* @out: Buffer for output data from TLS-PRF * @out_len: Length of the output buffer * Returns: 0 on success, -1 on failure * * This function is optional to implement if tls_connection_get_keys() provides * access to master secret and server/client random values. If these values are * not exported from the TLS library, tls_connection_prf() is required so that * further keying material can be derived from the master secret. If not * implemented, the function will still need to be defined, but it can just * return -1. Example implementation of this function is in tls_prf() function * when it is called with seed set to client_random|server_random (or * server_random|client_random). */int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,		       const char *label, int server_random_first,		       u8 *out, size_t out_len);/** * tls_connection_handshake - Process TLS handshake (client side) * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @in_data: Input data from TLS peer * @in_len: Input data length * @out_len: Length of the output buffer. * * Returns: Pointer to output data, %NULL on failure * * Caller is responsible for freeing returned output data. * * This function is used during TLS handshake. The first call is done with * in_data == %NULL and the library is expected to return ClientHello packet. * This packet is then send to the server and a response from server is given * to TLS library by calling this function again with in_data pointing to the * TLS message from the server. * * If the TLS handshake fails, this function may return %NULL. However, if the * TLS library has a TLS alert to send out, that should be returned as the * output data. In this case, tls_connection_get_failed() must return failure * (> 0). * * tls_connection_established() should return 1 once the TLS handshake has been * completed successfully. */u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,			      const u8 *in_data, size_t in_len,			      size_t *out_len);/** * tls_connection_server_handshake - Process TLS handshake (server side) * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @in_data: Input data from TLS peer * @in_len: Input data length * @out_len: Length of the output buffer. * * Returns: pointer to output data, %NULL on failure * * Caller is responsible for freeing returned output data. */u8 * tls_connection_server_handshake(void *tls_ctx,				     struct tls_connection *conn,				     const u8 *in_data, size_t in_len,				     size_t *out_len);/** * tls_connection_encrypt - Encrypt data into TLS tunnel * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @in_data: Pointer to plaintext data to be encrypted * @in_len: Input buffer length * @out_data: Pointer to output buffer (encrypted TLS data) * @out_len: Maximum out_data length  * * Returns: Number of bytes written to out_data, -1 on failure * * This function is used after TLS handshake has been completed successfully to * send data in the encrypted tunnel. */int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn,			   const u8 *in_data, size_t in_len,			   u8 *out_data, size_t out_len);/** * tls_connection_decrypt - Decrypt data from TLS tunnel * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @in_data: Pointer to input buffer (encrypted TLS data) * @in_len: Input buffer length * @out_data: Pointer to output buffer (decrypted data from TLS tunnel) * @out_len: Maximum out_data length * * Returns: Number of bytes written to out_data, -1 on failure * * This function is used after TLS handshake has been completed successfully to * receive data from the encrypted tunnel. */int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn,			   const u8 *in_data, size_t in_len,			   u8 *out_data, size_t out_len);/** * tls_connection_resumed - Was session resumption used * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * * Returns: 1 if current session used session resumption, 0 if not */int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);/** * tls_connection_set_master_key - Configure master secret for TLS connection * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @key: TLS pre-master-secret * @key_len: length of key in bytes * * Returns: 0 on success, -1 on failure */int tls_connection_set_master_key(void *tls_ctx, struct tls_connection *conn,				  const u8 *key, size_t key_len);/** * tls_connection_set_anon_dh - Configure TLS connection to use anonymous DH * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * * Returns: 0 on success, -1 on failure * * TODO: consider changing this to more generic routine for configuring allowed * ciphers */int tls_connection_set_anon_dh(void *tls_ctx, struct tls_connection *conn);/** * tls_get_cipher - Get current cipher name * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @buf: Buffer for the cipher name * @buflen: buf size * * Returns: 0 on success, -1 on failure * * Get the name of the currently used cipher. */int tls_get_cipher(void *tls_ctx, struct tls_connection *conn,		   char *buf, size_t buflen);/** * tls_connection_enable_workaround - Enable TLS workaround options * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * * Returns: 0 on success, -1 on failure * * This function is used to enable connection-specific workaround options for * buffer SSL/TLS implementations. */int tls_connection_enable_workaround(void *tls_ctx,				     struct tls_connection *conn);/** * tls_connection_client_hello_ext - Set TLS extension for ClientHello * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @ext_type: Extension type * @data: Extension payload (NULL to remove extension) * @data_len: Extension payload length * * Returns: 0 on success, -1 on failure */int tls_connection_client_hello_ext(void *tls_ctx, struct tls_connection *conn,				    int ext_type, const u8 *data,				    size_t data_len);/** * tls_connection_get_failed - Get connection failure status * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * * Returns >0 if connection has failed, 0 if not. */int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn);/** * tls_connection_get_read_alerts - Get connection read alert status * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * * Returns: Number of times a fatal read (remote end reported error) has * happened during this connection. */int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn);/** * tls_connection_get_write_alerts - Get connection write alert status * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * * Returns: Number of times a fatal write (locally detected error) has happened * during this connection. */int tls_connection_get_write_alerts(void *tls_ctx,				    struct tls_connection *conn);/** * tls_connection_get_keyblock_size - Get TLS key_block size * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * Returns: Size of the key_block for the negotiated cipher suite or -1 on * failure */int tls_connection_get_keyblock_size(void *tls_ctx,				     struct tls_connection *conn);#define TLS_CAPABILITY_IA 0x0001 /* TLS Inner Application (TLS/IA) *//** * tls_capabilities - Get supported TLS capabilities * @tls_ctx: TLS context data from tls_init() * Returns: Bit field of supported TLS capabilities (TLS_CAPABILITY_*) */unsigned int tls_capabilities(void *tls_ctx);/** * tls_connection_ia_send_phase_finished - Send a TLS/IA PhaseFinished message * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @final: 1 = FinalPhaseFinished, 0 = IntermediatePhaseFinished * @out_data: Pointer to output buffer (encrypted TLS/IA data) * @out_len: Maximum out_data length  * Returns: Number of bytes written to out_data on success, -1 on failure * * This function is used to send the TLS/IA end phase message, e.g., when the * EAP server completes EAP-TTLSv1. */int tls_connection_ia_send_phase_finished(void *tls_ctx,					  struct tls_connection *conn,					  int final,					  u8 *out_data, size_t out_len);/** * tls_connection_ia_final_phase_finished - Has final phase been completed * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * Returns: 1 if valid FinalPhaseFinished has been received, 0 if not, or -1 * on failure */int tls_connection_ia_final_phase_finished(void *tls_ctx,					   struct tls_connection *conn);/** * tls_connection_ia_permute_inner_secret - Permute TLS/IA inner secret * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @key: Session key material (session_key vectors with 2-octet length), or * %NULL if no session key was generating in the current phase * @key_len: Length of session key material * Returns: 0 on success, -1 on failure */int tls_connection_ia_permute_inner_secret(void *tls_ctx,					   struct tls_connection *conn,					   const u8 *key, size_t key_len);#endif /* TLS_H */