]> git.ozlabs.org Git - ppp.git/blobdiff - pppd/eap-tls.c
pppd: add experimental support for PEAP protocol, an extension of EAP
[ppp.git] / pppd / eap-tls.c
index c9730bac34595fbf104464bf106df3f8b503bb20..b15d801565f54807165435a6a09a585f1c5cd665 100644 (file)
  *
  */
 
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
 #include <string.h>
 #include <strings.h>
 #include <unistd.h>
@@ -37,7 +41,9 @@
 #include <fcntl.h>
 
 #include <openssl/conf.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 #include <openssl/hmac.h>
 #include <openssl/err.h>
 #include <openssl/ui.h>
@@ -279,6 +285,23 @@ ENGINE *eaptls_ssl_load_engine( char *engine_name )
 #endif
 
 
+#ifndef OPENSSL_NO_ENGINE
+static int eaptls_UI_writer(UI *ui, UI_STRING *uis)
+{
+    PW_CB_DATA* cb_data = (PW_CB_DATA*)UI_get0_user_data(ui);
+    UI_set_result(ui, uis, cb_data->password);
+    return 1;
+}
+
+static int eaptls_UI_stub(UI* ui) {
+    return 1;
+}
+
+static int eaptls_UI_reader(UI *ui, UI_STRING *uis) {
+    return 1;
+}
+#endif
+
 /*
  * Initialize the SSL stacks and tests if certificates, key and crl
  * for client or server use can be loaded.
@@ -288,9 +311,8 @@ SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
 {
 #ifndef OPENSSL_NO_ENGINE
     char        *cert_engine_name = NULL;
-    char        *cert_identifier = NULL;
     char        *pkey_engine_name = NULL;
-    char        *pkey_identifier = NULL;
+    char        *idx;
 #endif
     SSL_CTX     *ctx;
     SSL         *ssl;
@@ -361,19 +383,13 @@ SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
        If the certificate filename starts with a / or . then we
        ALWAYS assume it is a file and not an engine/pkcs11 identifier
      */
-    if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL )
+    if ( (idx = index( certfile, ':' )) != NULL )
     {
-        cert_identifier = index( certfile, ':' );
-
-        if (cert_identifier)
-        {
-            cert_engine_name = certfile;
-            *cert_identifier = '\0';
-            cert_identifier++;
+        cert_engine_name = strdup( certfile );
+        cert_engine_name[idx - certfile] = 0;
 
-            dbglog( "Found certificate engine '%s'", cert_engine_name );
-            dbglog( "Found certificate identifier '%s'", cert_identifier );
-        }
+        dbglog( "Using engine '%s' for certificate, URI: '%s'",
+                cert_engine_name, certfile );
     }
 
     /* if the privatekey filename is of the form engine:id. e.g.
@@ -382,39 +398,33 @@ SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
        If the privatekey filename starts with a / or . then we
        ALWAYS assume it is a file and not an engine/pkcs11 identifier
      */
-    if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL )
+    if ( (idx = index( privkeyfile, ':' )) != NULL )
     {
-        pkey_identifier = index( privkeyfile, ':' );
-
-        if (pkey_identifier)
-        {
-            pkey_engine_name = privkeyfile;
-            *pkey_identifier = '\0';
-            pkey_identifier++;
+        pkey_engine_name = strdup( privkeyfile );
+        pkey_engine_name[idx - privkeyfile] = 0;
 
-            dbglog( "Found privatekey engine '%s'", pkey_engine_name );
-            dbglog( "Found privatekey identifier '%s'", pkey_identifier );
-        }
+        dbglog( "Using engine '%s' for private key, URI: '%s'",
+                pkey_engine_name, privkeyfile );
     }
 
