xref: /freebsd/contrib/wpa/src/crypto/tls_internal.c (revision 53bb5613a8a15363718b6e6de8d965bf9a2c5469)
1 /*
2  * TLS interface functions and an internal TLS implementation
3  * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  *
8  * This file interface functions for hostapd/wpa_supplicant to use the
9  * integrated TLSv1 implementation.
10  */
11 
12 #include "includes.h"
13 
14 #include "common.h"
15 #include "tls.h"
16 #include "tls/tlsv1_client.h"
17 #include "tls/tlsv1_server.h"
18 
19 
20 static int tls_ref_count = 0;
21 
22 struct tls_global {
23 	int server;
24 	struct tlsv1_credentials *server_cred;
25 	int check_crl;
26 
27 	void (*event_cb)(void *ctx, enum tls_event ev,
28 			 union tls_event_data *data);
29 	void *cb_ctx;
30 	int cert_in_cb;
31 };
32 
33 struct tls_connection {
34 	struct tlsv1_client *client;
35 	struct tlsv1_server *server;
36 	struct tls_global *global;
37 };
38 
39 
40 void * tls_init(const struct tls_config *conf)
41 {
42 	struct tls_global *global;
43 
44 	if (tls_ref_count == 0) {
45 #ifdef CONFIG_TLS_INTERNAL_CLIENT
46 		if (tlsv1_client_global_init())
47 			return NULL;
48 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
49 #ifdef CONFIG_TLS_INTERNAL_SERVER
50 		if (tlsv1_server_global_init())
51 			return NULL;
52 #endif /* CONFIG_TLS_INTERNAL_SERVER */
53 	}
54 	tls_ref_count++;
55 
56 	global = os_zalloc(sizeof(*global));
57 	if (global == NULL)
58 		return NULL;
59 	if (conf) {
60 		global->event_cb = conf->event_cb;
61 		global->cb_ctx = conf->cb_ctx;
62 		global->cert_in_cb = conf->cert_in_cb;
63 	}
64 
65 	return global;
66 }
67 
68 void tls_deinit(void *ssl_ctx)
69 {
70 	struct tls_global *global = ssl_ctx;
71 	tls_ref_count--;
72 	if (tls_ref_count == 0) {
73 #ifdef CONFIG_TLS_INTERNAL_CLIENT
74 		tlsv1_client_global_deinit();
75 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
76 #ifdef CONFIG_TLS_INTERNAL_SERVER
77 		tlsv1_server_global_deinit();
78 #endif /* CONFIG_TLS_INTERNAL_SERVER */
79 	}
80 #ifdef CONFIG_TLS_INTERNAL_SERVER
81 	tlsv1_cred_free(global->server_cred);
82 #endif /* CONFIG_TLS_INTERNAL_SERVER */
83 	os_free(global);
84 }
85 
86 
87 int tls_get_errors(void *tls_ctx)
88 {
89 	return 0;
90 }
91 
92 
93 struct tls_connection * tls_connection_init(void *tls_ctx)
94 {
95 	struct tls_connection *conn;
96 	struct tls_global *global = tls_ctx;
97 
98 	conn = os_zalloc(sizeof(*conn));
99 	if (conn == NULL)
100 		return NULL;
101 	conn->global = global;
102 
103 #ifdef CONFIG_TLS_INTERNAL_CLIENT
104 	if (!global->server) {
105 		conn->client = tlsv1_client_init();
106 		if (conn->client == NULL) {
107 			os_free(conn);
108 			return NULL;
109 		}
110 		tlsv1_client_set_cb(conn->client, global->event_cb,
111 				    global->cb_ctx, global->cert_in_cb);
112 	}
113 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
114 #ifdef CONFIG_TLS_INTERNAL_SERVER
115 	if (global->server) {
116 		conn->server = tlsv1_server_init(global->server_cred);
117 		if (conn->server == NULL) {
118 			os_free(conn);
119 			return NULL;
120 		}
121 	}
122 #endif /* CONFIG_TLS_INTERNAL_SERVER */
123 
124 	return conn;
125 }
126 
127 
128 #ifdef CONFIG_TESTING_OPTIONS
129 #ifdef CONFIG_TLS_INTERNAL_SERVER
130 void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags)
131 {
132 	if (conn->server)
133 		tlsv1_server_set_test_flags(conn->server, flags);
134 }
135 #endif /* CONFIG_TLS_INTERNAL_SERVER */
136 #endif /* CONFIG_TESTING_OPTIONS */
137 
138 
139 void tls_connection_set_log_cb(struct tls_connection *conn,
140 			       void (*log_cb)(void *ctx, const char *msg),
141 			       void *ctx)
142 {
143 #ifdef CONFIG_TLS_INTERNAL_SERVER
144 	if (conn->server)
145 		tlsv1_server_set_log_cb(conn->server, log_cb, ctx);
