/*
 * SSL/TLS interface definition
 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef TLS_H
#define TLS_H

/*
 * Opaque per-connection state. The layout is private to the TLS library
 * wrapper implementing this interface; callers only hold the pointer returned
 * by tls_connection_init().
 */
struct tls_connection;

/**
 * struct tls_random - Client and server random values of a TLS connection
 * @client_random: Client random bytes
 * @client_random_len: Length of @client_random in bytes
 * @server_random: Server random bytes
 * @server_random_len: Length of @server_random in bytes
 *
 * Filled in by tls_connection_get_random(). NOTE(review): the lifetime of the
 * pointed-to bytes is not stated in this header; presumably they belong to the
 * connection state and must not be freed by the caller -- confirm with the
 * wrapper implementation.
 */
struct tls_random {
	const u8 *client_random;
	size_t client_random_len;
	const u8 *server_random;
	size_t server_random_len;
};

/**
 * enum tls_event - Events delivered through tls_config::event_cb
 * @TLS_CERT_CHAIN_SUCCESS: Peer certificate chain validation succeeded
 * @TLS_CERT_CHAIN_FAILURE: Peer certificate chain validation failed
 * @TLS_PEER_CERTIFICATE: A certificate from the peer chain is being reported
 * @TLS_ALERT: A TLS alert was generated locally or received from the peer
 *
 * The union tls_event_data member accompanying an event appears to be the one
 * named after it (cert_fail, peer_cert, alert); confirm against the wrapper
 * before relying on that mapping.
 */
enum tls_event {
	TLS_CERT_CHAIN_SUCCESS,
	TLS_CERT_CHAIN_FAILURE,
	TLS_PEER_CERTIFICATE,
	TLS_ALERT
};

/*
 * Note: These are used as identifier with external programs and as such, the
 * values must not be changed. New reasons must be appended with the next
 * unused value; never renumber or reuse an existing one.
 *
 * The descriptions below paraphrase the identifiers; the exact condition that
 * triggers each reason lives in the wrapper implementation.
 *
 * TLS_FAIL_UNSPECIFIED: no more specific reason is known
 * TLS_FAIL_UNTRUSTED: chain does not lead to a configured trust anchor
 * TLS_FAIL_REVOKED: certificate is revoked
 * TLS_FAIL_NOT_YET_VALID: validity period has not started
 * TLS_FAIL_EXPIRED: validity period has ended
 * TLS_FAIL_SUBJECT_MISMATCH: subject_match constraint not satisfied
 * TLS_FAIL_ALTSUBJECT_MISMATCH: altsubject_match constraint not satisfied
 * TLS_FAIL_BAD_CERTIFICATE: certificate otherwise unacceptable
 * TLS_FAIL_SERVER_CHAIN_PROBE: result of probing the server chain
 * TLS_FAIL_DOMAIN_SUFFIX_MISMATCH: suffix_match constraint not satisfied
 * TLS_FAIL_DOMAIN_MISMATCH: domain_match constraint not satisfied
 * TLS_FAIL_INSUFFICIENT_KEY_LEN: peer key shorter than the required minimum
 * TLS_FAIL_DN_MISMATCH: distinguished name constraint not satisfied
 *	(presumably check_cert_subject -- confirm)
 */
enum tls_fail_reason {
	TLS_FAIL_UNSPECIFIED = 0,
	TLS_FAIL_UNTRUSTED = 1,
	TLS_FAIL_REVOKED = 2,
	TLS_FAIL_NOT_YET_VALID = 3,
	TLS_FAIL_EXPIRED = 4,
	TLS_FAIL_SUBJECT_MISMATCH = 5,
	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
	TLS_FAIL_BAD_CERTIFICATE = 7,
	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
	TLS_FAIL_DOMAIN_MISMATCH = 10,
	TLS_FAIL_INSUFFICIENT_KEY_LEN = 11,
	TLS_FAIL_DN_MISMATCH = 12,
};


/* Maximum number of subjectAltName entries carried in struct tls_cert_data */
#define TLS_MAX_ALT_SUBJECT 10

