Lines Matching +full:ext +full:- +full:gen
3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
20 #include <wolfssl/error-ssl.h>
114 context->event_cb = conf->event_cb;
115 context->cb_ctx = conf->cb_ctx;
116 context->cert_in_cb = conf->cert_in_cb;
127 in->in_data = buf;
128 in->consumed = 0;
135 out->out_data = wpabuf_alloc_copy("", 0);
146 return -1;
148 if (get > (wpabuf_len(data->in_data) - data->consumed))
149 get = wpabuf_len(data->in_data) - data->consumed;
151 os_memcpy(buf, wpabuf_head_u8(data->in_data) + data->consumed, get);
152 data->consumed += get;
155 return -2; /* WANT_READ */
168 return -1;
174 return -1;
175 data->out_data = wpabuf_concat(data->out_data, tmp);
176 if (!data->out_data)
177 return -1;
256 tls_ref_count--;
266 context->tls_session_lifetime = conf->tls_session_lifetime;
269 if (conf->tls_session_lifetime > 0) {
276 wolfSSL_CTX_set_timeout(ssl_ctx, conf->tls_session_lifetime);
283 if (conf && conf->openssl_ciphers)
284 ciphers = conf->openssl_ciphers;
309 tls_ref_count--;
326 wpa_printf(MSG_INFO, "TLS - SSL error: %s",
346 conn->ssl = wolfSSL_new(ssl_ctx);
347 if (!conn->ssl) {
352 wolfSSL_SetIOReadCtx(conn->ssl, &conn->input);
353 wolfSSL_SetIOWriteCtx(conn->ssl, &conn->output);
354 wolfSSL_set_ex_data(conn->ssl, 0, conn);
355 conn->context = wolfSSL_CTX_get_ex_data(ssl_ctx, 0);
357 /* Need randoms post-hanshake for EAP-FAST, export key and deriving
359 wolfSSL_KeepArrays(conn->ssl);
360 wolfSSL_KeepHandshakeResources(conn->ssl);
361 wolfSSL_UseClientSuites(conn->ssl);
375 wolfSSL_free(conn->ssl);
376 os_free(conn->subject_match);
377 os_free(conn->alt_subject_match);
378 os_free(conn->suffix_match);
379 os_free(conn->domain_match);
380 os_free(conn->peer_subject);
389 return conn ? wolfSSL_is_init_finished(conn->ssl) : 0;
406 return -1;
411 wolfSSL_set_quiet_shutdown(conn->ssl, 1);
412 wolfSSL_shutdown(conn->ssl);
414 session = wolfSSL_get1_session(conn->ssl);
415 if (wolfSSL_clear(conn->ssl) != 1) {
417 return -1;
419 wolfSSL_set_session(conn->ssl, session);
432 os_free(conn->subject_match);
433 conn->subject_match = NULL;
435 conn->subject_match = os_strdup(subject_match);
436 if (!conn->subject_match)
437 return -1;
440 os_free(conn->alt_subject_match);
441 conn->alt_subject_match = NULL;
443 conn->alt_subject_match = os_strdup(alt_subject_match);
444 if (!conn->alt_subject_match)
445 return -1;
448 os_free(conn->suffix_match);
449 conn->suffix_match = NULL;
451 conn->suffix_match = os_strdup(suffix_match);
452 if (!conn->suffix_match)
453 return -1;
456 os_free(conn->domain_match);
457 conn->domain_match = NULL;
459 conn->domain_match = os_strdup(domain_match);
460 if (!conn->domain_match)
461 return -1;
478 conn->ssl, client_cert_blob, blob_len,
483 conn->ssl, client_cert_blob, blob_len,
487 return -1;
496 conn->ssl, client_cert) != SSL_SUCCESS) {
500 conn->ssl, client_cert,
504 return -1;
541 return -1;
548 if (wolfSSL_use_PrivateKey_buffer(conn->ssl,
555 conn->ssl,
571 if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key,
576 if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key,
596 return -1;
605 WOLFSSL_GENERAL_NAME *gen;
606 void *ext;
610 ext = wolfSSL_X509_get_ext_d2i(cert, ALT_NAMES_OID, NULL, NULL);
612 for (i = 0; ext && i < wolfSSL_sk_num(ext); i++) {
613 gen = wolfSSL_sk_value(ext, i);
614 if (!gen || gen->type != type)
616 if ((size_t) wolfSSL_ASN1_STRING_length(gen->d.ia5) == len &&
617 os_memcmp(value, wolfSSL_ASN1_STRING_data(gen->d.ia5),
622 wolfSSL_sk_GENERAL_NAME_free(ext);
660 len = end - pos;
681 "TLS: Embedded null in a string - reject");
689 if (os_strncasecmp(val + len - match_len, match, match_len) != 0)
695 if (val[len - match_len - 1] == '.')
