1 /*
2 * TLSv1 credentials
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "base64.h"
13 #include "crypto/crypto.h"
14 #include "crypto/sha1.h"
15 #include "pkcs5.h"
16 #include "pkcs8.h"
17 #include "x509v3.h"
18 #include "tlsv1_cred.h"
19
20
tlsv1_cred_alloc(void)21 struct tlsv1_credentials * tlsv1_cred_alloc(void)
22 {
23 struct tlsv1_credentials *cred;
24 cred = os_zalloc(sizeof(*cred));
25 return cred;
26 }
27
28
tlsv1_cred_free(struct tlsv1_credentials * cred)29 void tlsv1_cred_free(struct tlsv1_credentials *cred)
30 {
31 if (cred == NULL)
32 return;
33
34 x509_certificate_chain_free(cred->trusted_certs);
35 x509_certificate_chain_free(cred->cert);
36 crypto_private_key_free(cred->key);
37 os_free(cred->dh_p);
38 os_free(cred->dh_g);
39 os_free(cred->ocsp_stapling_response);
40 os_free(cred->ocsp_stapling_response_multi);
41 os_free(cred);
42 }
43
44
tlsv1_add_cert_der(struct x509_certificate ** chain,const u8 * buf,size_t len)45 static int tlsv1_add_cert_der(struct x509_certificate **chain,
46 const u8 *buf, size_t len)
47 {
48 struct x509_certificate *cert, *p;
49 char name[128];
50
51 cert = x509_certificate_parse(buf, len);
52 if (cert == NULL) {
53 wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate",
54 __func__);
55 return -1;
56 }
57
58 p = *chain;
59 while (p && p->next)
60 p = p->next;
61 if (p && x509_name_compare(&cert->subject, &p->issuer) == 0) {
62 /*
63 * The new certificate is the issuer of the last certificate in
64 * the chain - add the new certificate to the end.
65 */
66 p->next = cert;
67 } else {
68 /* Add to the beginning of the chain */
69 cert->next = *chain;
70 *chain = cert;
71 }
72
73 x509_name_string(&cert->subject, name, sizeof(name));
74 wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name);
75
76 return 0;
77 }
78
79
80 static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
81 static const char *pem_cert_end = "-----END CERTIFICATE-----";
82 static const char *pem_key_begin = "-----BEGIN RSA PRIVATE KEY-----";
83 static const char *pem_key_end = "-----END RSA PRIVATE KEY-----";
84 static const char *pem_key2_begin = "-----BEGIN PRIVATE KEY-----";
85 static const char *pem_key2_end = "-----END PRIVATE KEY-----";
86 static const char *pem_key_enc_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
87 static const char *pem_key_enc_end = "-----END ENCRYPTED PRIVATE KEY-----";
88
89
search_tag(const char * tag,const u8 * buf,size_t len)90 static const u8 * search_tag(const char *tag, const u8 *buf, size_t len)
91 {
92 size_t i, plen;
93
94 plen = os_strlen(tag);
95 if (len < plen)
96 return NULL;
97
98 for (i = 0; i < len - plen; i++) {
99 if (os_memcmp(buf + i, tag, plen) == 0)
100 return buf + i;
101 }
102
103 return NULL;
104 }
105
106
tlsv1_add_cert(struct x509_certificate ** chain,const u8 * buf,size_t len)107 static int tlsv1_add_cert(struct x509_certificate **chain,
108 const u8 *buf, size_t len)
109 {
110 const u8 *pos, *end;
111 unsigned char *der;
112 size_t der_len;
113
114 pos = search_tag(pem_cert_begin, buf, len);
115 if (!pos) {
116 wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - "
117 "assume DER format");
118 return tlsv1_add_cert_der(chain, buf, len);
119 }
120
121 wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into "
122 "DER format");
123
124 while (pos) {
125 pos += os_strlen(pem_cert_begin);
126 end = search_tag(pem_cert_end, pos, buf + len - pos);
127 if (end == NULL) {
128 wpa_printf(MSG_INFO, "TLSv1: Could not find PEM "
129 "certificate end tag (%s)", pem_cert_end);
130 return -1;
131 }
132
133 der = base64_decode((const char *) pos, end - pos, &der_len);
134 if (der == NULL) {
135 wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM "
136 "certificate");
137 return -1;
138 }
139
140 if (tlsv1_add_cert_der(chain, der, der_len) < 0) {
141 wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM "
142 "certificate after DER conversion");
143 os_free(der);
144 return -1;
145 }
146
147 os_free(der);
148
149 end += os_strlen(pem_cert_end);
150 pos = search_tag(pem_cert_begin, end, buf + len - end);
151 }
152
153 return 0;
154 }
155
156
tlsv1_set_cert_chain(struct x509_certificate ** chain,const char * cert,const u8 * cert_blob,size_t cert_blob_len)157 static int tlsv1_set_cert_chain(struct x509_certificate **chain,
158 const char *cert, const u8 *cert_blob,
159 size_t cert_blob_len)
160 {
161 if (cert_blob)
162 return tlsv1_add_cert(chain, cert_blob, cert_blob_len);
163
164 if (cert) {
165 u8 *buf;
166 size_t len;
167 int ret;
168
169 buf = (u8 *) os_readfile(cert, &len);
170 if (buf == NULL) {
171 wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
172 cert);
173 return -1;
174 }
