search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Re-enable hardware UDP/TCP checksum calculation with pseudo header on
[dragonfly/port-amd64.git] / contrib / wpa_supplicant-0.4.9 / tls_schannel.c
blobd06a1c34b41a25f751a4a9708f618a687d9de05a
1 /*
2 * WPA Supplicant / SSL/TLS interface functions for Microsoft Schannel
3 * Copyright (c) 2005, Jouni Malinen <jkmaline@cc.hut.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 /*
16 * FIX: Go through all SSPI functions and verify what needs to be freed
17 * FIX: session resumption
18 * TODO: add support for server cert chain validation
19 * TODO: add support for CA cert validation
20 * TODO: add support for EAP-TLS (client cert/key conf)
21 */
22
23 #include <stdlib.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <windows.h>
27 #include <wincrypt.h>
28 #include <schannel.h>
29 #define SECURITY_WIN32
30 #include <security.h>
31 #include <sspi.h>
32
33 #include "common.h"
34 #include "tls.h"
35
36
37 struct tls_global {
38 HMODULE hsecurity;
39 PSecurityFunctionTable sspi;
40 HCERTSTORE my_cert_store;
41 };
42
43 struct tls_connection {
44 int established, start;
45 int failed, read_alerts, write_alerts;
46
47 SCHANNEL_CRED schannel_cred;
48 CredHandle creds;
49 CtxtHandle context;
50
51 u8 eap_tls_prf[128];
52 int eap_tls_prf_set;
53 };
54
55
56 static int schannel_load_lib(struct tls_global *global)
57 {
58 INIT_SECURITY_INTERFACE pInitSecurityInterface;
59
60 global->hsecurity = LoadLibrary("Secur32.dll");
61 if (global->hsecurity == NULL) {
62 wpa_printf(MSG_ERROR, "%s: Could not load Secur32.dll - 0x%x",
63 __func__, (unsigned int) GetLastError());
64 return -1;
65 }
66
67 pInitSecurityInterface = (INIT_SECURITY_INTERFACE) GetProcAddress(
68 global->hsecurity, "InitSecurityInterfaceA");
69 if (pInitSecurityInterface == NULL) {
70 wpa_printf(MSG_ERROR, "%s: Could not find "
71 "InitSecurityInterfaceA from Secur32.dll",
72 __func__);
73 FreeLibrary(global->hsecurity);
74 global->hsecurity = NULL;
75 return -1;
76 }
77
78 global->sspi = pInitSecurityInterface();
79 if (global->sspi == NULL) {
80 wpa_printf(MSG_ERROR, "%s: Could not read security "
81 "interface - 0x%x",
82 __func__, (unsigned int) GetLastError());
83 FreeLibrary(global->hsecurity);
84 global->hsecurity = NULL;
85 return -1;
86 }
87
88 return 0;
89 }
90
91
92 void * tls_init(const struct tls_config *conf)
93 {
94 struct tls_global *global;
95
96 global = malloc(sizeof(*global));
97 if (global == NULL)
98 return NULL;
99 memset(global, 0, sizeof(*global));
100 if (schannel_load_lib(global)) {
101 free(global);
102 return NULL;
103 }
104 return global;
105 }
106
107
108 void tls_deinit(void *ssl_ctx)
109 {
110 struct tls_global *global = ssl_ctx;
111
112 if (global->my_cert_store)
113 CertCloseStore(global->my_cert_store, 0);
114 FreeLibrary(global->hsecurity);
115 free(global);
116 }
117
118
119 int tls_get_errors(void *ssl_ctx)
120 {
121 return 0;
122 }
123
