wpa_supplicant: push keystore access to tls_openssl.c.

Chia-chi Yeh · Chia-chi Yeh · commit 3630a058cb0c · 2009-10-02T00:40:48.000+08:00
Since we support certificate chain, doing it in eap_tls_common.c becomes too complicated.
To make things simpler, push the logic to tls_openssl.c and use keystore namespace instead.
diff --git a/eap_tls_common.c b/eap_tls_common.c
@@ -23,158 +23,6 @@
 #include "tls.h"
 #include "config.h"
 
-#ifdef ANDROID
-#include <openssl/pem.h>
-#include <openssl/x509v3.h>
-#include <keystore_get.h>
-
-#define PEM_CERT_KEYWORD "CERTIFICATE"
-#define PEM_PRIVATEKEY_KEYWORD "PRIVATE KEY"
-
-struct temporal_blobs {
-	struct temporal_blobs *next;
-	struct wpa_config_blob *blob;
-};
-
-static struct temporal_blobs *ks_blobs = NULL;
-
-/**
- * The blob data can not be inserted into config->blobs structure, since the 
- * protected cert/key may be rewritten to config file. We have to maintain the
- * keystore-only blobs.
- */
-static int add_temporal_blob(struct wpa_config_blob *blob)
-{
-	struct temporal_blobs *p;
-
-	p = (struct temporal_blobs*) malloc(sizeof(struct temporal_blobs));
-	if (p == NULL) {
-		return -1;
-	}
-	p->next = ks_blobs;
-	p->blob = blob;
-	ks_blobs = p;
-	return 0;
-}
-
-static void free_temporal_blobs()
-{
-	struct temporal_blobs *p = ks_blobs;
-
-	while (p != NULL) {
-		struct temporal_blobs *q = p;
-		p = p->next;
-		if (q->blob) os_free(q->blob);
-		os_free(q);
-	}
-	ks_blobs = NULL;
-}
-
-typedef enum {
-	PEM_CERTIFICATE,
-	PEM_PRIVATE_KEY,
-	DER_FORMAT,
-	UNKNOWN_CERT_TYPE
-} CERT_TYPE;
-
-/**
- * Tell the encoding format and type of the certificate/key by examining if
- * there is "CERTIFICATE" or "PRIVATE KEY" in the blob. If not, at least we
- * can test if the first byte is '0'.
- */
-static CERT_TYPE get_blob_type(struct wpa_config_blob *blob)
-{
-	CERT_TYPE type = UNKNOWN_CERT_TYPE;
-	unsigned char p = blob->data[blob->len - 1];
-
-	blob->data[blob->len - 1] = 0;
-	if (strstr(blob->data, PEM_CERT_KEYWORD) != NULL) {
-		type = PEM_CERTIFICATE;
-	} else if (strstr(blob->data, PEM_PRIVATEKEY_KEYWORD) != NULL) {
-		type = PEM_PRIVATE_KEY;
-	} else if (blob->data[0] == '0') {
-		type = DER_FORMAT;
-	}
-	blob->data[blob->len - 1] = p;
-	return type;
-}
-
-/**
- * convert_PEM_to_DER() provides the converion from PEM format to DER one, since
- * original certificate handling does not accept the PEM format for blob data.
- * Therefore, we need to convert the data to DER format if it is PEM-format.
- */
-static void convert_PEM_to_DER(struct wpa_config_blob *blob)
-{
-	X509 *cert = NULL;
-	EVP_PKEY *pkey = NULL;
-	BIO *bp = NULL;
-	unsigned char *buf = NULL;
-	int len = 0;
-	CERT_TYPE type;
-
-	if (blob->len < sizeof(PEM_CERT_KEYWORD)) {
-		return;
-	}
-
-	if (((type = get_blob_type(blob)) != PEM_CERTIFICATE) &&
-		(type != PEM_PRIVATE_KEY)) {
-		return;
-	}
-
-	bp = BIO_new(BIO_s_mem());
-	if (!bp) goto err;
-	if (!BIO_write(bp, blob->data, blob->len)) goto err;
-	if (type == PEM_CERTIFICATE) {
-		if ((cert = PEM_read_bio_X509(bp, NULL, NULL, NULL)) != NULL) {
-			len = i2d_X509(cert, &buf);
-		}
-	} else {
-		if ((pkey = PEM_read_bio_PrivateKey(bp, NULL, NULL, NULL)) != NULL) {
-			len = i2d_PrivateKey(pkey, &buf);
-		}
-	}
-
-err:
-	if (bp) BIO_free(bp);
-	if (cert) X509_free(cert);
-	if (pkey) EVP_PKEY_free(pkey);
-	if (buf) {
-		os_free(blob->data);
-		blob->data = buf;
-		blob->len = len;
-	}
-}
-
-struct wpa_config_blob *get_blob_from_keystore(const char *name)
-{
-	char buf[KEYSTORE_MESSAGE_SIZE];
-	int len = keystore_get(name, buf);
-	struct wpa_config_blob *blob = NULL;
-
-	if (len != -1) {
-		if ((blob = os_zalloc(sizeof(*blob))) != NULL &&
-		    (blob->data = os_zalloc(len + 1)) != NULL) {
-			blob->name = os_strdup(name);
-			memcpy(blob->data, buf, len);
-			blob->len = len;
-		} else if (blob) {
-			os_free(blob);
-			blob = NULL;
-		}
-	}
-	if (blob) {
-		// We have to use PEM format here and modify the ca_cert
-		// handling to support cert. chain for CA certificates.
-		// Since the original code can not support the CA chain
-		// from blob data.
-		if (strstr(name, "CACERT") == NULL) convert_PEM_to_DER(blob);
-		add_temporal_blob(blob);
-	}
-	return blob;
-}
-#endif
-
 static int eap_tls_check_blob(struct eap_sm *sm, const char **name,
 			      const u8 **data, size_t *data_len)
 {
@@ -184,11 +32,6 @@ static int eap_tls_check_blob(struct eap_sm *sm, const char **name,
 		return 0;
 
