157 	struct tls_connection *conn = (struct tls_connection *) ptr;  in tls_pull_func()  local
159 	if (conn->pull_buf == NULL) {  in tls_pull_func()
164 	end = wpabuf_head_u8(conn->pull_buf) + wpabuf_len(conn->pull_buf);  in tls_pull_func()
165 	if ((size_t) (end - conn->pull_buf_offset) < len)  in tls_pull_func()
166 		len = end - conn->pull_buf_offset;  in tls_pull_func()
167 	os_memcpy(buf, conn->pull_buf_offset, len);  in tls_pull_func()
168 	conn->pull_buf_offset += len;  in tls_pull_func()
169 	if (conn->pull_buf_offset == end) {  in tls_pull_func()
171 		wpabuf_free(conn->pull_buf);  in tls_pull_func()
172 		conn->pull_buf = NULL;  in tls_pull_func()
173 		conn->pull_buf_offset = NULL;  in tls_pull_func()
177 			   (unsigned long) (end - conn->pull_buf_offset));  in tls_pull_func()
186 	struct tls_connection *conn = (struct tls_connection *) ptr;  in tls_push_func()  local
188 	if (wpabuf_resize(&conn->push_buf, len) < 0) {  in tls_push_func()
192 	wpabuf_put_data(conn->push_buf, buf, len);  in tls_push_func()
199 				   struct tls_connection *conn)  in tls_gnutls_init_session()  argument
204 	ret = gnutls_init(&conn->session,  in tls_gnutls_init_session()
212 	ret = gnutls_set_default_priority(conn->session);  in tls_gnutls_init_session()
216 	ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0",  in tls_gnutls_init_session()
224 	gnutls_transport_set_pull_function(conn->session, tls_pull_func);  in tls_gnutls_init_session()
225 	gnutls_transport_set_push_function(conn->session, tls_push_func);  in tls_gnutls_init_session()
226 	gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr_t) conn);  in tls_gnutls_init_session()
227 	gnutls_session_set_ptr(conn->session, conn);  in tls_gnutls_init_session()
234 	gnutls_deinit(conn->session);  in tls_gnutls_init_session()
242 	struct tls_connection *conn;  in tls_connection_init()  local
245 	conn = os_zalloc(sizeof(*conn));  in tls_connection_init()
246 	if (conn == NULL)  in tls_connection_init()
248 	conn->global = global;  in tls_connection_init()
250 	if (tls_gnutls_init_session(global, conn)) {  in tls_connection_init()
251 		os_free(conn);  in tls_connection_init()
256 		ret = gnutls_credentials_set(conn->session,  in tls_connection_init()
262 			os_free(conn);  in tls_connection_init()
267 	if (gnutls_certificate_allocate_credentials(&conn->xcred)) {  in tls_connection_init()
268 		os_free(conn);  in tls_connection_init()
272 	return conn;  in tls_connection_init()
276 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)  in tls_connection_deinit()  argument
278 	if (conn == NULL)  in tls_connection_deinit()
281 	gnutls_certificate_free_credentials(conn->xcred);  in tls_connection_deinit()
282 	gnutls_deinit(conn->session);  in tls_connection_deinit()
283 	os_free(conn->pre_shared_secret);  in tls_connection_deinit()
284 	wpabuf_free(conn->push_buf);  in tls_connection_deinit()
285 	wpabuf_free(conn->pull_buf);  in tls_connection_deinit()
286 	os_free(conn->suffix_match);  in tls_connection_deinit()
287 	os_free(conn->domain_match);  in tls_connection_deinit()
288 	os_free(conn);  in tls_connection_deinit()
292 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)  in tls_connection_established()  argument
294 	return conn ? conn->established : 0;  in tls_connection_established()
299 				      struct tls_connection *conn)  in tls_connection_peer_serial_num()  argument
306 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)  in tls_connection_shutdown()  argument
311 	if (conn == NULL)  in tls_connection_shutdown()
317 	gnutls_bye(conn->session, GNUTLS_SHUT_RDWR);  in tls_connection_shutdown()
318 	wpabuf_free(conn->push_buf);  in tls_connection_shutdown()
319 	conn->push_buf = NULL;  in tls_connection_shutdown()
320 	conn->established = 0;  in tls_connection_shutdown()
322 	gnutls_deinit(conn->session);  in tls_connection_shutdown()
323 	if (tls_gnutls_init_session(global, conn)) {  in tls_connection_shutdown()
329 	ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE,  in tls_connection_shutdown()
330 				     conn->params_set ? conn->xcred :  in tls_connection_shutdown()
339 		ret = gnutls_session_set_data(conn->session,  in tls_connection_shutdown()
