authorJouni Malinen <j@w1.fi>2005-12-08 04:22:34 (GMT)
committerJouni Malinen <j@w1.fi>2005-12-08 04:22:34 (GMT)
commitd47ce4e4746b5363f4ef89e05ca542b19f3a390d (patch)
treed44d164b81d16f5de296388804cd123d81f4f539
parentfb606bc07b4d64b245237f2e88478904585a3bdb (diff)
downloadhostap-history-d47ce4e4746b5363f4ef89e05ca542b19f3a390d.zip
hostap-history-d47ce4e4746b5363f4ef89e05ca542b19f3a390d.tar.gz
hostap-history-d47ce4e4746b5363f4ef89e05ca542b19f3a390d.tar.bz2
Added support for configuring CA certificate as DER file and as a
configuration blob.
-rw-r--r--wpa_supplicant/ChangeLog2
-rw-r--r--wpa_supplicant/tls_openssl.c63
2 files changed, 62 insertions, 3 deletions
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index c51de5a..7767625 100644
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -48,6 +48,8 @@ ChangeLog for wpa_supplicant
3 ms
* added support for EAP-FAST key derivation using other ciphers than
RC4-128-SHA for authentication and AES128-SHA for provisioning
+ * added support for configuring CA certificate as DER file and as a
+ configuration blob
2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
* l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap
diff --git a/wpa_supplicant/tls_openssl.c b/wpa_supplicant/tls_openssl.c
index 38f0d76..c184f1b 100644
--- a/wpa_supplicant/tls_openssl.c
+++ b/wpa_supplicant/tls_openssl.c
@@ -943,12 +943,63 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
}
-static int tls_connection_ca_cert(void *ssl_ctx, struct tls_connection *conn,
+#ifndef OPENSSL_NO_STDIO
+static int tls_load_ca_der(void *_ssl_ctx, const char *ca_cert)
+{
+ SSL_CTX *ssl_ctx = _ssl_ctx;
+ X509_LOOKUP *lookup;
+ int ret = 0;
+
+ lookup = X509_STORE_add_lookup(ssl_ctx->cert_store,
+ X509_LOOKUP_file());
+ if (lookup == NULL) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed add lookup for X509 store");
+ return -1;
+ }
+
+ if (!X509_LOOKUP_load_file(lookup, ca_cert, X509_FILETYPE_ASN1)) {
+ unsigned long err = ERR_peek_error();
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed load CA in DER format");
+ if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+ ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
+ "cert already in hash table error",
+ __func__);
+ } else
+ ret = -1;
+ }
+
+ return ret;
+}
+#endif /* OPENSSL_NO_STDIO */
+
+
+static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
const char *ca_cert, const u8 *ca_cert_blob,
size_t ca_cert_blob_len, const char *ca_path)
{
+ SSL_CTX *ssl_ctx = _ssl_ctx;
+
if (ca_cert_blob) {
- /* FIX: add ca_cert_blob as a trusted cert */
+ X509 *cert = d2i_X509(NULL, &ca_cert_blob, ca_cert_blob_len);
+ if (cert == NULL) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed to parse ca_cert_blob");
+ return -1;
+ }
+
+ if (!X509_STORE_add_cert(ssl_ctx->cert_store, cert)) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed to add ca_cert_blob to "
+ "certificate store");
+ X509_free(cert);
+ return -1;
+ }
+ X509_free(cert);
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob "
+ "to certificate store", __func__);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
return 0;
}
@@ -958,7 +1009,13 @@ static int tls_connection_ca_cert(void *ssl_ctx, struct tls_connection *conn,
1) {
tls_show_errors(MSG_WARNING, __func__,
"Failed to load root certificates");
- return -1;
+ if (ca_cert &&
+ tls_load_ca_der(ssl_ctx, ca_cert) == 0) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded "
+ "DER format CA certificate",
+ __func__);
+ } else
+ return -1;
} else {
wpa_printf(MSG_DEBUG, "TLS: Trusted root "
"certificate(s) loaded");
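Review bot: The ca_cert_blob path in tls_connection_ca_cert treats every X509_STORE_add_cert failure as fatal, while tls_load_ca_der in the same hunk tolerates X509_R_CERT_ALREADY_IN_HASH_TABLE; because the store hangs off the shared ssl_ctx rather than the connection, a second connection configured with the same blob would presumably trip that error and return -1 even though the CA is already trusted. The same peek-before-tls_show_errors check can be applied there, freeing the cert only after the decision. In both places ERR_peek_error() returns the oldest queued entry, so an unrelated earlier error would hide the "already in hash table" reason; ERR_peek_last_error() is the closer match, and SSL_CTX_get_cert_store(ssl_ctx) avoids reaching into the SSL_CTX struct. tls_connection_ca_cert starts in the first hunk and its body continues past the end of the second.
```c
		/* … unchanged: d2i_X509 parse and NULL check … */
		if (!X509_STORE_add_cert(ssl_ctx->cert_store, cert)) {
			unsigned long err = ERR_peek_last_error();
			tls_show_errors(MSG_WARNING, __func__,
					"Failed to add ca_cert_blob to "
					"certificate store");
			if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
			    ERR_GET_REASON(err) ==
			    X509_R_CERT_ALREADY_IN_HASH_TABLE) {
				wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
					   "cert already in hash table error",
					   __func__);
			} else {
				X509_free(cert);
				return -1;
			}
		}
		X509_free(cert);
		/* … unchanged: debug print, SSL_set_verify, return 0 … */
```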