Lines Matching refs:tls_conf
140 struct tls_conf struct
181 struct tls_conf *tls_conf; argument
198 struct tls_conf *tls_conf; member
343 struct tls_conf *tls_conf_init(void *tls_ctx) in tls_conf_init()
345 struct tls_conf *tls_conf = os_zalloc(sizeof(*tls_conf)); in tls_conf_init() local
346 if (tls_conf == NULL) in tls_conf_init()
348 tls_conf->refcnt = 1; in tls_conf_init()
350 mbedtls_ssl_config_init(&tls_conf->conf); in tls_conf_init()
351 mbedtls_ssl_conf_rng(&tls_conf->conf, hostap_rng_fn, hostap_rng_ctx()); in tls_conf_init()
352 mbedtls_x509_crt_init(&tls_conf->ca_cert); in tls_conf_init()
353 mbedtls_x509_crt_init(&tls_conf->client_cert); in tls_conf_init()
354 mbedtls_pk_init(&tls_conf->private_key); in tls_conf_init()
357 tls_mbedtls_set_debug_cb(&tls_conf->conf, DEBUG_THRESHOLD, NULL); in tls_conf_init()
359 return tls_conf; in tls_conf_init()
362 struct tls_conf *tls_conf_deinit(struct tls_conf *tls_conf) in tls_conf_deinit() argument
364 if (tls_conf == NULL || --tls_conf->refcnt != 0) in tls_conf_deinit()
365 return tls_conf; in tls_conf_deinit()
367 mbedtls_x509_crt_free(&tls_conf->ca_cert); in tls_conf_deinit()
368 mbedtls_x509_crt_free(&tls_conf->client_cert); in tls_conf_deinit()
369 if (tls_conf->crl) in tls_conf_deinit()
371 mbedtls_x509_crl_free(tls_conf->crl); in tls_conf_deinit()
372 os_free(tls_conf->crl); in tls_conf_deinit()
374 mbedtls_pk_free(&tls_conf->private_key); in tls_conf_deinit()
375 mbedtls_ssl_config_free(&tls_conf->conf); in tls_conf_deinit()
376 os_free(tls_conf->curves); in tls_conf_deinit()
377 os_free(tls_conf->ciphersuites); in tls_conf_deinit()
379 os_free(tls_conf->subject_match); in tls_conf_deinit()
380 os_free(tls_conf->altsubject_match); in tls_conf_deinit()
381 os_free(tls_conf->suffix_match); in tls_conf_deinit()
382 os_free(tls_conf->domain_match); in tls_conf_deinit()
383 os_free(tls_conf->check_cert_subject); in tls_conf_deinit()
385 os_free(tls_conf); in tls_conf_deinit()
424 tls_ctx_global.tls_conf = tls_conf_deinit(tls_ctx_global.tls_conf); in tls_deinit()
485 tls_conf_deinit(conn->tls_conf); in tls_connection_deinit()
500 conn->tls_conf = tls_ctx_global.tls_conf; /*(inherit global conf, if set)*/ in tls_connection_init()
501 if (conn->tls_conf) in tls_connection_init()
503 ++conn->tls_conf->refcnt; in tls_connection_init()
507 conn->verify_peer = conn->tls_conf->verify_peer; in tls_connection_init()
651 int ret = mbedtls_ssl_setup(&conn->ssl, &conn->tls_conf->conf); in tls_mbedtls_ssl_setup()
662 mbedtls_ssl_conf_export_keys_ext_cb(&conn->tls_conf->conf, tls_connection_export_keys_cb, conn); in tls_mbedtls_ssl_setup()
675 static void tls_mbedtls_set_allowed_tls_vers(struct tls_conf *tls_conf, mbedtls_ssl_config *conf) in tls_mbedtls_set_allowed_tls_vers() argument
678 tls_conf->flags |= TLS_CONN_DISABLE_TLSv1_3; in tls_mbedtls_set_allowed_tls_vers()
682 if (tls_conf->flags & TLS_CONN_SUITEB) in tls_mbedtls_set_allowed_tls_vers()