353 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,  in tls_connection_set_params()  argument
361 	if (conn == NULL || params == NULL)  in tls_connection_set_params()
386 	os_free(conn->suffix_match);  in tls_connection_set_params()
387 	conn->suffix_match = NULL;  in tls_connection_set_params()
389 		conn->suffix_match = os_strdup(params->suffix_match);  in tls_connection_set_params()
390 		if (conn->suffix_match == NULL)  in tls_connection_set_params()
395 	os_free(conn->domain_match);  in tls_connection_set_params()
396 	conn->domain_match = NULL;  in tls_connection_set_params()
398 		conn->domain_match = os_strdup(params->domain_match);  in tls_connection_set_params()
399 		if (conn->domain_match == NULL)  in tls_connection_set_params()
409 	conn->flags = params->flags;  in tls_connection_set_params()
455 		ret = gnutls_priority_set_direct(conn->session, prio, &err);  in tls_connection_set_params()
477 			conn->xcred, params->ca_cert, GNUTLS_X509_FMT_DER);  in tls_connection_set_params()
484 				conn->xcred, params->ca_cert,  in tls_connection_set_params()
508 			conn->xcred, &ca, GNUTLS_X509_FMT_DER);  in tls_connection_set_params()
514 				conn->xcred, &ca, GNUTLS_X509_FMT_PEM);  in tls_connection_set_params()
527 	conn->disable_time_checks = 0;  in tls_connection_set_params()
529 		conn->verify_peer = 1;  in tls_connection_set_params()
531 			conn->xcred, tls_connection_verify_peer);  in tls_connection_set_params()
535 				conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);  in tls_connection_set_params()
539 			conn->disable_time_checks = 1;  in tls_connection_set_params()
541 				conn->xcred,  in tls_connection_set_params()
552 			conn->xcred, params->client_cert, params->private_key,  in tls_connection_set_params()
557 			conn->xcred, params->client_cert, params->private_key,  in tls_connection_set_params()
566 				conn->xcred, params->client_cert,  in tls_connection_set_params()
571 				conn->xcred, params->client_cert,  in tls_connection_set_params()
594 			conn->xcred, params->private_key, GNUTLS_X509_FMT_DER,  in tls_connection_set_params()
619 			conn->xcred, &cert, &key, GNUTLS_X509_FMT_DER,  in tls_connection_set_params()
624 			conn->xcred, &cert, &key, GNUTLS_X509_FMT_DER);  in tls_connection_set_params()
631 				conn->xcred, &cert, &key, GNUTLS_X509_FMT_PEM,  in tls_connection_set_params()
636 				conn->xcred, &cert, &key, GNUTLS_X509_FMT_PEM);  in tls_connection_set_params()
654 			conn->xcred, &key, GNUTLS_X509_FMT_DER,  in tls_connection_set_params()
669 		ret = gnutls_ocsp_status_request_enable_client(conn->session,  in tls_connection_set_params()
685 	conn->params_set = 1;  in tls_connection_set_params()
687 	ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE,  in tls_connection_set_params()
688 				     conn->xcred);  in tls_connection_set_params()
861 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,  in tls_connection_set_verify()  argument
865 	if (conn == NULL || conn->session == NULL)  in tls_connection_set_verify()
868 	conn->verify_peer = verify_peer;  in tls_connection_set_verify()
869 	gnutls_certificate_server_set_request(conn->session,  in tls_connection_set_verify()
877 int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,  in tls_connection_get_random()  argument
883 	if (conn == NULL || conn->session == NULL || keys == NULL)  in tls_connection_get_random()
887 	gnutls_session_get_random(conn->session, &client, &server);  in tls_connection_get_random()
900 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,  in tls_connection_export_key()  argument
904 	if (conn == NULL || conn->session == NULL)  in tls_connection_export_key()
908 	return gnutls_prf_rfc5705(conn->session, os_strlen(label), label,  in tls_connection_export_key()
914 	return gnutls_prf(conn->session, os_strlen(label), label,  in tls_connection_export_key()
921 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,  in tls_connection_get_eap_fast_key()  argument
928 static void gnutls_tls_fail_event(struct tls_connection *conn,  in gnutls_tls_fail_event()  argument
934 	struct tls_global *global = conn->global;  in gnutls_tls_fail_event()
990 static int check_ocsp(struct tls_connection *conn, gnutls_session_t session,  in check_ocsp()  argument
