[thirdparty/hostap.git] / src / tls / tlsv1_cred.c

/*
 * TLSv1 credentials
 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */

#include "includes.h"

#include "common.h"
#include "base64.h"
#include "crypto.h"
#include "x509v3.h"
#include "tlsv1_cred.h"


struct tlsv1_credentials * tlsv1_cred_alloc(void)
{
	struct tlsv1_credentials *cred;
	cred = os_zalloc(sizeof(*cred));
	return cred;
}


void tlsv1_cred_free(struct tlsv1_credentials *cred)
{
	if (cred == NULL)
		return;

	x509_certificate_chain_free(cred->trusted_certs);
	x509_certificate_chain_free(cred->cert);
	crypto_private_key_free(cred->key);
	os_free(cred->dh_p);
	os_free(cred->dh_g);
	os_free(cred);
}


static int tlsv1_add_cert_der(struct x509_certificate **chain,
			      const u8 *buf, size_t len)
{
	struct x509_certificate *cert;
	char name[128];

	cert = x509_certificate_parse(buf, len);
	if (cert == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate",
			   __func__);
		return -1;
	}

	cert->next = *chain;
	*chain = cert;

	x509_name_string(&cert->subject, name, sizeof(name));
	wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name);

	return 0;
}


static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
static const char *pem_cert_end = "-----END CERTIFICATE-----";


static const u8 * search_tag(const char *tag, const u8 *buf, size_t len)
{
	size_t i, plen;

	plen = os_strlen(tag);
	if (len < plen)
		return NULL;

	for (i = 0; i < len - plen; i++) {
		if (os_memcmp(buf + i, tag, plen) == 0)
			return buf + i;
	}

	return NULL;
}


static int tlsv1_add_cert(struct x509_certificate **chain,
			  const u8 *buf, size_t len)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;

	pos = search_tag(pem_cert_begin, buf, len);
	if (!pos) {
		wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - "
			   "assume DER format");
		return tlsv1_add_cert_der(chain, buf, len);
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into "
		   "DER format");

	while (pos) {
		pos += os_strlen(pem_cert_begin);
		end = search_tag(pem_cert_end, pos, buf + len - pos);
		if (end == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Could not find PEM "
				   "certificate end tag (%s)", pem_cert_end);
			return -1;
		}

		der = base64_decode(pos, end - pos, &der_len);
		if (der == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM "
				   "certificate");
			return -1;
		}

		if (tlsv1_add_cert_der(chain, der, der_len) < 0) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM "
				   "certificate after DER conversion");
			os_free(der);
			return -1;
		}

		os_free(der);

		end += os_strlen(pem_cert_end);
		pos = search_tag(pem_cert_begin, end, buf + len - end);
	}

	return 0;
}


static int tlsv1_set_cert_chain(struct x509_certificate **chain,
				const char *cert, const u8 *cert_blob,
				size_t cert_blob_len)
{
	if (cert_blob)
		return tlsv1_add_cert(chain, cert_blob, cert_blob_len);

	if (cert) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(cert, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   cert);
			return -1;
		}

		ret = tlsv1_add_cert(chain, buf, len);
		os_free(buf);
		return ret;
	}

	return 0;
}


/**
 * tlsv1_set_ca_cert - Set trusted CA certificate(s)
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @cert: File or reference name for X.509 certificate in PEM or DER format
 * @cert_blob: cert as inlined data or %NULL if not used
 * @cert_blob_len: ca_cert_blob length
 * @path: Path to CA certificates (not yet supported)
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_ca_cert(struct tlsv1_credentials *cred, const char *cert,
		      const u8 *cert_blob, size_t cert_blob_len,
		      const char *path)
{
	if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
				 cert_blob, cert_blob_len) < 0)
		return -1;

	if (path) {
		/* TODO: add support for reading number of certificate files */
		wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory "
			   "not yet supported");
		return -1;
	}

	return 0;
}


/**
 * tlsv1_set_cert - Set certificate
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @cert: File or reference name for X.509 certificate in PEM or DER format
 * @cert_blob: cert as inlined data or %NULL if not used
 * @cert_blob_len: cert_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_cert(struct tlsv1_credentials *cred, const char *cert,
		   const u8 *cert_blob, size_t cert_blob_len)
{
	return tlsv1_set_cert_chain(&cred->cert, cert,
				    cert_blob, cert_blob_len);
}


static int tlsv1_set_key(struct tlsv1_credentials *cred,
			 const u8 *key, size_t len)
{
	cred->key = crypto_private_key_import(key, len);
	if (cred->key == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
		return -1;
	}
	return 0;
}