175
176 ret = tlsv1_add_cert(chain, buf, len);
177 os_free(buf);
178 return ret;
179 }
180
181 return 0;
182 }
183
184
185 /**
186 * tlsv1_set_ca_cert - Set trusted CA certificate(s)
187 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
188 * @cert: File or reference name for X.509 certificate in PEM or DER format
189 * @cert_blob: cert as inlined data or %NULL if not used
190 * @cert_blob_len: ca_cert_blob length
191 * @path: Path to CA certificates (not yet supported)
192 * Returns: 0 on success, -1 on failure
193 */
tlsv1_set_ca_cert(struct tlsv1_credentials * cred,const char * cert,const u8 * cert_blob,size_t cert_blob_len,const char * path)194 int tlsv1_set_ca_cert(struct tlsv1_credentials *cred, const char *cert,
195 const u8 *cert_blob, size_t cert_blob_len,
196 const char *path)
197 {
198 if (cert && os_strncmp(cert, "hash://", 7) == 0) {
199 const char *pos = cert + 7;
200 if (os_strncmp(pos, "server/sha256/", 14) != 0) {
201 wpa_printf(MSG_DEBUG,
202 "TLSv1: Unsupported ca_cert hash value '%s'",
203 cert);
204 return -1;
205 }
206 pos += 14;
207 if (os_strlen(pos) != 32 * 2) {
208 wpa_printf(MSG_DEBUG,
209 "TLSv1: Unexpected SHA256 hash length in ca_cert '%s'",
210 cert);
211 return -1;
212 }
213 if (hexstr2bin(pos, cred->srv_cert_hash, 32) < 0) {
214 wpa_printf(MSG_DEBUG,
215 "TLSv1: Invalid SHA256 hash value in ca_cert '%s'",
216 cert);
217 return -1;
218 }
219 cred->server_cert_only = 1;
220 cred->ca_cert_verify = 0;
221 wpa_printf(MSG_DEBUG,
222 "TLSv1: Checking only server certificate match");
223 return 0;
224 }
225
226 if (cert && os_strncmp(cert, "probe://", 8) == 0) {
227 cred->cert_probe = 1;
228 cred->ca_cert_verify = 0;
229 wpa_printf(MSG_DEBUG, "TLSv1: Only probe server certificate");
230 return 0;
231 }
232
233 cred->ca_cert_verify = cert || cert_blob || path;
234
235 if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
236 cert_blob, cert_blob_len) < 0)
237 return -1;
238
239 if (path) {
240 /* TODO: add support for reading number of certificate files */
241 wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory "
242 "not yet supported");
243 return -1;
244 }
245
246 return 0;
247 }
248
249
250 /**
251 * tlsv1_set_cert - Set certificate
252 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
253 * @cert: File or reference name for X.509 certificate in PEM or DER format
254 * @cert_blob: cert as inlined data or %NULL if not used
255 * @cert_blob_len: cert_blob length
256 * Returns: 0 on success, -1 on failure
257 */
tlsv1_set_cert(struct tlsv1_credentials * cred,const char * cert,const u8 * cert_blob,size_t cert_blob_len)258 int tlsv1_set_cert(struct tlsv1_credentials *cred, const char *cert,
259 const u8 *cert_blob, size_t cert_blob_len)
260 {
261 return tlsv1_set_cert_chain(&cred->cert, cert,
262 cert_blob, cert_blob_len);
263 }
264
265
tlsv1_set_key_pem(const u8 * key,size_t len)266 static struct crypto_private_key * tlsv1_set_key_pem(const u8 *key, size_t len)
267 {
268 const u8 *pos, *end;
269 unsigned char *der;
270 size_t der_len;
271 struct crypto_private_key *pkey;
272
273 pos = search_tag(pem_key_begin, key, len);
274 if (!pos) {
275 pos = search_tag(pem_key2_begin, key, len);
276 if (!pos)
277 return NULL;
278 pos += os_strlen(pem_key2_begin);
279 end = search_tag(pem_key2_end, pos, key + len - pos);
280 if (!end)
281 return NULL;
282 } else {
283 const u8 *pos2;
284 pos += os_strlen(pem_key_begin);
285 end = search_tag(pem_key_end, pos, key + len - pos);
286 if (!end)
287 return NULL;
288 pos2 = search_tag("Proc-Type: 4,ENCRYPTED", pos, end - pos);
289 if (pos2) {
290 wpa_printf(MSG_DEBUG, "TLSv1: Unsupported private key "
291 "format (Proc-Type/DEK-Info)");
292 return NULL;
293 }
294 }
295
296 der = base64_decode((const char *) pos, end - pos, &der_len);
297 if (!der)
298 return NULL;
299 pkey = crypto_private_key_import(der, der_len, NULL);
300 os_free(der);
301 return pkey;
302 }
303
304
tlsv1_set_key_enc_pem(const u8 * key,size_t len,const char * passwd)305 static struct crypto_private_key * tlsv1_set_key_enc_pem(const u8 *key,
306 size_t len,
307 const char *passwd)
308 {
309 const u8 *pos, *end;
310 unsigned char *der;
311 size_t der_len;
312 struct crypto_private_key *pkey;
313
314 if (passwd == NULL)
315 return NULL;
316 pos = search_tag(pem_key_enc_begin, key, len);
317 if (!pos)
318 return NULL;
319 pos += os_strlen(pem_key_enc_begin);
320 end = search_tag(pem_key_enc_end, pos, key + len - pos);
321 if (!end)
322 return NULL;
323
324 der = base64_decode((const char *) pos, end - pos, &der_len);
325 if (!der)
326 return NULL;
327 pkey = crypto_private_key_import(der, der_len, passwd);
328 os_free(der);
329 return pkey;