999 	if (!(conn->flags & (TLS_CONN_REQUEST_OCSP | TLS_CONN_REQUIRE_OCSP)))  in check_ocsp()
1003 		if (conn->flags & TLS_CONN_REQUIRE_OCSP) {  in check_ocsp()
1069 		if (conn->flags & TLS_CONN_REQUIRE_OCSP)  in check_ocsp()
1078 	gnutls_tls_fail_event(conn, NULL, 0, NULL,  in check_ocsp()
1137 	struct tls_connection *conn;  in tls_connection_verify_peer()  local
1145 	conn = gnutls_session_get_ptr(session);  in tls_connection_verify_peer()
1146 	if (!conn->verify_peer) {  in tls_connection_verify_peer()
1160 		if (!conn->global->server) {  in tls_connection_verify_peer()
1204 	if (conn->verify_peer && (status & GNUTLS_CERT_INVALID)) {  in tls_connection_verify_peer()
1209 			gnutls_tls_fail_event(conn, NULL, 0, NULL,  in tls_connection_verify_peer()
1218 			gnutls_tls_fail_event(conn, NULL, 0, NULL,  in tls_connection_verify_peer()
1226 			gnutls_tls_fail_event(conn, NULL, 0, NULL,  in tls_connection_verify_peer()
1232 		gnutls_tls_fail_event(conn, NULL, 0, NULL,  in tls_connection_verify_peer()
1242 		gnutls_tls_fail_event(conn, NULL, 0, NULL, "signed not found",  in tls_connection_verify_peer()
1250 		gnutls_tls_fail_event(conn, NULL, 0, NULL,  in tls_connection_verify_peer()
1264 	if (check_ocsp(conn, session, &err))  in tls_connection_verify_peer()
1298 		if (conn->global->event_cb) {  in tls_connection_verify_peer()
1308 			if (conn->global->cert_in_cb) {  in tls_connection_verify_peer()
1323 			conn->global->event_cb(conn->global->cb_ctx,  in tls_connection_verify_peer()
1329 			if (conn->suffix_match &&  in tls_connection_verify_peer()
1330 			    !tls_match_suffix(cert, conn->suffix_match, 0)) {  in tls_connection_verify_peer()
1333 					   conn->suffix_match);  in tls_connection_verify_peer()
1335 					conn, &certs[i], i, buf,  in tls_connection_verify_peer()
1345 			if (conn->domain_match &&  in tls_connection_verify_peer()
1346 			    !tls_match_suffix(cert, conn->domain_match, 1)) {  in tls_connection_verify_peer()
1349 					   conn->domain_match);  in tls_connection_verify_peer()
1351 					conn, &certs[i], i, buf,  in tls_connection_verify_peer()
1370 			if (!conn->global->server &&  in tls_connection_verify_peer()
1375 					conn, &certs[i], i, buf,  in tls_connection_verify_peer()
1386 		if (!conn->disable_time_checks &&  in tls_connection_verify_peer()
1393 				conn, &certs[i], i, buf,  in tls_connection_verify_peer()
1407 	if (conn->global->event_cb != NULL)  in tls_connection_verify_peer()
1408 		conn->global->event_cb(conn->global->cb_ctx,  in tls_connection_verify_peer()
1414 	conn->failed++;  in tls_connection_verify_peer()
1420 static struct wpabuf * gnutls_get_appl_data(struct tls_connection *conn)  in gnutls_get_appl_data()  argument
1425 	ad = wpabuf_alloc((wpabuf_len(conn->pull_buf) + 500) * 3);  in gnutls_get_appl_data()
1429 	res = gnutls_record_recv(conn->session, wpabuf_mhead(ad),  in gnutls_get_appl_data()
1448 					 struct tls_connection *conn,  in tls_connection_handshake()  argument
1460 		if (conn->pull_buf) {  in tls_connection_handshake()
1463 				   (unsigned long) wpabuf_len(conn->pull_buf));  in tls_connection_handshake()
1464 			wpabuf_free(conn->pull_buf);  in tls_connection_handshake()
1466 		conn->pull_buf = wpabuf_dup(in_data);  in tls_connection_handshake()
1467 		if (conn->pull_buf == NULL)  in tls_connection_handshake()
1469 		conn->pull_buf_offset = wpabuf_head(conn->pull_buf);  in tls_connection_handshake()
1472 	ret = gnutls_handshake(conn->session);  in tls_connection_handshake()
1479 			if (global->server && conn->established &&  in tls_connection_handshake()
1480 			    conn->push_buf == NULL) {  in tls_connection_handshake()
1483 				conn->push_buf = wpabuf_alloc(0);  in tls_connection_handshake()
1488 			if (conn->global->event_cb) {  in tls_connection_handshake()
1493 				conn->global->event_cb(conn->global->cb_ctx,  in tls_connection_handshake()
1500 			conn->failed++;  in tls_connection_handshake()
1501 			conn->write_alerts++;  in tls_connection_handshake()
1504 			alert = gnutls_alert_get(conn->session);  in tls_connection_handshake()
1507 			conn->read_alerts++;  in tls_connection_handshake()
1508 			if (conn->global->event_cb != NULL) {  in tls_connection_handshake()
1513 				conn->global->event_cb(conn->global->cb_ctx,  in tls_connection_handshake()