/**
 * struct tls_cert_data - Certificate details reported with TLS_PEER_CERTIFICATE
 * @depth: Position of the certificate in the peer chain
 * @subject: Subject name as a string
 * @cert: Certificate data (encoding not stated here; presumably DER --
 *	confirm with the wrapper)
 * @hash: Certificate hash
 * @hash_len: Length of @hash in bytes
 * @altsubject: subjectAltName entries as strings; only the first
 *	@num_altsubject entries are valid
 * @num_altsubject: Number of valid entries in @altsubject; cannot exceed
 *	TLS_MAX_ALT_SUBJECT, so any further names of the certificate are
 *	presumably not reported
 * @serial_num: Serial number as a string
 * @tod: Policy indicator (presumably Trust Override Disabled); the meaning
 *	of the individual values is not documented here -- check the wrapper
 *
 * NOTE(review): ownership of the pointed-to strings and buffers is not stated;
 * presumably they are valid only for the duration of the event callback.
 */
struct tls_cert_data {
	int depth;
	const char *subject;
	const struct wpabuf *cert;
	const u8 *hash;
	size_t hash_len;
	const char *altsubject[TLS_MAX_ALT_SUBJECT];
	int num_altsubject;
	const char *serial_num;
	int tod;
};

/**
 * union tls_event_data - Payload passed to tls_config::event_cb
 * @cert_fail: Details for a certificate chain failure
 * @cert_fail.depth: Depth of the failing certificate in the chain
 * @cert_fail.subject: Subject of the failing certificate
 * @cert_fail.reason: Machine-readable failure reason (stable values; see
 *	enum tls_fail_reason)
 * @cert_fail.reason_txt: Human-readable failure reason
 * @cert_fail.cert: The failing certificate, when available
 * @peer_cert: Details of a reported peer certificate
 * @alert: Details of a TLS alert
 * @alert.is_local: Non-zero if the alert was generated locally rather than
 *	received from the peer
 * @alert.type: Alert type as a string
 * @alert.description: Alert description as a string
 */
union tls_event_data {
	struct {
		int depth;
		const char *subject;
		enum tls_fail_reason reason;
		const char *reason_txt;
		const struct wpabuf *cert;
	} cert_fail;

	struct tls_cert_data peer_cert;

	struct {
		int is_local;
		const char *type;
		const char *description;
	} alert;
};

/**
 * struct tls_config - Global TLS library configuration passed to tls_init()
 * @opensc_engine_path: Path to the OpenSC engine module, or %NULL
 * @pkcs11_engine_path: Path to the PKCS#11 engine module, or %NULL
 * @pkcs11_module_path: Path to the PKCS#11 provider module, or %NULL
 * @fips_mode: Non-zero to request FIPS mode from the library
 * @cert_in_cb: Non-zero to include certificate data in event callbacks
 *	(presumably the cert members of union tls_event_data -- confirm)
 * @openssl_ciphers: Cipher configuration string for the OpenSSL wrapper
 * @tls_session_lifetime: Session cache lifetime (unit not stated here;
 *	presumably seconds)
 * @crl_reload_interval: Interval for re-reading CRLs (unit not stated here;
 *	presumably seconds)
 * @tls_flags: Library-wide flags (presumably TLS_CONN_* -- confirm)
 * @event_cb: Callback for TLS events, or %NULL
 * @cb_ctx: Opaque context passed as the first argument of @event_cb
 *
 * The engine and module path fields are only meaningful with OpenSSL-based
 * wrappers.
 */
struct tls_config {
	const char *opensc_engine_path;
	const char *pkcs11_engine_path;
	const char *pkcs11_module_path;
	int fips_mode;
	int cert_in_cb;
	const char *openssl_ciphers;
	unsigned int tls_session_lifetime;
	unsigned int crl_reload_interval;
	unsigned int tls_flags;

	void (*event_cb)(void *ctx, enum tls_event ev,
			 union tls_event_data *data);
	void *cb_ctx;
};