330 }
331
332
333 #ifdef PKCS12_FUNCS
334
oid_is_rsadsi(struct asn1_oid * oid)335 static int oid_is_rsadsi(struct asn1_oid *oid)
336 {
337 return oid->len >= 4 &&
338 oid->oid[0] == 1 /* iso */ &&
339 oid->oid[1] == 2 /* member-body */ &&
340 oid->oid[2] == 840 /* us */ &&
341 oid->oid[3] == 113549 /* rsadsi */;
342 }
343
344
pkcs12_is_bagtype_oid(struct asn1_oid * oid,unsigned long type)345 static int pkcs12_is_bagtype_oid(struct asn1_oid *oid, unsigned long type)
346 {
347 return oid->len == 9 &&
348 oid_is_rsadsi(oid) &&
349 oid->oid[4] == 1 /* pkcs */ &&
350 oid->oid[5] == 12 /* pkcs-12 */ &&
351 oid->oid[6] == 10 &&
352 oid->oid[7] == 1 /* bagtypes */ &&
353 oid->oid[8] == type;
354 }
355
356
is_oid_pkcs7(struct asn1_oid * oid)357 static int is_oid_pkcs7(struct asn1_oid *oid)
358 {
359 return oid->len == 7 &&
360 oid->oid[0] == 1 /* iso */ &&
361 oid->oid[1] == 2 /* member-body */ &&
362 oid->oid[2] == 840 /* us */ &&
363 oid->oid[3] == 113549 /* rsadsi */ &&
364 oid->oid[4] == 1 /* pkcs */ &&
365 oid->oid[5] == 7 /* pkcs-7 */;
366 }
367
368
is_oid_pkcs7_data(struct asn1_oid * oid)369 static int is_oid_pkcs7_data(struct asn1_oid *oid)
370 {
371 return is_oid_pkcs7(oid) && oid->oid[6] == 1 /* data */;
372 }
373
374
is_oid_pkcs7_enc_data(struct asn1_oid * oid)375 static int is_oid_pkcs7_enc_data(struct asn1_oid *oid)
376 {
377 return is_oid_pkcs7(oid) && oid->oid[6] == 6 /* encryptedData */;
378 }
379
380
is_oid_pkcs9(struct asn1_oid * oid)381 static int is_oid_pkcs9(struct asn1_oid *oid)
382 {
383 return oid->len >= 6 &&
384 oid->oid[0] == 1 /* iso */ &&
385 oid->oid[1] == 2 /* member-body */ &&
386 oid->oid[2] == 840 /* us */ &&
387 oid->oid[3] == 113549 /* rsadsi */ &&
388 oid->oid[4] == 1 /* pkcs */ &&
389 oid->oid[5] == 9 /* pkcs-9 */;
390 }
391
392
is_oid_pkcs9_friendly_name(struct asn1_oid * oid)393 static int is_oid_pkcs9_friendly_name(struct asn1_oid *oid)
394 {
395 return oid->len == 7 && is_oid_pkcs9(oid) &&
396 oid->oid[6] == 20;
397 }
398
399
is_oid_pkcs9_local_key_id(struct asn1_oid * oid)400 static int is_oid_pkcs9_local_key_id(struct asn1_oid *oid)
401 {
402 return oid->len == 7 && is_oid_pkcs9(oid) &&
403 oid->oid[6] == 21;
404 }
405
406
is_oid_pkcs9_x509_cert(struct asn1_oid * oid)407 static int is_oid_pkcs9_x509_cert(struct asn1_oid *oid)
408 {
409 return oid->len == 8 && is_oid_pkcs9(oid) &&
410 oid->oid[6] == 22 /* certTypes */ &&
411 oid->oid[7] == 1 /* x509Certificate */;
412 }
413
414
pkcs12_keybag(struct tlsv1_credentials * cred,const u8 * buf,size_t len)415 static int pkcs12_keybag(struct tlsv1_credentials *cred,
416 const u8 *buf, size_t len)
417 {
418 /* TODO */
419 return 0;
420 }
421
422
pkcs12_pkcs8_keybag(struct tlsv1_credentials * cred,const u8 * buf,size_t len,const char * passwd)423 static int pkcs12_pkcs8_keybag(struct tlsv1_credentials *cred,
424 const u8 *buf, size_t len,
425 const char *passwd)
426 {
427 struct crypto_private_key *key;
428
429 /* PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo */
430 key = pkcs8_enc_key_import(buf, len, passwd);
431 if (!key)
432 return -1;
433
434 wpa_printf(MSG_DEBUG,
435 "PKCS #12: Successfully decrypted PKCS8ShroudedKeyBag");
436 crypto_private_key_free(cred->key);
437 cred->key = key;
438
439 return 0;
440 }
441
442
pkcs12_certbag(struct tlsv1_credentials * cred,const u8 * buf,size_t len)443 static int pkcs12_certbag(struct tlsv1_credentials *cred,
444 const u8 *buf, size_t len)
445 {
446 struct asn1_hdr hdr;
447 struct asn1_oid oid;
448 char obuf[80];
449 const u8 *pos, *end;
450
451 /*
452 * CertBag ::= SEQUENCE {
453 * certId BAG-TYPE.&id ({CertTypes}),
454 * certValue [0] EXPLICIT BAG-TYPE.&Type ({CertTypes}{@certId})
455 * }
456 */
457
458 if (asn1_get_next(buf, len, &hdr) < 0 ||
459 hdr.class != ASN1_CLASS_UNIVERSAL ||
460 hdr.tag != ASN1_TAG_SEQUENCE) {
461 wpa_printf(MSG_DEBUG,
462 "PKCS #12: Expected SEQUENCE (CertBag) - found class %d tag 0x%x",
463 hdr.class, hdr.tag);
464 return -1;
465 }
466
467 pos = hdr.payload;
468 end = hdr.payload + hdr.length;
469
470 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
471 wpa_printf(MSG_DEBUG,
472 "PKCS #12: Failed to parse OID (certId)");
473 return -1;
474 }
475
476 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
477 wpa_printf(MSG_DEBUG, "PKCS #12: certId %s", obuf);
478
479 if (!is_oid_pkcs9_x509_cert(&oid)) {
480 wpa_printf(MSG_DEBUG,
481 "PKCS #12: Ignored unsupported certificate type (certId %s)",
482 obuf);
483 }
484
485 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
486 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
487 hdr.tag != 0) {
488 wpa_printf(MSG_DEBUG,
489 "PKCS #12: Expected [0] EXPLICIT (certValue) - found class %d tag 0x%x",