684 tls_conf->flags |= TLS_CONN_DISABLE_TLSv1_0; in tls_mbedtls_set_allowed_tls_vers()
685 tls_conf->flags |= TLS_CONN_DISABLE_TLSv1_1; in tls_mbedtls_set_allowed_tls_vers()
688 const unsigned int flags = tls_conf->flags; in tls_mbedtls_set_allowed_tls_vers()
754 static int tls_mbedtls_set_dhparams(struct tls_conf *tls_conf, const struct tls_connection_params *… in tls_mbedtls_set_dhparams() argument
781 rc = mbedtls_ssl_conf_dh_param_ctx(&tls_conf->conf, &dhm); in tls_mbedtls_set_dhparams()
806 static int tls_mbedtls_set_curves(struct tls_conf *tls_conf, const char *curvelist) in tls_mbedtls_set_curves() argument
874 tls_conf->curves = os_malloc(nids * sizeof(mbedtls_ecp_group_id)); in tls_mbedtls_set_curves()
875 if (tls_conf->curves == NULL) in tls_mbedtls_set_curves()
877 os_memcpy(tls_conf->curves, ids, nids * sizeof(mbedtls_ecp_group_id)); in tls_mbedtls_set_curves()
879 mbedtls_ssl_conf_curves(&tls_conf->conf, tls_conf->curves); in tls_mbedtls_set_curves()
894 static int tls_mbedtls_set_curves(struct tls_conf *tls_conf, const char *curvelist) in tls_mbedtls_set_curves() argument
965 tls_conf->curves = os_malloc(nids * sizeof(uint16_t)); in tls_mbedtls_set_curves()
966 if (tls_conf->curves == NULL) in tls_mbedtls_set_curves()
968 os_memcpy(tls_conf->curves, ids, nids * sizeof(uint16_t)); in tls_mbedtls_set_curves()
970 mbedtls_ssl_conf_groups(&tls_conf->conf, tls_conf->curves); in tls_mbedtls_set_curves()
1185 __attribute_noinline__ static int tls_mbedtls_set_ciphersuites(struct tls_conf *tls_conf, int *ids,… in tls_mbedtls_set_ciphersuites() argument
1188 os_free(tls_conf->ciphersuites); in tls_mbedtls_set_ciphersuites()
1189 tls_conf->ciphersuites = os_malloc(nids * sizeof(int)); in tls_mbedtls_set_ciphersuites()
1190 if (tls_conf->ciphersuites == NULL) in tls_mbedtls_set_ciphersuites()
1192 os_memcpy(tls_conf->ciphersuites, ids, nids * sizeof(int)); in tls_mbedtls_set_ciphersuites()
1193 mbedtls_ssl_conf_ciphersuites(&tls_conf->conf, tls_conf->ciphersuites); in tls_mbedtls_set_ciphersuites()
1197 static int tls_mbedtls_set_ciphers(struct tls_conf *tls_conf, const char *ciphers) in tls_mbedtls_set_ciphers() argument
1217 return tls_mbedtls_set_ciphersuites(tls_conf, ssl_preset_suiteb192_ciphersuites, 2); in tls_mbedtls_set_ciphers()
1222 return tls_mbedtls_set_ciphersuites(tls_conf, ssl_preset_suiteb128_ciphersuites, 2); in tls_mbedtls_set_ciphers()
1306 return tls_mbedtls_set_ciphersuites(tls_conf, ids, nids); in tls_mbedtls_set_ciphers()
1318 static int tls_connection_set_subject_match(struct tls_conf *tls_conf, const struct tls_connection_… in tls_connection_set_subject_match() argument
1321 rc &= tls_mbedtls_set_item(&tls_conf->subject_match, params->subject_match); in tls_connection_set_subject_match()
1322 rc &= tls_mbedtls_set_item(&tls_conf->altsubject_match, params->altsubject_match); in tls_connection_set_subject_match()
