/*
 * eap_tls_params_from_conf - Build TLS connection parameters from a network
 * configuration block.
 * @sm: EAP state machine, passed through to eap_tls_check_blob()
 * @data: Per-session TLS state; only tls_ia is copied from it
 * @params: Output structure, cleared before being filled
 * @config: Network configuration to read from
 * @phase2: Non-zero to take the phase 2 (inner method) options via
 *	eap_tls_params_from_conf2(), otherwise the phase 1 ones via
 *	eap_tls_params_from_conf1()
 * Returns: 0 on success, -1 if eap_tls_check_blob() fails for any of the
 * ca_cert, client_cert, private_key or dh_file entries
 */
static int eap_tls_params_from_conf(struct eap_sm *sm,
				    struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct wpa_ssid *config, int phase2)
{
	int blobs_ok;

	os_memset(params, 0, sizeof(*params));
	params->engine = config->engine;
	if (phase2) {
		eap_tls_params_from_conf2(params, config);
	} else {
		eap_tls_params_from_conf1(params, config);
	}
	params->tls_ia = data->tls_ia;

	/*
	 * Use blob data where available, otherwise keep the external file
	 * reference as-is. The checks run in order and the chain stops at
	 * the first one that fails.
	 */
	blobs_ok = eap_tls_check_blob(sm, &params->ca_cert,
				      &params->ca_cert_blob,
				      &params->ca_cert_blob_len) == 0 &&
		eap_tls_check_blob(sm, &params->client_cert,
				   &params->client_cert_blob,
				   &params->client_cert_blob_len) == 0 &&
		eap_tls_check_blob(sm, &params->private_key,
				   &params->private_key_blob,
				   &params->private_key_blob_len) == 0 &&
		eap_tls_check_blob(sm, &params->dh_file, &params->dh_blob,
				   &params->dh_blob_len) == 0;
	if (!blobs_ok) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		return -1;
	}

	return 0;
}
/*
 * eap_tls_params_from_conf - Build TLS connection parameters from the EAP
 * peer configuration.
 * @sm: EAP state machine, passed through to eap_tls_check_blob()
 * @data: Per-session TLS state; only tls_ia is copied from it
 * @params: Output structure, cleared before being filled
 * @config: EAP peer configuration to read from
 * @phase2: Non-zero to take the phase 2 (inner method) options via
 *	eap_tls_params_from_conf2(), otherwise the phase 1 ones via
 *	eap_tls_params_from_conf1()
 * Returns: 0 on success, -1 if eap_tls_check_blob() fails for any of the
 * ca_cert, client_cert, private_key or dh_file entries
 */
static int eap_tls_params_from_conf(struct eap_sm *sm,
				    struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct eap_peer_config *config, int phase2)
{
	os_memset(params, 0, sizeof(*params));

	if (phase2) {
		wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
		eap_tls_params_from_conf2(params, config);
	} else {
		wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
		eap_tls_params_from_conf1(params, config);
	}
	params->tls_ia = data->tls_ia;

	/*
	 * Use blob data, if available; otherwise keep the reference to the
	 * external file as-is. Bail out at the first blob that cannot be
	 * fetched.
	 */
	if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
			       &params->ca_cert_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->client_cert,
			       &params->client_cert_blob,
			       &params->client_cert_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->private_key,
			       &params->private_key_blob,
			       &params->private_key_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->dh_file, &params->dh_blob,
			       &params->dh_blob_len))
		goto fail;

	return 0;

fail:
	wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
	return -1;
}
/*
 * eap_tls_params_from_conf - Build TLS connection parameters from the EAP
 * peer configuration, applying the session-ticket and protocol-version
 * workarounds.
 * @sm: EAP state machine; sm->workaround gates the session ticket workaround
 *	and sm is passed through to eap_tls_check_blob()
 * @data: Per-session TLS state; data->eap_type selects the EAP-FAST handling
 * @params: Output structure, cleared before being filled
 * @config: EAP peer configuration to read from
 * @phase2: Non-zero to take the phase 2 (inner method) options via
 *	eap_tls_params_from_conf2(), otherwise the phase 1 ones via
 *	eap_tls_params_from_conf1()
 * Returns: 0 on success, -1 if eap_tls_check_blob() fails for any of the
 * ca_cert, client_cert, private_key or dh_file entries
 */
static int eap_tls_params_from_conf(struct eap_sm *sm,
				    struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct eap_peer_config *config, int phase2)
{
	int failed;

	os_memset(params, 0, sizeof(*params));

