Home | History | Annotate | Download | only in crypto
      1 /*
      2  * SSL/TLS interface definition
      3  * Copyright (c) 2004-2013, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #ifndef TLS_H
     10 #define TLS_H
     11 
     12 struct tls_connection;
     13 
     14 struct tls_random {
     15 	const u8 *client_random;
     16 	size_t client_random_len;
     17 	const u8 *server_random;
     18 	size_t server_random_len;
     19 };
     20 
     21 enum tls_event {
     22 	TLS_CERT_CHAIN_SUCCESS,
     23 	TLS_CERT_CHAIN_FAILURE,
     24 	TLS_PEER_CERTIFICATE,
     25 	TLS_ALERT
     26 };
     27 
     28 /*
     29  * Note: These are used as identifier with external programs and as such, the
     30  * values must not be changed.
     31  */
     32 enum tls_fail_reason {
     33 	TLS_FAIL_UNSPECIFIED = 0,
     34 	TLS_FAIL_UNTRUSTED = 1,
     35 	TLS_FAIL_REVOKED = 2,
     36 	TLS_FAIL_NOT_YET_VALID = 3,
     37 	TLS_FAIL_EXPIRED = 4,
     38 	TLS_FAIL_SUBJECT_MISMATCH = 5,
     39 	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
     40 	TLS_FAIL_BAD_CERTIFICATE = 7,
     41 	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
     42 	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
     43 	TLS_FAIL_DOMAIN_MISMATCH = 10,
     44 };
     45 
     46 
     47 #define TLS_MAX_ALT_SUBJECT 10
     48 
     49 union tls_event_data {
     50 	struct {
     51 		int depth;
     52 		const char *subject;
     53 		enum tls_fail_reason reason;
     54 		const char *reason_txt;
     55 		const struct wpabuf *cert;
     56 	} cert_fail;
     57 
     58 	struct {
     59 		int depth;
     60 		const char *subject;
     61 		const struct wpabuf *cert;
     62 		const u8 *hash;
     63 		size_t hash_len;
     64 		const char *altsubject[TLS_MAX_ALT_SUBJECT];
     65 		int num_altsubject;
     66 	} peer_cert;
     67 
     68 	struct {
     69 		int is_local;
     70 		const char *type;
     71 		const char *description;
     72 	} alert;
     73 };
     74 
     75 struct tls_config {
     76 	const char *opensc_engine_path;
     77 	const char *pkcs11_engine_path;
     78 	const char *pkcs11_module_path;
     79 	int fips_mode;
     80 	int cert_in_cb;
     81 	const char *openssl_ciphers;
     82 	unsigned int tls_session_lifetime;
     83 
     84 	void (*event_cb)(void *ctx, enum tls_event ev,
     85 			 union tls_event_data *data);
     86 	void *cb_ctx;
     87 };
     88 
     89 #define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
     90 #define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
     91 #define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
     92 #define TLS_CONN_REQUEST_OCSP BIT(3)
     93 #define TLS_CONN_REQUIRE_OCSP BIT(4)
     94 #define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
     95 #define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
     96 #define TLS_CONN_EAP_FAST BIT(7)
     97 #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
     98 #define TLS_CONN_EXT_CERT_CHECK BIT(9)
     99 #define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
    100 
    101 /**
    102  * struct tls_connection_params - Parameters for TLS connection
    103  * @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
    104  * format
    105  * @ca_cert_blob: ca_cert as inlined data or %NULL if not used
    106  * @ca_cert_blob_len: ca_cert_blob length
    107  * @ca_path: Path to CA certificates (OpenSSL specific)
    108  * @subject_match: String to match in the subject of the peer certificate or
    109  * %NULL to allow all subjects
    110  * @altsubject_match: String to match in the alternative subject of the peer
    111  * certificate or %NULL to allow all alternative subjects
    112  * @suffix_match: String to suffix match in the dNSName or CN of the peer
    113  * certificate or %NULL to allow all domain names. This may allow subdomains an
    114  * wildcard certificates. Each domain name label must have a full match.
