OpenSSL: Add wrapper struct for tls_init() result

This new struct tls_data is needed to store per-tls_init() information
in the followup commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-23 19:22:13 +03:00
parent 137b293963
commit bd9b8b2b68

View file

@ -86,6 +86,10 @@ struct tls_context {
static struct tls_context *tls_global = NULL; static struct tls_context *tls_global = NULL;
struct tls_data {
SSL_CTX *ssl;
};
struct tls_connection { struct tls_connection {
struct tls_context *context; struct tls_context *context;
SSL_CTX *ssl_ctx; SSL_CTX *ssl_ctx;
@ -746,6 +750,7 @@ static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
void * tls_init(const struct tls_config *conf) void * tls_init(const struct tls_config *conf)
{ {
struct tls_data *data;
SSL_CTX *ssl; SSL_CTX *ssl;
struct tls_context *context; struct tls_context *context;
const char *ciphers; const char *ciphers;
@ -810,7 +815,11 @@ void * tls_init(const struct tls_config *conf)
} }
tls_openssl_ref_count++; tls_openssl_ref_count++;
ssl = SSL_CTX_new(SSLv23_method()); data = os_zalloc(sizeof(*data));
if (data)
ssl = SSL_CTX_new(SSLv23_method());
else
ssl = NULL;
if (ssl == NULL) { if (ssl == NULL) {
tls_openssl_ref_count--; tls_openssl_ref_count--;
if (context != tls_global) if (context != tls_global)
@ -821,6 +830,7 @@ void * tls_init(const struct tls_config *conf)
} }
return NULL; return NULL;
} }
data->ssl = ssl;
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
@ -839,7 +849,7 @@ void * tls_init(const struct tls_config *conf)
if (tls_engine_load_dynamic_opensc(conf->opensc_engine_path) || if (tls_engine_load_dynamic_opensc(conf->opensc_engine_path) ||
tls_engine_load_dynamic_pkcs11(conf->pkcs11_engine_path, tls_engine_load_dynamic_pkcs11(conf->pkcs11_engine_path,
conf->pkcs11_module_path)) { conf->pkcs11_module_path)) {
tls_deinit(ssl); tls_deinit(data);
return NULL; return NULL;
} }
} }
@ -853,17 +863,18 @@ void * tls_init(const struct tls_config *conf)
wpa_printf(MSG_ERROR, wpa_printf(MSG_ERROR,
"OpenSSL: Failed to set cipher string '%s'", "OpenSSL: Failed to set cipher string '%s'",
ciphers); ciphers);
tls_deinit(ssl); tls_deinit(data);
return NULL; return NULL;
} }
return ssl; return data;
} }
void tls_deinit(void *ssl_ctx) void tls_deinit(void *ssl_ctx)
{ {
SSL_CTX *ssl = ssl_ctx; struct tls_data *data = ssl_ctx;
SSL_CTX *ssl = data->ssl;
struct tls_context *context = SSL_CTX_get_app_data(ssl); struct tls_context *context = SSL_CTX_get_app_data(ssl);
if (context != tls_global) if (context != tls_global)
os_free(context); os_free(context);
@ -883,6 +894,8 @@ void tls_deinit(void *ssl_ctx)
os_free(tls_global); os_free(tls_global);
tls_global = NULL; tls_global = NULL;
} }
os_free(data);
} }
@ -1058,7 +1071,8 @@ static void tls_msg_cb(int write_p, int version, int content_type,
struct tls_connection * tls_connection_init(void *ssl_ctx) struct tls_connection * tls_connection_init(void *ssl_ctx)
{ {
SSL_CTX *ssl = ssl_ctx; struct tls_data *data = ssl_ctx;
SSL_CTX *ssl = data->ssl;
struct tls_connection *conn; struct tls_connection *conn;
long options; long options;
struct tls_context *context = SSL_CTX_get_app_data(ssl); struct tls_context *context = SSL_CTX_get_app_data(ssl);
@ -1066,7 +1080,7 @@ struct tls_connection * tls_connection_init(void *ssl_ctx)
conn = os_zalloc(sizeof(*conn)); conn = os_zalloc(sizeof(*conn));
if (conn == NULL) if (conn == NULL)
return NULL; return NULL;
conn->ssl_ctx = ssl_ctx; conn->ssl_ctx = ssl;
conn->ssl = SSL_new(ssl); conn->ssl = SSL_new(ssl);
if (conn->ssl == NULL) { if (conn->ssl == NULL) {
tls_show_errors(MSG_INFO, __func__, tls_show_errors(MSG_INFO, __func__,
@ -1641,9 +1655,9 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
#ifndef OPENSSL_NO_STDIO #ifndef OPENSSL_NO_STDIO
static int tls_load_ca_der(void *_ssl_ctx, const char *ca_cert) static int tls_load_ca_der(struct tls_data *data, const char *ca_cert)
