
758 		struct tls_connection *conn = SSL_get_app_data((SSL *) ssl);  in ssl_info_cb()  local
767 conn->read_alerts++; in ssl_info_cb()
769 conn->write_alerts++; in ssl_info_cb()
771 if (conn->context->event_cb != NULL) { in ssl_info_cb()
773 struct tls_context *context = conn->context; in ssl_info_cb()
1261 static int tls_engine_init(struct tls_connection *conn, const char *engine_id, in tls_engine_init() argument
1271 conn->engine = NULL; in tls_engine_init()
1272 conn->private_key = EVP_PKEY_from_keystore(key_id); in tls_engine_init()
1273 if (!conn->private_key) { in tls_engine_init()
1293 conn->engine = ENGINE_by_id(engine_id); in tls_engine_init()
1294 if (!conn->engine) { in tls_engine_init()
1299 if (ENGINE_init(conn->engine) != 1) { in tls_engine_init()
1308 if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) { in tls_engine_init()
1325 conn->private_key = ENGINE_load_private_key(conn->engine, in tls_engine_init()
1328 if (!conn->private_key) { in tls_engine_init()
1348 if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME, in tls_engine_init()
1360 if (conn->engine) { in tls_engine_init()
1361 ENGINE_free(conn->engine); in tls_engine_init()
1362 conn->engine = NULL; in tls_engine_init()
1365 if (conn->private_key) { in tls_engine_init()
1366 EVP_PKEY_free(conn->private_key); in tls_engine_init()
1367 conn->private_key = NULL; in tls_engine_init()
1377 static void tls_engine_deinit(struct tls_connection *conn) in tls_engine_deinit() argument
1381 if (conn->private_key) { in tls_engine_deinit()
1382 EVP_PKEY_free(conn->private_key); in tls_engine_deinit()
1383 conn->private_key = NULL; in tls_engine_deinit()
1385 if (conn->engine) { in tls_engine_deinit()
1387 ENGINE_finish(conn->engine); in tls_engine_deinit()
1389 conn->engine = NULL; in tls_engine_deinit()
1489 static void check_server_hello(struct tls_connection *conn, in check_server_hello() argument
1524 conn->cipher_suite = WPA_GET_BE16(pos); in check_server_hello()
1526 conn->cipher_suite); in check_server_hello()
1530 static void check_server_key_exchange(SSL *ssl, struct tls_connection *conn, in check_server_key_exchange() argument
1538 if (!(conn->flags & TLS_CONN_SUITEB)) in check_server_key_exchange()
1542 if (conn->cipher_suite != 0x9f) in check_server_key_exchange()
1568 conn->server_dh_prime_len = bits; in check_server_key_exchange()
1570 conn->server_dh_prime_len); in check_server_key_exchange()
1579 struct tls_connection *conn = arg; in tls_msg_cb() local
1608 conn->invalid_hb_used = 1; in tls_msg_cb()
1619 check_server_hello(conn, pos + 1, pos + len); in tls_msg_cb()
1621 check_server_key_exchange(ssl, conn, pos + 1, pos + len); in tls_msg_cb()
1687 struct tls_connection *conn; in tls_connection_init() local
1711 conn = os_zalloc(sizeof(*conn)); in tls_connection_init()
1712 if (conn == NULL) in tls_connection_init()
1714 conn->data = data; in tls_connection_init()
1715 conn->ssl_ctx = ssl; in tls_connection_init()
1716 conn->ssl = SSL_new(ssl); in tls_connection_init()
1717 if (conn->ssl == NULL) { in tls_connection_init()
1720 os_free(conn); in tls_connection_init()
1724 conn->context = context; in tls_connection_init()
1725 SSL_set_app_data(conn->ssl, conn); in tls_connection_init()
1726 SSL_set_msg_callback(conn->ssl, tls_msg_cb); in tls_connection_init()
1727 SSL_set_msg_callback_arg(conn->ssl, conn); in tls_connection_init()
1733 SSL_set_options(conn->ssl, options); in tls_connection_init()
1737 SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); in tls_connection_init()
1744 SSL_CTX_set_keylog_callback(conn->ssl_ctx, tls_keylog_cb); in tls_connection_init()
1748 conn->ssl_in = BIO_new(BIO_s_mem()); in tls_connection_init()
1749 if (!conn->ssl_in) { in tls_connection_init()
1752 SSL_free(conn->ssl); in tls_connection_init()
1753 os_free(conn); in tls_connection_init()
