• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * SSL/TLS interface definition
3  * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef TLS_H
10 #define TLS_H
11 
12 struct tls_connection;
13 
14 struct tls_random {
15 	const u8 *client_random;
16 	size_t client_random_len;
17 	const u8 *server_random;
18 	size_t server_random_len;
19 };
20 
21 enum tls_event {
22 	TLS_CERT_CHAIN_SUCCESS,
23 	TLS_CERT_CHAIN_FAILURE,
24 	TLS_PEER_CERTIFICATE,
25 	TLS_ALERT
26 };
27 
28 /*
29  * Note: These are used as identifier with external programs and as such, the
30  * values must not be changed.
31  */
32 enum tls_fail_reason {
33 	TLS_FAIL_UNSPECIFIED = 0,
34 	TLS_FAIL_UNTRUSTED = 1,
35 	TLS_FAIL_REVOKED = 2,
36 	TLS_FAIL_NOT_YET_VALID = 3,
37 	TLS_FAIL_EXPIRED = 4,
38 	TLS_FAIL_SUBJECT_MISMATCH = 5,
39 	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
40 	TLS_FAIL_BAD_CERTIFICATE = 7,
41 	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
42 	TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
43 	TLS_FAIL_DOMAIN_MISMATCH = 10,
44 };
45 
46 
47 #define TLS_MAX_ALT_SUBJECT 10
48 
49 union tls_event_data {
50 	struct {
51 		int depth;
52 		const char *subject;
53 		enum tls_fail_reason reason;
54 		const char *reason_txt;
55 		const struct wpabuf *cert;
56 	} cert_fail;
57 
58 	struct {
59 		int depth;
60 		const char *subject;
61 		const struct wpabuf *cert;
62 		const u8 *hash;
63 		size_t hash_len;
64 		const char *altsubject[TLS_MAX_ALT_SUBJECT];
65 		int num_altsubject;
66 	} peer_cert;
67 
68 	struct {
69 		int is_local;
70 		const char *type;
71 		const char *description;
72 	} alert;
73 };
74 
75 struct tls_config {
76 	const char *opensc_engine_path;
77 	const char *pkcs11_engine_path;
78 	const char *pkcs11_module_path;
79 	int fips_mode;
80 	int cert_in_cb;
81 	const char *openssl_ciphers;
82 	unsigned int tls_session_lifetime;
83 
84 	void (*event_cb)(void *ctx, enum tls_event ev,
85 			 union tls_event_data *data);
86 	void *cb_ctx;
87 };
88 
89 #define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
90 #define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
91 #define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
92 #define TLS_CONN_REQUEST_OCSP BIT(3)
93 #define TLS_CONN_REQUIRE_OCSP BIT(4)
94 #define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
95 #define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
96 #define TLS_CONN_EAP_FAST BIT(7)
97 #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
98 #define TLS_CONN_EXT_CERT_CHECK BIT(9)
99 #define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
100 
101 /**
102  * struct tls_connection_params - Parameters for TLS connection
103  * @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
104  * format
105  * @ca_cert_blob: ca_cert as inlined data or %NULL if not used
106  * @ca_cert_blob_len: ca_cert_blob length
107  * @ca_path: Path to CA certificates (OpenSSL specific)
108  * @subject_match: String to match in the subject of the peer certificate or
109  * %NULL to allow all subjects
110  * @altsubject_match: String to match in the alternative subject of the peer
111  * certificate or %NULL to allow all alternative subjects
112  * @suffix_match: String to suffix match in the dNSName or CN of the peer
113  * certificate or %NULL to allow all domain names. This may allow subdomains an
114  * wildcard certificates. Each domain name label must have a full match.
115  * @domain_match: String to match in the dNSName or CN of the peer
116  * certificate or %NULL to allow all domain names. This requires a full,
117  * case-insensitive match.
118  * @client_cert: File or reference name for client X.509 certificate in PEM or
119  * DER format
120  * @client_cert_blob: client_cert as inlined data or %NULL if not used
121  * @client_cert_blob_len: client_cert_blob length
122  * @private_key: File or reference name for client private key in PEM or DER
123  * format (traditional format (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY)
124  * @private_key_blob: private_key as inlined data or %NULL if not used
125  * @private_key_blob_len: private_key_blob length
126  * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
127  * passphrase is used.