	/*
	 * Some deployed authentication servers seem to be unable to handle
	 * the TLS Session Ticket extension (they are supposed to ignore
	 * unrecognized TLS extensions, but end up rejecting the ClientHello
	 * instead). As a workaround, disable use of the TLS Session Ticket
	 * extension for EAP-TLS, EAP-PEAP, and EAP-TTLS. EAP-FAST uses the
	 * session ticket itself, so any server that supports EAP-FAST does
	 * not need this workaround and is excluded.
	 */
	if (sm->workaround && data->eap_type != EAP_TYPE_FAST)
		params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;

	if (phase2) {
		wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
		eap_tls_params_from_conf2(params, config);
	} else {
		wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
		eap_tls_params_from_conf1(params, config);
		if (data->eap_type == EAP_TYPE_FAST)
			params->flags |= TLS_CONN_EAP_FAST;
	}

	/*
	 * crbug.com/605310 - temporarily disable TLSv1.1 and TLSv1.2 until
	 * they can be controlled via policy.
	 * NOTE(review): with both flags set, every session built from these
	 * parameters is limited to whatever older protocol versions the TLS
	 * library still permits (presumably TLSv1.0), i.e. this is a
	 * protocol-version downgrade for all EAP-TLS based methods and should
	 * be revisited as soon as the policy control exists.
	 */
	params->flags |= TLS_CONN_DISABLE_TLSv1_1 | TLS_CONN_DISABLE_TLSv1_2;

	/*
	 * Use blob data, if available. Otherwise, leave the reference to the
	 * external file as-is. Later checks are skipped once one has failed.
	 */
	failed = eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
				    &params->ca_cert_blob_len);
	if (!failed)
		failed = eap_tls_check_blob(sm, &params->client_cert,
					    &params->client_cert_blob,
					    &params->client_cert_blob_len);
	if (!failed)
		failed = eap_tls_check_blob(sm, &params->private_key,
					    &params->private_key_blob,
					    &params->private_key_blob_len);
	if (!failed)
		failed = eap_tls_check_blob(sm, &params->dh_file,
					    &params->dh_blob,
					    &params->dh_blob_len);
	if (failed) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		return -1;
	}

	params->openssl_ciphers = config->openssl_ciphers;

	return 0;
}
/*
 * eap_tls_ssl_init_fill_params - Copy the certificate, key and engine
 * settings for the current phase from the network configuration into
 * @params.
 * @params: Parameter block to fill (already zeroed by the caller)
 * @config: Network configuration to read from
 * @phase2: Non-zero to take the "*2" (inner method) fields
 *
 * Only the phase 1 branch copies the device sub-CA certificates and the
 * engine_id/pin/key_id/cipher_rule settings; the phase 2 branch does not.
 */
static void eap_tls_ssl_init_fill_params(struct tls_connection_params *params,
					 struct wpa_ssid *config, int phase2)
{
	params->engine = config->engine;

	if (phase2) {
		params->ca_cert = (char *) config->ca_cert2;
		params->ca_path = (char *) config->ca_path2;
		params->client_cert = (char *) config->client_cert2;
		params->private_key = (char *) config->private_key2;
		params->private_key_passwd =
			(char *) config->private_key2_passwd;
		params->dh_file = (char *) config->dh_file2;
		params->subject_match = (char *) config->subject_match2;
		params->altsubject_match = (char *) config->altsubject_match2;
		return;
	}

	params->ca_cert = (char *) config->ca_cert;
	params->ca_path = (char *) config->ca_path;
	params->client_cert = (char *) config->client_cert;
	params->device_subca1_cert = (char *) config->device_subca1_cert;
	params->device_subca2_cert = (char *) config->device_subca2_cert;
	params->private_key = (char *) config->private_key;
	params->private_key_passwd = (char *) config->private_key_passwd;
	params->dh_file = (char *) config->dh_file;
	params->subject_match = (char *) config->subject_match;
	params->altsubject_match = (char *) config->altsubject_match;
	params->engine_id = config->engine_id;
	params->pin = config->pin;
	params->key_id = config->key_id;
	params->cipher_rule = config->cipher_rule;
}


