tls.h 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603
  1. /*
  2. * SSL/TLS interface definition
  3. * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
  4. *
  5. * This software may be distributed under the terms of the BSD license.
  6. * See README for more details.
  7. */
  8. #ifndef TLS_H
  9. #define TLS_H
  10. struct tls_connection;
  11. struct tls_random {
  12. const u8 *client_random;
  13. size_t client_random_len;
  14. const u8 *server_random;
  15. size_t server_random_len;
  16. };
  17. enum tls_event {
  18. TLS_CERT_CHAIN_SUCCESS,
  19. TLS_CERT_CHAIN_FAILURE,
  20. TLS_PEER_CERTIFICATE,
  21. TLS_ALERT
  22. };
  23. /*
  24. * Note: These are used as identifier with external programs and as such, the
  25. * values must not be changed.
  26. */
  27. enum tls_fail_reason {
  28. TLS_FAIL_UNSPECIFIED = 0,
  29. TLS_FAIL_UNTRUSTED = 1,
  30. TLS_FAIL_REVOKED = 2,
  31. TLS_FAIL_NOT_YET_VALID = 3,
  32. TLS_FAIL_EXPIRED = 4,
  33. TLS_FAIL_SUBJECT_MISMATCH = 5,
  34. TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
  35. TLS_FAIL_BAD_CERTIFICATE = 7,
  36. TLS_FAIL_SERVER_CHAIN_PROBE = 8,
  37. TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
  38. TLS_FAIL_DOMAIN_MISMATCH = 10,
  39. };
  40. #define TLS_MAX_ALT_SUBJECT 10
  41. union tls_event_data {
  42. struct {
  43. int depth;
  44. const char *subject;
  45. enum tls_fail_reason reason;
  46. const char *reason_txt;
  47. const struct wpabuf *cert;
  48. } cert_fail;
  49. struct {
  50. int depth;
  51. const char *subject;
  52. const struct wpabuf *cert;
  53. const u8 *hash;
  54. size_t hash_len;
  55. const char *altsubject[TLS_MAX_ALT_SUBJECT];
  56. int num_altsubject;
  57. } peer_cert;
  58. struct {
  59. int is_local;
  60. const char *type;
  61. const char *description;
  62. } alert;
  63. };
  64. struct tls_config {
  65. const char *opensc_engine_path;
  66. const char *pkcs11_engine_path;
  67. const char *pkcs11_module_path;
  68. int fips_mode;
  69. int cert_in_cb;
  70. const char *openssl_ciphers;
  71. unsigned int tls_session_lifetime;
  72. void (*event_cb)(void *ctx, enum tls_event ev,
  73. union tls_event_data *data);
  74. void *cb_ctx;
  75. };
  76. #define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
  77. #define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
  78. #define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
  79. #define TLS_CONN_REQUEST_OCSP BIT(3)
  80. #define TLS_CONN_REQUIRE_OCSP BIT(4)
  81. #define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
  82. #define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
  83. #define TLS_CONN_EAP_FAST BIT(7)
  84. #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
  85. #define TLS_CONN_EXT_CERT_CHECK BIT(9)
  86. #define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
  87. /**
  88. * struct tls_connection_params - Parameters for TLS connection
  89. * @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
  90. * format
  91. * @ca_cert_blob: ca_cert as inlined data or %NULL if not used
  92. * @ca_cert_blob_len: ca_cert_blob length
  93. * @ca_path: Path to CA certificates (OpenSSL specific)
  94. * @subject_match: String to match in the subject of the peer certificate or
  95. * %NULL to allow all subjects
  96. * @altsubject_match: String to match in the alternative subject of the peer
  97. * certificate or %NULL to allow all alternative subjects
  98. * @suffix_match: String to suffix match in the dNSName or CN of the peer
  99. * certificate or %NULL to allow all domain names. This may allow subdomains an
  100. * wildcard certificates. Each domain name label must have a full match.
