[thirdparty/hostap.git] / src / tls / tlsv1_cred.c

/*
 * TLSv1 credentials
 * Copyright (c) 2006-2009, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "base64.h"
#include "crypto/crypto.h"
#include "x509v3.h"
#include "tlsv1_cred.h"


struct tlsv1_credentials * tlsv1_cred_alloc(void)
{
	struct tlsv1_credentials *cred;
	cred = os_zalloc(sizeof(*cred));
	return cred;
}


void tlsv1_cred_free(struct tlsv1_credentials *cred)
{
	if (cred == NULL)
		return;

	x509_certificate_chain_free(cred->trusted_certs);
	x509_certificate_chain_free(cred->cert);
	crypto_private_key_free(cred->key);
	os_free(cred->dh_p);
	os_free(cred->dh_g);
	os_free(cred);
}


static int tlsv1_add_cert_der(struct x509_certificate **chain,
			      const u8 *buf, size_t len)
{
	struct x509_certificate *cert, *p;
	char name[128];

	cert = x509_certificate_parse(buf, len);
	if (cert == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate",
			   __func__);
		return -1;
	}

	p = *chain;
	while (p && p->next)
		p = p->next;
	if (p && x509_name_compare(&cert->subject, &p->issuer) == 0) {
		/*
		 * The new certificate is the issuer of the last certificate in
		 * the chain - add the new certificate to the end.
		 */
		p->next = cert;
	} else {
		/* Add to the beginning of the chain */
		cert->next = *chain;
		*chain = cert;
	}

	x509_name_string(&cert->subject, name, sizeof(name));
	wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name);

	return 0;
}


static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
static const char *pem_cert_end = "-----END CERTIFICATE-----";
static const char *pem_key_begin = "-----BEGIN RSA PRIVATE KEY-----";
static const char *pem_key_end = "-----END RSA PRIVATE KEY-----";
static const char *pem_key2_begin = "-----BEGIN PRIVATE KEY-----";
static const char *pem_key2_end = "-----END PRIVATE KEY-----";
static const char *pem_key_enc_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
static const char *pem_key_enc_end = "-----END ENCRYPTED PRIVATE KEY-----";


static const u8 * search_tag(const char *tag, const u8 *buf, size_t len)
{
	size_t i, plen;

	plen = os_strlen(tag);
	if (len < plen)
		return NULL;

	for (i = 0; i < len - plen; i++) {
		if (os_memcmp(buf + i, tag, plen) == 0)
			return buf + i;
	}

	return NULL;
}


static int tlsv1_add_cert(struct x509_certificate **chain,
			  const u8 *buf, size_t len)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;

	pos = search_tag(pem_cert_begin, buf, len);
	if (!pos) {
		wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - "
			   "assume DER format");
		return tlsv1_add_cert_der(chain, buf, len);
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into "
		   "DER format");

	while (pos) {
		pos += os_strlen(pem_cert_begin);
		end = search_tag(pem_cert_end, pos, buf + len - pos);
		if (end == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Could not find PEM "
				   "certificate end tag (%s)", pem_cert_end);
			return -1;
		}

		der = base64_decode(pos, end - pos, &der_len);
		if (der == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM "
				   "certificate");
			return -1;
		}

		if (tlsv1_add_cert_der(chain, der, der_len) < 0) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM "
				   "certificate after DER conversion");
			os_free(der);
			return -1;
		}

		os_free(der);

		end += os_strlen(pem_cert_end);
		pos = search_tag(pem_cert_begin, end, buf + len - end);
	}

	return 0;
}


static int tlsv1_set_cert_chain(struct x509_certificate **chain,
				const char *cert, const u8 *cert_blob,
				size_t cert_blob_len)
{
	if (cert_blob)
		return tlsv1_add_cert(chain, cert_blob, cert_blob_len);

	if (cert) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(cert, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   cert);
			return -1;
		}