1757 conn->ssl_out = BIO_new(BIO_s_mem()); in tls_connection_init()
1758 if (!conn->ssl_out) { in tls_connection_init()
1761 SSL_free(conn->ssl); in tls_connection_init()
1762 BIO_free(conn->ssl_in); in tls_connection_init()
1763 os_free(conn); in tls_connection_init()
1767 SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out); in tls_connection_init()
1769 return conn; in tls_connection_init()
1773 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn) in tls_connection_deinit() argument
1775 if (conn == NULL) in tls_connection_deinit()
1777 if (conn->success_data) { in tls_connection_deinit()
1782 SSL_set_quiet_shutdown(conn->ssl, 1); in tls_connection_deinit()
1783 SSL_shutdown(conn->ssl); in tls_connection_deinit()
1785 SSL_free(conn->ssl); in tls_connection_deinit()
1786 tls_engine_deinit(conn); in tls_connection_deinit()
1787 os_free(conn->subject_match); in tls_connection_deinit()
1788 os_free(conn->altsubject_match); in tls_connection_deinit()
1789 os_free(conn->suffix_match); in tls_connection_deinit()
1790 os_free(conn->domain_match); in tls_connection_deinit()
1791 os_free(conn->check_cert_subject); in tls_connection_deinit()
1792 os_free(conn->session_ticket); in tls_connection_deinit()
1793 os_free(conn->peer_subject); in tls_connection_deinit()
1794 os_free(conn); in tls_connection_deinit()
1798 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn) in tls_connection_established() argument
1800 return conn ? SSL_is_init_finished(conn->ssl) : 0; in tls_connection_established()
1805 struct tls_connection *conn) in tls_connection_peer_serial_num() argument
1811 if (!conn->peer_cert) in tls_connection_peer_serial_num()
1814 ser = X509_get_serialNumber(conn->peer_cert); in tls_connection_peer_serial_num()
1829 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn) in tls_connection_shutdown() argument
1831 if (conn == NULL) in tls_connection_shutdown()
1837 SSL_set_quiet_shutdown(conn->ssl, 1); in tls_connection_shutdown()
1838 SSL_shutdown(conn->ssl); in tls_connection_shutdown()
1839 return SSL_clear(conn->ssl) == 1 ? 0 : -1; in tls_connection_shutdown()
2305 static void openssl_tls_fail_event(struct tls_connection *conn, in openssl_tls_fail_event() argument
2312 struct tls_context *context = conn->context; in openssl_tls_fail_event()
2361 static void openssl_tls_cert_event(struct tls_connection *conn, in openssl_tls_cert_event() argument
2367 struct tls_context *context = conn->context; in openssl_tls_cert_event()
2383 if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) || in openssl_tls_cert_event()
2500 struct tls_connection *conn; in tls_verify_cb() local
2518 conn = SSL_get_app_data(ssl); in tls_verify_cb()
2519 if (conn == NULL) in tls_verify_cb()
2523 conn->peer_cert = err_cert; in tls_verify_cb()
2525 conn->peer_issuer = err_cert; in tls_verify_cb()
2527 conn->peer_issuer_issuer = err_cert; in tls_verify_cb()
2529 context = conn->context; in tls_verify_cb()
2530 match = conn->subject_match; in tls_verify_cb()
2531 altmatch = conn->altsubject_match; in tls_verify_cb()
2532 suffix_match = conn->suffix_match; in tls_verify_cb()
2533 domain_match = conn->domain_match; in tls_verify_cb()
2535 if (!preverify_ok && !conn->ca_cert_verify) in tls_verify_cb()
2537 if (!preverify_ok && depth > 0 && conn->server_cert_only) in tls_verify_cb()
2539 if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) && in tls_verify_cb()
2546 if (!preverify_ok && !conn->data->check_crl_strict && in tls_verify_cb()
2561 if (depth == 0 && conn->server_cert_only) { in tls_verify_cb()
2575 os_memcmp(conn->srv_cert_hash, hash, 32) != 0) { in tls_verify_cb()
2593 openssl_tls_cert_event(conn, err_cert, depth, buf); in tls_verify_cb()
2611 openssl_tls_cert_event(conn, cert, 0, buf2); in tls_verify_cb()
2620 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2628 conn->ca_cert_verify, depth, buf); in tls_verify_cb()
