SSL_get_client_random() and SSL_get_server_random() will be added in
OpenSSL 1.1.0. Provide compatibility wrappers for older versions to
simplify the tls_connection_get_random() implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The OpenSSL project will not support version 1.0.0 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 1.0.0 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The OpenSSL project will not support version 0.9.8 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 0.9.8 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier to share the OCSP implementation needed for
BoringSSL outside tls_openssl.c. For now, this is mainly for
http_curl.c.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
OpenSSL 1.1.x will apparently go out with "SSLeay" renamed in the API to
"OpenSSL", which broke the build here for fetching the version of the
running OpenSSL library when wpa_supplicant/hostapd is built against the
current OpenSSL snapshot.
Signed-off-by: Jouni Malinen <j@w1.fi>
LibreSSL does not yet support the new API, so do not use it
when LIBRESSL_VERSION_NUMBER macro is defined.
Signed-off-by: Marek Behun <kabel@blackhole.sk>
Write a text version of the content type and handshake type in debug log
to make it easier to follow TLS exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*()
functions) and instead, provides only a minimal mechanism for include
the status request extension and fetching the response from the server.
As such, the previous OpenSSL-based implementation for OCSP stapling is
not usable with BoringSSL.
Add a new implementation that uses BoringSSL to request and fetch the
OCSP stapling response and then parse and validate this with the new
implementation within wpa_supplicant. While this may not have identical
behavior with the OpenSSL-based implementation, this should be a good
starting point for being able to use OCSP stapling with BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The switch to BoringSSL broke keystore-backed keys because
wpa_supplicant was using the dynamic ENGINE loading to load
the keystore module.
The ENGINE-like functionality in BoringSSL is much simpler
and this change should enable it.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs') added a new
mechanism for doing this with OpenSSL 1.0.2 and newer. However, it did
not poinr out anything in debug log if SSL_add1_chain_cert() failed. Add
such a debug print and also silence static analyzer warning on res being
stored without being read (since the error case is ignored at least for
now).
Signed-off-by: Jouni Malinen <j@w1.fi>
The new tls_connection_set_success_data(),
tls_connection_set_success_data_resumed(),
tls_connection_get_success_data(), and tls_connection_remove_session()
functions can be used to mark cached sessions valid and to remove
invalid cached sessions. This commit is only adding empty functions. The
actual functionality will be implemented in followup commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require
the password pointer to be non-NULL even if no password is present. Map
passwrd == NULL to passwd = "" to avoid a NULL pointer dereference
within BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL commit 533ef7304d9b48aad38805f1997031a0a034d7fe ('Remove
SSL_clear calls in handshake functions.') triggered a regression for
EAP-TLS/TTLS/PEAP session resumption in wpa_supplicant due to the
removed SSL_clear() call in ssl3_connect() going away and wpa_supplicant
not calling SSL_clear() after SSL_shutdown(). Fix this by adding the
SSL_clear() call into wpa_supplicant after SSL_shutdown() when preparing
the ssl instance for another connection.
While OpenSSL is still call SSL_clear() in ssl3_connect(), it looks to
be safe to add this call to wpa_supplicant unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This function does not seem to be available in BoringSSL. Since it is
needed for EAP-FAST (which is not currently working with BoringSSL),
address this by commenting out the EAP-FAST specific step from builds
that do not include EAP-FAST support.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL does include that function even though it claims
support for OPENSSL_VERSION_NUMBER where this is available (1.0.2). For
now, comment out that call to fix build.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When using OpenSSL 1.0.2 or newer, this replaces the older
SSL_CTX_add_extra_chain_cert() design with SSL_add1_chain_cert() to keep
the extra chain certificates out from SSL_CTX and specific to each
connection. In addition, build and rearrange extra certificates with
SSL_build_cert_chain() to avoid incorrect certificates and incorrect
order of certificates in the TLS handshake.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the possible extra certificate(s) from a PKCS#12 file was
added once for each authentication attempt. This resulted in OpenSSL
concatenating the certificates multiple time (add one copy for each try
during the wpa_supplicant process lifetime). Fix this by clearing the
extra chain certificates before adding new ones when using OpenSSL 1.0.1
or newer that include the needed function.
