#include <openssl/err.h>
#include <openssl/ui.h>
#include <openssl/x509v3.h>
+#include <openssl/pkcs12.h>
#include "pppd.h"
#include "eap.h"
#include "eap-tls.h"
#include "fsm.h"
#include "lcp.h"
+#include "chap_ms.h"
+#include "mppe.h"
#include "pathnames.h"
typedef struct pw_cb_data
const char *prompt_info;
} PW_CB_DATA;
+#ifndef OPENSSL_NO_ENGINE
/* The openssl configuration file and engines can be loaded only once */
static CONF *ssl_config = NULL;
static ENGINE *cert_engine = NULL;
static ENGINE *pkey_engine = NULL;
+#endif
/* TLSv1.3 do we have a session ticket ? */
static int have_session_ticket = 0;
X509 *get_X509_from_file(char *filename);
int ssl_cmp_certs(char *filename, X509 * a);
-#ifdef MPPE
-
-#define EAPTLS_MPPE_KEY_LEN 32
-
/*
* OpenSSL 1.1+ introduced a generic TLS_method()
* For older releases we substitute the appropriate method
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#ifdef MPPE
+#define EAPTLS_MPPE_KEY_LEN 32
/*
* Generate keys according to RFC 2716 and add to reply
*/
if (client)
{
- p = out;
- BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
- p += EAPTLS_MPPE_KEY_LEN;
- BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
+ mppe_set_keys(out, out + EAPTLS_MPPE_KEY_LEN, EAPTLS_MPPE_KEY_LEN);
}
else
{
- p = out;
- BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
- p += EAPTLS_MPPE_KEY_LEN;
- BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
+ mppe_set_keys(out + EAPTLS_MPPE_KEY_LEN, out, EAPTLS_MPPE_KEY_LEN);
}
-
- mppe_keys_set = 1;
}
#endif /* MPPE */
+
void log_ssl_errors( void )
{
unsigned long ssl_err = ERR_get_error();
}
dbglog( "Loading OpenSSL built-ins" );
+#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
+#endif
OPENSSL_load_builtin_modules();
dbglog( "Loading OpenSSL configured modules" );
return config;
}
+#ifndef OPENSSL_NO_ENGINE
ENGINE *eaptls_ssl_load_engine( char *engine_name )
{
ENGINE *e = NULL;
return e;
}
-
+#endif
/*
* for client or server use can be loaded.
*/
SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
- char *certfile, char *peer_certfile, char *privkeyfile)
+ char *certfile, char *peer_certfile, char *privkeyfile, char *pkcs12)
{
+#ifndef OPENSSL_NO_ENGINE
char *cert_engine_name = NULL;
char *cert_identifier = NULL;
char *pkey_engine_name = NULL;
char *pkey_identifier = NULL;
+#endif
SSL_CTX *ctx;
SSL *ssl;
X509_STORE *certstore;
X509_LOOKUP *lookup;
X509 *tmp;
+ X509 *cert = NULL;
+ PKCS12 *p12 = NULL;
+ EVP_PKEY *pkey = NULL;
+ STACK_OF(X509) *chain = NULL;
+ BIO *input;
int ret;
+ int reason;
#if defined(TLS1_2_VERSION)
long tls_version = TLS1_2_VERSION;
#elif defined(TLS1_1_VERSION)
/*
* Without these can't continue
*/
- if (!(cacertfile[0] || capath[0]))
+ if (!pkcs12[0])
{
- error("EAP-TLS: CA certificate file or path missing");
- return NULL;
- }
+ if (!(cacertfile[0] || capath[0]))
+ {
+ error("EAP-TLS: CA certificate file or path missing");
+ return NULL;
+ }
- if (!certfile[0])
- {
- error("EAP-TLS: Certificate missing");
- return NULL;
- }
+ if (!certfile[0])
+ {
+ error("EAP-TLS: Certificate missing");
+ return NULL;
+ }
- if (!privkeyfile[0])
- {
- error("EAP-TLS: Private key missing");
- return NULL;
+ if (!privkeyfile[0])
+ {
+ error("EAP-TLS: Private key missing");
+ return NULL;
+ }
}
SSL_library_init();
SSL_load_error_strings();
+#ifndef OPENSSL_NO_ENGINE
/* load the openssl config file only once and load it before triggering
the loading of a global openssl config file via SSL_CTX_new()
*/
if (!ssl_config)
ssl_config = eaptls_ssl_load_config();
+#endif
ctx = SSL_CTX_new(TLS_method());
goto fail;
}
+#ifndef OPENSSL_NO_ENGINE
/* if the certificate filename is of the form engine:id. e.g.
pkcs11:12345
then we try to load and use this engine.
