« back to all changes in this revision
Viewing changes to tls_schannel.c
- browse files at revision 4
- compare with another revision
- download diff
- download tarball
- view history from revision 4
- Committer: Bazaar Package Importer
- Author(s): Daniel T Chen
- Date: 2005-12-04 09:55:18 UTC
- mfrom: (1.1.2 upstream)
- Revision ID: james.westby@ubuntu.com-20051204095518-h2u5t0nev2lvcp3p
Tags: 0.4.7-0ubuntu3
The "All hail the udev New World Order" release.
Convert rcS.d script to use /etc/network/if-p{ost-down,re-up}.d
instead. Remove the rcS.d script installed in 0.4.7-0ubuntu{1,2}.
If you manually modified /etc/network/interfaces to use the pre-up
and post-down directives with wpasupplicant, please remove them.
Thanks to Scott James Remnant for the guidance.
Convert rcS.d script to use /etc/network/if-p{ost-down,re-up}.d
instead. Remove the rcS.d script installed in 0.4.7-0ubuntu{1,2}.
If you manually modified /etc/network/interfaces to use the pre-up
and post-down directives with wpasupplicant, please remove them.
Thanks to Scott James Remnant for the guidance.
added
removed
tls_schannel.c
1
/*
2
* WPA Supplicant / SSL/TLS interface functions for Microsoft Schannel
3
* Copyright (c) 2005, Jouni Malinen <jkmaline@cc.hut.fi>
4
*
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License version 2 as
7
* published by the Free Software Foundation.
8
*
9
* Alternatively, this software may be distributed under the terms of BSD
10
* license.
11
*
12
* See README and COPYING for more details.
13
*/
14
15
/*
16
* FIX: Go through all SSPI functions and verify what needs to be freed
17
* FIX: session resumption
18
* TODO: add support for server cert chain validation
19
* TODO: add support for CA cert validation
20
* TODO: add support for EAP-TLS (client cert/key conf)
21
*/
22
23
#include <stdlib.h>
24
#include <stdio.h>
25
#include <string.h>
26
#include <windows.h>
27
#include <wincrypt.h>
28
#include <schannel.h>
29
#define SECURITY_WIN32
30
#include <security.h>
31
#include <sspi.h>
32
33
#include "common.h"
34
#include "tls.h"
35
36
37
struct tls_global {
38
HMODULE hsecurity;
39
PSecurityFunctionTable sspi;
40
HCERTSTORE my_cert_store;
41
};
42
43
struct tls_connection {
44
int established, start;
45
int failed, read_alerts, write_alerts;
46
47
SCHANNEL_CRED schannel_cred;
48
CredHandle creds;
49
CtxtHandle context;
50
51
u8 eap_tls_prf[128];
52
int eap_tls_prf_set;
53
};
54
55
56
static int schannel_load_lib(struct tls_global *global)
57
{
58
INIT_SECURITY_INTERFACE pInitSecurityInterface;
59
60
global->hsecurity = LoadLibrary("Secur32.dll");
61
if (global->hsecurity == NULL) {
62
wpa_printf(MSG_ERROR, "%s: Could not load Secur32.dll - 0x%x",
63
__func__, (unsigned int) GetLastError());
64
return -1;
65
}
66
67
pInitSecurityInterface = (INIT_SECURITY_INTERFACE) GetProcAddress(
68
global->hsecurity, "InitSecurityInterfaceA");
69
if (pInitSecurityInterface == NULL) {
70
wpa_printf(MSG_ERROR, "%s: Could not find "
71
"InitSecurityInterfaceA from Secur32.dll",
72
__func__);
73
FreeLibrary(global->hsecurity);
74