146 #endif /* CONFIG_TLS_INTERNAL_SERVER */
147 }
148 
149 
150 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
151 {
152 	if (conn == NULL)
153 		return;
154 #ifdef CONFIG_TLS_INTERNAL_CLIENT
155 	if (conn->client)
156 		tlsv1_client_deinit(conn->client);
157 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
158 #ifdef CONFIG_TLS_INTERNAL_SERVER
159 	if (conn->server)
160 		tlsv1_server_deinit(conn->server);
161 #endif /* CONFIG_TLS_INTERNAL_SERVER */
162 	os_free(conn);
163 }
164 
165 
166 int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
167 {
168 #ifdef CONFIG_TLS_INTERNAL_CLIENT
169 	if (conn->client)
170 		return tlsv1_client_established(conn->client);
171 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
172 #ifdef CONFIG_TLS_INTERNAL_SERVER
173 	if (conn->server)
174 		return tlsv1_server_established(conn->server);
175 #endif /* CONFIG_TLS_INTERNAL_SERVER */
176 	return 0;
177 }
178 
179 
180 char * tls_connection_peer_serial_num(void *tls_ctx,
181 				      struct tls_connection *conn)
182 {
183 	/* TODO */
184 	return NULL;
185 }
186 
187 
188 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
189 {
190 #ifdef CONFIG_TLS_INTERNAL_CLIENT
191 	if (conn->client)
192 		return tlsv1_client_shutdown(conn->client);
193 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
194 #ifdef CONFIG_TLS_INTERNAL_SERVER
195 	if (conn->server)
196 		return tlsv1_server_shutdown(conn->server);
197 #endif /* CONFIG_TLS_INTERNAL_SERVER */
198 	return -1;
199 }
200 
201 
202 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
203 			      const struct tls_connection_params *params)
204 {
205 #ifdef CONFIG_TLS_INTERNAL_CLIENT
206 	struct tlsv1_credentials *cred;
207 
208 	if (conn->client == NULL)
209 		return -1;
210 
211 	if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
212 		wpa_printf(MSG_INFO,
213 			   "TLS: tls_ext_cert_check=1 not supported");
214 		return -1;
215 	}
216 
217 	cred = tlsv1_cred_alloc();
218 	if (cred == NULL)
219 		return -1;
220 
221 	if (params->subject_match) {
222 		wpa_printf(MSG_INFO, "TLS: subject_match not supported");
223 		tlsv1_cred_free(cred);
224 		return -1;
225 	}
226 
227 	if (params->altsubject_match) {
228 		wpa_printf(MSG_INFO, "TLS: altsubject_match not supported");
229 		tlsv1_cred_free(cred);
230 		return -1;
231 	}
232 
233 	if (params->suffix_match) {
234 		wpa_printf(MSG_INFO, "TLS: suffix_match not supported");
235 		tlsv1_cred_free(cred);
236 		return -1;
237 	}
238 
239 	if (params->domain_match) {
240 		wpa_printf(MSG_INFO, "TLS: domain_match not supported");
241 		tlsv1_cred_free(cred);
242 		return -1;
243 	}
244 
245 	if (params->openssl_ciphers) {
246 		wpa_printf(MSG_INFO, "TLS: openssl_ciphers not supported");
247 		tlsv1_cred_free(cred);
248 		return -1;
249 	}
250 
251 	if (params->openssl_ecdh_curves) {
252 		wpa_printf(MSG_INFO, "TLS: openssl_ecdh_curves not supported");
253 		tlsv1_cred_free(cred);
254 		return -1;
255 	}
256 
257 	if (tlsv1_set_ca_cert(cred, params->ca_cert,
258 			      params->ca_cert_blob, params->ca_cert_blob_len,
259 			      params->ca_path)) {
260 		wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
261 			   "certificates");
262 		tlsv1_cred_free(cred);
263 		return -1;
264 	}
265 
266 	if (tlsv1_set_cert(cred, params->client_cert,
267 			   params->client_cert_blob,
268 			   params->client_cert_blob_len)) {
269 		wpa_printf(MSG_INFO, "TLS: Failed to configure client "
270 			   "certificate");
271 		tlsv1_cred_free(cred);
272 		return -1;
273 	}
274 
275 	if (tlsv1_set_private_key(cred, params->private_key,
276 				  params->private_key_passwd,
277 				  params->private_key_blob,