124
125 struct tls_connection * tls_connection_init(void *ssl_ctx)
126 {
127 struct tls_connection *conn;
128
129 conn = malloc(sizeof(*conn));
130 if (conn == NULL)
131 return NULL;
132 memset(conn, 0, sizeof(*conn));
133 conn->start = 1;
134
135 return conn;
136 }
137
138
139 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
140 {
141 if (conn == NULL)
142 return;
143
144 free(conn);
145 }
146
147
148 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
149 {
150 return conn ? conn->established : 0;
151 }
152
153
154 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
155 {
156 struct tls_global *global = ssl_ctx;
157 if (conn == NULL)
158 return -1;
159
160 conn->eap_tls_prf_set = 0;
161 conn->established = conn->failed = 0;
162 conn->read_alerts = conn->write_alerts = 0;
163 global->sspi->DeleteSecurityContext(&conn->context);
164 /* FIX: what else needs to be reseted? */
165
166 return 0;
167 }
168
169
170 int tls_global_ca_cert(void *_ssl_ctx, const char *ca_cert)
171 {
172 return -1;
173 }
174
175
176 int tls_global_set_verify(void *ssl_ctx, int check_crl)
177 {
178 return -1;
179 }
180
181
182 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
183 int verify_peer)
184 {
185 return -1;
186 }
187
188
189 int tls_global_client_cert(void *_ssl_ctx, const char *client_cert)
190 {
191 return -1;
192 }
193
194
195 int tls_global_private_key(void *_ssl_ctx, const char *private_key,
196 const char *private_key_passwd)
197 {
198 return -1;
199 }
200
201
202 int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
203 struct tls_keys *keys)
204 {
205 if (conn == NULL || keys == NULL || !conn->eap_tls_prf_set)
206 return -1;
207
208 memset(keys, 0, sizeof(*keys));
209
210 /*
211 * Cannot get master_key from Schannel, but EapKeyBlock can be used to
212 * generate session keys for EAP-TLS and EAP-PEAPv0. EAP-PEAPv2 and
213 * EAP-TTLS cannot use this, though, since they are using different
214 * labels. The only option could be to implement TLSv1 completely here
215 * and just use Schannel or CryptoAPI for low-level crypto
216 * functionality..
217 */
218 keys->eap_tls_prf = conn->eap_tls_prf;
219 keys->eap_tls_prf_len = sizeof(conn->eap_tls_prf);
220
221 return 0;
222 }
223
224
225 static u8 * tls_conn_hs_clienthello(struct tls_global *global,
226 struct tls_connection *conn,
227 size_t *out_len)
228 {
229 DWORD sspi_flags, sspi_flags_out;
230 SecBufferDesc outbuf;
231 SecBuffer outbufs[1];
232 SECURITY_STATUS status;
233 TimeStamp ts_expiry;
234
235 sspi_flags = ISC_REQ_REPLAY_DETECT |
236 ISC_REQ_CONFIDENTIALITY |
237 ISC_RET_EXTENDED_ERROR |
238 ISC_REQ_ALLOCATE_MEMORY |
239 ISC_REQ_MANUAL_CRED_VALIDATION;
240
241 wpa_printf(MSG_DEBUG, "%s: Generating ClientHello", __func__);
242
243 outbufs[0].pvBuffer = NULL;
244 outbufs[0].BufferType = SECBUFFER_TOKEN;
245 outbufs[0].cbBuffer = 0;
246
247 outbuf.cBuffers = 1;
248 outbuf.pBuffers = outbufs;
249 outbuf.ulVersion = SECBUFFER_VERSION;