    115  * @domain_match: String to match in the dNSName or CN of the peer
    116  * certificate or %NULL to allow all domain names. This requires a full,
    117  * case-insensitive match.
    118  * @client_cert: File or reference name for client X.509 certificate in PEM or
    119  * DER format
    120  * @client_cert_blob: client_cert as inlined data or %NULL if not used
    121  * @client_cert_blob_len: client_cert_blob length
    122  * @private_key: File or reference name for client private key in PEM or DER
    123  * format (traditional format (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY)
    124  * @private_key_blob: private_key as inlined data or %NULL if not used
    125  * @private_key_blob_len: private_key_blob length
    126  * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
    127  * passphrase is used.
    128  * @dh_file: File name for DH/DSA data in PEM format, or %NULL if not used
    129  * @dh_blob: dh_file as inlined data or %NULL if not used
    130  * @dh_blob_len: dh_blob length
    131  * @engine: 1 = use engine (e.g., a smartcard) for private key operations
    132  * (this is OpenSSL specific for now)
    133  * @engine_id: engine id string (this is OpenSSL specific for now)
    134  * @ppin: pointer to the pin variable in the configuration
    135  * (this is OpenSSL specific for now)
    136  * @key_id: the private key's id when using engine (this is OpenSSL
    137  * specific for now)
    138  * @cert_id: the certificate's id when using engine
    139  * @ca_cert_id: the CA certificate's id when using engine
    140  * @openssl_ciphers: OpenSSL cipher configuration
    141  * @flags: Parameter options (TLS_CONN_*)
    142  * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
    143  *	or %NULL if OCSP is not enabled
    144  * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
    145  *	response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
    146  *	ocsp_multi is not enabled
    147  *
    148  * TLS connection parameters to be configured with tls_connection_set_params()
    149  * and tls_global_set_params().
    150  *
    151  * Certificates and private key can be configured either as a reference name
    152  * (file path or reference to certificate store) or by providing the same data
    153  * as a pointer to the data in memory. Only one option will be used for each
    154  * field.
    155  */
    156 struct tls_connection_params {
    157 	const char *ca_cert;
    158 	const u8 *ca_cert_blob;
    159 	size_t ca_cert_blob_len;
    160 	const char *ca_path;
    161 	const char *subject_match;
    162 	const char *altsubject_match;
    163 	const char *suffix_match;
    164 	const char *domain_match;
    165 	const char *client_cert;
    166 	const u8 *client_cert_blob;
    167 	size_t client_cert_blob_len;
    168 	const char *private_key;
    169 	const u8 *private_key_blob;
    170 	size_t private_key_blob_len;
    171 	const char *private_key_passwd;
    172 	const char *dh_file;
    173 	const u8 *dh_blob;
    174 	size_t dh_blob_len;
    175 
    176 	/* OpenSSL specific variables */
    177 	int engine;
    178 	const char *engine_id;
    179 	const char *pin;
    180 	const char *key_id;
    181 	const char *cert_id;
    182 	const char *ca_cert_id;
    183 	const char *openssl_ciphers;
    184 
    185 	unsigned int flags;
    186 	const char *ocsp_stapling_response;
    187 	const char *ocsp_stapling_response_multi;
    188 };
    189 
    190 
    191 /**
    192  * tls_init - Initialize TLS library
    193  * @conf: Configuration data for TLS library
    194  * Returns: Context data to be used as tls_ctx in calls to other functions,
    195  * or %NULL on failure.
    196  *
    197  * Called once during program startup and once for each RSN pre-authentication
    198  * session. In other words, there can be two concurrent TLS contexts. If global
    199  * library initialization is needed (i.e., one that is shared between both
    200  * authentication types), the TLS library wrapper should maintain a reference
    201  * counter and do global initialization only when moving from 0 to 1 reference.
    202  */
    203 void * tls_init(const struct tls_config *conf);
    204 
    205 /**
    206  * tls_deinit - Deinitialize TLS library
    207  * @tls_ctx: TLS context data from tls_init()
    208  *
    209  * Called once during program shutdown and once for each RSN pre-authentication
    210  * session. If global library deinitialization is needed (i.e., one that is
    211  * shared between both authentication types), the TLS library wrapper should
    212  * maintain a reference counter and do global deinitialization only when moving
    213  * from 1 to 0 references.