706 WOLFSSL_GENERAL_NAME *gen;
707 void *ext;
716 ext = wolfSSL_X509_get_ext_d2i(cert, ALT_NAMES_OID, NULL, NULL);
718 for (j = 0; ext && j < wolfSSL_sk_num(ext); j++) {
719 gen = wolfSSL_sk_value(ext, j);
720 if (!gen || gen->type != ASN_DNS_TYPE)
724 wolfSSL_ASN1_STRING_data(gen->d.ia5),
725 wolfSSL_ASN1_STRING_length(gen->d.ia5));
727 (const char *) wolfSSL_ASN1_STRING_data(gen->d.ia5),
728 wolfSSL_ASN1_STRING_length(gen->d.ia5), match,
732 wolfSSL_sk_ASN1_OBJECT_free(ext);
736 wolfSSL_sk_GENERAL_NAME_free(ext);
744 i = -1;
750 if (i == -1)
759 cn->data, cn->length);
760 if (domain_suffix_match(cn->data, cn->length,
780 if (tls_match_suffix_helper(cert, token, last - token, full))
862 struct tls_context *context = conn->context;
864 if (!context->event_cb)
875 context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
886 struct tls_context *context = conn->context;
889 WOLFSSL_GENERAL_NAME *gen;
890 void *ext;
896 if (!context->event_cb)
900 if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) ||
901 context->cert_in_cb) {
923 ext = wolfSSL_X509_get_ext_d2i(err_cert, ALT_NAMES_OID, NULL, NULL);
924 for (i = 0; ext && i < wolfSSL_sk_num(ext); i++) {
929 gen = wolfSSL_sk_value((void *) ext, i);
930 if (!gen ||
931 (gen->type != GEN_EMAIL &&
932 gen->type != GEN_DNS &&
933 gen->type != GEN_URI))
936 pos = os_malloc(10 + wolfSSL_ASN1_STRING_length(gen->d.ia5) +
942 switch (gen->type) {
957 os_memcpy(pos, wolfSSL_ASN1_STRING_data(gen->d.ia5),
958 wolfSSL_ASN1_STRING_length(gen->d.ia5));
959 pos += wolfSSL_ASN1_STRING_length(gen->d.ia5);
962 wolfSSL_sk_GENERAL_NAME_free(ext);
968 context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
1006 conn->peer_cert = err_cert;
1008 conn->peer_issuer = err_cert;
1010 conn->peer_issuer_issuer = err_cert;
1012 context = conn->context;
1013 match = conn->subject_match;
1014 altmatch = conn->alt_subject_match;
1015 suffix_match = conn->suffix_match;
1016 domain_match = conn->domain_match;
1018 if (!preverify_ok && !conn->ca_cert_verify)
1020 if (!preverify_ok && depth > 0 && conn->server_cert_only)
1022 if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
1038 if (depth == 0 && conn->server_cert_only) {
1054 os_memcmp(conn->srv_cert_hash, hash, 32) != 0) {
1082 "TLS: %s - preverify_ok=%d err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'",
1084 conn->ca_cert_verify, depth, buf);
1123 if (conn->cert_probe && preverify_ok && depth == 0) {
1125 "wolfSSL: Reject server certificate on probe-only run");
1133 if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) &&
1137 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert,
1138 conn->peer_issuer,
1139 conn->peer_issuer_issuer);
1149 (conn->flags & TLS_CONN_REQUIRE_OCSP)) {
1157 if (depth == 0 && preverify_ok && context->event_cb != NULL)
1158 context->event_cb(context->cb_ctx,
1162 os_free(conn->peer_subject);
1163 conn->peer_subject = os_strdup(buf);
1177 wolfSSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
1178 conn->ca_cert_verify = 1;
1183 conn->cert_probe = 1;
1184 conn->ca_cert_verify = 0;
1196 return -1;
1203 return -1;
1205 if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) {
1209 return -1;
1211 conn->server_cert_only = 1;
1217 "No SHA256 included in the build - cannot validate server certificate hash");
1218 return -1;
1232 return -1;
1245 return -1;
1255 return -1;
1262 return -1;
1268 conn->ca_cert_verify = 0;
1296 if (tls_connection_set_subject_match(conn, params->subject_match,
1297 params->altsubject_match,
1298 params->suffix_match,
1299 params->domain_match) < 0) {
1301 return -1;
1304 if (tls_connection_ca_cert(tls_ctx, conn, params->ca_cert,
1305 params->ca_cert_blob,
