58 static void eap_tls_params_flags(struct tls_connection_params *params,  in eap_tls_params_flags()  argument
64 		params->flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;  in eap_tls_params_flags()
66 		params->flags |= TLS_CONN_DISABLE_TIME_CHECKS;  in eap_tls_params_flags()
68 		params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;  in eap_tls_params_flags()
70 		params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;  in eap_tls_params_flags()
72 		params->flags |= TLS_CONN_DISABLE_TLSv1_0;  in eap_tls_params_flags()
74 		params->flags &= ~TLS_CONN_DISABLE_TLSv1_0;  in eap_tls_params_flags()
75 		params->flags |= TLS_CONN_ENABLE_TLSv1_0;  in eap_tls_params_flags()
78 		params->flags |= TLS_CONN_DISABLE_TLSv1_1;  in eap_tls_params_flags()
80 		params->flags &= ~TLS_CONN_DISABLE_TLSv1_1;  in eap_tls_params_flags()
81 		params->flags |= TLS_CONN_ENABLE_TLSv1_1;  in eap_tls_params_flags()
84 		params->flags |= TLS_CONN_DISABLE_TLSv1_2;  in eap_tls_params_flags()
86 		params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;  in eap_tls_params_flags()
87 		params->flags |= TLS_CONN_ENABLE_TLSv1_2;  in eap_tls_params_flags()
90 		params->flags |= TLS_CONN_DISABLE_TLSv1_3;  in eap_tls_params_flags()
92 		params->flags &= ~TLS_CONN_DISABLE_TLSv1_3;  in eap_tls_params_flags()
94 		params->flags |= TLS_CONN_EXT_CERT_CHECK;  in eap_tls_params_flags()
96 		params->flags &= ~TLS_CONN_EXT_CERT_CHECK;  in eap_tls_params_flags()
98 		params->flags |= TLS_CONN_SUITEB;  in eap_tls_params_flags()
100 		params->flags &= ~TLS_CONN_SUITEB;  in eap_tls_params_flags()
102 		params->flags |= TLS_CONN_SUITEB_NO_ECDH;  in eap_tls_params_flags()
104 		params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;  in eap_tls_params_flags()
106 		params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;  in eap_tls_params_flags()
108 		params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;  in eap_tls_params_flags()
112 static void eap_tls_cert_params_from_conf(struct tls_connection_params *params,  in eap_tls_cert_params_from_conf()  argument
115 	params->ca_cert = config->ca_cert;  in eap_tls_cert_params_from_conf()
116 	params->ca_path = config->ca_path;  in eap_tls_cert_params_from_conf()
117 	params->client_cert = config->client_cert;  in eap_tls_cert_params_from_conf()
118 	params->private_key = config->private_key;  in eap_tls_cert_params_from_conf()
119 	params->private_key_passwd = config->private_key_passwd;  in eap_tls_cert_params_from_conf()
120 	params->subject_match = config->subject_match;  in eap_tls_cert_params_from_conf()
121 	params->altsubject_match = config->altsubject_match;  in eap_tls_cert_params_from_conf()
122 	params->check_cert_subject = config->check_cert_subject;  in eap_tls_cert_params_from_conf()
123 	params->suffix_match = config->domain_suffix_match;  in eap_tls_cert_params_from_conf()
124 	params->domain_match = config->domain_match;  in eap_tls_cert_params_from_conf()
125 	params->engine = config->engine;  in eap_tls_cert_params_from_conf()
126 	params->engine_id = config->engine_id;  in eap_tls_cert_params_from_conf()
127 	params->pin = config->pin;  in eap_tls_cert_params_from_conf()
128 	params->key_id = config->key_id;  in eap_tls_cert_params_from_conf()
129 	params->cert_id = config->cert_id;  in eap_tls_cert_params_from_conf()
130 	params->ca_cert_id = config->ca_cert_id;  in eap_tls_cert_params_from_conf()
132 		params->flags |= TLS_CONN_REQUEST_OCSP;  in eap_tls_cert_params_from_conf()
