aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/tls_openssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'wpa_supplicant/tls_openssl.c')
-rw-r--r--wpa_supplicant/tls_openssl.c63
1 files changed, 60 insertions, 3 deletions
diff --git a/wpa_supplicant/tls_openssl.c b/wpa_supplicant/tls_openssl.c
index 38f0d76..c184f1b 100644
--- a/wpa_supplicant/tls_openssl.c
+++ b/wpa_supplicant/tls_openssl.c
@@ -943,12 +943,63 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
}
-static int tls_connection_ca_cert(void *ssl_ctx, struct tls_connection *conn,
+#ifndef OPENSSL_NO_STDIO
+static int tls_load_ca_der(void *_ssl_ctx, const char *ca_cert)
+{
+ SSL_CTX *ssl_ctx = _ssl_ctx;
+ X509_LOOKUP *lookup;
+ int ret = 0;
+
+ lookup = X509_STORE_add_lookup(ssl_ctx->cert_store,
+ X509_LOOKUP_file());
+ if (lookup == NULL) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed add lookup for X509 store");
+ return -1;
+ }
+
+ if (!X509_LOOKUP_load_file(lookup, ca_cert, X509_FILETYPE_ASN1)) {
+ unsigned long err = ERR_peek_error();
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed load CA in DER format");
+ if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+ ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
+ "cert already in hash table error",
+ __func__);
+ } else
+ ret = -1;
+ }
+
+ return ret;
+}
+#endif /* OPENSSL_NO_STDIO */
+
+
+static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
const char *ca_cert, const u8 *ca_cert_blob,
size_t ca_cert_blob_len, const char *ca_path)
{
+ SSL_CTX *ssl_ctx = _ssl_ctx;
+
if (ca_cert_blob) {
- /* FIX: add ca_cert_blob as a trusted cert */
+ X509 *cert = d2i_X509(NULL, &ca_cert_blob, ca_cert_blob_len);
+ if (cert == NULL) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed to parse ca_cert_blob");
+ return -1;
+ }
+
+ if (!X509_STORE_add_cert(ssl_ctx->cert_store, cert)) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed to add ca_cert_blob to "
+ "certificate store");
+ X509_free(cert);
+ return -1;
+ }
+ X509_free(cert);
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob "
+ "to certificate store", __func__);
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
return 0;
}
@@ -958,7 +1009,13 @@ static int tls_connection_ca_cert(void *ssl_ctx, struct tls_connection *conn,
1) {
tls_show_errors(MSG_WARNING, __func__,
"Failed to load root certificates");
- return -1;
+ if (ca_cert &&
+ tls_load_ca_der(ssl_ctx, ca_cert) == 0) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded "
+ "DER format CA certificate",
+ __func__);
+ } else
+ return -1;
} else {
wpa_printf(MSG_DEBUG, "TLS: Trusted root "
"certificate(s) loaded");