{ {
SSL_CTX *ssl_ctx = _ssl_ctx; SSL_CTX *ssl_ctx = data->ssl;
X509_LOOKUP *lookup; X509_LOOKUP *lookup;
int ret = 0; int ret = 0;
@ -1673,11 +1687,12 @@ static int tls_load_ca_der(void *_ssl_ctx, const char *ca_cert)
#endif /* OPENSSL_NO_STDIO */ #endif /* OPENSSL_NO_STDIO */
static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn, static int tls_connection_ca_cert(struct tls_data *data,
struct tls_connection *conn,
const char *ca_cert, const u8 *ca_cert_blob, const char *ca_cert, const u8 *ca_cert_blob,
size_t ca_cert_blob_len, const char *ca_path) size_t ca_cert_blob_len, const char *ca_path)
{ {
SSL_CTX *ssl_ctx = _ssl_ctx; SSL_CTX *ssl_ctx = data->ssl;
X509_STORE *store; X509_STORE *store;
/* /*
@ -1812,7 +1827,7 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
tls_show_errors(MSG_WARNING, __func__, tls_show_errors(MSG_WARNING, __func__,
"Failed to load root certificates"); "Failed to load root certificates");
if (ca_cert && if (ca_cert &&
tls_load_ca_der(ssl_ctx, ca_cert) == 0) { tls_load_ca_der(data, ca_cert) == 0) {
wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded " wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded "
"DER format CA certificate", "DER format CA certificate",
__func__); __func__);
@ -1821,7 +1836,7 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
} else { } else {
wpa_printf(MSG_DEBUG, "TLS: Trusted root " wpa_printf(MSG_DEBUG, "TLS: Trusted root "
"certificate(s) loaded"); "certificate(s) loaded");
tls_get_errors(ssl_ctx); tls_get_errors(data);
} }
#else /* OPENSSL_NO_STDIO */ #else /* OPENSSL_NO_STDIO */
wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO",
@ -1838,8 +1853,10 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
} }
static int tls_global_ca_cert(SSL_CTX *ssl_ctx, const char *ca_cert) static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert)
{ {
SSL_CTX *ssl_ctx = data->ssl;
if (ca_cert) { if (ca_cert) {
if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1) if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1)
{ {
@ -1867,7 +1884,8 @@ int tls_global_set_verify(void *ssl_ctx, int check_crl)
int flags; int flags;
if (check_crl) { if (check_crl) {
X509_STORE *cs = SSL_CTX_get_cert_store(ssl_ctx); struct tls_data *data = ssl_ctx;
X509_STORE *cs = SSL_CTX_get_cert_store(data->ssl);
if (cs == NULL) { if (cs == NULL) {
tls_show_errors(MSG_INFO, __func__, "Failed to get " tls_show_errors(MSG_INFO, __func__, "Failed to get "
"certificate store when enabling " "certificate store when enabling "
@ -2028,9 +2046,12 @@ static int tls_connection_client_cert(struct tls_connection *conn,
} }
static int tls_global_client_cert(SSL_CTX *ssl_ctx, const char *client_cert) static int tls_global_client_cert(struct tls_data *data,
const char *client_cert)
{ {
#ifndef OPENSSL_NO_STDIO #ifndef OPENSSL_NO_STDIO
SSL_CTX *ssl_ctx = data->ssl;
if (client_cert == NULL) if (client_cert == NULL)
return 0; return 0;
@ -2064,7 +2085,7 @@ static int tls_passwd_cb(char *buf, int size, int rwflag, void *password)
#ifdef PKCS12_FUNCS #ifdef PKCS12_FUNCS
static int tls_parse_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, PKCS12 *p12, static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12,
const char *passwd) const char *passwd)
{ {
EVP_PKEY *pkey; EVP_PKEY *pkey;
@ -2095,7 +2116,7 @@ static int tls_parse_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, PKCS12 *p12,
if (SSL_use_certificate(ssl, cert) != 1) if (SSL_use_certificate(ssl, cert) != 1)
res = -1; res = -1;
} else { } else {
if (SSL_CTX_use_certificate(ssl_ctx, cert) != 1) if (SSL_CTX_use_certificate(data->ssl, cert) != 1)
res = -1; res = -1;
} }
X509_free(cert); X509_free(cert);
@ -2107,7 +2128,7 @@ static int tls_parse_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, PKCS12 *p12,