1306 params->ca_cert_blob_len,
1307 params->ca_path) < 0) {
1309 return -1;
1312 if (tls_connection_client_cert(conn, params->client_cert,
1313 params->client_cert_blob,
1314 params->client_cert_blob_len) < 0) {
1316 return -1;
1319 if (tls_connection_private_key(tls_ctx, conn, params->private_key,
1320 params->private_key_passwd,
1321 params->private_key_blob,
1322 params->private_key_blob_len) < 0) {
1324 return -1;
1328 params->openssl_ciphers ? params->openssl_ciphers : "N/A");
1329 if (params->openssl_ciphers &&
1330 wolfSSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) {
1333 params->openssl_ciphers);
1334 return -1;
1337 tls_set_conn_flags(conn->ssl, params->flags);
1340 if (params->flags & TLS_CONN_REQUEST_OCSP) {
1341 if (wolfSSL_UseOCSPStapling(conn->ssl, WOLFSSL_CSR_OCSP,
1344 return -1;
1345 if (wolfSSL_EnableOCSPStapling(conn->ssl) != SSL_SUCCESS)
1346 return -1;
1350 if (params->flags & TLS_CONN_REQUEST_OCSP) {
1351 if (wolfSSL_UseOCSPStaplingV2(conn->ssl,
1354 return -1;
1355 if (wolfSSL_EnableOCSPStapling(conn->ssl) != SSL_SUCCESS)
1356 return -1;
1362 if (params->flags & TLS_CONN_REQUEST_OCSP)
1365 if (params->flags & TLS_CONN_REQUIRE_OCSP) {
1367 "wolfSSL: No OCSP support included - reject configuration");
1368 return -1;
1370 if (params->flags & TLS_CONN_REQUEST_OCSP) {
1372 "wolfSSL: No OCSP support included - allow optional OCSP case to continue");
1378 conn->flags = params->flags;
1393 return -1;
1417 return -1;
1440 return -1;
1451 ret = -1;
1476 return -1;
1499 "wolfSSL: OCSP status callback - no response configured");
1507 "wolfSSL: OCSP status callback - could not read response file");
1508 return -1;
1511 "wolfSSL: OCSP status callback - send cached response");
1529 if (params->check_cert_subject)
1530 return -1; /* not yet supported */
1532 if (tls_global_ca_cert(tls_ctx, params->ca_cert) < 0) {
1534 params->ca_cert);
1535 return -1;
1538 if (tls_global_client_cert(tls_ctx, params->client_cert) < 0) {
1541 params->client_cert);
1542 return -1;
1545 if (tls_global_private_key(tls_ctx, params->private_key,
1546 params->private_key_passwd) < 0) {
1549 params->private_key);
1550 return -1;
1553 if (tls_global_dh(tls_ctx, params->dh_file) < 0) {
1555 params->dh_file);
1556 return -1;
1560 params->openssl_ciphers ? params->openssl_ciphers : "N/A");
1561 if (params->openssl_ciphers &&
1563 params->openssl_ciphers) != 1) {
1566 params->openssl_ciphers);
1567 return -1;
1570 if (params->openssl_ecdh_curves) {
1573 return -1;
1577 /* Session ticket is off by default - can't disable once on. */
1578 if (!(params->flags & TLS_CONN_DISABLE_SESSION_TICKET))
1583 if (params->ocsp_stapling_response) {
1585 params->ocsp_stapling_response);
1616 return -1;
1621 conn->ca_cert_verify = 1;
1622 wolfSSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
1626 conn->ca_cert_verify = 0;
1627 wolfSSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
1630 wolfSSL_set_accept_state(conn->ssl);
1633 if (context && context->tls_session_lifetime == 0) {
1640 wolfSSL_set_session_id_context(conn->ssl,
1644 wolfSSL_set_session_id_context(conn->ssl, session_ctx,
1660 wolfssl_reset_out_data(&conn->output);
1664 wolfSSL_set_accept_state(conn->ssl);
1665 res = wolfSSL_accept(conn->ssl);
1668 wolfSSL_set_connect_state(conn->ssl);
1669 res = wolfSSL_connect(conn->ssl);
1674 int err = wolfSSL_get_error(conn->ssl, res);
1678 "SSL: %s - WOLFSSL_ERROR_NONE (%d)",
1683 "SSL: %s - want more data",
1688 "SSL: %s - want to write",
1695 "SSL: %s - failed %s",
1699 conn->failed++;
1703 return conn->output.out_data;
1716 res = wolfSSL_read(conn->ssl, wpabuf_mhead(appl_data),
1719 int err = wolfSSL_get_error(conn->ssl, res);