Signed-off-by: Jouni Malinen <j@w1.fi>
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 94f1fe6f63 ('Remove master key
extraction from tls_connection_get_keys()') left only fetching of
server/client random, but did not rename the function and structure to
minimize code changes. The only name is quite confusing, so rename this
through the repository to match the new purpose.
Signed-off-by: Jouni Malinen <j@w1.fi>
tls_connection_get_keys() used to return TLS master secret, but that
part was removed in commit 94f1fe6f63
('Remove master key extraction from tls_connection_get_keys()'). Since
then, there is no real need for preventing this function from being used
in FIPS mode.
Signed-off-by: Jouni Malinen <j@w1.fi>
The issue with the special form of TLS session tickets has been fixed in
the OpenSSL 1.1.0 branch, so disable workaround for it. OpenSSL 1.0.1
and 1.0.2 workaround is still in place until a release with the fix has
been made.
This allows TLSv1.1 and TLSv1.2 to be negotiated for EAP-FAST with the
OpenSSL versions that support this.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 1.1.0 disables the anonymous ciphers by default, so need to
enable these for the special case of anonymous EAP-FAST provisioning.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed when enabling TLSv1.2 support for EAP-FAST since the
SSL_export_keying_material() call does not support the needed parameters
for TLS PRF and the external-to-OpenSSL PRF needs to be used instead.
Signed-off-by: Jouni Malinen <j@w1.fi>
This needs to use the new accessor functions since the SSL session
details are not directly accessible anymore and there is now sufficient
helper functions to get to the needed information.
Signed-off-by: Jouni Malinen <j@w1.fi>
This needs to use the new accessor functions for client/server random
since the previously used direct access won't be available anymore.
Signed-off-by: Jouni Malinen <j@w1.fi>
openssl_handshake() was checking only that in_data is not NULL and not
its length when determining whether to call BIO_write(). Extend that to
check the buffer length as well. In practice, this removes an
unnecessary BIO_write() call at the beginning of a TLS handshake on the
client side. This did not cause issues with OpenSSL versions up to
1.0.2, but that call seems to fail with the current OpenSSL 1.1.0
degvelopment snapshot. There is no need for that zero-length BIO_write()
call, so remove it.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a new STATUS command field "eap_tls_version" that shows the
TLS version number that was used during EAP-TLS/TTLS/PEAP/FAST exchange.
For now, this is only supported with OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be
used to disable use of TLSv1.0 for a network configuration. This can be
used to force a newer TLS version to be used. For example,
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that
only TLS v1.2 is accepted.
Signed-off-by: Jouni Malinen <j@w1.fi>
This mechanism to figure out TLS library capabilities has not been used
since commit fd2f2d0489 ('Remove
EAP-TTLSv1 and TLS/IA') (Sep 2011).
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 0.9.8 (and newer) includes SSL_CTX_get_app_data() and
SSL_CTX_set_app_data(), so there is no need to maintain this old
OPENSSL_SUPPORTS_CTX_APP_DATA backwards compatibility design.
Signed-off-by: Jouni Malinen <j@w1.fi>
Free tmp_out before returning to prevent memory leak in case the second
memory allocation in openssl_tls_prf() fails. This is quite unlikely,
but at least theoretically possible memory leak with EAP-FAST.
Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
The OPENSSL_VERSION_NUMBER < 0x00909000L case of
openssl_get_keyblock_size() had not been kept in sync with the cleanup
changes.
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Now on an engine error we decode the error value and determine if the
issue is due to a true PIN error or not. If it is due to incorrrect PIN,
delete the PIN as usual, but if it isn't let the PIN be.