/*
 * Connection flags for tls_connection_params::flags and
 * tls_connection_set_verify(). TLS_CONN_ALLOW_SIGN_RSA_MD5 and
 * TLS_CONN_DISABLE_TIME_CHECKS relax certificate verification and should only
 * be set for a deliberate interoperability need, since they weaken the peer
 * authentication the TLS handshake provides. The TLS_CONN_DISABLE_TLSv1_* /
 * TLS_CONN_ENABLE_TLSv1_* pairs select protocol versions; the precedence
 * between an ENABLE and a DISABLE flag for the same version is decided by the
 * wrapper.
 */
#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)	/* accept MD5-signed certificates */
#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)	/* skip validity period checks */
#define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
#define TLS_CONN_REQUEST_OCSP BIT(3)		/* ask for stapled OCSP response */
#define TLS_CONN_REQUIRE_OCSP BIT(4)		/* fail without a valid response */
#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
#define TLS_CONN_EAP_FAST BIT(7)		/* EAP-FAST specific behaviour */
#define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
#define TLS_CONN_EXT_CERT_CHECK BIT(9)		/* external certificate check */
#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)	/* OCSP required for whole chain */
#define TLS_CONN_SUITEB BIT(11)			/* Suite B profile */
#define TLS_CONN_SUITEB_NO_ECDH BIT(12)		/* Suite B without ECDH */
#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)
#define TLS_CONN_ENABLE_TLSv1_0 BIT(14)
#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
#define TLS_CONN_TEAP_ANON_DH BIT(17)		/* EAP-TEAP anonymous DH provisioning */

/**
 * struct tls_connection_params - Parameters for TLS connection
 * @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
 *	format
 * @ca_cert_blob: ca_cert as inlined data or %NULL if not used
 * @ca_cert_blob_len: ca_cert_blob length
 * @ca_path: Path to CA certificates (OpenSSL specific)
 * @subject_match: String to match in the subject of the peer certificate or
 *	%NULL to allow all subjects
 * @altsubject_match: String to match in the alternative subject of the peer
 *	certificate or %NULL to allow all alternative subjects
 * @suffix_match: Semicolon delimited string of values to suffix match against
 *	the dNSName or CN of the peer certificate or %NULL to allow all domain
 *	names. This may allow subdomains and wildcard certificates. Each domain
 *	name label must have a full case-insensitive match.
 * @domain_match: String to match in the dNSName or CN of the peer
 *	certificate or %NULL to allow all domain names. This requires a full,
 *	case-insensitive match.
 *
 *	More than one match string can be provided by using semicolons to
 *	separate the strings (e.g., example.org;example.com). When multiple
 *	strings are specified, a match with any one of the values is
 *	considered a sufficient match for the certificate, i.e., the
 *	conditions are ORed together.
 * @client_cert: File or reference name for client X.509 certificate in PEM or
 *	DER format
 * @client_cert2: Alternative client certificate reference (same formats as
 *	@client_cert); when it is used is wrapper-specific and not stated here
 * @client_cert_blob: client_cert as inlined data or %NULL if not used
 * @client_cert_blob_len: client_cert_blob length
 * @private_key: File or reference name for client private key in PEM or DER
 *	format (traditional format (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY)
 * @private_key2: Alternative private key reference (same formats as
 *	@private_key); presumably paired with @client_cert2 -- confirm
 * @private_key_blob: private_key as inlined data or %NULL if not used
 * @private_key_blob_len: private_key_blob length
 * @private_key_passwd: Passphrase for decrypting the private key, %NULL if no
 *	passphrase is used.
 * @private_key_passwd2: Passphrase for @private_key2, %NULL if none
 * @dh_file: File name for DH/DSA data in PEM format, or %NULL if not used
 * @dh_blob: dh_file as inlined data or %NULL if not used
 * @dh_blob_len: dh_blob length
 * @engine: 1 = use engine (e.g., a smartcard) for private key operations
 *	(this is OpenSSL specific for now)
 * @engine_id: engine id string (this is OpenSSL specific for now)
 * @pin: PIN for the engine, pointing at the configuration's copy of the value
 *	(this is OpenSSL specific for now)
 * @key_id: the private key's id when using engine (this is OpenSSL
 *	specific for now)
 * @cert_id: the certificate's id when using engine
 * @ca_cert_id: the CA certificate's id when using engine
 * @openssl_ciphers: OpenSSL cipher configuration
 * @openssl_ecdh_curves: OpenSSL ECDH curve configuration. %NULL for auto if
 *	supported, empty string to disable, or a colon-separated curve list.
 * @flags: Parameter options (TLS_CONN_*); note that some of these relax
 *	certificate verification, see the comment at their definition
 * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
 *	or %NULL if OCSP is not enabled
 * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
 *	response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
 *	ocsp_multi is not enabled
 * @check_cert_subject: Client certificate subject name matching string
 *
 * TLS connection parameters to be configured with tls_connection_set_params()
 * and tls_global_set_params().
 *
 * Certificates and private key can be configured either as a reference name
 * (file path or reference to certificate store) or by providing the same data
 * as a pointer to the data in memory. Only one option will be used for each
 * field.
 *
 * NOTE(review): the header does not state whether the pointed-to strings and
 * blobs are copied by the set_params calls or must outlive the connection;
 * confirm with the wrapper before freeing them early.
 */
struct tls_connection_params {
	const char *ca_cert;
	const u8 *ca_cert_blob;
	size_t ca_cert_blob_len;
	const char *ca_path;
	const char *subject_match;
	const char *altsubject_match;
	const char *suffix_match;
	const char *domain_match;
	const char *client_cert;
	const char *client_cert2;
	const u8 *client_cert_blob;
	size_t client_cert_blob_len;
	const char *private_key;
	const char *private_key2;
	const u8 *private_key_blob;
	size_t private_key_blob_len;
	const char *private_key_passwd;
	const char *private_key_passwd2;
	const char *dh_file;
	const u8 *dh_blob;
	size_t dh_blob_len;

