/*
 * eap_tls_init - Allocate per-instance EAP-TLS peer method state.
 * @sm: EAP state machine
 * Returns: new eap_tls_data, or NULL when the method cannot be started.
 *
 * The method needs either a configured private key (the phase 2 key when
 * running as an inner method) or a crypto engine. When TLS setup fails the
 * partially built state is released and the user is asked for the missing
 * secret: a smartcard PIN when an engine is in use, otherwise a key
 * passphrase when a key is configured without one. sm->ignore is set in
 * both cases so the pending EAP request is not answered until then.
 */
static void * eap_tls_init(struct eap_sm *sm)
{
	struct eap_tls_data *data;
	struct wpa_ssid *config = eap_get_config(sm);
	int have_key = 0;

	if (config != NULL) {
		have_key = (sm->init_phase2 ? config->private_key2 :
			    config->private_key) != NULL;
	}
	if (config == NULL || (!have_key && !config->engine)) {
		wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
		return NULL;
	}

	data = wpa_zalloc(sizeof(*data));
	if (data == NULL)
		return NULL;

	if (eap_tls_ssl_init(sm, &data->ssl, config) == 0)
		return data;

	wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
	eap_tls_deinit(sm, data);

	if (config->engine) {
		wpa_printf(MSG_DEBUG, "EAP-TLS: Requesting Smartcard PIN");
		eap_sm_request_pin(sm);
		sm->ignore = TRUE;
	} else if (config->private_key && !config->private_key_passwd) {
		/*
		 * NOTE(review): this checks the phase 1 key/passphrase fields
		 * even when init_phase2 is set, while the key presence check
		 * above is phase aware — confirm whether private_key2_passwd
		 * should be consulted here for inner EAP-TLS.
		 */
		wpa_printf(MSG_DEBUG, "EAP-TLS: Requesting private key "
			   "passphrase");
		eap_sm_request_passphrase(sm);
		sm->ignore = TRUE;
	}
	return NULL;
}
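/*
 * eap_tls_init_connection - Create the TLS connection and apply parameters.
 * @sm: EAP state machine
 * @data: TLS state for this EAP method; data->conn is set on success and
 *	left NULL on failure
 * @config: peer network configuration (OCSP policy, smartcard PIN)
 * @params: TLS connection parameters prepared by the caller
 * Returns: 0 on success, -1 on failure
 *
 * A nonzero config->ocsp requests OCSP stapling; the value 2 additionally
 * makes a missing or bad response fatal for the handshake.
 *
 * Every failure of tls_connection_set_params() is treated as fatal: the
 * connection is released and -1 returned. The engine PIN failure codes also
 * clear the stored PIN (so a wrong PIN is never retried against the token,
 * which could lock it) and prompt the user for a new one.
 */
static int eap_tls_init_connection(struct eap_sm *sm,
				   struct eap_ssl_data *data,
				   struct eap_peer_config *config,
				   struct tls_connection_params *params)
{
	int res;

	if (config->ocsp)
		params->flags |= TLS_CONN_REQUEST_OCSP;
	if (config->ocsp == 2)
		params->flags |= TLS_CONN_REQUIRE_OCSP;

	data->conn = tls_connection_init(data->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

	res = tls_connection_set_params(data->ssl_ctx, data->conn, params);
	if (res == 0)
		return 0;

	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED ||
	    res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		/*
		 * With the pkcs11 engine either result may mean the PIN was
		 * wrong. The INIT_FAILED case used to fall through and return
		 * success, leaving the caller with a connection whose private
		 * key was never loaded and no PIN prompt; both cases now fail
		 * the same way and ask for a new PIN.
		 */
		if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED)
			wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		/*
		 * NOTE(review): os_free() does not zeroize the PIN before
		 * releasing it, and if the caller set params->pin from
		 * config->pin that pointer is now dangling — params must not
		 * be used after this point.
		 */
		os_free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm);
		sm->ignore = TRUE;
	} else {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
	}

	tls_connection_deinit(data->ssl_ctx, data->conn);
	data->conn = NULL;
	return -1;
}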
/*
 * eap_sm_get_scard_identity - Unlock the smartcard and read the IMSI identity.
 * @sm: EAP state machine
 * @ssid: network configuration holding the user-supplied PIN
 * Returns: result of eap_sm_imsi_identity() on success, -1 if the PIN was
 * rejected
 *
 * A rejected PIN is discarded immediately and the user is prompted again:
 * retrying the same wrong PIN would consume another attempt and could block
 * the SIM.
 */
static int eap_sm_get_scard_identity(struct eap_sm *sm, struct wpa_ssid *ssid)
{
	if (scard_set_pin(sm->scard_ctx, ssid->pin) == 0)
		return eap_sm_imsi_identity(sm, ssid);

	/* Wrong PIN: never reuse it (NOTE: free() does not zeroize it). */
	free(ssid->pin);
	ssid->pin = NULL;
	wpa_printf(MSG_WARNING, "PIN validation failed");
	eap_sm_request_pin(sm, ssid);
	return -1;
}
/*
 * eap_sm_notify_ctrl_attached - Replay pending user-input requests.
 * @sm: EAP state machine
 *
 * Called when a new control interface client attaches. Requests for
 * identity, password, OTP or PIN that were raised while no user interface
 * was listening (e.g. authentication started right after boot) are issued
 * again so that the new client can answer them. Nothing is done when no
 * network configuration is selected.
 */
void eap_sm_notify_ctrl_attached(struct eap_sm *sm)
{
	struct wpa_ssid *ssid = eap_get_config(sm);

	if (!ssid)
		return;

	/* Replay in a fixed order: identity, password, OTP, PIN. */
	if (ssid->pending_req_identity)
		eap_sm_request_identity(sm, ssid);
	if (ssid->pending_req_password)
		eap_sm_request_password(sm, ssid);
	if (ssid->pending_req_otp)
		eap_sm_request_otp(sm, ssid, NULL, 0);
	if (ssid->pending_req_pin)
		eap_sm_request_pin(sm, ssid);
}
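/*
 * eap_tls_ssl_init - Build TLS parameters from the network configuration and
 * create the TLS connection used by EAP-TLS/PEAP/TTLS.
 * @sm: EAP state machine
 * @data: TLS state for this EAP method instance
 * @config: network configuration; NULL is rejected with -1
 * Returns: 0 on success, -1 on failure
 *
 * Phase 2 (inner) authentication takes its certificates and keys from the
 * "*2" configuration fields and does not use the crypto engine. Paths that
 * refer to configuration blobs are resolved by eap_tls_check_blob(). Engine
 * PIN failures clear the stored PIN so a wrong PIN is not retried against
 * the token. On failure data->conn may be left non-NULL; the caller is
 * expected to release it (eap_tls_init() calls eap_tls_deinit() then).
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	int ret = -1, res;
	struct tls_connection_params params;

	if (config == NULL)
		return -1;

	data->eap = sm;
	data->phase2 = sm->init_phase2;
	memset(&params, 0, sizeof(params));
	params.engine = config->engine;
	if (data->phase2) {
		params.ca_cert = (char *) config->ca_cert2;
		params.ca_path = (char *) config->ca_path2;
		params.client_cert = (char *) config->client_cert2;
		params.private_key = (char *) config->private_key2;
		params.private_key_passwd =
			(char *) config->private_key2_passwd;
		params.dh_file = (char *) config->dh_file2;
		params.subject_match = (char *) config->subject_match2;
		params.altsubject_match = (char *) config->altsubject_match2;
	} else {
		params.ca_cert = (char *) config->ca_cert;
		params.ca_path = (char *) config->ca_path;
		params.client_cert = (char *) config->client_cert;
		params.device_subca1_cert = (char *) config->device_subca1_cert;
		params.device_subca2_cert = (char *) config->device_subca2_cert;
		params.private_key = (char *) config->private_key;
		params.private_key_passwd =
			(char *) config->private_key_passwd;
		params.dh_file = (char *) config->dh_file;
		params.subject_match = (char *) config->subject_match;
		params.altsubject_match = (char *) config->altsubject_match;
		params.engine_id = config->engine_id;
		params.pin = config->pin;
		params.key_id = config->key_id;
		params.cipher_rule = config->cipher_rule;
	}

	/* Resolve "blob://" style references into in-memory blobs. */
	if (eap_tls_check_blob(sm, &params.ca_cert, &params.ca_cert_blob,
			       &params.ca_cert_blob_len) ||
	    eap_tls_check_blob(sm, &params.client_cert,
			       &params.client_cert_blob,
			       &params.client_cert_blob_len) ||
#ifdef BECEEM_CSCM
	    eap_tls_check_blob(sm, &params.device_subca1_cert,
			       &params.device_subca1_cert_blob,
			       &params.device_subca1_cert_blob_len) ||
	    eap_tls_check_blob(sm, &params.device_subca2_cert,
			       &params.device_subca2_cert_blob,
			       &params.device_subca2_cert_blob_len) ||
#endif
	    eap_tls_check_blob(sm, &params.private_key,
			       &params.private_key_blob,
			       &params.private_key_blob_len) ||
	    eap_tls_check_blob(sm, &params.dh_file, &params.dh_blob,
			       &params.dh_blob_len)) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		goto done;
	}

#ifdef BECEEM_CSCM
	/*
	 * Vendor addition: loads the client certificate chain straight into
	 * the shared SSL_CTX with OpenSSL, bypassing the tls_*() abstraction.
	 * A failure is only logged, so a bad chain surfaces later as a
	 * handshake failure rather than here.
	 * NOTE(review): this changes sm->ssl_ctx, which every connection
	 * created from it shares — confirm that is intended.
	 */
	if (params.client_cert != NULL && params.client_cert[0]) {
		if (SSL_CTX_use_certificate_chain_file(sm->ssl_ctx,
						       params.client_cert) == 1) {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file --> OK");
		} else {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file failed");
		}
	}
#endif

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		goto done;
	}

	res = tls_connection_set_params(sm->ssl_ctx, data->conn, &params);
	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
		/*
		 * With the pkcs11 engine the PIN might be wrong. Clear it so it
		 * is never retried (repeated wrong PINs can lock the token);
		 * the calling function requests a new one when we report
		 * failure. Previously this branch fell through and reported
		 * success, so the caller never prompted and carried on with a
		 * connection whose private key was not loaded.
		 * NOTE: free() does not zeroize the PIN; params.pin now
		 * dangles and is not used again.
		 */
		free(config->pin);
		config->pin = NULL;
		goto done;
	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		wpa_printf(MSG_INFO,"TLS: Failed to load private key");
		/* Possibly a wrong PIN as well: drop it and ask for a new one. */
		free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm, config);
		sm->ignore = TRUE;
		goto done;
	} else if (res) {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
		goto done;
	}

	/* TODO: make this configurable */
	/*
	 * Outgoing TLS fragment limit: fragment_size minus a 10 byte
	 * allowance for the EAP/EAP-TLS header (the total is meant to stay
	 * below 1400 bytes; the old fixed value was 1398), with a 256 byte
	 * floor for small or unset fragment_size.
	 */
	if (config->fragment_size > 256)
		data->tls_out_limit = config->fragment_size - 10;
	else
		data->tls_out_limit = 256;
	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	if (config->phase1 &&
	    strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	ret = 0;

done:
	return ret;
}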
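/*
 * eap_tls_ssl_init - Create the TLS connection and load the credentials
 * selected by the network configuration.
 * @sm: EAP state machine
 * @data: TLS state for this EAP method instance
 * @config: network configuration, or NULL (no credentials are loaded then)
 * Returns: 0 on success, -1 on failure
 *
 * Phase 2 (inner) authentication uses the "*2" configuration fields and
 * never the crypto engine. A NULL config is accepted here: the original code
 * handled it for the credential selection but then dereferenced config for
 * the engine check, which now requires a non-NULL config too. On failure
 * data->conn may be left non-NULL for the caller to release.
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	int ret = -1;
	char *ca_cert, *client_cert, *private_key, *private_key_passwd,
		*dh_file, *subject_match, *engine_id, **ppin, *key_id;

	data->eap = sm;
	data->phase2 = sm->init_phase2;
	if (config == NULL) {
		ca_cert = NULL;
		client_cert = NULL;
		private_key = NULL;
		private_key_passwd = NULL;
		dh_file = NULL;
		subject_match = NULL;
		engine_id = NULL;
		ppin = NULL;
		key_id = NULL;
	} else if (data->phase2) {
		ca_cert = (char *) config->ca_cert2;
		client_cert = (char *) config->client_cert2;
		private_key = (char *) config->private_key2;
		private_key_passwd = (char *) config->private_key2_passwd;
		dh_file = (char *) config->dh_file2;
		subject_match = (char *) config->subject_match2;
		engine_id = NULL;
		ppin = NULL;
		key_id = NULL;
	} else {
		ca_cert = (char *) config->ca_cert;
		client_cert = (char *) config->client_cert;
		private_key = (char *) config->private_key;
		private_key_passwd = (char *) config->private_key_passwd;
		dh_file = (char *) config->dh_file;
		subject_match = (char *) config->subject_match;
		engine_id = config->engine_id;
		ppin = &(config->pin);
		key_id = config->key_id;
	}

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		goto done;
	}

	/*
	 * The paths may be NULL (no config, or field unset); substitute a
	 * placeholder in the log messages rather than passing NULL for %s,
	 * which is undefined behavior if wpa_printf forwards to vsnprintf.
	 */
	if (tls_connection_ca_cert(sm->ssl_ctx, data->conn, ca_cert,
				   subject_match)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load root certificate "
			   "'%s'", ca_cert ? ca_cert : "(none)");
		goto done;
	}

	if (tls_connection_client_cert(sm->ssl_ctx, data->conn,
				       client_cert)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load client certificate "
			   "'%s'", client_cert ? client_cert : "(none)");
		goto done;
	}

	/* config may be NULL here (see above); the engine needs a config. */
	if (config != NULL && config->engine) {
		wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine");
		if (tls_engine_init(data->conn, engine_id, ppin, key_id))
			goto done;
		if (tls_connection_engine_private_key(sm->ssl_ctx,
						      data->conn)) {
			wpa_printf(MSG_INFO,"TLS: Failed to load private key");
			/*
			 * Possibly a wrong PIN: discard it so it is never
			 * retried against the token (repeated wrong PINs can
			 * lock it) and ask the user for a new one.
			 * NOTE: free() does not zeroize the PIN.
			 */
			free(config->pin);
			config->pin = NULL;
			eap_sm_request_pin(sm, config);
			sm->ignore = TRUE;
			goto done;
		}
	} else if (tls_connection_private_key(sm->ssl_ctx, data->conn,
					      private_key,
					      private_key_passwd)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'",
			   private_key ? private_key : "(none)");
		goto done;
	}

	if (dh_file && tls_connection_dh(sm->ssl_ctx, data->conn, dh_file)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load DH file '%s'",
			   dh_file);
		goto done;
	}

	/* TODO: make this configurable */
	/* Fixed outgoing TLS fragment limit for the outer EAP method. */
	data->tls_out_limit = 1398;
	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	if (config && config->phase1 &&
	    strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	ret = 0;

done:
	return ret;
}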