contrib/hostapd/src/tls/tlsv1_cred.c

/*
 * TLSv1 credentials
 * Copyright (c) 2006-2009, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "base64.h"
#include "crypto/crypto.h"
#include "x509v3.h"
#include "tlsv1_cred.h"


struct tlsv1_credentials * tlsv1_cred_alloc(void)
{
	struct tlsv1_credentials *cred;
	cred = os_zalloc(sizeof(*cred));
	return cred;
}


void tlsv1_cred_free(struct tlsv1_credentials *cred)
{
	if (cred == NULL)
		return;

	x509_certificate_chain_free(cred->trusted_certs);
	x509_certificate_chain_free(cred->cert);
	crypto_private_key_free(cred->key);
	os_free(cred->dh_p);
	os_free(cred->dh_g);
	os_free(cred);
}


static int tlsv1_add_cert_der(struct x509_certificate **chain,
			      const u8 *buf, size_t len)
{
	struct x509_certificate *cert, *p;
	char name[128];

	cert = x509_certificate_parse(buf, len);
	if (cert == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate",
			   __func__);
		return -1;
	}

	p = *chain;
	while (p && p->next)
		p = p->next;
	if (p && x509_name_compare(&cert->subject, &p->issuer) == 0) {
		/*
		 * The new certificate is the issuer of the last certificate in
		 * the chain - add the new certificate to the end.
		 */
		p->next = cert;
	} else {
		/* Add to the beginning of the chain */
		cert->next = *chain;
		*chain = cert;
	}

	x509_name_string(&cert->subject, name, sizeof(name));
	wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name);

	return 0;
}


static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
static const char *pem_cert_end = "-----END CERTIFICATE-----";
static const char *pem_key_begin = "-----BEGIN RSA PRIVATE KEY-----";
static const char *pem_key_end = "-----END RSA PRIVATE KEY-----";
static const char *pem_key2_begin = "-----BEGIN PRIVATE KEY-----";
static const char *pem_key2_end = "-----END PRIVATE KEY-----";
static const char *pem_key_enc_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
static const char *pem_key_enc_end = "-----END ENCRYPTED PRIVATE KEY-----";


static const u8 * search_tag(const char *tag, const u8 *buf, size_t len)
{
	size_t i, plen;

	plen = os_strlen(tag);
	if (len < plen)
		return NULL;

	for (i = 0; i < len - plen; i++) {
		if (os_memcmp(buf + i, tag, plen) == 0)
			return buf + i;
	}

	return NULL;
}


static int tlsv1_add_cert(struct x509_certificate **chain,
			  const u8 *buf, size_t len)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;

	pos = search_tag(pem_cert_begin, buf, len);
	if (!pos) {
		wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - "
			   "assume DER format");
		return tlsv1_add_cert_der(chain, buf, len);
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into "
		   "DER format");

	while (pos) {
		pos += os_strlen(pem_cert_begin);
		end = search_tag(pem_cert_end, pos, buf + len - pos);
		if (end == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Could not find PEM "
				   "certificate end tag (%s)", pem_cert_end);
			return -1;
		}

		der = base64_decode(pos, end - pos, &der_len);
		if (der == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM "
				   "certificate");
			return -1;
		}

		if (tlsv1_add_cert_der(chain, der, der_len) < 0) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM "
				   "certificate after DER conversion");
			os_free(der);
			return -1;
		}

		os_free(der);

		end += os_strlen(pem_cert_end);
		pos = search_tag(pem_cert_begin, end, buf + len - end);
	}

	return 0;
}


static int tlsv1_set_cert_chain(struct x509_certificate **chain,
				const char *cert, const u8 *cert_blob,
				size_t cert_blob_len)
{
	if (cert_blob)
		return tlsv1_add_cert(chain, cert_blob, cert_blob_len);

	if (cert) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(cert, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   cert);
			return -1;
		}