/**
 * tlsv1_set_private_key - Set private key
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @private_key: File or reference name for the key in PEM or DER format
 * @private_key_passwd: Passphrase for decrypted private key, %NULL if no
 * passphrase is used.
 * @private_key_blob: private_key as inlined data or %NULL if not used
 * @private_key_blob_len: private_key_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_private_key(struct tlsv1_credentials *cred,
			  const char *private_key,
			  const char *private_key_passwd,
			  const u8 *private_key_blob,
			  size_t private_key_blob_len)
{
	crypto_private_key_free(cred->key);
	cred->key = NULL;

	if (private_key_blob)
		return tlsv1_set_key(cred, private_key_blob,
				     private_key_blob_len);

	if (private_key) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(private_key, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   private_key);
			return -1;
		}

		ret = tlsv1_set_key(cred, buf, len);
		os_free(buf);
		return ret;
	}

	return 0;
}


static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
				  const u8 *dh, size_t len)
{
	struct asn1_hdr hdr;
	const u8 *pos, *end;

	pos = dh;
	end = dh + len;

	/*
	 * DHParameter ::= SEQUENCE {
	 *   prime INTEGER, -- p
	 *   base INTEGER, -- g
	 *   privateValueLength INTEGER OPTIONAL }
	 */

	/* DHParamer ::= SEQUENCE */
	if (asn1_get_next(pos, len, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a "
			   "valid SEQUENCE - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	pos = hdr.payload;

	/* prime INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0)
		return -1;

	if (hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_INTEGER) {
		wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; "
			   "class=%d tag=0x%x", hdr.class, hdr.tag);
		return -1;
	}

	wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length);
	if (hdr.length == 0)
		return -1;
	os_free(cred->dh_p);
	cred->dh_p = os_malloc(hdr.length);
	if (cred->dh_p == NULL)
		return -1;
	os_memcpy(cred->dh_p, hdr.payload, hdr.length);
	cred->dh_p_len = hdr.length;
	pos = hdr.payload + hdr.length;

	/* base INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0)
		return -1;

	if (hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_INTEGER) {
		wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; "
			   "class=%d tag=0x%x", hdr.class, hdr.tag);
		return -1;
	}

	wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length);
	if (hdr.length == 0)
		return -1;
	os_free(cred->dh_g);
	cred->dh_g = os_malloc(hdr.length);
	if (cred->dh_g == NULL)
		return -1;
	os_memcpy(cred->dh_g, hdr.payload, hdr.length);
	cred->dh_g_len = hdr.length;

	return 0;
}


static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----";
static const char *pem_dhparams_end = "-----END DH PARAMETERS-----";


static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred,
				   const u8 *buf, size_t len)
{
	const u8 *pos, *end;
	unsigned char *der;
	size_t der_len;

	pos = search_tag(pem_dhparams_begin, buf, len);
	if (!pos) {
		wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - "
			   "assume DER format");
		return tlsv1_set_dhparams_der(cred, buf, len);
	}

	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER "
		   "format");

	pos += os_strlen(pem_dhparams_begin);
	end = search_tag(pem_dhparams_end, pos, buf + len - pos);
	if (end == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end "
			   "tag (%s)", pem_dhparams_end);
		return -1;
	}

	der = base64_decode(pos, end - pos, &der_len);
	if (der == NULL) {
		wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams");
		return -1;
	}

	if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) {
		wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams "
			   "DER conversion");
		os_free(der);
		return -1;
	}

	os_free(der);

	return 0;
}


/**
 * tlsv1_set_dhparams - Set Diffie-Hellman parameters
 * @cred: TLSv1 credentials from tlsv1_cred_alloc()
 * @dh_file: File or reference name for the DH params in PEM or DER format
 * @dh_blob: DH params as inlined data or %NULL if not used
 * @dh_blob_len: dh_blob length
 * Returns: 0 on success, -1 on failure
 */
int tlsv1_set_dhparams(struct tlsv1_credentials *cred, const char *dh_file,
		       const u8 *dh_blob, size_t dh_blob_len)
{
	if (dh_blob)
		return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len);

	if (dh_file) {
		u8 *buf;
		size_t len;
		int ret;

		buf = (u8 *) os_readfile(dh_file, &len);
		if (buf == NULL) {
			wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
				   dh_file);
			return -1;
		}