1323 rc &= tls_mbedtls_set_item(&tls_conf->suffix_match, params->suffix_match); in tls_connection_set_subject_match()
1324 rc &= tls_mbedtls_set_item(&tls_conf->domain_match, params->domain_match); in tls_connection_set_subject_match()
1325 rc &= tls_mbedtls_set_item(&tls_conf->check_cert_subject, params->check_cert_subject); in tls_connection_set_subject_match()
1356 static int tls_mbedtls_set_crl(struct tls_conf *tls_conf, const u8 *data, size_t len) in tls_mbedtls_set_crl() argument
1380 mbedtls_x509_crl *crl_old = tls_conf->crl; in tls_mbedtls_set_crl()
1381 tls_conf->crl = crl_new; in tls_mbedtls_set_crl()
1390 static int tls_mbedtls_set_ca(struct tls_conf *tls_conf, u8 *data, size_t len) in tls_mbedtls_set_ca() argument
1408 mbedtls_x509_crt_free(&tls_conf->ca_cert); in tls_mbedtls_set_ca()
1409 os_memcpy(&tls_conf->ca_cert, &crt, sizeof(crt)); in tls_mbedtls_set_ca()
1413 static int tls_mbedtls_set_ca_and_crl(struct tls_conf *tls_conf, const char *ca_cert_file) in tls_mbedtls_set_ca_and_crl() argument
1421 if (0 == (rc = tls_mbedtls_set_ca(tls_conf, data, len)) && in tls_mbedtls_set_ca_and_crl()
1423 || 0 == (rc = tls_mbedtls_set_crl(tls_conf, data, len)))) in tls_mbedtls_set_ca_and_crl()
1425 mbedtls_ssl_conf_ca_chain(&tls_conf->conf, &tls_conf->ca_cert, tls_conf->crl); in tls_mbedtls_set_ca_and_crl()
1459 if (tls_mbedtls_set_ca_and_crl(tls_ctx_global.tls_conf, ca_cert_file) == 0) in tls_mbedtls_refresh_crl()
1463 static int tls_mbedtls_set_ca_cert(struct tls_conf *tls_conf, const struct tls_connection_params *p… in tls_mbedtls_set_ca_cert() argument
1469 tls_conf->ca_cert_probe = 1; in tls_mbedtls_set_ca_cert()
1470 tls_conf->has_ca_cert = 1; in tls_mbedtls_set_ca_cert()
1488 if (hexstr2bin(pos, tls_conf->ca_cert_hash, SHA256_DIGEST_LENGTH) < 0) in tls_mbedtls_set_ca_cert()
1494 tls_conf->verify_depth0_only = 1; in tls_mbedtls_set_ca_cert()
1495 tls_conf->has_ca_cert = 1; in tls_mbedtls_set_ca_cert()
1499 if (tls_mbedtls_set_ca_and_crl(tls_conf, params->ca_cert) != 0) in tls_mbedtls_set_ca_cert()
1506 int ret = mbedtls_x509_crt_parse(&tls_conf->ca_cert, params->ca_cert_blob, len); in tls_mbedtls_set_ca_cert()
1514 ret = tls_mbedtls_set_crl(tls_conf, params->ca_cert_blob, len); in tls_mbedtls_set_ca_cert()
1523 if (mbedtls_x509_time_is_future(&tls_conf->ca_cert.valid_from) || in tls_mbedtls_set_ca_cert()
1524 mbedtls_x509_time_is_past(&tls_conf->ca_cert.valid_to)) in tls_mbedtls_set_ca_cert()
1531 tls_conf->has_ca_cert = 1; in tls_mbedtls_set_ca_cert()
1535 static int tls_mbedtls_set_certs(struct tls_conf *tls_conf, const struct tls_connection_params *par… in tls_mbedtls_set_certs() argument
1541 if (tls_mbedtls_set_ca_cert(tls_conf, params) != 0) in tls_mbedtls_set_certs()
1550 if (!tls_conf->has_ca_cert) in tls_mbedtls_set_certs()
1551 mbedtls_ssl_conf_authmode(&tls_conf->conf, MBEDTLS_SSL_VERIFY_NONE); in tls_mbedtls_set_certs()
1556 tls_conf->verify_peer = (tls_ctx_global.tls_conf == NULL); in tls_mbedtls_set_certs()
