tlsv1_client_deinit(conn->client); |
157 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
158 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
159 | 0 | if (conn->server) |
160 | 0 | tlsv1_server_deinit(conn->server); |
161 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
162 | 0 | os_free(conn); |
163 | 0 | } |
164 | | |
165 | | |
166 | | int tls_connection_established(void *tls_ctx, struct tls_connection *conn) |
167 | 0 | { |
168 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
169 | 0 | if (conn->client) |
170 | 0 | return tlsv1_client_established(conn->client); |
171 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
172 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
173 | 0 | if (conn->server) |
174 | 0 | return tlsv1_server_established(conn->server); |
175 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
176 | 0 | return 0; |
177 | 0 | } |
178 | | |
179 | | |
180 | | char * tls_connection_peer_serial_num(void *tls_ctx, |
181 | | struct tls_connection *conn) |
182 | 0 | { |
183 | | /* TODO */ |
184 | 0 | return NULL; |
185 | 0 | } |
186 | | |
187 | | |
188 | | int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn) |
189 | 0 | { |
190 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
191 | 0 | if (conn->client) |
192 | 0 | return tlsv1_client_shutdown(conn->client); |
193 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
194 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
195 | 0 | if (conn->server) |
196 | 0 | return tlsv1_server_shutdown(conn->server); |
197 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
198 | 0 | return -1; |
199 | 0 | } |
200 | | |
201 | | |
202 | | int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, |
203 | | const struct tls_connection_params *params) |
204 | 0 | { |
205 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
206 | 0 | struct tlsv1_credentials *cred; |
207 | |
|
208 | 0 | if (conn->client == NULL) |
209 | 0 | return -1; |
210 | | |
211 | 0 | if (params->flags & TLS_CONN_EXT_CERT_CHECK) { |
212 | 0 | wpa_printf(MSG_INFO, |
213 | 0 | "TLS: tls_ext_cert_check=1 not supported"); |
214 | 0 | return -1; |
215 | 0 | } |
216 | | |
217 | 0 | cred = tlsv1_cred_alloc(); |
218 | 0 | if (cred == NULL) |
219 | 0 | return -1; |
220 | | |
221 | 0 | if (params->subject_match) { |
222 | 0 | wpa_printf(MSG_INFO, "TLS: subject_match not supported"); |
223 | 0 | tlsv1_cred_free(cred); |
224 | 0 | return -1; |
225 | 0 | } |
226 | | |
227 | 0 | if (params->altsubject_match) { |
228 | 0 | wpa_printf(MSG_INFO, "TLS: altsubject_match not supported"); |
229 | 0 | tlsv1_cred_free(cred); |
230 | 0 | return -1; |
231 | 0 | } |
232 | | |
233 | 0 | if (params->suffix_match) { |
234 | 0 | wpa_printf(MSG_INFO, "TLS: suffix_match not supported"); |
235 | 0 | tlsv1_cred_free(cred); |
236 | 0 | return -1; |
237 | 0 | } |
238 | | |
239 | 0 | if (params->domain_match) { |
240 | 0 | wpa_printf(MSG_INFO, "TLS: domain_match not supported"); |
241 | 0 | tlsv1_cred_free(cred); |
242 | 0 | return -1; |
243 | 0 | } |
244 | | |
245 | 0 | if (params->openssl_ciphers) { |
246 | 0 | wpa_printf(MSG_INFO, "TLS: openssl_ciphers not supported"); |
247 | 0 | tlsv1_cred_free(cred); |
248 | 0 | return -1; |
249 | 0 | } |
250 | | |
251 | 0 | if (params->openssl_ecdh_curves) { |
252 | 0 | wpa_printf(MSG_INFO, "TLS: openssl_ecdh_curves not supported"); |
253 | 0 | tlsv1_cred_free(cred); |
254 | 0 | return -1; |
255 | 0 | } |
256 | | |
257 | 0 | if (tlsv1_set_ca_cert(cred, params->ca_cert, |
258 | 0 | params->ca_cert_blob, params->ca_cert_blob_len, |
259 | 0 | params->ca_path)) { |
260 | 0 | wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA " |
261 | 0 | "certificates"); |
262 | 0 | tlsv1_cred_free(cred); |
