]>
Commit | Line | Data |
---|---|---|
6fc6879b JM |
1 | /* |
2 | * TLSv1 credentials | |
3af9f298 | 3 | * Copyright (c) 2006-2009, Jouni Malinen <j@w1.fi> |
6fc6879b JM |
4 | * |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * Alternatively, this software may be distributed under the terms of BSD | |
10 | * license. | |
11 | * | |
12 | * See README and COPYING for more details. | |
13 | */ | |
14 | ||
15 | #include "includes.h" | |
16 | ||
17 | #include "common.h" | |
18 | #include "base64.h" | |
03da66bd | 19 | #include "crypto/crypto.h" |
6fc6879b JM |
20 | #include "x509v3.h" |
21 | #include "tlsv1_cred.h" | |
22 | ||
23 | ||
24 | struct tlsv1_credentials * tlsv1_cred_alloc(void) | |
25 | { | |
26 | struct tlsv1_credentials *cred; | |
27 | cred = os_zalloc(sizeof(*cred)); | |
28 | return cred; | |
29 | } | |
30 | ||
31 | ||
32 | void tlsv1_cred_free(struct tlsv1_credentials *cred) | |
33 | { | |
34 | if (cred == NULL) | |
35 | return; | |
36 | ||
37 | x509_certificate_chain_free(cred->trusted_certs); | |
38 | x509_certificate_chain_free(cred->cert); | |
39 | crypto_private_key_free(cred->key); | |
40 | os_free(cred->dh_p); | |
41 | os_free(cred->dh_g); | |
42 | os_free(cred); | |
43 | } | |
44 | ||
45 | ||
46 | static int tlsv1_add_cert_der(struct x509_certificate **chain, | |
47 | const u8 *buf, size_t len) | |
48 | { | |
49 | struct x509_certificate *cert; | |
50 | char name[128]; | |
51 | ||
52 | cert = x509_certificate_parse(buf, len); | |
53 | if (cert == NULL) { | |
54 | wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate", | |
55 | __func__); | |
56 | return -1; | |
57 | } | |
58 | ||
59 | cert->next = *chain; | |
60 | *chain = cert; | |
61 | ||
62 | x509_name_string(&cert->subject, name, sizeof(name)); | |
63 | wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name); | |
64 | ||
65 | return 0; | |
66 | } | |
67 | ||
68 | ||
69 | static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----"; | |
70 | static const char *pem_cert_end = "-----END CERTIFICATE-----"; | |
1b8409a0 JM |
71 | static const char *pem_key_begin = "-----BEGIN RSA PRIVATE KEY-----"; |
72 | static const char *pem_key_end = "-----END RSA PRIVATE KEY-----"; | |
8ef74414 JM |
73 | static const char *pem_key2_begin = "-----BEGIN PRIVATE KEY-----"; |
74 | static const char *pem_key2_end = "-----END PRIVATE KEY-----"; | |
3f4ed97a JM |
75 | static const char *pem_key_enc_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; |
76 | static const char *pem_key_enc_end = "-----END ENCRYPTED PRIVATE KEY-----"; | |
6fc6879b JM |
77 | |
78 | ||
79 | static const u8 * search_tag(const char *tag, const u8 *buf, size_t len) | |
80 | { | |
81 | size_t i, plen; | |
82 | ||
83 | plen = os_strlen(tag); | |
84 | if (len < plen) | |
85 | return NULL; | |
86 | ||
87 | for (i = 0; i < len - plen; i++) { | |
88 | if (os_memcmp(buf + i, tag, plen) == 0) | |
89 | return buf + i; | |
90 | } | |
91 | ||
92 | return NULL; | |
93 | } | |
94 | ||
95 | ||
96 | static int tlsv1_add_cert(struct x509_certificate **chain, | |
97 | const u8 *buf, size_t len) | |
98 | { | |
99 | const u8 *pos, *end; | |
100 | unsigned char *der; | |
101 | size_t der_len; | |
102 | ||
103 | pos = search_tag(pem_cert_begin, buf, len); | |
104 | if (!pos) { | |
