[PATCH v3 1/3] eap-tls-common: allow embedded PEMs in settings

[PATCH v3 1/3] eap-tls-common: allow embedded PEMs in settings

[James Prestwood]

[-- Attachment #1: Type: text/plain, Size: 14394 bytes --]

Refactoring was required to allow for embedded certs. The existing
eap_tls_state object was changed to hold the cert types (l_queue,
l_certchain, l_key) rather than the file path, since there may not
actually be separate PEM files.

Care was taken to properly manage the memory of these objects.
Since the TLS object takes ownership when setting auth data or the
CA certs all error cases must be handled properly to free these
objects after they are loaded and in addition they must be set to
NULL so that the cleanup doesn't double free them.

If everything goes to plan, we load all the PEMs in settings_load,
provide these objects to the TLS APIs, and then NULL out the
pointers (TLS now owns this memory). If anything fails between
settings_load and l_tls_start we must free these objects.

A special format must be used to indicate that a PEM is embedded
inside the settings file. First, the l_settings format should be
followed for the PEM itself, e.g.

[@pem(a)my_ca_cert]
<CA Cert data>

This PEM can then be referenced by "embed:my_ca_cert", e.g.

EAP-TLS-CACert=embed:my_ca_cert

Any other value not starting with "embed:" will be treated as a file
path.
---
 src/eap-tls-common.c | 259 +++++++++++++++++++++++++++++--------------
 1 file changed, 177 insertions(+), 82 deletions(-)

diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index 39015167..b76770ce 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -113,10 +113,9 @@ struct eap_tls_state {
 
 	bool expecting_frag_ack:1;
 
-	char *ca_cert;
-	char *client_cert;
-	char *client_key;
-	char *passphrase;
+	struct l_queue *ca_cert;
+	struct l_certchain *client_cert;
+	struct l_key *client_key;
 	char **domain_mask;
 
 	const struct eap_tls_variant_ops *variant_ops;
@@ -154,6 +153,21 @@ static void __eap_tls_common_state_reset(struct eap_tls_state *eap_tls)
 	}
 }
 
+static void __eap_tls_common_state_free(struct eap_tls_state *eap_tls)
+{
+	if (eap_tls->ca_cert)
+		l_queue_destroy(eap_tls->ca_cert,
+					(l_queue_destroy_func_t)l_cert_free);
+	if (eap_tls->client_cert)
+		l_certchain_free(eap_tls->client_cert);
+
+	if (eap_tls->client_key)
+		l_key_free(eap_tls->client_key);
+
+	l_strv_free(eap_tls->domain_mask);
+	l_free(eap_tls);
+}
+
 bool eap_tls_common_state_reset(struct eap_state *eap)
 {
 	struct eap_tls_state *eap_tls = eap_get_data(eap);
@@ -177,18 +191,7 @@ void eap_tls_common_state_free(struct eap_state *eap)
 	if (eap_tls->variant_ops->destroy)
 		eap_tls->variant_ops->destroy(eap_tls->variant_data);
 
-	l_free(eap_tls->ca_cert);
-	l_free(eap_tls->client_cert);
-	l_free(eap_tls->client_key);
-
-	if (eap_tls->passphrase) {
-		explicit_bzero(eap_tls->passphrase,
-				strlen(eap_tls->passphrase));
-		l_free(eap_tls->passphrase);
-	}
-
-	l_strv_free(eap_tls->domain_mask);
-	l_free(eap_tls);
+	__eap_tls_common_state_free(eap_tls);
 }
 
 static void eap_tls_tunnel_debug(const char *str, void *user_data)
@@ -544,55 +547,34 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
 									NULL);
 
 	if (eap_tls->client_cert || eap_tls->client_key) {
-		struct l_certchain *client_cert =
-			l_pem_load_certificate_chain(eap_tls->client_cert);
-		struct l_key *client_key;
-
-		if (!client_cert) {
-			l_error("%s: Failed to parse client certificate: %s.",
-					eap_get_method_name(eap),
-					eap_tls->client_cert);
-			return false;
-		}
+		if (!l_tls_set_auth_data(eap_tls->tunnel, eap_tls->client_cert,
+						eap_tls->client_key)) {
+			l_certchain_free(eap_tls->client_cert);
+			eap_tls->client_cert = NULL;
 