263 | 0 | return -1; |
264 | 0 | } |
265 | | |
266 | 0 | if (tlsv1_set_cert(cred, params->client_cert, |
267 | 0 | params->client_cert_blob, |
268 | 0 | params->client_cert_blob_len)) { |
269 | 0 | wpa_printf(MSG_INFO, "TLS: Failed to configure client " |
270 | 0 | "certificate"); |
271 | 0 | tlsv1_cred_free(cred); |
272 | 0 | return -1; |
273 | 0 | } |
274 | | |
275 | 0 | if (tlsv1_set_private_key(cred, params->private_key, |
276 | 0 | params->private_key_passwd, |
277 | 0 | params->private_key_blob, |
278 | 0 | params->private_key_blob_len)) { |
279 | 0 | wpa_printf(MSG_INFO, "TLS: Failed to load private key"); |
280 | 0 | tlsv1_cred_free(cred); |
281 | 0 | return -1; |
282 | 0 | } |
283 | | |
284 | 0 | if (tlsv1_client_set_cred(conn->client, cred) < 0) { |
285 | 0 | tlsv1_cred_free(cred); |
286 | 0 | return -1; |
287 | 0 | } |
288 | | |
289 | 0 | tlsv1_client_set_flags(conn->client, params->flags); |
290 | |
|
291 | 0 | return 0; |
292 | | #else /* CONFIG_TLS_INTERNAL_CLIENT */ |
293 | | return -1; |
294 | | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
295 | 0 | } |
296 | | |
297 | | |
298 | | int tls_global_set_params(void *tls_ctx, |
299 | | const struct tls_connection_params *params) |
300 | 0 | { |
301 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
302 | 0 | struct tls_global *global = tls_ctx; |
303 | 0 | struct tlsv1_credentials *cred; |
304 | |
|
305 | 0 | if (params->check_cert_subject) |
306 | 0 | return -1; /* not yet supported */ |
307 | | |
308 | | /* Currently, global parameters are only set when running in server |
309 | | * mode. */ |
310 | 0 | global->server = 1; |
311 | 0 | tlsv1_cred_free(global->server_cred); |
312 | 0 | global->server_cred = cred = tlsv1_cred_alloc(); |
313 | 0 | if (cred == NULL) |
314 | 0 | return -1; |
315 | | |
316 | 0 | if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob, |
317 | 0 | params->ca_cert_blob_len, params->ca_path)) { |
318 | 0 | wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA " |
319 | 0 | "certificates"); |
320 | 0 | return -1; |
321 | 0 | } |
322 | | |
323 | 0 | if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob, |
324 | 0 | params->client_cert_blob_len)) { |
325 | 0 | wpa_printf(MSG_INFO, "TLS: Failed to configure server " |
326 | 0 | "certificate"); |
327 | 0 | return -1; |
328 | 0 | } |
329 | | |
330 | 0 | if (tlsv1_set_private_key(cred, params->private_key, |
331 | 0 | params->private_key_passwd, |
332 | 0 | params->private_key_blob, |
333 | 0 | params->private_key_blob_len)) { |
334 | 0 | wpa_printf(MSG_INFO, "TLS: Failed to load private key"); |
335 | 0 | return -1; |
336 | 0 | } |
337 | | |
338 | 0 | if (tlsv1_set_dhparams(cred, params->dh_file, NULL, 0)) { |
339 | 0 | wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters"); |
340 | 0 | return -1; |
341 | 0 | } |
342 | | |
343 | 0 | if (params->ocsp_stapling_response) |
344 | 0 | cred->ocsp_stapling_response = |
345 | 0 | os_strdup(params->ocsp_stapling_response); |
346 | 0 | if (params->ocsp_stapling_response_multi) |
347 | 0 | cred->ocsp_stapling_response_multi = |
348 | 0 | os_strdup(params->ocsp_stapling_response_multi); |
349 | |
|
350 | 0 | return 0; |
351 | | #else /* CONFIG_TLS_INTERNAL_SERVER */ |
352 | | return -1; |
353 | | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
354 | 0 | } |
355 | | |
356 | | |
357 | | int tls_global_set_verify(void *tls_ctx, int check_crl, int strict) |
358 | 0 | { |
359 | 0 | struct tls_global *global = tls_ctx; |
360 | 0 | global->check_crl = check_crl; |
361 | 0 | return 0; |
362 | 0 | } |
363 | | |
364 | | |
365 | | int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn, |
366 | | int verify_peer, unsigned int flags, |
