commit e12166ac483d0a00bbbedcaacf157f28f2212c28
author Gabriel Biren <gbiren@google.com> Tue Apr 18 23:51:26 2023 +0000
committer Android (Google) Code Review <android-gerrit@google.com> Tue Apr 18 23:51:26 2023 +0000
tree d01c936a05b6e86dd4e808d279cfb6a79bb9d09a
parent c450e7b5d8bd79e83c3b444dab501b14b7384941
parent ff4f8380cab68653bbb99d6bfc13947a908a55ab

Merge changes from topic "supplicant-cert-crash" into udc-dev

* changes:
  Pass current EAP state machine to BIO_from_keystore().
  Move tls_data and tls_connection struct declarations to before BIO_from_keystore.

src/crypto/tls_openssl.c

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index edb3f0c..01b17b2 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -143,114 +143,6 @@
 	struct dl_list sessions; /* struct tls_session_data */
 };
 
-static struct tls_context *tls_global = NULL;
-static tls_get_certificate_cb certificate_callback_global = NULL;
-
-#ifdef ANDROID
-#include <openssl/pem.h>
-
-#include <log/log.h>
-#include <log/log_event_list.h>
-
-#define CERT_VALIDATION_FAILURE 210033
-#define ANDROID_KEYSTORE_PREFIX "keystore://"
-#define ANDROID_KEYSTORE_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_PREFIX)
-#define ANDROID_KEYSTORE_ENCODED_PREFIX "keystores://"
-#define ANDROID_KEYSTORE_ENCODED_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_ENCODED_PREFIX)
-
-static void log_cert_validation_failure(const char *reason)
-{
-	android_log_context ctx = create_android_logger(CERT_VALIDATION_FAILURE);
-	android_log_write_string8(ctx, reason);
-	android_log_write_list(ctx, LOG_ID_SECURITY);
-	android_log_destroy(&ctx);
-}
-
-
-static BIO* BIO_from_keystore(const char *alias)
-{
-	BIO *bio = NULL;
-	uint8_t *value = NULL;
-	if (tls_global != NULL && certificate_callback_global != NULL) {
-		wpa_printf(MSG_INFO, "Retrieving certificate using callback");
-		int length = (*certificate_callback_global)(tls_global->cb_ctx, alias, &value);
-		if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL)
-			BIO_write(bio, value, length);
-	}
-	free(value);
-	return bio;
-}
-
-static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *alias)
-{
-	BIO *bio = BIO_from_keystore(alias);
-	STACK_OF(X509_INFO) *stack = NULL;
-	stack_index_t i;
-	int ret = 0;
-
-	if (!bio) {
-		wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
-				alias);
-		return -1;
-	}
-
-	// Keystore returns X.509 certificates in PEM encoding
-	stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
-	BIO_free(bio);
-
-	if (!stack) {
-		wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
-				alias);
-		return -1;
-	}
-
-	for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
-		X509_INFO *info = sk_X509_INFO_value(stack, i);
-
-		if (info->x509)
-			if (!X509_STORE_add_cert(ctx, info->x509)) {
-				wpa_printf(MSG_ERROR,
-						"OpenSSL: Failed to add Root CA certificate");
-				ret = -1;
-				break;
-			}
-		if (info->crl)
-			X509_STORE_add_crl(ctx, info->crl);
-	}
-
-	sk_X509_INFO_pop_free(stack, X509_INFO_free);
-	return ret;
-}
-
-
-static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx,
-					    const char *encoded_alias)
-{
-	int rc = -1;
-	int len = os_strlen(encoded_alias);
-	unsigned char *decoded_alias;
-
-	if (len & 1) {
-		wpa_printf(MSG_WARNING, "Invalid hex-encoded alias: %s",
-			   encoded_alias);
-		return rc;
-	}
-
-	decoded_alias = os_malloc(len / 2 + 1);
-	if (decoded_alias) {
-		if (!hexstr2bin(encoded_alias, decoded_alias, len / 2)) {
-			decoded_alias[len / 2] = '\0';
-			rc = tls_add_ca_from_keystore(
-				ctx, (const char *) decoded_alias);
-		}
-		os_free(decoded_alias);
-	}
-
-	return rc;
-}
-
-#endif /* ANDROID */
-
 struct tls_data {
 	SSL_CTX *ssl;
 	unsigned int tls_session_lifetime;
@@ -307,6 +199,121 @@
 	int server_dh_prime_len;
 };
 
