/*
 * eap_tls_params_from_conf - Build TLS connection parameters from a network
 * @sm: EAP state machine
 * @data: Common EAP-TLS data; only data->tls_ia is read here
 * @params: Output structure, zeroed before anything is written to it
 * @config: Network block supplying the phase1/phase2 TLS settings
 * @phase2: Non-zero selects the phase2 (inner method) settings
 * Returns: 0 on success, -1 if any configured blob reference could not be
 * resolved
 *
 * The certificate, key and path fields are copied by the
 * eap_tls_params_from_conf1()/eap_tls_params_from_conf2() helpers (not
 * shown here). Afterwards every file reference is run through
 * eap_tls_check_blob() in a fixed order; the first reference that fails
 * aborts the whole setup, so the TLS layer never sees a half-resolved
 * parameter set.
 */
static int eap_tls_params_from_conf(struct eap_sm *sm,
				    struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct wpa_ssid *config, int phase2)
{
	int blob_failed;

	os_memset(params, 0, sizeof(*params));

	/* Engine selection is set before the per-phase copy, as the helpers
	 * may rely on it being in place. */
	params->engine = config->engine;

	if (phase2)
		eap_tls_params_from_conf2(params, config);
	else
		eap_tls_params_from_conf1(params, config);

	params->tls_ia = data->tls_ia;

	/*
	 * Resolve blob references one at a time and stop at the first failure;
	 * later references are not examined once one has failed.
	 */
	blob_failed = eap_tls_check_blob(sm, &params->ca_cert,
					 &params->ca_cert_blob,
					 &params->ca_cert_blob_len);
	if (!blob_failed)
		blob_failed = eap_tls_check_blob(sm, &params->client_cert,
						 &params->client_cert_blob,
						 &params->client_cert_blob_len);
	if (!blob_failed)
		blob_failed = eap_tls_check_blob(sm, &params->private_key,
						 &params->private_key_blob,
						 &params->private_key_blob_len);
	if (!blob_failed)
		blob_failed = eap_tls_check_blob(sm, &params->dh_file,
						 &params->dh_blob,
						 &params->dh_blob_len);

	if (blob_failed) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		return -1;
	}

	return 0;
}
/*
 * eap_tls_params_from_conf - Build TLS connection parameters from a network
 * @sm: EAP state machine
 * @data: Common EAP-TLS data; only data->tls_ia is read here
 * @params: Output structure, zeroed before anything is written to it
 * @config: Peer configuration supplying the phase1/phase2 TLS settings
 * @phase2: Non-zero selects the phase2 (inner method) settings
 * Returns: 0 on success, -1 if any configured blob reference could not be
 * resolved
 *
 * The per-phase certificate/key settings are copied by
 * eap_tls_params_from_conf1()/eap_tls_params_from_conf2() (not shown here).
 * Each file reference is then handed to eap_tls_check_blob(): a blob://
 * name is replaced by the in-memory blob data, while a plain file reference
 * is left untouched. Resolution stops at the first failure.
 */
static int eap_tls_params_from_conf(struct eap_sm *sm,
				    struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct eap_peer_config *config, int phase2)
{
	os_memset(params, 0, sizeof(*params));

	if (phase2) {
		wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
		eap_tls_params_from_conf2(params, config);
	} else {
		wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
		eap_tls_params_from_conf1(params, config);
	}

	params->tls_ia = data->tls_ia;

	/* Order matters only in that the first failing reference wins. */
	if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
			       &params->ca_cert_blob_len))
		goto blob_failed;
	if (eap_tls_check_blob(sm, &params->client_cert,
			       &params->client_cert_blob,
			       &params->client_cert_blob_len))
		goto blob_failed;
	if (eap_tls_check_blob(sm, &params->private_key,
			       &params->private_key_blob,
			       &params->private_key_blob_len))
		goto blob_failed;
	if (eap_tls_check_blob(sm, &params->dh_file, &params->dh_blob,
			       &params->dh_blob_len))
		goto blob_failed;

	return 0;

blob_failed:
	wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
	return -1;
}
/*
 * eap_tls_resolve_config_blobs - Swap blob:// references for blob data
 * @sm: EAP state machine that owns the configured blobs
 * @p: Parameter set whose ca_cert/client_cert/private_key/dh_file fields
 *	are examined
 * Returns: 0 when every reference resolved, -1 at the first one that did
 * not (remaining references are then not examined)
 *
 * Plain file references are left as they are; only blob:// names are
 * replaced by the corresponding in-memory data.
 */
static int eap_tls_resolve_config_blobs(struct eap_sm *sm,
					struct tls_connection_params *p)
{
	int failed;

	failed = eap_tls_check_blob(sm, &p->ca_cert, &p->ca_cert_blob,
				    &p->ca_cert_blob_len);
	failed = failed || eap_tls_check_blob(sm, &p->client_cert,
					      &p->client_cert_blob,
					      &p->client_cert_blob_len);
	failed = failed || eap_tls_check_blob(sm, &p->private_key,
					      &p->private_key_blob,
					      &p->private_key_blob_len);
	failed = failed || eap_tls_check_blob(sm, &p->dh_file, &p->dh_blob,
					      &p->dh_blob_len);

