/*
 * eap_tls_ssl_init - Create and configure the TLS connection for an EAP-TLS
 * based peer method
 * @sm: EAP state machine; stored in data->eap and its ssl_ctx is used
 * @data: Per-method TLS data to fill in
 * @verify_peer: Forwarded unchanged to tls_connection_set_verify()
 * Returns: 0 on success, -1 on failure (data->conn is NULL afterwards)
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     int verify_peer)
{
	data->eap = sm;
	data->phase2 = sm->init_phase2;

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (!data->conn) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

	if (tls_connection_set_verify(sm->ssl_ctx, data->conn,
				      verify_peer) != 0) {
		wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
			   "of TLS peer certificate");
		/* Do not hand back a connection whose verification policy
		 * could not be applied */
		tls_connection_deinit(sm->ssl_ctx, data->conn);
		data->conn = NULL;
		return -1;
	}

	/* TODO: make this configurable */
	data->tls_out_limit = 1398;
	/* The inner (Phase 2) TLS exchange is carried unfragmented by the
	 * outer EAP-PEAP conversation, so keep its fragments smaller. */
	if (data->phase2 && data->tls_out_limit > 100)
		data->tls_out_limit -= 100;

	return 0;
}
/*
 * eap_server_tls_ssl_init - Set up the server-side TLS connection for an
 * EAP-TLS based method
 * @sm: EAP server state machine; sm->ssl_ctx must already be initialized
 * @data: Per-method TLS data to fill in
 * @verify_peer: Forwarded unchanged to tls_connection_set_verify()
 * @eap_type: EAP method type; session tickets stay enabled only for EAP-FAST
 *	and the type byte is appended to the session context
 * Returns: 0 on success, -1 on failure (data->conn is NULL afterwards)
 */
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
			    int verify_peer, int eap_type)
{
	/* "hostapd" followed by the EAP type byte; presumably scopes TLS
	 * session resumption to one EAP method - verify against
	 * tls_connection_set_verify() */
	u8 session_ctx[8];
	unsigned int flags = eap_type == EAP_TYPE_FAST ?
		0 : TLS_CONN_DISABLE_SESSION_TICKET;

	if (!sm->ssl_ctx) {
		wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
		return -1;
	}

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (!data->conn) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

#ifdef CONFIG_TLS_INTERNAL
	tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm);
#ifdef CONFIG_TESTING_OPTIONS
	tls_connection_set_test_flags(data->conn, sm->tls_test_flags);
#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_TLS_INTERNAL */

	os_memcpy(session_ctx, "hostapd", 7);
	session_ctx[7] = (u8) eap_type;
	if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
				      flags, session_ctx,
				      sizeof(session_ctx)) != 0) {
		wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
			   "of TLS peer certificate");
		/* Do not hand back a connection whose verification policy
		 * could not be applied */
		tls_connection_deinit(sm->ssl_ctx, data->conn);
		data->conn = NULL;
		return -1;
	}

	/* Configured fragment size wins; 1398 is the historical default */
	data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398;
	/* The inner (Phase 2) TLS exchange is carried unfragmented by the
	 * outer EAP-PEAP conversation, so keep its fragments smaller. */
	if (data->phase2 && data->tls_out_limit > 100)
		data->tls_out_limit -= 100;

	return 0;
}
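/*
 * eap_tls_init_connection - Create the TLS connection and apply its parameters
 * @sm: EAP state machine (used to request a new PIN on engine failure)
 * @data: TLS data; data->conn is set on success and left NULL on failure
 * @config: Peer configuration; config->ocsp is read and config->pin may be
 *	freed and cleared
 * @params: Connection parameters; OCSP request flags are OR'ed into
 *	params->flags before they are applied
 * Returns: 0 on success, -1 on failure
 *
 * Any non-zero result from tls_connection_set_params() is a failure: the
 * connection is released so the caller never continues with one whose
 * parameters (CA, client certificate, private key, ...) were not applied.
 */
static int eap_tls_init_connection(struct eap_sm *sm,
				   struct eap_ssl_data *data,
				   struct eap_peer_config *config,
				   struct tls_connection_params *params)
{
	int res;

	/* ocsp=1 requests stapling, ocsp=2 additionally requires it */
	if (config->ocsp)
		params->flags |= TLS_CONN_REQUEST_OCSP;
	if (config->ocsp == 2)
		params->flags |= TLS_CONN_REQUIRE_OCSP;
	data->conn = tls_connection_init(data->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

	res = tls_connection_set_params(data->ssl_ctx, data->conn, params);
	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
		/*
		 * At this point with the pkcs11 engine the PIN might be wrong.
		 * We reset the PIN in the configuration to be sure to not use
		 * it again and the calling function must request a new one.
		 */
		wpa_printf(MSG_INFO, "TLS: Failed to initialize engine private key");
		os_free(config->pin);
		config->pin = NULL;
	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		/*
		 * We do not know exactly but maybe the PIN was wrong,
		 * so ask for a new one.
		 */
		os_free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm);
		sm->ignore = TRUE;
	} else if (res) {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
	}

	if (res) {
		/* Previously the ENGINE_PRV_INIT_FAILED case fell through to
		 * return 0 with data->conn still set, i.e. a connection
		 * without its private key was reported as ready. Treat every
		 * set_params failure uniformly instead. */
		tls_connection_deinit(data->ssl_ctx, data->conn);
		data->conn = NULL;
		return -1;
	}

	return 0;
}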
/*
 * eap_server_tls_ssl_init - Set up the server-side TLS connection for an
 * EAP-TLS based method
 * @sm: EAP server state machine; sm->ssl_ctx must already be initialized
 * @data: Per-method TLS data to fill in
 * @verify_peer: Forwarded unchanged to tls_connection_set_verify()
 * Returns: 0 on success, -1 on failure (data->conn is NULL afterwards)
 */
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
			    int verify_peer)
{
	if (!sm->ssl_ctx) {
		wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
		return -1;
	}

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (!data->conn) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

#ifdef CONFIG_TLS_INTERNAL
	tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm);
#ifdef CONFIG_TESTING_OPTIONS
	tls_connection_set_test_flags(data->conn, sm->tls_test_flags);
#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_TLS_INTERNAL */

	if (tls_connection_set_verify(sm->ssl_ctx, data->conn,
				      verify_peer) != 0) {
		wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
			   "of TLS peer certificate");
		/* Do not hand back a connection whose verification policy
		 * could not be applied */
		tls_connection_deinit(sm->ssl_ctx, data->conn);
		data->conn = NULL;
		return -1;
	}

	/* Configured fragment size wins; 1398 is the historical default */
	data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398;
	/* The inner (Phase 2) TLS exchange is carried unfragmented by the
	 * outer EAP-PEAP conversation, so keep its fragments smaller. */
	if (data->phase2 && data->tls_out_limit > 100)
		data->tls_out_limit -= 100;

	return 0;
}
/*
 * eap_tls_ssl_init - Create the peer TLS connection from the network config
 * @sm: EAP state machine; stored in data->eap and its ssl_ctx is used
 * @data: Per-method TLS data to fill in
 * @config: Network configuration supplying certificates, keys, engine/PIN
 *	settings and fragment_size; must not be NULL. config->pin may be freed
 *	and cleared on engine failure.
 * Returns: 0 on success, -1 on failure
 *
 * NOTE(review): on the failure paths after tls_connection_init() data->conn is
 * left set; presumably the caller's deinit releases it - confirm before
 * relying on data->conn == NULL as a failure indicator.
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	int ret = -1, res;
	struct tls_connection_params params;

	if (config == NULL)
		return -1;

	data->eap = sm;
	data->phase2 = sm->init_phase2;
	memset(&params, 0, sizeof(params));
	params.engine = config->engine;
	if (data->phase2) {
		/* Phase 2 (inner method) uses the *2 variants of the
		 * credential settings; engine/PIN are Phase 1 only */
		params.ca_cert = (char *) config->ca_cert2;
		params.ca_path = (char *) config->ca_path2;
		params.client_cert = (char *) config->client_cert2;
		params.private_key = (char *) config->private_key2;
		params.private_key_passwd =
			(char *) config->private_key2_passwd;
		params.dh_file = (char *) config->dh_file2;
		params.subject_match = (char *) config->subject_match2;
		params.altsubject_match = (char *) config->altsubject_match2;
	} else {
		params.ca_cert = (char *) config->ca_cert;
		params.ca_path = (char *) config->ca_path;
		params.client_cert = (char *) config->client_cert;
		params.device_subca1_cert = (char *) config->device_subca1_cert; 
		params.device_subca2_cert = (char *) config->device_subca2_cert;
		params.private_key = (char *) config->private_key;
		params.private_key_passwd =
			(char *) config->private_key_passwd;
		params.dh_file = (char *) config->dh_file;
		params.subject_match = (char *) config->subject_match;
		params.altsubject_match = (char *) config->altsubject_match;
		params.engine_id = config->engine_id;
		params.pin = config->pin;
		params.key_id = config->key_id;
		params.cipher_rule = config->cipher_rule;
	}

	/* Resolve "blob://" style references into in-memory blobs; any
	 * failure aborts before a connection is created */
	if (eap_tls_check_blob(sm, &params.ca_cert, &params.ca_cert_blob,
			       &params.ca_cert_blob_len) ||
	    eap_tls_check_blob(sm, &params.client_cert,
			       &params.client_cert_blob,
			       &params.client_cert_blob_len) ||
#ifdef BECEEM_CSCM
		eap_tls_check_blob(sm, &params.device_subca1_cert,
			       &params.device_subca1_cert_blob,
			       &params.device_subca1_cert_blob_len) ||
		eap_tls_check_blob(sm, &params.device_subca2_cert,
			       &params.device_subca2_cert_blob,
			       &params.device_subca2_cert_blob_len) ||
#endif
	    eap_tls_check_blob(sm, &params.private_key,
			       &params.private_key_blob,
			       &params.private_key_blob_len) ||
	    eap_tls_check_blob(sm, &params.dh_file, &params.dh_blob,
			       &params.dh_blob_len)) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		goto done;
	}

#ifdef BECEEM_CSCM
	/* NOTE(review): this calls OpenSSL directly on sm->ssl_ctx, bypassing
	 * the tls_connection_* abstraction, and a failure is only logged at
	 * debug level. If sm->ssl_ctx is shared between connections, the chain
	 * loaded here applies to all of them - confirm that is intended. */
	if (params.client_cert != NULL && params.client_cert[0])
	{
		if (SSL_CTX_use_certificate_chain_file(sm->ssl_ctx, params.client_cert) == 1) {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file --> OK");
		} else {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file failed");
		}
	}
#endif

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		goto done;
	}

	res = tls_connection_set_params(sm->ssl_ctx, data->conn, &params);
	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
		/* At this point with the pkcs11 engine the PIN might be wrong.
		 * We reset the PIN in the configuration to be sure to not use
		 * it again and the calling function must request a new one.
		 * NOTE(review): this branch still returns 0 (ret is set below),
		 * so the caller only learns about the failure via
		 * config->pin == NULL - confirm that is how it is detected. */
		free(config->pin);
		config->pin = NULL;
	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		wpa_printf(MSG_INFO,"TLS: Failed to load private key");
		/* We don't know exactly but maybe the PIN was wrong,
		 * so ask for a new one. */
		free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm, config);
		sm->ignore = TRUE;
		goto done;
	} else if (res) {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
		goto done;
	}

	/* TODO: make this configurable */
	// Original: data->tls_out_limit = 1398;
	/* fragment_size values of 256 or less fall back to a 256-byte limit */
	if (config->fragment_size > 256)
		data->tls_out_limit = config->fragment_size - 10; // +TLS header of 10 bytes; total should be < 1400 bytes
	else
		data->tls_out_limit = 256;
	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	/* phase1="include_tls_length=1" adds the TLS Message Length field even
	 * to unfragmented packets */
	if (config->phase1 &&
	    strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	ret = 0;

done:
	return ret;
}
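/*
 * eap_tls_ssl_init - Create the peer TLS connection from the network config
 * @sm: EAP state machine; stored in data->eap and its ssl_ctx is used
 * @data: Per-method TLS data to fill in
 * @config: Network configuration, or NULL for no credentials at all. In the
 *	engine case config->pin may be freed and cleared.
 * Returns: 0 on success, -1 on failure
 *
 * On the failure paths after tls_connection_init() data->conn is left set;
 * presumably the caller's deinit releases it - confirm before relying on
 * data->conn == NULL as a failure indicator.
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	int ret = -1;
	char *ca_cert, *client_cert, *private_key, *private_key_passwd,
		*dh_file, *subject_match, *engine_id, **ppin, *key_id;

	data->eap = sm;
	data->phase2 = sm->init_phase2;
	if (config == NULL) {
		ca_cert = NULL;
		client_cert = NULL;
		private_key = NULL;
		private_key_passwd = NULL;
		dh_file = NULL;
		subject_match = NULL;
		engine_id = NULL;
		ppin = NULL;
		key_id = NULL;
	} else if (data->phase2) {
		/* Phase 2 (inner method) uses the *2 variants of the
		 * credential settings; engine/PIN are Phase 1 only */
		ca_cert = (char *) config->ca_cert2;
		client_cert = (char *) config->client_cert2;
		private_key = (char *) config->private_key2;
		private_key_passwd = (char *) config->private_key2_passwd;
		dh_file = (char *) config->dh_file2;
		subject_match = (char *) config->subject_match2;
		engine_id = NULL;
		ppin = NULL;
		key_id = NULL;
	} else {
		ca_cert = (char *) config->ca_cert;
		client_cert = (char *) config->client_cert;
		private_key = (char *) config->private_key;
		private_key_passwd = (char *) config->private_key_passwd;
		dh_file = (char *) config->dh_file;
		subject_match = (char *) config->subject_match;
		engine_id = config->engine_id;
		ppin = &(config->pin);
		key_id = config->key_id;
	}
	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		goto done;
	}

	if (tls_connection_ca_cert(sm->ssl_ctx, data->conn, ca_cert,
				   subject_match)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load root certificate "
			   "'%s'", ca_cert);
		goto done;
	}

	if (tls_connection_client_cert(sm->ssl_ctx, data->conn, client_cert)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load client certificate "
			   "'%s'", client_cert);
		goto done;
	}

	/* config may be NULL (handled above and at the phase1 check below);
	 * without the guard this dereferenced a NULL config. The engine path
	 * is only meaningful with a configuration anyway. */
	if (config && config->engine) {
		wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine");
		if (tls_engine_init(data->conn, engine_id, ppin, key_id))
			goto done;
		if (tls_connection_engine_private_key(sm->ssl_ctx,
						      data->conn)) {
			wpa_printf(MSG_INFO,"TLS: Failed to load private key");
			/* We don't know exactly but maybe the PIN was wrong,
			 * so ask for a new one. */
			free(config->pin);
			config->pin = NULL;
			eap_sm_request_pin(sm, config);
			sm->ignore = TRUE;
			goto done;
		}
	} else if (tls_connection_private_key(sm->ssl_ctx, data->conn,
					      private_key,
					      private_key_passwd)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'",
			   private_key);
		goto done;
	}

	if (dh_file && tls_connection_dh(sm->ssl_ctx, data->conn, dh_file)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load DH file '%s'",
			   dh_file);
		goto done;
	}

	/* TODO: make this configurable */
	data->tls_out_limit = 1398;
	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	/* phase1="include_tls_length=1" adds the TLS Message Length field even
	 * to unfragmented packets */
	if (config && config->phase1 &&
	    strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	ret = 0;

done:
	return ret;
}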