Signed-off-by: Mike Gerow <gerow@google.com>
Commit fa0e715100 ('Use
tls_connection_prf() for all EAP TLS-based key derivation') copied some
pointer checks from the generic implementation to tls_openssl.c.
However, these are arrays and cannot be NULL in OpenSSL data. Remove the
unnecessary checks and add master_key_length check for completeness.
(CID 109619).
Signed-off-by: Jouni Malinen <j@w1.fi>
This function exposes internal state of the TLS negotiated parameters
for the sole purpose of being able to implement PRF for EAP-FAST. Since
tls_connection_prf() is now taking care of all TLS-based key derivation
cases, it is cleaner to keep this detail internal to each tls_*.c
wrapper implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is not needed anymore with the tls_connection_prf() being used to
handle all key derivation needs. tls_connection_get_keys() is a bit
misnamed for now, but it is only used to fetch the client and server
random for Session-Id derivation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
tls_openssl.c is the only remaining TLS/crypto wrapper that needs the
internal PRF implementation for EAP-FAST (since
SSL_export_keying_material() is not available in older versions and does
not support server-random-before-client case). As such, it is cleaner to
assume that TLS libraries support tls_connection_prf() and move the
additional support code for the otherwise unsupported cases into
tls_openssl.c.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If OpenSSL reports that a presented leaf certificate is invalid,
but it has been explicitly pinned, accept it anyway.
Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
These were not supposed to include a newline at the end of the message
text since such formatting gets handled by tls_show_errors(). In
addition, change the message about the issuer's issuer to be more
accurate.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If addition of a peer issuer certificate fails, the certs pointer would
be NULL when being passed to sk_X509_push() for peer issuer's issuer.
Fix this by skipping addition of issuer's issue if issuer addition
fails.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is going to be required for OpenSSL 1.1.0 which makes the SSL
structure opaque. Older versions starting from OpenSSL 1.0.1 include
this function, so start using it now based on OPENSSL_VERSION_NUMBER.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 0.9.8 and newer includes SSL_CTX_get_cert_store() and
SSL_CTX_set_cert_store() helper functions, so there is no need to
dereference the SSL_CTX pointer to cert ssl_ctx->cert_store. This helps
in working with the future OpenSSL 1.1.0 release that makes the SSL_CTX
structure opaque.
Signed-off-by: Jouni Malinen <j@w1.fi>
These have reached out-of-life status in the OpenSSL project and there
is no need to maintain support for them in hostapd/wpa_supplicant
either.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.
Signed-off-by: Jouni Malinen <j@w1.fi>
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com
Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.
Signed-off-by: Jouni Malinen <j@w1.fi>
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.
Signed-off-by: Jouni Malinen <j@w1.fi>
It isn't mandatory. If we need one and it's not present, the ENGINE will
try asking for it. Make sure it doesn't actually let an OpenSSL UI loose,
since we don't currently capture those.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
It needs to be available to ENGINE_by_id(), which in my case means it
needs to be /usr/lib64/openssl/engines/libpkcs11.so. But that's a system
packaging issue. If it isn't there, it will fail gracefully enough with:
ENGINE: engine pkcs11 not available [error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library]
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
This means that if the PKCS#11 engine is installed in the right place
in the system, it'll automatically be invoked by ENGINE_by_id("pkcs11")
later, and things work without explictly configuring pkcs11_engine_path.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
If these start with "pkcs11:" then they are PKCS#11 URIs. These Just Work
in the normal private_key/ca_cert/client_cert configuration fields when
built with GnuTLS; make it work that way with OpenSSL too.
(Yes, you still need to explicitly set engine=1 and point to the engine,
but I'll work on that next...)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
There's no reason I shouldn't be able to use PKCS#11 for just the CA cert,
or even the client cert, while the private key is still from a file.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
New versions of engine_pkcs11 will automatically use the system's
p11-kit-proxy.so to make the globally-configured PKCS#11 tokens available
by default. So invoking the engine without an explicit module path is
not an error.