    214  */
    215 void tls_deinit(void *tls_ctx);
    216 
    217 /**
    218  * tls_get_errors - Process pending errors
    219  * @tls_ctx: TLS context data from tls_init()
    220  * Returns: Number of found error, 0 if no errors detected.
    221  *
    222  * Process all pending TLS errors.
    223  */
    224 int tls_get_errors(void *tls_ctx);
    225 
    226 /**
    227  * tls_connection_init - Initialize a new TLS connection
    228  * @tls_ctx: TLS context data from tls_init()
    229  * Returns: Connection context data, conn for other function calls
    230  */
    231 struct tls_connection * tls_connection_init(void *tls_ctx);
    232 
    233 /**
    234  * tls_connection_deinit - Free TLS connection data
    235  * @tls_ctx: TLS context data from tls_init()
    236  * @conn: Connection context data from tls_connection_init()
    237  *
    238  * Release all resources allocated for TLS connection.
    239  */
    240 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn);
    241 
    242 /**
    243  * tls_connection_established - Has the TLS connection been completed?
    244  * @tls_ctx: TLS context data from tls_init()
    245  * @conn: Connection context data from tls_connection_init()
    246  * Returns: 1 if TLS connection has been completed, 0 if not.
    247  */
    248 int tls_connection_established(void *tls_ctx, struct tls_connection *conn);
    249 
    250 /**
    251  * tls_connection_shutdown - Shutdown TLS connection
    252  * @tls_ctx: TLS context data from tls_init()
    253  * @conn: Connection context data from tls_connection_init()
    254  * Returns: 0 on success, -1 on failure
    255  *
    256  * Shutdown current TLS connection without releasing all resources. New
    257  * connection can be started by using the same conn without having to call
    258  * tls_connection_init() or setting certificates etc. again. The new
    259  * connection should try to use session resumption.
    260  */
    261 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn);
    262 
    263 enum {
    264 	TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN = -4,
    265 	TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3,
    266 	TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2
    267 };
    268 
    269 /**
    270  * tls_connection_set_params - Set TLS connection parameters
    271  * @tls_ctx: TLS context data from tls_init()
    272  * @conn: Connection context data from tls_connection_init()
    273  * @params: Connection parameters
    274  * Returns: 0 on success, -1 on failure,
    275  * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
    276  * failure, or
    277  * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
    278  * PKCS#11 engine private key, or
    279  * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
    280  * failure.
    281  */
    282 int __must_check
    283 tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
    284 			  const struct tls_connection_params *params);
    285 
    286 /**
    287  * tls_global_set_params - Set TLS parameters for all TLS connection
    288  * @tls_ctx: TLS context data from tls_init()
    289  * @params: Global TLS parameters
    290  * Returns: 0 on success, -1 on failure,
    291  * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
    292  * failure, or
    293  * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
    294  * PKCS#11 engine private key, or
    295  * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
    296  * failure.
    297  */
    298 int __must_check tls_global_set_params(
    299 	void *tls_ctx, const struct tls_connection_params *params);
    300 
    301 /**
    302  * tls_global_set_verify - Set global certificate verification options
    303  * @tls_ctx: TLS context data from tls_init()
    304  * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
    305  * 2 = verify CRL for all certificates
    306  * Returns: 0 on success, -1 on failure
    307  */
    308 int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
    309 
    310 /**
    311  * tls_connection_set_verify - Set certificate verification options
    312  * @tls_ctx: TLS context data from tls_init()
    313  * @conn: Connection context data from tls_connection_init()
    314  * @verify_peer: 1 = verify peer certificate
    315  * @flags: Connection flags (TLS_CONN_*)
    316  * @session_ctx: Session caching context or %NULL to use default
    317  * @session_ctx_len: Length of @session_ctx in bytes.