2629 check_cert_subject = conn->check_cert_subject; in tls_verify_cb()
2631 check_cert_subject = conn->data->check_cert_subject; in tls_verify_cb()
2636 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2645 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2653 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2661 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2669 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2674 if (conn->cert_probe && preverify_ok && depth == 0) { in tls_verify_cb()
2678 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2684 if (conn->flags & TLS_CONN_SUITEB) { in tls_verify_cb()
2700 conn, err_cert, err, in tls_verify_cb()
2710 if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) && in tls_verify_cb()
2714 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert, in tls_verify_cb()
2715 conn->peer_issuer, in tls_verify_cb()
2716 conn->peer_issuer_issuer); in tls_verify_cb()
2719 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2726 (conn->flags & TLS_CONN_REQUIRE_OCSP)) { in tls_verify_cb()
2728 openssl_tls_fail_event(conn, err_cert, err, depth, buf, in tls_verify_cb()
2740 os_free(conn->peer_subject); in tls_verify_cb()
2741 conn->peer_subject = os_strdup(buf); in tls_verify_cb()
2782 struct tls_connection *conn, in tls_connection_ca_cert() argument
2801 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); in tls_connection_ca_cert()
2802 conn->ca_cert_verify = 1; in tls_connection_ca_cert()
2807 conn->cert_probe = 1; in tls_connection_ca_cert()
2808 conn->ca_cert_verify = 0; in tls_connection_ca_cert()
2826 if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) { in tls_connection_ca_cert()
2831 conn->server_cert_only = 1; in tls_connection_ca_cert()
2895 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); in tls_connection_ca_cert()
2924 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); in tls_connection_ca_cert()
2930 if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) == in tls_connection_ca_cert()
2964 conn->ca_cert_verify = 0; in tls_connection_ca_cert()
3026 static int tls_connection_set_subject_match(struct tls_connection *conn, in tls_connection_set_subject_match() argument
3033 os_free(conn->subject_match); in tls_connection_set_subject_match()
3034 conn->subject_match = NULL; in tls_connection_set_subject_match()
3036 conn->subject_match = os_strdup(subject_match); in tls_connection_set_subject_match()
3037 if (conn->subject_match == NULL) in tls_connection_set_subject_match()
3041 os_free(conn->altsubject_match); in tls_connection_set_subject_match()
3042 conn->altsubject_match = NULL; in tls_connection_set_subject_match()
3044 conn->altsubject_match = os_strdup(altsubject_match); in tls_connection_set_subject_match()
3045 if (conn->altsubject_match == NULL) in tls_connection_set_subject_match()
3049 os_free(conn->suffix_match); in tls_connection_set_subject_match()
3050 conn->suffix_match = NULL; in tls_connection_set_subject_match()
3052 conn->suffix_match = os_strdup(suffix_match); in tls_connection_set_subject_match()
3053 if (conn->suffix_match == NULL) in tls_connection_set_subject_match()
3057 os_free(conn->domain_match); in tls_connection_set_subject_match()
3058 conn->domain_match = NULL; in tls_connection_set_subject_match()
3060 conn->domain_match = os_strdup(domain_match); in tls_connection_set_subject_match()
3061 if (conn->domain_match == NULL) in tls_connection_set_subject_match()
3065 os_free(conn->check_cert_subject); in tls_connection_set_subject_match()
3066 conn->check_cert_subject = NULL; in tls_connection_set_subject_match()
3068 conn->check_cert_subject = os_strdup(check_cert_subject); in tls_connection_set_subject_match()
3069 if (!conn->check_cert_subject) in tls_connection_set_subject_match()
3080 struct tls_connection *conn = arg; in suiteb_cert_cb() local