		ret = tlsv1_add_cert(chain, buf, len);
		os_free(buf);
		return ret;
	}

	return 0;
}


/**
 * tlsv1_set_ca_cert - Set trusted CA certificate(s)
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @cert: File or reference name for X.509 certificate in PEM or DER format
 * @cert_blob: cert as inlined data or %NULL if not used
 * @cert_blob_len: ca_cert_blob length
 * @path: Path to CA certificates (not yet supported)
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_ca_cert(struct tlsv1_credentials *cred, const char *cert,
		      const u8 *cert_blob, size_t cert_blob_len,
		      const char *path)
{
	cred->ca_cert_verify = cert || cert_blob || path;

	if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
				 cert_blob, cert_blob_len) < 0)
		return -1;

	if (path) {
		/* TODO: add support for reading number of certificate files */
		wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory "
			   "not yet supported");
		return -1;
	}

	return 0;
}


/**
 * tlsv1_set_cert - Set certificate
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @cert: File or reference name for X.509 certificate in PEM or DER format
 * @cert_blob: cert as inlined data or %NULL if not used
 * @cert_blob_len: cert_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_cert(struct tlsv1_credentials *cred, const char *cert,
		   const u8 *cert_blob, size_t cert_blob_len)
{
	return tlsv1_set_cert_chain(&cred->cert, cert,
				    cert_blob, cert_blob_len);
}


static struct crypto_private_key * tlsv1_set_key_pem(const u8 *key, size_t len)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;
	struct crypto_private_key *pkey;

	pos = search_tag(pem_key_begin, key, len);
	if (!pos) {
		pos = search_tag(pem_key2_begin, key, len);
		if (!pos)
			return NULL;
		pos += os_strlen(pem_key2_begin);
		end = search_tag(pem_key2_end, pos, key + len - pos);
		if (!end)
			return NULL;
	} else {
		const u8 *pos2;
		pos += os_strlen(pem_key_begin);
		end = search_tag(pem_key_end, pos, key + len - pos);
		if (!end)
			return NULL;
		pos2 = search_tag("Proc-Type: 4,ENCRYPTED", pos, end - pos);
		if (pos2) {
			wpa_printf(MSG_DEBUG, "TLSv1: Unsupported private key "
				   "format (Proc-Type/DEK-Info)");
			return NULL;
		}
	}

	der = base64_decode(pos, end - pos, &der_len);
	if (!der)
		return NULL;
	pkey = crypto_private_key_import(der, der_len, NULL);
	os_free(der);
	return pkey;
}


static struct crypto_private_key * tlsv1_set_key_enc_pem(const u8 *key,
							 size_t len,
							 const char *passwd)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;
	struct crypto_private_key *pkey;

	if (passwd == NULL)
		return NULL;
	pos = search_tag(pem_key_enc_begin, key, len);
	if (!pos)
		return NULL;
	pos += os_strlen(pem_key_enc_begin);
	end = search_tag(pem_key_enc_end, pos, key + len - pos);
	if (!end)
		return NULL;

	der = base64_decode(pos, end - pos, &der_len);
	if (!der)
		return NULL;
	pkey = crypto_private_key_import(der, der_len, passwd);
	os_free(der);
	return pkey;
}


static int tlsv1_set_key(struct tlsv1_credentials *cred,
			 const u8 *key, size_t len, const char *passwd)
{
	cred->key = crypto_private_key_import(key, len, passwd);
	if (cred->key == NULL)
		cred->key = tlsv1_set_key_pem(key, len);
	if (cred->key == NULL)
		cred->key = tlsv1_set_key_enc_pem(key, len, passwd);
	if (cred->key == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
		return -1;
	}
	return 0;
}


/**
 * tlsv1_set_private_key - Set private key
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @private_key: File or reference name for the key in PEM or DER format
 * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
 * passphrase is used.
 * @private_key_blob: private_key as inlined data or %NULL if not used
 * @private_key_blob_len: private_key_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_private_key(struct tlsv1_credentials *cred,
			  const char *private_key,
			  const char *private_key_passwd,
			  const u8 *private_key_blob,
			  size_t private_key_blob_len)
{
	crypto_private_key_free(cred->key);
	cred->key = NULL;

	if (private_key_blob)
		return tlsv1_set_key(cred, private_key_blob,
				     private_key_blob_len,
				     private_key_passwd);

	if (private_key) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(private_key, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   private_key);
			return -1;
		}

		ret = tlsv1_set_key(cred, buf, len, private_key_passwd);
		os_free(buf);
		return ret;
	}

	return 0;
}


static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
				  const u8 *dh, size_t len)
{
	struct asn1_hdr hdr;
	const u8 *pos, *end;

	pos = dh;
	end = dh + len;

