]>
Commit | Line | Data |
---|---|---|
6fc6879b JM |
1 | /* |
2 | * TLSv1 credentials | |
3af9f298 | 3 | * Copyright (c) 2006-2009, Jouni Malinen <j@w1.fi> |
6fc6879b | 4 | * |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
6fc6879b JM |
7 | */ |
8 | ||
9 | #include "includes.h" | |
10 | ||
11 | #include "common.h" | |
12 | #include "base64.h" | |
03da66bd | 13 | #include "crypto/crypto.h" |
6fc6879b JM |
14 | #include "x509v3.h" |
15 | #include "tlsv1_cred.h" | |
16 | ||
17 | ||
18 | struct tlsv1_credentials * tlsv1_cred_alloc(void) | |
19 | { | |
20 | struct tlsv1_credentials *cred; | |
21 | cred = os_zalloc(sizeof(*cred)); | |
22 | return cred; | |
23 | } | |
24 | ||
25 | ||
26 | void tlsv1_cred_free(struct tlsv1_credentials *cred) | |
27 | { | |
28 | if (cred == NULL) | |
29 | return; | |
30 | ||
31 | x509_certificate_chain_free(cred->trusted_certs); | |
32 | x509_certificate_chain_free(cred->cert); | |
33 | crypto_private_key_free(cred->key); | |
34 | os_free(cred->dh_p); | |
35 | os_free(cred->dh_g); | |
36 | os_free(cred); | |
37 | } | |
38 | ||
39 | ||
40 | static int tlsv1_add_cert_der(struct x509_certificate **chain, | |
41 | const u8 *buf, size_t len) | |
42 | { | |
6921f1f3 | 43 | struct x509_certificate *cert, *p; |
6fc6879b JM |
44 | char name[128]; |
45 | ||
46 | cert = x509_certificate_parse(buf, len); | |
47 | if (cert == NULL) { | |
48 | wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate", | |
49 | __func__); | |
50 | return -1; | |
51 | } | |
52 | ||
6921f1f3 JM |
53 | p = *chain; |
54 | while (p && p->next) | |
55 | p = p->next; | |
56 | if (p && x509_name_compare(&cert->subject, &p->issuer) == 0) { | |
57 | /* | |
58 | * The new certificate is the issuer of the last certificate in | |
59 | * the chain - add the new certificate to the end. | |
60 | */ | |
61 | p->next = cert; | |
62 | } else { | |
63 | /* Add to the beginning of the chain */ | |
64 | cert->next = *chain; | |
65 | *chain = cert; | |
66 | } | |
6fc6879b JM |
67 | |
68 | x509_name_string(&cert->subject, name, sizeof(name)); | |
69 | wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name); | |
70 | ||
71 | return 0; | |
72 | } | |
73 | ||
74 | ||
75 | static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----"; | |
76 | static const char *pem_cert_end = "-----END CERTIFICATE-----"; | |
1b8409a0 JM |
77 | static const char *pem_key_begin = "-----BEGIN RSA PRIVATE KEY-----"; |
78 | static const char *pem_key_end = "-----END RSA PRIVATE KEY-----"; | |
8ef74414 JM |
79 | static const char *pem_key2_begin = "-----BEGIN PRIVATE KEY-----"; |
80 | static const char *pem_key2_end = "-----END PRIVATE KEY-----"; | |
3f4ed97a JM |
81 | static const char *pem_key_enc_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; |
82 | static const char *pem_key_enc_end = "-----END ENCRYPTED PRIVATE KEY-----"; | |
6fc6879b JM |
83 | |
84 | ||
85 | static const u8 * search_tag(const char *tag, const u8 *buf, size_t len) | |
86 | { | |
87 | size_t i, plen; | |
88 | ||
89 | plen = os_strlen(tag); | |
90 | if (len < plen) | |
91 | return NULL; | |
92 | ||
93 | for (i = 0; i < len - plen; i++) { | |
94 | if (os_memcmp(buf + i, tag, plen) == 0) | |
95 | return buf + i; | |
96 | } | |
97 | ||
98 | return NULL; | |
99 | } | |
100 | ||
101 | ||
102 | static int tlsv1_add_cert(struct x509_certificate **chain, | |
103 | const u8 *buf, size_t len) | |
104 | { | |
105 | const u8 *pos, *end; | |