105 | wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - " | |
106 | "assume DER format"); | |
107 | return tlsv1_add_cert_der(chain, buf, len); | |
108 | } | |
109 | ||
110 | wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into " | |
111 | "DER format"); | |
112 | ||
113 | while (pos) { | |
114 | pos += os_strlen(pem_cert_begin); | |
115 | end = search_tag(pem_cert_end, pos, buf + len - pos); | |
116 | if (end == NULL) { | |
117 | wpa_printf(MSG_INFO, "TLSv1: Could not find PEM " | |
118 | "certificate end tag (%s)", pem_cert_end); | |
119 | return -1; | |
120 | } | |
121 | ||
122 | der = base64_decode(pos, end - pos, &der_len); | |
123 | if (der == NULL) { | |
124 | wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM " | |
125 | "certificate"); | |
126 | return -1; | |
127 | } | |
128 | ||
129 | if (tlsv1_add_cert_der(chain, der, der_len) < 0) { | |
130 | wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM " | |
131 | "certificate after DER conversion"); | |
132 | os_free(der); | |
133 | return -1; | |
134 | } | |
135 | ||
136 | os_free(der); | |
137 | ||
138 | end += os_strlen(pem_cert_end); | |
139 | pos = search_tag(pem_cert_begin, end, buf + len - end); | |
140 | } | |
141 | ||
142 | return 0; | |
143 | } | |
144 | ||
145 | ||
146 | static int tlsv1_set_cert_chain(struct x509_certificate **chain, | |
147 | const char *cert, const u8 *cert_blob, | |
148 | size_t cert_blob_len) | |
149 | { | |
150 | if (cert_blob) | |
151 | return tlsv1_add_cert(chain, cert_blob, cert_blob_len); | |
152 | ||
153 | if (cert) { | |
154 | u8 *buf; | |
155 | size_t len; | |
156 | int ret; | |
157 | ||
158 | buf = (u8 *) os_readfile(cert, &len); | |
159 | if (buf == NULL) { | |
160 | wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'", | |
161 | cert); | |
162 | return -1; | |
163 | } | |
164 | ||
165 | ret = tlsv1_add_cert(chain, buf, len); | |
166 | os_free(buf); | |
167 | return ret; | |
168 | } | |
169 | ||
170 | return 0; | |
171 | } | |
172 | ||
173 | ||
174 | /** | |
175 | * tlsv1_set_ca_cert - Set trusted CA certificate(s) | |
176 | * @cred: TLSv1 credentials from tlsv1_cred_alloc() | |
177 | * @cert: File or reference name for X.509 certificate in PEM or DER format | |
178 | * @cert_blob: cert as inlined data or %NULL if not used | |
179 | * @cert_blob_len: ca_cert_blob length | |
180 | * @path: Path to CA certificates (not yet supported) | |
181 | * Returns: 0 on success, -1 on failure | |
182 | */ | |
183 | int tlsv1_set_ca_cert(struct tlsv1_credentials *cred, const char *cert, | |
184 | const u8 *cert_blob, size_t cert_blob_len, | |
185 | const char *path) | |
186 | { | |
187 | if (tlsv1_set_cert_chain(&cred->trusted_certs, cert, | |
188 | cert_blob, cert_blob_len) < 0) | |
189 | return -1; | |
190 | ||
191 | if (path) { | |
192 | /* TODO: add support for reading number of certificate files */ | |
193 | wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory " | |
194 | "not yet supported"); | |
195 | return -1; | |
196 | } | |
197 | ||
198 | return 0; | |
199 | } | |
200 | ||
201 | ||
202 | /** | |
203 | * tlsv1_set_cert - Set certificate | |
204 | * @cred: TLSv1 credentials from tlsv1_cred_alloc() | |
205 | * @cert: File or reference name for X.509 certificate in PEM or DER format | |