global->hsecurity = NULL;
75
return -1;
76
}
77
78
global->sspi = pInitSecurityInterface();
79
if (global->sspi == NULL) {
80
wpa_printf(MSG_ERROR, "%s: Could not read security "
81
"interface - 0x%x",
82
__func__, (unsigned int) GetLastError());
83
FreeLibrary(global->hsecurity);
84
global->hsecurity = NULL;
85
return -1;
86
}
87
88
return 0;
89
}
90
91
92
void * tls_init(const struct tls_config *conf)
93
{
94
struct tls_global *global;
95
96
global = malloc(sizeof(*global));
97
if (global == NULL)
98
return NULL;
99
memset(global, 0, sizeof(*global));
100
if (schannel_load_lib(global)) {
101
free(global);
102
return NULL;
103
}
104
return global;
105
}
106
107
108
void tls_deinit(void *ssl_ctx)
109
{
110
struct tls_global *global = ssl_ctx;
111
112
if (global->my_cert_store)
113
CertCloseStore(global->my_cert_store, 0);
114
FreeLibrary(global->hsecurity);
115
free(global);
116
}
117
118
119
int tls_get_errors(void *ssl_ctx)
120
{
121
return 0;
122
}
123
124
125
struct tls_connection * tls_connection_init(void *ssl_ctx)
126
{
127
struct tls_connection *conn;
128
129
conn = malloc(sizeof(*conn));
130
if (conn == NULL)
131
return NULL;
132
memset(conn, 0, sizeof(*conn));
133
conn->start = 1;
134
135
return conn;
136
}
137
138
139
void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
140
{
141
if (conn == NULL)
142
return;
143
144
free(conn);
145
}
146
147
148
int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
149
{
150
return conn ? conn->established : 0;
151
}
152
153
154
int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
155
{
156
struct tls_global *global = ssl_ctx;
157
if (conn == NULL)
158
return -1;
159
160
conn->eap_tls_prf_set = 0;
161
conn->established = conn->failed = 0;
162
conn->read_alerts = conn->write_alerts = 0;
163
global->sspi->DeleteSecurityContext(&conn->context);
164
/* FIX: what else needs to be reseted? */
165
166
return 0;
167
}
168
169
170
int tls_global_ca_cert(void *_ssl_ctx, const char *ca_cert)
171
{
172
return -1;
173
}
174
175
176
int tls_global_set_verify(void *ssl_ctx, int check_crl)
177
{
178
return -1;
179
}
180
181
182
int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
183
int verify_peer)
184
{
185
return -1;
186
}
187
188
189
int tls_global_client_cert(void *_ssl_ctx, const char *client_cert)
190
{
191
return -1;
192
}
193
194
195
int tls_global_private_key(void *_ssl_ctx, const char *private_key,
196
const char *private_key_passwd)
197
{
198
return -1;
199
}
200
201
202
int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
203
struct tls_keys *keys)
204
{
205
if (conn == NULL || keys == NULL || !conn->eap_tls_prf_set)
206
return -1;
207
208
memset(keys, 0, sizeof(*keys));
209
210
/*
211
* Cannot get master_key from Schannel, but EapKeyBlock can be used to
212
* generate session keys for EAP-TLS and EAP-PEAPv0. EAP-PEAPv2 and
213
* EAP-TTLS cannot use this, though, since they are using different
214
* labels. The only option could be to implement TLSv1 completely here
215
* and just use Schannel or CryptoAPI for low-level crypto
216
* functionality..