  101. * @domain_match: String to match in the dNSName or CN of the peer
  102. * certificate or %NULL to allow all domain names. This requires a full,
  103. * case-insensitive match.
  104. * @client_cert: File or reference name for client X.509 certificate in PEM or
  105. * DER format
  106. * @client_cert_blob: client_cert as inlined data or %NULL if not used
  107. * @client_cert_blob_len: client_cert_blob length
  108. * @private_key: File or reference name for client private key in PEM or DER
  109. * format (traditional format (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY)
  110. * @private_key_blob: private_key as inlined data or %NULL if not used
  111. * @private_key_blob_len: private_key_blob length
  112. * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
  113. * passphrase is used.
  114. * @dh_file: File name for DH/DSA data in PEM format, or %NULL if not used
  115. * @dh_blob: dh_file as inlined data or %NULL if not used
  116. * @dh_blob_len: dh_blob length
  117. * @engine: 1 = use engine (e.g., a smartcard) for private key operations
  118. * (this is OpenSSL specific for now)
  119. * @engine_id: engine id string (this is OpenSSL specific for now)
  120. * @ppin: pointer to the pin variable in the configuration
  121. * (this is OpenSSL specific for now)
  122. * @key_id: the private key's id when using engine (this is OpenSSL
  123. * specific for now)
  124. * @cert_id: the certificate's id when using engine
  125. * @ca_cert_id: the CA certificate's id when using engine
  126. * @openssl_ciphers: OpenSSL cipher configuration
  127. * @flags: Parameter options (TLS_CONN_*)
  128. * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
  129. * or %NULL if OCSP is not enabled
  130. * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
  131. * response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
  132. * ocsp_multi is not enabled
  133. *
  134. * TLS connection parameters to be configured with tls_connection_set_params()
  135. * and tls_global_set_params().
  136. *
  137. * Certificates and private key can be configured either as a reference name
  138. * (file path or reference to certificate store) or by providing the same data
  139. * as a pointer to the data in memory. Only one option will be used for each
  140. * field.
  141. */
  142. struct tls_connection_params {
  143. const char *ca_cert;
  144. const u8 *ca_cert_blob;
  145. size_t ca_cert_blob_len;
  146. const char *ca_path;
  147. const char *subject_match;
  148. const char *altsubject_match;
  149. const char *suffix_match;
  150. const char *domain_match;
  151. const char *client_cert;
  152. const u8 *client_cert_blob;
  153. size_t client_cert_blob_len;
  154. const char *private_key;
  155. const u8 *private_key_blob;
  156. size_t private_key_blob_len;
  157. const char *private_key_passwd;
  158. const char *dh_file;
  159. const u8 *dh_blob;
  160. size_t dh_blob_len;
  161. /* OpenSSL specific variables */
  162. int engine;
  163. const char *engine_id;
  164. const char *pin;
  165. const char *key_id;
  166. const char *cert_id;
  167. const char *ca_cert_id;
  168. const char *openssl_ciphers;
  169. unsigned int flags;
  170. const char *ocsp_stapling_response;
  171. const char *ocsp_stapling_response_multi;
  172. };
  173. /**
  174. * tls_init - Initialize TLS library
  175. * @conf: Configuration data for TLS library
  176. * Returns: Context data to be used as tls_ctx in calls to other functions,
  177. * or %NULL on failure.
  178. *
  179. * Called once during program startup and once for each RSN pre-authentication
  180. * session. In other words, there can be two concurrent TLS contexts. If global
  181. * library initialization is needed (i.e., one that is shared between both
  182. * authentication types), the TLS library wrapper should maintain a reference
  183. * counter and do global initialization only when moving from 0 to 1 reference.
  184. */
  185. void * tls_init(const struct tls_config *conf);
  186. /**
  187. * tls_deinit - Deinitialize TLS library
  188. * @tls_ctx: TLS context data from tls_init()
  189. *
  190. * Called once during program shutdown and once for each RSN pre-authentication
  191. * session. If global library deinitialization is needed (i.e., one that is
  192. * shared between both authentication types), the TLS library wrapper should
  193. * maintain a reference counter and do global deinitialization only when moving
  194. * from 1 to 0 references.