250
251 status = global->sspi->InitializeSecurityContextA(
252 &conn->creds, NULL, NULL /* server name */, sspi_flags, 0,
253 SECURITY_NATIVE_DREP, NULL, 0, &conn->context,
254 &outbuf, &sspi_flags_out, &ts_expiry);
255 if (status != SEC_I_CONTINUE_NEEDED) {
256 wpa_printf(MSG_ERROR, "%s: InitializeSecurityContextA "
257 "failed - 0x%x",
258 __func__, (unsigned int) status);
259 return NULL;
260 }
261
262 if (outbufs[0].cbBuffer != 0 && outbufs[0].pvBuffer) {
263 u8 *buf;
264 wpa_hexdump(MSG_MSGDUMP, "SChannel - ClientHello",
265 outbufs[0].pvBuffer, outbufs[0].cbBuffer);
266 conn->start = 0;
267 *out_len = outbufs[0].cbBuffer;
268 buf = malloc(*out_len);
269 if (buf == NULL)
270 return NULL;
271 memcpy(buf, outbufs[0].pvBuffer, *out_len);
272 global->sspi->FreeContextBuffer(outbufs[0].pvBuffer);
273 return buf;
274 }
275
276 wpa_printf(MSG_ERROR, "SChannel: Failed to generate ClientHello");
277
278 return NULL;
279 }
280
281
282 #ifndef SECPKG_ATTR_EAP_KEY_BLOCK
283 #define SECPKG_ATTR_EAP_KEY_BLOCK 0x5b
284
285 typedef struct _SecPkgContext_EapKeyBlock {
286 BYTE rgbKeys[128];
287 BYTE rgbIVs[64];
288 } SecPkgContext_EapKeyBlock, *PSecPkgContext_EapKeyBlock;
289 #endif /* !SECPKG_ATTR_EAP_KEY_BLOCK */
290
291 static int tls_get_eap(struct tls_global *global, struct tls_connection *conn)
292 {
293 SECURITY_STATUS status;
294 SecPkgContext_EapKeyBlock kb;
295
296 /* Note: Windows NT and Windows Me/98/95 do not support getting
297 * EapKeyBlock */
298
299 status = global->sspi->QueryContextAttributes(
300 &conn->context, SECPKG_ATTR_EAP_KEY_BLOCK, &kb);
301 if (status != SEC_E_OK) {
302 wpa_printf(MSG_DEBUG, "%s: QueryContextAttributes("
303 "SECPKG_ATTR_EAP_KEY_BLOCK) failed (%d)",
304 __func__, (int) status);
305 return -1;
306 }
307
308 wpa_hexdump_key(MSG_MSGDUMP, "Schannel - EapKeyBlock - rgbKeys",
309 kb.rgbKeys, sizeof(kb.rgbKeys));
310 wpa_hexdump_key(MSG_MSGDUMP, "Schannel - EapKeyBlock - rgbIVs",
311 kb.rgbIVs, sizeof(kb.rgbIVs));
312
313 memcpy(conn->eap_tls_prf, kb.rgbKeys, sizeof(kb.rgbKeys));
314 conn->eap_tls_prf_set = 1;
315 }
316
317
318 u8 * tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
319 const u8 *in_data, size_t in_len,
320 size_t *out_len)
321 {
322 struct tls_global *global = ssl_ctx;
323 DWORD sspi_flags, sspi_flags_out;
324 SecBufferDesc inbuf, outbuf;
325 SecBuffer inbufs[2], outbufs[1];
326 SECURITY_STATUS status;
327 TimeStamp ts_expiry;
328 u8 *out_buf = NULL;
329
330 if (conn->start) {
331 return tls_conn_hs_clienthello(global, conn, out_len);
332 }
333
334 wpa_printf(MSG_DEBUG, "SChannel: %d bytes handshake data to process",
335 in_len);
336
337 sspi_flags = ISC_REQ_REPLAY_DETECT |
338 ISC_REQ_CONFIDENTIALITY |
339 ISC_RET_EXTENDED_ERROR |
340 ISC_REQ_ALLOCATE_MEMORY |
341 ISC_REQ_MANUAL_CRED_VALIDATION;
342
343 /* Input buffer for Schannel */
344 inbufs[0].pvBuffer = (u8 *) in_data;
345 inbufs[0].cbBuffer = in_len;
346 inbufs[0].BufferType = SECBUFFER_TOKEN;
