TLS: Add new arguments to tls_connection_set_verify()
The new flags and session_ctx arguments will be used in followup commits. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
bd9b8b2b68
commit
bfbebd2665
6 changed files with 19 additions and 6 deletions
|
@ -305,11 +305,17 @@ int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
|
||||||
* @tls_ctx: TLS context data from tls_init()
|
* @tls_ctx: TLS context data from tls_init()
|
||||||
* @conn: Connection context data from tls_connection_init()
|
* @conn: Connection context data from tls_connection_init()
|
||||||
* @verify_peer: 1 = verify peer certificate
|
* @verify_peer: 1 = verify peer certificate
|
||||||
|
* @flags: Connection flags (TLS_CONN_*)
|
||||||
|
* @session_ctx: Session caching context or %NULL to use default
|
||||||
|
* @session_ctx_len: Length of @session_ctx in bytes.
|
||||||
* Returns: 0 on success, -1 on failure
|
* Returns: 0 on success, -1 on failure
|
||||||
*/
|
*/
|
||||||
int __must_check tls_connection_set_verify(void *tls_ctx,
|
int __must_check tls_connection_set_verify(void *tls_ctx,
|
||||||
struct tls_connection *conn,
|
struct tls_connection *conn,
|
||||||
int verify_peer);
|
int verify_peer,
|
||||||
|
unsigned int flags,
|
||||||
|
const u8 *session_ctx,
|
||||||
|
size_t session_ctx_len);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* tls_connection_get_random - Get random data from TLS connection
|
* tls_connection_get_random - Get random data from TLS connection
|
||||||
|
|
|
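Review bot: The new @session_ctx/@session_ctx_len lines do not state the contract for the %NULL case, and the only caller updated in this commit passes `NULL, 0`, so a backend that reads session_ctx_len before checking session_ctx is left to guess whether a NULL pointer with a non-zero length is legal. I would extend the line to `* @session_ctx: Session caching context or %NULL to use default (session_ctx_len must then be 0)`. It would also help to say on @flags that the TLS_CONN_* bits are accepted by every backend but may be ignored by one that does not implement them, since the hunks in this commit show no backend consuming the new arguments yet.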
@ -708,7 +708,8 @@ int tls_global_set_verify(void *ssl_ctx, int check_crl)
|
||||||
|
|
||||||
|
|
||||||
int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
|
int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
|
||||||
int verify_peer)
|
int verify_peer, unsigned int flags,
|
||||||
|
const u8 *session_ctx, size_t session_ctx_len)
|
||||||
{
|
{
|
||||||
if (conn == NULL || conn->session == NULL)
|
if (conn == NULL || conn->session == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
|
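Review bot: The three new parameters are accepted by this tls_connection_set_verify but nothing in the hunk reads them, and the same holds for the signatures changed in the `CONFIG_TLS_INTERNAL_SERVER` backend, the stub that only returns -1, and the `static int counter` variant further down; only the stub's body is fully visible, the other function bodies continue outside their hunks. Until the followup commits land, a caller passing a non-NULL session_ctx or non-zero flags gets neither an error nor any effect, which is hard to distinguish from a backend that honours them. A short marker at the top of each body, `/* flags/session_ctx not used by this backend yet */`, would document the gap for anyone reading the backend in isolation.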
@ -328,7 +328,8 @@ int tls_global_set_verify(void *tls_ctx, int check_crl)
|
||||||
|
|
||||||
|
|
||||||
int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
|
int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
|
||||||
int verify_peer)
|
int verify_peer, unsigned int flags,
|
||||||
|
const u8 *session_ctx, size_t session_ctx_len)
|
||||||
{
|
{
|
||||||
#ifdef CONFIG_TLS_INTERNAL_SERVER
|
#ifdef CONFIG_TLS_INTERNAL_SERVER
|
||||||
if (conn->server)
|
if (conn->server)
|
||||||
|
|
|
@ -72,7 +72,8 @@ int tls_global_set_verify(void *tls_ctx, int check_crl)
|
||||||
|
|
||||||
|
|
||||||
int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
|
int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
|
||||||
int verify_peer)
|
int verify_peer, unsigned int flags,
|
||||||
|
const u8 *session_ctx, size_t session_ctx_len)
|
||||||
{
|
{
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1944,7 +1944,8 @@ static int tls_connection_set_subject_match(struct tls_connection *conn,
|
||||||
|
|
||||||
|
|
||||||
int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
|
int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
|
||||||
int verify_peer)
|
int verify_peer, unsigned int flags,
|
||||||
|
const u8 *session_ctx, size_t session_ctx_len)
|
||||||
{
|
{
|
||||||
static int counter = 0;
|
static int counter = 0;
|
||||||
|
|
||||||
|
|
|
@ -46,6 +46,8 @@ static void eap_server_tls_log_cb(void *ctx, const char *msg)
|
||||||
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
||||||
int verify_peer)
|
int verify_peer)
|
||||||
{
|
{
|
||||||
|
unsigned int flags = 0;
|
||||||
|
|
||||||
if (sm->ssl_ctx == NULL) {
|
if (sm->ssl_ctx == NULL) {
|
||||||
wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
|
wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -68,7 +70,8 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
||||||
#endif /* CONFIG_TESTING_OPTIONS */
|
#endif /* CONFIG_TESTING_OPTIONS */
|
||||||
#endif /* CONFIG_TLS_INTERNAL */
|
#endif /* CONFIG_TLS_INTERNAL */
|
||||||
|
|
||||||
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
|
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
|
||||||
|
flags, NULL, 0)) {
|
||||||
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
|
wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
|
||||||
"of TLS peer certificate");
|
"of TLS peer certificate");
|
||||||
tls_connection_deinit(sm->ssl_ctx, data->conn);
|
tls_connection_deinit(sm->ssl_ctx, data->conn);
|
||||||
|
|
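Review bot: `unsigned int flags = 0;` is introduced at the top of eap_server_tls_ssl_init and passed through as `flags, NULL, 0`, but neither hunk assigns it, so unless the lines between the two hunks set bits the local is a constant 0 in this commit. Passing the literal would read clearer until a flag is actually derived here; if the local is kept as the hook for the followup commits, a one-line comment next to the declaration such as `/* TLS_CONN_* options for this connection; none configured yet */` would say so. eap_server_tls_ssl_init continues outside both hunks.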