Commit graph

38 commits

Author SHA1 Message Date
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
3e7f1c7980 GnuTLS: Add TLS event callbacks for chain success/failure and peer cert
This makes GnuTLS events match the ones provided when OpenSSL is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0eb2ed067f GnuTLS: Add support for OCSP stapling as a client
This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0e1bb94b91 GnuTLS: Verify that server certificate EKU is valid for a server
The server certificate will be rejected if it includes any EKU and none
of the listed EKUs is either TLS Web Server Authentication or ANY.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
d4d1f5cb33 GnuTLS: Fix tls_disable_time_checks=1 processing
Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
594d1fc084 GnuTLS: Add support for private_key and client_cert as blobs
This allows private key and client certificate to be configured using
wpa_supplicant blobs instead of external files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
79b1dd9aad GnuTLS: Fix DER encoding certificate parsing
It looks like GnuTLS may return success on
gnutls_certificate_set_x509_*() functions with GNUTLS_X509_FMT_PEM even
when trying to read DER encoded information. Reverse the order of
parsing attempts so that we start with DER and then move to PEM if
GnuTLS reports failure on DER parsing. This seems to be more reliable
way of getting errors reported and both cases can now be handled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
a16514516b Add "GET tls_library" to provide information on TLS library and version
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
c3bb84b415 GnuTLS: Add event callbacks
This allows wpa_supplicant to provide more information about peer
certificate validation results to upper layers similarly to the
mechanism used with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
8ddcd6b9d4 GnuTLS: Add support for domain_suffix_match
This implementation uses GnuTLS function
gnutls_x509_crt_check_hostname(). It has a bit different rules regarding
matching (allows wildcards in some cases, but does not use suffix
matching) compared to the internal implementation used with OpenSSL.
However, these rules are sufficiently close to each other to be of
reasonable use for most cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
4bc13bf709 GnuTLS: Check for any unknown verification failure
After having checked all known GNUTLS_CERT_* error cases that we care
about, check that no other errors have been indicated by
gnutls_certificate_verify_peers2() as a reason to reject negotiation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
e0d431a515 GnuTLS: Add more debug prints for version and session status
Make the debug output more useful for determining whuch version of
GnuTLS was used and what was negotiated for the session.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
65ec7f4c12 GnuTLS: Move peer certificate validation into callback function
GnuTLS 2.10.0 added gnutls_certificate_set_verify_function() that can be
used to move peer certificate validation to an earlier point in the
handshake. Use that to get similar validation behavior to what was done
with OpenSSL, i.e., reject the handshake immediately after receiving the
peer certificate rather than at the completion of handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:20 +02:00
Jouni Malinen
7c8245798f GnuTLS: Remove support for versions older than 2.12.x
GnuTLS project has marked 2.12.x obsolete since January 2014. There is
not much need for maintaining support for obsolete versions of the
library, so drop all #if/#endif blocks targeting 2.x.y versions. In
practice, none of these were requiring 2.12.x version with x greater
than 0, so 2.12.x remains supported for now.

In addition, add newer version (GnuTLS 3.0.18 and newer) to fetch client
and server random from the session since the old method is not supported
by new GnuTLS versions and as such, gets removed with rest of the old
ifdef blocks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:18:57 +02:00
Jouni Malinen
e1d63f6aea GnuTLS: Remove old version number checks for 1.3.2
No one should be using GnuTLS versions older than 1.3.2 from 2006
anymore, so remove these unnecessary #if/#endif checks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 11:13:20 +02:00
Jouni Malinen
ae0a23a0ca GnuTLS: Remove GNUTLS_INTERNAL_STRUCTURE_HACK
This was needed with very old GnuTLS versions, but has not been needed,
or used, since GnuTLS 1.3.2 which was released in 2006. As such, there
is no need to maintain this code anymore and it is better to just clean
the source code by removing all the related code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 11:11:03 +02:00
Jouni Malinen
db4cf40b92 GnuTLS: Add support for ca_cert as a blob
This allows GnuTLS to be used with trusted CA certificate from
wpa_supplicant blob rather than an external certificate file.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 01:49:09 +02:00
Jouni Malinen
224104ddf6 TLS: Reject openssl_ciphers parameter in non-OpenSSL cases
This TLS configuration parameter is explicitly for OpenSSL. Instead of
ignoring it silently, reject any configuration trying to use it in
builds that use other options for TLS implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 01:35:54 +02:00
Jouni Malinen
f8717ac8b3 GnuTLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with GnuTLS.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with GnuTLS instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:33:48 +02:00
David Woodhouse
7d9286d3e7 Support private_key_passwd for GnuTLS (3.1.11+)
It's possible to jump through hoops to support it in older versions too,
but that seems a little unnecessary at this point.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-25 16:37:12 +02:00
Jouni Malinen
cbe23ffd6d GnuTLS: Get rid of warnings about deprecated typedef names
'_t' suffix for gnutls_session and gnutls_transport_ptr was added in
GnuTLS 1.1.11 over ten years ago and the more recent versions of GnuTLS
have started forcing compiler warnings from the old names. Move to the
new names and don't bother about backwards compatibility with older
versions taken into account how long ago this change happened in GnuTLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-25 16:37:12 +02:00
Jouni Malinen
0187c41d88 Declare wpa_debug_* variables in src/utils/wpa_debug.h
These were somewhat more hidden to avoid direct use, but there are now
numerous places where these are needed and more justification to make
the extern int declarations available from wpa_debug.h. In addition,
this avoids some warnings from sparse.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-31 19:29:52 +02:00
Jouni Malinen
0f3d578efc Remove the GPL notification from files contributed by Jouni Malinen
Remove the GPL notification text from the files that were
initially contributed by myself.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 19:39:36 +02:00
Jouni Malinen
fd2f2d0489 Remove EAP-TTLSv1 and TLS/IA
These protocols seem to be abandoned: latest IETF drafts have expired
years ago and it does not seem likely that EAP-TTLSv1 would be
deployed. The implementation in hostapd/wpa_supplicant was not complete
and not fully tested. In addition, the TLS/IA functionality was only
available when GnuTLS was used. Since GnuTLS removed this functionality
in 3.0.0, there is no available TLS/IA implementation in the latest
version of any supported TLS library.