128  * @dh_file: File name for DH/DSA data in PEM format, or %NULL if not used
129  * @dh_blob: dh_file as inlined data or %NULL if not used
130  * @dh_blob_len: dh_blob length
131  * @engine: 1 = use engine (e.g., a smartcard) for private key operations
132  * (this is OpenSSL specific for now)
133  * @engine_id: engine id string (this is OpenSSL specific for now)
134  * @ppin: pointer to the pin variable in the configuration
135  * (this is OpenSSL specific for now)
136  * @key_id: the private key's id when using engine (this is OpenSSL
137  * specific for now)
138  * @cert_id: the certificate's id when using engine
139  * @ca_cert_id: the CA certificate's id when using engine
140  * @openssl_ciphers: OpenSSL cipher configuration
141  * @flags: Parameter options (TLS_CONN_*)
142  * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
143  *	or %NULL if OCSP is not enabled
144  * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
145  *	response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
146  *	ocsp_multi is not enabled
147  *
148  * TLS connection parameters to be configured with tls_connection_set_params()
149  * and tls_global_set_params().
150  *
151  * Certificates and private key can be configured either as a reference name
152  * (file path or reference to certificate store) or by providing the same data
153  * as a pointer to the data in memory. Only one option will be used for each
154  * field.
155  */
156 struct tls_connection_params {
157 	const char *ca_cert;
158 	const u8 *ca_cert_blob;
159 	size_t ca_cert_blob_len;
160 	const char *ca_path;
161 	const char *subject_match;
162 	const char *altsubject_match;
163 	const char *suffix_match;
164 	const char *domain_match;
165 	const char *client_cert;
166 	const u8 *client_cert_blob;
167 	size_t client_cert_blob_len;
168 	const char *private_key;
169 	const u8 *private_key_blob;
170 	size_t private_key_blob_len;
171 	const char *private_key_passwd;
172 	const char *dh_file;
173 	const u8 *dh_blob;
174 	size_t dh_blob_len;
175 
176 	/* OpenSSL specific variables */
177 	int engine;
178 	const char *engine_id;
179 	const char *pin;
180 	const char *key_id;
181 	const char *cert_id;
182 	const char *ca_cert_id;
183 	const char *openssl_ciphers;
184 
185 	unsigned int flags;
186 	const char *ocsp_stapling_response;
187 	const char *ocsp_stapling_response_multi;
188 };
189 
190 
191 /**
192  * tls_init - Initialize TLS library
193  * @conf: Configuration data for TLS library
194  * Returns: Context data to be used as tls_ctx in calls to other functions,
195  * or %NULL on failure.
196  *
197  * Called once during program startup and once for each RSN pre-authentication
198  * session. In other words, there can be two concurrent TLS contexts. If global
199  * library initialization is needed (i.e., one that is shared between both
200  * authentication types), the TLS library wrapper should maintain a reference
201  * counter and do global initialization only when moving from 0 to 1 reference.
202  */
203 void * tls_init(const struct tls_config *conf);
204 
205 /**
206  * tls_deinit - Deinitialize TLS library
207  * @tls_ctx: TLS context data from tls_init()
208  *
209  * Called once during program shutdown and once for each RSN pre-authentication
210  * session. If global library deinitialization is needed (i.e., one that is
211  * shared between both authentication types), the TLS library wrapper should
212  * maintain a reference counter and do global deinitialization only when moving
213  * from 1 to 0 references.
214  */
215 void tls_deinit(void *tls_ctx);
216 
217 /**
218  * tls_get_errors - Process pending errors
219  * @tls_ctx: TLS context data from tls_init()
220  * Returns: Number of found error, 0 if no errors detected.
221  *
222  * Process all pending TLS errors.
223  */
224 int tls_get_errors(void *tls_ctx);
225 
226 /**
227  * tls_connection_init - Initialize a new TLS connection
228  * @tls_ctx: TLS context data from tls_init()
229  * Returns: Connection context data, conn for other function calls
230  */
231 struct tls_connection * tls_connection_init(void *tls_ctx);
232 
233 /**
234  * tls_connection_deinit - Free TLS connection data
235  * @tls_ctx: TLS context data from tls_init()
236  * @conn: Connection context data from tls_connection_init()
237  *
238  * Release all resources allocated for TLS connection.
239  */
240 void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn);
241 
242 /**
243  * tls_connection_established - Has the TLS connection been completed?
244  * @tls_ctx: TLS context data from tls_init()
245  * @conn: Connection context data from tls_connection_init()
246  * Returns: 1 if TLS connection has been completed, 0 if not.
247  */
248 int tls_connection_established(void *tls_ctx, struct tls_connection *conn);
249 
250 /**
251  * tls_connection_shutdown - Shutdown TLS connection
252  * @tls_ctx: TLS context data from tls_init()
253  * @conn: Connection context data from tls_connection_init()
254  * Returns: 0 on success, -1 on failure
255  *
256  * Shutdown current TLS connection without releasing all resources. New
257  * connection can be started by using the same conn without having to call
258  * tls_connection_init() or setting certificates etc. again. The new
259  * connection should try to use session resumption.