		ret = tlsv1_add_cert(chain, buf, len);
		os_free(buf);
		return ret;
	}

	return 0;
}


/**
 * tlsv1_set_ca_cert - Set trusted CA certificate(s)
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @cert: File or reference name for X.509 certificate in PEM or DER format
 * @cert_blob: cert as inlined data or %NULL if not used
 * @cert_blob_len: ca_cert_blob length
 * @path: Path to CA certificates (not yet supported)
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_ca_cert(struct tlsv1_credentials *cred, const char *cert,
		      const u8 *cert_blob, size_t cert_blob_len,
		      const char *path)
{
	if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
				 cert_blob, cert_blob_len) < 0)
		return -1;

	if (path) {
		/* TODO: add support for reading number of certificate files */
		wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory "
			   "not yet supported");
		return -1;
	}

	return 0;
}


/**
 * tlsv1_set_cert - Set certificate
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @cert: File or reference name for X.509 certificate in PEM or DER format
 * @cert_blob: cert as inlined data or %NULL if not used
 * @cert_blob_len: cert_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_cert(struct tlsv1_credentials *cred, const char *cert,
		   const u8 *cert_blob, size_t cert_blob_len)
{
	return tlsv1_set_cert_chain(&cred->cert, cert,
				    cert_blob, cert_blob_len);
}


static struct crypto_private_key * tlsv1_set_key_pem(const u8 *key, size_t len)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;
	struct crypto_private_key *pkey;

	pos = search_tag(pem_key_begin, key, len);
	if (!pos) {
		pos = search_tag(pem_key2_begin, key, len);
		if (!pos)
			return NULL;
		pos += os_strlen(pem_key2_begin);
		end = search_tag(pem_key2_end, pos, key + len - pos);
		if (!end)
			return NULL;
	} else {
		const u8 *pos2;
		pos += os_strlen(pem_key_begin);
		end = search_tag(pem_key_end, pos, key + len - pos);
		if (!end)
			return NULL;
		pos2 = search_tag("Proc-Type: 4,ENCRYPTED", pos, end - pos);
		if (pos2) {
			wpa_printf(MSG_DEBUG, "TLSv1: Unsupported private key "
				   "format (Proc-Type/DEK-Info)");
			return NULL;
		}
	}

	der = base64_decode(pos, end - pos, &der_len);
	if (!der)
		return NULL;
	pkey = crypto_private_key_import(der, der_len, NULL);
	os_free(der);
	return pkey;
}


static struct crypto_private_key * tlsv1_set_key_enc_pem(const u8 *key,
							 size_t len,
							 const char *passwd)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;
	struct crypto_private_key *pkey;

	if (passwd == NULL)
		return NULL;
	pos = search_tag(pem_key_enc_begin, key, len);
	if (!pos)
		return NULL;
	pos += os_strlen(pem_key_enc_begin);
	end = search_tag(pem_key_enc_end, pos, key + len - pos);
	if (!end)
		return NULL;

	der = base64_decode(pos, end - pos, &der_len);
	if (!der)
		return NULL;
	pkey = crypto_private_key_import(der, der_len, passwd);
	os_free(der);
	return pkey;
}


static int tlsv1_set_key(struct tlsv1_credentials *cred,
			 const u8 *key, size_t len, const char *passwd)
{
	cred->key = crypto_private_key_import(key, len, passwd);
	if (cred->key == NULL)
		cred->key = tlsv1_set_key_pem(key, len);
	if (cred->key == NULL)
		cred->key = tlsv1_set_key_enc_pem(key, len, passwd);
	if (cred->key == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
		return -1;
	}
	return 0;
}