490 hdr.class, hdr.tag);
491 return -1;
492 }
493
494 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
495 hdr.class != ASN1_CLASS_UNIVERSAL ||
496 hdr.tag != ASN1_TAG_OCTETSTRING) {
497 wpa_printf(MSG_DEBUG,
498 "PKCS #12: Expected OCTET STRING (x509Certificate) - found class %d tag 0x%x",
499 hdr.class, hdr.tag);
500 return -1;
501 }
502
503 wpa_hexdump(MSG_DEBUG, "PKCS #12: x509Certificate",
504 hdr.payload, hdr.length);
505 if (cred->cert) {
506 struct x509_certificate *cert;
507
508 wpa_printf(MSG_DEBUG, "PKCS #12: Ignore extra certificate");
509 cert = x509_certificate_parse(hdr.payload, hdr.length);
510 if (!cert) {
511 wpa_printf(MSG_DEBUG,
512 "PKCS #12: Failed to parse x509Certificate");
513 return 0;
514 }
515 x509_certificate_chain_free(cert);
516
517 return 0;
518 }
519 return tlsv1_set_cert(cred, NULL, hdr.payload, hdr.length);
520 }
521
522
pkcs12_parse_attr_friendly_name(const u8 * pos,const u8 * end)523 static int pkcs12_parse_attr_friendly_name(const u8 *pos, const u8 *end)
524 {
525 struct asn1_hdr hdr;
526
527 /*
528 * RFC 2985, 5.5.1:
529 * friendlyName ATTRIBUTE ::= {
530 * WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
531 * EQUALITY MATCHING RULE caseIgnoreMatch
532 * SINGLE VALUE TRUE
533 * ID pkcs-9-at-friendlyName
534 * }
535 */
536 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
537 hdr.class != ASN1_CLASS_UNIVERSAL ||
538 hdr.tag != ASN1_TAG_BMPSTRING) {
539 wpa_printf(MSG_DEBUG,
540 "PKCS #12: Expected BMPSTRING (friendlyName) - found class %d tag 0x%x",
541 hdr.class, hdr.tag);
542 return 0;
543 }
544 wpa_hexdump_ascii(MSG_DEBUG, "PKCS #12: friendlyName",
545 hdr.payload, hdr.length);
546 return 0;
547 }
548
549
pkcs12_parse_attr_local_key_id(const u8 * pos,const u8 * end)550 static int pkcs12_parse_attr_local_key_id(const u8 *pos, const u8 *end)
551 {
552 struct asn1_hdr hdr;
553
554 /*
555 * RFC 2985, 5.5.2:
556 * localKeyId ATTRIBUTE ::= {
557 * WITH SYNTAX OCTET STRING
558 * EQUALITY MATCHING RULE octetStringMatch
559 * SINGLE VALUE TRUE
560 * ID pkcs-9-at-localKeyId
561 * }
562 */
563 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
564 hdr.class != ASN1_CLASS_UNIVERSAL ||
565 hdr.tag != ASN1_TAG_OCTETSTRING) {
566 wpa_printf(MSG_DEBUG,
567 "PKCS #12: Expected OCTET STRING (localKeyID) - found class %d tag 0x%x",
568 hdr.class, hdr.tag);
569 return -1;
570 }
571 wpa_hexdump_key(MSG_DEBUG, "PKCS #12: localKeyID",
572 hdr.payload, hdr.length);
573 return 0;
574 }
575
576
pkcs12_parse_attr(const u8 * pos,size_t len)577 static int pkcs12_parse_attr(const u8 *pos, size_t len)
578 {
579 const u8 *end = pos + len;
580 struct asn1_hdr hdr;
581 struct asn1_oid a_oid;
582 char obuf[80];
583
584 /*
585 * PKCS12Attribute ::= SEQUENCE {
586 * attrId ATTRIBUTE.&id ({PKCS12AttrSet}),
587 * attrValues SET OF ATTRIBUTE.&Type ({PKCS12AttrSet}{@attrId})
588 * }
589 */
590
591 if (asn1_get_oid(pos, end - pos, &a_oid, &pos)) {
592 wpa_printf(MSG_DEBUG, "PKCS #12: Failed to parse OID (attrId)");
593 return -1;
594 }
595
596 asn1_oid_to_str(&a_oid, obuf, sizeof(obuf));
597 wpa_printf(MSG_DEBUG, "PKCS #12: attrId %s", obuf);
598
599 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
600 hdr.class != ASN1_CLASS_UNIVERSAL ||
601 hdr.tag != ASN1_TAG_SET) {
602 wpa_printf(MSG_DEBUG,
603 "PKCS #12: Expected SET (attrValues) - found class %d tag 0x%x",
604 hdr.class, hdr.tag);
605 return -1;
606 }
607 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #12: attrValues",
608 hdr.payload, hdr.length);
609 pos = hdr.payload;
610 end = hdr.payload + hdr.length;
611
612 if (is_oid_pkcs9_friendly_name(&a_oid))
613 return pkcs12_parse_attr_friendly_name(pos, end);
614 if (is_oid_pkcs9_local_key_id(&a_oid))
615 return pkcs12_parse_attr_local_key_id(pos, end);
616
617 wpa_printf(MSG_DEBUG, "PKCS #12: Ignore unknown attribute");
618 return 0;
619 }
620
621
pkcs12_safebag(struct tlsv1_credentials * cred,const u8 * buf,size_t len,const char * passwd)622 static int pkcs12_safebag(struct tlsv1_credentials *cred,
623 const u8 *buf, size_t len, const char *passwd)
624 {
625 struct asn1_hdr hdr;
626 struct asn1_oid oid;
627 char obuf[80];
628 const u8 *pos = buf, *end = buf + len;
629 const u8 *value;
630 size_t value_len;
631
632 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #12: SafeBag", buf, len);
633
634 /* BAG-TYPE ::= TYPE-IDENTIFIER */
635 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
636 wpa_printf(MSG_DEBUG,
637 "PKCS #12: Failed to parse OID (BAG-TYPE)");
638 return -1;
639 }
640
641 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
642 wpa_printf(MSG_DEBUG, "PKCS #12: BAG-TYPE %s", obuf);
643