-		client_key = l_pem_load_private_key(eap_tls->client_key,
-							eap_tls->passphrase,
-							NULL);
-		if (!client_key) {
-			l_error("%s: Failed to parse client private key: %s.",
-					eap_get_method_name(eap),
-					eap_tls->client_key);
-			return false;
-		}
+			l_key_free(eap_tls->client_key);
+			eap_tls->client_key = NULL;
 
-		if (!l_tls_set_auth_data(eap_tls->tunnel,
-						client_cert, client_key)) {
-			l_certchain_free(client_cert);
-			l_key_free(client_key);
 			l_error("%s: Failed to set auth data.",
 					eap_get_method_name(eap));
 			return false;
 		}
+
+		eap_tls->client_cert = NULL;
+		eap_tls->client_key = NULL;
 	}
 
 	if (eap_tls->ca_cert) {
-		struct l_queue *ca_cert =
-			l_pem_load_certificate_list(eap_tls->ca_cert);
-
-		if (!ca_cert) {
-			l_error("%s: Error loading CA certificates from %s.",
-						eap_get_method_name(eap),
-						eap_tls->ca_cert);
-			return false;
-		}
-
-		if (!l_tls_set_cacert(eap_tls->tunnel, ca_cert)) {
-			l_queue_destroy(ca_cert,
+		if (!l_tls_set_cacert(eap_tls->tunnel, eap_tls->ca_cert)) {
+			l_queue_destroy(eap_tls->ca_cert,
 					(l_queue_destroy_func_t)l_cert_free);
+			eap_tls->ca_cert = NULL;
 			l_error("%s: Error settings CA certificates.",
 					eap_get_method_name(eap));
 			return false;
 		}
+
+		eap_tls->ca_cert = NULL;
 	}
 
 	if (eap_tls->domain_mask)
@@ -793,6 +775,83 @@ error:
 	eap_method_error(eap);
 }
 
+static const char *load_embedded_pem(struct l_settings *settings,
+					const char *name)
+{
+	const char *pem;
+	const char *type;
+
+	pem = l_settings_get_embedded_value(settings, name + 6, &type);
+	if (!pem)
+		return NULL;
+
+	if (strcmp(type, "pem"))
+		return NULL;
+
+	return pem;
+}
+
+static bool is_embedded(const char *str)
+{
+	if (!str)
+		return false;
+
+	if (strlen(str) < 6)
+		return false;
+
+	if (!strncmp("embed:", str, 6))
+		return true;
+
+	return false;
+}
+
+static struct l_queue *eap_tls_load_ca_cert(struct l_settings *settings,
+						const char *value)
+{
+	const char *pem;
+
+	if (!is_embedded(value))
+		return l_pem_load_certificate_list(value);
+
+	pem = load_embedded_pem(settings, value);
+	if (!pem)
+		return NULL;
+
+	return l_pem_load_certificate_list_from_data(pem, strlen(pem));
+}
+
+static struct l_certchain *eap_tls_load_client_cert(struct l_settings *settings,
+							const char *value)
+{
+	const char *pem;
+
+	if (!is_embedded(value))
+		return l_pem_load_certificate_chain(value);
+
+	pem = load_embedded_pem(settings, value);
+	if (!pem)
+		return NULL;
+
+	return l_pem_load_certificate_chain_from_data(pem, strlen(pem));
+}
+
+static struct l_key *eap_tls_load_priv_key(struct l_settings *settings,
+				const char *value, const char *passphrase,
+				bool *is_encrypted)
+{
+	const char *pem;
+
+	if (!is_embedded(value))
+		return l_pem_load_private_key(value, passphrase, is_encrypted);
+
+	pem = load_embedded_pem(settings, value);
+	if (!pem)
+		return NULL;
+
+	return l_pem_load_private_key_from_data(pem, strlen(pem),
+						passphrase, is_encrypted);
+}
+
 int eap_tls_common_settings_check(struct l_settings *settings,
 					struct l_queue *secrets,
 					const char *prefix,
@@ -813,16 +872,17 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 	struct l_key *pub_key;
 	const char *domain_mask_str;
 
