contrib/hostapd/src/crypto/tls_internal.c

   1 /*
   2  * TLS interface functions and an internal TLS implementation
   3  * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  *
   8  * This file interface functions for hostapd/wpa_supplicant to use the
   9  * integrated TLSv1 implementation.
  10  */
  11
  12 #include "includes.h"
  13
  14 #include "common.h"
  15 #include "tls.h"
  16 #include "tls/tlsv1_client.h"
  17 #include "tls/tlsv1_server.h"
  18
  19
  20 static int tls_ref_count = 0;
  21
  22 struct tls_global {
  23         int server;
  24         struct tlsv1_credentials *server_cred;
  25         int check_crl;
  26 };
  27
  28 struct tls_connection {
  29         struct tlsv1_client *client;
  30         struct tlsv1_server *server;
  31 };
  32
  33
  34 void * tls_init(const struct tls_config *conf)
  35 {
  36         struct tls_global *global;
  37
  38         if (tls_ref_count == 0) {
  39 #ifdef CONFIG_TLS_INTERNAL_CLIENT
  40                 if (tlsv1_client_global_init())
  41                         return NULL;
  42 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
  43 #ifdef CONFIG_TLS_INTERNAL_SERVER
  44                 if (tlsv1_server_global_init())
  45                         return NULL;
  46 #endif /* CONFIG_TLS_INTERNAL_SERVER */
  47         }
  48         tls_ref_count++;
  49
  50         global = os_zalloc(sizeof(*global));
  51         if (global == NULL)
  52                 return NULL;
  53
  54         return global;
  55 }
  56
  57 void tls_deinit(void *ssl_ctx)
  58 {
  59         struct tls_global *global = ssl_ctx;
  60         tls_ref_count--;
  61         if (tls_ref_count == 0) {
  62 #ifdef CONFIG_TLS_INTERNAL_CLIENT
  63                 tlsv1_client_global_deinit();
  64 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
  65 #ifdef CONFIG_TLS_INTERNAL_SERVER
  66                 tlsv1_cred_free(global->server_cred);
  67                 tlsv1_server_global_deinit();
  68 #endif /* CONFIG_TLS_INTERNAL_SERVER */
  69         }
  70         os_free(global);
  71 }
  72
  73
  74 int tls_get_errors(void *tls_ctx)
  75 {
  76         return 0;
  77 }
  78
  79
  80 struct tls_connection * tls_connection_init(void *tls_ctx)
  81 {
  82         struct tls_connection *conn;
  83         struct tls_global *global = tls_ctx;
  84
  85         conn = os_zalloc(sizeof(*conn));
  86         if (conn == NULL)
  87                 return NULL;
  88
  89 #ifdef CONFIG_TLS_INTERNAL_CLIENT
  90         if (!global->server) {
  91                 conn->client = tlsv1_client_init();
  92                 if (conn->client == NULL) {
  93                         os_free(conn);
  94                         return NULL;
  95                 }
  96         }
  97 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
  98 #ifdef CONFIG_TLS_INTERNAL_SERVER
  99         if (global->server) {
 100                 conn->server = tlsv1_server_init(global->server_cred);
 101                 if (conn->server == NULL) {
 102                         os_free(conn);
 103                         return NULL;
 104                 }
 105         }
 106 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 107
 108         return conn;
 109 }
 110
 111
 112 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
 113 {
 114         if (conn == NULL)
 115                 return;
 116 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 117         if (conn->client)
 118                 tlsv1_client_deinit(conn->client);
 119 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 120 #ifdef CONFIG_TLS_INTERNAL_SERVER
 121         if (conn->server)
 122                 tlsv1_server_deinit(conn->server);
 123 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 124         os_free(conn);
 125 }
 126
 127
 128 int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
 129 {
 130 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 131         if (conn->client)
 132                 return tlsv1_client_established(conn->client);
 133 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 134 #ifdef CONFIG_TLS_INTERNAL_SERVER
 135         if (conn->server)
 136                 return tlsv1_server_established(conn->server);
 137 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 138         return 0;
 139 }
 140
 141
 142 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
 143 {
 144 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 145         if (conn->client)
 146                 return tlsv1_client_shutdown(conn->client);
 147 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 148 #ifdef CONFIG_TLS_INTERNAL_SERVER
 149         if (conn->server)
 150                 return tlsv1_server_shutdown(conn->server);
 151 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 152         return -1;
 153 }
 154
 155
 156 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 157                               const struct tls_connection_params *params)
 158 {
 159 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 160         struct tlsv1_credentials *cred;
 161
 162         if (conn->client == NULL)
 163                 return -1;
 164
 165         cred = tlsv1_cred_alloc();
 166         if (cred == NULL)
 167                 return -1;
 168
 169         if (tlsv1_set_ca_cert(cred, params->ca_cert,
 170                               params->ca_cert_blob, params->ca_cert_blob_len,
 171                               params->ca_path)) {
 172                 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
 173                            "certificates");
 174                 tlsv1_cred_free(cred);
 175                 return -1;
 176         }
 177
 178         if (tlsv1_set_cert(cred, params->client_cert,
 179                            params->client_cert_blob,