106 | unsigned char *der; | |
107 | size_t der_len; | |
108 | ||
109 | pos = search_tag(pem_cert_begin, buf, len); | |
110 | if (!pos) { | |
111 | wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - " | |
112 | "assume DER format"); | |
113 | return tlsv1_add_cert_der(chain, buf, len); | |
114 | } | |
115 | ||
116 | wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into " | |
117 | "DER format"); | |
118 | ||
119 | while (pos) { | |
120 | pos += os_strlen(pem_cert_begin); | |
121 | end = search_tag(pem_cert_end, pos, buf + len - pos); | |
122 | if (end == NULL) { | |
123 | wpa_printf(MSG_INFO, "TLSv1: Could not find PEM " | |
124 | "certificate end tag (%s)", pem_cert_end); | |
125 | return -1; | |
126 | } | |
127 | ||
128 | der = base64_decode(pos, end - pos, &der_len); | |
129 | if (der == NULL) { | |
130 | wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM " | |
131 | "certificate"); | |
132 | return -1; | |
133 | } | |
134 | ||
135 | if (tlsv1_add_cert_der(chain, der, der_len) < 0) { | |
136 | wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM " | |
137 | "certificate after DER conversion"); | |
138 | os_free(der); | |
139 | return -1; | |
140 | } | |
141 | ||
142 | os_free(der); | |
143 | ||
144 | end += os_strlen(pem_cert_end); | |
145 | pos = search_tag(pem_cert_begin, end, buf + len - end); | |
146 | } | |
147 | ||
148 | return 0; | |
149 | } | |
150 | ||
151 | ||
152 | static int tlsv1_set_cert_chain(struct x509_certificate **chain, | |
153 | const char *cert, const u8 *cert_blob, | |
154 | size_t cert_blob_len) | |
155 | { | |
156 | if (cert_blob) | |
157 | return tlsv1_add_cert(chain, cert_blob, cert_blob_len); | |
158 | ||
159 | if (cert) { | |
160 | u8 *buf; | |
161 | size_t len; | |
162 | int ret; | |
163 | ||
164 | buf = (u8 *) os_readfile(cert, &len); | |
165 | if (buf == NULL) { | |
166 | wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'", | |
167 | cert); | |
168 | return -1; | |
169 | } | |
170 | ||
171 | ret = tlsv1_add_cert(chain, buf, len); | |
172 | os_free(buf); | |
173 | return ret; | |
174 | } | |
175 | ||
176 | return 0; | |
177 | } | |
178 | ||
179 | ||
180 | /** | |
181 | * tlsv1_set_ca_cert - Set trusted CA certificate(s) | |
182 | * @cred: TLSv1 credentials from tlsv1_cred_alloc() | |
183 | * @cert: File or reference name for X.509 certificate in PEM or DER format | |
184 | * @cert_blob: cert as inlined data or %NULL if not used | |
185 | * @cert_blob_len: ca_cert_blob length | |
186 | * @path: Path to CA certificates (not yet supported) | |
187 | * Returns: 0 on success, -1 on failure | |
188 | */ | |
189 | int tlsv1_set_ca_cert(struct tlsv1_credentials *cred, const char *cert, | |
190 | const u8 *cert_blob, size_t cert_blob_len, | |
191 | const char *path) | |
192 | { | |
3665776e PR |
193 | cred->ca_cert_verify = cert || cert_blob || path; |
194 | ||
6fc6879b JM |
195 | if (tlsv1_set_cert_chain(&cred->trusted_certs, cert, |
196 | cert_blob, cert_blob_len) < 0) | |
197 | return -1; | |
198 | ||
199 | if (path) { | |
200 | /* TODO: add support for reading number of certificate files */ | |
201 | wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory " | |
202 | "not yet supported"); | |
203 | return -1; | |
204 | } | |
205 | ||
206 | return 0; | |
207 | } | |
208 | ||
209 | ||
210 | /** | |
211 | * tlsv1_set_cert - Set certificate | |
212 | * @cred: TLSv1 credentials from tlsv1_cred_alloc() | |