/**
 * tlsv1_set_private_key - Set private key
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @private_key: File or reference name for the key in PEM or DER format
 * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
 * passphrase is used.
 * @private_key_blob: private_key as inlined data or %NULL if not used
 * @private_key_blob_len: private_key_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_private_key(struct tlsv1_credentials *cred,
			  const char *private_key,
			  const char *private_key_passwd,
			  const u8 *private_key_blob,
			  size_t private_key_blob_len)
{
	crypto_private_key_free(cred->key);
	cred->key = NULL;

	if (private_key_blob)
		return tlsv1_set_key(cred, private_key_blob,
				     private_key_blob_len,
				     private_key_passwd);

	if (private_key) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(private_key, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   private_key);
			return -1;
		}

		ret = tlsv1_set_key(cred, buf, len, private_key_passwd);
		os_free(buf);
		return ret;
	}

	return 0;
}


static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
				  const u8 *dh, size_t len)
{
	struct asn1_hdr hdr;
	const u8 *pos, *end;

	pos = dh;
	end = dh + len;

	/*
	 * DHParameter ::= SEQUENCE {
	 *   prime INTEGER, -- p
	 *   base INTEGER, -- g
	 *   privateValueLength INTEGER OPTIONAL }
	 */

	/* DHParamer ::= SEQUENCE */
	if (asn1_get_next(pos, len, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a "
			   "valid SEQUENCE - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	pos = hdr.payload;

	/* prime INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0)
		return -1;

	if (hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_INTEGER) {
		wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; "
			   "class=%d tag=0x%x", hdr.class, hdr.tag);
		return -1;
	}

	wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length);
	if (hdr.length == 0)
		return -1;
	os_free(cred->dh_p);
	cred->dh_p = os_malloc(hdr.length);
	if (cred->dh_p == NULL)
		return -1;
	os_memcpy(cred->dh_p, hdr.payload, hdr.length);
	cred->dh_p_len = hdr.length;
	pos = hdr.payload + hdr.length;

	/* base INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0)
		return -1;

	if (hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_INTEGER) {
		wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; "
			   "class=%d tag=0x%x", hdr.class, hdr.tag);
		return -1;
	}

	wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length);
	if (hdr.length == 0)
		return -1;
	os_free(cred->dh_g);
	cred->dh_g = os_malloc(hdr.length);
	if (cred->dh_g == NULL)
		return -1;
	os_memcpy(cred->dh_g, hdr.payload, hdr.length);
	cred->dh_g_len = hdr.length;

	return 0;
}


static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----";
static const char *pem_dhparams_end = "-----END DH PARAMETERS-----";


static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred,
				   const u8 *buf, size_t len)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;

	pos = search_tag(pem_dhparams_begin, buf, len);
	if (!pos) {
		wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - "
			   "assume DER format");
		return tlsv1_set_dhparams_der(cred, buf, len);
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER "
		   "format");

	pos += os_strlen(pem_dhparams_begin);
	end = search_tag(pem_dhparams_end, pos, buf + len - pos);
	if (end == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end "
			   "tag (%s)", pem_dhparams_end);
		return -1;
	}

	der = base64_decode(pos, end - pos, &der_len);
	if (der == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams");
		return -1;
	}

	if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) {
		wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams "
			   "DER conversion");
		os_free(der);
		return -1;
	}

	os_free(der);

	return 0;
}


/**
 * tlsv1_set_dhparams - Set Diffie-Hellman parameters
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @dh_file: File or reference name for the DH params in PEM or DER format
 * @dh_blob: DH params as inlined data or %NULL if not used
 * @dh_blob_len: dh_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_dhparams(struct tlsv1_credentials *cred, const char *dh_file,
		       const u8 *dh_blob, size_t dh_blob_len)
{
	if (dh_blob)
		return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len);

	if (dh_file) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(dh_file, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   dh_file);
			return -1;
		}