278 				  params->private_key_blob_len)) {
279 		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
280 		tlsv1_cred_free(cred);
281 		return -1;
282 	}
283 
284 	if (tlsv1_client_set_cred(conn->client, cred) < 0) {
285 		tlsv1_cred_free(cred);
286 		return -1;
287 	}
288 
289 	tlsv1_client_set_flags(conn->client, params->flags);
290 
291 	return 0;
292 #else /* CONFIG_TLS_INTERNAL_CLIENT */
293 	return -1;
294 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
295 }
296 
297 
298 int tls_global_set_params(void *tls_ctx,
299 			  const struct tls_connection_params *params)
300 {
301 #ifdef CONFIG_TLS_INTERNAL_SERVER
302 	struct tls_global *global = tls_ctx;
303 	struct tlsv1_credentials *cred;
304 
305 	if (params->check_cert_subject)
306 		return -1; /* not yet supported */
307 
308 	/* Currently, global parameters are only set when running in server
309 	 * mode. */
310 	global->server = 1;
311 	tlsv1_cred_free(global->server_cred);
312 	global->server_cred = cred = tlsv1_cred_alloc();
313 	if (cred == NULL)
314 		return -1;
315 
316 	if (tlsv1_set_ca_cert(cred, params->ca_cert, params->ca_cert_blob,
317 			      params->ca_cert_blob_len, params->ca_path)) {
318 		wpa_printf(MSG_INFO, "TLS: Failed to configure trusted CA "
319 			   "certificates");
320 		return -1;
321 	}
322 
323 	if (tlsv1_set_cert(cred, params->client_cert, params->client_cert_blob,
324 			   params->client_cert_blob_len)) {
325 		wpa_printf(MSG_INFO, "TLS: Failed to configure server "
326 			   "certificate");
327 		return -1;
328 	}
329 
330 	if (tlsv1_set_private_key(cred, params->private_key,
331 				  params->private_key_passwd,
332 				  params->private_key_blob,
333 				  params->private_key_blob_len)) {
334 		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
335 		return -1;
336 	}
337 
338 	if (tlsv1_set_dhparams(cred, params->dh_file, NULL, 0)) {
339 		wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
340 		return -1;
341 	}
342 
343 	if (params->ocsp_stapling_response)
344 		cred->ocsp_stapling_response =
345 			os_strdup(params->ocsp_stapling_response);
346 	if (params->ocsp_stapling_response_multi)
347 		cred->ocsp_stapling_response_multi =
348 			os_strdup(params->ocsp_stapling_response_multi);
349 
350 	return 0;
351 #else /* CONFIG_TLS_INTERNAL_SERVER */
352 	return -1;
353 #endif /* CONFIG_TLS_INTERNAL_SERVER */
354 }
355 
356 
357 int tls_global_set_verify(void *tls_ctx, int check_crl, int strict)
358 {
359 	struct tls_global *global = tls_ctx;
360 	global->check_crl = check_crl;
361 	return 0;
362 }
363 
364 
365 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
366 			      int verify_peer, unsigned int flags,
367 			      const u8 *session_ctx, size_t session_ctx_len)
368 {
369 #ifdef CONFIG_TLS_INTERNAL_SERVER
370 	if (conn->server)
371 		return tlsv1_server_set_verify(conn->server, verify_peer);
372 #endif /* CONFIG_TLS_INTERNAL_SERVER */
373 	return -1;
374 }
375 
376 
377 int tls_connection_get_random(void *tls_ctx, struct tls_connection *conn,
378 			      struct tls_random *data)
379 {
380 #ifdef CONFIG_TLS_INTERNAL_CLIENT
381 	if (conn->client)
382 		return tlsv1_client_get_random(conn->client, data);
383 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
384 #ifdef CONFIG_TLS_INTERNAL_SERVER
385 	if (conn->server)
386 		return tlsv1_server_get_random(conn->server, data);
387 #endif /* CONFIG_TLS_INTERNAL_SERVER */
388 	return -1;
389 }
390 
391 
392 static int tls_get_keyblock_size(struct tls_connection *conn)
393 {
394 #ifdef CONFIG_TLS_INTERNAL_CLIENT
395 	if (conn->client)
396 		return tlsv1_client_get_keyblock_size(conn->client);
397 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
398 #ifdef CONFIG_TLS_INTERNAL_SERVER
