Diffstat (limited to 'src/tls')
-rw-r--r-- | src/tls/.gitignore | 1 | ||||
-rw-r--r-- | src/tls/rsa.c | 2 | ||||
-rw-r--r-- | src/tls/tlsv1_client.c | 11 | ||||
-rw-r--r-- | src/tls/tlsv1_server_read.c | 10 |
4 files changed, 16 insertions, 8 deletions
diff --git a/src/tls/.gitignore b/src/tls/.gitignore deleted file mode 100644 index a4383358ec72f..0000000000000 --- a/src/tls/.gitignore +++ /dev/null @@ -1 +0,0 @@ -*.d diff --git a/src/tls/rsa.c b/src/tls/rsa.c index bfc0d5222495d..4965a2a311cc6 100644 --- a/src/tls/rsa.c +++ b/src/tls/rsa.c @@ -35,6 +35,7 @@ struct crypto_rsa_key { }; +#ifdef EAP_TLS_FUNCS static const u8 * crypto_rsa_parse_integer(const u8 *pos, const u8 *end, struct bignum *num) { @@ -223,6 +224,7 @@ error: crypto_rsa_free(key); return NULL; } +#endif /* EAP_TLS_FUNCS */ /** diff --git a/src/tls/tlsv1_client.c b/src/tls/tlsv1_client.c index 302e3ee13946c..0bf11742ca934 100644 --- a/src/tls/tlsv1_client.c +++ b/src/tls/tlsv1_client.c @@ -620,6 +620,17 @@ int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers) suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5; suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA; + + /* + * Cisco AP (at least 350 and 1200 series) local authentication + * server does not know how to search cipher suites from the + * list and seem to require that the last entry in the list is + * the one that it wants to use. However, TLS specification + * requires the list to be in the client preference order. As a + * workaround, add anon-DH AES-128-SHA1 again at the end of the + * list to allow the Cisco code to find it. + */ + suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA; conn->num_cipher_suites = count; } diff --git a/src/tls/tlsv1_server_read.c b/src/tls/tlsv1_server_read.c index 0e299d8aa4e5e..397d74a197abe 100644 --- a/src/tls/tlsv1_server_read.c +++ b/src/tls/tlsv1_server_read.c @@ -40,6 +40,7 @@ static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, u16 cipher_suite; u16 num_suites; int compr_null_found; + u16 ext_type, ext_len; if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 
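Review bot: The `#ifdef EAP_TLS_FUNCS` added in the first rsa.c hunk carries no comment saying why the code it opens is conditional, and its matching `#endif /* EAP_TLS_FUNCS */` sits about 190 lines later in the second hunk, so a reader at either end cannot tell what the guard covers or what build it serves. Everything between the two hunks is outside this page, so I cannot confirm that none of the functions now compiled out (`crypto_rsa_parse_integer` and whatever follows it up to the `error:` label) is referenced from a configuration built without EAP_TLS_FUNCS; that is worth checking against the callers before merging. I would put one line above the guard, e.g. `/* ASN.1 RSA key parsing below is only needed when EAP_TLS_FUNCS is set; matching #endif follows the key import code */`, adjusting the wording to the actual build dependency.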
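Review bot: The new `suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;` appends one more entry to `suites` with no bounds check visible in the hunk; `suites` and `count` are declared earlier in `tlsv1_client_set_cipher_list`, outside the hunk, so whether the array's capacity was sized to the previous number of entries cannot be confirmed from here and should be verified against the declaration, ideally with a check of `count` against that capacity before each append rather than relying on counting by hand. The added comment should also say what the hunk already implies: the entry is a duplicate of the AES-128 suite earlier in the same list, so a server that honours client preference order never reaches it and the change only affects servers that pick from the end, and a duplicate entry is harmless for the length fields because `count` is what sets `conn->num_cipher_suites`. Since every suite in this block is an anonymous-DH suite, the workaround does not change the fact that this list provides no server authentication whichever entry the peer selects; a short sentence to that effect in the comment would spare the next reader from wondering whether the duplicate weakens anything.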
@@ -183,10 +184,7 @@ static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, } if (end - pos >= 2) { - u16 ext_len; - /* Extension client_hello_extension_list<0..2^16-1> */ - ext_len = WPA_GET_BE16(pos); pos += 2; @@ -195,7 +193,7 @@ static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, if (end - pos != ext_len) { wpa_printf(MSG_DEBUG, "TLSv1: Invalid ClientHello " "extension list length %u (expected %u)", - ext_len, end - pos); + ext_len, (unsigned int) (end - pos)); goto decode_error; } @@ -207,8 +205,6 @@ static int tls_process_client_hello(struct tlsv1_server *conn, u8 ct, */ while (pos < end) { - u16 ext_type, ext_len; - if (end - pos < 2) { wpa_printf(MSG_DEBUG, "TLSv1: Invalid " "extension_type field"); @@ -520,7 +516,7 @@ static int tls_process_client_key_exchange_rsa( out, &outlen) < 0) { wpa_printf(MSG_DEBUG, "TLSv1: Failed to decrypt " "PreMasterSecret (encr_len=%d outlen=%lu)", - end - pos, (unsigned long) outlen); + (int) (end - pos), (unsigned long) outlen); use_random = 1; } |
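Review bot: In the hunk at -195 the format string pairs `%u` with `ext_len`, a `u16` that the variadic call promotes to `int`, yet the commit casts only the second argument, `(unsigned int) (end - pos)`. The promoted value is in range so this prints correctly in practice, but for a strictly matching argument list and symmetry with the cast just added I would write `(unsigned int) ext_len, (unsigned int) (end - pos));`. The equivalent `%d` / `(int) (end - pos)` pairing in the hunk at -520 is already consistent and needs nothing further.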