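/*
 * eap_tls_init_connection - Create the TLS connection for an EAP-TLS based
 * method and apply the configured TLS parameters to it.
 * @sm: EAP state machine
 * @data: Per-method TLS state; on success data->conn holds the new connection
 * @config: Peer configuration; config->pin is freed and cleared whenever the
 *	engine reports a PIN related problem so a stale PIN is never retried
 * @params: TLS connection parameters already filled in by the caller; the
 *	OCSP request/require flags are added here from config->ocsp
 * Returns: 0 on success, -1 on failure
 *
 * On every failure of tls_connection_set_params() the half-initialized
 * connection is torn down and data->conn is left NULL, so a caller never
 * continues with a connection whose parameters were not applied.
 */
static int eap_tls_init_connection(struct eap_sm *sm,
				   struct eap_ssl_data *data,
				   struct eap_peer_config *config,
				   struct tls_connection_params *params)
{
	int res;

	/* ocsp: 0 = off, 1 = request stapling, 2 = require a good response */
	if (config->ocsp)
		params->flags |= TLS_CONN_REQUEST_OCSP;
	if (config->ocsp == 2)
		params->flags |= TLS_CONN_REQUIRE_OCSP;

	data->conn = tls_connection_init(data->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

	res = tls_connection_set_params(data->ssl_ctx, data->conn, params);
	if (res == 0)
		return 0;

	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
		/*
		 * At this point with the pkcs11 engine the PIN might be wrong.
		 * We reset the PIN in the configuration to be sure to not use
		 * it again and the calling function must request a new one.
		 */
		wpa_printf(MSG_INFO, "TLS: Failed to initialize engine "
			   "private key");
		os_free(config->pin);
		config->pin = NULL;
	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		/*
		 * We do not know exactly but maybe the PIN was wrong,
		 * so ask for a new one.
		 */
		os_free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm);
		sm->ignore = TRUE;
	} else {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
	}

	/*
	 * Common failure path. Previously the ENGINE_PRV_INIT_FAILED case fell
	 * through to "return 0" and handed the caller a live connection whose
	 * parameters had not been applied; now every set_params failure is
	 * reported as such and the connection is released.
	 */
	tls_connection_deinit(data->ssl_ctx, data->conn);
	data->conn = NULL;
	return -1;
}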
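/*
 * eap_tls_fill_params - Copy the TLS related fields of a network
 * configuration into a tls_connection_params structure.
 * @data: Per-method TLS state; data->phase2 selects the phase 2 (inner
 *	authentication) variants of the certificate/key options
 * @config: Network configuration the values are taken from
 * @params: Output structure; it is zeroed here before being filled
 *
 * Only pointers are stored, nothing is copied, so @config must stay valid
 * for as long as @params is in use. The casts drop the configuration's
 * field type; the TLS layer consumes these values as C strings.
 */
static void eap_tls_fill_params(struct eap_ssl_data *data,
				struct wpa_ssid *config,
				struct tls_connection_params *params)
{
	memset(params, 0, sizeof(*params));
	params->engine = config->engine;

	if (data->phase2) {
		params->ca_cert = (char *) config->ca_cert2;
		params->ca_path = (char *) config->ca_path2;
		params->client_cert = (char *) config->client_cert2;
		params->private_key = (char *) config->private_key2;
		params->private_key_passwd =
			(char *) config->private_key2_passwd;
		params->dh_file = (char *) config->dh_file2;
		params->subject_match = (char *) config->subject_match2;
		params->altsubject_match = (char *) config->altsubject_match2;
		return;
	}

	params->ca_cert = (char *) config->ca_cert;
	params->ca_path = (char *) config->ca_path;
	params->client_cert = (char *) config->client_cert;
	params->device_subca1_cert = (char *) config->device_subca1_cert;
	params->device_subca2_cert = (char *) config->device_subca2_cert;
	params->private_key = (char *) config->private_key;
	params->private_key_passwd = (char *) config->private_key_passwd;
	params->dh_file = (char *) config->dh_file;
	params->subject_match = (char *) config->subject_match;
	params->altsubject_match = (char *) config->altsubject_match;
	/* Engine (e.g. pkcs11) options are only used for the outer TLS. */
	params->engine_id = config->engine_id;
	params->pin = config->pin;
	params->key_id = config->key_id;
	params->cipher_rule = config->cipher_rule;
}


/*
 * eap_tls_ssl_init - Initialize the TLS connection for an EAP method
 * @sm: EAP state machine
 * @data: Per-method TLS state to fill in (eap, phase2, conn, fragment limits)
 * @config: Network configuration; config->pin is freed and cleared whenever
 *	the engine reports a PIN related problem so it is never retried
 * Returns: 0 on success, -1 on failure
 *
 * On failure data->conn is NULL: a connection created here is released
 * again if tls_connection_set_params() does not succeed, so the caller
 * never continues with a connection whose parameters were not applied.
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	int ret = -1, res;
	struct tls_connection_params params;

	if (config == NULL)
		return -1;

	data->eap = sm;
	data->phase2 = sm->init_phase2;
	eap_tls_fill_params(data, config, &params);

	/* "blob://" references are resolved into in-memory blobs here. */
	if (eap_tls_check_blob(sm, &params.ca_cert, &params.ca_cert_blob,
			       &params.ca_cert_blob_len) ||
	    eap_tls_check_blob(sm, &params.client_cert,
			       &params.client_cert_blob,
			       &params.client_cert_blob_len) ||
#ifdef BECEEM_CSCM
	    eap_tls_check_blob(sm, &params.device_subca1_cert,
			       &params.device_subca1_cert_blob,
			       &params.device_subca1_cert_blob_len) ||
	    eap_tls_check_blob(sm, &params.device_subca2_cert,
			       &params.device_subca2_cert_blob,
			       &params.device_subca2_cert_blob_len) ||
#endif
	    eap_tls_check_blob(sm, &params.private_key,
			       &params.private_key_blob,
			       &params.private_key_blob_len) ||
	    eap_tls_check_blob(sm, &params.dh_file, &params.dh_blob,
			       &params.dh_blob_len)) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		goto done;
	}

#ifdef BECEEM_CSCM
	/*
	 * NOTE(review): this bypasses the tls_connection_* abstraction and
	 * loads the client certificate chain into the shared SSL_CTX, i.e.
	 * it affects every connection created from that context, not only
	 * this one, and a failure is merely logged. The per-connection
	 * client_cert set below is still what has to succeed.
	 */
	if (params.client_cert != NULL && params.client_cert[0]) {
		if (SSL_CTX_use_certificate_chain_file(sm->ssl_ctx,
						       params.client_cert)
		    == 1) {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file --> OK");
		} else {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file failed");
		}
	}
#endif

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		goto done;
	}

	res = tls_connection_set_params(sm->ssl_ctx, data->conn, &params);
	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
		/* At this point with the pkcs11 engine the PIN might be wrong.
		 * We reset the PIN in the configuration to be sure to not use
		 * it again and the calling function must request a new one */
		free(config->pin);
		config->pin = NULL;
	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		wpa_printf(MSG_INFO,"TLS: Failed to load private key");
		/* We don't know exactly but maybe the PIN was wrong,
		 * so ask for a new one.
		 */
		free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm, config);
		sm->ignore = TRUE;
	} else if (res) {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
	}
	if (res) {
		/*
		 * Any set_params failure is a failure of this function:
		 * previously ENGINE_PRV_INIT_FAILED fell through and returned
		 * 0, and the other errors returned -1 but left the connection
		 * allocated in data->conn. Release it so the caller sees a
		 * clean state.
		 */
		tls_connection_deinit(sm->ssl_ctx, data->conn);
		data->conn = NULL;
		goto done;
	}

	/* TODO: make this configurable */
	// Original: data->tls_out_limit = 1398;
	if (config->fragment_size > 256)
		data->tls_out_limit = config->fragment_size - 10; // +TLS header of 10 bytes; total should be < 1400 bytes
	else
		data->tls_out_limit = 256;

	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	if (config->phase1 && strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	ret = 0;

done:
	return ret;
}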