	/*
	 * DHParameter ::= SEQUENCE {
	 *   prime INTEGER, -- p
	 *   base INTEGER, -- g
	 *   privateValueLength INTEGER OPTIONAL }
	 */

	/* DHParamer ::= SEQUENCE */
	if (asn1_get_next(pos, len, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a "
			   "valid SEQUENCE - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	pos = hdr.payload;

	/* prime INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0)
		return -1;

	if (hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_INTEGER) {
		wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; "
			   "class=%d tag=0x%x", hdr.class, hdr.tag);
		return -1;
	}

	wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length);
	if (hdr.length == 0)
		return -1;
	os_free(cred->dh_p);
	cred->dh_p = os_malloc(hdr.length);
	if (cred->dh_p == NULL)
		return -1;
	os_memcpy(cred->dh_p, hdr.payload, hdr.length);
	cred->dh_p_len = hdr.length;
	pos = hdr.payload + hdr.length;

	/* base INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0)
		return -1;

	if (hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_INTEGER) {
		wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; "
			   "class=%d tag=0x%x", hdr.class, hdr.tag);
		return -1;
	}

	wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length);
	if (hdr.length == 0)
		return -1;
	os_free(cred->dh_g);
	cred->dh_g = os_malloc(hdr.length);
	if (cred->dh_g == NULL)
		return -1;
	os_memcpy(cred->dh_g, hdr.payload, hdr.length);
	cred->dh_g_len = hdr.length;

	return 0;
}


static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----";
static const char *pem_dhparams_end = "-----END DH PARAMETERS-----";


static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred,
				   const u8 *buf, size_t len)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;

	pos = search_tag(pem_dhparams_begin, buf, len);
	if (!pos) {
		wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - "
			   "assume DER format");
		return tlsv1_set_dhparams_der(cred, buf, len);
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER "
		   "format");

	pos += os_strlen(pem_dhparams_begin);
	end = search_tag(pem_dhparams_end, pos, buf + len - pos);
	if (end == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end "
			   "tag (%s)", pem_dhparams_end);
		return -1;
	}

	der = base64_decode(pos, end - pos, &der_len);
	if (der == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams");
		return -1;
	}

	if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) {
		wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams "
			   "DER conversion");
		os_free(der);
		return -1;
	}

	os_free(der);

	return 0;
}


/**
 * tlsv1_set_dhparams - Set Diffie-Hellman parameters
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @dh_file: File or reference name for the DH params in PEM or DER format
 * @dh_blob: DH params as inlined data or %NULL if not used
 * @dh_blob_len: dh_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_dhparams(struct tlsv1_credentials *cred, const char *dh_file,
		       const u8 *dh_blob, size_t dh_blob_len)
{
	if (dh_blob)
		return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len);

	if (dh_file) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(dh_file, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   dh_file);
			return -1;
		}

