-rw-r--r--wpa_supplicant/ChangeLog2
-rw-r--r--wpa_supplicant/tls_openssl.c87
2 files changed, 66 insertions, 23 deletions
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index 7767625..4eb819c 100644
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -50,6 +50,8 @@ ChangeLog for wpa_supplicant
RC4-128-SHA for authentication and AES128-SHA for provisioning
* added support for configuring CA certificate as DER file and as a
configuration blob
+ * fixed private key configuration as configuration blob and added
+ support for using PKCS#12 as a blob
2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
* l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap
diff --git a/wpa_supplicant/tls_openssl.c b/wpa_supplicant/tls_openssl.c
index c184f1b..bbba85f 100644
--- a/wpa_supplicant/tls_openssl.c
+++ b/wpa_supplicant/tls_openssl.c
@@ -1215,31 +1215,16 @@ static int tls_passwd_cb(char *buf, int size, int rwflag, void *password)
}
-static int tls_read_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, const char *private_key,
- const char *passwd)
-{
#ifdef PKCS12_FUNCS
- FILE *f;
- PKCS12 *p12;
+static int tls_parse_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, PKCS12 *p12,
+ const char *passwd)
+{
EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *certs;
int res = 0;
char buf[256];
- f = fopen(private_key, "r");
- if (f == NULL)
- return -1;
-
- p12 = d2i_PKCS12_fp(f, NULL);
- if (p12 == NULL) {
- wpa_printf(MSG_DEBUG, "TLS: Failed to read PKCS12 file '%s'",
- private_key);
- fclose(f);
- return -1;
- }
- fclose(f);
-
pkey = NULL;
cert = NULL;
certs = NULL;
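Review bot: tls_parse_pkcs12 receives a freshly decoded PKCS12 object from both of its callers and neither touches it again, yet nothing on the new signature says that the callee owns and frees it. I would state that on the definition, e.g. `/* Consumes p12: it is released on every return path, including the early -1 returns. */`. The body continues past this hunk, so I cannot see whether PKCS12_free() is reached on the failed-parse `return -1` as well as on the normal path; in the old file-based function that cleanup sat next to the fclose() logic that has now moved out, so it is worth re-checking both paths.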
@@ -1248,8 +1233,7 @@ static int tls_read_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, const char *private_key,
"Failed to parse PKCS12 file");
return -1;
}
- wpa_printf(MSG_DEBUG, "TLS: Successfully parsed PKCS12 file '%s'",
- private_key);
+ wpa_printf(MSG_DEBUG, "TLS: Successfully parsed PKCS12 data");
if (cert) {
X509_NAME_oneline(X509_get_subject_name(cert), buf,
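Review bot: The failure message in the context line above, `"Failed to parse PKCS12 file"`, is now stale: the function was renamed to tls_parse_pkcs12 and serves blobs as well as files, and the commit already changed the success message to say "PKCS12 data" for that reason. Making the two consistent, `"Failed to parse PKCS12 data"`, avoids pointing someone debugging a blob configuration at a file that does not exist. The enclosing function starts and ends outside this hunk.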
@@ -1302,6 +1286,32 @@ static int tls_read_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, const char *private_key,
tls_get_errors(ssl_ctx);
return res;
+}
+#endif /* PKCS12_FUNCS */
+
+
+static int tls_read_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, const char *private_key,
+ const char *passwd)
+{
+#ifdef PKCS12_FUNCS
+ FILE *f;
+ PKCS12 *p12;
+
+ f = fopen(private_key, "r");
+ if (f == NULL)
+ return -1;
+
+ p12 = d2i_PKCS12_fp(f, NULL);
+ fclose(f);
+
+ if (p12 == NULL) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to use PKCS#12 file");
+ return -1;
+ }
+
+ return tls_parse_pkcs12(ssl_ctx, ssl, p12, passwd);
+
#else /* PKCS12_FUNCS */
wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read "
"p12/pfx files");
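Review bot: The reworked tls_read_pkcs12 still opens the PKCS#12 file in text mode, `f = fopen(private_key, "r");`, although d2i_PKCS12_fp() consumes raw DER; on platforms where text mode translates line endings this can corrupt the decode before any password is checked. Since the line is being rewritten anyway, `f = fopen(private_key, "rb");` is the safe form and is a no-op on POSIX. Moving fclose() ahead of the NULL check is a good simplification, and the error path now reports through tls_show_errors rather than a bare wpa_printf; the function's closing lines are outside this hunk.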
@@ -1310,6 +1320,29 @@ static int tls_read_pkcs12(SSL_CTX *ssl_ctx, SSL *ssl, const char *private_key,
}
+static int tls_read_pkcs12_blob(SSL_CTX *ssl_ctx, SSL *ssl,
+ const u8 *blob, size_t len, const char *passwd)
+{
+#ifdef PKCS12_FUNCS
+ PKCS12 *p12;
+
+ p12 = d2i_PKCS12(NULL, &blob, len);
+ if (p12 == NULL) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Failed to use PKCS#12 blob");
+ return -1;
+ }
+
+ return tls_parse_pkcs12(ssl_ctx, ssl, p12, passwd);
+
+#else /* PKCS12_FUNCS */
+ wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse "
+ "p12/pfx blobs");
+ return -1;
+#endif /* PKCS12_FUNCS */
+}
+
+
static int tls_connection_engine_private_key(void *_ssl_ctx,
struct tls_connection *conn)
{
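Review bot: tls_read_pkcs12_blob passes the size_t `len` straight to d2i_PKCS12(), whose length parameter is a long, so the conversion is silent and a value above LONG_MAX would arrive as a negative length. An explicit guard ahead of the decode, `if (len > LONG_MAX) return -1;`, keeps the bound visible in the code that handles configuration input rather than relying on the implicit conversion. Note also that d2i_PKCS12() advances `blob` past the structure it consumed, so any trailing bytes in the blob are accepted without complaint; if that is intended, a one-line comment saying so would help the next reader. The caller tls_connection_engine_private_key that follows starts inside this hunk but its body is outside it.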
@@ -1361,7 +1394,7 @@ static int tls_connection_private_key(void *_ssl_ctx,
while (private_key_blob) {
if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl,
(u8 *) private_key_blob,
- private_key_blob_len) == 0) {
+ private_key_blob_len) == 1) {
wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
"ASN1(EVP_PKEY_RSA) --> OK");
ok = 1;
@@ -1374,7 +1407,7 @@ static int tls_connection_private_key(void *_ssl_ctx,
if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl,
(u8 *) private_key_blob,
- private_key_blob_len) == 0) {
+ private_key_blob_len) == 1) {
wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
"ASN1(EVP_PKEY_DSA) --> OK");
ok = 1;
@@ -1387,7 +1420,7 @@ static int tls_connection_private_key(void *_ssl_ctx,
if (SSL_use_RSAPrivateKey_ASN1(conn->ssl,
(u8 *) private_key_blob,
- private_key_blob_len) == 0) {
+ private_key_blob_len) == 1) {
wpa_printf(MSG_DEBUG, "OpenSSL: "
"SSL_use_RSAPrivateKey_ASN1 --> OK");
ok = 1;
@@ -1397,6 +1430,14 @@ static int tls_connection_private_key(void *_ssl_ctx,
"SSL_use_RSAPrivateKey_ASN1 failed");
}
+ if (tls_read_pkcs12_blob(ssl_ctx, conn->ssl, private_key_blob,
+ private_key_blob_len, passwd) == 0) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> "
+ "OK");
+ ok = 1;
+ break;
+ }
+
break;
}
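Review bot: The new PKCS#12 fallback runs only after the three SSL_use_*PrivateKey_ASN1() attempts above have failed, and each of those failures leaves entries on the OpenSSL error queue; tls_read_pkcs12_blob then reports via tls_show_errors at MSG_INFO, so a blob that is a malformed RSA key will presumably be logged as a PKCS#12 failure carrying the earlier attempts' errors. Clearing the queue before the last attempt, `ERR_clear_error();` immediately before the `if (tls_read_pkcs12_blob(...)` line, keeps the reported errors attributable to the PKCS#12 parse. Whether the earlier branches already clear the queue is not visible here, and tls_connection_private_key continues outside this hunk.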