/**
 * eap_tls_params_from_conf - Fill TLS connection parameters from a network config
 * @sm: EAP state machine, passed through to the blob lookups
 * @data: Data for TLS processing (source of the tls_ia flag)
 * @params: TLS connection parameters to fill; zeroed before anything is set
 * @config: Network configuration (struct wpa_ssid) to take the values from
 * @phase2: Non-zero to use the phase 2 (inner) options, zero for phase 1
 * Returns: 0 on success, -1 if any certificate/key blob lookup fails
 *
 * The ca_cert, client_cert, private_key and dh_file references are each
 * handed to eap_tls_check_blob() in that order; the first failure aborts the
 * function and the remaining entries are not examined. On failure @params
 * may be partially filled.
 */
static int eap_tls_params_from_conf(struct eap_sm *sm, struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct wpa_ssid *config, int phase2)
{
	os_memset(params, 0, sizeof(*params));
	params->engine = config->engine;

	/* Phase 2 takes the inner-tunnel options, phase 1 the outer ones */
	if (phase2)
		eap_tls_params_from_conf2(params, config);
	else
		eap_tls_params_from_conf1(params, config);

	params->tls_ia = data->tls_ia;

	/* Blob lookups run in order; the first failure ends the sequence */
	if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
			       &params->ca_cert_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->client_cert,
			       &params->client_cert_blob,
			       &params->client_cert_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->private_key,
			       &params->private_key_blob,
			       &params->private_key_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->dh_file, &params->dh_blob,
			       &params->dh_blob_len))
		goto fail;

	return 0;

fail:
	wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
	return -1;
}
/**
 * eap_tls_params_from_conf - Fill TLS connection parameters from peer config
 * @sm: EAP state machine, passed through to the blob lookups
 * @data: Data for TLS processing (source of the tls_ia flag)
 * @params: TLS connection parameters to fill; zeroed before anything is set
 * @config: Network configuration to take the values from
 * @phase2: Non-zero to use the phase 2 (inner) options, zero for phase 1
 * Returns: 0 on success, -1 if any certificate/key blob lookup fails
 *
 * On failure @params may be partially filled.
 */
static int eap_tls_params_from_conf(struct eap_sm *sm, struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct eap_peer_config *config, int phase2)
{
	int rc;

	os_memset(params, 0, sizeof(*params));

	if (!phase2) {
		wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
		eap_tls_params_from_conf1(params, config);
	} else {
		wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
		eap_tls_params_from_conf2(params, config);
	}

	params->tls_ia = data->tls_ia;

	/*
	 * Use blob data where available; otherwise the external file
	 * reference stays as configured. The lookups are evaluated in order
	 * and stop at the first one that fails.
	 */
	rc = eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
				&params->ca_cert_blob_len);
	if (!rc)
		rc = eap_tls_check_blob(sm, &params->client_cert,
					&params->client_cert_blob,
					&params->client_cert_blob_len);
	if (!rc)
		rc = eap_tls_check_blob(sm, &params->private_key,
					&params->private_key_blob,
					&params->private_key_blob_len);
	if (!rc)
		rc = eap_tls_check_blob(sm, &params->dh_file, &params->dh_blob,
					&params->dh_blob_len);

	if (rc) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		return -1;
	}

	return 0;
}
/**
 * eap_tls_params_from_conf - Fill TLS connection parameters from peer config
 * @sm: EAP state machine; its workaround flag gates the session-ticket hack
 * @data: Data for TLS processing (EAP method type and tls_ia flag)
 * @params: TLS connection parameters to fill; zeroed before anything is set
 * @config: Network configuration to take the values from
 * @phase2: Non-zero to use the phase 2 (inner) options, zero for phase 1
 * Returns: 0 on success, -1 if any certificate/key blob lookup fails
 *
 * On failure @params may be partially filled; openssl_ciphers is only
 * assigned once all blob lookups have succeeded.
 */
static int eap_tls_params_from_conf(struct eap_sm *sm, struct eap_ssl_data *data,
				    struct tls_connection_params *params,
				    struct eap_peer_config *config, int phase2)
{
	os_memset(params, 0, sizeof(*params));

	if (sm->workaround && data->eap_type != EAP_TYPE_FAST) {
		/*
		 * Workaround for deployed authentication servers that reject
		 * a ClientHello carrying the TLS Session Ticket extension
		 * instead of ignoring it as they are supposed to. Disable the
		 * extension for EAP-TLS, EAP-PEAP and EAP-TTLS; EAP-FAST is
		 * exempt because it relies on session tickets, so any server
		 * that speaks EAP-FAST already copes with the extension.
		 */
		params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
	}

	if (!phase2) {
		wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
		eap_tls_params_from_conf1(params, config);
		if (data->eap_type == EAP_TYPE_FAST)
			params->flags |= TLS_CONN_EAP_FAST;
	} else {
		wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
		eap_tls_params_from_conf2(params, config);
	}

	/*
	 * crbug.com/605310 - temporarily disable TLSv1.1 and TLSv1.2 until
	 * they can be controlled via policy.
	 *
	 * NOTE(review): this is an unconditional protocol downgrade. It is
	 * applied in both phases and for every EAP method that goes through
	 * this function, independent of what the server supports; unless the
	 * TLS backend offers a newer version, only TLS 1.0 (deprecated by
	 * RFC 8996) remains negotiable. A "temporary" restriction with no
	 * expiry condition tends to become permanent - track its removal.
	 */
	params->flags |= TLS_CONN_DISABLE_TLSv1_1 | TLS_CONN_DISABLE_TLSv1_2;

	/*
	 * Prefer inline blob data for each credential; when no blob exists
	 * the external file reference is left untouched. The lookups run in
	 * order and stop at the first failure.
	 */
	if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
			       &params->ca_cert_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->client_cert,
			       &params->client_cert_blob,
			       &params->client_cert_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->private_key,
			       &params->private_key_blob,
			       &params->private_key_blob_len))
		goto fail;
	if (eap_tls_check_blob(sm, &params->dh_file, &params->dh_blob,
			       &params->dh_blob_len))
		goto fail;

	/* Cipher list is copied only once every credential lookup succeeded */
	params->openssl_ciphers = config->openssl_ciphers;

	return 0;

fail:
	wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
	return -1;
}