213 | * @cert: File or reference name for X.509 certificate in PEM or DER format | |
214 | * @cert_blob: cert as inlined data or %NULL if not used | |
215 | * @cert_blob_len: cert_blob length | |
216 | * Returns: 0 on success, -1 on failure | |
217 | */ | |
218 | int tlsv1_set_cert(struct tlsv1_credentials *cred, const char *cert, | |
219 | const u8 *cert_blob, size_t cert_blob_len) | |
220 | { | |
221 | return tlsv1_set_cert_chain(&cred->cert, cert, | |
222 | cert_blob, cert_blob_len); | |
223 | } | |
224 | ||
225 | ||
3af9f298 | 226 | static struct crypto_private_key * tlsv1_set_key_pem(const u8 *key, size_t len) |
1b8409a0 JM |
227 | { |
228 | const u8 *pos, *end; | |
229 | unsigned char *der; | |
230 | size_t der_len; | |
3af9f298 | 231 | struct crypto_private_key *pkey; |
1b8409a0 JM |
232 | |
233 | pos = search_tag(pem_key_begin, key, len); | |
8ef74414 JM |
234 | if (!pos) { |
235 | pos = search_tag(pem_key2_begin, key, len); | |
236 | if (!pos) | |
3af9f298 | 237 | return NULL; |
8ef74414 JM |
238 | pos += os_strlen(pem_key2_begin); |
239 | end = search_tag(pem_key2_end, pos, key + len - pos); | |
240 | if (!end) | |
3af9f298 | 241 | return NULL; |
8ef74414 | 242 | } else { |
e770c497 | 243 | const u8 *pos2; |
8ef74414 JM |
244 | pos += os_strlen(pem_key_begin); |
245 | end = search_tag(pem_key_end, pos, key + len - pos); | |
246 | if (!end) | |
3af9f298 | 247 | return NULL; |
e770c497 JM |
248 | pos2 = search_tag("Proc-Type: 4,ENCRYPTED", pos, end - pos); |
249 | if (pos2) { | |
250 | wpa_printf(MSG_DEBUG, "TLSv1: Unsupported private key " | |
251 | "format (Proc-Type/DEK-Info)"); | |
252 | return NULL; | |
253 | } | |
8ef74414 | 254 | } |
1b8409a0 JM |
255 | |
256 | der = base64_decode(pos, end - pos, &der_len); | |
257 | if (!der) | |
3af9f298 JM |
258 | return NULL; |
259 | pkey = crypto_private_key_import(der, der_len, NULL); | |
3f4ed97a | 260 | os_free(der); |
3af9f298 | 261 | return pkey; |
3f4ed97a JM |
262 | } |
263 | ||
264 | ||
3af9f298 JM |
265 | static struct crypto_private_key * tlsv1_set_key_enc_pem(const u8 *key, |
266 | size_t len, | |
267 | const char *passwd) | |
3f4ed97a JM |
268 | { |
269 | const u8 *pos, *end; | |
270 | unsigned char *der; | |
271 | size_t der_len; | |
3af9f298 | 272 | struct crypto_private_key *pkey; |
3f4ed97a JM |
273 | |
274 | if (passwd == NULL) | |
3af9f298 | 275 | return NULL; |
3f4ed97a JM |
276 | pos = search_tag(pem_key_enc_begin, key, len); |
277 | if (!pos) | |
3af9f298 | 278 | return NULL; |
3f4ed97a JM |
279 | pos += os_strlen(pem_key_enc_begin); |
280 | end = search_tag(pem_key_enc_end, pos, key + len - pos); | |
281 | if (!end) | |
3af9f298 | 282 | return NULL; |
3f4ed97a JM |
283 | |
284 | der = base64_decode(pos, end - pos, &der_len); | |
285 | if (!der) | |
3af9f298 JM |
286 | return NULL; |
287 | pkey = crypto_private_key_import(der, der_len, passwd); | |
1b8409a0 | 288 | os_free(der); |
3af9f298 | 289 | return pkey; |
1b8409a0 JM |
290 | } |
291 | ||
292 | ||
6fc6879b | 293 | static int tlsv1_set_key(struct tlsv1_credentials *cred, |
3f4ed97a | 294 | const u8 *key, size_t len, const char *passwd) |
6fc6879b | 295 | { |
3f4ed97a | 296 | cred->key = crypto_private_key_import(key, len, passwd); |
1b8409a0 | 297 | if (cred->key == NULL) |
3af9f298 | 298 | cred->key = tlsv1_set_key_pem(key, len); |
3f4ed97a | 299 | if (cred->key == NULL) |
3af9f298 | 300 | cred->key = tlsv1_set_key_enc_pem(key, len, passwd); |