347
348 /* Place for leftover data from Schannel */
349 inbufs[1].pvBuffer = NULL;
350 inbufs[1].cbBuffer = 0;
351 inbufs[1].BufferType = SECBUFFER_EMPTY;
352
353 inbuf.cBuffers = 2;
354 inbuf.pBuffers = inbufs;
355 inbuf.ulVersion = SECBUFFER_VERSION;
356
357 /* Output buffer for Schannel */
358 outbufs[0].pvBuffer = NULL;
359 outbufs[0].cbBuffer = 0;
360 outbufs[0].BufferType = SECBUFFER_TOKEN;
361
362 outbuf.cBuffers = 1;
363 outbuf.pBuffers = outbufs;
364 outbuf.ulVersion = SECBUFFER_VERSION;
365
366 status = global->sspi->InitializeSecurityContextA(
367 &conn->creds, &conn->context, NULL, sspi_flags, 0,
368 SECURITY_NATIVE_DREP, &inbuf, 0, NULL,
369 &outbuf, &sspi_flags_out, &ts_expiry);
370
371 wpa_printf(MSG_MSGDUMP, "Schannel: InitializeSecurityContextA -> "
372 "status=%d inlen[0]=%d intype[0]=%d inlen[1]=%d "
373 "intype[1]=%d outlen[0]=%d",
374 (int) status, (int) inbufs[0].cbBuffer,
375 (int) inbufs[0].BufferType, (int) inbufs[1].cbBuffer,
376 (int) inbufs[1].BufferType,
377 (int) outbufs[0].cbBuffer);
378 if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED ||
379 (FAILED(status) && (sspi_flags_out & ISC_RET_EXTENDED_ERROR))) {
380 if (outbufs[0].cbBuffer != 0 && outbufs[0].pvBuffer) {
381 wpa_hexdump(MSG_MSGDUMP, "SChannel - output",
382 outbufs[0].pvBuffer, outbufs[0].cbBuffer);
383 *out_len = outbufs[0].cbBuffer;
384 out_buf = malloc(*out_len);
385 if (out_buf == NULL)
386 return NULL;
387 memcpy(out_buf, outbufs[0].pvBuffer, *out_len);
388 global->sspi->FreeContextBuffer(outbufs[0].pvBuffer);
389 outbufs[0].pvBuffer = NULL;
390 }
391 }
392
393 switch (status) {
394 case SEC_E_INCOMPLETE_MESSAGE:
395 wpa_printf(MSG_DEBUG, "Schannel: SEC_E_INCOMPLETE_MESSAGE");
396 break;
397 case SEC_I_CONTINUE_NEEDED:
398 wpa_printf(MSG_DEBUG, "Schannel: SEC_I_CONTINUE_NEEDED");
399 break;
400 case SEC_E_OK:
401 /* TODO: verify server certificate chain */
402 wpa_printf(MSG_DEBUG, "Schannel: SEC_E_OK - Handshake "
403 "completed successfully");
404 conn->established = 1;
405 tls_get_eap(global, conn);
406
407 /* Need to return something to get final TLS ACK. */
408 if (out_buf == NULL)
409 out_buf = malloc(1);
410
411 if (inbufs[1].BufferType == SECBUFFER_EXTRA) {
412 wpa_hexdump(MSG_MSGDUMP, "SChannel - Encrypted "
413 "application data",
414 inbufs[1].pvBuffer, inbufs[1].cbBuffer);
415 /* FIX: need to fix TLS API to allow this data to be
416 * passed to the caller */
417 global->sspi->FreeContextBuffer(inbufs[1].pvBuffer);
418 inbufs[1].pvBuffer = NULL;
419 }
420 break;
421 case SEC_I_INCOMPLETE_CREDENTIALS:
422 wpa_printf(MSG_DEBUG,
423 "Schannel: SEC_I_INCOMPLETE_CREDENTIALS");
424 break;
425 case SEC_E_WRONG_PRINCIPAL:
426 wpa_printf(MSG_DEBUG, "Schannel: SEC_E_WRONG_PRINCIPAL");
427 break;
428 case SEC_E_INTERNAL_ERROR:
429 wpa_printf(MSG_DEBUG, "Schannel: SEC_E_INTERNAL_ERROR");
430 break;
431 }
432
433 if (FAILED(status)) {
434 wpa_printf(MSG_DEBUG, "Schannel: Handshake failed "