206 | * @cert_blob: cert as inlined data or %NULL if not used | |
207 | * @cert_blob_len: cert_blob length | |
208 | * Returns: 0 on success, -1 on failure | |
209 | */ | |
210 | int tlsv1_set_cert(struct tlsv1_credentials *cred, const char *cert, | |
211 | const u8 *cert_blob, size_t cert_blob_len) | |
212 | { | |
213 | return tlsv1_set_cert_chain(&cred->cert, cert, | |
214 | cert_blob, cert_blob_len); | |
215 | } | |
216 | ||
217 | ||
3af9f298 | 218 | static struct crypto_private_key * tlsv1_set_key_pem(const u8 *key, size_t len) |
1b8409a0 JM |
219 | { |
220 | const u8 *pos, *end; | |
221 | unsigned char *der; | |
222 | size_t der_len; | |
3af9f298 | 223 | struct crypto_private_key *pkey; |
1b8409a0 JM |
224 | |
225 | pos = search_tag(pem_key_begin, key, len); | |
8ef74414 JM |
226 | if (!pos) { |
227 | pos = search_tag(pem_key2_begin, key, len); | |
228 | if (!pos) | |
3af9f298 | 229 | return NULL; |
8ef74414 JM |
230 | pos += os_strlen(pem_key2_begin); |
231 | end = search_tag(pem_key2_end, pos, key + len - pos); | |
232 | if (!end) | |
3af9f298 | 233 | return NULL; |
8ef74414 JM |
234 | } else { |
235 | pos += os_strlen(pem_key_begin); | |
236 | end = search_tag(pem_key_end, pos, key + len - pos); | |
237 | if (!end) | |
3af9f298 | 238 | return NULL; |
8ef74414 | 239 | } |
1b8409a0 JM |
240 | |
241 | der = base64_decode(pos, end - pos, &der_len); | |
242 | if (!der) | |
3af9f298 JM |
243 | return NULL; |
244 | pkey = crypto_private_key_import(der, der_len, NULL); | |
3f4ed97a | 245 | os_free(der); |
3af9f298 | 246 | return pkey; |
3f4ed97a JM |
247 | } |
248 | ||
249 | ||
3af9f298 JM |
250 | static struct crypto_private_key * tlsv1_set_key_enc_pem(const u8 *key, |
251 | size_t len, | |
252 | const char *passwd) | |
3f4ed97a JM |
253 | { |
254 | const u8 *pos, *end; | |
255 | unsigned char *der; | |
256 | size_t der_len; | |
3af9f298 | 257 | struct crypto_private_key *pkey; |
3f4ed97a JM |
258 | |
259 | if (passwd == NULL) | |
3af9f298 | 260 | return NULL; |
3f4ed97a JM |
261 | pos = search_tag(pem_key_enc_begin, key, len); |
262 | if (!pos) | |
3af9f298 | 263 | return NULL; |
3f4ed97a JM |
264 | pos += os_strlen(pem_key_enc_begin); |
265 | end = search_tag(pem_key_enc_end, pos, key + len - pos); | |
266 | if (!end) | |
3af9f298 | 267 | return NULL; |
3f4ed97a JM |
268 | |
269 | der = base64_decode(pos, end - pos, &der_len); | |
270 | if (!der) | |
3af9f298 JM |
271 | return NULL; |
272 | pkey = crypto_private_key_import(der, der_len, passwd); | |
1b8409a0 | 273 | os_free(der); |
3af9f298 | 274 | return pkey; |
1b8409a0 JM |
275 | } |
276 | ||
277 | ||
6fc6879b | 278 | static int tlsv1_set_key(struct tlsv1_credentials *cred, |
3f4ed97a | 279 | const u8 *key, size_t len, const char *passwd) |
6fc6879b | 280 | { |
3f4ed97a | 281 | cred->key = crypto_private_key_import(key, len, passwd); |
1b8409a0 | 282 | if (cred->key == NULL) |
3af9f298 | 283 | cred->key = tlsv1_set_key_pem(key, len); |
3f4ed97a | 284 | if (cred->key == NULL) |
3af9f298 | 285 | cred->key = tlsv1_set_key_enc_pem(key, len, passwd); |
6fc6879b JM |
286 | if (cred->key == NULL) { |
287 | wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key"); | |
288 | return -1; | |
289 | } | |
290 | return 0; | |
291 | } | |
292 | ||
293 | ||
294 | /** | |
295 | * tlsv1_set_private_key - Set private key | |
