DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

TLS: Use ASN.1 helper functions

Browse source 
Simplify ASN.1 parser operations by using the shared helper functions.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2021-03-12 23:24:54 +02:00
parent d4e1d76dbf
commit 626035bec7
2 changed files with 154 additions and 265 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

180
src/tls/tlsv1_client_ocsp.c
View file

@ -138,12 +138,8 @@ static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
*/
/* CertID ::= SEQUENCE */
if (asn1_get_next(resp, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (CertID) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr, "OCSP: Expected SEQUENCE (CertID)");
return -1;
}
pos = hdr.payload;
@ -163,11 +159,9 @@ static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
/* issuerNameHash OCTET STRING */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected OCTET STRING (issuerNameHash) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_octetstring(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected OCTET STRING (issuerNameHash)");
return -1;
}
name_hash = hdr.payload;
@ -190,11 +184,9 @@ static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
/* issuerKeyHash OCTET STRING */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected OCTET STRING (issuerKeyHash) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_octetstring(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected OCTET STRING (issuerKeyHash)");
return -1;
}
key_hash = hdr.payload;
@ -214,11 +206,10 @@ static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
/* serialNumber CertificateSerialNumber ::= INTEGER */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_INTEGER ||
!asn1_is_integer(&hdr) ||
hdr.length < 1 || hdr.length > X509_MAX_SERIAL_NUM_LEN) {
wpa_printf(MSG_DEBUG, "OCSP: No INTEGER tag found for serialNumber; class=%d tag=0x%x length=%u",
hdr.class, hdr.tag, hdr.length);
asn1_unexpected(&hdr,
"OCSP: No INTEGER tag found for serialNumber");
return -1;
}
serial_number = hdr.payload;
@ -240,12 +231,16 @@ static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
pos = end;
end = resp + len;
/* certStatus CertStatus ::= CHOICE */
/* certStatus CertStatus ::= CHOICE
*
* CertStatus ::= CHOICE {
* good [0] IMPLICIT NULL,
* revoked [1] IMPLICIT RevokedInfo,
* unknown [2] IMPLICIT UnknownInfo }
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected CHOICE (CertStatus) - found class %d tag 0x%x",
hdr.class, hdr.tag);
asn1_unexpected(&hdr, "OCSP: Expected CHOICE (CertStatus)");
return -1;
}
cert_status = hdr.tag;
@ -257,8 +252,7 @@ static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
os_get_time(&now);
/* thisUpdate GeneralizedTime */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_GENERALIZEDTIME ||
!asn1_is_generalizedtime(&hdr) ||
x509_parse_time(hdr.payload, hdr.length, hdr.tag, &update) < 0) {
wpa_printf(MSG_DEBUG, "OCSP: Failed to parse thisUpdate");
return -1;
@ -275,12 +269,11 @@ static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
if (pos < end) {
if (asn1_get_next(pos, end - pos, &hdr) < 0)
return -1;
if (hdr.class == ASN1_CLASS_CONTEXT_SPECIFIC && hdr.tag == 0) {
if (asn1_is_cs_tag(&hdr, 0) && hdr.constructed) {
const u8 *next = hdr.payload + hdr.length;
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_GENERALIZEDTIME ||
!asn1_is_generalizedtime(&hdr) ||
x509_parse_time(hdr.payload, hdr.length, hdr.tag,
&update) < 0) {
wpa_printf(MSG_DEBUG,
@ -329,11 +322,9 @@ tls_process_ocsp_responses(struct tlsv1_client *conn,
while (pos < end) {
/* SingleResponse ::= SEQUENCE */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (SingleResponse) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected SEQUENCE (SingleResponse)");
return TLS_OCSP_INVALID;
}
if (tls_process_ocsp_single_response(conn, cert, issuer,
@ -381,12 +372,9 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
*/
if (asn1_get_next(resp, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (BasicOCSPResponse) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected SEQUENCE (BasicOCSPResponse)");
return TLS_OCSP_INVALID;
}
pos = hdr.payload;
@ -394,11 +382,9 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
/* ResponseData ::= SEQUENCE */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (ResponseData) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected SEQUENCE (ResponseData)");
return TLS_OCSP_INVALID;
}
resp_data = hdr.payload;
@ -413,11 +399,9 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
/* signature BIT STRING */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_BITSTRING) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected BITSTRING (signature) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_bitstring(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected BITSTRING (signature)");
return TLS_OCSP_INVALID;
}
if (hdr.length < 1)
@ -439,11 +423,9 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
/* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL */
if (pos < end) {
