[PATCH 21/21] dpp: rename dpp_pkcs7_certs to pkcs7_get_certificates

Cedric Izoard cedric.izoard at ceva-dsp.com
Mon Jun 28 09:25:38 PDT 2021


From: Cedric Izoard <cedric.izoard at laposte.net>

Move the implementation of dpp_pkcs7_certs into the OpenSSL-specific files and
define its prototype in tls/pkcs7.h

Signed-off-by: Cedric Izoard <cedric.izoard at ceva-dsp.com>
---
 src/common/dpp.c            |  3 +-
 src/common/dpp.h            |  1 -
 src/common/dpp_crypto.c     | 90 -------------------------------------
 src/crypto/crypto_openssl.c | 89 ++++++++++++++++++++++++++++++++++++
 src/tls/pkcs7.h             | 13 ++++++
 5 files changed, 104 insertions(+), 92 deletions(-)
 create mode 100644 src/tls/pkcs7.h

diff --git a/src/common/dpp.c b/src/common/dpp.c
index 5e64fad34..79ad78d2a 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -21,6 +21,7 @@
 #include "crypto/aes.h"
 #include "crypto/aes_siv.h"
 #include "drivers/driver.h"
+#include "tls/pkcs7.h"
 #include "dpp.h"
 #include "dpp_i.h"
 
@@ -2553,7 +2554,7 @@ static int dpp_parse_cred_dot1x(struct dpp_authentication *auth,
 		return -1;
 	}
 	wpa_hexdump_buf(MSG_MSGDUMP, "DPP: Received certBag", conf->certbag);
-	conf->certs = dpp_pkcs7_certs(conf->certbag);
+	conf->certs = pkcs7_get_certificates(conf->certbag);
 	if (!conf->certs) {
 		dpp_auth_fail(auth, "No certificates in certBag");
 		return -1;
diff --git a/src/common/dpp.h b/src/common/dpp.h
index f353e5c3e..51568088d 100644
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@@ -631,7 +631,6 @@ void dpp_pfs_free(struct dpp_pfs *pfs);
 
 struct wpabuf * dpp_build_csr(struct dpp_authentication *auth,
 			      const char *name);
-struct wpabuf * dpp_pkcs7_certs(const struct wpabuf *pkcs7);
 int dpp_validate_csr(struct dpp_authentication *auth, const struct wpabuf *csr);
 
 struct dpp_bootstrap_info * dpp_add_qr_code(struct dpp_global *dpp,
diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
index 5092e98e3..66b64d331 100644
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -8,8 +8,6 @@
  */
 
 #include "utils/includes.h"
-#include <openssl/err.h>
-#include <openssl/pem.h>
 
 #include "utils/common.h"
 #include "utils/base64.h"
@@ -2102,94 +2100,6 @@ fail:
 }
 
 
-struct wpabuf * dpp_pkcs7_certs(const struct wpabuf *pkcs7)
-{
-#ifdef OPENSSL_IS_BORINGSSL
-	CBS pkcs7_cbs;
-#else /* OPENSSL_IS_BORINGSSL */
-	PKCS7 *p7 = NULL;
-	const unsigned char *p = wpabuf_head(pkcs7);
-#endif /* OPENSSL_IS_BORINGSSL */
-	STACK_OF(X509) *certs;
-	int i, num;
-	BIO *out = NULL;
-	size_t rlen;
-	struct wpabuf *pem = NULL;
-	int res;
-
-#ifdef OPENSSL_IS_BORINGSSL
-	certs = sk_X509_new_null();
-	if (!certs)
-		goto fail;
-	CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7));
-	if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
-		wpa_printf(MSG_INFO, "DPP: Could not parse PKCS#7 object: %s",
-			   ERR_error_string(ERR_get_error(), NULL));
-		goto fail;
-	}
-#else /* OPENSSL_IS_BORINGSSL */
-	p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7));
-	if (!p7) {
-		wpa_printf(MSG_INFO, "DPP: Could not parse PKCS#7 object: %s",
-			   ERR_error_string(ERR_get_error(), NULL));
-		goto fail;
-	}
-
-	switch (OBJ_obj2nid(p7->type)) {
-	case NID_pkcs7_signed:
-		certs = p7->d.sign->cert;
-		break;
-	case NID_pkcs7_signedAndEnveloped:
-		certs = p7->d.signed_and_enveloped->cert;
-		break;
-	default:
-		certs = NULL;
-		break;
-	}
-#endif /* OPENSSL_IS_BORINGSSL */
-
-	if (!certs || ((num = sk_X509_num(certs)) == 0)) {
-		wpa_printf(MSG_INFO,
-			   "DPP: No certificates found in PKCS#7 object");
-		goto fail;
-	}
-
-	out = BIO_new(BIO_s_mem());
-	if (!out)
-		goto fail;
-
-	for (i = 0; i < num; i++) {
-		X509 *cert = sk_X509_value(certs, i);
-
-		PEM_write_bio_X509(out, cert);
-	}
-
-	rlen = BIO_ctrl_pending(out);
-	pem = wpabuf_alloc(rlen);
-	if (!pem)
-		goto fail;
-	res = BIO_read(out, wpabuf_put(pem, 0), rlen);
-	if (res <= 0) {
-		wpabuf_free(pem);
-		pem = NULL;
-		goto fail;
-	}
-	wpabuf_put(pem, res);
-
-fail:
-#ifdef OPENSSL_IS_BORINGSSL
-	if (certs)
-		sk_X509_pop_free(certs, X509_free);
-#else /* OPENSSL_IS_BORINGSSL */
-	PKCS7_free(p7);
-#endif /* OPENSSL_IS_BORINGSSL */
-	if (out)
-		BIO_free_all(out);
-
-	return pem;
-}
-
-
 int dpp_validate_csr(struct dpp_authentication *auth, const struct wpabuf *csrbuf)
 {
 	struct crypto_csr *csr = NULL;
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index abcfeef38..8ff28af22 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -22,6 +22,7 @@
 #ifdef CONFIG_ECC
 #include <openssl/ec.h>
 #include <openssl/x509.h>
+#include <openssl/pem.h>
 #endif /* CONFIG_ECC */
 
 #include "common.h"
@@ -3009,4 +3010,92 @@ struct wpabuf * crypto_csr_sign(struct crypto_csr *csr, struct crypto_ec_key *ke
 	return buf;
 }
 
+
+struct wpabuf *pkcs7_get_certificates(const struct wpabuf *pkcs7)
+{
+#ifdef OPENSSL_IS_BORINGSSL
+	CBS pkcs7_cbs;
+#else /* OPENSSL_IS_BORINGSSL */
+	PKCS7 *p7 = NULL;
+	const unsigned char *p = wpabuf_head(pkcs7);
+#endif /* OPENSSL_IS_BORINGSSL */
+	STACK_OF(X509) *certs;
+	int i, num;
+	BIO *out = NULL;
+	size_t rlen;
+	struct wpabuf *pem = NULL;
+	int res;
+
+#ifdef OPENSSL_IS_BORINGSSL
+	certs = sk_X509_new_null();
+	if (!certs)
+		goto fail;
+	CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7));
+	if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
+		wpa_printf(MSG_INFO, "OpenSSL: Could not parse PKCS#7 object: %s",
+			   ERR_error_string(ERR_get_error(), NULL));
+		goto fail;
+	}
+#else /* OPENSSL_IS_BORINGSSL */
+	p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7));
+	if (!p7) {
+		wpa_printf(MSG_INFO, "OpenSSL: Could not parse PKCS#7 object: %s",
+			   ERR_error_string(ERR_get_error(), NULL));
+		goto fail;
+	}
+
+	switch (OBJ_obj2nid(p7->type)) {
+	case NID_pkcs7_signed:
+		certs = p7->d.sign->cert;
+		break;
+	case NID_pkcs7_signedAndEnveloped:
+		certs = p7->d.signed_and_enveloped->cert;
+		break;
+	default:
+		certs = NULL;
+		break;
+	}
+#endif /* OPENSSL_IS_BORINGSSL */
+
+	if (!certs || ((num = sk_X509_num(certs)) == 0)) {
+		wpa_printf(MSG_INFO,
+			   "OpenSSL: No certificates found in PKCS#7 object");
+		goto fail;
+	}
+
+	out = BIO_new(BIO_s_mem());
+	if (!out)
+		goto fail;
+
+	for (i = 0; i < num; i++) {
+		X509 *cert = sk_X509_value(certs, i);
+
+		PEM_write_bio_X509(out, cert);
+	}
+
+	rlen = BIO_ctrl_pending(out);
+	pem = wpabuf_alloc(rlen);
+	if (!pem)
+		goto fail;
+	res = BIO_read(out, wpabuf_put(pem, 0), rlen);
+	if (res <= 0) {
+		wpabuf_free(pem);
+		pem = NULL;
+		goto fail;
+	}
+	wpabuf_put(pem, res);
+
+fail:
+#ifdef OPENSSL_IS_BORINGSSL
+	if (certs)
+		sk_X509_pop_free(certs, X509_free);
+#else /* OPENSSL_IS_BORINGSSL */
+	PKCS7_free(p7);
+#endif /* OPENSSL_IS_BORINGSSL */
+	if (out)
+		BIO_free_all(out);
+
+	return pem;
+
+}
 #endif /* CONFIG_ECC */
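Review bot: The return value of PEM_write_bio_X509 in the loop over certs is unchecked, so a certificate that fails to serialize is silently dropped and the caller gets a PEM bundle with fewer certificates than the PKCS#7 object it parsed; the loop body should be `if (PEM_write_bio_X509(out, cert) != 1)` / `goto fail;`, which returns NULL because pem is still unset at that point. The function and the new `<openssl/pem.h>` include both sit under `#ifdef CONFIG_ECC` (the trailing `#endif` closes it), while tls/pkcs7.h declares the function unconditionally, so a non-ECC build that includes the header would fail at link time — presumably acceptable since DPP requires ECC, but a one-line comment at the definition saying so would save the next reader a search. The blank line before the closing brace is a leftover from the move and should be dropped.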
diff --git a/src/tls/pkcs7.h b/src/tls/pkcs7.h
new file mode 100644
index 000000000..370b2a2a9
--- /dev/null
+++ b/src/tls/pkcs7.h
@@ -0,0 +1,13 @@
+/*
+ * PKCS #7 (Cryptographic Message Syntax)
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#ifndef PKCS7_H
+#define PKCS7_H
+
+struct wpabuf *pkcs7_get_certificates(const struct wpabuf *pkcs7);
+
+#endif /* PKCS7_H */
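Review bot: The new header declares `pkcs7_get_certificates` without documenting its contract, and the only place a reader can learn it is the body in crypto_openssl.c; a comment above the prototype should state that it takes a DER-encoded PKCS#7 object, returns a newly allocated wpabuf holding the contained certificates in PEM form that the caller releases with wpabuf_free(), and returns NULL when the object does not parse or carries no certificates. The header also uses `struct wpabuf` without including utils/wpabuf.h or forward-declaring it; adding `struct wpabuf;` before the prototype keeps it self-contained regardless of include order.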
-- 
2.17.0