		ret = tlsv1_set_dhparams_blob(cred, buf, len);
		os_free(buf);
		return ret;
	}

	return 0;
}
Commit	Line	Data
6fc6879b JM	1	/*
	2	* TLSv1 credentials
	3	* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2 as
	7	* published by the Free Software Foundation.
	8	*
	9	* Alternatively, this software may be distributed under the terms of BSD
	10	* license.
	11	*
	12	* See README and COPYING for more details.
	13	*/
	14
	15	#include "includes.h"
	16
	17	#include "common.h"
	18	#include "base64.h"
	19	#include "crypto.h"
	20	#include "x509v3.h"
	21	#include "tlsv1_cred.h"
	22
	23
	24	struct tlsv1_credentials * tlsv1_cred_alloc(void)
	25	{
	26	struct tlsv1_credentials *cred;
	27	cred = os_zalloc(sizeof(*cred));
	28	return cred;
	29	}
	30
	31
	32	void tlsv1_cred_free(struct tlsv1_credentials *cred)
	33	{
	34	if (cred == NULL)
	35	return;
	36
	37	x509_certificate_chain_free(cred->trusted_certs);
	38	x509_certificate_chain_free(cred->cert);
	39	crypto_private_key_free(cred->key);
	40	os_free(cred->dh_p);
	41	os_free(cred->dh_g);
	42	os_free(cred);
	43	}
	44
	45
	46	static int tlsv1_add_cert_der(struct x509_certificate **chain,
	47	const u8 *buf, size_t len)
	48	{
	49	struct x509_certificate *cert;
	50	char name[128];
	51
	52	cert = x509_certificate_parse(buf, len);
	53	if (cert == NULL) {
	54	wpa_printf(MSG_INFO, "TLSv1: %s - failed to parse certificate",
	55	__func__);
	56	return -1;
	57	}
	58
	59	cert->next = *chain;
	60	*chain = cert;
	61
	62	x509_name_string(&cert->subject, name, sizeof(name));
	63	wpa_printf(MSG_DEBUG, "TLSv1: Added certificate: %s", name);
	64
65	return 0;
66	}
67
68
69	static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
70	static const char *pem_cert_end = "-----END CERTIFICATE-----";
71
72
73	static const u8 * search_tag(const char tag, const u8 buf, size_t len)
74	{
75	size_t i, plen;
76
77	plen = os_strlen(tag);
78	if (len < plen)
79	return NULL;
80
81	for (i = 0; i < len - plen; i++) {
82	if (os_memcmp(buf + i, tag, plen) == 0)
83	return buf + i;
84	}
85
86	return NULL;
87	}
88
89
90	static int tlsv1_add_cert(struct x509_certificate **chain,
91	const u8 *buf, size_t len)
92	{
93	const u8 pos, end;
94	unsigned char *der;
95	size_t der_len;
96
97	pos = search_tag(pem_cert_begin, buf, len);
98	if (!pos) {
99	wpa_printf(MSG_DEBUG, "TLSv1: No PEM certificate tag found - "
100	"assume DER format");
101	return tlsv1_add_cert_der(chain, buf, len);
102	}
103
104	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format certificate into "
105	"DER format");
106
107	while (pos) {
108	pos += os_strlen(pem_cert_begin);
109	end = search_tag(pem_cert_end, pos, buf + len - pos);
110	if (end == NULL) {
111	wpa_printf(MSG_INFO, "TLSv1: Could not find PEM "
112	"certificate end tag (%s)", pem_cert_end);
113	return -1;
114	}
115
116	der = base64_decode(pos, end - pos, &der_len);
117	if (der == NULL) {
118	wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM "
119	"certificate");
120	return -1;
121	}
122
123	if (tlsv1_add_cert_der(chain, der, der_len) < 0) {
124	wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM "
125	"certificate after DER conversion");
126	os_free(der);
127	return -1;
128	}
129
130	os_free(der);
131
132	end += os_strlen(pem_cert_end);
133	pos = search_tag(pem_cert_begin, end, buf + len - end);
134	}
135
136	return 0;
137	}
138
139
140	static int tlsv1_set_cert_chain(struct x509_certificate **chain,
141	const char cert, const u8 cert_blob,
142	size_t cert_blob_len)
143	{
144	if (cert_blob)
145	return tlsv1_add_cert(chain, cert_blob, cert_blob_len);
146
147	if (cert) {
148	u8 *buf;
149	size_t len;
150	int ret;
151
152	buf = (u8 *) os_readfile(cert, &len);