else
pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
}
+#endif
SSL_CTX_set_default_passwd_cb (ctx, password_callback);
if (init_server)
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile));
+#ifndef OPENSSL_NO_ENGINE
if (cert_engine)
{
struct
if (cert_info.cert)
{
- dbglog( "Got the certificate, adding it to SSL context" );
+ dbglog( "Got the certificate" );
dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) );
- if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0)
- {
- error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier);
- goto fail;
- }
+ cert = cert_info.cert;
}
else
{
}
}
else
+#endif
{
- if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
+ if (pkcs12[0])
{
- error( "EAP-TLS: Cannot use public certificate %s", certfile );
- goto fail;
+ input = BIO_new_file(pkcs12, "r");
+ if (input == NULL)
+ {
+ error("EAP-TLS: Cannot open `%s' PKCS12 for input", pkcs12);
+ goto fail;
+ }
+
+ p12 = d2i_PKCS12_bio(input, NULL);
+ BIO_free(input);
+ if (!p12)
+ {
+ error("EAP-TLS: Cannot load PKCS12 certificate");
+ goto fail;
+ }
+
+ if (PKCS12_parse(p12, passwd, &pkey, &cert, &chain) != 1)
+ {
+ error("EAP-TLS: Cannot parse PKCS12 certificate, invalid password");
+ PKCS12_free(p12);
+ goto fail;
+ }
+
+ PKCS12_free(p12);
+ }
+ else
+ {
+ if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
+ {
+ error( "EAP-TLS: Cannot load certificate %s", certfile );
+ goto fail;
+ }
}
}
+ if (cert)
+ {
+ if (!SSL_CTX_use_certificate(ctx, cert))
+ {
+ error("EAP-TLS: Cannot use load certificate");
+ goto fail;
+ }
+
+ if (chain)
+ {
+ int i;
+ for (i = 0; i < sk_X509_num(chain); i++)
+ {
+ if (!SSL_CTX_add_extra_chain_cert(ctx, sk_X509_value(chain, i)))
+ {
+ error("EAP-TLS: Cannot add extra chain certificate");
+ goto fail;
+ }
+ }
+ }
+ }
/*
* Check the Before and After dates of the certificate
}
SSL_free(ssl);
+#ifndef OPENSSL_NO_ENGINE
if (pkey_engine)
{
- EVP_PKEY *pkey = NULL;
PW_CB_DATA cb_data;
cb_data.password = passwd;
dbglog( "Loading private key '%s' from engine", pkey_identifier );
pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, NULL);
}
- if (pkey)
+ }
+ else
+#endif
+ {
+ if (!pkey)
{
- dbglog( "Got the private key, adding it to SSL context" );
- if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0)
+ input = BIO_new_file(privkeyfile, "r");
+ if (!input)
{
- error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier);
+ error("EAP-TLS: Could not open private key, %s", privkeyfile);
+ goto fail;
+ }
+
+ pkey = PEM_read_bio_PrivateKey(input, NULL, password_callback, NULL);
+ BIO_free(input);
+ if (!pkey)
+ {
+ error("EAP-TLS: Cannot load private key, %s", privkeyfile);
goto fail;
}
- }
- else
- {
- warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier);
- log_ssl_errors();
}
}
- else
+
+ if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1)
{
- if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM))
- {
- error("EAP-TLS: Cannot use private key %s", privkeyfile);
- goto fail;
- }
+ error("EAP-TLS: Cannot use private key");
+ goto fail;
}
- if (SSL_CTX_check_private_key(ctx) != 1) {
- error("EAP-TLS: Private key %s fails security check", privkeyfile);
+ if (SSL_CTX_check_private_key(ctx) != 1)
+ {
+ error("EAP-TLS: Private key fails security check");
goto fail;
}
return ctx;
fail:
+
+ if (cert)
+ X509_free(cert);
+
+ if (pkey)
+ EVP_PKEY_free(pkey);
+
+ if (chain)
+ sk_X509_pop_free(chain, X509_free);
+
log_ssl_errors();
SSL_CTX_free(ctx);
return NULL;
char cacertfile[MAXWORDLEN];
char capath[MAXWORDLEN];
char pkfile[MAXWORDLEN];
+ char pkcs12[MAXWORDLEN];
+
/*
* Allocate new eaptls session
*/
dbglog( "getting eaptls secret" );
if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer,
esp->es_server.ea_name, clicertfile,
- servcertfile, cacertfile, capath, pkfile, 1)) {
+ servcertfile, cacertfile, capath, pkfile, pkcs12, 1)) {
error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
esp->es_server.ea_peer, esp->es_server.ea_name );
return 0;
ets->mtu = eaptls_get_mtu(esp->es_unit);
- ets->ctx = eaptls_init_ssl(1, cacertfile, capath, servcertfile, clicertfile, pkfile);
+ ets->ctx = eaptls_init_ssl(1, cacertfile, capath, servcertfile, clicertfile, pkfile, pkcs12);
if (!ets->ctx)
goto fail;
char cacertfile[MAXWORDLEN];
char capath[MAXWORDLEN];
char pkfile[MAXWORDLEN];
+ char pkcs12[MAXWORDLEN];
/*
* Allocate new eaptls session
dbglog( "calling get_eaptls_secret" );
if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name,
ets->peer, clicertfile,
- servcertfile, cacertfile, capath, pkfile, 0)) {
+ servcertfile, cacertfile, capath, pkfile, pkcs12, 0)) {
error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
esp->es_client.ea_name, ets->peer );
return 0;
}
dbglog( "calling eaptls_init_ssl" );
- ets->ctx = eaptls_init_ssl(0, cacertfile, capath, clicertfile, servcertfile, pkfile);
+ ets->ctx = eaptls_init_ssl(0, cacertfile, capath, clicertfile, servcertfile, pkfile, pkcs12);
if (!ets->ctx)
goto fail;
* If acting as client and the name of the server wasn't specified
* explicitely, we can't verify the server authenticity
*/
- if (!ets->peer[0] || !strcmp(tls_verify_method, TLS_VERIFY_NONE)) {
+ if (!tls_verify_method)
+ tls_verify_method = TLS_VERIFY_NONE;
+
+ if (!ets->peer[0] || !strcmp(TLS_VERIFY_NONE, tls_verify_method)) {
warn("Certificate verication disabled or no peer name was specified");
return ok;
}
projects / ppp.git / blobdiff