399 	if (conn->server)
400 		return tlsv1_server_get_keyblock_size(conn->server);
401 #endif /* CONFIG_TLS_INTERNAL_SERVER */
402 	return -1;
403 }
404 
405 
406 static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
407 			      const char *label, const u8 *context,
408 			      size_t context_len, int server_random_first,
409 			      int skip_keyblock, u8 *out, size_t out_len)
410 {
411 	int ret = -1, skip = 0;
412 	u8 *tmp_out = NULL;
413 	u8 *_out = out;
414 
415 	if (skip_keyblock) {
416 		skip = tls_get_keyblock_size(conn);
417 		if (skip < 0)
418 			return -1;
419 		tmp_out = os_malloc(skip + out_len);
420 		if (!tmp_out)
421 			return -1;
422 		_out = tmp_out;
423 	}
424 
425 #ifdef CONFIG_TLS_INTERNAL_CLIENT
426 	if (conn->client) {
427 		ret = tlsv1_client_prf(conn->client, label, context,
428 				       context_len, server_random_first,
429 				       _out, skip + out_len);
430 	}
431 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
432 #ifdef CONFIG_TLS_INTERNAL_SERVER
433 	if (conn->server) {
434 		ret = tlsv1_server_prf(conn->server, label, context,
435 				       context_len, server_random_first,
436 				       _out, skip + out_len);
437 	}
438 #endif /* CONFIG_TLS_INTERNAL_SERVER */
439 	if (ret == 0 && skip_keyblock)
440 		os_memcpy(out, _out + skip, out_len);
441 	bin_clear_free(tmp_out, skip);
442 
443 	return ret;
444 }
445 
446 
447 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
448 			      const char *label, const u8 *context,
449 			      size_t context_len, u8 *out, size_t out_len)
450 {
451 	return tls_connection_prf(tls_ctx, conn, label, context, context_len,
452 				  0, 0, out, out_len);
453 }
454 
455 
456 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
457 				    u8 *out, size_t out_len)
458 {
459 	return tls_connection_prf(tls_ctx, conn, "key expansion", NULL, 0,
460 				  1, 1, out, out_len);
461 }
462 
463 
464 struct wpabuf * tls_connection_handshake(void *tls_ctx,
465 					 struct tls_connection *conn,
466 					 const struct wpabuf *in_data,
467 					 struct wpabuf **appl_data)
468 {
469 	return tls_connection_handshake2(tls_ctx, conn, in_data, appl_data,
470 					 NULL);
471 }
472 
473 
474 struct wpabuf * tls_connection_handshake2(void *tls_ctx,
475 					  struct tls_connection *conn,
476 					  const struct wpabuf *in_data,
477 					  struct wpabuf **appl_data,
478 					  int *need_more_data)
479 {
480 #ifdef CONFIG_TLS_INTERNAL_CLIENT
481 	u8 *res, *ad;
482 	size_t res_len, ad_len;
483 	struct wpabuf *out;
484 
485 	if (conn->client == NULL)
486 		return NULL;
487 
488 	ad = NULL;
489 	res = tlsv1_client_handshake(conn->client,
490 				     in_data ? wpabuf_head(in_data) : NULL,
491 				     in_data ? wpabuf_len(in_data) : 0,
492 				     &res_len, &ad, &ad_len, need_more_data);
493 	if (res == NULL)
494 		return NULL;
495 	out = wpabuf_alloc_ext_data(res, res_len);
496 	if (out == NULL) {
497 		os_free(res);
498 		os_free(ad);
499 		return NULL;
500 	}
501 	if (appl_data) {
502 		if (ad) {
503 			*appl_data = wpabuf_alloc_ext_data(ad, ad_len);
504 			if (*appl_data == NULL)
505 				os_free(ad);
506 		} else
507 			*appl_data = NULL;
508 	} else
509 		os_free(ad);
510 
511 	return out;
512 #else /* CONFIG_TLS_INTERNAL_CLIENT */
513 	return NULL;
514 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
515 }
516 
517 
518 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
519 						struct tls_connection *conn,
520 						const struct wpabuf *in_data,
521 						struct wpabuf **appl_data)
522 {
523 #ifdef CONFIG_TLS_INTERNAL_SERVER
524 	u8 *res;
525 	size_t res_len;
526 	struct wpabuf *out;
527 
528 	if (conn->server == NULL)
529 		return NULL;
530 
531 	if (appl_data)
