From bfbebd266587aea00ed83d9b21851a93ae243a24 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 23 Aug 2015 21:11:01 +0300
Subject: [PATCH] TLS: Add new arguments to tls_connection_set_verify()

The new flags and session_ctx arguments will be used in followup commits.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls.h | 8 +++++++-
 src/crypto/tls_gnutls.c | 3 ++-
 src/crypto/tls_internal.c | 3 ++-
 src/crypto/tls_none.c | 3 ++-
 src/crypto/tls_openssl.c | 3 ++-
 src/eap_server/eap_server_tls_common.c | 5 ++++-
 6 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 5f1fcf2..31c4e36 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -305,11 +305,17 @@ int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
  * @tls_ctx: TLS context data from tls_init()
  * @conn: Connection context data from tls_connection_init()
  * @verify_peer: 1 = verify peer certificate
+ * @flags: Connection flags (TLS_CONN_*)
+ * @session_ctx: Session caching context or %NULL to use default
+ * @session_ctx_len: Length of @session_ctx in bytes.
  * Returns: 0 on success, -1 on failure
  */
 int __must_check tls_connection_set_verify(void *tls_ctx,
 					   struct tls_connection *conn,
-					   int verify_peer);
+					   int verify_peer,
+					   unsigned int flags,
+					   const u8 *session_ctx,
+					   size_t session_ctx_len);
 
 /**
  * tls_connection_get_random - Get random data from TLS connection
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index b53ec48..3c39e54 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -708,7 +708,8 @@ int tls_global_set_verify(void *ssl_ctx, int check_crl)
 
 
 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
-			      int verify_peer)
+			      int verify_peer, unsigned int flags,
+			      const u8 *session_ctx, size_t session_ctx_len)
 {
 	if (conn == NULL || conn->session == NULL)
 		return -1;
diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index df44f0a..79f14a3 100644
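Review bot: The new `@session_ctx` line in the doc comment does not state whether the backend copies the buffer or the caller must keep it valid for the lifetime of the connection, and `@session_ctx_len` does not say what is expected when `@session_ctx` is %NULL (the only caller in this patch, eap_server_tls_ssl_init(), passes `NULL, 0`). Since all four backends accept these arguments now and, per the commit message, only honour them in follow-up commits, the header is where that contract should be pinned so the implementations agree; for example `* @session_ctx: Session caching context or %NULL to use default (not referenced after the call returns)`, or the opposite statement, whichever the follow-ups implement. Minor: `@session_ctx_len: Length of @session_ctx in bytes.` ends with a period unlike the neighbouring @-lines.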
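Review bot: None of `flags`, `session_ctx` or `session_ctx_len` is referenced in the visible lines of this tls_connection_set_verify() hunk in tls_gnutls.c, and the same holds for the matching hunks in tls_internal.c, tls_none.c and tls_openssl.c; tls_none.c's whole body (`return -1;`) is in view so the parameters are certainly unused there, while the other three bodies continue past their hunks. Until the follow-up commits land, a caller that passes a non-NULL session_ctx to the GnuTLS, internal or OpenSSL backend presumably gets whatever result the existing body produces, with the context silently ignored, and builds using -Wunused-parameter will warn on each of these signatures. Marking the interim state in each body, `/* flags and session_ctx are not honoured by this backend yet */` or `(void) flags; (void) session_ctx; (void) session_ctx_len;`, keeps both the compiler and the next reader informed.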
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -328,7 +328,8 @@ int tls_global_set_verify(void *tls_ctx, int check_crl)
 
 
 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
-			      int verify_peer)
+			      int verify_peer, unsigned int flags,
+			      const u8 *session_ctx, size_t session_ctx_len)
 {
 #ifdef CONFIG_TLS_INTERNAL_SERVER
 	if (conn->server)
diff --git a/src/crypto/tls_none.c b/src/crypto/tls_none.c
index 3474302..1f8c9b4 100644
--- a/src/crypto/tls_none.c
+++ b/src/crypto/tls_none.c
@@ -72,7 +72,8 @@ int tls_global_set_verify(void *tls_ctx, int check_crl)
 
 
 int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
-			      int verify_peer)
+			      int verify_peer, unsigned int flags,
+			      const u8 *session_ctx, size_t session_ctx_len)
 {
 	return -1;
 }
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 8b84171..10201d6 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1944,7 +1944,8 @@ static int tls_connection_set_subject_match(struct tls_connection *conn,
 
 
 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
-			      int verify_peer)
+			      int verify_peer, unsigned int flags,
+			      const u8 *session_ctx, size_t session_ctx_len)
 {
 	static int counter = 0;
 
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 3fc7cdc..ce3bda3 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -46,6 +46,8 @@ static void eap_server_tls_log_cb(void *ctx, const char *msg)
 int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 			    int verify_peer)
 {
+	unsigned int flags = 0;
+
 	if (sm->ssl_ctx == NULL) {
 		wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
 		return -1;
@@ -68,7 +70,8 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 #endif /* CONFIG_TESTING_OPTIONS */
 #endif /* CONFIG_TLS_INTERNAL */
 
-	if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {
+	if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
+				      flags, NULL, 0)) {
 		wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
 			   "of TLS peer certificate");
 		tls_connection_deinit(sm->ssl_ctx, data->conn);
-- 
2.1.4
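Review bot: `flags` on the added call line is the local declared as `unsigned int flags = 0;` in this file's first hunk, and because that variable is new in this commit no unchanged line between the two hunks can assign it, so the call always passes 0 here; a reader will look for an assignment that is not there. A short comment at the declaration, `unsigned int flags = 0; /* TLS_CONN_* bits, none set yet */`, would make that deliberate rather than accidental. eap_server_tls_ssl_init() continues beyond the end of this hunk.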