	/* OpenSSL specific variables */
	int engine;
	const char *engine_id;
	const char *pin;
	const char *key_id;
	const char *cert_id;
	const char *ca_cert_id;
	const char *openssl_ciphers;
	const char *openssl_ecdh_curves;

	unsigned int flags;
	const char *ocsp_stapling_response;
	const char *ocsp_stapling_response_multi;
	const char *check_cert_subject;
};


/**
 * tls_init - Initialize TLS library
 * @conf: Configuration data for TLS library
 * Returns: Context data to be used as tls_ctx in calls to other functions,
 * or %NULL on failure.
 *
 * Called once during program startup and once for each RSN pre-authentication
 * session. In other words, there can be two concurrent TLS contexts. If global
 * library initialization is needed (i.e., one that is shared between both
 * authentication types), the TLS library wrapper should maintain a reference
 * counter and do global initialization only when moving from 0 to 1 reference.
 */
void * tls_init(const struct tls_config *conf);

/**
 * tls_deinit - Deinitialize TLS library
 * @tls_ctx: TLS context data from tls_init()
 *
 * Called once during program shutdown and once for each RSN pre-authentication
 * session. If global library deinitialization is needed (i.e., one that is
 * shared between both authentication types), the TLS library wrapper should
 * maintain a reference counter and do global deinitialization only when moving
 * from 1 to 0 references.
 */
void tls_deinit(void *tls_ctx);

/**
 * tls_get_errors - Process pending errors
 * @tls_ctx: TLS context data from tls_init()
 * Returns: Number of errors found, 0 if no errors detected.
 *
 * Process all pending TLS errors.
 */
int tls_get_errors(void *tls_ctx);

/**
 * tls_connection_init - Initialize a new TLS connection
 * @tls_ctx: TLS context data from tls_init()
 * Returns: Connection context data, conn for other function calls, or
 * presumably %NULL on failure (not stated in the original contract -- confirm)
 */
struct tls_connection * tls_connection_init(void *tls_ctx);

/**
 * tls_connection_deinit - Free TLS connection data
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 *
 * Release all resources allocated for TLS connection.
 */
void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_established - Has the TLS connection been completed?
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: 1 if TLS connection has been completed, 0 if not.
 */
int tls_connection_established(void *tls_ctx, struct tls_connection *conn);

/**
 * tls_connection_peer_serial_num - Fetch peer certificate serial number
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: Allocated string buffer containing the peer certificate serial
 * number or %NULL on error.
 *
 * The caller is responsible for freeing the returned buffer with os_free().
 */
char * tls_connection_peer_serial_num(void *tls_ctx,
				      struct tls_connection *conn);