+static struct tls_context *tls_global = NULL;
+static tls_get_certificate_cb certificate_callback_global = NULL;
+
+#ifdef ANDROID
+#include <openssl/pem.h>
+
+#include <log/log.h>
+#include <log/log_event_list.h>
+
+#define CERT_VALIDATION_FAILURE 210033
+#define ANDROID_KEYSTORE_PREFIX "keystore://"
+#define ANDROID_KEYSTORE_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_PREFIX)
+#define ANDROID_KEYSTORE_ENCODED_PREFIX "keystores://"
+#define ANDROID_KEYSTORE_ENCODED_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_ENCODED_PREFIX)
+
+static void log_cert_validation_failure(const char *reason)
+{
+	android_log_context ctx = create_android_logger(CERT_VALIDATION_FAILURE);
+	android_log_write_string8(ctx, reason);
+	android_log_write_list(ctx, LOG_ID_SECURITY);
+	android_log_destroy(&ctx);
+}
+
+
+static BIO* BIO_from_keystore(const char *alias, struct tls_connection *conn)
+{
+	BIO *bio = NULL;
+	uint8_t *value = NULL;
+
+	void *cb_ctx = NULL;
+	if (conn != NULL && conn->context != NULL) {
+		cb_ctx = conn->context->cb_ctx;
+	}
+
+	if (cb_ctx != NULL && certificate_callback_global != NULL) {
+		wpa_printf(MSG_INFO, "Retrieving certificate using callback");
+		int length = (*certificate_callback_global)(cb_ctx, alias, &value);
+		if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL)
+			BIO_write(bio, value, length);
+		free(value);
+	}
+	return bio;
+}
+
+static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *alias, struct tls_connection *conn)
+{
+	BIO *bio = BIO_from_keystore(alias, conn);
+	STACK_OF(X509_INFO) *stack = NULL;
+	stack_index_t i;
+	int ret = 0;
+
+	if (!bio) {
+		wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
+				alias);
+		return -1;
+	}
+
+	// Keystore returns X.509 certificates in PEM encoding
+	stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
+	BIO_free(bio);
+
+	if (!stack) {
+		wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
+				alias);
+		return -1;
+	}
+
+	for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
+		X509_INFO *info = sk_X509_INFO_value(stack, i);
+
+		if (info->x509)
+			if (!X509_STORE_add_cert(ctx, info->x509)) {
+				wpa_printf(MSG_ERROR,
+						"OpenSSL: Failed to add Root CA certificate");
+				ret = -1;
+				break;
+			}
+		if (info->crl)
+			X509_STORE_add_crl(ctx, info->crl);
+	}
+
+	sk_X509_INFO_pop_free(stack, X509_INFO_free);
+	return ret;
+}
+
+
+static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx,
+						const char *encoded_alias,
+						struct tls_connection *conn)
+{
+	int rc = -1;
+	int len = os_strlen(encoded_alias);
+	unsigned char *decoded_alias;
+
+	if (len & 1) {
+		wpa_printf(MSG_WARNING, "Invalid hex-encoded alias: %s",
+			   encoded_alias);
+		return rc;
+	}
+
+	decoded_alias = os_malloc(len / 2 + 1);
+	if (decoded_alias) {
+		if (!hexstr2bin(encoded_alias, decoded_alias, len / 2)) {
+			decoded_alias[len / 2] = '\0';
+			rc = tls_add_ca_from_keystore(
+				ctx, (const char *) decoded_alias, conn);
+		}
+		os_free(decoded_alias);
+	}
+
+	return rc;
+}
+
+#endif /* ANDROID */
+
 
 static struct tls_context * tls_context_new(const struct tls_config *conf)
 {
@@ -2902,7 +2909,7 @@
 	if (ca_cert && os_strncmp(ANDROID_KEYSTORE_PREFIX, ca_cert,
 					ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
 		if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx),
-				&ca_cert[ANDROID_KEYSTORE_PREFIX_LEN]) < 0)
+				&ca_cert[ANDROID_KEYSTORE_PREFIX_LEN], conn) < 0)
 			return -1;
 		SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
 		return 0;
@@ -2923,7 +2930,7 @@
 		alias = strtok_r(aliases, delim, &savedptr);
 		for (; alias; alias = strtok_r(NULL, delim, &savedptr)) {
 			if (tls_add_ca_from_keystore_encoded(
-					SSL_CTX_get_cert_store(ssl_ctx), alias)) {
+					SSL_CTX_get_cert_store(ssl_ctx), alias, conn)) {
 				wpa_printf(MSG_ERROR,
 						"OpenSSL: Failed to add ca_cert %s from keystore",
 						alias);
@@ -3487,7 +3494,7 @@
 #ifdef ANDROID
 	if (os_strncmp(ANDROID_KEYSTORE_PREFIX, client_cert,
 			ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
-		BIO *bio = BIO_from_keystore(&client_cert[ANDROID_KEYSTORE_PREFIX_LEN]);
+		BIO *bio = BIO_from_keystore(&client_cert[ANDROID_KEYSTORE_PREFIX_LEN], conn);
 		X509 *x509 = NULL;
 		if (!bio) {
 			return -1;