params->flags |= TLS_CONN_DISABLE_TLSv1_2;
if (os_strstr(txt, "tls_disable_tlsv1_2=0"))
params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(txt, "tls_ext_cert_check=1"))
+ params->flags |= TLS_CONN_EXT_CERT_CHECK;
+ if (os_strstr(txt, "tls_ext_cert_check=0"))
+ params->flags &= ~TLS_CONN_EXT_CERT_CHECK;
}
params->cert_id = config->cert_id;
params->ca_cert_id = config->ca_cert_id;
eap_tls_params_flags(params, config->phase1);
- params->validate_ca_cb = config->validate_ca_cb;
- params->validate_ca_ctx = config->validate_ca_ctx;
+ params->server_cert_cb = config->server_cert_cb;
+ params->server_cert_ctx = config->server_cert_ctx;
}
params->cert_id = config->cert2_id;
params->ca_cert_id = config->ca_cert2_id;
eap_tls_params_flags(params, config->phase2);
+ params->server_cert_cb = config->server_cert_cb;
+ params->server_cert_ctx = config->server_cert_ctx;
}
params->openssl_ciphers = config->openssl_ciphers;
+ sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+
return 0;
}
if (config->ocsp)
params->flags |= TLS_CONN_REQUEST_OCSP;
- if (config->ocsp == 2)
+ if (config->ocsp >= 2)
params->flags |= TLS_CONN_REQUIRE_OCSP;
+ if (config->ocsp == 3)
+ params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
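Review bot: The OCSP policy mapping on L31-L34 is asymmetric: `config->ocsp >= 2` sets TLS_CONN_REQUIRE_OCSP for any value of 2 or more, while only an exact `== 3` sets TLS_CONN_REQUIRE_OCSP_ALL, so a value of 4 or higher would silently receive the weaker "require" policy instead of the strictest one. Unless the configuration parser is known to reject values above 3 (not visible here), make the strictest level fail closed with `if (config->ocsp >= 3)`, or add a comment such as `/* ocsp is 0..3; range enforced by the config parser */` so the `== 3` is clearly deliberate. The enclosing function starts and ends outside the hunk.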
data->conn = tls_connection_init(data->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
if (out == NULL)
return NULL;
- if (tls_connection_prf(data->ssl_ctx, data->conn, label, 0, 0,
- out, len)) {
+ if (tls_connection_export_key(data->ssl_ctx, data->conn, label, out,
+ len)) {
os_free(out);
return NULL;
}
struct tls_random keys;
u8 *out;
- if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys))
- return NULL;
-
- if (keys.client_random == NULL || keys.server_random == NULL)
+ if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys) ||
+ keys.client_random == NULL || keys.server_random == NULL)
return NULL;
*len = 1 + keys.client_random_len + keys.server_random_len;
size_t left;
unsigned int tls_msg_len;
- /* Ignore errors before we do anything*/
- (void) tls_get_errors(sm->ssl_ctx);
- //// if (tls_get_errors(data->ssl_ctx)) {
- //// wpa_printf(MSG_INFO, "SSL: TLS errors detected");
- //// ret->ignore = TRUE;
- //// return NULL;
- //// }
+ if (tls_get_errors(data->ssl_ctx)) {
+ wpa_printf(MSG_INFO, "SSL: TLS errors detected");
+ /* Next two lines commented out by Painless Security for Moonshot */
+ /* ret->ignore = TRUE;
+ * return NULL;
+ */
+ }
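Review bot: The new block on L66-L72 logs "SSL: TLS errors detected" and then falls through, because the `ret->ignore = TRUE; return NULL;` lines are left commented out, so a message that raised TLS errors is still processed and the reason this is acceptable is not recorded anywhere in the code. Replace the commented-out statements with a comment that states the justification, for example `/* Moonshot: continue despite queued TLS errors; the error queue may hold stale entries from an earlier operation and any real failure is still reported by the handshake return codes — verify */`, or if the intent is only to drain stale errors before processing (what the removed `(void) tls_get_errors(sm->ssl_ctx)` did), say so explicitly rather than leaving dead code. Note also that the removed line cleared errors on `sm->ssl_ctx` while the new one reads `data->ssl_ctx`; confirm these refer to the same context so no stale errors remain queued on the other. The enclosing function starts and ends outside the hunk.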
if (eap_type == EAP_UNAUTH_TLS_TYPE)
pos = eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS,
if (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_NONE) {
wpa_printf(MSG_ERROR, "TLS: Unsupported Phase2 EAP "
"method '%s'", start);
+ os_free(methods);
+ os_free(buf);
+ return -1;
} else {
num_methods++;
_methods = os_realloc_array(methods, num_methods,