260  */
261 int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn);
262 
263 enum {
264 	TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN = -4,
265 	TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED = -3,
266 	TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED = -2
267 };
268 
269 /**
270  * tls_connection_set_params - Set TLS connection parameters
271  * @tls_ctx: TLS context data from tls_init()
272  * @conn: Connection context data from tls_connection_init()
273  * @params: Connection parameters
274  * Returns: 0 on success, -1 on failure,
275  * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
276  * failure, or
277  * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
278  * PKCS#11 engine private key, or
279  * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
280  * failure.
281  */
282 int __must_check
283 tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
284 			  const struct tls_connection_params *params);
285 
286 /**
287  * tls_global_set_params - Set TLS parameters for all TLS connection
288  * @tls_ctx: TLS context data from tls_init()
289  * @params: Global TLS parameters
290  * Returns: 0 on success, -1 on failure,
291  * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED (-2) on error causing PKCS#11 engine
292  * failure, or
293  * TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED (-3) on failure to verify the
294  * PKCS#11 engine private key, or
295  * TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN (-4) on PIN error causing PKCS#11 engine
296  * failure.
297  */
298 int __must_check tls_global_set_params(
299 	void *tls_ctx, const struct tls_connection_params *params);
300 
301 /**
302  * tls_global_set_verify - Set global certificate verification options
303  * @tls_ctx: TLS context data from tls_init()
304  * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
305  * 2 = verify CRL for all certificates
306  * Returns: 0 on success, -1 on failure
307  */
308 int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
309 
310 /**
311  * tls_connection_set_verify - Set certificate verification options
312  * @tls_ctx: TLS context data from tls_init()
313  * @conn: Connection context data from tls_connection_init()
314  * @verify_peer: 1 = verify peer certificate
315  * @flags: Connection flags (TLS_CONN_*)
316  * @session_ctx: Session caching context or %NULL to use default
317  * @session_ctx_len: Length of @session_ctx in bytes.
318  * Returns: 0 on success, -1 on failure
319  */
320 int __must_check tls_connection_set_verify(void *tls_ctx,
321 					   struct tls_connection *conn,
322 					   int verify_peer,
323 					   unsigned int flags,
324 					   const u8 *session_ctx,
325 					   size_t session_ctx_len);
326 
327 /**
328  * tls_connection_get_random - Get random data from TLS connection
329  * @tls_ctx: TLS context data from tls_init()
330  * @conn: Connection context data from tls_connection_init()
331  * @data: Structure of client/server random data (filled on success)
332  * Returns: 0 on success, -1 on failure
333  */
334 int __must_check tls_connection_get_random(void *tls_ctx,
335 					 struct tls_connection *conn,
336 					 struct tls_random *data);
337 
338 /**
339  * tls_connection_export_key - Derive keying material from a TLS connection
340  * @tls_ctx: TLS context data from tls_init()
341  * @conn: Connection context data from tls_connection_init()
342  * @label: Label (e.g., description of the key) for PRF
343  * @out: Buffer for output data from TLS-PRF
344  * @out_len: Length of the output buffer
345  * Returns: 0 on success, -1 on failure
346  *
347  * Exports keying material using the mechanism described in RFC 5705.
348  */
349 int __must_check tls_connection_export_key(void *tls_ctx,
350 					   struct tls_connection *conn,
351 					   const char *label,
352 					   u8 *out, size_t out_len);
353 
354 /**
355  * tls_connection_get_eap_fast_key - Derive key material for EAP-FAST
356  * @tls_ctx: TLS context data from tls_init()
357  * @conn: Connection context data from tls_connection_init()
358  * @out: Buffer for output data from TLS-PRF
359  * @out_len: Length of the output buffer
360  * Returns: 0 on success, -1 on failure
361  *
362  * Exports key material after the normal TLS key block for use with
363  * EAP-FAST. Most callers will want tls_connection_export_key(), but EAP-FAST
364  * uses a different legacy mechanism.
365  */
366 int __must_check tls_connection_get_eap_fast_key(void *tls_ctx,
367 						 struct tls_connection *conn,
368 						 u8 *out, size_t out_len);
369 
370 /**
371  * tls_connection_handshake - Process TLS handshake (client side)
372  * @tls_ctx: TLS context data from tls_init()
373  * @conn: Connection context data from tls_connection_init()
374  * @in_data: Input data from TLS server
375  * @appl_data: Pointer to application data pointer, or %NULL if dropped
376  * Returns: Output data, %NULL on failure
377  *
378  * The caller is responsible for freeing the returned output data. If the final
379  * handshake message includes application data, this is decrypted and
380  * appl_data (if not %NULL) is set to point this data. The caller is
381  * responsible for freeing appl_data.