		ret = tlsv1_set_dhparams_blob(cred, buf, len);
		os_free(buf);
		return ret;
	}

	return 0;
}
Commit	Line	Data
	1	/*
	2	* TLSv1 credentials
	3	* Copyright (c) 2006-2009, Jouni Malinen <j@w1.fi>
	4	*
	5	* This software may be distributed under the terms of the BSD license.
	6	* See README for more details.
	7	*/
	8
	9	#include "includes.h"
	10
	11	#include "common.h"
	12	#include "base64.h"
	13	#include "crypto/crypto.h"
	14	#include "x509v3.h"
	15	#include "tlsv1_cred.h"
	16
	17
	18	struct tlsv1_credentials * tlsv1_cred_alloc(void)
	19	{
	20	struct tlsv1_credentials *cred;
	21	cred = os_zalloc(sizeof(*cred));
	22	return cred;
	23	}
	24
	25
	26	void tlsv1_cred_free(struct tlsv1_credentials *cred)
	27	{
	28	if (cred == NULL)
	29	return;
	30
	31	x509_certificate_chain_free(cred->trusted_certs);
	32	x509_certificate_chain_free(cred->cert);
	33	crypto_private_key_free(cred->key);
	34	os_free(cred->dh_p);
	35	os_free(cred->dh_g);
	36	os_free(cred);
	37	}
	38
	39
	40	static int tlsv1_add_cert_der(struct x509_certificate **chain,
	41	const u8 *buf, size_t len)
	42	{
	43	struct x509_certificate cert, p;
	44	char name[128];
	45
	46	cert = x509_certificate_parse(buf, len);
	47	if (cert == NULL) {
	48	wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate",
	49	__func__);
	50	return -1;
	51	}
	52
	53	p = *chain;
	54	while (p && p->next)
	55	p = p->next;
	56	if (p && x509_name_compare(&cert->subject, &p->issuer) == 0) {
	57	/*
	58	* The new certificate is the issuer of the last certificate in
	59	* the chain - add the new certificate to the end.
	60	*/
	61	p->next = cert;
	62	} else {
	63	/* Add to the beginning of the chain */
	64	cert->next = *chain;
	65	*chain = cert;
	66	}
	67
	68	x509_name_string(&cert->subject, name, sizeof(name));
	69	wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name);
	70
	71	return 0;
	72	}
	73
	74
	75	static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
	76	static const char *pem_cert_end = "-----END CERTIFICATE-----";
	77	static const char *pem_key_begin = "-----BEGIN RSA PRIVATE KEY-----";
	78	static const char *pem_key_end = "-----END RSA PRIVATE KEY-----";
	79	static const char *pem_key2_begin = "-----BEGIN PRIVATE KEY-----";
	80	static const char *pem_key2_end = "-----END PRIVATE KEY-----";
	81	static const char *pem_key_enc_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
	82	static const char *pem_key_enc_end = "-----END ENCRYPTED PRIVATE KEY-----";
	83
	84
	85	static const u8 * search_tag(const char tag, const u8 buf, size_t len)
	86	{
	87	size_t i, plen;
	88
	89	plen = os_strlen(tag);
	90	if (len < plen)
	91	return NULL;
	92
	93	for (i = 0; i < len - plen; i++) {
	94	if (os_memcmp(buf + i, tag, plen) == 0)
	95	return buf + i;
	96	}
	97
	98	return NULL;
	99	}
	100
	101
	102	static int tlsv1_add_cert(struct x509_certificate **chain,
	103	const u8 *buf, size_t len)
	104	{
	105	const u8 pos, end;
	106	unsigned char *der;
	107	size_t der_len;
	108
	109	pos = search_tag(pem_cert_begin, buf, len);
	110	if (!pos) {
	111	wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - "
	112	"assume DER format");
	113	return tlsv1_add_cert_der(chain, buf, len);
	114	}
	115
	116	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into "
	117	"DER format");
	118
	119	while (pos) {
	120	pos += os_strlen(pem_cert_begin);
	121	end = search_tag(pem_cert_end, pos, buf + len - pos);
	122	if (end == NULL) {
	123	wpa_printf(MSG_INFO, "TLSv1: Could not find PEM "
	124	"certificate end tag (%s)", pem_cert_end);
	125	return -1;
	126	}