644 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
645 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
646 hdr.tag != 0) {
647 wpa_printf(MSG_DEBUG,
648 "PKCS #12: Expected [0] EXPLICIT (bagValue) - found class %d tag 0x%x",
649 hdr.class, hdr.tag);
650 return 0;
651 }
652 value = hdr.payload;
653 value_len = hdr.length;
654 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #12: bagValue", value, value_len);
655 pos = hdr.payload + hdr.length;
656
657 if (pos < end) {
658 /* bagAttributes SET OF PKCS12Attribute OPTIONAL */
659 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
660 hdr.class != ASN1_CLASS_UNIVERSAL ||
661 hdr.tag != ASN1_TAG_SET) {
662 wpa_printf(MSG_DEBUG,
663 "PKCS #12: Expected SET (bagAttributes) - found class %d tag 0x%x",
664 hdr.class, hdr.tag);
665 return -1;
666 }
667 wpa_hexdump_key(MSG_MSGDUMP, "PKCS #12: bagAttributes",
668 hdr.payload, hdr.length);
669
670 pos = hdr.payload;
671 end = hdr.payload + hdr.length;
672 while (pos < end) {
673 /* PKCS12Attribute ::= SEQUENCE */
674 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
675 hdr.class != ASN1_CLASS_UNIVERSAL ||
676 hdr.tag != ASN1_TAG_SEQUENCE) {
677 wpa_printf(MSG_DEBUG,
678 "PKCS #12: Expected SEQUENCE (PKCS12Attribute) - found class %d tag 0x%x",
679 hdr.class, hdr.tag);
680 return -1;
681 }
682 if (pkcs12_parse_attr(hdr.payload, hdr.length) < 0)
683 return -1;
684 pos = hdr.payload + hdr.length;
685 }
686 }
687
688 if (pkcs12_is_bagtype_oid(&oid, 1))
689 return pkcs12_keybag(cred, value, value_len);
690 if (pkcs12_is_bagtype_oid(&oid, 2))
691 return pkcs12_pkcs8_keybag(cred, value, value_len, passwd);
692 if (pkcs12_is_bagtype_oid(&oid, 3))
693 return pkcs12_certbag(cred, value, value_len);
694
695 wpa_printf(MSG_DEBUG, "PKCS #12: Ignore unsupported BAG-TYPE");
696 return 0;
697 }
698
699
pkcs12_safecontents(struct tlsv1_credentials * cred,const u8 * buf,size_t len,const char * passwd)700 static int pkcs12_safecontents(struct tlsv1_credentials *cred,
701 const u8 *buf, size_t len,
702 const char *passwd)
703 {
704 struct asn1_hdr hdr;
705 const u8 *pos, *end;
706
707 /* SafeContents ::= SEQUENCE OF SafeBag */
708 if (asn1_get_next(buf, len, &hdr) < 0 ||
709 hdr.class != ASN1_CLASS_UNIVERSAL ||
710 hdr.tag != ASN1_TAG_SEQUENCE) {
711 wpa_printf(MSG_DEBUG,
712 "PKCS #12: Expected SEQUENCE (SafeContents) - found class %d tag 0x%x",
713 hdr.class, hdr.tag);
714 return -1;
715 }
716 pos = hdr.payload;
717 end = hdr.payload + hdr.length;
718
719 /*
720 * SafeBag ::= SEQUENCE {
721 * bagId BAG-TYPE.&id ({PKCS12BagSet})
722 * bagValue [0] EXPLICIT BAG-TYPE.&Type({PKCS12BagSet}{@bagId}),
723 * bagAttributes SET OF PKCS12Attribute OPTIONAL
724 * }
725 */
726
727 while (pos < end) {
728 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
729 hdr.class != ASN1_CLASS_UNIVERSAL ||
730 hdr.tag != ASN1_TAG_SEQUENCE) {
731 wpa_printf(MSG_DEBUG,
732 "PKCS #12: Expected SEQUENCE (SafeBag) - found class %d tag 0x%x",
733 hdr.class, hdr.tag);
734 return -1;
735 }
736 if (pkcs12_safebag(cred, hdr.payload, hdr.length, passwd) < 0)
737 return -1;
738 pos = hdr.payload + hdr.length;
739 }
740
741 return 0;
742 }
743
744
pkcs12_parse_content_data(struct tlsv1_credentials * cred,const u8 * pos,const u8 * end,const char * passwd)745 static int pkcs12_parse_content_data(struct tlsv1_credentials *cred,
746 const u8 *pos, const u8 *end,
747 const char *passwd)
748 {
749 struct asn1_hdr hdr;
750
751 /* Data ::= OCTET STRING */
752 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
753 hdr.class != ASN1_CLASS_UNIVERSAL ||
754 hdr.tag != ASN1_TAG_OCTETSTRING) {
755 wpa_printf(MSG_DEBUG,
756 "PKCS #12: Expected OCTET STRING (Data) - found class %d tag 0x%x",
757 hdr.class, hdr.tag);
758 return -1;
759 }
760
761 wpa_hexdump(MSG_MSGDUMP, "PKCS #12: Data", hdr.payload, hdr.length);
762
763 return pkcs12_safecontents(cred, hdr.payload, hdr.length, passwd);
764 }
765
766
pkcs12_parse_content_enc_data(struct tlsv1_credentials * cred,const u8 * pos,const u8 * end,const char * passwd)767 static int pkcs12_parse_content_enc_data(struct tlsv1_credentials *cred,
768 const u8 *pos, const u8 *end,
769 const char *passwd)
770 {
771 struct asn1_hdr hdr;
772 struct asn1_oid oid;
773 char buf[80];
774 const u8 *enc_alg;
775 u8 *data;
776 size_t enc_alg_len, data_len;
777 int res = -1;
778
779 /*
780 * EncryptedData ::= SEQUENCE {
781 * version Version,
782 * encryptedContentInfo EncryptedContentInfo }
783 */
784 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
785 hdr.class != ASN1_CLASS_UNIVERSAL ||
786 hdr.tag != ASN1_TAG_SEQUENCE) {
787 wpa_printf(MSG_DEBUG,
788 "PKCS #12: Expected SEQUENCE (EncryptedData) - found class %d tag 0x%x",