  195. */
  196. void tls_deinit(void *tls_ctx);
  197. /**
  198. * tls_get_errors - Process pending errors
  199. * @tls_ctx: TLS context data from tls_init()
  200. * Returns: Number of found error, 0 if no errors detected.
  201. *
  202. * Process all pending TLS errors.
  203. */
  204. int tls_get_errors(void *tls_ctx);
  205. /**
  206. * tls_connection_init - Initialize a new TLS connection
  207. * @tls_ctx: TLS context data from tls_init()
  208. * Returns: Connection context data, conn for other function calls
  209. */
  210. struct tls_connection * tls_connection_init(void *tls_ctx);
  211. /**
  212. * tls_connection_deinit - Free TLS connection data
  213. * @tls_ctx: TLS context data from tls_init()
  214. * @conn: Connection context data from tls_connection_init()
  215. *
  216. * Release all resources allocated for TLS connection.
  217. */
  218. void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn);
  219. /**
  220. * tls_connection_established - Has the TLS connection been completed?
  221. * @tls_ctx: TLS context data from tls_init()
  222. * @conn: Connection context data from tls_connection_init()
  223. * Returns: 1 if TLS connection has been completed, 0 if not.
  224. */
  225. int tls_connection_established(void *tls_ctx, struct tls_connection *conn);
  226. /**
  227. * tls_connection_shutdown - Shutdown TLS connection
  228. * @tls_ctx: TLS context data from tls_init()
  229. * @conn: Connection context data from tls_connection_init()
  230. * Returns: 0 on success, -1 on failure
  231. *
  232. * Shutdown current TLS connection without releasing all resources. New
  233. * connection can be started by using the same conn without having to call
  234. * tls_connection_init() or setting certificates etc. again. The new
  235. * connection should try to use session resumption.
  236. */
  237. int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn);
  238. enum {
  239. TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN = -4,
  240. TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3,
  241. TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2
  242. };
  243. /**
  244. * tls_connection_set_params - Set TLS connection parameters
  245. * @tls_ctx: TLS context data from tls_init()
  246. * @conn: Connection context data from tls_connection_init()
  247. * @params: Connection parameters
  248. * Returns: 0 on success, -1 on failure,
  249. * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
  250. * failure, or
  251. * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
  252. * PKCS#11 engine private key, or
  253. * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
  254. * failure.
  255. */
  256. int __must_check
  257. tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
  258. const struct tls_connection_params *params);
  259. /**
  260. * tls_global_set_params - Set TLS parameters for all TLS connection
  261. * @tls_ctx: TLS context data from tls_init()
  262. * @params: Global TLS parameters
  263. * Returns: 0 on success, -1 on failure,
  264. * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
  265. * failure, or
  266. * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
  267. * PKCS#11 engine private key, or
  268. * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
  269. * failure.
  270. */
  271. int __must_check tls_global_set_params(
  272. void *tls_ctx, const struct tls_connection_params *params);
  273. /**
  274. * tls_global_set_verify - Set global certificate verification options
  275. * @tls_ctx: TLS context data from tls_init()
  276. * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
  277. * 2 = verify CRL for all certificates
  278. * Returns: 0 on success, -1 on failure
  279. */
  280. int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
  281. /**
  282. * tls_connection_set_verify - Set certificate verification options
  283. * @tls_ctx: TLS context data from tls_init()
  284. * @conn: Connection context data from tls_connection_init()
  285. * @verify_peer: 1 = verify peer certificate
  286. * @flags: Connection flags (TLS_CONN_*)
  287. * @session_ctx: Session caching context or %NULL to use default
  288. * @session_ctx_len: Length of @session_ctx in bytes.