435 "(out_buf=%p)", out_buf);
436 conn->failed++;
437 global->sspi->DeleteSecurityContext(&conn->context);
438 return out_buf;
439 }
440
441 if (inbufs[1].BufferType == SECBUFFER_EXTRA) {
442 /* TODO: Can this happen? What to do with this data? */
443 wpa_hexdump(MSG_MSGDUMP, "SChannel - Leftover data",
444 inbufs[1].pvBuffer, inbufs[1].cbBuffer);
445 global->sspi->FreeContextBuffer(inbufs[1].pvBuffer);
446 inbufs[1].pvBuffer = NULL;
447 }
448
449 return out_buf;
450 }
451
452
453 u8 * tls_connection_server_handshake(void *ssl_ctx,
454 struct tls_connection *conn,
455 const u8 *in_data, size_t in_len,
456 size_t *out_len)
457 {
458 return NULL;
459 }
460
461
462 int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
463 const u8 *in_data, size_t in_len,
464 u8 *out_data, size_t out_len)
465 {
466 struct tls_global *global = ssl_ctx;
467 SECURITY_STATUS status;
468 SecBufferDesc buf;
469 SecBuffer bufs[4];
470 SecPkgContext_StreamSizes sizes;
471 int i;
472 size_t total_len;
473
474 status = global->sspi->QueryContextAttributes(&conn->context,
475 SECPKG_ATTR_STREAM_SIZES,
476 &sizes);
477 if (status != SEC_E_OK) {
478 wpa_printf(MSG_DEBUG, "%s: QueryContextAttributes failed",
479 __func__);
480 return -1;
481 }
482 wpa_printf(MSG_DEBUG, "%s: Stream sizes: header=%u trailer=%u",
483 __func__,
484 (unsigned int) sizes.cbHeader,
485 (unsigned int) sizes.cbTrailer);
486
487 total_len = sizes.cbHeader + in_len + sizes.cbTrailer;
488
489 if (out_len < total_len) {
490 wpa_printf(MSG_DEBUG, "%s: too short out_data (out_len=%lu "
491 "in_len=%lu total_len=%lu)", __func__,
492 (unsigned long) out_len, (unsigned long) in_len,
493 (unsigned long) total_len);
494 return -1;
495 }
496
497 memset(&bufs, 0, sizeof(bufs));
498 bufs[0].pvBuffer = out_data;
499 bufs[0].cbBuffer = sizes.cbHeader;
500 bufs[0].BufferType = SECBUFFER_STREAM_HEADER;
501
502 memcpy(out_data + sizes.cbHeader, in_data, in_len);
503 bufs[1].pvBuffer = out_data + sizes.cbHeader;
504 bufs[1].cbBuffer = in_len;
505 bufs[1].BufferType = SECBUFFER_DATA;
506
507 bufs[2].pvBuffer = out_data + sizes.cbHeader + in_len;
508 bufs[2].cbBuffer = sizes.cbTrailer;
509 bufs[2].BufferType = SECBUFFER_STREAM_TRAILER;
510
511 buf.ulVersion = SECBUFFER_VERSION;
512 buf.cBuffers = 3;
513 buf.pBuffers = bufs;
514
515 status = global->sspi->EncryptMessage(&conn->context, 0, &buf, 0);
516
517 wpa_printf(MSG_MSGDUMP, "Schannel: EncryptMessage -> "
518 "status=%d len[0]=%d type[0]=%d len[1]=%d type[1]=%d "
519 "len[2]=%d type[2]=%d",
520 (int) status,
521 (int) bufs[0].cbBuffer, (int) bufs[0].BufferType,
522 (int) bufs[1].cbBuffer, (int) bufs[1].BufferType,
523 (int) bufs[2].cbBuffer, (int) bufs[2].BufferType);
524 wpa_printf(MSG_MSGDUMP, "Schannel: EncryptMessage pointers: "
525 "out_data=%p bufs %p %p %p",
526 out_data, bufs[0].pvBuffer, bufs[1].pvBuffer,
527 bufs[2].pvBuffer);
528
529 for (i = 0; i < 3; i++) {