if (SSL_use_PrivateKey(ssl, pkey) != 1) if (SSL_use_PrivateKey(ssl, pkey) != 1)
res = -1; res = -1;
} else { } else {
if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) if (SSL_CTX_use_PrivateKey(data->ssl, pkey) != 1)
res = -1; res = -1;
} }
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
@ -2146,7 +2167,7 @@ static int tls_parse_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, PKCS12 *p12,
res = 0; res = 0;
#else /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ #else /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
#if OPENSSL_VERSION_NUMBER >= 0x10001000L #if OPENSSL_VERSION_NUMBER >= 0x10001000L
SSL_CTX_clear_extra_chain_certs(ssl_ctx); SSL_CTX_clear_extra_chain_certs(data->ssl);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10001000L */ #endif /* OPENSSL_VERSION_NUMBER >= 0x10001000L */
while ((cert = sk_X509_pop(certs)) != NULL) { while ((cert = sk_X509_pop(certs)) != NULL) {
X509_NAME_oneline(X509_get_subject_name(cert), buf, X509_NAME_oneline(X509_get_subject_name(cert), buf,
@ -2157,7 +2178,8 @@ static int tls_parse_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, PKCS12 *p12,
* There is no SSL equivalent for the chain cert - so * There is no SSL equivalent for the chain cert - so
* always add it to the context... * always add it to the context...
*/ */
if (SSL_CTX_add_extra_chain_cert(ssl_ctx, cert) != 1) { if (SSL_CTX_add_extra_chain_cert(data->ssl, cert) != 1)
{
res = -1; res = -1;
break; break;
} }
@ -2169,15 +2191,15 @@ static int tls_parse_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, PKCS12 *p12,
PKCS12_free(p12); PKCS12_free(p12);
if (res < 0) if (res < 0)
tls_get_errors(ssl_ctx); tls_get_errors(data);
return res; return res;
} }
#endif /* PKCS12_FUNCS */ #endif /* PKCS12_FUNCS */
static int tls_read_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, const char *private_key, static int tls_read_pkcs12(struct tls_data *data, SSL *ssl,
const char *passwd) const char *private_key, const char *passwd)
{ {
#ifdef PKCS12_FUNCS #ifdef PKCS12_FUNCS
FILE *f; FILE *f;
@ -2196,7 +2218,7 @@ static int tls_read_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, const char *private_key,
return -1; return -1;
} }
return tls_parse_pkcs12(ssl_ctx, ssl, p12, passwd); return tls_parse_pkcs12(data, ssl, p12, passwd);
#else /* PKCS12_FUNCS */ #else /* PKCS12_FUNCS */
wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read " wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read "
@ -2206,7 +2228,7 @@ static int tls_read_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, const char *private_key,
} }
static int tls_read_pkcs12_blob(SSL_CTX *ssl_ctx, SSL *ssl, static int tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl,
const u8 *blob, size_t len, const char *passwd) const u8 *blob, size_t len, const char *passwd)
{ {
#ifdef PKCS12_FUNCS #ifdef PKCS12_FUNCS
@ -2219,7 +2241,7 @@ static int tls_read_pkcs12_blob(SSL_CTX *ssl_ctx, SSL *ssl,
return -1; return -1;
} }
return tls_parse_pkcs12(ssl_ctx, ssl, p12, passwd); return tls_parse_pkcs12(data, ssl, p12, passwd);
#else /* PKCS12_FUNCS */ #else /* PKCS12_FUNCS */
wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse " wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse "
@ -2290,13 +2312,13 @@ static int tls_connection_engine_client_cert(struct tls_connection *conn,
} }
static int tls_connection_engine_ca_cert(void *_ssl_ctx, static int tls_connection_engine_ca_cert(struct tls_data *data,
struct tls_connection *conn, struct tls_connection *conn,
const char *ca_cert_id) const char *ca_cert_id)
{ {
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
X509 *cert; X509 *cert;
SSL_CTX *ssl_ctx = _ssl_ctx; SSL_CTX *ssl_ctx = data->ssl;
X509_STORE *store; X509_STORE *store;
if (tls_engine_get_cert(conn, ca_cert_id, &cert)) if (tls_engine_get_cert(conn, ca_cert_id, &cert))