217
*/
218
keys->eap_tls_prf = conn->eap_tls_prf;
219
keys->eap_tls_prf_len = sizeof(conn->eap_tls_prf);
220
221
return 0;
222
}
223
224
225
static u8 * tls_conn_hs_clienthello(struct tls_global *global,
226
struct tls_connection *conn,
227
size_t *out_len)
228
{
229
DWORD sspi_flags, sspi_flags_out;
230
SecBufferDesc outbuf;
231
SecBuffer outbufs[1];
232
SECURITY_STATUS status;
233
TimeStamp ts_expiry;
234
235
sspi_flags = ISC_REQ_REPLAY_DETECT |
236
ISC_REQ_CONFIDENTIALITY |
237
ISC_RET_EXTENDED_ERROR |
238
ISC_REQ_ALLOCATE_MEMORY |
239
ISC_REQ_MANUAL_CRED_VALIDATION;
240
241
wpa_printf(MSG_DEBUG, "%s: Generating ClientHello", __func__);
242
243
outbufs[0].pvBuffer = NULL;
244
outbufs[0].BufferType = SECBUFFER_TOKEN;
245
outbufs[0].cbBuffer = 0;
246
247
outbuf.cBuffers = 1;
248
outbuf.pBuffers = outbufs;
249
outbuf.ulVersion = SECBUFFER_VERSION;
250
251
status = global->sspi->InitializeSecurityContextA(
252
&conn->creds, NULL, NULL /* server name */, sspi_flags, 0,
253
SECURITY_NATIVE_DREP, NULL, 0, &conn->context,
254
&outbuf, &sspi_flags_out, &ts_expiry);
255
if (status != SEC_I_CONTINUE_NEEDED) {
256
wpa_printf(MSG_ERROR, "%s: InitializeSecurityContextA "
257
"failed - 0x%x",
258
__func__, (unsigned int) status);
259
return NULL;
260
}
261
262
if (outbufs[0].cbBuffer != 0 && outbufs[0].pvBuffer) {
263
u8 *buf;
264
wpa_hexdump(MSG_MSGDUMP, "SChannel - ClientHello",
265
outbufs[0].pvBuffer, outbufs[0].cbBuffer);
266
conn->start = 0;
267
*out_len = outbufs[0].cbBuffer;
268
buf = malloc(*out_len);
269
if (buf == NULL)
270
return NULL;
271
memcpy(buf, outbufs[0].pvBuffer, *out_len);
272
global->sspi->FreeContextBuffer(outbufs[0].pvBuffer);
273
return buf;
274
}
275
276
wpa_printf(MSG_ERROR, "SChannel: Failed to generate ClientHello");
277
278
return NULL;
279
}
280
281
282
#ifndef SECPKG_ATTR_EAP_KEY_BLOCK
283
#define SECPKG_ATTR_EAP_KEY_BLOCK 0x5b
284
285
typedef struct _SecPkgContext_EapKeyBlock {
286
BYTE rgbKeys[128];
287
BYTE rgbIVs[64];
288
} SecPkgContext_EapKeyBlock, *PSecPkgContext_EapKeyBlock;
289
#endif /* !SECPKG_ATTR_EAP_KEY_BLOCK */
290
291
static int tls_get_eap(struct tls_global *global, struct tls_connection *conn)
292
{
293
SECURITY_STATUS status;
294
SecPkgContext_EapKeyBlock kb;
295
296
/* Note: Windows NT and Windows Me/98/95 do not support getting
297
* EapKeyBlock */
298
299
status = global->sspi->QueryContextAttributes(
300
&conn->context, SECPKG_ATTR_EAP_KEY_BLOCK, &kb);
301
if (status != SEC_E_OK) {
302
wpa_printf(MSG_DEBUG, "%s: QueryContextAttributes("
303
"SECPKG_ATTR_EAP_KEY_BLOCK) failed (%d)",
304
__func__, (int) status);
305
return -1;
306
}
307
308
wpa_hexdump_key(MSG_MSGDUMP, "Schannel - EapKeyBlock - rgbKeys",
309
kb.rgbKeys, sizeof(kb.rgbKeys));
310
wpa_hexdump_key(MSG_MSGDUMP, "Schannel - EapKeyBlock - rgbIVs",
311
kb.rgbIVs, sizeof(kb.rgbIVs));
312
313
memcpy(conn->eap_tls_prf, kb.rgbKeys, sizeof(kb.rgbKeys));
314
conn->eap_tls_prf_set = 1;
315
}
316
317
318
u8 * tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
319
const u8 *in_data, size_t in_len,
320
size_t *out_len)
321
{
322
struct tls_global *global = ssl_ctx;