530 if (bufs[i].pvBuffer && bufs[i].BufferType != SECBUFFER_EMPTY)
531 {
532 wpa_hexdump(MSG_MSGDUMP, "SChannel: bufs",
533 bufs[i].pvBuffer, bufs[i].cbBuffer);
534 }
535 }
536
537 if (status == SEC_E_OK) {
538 wpa_printf(MSG_DEBUG, "%s: SEC_E_OK", __func__);
539 wpa_hexdump_key(MSG_MSGDUMP, "Schannel: Encrypted data from "
540 "EncryptMessage", out_data, total_len);
541 return total_len;
542 }
543
544 wpa_printf(MSG_DEBUG, "%s: Failed - status=%d",
545 __func__, (int) status);
546 return -1;
547 }
548
549
550 int tls_connection_decrypt(void *ssl_ctx, struct tls_connection *conn,
551 const u8 *in_data, size_t in_len,
552 u8 *out_data, size_t out_len)
553 {
554 struct tls_global *global = ssl_ctx;
555 SECURITY_STATUS status;
556 SecBufferDesc buf;
557 SecBuffer bufs[4];
558 int i;
559
560 if (out_len < in_len) {
561 wpa_printf(MSG_DEBUG, "%s: out_len=%lu < in_len=%lu", __func__,
562 (unsigned long) out_len, (unsigned long) in_len);
563 return -1;
564 }
565
566 wpa_hexdump(MSG_MSGDUMP, "Schannel: Encrypted data to DecryptMessage",
567 in_data, in_len);
568 memset(&bufs, 0, sizeof(bufs));
569 memcpy(out_data, in_data, in_len);
570 bufs[0].pvBuffer = out_data;
571 bufs[0].cbBuffer = in_len;
572 bufs[0].BufferType = SECBUFFER_DATA;
573
574 bufs[1].BufferType = SECBUFFER_EMPTY;
575 bufs[2].BufferType = SECBUFFER_EMPTY;
576 bufs[3].BufferType = SECBUFFER_EMPTY;
577
578 buf.ulVersion = SECBUFFER_VERSION;
579 buf.cBuffers = 4;
580 buf.pBuffers = bufs;
581
582 status = global->sspi->DecryptMessage(&conn->context, &buf, 0,
583 NULL);
584 wpa_printf(MSG_MSGDUMP, "Schannel: DecryptMessage -> "
585 "status=%d len[0]=%d type[0]=%d len[1]=%d type[1]=%d "
586 "len[2]=%d type[2]=%d len[3]=%d type[3]=%d",
587 (int) status,
588 (int) bufs[0].cbBuffer, (int) bufs[0].BufferType,
589 (int) bufs[1].cbBuffer, (int) bufs[1].BufferType,
590 (int) bufs[2].cbBuffer, (int) bufs[2].BufferType,
591 (int) bufs[3].cbBuffer, (int) bufs[3].BufferType);
592 wpa_printf(MSG_MSGDUMP, "Schannel: DecryptMessage pointers: "
593 "out_data=%p bufs %p %p %p %p",
594 out_data, bufs[0].pvBuffer, bufs[1].pvBuffer,
595 bufs[2].pvBuffer, bufs[3].pvBuffer);
596
597 switch (status) {
598 case SEC_E_INCOMPLETE_MESSAGE:
599 wpa_printf(MSG_DEBUG, "%s: SEC_E_INCOMPLETE_MESSAGE",
600 __func__);
601 break;
602 case SEC_E_OK:
603 wpa_printf(MSG_DEBUG, "%s: SEC_E_OK", __func__);
604 for (i = 0; i < 4; i++) {
605 if (bufs[i].BufferType == SECBUFFER_DATA)
606 break;
607 }
608 if (i == 4) {
609 wpa_printf(MSG_DEBUG, "%s: No output data from "
610 "DecryptMessage", __func__);
611 return -1;
612 }
613 wpa_hexdump_key(MSG_MSGDUMP, "Schannel: Decrypted data from "
614 "DecryptMessage",
615 bufs[i].pvBuffer, bufs[i].cbBuffer);
616 if (bufs[i].cbBuffer > out_len) {
617 wpa_printf(MSG_DEBUG, "%s: Too long output data",
618 __func__);
619 return -1;
620 }
621 memmove(out_data, bufs[i].pvBuffer, bufs[i].cbBuffer);
622 return bufs[i].cbBuffer;
623 }
624
