From d7dc6606de304fc8da0852a84f159f1f940c7532 Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Sat, 17 Nov 2018 15:01:32 +0100
Subject: [PATCH] eap-tls, ttls, peap: Update for l_tls API changes
---
 src/eap-peap.c | 9 ++++-----
 src/eap-tls.c | 16 +++++++++-------
 src/eap-ttls.c | 16 +++++++++-------
 3 files changed, 22 insertions(+), 19 deletions(-)
diff --git a/src/eap-peap.c b/src/eap-peap.c
index 9558ce52..1d99bb25 100644
--- a/src/eap-peap.c
+++ b/src/eap-peap.c
@@ -512,7 +512,7 @@ static void eap_peap_tunnel_ready(const char *peer_identity, void *user_data)
 eap_start_complete_timeout(eap);
 /* MSK, EMSK and challenge derivation */
- l_tls_prf_get_bytes(peap->tunnel, L_CHECKSUM_SHA256, 32, true,
+ l_tls_prf_get_bytes(peap->tunnel, true,
 "client EAP encryption", msk_emsk, 128);
 eap_set_key_material(eap, msk_emsk + 0, 64, NULL, 0, NULL, 0);
@@ -554,14 +554,13 @@ static bool eap_peap_tunnel_init(struct eap_state *eap)
 l_tls_set_debug(peap->tunnel, eap_peap_debug_cb, NULL, NULL);
 if (!l_tls_set_auth_data(peap->tunnel, peap->client_cert,
- peap->client_key, NULL)) {
+ peap->client_key, NULL) ||
+ (peap->ca_cert &&
+ !l_tls_set_cacert(peap->tunnel, peap->ca_cert))) {
 l_error("PEAP: Failed to set authentication data.");
 return false;
 }
- if (peap->ca_cert)
- l_tls_set_cacert(peap->tunnel, peap->ca_cert);
-
 return true;
 }
diff --git a/src/eap-tls.c b/src/eap-tls.c
index 4c88d0f4..8abf3551 100644
--- a/src/eap-tls.c
+++ b/src/eap-tls.c
@@ -146,9 +146,9 @@ static void eap_tls_ready_cb(const char *peer_identity, void *user_data)
 eap_start_complete_timeout(eap);
 /* MSK, EMSK and IV derivation */
- l_tls_prf_get_bytes(tls->tls, L_CHECKSUM_SHA256, 32, true,
+ l_tls_prf_get_bytes(tls->tls, true,
 "client EAP encryption", msk_emsk, 128);
- l_tls_prf_get_bytes(tls->tls, L_CHECKSUM_SHA256, 32, false,
+ l_tls_prf_get_bytes(tls->tls, false,
 "client EAP encryption", iv, 64);
 eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64, iv, 64);
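Review bot: The message `l_error("PEAP: Failed to set authentication data.");` now also fires when l_tls_set_cacert() fails, so an unloadable CA certificate is reported as an authentication-data problem and sends the operator to the wrong file. The eap-tls.c and eap-ttls.c hunks in this commit use a message that names both keys and certificates; the PEAP one should follow, e.g. `l_error("PEAP: Failed to set authentication data or CA certificate.");`, or the two calls could keep separate checks with distinct messages. Making a CA certificate load failure fatal instead of ignoring it, as the removed lines did, is the right call, since a silently dropped CA certificate presumably leaves the tunnel without the intended server-certificate check. eap_peap_tunnel_init starts outside the hunk.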
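Review bot: The 128-byte and 64-byte derivations here are the RFC 5216 section 2.3 key hierarchy, but the comment only says `/* MSK, EMSK and IV derivation */`; now that the call site no longer spells out the PRF hash, it is worth recording the contract there, e.g. `/* RFC 5216 section 2.3: MSK || EMSK = TLS-PRF-128(master_secret, "client EAP encryption"), IV = TLS-PRF-64("", "client EAP encryption") */`, where the second call with `false` presumably selects the empty-secret PRF the RFC uses for the IV. Dropping `L_CHECKSUM_SHA256, 32` means the PRF hash is now chosen inside l_tls, presumably from the negotiated TLS session; if that is the intent, a short note that the hash must match what the peer derives is also worth adding, as a mismatch would only show up as a failed 4-way handshake with no local error. The same documentation point applies to the eap-peap.c hunk at -512 and the eap-ttls.c hunks at -509 and -792, which use the RFC 5281 labels.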
@@ -317,11 +317,13 @@ static void eap_tls_handle_request(struct eap_state *eap,
 if (getenv("IWD_TLS_DEBUG"))
 l_tls_set_debug(tls->tls, eap_tls_debug_cb, NULL, NULL);
- l_tls_set_auth_data(tls->tls, tls->client_cert, tls->client_key,
- tls->passphrase);
-
- if (tls->ca_cert)
- l_tls_set_cacert(tls->tls, tls->ca_cert);
+ if (!l_tls_set_auth_data(tls->tls, tls->client_cert,
+ tls->client_key, tls->passphrase) ||
+ (tls->ca_cert &&
+ !l_tls_set_cacert(tls->tls, tls->ca_cert))) {
+ l_error("Error loading EAP-TLS keys or certificates");
+ goto err;
+ }
 }
 /*
diff --git a/src/eap-ttls.c b/src/eap-ttls.c
index 3445434b..c3df2e7c 100644
--- a/src/eap-ttls.c
+++ b/src/eap-ttls.c
@@ -509,7 +509,7 @@ static void eap_ttls_phase2_chap_generate_challenge(struct l_tls *tunnel,
 uint8_t *challenge, size_t challenge_len)
 {
- l_tls_prf_get_bytes(tunnel, L_CHECKSUM_SHA256, 32, true,
+ l_tls_prf_get_bytes(tunnel, true,
 "ttls challenge", challenge, challenge_len);
 }
@@ -792,7 +792,7 @@ static void eap_ttls_ready_cb(const char *peer_identity, void *user_data)
 eap_method_success(eap);
 /* MSK, EMSK and challenge derivation */
- l_tls_prf_get_bytes(ttls->tls, L_CHECKSUM_SHA256, 32, true,
+ l_tls_prf_get_bytes(ttls->tls, true,
 "ttls keying material", msk_emsk, 128);
 eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64,
@@ -1012,11 +1012,13 @@ add_to_pkt_buf:
 if (getenv("IWD_TLS_DEBUG"))
 l_tls_set_debug(ttls->tls, eap_ttls_debug_cb, NULL, NULL);
- l_tls_set_auth_data(ttls->tls, ttls->client_cert,
- ttls->client_key, ttls->passphrase);
-
- if (ttls->ca_cert)
- l_tls_set_cacert(ttls->tls, ttls->ca_cert);
+ if (!l_tls_set_auth_data(ttls->tls, ttls->client_cert,
+ ttls->client_key, ttls->passphrase) ||
+ (ttls->ca_cert &&
+ !l_tls_set_cacert(ttls->tls, ttls->ca_cert))) {
+ l_error("Error loading EAP-TTLS keys or certificates");
+ goto err;
+ }
 /*
 * RFC5281 section 9.1: "For all packets other than a
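Review bot: The new failure path does `goto err;`, and the `err` label, like the rest of eap_tls_handle_request, is outside the hunk; confirm that it releases the l_tls context this block has just configured (tls->tls) so a failed key or certificate load neither leaks it nor leaves a half-configured tunnel that a retransmitted request could continue with. Failing closed here is an improvement over the removed lines, which ignored the results of both l_tls_set_auth_data() and l_tls_set_cacert(), so a CA certificate that failed to load would presumably have let the handshake proceed without the configured trust anchor. The message `l_error("Error loading EAP-TLS keys or certificates");` could say which of the two calls failed; checking them in two separate if-blocks with distinct messages would make the diagnosis immediate. The same points apply to the eap-ttls.c hunk at -1012, whose enclosing function also starts and ends outside the hunk.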