    318  * Returns: 0 on success, -1 on failure
    319  */
    320 int __must_check tls_connection_set_verify(void *tls_ctx,
    321 					   struct tls_connection *conn,
    322 					   int verify_peer,
    323 					   unsigned int flags,
    324 					   const u8 *session_ctx,
    325 					   size_t session_ctx_len);
    326 
    327 /**
    328  * tls_connection_get_random - Get random data from TLS connection
    329  * @tls_ctx: TLS context data from tls_init()
    330  * @conn: Connection context data from tls_connection_init()
    331  * @data: Structure of client/server random data (filled on success)
    332  * Returns: 0 on success, -1 on failure
    333  */
    334 int __must_check tls_connection_get_random(void *tls_ctx,
    335 					 struct tls_connection *conn,
    336 					 struct tls_random *data);
    337 
    338 /**
    339  * tls_connection_export_key - Derive keying material from a TLS connection
    340  * @tls_ctx: TLS context data from tls_init()
    341  * @conn: Connection context data from tls_connection_init()
    342  * @label: Label (e.g., description of the key) for PRF
    343  * @out: Buffer for output data from TLS-PRF
    344  * @out_len: Length of the output buffer
    345  * Returns: 0 on success, -1 on failure
    346  *
    347  * Exports keying material using the mechanism described in RFC 5705.
    348  */
    349 int __must_check tls_connection_export_key(void *tls_ctx,
    350 					   struct tls_connection *conn,
    351 					   const char *label,
    352 					   u8 *out, size_t out_len);
    353 
    354 /**
    355  * tls_connection_get_eap_fast_key - Derive key material for EAP-FAST
    356  * @tls_ctx: TLS context data from tls_init()
    357  * @conn: Connection context data from tls_connection_init()
    358  * @out: Buffer for output data from TLS-PRF
    359  * @out_len: Length of the output buffer
    360  * Returns: 0 on success, -1 on failure
    361  *
    362  * Exports key material after the normal TLS key block for use with
    363  * EAP-FAST. Most callers will want tls_connection_export_key(), but EAP-FAST
    364  * uses a different legacy mechanism.
    365  */
    366 int __must_check tls_connection_get_eap_fast_key(void *tls_ctx,
    367 						 struct tls_connection *conn,
    368 						 u8 *out, size_t out_len);
    369 
    370 /**
    371  * tls_connection_handshake - Process TLS handshake (client side)
    372  * @tls_ctx: TLS context data from tls_init()
    373  * @conn: Connection context data from tls_connection_init()
    374  * @in_data: Input data from TLS server
    375  * @appl_data: Pointer to application data pointer, or %NULL if dropped
    376  * Returns: Output data, %NULL on failure
    377  *
    378  * The caller is responsible for freeing the returned output data. If the final
    379  * handshake message includes application data, this is decrypted and
    380  * appl_data (if not %NULL) is set to point this data. The caller is
    381  * responsible for freeing appl_data.
    382  *
    383  * This function is used during TLS handshake. The first call is done with
    384  * in_data == %NULL and the library is expected to return ClientHello packet.
    385  * This packet is then send to the server and a response from server is given
    386  * to TLS library by calling this function again with in_data pointing to the
    387  * TLS message from the server.
    388  *
    389  * If the TLS handshake fails, this function may return %NULL. However, if the
    390  * TLS library has a TLS alert to send out, that should be returned as the
    391  * output data. In this case, tls_connection_get_failed() must return failure
    392  * (> 0).
    393  *
    394  * tls_connection_established() should return 1 once the TLS handshake has been
    395  * completed successfully.
    396  */
    397 struct wpabuf * tls_connection_handshake(void *tls_ctx,
    398 					 struct tls_connection *conn,
    399 					 const struct wpabuf *in_data,
    400 					 struct wpabuf **appl_data);
    401 
    402 struct wpabuf * tls_connection_handshake2(void *tls_ctx,
    403 					  struct tls_connection *conn,
    404 					  const struct wpabuf *in_data,
    405 					  struct wpabuf **appl_data,
    406 					  int *more_data_needed);
    407 
    408 /**
    409  * tls_connection_server_handshake - Process TLS handshake (server side)
    410  * @tls_ctx: TLS context data from tls_init()
    411  * @conn: Connection context data from tls_connection_init()
    412  * @in_data: Input data from TLS peer
    413  * @appl_data: Pointer to application data pointer, or %NULL if dropped
    414  * Returns: Output data, %NULL on failure
    415  *
    416  * The caller is responsible for freeing the returned output data.
