Lines Matching defs:conn

207 	struct tls_connection *conn = (struct tls_connection *) ptr;
/* Fragment of the transport read callback (presumably tls_pull_func, which
 * line 289 registers): it hands GnuTLS bytes from the in-memory pull_buf.
 * The search omits lines that do not mention `conn`. */
209 if (conn->pull_buf == NULL) {
214 end = wpabuf_head_u8(conn->pull_buf) + wpabuf_len(conn->pull_buf);
/* Clamp the request to the bytes still unread, so the copy at 217 cannot run
 * past `end`. The size_t cast is safe only while pull_buf_offset <= end, which
 * holds here because the offset advances by the clamped len (218). */
215 if ((size_t) (end - conn->pull_buf_offset) < len)
216 len = end - conn->pull_buf_offset;
217 os_memcpy(buf, conn->pull_buf_offset, len);
218 conn->pull_buf_offset += len;
/* Once drained, free the buffer and clear both the pointer and the cursor, so
 * no dangling offset into freed memory survives. */
219 if (conn->pull_buf_offset == end) {
221 wpabuf_free(conn->pull_buf);
222 conn->pull_buf = NULL;
223 conn->pull_buf_offset = NULL;
/* Argument of a log call whose first line is not listed: bytes remaining. */
227 (unsigned long) (end - conn->pull_buf_offset));
/* Fragment of the transport write callback (presumably tls_push_func, which
 * line 290 registers): `ptr` is the transport pointer set at line 291. */
236 struct tls_connection *conn = (struct tls_connection *) ptr;
/* Grow push_buf first and check the result, so wpabuf_put_data at 242 only
 * runs when the resize reported success. */
238 if (wpabuf_resize(&conn->push_buf, len) < 0) {
242 wpabuf_put_data(conn->push_buf, buf, len);
/* Fragment of the session set-up helper (presumably tls_gnutls_init_session,
 * which lines 313 and 378 call). Lines that do not mention `conn` are omitted,
 * so branches and #if guards are not visible here. */
249 struct tls_connection *conn)
259 ret = gnutls_init(&conn->session,
/* Two ways of selecting protocol parameters follow: library defaults plus a
 * priority string (267, 272) and explicit priority arrays (280, 284).
 * NOTE(review): presumably alternatives chosen per GnuTLS version -- confirm. */
267 ret = gnutls_set_default_priority(conn->session);
/* "NORMAL:-VERS-SSL3.0" starts from the library's NORMAL set and removes only
 * SSL 3.0. Everything else NORMAL enables in the linked GnuTLS stays
 * negotiable, so the effective protocol floor depends on the library build. */
272 ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0",
/* NOTE(review): the contents of cert_types and protos are not in this listing;
 * check that protos does not offer SSL 3.0 on this path. */
280 ret = gnutls_certificate_type_set_priority(conn->session, cert_types);
284 ret = gnutls_protocol_set_priority(conn->session, protos);
/* All record I/O goes through the in-memory buffers: the callbacks receive
 * `conn` itself as the transport pointer and cast it back (lines 207, 236). */
289 gnutls_transport_set_pull_function(conn->session, tls_pull_func);
290 gnutls_transport_set_push_function(conn->session, tls_push_func);
291 gnutls_transport_set_ptr(conn->session, (gnutls_transport_ptr) conn);
/* Presumably the failure path. No listed line resets conn->session afterwards,
 * so the handle is stale after this call -- TODO confirm callers do not reuse it. */
298 gnutls_deinit(conn->session);
/* Fragment of the connection constructor: allocate a zeroed tls_connection,
 * create its GnuTLS session, attach credentials, and return it (335). */
306 struct tls_connection *conn;
309 conn = os_zalloc(sizeof(*conn));
310 if (conn == NULL)
313 if (tls_gnutls_init_session(global, conn)) {
314 os_free(conn);
319 ret = gnutls_credentials_set(conn->session,
/* NOTE(review): this failure path and the one at 331 free `conn`, but no line
 * mentioning conn->session (e.g. a gnutls_deinit call) appears between the
 * successful session init at 313 and these frees. If that is the complete
 * picture, the session created at 313 is leaked on both paths -- confirm
 * against the full file. */
325 os_free(conn);
330 if (gnutls_certificate_allocate_credentials(&conn->xcred)) {
331 os_free(conn);
335 return conn;
/* Release everything owned by a connection; a NULL conn is tolerated (341). */
339 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
341 if (conn == NULL)
/* Credentials and session are released unconditionally, so conn->session must
 * be a live handle here. NOTE(review): lines 298 and 377 deinit the session
 * without any listed line clearing the pointer -- confirm this cannot be
 * reached with an already-released handle. */
344 gnutls_certificate_free_credentials(conn->xcred);
345 gnutls_deinit(conn->session);
/* NOTE(review): pre_shared_secret is released with a plain os_free and no wipe
 * of it appears among the listed lines. No listed line assigns the field
 * either, so it may be unused; if it can hold key material, clear it first. */