153	if (buf == NULL) {
154	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
155	cert);
156	return -1;
157	}
158
159	ret = tlsv1_add_cert(chain, buf, len);
160	os_free(buf);
161	return ret;
162	}
163
164	return 0;
165	}
166
167
168	/**
169	* tlsv1_set_ca_cert - Set trusted CA certificate(s)
170	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
171	* @cert: File or reference name for X.509 certificate in PEM or DER format
172	* @cert_blob: cert as inlined data or %NULL if not used
173	* @cert_blob_len: ca_cert_blob length
174	* @path: Path to CA certificates (not yet supported)
175	* Returns: 0 on success, -1 on failure
176	*/
177	int tlsv1_set_ca_cert(struct tlsv1_credentials cred, const char cert,
178	const u8 *cert_blob, size_t cert_blob_len,
179	const char *path)
180	{
181	if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
182	cert_blob, cert_blob_len) < 0)
183	return -1;
184
185	if (path) {
186	/* TODO: add support for reading number of certificate files */
187	wpa_printf(MSG_INFO, "TLSv1: Use of CA certificate directory "
188	"not yet supported");
189	return -1;
190	}
191
192	return 0;
193	}
194
195
196	/**
197	* tlsv1_set_cert - Set certificate
198	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
199	* @cert: File or reference name for X.509 certificate in PEM or DER format
200	* @cert_blob: cert as inlined data or %NULL if not used
201	* @cert_blob_len: cert_blob length
202	* Returns: 0 on success, -1 on failure
203	*/
204	int tlsv1_set_cert(struct tlsv1_credentials cred, const char cert,
205	const u8 *cert_blob, size_t cert_blob_len)
206	{
207	return tlsv1_set_cert_chain(&cred->cert, cert,
208	cert_blob, cert_blob_len);
209	}
210
211
212	static int tlsv1_set_key(struct tlsv1_credentials *cred,
213	const u8 *key, size_t len)
214	{
215	cred->key = crypto_private_key_import(key, len);
216	if (cred->key == NULL) {
217	wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
218	return -1;
219	}
220	return 0;
221	}
222
223
224	/**
225	* tlsv1_set_private_key - Set private key
226	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
227	* @private_key: File or reference name for the key in PEM or DER format
228	* @private_key_passwd: Passphrase for decrypted private key, %NULL if no
229	* passphrase is used.
230	* @private_key_blob: private_key as inlined data or %NULL if not used
231	* @private_key_blob_len: private_key_blob length
232	* Returns: 0 on success, -1 on failure
233	*/
234	int tlsv1_set_private_key(struct tlsv1_credentials *cred,
235	const char *private_key,
236	const char *private_key_passwd,
237	const u8 *private_key_blob,
238	size_t private_key_blob_len)
239	{
240	crypto_private_key_free(cred->key);
241	cred->key = NULL;
242
243	if (private_key_blob)
244	return tlsv1_set_key(cred, private_key_blob,
245	private_key_blob_len);
246
247	if (private_key) {
248	u8 *buf;
249	size_t len;
250	int ret;
251
252	buf = (u8 *) os_readfile(private_key, &len);
253	if (buf == NULL) {
254	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
255	private_key);
256	return -1;
257	}
258
259	ret = tlsv1_set_key(cred, buf, len);
260	os_free(buf);
261	return ret;
262	}
263
264	return 0;
265	}
266
267
268	static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
269	const u8 *dh, size_t len)
270	{
271	struct asn1_hdr hdr;
272	const u8 pos, end;
273
274	pos = dh;
275	end = dh + len;
276
277	/*
278	* DHParameter ::= SEQUENCE {
279	* prime INTEGER, -- p
280	* base INTEGER, -- g
281	* privateValueLength INTEGER OPTIONAL }
282	*/
283
284	/* DHParamer ::= SEQUENCE */
285	if (asn1_get_next(pos, len, &hdr) < 0 \|\|
286	hdr.class != ASN1_CLASS_UNIVERSAL \|\|
287	hdr.tag != ASN1_TAG_SEQUENCE) {