134 		params->flags |= TLS_CONN_REQUIRE_OCSP;  in eap_tls_cert_params_from_conf()
136 		params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;  in eap_tls_cert_params_from_conf()
140 static void eap_tls_params_from_conf1(struct tls_connection_params *params,  in eap_tls_params_from_conf1()  argument
143 	eap_tls_cert_params_from_conf(params, &config->cert);  in eap_tls_params_from_conf1()
144 	eap_tls_params_flags(params, config->phase1);  in eap_tls_params_from_conf1()
148 static void eap_tls_params_from_conf2(struct tls_connection_params *params,  in eap_tls_params_from_conf2()  argument
151 	eap_tls_cert_params_from_conf(params, &config->phase2_cert);  in eap_tls_params_from_conf2()
152 	eap_tls_params_flags(params, config->phase2);  in eap_tls_params_from_conf2()
156 static void eap_tls_params_from_conf2m(struct tls_connection_params *params,  in eap_tls_params_from_conf2m()  argument
159 	eap_tls_cert_params_from_conf(params, &config->machine_cert);  in eap_tls_params_from_conf2m()
160 	eap_tls_params_flags(params, config->machine_phase2);  in eap_tls_params_from_conf2m()
166 				    struct tls_connection_params *params,  in eap_tls_params_from_conf()  argument
169 	os_memset(params, 0, sizeof(*params));  in eap_tls_params_from_conf()
181 		params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;  in eap_tls_params_from_conf()
185 		params->flags |= TLS_CONN_DISABLE_TLSv1_0 |  in eap_tls_params_from_conf()
188 			params->flags |= TLS_CONN_TEAP_ANON_DH;  in eap_tls_params_from_conf()
196 		params->flags |= TLS_CONN_DISABLE_TLSv1_3;  in eap_tls_params_from_conf()
209 		params->flags |= TLS_CONN_DISABLE_TLSv1_3;  in eap_tls_params_from_conf()
214 		eap_tls_params_from_conf2m(params, config);  in eap_tls_params_from_conf()
217 		eap_tls_params_from_conf2(params, config);  in eap_tls_params_from_conf()
220 		eap_tls_params_from_conf1(params, config);  in eap_tls_params_from_conf()
222 			params->flags |= TLS_CONN_EAP_FAST;  in eap_tls_params_from_conf()
229 	if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,  in eap_tls_params_from_conf()
230 			       &params->ca_cert_blob_len) ||  in eap_tls_params_from_conf()
231 	    eap_tls_check_blob(sm, &params->client_cert,  in eap_tls_params_from_conf()
232 			       &params->client_cert_blob,  in eap_tls_params_from_conf()
233 			       &params->client_cert_blob_len) ||  in eap_tls_params_from_conf()
234 	    eap_tls_check_blob(sm, &params->private_key,  in eap_tls_params_from_conf()
235 			       &params->private_key_blob,  in eap_tls_params_from_conf()
236 			       &params->private_key_blob_len)) {  in eap_tls_params_from_conf()
241 	params->openssl_ciphers = config->openssl_ciphers;  in eap_tls_params_from_conf()
243 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);  in eap_tls_params_from_conf()
246 		data->client_cert_conf = params->client_cert ||  in eap_tls_params_from_conf()
247 			params->client_cert_blob ||  in eap_tls_params_from_conf()
248 			params->private_key ||  in eap_tls_params_from_conf()
249 			params->private_key_blob;  in eap_tls_params_from_conf()
258 				   struct tls_connection_params *params)  in eap_tls_init_connection()  argument
269 	res = tls_connection_set_params(data->ssl_ctx, data->conn, params);  in eap_tls_init_connection()
314 	struct tls_connection_params params;  in eap_peer_tls_ssl_init()  local
324 	if (eap_tls_params_from_conf(sm, data, &params, config, data->phase2) <  in eap_peer_tls_ssl_init()
328 	if (eap_tls_init_connection(sm, data, config, &params) < 0)  in eap_peer_tls_ssl_init()