	127
	128	der = base64_decode(pos, end - pos, &der_len);
	129	if (der == NULL) {
	130	wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM "
	131	"certificate");
	132	return -1;
	133	}
	134
	135	if (tlsv1_add_cert_der(chain, der, der_len) < 0) {
	136	wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM "
	137	"certificate after DER conversion");
	138	os_free(der);
	139	return -1;
	140	}
	141
	142	os_free(der);
	143
	144	end += os_strlen(pem_cert_end);
	145	pos = search_tag(pem_cert_begin, end, buf + len - end);
	146	}
	147
	148	return 0;
	149	}
	150
	151
	152	static int tlsv1_set_cert_chain(struct x509_certificate **chain,
	153	const char cert, const u8 cert_blob,
	154	size_t cert_blob_len)
	155	{
	156	if (cert_blob)
	157	return tlsv1_add_cert(chain, cert_blob, cert_blob_len);
	158
	159	if (cert) {
	160	u8 *buf;
	161	size_t len;
	162	int ret;
	163
	164	buf = (u8 *) os_readfile(cert, &len);
	165	if (buf == NULL) {
	166	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
	167	cert);
	168	return -1;
	169	}
	170
	171	ret = tlsv1_add_cert(chain, buf, len);
	172	os_free(buf);
	173	return ret;
	174	}
	175
	176	return 0;
	177	}
	178
	179
	180	/**
	181	* tlsv1_set_ca_cert - Set trusted CA certificate(s)
	182	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
	183	* @cert: File or reference name for X.509 certificate in PEM or DER format
	184	* @cert_blob: cert as inlined data or %NULL if not used
	185	* @cert_blob_len: ca_cert_blob length
	186	* @path: Path to CA certificates (not yet supported)
	187	* Returns: 0 on success, -1 on failure
	188	*/
	189	int tlsv1_set_ca_cert(struct tlsv1_credentials cred, const char cert,
	190	const u8 *cert_blob, size_t cert_blob_len,
	191	const char *path)
	192	{
	193	if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
	194	cert_blob, cert_blob_len) < 0)
	195	return -1;
	196
	197	if (path) {
	198	/* TODO: add support for reading number of certificate files */
	199	wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory "
	200	"not yet supported");
	201	return -1;
	202	}
	203
	204	return 0;
	205	}
	206
	207
	208	/**
	209	* tlsv1_set_cert - Set certificate
	210	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
	211	* @cert: File or reference name for X.509 certificate in PEM or DER format
	212	* @cert_blob: cert as inlined data or %NULL if not used
	213	* @cert_blob_len: cert_blob length
	214	* Returns: 0 on success, -1 on failure
	215	*/
	216	int tlsv1_set_cert(struct tlsv1_credentials cred, const char cert,
	217	const u8 *cert_blob, size_t cert_blob_len)
	218	{
	219	return tlsv1_set_cert_chain(&cred->cert, cert,
	220	cert_blob, cert_blob_len);
	221	}
	222
	223
	224	static struct crypto_private_key * tlsv1_set_key_pem(const u8 *key, size_t len)
	225	{
	226	const u8 pos, end;
	227	unsigned char *der;
	228	size_t der_len;
	229	struct crypto_private_key *pkey;
	230
	231	pos = search_tag(pem_key_begin, key, len);
	232	if (!pos) {
	233	pos = search_tag(pem_key2_begin, key, len);
	234	if (!pos)
	235	return NULL;
	236	pos += os_strlen(pem_key2_begin);
	237	end = search_tag(pem_key2_end, pos, key + len - pos);
	238	if (!end)
	239	return NULL;
	240	} else {
	241	const u8 *pos2;
	242	pos += os_strlen(pem_key_begin);
	243	end = search_tag(pem_key_end, pos, key + len - pos);
	244	if (!end)
	245	return NULL;
	246	pos2 = search_tag("Proc-Type: 4,ENCRYPTED", pos, end - pos);
	247	if (pos2) {
	248	wpa_printf(MSG_DEBUG, "TLSv1: Unsupported private key "
	249	"format (Proc-Type/DEK-Info)");
	250	return NULL;
	251	}
	252	}
