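Lines matching refs:ssl (each entry: source line number, the matching line, the enclosing function, and, where the line declares the symbol, its role: argument, local or member)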

88 static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,  in SSL_get_client_random()  argument
91 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE) in SSL_get_client_random()
93 os_memcpy(out, ssl->s3->client_random, SSL3_RANDOM_SIZE); in SSL_get_client_random()
98 static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, in SSL_get_server_random() argument
101 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE) in SSL_get_server_random()
103 os_memcpy(out, ssl->s3->server_random, SSL3_RANDOM_SIZE); in SSL_get_server_random()
228 SSL_CTX *ssl; member
243 SSL *ssl; member
562 static int tls_cryptoapi_cert(SSL *ssl, const char *name) in tls_cryptoapi_cert() argument
630 if (!SSL_use_certificate(ssl, cert)) { in tls_cryptoapi_cert()
644 if (!SSL_use_RSAPrivateKey(ssl, rsa)) in tls_cryptoapi_cert()
663 static int tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name) in tls_cryptoapi_ca_cert() argument
732 static int tls_cryptoapi_cert(SSL *ssl, const char *name) in tls_cryptoapi_cert() argument
740 static void ssl_info_cb(const SSL *ssl, int where, int ret) in ssl_info_cb() argument
756 str, SSL_state_string_long(ssl)); in ssl_info_cb()
758 struct tls_connection *conn = SSL_get_app_data((SSL *) ssl); in ssl_info_cb()
783 SSL_state_string_long(ssl)); in ssl_info_cb()
995 SSL_CTX *ssl; in tls_init() local
1087 ssl = SSL_CTX_new(SSLv23_method()); in tls_init()
1089 ssl = NULL; in tls_init()
1090 if (ssl == NULL) { in tls_init()
1101 data->ssl = ssl; in tls_init()
1107 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); in tls_init()
1108 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); in tls_init()
1110 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY); in tls_init()
1117 SSL_CTX_clear_mode(ssl, SSL_MODE_NO_AUTO_CHAIN); in tls_init()
1120 SSL_CTX_set_info_callback(ssl, ssl_info_cb); in tls_init()
1121 SSL_CTX_set_app_data(ssl, context); in tls_init()
1123 SSL_CTX_set_quiet_shutdown(ssl, 1); in tls_init()
1128 SSL_CTX_set_session_id_context(ssl, (u8 *) "hostapd", 7); in tls_init()
1129 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_SERVER); in tls_init()
1130 SSL_CTX_set_timeout(ssl, data->tls_session_lifetime); in tls_init()
1131 SSL_CTX_sess_set_remove_cb(ssl, remove_session_cb); in tls_init()
1136 SSL_CTX_set_num_tickets(ssl, 1); in tls_init()
1139 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_OFF); in tls_init()
1143 SSL_CTX_set_num_tickets(ssl, 0); in tls_init()
1174 if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) { in tls_init()
1189 SSL_CTX *ssl = data->ssl; in tls_deinit() local
1190 struct tls_context *context = SSL_CTX_get_app_data(ssl); in tls_deinit()
1195 SSL_CTX_flush_sessions(ssl, 0); in tls_deinit()
1210 SSL_CTX_free(ssl); in tls_deinit()
1530 static void check_server_key_exchange(SSL *ssl, struct tls_connection *conn, in check_server_key_exchange() argument
1577 const void *buf, size_t len, SSL *ssl, void *arg) in tls_msg_cb() argument
1583 if ((SSL_version(ssl) == TLS1_VERSION || in tls_msg_cb()
1584 SSL_version(ssl) == TLS1_1_VERSION) && in tls_msg_cb()
1585 SSL_get_security_level(ssl) > 0) { in tls_msg_cb()
1588 SSL_set_security_level(ssl, 0); in tls_msg_cb()
1621 check_server_key_exchange(ssl, conn, pos + 1, pos + len); in tls_msg_cb()
1646 static void tls_keylog_cb(const SSL *ssl, const char *line) in tls_keylog_cb() argument
1686 SSL_CTX *ssl = data->ssl; in tls_connection_init() local
1691 struct tls_context *context = SSL_CTX_get_app_data(ssl); in tls_connection_init()
1706 SSL_CTX_set_cert_store(ssl, new_cert_store); in tls_connection_init()
1715 conn->ssl_ctx = ssl; in tls_connection_init()
1716 conn->ssl = SSL_new(ssl); in tls_connection_init()
1717 if (conn->ssl == NULL) { in tls_connection_init()
1725 SSL_set_app_data(conn->ssl, conn); in tls_connection_init()
1726 SSL_set_msg_callback(conn->ssl, tls_msg_cb); in tls_connection_init()
1727 SSL_set_msg_callback_arg(conn->ssl, conn); in tls_connection_init()
1733 SSL_set_options(conn->ssl, options); in tls_connection_init()
1737 SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); in tls_connection_init()
1752 SSL_free(conn->ssl); in tls_connection_init()
1761 SSL_free(conn->ssl); in tls_connection_init()
1767 SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out); in tls_connection_init()
1782 SSL_set_quiet_shutdown(conn->ssl, 1); in tls_connection_deinit()
1783 SSL_shutdown(conn->ssl); in tls_connection_deinit()
1785 SSL_free(conn->ssl); in tls_connection_deinit()
1800 return conn ? SSL_is_init_finished(conn->ssl) : 0; in tls_connection_established()
1837 SSL_set_quiet_shutdown(conn->ssl, 1); in tls_connection_shutdown()
1838 SSL_shutdown(conn->ssl); in tls_connection_shutdown()
1839 return SSL_clear(conn->ssl) == 1 ? 0 : -1; in tls_connection_shutdown()
2499 SSL *ssl; in tls_verify_cb() local
2512 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, in tls_verify_cb()
2518 conn = SSL_get_app_data(ssl); in tls_verify_cb()
2714 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert, in tls_verify_cb()
2751 SSL_CTX *ssl_ctx = data->ssl; in tls_load_ca_der()
2786 SSL_CTX *ssl_ctx = data->ssl; in tls_connection_ca_cert()
2801 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); in tls_connection_ca_cert()
2895 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); in tls_connection_ca_cert()
2924 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); in tls_connection_ca_cert()
2930 if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) == in tls_connection_ca_cert()
2973 SSL_CTX *ssl_ctx = data->ssl; in tls_global_ca_cert()
3006 X509_STORE *cs = SSL_CTX_get_cert_store(data->ssl); in tls_global_set_verify()
3078 static int suiteb_cert_cb(SSL *ssl, void *arg) in suiteb_cert_cb() argument
3110 SSL *ssl = conn->ssl; in tls_set_conn_flags() local
3114 SSL_set_options(ssl, SSL_OP_NO_TICKET); in tls_set_conn_flags()
3116 SSL_clear_options(ssl, SSL_OP_NO_TICKET); in tls_set_conn_flags()
3121 SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT); in tls_set_conn_flags()
3126 SSL_set_options(ssl, SSL_OP_NO_TLSv1); in tls_set_conn_flags()
3128 SSL_clear_options(ssl, SSL_OP_NO_TLSv1); in tls_set_conn_flags()
3132 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1); in tls_set_conn_flags()
3134 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1); in tls_set_conn_flags()
3138 SSL_set_options(ssl, SSL_OP_NO_TLSv1_2); in tls_set_conn_flags()
3140 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2); in tls_set_conn_flags()
3144 SSL_set_options(ssl, SSL_OP_NO_TLSv1_3); in tls_set_conn_flags()
3146 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3); in tls_set_conn_flags()
3168 if (SSL_set_min_proto_version(ssl, version) != 1) { in tls_set_conn_flags()
3187 SSL_get_security_level(ssl) > need_level) { in tls_set_conn_flags()
3193 SSL_set_security_level(conn->ssl, need_level); in tls_set_conn_flags()
3215 if (SSL_set_cipher_list(ssl, ciphers) != 1) { in tls_set_conn_flags()
3234 if (SSL_set_cipher_list(ssl, ciphers) != 1) { in tls_set_conn_flags()
3241 if (SSL_set1_groups(ssl, nid, 1) != 1) { in tls_set_conn_flags()
3248 if (SSL_set1_curves(ssl, nid, 1) != 1) { in tls_set_conn_flags()
3255 if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) { in tls_set_conn_flags()
3290 if (SSL_set1_sigalgs_list(ssl, algs) != 1) { in tls_set_conn_flags()
3297 SSL_set_options(ssl, SSL_OP_NO_TLSv1); in tls_set_conn_flags()
3298 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1); in tls_set_conn_flags()
3299 SSL_set_cert_cb(ssl, suiteb_cert_cb, conn); in tls_set_conn_flags()
3307 if (SSL_set1_curves(ssl, nid, 1) != 1) { in tls_set_conn_flags()
3322 openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) { in tls_set_conn_flags()
3330 if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) { in tls_set_conn_flags()
3359 SSL_set_security_level(conn->ssl, 0); in tls_set_conn_flags()
3365 if (SSL_set_cipher_list(conn->ssl, cs) != 1) { in tls_set_conn_flags()
3388 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | in tls_connection_set_verify()
3392 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | in tls_connection_set_verify()
3397 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); in tls_connection_set_verify()
3404 SSL_set_accept_state(conn->ssl); in tls_connection_set_verify()
3413 SSL_set_session_id_context(conn->ssl, in tls_connection_set_verify()
3417 SSL_set_session_id_context(conn->ssl, session_ctx, in tls_connection_set_verify()
3445 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob, in tls_connection_client_cert()
3465 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) { in tls_connection_client_cert()
3476 SSL_add0_chain_cert(conn->ssl, x509); in tls_connection_client_cert()
3495 if (SSL_use_certificate(conn->ssl, x509) == 1) in tls_connection_client_cert()
3505 SSL_add0_chain_cert(conn->ssl, x509); in tls_connection_client_cert()
3516 if (SSL_use_certificate_file(conn->ssl, client_cert, in tls_connection_client_cert()
3525 if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) { in tls_connection_client_cert()
3532 if (SSL_use_certificate_file(conn->ssl, client_cert, in tls_connection_client_cert()
3555 SSL_CTX *ssl_ctx = data->ssl; in tls_global_client_cert()
3580 static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12, in tls_parse_pkcs12() argument
3607 if (ssl) { in tls_parse_pkcs12()
3608 if (SSL_use_certificate(ssl, cert) != 1) in tls_parse_pkcs12()
3611 if (SSL_CTX_use_certificate(data->ssl, cert) != 1) in tls_parse_pkcs12()
3619 if (ssl) { in tls_parse_pkcs12()
3620 if (SSL_use_PrivateKey(ssl, pkey) != 1) in tls_parse_pkcs12()
3623 if (SSL_CTX_use_PrivateKey(data->ssl, pkey) != 1) in tls_parse_pkcs12()
3631 if (ssl) in tls_parse_pkcs12()
3632 SSL_clear_chain_certs(ssl); in tls_parse_pkcs12()
3634 SSL_CTX_clear_chain_certs(data->ssl); in tls_parse_pkcs12()
3640 if ((ssl && SSL_add1_chain_cert(ssl, cert) != 1) || in tls_parse_pkcs12()
3641 (!ssl && SSL_CTX_add1_chain_cert(data->ssl, in tls_parse_pkcs12()
3656 if (ssl) in tls_parse_pkcs12()
3658 ssl, in tls_parse_pkcs12()
3663 data->ssl, in tls_parse_pkcs12()
3680 SSL_CTX_clear_extra_chain_certs(data->ssl); in tls_parse_pkcs12()
3690 if (SSL_CTX_add_extra_chain_cert(data->ssl, cert) != 1) in tls_parse_pkcs12()
3711 static int tls_read_pkcs12(struct tls_data *data, SSL *ssl, in tls_read_pkcs12() argument
3731 return tls_parse_pkcs12(data, ssl, p12, passwd); in tls_read_pkcs12()
3741 static int tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl, in tls_read_pkcs12_blob() argument
3754 return tls_parse_pkcs12(data, ssl, p12, passwd); in tls_read_pkcs12_blob()
3808 if (!SSL_use_certificate(conn->ssl, cert)) { in tls_connection_engine_client_cert()
3831 SSL_CTX *ssl_ctx = data->ssl; in tls_connection_engine_ca_cert()
3864 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); in tls_connection_engine_ca_cert()
3878 if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) { in tls_connection_engine_private_key()
3883 if (!SSL_check_private_key(conn->ssl)) { in tls_connection_engine_private_key()
3908 static int tls_use_private_key_file(struct tls_data *data, SSL *ssl, in tls_use_private_key_file() argument
3941 if (ssl) in tls_use_private_key_file()
3942 ret = SSL_use_PrivateKey(ssl, pkey); in tls_use_private_key_file()
3944 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey); in tls_use_private_key_file()
3970 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl, in tls_connection_private_key()
3979 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl, in tls_connection_private_key()
3989 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, conn->ssl, in tls_connection_private_key()
4000 if (SSL_use_RSAPrivateKey_ASN1(conn->ssl, in tls_connection_private_key()
4019 if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) { in tls_connection_private_key()
4032 if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob, in tls_connection_private_key()
4045 if (tls_use_private_key_file(data, conn->ssl, private_key, in tls_connection_private_key()
4051 if (tls_read_pkcs12(data, conn->ssl, private_key, in tls_connection_private_key()
4059 if (tls_cryptoapi_cert(conn->ssl, private_key) == 0) { in tls_connection_private_key()
4076 if (!SSL_check_private_key(conn->ssl)) { in tls_connection_private_key()
4091 SSL_CTX *ssl_ctx = data->ssl; in tls_global_private_key()
4165 SSL_CTX *ssl_ctx = data->ssl; in tls_global_dh()
4236 SSL_CTX *ssl_ctx = data->ssl; in tls_global_dh()
4309 SSL *ssl; in tls_connection_get_random() local
4313 ssl = conn->ssl; in tls_connection_get_random()
4314 if (ssl == NULL) in tls_connection_get_random()
4320 ssl, conn->client_random, sizeof(conn->client_random)); in tls_connection_get_random()
4323 ssl, conn->server_random, sizeof(conn->server_random)); in tls_connection_get_random()
4330 static int openssl_get_keyblock_size(SSL *ssl) in openssl_get_keyblock_size() argument
4337 if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL || in openssl_get_keyblock_size()
4338 ssl->read_hash == NULL) in openssl_get_keyblock_size()
4341 c = ssl->enc_read_ctx->cipher; in openssl_get_keyblock_size()
4342 h = EVP_MD_CTX_md(ssl->read_hash); in openssl_get_keyblock_size()
4345 else if (ssl->s3) in openssl_get_keyblock_size()
4346 md_size = ssl->s3->tmp.new_mac_secret_size; in openssl_get_keyblock_size()
4363 ssl_cipher = SSL_get_current_cipher(ssl); in openssl_get_keyblock_size()
4409 SSL_export_keying_material(conn->ssl, out, out_len, label, in tls_connection_export_key()
4421 SSL *ssl; in tls_connection_get_eap_fast_key() local
4442 ssl = conn->ssl; in tls_connection_get_eap_fast_key()
4443 if (ssl == NULL) in tls_connection_get_eap_fast_key()
4445 ver = SSL_get_version(ssl); in tls_connection_get_eap_fast_key()
4446 sess = SSL_get_session(ssl); in tls_connection_get_eap_fast_key()
4450 skip = openssl_get_keyblock_size(ssl); in tls_connection_get_eap_fast_key()
4464 SSL_get_client_random(ssl, client_random, sizeof(client_random)); in tls_connection_get_eap_fast_key()
4465 SSL_get_server_random(ssl, server_random, sizeof(server_random)); in tls_connection_get_eap_fast_key()
4518 res = SSL_accept(conn->ssl); in openssl_handshake()
4520 res = SSL_connect(conn->ssl); in openssl_handshake()
4522 int err = SSL_get_error(conn->ssl, res); in openssl_handshake()
4563 os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 && in openssl_handshake()
4635 res = SSL_read(conn->ssl, wpabuf_mhead(appl_data), in openssl_get_appl_data()
4638 int err = SSL_get_error(conn->ssl, res); in openssl_get_appl_data()
4679 if (SSL_is_init_finished(conn->ssl)) { in openssl_connection_handshake()
4689 if (SSL_get_shared_ciphers(conn->ssl, buf, in openssl_connection_handshake()
4753 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data)); in tls_connection_encrypt()
4807 res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf)); in tls_connection_decrypt()
4809 int err = SSL_get_error(conn->ssl, res); in tls_connection_decrypt()
4836 return conn ? SSL_session_reused(conn->ssl) : 0; in tls_connection_resumed()
4847 if (conn == NULL || conn->ssl == NULL || ciphers == NULL) in tls_connection_set_cipher_list()
4903 SSL_set_security_level(conn->ssl, 0); in tls_connection_set_cipher_list()
4904 } else if (SSL_get_security_level(conn->ssl) == 0) { in tls_connection_set_cipher_list()
4906 SSL_set_security_level(conn->ssl, 1); in tls_connection_set_cipher_list()
4911 if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) { in tls_connection_set_cipher_list()
4925 if (conn == NULL || conn->ssl == NULL) in tls_get_version()
4928 name = SSL_get_version(conn->ssl); in tls_get_version()
4941 if (conn == NULL || conn->ssl == NULL) in tls_get_cipher()
4944 name = SSL_get_cipher(conn->ssl); in tls_get_cipher()
4956 SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); in tls_connection_enable_workaround()
4970 if (conn == NULL || conn->ssl == NULL || ext_type != 35) in tls_connection_client_hello_ext()
4973 if (SSL_set_session_ticket_ext(conn->ssl, (void *) data, in tls_connection_client_hello_ext()
5394 if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) { in tls_connection_set_params()
5408 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3); in tls_connection_set_params()
5481 if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) { in tls_connection_set_params()
5492 if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) { in tls_connection_set_params()
5507 if (SSL_set1_curves_list(conn->ssl, in tls_connection_set_params()
5523 SSL_enable_ocsp_stapling(conn->ssl); in tls_connection_set_params()
5528 SSL_CTX *ssl_ctx = data->ssl; in tls_connection_set_params()
5529 SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp); in tls_connection_set_params()
5556 SSL *ssl; in openssl_debug_dump_cipher_list() local
5559 ssl = SSL_new(ssl_ctx); in openssl_debug_dump_cipher_list()
5560 if (!ssl) in openssl_debug_dump_cipher_list()
5568 cipher = SSL_get_cipher_list(ssl, i); in openssl_debug_dump_cipher_list()
5574 SSL_free(ssl); in openssl_debug_dump_cipher_list()
5670 SSL_CTX *ssl_ctx = data->ssl; in tls_global_set_params()
5868 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb, in tls_connection_set_session_ticket_cb()
5871 SSL_set_session_ticket_ext_cb(conn->ssl, in tls_connection_set_session_ticket_cb()
5874 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1) in tls_connection_set_session_ticket_cb()
5876 SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL); in tls_connection_set_session_ticket_cb()
5909 sess = SSL_get_session(conn->ssl); in tls_connection_set_success_data()
5960 !(sess = SSL_get_session(conn->ssl))) in tls_connection_get_success_data()
5970 sess = SSL_get_session(conn->ssl); in tls_connection_remove_session()
5988 reused = SSL_session_reused(conn->ssl); in tls_get_tls_unique()
5990 len = SSL_get_peer_finished(conn->ssl, buf, max_len); in tls_get_tls_unique()
5992 len = SSL_get_finished(conn->ssl, buf, max_len); in tls_get_tls_unique()
6005 cipher = SSL_get_current_cipher(conn->ssl); in tls_connection_get_cipher_suite()
6027 return SSL_get_certificate(conn->ssl) != NULL; in tls_connection_get_own_cert_used()