if (!thisint)    {      debug_printf(DEBUG_NORMAL, "Invalid interface struct in tls_funcs_load_root_certs()!\n");      return XEMALLOC;    }  if ((!root_cert) && (!root_dir))    {      debug_printf(DEBUG_NORMAL, "Invalid data passed in to tls_funcs_load_root_certs()!\n");      return XEMALLOC;    }  mytls_vars = (struct tls_vars *)thisint->eap_data;  if (!mytls_vars)    {      debug_printf(DEBUG_NORMAL, "Invalid EAP data was passed in to tls_funcs_load_root_certs()!\n");      return XEMALLOC;    }  if (root_cert == NULL)    {      debug_printf(DEBUG_NORMAL, "Error loading cert!  Path to cert is NULL!\n");      return XETLSCERTLOAD;    } else {      debug_printf(DEBUG_CONFIG, "Loading certificate %s . . . \n", root_cert);    }  if (mytls_vars->ctx == NULL)    {      debug_printf(DEBUG_NORMAL, "Invalid context in tls_funcs_load_root_certs()!\n");      return XEMALLOC;    }  SSL_CTX_set_info_callback(mytls_vars->ctx, (void (*) ()) ssl_info_callback);    if (SSL_CTX_load_verify_locations(mytls_vars->ctx, root_cert, root_dir) == 0)    {      debug_printf(DEBUG_NORMAL, "Failed to initalize path to root certificate!\n");      debug_printf(DEBUG_NORMAL, "Error : %s\n", ERR_error_string(ERR_get_error(), NULL));      if(mytls_vars->ctx)	{	  SSL_CTX_free(mytls_vars->ctx);	  mytls_vars->ctx = NULL;	}      return XETLSCERTLOAD;    }  debug_printf(DEBUG_CONFIG, "Loaded root certificate %s and dirctory %s\n",		root_cert, root_dir);  if (crl_dir) {    if (SSL_CTX_load_verify_locations(mytls_vars->ctx, NULL, crl_dir) == 0)      {	debug_printf(DEBUG_NORMAL, "Failed to initalize path to CRLs!\n");	debug_printf(DEBUG_NORMAL, "Error : %s\n", ERR_error_string(ERR_get_error(), NULL));	if(mytls_vars->ctx)	  {	    SSL_CTX_free(mytls_vars->ctx);	    mytls_vars->ctx = NULL;	  }	return XETLSCERTLOAD;      }  }    /* Do we really want to pick up the default paths? */  if (SSL_CTX_set_default_verify_paths(mytls_vars->ctx) == 0)    {      debug_printf(DEBUG_NORMAL, "Failed to initalize default paths for root certificates!\n");      debug_printf(DEBUG_NORMAL, "Error : %s\n", ERR_error_string(ERR_get_error(), NULL));      if(mytls_vars->ctx)	{	  SSL_CTX_free(mytls_vars->ctx);	  mytls_vars->ctx = NULL;	}      return XETLSCERTLOAD;    }  return XENONE;}int tls_funcs_load_random(struct generic_eap_data *thisint, char *random_file){  char *default_random = "/dev/urandom", *file;  struct tls_vars *mytls_vars;   if (!thisint)    {      debug_printf(DEBUG_NORMAL, "Invalid interface struct passed in to tls_funcs_load_random()!\n");      return XEMALLOC;    }  if (thisint->eap_data == NULL)    {      debug_printf(DEBUG_NORMAL, "Invalid EAP data in tls_funcs_load_random()!\n");      return XEMALLOC;    }  mytls_vars = thisint->eap_data;  file = random_file == NULL ? default_random : random_file;  if (RAND_load_file(file, 1024) < 0)    {      if(mytls_vars->ctx)	{	  SSL_CTX_free(mytls_vars->ctx);	  mytls_vars->ctx = NULL;	}	        debug_printf(DEBUG_NORMAL, "Couldn't load random data from %s\n", file);      return -1;    }   return XENONE;}int tls_funcs_load_user_cert(struct generic_eap_data *thisint, 			     char *client_cert, char *key_file, char *password,			     char *random_file){  struct tls_vars *mytls_vars;  if ((!thisint) || (!client_cert) || (!key_file) || (!password))    {      debug_printf(DEBUG_NORMAL, "Invalid state in tls_funcs_load_user_cert()!