1520 			conn->failed++;  in tls_connection_handshake()
1531 			desc = gnutls_session_get_desc(conn->session);  in tls_connection_handshake()
1539 		conn->established = 1;  in tls_connection_handshake()
1540 		if (conn->push_buf == NULL) {  in tls_connection_handshake()
1542 			conn->push_buf = wpabuf_alloc(0);  in tls_connection_handshake()
1545 		gnutls_session_get_data(conn->session, NULL, &size);  in tls_connection_handshake()
1553 			gnutls_session_get_data(conn->session,  in tls_connection_handshake()
1558 		if (conn->pull_buf && appl_data)  in tls_connection_handshake()
1559 			*appl_data = gnutls_get_appl_data(conn);  in tls_connection_handshake()
1562 	out_data = conn->push_buf;  in tls_connection_handshake()
1563 	conn->push_buf = NULL;  in tls_connection_handshake()
1569 						struct tls_connection *conn,  in tls_connection_server_handshake()  argument
1573 	return tls_connection_handshake(tls_ctx, conn, in_data, appl_data);  in tls_connection_server_handshake()
1578 				       struct tls_connection *conn,  in tls_connection_encrypt()  argument
1584 	res = gnutls_record_send(conn->session, wpabuf_head(in_data),  in tls_connection_encrypt()
1592 	buf = conn->push_buf;  in tls_connection_encrypt()
1593 	conn->push_buf = NULL;  in tls_connection_encrypt()
1599 				       struct tls_connection *conn,  in tls_connection_decrypt()  argument
1605 	if (conn->pull_buf) {  in tls_connection_decrypt()
1608 			   (unsigned long) wpabuf_len(conn->pull_buf));  in tls_connection_decrypt()
1609 		wpabuf_free(conn->pull_buf);  in tls_connection_decrypt()
1611 	conn->pull_buf = wpabuf_dup(in_data);  in tls_connection_decrypt()
1612 	if (conn->pull_buf == NULL)  in tls_connection_decrypt()
1614 	conn->pull_buf_offset = wpabuf_head(conn->pull_buf);  in tls_connection_decrypt()
1626 	res = gnutls_record_recv(conn->session, wpabuf_mhead(out),  in tls_connection_decrypt()
1640 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)  in tls_connection_resumed()  argument
1642 	if (conn == NULL)  in tls_connection_resumed()
1644 	return gnutls_session_is_resumed(conn->session);  in tls_connection_resumed()
1648 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,  in tls_connection_set_cipher_list()  argument
1656 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,  in tls_get_version()  argument
1661 	ver = gnutls_protocol_get_version(conn->session);  in tls_get_version()
1674 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,  in tls_get_cipher()  argument
1683 	cipher = gnutls_cipher_get(conn->session);  in tls_get_cipher()
1688 	kx = gnutls_kx_get(conn->session);  in tls_get_cipher()
1693 	mac = gnutls_mac_get(conn->session);  in tls_get_cipher()
1711 				     struct tls_connection *conn)  in tls_connection_enable_workaround()  argument
1713 	gnutls_record_disable_padding(conn->session);  in tls_connection_enable_workaround()
1718 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,  in tls_connection_client_hello_ext()  argument
1727 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)  in tls_connection_get_failed()  argument
1729 	if (conn == NULL)  in tls_connection_get_failed()
1731 	return conn->failed;  in tls_connection_get_failed()
1735 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)  in tls_connection_get_read_alerts()  argument
1737 	if (conn == NULL)  in tls_connection_get_read_alerts()
1739 	return conn->read_alerts;  in tls_connection_get_read_alerts()
1743 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)  in tls_connection_get_write_alerts()  argument
1745 	if (conn == NULL)  in tls_connection_get_write_alerts()
1747 	return conn->write_alerts;  in tls_connection_get_write_alerts()
1752 					 struct tls_connection *conn,  in tls_connection_set_session_ticket_cb()  argument
1766 void tls_connection_set_success_data(struct tls_connection *conn,  in tls_connection_set_success_data()  argument
1773 void tls_connection_set_success_data_resumed(struct tls_connection *conn)  in tls_connection_set_success_data_resumed()  argument
1779 tls_connection_get_success_data(struct tls_connection *conn)  in tls_connection_get_success_data()  argument
1785 void tls_connection_remove_session(struct tls_connection *conn)  in tls_connection_remove_session()  argument