aboutsummaryrefslogtreecommitdiffstats
path: root/hs20
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2015-12-04 14:25:21 (GMT)
committerJouni Malinen <j@w1.fi>2015-12-04 18:08:31 (GMT)
commite6f4832737cd2b83b010e13582f59f2b4a965ce6 (patch)
tree02648ad8f624c00a748222c5568acaa25181e141 /hs20
parented2566ac9ba81a90ed2bfb72ce1445e7933aa466 (diff)
downloadhostap-e6f4832737cd2b83b010e13582f59f2b4a965ce6.zip
hostap-e6f4832737cd2b83b010e13582f59f2b4a965ce6.tar.gz
hostap-e6f4832737cd2b83b010e13582f59f2b4a965ce6.tar.bz2
EST: Add CSR generation support with BoringSSL
This completes EST support with hs20-osu-client when built with BoringSSL instead of OpenSSL. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'hs20')
-rw-r--r--hs20/client/est.c44
1 files changed, 28 insertions, 16 deletions
diff --git a/hs20/client/est.c b/hs20/client/est.c
index d754e61..90a51d5 100644
--- a/hs20/client/est.c
+++ b/hs20/client/est.c
@@ -16,6 +16,9 @@
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#ifdef OPENSSL_IS_BORINGSSL
+#include <openssl/buf.h>
+#endif /* OPENSSL_IS_BORINGSSL */
#include "common.h"
#include "utils/base64.h"
@@ -238,8 +241,6 @@ ASN1_CHOICE(CsrAttrs) = {
IMPLEMENT_ASN1_FUNCTIONS(CsrAttrs);
-#ifndef OPENSSL_IS_BORINGSSL
-
static void add_csrattrs_oid(struct hs20_osu_client *ctx, ASN1_OBJECT *oid,
STACK_OF(X509_EXTENSION) *exts)
{
@@ -334,6 +335,23 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs,
if (!csrattrs || ! csrattrs->attrs)
return;
+#ifdef OPENSSL_IS_BORINGSSL
+ num = sk_num(CHECKED_CAST(_STACK *, STACK_OF(AttrOrOID) *,
+ csrattrs->attrs));
+ for (i = 0; i < num; i++) {
+ AttrOrOID *ao = sk_value(
+ CHECKED_CAST(_STACK *, const STACK_OF(AttrOrOID) *,
+ csrattrs->attrs), i);
+ switch (ao->type) {
+ case 0:
+ add_csrattrs_oid(ctx, ao->d.oid, exts);
+ break;
+ case 1:
+ add_csrattrs_attr(ctx, ao->d.attribute, exts);
+ break;
+ }
+ }
+#else /* OPENSSL_IS_BORINGSSL */
num = SKM_sk_num(AttrOrOID, csrattrs->attrs);
for (i = 0; i < num; i++) {
AttrOrOID *ao = SKM_sk_value(AttrOrOID, csrattrs->attrs, i);
@@ -346,20 +364,14 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs,
break;
}
}
-}
-
#endif /* OPENSSL_IS_BORINGSSL */
+}
static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
char *csr_pem, char *est_req, char *old_cert,
CsrAttrs *csrattrs)
{
-#ifdef OPENSSL_IS_BORINGSSL
- wpa_printf(MSG_ERROR,
- "EST: CSR generation not yet supported with BoringSSL");
- return -1;
-#else /* OPENSSL_IS_BORINGSSL */
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pkey = NULL;
RSA *rsa;
@@ -371,6 +383,7 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
STACK_OF(X509_EXTENSION) *exts = NULL;
X509_EXTENSION *ex;
BIO *out;
+ CONF *ctmp = NULL;
wpa_printf(MSG_INFO, "Generate RSA private key");
write_summary(ctx, "Generate RSA private key");
@@ -452,20 +465,20 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
if (!exts)
goto fail;
- ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
- "CA:FALSE");
+ ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_basic_constraints,
+ "CA:FALSE");
if (ex == NULL ||
!sk_X509_EXTENSION_push(exts, ex))
goto fail;
- ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage,
- "nonRepudiation,digitalSignature,keyEncipherment");
+ ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_key_usage,
+ "nonRepudiation,digitalSignature,keyEncipherment");
if (ex == NULL ||
!sk_X509_EXTENSION_push(exts, ex))
goto fail;
- ex = X509V3_EXT_conf_nid(NULL, NULL, NID_ext_key_usage,
- "1.3.6.1.4.1.40808.1.1.2");
+ ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_ext_key_usage,
+ "1.3.6.1.4.1.40808.1.1.2");
if (ex == NULL ||
!sk_X509_EXTENSION_push(exts, ex))
goto fail;
@@ -566,7 +579,6 @@ fail:
if (pctx)
EVP_PKEY_CTX_free(pctx);
return ret;
-#endif /* OPENSSL_IS_BORINGSSL */
}