 180                            params->client_cert_blob_len)) {
 181                 wpa_printf(MSG_INFO, "TLS: Failed to configure client "
 182                            "certificate");
 183                 tlsv1_cred_free(cred);
 184                 return -1;
 185         }
 186
 187         if (tlsv1_set_private_key(cred, params->private_key,
 188                                   params->private_key_passwd,
 189                                   params->private_key_blob,
 190                                   params->private_key_blob_len)) {
 191                 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
 192                 tlsv1_cred_free(cred);
 193                 return -1;
 194         }
 195
 196         if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
 197                                params->dh_blob_len)) {
 198                 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
 199                 tlsv1_cred_free(cred);
 200                 return -1;
 201         }
 202
 203         if (tlsv1_client_set_cred(conn->client, cred) < 0) {
 204                 tlsv1_cred_free(cred);
 205                 return -1;
 206         }
 207
 208         tlsv1_client_set_time_checks(
 209                 conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
 210
 211         return 0;
 212 #else /* CONFIG_TLS_INTERNAL_CLIENT */
 213         return -1;
 214 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 215 }
 216
 217
 218 int tls_global_set_params(void *tls_ctx,
 219                           const struct tls_connection_params *params)
 220 {
 221 #ifdef CONFIG_TLS_INTERNAL_SERVER
 222         struct tls_global *global = tls_ctx;
 223         struct tlsv1_credentials *cred;
 224
 225         /* Currently, global parameters are only set when running in server
 226          * mode. */
 227         global->server = 1;
 228         tlsv1_cred_free(global->server_cred);
 229         global->server_cred = cred = tlsv1_cred_alloc();
 230         if (cred == NULL)
 231                 return -1;
 232
 233         if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
 234                               params->ca_cert_blob_len, params->ca_path)) {
 235                 wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
 236                            "certificates");
 237                 return -1;
 238         }
 239
 240         if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
 241                            params->client_cert_blob_len)) {
 242                 wpa_printf(MSG_INFO, "TLS: Failed to configure server "
 243                            "certificate");
 244                 return -1;
 245         }
 246
 247         if (tlsv1_set_private_key(cred, params->private_key,
 248                                   params->private_key_passwd,
 249                                   params->private_key_blob,
 250                                   params->private_key_blob_len)) {
 251                 wpa_printf(MSG_INFO, "TLS: Failed to load private key");
 252                 return -1;
 253         }
 254
 255         if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
 256                                params->dh_blob_len)) {
 257                 wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
 258                 return -1;
 259         }
 260
 261         return 0;
 262 #else /* CONFIG_TLS_INTERNAL_SERVER */
 263         return -1;
 264 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 265 }
 266
 267
 268 int tls_global_set_verify(void *tls_ctx, int check_crl)
 269 {
 270         struct tls_global *global = tls_ctx;
 271         global->check_crl = check_crl;
 272         return 0;
 273 }
 274
 275
 276 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
 277                               int verify_peer)
 278 {
 279 #ifdef CONFIG_TLS_INTERNAL_SERVER
 280         if (conn->server)
 281                 return tlsv1_server_set_verify(conn->server, verify_peer);
 282 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 283         return -1;
 284 }
 285
 286
 287 int tls_connection_get_keys(void *tls_ctx, struct tls_connection *conn,
 288                             struct tls_keys *keys)
 289 {
 290 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 291         if (conn->client)
 292                 return tlsv1_client_get_keys(conn->client, keys);
 293 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 294 #ifdef CONFIG_TLS_INTERNAL_SERVER
 295         if (conn->server)
 296                 return tlsv1_server_get_keys(conn->server, keys);
 297 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 298         return -1;
 299 }
 300
 301
 302 int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
 303                        const char *label, int server_random_first,
 304                        u8 *out, size_t out_len)
 305 {
 306 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 307         if (conn->client) {
 308                 return tlsv1_client_prf(conn->client, label,
 309                                         server_random_first,
 310                                         out, out_len);
 311         }
 312 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 313 #ifdef CONFIG_TLS_INTERNAL_SERVER
 314         if (conn->server) {
 315                 return tlsv1_server_prf(conn->server, label,
 316                                         server_random_first,
 317                                         out, out_len);
 318         }
 319 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 320         return -1;
 321 }
 322
 323
 324 struct wpabuf * tls_connection_handshake(void *tls_ctx,
 325                                          struct tls_connection *conn,
 326                                          const struct wpabuf *in_data,