	253
	254	der = base64_decode(pos, end - pos, &der_len);
	255	if (!der)
	256	return NULL;
	257	pkey = crypto_private_key_import(der, der_len, NULL);
	258	os_free(der);
	259	return pkey;
	260	}
	261
	262
	263	static struct crypto_private_key * tlsv1_set_key_enc_pem(const u8 *key,
	264	size_t len,
	265	const char *passwd)
	266	{
	267	const u8 pos, end;
	268	unsigned char *der;
	269	size_t der_len;
	270	struct crypto_private_key *pkey;
	271
	272	if (passwd == NULL)
	273	return NULL;
	274	pos = search_tag(pem_key_enc_begin, key, len);
	275	if (!pos)
	276	return NULL;
	277	pos += os_strlen(pem_key_enc_begin);
	278	end = search_tag(pem_key_enc_end, pos, key + len - pos);
	279	if (!end)
	280	return NULL;
	281
	282	der = base64_decode(pos, end - pos, &der_len);
	283	if (!der)
	284	return NULL;
	285	pkey = crypto_private_key_import(der, der_len, passwd);
	286	os_free(der);
	287	return pkey;
	288	}
	289
	290
	291	static int tlsv1_set_key(struct tlsv1_credentials *cred,
	292	const u8 key, size_t len, const char passwd)
	293	{
	294	cred->key = crypto_private_key_import(key, len, passwd);
	295	if (cred->key == NULL)
	296	cred->key = tlsv1_set_key_pem(key, len);
	297	if (cred->key == NULL)
	298	cred->key = tlsv1_set_key_enc_pem(key, len, passwd);
	299	if (cred->key == NULL) {
	300	wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
	301	return -1;
	302	}
	303	return 0;
	304	}
	305
	306
	307	/**
	308	* tlsv1_set_private_key - Set private key
	309	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
	310	* @private_key: File or reference name for the key in PEM or DER format
	311	* @private_key_passwd: Passphrase for decrypted private key, %NULL if no
	312	* passphrase is used.
	313	* @private_key_blob: private_key as inlined data or %NULL if not used
	314	* @private_key_blob_len: private_key_blob length
	315	* Returns: 0 on success, -1 on failure
	316	*/
	317	int tlsv1_set_private_key(struct tlsv1_credentials *cred,
	318	const char *private_key,
	319	const char *private_key_passwd,
	320	const u8 *private_key_blob,
	321	size_t private_key_blob_len)
	322	{
	323	crypto_private_key_free(cred->key);
	324	cred->key = NULL;
	325
	326	if (private_key_blob)
	327	return tlsv1_set_key(cred, private_key_blob,
	328	private_key_blob_len,
	329	private_key_passwd);
	330
	331	if (private_key) {
	332	u8 *buf;
	333	size_t len;
	334	int ret;
	335
	336	buf = (u8 *) os_readfile(private_key, &len);
	337	if (buf == NULL) {
	338	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
	339	private_key);
	340	return -1;
	341	}
	342
	343	ret = tlsv1_set_key(cred, buf, len, private_key_passwd);
	344	os_free(buf);
	345	return ret;
	346	}
	347
	348	return 0;
	349	}
	350
	351
	352	static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
	353	const u8 *dh, size_t len)
	354	{
	355	struct asn1_hdr hdr;
	356	const u8 pos, end;
	357
	358	pos = dh;
	359	end = dh + len;
	360
	361	/*
	362	* DHParameter ::= SEQUENCE {
	363	* prime INTEGER, -- p
	364	* base INTEGER, -- g
	365	* privateValueLength INTEGER OPTIONAL }
	366	*/
	367
	368	/* DHParamer ::= SEQUENCE */
	369	if (asn1_get_next(pos, len, &hdr) < 0 \|\|
	370	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	371	hdr.tag != ASN1_TAG_SEQUENCE) {
	372	wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a "
	373	"valid SEQUENCE - found class %d tag 0x%x",
	374	hdr.class, hdr.tag);
	375	return -1;
	376	}
	377	pos = hdr.payload;
	378
	379	/* prime INTEGER */
	380	if (asn1_get_next(pos, end - pos, &hdr) < 0)
	381	return -1;
	382