367 | | const u8 *session_ctx, size_t session_ctx_len) |
368 | 0 | { |
369 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
370 | 0 | if (conn->server) |
371 | 0 | return tlsv1_server_set_verify(conn->server, verify_peer); |
372 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
373 | 0 | return -1; |
374 | 0 | } |
375 | | |
376 | | |
377 | | int tls_connection_get_random(void *tls_ctx, struct tls_connection *conn, |
378 | | struct tls_random *data) |
379 | 0 | { |
380 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
381 | 0 | if (conn->client) |
382 | 0 | return tlsv1_client_get_random(conn->client, data); |
383 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
384 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
385 | 0 | if (conn->server) |
386 | 0 | return tlsv1_server_get_random(conn->server, data); |
387 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
388 | 0 | return -1; |
389 | 0 | } |
390 | | |
391 | | |
392 | | static int tls_get_keyblock_size(struct tls_connection *conn) |
393 | 0 | { |
394 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
395 | 0 | if (conn->client) |
396 | 0 | return tlsv1_client_get_keyblock_size(conn->client); |
397 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
398 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
399 | 0 | if (conn->server) |
400 | 0 | return tlsv1_server_get_keyblock_size(conn->server); |
401 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
402 | 0 | return -1; |
403 | 0 | } |
404 | | |
405 | | |
406 | | static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn, |
407 | | const char *label, const u8 *context, |
408 | | size_t context_len, int server_random_first, |
409 | | int skip_keyblock, u8 *out, size_t out_len) |
410 | 0 | { |
411 | 0 | int ret = -1, skip = 0; |
412 | 0 | u8 *tmp_out = NULL; |
413 | 0 | u8 *_out = out; |
414 | |
|
415 | 0 | if (skip_keyblock) { |
416 | 0 | skip = tls_get_keyblock_size(conn); |
417 | 0 | if (skip < 0) |
418 | 0 | return -1; |
419 | 0 | tmp_out = os_malloc(skip + out_len); |
420 | 0 | if (!tmp_out) |
421 | 0 | return -1; |
422 | 0 | _out = tmp_out; |
423 | 0 | } |
424 | | |
425 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
426 | 0 | if (conn->client) { |
427 | 0 | ret = tlsv1_client_prf(conn->client, label, context, |
428 | 0 | context_len, server_random_first, |
429 | 0 | _out, skip + out_len); |
430 | 0 | } |
431 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
432 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
433 | 0 | if (conn->server) { |
434 | 0 | ret = tlsv1_server_prf(conn->server, label, context, |
435 | 0 | context_len, server_random_first, |
436 | 0 | _out, skip + out_len); |
437 | 0 | } |
438 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
439 | 0 | if (ret == 0 && skip_keyblock) |
440 | 0 | os_memcpy(out, _out + skip, out_len); |
441 | 0 | bin_clear_free(tmp_out, skip); |
442 | |
|
443 | 0 | return ret; |
444 | 0 | } |
445 | | |
446 | | |
447 | | int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, |
448 | | const char *label, const u8 *context, |
449 | | size_t context_len, u8 *out, size_t out_len) |
450 | 0 | { |
451 | 0 | return tls_connection_prf(tls_ctx, conn, label, context, context_len, |
452 | 0 | 0, 0, out, out_len); |
453 | 0 | } |
454 | | |
455 | | |
456 | | int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn, |
457 | | u8 *out, size_t out_len) |
458 | 0 | { |
459 | 0 | return tls_connection_prf(tls_ctx, conn, "key expansion", NULL, 0, |
460 | 0 | 1, 1, out, out_len); |
461 | 0 | } |
462 | | |
463 | | |
464 | | struct wpabuf * tls_connection_handshake(void *tls_ctx, |
465 | | struct tls_connection *conn, |
466 | | const struct wpabuf *in_data, |
467 | | struct wpabuf **appl_data) |