6fc6879b JM |
301 | if (cred->key == NULL) { |
302 | wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key"); | |
303 | return -1; | |
304 | } | |
305 | return 0; | |
306 | } | |
307 | ||
308 | ||
309 | /** | |
310 | * tlsv1_set_private_key - Set private key | |
311 | * @cred: TLSv1 credentials from tlsv1_cred_alloc() | |
312 | * @private_key: File or reference name for the key in PEM or DER format | |
313 | * @private_key_passwd: Passphrase for decrypted private key, %NULL if no | |
314 | * passphrase is used. | |
315 | * @private_key_blob: private_key as inlined data or %NULL if not used | |
316 | * @private_key_blob_len: private_key_blob length | |
317 | * Returns: 0 on success, -1 on failure | |
318 | */ | |
319 | int tlsv1_set_private_key(struct tlsv1_credentials *cred, | |
320 | const char *private_key, | |
321 | const char *private_key_passwd, | |
322 | const u8 *private_key_blob, | |
323 | size_t private_key_blob_len) | |
324 | { | |
325 | crypto_private_key_free(cred->key); | |
326 | cred->key = NULL; | |
327 | ||
328 | if (private_key_blob) | |
329 | return tlsv1_set_key(cred, private_key_blob, | |
3f4ed97a JM |
330 | private_key_blob_len, |
331 | private_key_passwd); | |
6fc6879b JM |
332 | |
333 | if (private_key) { | |
334 | u8 *buf; | |
335 | size_t len; | |
336 | int ret; | |
337 | ||
338 | buf = (u8 *) os_readfile(private_key, &len); | |
339 | if (buf == NULL) { | |
340 | wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'", | |
341 | private_key); | |
342 | return -1; | |
343 | } | |
344 | ||
3f4ed97a | 345 | ret = tlsv1_set_key(cred, buf, len, private_key_passwd); |
6fc6879b JM |
346 | os_free(buf); |
347 | return ret; | |
348 | } | |
349 | ||
350 | return 0; | |
351 | } | |
352 | ||
353 | ||
354 | static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred, | |
355 | const u8 *dh, size_t len) | |
356 | { | |
357 | struct asn1_hdr hdr; | |
358 | const u8 *pos, *end; | |
359 | ||
360 | pos = dh; | |
361 | end = dh + len; | |
362 | ||
363 | /* | |
364 | * DHParameter ::= SEQUENCE { | |
365 | * prime INTEGER, -- p | |
366 | * base INTEGER, -- g | |
367 | * privateValueLength INTEGER OPTIONAL } | |
368 | */ | |
369 | ||
370 | /* DHParamer ::= SEQUENCE */ | |
371 | if (asn1_get_next(pos, len, &hdr) < 0 || | |
372 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
373 | hdr.tag != ASN1_TAG_SEQUENCE) { | |
374 | wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a " | |
375 | "valid SEQUENCE - found class %d tag 0x%x", | |
376 | hdr.class, hdr.tag); | |
377 | return -1; | |
378 | } | |
379 | pos = hdr.payload; | |
380 | ||
381 | /* prime INTEGER */ | |
382 | if (asn1_get_next(pos, end - pos, &hdr) < 0) | |
383 | return -1; | |
384 | ||
385 | if (hdr.class != ASN1_CLASS_UNIVERSAL || | |
386 | hdr.tag != ASN1_TAG_INTEGER) { | |
387 | wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; " | |
388 | "class=%d tag=0x%x", hdr.class, hdr.tag); | |
389 | return -1; | |
390 | } | |
391 | ||
392 | wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length); | |
393 | if (hdr.length == 0) | |
394 | return -1; | |
395 | os_free(cred->dh_p); | |
396 | cred->dh_p = os_malloc(hdr.length); | |
397 | if (cred->dh_p == NULL) | |
398 | return -1; | |
399 | os_memcpy(cred->dh_p, hdr.payload, hdr.length); | |
400 | cred->dh_p_len = hdr.length; | |
401 | pos = hdr.payload + hdr.length; | |
402 | ||
403 | /* base INTEGER */ | |