@ -2362,14 +2384,14 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
} }
static int tls_connection_private_key(void *_ssl_ctx, static int tls_connection_private_key(struct tls_data *data,
struct tls_connection *conn, struct tls_connection *conn,
const char *private_key, const char *private_key,
const char *private_key_passwd, const char *private_key_passwd,
const u8 *private_key_blob, const u8 *private_key_blob,
size_t private_key_blob_len) size_t private_key_blob_len)
{ {
SSL_CTX *ssl_ctx = _ssl_ctx; SSL_CTX *ssl_ctx = data->ssl;
char *passwd; char *passwd;
int ok; int ok;
@ -2415,7 +2437,7 @@ static int tls_connection_private_key(void *_ssl_ctx,
break; break;
} }
if (tls_read_pkcs12_blob(ssl_ctx, conn->ssl, private_key_blob, if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob,
private_key_blob_len, passwd) == 0) { private_key_blob_len, passwd) == 0) {
wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> " wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> "
"OK"); "OK");
@ -2448,7 +2470,7 @@ static int tls_connection_private_key(void *_ssl_ctx,
__func__); __func__);
#endif /* OPENSSL_NO_STDIO */ #endif /* OPENSSL_NO_STDIO */
if (tls_read_pkcs12(ssl_ctx, conn->ssl, private_key, passwd) if (tls_read_pkcs12(data, conn->ssl, private_key, passwd)
== 0) { == 0) {
wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file " wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file "
"--> OK"); "--> OK");
@ -2487,9 +2509,11 @@ static int tls_connection_private_key(void *_ssl_ctx,
} }
static int tls_global_private_key(SSL_CTX *ssl_ctx, const char *private_key, static int tls_global_private_key(struct tls_data *data,
const char *private_key,
const char *private_key_passwd) const char *private_key_passwd)
{ {
SSL_CTX *ssl_ctx = data->ssl;
char *passwd; char *passwd;
if (private_key == NULL) if (private_key == NULL)
@ -2511,7 +2535,7 @@ static int tls_global_private_key(SSL_CTX *ssl_ctx, const char *private_key,
SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key, SSL_CTX_use_PrivateKey_file(ssl_ctx, private_key,
SSL_FILETYPE_PEM) != 1 && SSL_FILETYPE_PEM) != 1 &&
#endif /* OPENSSL_NO_STDIO */ #endif /* OPENSSL_NO_STDIO */
tls_read_pkcs12(ssl_ctx, NULL, private_key, passwd)) { tls_read_pkcs12(data, NULL, private_key, passwd)) {
tls_show_errors(MSG_INFO, __func__, tls_show_errors(MSG_INFO, __func__,
"Failed to load private key"); "Failed to load private key");
os_free(passwd); os_free(passwd);
@ -2606,7 +2630,7 @@ static int tls_connection_dh(struct tls_connection *conn, const char *dh_file)
} }
static int tls_global_dh(SSL_CTX *ssl_ctx, const char *dh_file) static int tls_global_dh(struct tls_data *data, const char *dh_file)
{ {
#ifdef OPENSSL_NO_DH #ifdef OPENSSL_NO_DH
if (dh_file == NULL) if (dh_file == NULL)
@ -2615,6 +2639,7 @@ static int tls_global_dh(SSL_CTX *ssl_ctx, const char *dh_file)
"dh_file specified"); "dh_file specified");
return -1; return -1;
#else /* OPENSSL_NO_DH */ #else /* OPENSSL_NO_DH */
SSL_CTX *ssl_ctx = data->ssl;
DH *dh; DH *dh;
BIO *bio; BIO *bio;
@ -2778,7 +2803,7 @@ static int openssl_get_keyblock_size(SSL *ssl)
#endif /* CONFIG_FIPS */ #endif /* CONFIG_FIPS */
static int openssl_tls_prf(void *tls_ctx, struct tls_connection *conn, static int openssl_tls_prf(struct tls_connection *conn,
const char *label, int server_random_first, const char *label, int server_random_first,
int skip_keyblock, u8 *out, size_t out_len) int skip_keyblock, u8 *out, size_t out_len)
{ {
@ -2946,7 +2971,7 @@ int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
if (conn == NULL) if (conn == NULL)
return -1; return -1;
if (server_random_first || skip_keyblock) if (server_random_first || skip_keyblock)
return openssl_tls_prf(tls_ctx, conn, label, return openssl_tls_prf(conn, label,
server_random_first, skip_keyblock, server_random_first, skip_keyblock,
out, out_len); out, out_len);
ssl = conn->ssl; ssl = conn->ssl;