532 		*appl_data = NULL;
533 
534 	res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
535 				     wpabuf_len(in_data), &res_len);
536 	if (res == NULL && tlsv1_server_established(conn->server))
537 		return wpabuf_alloc(0);
538 	if (res == NULL)
539 		return NULL;
540 	out = wpabuf_alloc_ext_data(res, res_len);
541 	if (out == NULL) {
542 		os_free(res);
543 		return NULL;
544 	}
545 
546 	return out;
547 #else /* CONFIG_TLS_INTERNAL_SERVER */
548 	return NULL;
549 #endif /* CONFIG_TLS_INTERNAL_SERVER */
550 }
551 
552 
553 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
554 				       struct tls_connection *conn,
555 				       const struct wpabuf *in_data)
556 {
557 #ifdef CONFIG_TLS_INTERNAL_CLIENT
558 	if (conn->client) {
559 		struct wpabuf *buf;
560 		int res;
561 		buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
562 		if (buf == NULL)
563 			return NULL;
564 		res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data),
565 					   wpabuf_len(in_data),
566 					   wpabuf_mhead(buf),
567 					   wpabuf_size(buf));
568 		if (res < 0) {
569 			wpabuf_free(buf);
570 			return NULL;
571 		}
572 		wpabuf_put(buf, res);
573 		return buf;
574 	}
575 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
576 #ifdef CONFIG_TLS_INTERNAL_SERVER
577 	if (conn->server) {
578 		struct wpabuf *buf;
579 		int res;
580 		buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
581 		if (buf == NULL)
582 			return NULL;
583 		res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data),
584 					   wpabuf_len(in_data),
585 					   wpabuf_mhead(buf),
586 					   wpabuf_size(buf));
587 		if (res < 0) {
588 			wpabuf_free(buf);
589 			return NULL;
590 		}
591 		wpabuf_put(buf, res);
592 		return buf;
593 	}
594 #endif /* CONFIG_TLS_INTERNAL_SERVER */
595 	return NULL;
596 }
597 
598 
599 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
600 				       struct tls_connection *conn,
601 				       const struct wpabuf *in_data)
602 {
603 	return tls_connection_decrypt2(tls_ctx, conn, in_data, NULL);
604 }
605 
606 
607 struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
608 					struct tls_connection *conn,
609 					const struct wpabuf *in_data,
610 					int *need_more_data)
611 {
612 	if (need_more_data)
613 		*need_more_data = 0;
614 
615 #ifdef CONFIG_TLS_INTERNAL_CLIENT
616 	if (conn->client) {
617 		return tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
618 					    wpabuf_len(in_data),
619 					    need_more_data);
620 	}
621 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
622 #ifdef CONFIG_TLS_INTERNAL_SERVER
623 	if (conn->server) {
624 		struct wpabuf *buf;
625 		int res;
626 		buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
627 		if (buf == NULL)
628 			return NULL;
629 		res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data),
630 					   wpabuf_len(in_data),
631 					   wpabuf_mhead(buf),
632 					   wpabuf_size(buf));
633 		if (res < 0) {
634 			wpabuf_free(buf);
635 			return NULL;
636 		}
637 		wpabuf_put(buf, res);
638 		return buf;
639 	}
640 #endif /* CONFIG_TLS_INTERNAL_SERVER */
641 	return NULL;
642 }
643 
644 
645 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn)
646 {
647 #ifdef CONFIG_TLS_INTERNAL_CLIENT
648 	if (conn->client)
649 		return tlsv1_client_resumed(conn->client);
650 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
651 #ifdef CONFIG_TLS_INTERNAL_SERVER
652 	if (conn->server)
653 		return tlsv1_server_resumed(conn->server);
654 #endif /* CONFIG_TLS_INTERNAL_SERVER */
655 	return -1;
656 }
657 
658 
659 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
660 				   u8 *ciphers)
661 {
662 #ifdef CONFIG_TLS_INTERNAL_CLIENT
663 	if (conn->client)
