EAP-TTLS for OpenSSL too

sailfishos-mirror · Jun 7, 2019 · 732d38e · 732d38e
1 parent b7d2814
commit 732d38e
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 1 deletion.
diff --git a/library.c b/library.c
@@ -382,7 +382,10 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 	free(vpninfo->ifname);
 	free(vpninfo->dtls_cipher);
 	free(vpninfo->peer_cert_hash);
-#ifdef OPENCONNECT_GNUTLS
+#if defined(OPENCONNECT_OPENSSL)
+	if (vpninfo->ttls_bio_meth)
+		BIO_meth_free(vpninfo->ttls_bio_meth);
+#elif defined(OPENCONNECT_GNUTLS)
 	gnutls_free(vpninfo->cstp_cipher); /* In OpenSSL this is const */
 #ifdef HAVE_DTLS
 	gnutls_free(vpninfo->gnutls_dtls_cipher);

diff --git a/openconnect-internal.h b/openconnect-internal.h
@@ -507,6 +507,7 @@ struct openconnect_info {
 	X509 *cert_x509;
 	SSL_CTX *https_ctx;
 	SSL *https_ssl;
+	BIO_METHOD *ttls_bio_meth;
 #elif defined(OPENCONNECT_GNUTLS)
 	gnutls_session_t https_sess;
 	gnutls_session_t eap_ttls_sess;

diff --git a/openssl.c b/openssl.c
@@ -1978,3 +1978,81 @@ int hotp_hmac(struct openconnect_info *vpninfo, const void *challenge)
 	hashlen = hash[hashlen - 1] & 15;
 	return load_be32(&hash[hashlen]) & 0x7fffffff;
 }
+
+static int ttls_push_func(BIO *b, const char *buf, int len)
+{
+	struct openconnect_info *vpninfo = BIO_get_data(b);
+	int ret = pulse_eap_ttls_send(vpninfo, buf, len);
+	if (ret >= 0)
+		return ret;
+
+	return 0;
+}
+
+static int ttls_pull_func(BIO *b, char *buf, int len)
+{
+	struct openconnect_info *vpninfo = BIO_get_data(b);
+	int ret = pulse_eap_ttls_recv(vpninfo, buf, len);
+	if (ret >= 0)
+		return ret;
+
+	return 0;
+}
+
+static long ttls_ctrl_func(BIO *b, int cmd, long larg, void *iarg)
+{
+	switch(cmd) {
+	case BIO_CTRL_FLUSH:
+		return 1;
+	default:
+		return 0;
+	}
+}
+
+void *establish_eap_ttls(struct openconnect_info *vpninfo)
+{
+	SSL *ttls_ssl = NULL;
+	BIO *bio;
+	int err;
+
+
+	if (!vpninfo->ttls_bio_meth) {
+		vpninfo->ttls_bio_meth = BIO_meth_new(BIO_get_new_index(), "EAP-TTLS");
+		BIO_meth_set_write(vpninfo->ttls_bio_meth, ttls_push_func);
+		BIO_meth_set_read(vpninfo->ttls_bio_meth, ttls_pull_func);
+		BIO_meth_set_ctrl(vpninfo->ttls_bio_meth, ttls_ctrl_func);
+	}
+
+	bio = BIO_new(vpninfo->ttls_bio_meth);
+	BIO_set_data(bio, vpninfo);
+	BIO_set_init(bio, 1);
+	ttls_ssl = SSL_new(vpninfo->https_ctx);
+	workaround_openssl_certchain_bug(vpninfo, ttls_ssl);
+
+	SSL_set_bio(ttls_ssl, bio, bio);
+
+	SSL_set_verify(ttls_ssl, SSL_VERIFY_PEER, NULL);
+
+	vpn_progress(vpninfo, PRG_INFO, _("EAP-TTLS negotiation with %s\n"),
+		     vpninfo->hostname);
+
+	err = SSL_connect(ttls_ssl);
+	if (err == 1) {
+		vpn_progress(vpninfo, PRG_TRACE,
+			     _("Established EAP-TTLS session\n"));
+		return ttls_ssl;
+	}
+
+	err = SSL_get_error(ttls_ssl, err);
+	vpn_progress(vpninfo, PRG_ERR, _("EAP-TTLS connection failure %d\n"), err);
+	openconnect_report_ssl_errors(vpninfo);
+	SSL_free(ttls_ssl);
+	return NULL;
+}
+
+void destroy_eap_ttls(struct openconnect_info *vpninfo, void *ttls)
+{
+	SSL_free(ttls);
+	/* Leave the BIO_METH for now. It may get reused and we don't want to
+	 * have to call BIO_get_new_index() more times than is necessary */
+}