3089 if (!(conn->flags & TLS_CONN_SUITEB)) in suiteb_cert_cb()
3093 if (conn->cipher_suite != 0x9f) in suiteb_cert_cb()
3096 if (conn->server_dh_prime_len >= 3072) in suiteb_cert_cb()
3101 conn->server_dh_prime_len); in suiteb_cert_cb()
3107 static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, in tls_set_conn_flags() argument
3110 SSL *ssl = conn->ssl; in tls_set_conn_flags()
3193 SSL_set_security_level(conn->ssl, need_level); in tls_set_conn_flags()
3199 openssl_ciphers = conn->data->openssl_ciphers; in tls_set_conn_flags()
3204 SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, NULL, 0); in tls_set_conn_flags()
3278 if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs, in tls_set_conn_flags()
3299 SSL_set_cert_cb(ssl, suiteb_cert_cb, conn); in tls_set_conn_flags()
3313 if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs, in tls_set_conn_flags()
3359 SSL_set_security_level(conn->ssl, 0); in tls_set_conn_flags()
3365 if (SSL_set_cipher_list(conn->ssl, cs) != 1) { in tls_set_conn_flags()
3376 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, in tls_connection_set_verify() argument
3383 if (conn == NULL) in tls_connection_set_verify()
3387 conn->ca_cert_verify = 1; in tls_connection_set_verify()
3388 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | in tls_connection_set_verify()
3391 conn->ca_cert_verify = 1; in tls_connection_set_verify()
3392 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | in tls_connection_set_verify()
3396 conn->ca_cert_verify = 0; in tls_connection_set_verify()
3397 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); in tls_connection_set_verify()
3400 if (tls_set_conn_flags(conn, flags, NULL) < 0) in tls_connection_set_verify()
3402 conn->flags = flags; in tls_connection_set_verify()
3404 SSL_set_accept_state(conn->ssl); in tls_connection_set_verify()
3413 SSL_set_session_id_context(conn->ssl, in tls_connection_set_verify()
3417 SSL_set_session_id_context(conn->ssl, session_ctx, in tls_connection_set_verify()
3425 static int tls_connection_client_cert(struct tls_connection *conn, in tls_connection_client_cert() argument
3440 SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx); in tls_connection_client_cert()
3445 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob, in tls_connection_client_cert()
3465 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) { in tls_connection_client_cert()
3476 SSL_add0_chain_cert(conn->ssl, x509); in tls_connection_client_cert()
3495 if (SSL_use_certificate(conn->ssl, x509) == 1) in tls_connection_client_cert()
3505 SSL_add0_chain_cert(conn->ssl, x509); in tls_connection_client_cert()
3516 if (SSL_use_certificate_file(conn->ssl, client_cert, in tls_connection_client_cert()
3525 if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) { in tls_connection_client_cert()
3532 if (SSL_use_certificate_file(conn->ssl, client_cert, in tls_connection_client_cert()
3765 static int tls_engine_get_cert(struct tls_connection *conn, in tls_engine_get_cert() argument
3777 if (!ENGINE_ctrl_cmd(conn->engine, "LOAD_CERT_CTRL", in tls_engine_get_cert()
3799 static int tls_connection_engine_client_cert(struct tls_connection *conn, in tls_connection_engine_client_cert() argument
3805 if (tls_engine_get_cert(conn, cert_id, &cert)) in tls_connection_engine_client_cert()
3808 if (!SSL_use_certificate(conn->ssl, cert)) { in tls_connection_engine_client_cert()
3826 struct tls_connection *conn, in tls_connection_engine_ca_cert() argument
3834 if (tls_engine_get_cert(conn, ca_cert_id, &cert)) in tls_connection_engine_ca_cert()
3864 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); in tls_connection_engine_ca_cert()
3865 conn->ca_cert_verify = 1; in tls_connection_engine_ca_cert()
3875 static int tls_connection_engine_private_key(struct tls_connection *conn) in tls_connection_engine_private_key() argument