296 | * @cred: TLSv1 credentials from tlsv1_cred_alloc() | |
297 | * @private_key: File or reference name for the key in PEM or DER format | |
298 | * @private_key_passwd: Passphrase for decrypted private key, %NULL if no | |
299 | * passphrase is used. | |
300 | * @private_key_blob: private_key as inlined data or %NULL if not used | |
301 | * @private_key_blob_len: private_key_blob length | |
302 | * Returns: 0 on success, -1 on failure | |
303 | */ | |
304 | int tlsv1_set_private_key(struct tlsv1_credentials *cred, | |
305 | const char *private_key, | |
306 | const char *private_key_passwd, | |
307 | const u8 *private_key_blob, | |
308 | size_t private_key_blob_len) | |
309 | { | |
310 | crypto_private_key_free(cred->key); | |
311 | cred->key = NULL; | |
312 | ||
313 | if (private_key_blob) | |
314 | return tlsv1_set_key(cred, private_key_blob, | |
3f4ed97a JM |
315 | private_key_blob_len, |
316 | private_key_passwd); | |
6fc6879b JM |
317 | |
318 | if (private_key) { | |
319 | u8 *buf; | |
320 | size_t len; | |
321 | int ret; | |
322 | ||
323 | buf = (u8 *) os_readfile(private_key, &len); | |
324 | if (buf == NULL) { | |
325 | wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'", | |
326 | private_key); | |
327 | return -1; | |
328 | } | |
329 | ||
3f4ed97a | 330 | ret = tlsv1_set_key(cred, buf, len, private_key_passwd); |
6fc6879b JM |
331 | os_free(buf); |
332 | return ret; | |
333 | } | |
334 | ||
335 | return 0; | |
336 | } | |
337 | ||
338 | ||
339 | static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred, | |
340 | const u8 *dh, size_t len) | |
341 | { | |
342 | struct asn1_hdr hdr; | |
343 | const u8 *pos, *end; | |
344 | ||
345 | pos = dh; | |
346 | end = dh + len; | |
347 | ||
348 | /* | |
349 | * DHParameter ::= SEQUENCE { | |
350 | * prime INTEGER, -- p | |
351 | * base INTEGER, -- g | |
352 | * privateValueLength INTEGER OPTIONAL } | |
353 | */ | |
354 | ||
355 | /* DHParamer ::= SEQUENCE */ | |
356 | if (asn1_get_next(pos, len, &hdr) < 0 || | |
357 | hdr.class != ASN1_CLASS_UNIVERSAL || | |
358 | hdr.tag != ASN1_TAG_SEQUENCE) { | |
359 | wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a " | |
360 | "valid SEQUENCE - found class %d tag 0x%x", | |
361 | hdr.class, hdr.tag); | |
362 | return -1; | |
363 | } | |
364 | pos = hdr.payload; | |
365 | ||
366 | /* prime INTEGER */ | |
367 | if (asn1_get_next(pos, end - pos, &hdr) < 0) | |
368 | return -1; | |
369 | ||
370 | if (hdr.class != ASN1_CLASS_UNIVERSAL || | |
371 | hdr.tag != ASN1_TAG_INTEGER) { | |
372 | wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; " | |
373 | "class=%d tag=0x%x", hdr.class, hdr.tag); | |
374 | return -1; | |
375 | } | |
376 | ||
377 | wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length); | |
378 | if (hdr.length == 0) | |
379 | return -1; | |
380 | os_free(cred->dh_p); | |
381 | cred->dh_p = os_malloc(hdr.length); | |
382 | if (cred->dh_p == NULL) | |
383 | return -1; | |
384 | os_memcpy(cred->dh_p, hdr.payload, hdr.length); | |
385 | cred->dh_p_len = hdr.length; | |
386 | pos = hdr.payload + hdr.length; | |
387 | ||
388 | /* base INTEGER */ | |
389 | if (asn1_get_next(pos, end - pos, &hdr) < 0) | |
390 | return -1; | |
391 | ||
392 | if (hdr.class != ASN1_CLASS_UNIVERSAL || | |