323
DWORD sspi_flags, sspi_flags_out;
324
SecBufferDesc inbuf, outbuf;
325
SecBuffer inbufs[2], outbufs[1];
326
SECURITY_STATUS status;
327
TimeStamp ts_expiry;
328
u8 *out_buf = NULL;
329
330
if (conn->start) {
331
return tls_conn_hs_clienthello(global, conn, out_len);
332
}
333
334
wpa_printf(MSG_DEBUG, "SChannel: %d bytes handshake data to process",
335
in_len);
336
337
sspi_flags = ISC_REQ_REPLAY_DETECT |
338
ISC_REQ_CONFIDENTIALITY |
339
ISC_RET_EXTENDED_ERROR |
340
ISC_REQ_ALLOCATE_MEMORY |
341
ISC_REQ_MANUAL_CRED_VALIDATION;
342
343
/* Input buffer for Schannel */
344
inbufs[0].pvBuffer = (u8 *) in_data;
345
inbufs[0].cbBuffer = in_len;
346
inbufs[0].BufferType = SECBUFFER_TOKEN;
347
348
/* Place for leftover data from Schannel */
349
inbufs[1].pvBuffer = NULL;
350
inbufs[1].cbBuffer = 0;
351
inbufs[1].BufferType = SECBUFFER_EMPTY;
352
353
inbuf.cBuffers = 2;
354
inbuf.pBuffers = inbufs;
355
inbuf.ulVersion = SECBUFFER_VERSION;
356
357
/* Output buffer for Schannel */
358
outbufs[0].pvBuffer = NULL;
359
outbufs[0].cbBuffer = 0;
360
outbufs[0].BufferType = SECBUFFER_TOKEN;
361
362
outbuf.cBuffers = 1;
363
outbuf.pBuffers = outbufs;
364
outbuf.ulVersion = SECBUFFER_VERSION;
365
366
status = global->sspi->InitializeSecurityContextA(
367
&conn->creds, &conn->context, NULL, sspi_flags, 0,
368
SECURITY_NATIVE_DREP, &inbuf, 0, NULL,
369
&outbuf, &sspi_flags_out, &ts_expiry);
370
371
wpa_printf(MSG_MSGDUMP, "Schannel: InitializeSecurityContextA -> "
372
"status=%d inlen[0]=%d intype[0]=%d inlen[1]=%d "
373
"intype[1]=%d outlen[0]=%d",
374
(int) status, (int) inbufs[0].cbBuffer,
375
(int) inbufs[0].BufferType, (int) inbufs[1].cbBuffer,
376
(int) inbufs[1].BufferType,
377
(int) outbufs[0].cbBuffer);
378
if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED ||
379
(FAILED(status) && (sspi_flags_out & ISC_RET_EXTENDED_ERROR))) {
380
if (outbufs[0].cbBuffer != 0 && outbufs[0].pvBuffer) {
381
wpa_hexdump(MSG_MSGDUMP, "SChannel - output",
382
outbufs[0].pvBuffer, outbufs[0].cbBuffer);
383
*out_len = outbufs[0].cbBuffer;
384
out_buf = malloc(*out_len);
385
if (out_buf == NULL)
386
return NULL;
387
memcpy(out_buf, outbufs[0].pvBuffer, *out_len);
388
global->sspi->FreeContextBuffer(outbufs[0].pvBuffer);
389
outbufs[0].pvBuffer = NULL;
390
}
391
}
392
393
switch (status) {
394
case SEC_E_INCOMPLETE_MESSAGE:
395
wpa_printf(MSG_DEBUG, "Schannel: SEC_E_INCOMPLETE_MESSAGE");
396
break;
397
case SEC_I_CONTINUE_NEEDED:
398
wpa_printf(MSG_DEBUG, "Schannel: SEC_I_CONTINUE_NEEDED");
399
break;
400
case SEC_E_OK:
401
/* TODO: verify server certificate chain */
402
wpa_printf(MSG_DEBUG, "Schannel: SEC_E_OK - Handshake "
403
"completed successfully");
404
conn->established = 1;
405
tls_get_eap(global, conn);
406
407
/* Need to return something to get final TLS ACK. */
408
if (out_buf == NULL)
409
out_buf = malloc(1);
410
411
if (inbufs[1].BufferType == SECBUFFER_EXTRA) {
412
wpa_hexdump(MSG_MSGDUMP, "SChannel - Encrypted "
413
"application data",
414
inbufs[1].pvBuffer, inbufs[1].cbBuffer);
415
/* FIX: need to fix TLS API to allow this data to be
416
* passed to the caller */