  289. * Returns: 0 on success, -1 on failure
  290. */
  291. int __must_check tls_connection_set_verify(void *tls_ctx,
  292. struct tls_connection *conn,
  293. int verify_peer,
  294. unsigned int flags,
  295. const u8 *session_ctx,
  296. size_t session_ctx_len);
  297. /**
  298. * tls_connection_get_random - Get random data from TLS connection
  299. * @tls_ctx: TLS context data from tls_init()
  300. * @conn: Connection context data from tls_connection_init()
  301. * @data: Structure of client/server random data (filled on success)
  302. * Returns: 0 on success, -1 on failure
  303. */
  304. int __must_check tls_connection_get_random(void *tls_ctx,
  305. struct tls_connection *conn,
  306. struct tls_random *data);
  307. /**
  308. * tls_connection_export_key - Derive keying material from a TLS connection
  309. * @tls_ctx: TLS context data from tls_init()
  310. * @conn: Connection context data from tls_connection_init()
  311. * @label: Label (e.g., description of the key) for PRF
  312. * @out: Buffer for output data from TLS-PRF
  313. * @out_len: Length of the output buffer
  314. * Returns: 0 on success, -1 on failure
  315. *
  316. * Exports keying material using the mechanism described in RFC 5705.
  317. */
  318. int __must_check tls_connection_export_key(void *tls_ctx,
  319. struct tls_connection *conn,
  320. const char *label,
  321. u8 *out, size_t out_len);
  322. /**
  323. * tls_connection_get_eap_fast_key - Derive key material for EAP-FAST
  324. * @tls_ctx: TLS context data from tls_init()
  325. * @conn: Connection context data from tls_connection_init()
  326. * @out: Buffer for output data from TLS-PRF
  327. * @out_len: Length of the output buffer
  328. * Returns: 0 on success, -1 on failure
  329. *
  330. * Exports key material after the normal TLS key block for use with
  331. * EAP-FAST. Most callers will want tls_connection_export_key(), but EAP-FAST
  332. * uses a different legacy mechanism.
  333. */
  334. int __must_check tls_connection_get_eap_fast_key(void *tls_ctx,
  335. struct tls_connection *conn,
  336. u8 *out, size_t out_len);
  337. /**
  338. * tls_connection_handshake - Process TLS handshake (client side)
  339. * @tls_ctx: TLS context data from tls_init()
  340. * @conn: Connection context data from tls_connection_init()
  341. * @in_data: Input data from TLS server
  342. * @appl_data: Pointer to application data pointer, or %NULL if dropped
  343. * Returns: Output data, %NULL on failure
  344. *
  345. * The caller is responsible for freeing the returned output data. If the final
  346. * handshake message includes application data, this is decrypted and
  347. * appl_data (if not %NULL) is set to point this data. The caller is
  348. * responsible for freeing appl_data.
  349. *
  350. * This function is used during TLS handshake. The first call is done with
  351. * in_data == %NULL and the library is expected to return ClientHello packet.
  352. * This packet is then send to the server and a response from server is given
  353. * to TLS library by calling this function again with in_data pointing to the
  354. * TLS message from the server.
  355. *
  356. * If the TLS handshake fails, this function may return %NULL. However, if the
  357. * TLS library has a TLS alert to send out, that should be returned as the
  358. * output data. In this case, tls_connection_get_failed() must return failure
  359. * (> 0).
  360. *
  361. * tls_connection_established() should return 1 once the TLS handshake has been
  362. * completed successfully.
  363. */
  364. struct wpabuf * tls_connection_handshake(void *tls_ctx,
  365. struct tls_connection *conn,
  366. const struct wpabuf *in_data,
  367. struct wpabuf **appl_data);
  368. struct wpabuf * tls_connection_handshake2(void *tls_ctx,
  369. struct tls_connection *conn,
  370. const struct wpabuf *in_data,
  371. struct wpabuf **appl_data,
  372. int *more_data_needed);
  373. /**
  374. * tls_connection_server_handshake - Process TLS handshake (server side)
  375. * @tls_ctx: TLS context data from tls_init()
  376. * @conn: Connection context data from tls_connection_init()
  377. * @in_data: Input data from TLS peer
  378. * @appl_data: Pointer to application data pointer, or %NULL if dropped
  379. * Returns: Output data, %NULL on failure
  380. *
  381. * The caller is responsible for freeing the returned output data.