3878 if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) { in tls_connection_engine_private_key()
3883 if (!SSL_check_private_key(conn->ssl)) { in tls_connection_engine_private_key()
3956 struct tls_connection *conn, in tls_connection_private_key() argument
3970 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl, in tls_connection_private_key()
3979 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl, in tls_connection_private_key()
3989 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, conn->ssl, in tls_connection_private_key()
4000 if (SSL_use_RSAPrivateKey_ASN1(conn->ssl, in tls_connection_private_key()
4019 if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) { in tls_connection_private_key()
4032 if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob, in tls_connection_private_key()
4045 if (tls_use_private_key_file(data, conn->ssl, private_key, in tls_connection_private_key()
4051 if (tls_read_pkcs12(data, conn->ssl, private_key, in tls_connection_private_key()
4059 if (tls_cryptoapi_cert(conn->ssl, private_key) == 0) { in tls_connection_private_key()
4076 if (!SSL_check_private_key(conn->ssl)) { in tls_connection_private_key()
4306 int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn, in tls_connection_get_random() argument
4311 if (conn == NULL || keys == NULL) in tls_connection_get_random()
4313 ssl = conn->ssl; in tls_connection_get_random()
4318 keys->client_random = conn->client_random; in tls_connection_get_random()
4320 ssl, conn->client_random, sizeof(conn->client_random)); in tls_connection_get_random()
4321 keys->server_random = conn->server_random; in tls_connection_get_random()
4323 ssl, conn->server_random, sizeof(conn->server_random)); in tls_connection_get_random()
4404 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, in tls_connection_export_key() argument
4408 if (!conn || in tls_connection_export_key()
4409 SSL_export_keying_material(conn->ssl, out, out_len, label, in tls_connection_export_key()
4417 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn, in tls_connection_get_eap_fast_key() argument
4440 if (conn == NULL) in tls_connection_get_eap_fast_key()
4442 ssl = conn->ssl; in tls_connection_get_eap_fast_key()
4498 openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) in openssl_handshake() argument
4500 struct tls_context *context = conn->context; in openssl_handshake()
4509 BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data)) in openssl_handshake()
4517 if (conn->server) in openssl_handshake()
4518 res = SSL_accept(conn->ssl); in openssl_handshake()
4520 res = SSL_connect(conn->ssl); in openssl_handshake()
4522 int err = SSL_get_error(conn->ssl, res); in openssl_handshake()
4543 conn->failed++; in openssl_handshake()
4544 if (!conn->server && !conn->client_hello_generated) { in openssl_handshake()
4552 conn->write_alerts++; in openssl_handshake()
4558 if (!conn->server && !conn->failed) in openssl_handshake()
4559 conn->client_hello_generated = 1; in openssl_handshake()
4562 if ((conn->flags & TLS_CONN_SUITEB) && !conn->server && in openssl_handshake()
4563 os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 && in openssl_handshake()
4564 conn->server_dh_prime_len < 3072) { in openssl_handshake()
4573 conn->server_dh_prime_len); in openssl_handshake()
4588 conn->failed++; in openssl_handshake()
4589 conn->write_alerts++; in openssl_handshake()
4595 res = BIO_ctrl_pending(conn->ssl_out); in openssl_handshake()
4601 if (BIO_reset(conn->ssl_out) < 0) { in openssl_handshake()
4607 res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data), in openssl_handshake()
4612 if (BIO_reset(conn->ssl_out) < 0) { in openssl_handshake()
4626 openssl_get_appl_data(struct tls_connection *conn, size_t max_len) in openssl_get_appl_data() argument
4635 res = SSL_read(conn->ssl, wpabuf_mhead(appl_data), in openssl_get_appl_data()
