Commit graph

364 commits

Author SHA1 Message Date
Jouni Malinen
2e38079531 TLS: Fix memory leak with multiple TLS server instances
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 18:15:22 +02:00
Jouni Malinen
8f3ea3175f tests: Fix build without CONFIG_ERP=y
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-26 00:42:14 +02:00
Jouni Malinen
cc4f3d6ea7 tests: Add TEST_FAIL() condition to omac1_aes_vector()
This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 20:40:36 +03:00
Jouni Malinen
8fd1d6236d OpenSSL: Add TEST_FAIL() checks to allow error path testing
This makes it easier to test various error paths related to key
derivation and authentication steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-12 01:04:22 +03:00
Jouni Malinen
cbb154973d OpenSSL: Make msg_callback debug prints easier to read
Write a text version of the content type and handshake type in debug log
to make it easier to follow TLS exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-11 11:35:35 +03:00
Jouni Malinen
faf8f29379 OpenSSL: Recognize special write_p == 2 in msg_callback
OpenSSL could use this to identify crypto tracing values if built with
OPENSSL_SSL_TRACE_CRYPTO.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-11 11:14:00 +03:00
Jouni Malinen
6f5b284b32 tests: Module test for hmac_sha256_kdf() maximum output length
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-10 18:57:14 +03:00
Jouni Malinen
5a55c9b411 Fix MSCHAP UTF-8 to UCS-2 conversion check for three-byte encoding
The utf8_string_len comparison was off by one and ended up accepting a
truncated three-byte encoded UTF-8 character at the end of the string if
the octet was missing. Since the password string gets null terminated in
the configuration, this did not result in reading beyond the buffer, but
anyway, it is better to explicitly reject the string rather than try to
use an incorrectly encoded UTF-8 string as the password.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-10 18:38:37 +03:00
Jouni Malinen
bdee6ca0e0 BoringSSL: Implement support for OCSP stapling
BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*()
functions) and instead, provides only a minimal mechanism for include
the status request extension and fetching the response from the server.
As such, the previous OpenSSL-based implementation for OCSP stapling is
not usable with BoringSSL.

Add a new implementation that uses BoringSSL to request and fetch the
OCSP stapling response and then parse and validate this with the new
implementation within wpa_supplicant. While this may not have identical
behavior with the OpenSSL-based implementation, this should be a good
starting point for being able to use OCSP stapling with BoringSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-09 23:48:30 +03:00
Adam Langley
aeeb0bca71 Android: Fix keystore-backed keys with BoringSSL
The switch to BoringSSL broke keystore-backed keys because
wpa_supplicant was using the dynamic ENGINE loading to load
the keystore module.
The ENGINE-like functionality in BoringSSL is much simpler
and this change should enable it.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2015-10-06 23:10:17 +03:00
Jouni Malinen
d9c807cab1 Fix key derivation for Suite B 192-bit AKM to use SHA384
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-27 20:42:14 +03:00
Jouni Malinen
20f331b707 OpenSSL: Write PKCS#12 extra cert errors into debug log
Commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs') added a new
mechanism for doing this with OpenSSL 1.0.2 and newer. However, it did
not poinr out anything in debug log if SSL_add1_chain_cert() failed. Add
such a debug print and also silence static analyzer warning on res being
stored without being read (since the error case is ignored at least for
now).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 19:36:34 +03:00
Jouni Malinen
acf36f319f OpenSSL: Enable support for server side TLS session resumption
This allows TLS-based EAP server methods to use session resumption.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 18:01:40 +03:00
Jouni Malinen
b3b8085ae8 TLS: Add functions for managing cached session state
The new tls_connection_set_success_data(),
tls_connection_set_success_data_resumed(),
tls_connection_get_success_data(), and tls_connection_remove_session()
functions can be used to mark cached sessions valid and to remove
invalid cached sessions. This commit is only adding empty functions. The
actual functionality will be implemented in followup commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Jouni Malinen
681e199dfb EAP server: Add tls_session_lifetime configuration
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Jouni Malinen
93bc654996 OpenSSL: Allow server connection parameters to be configured
This extends OpenSSL version of tls_connection_set_verify() to support
the new flags argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:29 +03:00
Jouni Malinen
bfbebd2665 TLS: Add new arguments to tls_connection_set_verify()
The new flags and session_ctx arguments will be used in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:29 +03:00
Jouni Malinen
bd9b8b2b68 OpenSSL: Add wrapper struct for tls_init() result
This new struct tls_data is needed to store per-tls_init() information
in the followup commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:25 +03:00
Jouni Malinen
87c59a1e5a tests: Allow AES-WRAP-192 test cases to be commented out with BoringSSL
BoringSSL does not support 192-bit AES, so these parts of the
wpa_supplicant module tests would fail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 20:21:44 +03:00
Jouni Malinen
355a5c8ec5 OpenSSL: Reject OCSP-required configuration if no OCSP support
This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 02:24:06 +03:00
Jouni Malinen
c07e7b43e9 BoringSSL: Fix PKCS12_parse() segfault when used without password
Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require
the password pointer to be non-NULL even if no password is present. Map
passwrd == NULL to passwd = "" to avoid a NULL pointer dereference
within BoringSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 02:06:02 +03:00
Jouni Malinen
a89beee589 OpenSSL: Handshake completion and resumption state into debug log
This new debug log entry makes it more convenient to check how TLS
handshake was completed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
a7803b0caf BoringSSL: Fix session resumption
BoringSSL commit 533ef7304d9b48aad38805f1997031a0a034d7fe ('Remove
SSL_clear calls in handshake functions.') triggered a regression for
EAP-TLS/TTLS/PEAP session resumption in wpa_supplicant due to the
removed SSL_clear() call in ssl3_connect() going away and wpa_supplicant
not calling SSL_clear() after SSL_shutdown(). Fix this by adding the
SSL_clear() call into wpa_supplicant after SSL_shutdown() when preparing
the ssl instance for another connection.