-	L_AUTO_FREE_VAR(char *, path);
+	L_AUTO_FREE_VAR(char *, value);
 	L_AUTO_FREE_VAR(char *, client_cert) = NULL;
 	L_AUTO_FREE_VAR(char *, passphrase) = NULL;
 
 	snprintf(setting_key, sizeof(setting_key), "%sCACert", prefix);
-	path = l_settings_get_string(settings, "Security", setting_key);
-	if (path) {
-		cacerts = l_pem_load_certificate_list(path);
+	value = l_settings_get_string(settings, "Security", setting_key);
+	if (value) {
+		cacerts = eap_tls_load_ca_cert(settings, value);
+
 		if (!cacerts) {
-			l_error("Failed to load %s", path);
+			l_error("Failed to load %s", value);
 			return -EIO;
 		}
 	}
@@ -832,7 +892,8 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 	client_cert = l_settings_get_string(settings, "Security",
 							client_cert_setting);
 	if (client_cert) {
-		cert = l_pem_load_certificate_chain(client_cert);
+		cert = eap_tls_load_client_cert(settings, client_cert);
+
 		if (!cert) {
 			l_error("Failed to load %s", client_cert);
 			ret = -EIO;
@@ -843,7 +904,7 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 			if (cacerts)
 				l_error("Certificate chain %s is not trusted "
 					"by any CA in %s or fails verification"
-					": %s", client_cert, path, error_str);
+					": %s", client_cert, value, error_str);
 			else
 				l_error("Certificate chain %s fails "
 					"verification: %s",
@@ -854,17 +915,17 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 		}
 	}
 
-	l_free(path);
+	l_free(value);
 
 	snprintf(setting_key, sizeof(setting_key), "%sClientKey", prefix);
-	path = l_settings_get_string(settings, "Security", setting_key);
+	value = l_settings_get_string(settings, "Security", setting_key);
 
-	if (path && !client_cert) {
+	if (value && !client_cert) {
 		l_error("%s present but no client certificate (%s)",
 					setting_key, client_cert_setting);
 		ret = -ENOENT;
 		goto done;
-	} else if (!path && client_cert) {
+	} else if (!value && client_cert) {
 		l_error("%s present but no client private key (%s)",
 					client_cert_setting, setting_key);
 		ret = -ENOENT;
@@ -885,10 +946,11 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 			passphrase = l_strdup(secret->value);
 	}
 
-	if (!path) {
+	if (!value) {
 		if (passphrase) {
-			l_error("%s present but no client private key path set (%s)",
-				passphrase_setting, setting_key);
+			l_error("%s present but no client private key"
+				" value set (%s)", passphrase_setting,
+				setting_key);
 			ret = -ENOENT;
 			goto done;
 		}
@@ -897,17 +959,19 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 		goto done;
 	}
 
-	priv_key = l_pem_load_private_key(path, passphrase, &is_encrypted);
+	priv_key = eap_tls_load_priv_key(settings, value, passphrase,
+						&is_encrypted);
+
 	if (!priv_key) {
 		if (!is_encrypted) {
-			l_error("Error loading client private key %s", path);
+			l_error("Error loading client private key %s", value);
 			ret = -EIO;
 			goto done;
 		}
 