Older engines will fail but gracefully enough, so although it's still an
error in that case there's no need for us to catch it for ourselves.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Commit d4913c585e ('OpenSSL: Fix EAP-FAST
peer regression') introduced a workaround to use a new SSL_CTX instance
set for TLSv1_method() when using EAP-FAST. While that works, it is
unnecessarily complex since there is not really a need to use a separate
SSL_CTX to be able to do that. Instead, simply use SSL_set_ssl_method()
to update the ssl_method for the SSL instance. In practice, this commit
reverts most of the tls_openssl.c changes from that earlier commit and
adds that single call into tls_connection_set_params() based on EAP-FAST
flag.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 35efa2479f ('OpenSSL: Allow TLS
v1.1 and v1.2 to be negotiated by default') changed from using
TLSv1_method() to SSLv23_method() to allow negotiation of TLS v1.0,
v1.1, and v1.2.
Unfortunately, it looks like EAP-FAST does not work with this due to
OpenSSL not allowing ClientHello extensions to be configured with
SSL_set_session_ticket_ext() when SSLv23_method() is used. Work around
this regression by initiating a separate SSL_CTX instance for EAP-FAST
phase 1 needs with TLSv1_method() while leaving all other EAP cases
using TLS to work with the new default that allows v1.1 and v1.2 to be
negotiated. This is not ideal and will hopefully get fixed in the future
with a new OpenSSL method, but until that time, this can be used allow
other methods use newer TLS versions while still allowing EAP-FAST to be
used even if it remains to be constraint to TLS v1.0 only.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit f5fa824e9a ('Update OpenSSL 0.9.8
patch for EAP-FAST support') changed the OpenSSL 0.9.8 patch to support
the new API that was introduced in OpenSSL 1.0.0 for EAP-FAST. As such,
there should be no valid users of the old API anymore and tls_openssl.c
can be cleaned up to use only the new API.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use SSLv23_method() to enable TLS version negotiation for any version
equal to or newer than 1.0. If the old behavior is needed as a
workaround for some broken authentication servers, it can be configured
with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1".
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the TLS wrapper code to allow OpenSSL cipherlist string to
be configured. In addition, the default value is now set to
DEFAULT:!EXP:!LOW to ensure cipher suites with low and export encryption
algoriths (40-64 bit keys) do not get enabled in default configuration
regardless of how OpenSSL build was configured.
Signed-off-by: Jouni Malinen <j@w1.fi>
The (int) typecast I used with sk_GENERAL_NAME_num() to complete the
BoringSSL compilation was not really the cleanest way of doing this.
Update that to use stack_index_t variable to avoid this just like the
other sk_*_num() calls.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL is Google's cleanup of OpenSSL and an attempt to unify
Chromium, Android and internal codebases around a single OpenSSL.
As part of moving Android to BoringSSL, the wpa_supplicant maintainers
in Android requested that I upstream the change. I've worked to reduce
the size of the patch a lot but I'm afraid that it still contains a
number of #ifdefs.
[1] https://www.imperialviolet.org/2014/06/20/boringssl.html
Signed-off-by: Adam Langley <agl@chromium.org>
Instead of using X509_print_fp() to print directly to stdout, print the
certificate dump to a memory BIO and use wpa_printf() to get this into
the debug log. This allows redirection of debug log to work better and
avoids undesired stdout prints when debugging is not enabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some OpenSSL versions have vulnerability in TLS heartbeat request
processing. Check the processed message to determine if the attack has
been used and if so, do not send the response to the peer. This does not
prevent the buffer read overflow within OpenSSL, but this prevents the
attacker from receiving the information.
