Commit fa0e715100 ('Use
tls_connection_prf() for all EAP TLS-based key derivation') copied some
pointer checks from the generic implementation to tls_openssl.c.
However, these are arrays and cannot be NULL in OpenSSL data. Remove the
unnecessary checks and add master_key_length check for completeness.
(CID 109619).
Signed-off-by: Jouni Malinen <j@w1.fi>
This function exposes internal state of the TLS negotiated parameters
for the sole purpose of being able to implement PRF for EAP-FAST. Since
tls_connection_prf() is now taking care of all TLS-based key derivation
cases, it is cleaner to keep this detail internal to each tls_*.c
wrapper implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is not needed anymore with the tls_connection_prf() being used to
handle all key derivation needs. tls_connection_get_keys() is a bit
misnamed for now, but it is only used to fetch the client and server
random for Session-Id derivation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
tls_openssl.c is the only remaining TLS/crypto wrapper that needs the
internal PRF implementation for EAP-FAST (since
SSL_export_keying_material() is not available in older versions and does
not support server-random-before-client case). As such, it is cleaner to
assume that TLS libraries support tls_connection_prf() and move the
additional support code for the otherwise unsupported cases into
tls_openssl.c.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If OpenSSL reports that a presented leaf certificate is invalid,
but it has been explicitly pinned, accept it anyway.
Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
These were not supposed to include a newline at the end of the message
text since such formatting gets handled by tls_show_errors(). In
addition, change the message about the issuer's issuer to be more
accurate.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If addition of a peer issuer certificate fails, the certs pointer would
be NULL when being passed to sk_X509_push() for peer issuer's issuer.
Fix this by skipping addition of issuer's issue if issuer addition
fails.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is going to be required for OpenSSL 1.1.0 which makes the SSL
structure opaque. Older versions starting from OpenSSL 1.0.1 include
this function, so start using it now based on OPENSSL_VERSION_NUMBER.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 0.9.8 and newer includes SSL_CTX_get_cert_store() and
SSL_CTX_set_cert_store() helper functions, so there is no need to
dereference the SSL_CTX pointer to cert ssl_ctx->cert_store. This helps
in working with the future OpenSSL 1.1.0 release that makes the SSL_CTX
structure opaque.
Signed-off-by: Jouni Malinen <j@w1.fi>
These have reached out-of-life status in the OpenSSL project and there
is no need to maintain support for them in hostapd/wpa_supplicant
either.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.
Signed-off-by: Jouni Malinen <j@w1.fi>
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com
Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.
Signed-off-by: Jouni Malinen <j@w1.fi>
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.
Signed-off-by: Jouni Malinen <j@w1.fi>
It isn't mandatory. If we need one and it's not present, the ENGINE will
try asking for it. Make sure it doesn't actually let an OpenSSL UI loose,
since we don't currently capture those.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
It needs to be available to ENGINE_by_id(), which in my case means it
needs to be /usr/lib64/openssl/engines/libpkcs11.so. But that's a system
packaging issue. If it isn't there, it will fail gracefully enough with:
ENGINE: engine pkcs11 not available [error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library]
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
This means that if the PKCS#11 engine is installed in the right place
in the system, it'll automatically be invoked by ENGINE_by_id("pkcs11")
later, and things work without explictly configuring pkcs11_engine_path.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
If these start with "pkcs11:" then they are PKCS#11 URIs. These Just Work
in the normal private_key/ca_cert/client_cert configuration fields when
built with GnuTLS; make it work that way with OpenSSL too.
(Yes, you still need to explicitly set engine=1 and point to the engine,
but I'll work on that next...)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
There's no reason I shouldn't be able to use PKCS#11 for just the CA cert,
or even the client cert, while the private key is still from a file.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
New versions of engine_pkcs11 will automatically use the system's
p11-kit-proxy.so to make the globally-configured PKCS#11 tokens available
by default. So invoking the engine without an explicit module path is
not an error.
Older engines will fail but gracefully enough, so although it's still an
error in that case there's no need for us to catch it for ourselves.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Commit d4913c585e ('OpenSSL: Fix EAP-FAST
peer regression') introduced a workaround to use a new SSL_CTX instance
set for TLSv1_method() when using EAP-FAST. While that works, it is
unnecessarily complex since there is not really a need to use a separate
SSL_CTX to be able to do that. Instead, simply use SSL_set_ssl_method()
to update the ssl_method for the SSL instance. In practice, this commit
reverts most of the tls_openssl.c changes from that earlier commit and
adds that single call into tls_connection_set_params() based on EAP-FAST
flag.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 35efa2479f ('OpenSSL: Allow TLS
v1.1 and v1.2 to be negotiated by default') changed from using
TLSv1_method() to SSLv23_method() to allow negotiation of TLS v1.0,
v1.1, and v1.2.
Unfortunately, it looks like EAP-FAST does not work with this due to
OpenSSL not allowing ClientHello extensions to be configured with
SSL_set_session_ticket_ext() when SSLv23_method() is used. Work around
this regression by initiating a separate SSL_CTX instance for EAP-FAST
phase 1 needs with TLSv1_method() while leaving all other EAP cases
using TLS to work with the new default that allows v1.1 and v1.2 to be
negotiated. This is not ideal and will hopefully get fixed in the future
with a new OpenSSL method, but until that time, this can be used allow
other methods use newer TLS versions while still allowing EAP-FAST to be
used even if it remains to be constraint to TLS v1.0 only.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit f5fa824e9a ('Update OpenSSL 0.9.8
patch for EAP-FAST support') changed the OpenSSL 0.9.8 patch to support
the new API that was introduced in OpenSSL 1.0.0 for EAP-FAST. As such,
there should be no valid users of the old API anymore and tls_openssl.c
can be cleaned up to use only the new API.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use SSLv23_method() to enable TLS version negotiation for any version
equal to or newer than 1.0. If the old behavior is needed as a
workaround for some broken authentication servers, it can be configured
with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1".