 327                                          struct wpabuf **appl_data)
 328 {
 329         return tls_connection_handshake2(tls_ctx, conn, in_data, appl_data,
 330                                          NULL);
 331 }
 332
 333
 334 struct wpabuf * tls_connection_handshake2(void *tls_ctx,
 335                                           struct tls_connection *conn,
 336                                           const struct wpabuf *in_data,
 337                                           struct wpabuf **appl_data,
 338                                           int *need_more_data)
 339 {
 340 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 341         u8 *res, *ad;
 342         size_t res_len, ad_len;
 343         struct wpabuf *out;
 344
 345         if (conn->client == NULL)
 346                 return NULL;
 347
 348         ad = NULL;
 349         res = tlsv1_client_handshake(conn->client,
 350                                      in_data ? wpabuf_head(in_data) : NULL,
 351                                      in_data ? wpabuf_len(in_data) : 0,
 352                                      &res_len, &ad, &ad_len, need_more_data);
 353         if (res == NULL)
 354                 return NULL;
 355         out = wpabuf_alloc_ext_data(res, res_len);
 356         if (out == NULL) {
 357                 os_free(res);
 358                 os_free(ad);
 359                 return NULL;
 360         }
 361         if (appl_data) {
 362                 if (ad) {
 363                         *appl_data = wpabuf_alloc_ext_data(ad, ad_len);
 364                         if (*appl_data == NULL)
 365                                 os_free(ad);
 366                 } else
 367                         *appl_data = NULL;
 368         } else
 369                 os_free(ad);
 370
 371         return out;
 372 #else /* CONFIG_TLS_INTERNAL_CLIENT */
 373         return NULL;
 374 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 375 }
 376
 377
 378 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
 379                                                 struct tls_connection *conn,
 380                                                 const struct wpabuf *in_data,
 381                                                 struct wpabuf **appl_data)
 382 {
 383 #ifdef CONFIG_TLS_INTERNAL_SERVER
 384         u8 *res;
 385         size_t res_len;
 386         struct wpabuf *out;
 387
 388         if (conn->server == NULL)
 389                 return NULL;
 390
 391         if (appl_data)
 392                 *appl_data = NULL;
 393
 394         res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
 395                                      wpabuf_len(in_data), &res_len);
 396         if (res == NULL && tlsv1_server_established(conn->server))
 397                 return wpabuf_alloc(0);
 398         if (res == NULL)
 399                 return NULL;
 400         out = wpabuf_alloc_ext_data(res, res_len);
 401         if (out == NULL) {
 402                 os_free(res);
 403                 return NULL;
 404         }
 405
 406         return out;
 407 #else /* CONFIG_TLS_INTERNAL_SERVER */
 408         return NULL;
 409 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 410 }
 411
 412
 413 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
 414                                        struct tls_connection *conn,
 415                                        const struct wpabuf *in_data)
 416 {
 417 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 418         if (conn->client) {
 419                 struct wpabuf *buf;
 420                 int res;
 421                 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
 422                 if (buf == NULL)
 423                         return NULL;
 424                 res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data),
 425                                            wpabuf_len(in_data),
 426                                            wpabuf_mhead(buf),
 427                                            wpabuf_size(buf));
 428                 if (res < 0) {
 429                         wpabuf_free(buf);
 430                         return NULL;
 431                 }
 432                 wpabuf_put(buf, res);
 433                 return buf;
 434         }
 435 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 436 #ifdef CONFIG_TLS_INTERNAL_SERVER
 437         if (conn->server) {
 438                 struct wpabuf *buf;
 439                 int res;
 440                 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
 441                 if (buf == NULL)
 442                         return NULL;
 443                 res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data),
 444                                            wpabuf_len(in_data),
 445                                            wpabuf_mhead(buf),
 446                                            wpabuf_size(buf));
 447                 if (res < 0) {
 448                         wpabuf_free(buf);
 449                         return NULL;
 450                 }
 451                 wpabuf_put(buf, res);
 452                 return buf;
 453         }
 454 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 455         return NULL;
 456 }
 457
 458
 459 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
 460                                        struct tls_connection *conn,
 461                                        const struct wpabuf *in_data)
 462 {
 463         return tls_connection_decrypt2(tls_ctx, conn, in_data, NULL);
 464 }
 465
 466
 467 struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
 468                                         struct tls_connection *conn,
 469                                         const struct wpabuf *in_data,