    417  */
    418 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
    419 						struct tls_connection *conn,
    420 						const struct wpabuf *in_data,
    421 						struct wpabuf **appl_data);
    422 
    423 /**
    424  * tls_connection_encrypt - Encrypt data into TLS tunnel
    425  * @tls_ctx: TLS context data from tls_init()
    426  * @conn: Connection context data from tls_connection_init()
    427  * @in_data: Plaintext data to be encrypted
    428  * Returns: Encrypted TLS data or %NULL on failure
    429  *
    430  * This function is used after TLS handshake has been completed successfully to
    431  * send data in the encrypted tunnel. The caller is responsible for freeing the
    432  * returned output data.
    433  */
    434 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
    435 				       struct tls_connection *conn,
    436 				       const struct wpabuf *in_data);
    437 
    438 /**
    439  * tls_connection_decrypt - Decrypt data from TLS tunnel
    440  * @tls_ctx: TLS context data from tls_init()
    441  * @conn: Connection context data from tls_connection_init()
    442  * @in_data: Encrypted TLS data
    443  * Returns: Decrypted TLS data or %NULL on failure
    444  *
    445  * This function is used after TLS handshake has been completed successfully to
    446  * receive data from the encrypted tunnel. The caller is responsible for
    447  * freeing the returned output data.
    448  */
    449 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
    450 				       struct tls_connection *conn,
    451 				       const struct wpabuf *in_data);
    452 
    453 struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
    454 					struct tls_connection *conn,
    455 					const struct wpabuf *in_data,
    456 					int *more_data_needed);
    457 
    458 /**
    459  * tls_connection_resumed - Was session resumption used
    460  * @tls_ctx: TLS context data from tls_init()
    461  * @conn: Connection context data from tls_connection_init()
    462  * Returns: 1 if current session used session resumption, 0 if not
    463  */
    464 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);
    465 
    466 enum {
    467 	TLS_CIPHER_NONE,
    468 	TLS_CIPHER_RC4_SHA /* 0x0005 */,
    469 	TLS_CIPHER_AES128_SHA /* 0x002f */,
    470 	TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
    471 	TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */,
    472 	TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,
    473 	TLS_CIPHER_AES256_SHA /* 0x0035 */,
    474 };
    475 
    476 /**
    477  * tls_connection_set_cipher_list - Configure acceptable cipher suites
    478  * @tls_ctx: TLS context data from tls_init()
    479  * @conn: Connection context data from tls_connection_init()
    480  * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
    481  * (TLS_CIPHER_*).
    482  * Returns: 0 on success, -1 on failure
    483  */
    484 int __must_check tls_connection_set_cipher_list(void *tls_ctx,
    485 						struct tls_connection *conn,
    486 						u8 *ciphers);
    487 
    488 /**
    489  * tls_get_version - Get the current TLS version number
    490  * @tls_ctx: TLS context data from tls_init()
    491  * @conn: Connection context data from tls_connection_init()
    492  * @buf: Buffer for returning the TLS version number
    493  * @buflen: buf size
    494  * Returns: 0 on success, -1 on failure
    495  *
    496  * Get the currently used TLS version number.
    497  */
    498 int __must_check tls_get_version(void *tls_ctx, struct tls_connection *conn,
    499 				 char *buf, size_t buflen);
    500 
    501 /**
    502  * tls_get_cipher - Get current cipher name
    503  * @tls_ctx: TLS context data from tls_init()
    504  * @conn: Connection context data from tls_connection_init()
    505  * @buf: Buffer for the cipher name
    506  * @buflen: buf size
    507  * Returns: 0 on success, -1 on failure
    508  *
    509  * Get the name of the currently used cipher.