While OpenSSL is still call SSL_clear() in ssl3_connect(), it looks to
be safe to add this call to wpa_supplicant unconditionally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
0f56057c64 BoringSSL: Make SSL_set_ssl_method() conditional on EAP-FAST
This function does not seem to be available in BoringSSL. Since it is
needed for EAP-FAST (which is not currently working with BoringSSL),
address this by commenting out the EAP-FAST specific step from builds
that do not include EAP-FAST support.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
226cdea6ca BoringSSL: Comment out SSL_build_cert_chain() call
It looks like BoringSSL does include that function even though it claims
support for OPENSSL_VERSION_NUMBER where this is available (1.0.2). For
now, comment out that call to fix build.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:04 +03:00
Jouni Malinen
812f28b79c BoringSSL: Allow internal AES key wrap to be used with "OpenSSL" build
It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key()
API. This broke wpa_supplicant/hostapd build since those functions from
OpenSSL were used to replace the internal AES key wrap implementation.
Add a new build configuration option
(CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal
implementation to be used with CONFIG_OPENSSL=y build to allow build
against the latest BoringSSL version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:02 +03:00
Jouni Malinen
de2a7b796d OpenSSL: Use connection certificate chain with PKCS#12 extra certs
When using OpenSSL 1.0.2 or newer, this replaces the older
SSL_CTX_add_extra_chain_cert() design with SSL_add1_chain_cert() to keep
the extra chain certificates out from SSL_CTX and specific to each
connection. In addition, build and rearrange extra certificates with
SSL_build_cert_chain() to avoid incorrect certificates and incorrect
order of certificates in the TLS handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-11 01:27:03 +03:00
Jouni Malinen
0d2c0e6776 OpenSSL: Fix PKCS#12 extra certificate handling
Previously, the possible extra certificate(s) from a PKCS#12 file was
added once for each authentication attempt. This resulted in OpenSSL
concatenating the certificates multiple time (add one copy for each try
during the wpa_supplicant process lifetime). Fix this by clearing the
extra chain certificates before adding new ones when using OpenSSL 1.0.1
or newer that include the needed function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-11 01:27:00 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
4fc53159b9 OpenSSL: Fix FIPS mode enabling in dynamic interface case
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
e234c7c010 OpenSSL: Remove md4_vector() from CONFIG_FIPS=y builds
MD4 is not allowed in such builds, so comment out md4_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD¤ operations at runtime. This makes it easier
to detect and fix accidental cases where MD4 could still be used in some
older protocols.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
cd94f0d159 tests: Skip ms_funcs module tests in CONFIG_FIPS=y builds
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
1046db8b53 Rename tls_connection_get_keys() to tls_connection_get_random()
Commit 94f1fe6f63 ('Remove master key
extraction from tls_connection_get_keys()') left only fetching of
server/client random, but did not rename the function and structure to
minimize code changes. The only name is quite confusing, so rename this
through the repository to match the new purpose.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
d0eb8a0b4e OpenSSL: Allow server/client random to be fetched in FIPS mode
tls_connection_get_keys() used to return TLS master secret, but that
part was removed in commit 94f1fe6f63
('Remove master key extraction from tls_connection_get_keys()'). Since
then, there is no real need for preventing this function from being used
in FIPS mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
f413eb03d9 random: Fix random_get_bytes() with CONFIG_FIPS=y
The bytes pointer was not reset back to the beginning of the buffer when
mixing in additional entropy from the crypto module. This resulted in
writing beyond the return buffer and not getting the required mixing of
the extra entropy for the actual return buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 21:08:11 +03:00
Jouni Malinen
4a26972dfc OpenSSL: Remove md5_vector() from CONFIG_FIPS=y builds
MD5 is not allowed in such builds, so comment out md5_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD5 operations at runtime. This makes it easier
to detect and fix accidental cases where MD5 could still be used in some
older protocols.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 21:08:06 +03:00
Jouni Malinen
97e986cd74 tests: Skip MD5 module tests in CONFIG_FIPS=y builds
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 16:57:04 +03:00
Jouni Malinen
276a3c44dd OpenSSL: Implement aes_wrap/aes_unwrap through EVP for CONFIG_FIPS=y
The OpenSSL internal AES_wrap_key() and AES_unwrap_key() functions are
unfortunately not available in FIPS mode. Trying to use them results in
"aes_misc.c(83): OpenSSL internal error, assertion failed: Low level API
call to cipher AES forbidden in FIPS mode!" and process termination.
Work around this by reverting commit
f19c907822 ('OpenSSL: Implement aes_wrap()
and aes_unwrap()') changes for CONFIG_FIPS=y case. In practice, this
ends up using the internal AES key wrap/unwrap implementation through
the OpenSSL EVP API which is available in FIPS mode. When CONFIG_FIPS=y
is not used, the OpenSSL AES_wrap_key()/AES_unwrap_key() API continues
to be used to minimize code size.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 16:56:59 +03:00
Jouni Malinen
266cf4a0bc OpenSSL: Comment out openssl_get_keyblock_size() if CONFIG_FIPS=y
This function is not used in CONFIG_FIPS=y builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:52:35 +03:00
Jouni Malinen
5bbc1c2581 tests: Comment out TLS PRF test from CONFIG_FIPS=y build
This fixes CONFIG_FIPS=y build that may not include tls_prf_sha1_md5().