404 | if (asn1_get_next(pos, end - pos, &hdr) < 0) | |
405 | return -1; | |
406 | ||
407 | if (hdr.class != ASN1_CLASS_UNIVERSAL || | |
408 | hdr.tag != ASN1_TAG_INTEGER) { | |
409 | wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; " | |
410 | "class=%d tag=0x%x", hdr.class, hdr.tag); | |
411 | return -1; | |
412 | } | |
413 | ||
414 | wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length); | |
415 | if (hdr.length == 0) | |
416 | return -1; | |
417 | os_free(cred->dh_g); | |
418 | cred->dh_g = os_malloc(hdr.length); | |
419 | if (cred->dh_g == NULL) | |
420 | return -1; | |
421 | os_memcpy(cred->dh_g, hdr.payload, hdr.length); | |
422 | cred->dh_g_len = hdr.length; | |
423 | ||
424 | return 0; | |
425 | } | |
426 | ||
427 | ||
428 | static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----"; | |
429 | static const char *pem_dhparams_end = "-----END DH PARAMETERS-----"; | |
430 | ||
431 | ||
432 | static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred, | |
433 | const u8 *buf, size_t len) | |
434 | { | |
435 | const u8 *pos, *end; | |
436 | unsigned char *der; | |
437 | size_t der_len; | |
438 | ||
439 | pos = search_tag(pem_dhparams_begin, buf, len); | |
440 | if (!pos) { | |
441 | wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - " | |
442 | "assume DER format"); | |
443 | return tlsv1_set_dhparams_der(cred, buf, len); | |
444 | } | |
445 | ||
446 | wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER " | |
447 | "format"); | |
448 | ||
449 | pos += os_strlen(pem_dhparams_begin); | |
450 | end = search_tag(pem_dhparams_end, pos, buf + len - pos); | |
451 | if (end == NULL) { | |
452 | wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end " | |
453 | "tag (%s)", pem_dhparams_end); | |
454 | return -1; | |
455 | } | |
456 | ||
457 | der = base64_decode(pos, end - pos, &der_len); | |
458 | if (der == NULL) { | |
459 | wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams"); | |
460 | return -1; | |
461 | } | |
462 | ||
463 | if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) { | |
464 | wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams " | |
465 | "DER conversion"); | |
466 | os_free(der); | |
467 | return -1; | |
468 | } | |
469 | ||
470 | os_free(der); | |
471 | ||
472 | return 0; | |
473 | } | |
474 | ||
475 | ||
476 | /** | |
477 | * tlsv1_set_dhparams - Set Diffie-Hellman parameters | |
478 | * @cred: TLSv1 credentials from tlsv1_cred_alloc() | |
479 | * @dh_file: File or reference name for the DH params in PEM or DER format | |
480 | * @dh_blob: DH params as inlined data or %NULL if not used | |
481 | * @dh_blob_len: dh_blob length | |
482 | * Returns: 0 on success, -1 on failure | |
483 | */ | |
484 | int tlsv1_set_dhparams(struct tlsv1_credentials *cred, const char *dh_file, | |
485 | const u8 *dh_blob, size_t dh_blob_len) | |
486 | { | |
487 | if (dh_blob) | |
488 | return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len); | |
489 | ||
490 | if (dh_file) { | |
491 | u8 *buf; | |
492 | size_t len; | |
493 | int ret; | |
494 | ||
495 | buf = (u8 *) os_readfile(dh_file, &len); | |
496 | if (buf == NULL) { | |
497 | wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'", | |
498 | dh_file); | |
499 | return -1; | |
500 | } | |
501 | ||
502 | ret = tlsv1_set_dhparams_blob(cred, buf, len); | |
503 | os_free(buf); | |
504 | return ret; | |
505 | } | |
506 | ||
507 | return 0; | |
508 | } |