    510  */
    511 int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
    512 				char *buf, size_t buflen);
    513 
    514 /**
    515  * tls_connection_enable_workaround - Enable TLS workaround options
    516  * @tls_ctx: TLS context data from tls_init()
    517  * @conn: Connection context data from tls_connection_init()
    518  * Returns: 0 on success, -1 on failure
    519  *
    520  * This function is used to enable connection-specific workaround options for
    521  * buffer SSL/TLS implementations.
    522  */
    523 int __must_check tls_connection_enable_workaround(void *tls_ctx,
    524 						  struct tls_connection *conn);
    525 
    526 /**
    527  * tls_connection_client_hello_ext - Set TLS extension for ClientHello
    528  * @tls_ctx: TLS context data from tls_init()
    529  * @conn: Connection context data from tls_connection_init()
    530  * @ext_type: Extension type
    531  * @data: Extension payload (%NULL to remove extension)
    532  * @data_len: Extension payload length
    533  * Returns: 0 on success, -1 on failure
    534  */
    535 int __must_check tls_connection_client_hello_ext(void *tls_ctx,
    536 						 struct tls_connection *conn,
    537 						 int ext_type, const u8 *data,
    538 						 size_t data_len);
    539 
    540 /**
    541  * tls_connection_get_failed - Get connection failure status
    542  * @tls_ctx: TLS context data from tls_init()
    543  * @conn: Connection context data from tls_connection_init()
    544  *
    545  * Returns >0 if connection has failed, 0 if not.
    546  */
    547 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn);
    548 
    549 /**
    550  * tls_connection_get_read_alerts - Get connection read alert status
    551  * @tls_ctx: TLS context data from tls_init()
    552  * @conn: Connection context data from tls_connection_init()
    553  * Returns: Number of times a fatal read (remote end reported error) has
    554  * happened during this connection.
    555  */
    556 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn);
    557 
    558 /**
    559  * tls_connection_get_write_alerts - Get connection write alert status
    560  * @tls_ctx: TLS context data from tls_init()
    561  * @conn: Connection context data from tls_connection_init()
    562  * Returns: Number of times a fatal write (locally detected error) has happened
    563  * during this connection.
    564  */
    565 int tls_connection_get_write_alerts(void *tls_ctx,
    566 				    struct tls_connection *conn);
    567 
    568 typedef int (*tls_session_ticket_cb)
    569 (void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
    570  const u8 *server_random, u8 *master_secret);
    571 
    572 int __must_check  tls_connection_set_session_ticket_cb(
    573 	void *tls_ctx, struct tls_connection *conn,
    574 	tls_session_ticket_cb cb, void *ctx);
    575 
    576 void tls_connection_set_log_cb(struct tls_connection *conn,
    577 			       void (*log_cb)(void *ctx, const char *msg),
    578 			       void *ctx);
    579 
    580 #define TLS_BREAK_VERIFY_DATA BIT(0)
    581 #define TLS_BREAK_SRV_KEY_X_HASH BIT(1)
    582 #define TLS_BREAK_SRV_KEY_X_SIGNATURE BIT(2)
    583 #define TLS_DHE_PRIME_511B BIT(3)
    584 #define TLS_DHE_PRIME_767B BIT(4)
    585 #define TLS_DHE_PRIME_15 BIT(5)
    586 #define TLS_DHE_PRIME_58B BIT(6)
    587 #define TLS_DHE_NON_PRIME BIT(7)
    588 
    589 void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags);
    590 
    591 int tls_get_library_version(char *buf, size_t buf_len);
    592 
    593 void tls_connection_set_success_data(struct tls_connection *conn,
    594 				     struct wpabuf *data);
    595 
    596 void tls_connection_set_success_data_resumed(struct tls_connection *conn);
    597 
    598 const struct wpabuf *
    599 tls_connection_get_success_data(struct tls_connection *conn);
    600 
    601 void tls_connection_remove_session(struct tls_connection *conn);
    602 
    603 #endif /* TLS_H */
    604