@ -19,6 +19,7 @@
# include <wolfssl/ssl.h> # include <wolfssl/ssl.h>
# include <wolfssl/error-ssl.h> # include <wolfssl/error-ssl.h>
# include <wolfssl/wolfcrypt/asn.h> # include <wolfssl/wolfcrypt/asn.h>
# include <wolfssl/openssl/x509v3.h>
# if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) # if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
# define HAVE_AESGCM # define HAVE_AESGCM
@ -576,7 +577,7 @@ static int tls_connection_private_key(void *tls_ctx,
static int tls_match_alt_subject_component ( WOLFSSL_X509 * cert , int type , static int tls_match_alt_subject_component ( WOLFSSL_X509 * cert , int type ,
const char * value , size_t len )
const char * value , size_t len )
{ {
WOLFSSL_ ASN1_OBJECT * gen ;
WOLFSSL_ GENERAL_NAME * gen ;
void * ext ;
void * ext ;
int found = 0 ;
int found = 0 ;
int i ;
int i ;
@ -585,14 +586,15 @@ static int tls_match_alt_subject_component(WOLFSSL_X509 *cert, int type,
for ( i = 0 ; ext & & i < wolfSSL_sk_num ( ext ) ; i + + ) {
for ( i = 0 ; ext & & i < wolfSSL_sk_num ( ext ) ; i + + ) {
gen = wolfSSL_sk_value ( ext , i ) ;
gen = wolfSSL_sk_value ( ext , i ) ;
if ( gen - > type ! = type )
if ( ! gen | | gen - > type ! = type )
continue ;
continue ;
if ( os_strlen ( ( char * ) gen - > obj ) = = len & &
if ( ( size_t ) wolfSSL_ASN1_STRING_length ( gen - > d . ia5 ) = = len & &
os_memcmp ( value , gen - > obj , len ) = = 0 )
os_memcmp ( value , wolfSSL_ASN1_STRING_data ( gen - > d . ia5 ) ,
len ) = = 0 )
found + + ;
found + + ;
}
}
wolfSSL_sk_ ASN1_OBJECT _free( ext ) ;
wolfSSL_sk_ GENERAL_NAME _free( ext ) ;
return found ;
return found ;
} }
@ -676,7 +678,7 @@ static int domain_suffix_match(const char *val, size_t len, const char *match,
static int tls_match_suffix_helper ( WOLFSSL_X509 * cert , const char * match , static int tls_match_suffix_helper ( WOLFSSL_X509 * cert , const char * match ,
size_t match_len , int full )
size_t match_len , int full )
{ {
WOLFSSL_ ASN1_OBJECT * gen ;
WOLFSSL_ GENERAL_NAME * gen ;
void * ext ;
void * ext ;
int i ;
int i ;
int j ;
int j ;
@ -690,21 +692,23 @@ static int tls_match_suffix_helper(WOLFSSL_X509 *cert, const char *match,
for ( j = 0 ; ext & & j < wolfSSL_sk_num ( ext ) ; j + + ) {
for ( j = 0 ; ext & & j < wolfSSL_sk_num ( ext ) ; j + + ) {
gen = wolfSSL_sk_value ( ext , j ) ;
gen = wolfSSL_sk_value ( ext , j ) ;
if ( gen - > type ! = ASN_DNS_TYPE )
if ( ! gen | | gen - > type ! = ASN_DNS_TYPE )
continue ;
continue ;
dns_name + + ;
dns_name + + ;
wpa_hexdump_ascii ( MSG_DEBUG , " TLS: Certificate dNSName " ,
wpa_hexdump_ascii ( MSG_DEBUG , " TLS: Certificate dNSName " ,
gen - > obj , os_strlen ( ( char * ) gen - > obj ) ) ;
wolfSSL_ASN1_STRING_data ( gen - > d . ia5 ) ,
if ( domain_suffix_match ( ( const char * ) gen - > obj ,
wolfSSL_ASN1_STRING_length ( gen - > d . ia5 ) ) ;
os_strlen ( ( char * ) gen - > obj ) , match ,
