TLS: Use separate TLS library context for tunneled TLS

OpenSSL wrapper was using the same certificate store for both Phase 1 and Phase 2 TLS exchange in case of EAP-PEAP/TLS, EAP-TTLS/TLS, and EAP-FAST/TLS. This would be fine if the same CA certificates were used in both phases, but does not work properly if different CA certificates are used. Enforce full separation of TLS state between the phases by using a separate TLS library context in EAP peer implementation. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-04-07 20:57:02 +03:00 · 2012-04-07 20:57:02 +03:00 · 9f98810c5d
commit 9f98810c5d
parent d755e01b34
5 changed files with 46 additions and 24 deletions
--- a/src/eap_peer/eap_tls_common.h
+++ b/src/eap_peer/eap_tls_common.h
@ -1,6 +1,6 @@
 /*
 * EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
- * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2009, 2012, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
@ -63,6 +63,11 @@ struct eap_ssl_data {
 	 * eap - EAP state machine allocated with eap_peer_sm_init()
 	 */
 	struct eap_sm *eap;
+
+	/**
+	 * ssl_ctx - TLS library context to use for the connection
+	 */
+	void *ssl_ctx;
 };