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the TLS wrapper code to allow OpenSSL cipherlist string to
be configured. In addition, the default value is now set to
DEFAULT:!EXP:!LOW to ensure cipher suites with low and export encryption
algoriths (40-64 bit keys) do not get enabled in default configuration
regardless of how OpenSSL build was configured.
Signed-off-by: Jouni Malinen <j@w1.fi>
The (int) typecast I used with sk_GENERAL_NAME_num() to complete the
BoringSSL compilation was not really the cleanest way of doing this.
Update that to use stack_index_t variable to avoid this just like the
other sk_*_num() calls.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL is Google's cleanup of OpenSSL and an attempt to unify
Chromium, Android and internal codebases around a single OpenSSL.
As part of moving Android to BoringSSL, the wpa_supplicant maintainers
in Android requested that I upstream the change. I've worked to reduce
the size of the patch a lot but I'm afraid that it still contains a
number of #ifdefs.
[1] https://www.imperialviolet.org/2014/06/20/boringssl.html
Signed-off-by: Adam Langley <agl@chromium.org>
Instead of using X509_print_fp() to print directly to stdout, print the
certificate dump to a memory BIO and use wpa_printf() to get this into
the debug log. This allows redirection of debug log to work better and
avoids undesired stdout prints when debugging is not enabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some OpenSSL versions have vulnerability in TLS heartbeat request
processing. Check the processed message to determine if the attack has
been used and if so, do not send the response to the peer. This does not
prevent the buffer read overflow within OpenSSL, but this prevents the
attacker from receiving the information.
This change is an additional layer of protection if some yet to be
identified paths were to expose this OpenSSL vulnerability. However, the
way OpenSSL is used for EAP-TLS/TTLS/PEAP/FAST in hostapd/wpa_supplicant
was already rejecting the messages before the response goes out and as
such, this additional change is unlikely to be needed to avoid the
issue.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA
servers that have issues interoperating with newer TLS versions.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This reverts commit 51e3eafb68. There are
too many deployed AAA servers that include both id-kp-clientAuth and
id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
for AAA authentication server validation. OpenSSL enforces the policy of
not connecting if only id-kp-clientAuth is included. If a valid EKU is
listed with it, the connection needs to be accepted.
Signed-off-by: Jouni Malinen <j@w1.fi>
In function tls_verify_cb(), X509_STORE_CTX_get_current_cert() may
return NULL, and it will be dereferenced by X509_get_subject_name().
Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
These were somewhat more hidden to avoid direct use, but there are now
numerous places where these are needed and more justification to make
the extern int declarations available from wpa_debug.h. In addition,
this avoids some warnings from sparse.
Signed-hostap: Jouni Malinen <j@w1.fi>
If the extended key usage of the AAA server certificate indicates
that the certificate is for client use, reject the TLS handshake.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
OCSP response may not include all the needed CA certificates, so use the
ones received during TLS handshake.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
It's not possible to get a raw private key from keystore anymore, so
this would fail every time anyway. Remove it so it doesn't confuse
anyone that looks at this code.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
The new keystore ENGINE is usable to perform private key operations when
we can't get the actual private key data. This is the case when hardware
crypto is enabled: the private key never leaves the hardware.
Subsequently, we need to be able to talk to OpenSSL ENGINEs that aren't
PKCS#11 or OpenSC. This just changes a few #define variables to allow us
to talk to our keystore engine without having one of those enabled and
without using a PIN.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
If SSL_CTX_new() fails in tls_init(), the per-SSL app-data allocation
could have been leaked when multiple TLS instances are allocated.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new domain_suffix_match (and domain_suffix_match2 for Phase 2
EAP-TLS) can now be used to specify an additional constraint for the
server certificate domain name. If set, one of the dNSName values (or if
no dNSName is present, one of the commonName values) in the certificate
must have a suffix match with the specified value. Suffix match is done
based on full domain name labels, i.e., "example.com" matches
"test.example.com" but not "test-example.com".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Check that SSL_clear_options and SSL_CTX_clear_options are defined
before using them to avoid compilation failures with older OpenSSL
versions that did not include these macros.
Signed-hostap: Jouni Malinen <j@w1.fi>
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.
hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).
This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).
Signed-hostap: Jouni Malinen <j@w1.fi>
Store context for each tls_init() caller, so events are generated for
the correct wpa_s instance. The tls_global variable is retained for
older OpenSSL implementations that may not have app-data for SSL_CTX.
Signed-hostap: Paul Stewart <pstew@chromium.org>
The mechanism to figure out key block size based on ssl->read_hash
does not seem to work with OpenSSL 1.0.1, so add an alternative
mechanism to figure out the NAC key size that seems to work at
least with the current OpenSSL 1.0.1 releases.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
This can be used to implement workaround for authentication servers that
do not handle TLS extensions in ClientHello properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