/**
 * tls_connection_shutdown - Shutdown TLS connection
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: 0 on success, -1 on failure
 *
 * Shutdown current TLS connection without releasing all resources. New
 * connection can be started by using the same conn without having to call
 * tls_connection_init() or setting certificates etc. again. The new
 * connection should try to use session resumption.
 */
int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn);

/*
 * Extended error codes returned by tls_connection_set_params() and
 * tls_global_set_params() in addition to the generic -1. All are negative so
 * that a caller can treat any value < 0 as failure while still being able to
 * distinguish the engine-specific cases (e.g., so that a bad PIN is not
 * blindly retried).
 */
enum {
	TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN = -4,
	TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3,
	TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2
};

/**
 * tls_connection_set_params - Set TLS connection parameters
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @params: Connection parameters
 * Returns: 0 on success, -1 on failure,
 * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
 * failure, or
 * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
 * PKCS#11 engine private key, or
 * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
 * failure.
 */
int __must_check
tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
			  const struct tls_connection_params *params);

/**
 * tls_global_set_params - Set TLS parameters for all TLS connection
 * @tls_ctx: TLS context data from tls_init()
 * @params: Global TLS parameters
 * Returns: 0 on success, -1 on failure,
 * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
 * failure, or
 * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
 * PKCS#11 engine private key, or
 * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
 * failure.
 */
int __must_check tls_global_set_params(
	void *tls_ctx, const struct tls_connection_params *params);

/**
 * tls_global_set_verify - Set global certificate verification options
 * @tls_ctx: TLS context data from tls_init()
 * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
 * 2 = verify CRL for all certificates
 * @strict: 0 = allow CRL time errors, 1 = do not allow CRL time errors
 * Returns: 0 on success, -1 on failure
 *
 * Allowing CRL time errors (@strict == 0) means a stale CRL is still
 * accepted, so revocation information may be outdated; prefer @strict == 1
 * where the CRL distribution is reliable.
 */
int __must_check tls_global_set_verify(void *tls_ctx, int check_crl,
				       int strict);

/**
 * tls_connection_set_verify - Set certificate verification options
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @verify_peer: 1 = verify peer certificate
 * @flags: Connection flags (TLS_CONN_*)
 * @session_ctx: Session caching context or %NULL to use default
 * @session_ctx_len: Length of @session_ctx in bytes.
 * Returns: 0 on success, -1 on failure
 *
 * With @verify_peer == 0 the peer is not authenticated at all; only use that
 * for flows that authenticate by other means (e.g., inner EAP methods).
 */
int __must_check tls_connection_set_verify(void *tls_ctx,
					   struct tls_connection *conn,
					   int verify_peer,
					   unsigned int flags,
					   const u8 *session_ctx,
					   size_t session_ctx_len);

/**
 * tls_connection_get_random - Get random data from TLS connection
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @data: Structure of client/server random data (filled on success)
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_connection_get_random(void *tls_ctx,
					   struct tls_connection *conn,
					   struct tls_random *data);

/**
 * tls_connection_export_key - Derive keying material from a TLS connection
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @label: Label (e.g., description of the key) for PRF
 * @context: Optional extra upper-layer context (max len 2^16)
 * @context_len: The length of the context value
 * @out: Buffer for output data from TLS-PRF
 * @out_len: Length of the output buffer
 * Returns: 0 on success, -1 on failure
 *
 * Exports keying material using the mechanism described in RFC 5705. If
 * context is %NULL, context is not provided; otherwise, context is provided
 * (including the case of empty context with context_len == 0).
 */
int __must_check tls_connection_export_key(void *tls_ctx,
					   struct tls_connection *conn,
					   const char *label,
					   const u8 *context,
					   size_t context_len,
					   u8 *out, size_t out_len);

/**
 * tls_connection_get_eap_fast_key - Derive key material for EAP-FAST
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @out: Buffer for output data from TLS-PRF
 * @out_len: Length of the output buffer
 * Returns: 0 on success, -1 on failure
 *
 * Exports key material after the normal TLS key block for use with
 * EAP-FAST. Most callers will want tls_connection_export_key(), but EAP-FAST
 * uses a different legacy mechanism.
 */
int __must_check tls_connection_get_eap_fast_key(void *tls_ctx,
						 struct tls_connection *conn,
						 u8 *out, size_t out_len);