625 wpa_printf(MSG_DEBUG, "%s: Failed - status=%d",
626 __func__, (int) status);
627 return -1;
628 }
629
630
631 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
632 {
633 return 0;
634 }
635
636
637 #ifdef EAP_FAST
638 int tls_connection_set_master_key(void *ssl_ctx, struct tls_connection *conn,
639 const u8 *key, size_t key_len)
640 {
641 return -1;
642 }
643 #endif /* EAP_FAST */
644
645
646 int tls_connection_set_anon_dh(void *ssl_ctx, struct tls_connection *conn)
647 {
648 return -1;
649 }
650
651
652 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
653 char *buf, size_t buflen)
654 {
655 return -1;
656 }
657
658
659 int tls_connection_enable_workaround(void *ssl_ctx,
660 struct tls_connection *conn)
661 {
662 return 0;
663 }
664
665
666 #ifdef EAP_FAST
667 /* ClientHello TLS extensions require a patch to openssl, so this function is
668 * commented out unless explicitly needed for EAP-FAST in order to be able to
669 * build this file with unmodified openssl. */
670 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
671 int ext_type, const u8 *data,
672 size_t data_len)
673 {
674 return -1;
675 }
676 #endif /* EAP_FAST */
677
678
679 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
680 {
681 if (conn == NULL)
682 return -1;
683 return conn->failed;
684 }
685
686
687 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
688 {
689 if (conn == NULL)
690 return -1;
691 return conn->read_alerts;
692 }
693
694
695 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
696 {
697 if (conn == NULL)
698 return -1;
699 return conn->write_alerts;
700 }
701
702
703 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
704 const struct tls_connection_params *params)
705 {
706 struct tls_global *global = tls_ctx;
707 ALG_ID algs[1];
708 SECURITY_STATUS status;
709 TimeStamp ts_expiry;
710
711 if (conn == NULL)
712 return -1;
713
714 if (global->my_cert_store == NULL &&
715 (global->my_cert_store = CertOpenSystemStore(0, "MY")) == NULL) {
716 wpa_printf(MSG_ERROR, "%s: CertOpenSystemStore failed - 0x%x",
717 __func__, (unsigned int) GetLastError());
718 return -1;
719 }
720
721 memset(&conn->schannel_cred, 0, sizeof(conn->schannel_cred));
722 conn->schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
723 conn->schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1;
724 algs[0] = CALG_RSA_KEYX;
725 conn->schannel_cred.cSupportedAlgs = 1;
726 conn->schannel_cred.palgSupportedAlgs = algs;
727 conn->schannel_cred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
728 status = global->sspi->AcquireCredentialsHandleA(
729 NULL, UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL,
730 &conn->schannel_cred, NULL, NULL, &conn->creds, &ts_expiry);
731 if (status != SEC_E_OK) {
732 wpa_printf(MSG_DEBUG, "%s: AcquireCredentialsHandleA failed - "
733 "0x%x", __func__, (unsigned int) status);
734 return -1;
735 }
736
737 return 0;
738 }
A repo for keeping AMD64 port code before merging with the master