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:51:44 +03:00
Jouni Malinen
06836013d3 OpenSSL: Remove EAP-FAST TLSv1.0 only workaround for OpenSSL 1.1.0
The issue with the special form of TLS session tickets has been fixed in
the OpenSSL 1.1.0 branch, so disable workaround for it. OpenSSL 1.0.1
and 1.0.2 workaround is still in place until a release with the fix has
been made.

This allows TLSv1.1 and TLSv1.2 to be negotiated for EAP-FAST with the
OpenSSL versions that support this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:18 +03:00
Jouni Malinen
c34cd66866 OpenSSL: Drop security level to 0 if needed for EAP-FAST
OpenSSL 1.1.0 disables the anonymous ciphers by default, so need to
enable these for the special case of anonymous EAP-FAST provisioning.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:17 +03:00
Jouni Malinen
16bc3b8935 OpenSSL: Add SHA256 support in openssl_tls_prf() for TLSv1.2
This is needed when enabling TLSv1.2 support for EAP-FAST since the
SSL_export_keying_material() call does not support the needed parameters
for TLS PRF and the external-to-OpenSSL PRF needs to be used instead.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:17 +03:00
Jouni Malinen
3de28506d2 OpenSSL: Implement openssl_tls_prf() for OpenSSL 1.1.0
This needs to use the new accessor functions since the SSL session
details are not directly accessible anymore and there is now sufficient
helper functions to get to the needed information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
4d2a1b4f8f OpenSSL: Implement SSL_set_session_secret_cb() callback for OpenSSL 1.1.0
This needs to use the new accessor functions for client/server random
since the previously used direct access won't be available anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
005c5dcf43 OpenSSL: Implement tls_connection_get_keys() for OpenSSL 1.1.0
This needs to use the new accessor functions since the SSL session
details are not directly accessible anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
690e543e8a OpenSSL: Include openssl/engine.h and openssl/dsa.h explicitly
This seems to be needed for OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
e9690eb74e OpenSSL: Remove extra BIO_write() call on TLS client
openssl_handshake() was checking only that in_data is not NULL and not
its length when determining whether to call BIO_write(). Extend that to
check the buffer length as well. In practice, this removes an
unnecessary BIO_write() call at the beginning of a TLS handshake on the
client side. This did not cause issues with OpenSSL versions up to
1.0.2, but that call seems to fail with the current OpenSSL 1.1.0
degvelopment snapshot. There is no need for that zero-length BIO_write()
call, so remove it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
fe1bf32974 Make TLS version number available in STATUS command
This adds a new STATUS command field "eap_tls_version" that shows the
TLS version number that was used during EAP-TLS/TTLS/PEAP/FAST exchange.
For now, this is only supported with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:51:03 +03:00
Jouni Malinen
5650d379a3 OpenSSL: Add option to disable use of TLSv1.0
The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be
used to disable use of TLSv1.0 for a network configuration. This can be
used to force a newer TLS version to be used. For example,
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that
only TLS v1.2 is accepted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:27:57 +03:00