	return failed ? -1 : 0;
}


/*
 * eap_tls_params_from_conf - Build TLS connection parameters from a network
 * @sm: EAP state machine; sm->workaround enables server-compatibility hacks
 * @data: Common EAP-TLS data; data->eap_type tells which EAP method is in use
 * @params: Output structure, zeroed before anything is written to it
 * @config: Peer configuration supplying the phase1/phase2 TLS settings and
 *	the OpenSSL cipher string
 * @phase2: Non-zero selects the phase2 (inner method) settings
 * Returns: 0 on success, -1 if any configured blob reference could not be
 * resolved
 *
 * Besides copying the per-phase certificate settings, this function sets the
 * connection flags: the session-ticket workaround, the EAP-FAST marker for
 * phase1 and the (temporary) TLS version restriction described inline.
 */
static int eap_tls_params_from_conf(struct eap_sm *sm,
				    struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct eap_peer_config *config, int phase2)
{
	int is_fast = data->eap_type == EAP_TYPE_FAST;

	os_memset(params, 0, sizeof(*params));

	/*
	 * Some deployed authentication servers cannot cope with the TLS
	 * Session Ticket extension: instead of ignoring an unknown extension
	 * they reject the ClientHello outright. When the workaround mode is
	 * on, leave the extension out for EAP-TLS, EAP-PEAP and EAP-TTLS.
	 * EAP-FAST depends on session tickets, so any server that speaks
	 * EAP-FAST handles the extension and is excluded here.
	 */
	if (sm->workaround && !is_fast)
		params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;

	if (phase2) {
		wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
		eap_tls_params_from_conf2(params, config);
	} else {
		wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
		eap_tls_params_from_conf1(params, config);
		if (is_fast)
			params->flags |= TLS_CONN_EAP_FAST;
	}

	/*
	 * crbug.com/605310 - TLSv1.1 and TLSv1.2 are disabled unconditionally
	 * until they can be controlled via policy.
	 *
	 * NOTE(review): this is a protocol downgrade, not a compatibility
	 * tweak. Every EAP-TLS/PEAP/TTLS handshake built from these parameters
	 * is limited to TLS 1.0 (or whatever older versions the TLS library
	 * still allows), regardless of what the server supports and regardless
	 * of the workaround flag above. It should be removed as soon as the
	 * policy control exists, and until then nothing here prevents a
	 * server-side TLS 1.0 deprecation from breaking authentication.
	 */
	params->flags |= TLS_CONN_DISABLE_TLSv1_1 | TLS_CONN_DISABLE_TLSv1_2;

	if (eap_tls_resolve_config_blobs(sm, params) < 0) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		return -1;
	}

	/* Cipher string is applied last so a blob failure never leaves a
	 * partially-filled params behind with it set. */
	params->openssl_ciphers = config->openssl_ciphers;

	return 0;
}
/*
 * eap_tls_ssl_init_phase2_params - Copy phase2 (inner method) TLS settings
 * @p: Parameter set to fill; fields not listed keep their zeroed value
 * @cfg: Network block the *2 variants of the settings are read from
 *
 * Note that no engine_id/pin/key_id is copied for phase2: engine-backed keys
 * are only wired up for the outer (phase1) authentication below.
 */
static void eap_tls_ssl_init_phase2_params(struct tls_connection_params *p,
					   struct wpa_ssid *cfg)
{
	p->ca_cert = (char *) cfg->ca_cert2;
	p->ca_path = (char *) cfg->ca_path2;
	p->client_cert = (char *) cfg->client_cert2;
	p->private_key = (char *) cfg->private_key2;
	p->private_key_passwd = (char *) cfg->private_key2_passwd;
	p->dh_file = (char *) cfg->dh_file2;
	p->subject_match = (char *) cfg->subject_match2;
	p->altsubject_match = (char *) cfg->altsubject_match2;
}


/*
 * eap_tls_ssl_init_phase1_params - Copy phase1 (outer) TLS settings
 * @p: Parameter set to fill; fields not listed keep their zeroed value
 * @cfg: Network block the settings are read from
 *
 * The device sub-CA certificates are always copied here, even though their
 * blob references are only resolved when BECEEM_CSCM is defined.
 */
static void eap_tls_ssl_init_phase1_params(struct tls_connection_params *p,
					   struct wpa_ssid *cfg)
{
	p->ca_cert = (char *) cfg->ca_cert;
	p->ca_path = (char *) cfg->ca_path;
	p->client_cert = (char *) cfg->client_cert;
	p->device_subca1_cert = (char *) cfg->device_subca1_cert;
	p->device_subca2_cert = (char *) cfg->device_subca2_cert;
	p->private_key = (char *) cfg->private_key;
	p->private_key_passwd = (char *) cfg->private_key_passwd;
	p->dh_file = (char *) cfg->dh_file;
	p->subject_match = (char *) cfg->subject_match;
	p->altsubject_match = (char *) cfg->altsubject_match;
	p->engine_id = cfg->engine_id;
	p->pin = cfg->pin;
	p->key_id = cfg->key_id;
	p->cipher_rule = cfg->cipher_rule;
}