 		if (passphrase) {
 			l_error("Error loading encrypted client private key %s",
-				path);
+				value);
 			ret = -EACCES;
 			goto done;
 		}
@@ -918,7 +982,7 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 		 */
 		eap_append_secret(out_missing,
 					EAP_SECRET_LOCAL_PKEY_PASSPHRASE,
-					passphrase_setting, NULL, path,
+					passphrase_setting, NULL, value,
 					EAP_CACHE_TEMPORARY);
 		ret = 0;
 		goto done;
@@ -926,7 +990,7 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 
 	if (passphrase && !is_encrypted) {
 		l_error("%s present but client private key %s is not encrypted",
-			passphrase_setting, path);
+			passphrase_setting, value);
 		ret = -ENOENT;
 		goto done;
 	}
@@ -934,7 +998,7 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 	if (!l_key_get_info(priv_key, L_KEY_RSA_PKCS1_V1_5, L_CHECKSUM_NONE,
 				&size, &is_public) || is_public) {
 		l_error("%s is not a private key or l_key_get_info fails",
-			path);
+			value);
 		ret = -EINVAL;
 		goto done;
 	}
@@ -964,14 +1028,14 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 	result = l_key_decrypt(priv_key, L_KEY_RSA_PKCS1_V1_5, L_CHECKSUM_NONE,
 				encrypted, decrypted, size, size);
 	if (result < 0) {
-		l_error("l_key_decrypt fails with %s: %s", path,
+		l_error("l_key_decrypt fails with %s: %s", value,
 			strerror(-result));
 		ret = result;
 		goto done;
 	}
 
 	if (result != 1 || decrypted[0] != 0) {
-		l_error("Private key %s does not match certificate %s", path,
+		l_error("Private key %s does not match certificate %s", value,
 			client_cert);
 		ret = -EINVAL;
 		goto done;
@@ -1014,6 +1078,8 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 	struct eap_tls_state *eap_tls;
 	char setting_key[72];
 	char *domain_mask_str;
+	L_AUTO_FREE_VAR(char *, value) = NULL;
+	L_AUTO_FREE_VAR(char *, passphrase) = NULL;
 
 	eap_tls = l_new(struct eap_tls_state, 1);
 
@@ -1022,21 +1088,45 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 	eap_tls->variant_data = variant_data;
 
 	snprintf(setting_key, sizeof(setting_key), "%sCACert", prefix);
-	eap_tls->ca_cert = l_settings_get_string(settings, "Security",
-								setting_key);
+	value = l_settings_get_string(settings, "Security", setting_key);
+	if (value) {
+		eap_tls->ca_cert = eap_tls_load_ca_cert(settings, value);
+		if (!eap_tls->ca_cert) {
+			l_error("Could not load CACert %s", value);
+			goto load_error;
+		}
+	}
+
+	l_free(value);
 
 	snprintf(setting_key, sizeof(setting_key), "%sClientCert", prefix);
-	eap_tls->client_cert = l_settings_get_string(settings, "Security",
-								setting_key);
+	value = l_settings_get_string(settings, "Security", setting_key);
+	if (value) {
+		eap_tls->client_cert = eap_tls_load_client_cert(settings,
+								value);
+		if (!eap_tls->ca_cert) {
+			l_error("Could not load ClientCert %s", value);
+			goto load_error;
+		}
+	}
 
-	snprintf(setting_key, sizeof(setting_key), "%sClientKey", prefix);
-	eap_tls->client_key = l_settings_get_string(settings, "Security",
-								setting_key);
+	l_free(value);
 
 	snprintf(setting_key, sizeof(setting_key), "%sClientKeyPassphrase",
 									prefix);
-	eap_tls->passphrase = l_settings_get_string(settings, "Security",
-								setting_key);
+	passphrase = l_settings_get_string(settings, "Security", setting_key);
+
+	snprintf(setting_key, sizeof(setting_key), "%sClientKey", prefix);
+	value = l_settings_get_string(settings, "Security", setting_key);
+	if (value) {
+		eap_tls->client_key = eap_tls_load_priv_key(settings, value,
+								passphrase,
+								NULL);
+		if (!eap_tls->client_key) {
+			l_error("Could not load ClientKey %s", value);
+			goto load_error;
+		}
+	}
 
