From patchwork Fri Apr 29 14:13:10 2022
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1624361
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH] wolfSSL: support both DER and PEM blobs
Date: Fri, 29 Apr 2022 16:13:10 +0200
Message-Id: <20220429141309.66281-1-juliusz@wolfssl.com>
--- src/crypto/tls_wolfssl.c | 40 ++++++++++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index ed0b75769d..04e1e0e810 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -454,7 +454,13 @@ static int tls_connection_client_cert(struct tls_connection *conn, SSL_FILETYPE_ASN1) != SSL_SUCCESS) { wpa_printf(MSG_INFO, "SSL: use client cert DER blob failed"); - return -1; + if (wolfSSL_use_certificate_chain_buffer_format( + conn->ssl, client_cert_blob, blob_len, + SSL_FILETYPE_PEM) != SSL_SUCCESS) { + wpa_printf(MSG_INFO, + "SSL: use client cert PEM blob failed"); + return -1; + } } wpa_printf(MSG_DEBUG, "SSL: use client cert blob OK"); return 0;
@@ -516,27 +522,34 @@ static int tls_connection_private_key(void *tls_ctx, if (private_key_blob) { if (wolfSSL_use_PrivateKey_buffer(conn->ssl, private_key_blob, blob_len, - SSL_FILETYPE_ASN1) <= 0) { + SSL_FILETYPE_ASN1) != SSL_SUCCESS) { wpa_printf(MSG_INFO, "SSL: use private DER blob failed"); + if (wolfSSL_use_PrivateKey_buffer(conn->ssl, + private_key_blob, blob_len, + SSL_FILETYPE_PEM) != SSL_SUCCESS) { + wpa_printf(MSG_INFO, + "SSL: use private PEM blob failed"); + } + else { + ok = 1; + } } else { - wpa_printf(MSG_DEBUG, "SSL: use private key blob OK"); ok = 1; } + if (ok) + wpa_printf(MSG_DEBUG, "SSL: use private key blob OK"); } if (!ok && private_key) { if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key, - SSL_FILETYPE_PEM) <= 0) { + SSL_FILETYPE_PEM) != SSL_SUCCESS) { wpa_printf(MSG_INFO, "SSL: use private key PEM file failed"); if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key, - SSL_FILETYPE_ASN1) <= 0) - { + SSL_FILETYPE_ASN1) != SSL_SUCCESS) { wpa_printf(MSG_INFO, "SSL: use private key DER file failed"); - } else { - ok = 1; } } else { ok = 1; @@ -1178,10 +1191,13 @@ static int tls_connection_ca_cert(void *tls_ctx, struct tls_connection *conn, if (ca_cert_blob) { if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_blob, blob_len, - SSL_FILETYPE_ASN1) != - SSL_SUCCESS) { - wpa_printf(MSG_INFO, "SSL: failed to load CA blob"); - return -1; + SSL_FILETYPE_ASN1) != SSL_SUCCESS) { + wpa_printf(MSG_INFO, "SSL: failed to load DER CA blob"); + if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_blob, blob_len, + SSL_FILETYPE_PEM) != SSL_SUCCESS) { + wpa_printf(MSG_INFO, "SSL: failed to load PEM CA blob"); + return -1; + } } wpa_printf(MSG_DEBUG, "SSL: use CA cert blob OK"); return 0;
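Review bot: In the tls_connection_client_cert hunk, the DER attempt still logs "SSL: use client cert DER blob failed" at MSG_INFO before the PEM fallback runs, so every PEM-encoded client certificate blob now produces a spurious failure line even though loading succeeds. Either drop that first message to MSG_DEBUG (for example "SSL: client cert blob is not DER, trying PEM") or emit a single MSG_INFO only after both formats have been rejected. The patch also carries no commit message; a sentence stating that blobs were previously accepted only as DER, and why PEM must now be accepted as well, would help whoever bisects to this change.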
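Review bot: In the tls_connection_private_key hunk, removing the `- } else {` / `- ok = 1;` lines after the DER file attempt is a regression: a private key file that fails PEM parsing but loads successfully as DER now leaves ok at 0, so the DER-file path that worked before this patch is treated as a failure. Restore `} else { ok = 1; }` on the success branch of the inner wolfSSL_use_PrivateKey_file(..., SSL_FILETYPE_ASN1) call. Minor style point in the same hunk: the new `+ }` / `+ else {` on separate lines does not match the `} else {` form used on the other branches in this hunk; put them on one line. The `<= 0` to `!= SSL_SUCCESS` changes themselves are fine and make the blob and file loaders consistent.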
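Review bot: In the tls_connection_ca_cert hunk, the fallback order means a PEM CA blob is always fed to wolfSSL_CTX_load_verify_buffer as SSL_FILETYPE_ASN1 first, and the resulting "SSL: failed to load DER CA blob" MSG_INFO line will appear on every successful PEM load. Since PEM input is recognisable by its "-----BEGIN" header, consider selecting the format from the blob contents up front and attempting only the matching format, which keeps the log clean and avoids the wasted parse; failing that, demote the first message to MSG_DEBUG. One behaviour change worth stating in the commit message: a blob that parses as neither format now returns -1 after two MSG_INFO lines rather than one.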