789 hdr.class, hdr.tag);
790 return 0;
791 }
792 pos = hdr.payload;
793
794 /* Version ::= INTEGER */
795 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
796 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
797 wpa_printf(MSG_DEBUG,
798 "PKCS #12: No INTEGER tag found for version; class=%d tag=0x%x",
799 hdr.class, hdr.tag);
800 return -1;
801 }
802 if (hdr.length != 1 || hdr.payload[0] != 0) {
803 wpa_printf(MSG_DEBUG, "PKCS #12: Unrecognized PKCS #7 version");
804 return -1;
805 }
806 pos = hdr.payload + hdr.length;
807
808 wpa_hexdump(MSG_MSGDUMP, "PKCS #12: EncryptedContentInfo",
809 pos, end - pos);
810
811 /*
812 * EncryptedContentInfo ::= SEQUENCE {
813 * contentType ContentType,
814 * contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
815 * encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }
816 */
817 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
818 hdr.class != ASN1_CLASS_UNIVERSAL ||
819 hdr.tag != ASN1_TAG_SEQUENCE) {
820 wpa_printf(MSG_DEBUG,
821 "PKCS #12: Expected SEQUENCE (EncryptedContentInfo) - found class %d tag 0x%x",
822 hdr.class, hdr.tag);
823 return -1;
824 }
825
826 pos = hdr.payload;
827 end = pos + hdr.length;
828
829 /* ContentType ::= OBJECT IDENTIFIER */
830 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
831 wpa_printf(MSG_DEBUG,
832 "PKCS #12: Could not find OBJECT IDENTIFIER (contentType)");
833 return -1;
834 }
835 asn1_oid_to_str(&oid, buf, sizeof(buf));
836 wpa_printf(MSG_DEBUG, "PKCS #12: EncryptedContentInfo::contentType %s",
837 buf);
838
839 if (!is_oid_pkcs7_data(&oid)) {
840 wpa_printf(MSG_DEBUG,
841 "PKCS #12: Unsupported EncryptedContentInfo::contentType %s",
842 buf);
843 return 0;
844 }
845
846 /* ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier */
847 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
848 hdr.class != ASN1_CLASS_UNIVERSAL ||
849 hdr.tag != ASN1_TAG_SEQUENCE) {
850 wpa_printf(MSG_DEBUG, "PKCS #12: Expected SEQUENCE (ContentEncryptionAlgorithmIdentifier) - found class %d tag 0x%x",
851 hdr.class, hdr.tag);
852 return -1;
853 }
854 enc_alg = hdr.payload;
855 enc_alg_len = hdr.length;
856 pos = hdr.payload + hdr.length;
857
858 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
859 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
860 hdr.tag != 0) {
861 wpa_printf(MSG_DEBUG,
862 "PKCS #12: Expected [0] IMPLICIT (encryptedContent) - found class %d tag 0x%x",
863 hdr.class, hdr.tag);
864 return -1;
865 }
866
867 /* EncryptedContent ::= OCTET STRING */
868 data = pkcs5_decrypt(enc_alg, enc_alg_len, hdr.payload, hdr.length,
869 passwd, &data_len);
870 if (data) {
871 wpa_hexdump_key(MSG_MSGDUMP,
872 "PKCS #12: Decrypted encryptedContent",
873 data, data_len);
874 res = pkcs12_safecontents(cred, data, data_len, passwd);
875 os_free(data);
876 }
877
878 return res;
879 }
880
881
pkcs12_parse_content(struct tlsv1_credentials * cred,const u8 * buf,size_t len,const char * passwd)882 static int pkcs12_parse_content(struct tlsv1_credentials *cred,
883 const u8 *buf, size_t len,
884 const char *passwd)
885 {
886 const u8 *pos = buf;
887 const u8 *end = buf + len;
888 struct asn1_oid oid;
889 char txt[80];
890 struct asn1_hdr hdr;
891
892 wpa_hexdump(MSG_MSGDUMP, "PKCS #12: ContentInfo", buf, len);
893
894 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
895 wpa_printf(MSG_DEBUG,
896 "PKCS #12: Could not find OBJECT IDENTIFIER (contentType)");
897 return 0;
898 }
899
900 asn1_oid_to_str(&oid, txt, sizeof(txt));
901 wpa_printf(MSG_DEBUG, "PKCS #12: contentType %s", txt);
902
903 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
904 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
905 hdr.tag != 0) {
906 wpa_printf(MSG_DEBUG,
907 "PKCS #12: Expected [0] EXPLICIT (content) - found class %d tag 0x%x",
908 hdr.class, hdr.tag);
909 return 0;
910 }
911 pos = hdr.payload;
912
913 if (is_oid_pkcs7_data(&oid))
914 return pkcs12_parse_content_data(cred, pos, end, passwd);
915 if (is_oid_pkcs7_enc_data(&oid))
916 return pkcs12_parse_content_enc_data(cred, pos, end, passwd);
917
918 wpa_printf(MSG_DEBUG, "PKCS #12: Ignored unsupported contentType %s",
919 txt);
920
921 return 0;
922 }
923
924
pkcs12_parse(struct tlsv1_credentials * cred,const u8 * key,size_t len,const char * passwd)925 static int pkcs12_parse(struct tlsv1_credentials *cred,
926 const u8 *key, size_t len, const char *passwd)
927 {
928 struct asn1_hdr hdr;
929 const u8 *pos, *end;
930 struct asn1_oid oid;
931 char buf[80];
932
933 /*
934 * PFX ::= SEQUENCE {
935 * version INTEGER {v3(3)}(v3,...),
936 * authSafe ContentInfo,
937 * macData MacData OPTIONAL
938 * }
939 */
940