  382. */
  383. struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
  384. struct tls_connection *conn,
  385. const struct wpabuf *in_data,
  386. struct wpabuf **appl_data);
  387. /**
  388. * tls_connection_encrypt - Encrypt data into TLS tunnel
  389. * @tls_ctx: TLS context data from tls_init()
  390. * @conn: Connection context data from tls_connection_init()
  391. * @in_data: Plaintext data to be encrypted
  392. * Returns: Encrypted TLS data or %NULL on failure
  393. *
  394. * This function is used after TLS handshake has been completed successfully to
  395. * send data in the encrypted tunnel. The caller is responsible for freeing the
  396. * returned output data.
  397. */
  398. struct wpabuf * tls_connection_encrypt(void *tls_ctx,
  399. struct tls_connection *conn,
  400. const struct wpabuf *in_data);
  401. /**
  402. * tls_connection_decrypt - Decrypt data from TLS tunnel
  403. * @tls_ctx: TLS context data from tls_init()
  404. * @conn: Connection context data from tls_connection_init()
  405. * @in_data: Encrypted TLS data
  406. * Returns: Decrypted TLS data or %NULL on failure
  407. *
  408. * This function is used after TLS handshake has been completed successfully to
  409. * receive data from the encrypted tunnel. The caller is responsible for
  410. * freeing the returned output data.
  411. */
  412. struct wpabuf * tls_connection_decrypt(void *tls_ctx,
  413. struct tls_connection *conn,
  414. const struct wpabuf *in_data);
  415. struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
  416. struct tls_connection *conn,
  417. const struct wpabuf *in_data,
  418. int *more_data_needed);
  419. /**
  420. * tls_connection_resumed - Was session resumption used
  421. * @tls_ctx: TLS context data from tls_init()
  422. * @conn: Connection context data from tls_connection_init()
  423. * Returns: 1 if current session used session resumption, 0 if not
  424. */
  425. int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);
  426. enum {
  427. TLS_CIPHER_NONE,
  428. TLS_CIPHER_RC4_SHA /* 0x0005 */,
  429. TLS_CIPHER_AES128_SHA /* 0x002f */,
  430. TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
  431. TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */,
  432. TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,
  433. TLS_CIPHER_AES256_SHA /* 0x0035 */,
  434. };
  435. /**
  436. * tls_connection_set_cipher_list - Configure acceptable cipher suites
  437. * @tls_ctx: TLS context data from tls_init()
  438. * @conn: Connection context data from tls_connection_init()
  439. * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
  440. * (TLS_CIPHER_*).
  441. * Returns: 0 on success, -1 on failure
  442. */
  443. int __must_check tls_connection_set_cipher_list(void *tls_ctx,
  444. struct tls_connection *conn,
  445. u8 *ciphers);
  446. /**
  447. * tls_get_version - Get the current TLS version number
  448. * @tls_ctx: TLS context data from tls_init()
  449. * @conn: Connection context data from tls_connection_init()
  450. * @buf: Buffer for returning the TLS version number
  451. * @buflen: buf size
  452. * Returns: 0 on success, -1 on failure
  453. *
  454. * Get the currently used TLS version number.
  455. */
  456. int __must_check tls_get_version(void *tls_ctx, struct tls_connection *conn,
  457. char *buf, size_t buflen);
  458. /**
  459. * tls_get_cipher - Get current cipher name
  460. * @tls_ctx: TLS context data from tls_init()
  461. * @conn: Connection context data from tls_connection_init()
  462. * @buf: Buffer for the cipher name
  463. * @buflen: buf size
  464. * Returns: 0 on success, -1 on failure
  465. *
  466. * Get the name of the currently used cipher.
