[PATCH 1/1] wolfssl: Add missing functions for EAP-TLS
Andreas Tobler
andreas.tobler at onway.ch
Wed Apr 7 08:23:52 BST 2021
Implement the missing functions when using EAP-TLS with wolfSSL.
Signed-off-by: Andreas Tobler <andreas.tobler at onway.ch>
---
src/crypto/tls_wolfssl.c | 68 +++++++++++++++++++++++++++++++++++-----
1 file changed, 61 insertions(+), 7 deletions(-)
diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index cf482bfc3..4dfe53422 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -90,10 +90,12 @@ struct tls_connection {
unsigned int cert_probe:1;
unsigned int server_cert_only:1;
unsigned int success_data:1;
+ unsigned int server:1;
WOLFSSL_X509 *peer_cert;
WOLFSSL_X509 *peer_issuer;
WOLFSSL_X509 *peer_issuer_issuer;
+ char *peer_subject; /* peer subject info for authenticated peer */
};
@@ -337,6 +339,8 @@ void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
os_free(conn->suffix_match);
os_free(conn->domain_match);
+ os_free(conn->peer_subject);
+
/* self */
os_free(conn);
}
@@ -1134,6 +1138,11 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx)
context->event_cb(context->cb_ctx,
TLS_CERT_CHAIN_SUCCESS, NULL);
+ if (depth == 0 && preverify_ok) {
+ os_free(conn->peer_subject);
+ conn->peer_subject = os_strdup(buf);
+ }
+
return preverify_ok;
}
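Review bot: The `os_strdup(buf)` result on the added line is never checked, so an allocation failure leaves `conn->peer_subject` NULL and the peer later reads back through tls_connection_get_peer_subject() as if no peer had been authenticated; logging it, e.g. `if (!conn->peer_subject) wpa_printf(MSG_DEBUG, "SSL: failed to store peer subject");`, keeps the failure visible. The capture also deserves a why-comment, since it sits after the TLS_CERT_CHAIN_SUCCESS callback: `/* Remember the subject of the leaf certificate (depth 0) only once it has passed verification */`. What `buf` holds at this point, and whether `preverify_ok` already reflects this function's own checks, cannot be confirmed from the hunk, because tls_verify_cb begins before it.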
@@ -1614,15 +1623,14 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
static struct wpabuf * wolfssl_handshake(struct tls_connection *conn,
- const struct wpabuf *in_data,
- int server)
+ const struct wpabuf *in_data)
{
int res;
wolfssl_reset_out_data(&conn->output);
/* Initiate TLS handshake or continue the existing handshake */
- if (server) {
+ if (conn->server) {
wolfSSL_set_accept_state(conn->ssl);
res = wolfSSL_accept(conn->ssl);
wpa_printf(MSG_DEBUG, "SSL: wolfSSL_accept: %d", res);
@@ -1695,7 +1703,7 @@ static struct wpabuf * wolfssl_get_appl_data(struct tls_connection *conn,
static struct wpabuf *
wolfssl_connection_handshake(struct tls_connection *conn,
const struct wpabuf *in_data,
- struct wpabuf **appl_data, int server)
+ struct wpabuf **appl_data)
{
struct wpabuf *out_data;
@@ -1704,7 +1712,7 @@ wolfssl_connection_handshake(struct tls_connection *conn,
if (appl_data)
*appl_data = NULL;
- out_data = wolfssl_handshake(conn, in_data, server);
+ out_data = wolfssl_handshake(conn, in_data);
if (!out_data)
return NULL;
@@ -1726,7 +1734,7 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
const struct wpabuf *in_data,
struct wpabuf **appl_data)
{
- return wolfssl_connection_handshake(conn, in_data, appl_data, 0);
+ return wolfssl_connection_handshake(conn, in_data, appl_data);
}
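Review bot: The client entry point leaves `conn->server` untouched while the server entry point in the next hunk sets it to 1, so the flag reflects the role only if the connection struct started zeroed and was never used on the server side; adding `conn->server = 0;` before the return makes the two paths symmetric and keeps the Finished-message selection in tls_get_tls_unique() correct should a connection ever be reused across roles. Whether tls_connection_init() zero-fills the struct is outside this patch, so this is a consistency point rather than a confirmed defect.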
@@ -1735,7 +1743,8 @@ struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
const struct wpabuf *in_data,
struct wpabuf **appl_data)
{
- return wolfssl_connection_handshake(conn, in_data, appl_data, 1);
+ conn->server = 1;
+ return wolfssl_connection_handshake(conn, in_data, appl_data);
}
@@ -2206,3 +2215,48 @@ tls_connection_get_success_data(struct tls_connection *conn)
return NULL;
return wolfSSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
}
+
+
+int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)
+{
+ size_t len;
+ int reused;
+
+ reused = wolfSSL_session_reused(conn->ssl);
+ if ((conn->server && !reused) || (!conn->server && reused))
+ len = wolfSSL_get_peer_finished(conn->ssl, buf, max_len);
+ else
+ len = wolfSSL_get_finished(conn->ssl, buf, max_len);
+
+ if (len == 0 || len > max_len)
+ return -1;
+
+ return len;
+}
+
+
+u16 tls_connection_get_cipher_suite(struct tls_connection *conn)
+{
+ const WOLFSSL_CIPHER *cipher;
+
+ cipher = wolfSSL_get_current_cipher(conn->ssl);
+ if (!cipher)
+ return 0;
+ return wolfSSL_CIPHER_get_id(cipher);
+}
+
+
+const char * tls_connection_get_peer_subject(struct tls_connection *conn)
+{
+ if (conn)
+ return conn->peer_subject;
+ return NULL;
+}
+
+
+bool tls_connection_get_own_cert_used(struct tls_connection *conn)
+{
+ if (conn)
+ return wolfSSL_get_certificate(conn->ssl) != NULL;
+ return false;
+}
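Review bot: The branch in tls_get_tls_unique() that chooses between the peer's and the own Finished message encodes a non-obvious rule and should say so: `/* tls-unique (RFC 5929) is the first Finished message of the handshake: the client's on a full handshake, the server's on resumption; hence the peer's copy is used by the server on a full handshake and by the client on resumption */`. In tls_connection_get_cipher_suite() the wolfSSL_CIPHER_get_id() value is narrowed to u16 implicitly on return; if it carries the OpenSSL-style 0x03xxxx prefix, as I believe it does, `return wolfSSL_CIPHER_get_id(cipher) & 0xFFFF;` makes the intended extraction explicit and avoids a -Wconversion warning. tls_get_tls_unique() and tls_connection_get_cipher_suite() dereference `conn->ssl` without the `if (conn)` guard that the two getters below them use; either all four should guard or a header comment should state that `conn` must be non-NULL. tls_connection_get_own_cert_used() appears to report only that a certificate is loaded on the WOLFSSL object, not that it was actually sent in this handshake, which is worth a comment so callers do not read it as "client certificate was used".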
--
2.25.1