tls.h

IEEE 802.11a/b/g 服务器端AP

 * Returns: 0 on success, -1 on failure
 *
 * This function is optional to implement if tls_connection_get_keys() provides
 * access to master secret and server/client random values. If these values are
 * not exported from the TLS library, tls_connection_prf() is required so that
 * further keying material can be derived from the master secret. If not
 * implemented, the function will still need to be defined, but it can just
 * return -1. Example implementation of this function is in tls_prf() function
 * when it is called with seed set to client_random|server_random (or
 * server_random|client_random).
 */
int __must_check  tls_connection_prf(void *tls_ctx,
				     struct tls_connection *conn,
				     const char *label,
				     int server_random_first,
				     u8 *out, size_t out_len);

/**
 * tls_connection_handshake - Process TLS handshake (client side)
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @in_data: Input data from TLS peer
 * @in_len: Input data length
 * @out_len: Length of the output buffer.
 * @appl_data: Pointer to application data pointer, or %NULL if dropped
 * @appl_data_len: Pointer to variable that is set to appl_data length
 * Returns: Pointer to output data, %NULL on failure
 *
 * Caller is responsible for freeing returned output data. If the final
 * handshake message includes application data, this is decrypted and
 * appl_data (if not %NULL) is set to point this data. Caller is responsible
 * for freeing appl_data.
 *
 * This function is used during TLS handshake. The first call is done with
 * in_data == %NULL and the library is expected to return ClientHello packet.
 * This packet is then send to the server and a response from server is given
 * to TLS library by calling this function again with in_data pointing to the
 * TLS message from the server.
 *
 * If the TLS handshake fails, this function may return %NULL. However, if the
 * TLS library has a TLS alert to send out, that should be returned as the
 * output data. In this case, tls_connection_get_failed() must return failure
 * (> 0).
 *
 * tls_connection_established() should return 1 once the TLS handshake has been
 * completed successfully.
 */
u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
			      const u8 *in_data, size_t in_len,
			      size_t *out_len, u8 **appl_data,
			      size_t *appl_data_len);

/**
 * tls_connection_server_handshake - Process TLS handshake (server side)
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @in_data: Input data from TLS peer
 * @in_len: Input data length
 * @out_len: Length of the output buffer.
 * Returns: pointer to output data, %NULL on failure
 *
 * Caller is responsible for freeing returned output data.
 */
u8 * tls_connection_server_handshake(void *tls_ctx,
				     struct tls_connection *conn,
				     const u8 *in_data, size_t in_len,
				     size_t *out_len);

/**
 * tls_connection_encrypt - Encrypt data into TLS tunnel
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @in_data: Pointer to plaintext data to be encrypted
 * @in_len: Input buffer length
 * @out_data: Pointer to output buffer (encrypted TLS data)
 * @out_len: Maximum out_data length 
 * Returns: Number of bytes written to out_data, -1 on failure
 *
 * This function is used after TLS handshake has been completed successfully to
 * send data in the encrypted tunnel.
 */
int __must_check tls_connection_encrypt(void *tls_ctx,
					struct tls_connection *conn,
					const u8 *in_data, size_t in_len,
					u8 *out_data, size_t out_len);

/**
 * tls_connection_decrypt - Decrypt data from TLS tunnel
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @in_data: Pointer to input buffer (encrypted TLS data)
 * @in_len: Input buffer length
 * @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
 * @out_len: Maximum out_data length
 * Returns: Number of bytes written to out_data, -1 on failure
 *
 * This function is used after TLS handshake has been completed successfully to
 * receive data from the encrypted tunnel.
 */
int __must_check tls_connection_decrypt(void *tls_ctx,
					struct tls_connection *conn,
					const u8 *in_data, size_t in_len,
					u8 *out_data, size_t out_len);

/**
 * tls_connection_resumed - Was session resumption used
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: 1 if current session used session resumption, 0 if not
 */
int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);

enum {
	TLS_CIPHER_NONE,
	TLS_CIPHER_RC4_SHA /* 0x0005 */,
	TLS_CIPHER_AES128_SHA /* 0x002f */,
	TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
	TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */
};