417
global->sspi->FreeContextBuffer(inbufs[1].pvBuffer);
418
inbufs[1].pvBuffer = NULL;
419
}
420
break;
421
case SEC_I_INCOMPLETE_CREDENTIALS:
422
wpa_printf(MSG_DEBUG,
423
"Schannel: SEC_I_INCOMPLETE_CREDENTIALS");
424
break;
425
case SEC_E_WRONG_PRINCIPAL:
426
wpa_printf(MSG_DEBUG, "Schannel: SEC_E_WRONG_PRINCIPAL");
427
break;
428
case SEC_E_INTERNAL_ERROR:
429
wpa_printf(MSG_DEBUG, "Schannel: SEC_E_INTERNAL_ERROR");
430
break;
431
}
432
433
if (FAILED(status)) {
434
wpa_printf(MSG_DEBUG, "Schannel: Handshake failed "
435
"(out_buf=%p)", out_buf);
436
conn->failed++;
437
global->sspi->DeleteSecurityContext(&conn->context);
438
return out_buf;
439
}
440
441
if (inbufs[1].BufferType == SECBUFFER_EXTRA) {
442
/* TODO: Can this happen? What to do with this data? */
443
wpa_hexdump(MSG_MSGDUMP, "SChannel - Leftover data",
444
inbufs[1].pvBuffer, inbufs[1].cbBuffer);
445
global->sspi->FreeContextBuffer(inbufs[1].pvBuffer);
446
inbufs[1].pvBuffer = NULL;
447
}
448
449
return out_buf;
450
}
451
452
453
u8 * tls_connection_server_handshake(void *ssl_ctx,
454
struct tls_connection *conn,
455
const u8 *in_data, size_t in_len,
456
size_t *out_len)
457
{
458
return NULL;
459
}
460
461
462
int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
463
const u8 *in_data, size_t in_len,
464
u8 *out_data, size_t out_len)
465
{
466
struct tls_global *global = ssl_ctx;
467
SECURITY_STATUS status;
468
SecBufferDesc buf;
469
SecBuffer bufs[4];
470
SecPkgContext_StreamSizes sizes;
471
int i;
472
size_t total_len;
473
474
status = global->sspi->QueryContextAttributes(&conn->context,
475
SECPKG_ATTR_STREAM_SIZES,
476
&sizes);
477
if (status != SEC_E_OK) {
478
wpa_printf(MSG_DEBUG, "%s: QueryContextAttributes failed",
479
__func__);
480
return -1;
481
}
482
wpa_printf(MSG_DEBUG, "%s: Stream sizes: header=%u trailer=%u",
483
__func__,
484
(unsigned int) sizes.cbHeader,
485
(unsigned int) sizes.cbTrailer);
486
487
total_len = sizes.cbHeader + in_len + sizes.cbTrailer;
488
489
if (out_len < total_len) {
490
wpa_printf(MSG_DEBUG, "%s: too short out_data (out_len=%lu "
491
"in_len=%lu total_len=%lu)", __func__,
492
(unsigned long) out_len, (unsigned long) in_len,
493
(unsigned long) total_len);
494
return -1;
495
}
496
497
memset(&bufs, 0, sizeof(bufs));
498
bufs[0].pvBuffer = out_data;
499
bufs[0].cbBuffer = sizes.cbHeader;
500
bufs[0].BufferType = SECBUFFER_STREAM_HEADER;
501
502
memcpy(out_data + sizes.cbHeader, in_data, in_len);
503
bufs[1].pvBuffer = out_data + sizes.cbHeader;
504
bufs[1].cbBuffer = in_len;
505
bufs[1].BufferType = SECBUFFER_DATA;
506
507
bufs[2].pvBuffer = out_data + sizes.cbHeader + in_len;
508
bufs[2].cbBuffer = sizes.cbTrailer;
509
bufs[2].BufferType = SECBUFFER_STREAM_TRAILER;
510
511
buf.ulVersion = SECBUFFER_VERSION;
512
buf.cBuffers = 3;
513
buf.pBuffers = bufs;
514
515
status = global->sspi->EncryptMessage(&conn->context, 0, &buf, 0);
516
517
wpa_printf(MSG_MSGDUMP, "Schannel: EncryptMessage -> "
518
"status=%d len[0]=%d type[0]=%d len[1]=%d type[1]=%d "
519
"len[2]=%d type[2]=%d",
520
(int) status,
521
(int) bufs[0].cbBuffer, (int) bufs[0].BufferType,