288	wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a "
289	"valid SEQUENCE - found class %d tag 0x%x",
290	hdr.class, hdr.tag);
291	return -1;
292	}
293	pos = hdr.payload;
294
295	/* prime INTEGER */
296	if (asn1_get_next(pos, end - pos, &hdr) < 0)
297	return -1;
298
299	if (hdr.class != ASN1_CLASS_UNIVERSAL \|\|
300	hdr.tag != ASN1_TAG_INTEGER) {
301	wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; "
302	"class=%d tag=0x%x", hdr.class, hdr.tag);
303	return -1;
304	}
305
306	wpa_hexdump(MSG_MSGDUMP, "DH: prime (p)", hdr.payload, hdr.length);
307	if (hdr.length == 0)
308	return -1;
309	os_free(cred->dh_p);
310	cred->dh_p = os_malloc(hdr.length);
311	if (cred->dh_p == NULL)
312	return -1;
313	os_memcpy(cred->dh_p, hdr.payload, hdr.length);
314	cred->dh_p_len = hdr.length;
315	pos = hdr.payload + hdr.length;
316
317	/* base INTEGER */
318	if (asn1_get_next(pos, end - pos, &hdr) < 0)
319	return -1;
320
321	if (hdr.class != ASN1_CLASS_UNIVERSAL \|\|
322	hdr.tag != ASN1_TAG_INTEGER) {
323	wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; "
324	"class=%d tag=0x%x", hdr.class, hdr.tag);
325	return -1;
326	}
327
328	wpa_hexdump(MSG_MSGDUMP, "DH: base (g)", hdr.payload, hdr.length);
329	if (hdr.length == 0)
330	return -1;
331	os_free(cred->dh_g);
332	cred->dh_g = os_malloc(hdr.length);
333	if (cred->dh_g == NULL)
334	return -1;
335	os_memcpy(cred->dh_g, hdr.payload, hdr.length);
336	cred->dh_g_len = hdr.length;
337
338	return 0;
339	}
340
341
342	static const char *pem_dhparams_begin = "-----BEGIN DH PARAMETERS-----";
343	static const char *pem_dhparams_end = "-----END DH PARAMETERS-----";
344
345
346	static int tlsv1_set_dhparams_blob(struct tlsv1_credentials *cred,
347	const u8 *buf, size_t len)
348	{
349	const u8 pos, end;
350	unsigned char *der;
351	size_t der_len;
352
353	pos = search_tag(pem_dhparams_begin, buf, len);
354	if (!pos) {
355	wpa_printf(MSG_DEBUG, "TLSv1: No PEM dhparams tag found - "
356	"assume DER format");
357	return tlsv1_set_dhparams_der(cred, buf, len);
358	}
359
360	wpa_printf(MSG_DEBUG, "TLSv1: Converting PEM format dhparams into DER "
361	"format");
362
363	pos += os_strlen(pem_dhparams_begin);
364	end = search_tag(pem_dhparams_end, pos, buf + len - pos);
365	if (end == NULL) {
366	wpa_printf(MSG_INFO, "TLSv1: Could not find PEM dhparams end "
367	"tag (%s)", pem_dhparams_end);
368	return -1;
369	}
370
371	der = base64_decode(pos, end - pos, &der_len);
372	if (der == NULL) {
373	wpa_printf(MSG_INFO, "TLSv1: Could not decode PEM dhparams");
374	return -1;
375	}
376
377	if (tlsv1_set_dhparams_der(cred, der, der_len) < 0) {
378	wpa_printf(MSG_INFO, "TLSv1: Failed to parse PEM dhparams "
379	"DER conversion");
380	os_free(der);
381	return -1;
382	}
383
384	os_free(der);
385
386	return 0;
387	}
388
389
390	/**
391	* tlsv1_set_dhparams - Set Diffie-Hellman parameters
392	* @cred: TLSv1 credentials from tlsv1_cred_alloc()
393	* @dh_file: File or reference name for the DH params in PEM or DER format
394	* @dh_blob: DH params as inlined data or %NULL if not used
395	* @dh_blob_len: dh_blob length
396	* Returns: 0 on success, -1 on failure
397	*/
398	int tlsv1_set_dhparams(struct tlsv1_credentials cred, const char dh_file,
399	const u8 *dh_blob, size_t dh_blob_len)
400	{
401	if (dh_blob)
402	return tlsv1_set_dhparams_blob(cred, dh_blob, dh_blob_len);
403
404	if (dh_file) {
405	u8 *buf;
406	size_t len;
407	int ret;
408
409	buf = (u8 *) os_readfile(dh_file, &len);
410	if (buf == NULL) {
411	wpa_printf(MSG_INFO, "TLSv1: Failed to read '%s'",
412	dh_file);
413	return -1;
414	}
415
416	ret = tlsv1_set_dhparams_blob(cred, buf, len);
417	os_free(buf);
418	return ret;
419	}
420
421	return 0;
422	}