The internal TLS client implementation can now be used with
ca_cert="probe://" to probe the server certificate chain. This is also
adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and
CTRL-EVENT-EAP-PEER-CERT events.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit adds support for "hash://server/sha256/cert_hash_in_hex"
scheme in ca_cert property for the internal TLS implementation.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
In documentation is written: "If ca_cert and ca_path are not included,
server certificate will not be verified". This is the case when
wpa_supplicant is compiled with OpenSSL library, but when using the
internal TLS implementation and some certificates in CA chain are in
unsupported format (e.g., use SHA384 or SHA512 hash functions) then
verification fails even if ca_cert property is not specified.
This commit changes behavior so that certificate verification in
internal TLS implementation is really skipped when ca_cert is not
specified.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
The internal TLS implementation assumes that the certificate chain
is ordered by issuer certificate following the certificate that it
signed. Add the certificates to the chain in suitable order when
loading multiple certificates.
In addition, start ordering header file includes to be in more
consistent order: system header files, src/utils, src/*, same
directory as the *.c file.
Private keys can now be used in either unencrypted or encrypted
PKCS #8 encoding. Only the pbeWithMD5AndDES-CBC algorithm (PKCS #5)
is currently supported.
Recognize the PEM header "BEGIN PRIVATE KEY" as base64-decode the data
to be able to use PEM encoded, unencrypted PKCS#8 private keys with the
internal TLS implementation. Previously, only DER encoding of the
PKCS#8 private key was supported.