\n");      return XENOUSERDATA;    }  if (!thisint->eap_data)    {      debug_printf(DEBUG_NORMAL, "Invalid EAP data in tls_funcs_load_user_cert()!\n");      return XEMALLOC;    }  mytls_vars = (struct tls_vars *)thisint->eap_data;  SSL_CTX_set_default_passwd_cb_userdata(mytls_vars->ctx, password);  SSL_CTX_set_default_passwd_cb(mytls_vars->ctx, return_password);  if (SSL_CTX_use_certificate_file(mytls_vars->ctx, client_cert, 				   SSL_FILETYPE_ASN1) != 1 &&      SSL_CTX_use_certificate_file(mytls_vars->ctx, client_cert, 				   SSL_FILETYPE_PEM) != 1 )    {      debug_printf(DEBUG_NORMAL, "Couldn't load client certificate data!\n");      if(mytls_vars->ctx)	{	  SSL_CTX_free(mytls_vars->ctx);	  mytls_vars->ctx = NULL;	}      return XETLSCERTLOAD;    }  debug_printf(DEBUG_CONFIG, "Loading user Private Key from %s...\n", key_file);  if (SSL_CTX_use_PrivateKey_file(mytls_vars->ctx, key_file, 				  SSL_FILETYPE_PEM) != 1 &&      SSL_CTX_use_PrivateKey_file(mytls_vars->ctx, key_file, 				  SSL_FILETYPE_ASN1) != 1)     {      if(mytls_vars->ctx)	{	  SSL_CTX_free(mytls_vars->ctx);	  mytls_vars->ctx = NULL;	}      debug_printf(DEBUG_NORMAL, "Couldn't load client private key!\n");      return XETLSCERTLOAD;    }  if (!SSL_CTX_check_private_key(mytls_vars->ctx))    {      debug_printf(DEBUG_NORMAL, "Private key isn't valid!\n");      return XETLSCERTLOAD;    }  SSL_CTX_set_options(mytls_vars->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |		      SSL_OP_SINGLE_DH_USE);  SSL_CTX_set_verify(mytls_vars->ctx, SSL_VERIFY_PEER | 		     SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);  if (tls_funcs_load_random(thisint, random_file))    {      return XETLSCERTLOAD;    }  // If we made it this far, our user cert is loaded, so indicate it.  mytls_vars->cert_loaded = TRUE;  return XENONE;}int tls_funcs_failed(struct generic_eap_data *thisint){  struct tls_vars *mytls_vars;  debug_printf(DEBUG_EVERYTHING, "(TLS-FUNCS) Cleaning up (possible after a failure)!\n");  if (!thisint)    {      debug_printf(DEBUG_NORMAL, "Invalid interface struct in tls_funcs_cleanup()!\n");      return XEMALLOC;    }  if (!thisint->eap_data)    {      debug_printf(DEBUG_NORMAL, "Invalid EAP data in tls_funcs_cleanup()!\n");      return XEMALLOC;    }  ERR_free_strings();  mytls_vars = (struct tls_vars *)thisint->eap_data;  if (mytls_vars->ctx)    {      debug_printf(DEBUG_AUTHTYPES, "(EAP-TLS) Freeing mytls_vars->ctx!\n");      SSL_CTX_free(mytls_vars->ctx);      mytls_vars->ctx = NULL;    }  return XENONE;}int tls_funcs_cleanup(struct generic_eap_data *thisint){  int err=XENONE;  struct tls_vars *mytls_vars;  debug_printf(DEBUG_EVERYTHING, "(TLS-FUNCS) Cleaning up!\n");  if ((!thisint) || (!thisint->eap_data))    {      debug_printf(DEBUG_NORMAL, "Invalid interface structure passed to tls_funcs_cleanup()!\n");      return XEMALLOC;    }  mytls_vars = (struct tls_vars *)thisint->eap_data;  err = tls_funcs_failed(thisint);  if (mytls_vars->sessionkeyconst != NULL)    {      debug_printf(DEBUG_AUTHTYPES, "(EAP-TLS) Freeing session key const!