	383	if (hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	384	hdr.tag != ASN1_TAG_INTEGER) {
	385	wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; "
	386	"class=%d tag=0x%x", hdr.class, hdr.tag);
	387	return -1;
	388	}
	389
	390	wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length);
	391	if (hdr.length == 0)
	392	return -1;
	393	os_free(cred->dh_p);
	394	cred->dh_p = os_malloc(hdr.length);
	395	if (cred->dh_p == NULL)
	396	return -1;
	397	os_memcpy(cred->dh_p, hdr.payload, hdr.length);
	398	cred->dh_p_len = hdr.length;
	399	pos = hdr.payload + hdr.length;
	400
	401	/* base INTEGER */
	402	if (asn1_get_next(pos, end - pos, &hdr) < 0)
	403	return -1;
	404
	405	if (hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	406	hdr.tag != ASN1_TAG_INTEGER) {
	407	wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; "
	408	"class=%d tag=0x%x", hdr.class, hdr.tag);
	409	return -1;
	410	}
	411
	412	wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length);
	413	if (hdr.length == 0)
	414	return -1;
	415	os_free(cred->dh_g);
	416	cred->dh_g = os_malloc(hdr.length);
	417	if (cred->dh_g == NULL)
	418	return -1;
	419	os_memcpy(cred->dh_g, hdr.payload, hdr.length);
	420	cred->dh_g_len = hdr.length;
	421
	422	return 0;
	423	}
	424
	425
	426	static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----";
	427	static const char *pem_dhparams_end = "-----END DH PARAMETERS-----";
	428
	429
	430	static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred,
	431	const u8 *buf, size_t len)
	432	{
	433	const u8 pos, end;
	434	unsigned char *der;
	435	size_t der_len;
	436
	437	pos = search_tag(pem_dhparams_begin, buf, len);
	438	if (!pos) {
	439	wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - "
	440	"assume DER format");
	441	return tlsv1_set_dhparams_der(cred, buf, len);
	442	}
	443
	444	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER "
	445	"format");
	446
	447	pos += os_strlen(pem_dhparams_begin);
	448	end = search_tag(pem_dhparams_end, pos, buf + len - pos);
	449	if (end == NULL) {
	450	wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end "
	451	"tag (%s)", pem_dhparams_end);
	452	return -1;
	453	}
	454
	455	der = base64_decode(pos, end - pos, &der_len);
	456	if (der == NULL) {
	457	wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams");
	458	return -1;
	459	}
	460
	461	if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) {
	462	wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams "
	463	"DER conversion");
	464	os_free(der);
	465	return -1;
	466	}
	467
	468	os_free(der);
	469
	470	return 0;
	471	}
	472
	473
	474	/**
	475	* tlsv1_set_dhparams - Set Diffie-Hellman parameters
	476	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
	477	* @dh_file: File or reference name for the DH params in PEM or DER format
	478	* @dh_blob: DH params as inlined data or %NULL if not used
	479	* @dh_blob_len: dh_blob length
	480	* Returns: 0 on success, -1 on failure
	481	*/
	482	int tlsv1_set_dhparams(struct tlsv1_credentials cred, const char dh_file,
	483	const u8 *dh_blob, size_t dh_blob_len)
	484	{
	485	if (dh_blob)
	486	return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len);
	487
	488	if (dh_file) {
	489	u8 *buf;
	490	size_t len;
	491	int ret;
	492
	493	buf = (u8 *) os_readfile(dh_file, &len);
	494	if (buf == NULL) {
	495	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
	496	dh_file);
	497	return -1;
	498	}
	499
	500	ret = tlsv1_set_dhparams_blob(cred, buf, len);
	501	os_free(buf);
	502	return ret;
	503	}
	504
	505	return 0;
	506	}