468 | 0 | { |
469 | 0 | return tls_connection_handshake2(tls_ctx, conn, in_data, appl_data, |
470 | 0 | NULL); |
471 | 0 | } |
472 | | |
473 | | |
474 | | struct wpabuf * tls_connection_handshake2(void *tls_ctx, |
475 | | struct tls_connection *conn, |
476 | | const struct wpabuf *in_data, |
477 | | struct wpabuf **appl_data, |
478 | | int *need_more_data) |
479 | 0 | { |
480 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
481 | 0 | u8 *res, *ad; |
482 | 0 | size_t res_len, ad_len; |
483 | 0 | struct wpabuf *out; |
484 | |
|
485 | 0 | if (conn->client == NULL) |
486 | 0 | return NULL; |
487 | | |
488 | 0 | ad = NULL; |
489 | 0 | res = tlsv1_client_handshake(conn->client, |
490 | 0 | in_data ? wpabuf_head(in_data) : NULL, |
491 | 0 | in_data ? wpabuf_len(in_data) : 0, |
492 | 0 | &res_len, &ad, &ad_len, need_more_data); |
493 | 0 | if (res == NULL) |
494 | 0 | return NULL; |
495 | 0 | out = wpabuf_alloc_ext_data(res, res_len); |
496 | 0 | if (out == NULL) { |
497 | 0 | os_free(res); |
498 | 0 | os_free(ad); |
499 | 0 | return NULL; |
500 | 0 | } |
501 | 0 | if (appl_data) { |
502 | 0 | if (ad) { |
503 | 0 | *appl_data = wpabuf_alloc_ext_data(ad, ad_len); |
504 | 0 | if (*appl_data == NULL) |
505 | 0 | os_free(ad); |
506 | 0 | } else |
507 | 0 | *appl_data = NULL; |
508 | 0 | } else |
509 | 0 | os_free(ad); |
510 | |
|
511 | 0 | return out; |
512 | | #else /* CONFIG_TLS_INTERNAL_CLIENT */ |
513 | | return NULL; |
514 | | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
515 | 0 | } |
516 | | |
517 | | |
518 | | struct wpabuf * tls_connection_server_handshake(void *tls_ctx, |
519 | | struct tls_connection *conn, |
520 | | const struct wpabuf *in_data, |
521 | | struct wpabuf **appl_data) |
522 | 0 | { |
523 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
524 | 0 | u8 *res; |
525 | 0 | size_t res_len; |
526 | 0 | struct wpabuf *out; |
527 | |
|
528 | 0 | if (conn->server == NULL) |
529 | 0 | return NULL; |
530 | | |
531 | 0 | if (appl_data) |
532 | 0 | *appl_data = NULL; |
533 | |
|
534 | 0 | res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data), |
535 | 0 | wpabuf_len(in_data), &res_len); |
536 | 0 | if (res == NULL && tlsv1_server_established(conn->server)) |
537 | 0 | return wpabuf_alloc(0); |
538 | 0 | if (res == NULL) |
539 | 0 | return NULL; |
540 | 0 | out = wpabuf_alloc_ext_data(res, res_len); |
541 | 0 | if (out == NULL) { |
542 | 0 | os_free(res); |
543 | 0 | return NULL; |
544 | 0 | } |
545 | | |
546 | 0 | return out; |
547 | | #else /* CONFIG_TLS_INTERNAL_SERVER */ |
548 | | return NULL; |
549 | | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
550 | 0 | } |
551 | | |
552 | | |
553 | | struct wpabuf * tls_connection_encrypt(void *tls_ctx, |
554 | | struct tls_connection *conn, |
555 | | const struct wpabuf *in_data) |
556 | 0 | { |
557 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
558 | 0 | if (conn->client) { |
559 | 0 | struct wpabuf *buf; |
560 | 0 | int res; |
561 | 0 | buf = wpabuf_alloc(wpabuf_len(in_data) + 300); |
562 | 0 | if (buf == NULL) |
563 | 0 | return NULL; |
564 | 0 | res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data), |
565 | 0 | wpabuf_len(in_data), |
566 | 0 | wpabuf_mhead(buf), |
567 | 0 | wpabuf_size(buf)); |
568 | 0 | if (res < 0) { |
569 | 0 | wpabuf_free(buf); |
570 | 0 | return NULL; |
571 | 0 | } |
572 | 0 | wpabuf_put(buf, res); |
573 | 0 | return buf; |
574 | 0 | } |
575 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
576 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
577 | 0 | if (conn->server) { |
578 | 0 | struct wpabuf *buf; |
579 | 0 | int res; |
580 | 0 | buf = wpabuf_alloc(wpabuf_len(in_data) + 300); |
581 | 0 | if (buf == NULL) |
582 | 0 | return NULL; |