522
(int) bufs[1].cbBuffer, (int) bufs[1].BufferType,
523
(int) bufs[2].cbBuffer, (int) bufs[2].BufferType);
524
wpa_printf(MSG_MSGDUMP, "Schannel: EncryptMessage pointers: "
525
"out_data=%p bufs %p %p %p",
526
out_data, bufs[0].pvBuffer, bufs[1].pvBuffer,
527
bufs[2].pvBuffer);
528
529
for (i = 0; i < 3; i++) {
530
if (bufs[i].pvBuffer && bufs[i].BufferType != SECBUFFER_EMPTY)
531
{
532
wpa_hexdump(MSG_MSGDUMP, "SChannel: bufs",
533
bufs[i].pvBuffer, bufs[i].cbBuffer);
534
}
535
}
536
537
if (status == SEC_E_OK) {
538
wpa_printf(MSG_DEBUG, "%s: SEC_E_OK", __func__);
539
wpa_hexdump_key(MSG_MSGDUMP, "Schannel: Encrypted data from "
540
"EncryptMessage", out_data, total_len);
541
return total_len;
542
}
543
544
wpa_printf(MSG_DEBUG, "%s: Failed - status=%d",
545
__func__, (int) status);
546
return -1;
547
}
548
549
550
int tls_connection_decrypt(void *ssl_ctx, struct tls_connection *conn,
551
const u8 *in_data, size_t in_len,
552
u8 *out_data, size_t out_len)
553
{
554
struct tls_global *global = ssl_ctx;
555
SECURITY_STATUS status;
556
SecBufferDesc buf;
557
SecBuffer bufs[4];
558
int i;
559
560
if (out_len < in_len) {
561
wpa_printf(MSG_DEBUG, "%s: out_len=%lu < in_len=%lu", __func__,
562
(unsigned long) out_len, (unsigned long) in_len);
563
return -1;
564
}
565
566
wpa_hexdump(MSG_MSGDUMP, "Schannel: Encrypted data to DecryptMessage",
567
in_data, in_len);
568
memset(&bufs, 0, sizeof(bufs));
569
memcpy(out_data, in_data, in_len);
570
bufs[0].pvBuffer = out_data;
571
bufs[0].cbBuffer = in_len;
572
bufs[0].BufferType = SECBUFFER_DATA;
573
574
bufs[1].BufferType = SECBUFFER_EMPTY;
575
bufs[2].BufferType = SECBUFFER_EMPTY;
576
bufs[3].BufferType = SECBUFFER_EMPTY;
577
578
buf.ulVersion = SECBUFFER_VERSION;
579
buf.cBuffers = 4;
580
buf.pBuffers = bufs;
581
582
status = global->sspi->DecryptMessage(&conn->context, &buf, 0,
583
NULL);
584
wpa_printf(MSG_MSGDUMP, "Schannel: DecryptMessage -> "
585
"status=%d len[0]=%d type[0]=%d len[1]=%d type[1]=%d "
586
"len[2]=%d type[2]=%d len[3]=%d type[3]=%d",
587
(int) status,
588
(int) bufs[0].cbBuffer, (int) bufs[0].BufferType,
589
(int) bufs[1].cbBuffer, (int) bufs[1].BufferType,
590
(int) bufs[2].cbBuffer, (int) bufs[2].BufferType,
591
(int) bufs[3].cbBuffer, (int) bufs[3].BufferType);
592
wpa_printf(MSG_MSGDUMP, "Schannel: DecryptMessage pointers: "
593
"out_data=%p bufs %p %p %p %p",
594
out_data, bufs[0].pvBuffer, bufs[1].pvBuffer,
595
bufs[2].pvBuffer, bufs[3].pvBuffer);
596
597
switch (status) {
598
case SEC_E_INCOMPLETE_MESSAGE:
599
wpa_printf(MSG_DEBUG, "%s: SEC_E_INCOMPLETE_MESSAGE",
600
__func__);
601
break;
602
case SEC_E_OK:
603
wpa_printf(MSG_DEBUG, "%s: SEC_E_OK", __func__);
604
for (i = 0; i < 4; i++) {
605
if (bufs[i].BufferType == SECBUFFER_DATA)
606
break;
607
}
608
if (i == 4) {
609
wpa_printf(MSG_DEBUG, "%s: No output data from "
610
"DecryptMessage", __func__);
611
return -1;
612
}
613
wpa_hexdump_key(MSG_MSGDUMP, "Schannel: Decrypted data from "
614
"DecryptMessage",
615
bufs[i].pvBuffer, bufs[i].cbBuffer);
616
if (bufs[i].cbBuffer > out_len) {
617
wpa_printf(MSG_DEBUG, "%s: Too long output data",