 	snprintf(setting_key, sizeof(setting_key), "%sServerDomainMask",
 								prefix);
@@ -1051,6 +1141,11 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 	eap_set_data(eap, eap_tls);
 
 	return true;
+
+load_error:
+	__eap_tls_common_state_free(eap_tls);
+
+	return false;
 }
 
 void eap_tls_common_set_completed(struct eap_state *eap)
-- 
2.17.1

[PATCH v3 2/3] build: generate tls config for unit tests

[James Prestwood]

[-- Attachment #1: Type: text/plain, Size: 2012 bytes --]

To test embedded certs we need a settings file containing the same
PEMs that we generate during build time. In the same fashion generate
tls-settings.8021x file using the previously generated PEMs.
---
 Makefile.am | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

-v3:
 * Escape each $(file operation newline

diff --git a/Makefile.am b/Makefile.am
index 7f01689a..5d835735 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -441,7 +441,8 @@ unit_test_eapol_DEPENDENCIES = $(ell_dependencies) \
 				unit/cert-server.pem \
 				unit/cert-server-key-pkcs8.pem \
 				unit/cert-client.pem \
-				unit/cert-client-key-pkcs8.pem
+				unit/cert-client-key-pkcs8.pem \
+				unit/tls-settings.8021x
 
 unit_test_util_SOURCES = src/util.h src/util.c \
 				unit/test-util.c
@@ -576,6 +577,21 @@ unit/cert-client.pem: unit/cert-client.csr unit/cert-ca.pem unit/gencerts.cnf
 			-CAserial $(builddir)/unit/cert-ca.srl \
 			-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
 
+unit/tls-settings.8021x: unit/cert-ca.pem unit/cert-client.pem unit/cert-client-key-pkcs8.pem
+	$(AM_V_GEN) \
+	$(file >$@,[Security]) \
+	$(file >>$@,EAP-Method=TLS) \
+	$(file >>$@,EAP-Identity=abc(a)example.com) \
+	$(file >>$@,EAP-TLS-CACert=embed:ca_cert) \
+	$(file >>$@,EAP-TLS-ClientCert=embed:client_cert) \
+	$(file >>$@,EAP-TLS-ClientKey=embed:client_key) \
+	$(file >>$@,[@pem(a)ca_cert]) \
+	$(shell cat unit/cert-ca.pem >> $@) \
+	$(file >>$@,[@pem(a)client_cert]) \
+	$(shell cat unit/cert-client.pem >> $@) \
+	$(file >>$@,[@pem(a)client_key]) \
+	$(shell cat unit/cert-client-key-pkcs8.pem >> $@)
+
 BUILT_SOURCES = $(ell_built_sources) src/builtin.h
 
 ell/internal: Makefile
@@ -627,7 +643,7 @@ endif
 endif
 
 clean-local:
-	-rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl
+	-rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl unit/*-settings.8021x
 
 maintainer-clean-local:
 	-rm -rf build-aux ell
-- 
2.17.1

[PATCH v3 3/3] unit: add test for embedded certs to test-eapol

[James Prestwood]

[-- Attachment #1: Type: text/plain, Size: 6614 bytes --]

Refactored eapol_sm_test_tls to take a l_settings object rather than
a settings string. This lets the caller either load from data or
from file (the new test loads the build time generated tls-settings
file).
---
 unit/test-eapol.c | 65 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 50 insertions(+), 15 deletions(-)

diff --git a/unit/test-eapol.c b/unit/test-eapol.c
index 933d9522..1fe39b0c 100644
--- a/unit/test-eapol.c
+++ b/unit/test-eapol.c
@@ -2886,7 +2886,7 @@ static void test_handshake_event(struct handshake_state *hs,
 }
 