 470                                         int *need_more_data)
 471 {
 472         if (need_more_data)
 473                 *need_more_data = 0;
 474
 475 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 476         if (conn->client) {
 477                 return tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
 478                                             wpabuf_len(in_data),
 479                                             need_more_data);
 480         }
 481 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 482 #ifdef CONFIG_TLS_INTERNAL_SERVER
 483         if (conn->server) {
 484                 struct wpabuf *buf;
 485                 int res;
 486                 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
 487                 if (buf == NULL)
 488                         return NULL;
 489                 res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data),
 490                                            wpabuf_len(in_data),
 491                                            wpabuf_mhead(buf),
 492                                            wpabuf_size(buf));
 493                 if (res < 0) {
 494                         wpabuf_free(buf);
 495                         return NULL;
 496                 }
 497                 wpabuf_put(buf, res);
 498                 return buf;
 499         }
 500 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 501         return NULL;
 502 }
 503
 504
 505 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
 506 {
 507 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 508         if (conn->client)
 509                 return tlsv1_client_resumed(conn->client);
 510 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 511 #ifdef CONFIG_TLS_INTERNAL_SERVER
 512         if (conn->server)
 513                 return tlsv1_server_resumed(conn->server);
 514 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 515         return -1;
 516 }
 517
 518
 519 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 520                                    u8 *ciphers)
 521 {
 522 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 523         if (conn->client)
 524                 return tlsv1_client_set_cipher_list(conn->client, ciphers);
 525 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 526 #ifdef CONFIG_TLS_INTERNAL_SERVER
 527         if (conn->server)
 528                 return tlsv1_server_set_cipher_list(conn->server, ciphers);
 529 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 530         return -1;
 531 }
 532
 533
 534 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
 535                    char *buf, size_t buflen)
 536 {
 537         if (conn == NULL)
 538                 return -1;
 539 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 540         if (conn->client)
 541                 return tlsv1_client_get_cipher(conn->client, buf, buflen);
 542 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 543 #ifdef CONFIG_TLS_INTERNAL_SERVER
 544         if (conn->server)
 545                 return tlsv1_server_get_cipher(conn->server, buf, buflen);
 546 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 547         return -1;
 548 }
 549
 550
 551 int tls_connection_enable_workaround(void *tls_ctx,
 552                                      struct tls_connection *conn)
 553 {
 554         return -1;
 555 }
 556
 557
 558 int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
 559                                     int ext_type, const u8 *data,
 560                                     size_t data_len)
 561 {
 562 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 563         if (conn->client) {
 564                 return tlsv1_client_hello_ext(conn->client, ext_type,
 565                                               data, data_len);
 566         }
 567 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 568         return -1;
 569 }
 570
 571
 572 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
 573 {
 574         return 0;
 575 }
 576
 577
 578 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
 579 {
 580         return 0;
 581 }
 582
 583
 584 int tls_connection_get_write_alerts(void *tls_ctx,
 585                                     struct tls_connection *conn)
 586 {
 587         return 0;
 588 }
 589
 590
 591 int tls_connection_get_keyblock_size(void *tls_ctx,
 592                                      struct tls_connection *conn)
 593 {
 594 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 595         if (conn->client)
 596                 return tlsv1_client_get_keyblock_size(conn->client);
 597 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 598 #ifdef CONFIG_TLS_INTERNAL_SERVER
 599         if (conn->server)
 600                 return tlsv1_server_get_keyblock_size(conn->server);
 601 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 602         return -1;
 603 }
 604
 605
 606 unsigned int tls_capabilities(void *tls_ctx)
 607 {
 608         return 0;
 609 }
 610
 611
 612 int tls_connection_set_session_ticket_cb(void *tls_ctx,
 613                                          struct tls_connection *conn,
 614                                          tls_session_ticket_cb cb,
 615                                          void *ctx)
 616 {
 617 #ifdef CONFIG_TLS_INTERNAL_CLIENT
 618         if (conn->client) {
 619                 tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
 620                 return 0;
 621         }
 622 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
 623 #ifdef CONFIG_TLS_INTERNAL_SERVER
 624         if (conn->server) {
 625                 tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
 626                 return 0;
 627         }
 628 #endif /* CONFIG_TLS_INTERNAL_SERVER */
 629         return -1;
 630 }