-    if (cert_identifier && pkey_identifier)
+    if (cert_engine_name && pkey_engine_name)
     {
-        if (strlen( cert_identifier ) == 0)
+        if (strlen( certfile ) - strlen( cert_engine_name ) == 1)
         {
-            if (strlen( pkey_identifier ) == 0)
+            if (strlen( privkeyfile ) - strlen( pkey_engine_name ) == 1)
                 error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" );
             else
             {
                 dbglog( "Substituting privatekey identifier for certificate identifier" );
-                cert_identifier = pkey_identifier;
+                certfile = privkeyfile;
             }
         }
         else
         {
-            if (strlen( pkey_identifier ) == 0)
+            if (strlen( privkeyfile ) - strlen( pkey_engine_name ) == 1)
             {
                 dbglog( "Substituting certificate identifier for privatekey identifier" );
-                pkey_identifier = cert_identifier;
+                privkeyfile = certfile;
             }
         }
     }
@@ -430,6 +440,13 @@ SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
         else
             pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
     }
+
+    if (cert_engine_name)
+        free(cert_engine_name);
+
+    if (pkey_engine_name)
+        free(pkey_engine_name);
+
 #endif
 
     SSL_CTX_set_default_passwd_cb (ctx, password_callback);
@@ -457,12 +474,12 @@ SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
             X509 *cert;
         } cert_info;
 
-        cert_info.s_slot_cert_id = cert_identifier;
+        cert_info.s_slot_cert_id = certfile;
         cert_info.cert = NULL;
         
         if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) )
         {
-            error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier );
+            error( "EAP-TLS: Error loading certificate with URI '%s' from engine", certfile );
             goto fail;
         }
 
@@ -474,7 +491,7 @@ SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
         }
         else
         {
-            warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier);
+            warn("EAP-TLS: Cannot load key with URI: '%s'", certfile );
             log_ssl_errors();
         }
     }
@@ -572,35 +589,26 @@ SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
         PW_CB_DATA  cb_data;
 
         cb_data.password = passwd;
-        cb_data.prompt_info = pkey_identifier;
+        cb_data.prompt_info = privkeyfile;
 
         if (passwd[0] != 0)
         {
             UI_METHOD* transfer_pin = UI_create_method("transfer_pin");
 
-            int writer (UI *ui, UI_STRING *uis)
-            {
-                PW_CB_DATA* cb_data = (PW_CB_DATA*)UI_get0_user_data(ui);
-                UI_set_result(ui, uis, cb_data->password);
-                return 1;
-            };
-            int stub (UI* ui) {return 1;};
-            int stub_reader (UI *ui, UI_STRING *uis) {return 1;};
-
-            UI_method_set_writer(transfer_pin,  writer);
-            UI_method_set_opener(transfer_pin,  stub);
-            UI_method_set_closer(transfer_pin,  stub);
-            UI_method_set_flusher(transfer_pin, stub);
-            UI_method_set_reader(transfer_pin,  stub_reader);
-
-            dbglog( "Using our private key '%s' in engine", pkey_identifier );
-            pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, transfer_pin, &cb_data);
+            UI_method_set_writer(transfer_pin,  eaptls_UI_writer);
+            UI_method_set_opener(transfer_pin,  eaptls_UI_stub);
+            UI_method_set_closer(transfer_pin,  eaptls_UI_stub);
+            UI_method_set_flusher(transfer_pin, eaptls_UI_stub);
+            UI_method_set_reader(transfer_pin,  eaptls_UI_reader);
+
+            dbglog( "Using our private key URI: '%s' in engine", privkeyfile );
+            pkey = ENGINE_load_private_key(pkey_engine, privkeyfile, transfer_pin, &cb_data);
 
             if (transfer_pin) UI_destroy_method(transfer_pin);
         }
         else {
-            dbglog( "Loading private key '%s' from engine", pkey_identifier );
-            pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, NULL);
+            dbglog( "Loading private key URI: '%s' from engine", privkeyfile );
+            pkey = ENGINE_load_private_key(pkey_engine, privkeyfile, NULL, NULL);
         }
     }
     else