 static void eapol_sm_test_tls(struct eapol_8021x_tls_test_state *s,
-				const char *config)
+				struct l_settings *config)
 {
 	static const unsigned char ap_wpa_ie[] = {
 		0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
@@ -2898,7 +2898,6 @@ static void eapol_sm_test_tls(struct eapol_8021x_tls_test_state *s,
 	struct handshake_state *hs;
 	struct test_handshake_state *ths;
 	struct eapol_sm *sm;
-	struct l_settings *settings;
 	uint8_t tx_buf[2000];
 	size_t header_len, data_len, tx_len;
 	bool start;
@@ -2933,13 +2932,9 @@ static void eapol_sm_test_tls(struct eapol_8021x_tls_test_state *s,
 
 	handshake_state_set_authenticator_ie(hs, ap_wpa_ie);
 
-	settings = l_settings_new();
-	l_settings_load_from_data(settings, config, strlen(config));
-	handshake_state_set_8021x_config(hs, settings);
+	handshake_state_set_8021x_config(hs, config);
 	eapol_start(sm);
 
-	l_settings_free(settings);
-
 	__eapol_set_tx_packet_func(verify_8021x_identity_resp);
 	s->pending_req = 1;
 	__eapol_rx_packet(1, ap_address, ETH_P_PAE, eap_identity_req,
@@ -3152,25 +3147,48 @@ done:
 
 static void eapol_sm_test_eap_tls(const void *data)
 {
-	static const char *eapol_8021x_config = "[Security]\n"
+	static const char *config_8021x = "[Security]\n"
 		"EAP-Method=TLS\n"
 		"EAP-Identity=abc(a)example.com\n"
 		"EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
 		"EAP-TLS-ClientCert=" CERTDIR "cert-client.pem\n"
 		"EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem";
 	struct eapol_8021x_tls_test_state s = {};
+	struct l_settings* config = l_settings_new();
+
+	l_settings_load_from_data(config, config_8021x, strlen(config_8021x));
 
 	s.app_data_cb = eapol_sm_test_tls_new_data;
 	s.ready_cb = eapol_sm_test_tls_test_ready;
 	s.disconnect_cb = eapol_sm_test_tls_test_disconnected;
 	s.method = EAP_TYPE_TLS;
 
-	eapol_sm_test_tls(&s, eapol_8021x_config);
+	eapol_sm_test_tls(&s, config);
+
+	l_settings_free(config);
+}
+
+static void eapol_sm_test_eap_tls_embedded(const void *data)
+{
+	struct eapol_8021x_tls_test_state s = {};
+	struct l_settings *config;
+
+	config = l_settings_new();
+	l_settings_load_from_file(config, CERTDIR "tls-settings.8021x");
+
+	s.app_data_cb = eapol_sm_test_tls_new_data;
+	s.ready_cb = eapol_sm_test_tls_test_ready;
+	s.disconnect_cb = eapol_sm_test_tls_test_disconnected;
+	s.method = EAP_TYPE_TLS;
+
+	eapol_sm_test_tls(&s, config);
+
+	l_settings_free(config);
 }
 
 static void eapol_sm_test_eap_tls_subject_good(const void *data)
 {
-	static const char *eapol_8021x_config = "[Security]\n"
+	static const char *config_8021x = "[Security]\n"
 		"EAP-Method=TLS\n"
 		"EAP-Identity=abc(a)example.com\n"
 		"EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
@@ -3178,18 +3196,23 @@ static void eapol_sm_test_eap_tls_subject_good(const void *data)
 		"EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem\n"
 		"EAP-TLS-ServerDomainMask=bad.example.org;*.example.org";
 	struct eapol_8021x_tls_test_state s = {};
+	struct l_settings* config = l_settings_new();
+
+	l_settings_load_from_data(config, config_8021x, strlen(config_8021x));
 
 	s.app_data_cb = eapol_sm_test_tls_new_data;
 	s.ready_cb = eapol_sm_test_tls_test_ready;
 	s.disconnect_cb = eapol_sm_test_tls_test_disconnected;
 	s.method = EAP_TYPE_TLS;
 