		ret = tlsv1_set_dhparams_blob(cred, buf, len);
		os_free(buf);
		return ret;
	}

	return 0;
}
Commit	Line	Data
6fc6879b JM	1	/*
6fc6879b JM	2	* TLSv1 credentials
3af9f298	3	* Copyright (c) 2006-2009, Jouni Malinen <j@w1.fi>
6fc6879b	4	*
0f3d578e JM	5	* This software may be distributed under the terms of the BSD license.
0f3d578e JM	6	* See README for more details.
6fc6879b JM	7	*/
	8
	9	#include "includes.h"
	10
	11	#include "common.h"
	12	#include "base64.h"
03da66bd	13	#include "crypto/crypto.h"
6fc6879b JM	14	#include "x509v3.h"
	15	#include "tlsv1_cred.h"
	16
	17
	18	struct tlsv1_credentials * tlsv1_cred_alloc(void)
	19	{
	20	struct tlsv1_credentials *cred;
	21	cred = os_zalloc(sizeof(*cred));
	22	return cred;
	23	}
	24
	25
	26	void tlsv1_cred_free(struct tlsv1_credentials *cred)
	27	{
	28	if (cred == NULL)
	29	return;
	30
	31	x509_certificate_chain_free(cred->trusted_certs);
	32	x509_certificate_chain_free(cred->cert);
	33	crypto_private_key_free(cred->key);
	34	os_free(cred->dh_p);
	35	os_free(cred->dh_g);
	36	os_free(cred);
	37	}
	38
	39
	40	static int tlsv1_add_cert_der(struct x509_certificate **chain,
	41	const u8 *buf, size_t len)
	42	{
6921f1f3	43	struct x509_certificate cert, p;
6fc6879b JM	44	char name[128];
	45
	46	cert = x509_certificate_parse(buf, len);
	47	if (cert == NULL) {
	48	wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate",
	49	__func__);
	50	return -1;
	51	}
	52
6921f1f3 JM	53	p = *chain;
	54	while (p && p->next)
	55	p = p->next;
	56	if (p && x509_name_compare(&cert->subject, &p->issuer) == 0) {
	57	/*
	58	* The new certificate is the issuer of the last certificate in
	59	* the chain - add the new certificate to the end.
	60	*/
	61	p->next = cert;
	62	} else {
	63	/* Add to the beginning of the chain */
	64	cert->next = *chain;
	65	*chain = cert;
	66	}
6fc6879b JM	67
	68	x509_name_string(&cert->subject, name, sizeof(name));
	69	wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name);
	70
	71	return 0;
	72	}
	73
	74
	75	static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
	76	static const char *pem_cert_end = "-----END CERTIFICATE-----";
1b8409a0 JM	77	static const char *pem_key_begin = "-----BEGIN RSA PRIVATE KEY-----";
1b8409a0 JM	78	static const char *pem_key_end = "-----END RSA PRIVATE KEY-----";
8ef74414 JM	79	static const char *pem_key2_begin = "-----BEGIN PRIVATE KEY-----";
8ef74414 JM	80	static const char *pem_key2_end = "-----END PRIVATE KEY-----";
3f4ed97a JM	81	static const char *pem_key_enc_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
3f4ed97a JM	82	static const char *pem_key_enc_end = "-----END ENCRYPTED PRIVATE KEY-----";
6fc6879b JM	83
	84
	85	static const u8 * search_tag(const char tag, const u8 buf, size_t len)
	86	{
	87	size_t i, plen;
	88
	89	plen = os_strlen(tag);
	90	if (len < plen)
	91	return NULL;
	92
	93	for (i = 0; i < len - plen; i++) {
	94	if (os_memcmp(buf + i, tag, plen) == 0)
	95	return buf + i;
	96	}
	97
	98	return NULL;
	99	}
	100
	101
	102	static int tlsv1_add_cert(struct x509_certificate **chain,
	103	const u8 *buf, size_t len)
	104	{
	105	const u8 pos, end;
	106	unsigned char *der;
	107	size_t der_len;
	108
	109	pos = search_tag(pem_cert_begin, buf, len);
	110	if (!pos) {
	111	wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - "
	112	"assume DER format");
	113	return tlsv1_add_cert_der(chain, buf, len);
	114	}
	115
	116	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into "
	117	"DER format");
	118
	119	while (pos) {
	120	pos += os_strlen(pem_cert_begin);
	121	end = search_tag(pem_cert_end, pos, buf + len - pos);
	122	if (end == NULL) {
	123	wpa_printf(MSG_INFO, "TLSv1: Could not find PEM "