1557 …int authmode = tls_conf->verify_peer ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_O… in tls_mbedtls_set_certs()
1558 mbedtls_ssl_conf_authmode(&tls_conf->conf, authmode); in tls_mbedtls_set_certs()
1559 mbedtls_ssl_conf_ca_chain(&tls_conf->conf, &tls_conf->ca_cert, tls_conf->crl); in tls_mbedtls_set_certs()
1562 if (!tls_connection_set_subject_match(tls_conf, params)) in tls_mbedtls_set_certs()
1576 ret = mbedtls_x509_crt_parse(&tls_conf->client_cert, data, len); in tls_mbedtls_set_certs()
1584 ret = mbedtls_x509_crt_parse(&tls_conf->client_cert, params->client_cert_blob, len); in tls_mbedtls_set_certs()
1595 if (mbedtls_x509_time_is_future(&tls_conf->client_cert.valid_from) || in tls_mbedtls_set_certs()
1596 mbedtls_x509_time_is_past(&tls_conf->client_cert.valid_to)) in tls_mbedtls_set_certs()
1602 tls_conf->has_client_cert = 1; in tls_mbedtls_set_certs()
1617 ret = mbedtls_pk_parse_key(&tls_conf->private_key, data, len, (const unsigned char *)pwd, in tls_mbedtls_set_certs()
1620 ret = mbedtls_pk_parse_key(&tls_conf->private_key, data, len, (const unsigned char *)pwd, in tls_mbedtls_set_certs()
1633 tls_conf->has_private_key = 1; in tls_mbedtls_set_certs()
1636 if (tls_conf->has_client_cert && tls_conf->has_private_key) in tls_mbedtls_set_certs()
1638 … ret = mbedtls_ssl_conf_own_cert(&tls_conf->conf, &tls_conf->client_cert, &tls_conf->private_key); in tls_mbedtls_set_certs()
1699 static int tls_mbedtls_set_params(struct tls_conf *tls_conf, const struct tls_connection_params *pa… in tls_mbedtls_set_params() argument
1701 tls_conf->flags = params->flags; in tls_mbedtls_set_params()
1703 if (tls_conf->flags & TLS_CONN_REQUIRE_OCSP_ALL) in tls_mbedtls_set_params()
1709 if (tls_conf->flags & TLS_CONN_REQUIRE_OCSP) in tls_mbedtls_set_params()
1722 tls_conf->flags |= TLS_CONN_SUITEB; in tls_mbedtls_set_params()
1727 tls_conf->flags |= TLS_CONN_SUITEB; in tls_mbedtls_set_params()
1732 &tls_conf->conf, tls_ctx_global.tls_conf ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, in tls_mbedtls_set_params()
1747 mbedtls_ssl_conf_cert_profile(&tls_conf->conf, &tls_mbedtls_crt_profile_suiteb128); in tls_mbedtls_set_params()
1749 mbedtls_ssl_conf_dhm_min_bitlen(&tls_conf->conf, 2048); in tls_mbedtls_set_params()
1754 mbedtls_ssl_conf_cert_profile(&tls_conf->conf, &tls_mbedtls_crt_profile_suiteb192); in tls_mbedtls_set_params()
1756 mbedtls_ssl_conf_dhm_min_bitlen(&tls_conf->conf, 3072); in tls_mbedtls_set_params()
1759 else if (tls_conf->flags & TLS_CONN_SUITEB) in tls_mbedtls_set_params()
1762 mbedtls_ssl_conf_cert_profile(&tls_conf->conf, &tls_mbedtls_crt_profile_suiteb192_anypk); in tls_mbedtls_set_params()
1764 mbedtls_ssl_conf_dhm_min_bitlen(&tls_conf->conf, 3072); in tls_mbedtls_set_params()
1768 tls_mbedtls_set_allowed_tls_vers(tls_conf, &tls_conf->conf); in tls_mbedtls_set_params()
1769 ret = tls_mbedtls_set_certs(tls_conf, params); in tls_mbedtls_set_params()