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected [0] EXPLICIT (certs) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!hdr.constructed || !asn1_is_cs_tag(&hdr, 0)) {
asn1_unexpected(&hdr,
"OCSP: Expected [0] EXPLICIT (certs)");
return TLS_OCSP_INVALID;
}
wpa_hexdump(MSG_MSGDUMP, "OCSP: certs",
@ -454,11 +436,9 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
struct x509_certificate *cert;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (Certificate) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected SEQUENCE (Certificate)");
goto fail;
}
@ -491,16 +471,12 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
* version [0] EXPLICIT Version DEFAULT v1
* Version ::= INTEGER { v1(0) }
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 &&
hdr.class == ASN1_CLASS_CONTEXT_SPECIFIC &&
hdr.tag == 0) {
if (asn1_get_next(pos, end - pos, &hdr) == 0 && hdr.constructed &&
asn1_is_cs_tag(&hdr, 0)) {
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_INTEGER ||
hdr.length != 1) {
wpa_printf(MSG_DEBUG,
"OCSP: No INTEGER (len=1) tag found for version field - found class %d tag 0x%x length %d",
hdr.class, hdr.tag, hdr.length);
!asn1_is_integer(&hdr) || hdr.length != 1) {
asn1_unexpected(&hdr,
"OCSP: No INTEGER (len=1) tag found for version field");
goto fail;
}
wpa_printf(MSG_DEBUG, "OCSP: ResponseData version %u",
@ -524,9 +500,7 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected CHOICE (ResponderID) - found class %d tag 0x%x",
hdr.class, hdr.tag);
asn1_unexpected(&hdr, "OCSP: Expected CHOICE (ResponderID)");
goto fail;
}
@ -539,11 +513,9 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
} else if (hdr.tag == 2) {
/* KeyHash ::= OCTET STRING */
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected OCTET STRING (KeyHash) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_octetstring(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected OCTET STRING (KeyHash)");
goto fail;
}
key_hash = hdr.payload;
@ -564,8 +536,7 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
/* producedAt GeneralizedTime */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_GENERALIZEDTIME ||
!asn1_is_generalizedtime(&hdr) ||
x509_parse_time(hdr.payload, hdr.length, hdr.tag,
&produced_at) < 0) {
wpa_printf(MSG_DEBUG, "OCSP: Failed to parse producedAt");
@ -577,11 +548,9 @@ tls_process_basic_ocsp_response(struct tlsv1_client *conn,
/* responses SEQUENCE OF SingleResponse */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (responses) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected SEQUENCE (responses)");
goto fail;
}
responses = hdr.payload;
@ -697,12 +666,9 @@ enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
*/
if (asn1_get_next(resp, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (OCSPResponse) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected SEQUENCE (OCSPResponse)");
return TLS_OCSP_INVALID;
}
pos = hdr.payload;
@ -710,12 +676,9 @@ enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
/* OCSPResponseStatus ::= ENUMERATED */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_ENUMERATED ||
hdr.length != 1) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected ENUMERATED (responseStatus) - found class %d tag 0x%x length %u",
hdr.class, hdr.tag, hdr.length);
!asn1_is_enumerated(&hdr) || hdr.length != 1) {
asn1_unexpected(&hdr,
"OCSP: Expected ENUMERATED (responseStatus)");
return TLS_OCSP_INVALID;
}
resp_status = hdr.payload[0];
@ -730,12 +693,10 @@ enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
if (pos == end)
return TLS_OCSP_NO_RESPONSE;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected [0] EXPLICIT (responseBytes) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || !hdr.constructed ||
!asn1_is_cs_tag(&hdr, 0)) {
asn1_unexpected(&hdr,
"OCSP: Expected [0] EXPLICIT (responseBytes)");
return TLS_OCSP_INVALID;
}
@ -746,11 +707,9 @@ enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
*/
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (ResponseBytes) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"OCSP: Expected SEQUENCE (ResponseBytes)");
return TLS_OCSP_INVALID;
}
pos = hdr.payload;
@ -771,11 +730,8 @@ enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
/* response OCTET STRING */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected OCTET STRING (response) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_octetstring(&hdr)) {
asn1_unexpected(&hdr, "OCSP: Expected OCTET STRING (response)");
return TLS_OCSP_INVALID;
}

239
src/tls/tlsv1_cred.c
View file

@ -455,12 +455,8 @@ static int pkcs12_certbag(struct tlsv1_credentials *cred,
* }
*/
if (asn1_get_next(buf, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (CertBag) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(buf, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr, "PKCS #12: Expected SEQUENCE (CertBag)");
return -1;
}
@ -482,21 +478,17 @@ static int pkcs12_certbag(struct tlsv1_credentials *cred,
obuf);
}
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected [0] EXPLICIT (certValue) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || !hdr.constructed ||
!asn1_is_cs_tag(&hdr, 0)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected [0] EXPLICIT (certValue)");