941 if (asn1_get_next(key, len, &hdr) < 0 ||
942 hdr.class != ASN1_CLASS_UNIVERSAL ||
943 hdr.tag != ASN1_TAG_SEQUENCE) {
944 wpa_printf(MSG_DEBUG,
945 "PKCS #12: Expected SEQUENCE (PFX) - found class %d tag 0x%x; assume PKCS #12 not used",
946 hdr.class, hdr.tag);
947 return -1;
948 }
949
950 pos = hdr.payload;
951 end = pos + hdr.length;
952
953 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
954 hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
955 wpa_printf(MSG_DEBUG,
956 "PKCS #12: No INTEGER tag found for version; class=%d tag=0x%x",
957 hdr.class, hdr.tag);
958 return -1;
959 }
960 if (hdr.length != 1 || hdr.payload[0] != 3) {
961 wpa_printf(MSG_DEBUG, "PKCS #12: Unrecognized version");
962 return -1;
963 }
964 pos = hdr.payload + hdr.length;
965
966 /*
967 * ContentInfo ::= SEQUENCE {
968 * contentType ContentType,
969 * content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
970 */
971
972 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
973 hdr.class != ASN1_CLASS_UNIVERSAL ||
974 hdr.tag != ASN1_TAG_SEQUENCE) {
975 wpa_printf(MSG_DEBUG,
976 "PKCS #12: Expected SEQUENCE (authSafe) - found class %d tag 0x%x; assume PKCS #12 not used",
977 hdr.class, hdr.tag);
978 return -1;
979 }
980
981 pos = hdr.payload;
982 end = pos + hdr.length;
983
984 /* ContentType ::= OBJECT IDENTIFIER */
985 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
986 wpa_printf(MSG_DEBUG,
987 "PKCS #12: Could not find OBJECT IDENTIFIER (contentType); assume PKCS #12 not used");
988 return -1;
989 }
990 asn1_oid_to_str(&oid, buf, sizeof(buf));
991 wpa_printf(MSG_DEBUG, "PKCS #12: contentType %s", buf);
992 if (!is_oid_pkcs7_data(&oid)) {
993 wpa_printf(MSG_DEBUG, "PKCS #12: Unsupported contentType %s",
994 buf);
995 return -1;
996 }
997
998 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
999 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
1000 hdr.tag != 0) {
1001 wpa_printf(MSG_DEBUG,
1002 "PKCS #12: Expected [0] EXPLICIT (content) - found class %d tag 0x%x; assume PKCS #12 not used",
1003 hdr.class, hdr.tag);
1004 return -1;
1005 }
1006
1007 pos = hdr.payload;
1008
1009 /* Data ::= OCTET STRING */
1010 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
1011 hdr.class != ASN1_CLASS_UNIVERSAL ||
1012 hdr.tag != ASN1_TAG_OCTETSTRING) {
1013 wpa_printf(MSG_DEBUG,
1014 "PKCS #12: Expected OCTET STRING (Data) - found class %d tag 0x%x; assume PKCS #12 not used",
1015 hdr.class, hdr.tag);
1016 return -1;
1017 }
1018
1019 /*
1020 * AuthenticatedSafe ::= SEQUENCE OF ContentInfo
1021 * -- Data if unencrypted
1022 * -- EncryptedData if password-encrypted
1023 * -- EnvelopedData if public key-encrypted
1024 */
1025 wpa_hexdump(MSG_MSGDUMP, "PKCS #12: Data content",
1026 hdr.payload, hdr.length);
1027
1028 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
1029 hdr.class != ASN1_CLASS_UNIVERSAL ||
1030 hdr.tag != ASN1_TAG_SEQUENCE) {
1031 wpa_printf(MSG_DEBUG,
1032 "PKCS #12: Expected SEQUENCE within Data content - found class %d tag 0x%x; assume PKCS #12 not used",
1033 hdr.class, hdr.tag);
1034 return -1;
1035 }
1036
1037 pos = hdr.payload;
1038 end = pos + hdr.length;
1039
1040 while (end > pos) {
1041 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
1042 hdr.class != ASN1_CLASS_UNIVERSAL ||
1043 hdr.tag != ASN1_TAG_SEQUENCE) {
1044 wpa_printf(MSG_DEBUG,
1045 "PKCS #12: Expected SEQUENCE (ContentInfo) - found class %d tag 0x%x; assume PKCS #12 not used",
1046 hdr.class, hdr.tag);
1047 return -1;
1048 }
1049 if (pkcs12_parse_content(cred, hdr.payload, hdr.length,
1050 passwd) < 0)
1051 return -1;
1052
1053 pos = hdr.payload + hdr.length;
1054 }
1055
1056 return 0;
1057 }
1058
1059 #endif /* PKCS12_FUNCS */
1060
1061
tlsv1_set_key(struct tlsv1_credentials * cred,const u8 * key,size_t len,const char * passwd)1062 static int tlsv1_set_key(struct tlsv1_credentials *cred,
1063 const u8 *key, size_t len, const char *passwd)
1064 {
1065 cred->key = crypto_private_key_import(key, len, passwd);
1066 if (cred->key == NULL)
1067 cred->key = tlsv1_set_key_pem(key, len);
1068 if (cred->key == NULL)
1069 cred->key = tlsv1_set_key_enc_pem(key, len, passwd);
1070 #ifdef PKCS12_FUNCS
1071 if (!cred->key)
1072 pkcs12_parse(cred, key, len, passwd);
1073 #endif /* PKCS12_FUNCS */
1074 if (cred->key == NULL) {
1075 wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
1076 return -1;
1077 }
1078 return 0;
1079 }
1080
1081
1082 /**
1083 * tlsv1_set_private_key - Set private key
1084 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
1085 * @private_key: File or reference name for the key in PEM or DER format
1086 * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
1087 * passphrase is used.