\n");      free(mytls_vars->sessionkeyconst);      mytls_vars->sessionkeyconst = NULL;    }  return err;}/* TLS PRF from rfc2246 pages 11-12 */inttls_funcs_PRF(u_char *secret, int secret_len, u_char *label, int label_len, 	     u_char *seed, int seed_len, u_char *output, int outlen){  int retVal = 0;  int L_S1, L_S2;  u_char *S1, *S2;  u_char *P_MD5_buf, *P_SHA1_buf;  u_char *P_seed;  int P_seed_len;  u_char A_MD5[MD5_DIGEST_LENGTH];  u_char A_SHA1[SHA_DIGEST_LENGTH];  int MD5_iterations, SHA1_iterations;  int i, hashed_len;  const EVP_MD *hash;  HMAC_CTX ctx;  if ((!secret) || (!label) || (!seed) || (!output))    {      debug_printf(DEBUG_NORMAL, "Invalid data passed to tls_funcs_PRF()!\n");      return XEMALLOC;    }  /* determine the length of "half" the secret */  if (secret_len % 2 == 0) {    L_S1 = secret_len / 2;  }  else {    L_S1 = secret_len / 2 + 1;  }  L_S2 = L_S1;  S1 = secret; /* first L_S1 bytes of secret */  S2 = secret + secret_len - L_S2;  /* last L_S2 bytes of secret */  MD5_iterations = outlen / MD5_DIGEST_LENGTH;  /* if there is anything left over, iterate 1 more time */  MD5_iterations = outlen % MD5_DIGEST_LENGTH == 0 ?     MD5_iterations : MD5_iterations + 1;  SHA1_iterations = outlen / SHA_DIGEST_LENGTH;  SHA1_iterations = outlen % SHA_DIGEST_LENGTH == 0 ?    SHA1_iterations : SHA1_iterations + 1;  P_seed_len = label_len + seed_len;  P_seed = (u_char *)malloc(sizeof(u_char) * P_seed_len);  if (P_seed == NULL)    {      debug_printf(DEBUG_NORMAL, "Error with malloc of P_seed in tls_funcs_PRF().\n");      return XEMALLOC;    }  memcpy(P_seed, label, label_len);  memcpy(P_seed+label_len, seed, seed_len);  P_MD5_buf = (u_char *)malloc(sizeof(u_char) * 			       MD5_iterations  * MD5_DIGEST_LENGTH);  if (P_MD5_buf == NULL)    {      debug_printf(DEBUG_NORMAL, "Error with malloc of P_MD5_buf in tls_funcs_PRF().\n");      free(P_seed);      P_seed = NULL;      return XEMALLOC;    }  P_SHA1_buf = (u_char *)malloc(sizeof(u_char) *				SHA1_iterations * SHA_DIGEST_LENGTH);  if (P_SHA1_buf == NULL)    {      debug_printf(DEBUG_NORMAL, "Error with malloc of P_SHA1_buf in tls_funcs_PRF().\n");      free(P_seed);      P_seed = NULL;      free(P_MD5_buf);      P_MD5_buf = NULL;      return XEMALLOC;    }  /* P_MD5 */  hash = EVP_md5();  /* Initialize A_MD5 */  HMAC(hash, S1, L_S1, P_seed, P_seed_len, A_MD5, &hashed_len);  for (i = 0; i < MD5_iterations; i++) {    HMAC_Init(&ctx, S1, L_S1, hash);    HMAC_Update(&ctx, A_MD5, MD5_DIGEST_LENGTH);    HMAC_Update(&ctx, P_seed, P_seed_len);    HMAC_Final(&ctx, P_MD5_buf + i*(MD5_DIGEST_LENGTH), &hashed_len);    HMAC_cleanup(&ctx);    HMAC(hash, S1, L_S1, A_MD5, MD5_DIGEST_LENGTH,	 A_MD5, &hashed_len);  }      /* do P_SHA1 */  hash = EVP_sha1();  /* Initialize A_SHA1 */  HMAC(hash, S2, L_S2, P_seed, P_seed_len, A_SHA1, &hashed_len);  for (i = 0; i < SHA1_iterations; i++) {    HMAC_Init(&ctx, S2, L_S2, hash);    HMAC_Update(&ctx, A_SHA1, SHA_DIGEST_LENGTH);    HMAC_Update(&ctx, P_seed, P_seed_len);    HMAC_Final(&ctx, P_SHA1_buf + i*(SHA_DIGEST_LENGTH), &hashed_len);    HMAC_cleanup(&ctx);    HMAC(hash, S2, L_S2, A_SHA1, SHA_DIGEST_LENGTH,	 A_SHA1, &hashed_len);  }  /* XOR Them for the answer */  for (i = 0; i < outlen; i++) {    *(output + i) = P_MD5_buf[i] ^ P_SHA1_buf[i];  }  if (P_seed)    {free(P_seed); P_seed = NULL;}  if (P_MD5_buf)     {free(P_MD5_buf); P_MD5_buf = NULL;}  if (P_SHA1_buf)     {free(P_SHA1_buf); P_SHA1_buf = NULL;}  return retVal;}