393 | hdr.tag != ASN1_TAG_INTEGER) { | |
394 | wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; " | |
395 | "class=%d tag=0x%x", hdr.class, hdr.tag); | |
396 | return -1; | |
397 | } | |
398 | ||
399 | wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length); | |
400 | if (hdr.length == 0) | |
401 | return -1; | |
402 | os_free(cred->dh_g); | |
403 | cred->dh_g = os_malloc(hdr.length); | |
404 | if (cred->dh_g == NULL) | |
405 | return -1; | |
406 | os_memcpy(cred->dh_g, hdr.payload, hdr.length); | |
407 | cred->dh_g_len = hdr.length; | |
408 | ||
409 | return 0; | |
410 | } | |
411 | ||
412 | ||
413 | static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----"; | |
414 | static const char *pem_dhparams_end = "-----END DH PARAMETERS-----"; | |
415 | ||
416 | ||
417 | static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred, | |
418 | const u8 *buf, size_t len) | |
419 | { | |
420 | const u8 *pos, *end; | |
421 | unsigned char *der; | |
422 | size_t der_len; | |
423 | ||
424 | pos = search_tag(pem_dhparams_begin, buf, len); | |
425 | if (!pos) { | |
426 | wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - " | |
427 | "assume DER format"); | |
428 | return tlsv1_set_dhparams_der(cred, buf, len); | |
429 | } | |
430 | ||
431 | wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER " | |
432 | "format"); | |
433 | ||
434 | pos += os_strlen(pem_dhparams_begin); | |
435 | end = search_tag(pem_dhparams_end, pos, buf + len - pos); | |
436 | if (end == NULL) { | |
437 | wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end " | |
438 | "tag (%s)", pem_dhparams_end); | |
439 | return -1; | |
440 | } | |
441 | ||
442 | der = base64_decode(pos, end - pos, &der_len); | |
443 | if (der == NULL) { | |
444 | wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams"); | |
445 | return -1; | |
446 | } | |
447 | ||
448 | if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) { | |
449 | wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams " | |
450 | "DER conversion"); | |
451 | os_free(der); | |
452 | return -1; | |
453 | } | |
454 | ||
455 | os_free(der); | |
456 | ||
457 | return 0; | |
458 | } | |
459 | ||
460 | ||
461 | /** | |
462 | * tlsv1_set_dhparams - Set Diffie-Hellman parameters | |
463 | * @cred: TLSv1 credentials from tlsv1_cred_alloc() | |
464 | * @dh_file: File or reference name for the DH params in PEM or DER format | |
465 | * @dh_blob: DH params as inlined data or %NULL if not used | |
466 | * @dh_blob_len: dh_blob length | |
467 | * Returns: 0 on success, -1 on failure | |
468 | */ | |
469 | int tlsv1_set_dhparams(struct tlsv1_credentials *cred, const char *dh_file, | |
470 | const u8 *dh_blob, size_t dh_blob_len) | |
471 | { | |
472 | if (dh_blob) | |
473 | return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len); | |
474 | ||
475 | if (dh_file) { | |
476 | u8 *buf; | |
477 | size_t len; | |
478 | int ret; | |
479 | ||
480 | buf = (u8 *) os_readfile(dh_file, &len); | |
481 | if (buf == NULL) { | |
482 | wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'", | |
483 | dh_file); | |
484 | return -1; | |
485 | } | |
486 | ||
487 | ret = tlsv1_set_dhparams_blob(cred, buf, len); | |
488 | os_free(buf); | |
489 | return ret; | |
490 | } | |
491 | ||
492 | return 0; | |
493 | } |