From b99c4cadb7f8f63b3e83b7b67af0d01250f2ad77 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 1 Sep 2019 15:37:22 +0300
Subject: [PATCH] EAP peer: Move certificate configuration params into shared struct

These parameters for certificate authentication are identical for the Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel). Furthermore, yet another copy would be needed to support separate machine credential in Phase 2. Clean this up by moving the shared parameters into a separate data struct that can then be used for each need without having to define separate struct members for each use.

Signed-off-by: Jouni Malinen
---
 eap_example/eap_example_peer.c | 4 +-
 src/eap_peer/eap.c | 4 +-
 src/eap_peer/eap_config.h | 408 ++++++++++----------------------
 src/eap_peer/eap_teap.c | 2 +-
 src/eap_peer/eap_tls.c | 15 +-
 src/eap_peer/eap_tls_common.c | 33 +--
 wpa_supplicant/config.c | 174 +++++++-------
 wpa_supplicant/config_file.c | 18 +-
 wpa_supplicant/config_winreg.c | 12 +-
 wpa_supplicant/wpa_supplicant.c | 8 +-
 10 files changed, 250 insertions(+), 428 deletions(-)
diff --git a/eap_example/eap_example_peer.c b/eap_example/eap_example_peer.c
index 37b1db2d1..fcbfb12d8 100644
--- a/eap_example/eap_example_peer.c
+++ b/eap_example/eap_example_peer.c
@@ -299,7 +299,7 @@ int eap_example_peer_init(void)
 eap_ctx.eap_config.identity_len = 4;
 eap_ctx.eap_config.password = (u8 *) os_strdup("password");
 eap_ctx.eap_config.password_len = 8;
- eap_ctx.eap_config.ca_cert = os_strdup("ca.pem");
+ eap_ctx.eap_config.cert.ca_cert = os_strdup("ca.pem");
 eap_ctx.eap_config.fragment_size = 1398;
 os_memset(&eap_cb, 0, sizeof(eap_cb));
@@ -332,7 +332,7 @@ void eap_example_peer_deinit(void)
 wpabuf_free(eap_ctx.eapReqData);
 os_free(eap_ctx.eap_config.identity);
 os_free(eap_ctx.eap_config.password);
- os_free(eap_ctx.eap_config.ca_cert);
+ os_free(eap_ctx.eap_config.cert.ca_cert);
 }
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index edec4586c..a7c4cf666 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -1,6 +1,6 @@
 /*
 * EAP peer state machines (RFC 4137)
- * Copyright (c) 2004-2014, Jouni Malinen
+ * Copyright (c) 2004-2019, Jouni Malinen
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
@@ -2688,7 +2688,7 @@ struct eap_method_type * eap_get_phase2_types(struct eap_peer_config *config,
 if (eap_allowed_phase2_type(vendor, method)) {
 if (vendor == EAP_VENDOR_IETF &&
 method == EAP_TYPE_TLS && config &&
- config->private_key2 == NULL)
+ !config->phase2_cert.private_key)
 continue;
 buf[*count].vendor = vendor;
 buf[*count].method = method;
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index c2f1ca0d6..feb130118 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -1,6 +1,6 @@
 /*
 * EAP peer configuration data
- * Copyright (c) 2003-2013, Jouni Malinen
+ * Copyright (c) 2003-2019, Jouni Malinen
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
@@ -10,96 +10,9 @@ #define EAP_CONFIG_H /** - * struct eap_peer_config - EAP peer configuration/credentials + * struct eap_peer_cert_config - EAP peer certificate configuration/credential */ -struct eap_peer_config { - /** - * identity - EAP Identity - * - * This field is used to set the real user identity or NAI (for - * EAP-PSK/PAX/SAKE/GPSK). - */ - u8 *identity; - - /** - * identity_len - EAP Identity length - */ - size_t identity_len; - - /** - * anonymous_identity - Anonymous EAP Identity - * - * This field is used for unencrypted use with EAP types that support - * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the - * real identity (identity field) only to the authentication server. - * - * If not set, the identity field will be used for both unencrypted and - * protected fields. - * - * This field can also be used with EAP-SIM/AKA/AKA' to store the - * pseudonym identity. - */ - u8 *anonymous_identity; - - /** - * anonymous_identity_len - Length of anonymous_identity - */ - size_t anonymous_identity_len; - - u8 *imsi_identity; - size_t imsi_identity_len; - - /** - * machine_identity - EAP Identity for machine credential - * - * This field is used to set the machine identity or NAI for cases where - * and explicit machine credential (instead of or in addition to a user - * credential (from %identity) is needed. - */ - u8 *machine_identity; - - /** - * machine_identity_len - EAP Identity length for machine credential - */ - size_t machine_identity_len; - - /** - * password - Password string for EAP - * - * This field can include either the plaintext password (default - * option) or a NtPasswordHash (16-byte MD4 hash of the unicode - * presentation of the password) if flags field has - * EAP_CONFIG_FLAGS_PASSWORD_NTHASH bit set to 1. NtPasswordHash can - * only be used with authentication mechanism that use this hash as the - * starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2, - * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 
- * - * In addition, this field is used to configure a pre-shared key for - * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK - * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length - * PSK. - */ - u8 *password; - - /** - * password_len - Length of password field - */ - size_t password_len; - - /** - * machine_password - Password string for EAP machine credential - * - * This field is used when machine credential based on username/password - * is needed instead of a user credential (from %password). See - * %password for more details on the format. - */ - u8 *machine_password; - - /** - * machine_password_len - Length of machine credential password field - */ - size_t machine_password_len; - +struct eap_peer_cert_config { /** * ca_cert - File path to CA certificate file (PEM/DER) * @@ -258,14 +171,6 @@ struct eap_peer_config { */ char *check_cert_subject; - /** - * check_cert_subject2 - Constraint for server certificate subject fields - * - * This field is like check_cert_subject, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. - */ - char *check_cert_subject2; - /** * altsubject_match - Constraint for server certificate alt. subject * 
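Review bot: The header comment of the new `struct eap_peer_cert_config` says only "EAP peer certificate configuration/credential", yet this struct is now embedded twice in `struct eap_peer_config` and the same helper frees both copies, so the ownership and secrecy rules belong here. I would extend the comment to state that every `char *` member is a heap string owned by the struct (set with os_strdup() and released by eap_peer_config_free_cert() in config.c), that `private_key_passwd` and `pin` are secrets that are wiped with str_clear_free() rather than os_free(), and that an all-NULL/zero instance means "no certificate credential configured" (eap_tls_init() refuses to start when both `private_key` and `engine` are unset, and eap_teap.c refuses PAC provisioning when both `ca_cert` and `ca_path` are unset). The struct body continues past the end of this hunk.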
@@ -327,115 +232,163 @@ struct eap_peer_config { char *domain_match; /** - * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2) + * pin - PIN for USIM, GSM SIM, and smartcards * - * This file can have one or more trusted CA certificates. If ca_cert2 - * and ca_path2 are not included, server certificate will not be - * verified. This is insecure and a trusted CA certificate should - * always be configured. Full path to the file should be used since - * working directory may change when wpa_supplicant is run in the - * background. + * This field is used to configure PIN for SIM and smartcards for + * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a + * smartcard is used for private key operations. * - * This field is like ca_cert, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. - * - * Alternatively, a named configuration blob can be used by setting - * this to blob://blob_name. + * If left out, this will be asked through control interface. */ - char *ca_cert2; + char *pin; /** - * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2) + * engine - Enable OpenSSL engine (e.g., for smartcard access) * - * This path may contain multiple CA certificates in OpenSSL format. - * Common use for this is to point to system trusted CA list which is - * often installed into directory like /etc/ssl/certs. If configured, - * these certificates are added to the list of trusted CAs. ca_cert - * may also be included in that case, but it is not required. - * - * This field is like ca_path, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. + * This is used if private key operations for EAP-TLS are performed + * using a smartcard. */ - char *ca_path2; + int engine; /** - * client_cert2 - File path to client certificate file + * engine_id - Engine ID for OpenSSL engine * - * This field is like client_cert, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. 
Full path to the - * file should be used since working directory may change when - * wpa_supplicant is run in the background. + * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11 + * engine. * - * Alternatively, a named configuration blob can be used by setting - * this to blob://blob_name. + * This is used if private key operations for EAP-TLS are performed + * using a smartcard. */ - char *client_cert2; + char *engine_id; + /** - * private_key2 - File path to client private key file + * key_id - Key ID for OpenSSL engine * - * This field is like private_key, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the - * file should be used since working directory may change when - * wpa_supplicant is run in the background. - * - * Alternatively, a named configuration blob can be used by setting - * this to blob://blob_name. + * This is used if private key operations for EAP-TLS are performed + * using a smartcard. */ - char *private_key2; + char *key_id; /** - * private_key2_passwd - Password for private key file + * cert_id - Cert ID for OpenSSL engine * - * This field is like private_key_passwd, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. + * This is used if the certificate operations for EAP-TLS are performed + * using a smartcard. */ - char *private_key2_passwd; + char *cert_id; /** - * dh_file2 - File path to DH/DSA parameters file (in PEM format) + * ca_cert_id - CA Cert ID for OpenSSL engine * - * This field is like dh_file, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the - * file should be used since working directory may change when - * wpa_supplicant is run in the background. - * - * Alternatively, a named configuration blob can be used by setting - * this to blob://blob_name. + * This is used if the CA certificate for EAP-TLS is on a smartcard. 
*/ - char *dh_file2; + char *ca_cert_id; +}; + +/** + * struct eap_peer_config - EAP peer configuration/credentials + */ +struct eap_peer_config { + /** + * identity - EAP Identity + * + * This field is used to set the real user identity or NAI (for + * EAP-PSK/PAX/SAKE/GPSK). + */ + u8 *identity; /** - * subject_match2 - Constraint for server certificate subject - * - * This field is like subject_match, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. + * identity_len - EAP Identity length */ - char *subject_match2; + size_t identity_len; /** - * altsubject_match2 - Constraint for server certificate alt. subject + * anonymous_identity - Anonymous EAP Identity * - * This field is like altsubject_match, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. + * This field is used for unencrypted use with EAP types that support + * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the + * real identity (identity field) only to the authentication server. + * + * If not set, the identity field will be used for both unencrypted and + * protected fields. + * + * This field can also be used with EAP-SIM/AKA/AKA' to store the + * pseudonym identity. */ - char *altsubject_match2; + u8 *anonymous_identity; /** - * domain_suffix_match2 - Constraint for server domain name - * - * This field is like domain_suffix_match, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. + * anonymous_identity_len - Length of anonymous_identity */ - char *domain_suffix_match2; + size_t anonymous_identity_len; + + u8 *imsi_identity; + size_t imsi_identity_len; /** - * domain_match2 - Constraint for server domain name + * machine_identity - EAP Identity for machine credential * - * This field is like domain_match, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. 
+ * This field is used to set the machine identity or NAI for cases where + * and explicit machine credential (instead of or in addition to a user + * credential (from %identity) is needed. */ - char *domain_match2; + u8 *machine_identity; + + /** + * machine_identity_len - EAP Identity length for machine credential + */ + size_t machine_identity_len; + + /** + * password - Password string for EAP + * + * This field can include either the plaintext password (default + * option) or a NtPasswordHash (16-byte MD4 hash of the unicode + * presentation of the password) if flags field has + * EAP_CONFIG_FLAGS_PASSWORD_NTHASH bit set to 1. NtPasswordHash can + * only be used with authentication mechanism that use this hash as the + * starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2, + * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). + * + * In addition, this field is used to configure a pre-shared key for + * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK + * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length + * PSK. + */ + u8 *password; + + /** + * password_len - Length of password field + */ + size_t password_len; + + /** + * machine_password - Password string for EAP machine credential + * + * This field is used when machine credential based on username/password + * is needed instead of a user credential (from %password). See + * %password for more details on the format. + */ + u8 *machine_password; + + /** + * machine_password_len - Length of machine credential password field + */ + size_t machine_password_len; + + /** + * cert - Certificate parameters for Phase 1 + */ + struct eap_peer_cert_config cert; + + /** + * phase2_cert - Certificate parameters for Phase 2 + * + * This is like cert, but used for Phase 2 (inside + * EAP-TTLS/PEAP/FAST/TEAP tunnel) authentication. + */ + struct eap_peer_cert_config phase2_cert; /** * eap_methods - Allowed EAP methods 
@@ -534,123 +487,6 @@ struct eap_peer_config { */ char *pcsc; - /** - * pin - PIN for USIM, GSM SIM, and smartcards - * - * This field is used to configure PIN for SIM and smartcards for - * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a - * smartcard is used for private key operations. - * - * If left out, this will be asked through control interface. - */ - char *pin; - - /** - * engine - Enable OpenSSL engine (e.g., for smartcard access) - * - * This is used if private key operations for EAP-TLS are performed - * using a smartcard. - */ - int engine; - - /** - * engine_id - Engine ID for OpenSSL engine - * - * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11 - * engine. - * - * This is used if private key operations for EAP-TLS are performed - * using a smartcard. - */ - char *engine_id; - - /** - * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2) - * - * This is used if private key operations for EAP-TLS are performed - * using a smartcard. - * - * This field is like engine, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. - */ - int engine2; - - - /** - * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2) - * - * This field is used to configure PIN for SIM and smartcards for - * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a - * smartcard is used for private key operations. - * - * This field is like pin2, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. - * - * If left out, this will be asked through control interface. - */ - char *pin2; - - /** - * engine2_id - Engine ID for OpenSSL engine (Phase 2) - * - * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11 - * engine. - * - * This is used if private key operations for EAP-TLS are performed - * using a smartcard. - * - * This field is like engine_id, but used for phase 2 (inside - * EAP-TTLS/PEAP/FAST tunnel) authentication. 
- */
- char *engine2_id;
-
-
- /**
- * key_id - Key ID for OpenSSL engine
- *
- * This is used if private key operations for EAP-TLS are performed
- * using a smartcard.
- */
- char *key_id;
-
- /**
- * cert_id - Cert ID for OpenSSL engine
- *
- * This is used if the certificate operations for EAP-TLS are performed
- * using a smartcard.
- */
- char *cert_id;
-
- /**
- * ca_cert_id - CA Cert ID for OpenSSL engine
- *
- * This is used if the CA certificate for EAP-TLS is on a smartcard.
- */
- char *ca_cert_id;
-
- /**
- * key2_id - Key ID for OpenSSL engine (phase2)
- *
- * This is used if private key operations for EAP-TLS are performed
- * using a smartcard.
- */
- char *key2_id;
-
- /**
- * cert2_id - Cert ID for OpenSSL engine (phase2)
- *
- * This is used if the certificate operations for EAP-TLS are performed
- * using a smartcard.
- */
- char *cert2_id;
-
- /**
- * ca_cert2_id - CA Cert ID for OpenSSL engine (phase2)
- *
- * This is used if the CA certificate for EAP-TLS is on a smartcard.
- */
- char *ca_cert2_id;
-
 /**
 * otp - One-time-password
 *
diff --git a/src/eap_peer/eap_teap.c b/src/eap_peer/eap_teap.c
index e2416f180..169583386 100644
--- a/src/eap_peer/eap_teap.c
+++ b/src/eap_peer/eap_teap.c
@@ -169,7 +169,7 @@ static void * eap_teap_init(struct eap_sm *sm)
 eap_teap_parse_phase1(data, config->phase1);
 if ((data->provisioning_allowed & EAP_TEAP_PROV_AUTH) &&
- !config->ca_cert && !config->ca_path) {
+ !config->cert.ca_cert && !config->cert.ca_path) {
 /* Prevent PAC provisioning without mutual authentication
 * (either by validating server certificate or by suitable
 * inner EAP method). */
diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index 15d60d710..1bde99730 100644
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -1,6 +1,6 @@
 /*
 * EAP peer method: EAP-TLS (RFC 2716)
- * Copyright (c) 2004-2008, 2012-2015, Jouni Malinen
+ * Copyright (c) 2004-2008, 2012-2019, Jouni Malinen
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
@@ -34,9 +34,10 @@ static void * eap_tls_init(struct eap_sm *sm)
 struct eap_tls_data *data;
 struct eap_peer_config *config = eap_get_config(sm);
 if (config == NULL ||
- ((sm->init_phase2 ? config->private_key2 : config->private_key)
- == NULL &&
- (sm->init_phase2 ? config->engine2 : config->engine) == 0)) {
+ ((sm->init_phase2 ? config->phase2_cert.private_key :
+ config->cert.private_key) == NULL &&
+ (sm->init_phase2 ? config->phase2_cert.engine :
+ config->cert.engine) == 0)) {
 wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
 return NULL;
 }
@@ -51,13 +52,13 @@ static void * eap_tls_init(struct eap_sm *sm)
 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TLS)) {
 wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
 eap_tls_deinit(sm, data);
- if (config->engine) {
+ if (config->cert.engine) {
 wpa_printf(MSG_DEBUG, "EAP-TLS: Requesting Smartcard " "PIN");
 eap_sm_request_pin(sm);
 sm->ignore = TRUE;
- } else if (config->private_key && !config->private_key_passwd)
- {
+ } else if (config->cert.private_key &&
+ !config->cert.private_key_passwd) {
 wpa_printf(MSG_DEBUG, "EAP-TLS: Requesting private " "key passphrase");
 eap_sm_request_passphrase(sm);
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index f4053f867..ce8a1c780 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
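Review bot: The recovery branch after the eap_peer_tls_ssl_init() failure still reads only `config->cert` (`config->cert.engine`, `config->cert.private_key`, `config->cert.private_key_passwd`), whereas the guard at the top of eap_tls_init() in the previous hunk selects `phase2_cert` when `sm->init_phase2` is set; when EAP-TLS runs as the Phase 2 method with a Phase 2 engine or passphrase-protected key, the PIN/passphrase request therefore looks like it is driven by the Phase 1 settings. The same Phase 1-only assumption appears in eap_tls_init_connection() (the `config->cert.pin` reset in the eap_tls_common.c `@@ -264` hunk) and in the WPA_CTRL_REQ_EAP_PIN / WPA_CTRL_REQ_EAP_PASSPHRASE handlers in wpa_supplicant.c, which store the control-interface reply into `cert` only, so a full fix would have to carry the phase through those paths as well. Within this file, selecting the credential set once at the top of eap_tls_init() removes the duplicated ternaries and makes the phase choice explicit for both the guard and the recovery branch. eap_tls_init() starts before the first hunk and continues after the last one.
```c
static void * eap_tls_init(struct eap_sm *sm)
{
	struct eap_tls_data *data;
	struct eap_peer_config *config = eap_get_config(sm);
	struct eap_peer_cert_config *cert;

	/* Phase 2 (EAP-TLS inside a tunnel) has its own credential set */
	cert = config ? (sm->init_phase2 ? &config->phase2_cert :
			 &config->cert) : NULL;
	if (!cert || (!cert->private_key && !cert->engine)) {
		wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
		return NULL;
	}
	/* … unchanged: data allocation … */
	if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TLS)) {
		wpa_printf(MSG_INFO, "EAP-TLS: Failed to initialize SSL.");
		eap_tls_deinit(sm, data);
		if (cert->engine) {
			/* … unchanged: PIN request … */
		} else if (cert->private_key && !cert->private_key_passwd) {
			/* … unchanged: passphrase request … */
		}
		/* … unchanged: rest of the failure handling … */
```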
@@ -105,8 +105,8 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
 }
-static void eap_tls_params_from_conf1(struct tls_connection_params *params,
- struct eap_peer_config *config)
+static void eap_tls_cert_params_from_conf(struct tls_connection_params *params,
+ struct eap_peer_cert_config *config)
 {
 params->ca_cert = config->ca_cert;
 params->ca_path = config->ca_path;
@@ -125,6 +125,13 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
 params->key_id = config->key_id;
 params->cert_id = config->cert_id;
 params->ca_cert_id = config->ca_cert_id;
+}
+
+
+static void eap_tls_params_from_conf1(struct tls_connection_params *params,
+ struct eap_peer_config *config)
+{
+ eap_tls_cert_params_from_conf(params, &config->cert);
 eap_tls_params_flags(params, config->phase1);
 }
@@ -132,23 +139,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
 static void eap_tls_params_from_conf2(struct tls_connection_params *params, struct eap_peer_config *config)
 {
- params->ca_cert = config->ca_cert2;
- params->ca_path = config->ca_path2;
- params->client_cert = config->client_cert2;
- params->private_key = config->private_key2;
- params->private_key_passwd = config->private_key2_passwd;
- params->dh_file = config->dh_file2;
- params->subject_match = config->subject_match2;
- params->altsubject_match = config->altsubject_match2;
- params->check_cert_subject = config->check_cert_subject2;
- params->suffix_match = config->domain_suffix_match2;
- params->domain_match = config->domain_match2;
- params->engine = config->engine2;
- params->engine_id = config->engine2_id;
- params->pin = config->pin2;
- params->key_id = config->key2_id;
- params->cert_id = config->cert2_id;
- params->ca_cert_id = config->ca_cert2_id;
+ eap_tls_cert_params_from_conf(params, &config->phase2_cert);
 eap_tls_params_flags(params, config->phase2);
 }
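Review bot: `eap_tls_cert_params_from_conf()` only reads its second argument (every statement visible in this hunk and the next is a pointer copy of the form `params->x = config->x;`), so the parameter should be declared `const struct eap_peer_cert_config *config`; that states at the signature that the credential set is not modified and both callers can still pass `&config->cert` / `&config->phase2_cert` unchanged. The function also has no header comment; I would add `/* Copy the certificate/engine settings of one credential set into the TLS connection parameters. Only the pointers are copied; the strings remain owned by the peer configuration. */` above the definition. The body of this function is split between this hunk and the following one.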
@@ -264,8 +255,8 @@ static int eap_tls_init_connection(struct eap_sm *sm,
 */
 wpa_printf(MSG_INFO, "TLS: Bad PIN provided, requesting a new one");
- os_free(config->pin);
- config->pin = NULL;
+ os_free(config->cert.pin);
+ config->cert.pin = NULL;
 eap_sm_request_pin(sm);
 sm->ignore = TRUE;
 } else if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index cde1e8d35..00d829be1 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1,6 +1,6 @@
 /*
 * WPA Supplicant / Configuration parser and common functions
- * Copyright (c) 2003-2018, Jouni Malinen
+ * Copyright (c) 2003-2019, Jouni Malinen
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
@@ -2279,23 +2279,24 @@ static char * wpa_config_write_peerkey(const struct parse_data *data,
 /* STR: Define a string variable for an ASCII string; f = field name */
 #ifdef NO_CONFIG_WRITE
 #define _STR(f) #f, wpa_config_parse_str, OFFSET(f)
-#define _STRe(f) #f, wpa_config_parse_str, OFFSET(eap.f)
+#define _STRe(f, m) #f, wpa_config_parse_str, OFFSET(eap.m)
 #else /* NO_CONFIG_WRITE */
 #define _STR(f) #f, wpa_config_parse_str, wpa_config_write_str, OFFSET(f)
-#define _STRe(f) #f, wpa_config_parse_str, wpa_config_write_str, OFFSET(eap.f)
+#define _STRe(f, m) #f, wpa_config_parse_str, wpa_config_write_str, \
+ OFFSET(eap.m)
 #endif /* NO_CONFIG_WRITE */
 #define STR(f) _STR(f), NULL, NULL, NULL, 0
-#define STRe(f) _STRe(f), NULL, NULL, NULL, 0
+#define STRe(f, m) _STRe(f, m), NULL, NULL, NULL, 0
 #define STR_KEY(f) _STR(f), NULL, NULL, NULL, 1
-#define STR_KEYe(f) _STRe(f), NULL, NULL, NULL, 1
+#define STR_KEYe(f, m) _STRe(f, m), NULL, NULL, NULL, 1
 /* STR_LEN: Define a string variable with a separate variable for storing the
 * data length. Unlike STR(), this can be used to store arbitrary binary data
 * (i.e., even nul termination character). */
 #define _STR_LEN(f) _STR(f), OFFSET(f ## _len)
-#define _STR_LENe(f) _STRe(f), OFFSET(eap.f ## _len)
+#define _STR_LENe(f, m) _STRe(f, m), OFFSET(eap.m ## _len)
 #define STR_LEN(f) _STR_LEN(f), NULL, NULL, 0
-#define STR_LENe(f) _STR_LENe(f), NULL, NULL, 0
+#define STR_LENe(f, m) _STR_LENe(f, m), NULL, NULL, 0
 #define STR_LEN_KEY(f) _STR_LEN(f), NULL, NULL, 1
 /* STR_RANGE: Like STR_LEN(), but with minimum and maximum allowed length
@@ -2306,17 +2307,17 @@ static char * wpa_config_write_peerkey(const struct parse_data *data,
 #ifdef NO_CONFIG_WRITE
 #define _INT(f) #f, wpa_config_parse_int, OFFSET(f), (void *) 0
-#define _INTe(f) #f, wpa_config_parse_int, OFFSET(eap.f), (void *) 0
+#define _INTe(f, m) #f, wpa_config_parse_int, OFFSET(eap.m), (void *) 0
 #else /* NO_CONFIG_WRITE */
 #define _INT(f) #f, wpa_config_parse_int, wpa_config_write_int, \
 OFFSET(f), (void *) 0
-#define _INTe(f) #f, wpa_config_parse_int, wpa_config_write_int, \
- OFFSET(eap.f), (void *) 0
+#define _INTe(f, m) #f, wpa_config_parse_int, wpa_config_write_int, \
+ OFFSET(eap.m), (void *) 0
 #endif /* NO_CONFIG_WRITE */
 /* INT: Define an integer variable */
 #define INT(f) _INT(f), NULL, NULL, 0
-#define INTe(f) _INTe(f), NULL, NULL, 0
+#define INTe(f, m) _INTe(f, m), NULL, NULL, 0
 /* INT_RANGE: Define an integer variable with allowed value range */
 #define INT_RANGE(f, min, max) _INT(f), (void *) (min), (void *) (max), 0
@@ -2384,53 +2385,53 @@ static const struct parse_data ssid_fields[] = {
 { INT(vht_center_freq2) },
 #ifdef IEEE8021X_EAPOL
 { FUNC(eap) },
- { STR_LENe(identity) },
- { STR_LENe(anonymous_identity) },
- { STR_LENe(imsi_identity) },
- { STR_LENe(machine_identity) },
+ { STR_LENe(identity, identity) },
+ { STR_LENe(anonymous_identity, anonymous_identity) },
+ { STR_LENe(imsi_identity, imsi_identity) },
+ { STR_LENe(machine_identity, machine_identity) },
 { FUNC_KEY(password) },
 { FUNC_KEY(machine_password) },
- { STRe(ca_cert) },
- { STRe(ca_path) },
- { STRe(client_cert) },
- { STRe(private_key) },
- { STR_KEYe(private_key_passwd) },
- { STRe(dh_file) },
- { STRe(subject_match) },
- { STRe(check_cert_subject) },
- { STRe(altsubject_match) },
- { STRe(domain_suffix_match) },
- { STRe(domain_match) },
- { STRe(ca_cert2) },
- { STRe(ca_path2) },
- { STRe(client_cert2) },
- { STRe(private_key2) },
- { STR_KEYe(private_key2_passwd) },
- { STRe(dh_file2) },
- { STRe(subject_match2) },
- { STRe(check_cert_subject2) },
- { STRe(altsubject_match2) },
- { STRe(domain_suffix_match2) },
- { STRe(domain_match2) },
- { STRe(phase1) },
- { STRe(phase2) },
- { STRe(pcsc) },
- { STR_KEYe(pin) },
- { STRe(engine_id) },
- { STRe(key_id) },
- { STRe(cert_id) },
- { STRe(ca_cert_id) },
- { STR_KEYe(pin2) },
- { STRe(engine2_id) },
- { STRe(key2_id) },
- { STRe(cert2_id) },
- { STRe(ca_cert2_id) },
- { INTe(engine) },
- { INTe(engine2) },
+ { STRe(ca_cert, cert.ca_cert) },
+ { STRe(ca_path, cert.ca_path) },
+ { STRe(client_cert, cert.client_cert) },
+ { STRe(private_key, cert.private_key) },
+ { STR_KEYe(private_key_passwd, cert.private_key_passwd) },
+ { STRe(dh_file, cert.dh_file) },
+ { STRe(subject_match, cert.subject_match) },
+ { STRe(check_cert_subject, cert.check_cert_subject) },
+ { STRe(altsubject_match, cert.altsubject_match) },
+ { STRe(domain_suffix_match, cert.domain_suffix_match) },
+ { STRe(domain_match, cert.domain_match) },
+ { STRe(ca_cert2, phase2_cert.ca_cert) },
+ { STRe(ca_path2, phase2_cert.ca_path) },
+ { STRe(client_cert2, phase2_cert.client_cert) },
+ { STRe(private_key2, phase2_cert.private_key) },
+ { STR_KEYe(private_key2_passwd, phase2_cert.private_key_passwd) },
+ { STRe(dh_file2, phase2_cert.dh_file) },
+ { STRe(subject_match2, phase2_cert.subject_match) },
+ { STRe(check_cert_subject2, phase2_cert.check_cert_subject) },
+ { STRe(altsubject_match2, phase2_cert.altsubject_match) },
+ { STRe(domain_suffix_match2, phase2_cert.domain_suffix_match) },
+ { STRe(domain_match2, phase2_cert.domain_match) },
+ { STRe(phase1, phase1) },
+ { STRe(phase2, phase2) },
+ { STRe(pcsc, pcsc) },
+ { STR_KEYe(pin, cert.pin) },
+ { STRe(engine_id, cert.engine_id) },
+ { STRe(key_id, cert.key_id) },
+ { STRe(cert_id, cert.cert_id) },
+ { STRe(ca_cert_id, cert.ca_cert_id) },
+ { STR_KEYe(pin2, phase2_cert.pin) },
+ { STRe(engine_id2, phase2_cert.engine_id) },
+ { STRe(key_id2, phase2_cert.key_id) },
+ { STRe(cert_id2, phase2_cert.cert_id) },
+ { STRe(ca_cert_id2, phase2_cert.ca_cert_id) },
+ { INTe(engine, cert.engine) },
+ { INTe(engine2, phase2_cert.engine) },
 { INT(eapol_flags) },
- { INTe(sim_num) },
- { STRe(openssl_ciphers) },
- { INTe(erp) },
+ { INTe(sim_num, sim_num) },
+ { STRe(openssl_ciphers, openssl_ciphers) },
+ { INTe(erp, erp) },
 #endif /* IEEE8021X_EAPOL */
 { FUNC_KEY(wep_key0) },
 { FUNC_KEY(wep_key1) },
@@ -2440,9 +2441,9 @@ static const struct parse_data ssid_fields[] = {
 { INT(priority) },
 #ifdef IEEE8021X_EAPOL
 { INT(eap_workaround) },
- { STRe(pac_file) },
- { INTe(fragment_size) },
- { INTe(ocsp) },
+ { STRe(pac_file, pac_file) },
+ { INTe(fragment_size, fragment_size) },
+ { INTe(ocsp, ocsp) },
 #endif /* IEEE8021X_EAPOL */
 #ifdef CONFIG_MESH
 { INT_RANGE(mode, 0, 5) },
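Review bot: Four Phase 2 entries in ssid_fields[] change the user-visible parameter name: the removed side registers `engine2_id`, `key2_id`, `cert2_id` and `ca_cert2_id`, the added side registers `engine_id2`, `key_id2`, `cert_id2` and `ca_cert_id2` (while `pin2` and `engine2` keep their names). The first macro argument is what `#f` in _STRe() turns into the key matched against the configuration, so existing network blocks using the old names would no longer parse, and the writers in config_file.c and config_winreg.c still emit `STR(engine2_id)`, `STR(cert2_id)` and `STR(ca_cert2_id)` (visible as context in their `@@ -812` and `@@ -920` hunks), so if write_str() resolves names through this table a saved configuration would not round-trip. The commit message describes a pure refactoring, so I read this as an accidental transposition; the four entries should keep the old names.
```c
	{ STR_KEYe(pin2, phase2_cert.pin) },
	{ STRe(engine2_id, phase2_cert.engine_id) },
	{ STRe(key2_id, phase2_cert.key_id) },
	{ STRe(cert2_id, phase2_cert.cert_id) },
	{ STRe(ca_cert2_id, phase2_cert.ca_cert_id) },
	/* … unchanged: remaining ssid_fields entries … */
```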
@@ -2654,6 +2655,28 @@ int wpa_config_update_prio_list(struct wpa_config *config)
 #ifdef IEEE8021X_EAPOL
+
+static void eap_peer_config_free_cert(struct eap_peer_cert_config *cert)
+{
+ os_free(cert->ca_cert);
+ os_free(cert->ca_path);
+ os_free(cert->client_cert);
+ os_free(cert->private_key);
+ str_clear_free(cert->private_key_passwd);
+ os_free(cert->dh_file);
+ os_free(cert->subject_match);
+ os_free(cert->check_cert_subject);
+ os_free(cert->altsubject_match);
+ os_free(cert->domain_suffix_match);
+ os_free(cert->domain_match);
+ str_clear_free(cert->pin);
+ os_free(cert->engine_id);
+ os_free(cert->key_id);
+ os_free(cert->cert_id);
+ os_free(cert->ca_cert_id);
+}
+
+
 static void eap_peer_config_free(struct eap_peer_config *eap)
 {
 os_free(eap->eap_methods);
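Review bot: `eap_peer_config_free_cert()` has no comment, and its one non-obvious property — `private_key_passwd` and `pin` go through str_clear_free() while every other member goes through os_free() — is worth stating so that a future member lands in the right list. I would put `/* Release the heap strings owned by one certificate credential set. Secrets (private key passphrase, PIN) are wiped before being freed. The pointers are left dangling; the caller is expected to discard the whole struct. */` above the definition. If the function is ever used on a credential set that stays live, an `os_memset(cert, 0, sizeof(*cert));` as the last statement would prevent a double free on a later call; as far as this page shows both callers are in eap_peer_config_free(), so that is optional here.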
@@ -2663,41 +2686,11 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 os_free(eap->machine_identity);
 bin_clear_free(eap->password, eap->password_len);
 bin_clear_free(eap->machine_password, eap->machine_password_len);
- os_free(eap->ca_cert);
- os_free(eap->ca_path);
- os_free(eap->client_cert);
- os_free(eap->private_key);
- str_clear_free(eap->private_key_passwd);
- os_free(eap->dh_file);
- os_free(eap->subject_match);
- os_free(eap->check_cert_subject);
- os_free(eap->altsubject_match);
- os_free(eap->domain_suffix_match);
- os_free(eap->domain_match);
- os_free(eap->ca_cert2);
- os_free(eap->ca_path2);
- os_free(eap->client_cert2);
- os_free(eap->private_key2);
- str_clear_free(eap->private_key2_passwd);
- os_free(eap->dh_file2);
- os_free(eap->subject_match2);
- os_free(eap->check_cert_subject2);
- os_free(eap->altsubject_match2);
- os_free(eap->domain_suffix_match2);
- os_free(eap->domain_match2);
+ eap_peer_config_free_cert(&eap->cert);
+ eap_peer_config_free_cert(&eap->phase2_cert);
 os_free(eap->phase1);
 os_free(eap->phase2);
 os_free(eap->pcsc);
- str_clear_free(eap->pin);
- os_free(eap->engine_id);
- os_free(eap->key_id);
- os_free(eap->cert_id);
- os_free(eap->ca_cert_id);
- os_free(eap->key2_id);
- os_free(eap->cert2_id);
- os_free(eap->ca_cert2_id);
- str_clear_free(eap->pin2);
- os_free(eap->engine2_id);
 os_free(eap->otp);
 os_free(eap->pending_req_otp);
 os_free(eap->pac_file);
@@ -2705,6 +2698,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 str_clear_free(eap->external_sim_resp);
 os_free(eap->openssl_ciphers);
 }
+
 #endif /* IEEE8021X_EAPOL */
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 8d81e361d..7dd7b1786 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -1,6 +1,6 @@
 /*
 * WPA Supplicant / Configuration backend: text file
- * Copyright (c) 2003-2012, Jouni Malinen
+ * Copyright (c) 2003-2019, Jouni Malinen
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
@@ -745,9 +745,9 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 #define STR(t) write_str(f, #t, ssid)
 #define INT(t) write_int(f, #t, ssid->t, 0)
-#define INTe(t) write_int(f, #t, ssid->eap.t, 0)
+#define INTe(t, m) write_int(f, #t, ssid->eap.m, 0)
 #define INT_DEF(t, def) write_int(f, #t, ssid->t, def)
-#define INT_DEFe(t, def) write_int(f, #t, ssid->eap.t, def)
+#define INT_DEFe(t, m, def) write_int(f, #t, ssid->eap.m, def)
 STR(ssid);
 INT(scan_ssid);
@@ -812,11 +812,11 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 STR(engine2_id);
 STR(cert2_id);
 STR(ca_cert2_id);
- INTe(engine);
- INTe(engine2);
+ INTe(engine, cert.engine);
+ INTe(engine2, phase2_cert.engine);
 INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
 STR(openssl_ciphers);
- INTe(erp);
+ INTe(erp, erp);
 #endif /* IEEE8021X_EAPOL */
 for (i = 0; i < 4; i++)
 write_wep_key(f, i, ssid);
@@ -825,9 +825,9 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 #ifdef IEEE8021X_EAPOL
 INT_DEF(eap_workaround, DEFAULT_EAP_WORKAROUND);
 STR(pac_file);
- INT_DEFe(fragment_size, DEFAULT_FRAGMENT_SIZE);
- INTe(ocsp);
- INT_DEFe(sim_num, DEFAULT_USER_SELECTED_SIM);
+ INT_DEFe(fragment_size, fragment_size, DEFAULT_FRAGMENT_SIZE);
+ INTe(ocsp, ocsp);
+ INT_DEFe(sim_num, sim_num, DEFAULT_USER_SELECTED_SIM);
 #endif /* IEEE8021X_EAPOL */
 INT(mode);
 INT(no_auto_peer);
diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 3ea5c8077..118710872 100644
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -1,6 +1,6 @@
 /*
 * WPA Supplicant / Configuration backend: Windows registry
- * Copyright (c) 2003-2008, Jouni Malinen
+ * Copyright (c) 2003-2019, Jouni Malinen
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
@@ -868,9 +868,9 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 #define STR(t) write_str(netw, #t, ssid)
 #define INT(t) write_int(netw, #t, ssid->t, 0)
-#define INTe(t) write_int(netw, #t, ssid->eap.t, 0)
+#define INTe(t, m) write_int(netw, #t, ssid->eap.m, 0)
 #define INT_DEF(t, def) write_int(netw, #t, ssid->t, def)
-#define INT_DEFe(t, def) write_int(netw, #t, ssid->eap.t, def)
+#define INT_DEFe(t, m, def) write_int(netw, #t, ssid->eap.m, def)
 STR(ssid);
 INT(scan_ssid);
@@ -920,8 +920,8 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 STR(engine2_id);
 STR(cert2_id);
 STR(ca_cert2_id);
- INTe(engine);
- INTe(engine2);
+ INTe(engine, cert.engine);
+ INTe(engine2, phase2_cert.engine);
 INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
 #endif /* IEEE8021X_EAPOL */
 for (i = 0; i < 4; i++)
@@ -931,7 +931,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 #ifdef IEEE8021X_EAPOL
 INT_DEF(eap_workaround, DEFAULT_EAP_WORKAROUND);
 STR(pac_file);
- INT_DEFe(fragment_size, DEFAULT_FRAGMENT_SIZE);
+ INT_DEFe(fragment_size, fragment_size, DEFAULT_FRAGMENT_SIZE);
 #endif /* IEEE8021X_EAPOL */
 INT(mode);
 write_int(netw, "proactive_key_caching", ssid->proactive_key_caching,
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index fe22be4aa..05a5d7f69 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -6918,8 +6918,8 @@ int wpa_supplicant_ctrl_iface_ctrl_rsp_handle(struct wpa_supplicant *wpa_s,
 wpa_s->reassociate = 1;
 break;
 case WPA_CTRL_REQ_EAP_PIN:
- str_clear_free(eap->pin);
- eap->pin = os_strdup(value);
+ str_clear_free(eap->cert.pin);
+ eap->cert.pin = os_strdup(value);
 eap->pending_req_pin = 0;
 if (ssid == wpa_s->current_ssid)
 wpa_s->reassociate = 1;
@@ -6933,8 +6933,8 @@ int wpa_supplicant_ctrl_iface_ctrl_rsp_handle(struct wpa_supplicant *wpa_s,
 eap->pending_req_otp_len = 0;
 break;
 case WPA_CTRL_REQ_EAP_PASSPHRASE:
- str_clear_free(eap->private_key_passwd);
- eap->private_key_passwd = os_strdup(value);
+ str_clear_free(eap->cert.private_key_passwd);
+ eap->cert.private_key_passwd = os_strdup(value);
 eap->pending_req_passphrase = 0;
 if (ssid == wpa_s->current_ssid)
 wpa_s->reassociate = 1;