583 | 0 | res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data), |
584 | 0 | wpabuf_len(in_data), |
585 | 0 | wpabuf_mhead(buf), |
586 | 0 | wpabuf_size(buf)); |
587 | 0 | if (res < 0) { |
588 | 0 | wpabuf_free(buf); |
589 | 0 | return NULL; |
590 | 0 | } |
591 | 0 | wpabuf_put(buf, res); |
592 | 0 | return buf; |
593 | 0 | } |
594 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
595 | 0 | return NULL; |
596 | 0 | } |
597 | | |
598 | | |
599 | | struct wpabuf * tls_connection_decrypt(void *tls_ctx, |
600 | | struct tls_connection *conn, |
601 | | const struct wpabuf *in_data) |
602 | 0 | { |
603 | 0 | return tls_connection_decrypt2(tls_ctx, conn, in_data, NULL); |
604 | 0 | } |
605 | | |
606 | | |
607 | | struct wpabuf * tls_connection_decrypt2(void *tls_ctx, |
608 | | struct tls_connection *conn, |
609 | | const struct wpabuf *in_data, |
610 | | int *need_more_data) |
611 | 0 | { |
612 | 0 | if (need_more_data) |
613 | 0 | *need_more_data = 0; |
614 | |
|
615 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
616 | 0 | if (conn->client) { |
617 | 0 | return tlsv1_client_decrypt(conn->client, wpabuf_head(in_data), |
618 | 0 | wpabuf_len(in_data), |
619 | 0 | need_more_data); |
620 | 0 | } |
621 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
622 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
623 | 0 | if (conn->server) { |
624 | 0 | struct wpabuf *buf; |
625 | 0 | int res; |
626 | 0 | buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3); |
627 | 0 | if (buf == NULL) |
628 | 0 | return NULL; |
629 | 0 | res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data), |
630 | 0 | wpabuf_len(in_data), |
631 | 0 | wpabuf_mhead(buf), |
632 | 0 | wpabuf_size(buf)); |
633 | 0 | if (res < 0) { |
634 | 0 | wpabuf_free(buf); |
635 | 0 | return NULL; |
636 | 0 | } |
637 | 0 | wpabuf_put(buf, res); |
638 | 0 | return buf; |
639 | 0 | } |
640 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
641 | 0 | return NULL; |
642 | 0 | } |
643 | | |
644 | | |
645 | | int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn) |
646 | 0 | { |
647 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
648 | 0 | if (conn->client) |
649 | 0 | return tlsv1_client_resumed(conn->client); |
650 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
651 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
652 | 0 | if (conn->server) |
653 | 0 | return tlsv1_server_resumed(conn->server); |
654 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
655 | 0 | return -1; |
656 | 0 | } |
657 | | |
658 | | |
659 | | int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, |
660 | | u8 *ciphers) |
661 | 0 | { |
662 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
663 | 0 | if (conn->client) |
664 | 0 | return tlsv1_client_set_cipher_list(conn->client, ciphers); |
665 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
666 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
667 | 0 | if (conn->server) |
668 | 0 | return tlsv1_server_set_cipher_list(conn->server, ciphers); |
669 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
670 | 0 | return -1; |
671 | 0 | } |
672 | | |
673 | | |
674 | | int tls_get_version(void *ssl_ctx, struct tls_connection *conn, |
675 | | char *buf, size_t buflen) |
676 | 0 | { |
677 | 0 | if (conn == NULL) |
678 | 0 | return -1; |
679 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
680 | 0 | if (conn->client) |
681 | 0 | return tlsv1_client_get_version(conn->client, buf, buflen); |
682 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
683 | 0 | return -1; |
684 | 0 | } |
685 | | |
686 | | |
687 | | int tls_get_cipher(void *tls_ctx, struct tls_connection *conn, |
688 | | char *buf, size_t buflen) |
689 | 0 | { |
