static int eap_tls_init_connection(struct eap_sm *sm,
struct eap_ssl_data *data,
struct eap_peer_config *config,
struct tls_connection_params *params)
{
int res;
if (config->ocsp)
params->flags |= TLS_CONN_REQUEST_OCSP;
if (config->ocsp == 2)
params->flags |= TLS_CONN_REQUIRE_OCSP;
data->conn = tls_connection_init(data->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
"connection");
return -1;
}
res = tls_connection_set_params(data->ssl_ctx, data->conn, params);
if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
/*
* At this point with the pkcs11 engine the PIN might be wrong.
* We reset the PIN in the configuration to be sure to not use
* it again and the calling function must request a new one.
*/
os_free(config->pin);
config->pin = NULL;
} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
wpa_printf(MSG_INFO, "TLS: Failed to load private key");
/*
* We do not know exactly but maybe the PIN was wrong,
* so ask for a new one.
*/
os_free(config->pin);
config->pin = NULL;
eap_sm_request_pin(sm);
sm->ignore = TRUE;
tls_connection_deinit(data->ssl_ctx, data->conn);
data->conn = NULL;
return -1;
} else if (res) {
wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
"parameters");
tls_connection_deinit(data->ssl_ctx, data->conn);
data->conn = NULL;
return -1;
}
return 0;
}
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer)
{
data->eap = sm;
data->phase2 = sm->init_phase2;
data->conn = tls_connection_init(sm->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
"connection");
return -1;
}
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
"of TLS peer certificate");
tls_connection_deinit(sm->ssl_ctx, data->conn);
data->conn = NULL;
return -1;
}
/* TODO: make this configurable */
data->tls_out_limit = 1398;
if (data->phase2) {
/* Limit the fragment size in the inner TLS authentication
* since the outer authentication with EAP-PEAP does not yet
* support fragmentation */
if (data->tls_out_limit > 100)
data->tls_out_limit -= 100;
}
return 0;
}
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
{
tls_connection_deinit(sm->ssl_ctx, data->conn);
eap_server_tls_free_in_buf(data);
wpabuf_free(data->tls_out);
data->tls_out = NULL;
}
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer, int eap_type)
{
u8 session_ctx[8];
unsigned int flags = 0;
if (sm->ssl_ctx == NULL) {
wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
return -1;
}
data->eap = sm;
data->phase2 = sm->init_phase2;
data->conn = tls_connection_init(sm->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
"connection");
return -1;
}
#ifdef CONFIG_TLS_INTERNAL
tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm);
#ifdef CONFIG_TESTING_OPTIONS
tls_connection_set_test_flags(data->conn, sm->tls_test_flags);
#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_TLS_INTERNAL */
if (eap_type != EAP_TYPE_FAST)
flags |= TLS_CONN_DISABLE_SESSION_TICKET;
os_memcpy(session_ctx, "hostapd", 7);
session_ctx[7] = (u8) eap_type;
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
flags, session_ctx,
sizeof(session_ctx))) {
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
"of TLS peer certificate");
tls_connection_deinit(sm->ssl_ctx, data->conn);
data->conn = NULL;
return -1;
}
data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398;
if (data->phase2) {
/* Limit the fragment size in the inner TLS authentication
* since the outer authentication with EAP-PEAP does not yet
* support fragmentation */
if (data->tls_out_limit > 100)
data->tls_out_limit -= 100;
}
return 0;
}
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer)
{
if (sm->ssl_ctx == NULL) {
wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
return -1;
}
data->eap = sm;
data->phase2 = sm->init_phase2;
data->conn = tls_connection_init(sm->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
"connection");
return -1;
}
#ifdef CONFIG_TLS_INTERNAL
tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm);
#ifdef CONFIG_TESTING_OPTIONS
tls_connection_set_test_flags(data->conn, sm->tls_test_flags);
#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_TLS_INTERNAL */
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
"of TLS peer certificate");
tls_connection_deinit(sm->ssl_ctx, data->conn);
data->conn = NULL;
return -1;
}
data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398;
if (data->phase2) {
/* Limit the fragment size in the inner TLS authentication
* since the outer authentication with EAP-PEAP does not yet
* support fragmentation */
if (data->tls_out_limit > 100)
data->tls_out_limit -= 100;
}
return 0;
}
void eap_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
{
tls_connection_deinit(sm->ssl_ctx, data->conn);
free(data->tls_in);
free(data->tls_out);
}
/**
* eap_peer_tls_ssl_deinit - Deinitialize shared TLS functionality
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
* @data: Data for TLS processing
*
* This function deinitializes shared TLS functionality that was initialized
* with eap_peer_tls_ssl_init().
*/
void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
{
tls_connection_deinit(data->ssl_ctx, data->conn);
eap_peer_tls_reset_input(data);
eap_peer_tls_reset_output(data);
}