1774 if (params->dh_blob && !tls_mbedtls_set_dhparams(tls_conf, params)) in tls_mbedtls_set_params()
1780 … if (params->openssl_ecdh_curves && !tls_mbedtls_set_curves(tls_conf, params->openssl_ecdh_curves)) in tls_mbedtls_set_params()
1787 if (!tls_mbedtls_set_ciphers(tls_conf, params->openssl_ciphers)) in tls_mbedtls_set_params()
1790 else if (tls_conf->flags & TLS_CONN_SUITEB) in tls_mbedtls_set_params()
1793 if (!tls_mbedtls_set_ciphers(tls_conf, (tls_conf->flags & TLS_CONN_SUITEB_NO_ECDH) ? in tls_mbedtls_set_params()
1807 tls_conf_deinit(conn->tls_conf); in tls_connection_set_params()
1808 struct tls_conf *tls_conf = conn->tls_conf = tls_conf_init(tls_ctx); in tls_connection_set_params() local
1809 if (tls_conf == NULL) in tls_connection_set_params()
1812 if (tls_ctx_global.tls_conf) in tls_connection_set_params()
1814 tls_conf->check_crl = tls_ctx_global.tls_conf->check_crl; in tls_connection_set_params()
1815 tls_conf->check_crl_strict = tls_ctx_global.tls_conf->check_crl_strict; in tls_connection_set_params()
1818 if (tls_ctx_global.tls_conf->check_cert_subject) in tls_connection_set_params()
1820 tls_conf->check_cert_subject = os_strdup(tls_ctx_global.tls_conf->check_cert_subject); in tls_connection_set_params()
1821 if (tls_conf->check_cert_subject == NULL) in tls_connection_set_params()
1827 if (tls_mbedtls_set_params(tls_conf, params) != 0) in tls_connection_set_params()
1829 conn->verify_peer = tls_conf->verify_peer; in tls_connection_set_params()
1838 if (conn->tls_conf->flags & TLS_CONN_DISABLE_SESSION_TICKET) in tls_mbedtls_clienthello_session_ticket_prep()
1929 if (tls_ctx_global.tls_conf) in tls_global_set_params()
1930 tls_conf_deinit(tls_ctx_global.tls_conf); in tls_global_set_params()
1931 tls_ctx_global.tls_conf = tls_conf_init(tls_ctx); in tls_global_set_params()
1932 if (tls_ctx_global.tls_conf == NULL) in tls_global_set_params()
1939 … mbedtls_ssl_conf_session_tickets_cb(&tls_ctx_global.tls_conf->conf, tls_mbedtls_ssl_ticket_write, in tls_global_set_params()
1942 … mbedtls_ssl_conf_session_tickets_cb(&tls_ctx_global.tls_conf->conf, mbedtls_ssl_ticket_write, in tls_global_set_params()
1957 return tls_mbedtls_set_params(tls_ctx_global.tls_conf, params); in tls_global_set_params()
1962 tls_ctx_global.tls_conf->check_crl = check_crl; in tls_global_set_verify()
1963 tls_ctx_global.tls_conf->check_crl_strict = strict; /*(time checks)*/ in tls_global_set_verify()
1978 conn->tls_conf->flags |= flags; /* TODO: reprocess flags, if necessary */ in tls_connection_set_verify()
2176 if (!(conn->tls_conf->flags & TLS_CONN_SUITEB)) in tls_mbedtls_suiteb_handshake_alert()
2178 if (tls_ctx_global.tls_conf) /*(is server; want issue event on client)*/ in tls_mbedtls_suiteb_handshake_alert()
2212 if (conn->tls_conf == NULL) in tls_connection_handshake()
2217 params.flags = tls_ctx_global.tls_conf->flags; in tls_connection_handshake()
2234 if (conn->tls_conf->flags & TLS_CONN_DISABLE_SESSION_TICKET) in tls_connection_handshake()