/*
 * eap_tls_ssl_init_resolve_blobs - Replace blob:// references with blob data
 * @sm: EAP state machine that owns the configured blobs
 * @p: Parameter set whose file references are examined, in a fixed order
 * Returns: 0 if every reference resolved, -1 at the first one that did not
 * (later references are then not examined)
 */
static int eap_tls_ssl_init_resolve_blobs(struct eap_sm *sm,
					  struct tls_connection_params *p)
{
	if (eap_tls_check_blob(sm, &p->ca_cert, &p->ca_cert_blob,
			       &p->ca_cert_blob_len))
		return -1;
	if (eap_tls_check_blob(sm, &p->client_cert, &p->client_cert_blob,
			       &p->client_cert_blob_len))
		return -1;
#ifdef BECEEM_CSCM
	if (eap_tls_check_blob(sm, &p->device_subca1_cert,
			       &p->device_subca1_cert_blob,
			       &p->device_subca1_cert_blob_len))
		return -1;
	if (eap_tls_check_blob(sm, &p->device_subca2_cert,
			       &p->device_subca2_cert_blob,
			       &p->device_subca2_cert_blob_len))
		return -1;
#endif
	if (eap_tls_check_blob(sm, &p->private_key, &p->private_key_blob,
			       &p->private_key_blob_len))
		return -1;
	if (eap_tls_check_blob(sm, &p->dh_file, &p->dh_blob, &p->dh_blob_len))
		return -1;

	return 0;
}


/*
 * eap_tls_ssl_init - Create the TLS connection for an EAP-TLS based method
 * @sm: EAP state machine; sm->ssl_ctx is the shared TLS context and
 *	sm->init_phase2 says whether this is the inner authentication
 * @data: Per-method EAP-TLS data; data->conn, data->tls_out_limit and
 *	data->include_tls_length are set here
 * @config: Network block; must not be NULL. config->pin may be freed and
 *	cleared here when the engine reports a private-key problem.
 * Returns: 0 on success, -1 on failure
 *
 * On failure after tls_connection_init() succeeded, data->conn is left set;
 * presumably the method's deinit path releases it - confirm against the
 * caller before relying on this.
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	struct tls_connection_params tparams;
	int res;

	if (config == NULL)
		return -1;

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	memset(&tparams, 0, sizeof(tparams));
	tparams.engine = config->engine;
	if (data->phase2)
		eap_tls_ssl_init_phase2_params(&tparams, config);
	else
		eap_tls_ssl_init_phase1_params(&tparams, config);

	if (eap_tls_ssl_init_resolve_blobs(sm, &tparams) < 0) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		return -1;
	}

#ifdef BECEEM_CSCM
	/*
	 * NOTE(review): this loads the client certificate chain straight into
	 * the shared SSL_CTX, bypassing the tls_connection_* abstraction, so
	 * it applies to every connection created from sm->ssl_ctx and not
	 * only to this one. A failure is logged at debug level only and does
	 * not abort the setup; tls_connection_set_params() below still gets
	 * the same client_cert path.
	 */
	if (tparams.client_cert != NULL && tparams.client_cert[0]) {
		if (SSL_CTX_use_certificate_chain_file(sm->ssl_ctx,
						       tparams.client_cert) == 1) {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file --> OK");
		} else {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file failed");
		}
	}
#endif

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

	res = tls_connection_set_params(sm->ssl_ctx, data->conn, &tparams);
	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
		/*
		 * With the pkcs11 engine the PIN might be wrong at this point.
		 * Drop it from the configuration so it is never reused; the
		 * caller is expected to request a new one.
		 *
		 * NOTE(review): this branch does not fail the call - setup
		 * continues and the function reports success even though the
		 * connection parameters were not applied. Confirm the caller
		 * really notices the cleared PIN. Also, the PIN is a secret
		 * and is handed to free() without being wiped first.
		 */
		free(config->pin);
		config->pin = NULL;
	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		/* Possibly a wrong PIN: discard it and ask for a fresh one. */
		free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm, config);
		sm->ignore = TRUE;
		return -1;
	} else if (res) {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
		return -1;
	}

	/*
	 * TODO: make this configurable.
	 * Outgoing fragment limit (previously a fixed 1398): leave room for
	 * the 10-byte TLS header so the frame stays under 1400 bytes. A
	 * fragment_size of 256 or less falls back to a 256-byte limit.
	 */
	data->tls_out_limit = config->fragment_size > 256 ?
		config->fragment_size - 10 : 256;

	/*
	 * The inner TLS authentication gets a smaller fragment since the
	 * outer EAP-PEAP authentication does not yet support fragmentation.
	 */
	if (data->phase2 && data->tls_out_limit > 100)
		data->tls_out_limit -= 100;

	if (config->phase1 && strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	return 0;
}