 	blob = eap_get_config_blob(sm, *name + 7);
-#ifdef ANDROID
-	if(blob == NULL) {
-		blob = get_blob_from_keystore(*name + 7);
-	}
-#endif
 	if (blob == NULL) {
 		wpa_printf(MSG_ERROR, "%s: Named configuration blob '%s' not "
 			   "found", __func__, *name + 7);
@@ -352,9 +195,6 @@ int eap_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 	ret = 0;
 
 done:
-#ifdef ANDROID
-	free_temporal_blobs();
-#endif
 	return ret;
 }
 
diff --git a/tls_openssl.c b/tls_openssl.c
@@ -37,6 +37,22 @@
 #define OPENSSL_d2i_TYPE unsigned char **
 #endif
 
+#ifdef ANDROID
+#include <openssl/pem.h>
+#include "keystore_get.h"
+
+static BIO *BIO_from_keystore(const char *key)
+{
+	BIO *bio = NULL;
+	char value[KEYSTORE_MESSAGE_SIZE];
+	int length = keystore_get(key, value);
+	if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL) {
+		BIO_write(bio, value, length);
+	}
+	return bio;
+}
+#endif
+
 static int tls_openssl_ref_count = 0;
 
 struct tls_connection {
@@ -1092,35 +1108,6 @@ static int tls_load_ca_der(void *_ssl_ctx, const char *ca_cert)
 }
 #endif /* OPENSSL_NO_STDIO */
 