-	eapol_sm_test_tls(&s, eapol_8021x_config);
+	eapol_sm_test_tls(&s, config);
+
+	l_settings_free(config);
 }
 
 static void eapol_sm_test_eap_tls_subject_bad(const void *data)
 {
-	static const char *eapol_8021x_config = "[Security]\n"
+	static const char *config_8021x = "[Security]\n"
 		"EAP-Method=TLS\n"
 		"EAP-Identity=abc(a)example.com\n"
 		"EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
@@ -3197,6 +3220,9 @@ static void eapol_sm_test_eap_tls_subject_bad(const void *data)
 		"EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem\n"
 		"EAP-TLS-ServerDomainMask=bad.example.org";
 	struct eapol_8021x_tls_test_state s = {};
+	struct l_settings* config = l_settings_new();
+
+	l_settings_load_from_data(config, config_8021x, strlen(config_8021x));
 
 	s.app_data_cb = eapol_sm_test_tls_new_data;
 	s.ready_cb = eapol_sm_test_tls_test_ready;
@@ -3204,7 +3230,9 @@ static void eapol_sm_test_eap_tls_subject_bad(const void *data)
 	s.method = EAP_TYPE_TLS;
 	s.expect_handshake_fail = true;
 
-	eapol_sm_test_tls(&s, eapol_8021x_config);
+	eapol_sm_test_tls(&s, config);
+
+	l_settings_free(config);
 }
 
 static const uint8_t eap_ttls_eap_identity_avp[] = {
@@ -3267,7 +3295,7 @@ static void eapol_sm_test_eap_ttls_test_ready(const char *peer_identity,
 
 static void eapol_sm_test_eap_ttls_md5(const void *data)
 {
-	static const char *eapol_8021x_config = "[Security]\n"
+	static const char *config_8021x = "[Security]\n"
 		"EAP-Method=TTLS\n"
 		"EAP-Identity=abc(a)example.com\n"
 		"EAP-TTLS-CACert=" CERTDIR "cert-ca.pem\n"
@@ -3277,13 +3305,18 @@ static void eapol_sm_test_eap_ttls_md5(const void *data)
 		"EAP-TTLS-Phase2-Identity=abc(a)example.com\n"
 		"EAP-TTLS-Phase2-Password=testpasswd";
 	struct eapol_8021x_eap_ttls_test_state s = {};
+	struct l_settings* config = l_settings_new();
+
+	l_settings_load_from_data(config, config_8021x, strlen(config_8021x));
 
 	s.tls.app_data_cb = eapol_sm_test_eap_ttls_new_data;
 	s.tls.ready_cb = eapol_sm_test_eap_ttls_test_ready;
 	s.tls.disconnect_cb = eapol_sm_test_tls_test_disconnected;
 	s.tls.method = EAP_TYPE_TTLS;
 
-	eapol_sm_test_tls(&s.tls, eapol_8021x_config);
+	eapol_sm_test_tls(&s.tls, config);
+
+	l_settings_free(config);
 }
 
 static const uint8_t eap_ttls_start_req[] = {
@@ -3605,6 +3638,8 @@ int main(int argc, char *argv[])
 				&eapol_sm_test_eap_tls_subject_good, NULL);
 		l_test_add("EAPoL/8021x EAP-TLS subject name mismatch",
 				&eapol_sm_test_eap_tls_subject_bad, NULL);
+		l_test_add("EAPoL/8021x EAP-TLS embedded certs",
+				&eapol_sm_test_eap_tls_embedded, NULL);
 	}
 
 	l_test_add("EAPoL/FT-Using-PSK 4-Way Handshake",
-- 
2.17.1

Re: [PATCH v3 1/3] eap-tls-common: allow embedded PEMs in settings

[Denis Kenzior]

[-- Attachment #1: Type: text/plain, Size: 85 bytes --]

Hi James,

All applied (patch 1 from v1 was applied earlier).

Regards,
-Denis