346 os_free(conn->pre_shared_secret);
347 os_free(conn->subject_match);
348 os_free(conn->altsubject_match);
349 wpabuf_free(conn->push_buf);
350 wpabuf_free(conn->pull_buf);
351 os_free(conn);
355 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
357 return conn ? conn->established : 0;
/* Close the TLS session and re-create it so the connection object can be
 * reused. Only lines mentioning `conn` are listed. */
361 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
366 if (conn == NULL)
372 gnutls_bye(conn->session, GNUTLS_SHUT_RDWR);
/* Pending output is dropped and the established flag cleared. No listed line
 * resets pull_buf, verify_peer, failed or the alert counters here; they carry
 * over to the re-created session. */
373 wpabuf_free(conn->push_buf);
374 conn->push_buf = NULL;
375 conn->established = 0;
/* NOTE(review): between 377 and a successful 378, conn->session is a released
 * handle. If re-initialisation fails, confirm the caller cannot later reach the
 * unconditional gnutls_deinit at line 345 with it. */
377 gnutls_deinit(conn->session);
378 if (tls_gnutls_init_session(global, conn)) {
/* Per-connection credentials are used once set_params has run (params_set);
 * the alternative operand is on a line not listed here. */
384 ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE,
385 conn->params_set ? conn->xcred :
/* Presumably restores cached session data for resumption -- the data argument
 * is not visible in this listing. */
394 ret = gnutls_session_set_data(conn->session,
/* Fragment of a verification callback that reads the configured subject and
 * altsubject constraints. SSL_get_app_data is an OpenSSL accessor, while the
 * rest of this listing uses GnuTLS.
 * NOTE(review): presumably this code is compiled out or left over -- confirm.
 * These are the only reads of conn->subject_match / conn->altsubject_match in
 * the listing, so if this callback is not built, the values stored at lines
 * 517 and 525 are never compared against the peer certificate. */
466 struct tls_connection *conn;
476 conn = SSL_get_app_data(ssl);
477 match = conn ? conn->subject_match : NULL;
478 altmatch = conn ? conn->altsubject_match : NULL;
/* Apply per-connection TLS parameters: subject constraints, trust anchors,
 * client certificate and key, then bind the credentials to the session.
 * Only lines mentioning `conn` are listed, so the surrounding conditions and
 * the names of several calls are not visible. */
506 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
511 if (conn == NULL || params == NULL)
/* Replace any earlier constraint with a private copy; the copy is checked for
 * allocation failure (518, 526). */
514 os_free(conn->subject_match);
515 conn->subject_match = NULL;
517 conn->subject_match = os_strdup(params->subject_match);
518 if (conn->subject_match == NULL)
522 os_free(conn->altsubject_match);
523 conn->altsubject_match = NULL;
525 conn->altsubject_match = os_strdup(params->altsubject_match);
526 if (conn->altsubject_match == NULL)
/* Peer verification is switched on here, next to the loading of ca_cert.
 * NOTE(review): presumably only when a CA certificate is configured -- if so, a
 * configuration without one leaves verify_peer at its zeroed default and the
 * check at line 995 is skipped. */
534 conn->verify_peer = 1;
536 conn->xcred, params->ca_cert, GNUTLS_X509_FMT_PEM);
542 conn->xcred, params->ca_cert,
/* GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 makes chain verification accept
 * certificates signed with RSA-MD5, a collision-broken digest. The guarding
 * condition, if any, is on a line not listed -- TODO confirm it is opt-in. */
555 conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
561 conn->xcred,
570 conn->xcred, params->client_cert, params->private_key,
576 conn->xcred, params->client_cert,
591 conn->xcred, params->private_key, GNUTLS_X509_FMT_DER,
/* Marks conn->xcred as populated; line 385 uses this flag to pick the
 * credentials after a shutdown. */
609 conn->params_set = 1;
611 ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE,
612 conn->xcred);
737 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
740 if (conn == NULL || conn->session == NULL)
743 conn->verify_peer = verify_peer;
744 gnutls_certificate_server_set_request(conn->session,
/* Export session key material references into `keys`; all three pointers are
 * validated first (759). */
752 int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
759 if (conn == NULL || conn->session == NULL || keys == NULL)
/* Dereferences the session handle to reach a security_parameters member, i.e.
 * it depends on the library's internal struct layout rather than an accessor.
 * NOTE(review): presumably guarded for specific GnuTLS versions -- confirm. */
766 sec = &conn->session->security_parameters;
/* The random values are taken as pointers returned by the session accessors.