1751 wolfssl_reset_in_data(&conn->input, in_data);
1760 if (wolfSSL_is_init_finished(conn->ssl)) {
1762 "wolfSSL: Handshake finished - resumed=%d",
1802 wolfssl_reset_out_data(&conn->output);
1804 res = wolfSSL_write(conn->ssl, wpabuf_head(in_data),
1807 int err = wolfSSL_get_error(conn->ssl, res);
1810 wpa_printf(MSG_INFO, "Encryption failed - SSL_write: %s",
1815 return conn->output.out_data;
1831 wolfssl_reset_in_data(&conn->input, in_data);
1843 res = wolfSSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf));
1845 wpa_printf(MSG_INFO, "Decryption failed - SSL_read");
1859 return conn ? wolfSSL_session_reused(conn->ssl) : 0;
1870 if (!conn || !conn->ssl || !ciphers)
1871 return -1;
1883 suite = "RC4-SHA";
1886 suite = "AES128-SHA";
1889 suite = "DHE-RSA-AES128-SHA";
1892 suite = "ADH-AES128-SHA";
1895 suite = "DHE-RSA-AES256-SHA";
1898 suite = "AES256-SHA";
1903 return -1;
1905 ret = os_snprintf(pos, end - pos, ":%s", suite);
1906 if (os_snprintf_error(end - pos, ret))
1915 if (wolfSSL_set_cipher_list(conn->ssl, buf + 1) != 1) {
1917 return -1;
1930 if (!conn || !conn->ssl)
1931 return -1;
1933 cipher = wolfSSL_get_current_cipher(conn->ssl);
1935 return -1;
1939 return -1;
1942 os_strlcpy(buf, "RC4-SHA", buflen);
1944 os_strlcpy(buf, "AES128-SHA", buflen);
1946 os_strlcpy(buf, "DHE-RSA-AES128-SHA", buflen);
1948 os_strlcpy(buf, "ADH-AES128-SHA", buflen);
1950 os_strlcpy(buf, "DHE-RSA-AES256-SHA", buflen);
1952 os_strlcpy(buf, "AES256-SHA", buflen);
1971 return -1;
1973 return conn->failed;
1980 return -1;
1983 return conn->read_alerts;
1991 return -1;
1994 return conn->write_alerts;
2010 if (!conn || !conn->ssl)
2011 return -1;
2013 name = wolfSSL_get_version(conn->ssl);
2015 return -1;
2028 return -1;
2029 ssl = conn->ssl;
2031 return -1;
2034 keys->client_random = conn->client_random;
2035 keys->client_random_len = wolfSSL_get_client_random(
2036 ssl, conn->client_random, sizeof(conn->client_random));
2037 keys->server_random = conn->server_random;
2038 keys->server_random_len = wolfSSL_get_server_random(
2039 ssl, conn->server_random, sizeof(conn->server_random));
2050 return -1;
2052 if (wolfSSL_export_keying_material(conn->ssl, out, out_len,
2056 return -1;
2060 wolfSSL_make_eap_keys(conn->ssl, out, out_len, label) != 0)
2061 return -1;
2073 int ret = -1;
2085 if (!conn || !conn->ssl)
2086 return -1;
2087 ssl = conn->ssl;
2094 return -1;
2111 ret = -1;
2136 if (!conn || !conn->ssl || ext_type != 35)
2137 return -1;
2139 if (wolfSSL_set_SessionTicket(conn->ssl, data,
2141 return -1;
2153 word32 ticket_len = sizeof(conn->session_ticket);
2155 if (!conn || !conn->session_ticket_cb)
2162 wolfSSL_get_SessionTicket(s, conn->session_ticket,
2169 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
2170 conn->session_ticket, ticket_len,
2188 conn->session_ticket_cb = cb;
2189 conn->session_ticket_cb_ctx = ctx;
2192 if (wolfSSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
2194 return -1;
2196 if (wolfSSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
2197 return -1;
2202 return -1;
2218 sess = wolfSSL_get_session(conn->ssl);
2233 reused = wolfSSL_session_reused(conn->ssl);
2234 if ((wolfSSL_is_server(conn->ssl) && !reused) ||
2235 (!wolfSSL_is_server(conn->ssl) && reused))
2236 len = wolfSSL_get_peer_finished(conn->ssl, buf, max_len);
2238 len = wolfSSL_get_finished(conn->ssl, buf, max_len);
2241 return -1;
2249 return (u16) wolfSSL_get_current_cipher_suite(conn->ssl);
2256 return conn->peer_subject;
2269 sess = wolfSSL_get_session(conn->ssl);
2286 conn->success_data = 1;
2302 sess = wolfSSL_get_session(conn->ssl);
2312 return wolfSSL_get_certificate(conn->ssl) != NULL;