664 		return tlsv1_client_set_cipher_list(conn->client, ciphers);
665 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
666 #ifdef CONFIG_TLS_INTERNAL_SERVER
667 	if (conn->server)
668 		return tlsv1_server_set_cipher_list(conn->server, ciphers);
669 #endif /* CONFIG_TLS_INTERNAL_SERVER */
670 	return -1;
671 }
672 
673 
674 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
675 		    char *buf, size_t buflen)
676 {
677 	if (conn == NULL)
678 		return -1;
679 #ifdef CONFIG_TLS_INTERNAL_CLIENT
680 	if (conn->client)
681 		return tlsv1_client_get_version(conn->client, buf, buflen);
682 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
683 	return -1;
684 }
685 
686 
687 int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
688 		   char *buf, size_t buflen)
689 {
690 	if (conn == NULL)
691 		return -1;
692 #ifdef CONFIG_TLS_INTERNAL_CLIENT
693 	if (conn->client)
694 		return tlsv1_client_get_cipher(conn->client, buf, buflen);
695 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
696 #ifdef CONFIG_TLS_INTERNAL_SERVER
697 	if (conn->server)
698 		return tlsv1_server_get_cipher(conn->server, buf, buflen);
699 #endif /* CONFIG_TLS_INTERNAL_SERVER */
700 	return -1;
701 }
702 
703 
704 int tls_connection_enable_workaround(void *tls_ctx,
705 				     struct tls_connection *conn)
706 {
707 	return -1;
708 }
709 
710 
711 int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,
712 				    int ext_type, const u8 *data,
713 				    size_t data_len)
714 {
715 #ifdef CONFIG_TLS_INTERNAL_CLIENT
716 	if (conn->client) {
717 		return tlsv1_client_hello_ext(conn->client, ext_type,
718 					      data, data_len);
719 	}
720 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
721 	return -1;
722 }
723 
724 
725 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn)
726 {
727 #ifdef CONFIG_TLS_INTERNAL_SERVER
728 	if (conn->server)
729 		return tlsv1_server_get_failed(conn->server);
730 #endif /* CONFIG_TLS_INTERNAL_SERVER */
731 	return 0;
732 }
733 
734 
735 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn)
736 {
737 #ifdef CONFIG_TLS_INTERNAL_SERVER
738 	if (conn->server)
739 		return tlsv1_server_get_read_alerts(conn->server);
740 #endif /* CONFIG_TLS_INTERNAL_SERVER */
741 	return 0;
742 }
743 
744 
745 int tls_connection_get_write_alerts(void *tls_ctx,
746 				    struct tls_connection *conn)
747 {
748 #ifdef CONFIG_TLS_INTERNAL_SERVER
749 	if (conn->server)
750 		return tlsv1_server_get_write_alerts(conn->server);
751 #endif /* CONFIG_TLS_INTERNAL_SERVER */
752 	return 0;
753 }
754 
755 
756 int tls_connection_set_session_ticket_cb(void *tls_ctx,
757 					 struct tls_connection *conn,
758 					 tls_session_ticket_cb cb,
759 					 void *ctx)
760 {
761 #ifdef CONFIG_TLS_INTERNAL_CLIENT
762 	if (conn->client) {
763 		tlsv1_client_set_session_ticket_cb(conn->client, cb, ctx);
764 		return 0;
765 	}
766 #endif /* CONFIG_TLS_INTERNAL_CLIENT */
767 #ifdef CONFIG_TLS_INTERNAL_SERVER
768 	if (conn->server) {
769 		tlsv1_server_set_session_ticket_cb(conn->server, cb, ctx);
770 		return 0;
771 	}
772 #endif /* CONFIG_TLS_INTERNAL_SERVER */
773 	return -1;
774 }
775 
776 
777 int tls_get_library_version(char *buf, size_t buf_len)
778 {
779 	return os_snprintf(buf, buf_len, "internal");
780 }
781 
782 
783 void tls_connection_set_success_data(struct tls_connection *conn,
784 				     struct wpabuf *data)
785 {
786 	wpabuf_free(data);
787 }
788 
789 
790 void tls_connection_set_success_data_resumed(struct tls_connection *conn)
791 {
792 }
793 
794 
795 const struct wpabuf *
796 tls_connection_get_success_data(struct tls_connection *conn)
797 {
798 	return NULL;
799 }
800 
801 
802 void tls_connection_remove_session(struct tls_connection *conn)
803 {
804 }
805