 * NOTE(review): presumably valid only while conn->session lives (it is
 * re-created at lines 377-378) -- confirm callers do not keep them longer. */
773 (u8 *) gnutls_session_get_client_random(conn->session);
775 (u8 *) gnutls_session_get_server_random(conn->session);
789 int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
794 if (conn == NULL || conn->session == NULL)
797 return gnutls_prf(conn->session, os_strlen(label), label,
/* Check the peer's certificate chain after the handshake. */
805 static int tls_connection_verify_peer(struct tls_connection *conn,
/* A negative return means verification could not be performed at all. */
813 if (gnutls_certificate_verify_peers2(conn->session, &status) < 0) {
/* An invalid chain is acted on only when verify_peer is set; the caller at
 * line 995 already tests the same flag before calling in. */
820 if (conn->verify_peer && (status & GNUTLS_CERT_INVALID)) {
/* Fetches the raw peer chain for further inspection. No listed line in this
 * function reads conn->subject_match or conn->altsubject_match, so chain
 * validity is the only identity check visible here -- NOTE(review): confirm
 * whether peer name constraints are enforced elsewhere. */
857 certs = gnutls_certificate_get_peers(conn->session, &num_certs);
/* Read application data that arrived together with the final handshake
 * message. */
917 static struct wpabuf * gnutls_get_appl_data(struct tls_connection *conn)
/* Output buffer sized heuristically from the pending input length. pull_buf is
 * dereferenced without a NULL check here; the only caller in this listing
 * tests it first (line 1024). */
922 ad = wpabuf_alloc((wpabuf_len(conn->pull_buf) + 500) * 3);
/* The length argument is on a line not listed -- it should match the size
 * allocated above. */
926 res = gnutls_record_recv(conn->session, wpabuf_mhead(ad),
/* Fragment of the handshake step function (presumably
 * tls_connection_handshake, which line 1040 calls): feed in_data to GnuTLS,
 * run one handshake step, and return whatever GnuTLS queued for sending. */
945 struct tls_connection *conn,
/* Unread input left from an earlier call is logged (960) and discarded before
 * the new input is duplicated into pull_buf. */
957 if (conn->pull_buf) {
960 (unsigned long) wpabuf_len(conn->pull_buf));
961 wpabuf_free(conn->pull_buf);
963 conn->pull_buf = wpabuf_dup(in_data);
964 if (conn->pull_buf == NULL)
966 conn->pull_buf_offset = wpabuf_head(conn->pull_buf);
969 ret = gnutls_handshake(conn->session);
/* An empty push_buf is created so the caller gets a non-NULL result even when
 * there is nothing to send. No check of this allocation (or the one at 1008)
 * appears among the listed lines. */
973 if (global->server && conn->established &&
974 conn->push_buf == NULL) {
977 conn->push_buf = wpabuf_alloc(0);
/* Received alerts and handshake failures are counted for the getters at
 * lines 1153 and 1161. */
983 gnutls_alert_get(conn->session)));
984 conn->read_alerts++;
989 conn->failed++;
/* Certificate verification runs only when verify_peer is set; otherwise the
 * connection is marked established (1005) without any chain check. On
 * verification failure a fatal alert carrying `err` is sent. */
995 if (conn->verify_peer &&
996 tls_connection_verify_peer(conn, &err)) {
999 conn->failed++;
1000 gnutls_alert_send(conn->session, GNUTLS_AL_FATAL, err);
1005 conn->established = 1;
1006 if (conn->push_buf == NULL) {
1008 conn->push_buf = wpabuf_alloc(0);
/* Two-step fetch of the session data: first call asks for the size, second
 * fills a buffer. NOTE(review): presumably cached for the resumption at
 * line 394 -- the destination is not visible in this listing. */
1011 gnutls_session_get_data(conn->session, NULL, &size);
1019 gnutls_session_get_data(conn->session,
/* Leftover input after the handshake is treated as application data. */
1024 if (conn->pull_buf && appl_data)
1025 *appl_data = gnutls_get_appl_data(conn);
/* Ownership of the queued output moves to the caller; push_buf is cleared so
 * it is not freed twice. */
1029 out_data = conn->push_buf;
1030 conn->push_buf = NULL;
1036 struct tls_connection *conn,
1040 return tls_connection_handshake(tls_ctx, conn, in_data, appl_data);
1045 struct tls_connection *conn,
1051 res = gnutls_record_send(conn->session, wpabuf_head(in_data),
1059 buf = conn->push_buf;
1060 conn->push_buf = NULL;
1066 struct tls_connection *conn,
1072 if (conn->pull_buf) {
1075 (unsigned long) wpabuf_len(conn->pull_buf));
1076 wpabuf_free(conn->pull_buf);
1078 conn->pull_buf = wpabuf_dup(in_data);
1079 if (conn->pull_buf == NULL)
1081 conn->pull_buf_offset = wpabuf_head(conn->pull_buf);
1093 res = gnutls_record_recv(conn->session, wpabuf_mhead(out),
1107 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
1109 if (conn == NULL)
1111 return gnutls_session_is_resumed(conn->session);
1115 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
1123 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
1133 struct tls_connection *conn)
1135 gnutls_record_disable_padding(conn->session);
1140 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
1149 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
1151 if (conn == NULL)
1153 return conn->failed;
1157 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
1159 if (conn == NULL)
1161 return conn->read_alerts;
1165 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
1167 if (conn == NULL)
1169 return conn->write_alerts;
1174 struct tls_connection *conn)
1188 struct tls_connection *conn,