-#ifdef ANDROID
-static int add_cert_chain_from_blob(X509_STORE *store, char *value, int size)
-{
-	int i, ret = -1;
-	BIO *bio = NULL;
-	STACK_OF(X509_INFO) *stack = NULL;
-
-	bio = BIO_new(BIO_s_mem());
-	if (bio == NULL) goto end;
-	BIO_write(bio, value, size);
-	stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
-	if (stack == NULL) goto end;
-	for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
-		X509_INFO *info = sk_X509_INFO_value(stack, i);
-		if (info->x509) {
-			X509_STORE_add_cert(store, info->x509);
-		}
-		if (info->crl) {
-			X509_STORE_add_crl(store, info->crl);
-		}
-	}
-	sk_X509_INFO_pop_free(stack, X509_INFO_free);
-	ret = 0;
-end:
-	if (bio != NULL) BIO_free(bio);
-	return ret;
-}
-#endif
-
 static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
 				  const char *ca_cert, const u8 *ca_cert_blob,
 				  size_t ca_cert_blob_len, const char *ca_path)
@@ -1138,12 +1125,8 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
 			   "certificate store", __func__);
 		return -1;
 	}
+
 	if (ca_cert_blob) {
-#ifdef ANDROID
-		return add_cert_chain_from_blob(ssl_ctx->cert_store,
-						(char*)ca_cert_blob,
-						(int)ca_cert_blob_len);
-#else
 		X509 *cert = d2i_X509(NULL, (OPENSSL_d2i_TYPE) &ca_cert_blob,
 				      ca_cert_blob_len);
 		if (cert == NULL) {
@@ -1173,9 +1156,34 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
 			   "to certificate store", __func__);
 		SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
 		return 0;
-#endif
 	}
 
+#ifdef ANDROID
+	if (strncmp("keystore://", ca_cert, 11) == 0) {
+		BIO *bio = BIO_from_keystore(&ca_cert[11]);
+		STACK_OF(X509_INFO) *stack = NULL;
+		int i;
+		if (bio) {
+			stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
+			BIO_free(bio);
+		}
+		if (!stack) {
+			return -1;
+		}
+		for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
+			X509_INFO *info = sk_X509_INFO_value(stack, i);
+			if (info->x509) {
+				X509_STORE_add_cert(ssl_ctx->cert_store, info->x509);
+			}
+			if (info->crl) {
+				X509_STORE_add_crl(ssl_ctx->cert_store, info->crl);
+			}
+		}
+		sk_X509_INFO_pop_free(stack, X509_INFO_free);
+		SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
+		return 0;
+	}
+#endif
 
 #ifdef CONFIG_NATIVE_WINDOWS
 	if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) ==
@@ -1332,6 +1340,25 @@ static int tls_connection_client_cert(struct tls_connection *conn,
 	if (client_cert == NULL)
 		return -1;
 
+#ifdef ANDROID
+	if (strncmp("keystore://", client_cert, 11) == 0) {
+		BIO *bio = BIO_from_keystore(&client_cert[11]);
+		X509 *x509 = NULL;
+		int ret = -1;
+		if (bio) {
+			x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+			BIO_free(bio);
+		}
+		if (x509) {
+			if (SSL_use_certificate(conn->ssl, x509) == 1) {
+				ret = 0;
+			}
+			X509_free(x509);
+		}
+		return ret;
+	}
+#endif
+
 #ifndef OPENSSL_NO_STDIO
 	if (SSL_use_certificate_file(conn->ssl, client_cert,
 				     SSL_FILETYPE_ASN1) == 1) {
@@ -1621,6 +1648,23 @@ static int tls_connection_private_key(void *_ssl_ctx,
 		break;
 	}
 
+#ifdef ANDROID
+	if (!ok && private_key && strncmp("keystore://", private_key, 11) == 0) {
+		BIO *bio = BIO_from_keystore(&private_key[11]);
+		EVP_PKEY *pkey = NULL;
+		if (bio) {
+			pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+			BIO_free(bio);
+		}
+		if (pkey) {
+			if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) {
+				ok = 1;
+			}
+			EVP_PKEY_free(pkey);
+		}
+	}
+#endif
+
 	while (!ok && private_key) {
 #ifndef OPENSSL_NO_STDIO
 		if (SSL_use_PrivateKey_file(conn->ssl, private_key,