return -1;
}
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected OCTET STRING (x509Certificate) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_octetstring(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected OCTET STRING (x509Certificate)");
return -1;
}
@ -534,11 +526,9 @@ static int pkcs12_parse_attr_friendly_name(const u8 *pos, const u8 *end)
* }
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_BMPSTRING) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected BMPSTRING (friendlyName) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_bmpstring(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected BMPSTRING (friendlyName)");
return 0;
}
wpa_hexdump_ascii(MSG_DEBUG, "PKCS #12: friendlyName",
@ -561,11 +551,9 @@ static int pkcs12_parse_attr_local_key_id(const u8 *pos, const u8 *end)
* }
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected OCTET STRING (localKeyID) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_octetstring(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected OCTET STRING (localKeyID)");
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "PKCS #12: localKeyID",
@ -596,12 +584,8 @@ static int pkcs12_parse_attr(const u8 *pos, size_t len)
asn1_oid_to_str(&a_oid, obuf, sizeof(obuf));
wpa_printf(MSG_DEBUG, "PKCS #12: attrId %s", obuf);
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SET) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SET (attrValues) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_set(&hdr)) {
asn1_unexpected(&hdr, "PKCS #12: Expected SET (attrValues)");
return -1;
}
wpa_hexdump_key(MSG_MSGDUMP, "PKCS #12: attrValues",
@ -641,12 +625,10 @@ static int pkcs12_safebag(struct tlsv1_credentials *cred,
asn1_oid_to_str(&oid, obuf, sizeof(obuf));
wpa_printf(MSG_DEBUG, "PKCS #12: BAG-TYPE %s", obuf);
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected [0] EXPLICIT (bagValue) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || !hdr.constructed ||
!asn1_is_cs_tag(&hdr, 0)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected [0] EXPLICIT (bagValue)");
return 0;
}
value = hdr.payload;
@ -657,11 +639,9 @@ static int pkcs12_safebag(struct tlsv1_credentials *cred,
if (pos < end) {
/* bagAttributes SET OF PKCS12Attribute OPTIONAL */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SET) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SET (bagAttributes) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_set(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SET (bagAttributes)");
return -1;
}
wpa_hexdump_key(MSG_MSGDUMP, "PKCS #12: bagAttributes",
@ -672,11 +652,9 @@ static int pkcs12_safebag(struct tlsv1_credentials *cred,
while (pos < end) {
/* PKCS12Attribute ::= SEQUENCE */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (PKCS12Attribute) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (PKCS12Attribute)");
return -1;
}
if (pkcs12_parse_attr(hdr.payload, hdr.length) < 0)
@ -705,12 +683,9 @@ static int pkcs12_safecontents(struct tlsv1_credentials *cred,
const u8 *pos, *end;
/* SafeContents ::= SEQUENCE OF SafeBag */
if (asn1_get_next(buf, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (SafeContents) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(buf, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (SafeContents)");
return -1;
}
pos = hdr.payload;
@ -726,11 +701,9 @@ static int pkcs12_safecontents(struct tlsv1_credentials *cred,
while (pos < end) {
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (SafeBag) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (SafeBag)");
return -1;
}
if (pkcs12_safebag(cred, hdr.payload, hdr.length, passwd) < 0)
@ -750,11 +723,8 @@ static int pkcs12_parse_content_data(struct tlsv1_credentials *cred,
/* Data ::= OCTET STRING */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected OCTET STRING (Data) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_octetstring(&hdr)) {
asn1_unexpected(&hdr, "PKCS #12: Expected OCTET STRING (Data)");
return -1;
}
@ -782,21 +752,17 @@ static int pkcs12_parse_content_enc_data(struct tlsv1_credentials *cred,
* encryptedContentInfo EncryptedContentInfo }
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (EncryptedData) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (EncryptedData)");
return 0;
}
pos = hdr.payload;
/* Version ::= INTEGER */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
wpa_printf(MSG_DEBUG,
"PKCS #12: No INTEGER tag found for version; class=%d tag=0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: No INTEGER tag found for version");
return -1;
}
if (hdr.length != 1 || hdr.payload[0] != 0) {
@ -815,11 +781,9 @@ static int pkcs12_parse_content_enc_data(struct tlsv1_credentials *cred,
* encryptedContent [0] IMPLICIT EncryptedContent OPTIONAL }
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (EncryptedContentInfo) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (EncryptedContentInfo)");
return -1;
}
@ -845,22 +809,19 @@ static int pkcs12_parse_content_enc_data(struct tlsv1_credentials *cred,
/* ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG, "PKCS #12: Expected SEQUENCE (ContentEncryptionAlgorithmIdentifier) - found class %d tag 0x%x",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (ContentEncryptionAlgorithmIdentifier)");
return -1;
}
enc_alg = hdr.payload;
enc_alg_len = hdr.length;
pos = hdr.payload + hdr.length;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected [0] IMPLICIT (encryptedContent) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || hdr.constructed ||
!asn1_is_cs_tag(&hdr, 0)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected [0] IMPLICIT (encryptedContent)");
return -1;
}
@ -900,12 +861,10 @@ static int pkcs12_parse_content(struct tlsv1_credentials *cred,
asn1_oid_to_str(&oid, txt, sizeof(txt));
wpa_printf(MSG_DEBUG, "PKCS #12: contentType %s", txt);
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected [0] EXPLICIT (content) - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || !hdr.constructed ||
!asn1_is_cs_tag(&hdr, 0)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected [0] EXPLICIT (content)");
return 0;
}
pos = hdr.payload;
@ -938,23 +897,18 @@ static int pkcs12_parse(struct tlsv1_credentials *cred,
* }
*/
if (asn1_get_next(key, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (PFX) - found class %d tag 0x%x; assume PKCS #12 not used",
hdr.class, hdr.tag);
if (asn1_get_next(key, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (PFX); assume PKCS #12 not used");
return -1;
}
pos = hdr.payload;
end = pos + hdr.length;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
wpa_printf(MSG_DEBUG,
"PKCS #12: No INTEGER tag found for version; class=%d tag=0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: No INTEGER tag found for version");
return -1;
}
if (hdr.length != 1 || hdr.payload[0] != 3) {
@ -970,11 +924,9 @@ static int pkcs12_parse(struct tlsv1_credentials *cred,
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (authSafe) - found class %d tag 0x%x; assume PKCS #12 not used",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (authSafe); assume PKCS #12 not used");
return -1;
}
@ -995,12 +947,10 @@ static int pkcs12_parse(struct tlsv1_credentials *cred,
return -1;
}
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected [0] EXPLICIT (content) - found class %d tag 0x%x; assume PKCS #12 not used",
hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 || !hdr.constructed ||
!asn1_is_cs_tag(&hdr, 0)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected [0] EXPLICIT (content); assume PKCS #12 not used");
return -1;
}
@ -1008,11 +958,9 @@ static int pkcs12_parse(struct tlsv1_credentials *cred,
/* Data ::= OCTET STRING */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected OCTET STRING (Data) - found class %d tag 0x%x; assume PKCS #12 not used",
hdr.class, hdr.tag);
!asn1_is_octetstring(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected OCTET STRING (Data); assume PKCS #12 not used");
return -1;
}
@ -1026,11 +974,9 @@ static int pkcs12_parse(struct tlsv1_credentials *cred,
hdr.payload, hdr.length);
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE within Data content - found class %d tag 0x%x; assume PKCS #12 not used",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE within Data content; assume PKCS #12 not used");
return -1;
}
@ -1039,11 +985,9 @@ static int pkcs12_parse(struct tlsv1_credentials *cred,
while (end > pos) {
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"PKCS #12: Expected SEQUENCE (ContentInfo) - found class %d tag 0x%x; assume PKCS #12 not used",
hdr.class, hdr.tag);
!asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"PKCS #12: Expected SEQUENCE (ContentInfo); assume PKCS #12 not used");
return -1;
}
if (pkcs12_parse_content(cred, hdr.payload, hdr.length,
@ -1141,24 +1085,17 @@ static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
*/
/* DHParamer ::= SEQUENCE */
if (asn1_get_next(pos, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG, "DH: DH parameters did not start with a "
"valid SEQUENCE - found class %d tag 0x%x",
hdr.class, hdr.tag);
if (asn1_get_next(pos, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
asn1_unexpected(&hdr,
"DH: DH parameters did not start with a valid SEQUENCE");
return -1;
}
pos = hdr.payload;
/* prime INTEGER */
if (asn1_get_next(pos, end - pos, &hdr) < 0)
return -1;
if (hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_INTEGER) {
wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for p; "
"class=%d tag=0x%x", hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
!asn1_is_integer(&hdr)) {
asn1_unexpected(&hdr, "DH: No INTEGER tag found for p");
return -1;
}
@ -1173,13 +1110,9 @@ static int tlsv1_set_dhparams_der(struct tlsv1_credentials *cred,
pos = hdr.payload + hdr.length;
/* base INTEGER */
if (asn1_get_next(pos, end - pos, &hdr) < 0)
return -1;
if (hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_INTEGER) {
wpa_printf(MSG_DEBUG, "DH: No INTEGER tag found for g; "
"class=%d tag=0x%x", hdr.class, hdr.tag);
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
!asn1_is_integer(&hdr)) {
asn1_unexpected(&hdr, "DH: No INTEGER tag found for g");
return -1;
}