	124	"certificate end tag (%s)", pem_cert_end);
	125	return -1;
	126	}
	127
	128	der = base64_decode(pos, end - pos, &der_len);
	129	if (der == NULL) {
	130	wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM "
	131	"certificate");
	132	return -1;
	133	}
	134
	135	if (tlsv1_add_cert_der(chain, der, der_len) < 0) {
	136	wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM "
	137	"certificate after DER conversion");
	138	os_free(der);
	139	return -1;
	140	}
	141
	142	os_free(der);
	143
	144	end += os_strlen(pem_cert_end);
	145	pos = search_tag(pem_cert_begin, end, buf + len - end);
	146	}
147
148	return 0;
149	}
150
151
152	static int tlsv1_set_cert_chain(struct x509_certificate **chain,
153	const char cert, const u8 cert_blob,
154	size_t cert_blob_len)
155	{
156	if (cert_blob)
157	return tlsv1_add_cert(chain, cert_blob, cert_blob_len);
158
159	if (cert) {
160	u8 *buf;
161	size_t len;
162	int ret;
163
164	buf = (u8 *) os_readfile(cert, &len);
165	if (buf == NULL) {
166	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
167	cert);
168	return -1;
169	}
170
171	ret = tlsv1_add_cert(chain, buf, len);
172	os_free(buf);
173	return ret;
174	}
175
176	return 0;
177	}
178
179
180	/**
181	* tlsv1_set_ca_cert - Set trusted CA certificate(s)
182	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
183	* @cert: File or reference name for X.509 certificate in PEM or DER format
184	* @cert_blob: cert as inlined data or %NULL if not used
185	* @cert_blob_len: ca_cert_blob length
186	* @path: Path to CA certificates (not yet supported)
187	* Returns: 0 on success, -1 on failure
188	*/
189	int tlsv1_set_ca_cert(struct tlsv1_credentials cred, const char cert,
190	const u8 *cert_blob, size_t cert_blob_len,
191	const char *path)
192	{
3665776e PR	193	cred->ca_cert_verify = cert \|\| cert_blob \|\| path;
3665776e PR	194
6fc6879b JM	195	if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
	196	cert_blob, cert_blob_len) < 0)
	197	return -1;
	198
	199	if (path) {
	200	/* TODO: add support for reading number of certificate files */
	201	wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory "
	202	"not yet supported");
	203	return -1;
	204	}
	205
	206	return 0;
	207	}
	208
	209
	210	/**
	211	* tlsv1_set_cert - Set certificate
	212	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
	213	* @cert: File or reference name for X.509 certificate in PEM or DER format
	214	* @cert_blob: cert as inlined data or %NULL if not used
	215	* @cert_blob_len: cert_blob length
	216	* Returns: 0 on success, -1 on failure
	217	*/
	218	int tlsv1_set_cert(struct tlsv1_credentials cred, const char cert,
	219	const u8 *cert_blob, size_t cert_blob_len)
	220	{
	221	return tlsv1_set_cert_chain(&cred->cert, cert,
	222	cert_blob, cert_blob_len);
	223	}
	224
	225
3af9f298	226	static struct crypto_private_key * tlsv1_set_key_pem(const u8 *key, size_t len)
1b8409a0 JM	227	{
	228	const u8 pos, end;
	229	unsigned char *der;
	230	size_t der_len;
3af9f298	231	struct crypto_private_key *pkey;
1b8409a0 JM	232
1b8409a0 JM	233	pos = search_tag(pem_key_begin, key, len);
8ef74414 JM	234	if (!pos) {
	235	pos = search_tag(pem_key2_begin, key, len);
	236	if (!pos)
3af9f298	237	return NULL;
8ef74414 JM	238	pos += os_strlen(pem_key2_begin);
	239	end = search_tag(pem_key2_end, pos, key + len - pos);
	240	if (!end)
3af9f298	241	return NULL;
8ef74414	242	} else {
e770c497	243	const u8 *pos2;
8ef74414 JM	244	pos += os_strlen(pem_key_begin);
	245	end = search_tag(pem_key_end, pos, key + len - pos);
	246	if (!end)
3af9f298	247	return NULL;
e770c497 JM	248	pos2 = search_tag("Proc-Type: 4,ENCRYPTED", pos, end - pos);
	249	if (pos2) {
	250	wpa_printf(MSG_DEBUG, "TLSv1: Unsupported private key "