382  *
383  * This function is used during TLS handshake. The first call is done with
384  * in_data == %NULL and the library is expected to return ClientHello packet.
385  * This packet is then send to the server and a response from server is given
386  * to TLS library by calling this function again with in_data pointing to the
387  * TLS message from the server.
388  *
389  * If the TLS handshake fails, this function may return %NULL. However, if the
390  * TLS library has a TLS alert to send out, that should be returned as the
391  * output data. In this case, tls_connection_get_failed() must return failure
392  * (> 0).
393  *
394  * tls_connection_established() should return 1 once the TLS handshake has been
395  * completed successfully.
396  */
397 struct wpabuf * tls_connection_handshake(void *tls_ctx,
398 					 struct tls_connection *conn,
399 					 const struct wpabuf *in_data,
400 					 struct wpabuf **appl_data);
401 
402 struct wpabuf * tls_connection_handshake2(void *tls_ctx,
403 					  struct tls_connection *conn,
404 					  const struct wpabuf *in_data,
405 					  struct wpabuf **appl_data,
406 					  int *more_data_needed);
407 
408 /**
409  * tls_connection_server_handshake - Process TLS handshake (server side)
410  * @tls_ctx: TLS context data from tls_init()
411  * @conn: Connection context data from tls_connection_init()
412  * @in_data: Input data from TLS peer
413  * @appl_data: Pointer to application data pointer, or %NULL if dropped
414  * Returns: Output data, %NULL on failure
415  *
416  * The caller is responsible for freeing the returned output data.
417  */
418 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
419 						struct tls_connection *conn,
420 						const struct wpabuf *in_data,
421 						struct wpabuf **appl_data);
422 
423 /**
424  * tls_connection_encrypt - Encrypt data into TLS tunnel
425  * @tls_ctx: TLS context data from tls_init()
426  * @conn: Connection context data from tls_connection_init()
427  * @in_data: Plaintext data to be encrypted
428  * Returns: Encrypted TLS data or %NULL on failure
429  *
430  * This function is used after TLS handshake has been completed successfully to
431  * send data in the encrypted tunnel. The caller is responsible for freeing the
432  * returned output data.
433  */
434 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
435 				       struct tls_connection *conn,
436 				       const struct wpabuf *in_data);
437 
438 /**
439  * tls_connection_decrypt - Decrypt data from TLS tunnel
440  * @tls_ctx: TLS context data from tls_init()
441  * @conn: Connection context data from tls_connection_init()
442  * @in_data: Encrypted TLS data
443  * Returns: Decrypted TLS data or %NULL on failure
444  *
445  * This function is used after TLS handshake has been completed successfully to
446  * receive data from the encrypted tunnel. The caller is responsible for
447  * freeing the returned output data.
448  */
449 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
450 				       struct tls_connection *conn,
451 				       const struct wpabuf *in_data);
452 
453 struct wpabuf * tls_connection_decrypt2(void *tls_ctx,
454 					struct tls_connection *conn,
455 					const struct wpabuf *in_data,
456 					int *more_data_needed);
457 
458 /**
459  * tls_connection_resumed - Was session resumption used
460  * @tls_ctx: TLS context data from tls_init()
461  * @conn: Connection context data from tls_connection_init()
462  * Returns: 1 if current session used session resumption, 0 if not
463  */
464 int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn);
465 
466 enum {
467 	TLS_CIPHER_NONE,
468 	TLS_CIPHER_RC4_SHA /* 0x0005 */,
469 	TLS_CIPHER_AES128_SHA /* 0x002f */,
470 	TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
471 	TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */,
472 	TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,
473 	TLS_CIPHER_AES256_SHA /* 0x0035 */,
474 };
475 
476 /**
477  * tls_connection_set_cipher_list - Configure acceptable cipher suites
478  * @tls_ctx: TLS context data from tls_init()
479  * @conn: Connection context data from tls_connection_init()
480  * @ciphers: Zero (TLS_CIPHER_NONE) terminated list of allowed ciphers
481  * (TLS_CIPHER_*).
482  * Returns: 0 on success, -1 on failure
483  */
484 int __must_check tls_connection_set_cipher_list(void *tls_ctx,
485 						struct tls_connection *conn,
486 						u8 *ciphers);
487 
488 /**
489  * tls_get_version - Get the current TLS version number
490  * @tls_ctx: TLS context data from tls_init()
491  * @conn: Connection context data from tls_connection_init()
492  * @buf: Buffer for returning the TLS version number
493  * @buflen: buf size
494  * Returns: 0 on success, -1 on failure
495  *
496  * Get the currently used TLS version number.