4638 int err = SSL_get_error(conn->ssl, res); in openssl_get_appl_data()
4661 openssl_connection_handshake(struct tls_connection *conn, in openssl_connection_handshake() argument
4670 out_data = openssl_handshake(conn, in_data); in openssl_connection_handshake()
4673 if (conn->invalid_hb_used) { in openssl_connection_handshake()
4679 if (SSL_is_init_finished(conn->ssl)) { in openssl_connection_handshake()
4682 tls_connection_resumed(conn->ssl_ctx, conn)); in openssl_connection_handshake()
4683 if (conn->server) { in openssl_connection_handshake()
4689 if (SSL_get_shared_ciphers(conn->ssl, buf, in openssl_connection_handshake()
4700 *appl_data = openssl_get_appl_data(conn, in openssl_connection_handshake()
4704 if (conn->invalid_hb_used) { in openssl_connection_handshake()
4719 tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn, in tls_connection_handshake() argument
4723 return openssl_connection_handshake(conn, in_data, appl_data); in tls_connection_handshake()
4728 struct tls_connection *conn, in tls_connection_server_handshake() argument
4732 conn->server = 1; in tls_connection_server_handshake()
4733 return openssl_connection_handshake(conn, in_data, appl_data); in tls_connection_server_handshake()
4738 struct tls_connection *conn, in tls_connection_encrypt() argument
4744 if (conn == NULL) in tls_connection_encrypt()
4748 if ((res = BIO_reset(conn->ssl_in)) < 0 || in tls_connection_encrypt()
4749 (res = BIO_reset(conn->ssl_out)) < 0) { in tls_connection_encrypt()
4753 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data)); in tls_connection_encrypt()
4764 res = BIO_read(conn->ssl_out, wpabuf_mhead(buf), wpabuf_size(buf)); in tls_connection_encrypt()
4778 struct tls_connection *conn, in tls_connection_decrypt() argument
4785 res = BIO_write(conn->ssl_in, wpabuf_head(in_data), in tls_connection_decrypt()
4792 if (BIO_reset(conn->ssl_out) < 0) { in tls_connection_decrypt()
4807 res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf)); in tls_connection_decrypt()
4809 int err = SSL_get_error(conn->ssl, res); in tls_connection_decrypt()
4824 if (conn->invalid_hb_used) { in tls_connection_decrypt()
4834 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn) in tls_connection_resumed() argument
4836 return conn ? SSL_session_reused(conn->ssl) : 0; in tls_connection_resumed()
4840 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, in tls_connection_set_cipher_list() argument
4847 if (conn == NULL || conn->ssl == NULL || ciphers == NULL) in tls_connection_set_cipher_list()
4903 SSL_set_security_level(conn->ssl, 0); in tls_connection_set_cipher_list()
4904 } else if (SSL_get_security_level(conn->ssl) == 0) { in tls_connection_set_cipher_list()
4906 SSL_set_security_level(conn->ssl, 1); in tls_connection_set_cipher_list()
4911 if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) { in tls_connection_set_cipher_list()
4921 int tls_get_version(void *ssl_ctx, struct tls_connection *conn, in tls_get_version() argument
4925 if (conn == NULL || conn->ssl == NULL) in tls_get_version()
4928 name = SSL_get_version(conn->ssl); in tls_get_version()
4937 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn, in tls_get_cipher() argument
4941 if (conn == NULL || conn->ssl == NULL) in tls_get_cipher()
4944 name = SSL_get_cipher(conn->ssl); in tls_get_cipher()
4954 struct tls_connection *conn) in tls_connection_enable_workaround() argument
4956 SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); in tls_connection_enable_workaround()
4966 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn, in tls_connection_client_hello_ext() argument
4970 if (conn == NULL || conn->ssl == NULL || ext_type != 35) in tls_connection_client_hello_ext()
4973 if (SSL_set_session_ticket_ext(conn->ssl, (void *) data, in tls_connection_client_hello_ext()
