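/*
 * eap_tls_ssl_init - Initialize a TLS connection for a TLS-based EAP peer method
 * @sm: EAP state machine; sm->ssl_ctx must already be initialized
 * @data: TLS state to fill in; data->conn is set on success and NULL on failure
 * @verify_peer: Forwarded unchanged to tls_connection_set_verify()
 * Returns: 0 on success, -1 on failure
 *
 * Besides creating the connection, this records the outgoing fragment limit
 * in data->tls_out_limit. For tunnelled (phase 2) use the limit is reduced to
 * leave room for the outer method's own framing.
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     int verify_peer)
{
	enum {
		/* Default outgoing TLS fragment size; TODO: make this configurable */
		EAP_TLS_DEFAULT_OUT_LIMIT = 1398,
		/* Headroom reserved for the outer method when running as phase 2 */
		EAP_TLS_PHASE2_HEADROOM = 100
	};

	/*
	 * Reject a missing TLS context explicitly instead of handing a NULL
	 * context to the TLS library (the server-side init does the same).
	 */
	if (sm->ssl_ctx == NULL) {
		wpa_printf(MSG_ERROR,
			   "TLS context not initialized - cannot use TLS-based EAP method");
		return -1;
	}

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

	if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
		wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
			   "of TLS peer certificate");
		/* Do not leave a half-configured connection behind */
		tls_connection_deinit(sm->ssl_ctx, data->conn);
		data->conn = NULL;
		return -1;
	}

	data->tls_out_limit = EAP_TLS_DEFAULT_OUT_LIMIT;
	if (data->phase2 && data->tls_out_limit > EAP_TLS_PHASE2_HEADROOM) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		data->tls_out_limit -= EAP_TLS_PHASE2_HEADROOM;
	}

	return 0;
}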
/*
 * eap_server_tls_ssl_init - Create the TLS connection for a server-side
 * TLS-based EAP method
 * @sm: EAP server state machine; sm->ssl_ctx must already be initialized
 * @data: Per-session TLS state to fill in (data->conn, fragment limit)
 * @verify_peer: Forwarded to tls_connection_set_verify()
 * @eap_type: EAP method type this connection belongs to; it selects whether
 *	session tickets are allowed and is mixed into the session context
 * Returns: 0 on success, -1 on failure (data->conn is NULL on failure)
 */
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
			    int verify_peer, int eap_type)
{
	u8 session_ctx[8];
	unsigned int verify_flags = 0;

	if (!sm->ssl_ctx) {
		wpa_printf(MSG_ERROR,
			   "TLS context not initialized - cannot use TLS-based EAP method");
		return -1;
	}

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (!data->conn) {
		wpa_printf(MSG_INFO,
			   "SSL: Failed to initialize new TLS connection");
		return -1;
	}

#ifdef CONFIG_TLS_INTERNAL
	tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm);
#ifdef CONFIG_TESTING_OPTIONS
	tls_connection_set_test_flags(data->conn, sm->tls_test_flags);
#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_TLS_INTERNAL */

	/* Session tickets stay enabled only for EAP-FAST */
	if (eap_type != EAP_TYPE_FAST)
		verify_flags |= TLS_CONN_DISABLE_SESSION_TICKET;

	/*
	 * Session context: "hostapd" followed by the EAP type byte. The cast
	 * keeps only the low byte of eap_type; presumably only legacy
	 * one-byte method types reach this function - confirm for any
	 * expanded-type caller.
	 */
	os_memcpy(session_ctx, "hostapd", 7);
	session_ctx[7] = (u8) eap_type;

	if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
				      verify_flags, session_ctx,
				      sizeof(session_ctx))) {
		wpa_printf(MSG_INFO,
			   "SSL: Failed to configure verification of TLS peer certificate");
		goto fail;
	}

	/* Configured fragment size wins; otherwise fall back to 1398 bytes */
	if (sm->fragment_size > 0)
		data->tls_out_limit = sm->fragment_size;
	else
		data->tls_out_limit = 1398;

	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	return 0;

fail:
	tls_connection_deinit(sm->ssl_ctx, data->conn);
	data->conn = NULL;
	return -1;
}
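/*
 * eap_tls_init_connection - Create a TLS connection and apply its parameters
 * @sm: EAP state machine
 * @data: TLS state; data->ssl_ctx is used and data->conn is set on success
 * @config: Network configuration (OCSP setting, PIN to clear on engine errors)
 * @params: Prepared TLS connection parameters; OCSP flags are added here
 * Returns: 0 on success, -1 on failure (data->conn is NULL on failure)
 *
 * Any failure from tls_connection_set_params() is treated as fatal for this
 * connection: the previous code returned success after
 * TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED, handing back a connection whose
 * parameters (including the private key) had not been applied.
 */
static int eap_tls_init_connection(struct eap_sm *sm,
				   struct eap_ssl_data *data,
				   struct eap_peer_config *config,
				   struct tls_connection_params *params)
{
	int res;

	/* ocsp=1 and ocsp=2 both request stapling; 2 additionally requires it */
	if (config->ocsp)
		params->flags |= TLS_CONN_REQUEST_OCSP;
	if (config->ocsp == 2)
		params->flags |= TLS_CONN_REQUIRE_OCSP;

	data->conn = tls_connection_init(data->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

	res = tls_connection_set_params(data->ssl_ctx, data->conn, params);
	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
		/*
		 * At this point with the pkcs11 engine the PIN might be wrong.
		 * Reset the PIN in the configuration to be sure to not use it
		 * again and ask the upper layer for a new one, the same way
		 * the verify-failure case below does.
		 */
		wpa_printf(MSG_INFO,
			   "TLS: Failed to initialize engine private key");
		os_free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm);
		sm->ignore = TRUE;
	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
		/*
		 * We do not know exactly but maybe the PIN was wrong,
		 * so ask for a new one.
		 */
		os_free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm);
		sm->ignore = TRUE;
	} else if (res) {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
	}

	if (res) {
		/* Never report success for a connection without its parameters */
		tls_connection_deinit(data->ssl_ctx, data->conn);
		data->conn = NULL;
		return -1;
	}

	return 0;
}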
/*
 * eap_server_tls_ssl_init - Create the TLS connection for a server-side
 * TLS-based EAP method
 * @sm: EAP server state machine; sm->ssl_ctx must already be initialized
 * @data: Per-session TLS state to fill in (data->conn, fragment limit)
 * @verify_peer: Forwarded to tls_connection_set_verify()
 * Returns: 0 on success, -1 on failure (data->conn is NULL on failure)
 */
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
			    int verify_peer)
{
	if (!sm->ssl_ctx) {
		wpa_printf(MSG_ERROR,
			   "TLS context not initialized - cannot use TLS-based EAP method");
		return -1;
	}

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (!data->conn) {
		wpa_printf(MSG_INFO,
			   "SSL: Failed to initialize new TLS connection");
		return -1;
	}

#ifdef CONFIG_TLS_INTERNAL
	tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm);
#ifdef CONFIG_TESTING_OPTIONS
	tls_connection_set_test_flags(data->conn, sm->tls_test_flags);
#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_TLS_INTERNAL */

	if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
		wpa_printf(MSG_INFO,
			   "SSL: Failed to configure verification of TLS peer certificate");
		goto fail;
	}

	/* Configured fragment size wins; otherwise fall back to 1398 bytes */
	if (sm->fragment_size > 0)
		data->tls_out_limit = sm->fragment_size;
	else
		data->tls_out_limit = 1398;

	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	return 0;

fail:
	tls_connection_deinit(sm->ssl_ctx, data->conn);
	data->conn = NULL;
	return -1;
}
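/*
 * eap_tls_ssl_init - Initialize a TLS connection for a TLS-based EAP peer method
 * @sm: EAP state machine
 * @data: TLS state to fill in; data->conn is set on success and NULL on failure
 * @config: Network configuration supplying certificates, keys, engine/PIN
 *	settings and phase1 options; must not be NULL
 * Returns: 0 on success, -1 on failure
 *
 * Phase 2 (tunnelled) runs take their material from the *2 configuration
 * fields; otherwise the primary fields plus engine, PIN, key id and cipher
 * rule are used. File references are passed through eap_tls_check_blob(),
 * presumably to substitute in-memory configuration blobs - confirm there.
 *
 * Fixes relative to the previous version: the garbled "&params" arguments are
 * restored, a TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED result no longer returns
 * success with an unconfigured connection, and the connection is released
 * on every failure path after it was created.
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	int res;
	struct tls_connection_params params;

	if (config == NULL)
		return -1;

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	memset(&params, 0, sizeof(params));
	params.engine = config->engine;
	if (data->phase2) {
		params.ca_cert = (char *) config->ca_cert2;
		params.ca_path = (char *) config->ca_path2;
		params.client_cert = (char *) config->client_cert2;
		params.private_key = (char *) config->private_key2;
		params.private_key_passwd =
			(char *) config->private_key2_passwd;
		params.dh_file = (char *) config->dh_file2;
		params.subject_match = (char *) config->subject_match2;
		params.altsubject_match = (char *) config->altsubject_match2;
	} else {
		params.ca_cert = (char *) config->ca_cert;
		params.ca_path = (char *) config->ca_path;
		params.client_cert = (char *) config->client_cert;
		params.device_subca1_cert =
			(char *) config->device_subca1_cert;
		params.device_subca2_cert =
			(char *) config->device_subca2_cert;
		params.private_key = (char *) config->private_key;
		params.private_key_passwd =
			(char *) config->private_key_passwd;
		params.dh_file = (char *) config->dh_file;
		params.subject_match = (char *) config->subject_match;
		params.altsubject_match = (char *) config->altsubject_match;
		params.engine_id = config->engine_id;
		params.pin = config->pin;
		params.key_id = config->key_id;
		params.cipher_rule = config->cipher_rule;
	}

	if (eap_tls_check_blob(sm, &params.ca_cert, &params.ca_cert_blob,
			       &params.ca_cert_blob_len) ||
	    eap_tls_check_blob(sm, &params.client_cert,
			       &params.client_cert_blob,
			       &params.client_cert_blob_len) ||
#ifdef BECEEM_CSCM
	    eap_tls_check_blob(sm, &params.device_subca1_cert,
			       &params.device_subca1_cert_blob,
			       &params.device_subca1_cert_blob_len) ||
	    eap_tls_check_blob(sm, &params.device_subca2_cert,
			       &params.device_subca2_cert_blob,
			       &params.device_subca2_cert_blob_len) ||
#endif
	    eap_tls_check_blob(sm, &params.private_key,
			       &params.private_key_blob,
			       &params.private_key_blob_len) ||
	    eap_tls_check_blob(sm, &params.dh_file, &params.dh_blob,
			       &params.dh_blob_len)) {
		wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
		return -1;
	}

#ifdef BECEEM_CSCM
	/*
	 * NOTE(review): this loads the client certificate chain directly into
	 * the shared SSL_CTX, bypassing the per-connection tls_connection_*
	 * interface, and a failure is only logged (best effort, as before).
	 * Confirm the context is not shared with other networks/credentials.
	 */
	if (params.client_cert != NULL && params.client_cert[0]) {
		if (SSL_CTX_use_certificate_chain_file(sm->ssl_ctx,
						       params.client_cert) == 1) {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file --> OK");
		} else {
			wpa_printf(MSG_DEBUG, "OpenSSL: SSL_CTX_use_certificate_chain_file failed");
		}
	}
#endif

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		return -1;
	}

	res = tls_connection_set_params(sm->ssl_ctx, data->conn, &params);
	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
		/* At this point with the pkcs11 engine the PIN might be wrong.
		 * We reset the PIN in the configuration to be sure to not use
		 * it again and ask for a new one; the connection is not usable
		 * without its private key, so fail instead of returning
		 * success as the previous version did. */
		wpa_printf(MSG_INFO,
			   "TLS: Failed to initialize engine private key");
		free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm, config);
		sm->ignore = TRUE;
		goto fail_conn;
	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
		wpa_printf(MSG_INFO,"TLS: Failed to load private key");
		/* We don't know exactly but maybe the PIN was wrong,
		 * so ask for a new one. */
		free(config->pin);
		config->pin = NULL;
		eap_sm_request_pin(sm, config);
		sm->ignore = TRUE;
		goto fail_conn;
	} else if (res) {
		wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
			   "parameters");
		goto fail_conn;
	}

	/* Outgoing fragment limit; original hard-coded 1398, now derived from
	 * the configured fragment_size with 10 bytes reserved for the TLS
	 * header (total should stay below 1400 bytes). Small or unset values
	 * fall back to 256. */
	if (config->fragment_size > 256)
		data->tls_out_limit = config->fragment_size - 10;
	else
		data->tls_out_limit = 256;

	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	if (config->phase1 &&
	    strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	return 0;

fail_conn:
	/* Release the connection created above so no failed setup lingers */
	tls_connection_deinit(sm->ssl_ctx, data->conn);
	data->conn = NULL;
	return -1;
}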
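/*
 * eap_tls_ssl_init - Initialize a TLS connection for a TLS-based EAP peer method
 * @sm: EAP state machine
 * @data: TLS state to fill in; data->conn is set when the connection is created
 * @config: Network configuration, or NULL to set up a connection with no
 *	certificates, keys or engine at all
 * Returns: 0 on success, -1 on failure
 *
 * Phase 2 (tunnelled) runs use the *2 configuration fields and never the
 * engine id/PIN/key id; otherwise the primary fields are used.
 *
 * Fix: config == NULL is an accepted input (all material is left unset and
 * the final phase1 check already guards it), but the engine check below used
 * to dereference config unconditionally. Log arguments are also guarded so a
 * NULL path is never passed to "%s".
 */
int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
		     struct wpa_ssid *config)
{
	int ret = -1;
	char *ca_cert = NULL, *client_cert = NULL, *private_key = NULL,
		*private_key_passwd = NULL, *dh_file = NULL,
		*subject_match = NULL, *engine_id = NULL, **ppin = NULL,
		*key_id = NULL;
	int use_engine;

	data->eap = sm;
	data->phase2 = sm->init_phase2;

	if (config != NULL && data->phase2) {
		ca_cert = (char *) config->ca_cert2;
		client_cert = (char *) config->client_cert2;
		private_key = (char *) config->private_key2;
		private_key_passwd = (char *) config->private_key2_passwd;
		dh_file = (char *) config->dh_file2;
		subject_match = (char *) config->subject_match2;
	} else if (config != NULL) {
		ca_cert = (char *) config->ca_cert;
		client_cert = (char *) config->client_cert;
		private_key = (char *) config->private_key;
		private_key_passwd = (char *) config->private_key_passwd;
		dh_file = (char *) config->dh_file;
		subject_match = (char *) config->subject_match;
		engine_id = config->engine_id;
		ppin = &(config->pin);
		key_id = config->key_id;
	}
	/* As before, the engine flag is honoured in both phases; without a
	 * configuration there is no engine to initialize. */
	use_engine = config != NULL && config->engine;

	data->conn = tls_connection_init(sm->ssl_ctx);
	if (data->conn == NULL) {
		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
			   "connection");
		goto done;
	}

	if (tls_connection_ca_cert(sm->ssl_ctx, data->conn, ca_cert,
				   subject_match)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load root certificate "
			   "'%s'", ca_cert ? ca_cert : "(none)");
		goto done;
	}

	if (tls_connection_client_cert(sm->ssl_ctx, data->conn,
				       client_cert)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load client certificate "
			   "'%s'", client_cert ? client_cert : "(none)");
		goto done;
	}

	if (use_engine) {
		wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine");
		if (tls_engine_init(data->conn, engine_id, ppin, key_id))
			goto done;
		if (tls_connection_engine_private_key(sm->ssl_ctx,
						      data->conn)) {
			wpa_printf(MSG_INFO,"TLS: Failed to load private key");
			/* We don't know exactly but maybe the PIN was wrong,
			 * so ask for a new one. (config is non-NULL here
			 * because use_engine requires it.) */
			free(config->pin);
			config->pin = NULL;
			eap_sm_request_pin(sm, config);
			sm->ignore = TRUE;
			goto done;
		}
	} else if (tls_connection_private_key(sm->ssl_ctx, data->conn,
					      private_key,
					      private_key_passwd)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'",
			   private_key ? private_key : "(none)");
		goto done;
	}

	if (dh_file && tls_connection_dh(sm->ssl_ctx, data->conn, dh_file)) {
		wpa_printf(MSG_INFO, "TLS: Failed to load DH file '%s'",
			   dh_file);
		goto done;
	}

	/* TODO: make this configurable */
	data->tls_out_limit = 1398;
	if (data->phase2) {
		/* Limit the fragment size in the inner TLS authentication
		 * since the outer authentication with EAP-PEAP does not yet
		 * support fragmentation */
		if (data->tls_out_limit > 100)
			data->tls_out_limit -= 100;
	}

	if (config && config->phase1 &&
	    strstr(config->phase1, "include_tls_length=1")) {
		wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
			   "unfragmented packets");
		data->include_tls_length = 1;
	}

	ret = 0;

done:
	return ret;
}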