/**
 * tls_connection_handshake - Process TLS handshake (client side)
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @in_data: Input data from TLS server
 * @appl_data: Pointer to application data pointer, or %NULL if dropped
 * Returns: Output data, %NULL on failure
 *
 * The caller is responsible for freeing the returned output data. If the final
 * handshake message includes application data, this is decrypted and
 * appl_data (if not %NULL) is set to point this data. The caller is
 * responsible for freeing appl_data.
 *
 * This function is used during TLS handshake. The first call is done with
 * in_data == %NULL and the library is expected to return ClientHello packet.
 * This packet is then sent to the server and a response from server is given
 * to TLS library by calling this function again with in_data pointing to the
 * TLS message from the server.
 *
 * If the TLS handshake fails, this function may return %NULL. However, if the
 * TLS library has a TLS alert to send out, that should be returned as the
 * output data. In this case, tls_connection_get_failed() must return failure
 * (> 0).
 *
 * tls_connection_established() should return 1 once the TLS handshake has been
 * completed successfully.
 */
struct wpabuf * tls_connection_handshake(void *tls_ctx,
					 struct tls_connection *conn,
					 const struct wpabuf *in_data,
					 struct wpabuf **appl_data);

/*
 * Variant of tls_connection_handshake() with an extra output parameter.
 * NOTE(review): this header does not document @more_data_needed; judging by
 * the name it is set by the callee to indicate that further input is
 * required before any output can be produced -- confirm with the wrapper.
 */
struct wpabuf * tls_connection_handshake2(void *tls_ctx,
					  struct tls_connection *conn,
					  const struct wpabuf *in_data,
					  struct wpabuf **appl_data,
					  int *more_data_needed);

/**
 * tls_connection_server_handshake - Process TLS handshake (server side)
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @in_data: Input data from TLS peer
 * @appl_data: Pointer to application data pointer, or %NULL if dropped
 * Returns: Output data, %NULL on failure
 *
 * The caller is responsible for freeing the returned output data.
 */
struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
						struct tls_connection *conn,
						const struct wpabuf *in_data,
						struct wpabuf **appl_data);

/**
 * tls_connection_encrypt - Encrypt data into TLS tunnel
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @in_data: Plaintext data to be encrypted
 * Returns: Encrypted TLS data or %NULL on failure
 *
 * This function is used after TLS handshake has been completed successfully to
 * send data in the encrypted tunnel. The caller is responsible for freeing the
 * returned output data.
 */
struct wpabuf * tls_connection_encrypt(void *tls_ctx,
				       struct tls_connection *conn,
				       const struct wpabuf *in_data);

/**
 * tls_connection_decrypt - Decrypt data from TLS tunnel
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @in_data: Encrypted TLS data
 * Returns: Decrypted TLS data or %NULL on failure
 *
 * This function is used after TLS handshake has been completed successfully to
 * receive data from the encrypted tunnel. The caller is responsible for
 * freeing the returned output data.
 */
struct wpabuf * tls_connection_decrypt(void *tls_ctx,
				       struct tls_connection *conn,
				       const struct wpabuf *in_data);

/*
 * Variant of tls_connection_decrypt() with an extra output parameter.
 * NOTE(review): @more_data_needed is undocumented here; by name it presumably
 * reports that the input held an incomplete record and more ciphertext is
 * needed before plaintext can be returned -- confirm with the wrapper.
 */
struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
					struct tls_connection *conn,
					const struct wpabuf *in_data,
					int *more_data_needed);

/**
 * tls_connection_resumed - Was session resumption used
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: 1 if current session used session resumption, 0 if not
 */
int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);

/*
 * Cipher suite identifiers for tls_connection_set_cipher_list(). The trailing
 * comments give the corresponding IANA cipher suite value. TLS_CIPHER_RC4_SHA
 * is a legacy suite kept for compatibility only, and the anonymous DH suite
 * provides no peer authentication (cf. TLS_CONN_TEAP_ANON_DH); neither should
 * be enabled outside the specific flows that require them.
 */
enum {
	TLS_CIPHER_NONE,
	TLS_CIPHER_RC4_SHA /* 0x0005 */,
	TLS_CIPHER_AES128_SHA /* 0x002f */,
	TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
	TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */,
	TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,
	TLS_CIPHER_AES256_SHA /* 0x0035 */,
};