/*
 * eap_tls_ssl_init_load_blobs - Run eap_tls_check_blob() over every
 * certificate/key entry in @params, in the same order as before.
 * @sm: EAP state machine, passed through to eap_tls_check_blob()
 * @params: Parameter block whose entries are checked
 * Returns: 0 if every check passed, -1 at the first failing check (the
 * remaining entries are then left untouched)
 *
 * The device sub-CA entries are only checked in BECEEM_CSCM builds.
 */
static int eap_tls_ssl_init_load_blobs(struct eap_sm *sm,
				       struct tls_connection_params *params)
{
	if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
			       &params->ca_cert_blob_len))
		return -1;
	if (eap_tls_check_blob(sm, &params->client_cert,
			       &params->client_cert_blob,
			       &params->client_cert_blob_len))
		return -1;
#ifdef BECEEM_CSCM
	if (eap_tls_check_blob(sm, &params->device_subca1_cert,
			       &params->device_subca1_cert_blob,
			       &params->device_subca1_cert_blob_len))
		return -1;
	if (eap_tls_check_blob(sm, &params->device_subca2_cert,
			       &params->device_subca2_cert_blob,
			       &params->device_subca2_cert_blob_len))
		return -1;
#endif
	if (eap_tls_check_blob(sm, &params->private_key,
			       &params->private_key_blob,
			       &params->private_key_blob_len))
		return -1;
	if (eap_tls_check_blob(sm, &params->dh_file, &params->dh_blob,
			       &params->dh_blob_len))
		return -1;

	return 0;
}


/*
 * eap_tls_ssl_init_set_out_limit - Derive the outgoing TLS fragment limit
 * from config->fragment_size.
 * @data: Per-session TLS state; tls_out_limit is written, phase2 is read
 * @config: Network configuration providing fragment_size
 *
 * TODO: make this configurable (the upstream code used a fixed 1398).
 * fragment_size above 256 is reduced by the 10 byte TLS header so that the
 * total stays below 1400 bytes; anything else falls back to 256. The inner
 * (phase 2) TLS authentication is limited further, since the outer
 * authentication with EAP-PEAP does not yet support fragmentation.
 */
static void eap_tls_ssl_init_set_out_limit(struct eap_ssl_data *data,
					   struct wpa_ssid *config)
{
	if (config->fragment_size > 256)
		data->tls_out_limit = config->fragment_size - 10;
	else
		data->tls_out_limit = 256;

	if (data->phase2 && data->tls_out_limit > 100)
		data->tls_out_limit -= 100;
}


/*
 * eap_tls_ssl_init - Initialize the TLS connection for an EAP-TLS based
 * method.
 * @sm: EAP state machine; sm->ssl_ctx is the TLS context and
 *	sm->init_phase2 selects the phase 1 or phase 2 configuration
 * @data: Per-session TLS state to initialize (eap, phase2, conn,
 *	tls_out_limit and include_tls_length are written)
 * @config: Network configuration; config->pin is freed and cleared when the
 *	engine reports a private key init/verify failure so that a fresh PIN
 *	is requested instead of reusing the possibly wrong one
 * Returns: 0 on success, -1 on failure (also when @config is NULL)
 *
 * NOTE(review): on the failure paths taken after tls_connection_init()
 * succeeded, data->conn is left set; this relies on the caller releasing it
 * through the usual deinit path - confirm against the callers.
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	struct tls_connection_params params;
	int ret = -1;
	int res;

	if (config == NULL)
		return -1;

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	memset(&params, 0, sizeof(params));
	eap_tls_ssl_init_fill_params(&params, config, data->phase2);

	if (eap_tls_ssl_init_load_blobs(sm, &params)) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		goto done;
	}

#ifdef BECEEM_CSCM
	/*
	 * Load the client certificate chain file straight into the shared
	 * SSL_CTX. NOTE(review): a failure here is only logged at debug level
	 * and does not abort the initialization; tls_connection_set_params()
	 * below is still handed the same client_cert path.
	 */
	if (params.client_cert != NULL && params.client_cert[0]) {
		int loaded = SSL_CTX_use_certificate_chain_file(
			sm->ssl_ctx, params.client_cert) == 1;

		if (loaded)
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file --> OK");
		else
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file failed");
	}
#endif

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		goto done;
	}

	res = tls_connection_set_params(sm->ssl_ctx, data->conn, &params);
	switch (res) {
	case 0:
		break;
	case TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED:
		/*
		 * At this point with the pkcs11 engine the PIN might be wrong.
		 * Reset the PIN in the configuration to be sure not to use it
		 * again; the calling function must request a new one. The
		 * initialization itself carries on as before.
		 */
		free(config->pin);
		config->pin = NULL;
		break;
	case TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED:
		wpa_printf(MSG_INFO,"TLS: Failed to load private key");
		/*
		 * We don't know exactly, but maybe the PIN was wrong, so drop
		 * it and ask for a new one.
		 */
		free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm, config);
		sm->ignore = TRUE;
		goto done;
	default:
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
		goto done;
	}

	eap_tls_ssl_init_set_out_limit(data, config);

	if (config->phase1 &&
	    strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	ret = 0;

done:
	return ret;
}