Diffstat (limited to 'hs20')
-rw-r--r-- | hs20/client/Android.mk | 1 | ||||
-rw-r--r-- | hs20/client/Makefile | 1 | ||||
-rw-r--r-- | hs20/client/est.c | 72 |
3 files changed, 54 insertions, 20 deletions
diff --git a/hs20/client/Android.mk b/hs20/client/Android.mk
index a71e86d0..e4db3220 100644
--- a/hs20/client/Android.mk
+++ b/hs20/client/Android.mk
@@ -54,6 +54,7 @@ OBJS += ../../src/crypto/crypto_internal.c
 OBJS += ../../src/crypto/md5-internal.c
 OBJS += ../../src/crypto/sha1-internal.c
 OBJS += ../../src/crypto/sha256-internal.c
+OBJS += ../../src/crypto/tls_openssl_ocsp.c
 L_CFLAGS += -DEAP_TLS_OPENSSL
diff --git a/hs20/client/Makefile b/hs20/client/Makefile
index 94cd5f14..fc9b6194 100644
--- a/hs20/client/Makefile
+++ b/hs20/client/Makefile
@@ -76,6 +76,7 @@ LIBS += -lcurl
 endif
 CFLAGS += -DEAP_TLS_OPENSSL
+OBJS += ../../src/crypto/tls_openssl_ocsp.o
 LIBS += -lssl -lcrypto
 hs20-osu-client: $(OBJS)
diff --git a/hs20/client/est.c b/hs20/client/est.c
index c22d9ca2..9f1519bf 100644
--- a/hs20/client/est.c
+++ b/hs20/client/est.c
@@ -16,6 +16,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifdef OPENSSL_IS_BORINGSSL
+#include <openssl/buf.h>
+#endif /* OPENSSL_IS_BORINGSSL */
 #include "common.h"
 #include "utils/base64.h"
@@ -28,16 +31,27 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
 size_t len, char *pem_file, char *der_file)
 {
 #ifdef OPENSSL_IS_BORINGSSL
- wpa_printf(MSG_ERROR,
- "EST: pkcs7_to_cert not yet supported with BoringSSL");
- return -1;
+ CBS pkcs7_cbs;
 #else /* OPENSSL_IS_BORINGSSL */
 PKCS7 *p7 = NULL;
 const unsigned char *p = pkcs7;
+#endif /* OPENSSL_IS_BORINGSSL */
 STACK_OF(X509) *certs;
 int i, num, ret = -1;
 BIO *out = NULL;
+#ifdef OPENSSL_IS_BORINGSSL
+ certs = sk_X509_new_null();
+ if (!certs)
+ goto fail;
+ CBS_init(&pkcs7_cbs, pkcs7, len);
+ if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
+ wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ write_result(ctx, "Could not parse PKCS#7 object from EST");
+ goto fail;
+ }
+#else /* OPENSSL_IS_BORINGSSL */
 p7 = d2i_PKCS7(NULL, &p, len);
 if (p7 == NULL) {
 wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s",
@@ -57,6 +71,7 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
 certs = NULL;
 break;
 }
+#endif /* OPENSSL_IS_BORINGSSL */
 if (!certs || ((num = sk_X509_num(certs)) == 0)) {
 wpa_printf(MSG_INFO,
 "No certificates found in PKCS#7 object");
@@ -89,12 +104,16 @@ static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
 ret = 0;
 fail:
+#ifdef OPENSSL_IS_BORINGSSL
+ if (certs)
+ sk_X509_pop_free(certs, X509_free);
+#else /* OPENSSL_IS_BORINGSSL */
 PKCS7_free(p7);
+#endif /* OPENSSL_IS_BORINGSSL */
 if (out)
 BIO_free_all(out);
 return ret;
-#endif /* OPENSSL_IS_BORINGSSL */
 }
@@ -222,8 +241,6 @@ ASN1_CHOICE(CsrAttrs) = {
 IMPLEMENT_ASN1_FUNCTIONS(CsrAttrs);
-#ifndef OPENSSL_IS_BORINGSSL
-
 static void add_csrattrs_oid(struct hs20_osu_client *ctx, ASN1_OBJECT *oid,
 STACK_OF(X509_EXTENSION) *exts)
 {
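Review bot: The BoringSSL branch of pkcs7_to_cert parses one PKCS#7 object out of `pkcs7_cbs` but never checks that the buffer is empty afterwards, so trailing bytes in the EST response are accepted silently; after `PKCS7_get_certificates()` succeeds, `if (CBS_len(&pkcs7_cbs) != 0)` handled like the parse failure would keep this path as strict as a DER consumer should be (the existing `d2i_PKCS7()` branch has the same gap, so this is not a regression, but the new code is the place to get it right). Ownership of `certs` also now differs between the two branches — here it is a freshly allocated stack released by `sk_X509_pop_free()` at `fail:`, while in the OpenSSL branch it appears to be taken from `p7` in the switch between the hunks and goes away with `PKCS7_free(p7)` — and nothing at the declaration says so; a comment such as `/* BoringSSL: owned stack, freed at fail:; OpenSSL: borrowed from p7, released by PKCS7_free() */` on `STACK_OF(X509) *certs;` would stop a later edit from freeing in the wrong branch. The middle of pkcs7_to_cert lies between these hunks and is not shown.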
@@ -318,6 +335,23 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs,
 if (!csrattrs || ! csrattrs->attrs)
 return;
+#ifdef OPENSSL_IS_BORINGSSL
+ num = sk_num(CHECKED_CAST(_STACK *, STACK_OF(AttrOrOID) *,
+ csrattrs->attrs));
+ for (i = 0; i < num; i++) {
+ AttrOrOID *ao = sk_value(
+ CHECKED_CAST(_STACK *, const STACK_OF(AttrOrOID) *,
+ csrattrs->attrs), i);
+ switch (ao->type) {
+ case 0:
+ add_csrattrs_oid(ctx, ao->d.oid, exts);
+ break;
+ case 1:
+ add_csrattrs_attr(ctx, ao->d.attribute, exts);
+ break;
+ }
+ }
+#else /* OPENSSL_IS_BORINGSSL */
 num = SKM_sk_num(AttrOrOID, csrattrs->attrs);
 for (i = 0; i < num; i++) {
 AttrOrOID *ao = SKM_sk_value(AttrOrOID, csrattrs->attrs, i);
@@ -330,20 +364,14 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs,
 break;
 }
 }
-}
-
 #endif /* OPENSSL_IS_BORINGSSL */
+}
 static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
 char *csr_pem, char *est_req, char *old_cert,
 CsrAttrs *csrattrs)
 {
-#ifdef OPENSSL_IS_BORINGSSL
- wpa_printf(MSG_ERROR,
- "EST: CSR generation not yet supported with BoringSSL");
- return -1;
-#else /* OPENSSL_IS_BORINGSSL */
 EVP_PKEY_CTX *pctx = NULL;
 EVP_PKEY *pkey = NULL;
 RSA *rsa;
@@ -355,6 +383,7 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
 STACK_OF(X509_EXTENSION) *exts = NULL;
 X509_EXTENSION *ex;
 BIO *out;
+ CONF *ctmp = NULL;
 wpa_printf(MSG_INFO, "Generate RSA private key");
 write_summary(ctx, "Generate RSA private key");
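Review bot: The new BoringSSL branch of add_csrattrs reaches into `_STACK` through `CHECKED_CAST`, which are implementation-detail macros of BoringSSL's stack headers rather than the typed API, so the code is tied to that header's internals and will break when they change; if the targeted BoringSSL provides `DEFINE_STACK_OF`, declaring `DEFINE_STACK_OF(AttrOrOID)` once after the ASN.1 definitions and using `num = sk_AttrOrOID_num(csrattrs->attrs);` and `AttrOrOID *ao = sk_AttrOrOID_value(csrattrs->attrs, i);` is the supported form. The `switch (ao->type)` in the new branch has no `default:`, so an unexpected CHOICE alternative is skipped silently; `default: break; /* unknown CsrAttrs alternative, ignored */` makes that deliberate. add_csrattrs starts before this hunk, and the second hunk only reshuffles the `#endif` and the old BoringSSL stub in generate_csr.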
@@ -436,20 +465,20 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
 if (!exts)
 goto fail;
- ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
- "CA:FALSE");
+ ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_basic_constraints,
+ "CA:FALSE");
 if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex))
 goto fail;
- ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage,
- "nonRepudiation,digitalSignature,keyEncipherment");
+ ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_key_usage,
+ "nonRepudiation,digitalSignature,keyEncipherment");
 if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex))
 goto fail;
- ex = X509V3_EXT_conf_nid(NULL, NULL, NID_ext_key_usage,
- "1.3.6.1.4.1.40808.1.1.2");
+ ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_ext_key_usage,
+ "1.3.6.1.4.1.40808.1.1.2");
 if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex))
 goto fail;
@@ -469,7 +498,9 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
 char *txt;
 size_t rlen;
+#if !defined(ANDROID) || !defined(OPENSSL_IS_BORINGSSL)
 X509_REQ_print(out, req);
+#endif
 rlen = BIO_ctrl_pending(out);
 txt = os_malloc(rlen + 1);
 if (txt) {
@@ -488,7 +519,9 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
 FILE *f = fopen(csr_pem, "w");
 if (f == NULL)
 goto fail;
+#if !defined(ANDROID) || !defined(OPENSSL_IS_BORINGSSL)
 X509_REQ_print_fp(f, req);
+#endif
 if (!PEM_write_X509_REQ(f, req)) {
 fclose(f);
 goto fail;
@@ -550,7 +583,6 @@ fail:
 if (pctx)
 EVP_PKEY_CTX_free(pctx);
 return ret;
-#endif /* OPENSSL_IS_BORINGSSL */
 }
|
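Review bot: `ctmp` is initialised to NULL in the previous hunk and never assigned, so the three `X509V3_EXT_nconf_nid(ctmp, …)` calls always pass a null CONF and the variable exists only to name the argument; a reader cannot tell why the `X509V3_EXT_conf_nid(NULL, …)` form was dropped, so a one-line comment at the declaration stating the reason (presumably an API difference between OpenSSL and BoringSSL for the first argument — confirm) would keep the next maintainer from "simplifying" it back. The two `#if !defined(ANDROID) || !defined(OPENSSL_IS_BORINGSSL)` guards around `X509_REQ_print()` and `X509_REQ_print_fp()` likewise carry no explanation; if Android's BoringSSL build lacks those printers, say so once, e.g. `/* X509_REQ_print*() not available in Android's BoringSSL build */`, and consider folding the condition into a single macro so both sites stay in sync. generate_csr's body continues between and beyond these hunks.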