/**
 * tls_connection_set_cipher_list - Configure acceptable cipher suites
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
 * (TLS_CIPHER_*).
 * Returns: 0 on success, -1 on failure
 *
 * NOTE(review): @ciphers is not const-qualified in this interface even though
 * the list is presumably only read; do not rely on it being left unmodified
 * without checking the wrapper.
 */
int __must_check tls_connection_set_cipher_list(void *tls_ctx,
						struct tls_connection *conn,
						u8 *ciphers);

/**
 * tls_get_version - Get the current TLS version number
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @buf: Buffer for returning the TLS version number
 * @buflen: buf size
 * Returns: 0 on success, -1 on failure
 *
 * Get the currently used TLS version number. Whether @buf is always
 * NUL-terminated on success is not stated here; confirm with the wrapper.
 */
int __must_check tls_get_version(void *tls_ctx, struct tls_connection *conn,
				 char *buf, size_t buflen);

/**
 * tls_get_cipher - Get current cipher name
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @buf: Buffer for the cipher name
 * @buflen: buf size
 * Returns: 0 on success, -1 on failure
 *
 * Get the name of the currently used cipher. Whether @buf is always
 * NUL-terminated on success is not stated here; confirm with the wrapper.
 */
int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
				char *buf, size_t buflen);

/**
 * tls_connection_enable_workaround - Enable TLS workaround options
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * Returns: 0 on success, -1 on failure
 *
 * This function is used to enable connection-specific workaround options for
 * interoperating with buggy SSL/TLS implementations.
 */
int __must_check tls_connection_enable_workaround(void *tls_ctx,
						  struct tls_connection *conn);

/**
 * tls_connection_client_hello_ext - Set TLS extension for ClientHello
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
 * @ext_type: Extension type
 * @data: Extension payload (%NULL to remove extension)
 * @data_len: Extension payload length
 * Returns: 0 on success, -1 on failure
 */
int __must_check tls_connection_client_hello_ext(void *tls_ctx,
						 struct tls_connection *conn,
						 int ext_type, const u8 *data,
						 size_t data_len);