if ( domain_suffix_match (
match_len , full ) = = 1 ) {
( const char * ) wolfSSL_ASN1_STRING_data ( gen - > d . ia5 ) ,
wolfSSL_ASN1_STRING_length ( gen - > d . ia5 ) , match ,
match_len , full ) = = 1 ) {
wpa_printf ( MSG_DEBUG , " TLS: %s in dNSName found " ,
wpa_printf ( MSG_DEBUG , " TLS: %s in dNSName found " ,
full ? " Match " : " Suffix match " ) ;
full ? " Match " : " Suffix match " ) ;
wolfSSL_sk_ASN1_OBJECT_free ( ext ) ;
wolfSSL_sk_ASN1_OBJECT_free ( ext ) ;
return 1 ;
return 1 ;
}
}
}
}
wolfSSL_sk_ ASN1_OBJECT _free( ext ) ;
wolfSSL_sk_ GENERAL_NAME _free( ext ) ;
if ( dns_name ) {
if ( dns_name ) {
wpa_printf ( MSG_DEBUG , " TLS: None of the dNSName(s) matched " ) ;
wpa_printf ( MSG_DEBUG , " TLS: None of the dNSName(s) matched " ) ;
@ -858,7 +862,7 @@ static void wolfssl_tls_cert_event(struct tls_connection *conn,
struct tls_context * context = conn - > context ;
struct tls_context * context = conn - > context ;
char * alt_subject [ TLS_MAX_ALT_SUBJECT ] ;
char * alt_subject [ TLS_MAX_ALT_SUBJECT ] ;
int alt , num_alt_subject = 0 ;
int alt , num_alt_subject = 0 ;
WOLFSSL_ ASN1_OBJECT * gen ;
WOLFSSL_ GENERAL_NAME * gen ;
void * ext ;
void * ext ;
int i ;
int i ;
# ifdef CONFIG_SHA256 # ifdef CONFIG_SHA256
@ -899,12 +903,14 @@ static void wolfssl_tls_cert_event(struct tls_connection *conn,
if ( num_alt_subject = = TLS_MAX_ALT_SUBJECT )
if ( num_alt_subject = = TLS_MAX_ALT_SUBJECT )
break ;
break ;
gen = wolfSSL_sk_value ( ( void * ) ext , i ) ;
gen = wolfSSL_sk_value ( ( void * ) ext , i ) ;
if ( gen - > type ! = GEN_EMAIL & &
if ( ! gen | |
gen - > type ! = GEN_DNS & &
( gen - > type ! = GEN_EMAIL & &
gen - > type ! = GEN_URI )
gen - > type ! = GEN_DNS & &
gen - > type ! = GEN_URI ) )
continue ;
continue ;
pos = os_malloc ( 10 + os_strlen ( ( char * ) gen - > obj ) + 1 ) ;
pos = os_malloc ( 10 + wolfSSL_ASN1_STRING_length ( gen - > d . ia5 ) +
1 ) ;
if ( ! pos )
if ( ! pos )
break ;
break ;
alt_subject [ num_alt_subject + + ] = pos ;
alt_subject [ num_alt_subject + + ] = pos ;
@ -924,11 +930,12 @@ static void wolfssl_tls_cert_event(struct tls_connection *conn,
break ;
break ;
}
}
os_memcpy ( pos , gen - > obj , os_strlen ( ( char * ) gen - > obj ) ) ;
os_memcpy ( pos , wolfSSL_ASN1_STRING_data ( gen - > d . ia5 ) ,
pos + = os_strlen ( ( char * ) gen - > obj ) ;
wolfSSL_ASN1_STRING_length ( gen - > d . ia5 ) ) ;
pos + = wolfSSL_ASN1_STRING_length ( gen - > d . ia5 ) ;
* pos = ' \0 ' ;
* pos = ' \0 ' ;
}
}
wolfSSL_sk_ ASN1_OBJECT _free( ext ) ;
wolfSSL_sk_ GENERAL_NAME _free( ext ) ;
for ( alt = 0 ; alt < num_alt_subject ; alt + + )
for ( alt = 0 ; alt < num_alt_subject ; alt + + )
ev . peer_cert . altsubject [ alt ] = alt_subject [ alt ] ;
ev . peer_cert . altsubject [ alt ] = alt_subject [ alt ] ;
Juliusz Sosinowicz
4 years ago
committed by
Jouni Malinen