497  */
498 int __must_check tls_get_version(void *tls_ctx, struct tls_connection *conn,
499 				 char *buf, size_t buflen);
500 
501 /**
502  * tls_get_cipher - Get current cipher name
503  * @tls_ctx: TLS context data from tls_init()
504  * @conn: Connection context data from tls_connection_init()
505  * @buf: Buffer for the cipher name
506  * @buflen: buf size
507  * Returns: 0 on success, -1 on failure
508  *
509  * Get the name of the currently used cipher.
510  */
511 int __must_check tls_get_cipher(void *tls_ctx, struct tls_connection *conn,
512 				char *buf, size_t buflen);
513 
514 /**
515  * tls_connection_enable_workaround - Enable TLS workaround options
516  * @tls_ctx: TLS context data from tls_init()
517  * @conn: Connection context data from tls_connection_init()
518  * Returns: 0 on success, -1 on failure
519  *
520  * This function is used to enable connection-specific workaround options for
521  * buffer SSL/TLS implementations.
522  */
523 int __must_check tls_connection_enable_workaround(void *tls_ctx,
524 						  struct tls_connection *conn);
525 
526 /**
527  * tls_connection_client_hello_ext - Set TLS extension for ClientHello
528  * @tls_ctx: TLS context data from tls_init()
529  * @conn: Connection context data from tls_connection_init()
530  * @ext_type: Extension type
531  * @data: Extension payload (%NULL to remove extension)
532  * @data_len: Extension payload length
533  * Returns: 0 on success, -1 on failure
534  */
535 int __must_check tls_connection_client_hello_ext(void *tls_ctx,
536 						 struct tls_connection *conn,
537 						 int ext_type, const u8 *data,
538 						 size_t data_len);
539 
540 /**
541  * tls_connection_get_failed - Get connection failure status
542  * @tls_ctx: TLS context data from tls_init()
543  * @conn: Connection context data from tls_connection_init()
544  *
545  * Returns >0 if connection has failed, 0 if not.
546  */
547 int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn);
548 
549 /**
550  * tls_connection_get_read_alerts - Get connection read alert status
551  * @tls_ctx: TLS context data from tls_init()
552  * @conn: Connection context data from tls_connection_init()
553  * Returns: Number of times a fatal read (remote end reported error) has
554  * happened during this connection.
555  */
556 int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn);
557 
558 /**
559  * tls_connection_get_write_alerts - Get connection write alert status
560  * @tls_ctx: TLS context data from tls_init()
561  * @conn: Connection context data from tls_connection_init()
562  * Returns: Number of times a fatal write (locally detected error) has happened
563  * during this connection.
564  */
565 int tls_connection_get_write_alerts(void *tls_ctx,
566 				    struct tls_connection *conn);
567 
568 typedef int (*tls_session_ticket_cb)
569 (void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
570  const u8 *server_random, u8 *master_secret);
571 
572 int __must_check  tls_connection_set_session_ticket_cb(
573 	void *tls_ctx, struct tls_connection *conn,
574 	tls_session_ticket_cb cb, void *ctx);
575 
576 void tls_connection_set_log_cb(struct tls_connection *conn,
577 			       void (*log_cb)(void *ctx, const char *msg),
578 			       void *ctx);
579 
580 #define TLS_BREAK_VERIFY_DATA BIT(0)
581 #define TLS_BREAK_SRV_KEY_X_HASH BIT(1)
582 #define TLS_BREAK_SRV_KEY_X_SIGNATURE BIT(2)
583 #define TLS_DHE_PRIME_511B BIT(3)
584 #define TLS_DHE_PRIME_767B BIT(4)
585 #define TLS_DHE_PRIME_15 BIT(5)
586 #define TLS_DHE_PRIME_58B BIT(6)
587 #define TLS_DHE_NON_PRIME BIT(7)
588 
589 void tls_connection_set_test_flags(struct tls_connection *conn, u32 flags);
590 
591 int tls_get_library_version(char *buf, size_t buf_len);
592 
593 void tls_connection_set_success_data(struct tls_connection *conn,
594 				     struct wpabuf *data);
595 
596 void tls_connection_set_success_data_resumed(struct tls_connection *conn);
597 
598 const struct wpabuf *
599 tls_connection_get_success_data(struct tls_connection *conn);
600 
601 void tls_connection_remove_session(struct tls_connection *conn);
602 
603 #endif /* TLS_H */
604