4982 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn) in tls_connection_get_failed() argument
4984 if (conn == NULL) in tls_connection_get_failed()
4986 return conn->failed; in tls_connection_get_failed()
4990 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn) in tls_connection_get_read_alerts() argument
4992 if (conn == NULL) in tls_connection_get_read_alerts()
4994 return conn->read_alerts; in tls_connection_get_read_alerts()
4998 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn) in tls_connection_get_write_alerts() argument
5000 if (conn == NULL) in tls_connection_get_write_alerts()
5002 return conn->write_alerts; in tls_connection_get_write_alerts()
5044 struct tls_connection *conn = arg; in ocsp_resp_cb() local
5072 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1; in ocsp_resp_cb()
5098 store = SSL_CTX_get_cert_store(conn->ssl_ctx); in ocsp_resp_cb()
5099 if (conn->peer_issuer) { in ocsp_resp_cb()
5100 debug_print_cert(conn->peer_issuer, "Add OCSP issuer"); in ocsp_resp_cb()
5102 if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) { in ocsp_resp_cb()
5109 cert = X509_dup(conn->peer_issuer); in ocsp_resp_cb()
5118 if (certs && conn->peer_issuer_issuer) { in ocsp_resp_cb()
5119 cert = X509_dup(conn->peer_issuer_issuer); in ocsp_resp_cb()
5142 if (!conn->peer_cert) { in ocsp_resp_cb()
5149 if (!conn->peer_issuer) { in ocsp_resp_cb()
5156 id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer); in ocsp_resp_cb()
5169 id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer); in ocsp_resp_cb()
5185 (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" : in ocsp_resp_cb()
5190 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1; in ocsp_resp_cb()
5212 if (conn->flags & TLS_CONN_REQUIRE_OCSP) { in ocsp_resp_cb()
5326 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, in tls_connection_set_params() argument
5339 if (conn == NULL) in tls_connection_set_params()
5394 if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) { in tls_connection_set_params()
5408 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3); in tls_connection_set_params()
5419 if (tls_set_conn_flags(conn, params->flags, in tls_connection_set_params()
5426 ret = tls_engine_init(conn, engine_id, params->pin, in tls_connection_set_params()
5431 if (tls_connection_set_subject_match(conn, in tls_connection_set_params()
5440 if (tls_connection_engine_ca_cert(data, conn, ca_cert_id)) in tls_connection_set_params()
5442 } else if (tls_connection_ca_cert(data, conn, params->ca_cert, in tls_connection_set_params()
5449 if (tls_connection_engine_client_cert(conn, cert_id)) in tls_connection_set_params()
5451 } else if (tls_connection_client_cert(conn, params->client_cert, in tls_connection_set_params()
5458 if (tls_connection_engine_private_key(conn)) in tls_connection_set_params()
5460 } else if (tls_connection_private_key(data, conn, in tls_connection_set_params()
5481 if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) { in tls_connection_set_params()
5492 if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) { in tls_connection_set_params()
5507 if (SSL_set1_curves_list(conn->ssl, in tls_connection_set_params()
5523 SSL_enable_ocsp_stapling(conn->ssl); in tls_connection_set_params()
5529 SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp); in tls_connection_set_params()
5531 SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn); in tls_connection_set_params()
5546 conn->flags = params->flags; in tls_connection_set_params()
5791 struct tls_connection *conn = arg; in tls_sess_sec_cb() local
5795 if (conn == NULL || conn->session_ticket_cb == NULL) in tls_sess_sec_cb()
5798 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx, in tls_sess_sec_cb()
5799 conn->session_ticket, in tls_sess_sec_cb()
5800 conn->session_ticket_len, in tls_sess_sec_cb()
5807 if (conn == NULL || conn->session_ticket_cb == NULL) in tls_sess_sec_cb()