	251	"format (Proc-Type/DEK-Info)");
	252	return NULL;
	253	}
8ef74414	254	}
1b8409a0 JM	255
	256	der = base64_decode(pos, end - pos, &der_len);
	257	if (!der)
3af9f298 JM	258	return NULL;
3af9f298 JM	259	pkey = crypto_private_key_import(der, der_len, NULL);
3f4ed97a	260	os_free(der);
3af9f298	261	return pkey;
3f4ed97a JM	262	}
	263
	264
3af9f298 JM	265	static struct crypto_private_key * tlsv1_set_key_enc_pem(const u8 *key,
	266	size_t len,
	267	const char *passwd)
3f4ed97a JM	268	{
	269	const u8 pos, end;
	270	unsigned char *der;
	271	size_t der_len;
3af9f298	272	struct crypto_private_key *pkey;
3f4ed97a JM	273
3f4ed97a JM	274	if (passwd == NULL)
3af9f298	275	return NULL;
3f4ed97a JM	276	pos = search_tag(pem_key_enc_begin, key, len);
3f4ed97a JM	277	if (!pos)
3af9f298	278	return NULL;
3f4ed97a JM	279	pos += os_strlen(pem_key_enc_begin);
	280	end = search_tag(pem_key_enc_end, pos, key + len - pos);
	281	if (!end)
3af9f298	282	return NULL;
3f4ed97a JM	283
	284	der = base64_decode(pos, end - pos, &der_len);
	285	if (!der)
3af9f298 JM	286	return NULL;
3af9f298 JM	287	pkey = crypto_private_key_import(der, der_len, passwd);
1b8409a0	288	os_free(der);
3af9f298	289	return pkey;
1b8409a0 JM	290	}
	291
	292
6fc6879b	293	static int tlsv1_set_key(struct tlsv1_credentials *cred,
3f4ed97a	294	const u8 key, size_t len, const char passwd)
6fc6879b	295	{
3f4ed97a	296	cred->key = crypto_private_key_import(key, len, passwd);
1b8409a0	297	if (cred->key == NULL)
3af9f298	298	cred->key = tlsv1_set_key_pem(key, len);
3f4ed97a	299	if (cred->key == NULL)
3af9f298	300	cred->key = tlsv1_set_key_enc_pem(key, len, passwd);
6fc6879b JM	301	if (cred->key == NULL) {
	302	wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
	303	return -1;
	304	}
	305	return 0;
	306	}
	307
	308
	309	/**
	310	* tlsv1_set_private_key - Set private key
	311	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
	312	* @private_key: File or reference name for the key in PEM or DER format
	313	* @private_key_passwd: Passphrase for decrypted private key, %NULL if no
	314	* passphrase is used.
	315	* @private_key_blob: private_key as inlined data or %NULL if not used
	316	* @private_key_blob_len: private_key_blob length
	317	* Returns: 0 on success, -1 on failure
	318	*/
	319	int tlsv1_set_private_key(struct tlsv1_credentials *cred,
	320	const char *private_key,
	321	const char *private_key_passwd,
	322	const u8 *private_key_blob,
	323	size_t private_key_blob_len)
	324	{
	325	crypto_private_key_free(cred->key);
	326	cred->key = NULL;
	327
	328	if (private_key_blob)
	329	return tlsv1_set_key(cred, private_key_blob,
3f4ed97a JM	330	private_key_blob_len,
3f4ed97a JM	331	private_key_passwd);
6fc6879b JM	332
	333	if (private_key) {
	334	u8 *buf;
	335	size_t len;
	336	int ret;
	337
	338	buf = (u8 *) os_readfile(private_key, &len);
	339	if (buf == NULL) {
	340	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
	341	private_key);
	342	return -1;
	343	}
	344
3f4ed97a	345	ret = tlsv1_set_key(cred, buf, len, private_key_passwd);
6fc6879b JM	346	os_free(buf);
	347	return ret;
	348	}
	349
	350	return 0;
	351	}
	352
	353
	354	static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
	355	const u8 *dh, size_t len)
	356	{
	357	struct asn1_hdr hdr;
	358	const u8 pos, end;
	359
	360	pos = dh;
	361	end = dh + len;
	362
	363	/*
	364	* DHParameter ::= SEQUENCE {
	365	* prime INTEGER, -- p
	366	* base INTEGER, -- g
	367	* privateValueLength INTEGER OPTIONAL }
	368	*/
	369
	370	/* DHParamer ::= SEQUENCE */
	371	if (asn1_get_next(pos, len, &hdr) < 0 \|\|
	372	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	373	hdr.tag != ASN1_TAG_SEQUENCE) {
	374	wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a "