This change is an additional layer of protection if some yet to be
identified paths were to expose this OpenSSL vulnerability. However, the
way OpenSSL is used for EAP-TLS/TTLS/PEAP/FAST in hostapd/wpa_supplicant
was already rejecting the messages before the response goes out and as
such, this additional change is unlikely to be needed to avoid the
issue.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA
servers that have issues interoperating with newer TLS versions.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This reverts commit 51e3eafb68. There are
too many deployed AAA servers that include both id-kp-clientAuth and
id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
for AAA authentication server validation. OpenSSL enforces the policy of
not connecting if only id-kp-clientAuth is included. If a valid EKU is
listed with it, the connection needs to be accepted.
Signed-off-by: Jouni Malinen <j@w1.fi>
In function tls_verify_cb(), X509_STORE_CTX_get_current_cert() may
return NULL, and it will be dereferenced by X509_get_subject_name().
Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
These were somewhat more hidden to avoid direct use, but there are now
numerous places where these are needed and more justification to make
the extern int declarations available from wpa_debug.h. In addition,
this avoids some warnings from sparse.
Signed-hostap: Jouni Malinen <j@w1.fi>
If the extended key usage of the AAA server certificate indicates
that the certificate is for client use, reject the TLS handshake.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
OCSP response may not include all the needed CA certificates, so use the
ones received during TLS handshake.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
It's not possible to get a raw private key from keystore anymore, so
this would fail every time anyway. Remove it so it doesn't confuse
anyone that looks at this code.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
The new keystore ENGINE is usable to perform private key operations when
we can't get the actual private key data. This is the case when hardware
crypto is enabled: the private key never leaves the hardware.
Subsequently, we need to be able to talk to OpenSSL ENGINEs that aren't
PKCS#11 or OpenSC. This just changes a few #define variables to allow us
to talk to our keystore engine without having one of those enabled and
without using a PIN.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
If SSL_CTX_new() fails in tls_init(), the per-SSL app-data allocation
could have been leaked when multiple TLS instances are allocated.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new domain_suffix_match (and domain_suffix_match2 for Phase 2
EAP-TLS) can now be used to specify an additional constraint for the
server certificate domain name. If set, one of the dNSName values (or if
no dNSName is present, one of the commonName values) in the certificate
must have a suffix match with the specified value. Suffix match is done
based on full domain name labels, i.e., "example.com" matches
"test.example.com" but not "test-example.com".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Check that SSL_clear_options and SSL_CTX_clear_options are defined
before using them to avoid compilation failures with older OpenSSL
versions that did not include these macros.
Signed-hostap: Jouni Malinen <j@w1.fi>
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.
hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).
This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).
Signed-hostap: Jouni Malinen <j@w1.fi>
Store context for each tls_init() caller, so events are generated for
the correct wpa_s instance. The tls_global variable is retained for
older OpenSSL implementations that may not have app-data for SSL_CTX.
Signed-hostap: Paul Stewart <pstew@chromium.org>
The mechanism to figure out key block size based on ssl->read_hash
does not seem to work with OpenSSL 1.0.1, so add an alternative
mechanism to figure out the NAC key size that seems to work at
least with the current OpenSSL 1.0.1 releases.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
This can be used to implement workaround for authentication servers that
do not handle TLS extensions in ClientHello properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use SSL_export_keying_material() if possible, i.e., if OpenSSL is
version 1.0.1 or newer and if client random value is used first. This
allows MSK derivation with TLS-based EAP methods (apart from EAP-FAST)
without exporting the master key from OpenSSL.
Signed-hostap: Jouni Malinen <j@w1.fi>
Do not leave the tls_global context allocated if the global OpenSSL
initialization fails. This was possible in case of FIPS builds if
the FIPS mode cannot be initialized.
Signed-hostap: Jouni Malinen <j@w1.fi>
This bit is set in the code path that handles keys and certs from places
other than OpenSSL authentication engines. Setting this bit causes
authentication to fail when the server provides certificates that don't
match the client certificate authority.
Send an "EAP" signal via the new DBus interface under various
conditions during EAP authentication:
- During method selection (ACK and NAK)
- During certificate verification
- While sending and receiving TLS alert messages
- EAP success and failure messages
This provides DBus callers a number of new tools:
- The ability to probe an AP for available EAP methods
(given an identity).