5813 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx, in tls_sess_sec_cb()
5814 conn->session_ticket, in tls_sess_sec_cb()
5815 conn->session_ticket_len, in tls_sess_sec_cb()
5820 os_free(conn->session_ticket); in tls_sess_sec_cb()
5821 conn->session_ticket = NULL; in tls_sess_sec_cb()
5834 struct tls_connection *conn = arg; in tls_session_ticket_ext_cb() local
5836 if (conn == NULL || conn->session_ticket_cb == NULL) in tls_session_ticket_ext_cb()
5841 os_free(conn->session_ticket); in tls_session_ticket_ext_cb()
5842 conn->session_ticket = NULL; in tls_session_ticket_ext_cb()
5847 conn->session_ticket = os_memdup(data, len); in tls_session_ticket_ext_cb()
5848 if (conn->session_ticket == NULL) in tls_session_ticket_ext_cb()
5851 conn->session_ticket_len = len; in tls_session_ticket_ext_cb()
5859 struct tls_connection *conn, in tls_connection_set_session_ticket_cb() argument
5864 conn->session_ticket_cb = cb; in tls_connection_set_session_ticket_cb()
5865 conn->session_ticket_cb_ctx = ctx; in tls_connection_set_session_ticket_cb()
5868 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb, in tls_connection_set_session_ticket_cb()
5869 conn) != 1) in tls_connection_set_session_ticket_cb()
5871 SSL_set_session_ticket_ext_cb(conn->ssl, in tls_connection_set_session_ticket_cb()
5872 tls_session_ticket_ext_cb, conn); in tls_connection_set_session_ticket_cb()
5874 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1) in tls_connection_set_session_ticket_cb()
5876 SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL); in tls_connection_set_session_ticket_cb()
5900 void tls_connection_set_success_data(struct tls_connection *conn, in tls_connection_set_success_data() argument
5909 sess = SSL_get_session(conn->ssl); in tls_connection_set_success_data()
5916 found = get_session_data(conn->context, old); in tls_connection_set_success_data()
5933 dl_list_add(&conn->context->sessions, &sess_data->list); in tls_connection_set_success_data()
5936 conn->success_data = 1; in tls_connection_set_success_data()
5946 void tls_connection_set_success_data_resumed(struct tls_connection *conn) in tls_connection_set_success_data_resumed() argument
5950 conn->success_data = 1; in tls_connection_set_success_data_resumed()
5955 tls_connection_get_success_data(struct tls_connection *conn) in tls_connection_get_success_data() argument
5960 !(sess = SSL_get_session(conn->ssl))) in tls_connection_get_success_data()
5966 void tls_connection_remove_session(struct tls_connection *conn) in tls_connection_remove_session() argument
5970 sess = SSL_get_session(conn->ssl); in tls_connection_remove_session()
5974 if (SSL_CTX_remove_session(conn->ssl_ctx, sess) != 1) in tls_connection_remove_session()
5983 int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len) in tls_get_tls_unique() argument
5988 reused = SSL_session_reused(conn->ssl); in tls_get_tls_unique()
5989 if ((conn->server && !reused) || (!conn->server && reused)) in tls_get_tls_unique()
5990 len = SSL_get_peer_finished(conn->ssl, buf, max_len); in tls_get_tls_unique()
5992 len = SSL_get_finished(conn->ssl, buf, max_len); in tls_get_tls_unique()
6001 u16 tls_connection_get_cipher_suite(struct tls_connection *conn) in tls_connection_get_cipher_suite() argument
6005 cipher = SSL_get_current_cipher(conn->ssl); in tls_connection_get_cipher_suite()
6016 const char * tls_connection_get_peer_subject(struct tls_connection *conn) in tls_connection_get_peer_subject() argument
6018 if (conn) in tls_connection_get_peer_subject()
6019 return conn->peer_subject; in tls_connection_get_peer_subject()
6024 bool tls_connection_get_own_cert_used(struct tls_connection *conn) in tls_connection_get_own_cert_used() argument
6026 if (conn) in tls_connection_get_own_cert_used()
6027 return SSL_get_certificate(conn->ssl) != NULL; in tls_connection_get_own_cert_used()