/**
 * tls_connection_get_failed - Get connection failure status
 * @tls_ctx: TLS context data from tls_init()
 * @conn: Connection context data from tls_connection_init()
5946d49e1aeSJan Lentfer * 5956d49e1aeSJan Lentfer * Returns >0 if connection has failed, 0 if not. 5966d49e1aeSJan Lentfer */ 5976d49e1aeSJan Lentfer int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn); 5986d49e1aeSJan Lentfer 5996d49e1aeSJan Lentfer /** 6006d49e1aeSJan Lentfer * tls_connection_get_read_alerts - Get connection read alert status 6016d49e1aeSJan Lentfer * @tls_ctx: TLS context data from tls_init() 6026d49e1aeSJan Lentfer * @conn: Connection context data from tls_connection_init() 6036d49e1aeSJan Lentfer * Returns: Number of times a fatal read (remote end reported error) has 6046d49e1aeSJan Lentfer * happened during this connection. 6056d49e1aeSJan Lentfer */ 6066d49e1aeSJan Lentfer int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn); 6076d49e1aeSJan Lentfer 6086d49e1aeSJan Lentfer /** 6096d49e1aeSJan Lentfer * tls_connection_get_write_alerts - Get connection write alert status 6106d49e1aeSJan Lentfer * @tls_ctx: TLS context data from tls_init() 6116d49e1aeSJan Lentfer * @conn: Connection context data from tls_connection_init() 6126d49e1aeSJan Lentfer * Returns: Number of times a fatal write (locally detected error) has happened 6136d49e1aeSJan Lentfer * during this connection. 
6146d49e1aeSJan Lentfer */ 6156d49e1aeSJan Lentfer int tls_connection_get_write_alerts(void *tls_ctx, 6166d49e1aeSJan Lentfer struct tls_connection *conn); 6176d49e1aeSJan Lentfer 6186d49e1aeSJan Lentfer typedef int (*tls_session_ticket_cb) 6196d49e1aeSJan Lentfer (void *ctx, const u8 *ticket, size_t len, const u8 *client_random, 6206d49e1aeSJan Lentfer const u8 *server_random, u8 *master_secret); 6216d49e1aeSJan Lentfer 6226d49e1aeSJan Lentfer int __must_check tls_connection_set_session_ticket_cb( 6236d49e1aeSJan Lentfer void *tls_ctx, struct tls_connection *conn, 6246d49e1aeSJan Lentfer tls_session_ticket_cb cb, void *ctx); 6256d49e1aeSJan Lentfer 626*a1157835SDaniel Fojt void tls_connection_set_log_cb(struct tls_connection *conn, 627*a1157835SDaniel Fojt void (*log_cb)(void *ctx, const char *msg), 628*a1157835SDaniel Fojt void *ctx); 629*a1157835SDaniel Fojt 630*a1157835SDaniel Fojt #define TLS_BREAK_VERIFY_DATA BIT(0) 631*a1157835SDaniel Fojt #define TLS_BREAK_SRV_KEY_X_HASH BIT(1) 632*a1157835SDaniel Fojt #define TLS_BREAK_SRV_KEY_X_SIGNATURE BIT(2) 633*a1157835SDaniel Fojt #define TLS_DHE_PRIME_511B BIT(3) 634*a1157835SDaniel Fojt #define TLS_DHE_PRIME_767B BIT(4) 635*a1157835SDaniel Fojt #define TLS_DHE_PRIME_15 BIT(5) 636*a1157835SDaniel Fojt #define TLS_DHE_PRIME_58B BIT(6) 637*a1157835SDaniel Fojt #define TLS_DHE_NON_PRIME BIT(7) 638*a1157835SDaniel Fojt 639*a1157835SDaniel Fojt void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags); 640*a1157835SDaniel Fojt 641*a1157835SDaniel Fojt int tls_get_library_version(char *buf, size_t buf_len); 642*a1157835SDaniel Fojt 643*a1157835SDaniel Fojt void tls_connection_set_success_data(struct tls_connection *conn, 644*a1157835SDaniel Fojt struct wpabuf *data); 645*a1157835SDaniel Fojt 646*a1157835SDaniel Fojt void tls_connection_set_success_data_resumed(struct tls_connection *conn); 647*a1157835SDaniel Fojt 648*a1157835SDaniel Fojt const struct wpabuf * 649*a1157835SDaniel Fojt 
tls_connection_get_success_data(struct tls_connection *conn); 650*a1157835SDaniel Fojt 651*a1157835SDaniel Fojt void tls_connection_remove_session(struct tls_connection *conn); 652*a1157835SDaniel Fojt 653*a1157835SDaniel Fojt /** 654*a1157835SDaniel Fojt * tls_get_tls_unique - Fetch "tls-unique" for channel binding 655*a1157835SDaniel Fojt * @conn: Connection context data from tls_connection_init() 656*a1157835SDaniel Fojt * @buf: Buffer for returning the value 657*a1157835SDaniel Fojt * @max_len: Maximum length of the buffer in bytes 658*a1157835SDaniel Fojt * Returns: Number of bytes written to buf or -1 on error 659*a1157835SDaniel Fojt * 660*a1157835SDaniel Fojt * This function can be used to fetch "tls-unique" (RFC 5929, Section 3) which 661*a1157835SDaniel Fojt * is the first TLS Finished message sent in the most recent TLS handshake of 662*a1157835SDaniel Fojt * the TLS connection. 663*a1157835SDaniel Fojt */ 664*a1157835SDaniel Fojt int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len); 665*a1157835SDaniel Fojt 666*a1157835SDaniel Fojt /** 667*a1157835SDaniel Fojt * tls_connection_get_cipher_suite - Get current TLS cipher suite 668*a1157835SDaniel Fojt * @conn: Connection context data from tls_connection_init() 669*a1157835SDaniel Fojt * Returns: TLS cipher suite of the current connection or 0 on error 670*a1157835SDaniel Fojt */ 671*a1157835SDaniel Fojt u16 tls_connection_get_cipher_suite(struct tls_connection *conn); 672*a1157835SDaniel Fojt 6736d49e1aeSJan Lentfer #endif /* TLS_H */ 674