- The ability to identify why the remote certificate was
not verified.
- The ability to identify why the remote peer refused
a TLS connection.
Signed-hostap: Paul Stewart <pstew@chromium.org>
Currently OpenSSL implementation of TLS in hostapd loads only top
certificate in server certificate file. Change this to try to the
whole chain first and only if that fails, revert to old behavior.
Signed-off-by: Maciej Szmigiero <mhej@o2.pl>
These protocols seem to be abandoned: latest IETF drafts have expired
years ago and it does not seem likely that EAP-TTLSv1 would be
deployed. The implementation in hostapd/wpa_supplicant was not complete
and not fully tested. In addition, the TLS/IA functionality was only
available when GnuTLS was used. Since GnuTLS removed this functionality
in 3.0.0, there is no available TLS/IA implementation in the latest
version of any supported TLS library.
Remove the EAP-TTLSv1 and TLS/IA implementation to clean up unwanted
complexity from hostapd and wpa_supplicant. In addition, this removes
any potential use of the GnuTLS extra library.
eapol_test command line argument -o<file> can now be used to request
the received server certificate chain to be written to the specified
file. The certificates will be written in PEM format. [Bug 391]
This phase1 parameter for TLS-based EAP methods was already supported
with GnuTLS and this commit extends that support for OpenSSL and the
internal TLS implementation.
This allows keystore:// prefix to be used with client_cert and
private_key configuration parameters.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
If parsing of the certificate or private key succeeds using any of
the tried encoding types, clear the OpenSSL error queue without
showing the pending errors in debug log since they do not really
provide any useful output and can be confusing.
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.
The follow new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR
In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after user have accepted it. Future connections will
then be allowed as long as the same server certificate is used.
Authentication server probing can be done, e.g., with following
configuration options:
eap=TTLS PEAP TLS
identity=""
ca_cert="probe://"
Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed
Server certificate matching is configured with ca_cert, e.g.:
ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
This converts tls_connection_handshake(),
tls_connection_server_handshake(), tls_connection_encrypt(), and
tls_connection_decrypt() to use struct wpa_buf to allow higher layer
code to be cleaned up with consistent struct wpabuf use.
This message from tls_connection_handshake() is not really an error in
most cases, so do not show it if there was indeed no Application Data
available (which is a normal scenario and not an indication of any
error).
The current MinGW/w32api versions seem to provide all the needed CryptoAPI
functions, so the code for loading these dynamically from the DLL can be
removed.
wpa_supplicant can now be built with FIPS capable OpenSSL for FIPS mode
operation. Currently, this is only enabling the FIPS mode in OpenSSL
without providing any higher level enforcement in wpa_supplicant.
Consequently, invalid configuration will fail during the authentication
run. Proper configuration (e.g., WPA2-Enterprise with EAP-TLS) allows
the connection to be completed.
Updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore).
The server handshake processing was still using SSL_read() to get OpenSSL
to perform the handshake. While this works for most cases, it caused some
issues for re-authentication. This is now changed to use SSL_accept() which
is more approriate here since we know that the handshake is still going on
and there will not be any tunneled data available. This resolves some of
the re-authentication issues and makes it possible for the server to notice
if TLS processing fails (SSL_read() did not return an error in many of
these cases while SSL_accept() does).
Set session id context to a unique value in order to avoid fatal errors
when client tries session resumption (SSL_set_session_id_context() must be
called for that to work), but disable session resumption with the unique
value for the time being since not all server side code is ready for it yet
(e.g., EAP-TTLS needs special Phase 2 processing when using abbreviated
handshake).
Changed EAP-TLS server not to call TLS library when processing the final
ACK (empty data) from the client in order to avoid starting a new TLS
handshake with SSL_accept().
It looks like this SSL_set_options() value was added in 0.9.9 and it does
not exist in stable releases of OpenSSL. Fix build by using #ifdef on this
variable before use.