  467. */
  468. int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
  469. char *buf, size_t buflen);
  470. /**
  471. * tls_connection_enable_workaround - Enable TLS workaround options
  472. * @tls_ctx: TLS context data from tls_init()
  473. * @conn: Connection context data from tls_connection_init()
  474. * Returns: 0 on success, -1 on failure
  475. *
  476. * This function is used to enable connection-specific workaround options for
  477. * buffer SSL/TLS implementations.
  478. */
  479. int __must_check tls_connection_enable_workaround(void *tls_ctx,
  480. struct tls_connection *conn);
  481. /**
  482. * tls_connection_client_hello_ext - Set TLS extension for ClientHello
  483. * @tls_ctx: TLS context data from tls_init()
  484. * @conn: Connection context data from tls_connection_init()
  485. * @ext_type: Extension type
  486. * @data: Extension payload (%NULL to remove extension)
  487. * @data_len: Extension payload length
  488. * Returns: 0 on success, -1 on failure
  489. */
  490. int __must_check tls_connection_client_hello_ext(void *tls_ctx,
  491. struct tls_connection *conn,
  492. int ext_type, const u8 *data,
  493. size_t data_len);
  494. /**
  495. * tls_connection_get_failed - Get connection failure status
  496. * @tls_ctx: TLS context data from tls_init()
  497. * @conn: Connection context data from tls_connection_init()
  498. *
  499. * Returns >0 if connection has failed, 0 if not.
  500. */
  501. int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn);
  502. /**
  503. * tls_connection_get_read_alerts - Get connection read alert status
  504. * @tls_ctx: TLS context data from tls_init()
  505. * @conn: Connection context data from tls_connection_init()
  506. * Returns: Number of times a fatal read (remote end reported error) has
  507. * happened during this connection.
  508. */
  509. int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn);
  510. /**
  511. * tls_connection_get_write_alerts - Get connection write alert status
  512. * @tls_ctx: TLS context data from tls_init()
  513. * @conn: Connection context data from tls_connection_init()
  514. * Returns: Number of times a fatal write (locally detected error) has happened
  515. * during this connection.
  516. */
  517. int tls_connection_get_write_alerts(void *tls_ctx,
  518. struct tls_connection *conn);
  519. typedef int (*tls_session_ticket_cb)
  520. (void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
  521. const u8 *server_random, u8 *master_secret);
  522. int __must_check tls_connection_set_session_ticket_cb(
  523. void *tls_ctx, struct tls_connection *conn,
  524. tls_session_ticket_cb cb, void *ctx);
  525. void tls_connection_set_log_cb(struct tls_connection *conn,
  526. void (*log_cb)(void *ctx, const char *msg),
  527. void *ctx);
  528. #define TLS_BREAK_VERIFY_DATA BIT(0)
  529. #define TLS_BREAK_SRV_KEY_X_HASH BIT(1)
  530. #define TLS_BREAK_SRV_KEY_X_SIGNATURE BIT(2)
  531. #define TLS_DHE_PRIME_511B BIT(3)
  532. #define TLS_DHE_PRIME_767B BIT(4)
  533. #define TLS_DHE_PRIME_15 BIT(5)
  534. #define TLS_DHE_PRIME_58B BIT(6)
  535. #define TLS_DHE_NON_PRIME BIT(7)
  536. void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags);
  537. int tls_get_library_version(char *buf, size_t buf_len);
  538. void tls_connection_set_success_data(struct tls_connection *conn,
  539. struct wpabuf *data);
  540. void tls_connection_set_success_data_resumed(struct tls_connection *conn);
  541. const struct wpabuf *
  542. tls_connection_get_success_data(struct tls_connection *conn);
  543. void tls_connection_remove_session(struct tls_connection *conn);
  544. #endif /* TLS_H */