	375	"valid SEQUENCE - found class %d tag 0x%x",
	376	hdr.class, hdr.tag);
	377	return -1;
	378	}
	379	pos = hdr.payload;
	380
	381	/* prime INTEGER */
	382	if (asn1_get_next(pos, end - pos, &hdr) < 0)
	383	return -1;
	384
	385	if (hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	386	hdr.tag != ASN1_TAG_INTEGER) {
	387	wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; "
	388	"class=%d tag=0x%x", hdr.class, hdr.tag);
	389	return -1;
	390	}
	391
	392	wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length);
	393	if (hdr.length == 0)
	394	return -1;
	395	os_free(cred->dh_p);
	396	cred->dh_p = os_malloc(hdr.length);
	397	if (cred->dh_p == NULL)
	398	return -1;
	399	os_memcpy(cred->dh_p, hdr.payload, hdr.length);
	400	cred->dh_p_len = hdr.length;
	401	pos = hdr.payload + hdr.length;
	402
	403	/* base INTEGER */
	404	if (asn1_get_next(pos, end - pos, &hdr) < 0)
	405	return -1;
	406
	407	if (hdr.class != ASN1_CLASS_UNIVERSAL \|\|
	408	hdr.tag != ASN1_TAG_INTEGER) {
	409	wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; "
410	"class=%d tag=0x%x", hdr.class, hdr.tag);
411	return -1;
412	}
413
414	wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length);
415	if (hdr.length == 0)
416	return -1;
417	os_free(cred->dh_g);
418	cred->dh_g = os_malloc(hdr.length);
419	if (cred->dh_g == NULL)
420	return -1;
421	os_memcpy(cred->dh_g, hdr.payload, hdr.length);
422	cred->dh_g_len = hdr.length;
423
424	return 0;
425	}
426
427
428	static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----";
429	static const char *pem_dhparams_end = "-----END DH PARAMETERS-----";
430
431
432	static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred,
433	const u8 *buf, size_t len)
434	{
435	const u8 pos, end;
436	unsigned char *der;
437	size_t der_len;
438
439	pos = search_tag(pem_dhparams_begin, buf, len);
440	if (!pos) {
441	wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - "
442	"assume DER format");
443	return tlsv1_set_dhparams_der(cred, buf, len);
444	}
445
446	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER "
447	"format");
448
449	pos += os_strlen(pem_dhparams_begin);
450	end = search_tag(pem_dhparams_end, pos, buf + len - pos);
451	if (end == NULL) {
452	wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end "
453	"tag (%s)", pem_dhparams_end);
454	return -1;
455	}
456
457	der = base64_decode(pos, end - pos, &der_len);
458	if (der == NULL) {
459	wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams");
460	return -1;
461	}
462
463	if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) {
464	wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams "
465	"DER conversion");
466	os_free(der);
467	return -1;
468	}
469
470	os_free(der);
471
472	return 0;
473	}
474
475
476	/**
477	* tlsv1_set_dhparams - Set Diffie-Hellman parameters
478	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
479	* @dh_file: File or reference name for the DH params in PEM or DER format
480	* @dh_blob: DH params as inlined data or %NULL if not used
481	* @dh_blob_len: dh_blob length
482	* Returns: 0 on success, -1 on failure
483	*/
484	int tlsv1_set_dhparams(struct tlsv1_credentials cred, const char dh_file,
485	const u8 *dh_blob, size_t dh_blob_len)
486	{
487	if (dh_blob)
488	return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len);
489
490	if (dh_file) {
491	u8 *buf;
492	size_t len;
493	int ret;
494
495	buf = (u8 *) os_readfile(dh_file, &len);
496	if (buf == NULL) {
497	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
498	dh_file);
499	return -1;
500	}
501
502	ret = tlsv1_set_dhparams_blob(cred, buf, len);
503	os_free(buf);
504	return ret;
505	}
506
507	return 0;
508	}