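--- a/tls.h
+++ b/tls.h
@@ -1,8 +1,8 @@
 /*
  * SSL/TLS interface definition
  * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
  */
 
@@ -36,16 +36,18 @@
 	TLS_FAIL_NOT_YET_VALID = 3,
 	TLS_FAIL_EXPIRED = 4,
 	TLS_FAIL_SUBJECT_MISMATCH = 5,
 	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
 	TLS_FAIL_BAD_CERTIFICATE = 7,
 	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
 	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
 	TLS_FAIL_DOMAIN_MISMATCH = 10,
+	TLS_FAIL_INSUFFICIENT_KEY_LEN = 11,
+	TLS_FAIL_DN_MISMATCH = 12,
 };
 
 
 #define TLS_MAX_ALT_SUBJECT 10
 
 union tls_event_data {
 	struct {
 		int depth;
@@ -58,68 +60,84 @@
 	struct {
 		int depth;
 		const char *subject;
 		const struct wpabuf *cert;
 		const u8 *hash;
 		size_t hash_len;
 		const char *altsubject[TLS_MAX_ALT_SUBJECT];
 		int num_altsubject;
+		const char *serial_num;
 	} peer_cert;
 
 	struct {
 		int is_local;
 		const char *type;
 		const char *description;
 	} alert;
 };
 
 struct tls_config {
 	const char *opensc_engine_path;
 	const char *pkcs11_engine_path;
 	const char *pkcs11_module_path;
 	int fips_mode;
 	int cert_in_cb;
 	const char *openssl_ciphers;
 	unsigned int tls_session_lifetime;
+	unsigned int crl_reload_interval;
+	unsigned int tls_flags;
 
 	void (*event_cb)(void *ctx, enum tls_event ev,
 			 union tls_event_data *data);
 	void *cb_ctx;
 };
 
 #define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
 #define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
 #define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
 #define TLS_CONN_REQUEST_OCSP BIT(3)
 #define TLS_CONN_REQUIRE_OCSP BIT(4)
 #define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
 #define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
 #define TLS_CONN_EAP_FAST BIT(7)
 #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
 #define TLS_CONN_EXT_CERT_CHECK BIT(9)
 #define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
+#define TLS_CONN_SUITEB BIT(11)
+#define TLS_CONN_SUITEB_NO_ECDH BIT(12)
+#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)
+#define TLS_CONN_ENABLE_TLSv1_0 BIT(14)
+#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
+#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection
  * @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
  * format
  * @ca_cert_blob: ca_cert as inlined data or %NULL if not used
  * @ca_cert_blob_len: ca_cert_blob length
  * @ca_path: Path to CA certificates (OpenSSL specific)
  * @subject_match: String to match in the subject of the peer certificate or
  * %NULL to allow all subjects
  * @altsubject_match: String to match in the alternative subject of the peer
  * certificate or %NULL to allow all alternative subjects
- * @suffix_match: String to suffix match in the dNSName or CN of the peer
- * certificate or %NULL to allow all domain names. This may allow subdomains an
- * wildcard certificates. Each domain name label must have a full match.
+ * @suffix_match: Semicolon deliminated string of values to suffix match against
+ * the dNSName or CN of the peer certificate or %NULL to allow all domain names.
+ * This may allow subdomains and wildcard certificates. Each domain name label
+ * must have a full case-insensitive match.
  * @domain_match: String to match in the dNSName or CN of the peer
  * certificate or %NULL to allow all domain names. This requires a full,
  * case-insensitive match.
+ *
+ * More than one match string can be provided by using semicolons to
+ * separate the strings (e.g., example.org;example.com). When multiple
+ * strings are specified, a match with any one of the values is
+ * considered a sufficient match for the certificate, i.e., the
+ * conditions are ORed together.
  * @client_cert: File or reference name for client X.509 certificate in PEM or
  * DER format
  * @client_cert_blob: client_cert as inlined data or %NULL if not used
  * @client_cert_blob_len: client_cert_blob length
  * @private_key: File or reference name for client private key in PEM or DER
  * format (traditional format (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY)
  * @private_key_blob: private_key as inlined data or %NULL if not used
  * @private_key_blob_len: private_key_blob length
@@ -133,22 +151,25 @@
  * @engine_id: engine id string (this is OpenSSL specific for now)
  * @ppin: pointer to the pin variable in the configuration
  * (this is OpenSSL specific for now)
  * @key_id: the private key's id when using engine (this is OpenSSL
  * specific for now)
  * @cert_id: the certificate's id when using engine
  * @ca_cert_id: the CA certificate's id when using engine
  * @openssl_ciphers: OpenSSL cipher configuration
+ * @openssl_ecdh_curves: OpenSSL ECDH curve configuration. %NULL for auto if
+ * supported, empty string to disable, or a colon-separated curve list.
  * @flags: Parameter options (TLS_CONN_*)
  * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
  * or %NULL if OCSP is not enabled
  * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
  * response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
  * ocsp_multi is not enabled
+ * @check_cert_subject: Client certificate subject name matching string
  *
  * TLS connection parameters to be configured with tls_connection_set_params()
  * and tls_global_set_params().
  *
  * Certificates and private key can be configured either as a reference name
  * (file path or reference to certificate store) or by providing the same data
  * as a pointer to the data in memory. Only one option will be used for each
  * field.
@@ -176,20 +197,22 @@
 	/* OpenSSL specific variables */
 	int engine;
 	const char *engine_id;
 	const char *pin;
 	const char *key_id;
 	const char *cert_id;
 	const char *ca_cert_id;
 	const char *openssl_ciphers;
+	const char *openssl_ecdh_curves;
 
 	unsigned int flags;
 	const char *ocsp_stapling_response;
 	const char *ocsp_stapling_response_multi;
+	const char *check_cert_subject;
 };
 
 
 /**
  * tls_init - Initialize TLS library
  * @conf: Configuration data for TLS library
  * Returns: Context data to be used as tls_ctx in calls to other functions,
  * or %NULL on failure.
@@ -243,16 +266,28 @@
  * tls_connection_established - Has the TLS connection been completed?
  * @tls_ctx: TLS context data from tls_init()
  * @conn: Connection context data from tls_connection_init()
  * Returns: 1 if TLS connection has been completed, 0 if not.
  */
 int tls_connection_established(void *tls_ctx, struct tls_connection *conn);
 
 /**
+ * tls_connection_peer_serial_num - Fetch peer certificate serial number
+ * @tls_ctx: TLS context data from tls_init()
+ * @conn: Connection context data from tls_connection_init()
+ * Returns: Allocated string buffer containing the peer certificate serial
+ * number or %NULL on error.
+ *
+ * The caller is responsible for freeing the returned buffer with os_free().
+ */
+char * tls_connection_peer_serial_num(void *tls_ctx,
+				      struct tls_connection *conn);
+
+/**
  * tls_connection_shutdown - Shutdown TLS connection
  * @tls_ctx: TLS context data from tls_init()
  * @conn: Connection context data from tls_connection_init()
  * Returns: 0 on success, -1 on failure
  *
  * Shutdown current TLS connection without releasing all resources. New
  * connection can be started by using the same conn without having to call
  * tls_connection_init() or setting certificates etc. again. The new
@@ -298,19 +333,21 @@
 int __must_check tls_global_set_params(
 	void *tls_ctx, const struct tls_connection_params *params);
 
 /**
  * tls_global_set_verify - Set global certificate verification options
  * @tls_ctx: TLS context data from tls_init()
  * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
  * 2 = verify CRL for all certificates
+ * @strict: 0 = allow CRL time errors, 1 = do not allow CRL time errors
  * Returns: 0 on success, -1 on failure
  */
-int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
+int __must_check tls_global_set_verify(void *tls_ctx, int check_crl,
+				       int strict);
 
 /**
  * tls_connection_set_verify - Set certificate verification options
  * @tls_ctx: TLS context data from tls_init()
  * @conn: Connection context data from tls_connection_init()
  * @verify_peer: 1 = verify peer certificate
  * @flags: Connection flags (TLS_CONN_*)
  * @session_ctx: Session caching context or %NULL to use default
@@ -335,25 +372,31 @@
 			      struct tls_connection *conn,
 			      struct tls_random *data);
 
 /**
  * tls_connection_export_key - Derive keying material from a TLS connection
  * @tls_ctx: TLS context data from tls_init()
  * @conn: Connection context data from tls_connection_init()
  * @label: Label (e.g., description of the key) for PRF
+ * @context: Optional extra upper-layer context (max len 2^16)
+ * @context_len: The length of the context value
  * @out: Buffer for output data from TLS-PRF
  * @out_len: Length of the output buffer
  * Returns: 0 on success, -1 on failure
  *
- * Exports keying material using the mechanism described in RFC 5705.
+ * Exports keying material using the mechanism described in RFC 5705. If
+ * context is %NULL, context is not provided; otherwise, context is provided
+ * (including the case of empty context with context_len == 0).
  */
 int __must_check tls_connection_export_key(void *tls_ctx,
 					   struct tls_connection *conn,
 					   const char *label,
+					   const u8 *context,
+					   size_t context_len,
 					   u8 *out, size_t out_len);
 
 /**
  * tls_connection_get_eap_fast_key - Derive key material for EAP-FAST
  * @tls_ctx: TLS context data from tls_init()
  * @conn: Connection context data from tls_connection_init()
  * @out: Buffer for output data from TLS-PRF
  * @out_len: Length of the output buffer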
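Review bot: The new @context line on tls_connection_export_key states the limit as "max len 2^16", but the RFC 5705 exporter carries the context length in a two-byte field, so the largest representable value is 65535 (2^16 - 1); the comment should read ` * @context: Optional extra upper-layer context (max len 65535 bytes)` and the Returns line should say that a context_len above that limit fails with -1, since callers pass a size_t and nothing in this header bounds it. The range check itself belongs in each backend implementing this prototype, which is not visible here, so whether it exists cannot be confirmed from this hunk. In the same section, the new @suffix_match text reads "Semicolon deliminated" — "delimited". The new TLS_CONN_ENABLE_TLSv1_0/1_1/1_2 flags sit beside the existing TLS_CONN_DISABLE_TLSv1_x flags with no statement of which takes precedence when both are set for the same version; a one-line comment above the ENABLE group stating the precedence would remove that ambiguity for callers.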