2235 mbedtls_ssl_conf_session_tickets_cb(&conn->tls_conf->conf, NULL, NULL, NULL); in tls_connection_handshake()
2237 mbedtls_ssl_conf_session_tickets_cb(&conn->tls_conf->conf, tls_mbedtls_ssl_ticket_write, in tls_connection_handshake()
2254 mbedtls_ssl_conf_session_tickets_cb(&conn->tls_conf->conf, tls_mbedtls_ssl_ticket_write, in tls_connection_handshake()
2273 if (tls_ctx_global.tls_conf /*(is server)*/ in tls_connection_handshake()
2429 return tls_mbedtls_set_ciphersuites(conn->tls_conf, ids, nids) ? 0 : -1; in tls_connection_set_cipher_list()
2501 if (!(conn->tls_conf->flags & TLS_CONN_DISABLE_SESSION_TICKET)) in tls_connection_set_session_ticket_cb()
2593 const struct tls_conf *const tls_conf = conn->tls_conf; in tls_connection_get_own_cert_used() local
2594 return (tls_conf->has_client_cert && tls_conf->has_private_key); in tls_connection_get_own_cert_used()
3074 struct tls_conf *tls_conf = conn->tls_conf; in tls_mbedtls_verify_cert_event() local
3075 …if (tls_conf->ca_cert_probe || (tls_conf->flags & TLS_CONN_EXT_CERT_CHECK) || init_conf->cert_in_c… in tls_mbedtls_verify_cert_event()
3100 struct tls_conf *tls_conf = conn->tls_conf; in tls_mbedtls_verify_cb() local
3114 else if (tls_conf->verify_depth0_only) in tls_mbedtls_verify_cb()
3124 os_memcmp(tls_conf->ca_cert_hash, hash, sizeof(hash)) != 0) in tls_mbedtls_verify_cb()
3150 …else if (tls_conf->subject_match && os_strstr(conn->peer_subject, tls_conf->subject_match) == NULL) in tls_mbedtls_verify_cb()
3153 tls_conf->subject_match); in tls_mbedtls_verify_cb()
3157 … if (tls_conf->altsubject_match && !tls_mbedtls_match_altsubject(crt, tls_conf->altsubject_match)) in tls_mbedtls_verify_cb()
3159 … wpa_printf(MSG_WARNING, "MTLS: altSubjectName match '%s' not found", tls_conf->altsubject_match); in tls_mbedtls_verify_cb()
3163 if (tls_conf->suffix_match && !tls_mbedtls_match_suffixes(crt, tls_conf->suffix_match, 0)) in tls_mbedtls_verify_cb()
3165 … wpa_printf(MSG_WARNING, "MTLS: Domain suffix match '%s' not found", tls_conf->suffix_match); in tls_mbedtls_verify_cb()
3169 if (tls_conf->domain_match && !tls_mbedtls_match_suffixes(crt, tls_conf->domain_match, 1)) in tls_mbedtls_verify_cb()
3171 wpa_printf(MSG_WARNING, "MTLS: Domain match '%s' not found", tls_conf->domain_match); in tls_mbedtls_verify_cb()
3175 …if (tls_conf->check_cert_subject && !tls_mbedtls_match_dn_field(crt, tls_conf->check_cert_subject)) in tls_mbedtls_verify_cb()
3181 if (tls_conf->flags & TLS_CONN_SUITEB) in tls_mbedtls_verify_cb()
3201 if (tls_conf->check_crl && tls_conf->crl == NULL) in tls_mbedtls_verify_cb()
3214 if (tls_conf->check_crl != 2) /* 2 == verify CRLs for all certs */ in tls_mbedtls_verify_cb()
3218 if (!tls_conf->check_crl_strict) in tls_mbedtls_verify_cb()
3224 if (tls_conf->flags & TLS_CONN_DISABLE_TIME_CHECKS) in tls_mbedtls_verify_cb()
3283 if (tls_conf->ca_cert_probe) in tls_mbedtls_verify_cb()