@ -2956,7 +2981,7 @@ int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
return 0; return 0;
} }
#endif #endif
return openssl_tls_prf(tls_ctx, conn, label, server_random_first, return openssl_tls_prf(conn, label, server_random_first,
skip_keyblock, out, out_len); skip_keyblock, out, out_len);
} }
@ -3633,6 +3658,7 @@ static int ocsp_status_cb(SSL *s, void *arg)
int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
const struct tls_connection_params *params) const struct tls_connection_params *params)
{ {
struct tls_data *data = tls_ctx;
int ret; int ret;
unsigned long err; unsigned long err;
int can_pkcs11 = 0; int can_pkcs11 = 0;
@ -3708,10 +3734,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1; return -1;
if (engine_id && ca_cert_id) { if (engine_id && ca_cert_id) {
if (tls_connection_engine_ca_cert(tls_ctx, conn, if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
ca_cert_id))
return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED; return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
} else if (tls_connection_ca_cert(tls_ctx, conn, params->ca_cert, } else if (tls_connection_ca_cert(data, conn, params->ca_cert,
params->ca_cert_blob, params->ca_cert_blob,
params->ca_cert_blob_len, params->ca_cert_blob_len,
params->ca_path)) params->ca_path))
@ -3729,7 +3754,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
wpa_printf(MSG_DEBUG, "TLS: Using private key from engine"); wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
if (tls_connection_engine_private_key(conn)) if (tls_connection_engine_private_key(conn))
return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED; return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
} else if (tls_connection_private_key(tls_ctx, conn, } else if (tls_connection_private_key(data, conn,
params->private_key, params->private_key,
params->private_key_passwd, params->private_key_passwd,
params->private_key_blob, params->private_key_blob,
@ -3783,7 +3808,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (params->flags & TLS_CONN_REQUEST_OCSP) { if (params->flags & TLS_CONN_REQUEST_OCSP) {
SSL_CTX *ssl_ctx = tls_ctx; SSL_CTX *ssl_ctx = data->ssl;
SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp); SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp);
SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb); SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn); SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
@ -3802,7 +3827,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
conn->flags = params->flags; conn->flags = params->flags;
tls_get_errors(tls_ctx); tls_get_errors(data);
return 0; return 0;
} }
@ -3811,7 +3836,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
int tls_global_set_params(void *tls_ctx, int tls_global_set_params(void *tls_ctx,
const struct tls_connection_params *params) const struct tls_connection_params *params)
{ {
SSL_CTX *ssl_ctx = tls_ctx; struct tls_data *data = tls_ctx;
SSL_CTX *ssl_ctx = data->ssl;
unsigned long err; unsigned long err;
while ((err = ERR_get_error())) { while ((err = ERR_get_error())) {
@ -3819,11 +3845,11 @@ int tls_global_set_params(void *tls_ctx,
__func__, ERR_error_string(err, NULL)); __func__, ERR_error_string(err, NULL));
} }
if (tls_global_ca_cert(ssl_ctx, params->ca_cert) || if (tls_global_ca_cert(data, params->ca_cert) ||
tls_global_client_cert(ssl_ctx, params->client_cert) || tls_global_client_cert(data, params->client_cert) ||
tls_global_private_key(ssl_ctx, params->private_key, tls_global_private_key(data, params->private_key,
params->private_key_passwd) || params->private_key_passwd) ||
tls_global_dh(ssl_ctx, params->dh_file)) { tls_global_dh(data, params->dh_file)) {
wpa_printf(MSG_INFO, "TLS: Failed to set global parameters"); wpa_printf(MSG_INFO, "TLS: Failed to set global parameters");
return -1; return -1;
} }