618
__func__);
619
return -1;
620
}
621
memmove(out_data, bufs[i].pvBuffer, bufs[i].cbBuffer);
622
return bufs[i].cbBuffer;
623
}
624
625
wpa_printf(MSG_DEBUG, "%s: Failed - status=%d",
626
__func__, (int) status);
627
return -1;
628
}
629
630
631
int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
632
{
633
return 0;
634
}
635
636
637
#ifdef EAP_FAST
638
int tls_connection_set_master_key(void *ssl_ctx, struct tls_connection *conn,
639
const u8 *key, size_t key_len)
640
{
641
return -1;
642
}
643
#endif /* EAP_FAST */
644
645
646
int tls_connection_set_anon_dh(void *ssl_ctx, struct tls_connection *conn)
647
{
648
return -1;
649
}
650
651
652
int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
653
char *buf, size_t buflen)
654
{
655
return -1;
656
}
657
658
659
int tls_connection_enable_workaround(void *ssl_ctx,
660
struct tls_connection *conn)
661
{
662
return 0;
663
}
664
665
666
#ifdef EAP_FAST
667
/* ClientHello TLS extensions require a patch to openssl, so this function is
668
* commented out unless explicitly needed for EAP-FAST in order to be able to
669
* build this file with unmodified openssl. */
670
int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
671
int ext_type, const u8 *data,
672
size_t data_len)
673
{
674
return -1;
675
}
676
#endif /* EAP_FAST */
677
678
679
int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
680
{
681
if (conn == NULL)
682
return -1;
683
return conn->failed;
684
}
685
686
687
int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
688
{
689
if (conn == NULL)
690
return -1;
691
return conn->read_alerts;
692
}
693
694
695
int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
696
{
697
if (conn == NULL)
698
return -1;
699
return conn->write_alerts;
700
}
701
702
703
int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
704
const struct tls_connection_params *params)
705
{
706
struct tls_global *global = tls_ctx;
707
ALG_ID algs[1];
708
SECURITY_STATUS status;
709
TimeStamp ts_expiry;
710
711
if (conn == NULL)
712
return -1;
713
714
if (global->my_cert_store == NULL &&
715
(global->my_cert_store = CertOpenSystemStore(0, "MY")) == NULL) {
716
wpa_printf(MSG_ERROR, "%s: CertOpenSystemStore failed - 0x%x",
717
__func__, (unsigned int) GetLastError());
718
return -1;
719
}
720
721
memset(&conn->schannel_cred, 0, sizeof(conn->schannel_cred));
722
conn->schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
723
conn->schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1;
724
algs[0] = CALG_RSA_KEYX;
725
conn->schannel_cred.cSupportedAlgs = 1;
726
conn->schannel_cred.palgSupportedAlgs = algs;
727
conn->schannel_cred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
728
status = global->sspi->AcquireCredentialsHandleA(
729
NULL, UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL,
730
&conn->schannel_cred, NULL, NULL, &conn->creds, &ts_expiry);
731
if (status != SEC_E_OK) {
732
wpa_printf(MSG_DEBUG, "%s: AcquireCredentialsHandleA failed - "
733
"0x%x", __func__, (unsigned int) status);
734
return -1;
735
}
736
737
return 0;
738
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1