/**
 * tls_connection_set_cipher_list - Configure acceptable cipher suites
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
 * (TLS_CIPHER_*).
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_connection_set_cipher_list(void *tls_ctx,
						struct tls_connection *conn,
						u8 *ciphers);

/**
 * tls_get_cipher - Get current cipher name
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @buf: Buffer for the cipher name
 * @buflen: buf size
 * Returns: 0 on success, -1 on failure
 *
 * Get the name of the currently used cipher.
 */
int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
				char *buf, size_t buflen);

/**
 * tls_connection_enable_workaround - Enable TLS workaround options
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: 0 on success, -1 on failure
 *
 * This function is used to enable connection-specific workaround options for
 * buffer SSL/TLS implementations.
 */
int __must_check tls_connection_enable_workaround(void *tls_ctx,
						  struct tls_connection *conn);

/**
 * tls_connection_client_hello_ext - Set TLS extension for ClientHello
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @ext_type: Extension type
 * @data: Extension payload (%NULL to remove extension)
 * @data_len: Extension payload length
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_connection_client_hello_ext(void *tls_ctx,
						 struct tls_connection *conn,
						 int ext_type, const u8 *data,
						 size_t data_len);

/**
 * tls_connection_get_failed - Get connection failure status
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 *
 * Returns >0 if connection has failed, 0 if not.
 */
int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_get_read_alerts - Get connection read alert status
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: Number of times a fatal read (remote end reported error) has
 * happened during this connection.
 */
int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_get_write_alerts - Get connection write alert status
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: Number of times a fatal write (locally detected error) has happened
 * during this connection.
 */
int tls_connection_get_write_alerts(void *tls_ctx,
				    struct tls_connection *conn);

/**
 * tls_connection_get_keyblock_size - Get TLS key_block size
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: Size of the key_block for the negotiated cipher suite or -1 on
 * failure
 */
int tls_connection_get_keyblock_size(void *tls_ctx,
				     struct tls_connection *conn);

#define TLS_CAPABILITY_IA 0x0001 /* TLS Inner Application (TLS/IA) */
/**
 * tls_capabilities - Get supported TLS capabilities
 * @tls_ctx: TLS context data from tls_init()
 * Returns: Bit field of supported TLS capabilities (TLS_CAPABILITY_*)
 */
unsigned int tls_capabilities(void *tls_ctx);

/**
 * tls_connection_ia_send_phase_finished - Send a TLS/IA PhaseFinished message
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @final: 1 = FinalPhaseFinished, 0 = IntermediatePhaseFinished
 * @out_data: Pointer to output buffer (encrypted TLS/IA data)
 * @out_len: Maximum out_data length 
 * Returns: Number of bytes written to out_data on success, -1 on failure
 *
 * This function is used to send the TLS/IA end phase message, e.g., when the
 * EAP server completes EAP-TTLSv1.
 */
int __must_check tls_connection_ia_send_phase_finished(
	void *tls_ctx, struct tls_connection *conn, int final,
	u8 *out_data, size_t out_len);

/**
 * tls_connection_ia_final_phase_finished - Has final phase been completed
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: 1 if valid FinalPhaseFinished has been received, 0 if not, or -1
 * on failure
 */
int __must_check tls_connection_ia_final_phase_finished(
	void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_ia_permute_inner_secret - Permute TLS/IA inner secret
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @key: Session key material (session_key vectors with 2-octet length), or
 * %NULL if no session key was generating in the current phase
 * @key_len: Length of session key material
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_connection_ia_permute_inner_secret(
	void *tls_ctx, struct tls_connection *conn,
	const u8 *key, size_t key_len);

typedef int (*tls_session_ticket_cb)
(void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
 const u8 *server_random, u8 *master_secret);

int __must_check  tls_connection_set_session_ticket_cb(
	void *tls_ctx, struct tls_connection *conn,
	tls_session_ticket_cb cb, void *ctx);

#endif /* TLS_H */