Remove the EAP-TTLSv1 and TLS/IA implementation to clean up unwanted
complexity from hostapd and wpa_supplicant. In addition, this removes
any potential use of the GnuTLS extra library.
2011-09-25 21:28:32 +03:00
Jouni Malinen
e655e1f512 GnuTLS: Fix build bit various GnuTLS versions
This fixes some build issues in GnuTLS wrapper to be compatible with
at least following GnuTLS versions: 2.2.5, 2.4.3, 2.6.6, 2.8.6,
2.10.5, 2.12.11, 3.0.3.
2011-09-25 19:32:28 +03:00
Jouni Malinen
b763863d97 GnuTLS: Implement tls_connection_enable_workaround() 2009-12-20 22:08:54 +02:00
Jouni Malinen
9dd37a224b GnuTLS: Add support for piggybacked Application Data 2009-12-20 22:07:59 +02:00
Jouni Malinen
c9a7bbe5a8 GnuTLS: Define empty tls_connection_set_session_ticket_cb()
This allows EAP-FAST build to be completed even if it does not actually
work yet with GnuTLS.
2009-12-20 21:37:36 +02:00
Jouni Malinen
496c5d981e Use wpabuf with tls_connection_ia_send_phase_finished() 2009-12-20 21:33:32 +02:00
Jouni Malinen
2944656925 Allow TLS flags to be configured (allow MD5, disable time checks)
Undocumented (at least for the time being) TLS parameters can now
be provided in wpa_supplicant configuration to enable some workarounds
for being able to connect insecurely to some networks. phase1 and
phase2 network parameters can use following options:
tls_allow_md5=1
- allow MD5 signature to be used (disabled by default with GnuTLS)
tls_disable_time_checks=1
- ignore certificate expiration time

For now, only the GnuTLS TLS wrapper implements support for these.
2009-12-20 19:28:47 +02:00
Jouni Malinen
4a1e97790d GnuTLS: Report certificate validation failures with TLS alert
In addition, show more detailed reason for the failure in debug log.
2009-12-20 19:14:17 +02:00
Jouni Malinen
074be2332f GnuTLS: Use struct wpabuf for push/pull buffers 2009-12-20 18:31:56 +02:00
Jouni Malinen
81c85c069a Convert TLS wrapper to use struct wpabuf
This converts tls_connection_handshake(),
tls_connection_server_handshake(), tls_connection_encrypt(), and
tls_connection_decrypt() to use struct wpa_buf to allow higher layer
code to be cleaned up with consistent struct wpabuf use.
2009-12-20 18:17:55 +02:00
Jouni Malinen
e3992c3381 GnuTLS: Fix compilation with newer GnuTLS versions
Avoid duplicate defination of TLS_RANDOM_SIZE and TLS_MASTER_SIZE.
2009-11-21 20:23:58 +02:00
Jouni Malinen
049a292f89 Fix builds that need SHA256 or mod_exp, but not TLS functions 2009-02-27 17:46:40 +02:00
Jouni Malinen
edd757e8a3 Use larger buffer for TLS encryption to avoid issues with GnuTLS
It looks like GnuTLS (at least newer versions) is using random padding
on the application data and the previously used 100 byte extra buffer
for tls_connection_encrypt() calls was not enough to handle all cases.
This resulted in semi-random authentication failures with EAP-PEAP and
EAP-TTLS during Phase 2.

Increase the extra space for encryption from 100 to 300 bytes and add an
error message into tls_gnutls.c to make it easier to notice this issue
should it ever show up again even with the larger buffer.
2009-02-09 22:37:55 +02:00
Jouni Malinen
5f1f352e6c Cleaned up printf format warnings on 64-bit build 2009-02-05 18:18:31 +02:00
Jouni Malinen
6fc6879bd5 Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00