690 | 0 | if (conn == NULL) |
691 | 0 | return -1; |
692 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
693 | 0 | if (conn->client) |
694 | 0 | return tlsv1_client_get_cipher(conn->client, buf, buflen); |
695 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
696 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
697 | 0 | if (conn->server) |
698 | 0 | return tlsv1_server_get_cipher(conn->server, buf, buflen); |
699 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
700 | 0 | return -1; |
701 | 0 | } |
702 | | |
703 | | |
704 | | int tls_connection_enable_workaround(void *tls_ctx, |
705 | | struct tls_connection *conn) |
706 | 0 | { |
707 | 0 | return -1; |
708 | 0 | } |
709 | | |
710 | | |
711 | | int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn, |
712 | | int ext_type, const u8 *data, |
713 | | size_t data_len) |
714 | 0 | { |
715 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
716 | 0 | if (conn->client) { |
717 | 0 | return tlsv1_client_hello_ext(conn->client, ext_type, |
718 | 0 | data, data_len); |
719 | 0 | } |
720 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
721 | 0 | return -1; |
722 | 0 | } |
723 | | |
724 | | |
725 | | int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn) |
726 | 0 | { |
727 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
728 | 0 | if (conn->server) |
729 | 0 | return tlsv1_server_get_failed(conn->server); |
730 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
731 | 0 | return 0; |
732 | 0 | } |
733 | | |
734 | | |
735 | | int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn) |
736 | 0 | { |
737 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
738 | 0 | if (conn->server) |
739 | 0 | return tlsv1_server_get_read_alerts(conn->server); |
740 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
741 | 0 | return 0; |
742 | 0 | } |
743 | | |
744 | | |
745 | | int tls_connection_get_write_alerts(void *tls_ctx, |
746 | | struct tls_connection *conn) |
747 | 0 | { |
748 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
749 | 0 | if (conn->server) |
750 | 0 | return tlsv1_server_get_write_alerts(conn->server); |
751 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
752 | 0 | return 0; |
753 | 0 | } |
754 | | |
755 | | |
756 | | int tls_connection_set_session_ticket_cb(void *tls_ctx, |
757 | | struct tls_connection *conn, |
758 | | tls_session_ticket_cb cb, |
759 | | void *ctx) |
760 | 0 | { |
761 | 0 | #ifdef CONFIG_TLS_INTERNAL_CLIENT |
762 | 0 | if (conn->client) { |
763 | 0 | tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx); |
764 | 0 | return 0; |
765 | 0 | } |
766 | 0 | #endif /* CONFIG_TLS_INTERNAL_CLIENT */ |
767 | 0 | #ifdef CONFIG_TLS_INTERNAL_SERVER |
768 | 0 | if (conn->server) { |
769 | 0 | tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx); |
770 | 0 | return 0; |
771 | 0 | } |
772 | 0 | #endif /* CONFIG_TLS_INTERNAL_SERVER */ |
773 | 0 | return -1; |
774 | 0 | } |
775 | | |
776 | | |
777 | | int tls_get_library_version(char *buf, size_t buf_len) |
778 | 0 | { |
779 | 0 | return os_snprintf(buf, buf_len, "internal"); |
780 | 0 | } |
781 | | |
782 | | |
783 | | void tls_connection_set_success_data(struct tls_connection *conn, |
784 | | struct wpabuf *data) |
785 | 0 | { |
786 | 0 | wpabuf_free(data); |
787 | 0 | } |
788 | | |
789 | | |
790 | | void tls_connection_set_success_data_resumed(struct tls_connection *conn) |
791 | 0 | { |
792 | 0 | } |
793 | | |
794 | | |
795 | | const struct wpabuf * |
796 | | tls_connection_get_success_data(struct tls_connection *conn) |
797 | 0 | { |
798 | 0 | return NULL; |
799 | 0 | } |
800 | | |
801 | | |
802 | | void tls_connection_remove_session(struct tls_connection *conn) |
803 | 0 | { |
804 | 0 | } |