1088 * @private_key_blob: private_key as inlined data or %NULL if not used
1089 * @private_key_blob_len: private_key_blob length
1090 * Returns: 0 on success, -1 on failure
1091 */
tlsv1_set_private_key(struct tlsv1_credentials * cred,const char * private_key,const char * private_key_passwd,const u8 * private_key_blob,size_t private_key_blob_len)1092 int tlsv1_set_private_key(struct tlsv1_credentials *cred,
1093 const char *private_key,
1094 const char *private_key_passwd,
1095 const u8 *private_key_blob,
1096 size_t private_key_blob_len)
1097 {
1098 crypto_private_key_free(cred->key);
1099 cred->key = NULL;
1100
1101 if (private_key_blob)
1102 return tlsv1_set_key(cred, private_key_blob,
1103 private_key_blob_len,
1104 private_key_passwd);
1105
1106 if (private_key) {
1107 u8 *buf;
1108 size_t len;
1109 int ret;
1110
1111 buf = (u8 *) os_readfile(private_key, &len);
1112 if (buf == NULL) {
1113 wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
1114 private_key);
1115 return -1;
1116 }
1117
1118 ret = tlsv1_set_key(cred, buf, len, private_key_passwd);
1119 os_free(buf);
1120 return ret;
1121 }
1122
1123 return 0;
1124 }
1125
1126
tlsv1_set_dhparams_der(struct tlsv1_credentials * cred,const u8 * dh,size_t len)1127 static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
1128 const u8 *dh, size_t len)
1129 {
1130 struct asn1_hdr hdr;
1131 const u8 *pos, *end;
1132
1133 pos = dh;
1134 end = dh + len;
1135
1136 /*
1137 * DHParameter ::= SEQUENCE {
1138 * prime INTEGER, -- p
1139 * base INTEGER, -- g
1140 * privateValueLength INTEGER OPTIONAL }
1141 */
1142
1143 /* DHParamer ::= SEQUENCE */
1144 if (asn1_get_next(pos, len, &hdr) < 0 ||
1145 hdr.class != ASN1_CLASS_UNIVERSAL ||
1146 hdr.tag != ASN1_TAG_SEQUENCE) {
1147 wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a "
1148 "valid SEQUENCE - found class %d tag 0x%x",
1149 hdr.class, hdr.tag);
1150 return -1;
1151 }
1152 pos = hdr.payload;
1153
1154 /* prime INTEGER */
1155 if (asn1_get_next(pos, end - pos, &hdr) < 0)
1156 return -1;
1157
1158 if (hdr.class != ASN1_CLASS_UNIVERSAL ||
1159 hdr.tag != ASN1_TAG_INTEGER) {
1160 wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; "
1161 "class=%d tag=0x%x", hdr.class, hdr.tag);
1162 return -1;
1163 }
1164
1165 wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length);
1166 if (hdr.length == 0)
1167 return -1;
1168 os_free(cred->dh_p);
1169 cred->dh_p = os_memdup(hdr.payload, hdr.length);
1170 if (cred->dh_p == NULL)
1171 return -1;
1172 cred->dh_p_len = hdr.length;
1173 pos = hdr.payload + hdr.length;
1174
1175 /* base INTEGER */
1176 if (asn1_get_next(pos, end - pos, &hdr) < 0)
1177 return -1;
1178
1179 if (hdr.class != ASN1_CLASS_UNIVERSAL ||
1180 hdr.tag != ASN1_TAG_INTEGER) {
1181 wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; "
1182 "class=%d tag=0x%x", hdr.class, hdr.tag);
1183 return -1;
1184 }
1185
1186 wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length);
1187 if (hdr.length == 0)
1188 return -1;
1189 os_free(cred->dh_g);
1190 cred->dh_g = os_memdup(hdr.payload, hdr.length);
1191 if (cred->dh_g == NULL)
1192 return -1;
1193 cred->dh_g_len = hdr.length;
1194
1195 return 0;
1196 }
1197
1198
1199 static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----";
1200 static const char *pem_dhparams_end = "-----END DH PARAMETERS-----";
1201
1202
tlsv1_set_dhparams_blob(struct tlsv1_credentials * cred,const u8 * buf,size_t len)1203 static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred,
1204 const u8 *buf, size_t len)
1205 {
1206 const u8 *pos, *end;
1207 unsigned char *der;
1208 size_t der_len;
1209
1210 pos = search_tag(pem_dhparams_begin, buf, len);
1211 if (!pos) {
1212 wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - "
1213 "assume DER format");
1214 return tlsv1_set_dhparams_der(cred, buf, len);
1215 }
1216
1217 wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER "
1218 "format");
1219
1220 pos += os_strlen(pem_dhparams_begin);
1221 end = search_tag(pem_dhparams_end, pos, buf + len - pos);
1222 if (end == NULL) {
1223 wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end "
1224 "tag (%s)", pem_dhparams_end);
1225 return -1;
1226 }
1227
1228 der = base64_decode((const char *) pos, end - pos, &der_len);
1229 if (der == NULL) {
1230 wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams");
1231 return -1;
1232 }
1233
1234 if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) {
1235 wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams "
1236 "DER conversion");
1237 os_free(der);
1238 return -1;
1239 }
1240
1241 os_free(der);
1242
1243 return 0;
1244 }
1245
1246
1247 /**
1248 * tlsv1_set_dhparams - Set Diffie-Hellman parameters
1249 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
1250 * @dh_file: File or reference name for the DH params in PEM or DER format
1251 * @dh_blob: DH params as inlined data or %NULL if not used
1252 * @dh_blob_len: dh_blob length
1253 * Returns: 0 on success, -1 on failure
1254 */
tlsv1_set_dhparams(struct tlsv1_credentials * cred,const char * dh_file,const u8 * dh_blob,size_t dh_blob_len)1255 int tlsv1_set_dhparams(struct tlsv1_credentials *cred, const char *dh_file,
1256 const u8 *dh_blob, size_t dh_blob_len)
1257 {
1258 if (dh_blob)
1259 return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len);
1260
1261 if (dh_file) {
1262 u8 *buf;
1263 size_t len;
1264 int ret;
1265
1266 buf = (u8 *) os_readfile(dh_file, &len);
1267 if (buf == NULL) {
1268 wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
1269 dh_file);
1270 return -1;
1271 }
1272
1273 ret = tlsv1_set_dhparams_blob(cred, buf, len);
1274 os_free(buf);
1275 return ret;
1276 }
1277
1278 return 0;
1279 }
1280