1 /*
2 * SSL/TLS interface functions for OpenSSL
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #ifndef CONFIG_SMARTCARD
12 #ifndef OPENSSL_NO_ENGINE
13 #ifndef ANDROID
14 #define OPENSSL_NO_ENGINE
15 #endif
16 #endif
17 #endif
18
19 #include <openssl/ssl.h>
20 #include <openssl/err.h>
21 #include <openssl/opensslv.h>
22 #include <openssl/pkcs12.h>
23 #include <openssl/x509v3.h>
24 #ifndef OPENSSL_NO_ENGINE
25 #include <openssl/engine.h>
26 #endif /* OPENSSL_NO_ENGINE */
27 #ifndef OPENSSL_NO_DSA
28 #include <openssl/dsa.h>
29 #endif
30 #ifndef OPENSSL_NO_DH
31 #include <openssl/dh.h>
32 #endif
33
34 #include "common.h"
35 #include "crypto.h"
36 #include "sha1.h"
37 #include "sha256.h"
38 #include "tls.h"
39 #include "tls_openssl.h"
40 #ifdef CONFIG_OHOS_CERTMGR
41 #include "wpa_evp_key.h"
42 #endif
43
44 #if !defined(CONFIG_FIPS) && \
45 (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
46 defined(EAP_SERVER_FAST))
47 #define OPENSSL_NEED_EAP_FAST_PRF
48 #endif
49
50 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
51 defined(EAP_SERVER_FAST) || defined(EAP_TEAP) || \
52 defined(EAP_SERVER_TEAP)
53 #define EAP_FAST_OR_TEAP
54 #endif
55
56
57 #if defined(OPENSSL_IS_BORINGSSL)
58 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
59 typedef size_t stack_index_t;
60 #else
61 typedef int stack_index_t;
62 #endif
63
64 #ifdef SSL_set_tlsext_status_type
65 #ifndef OPENSSL_NO_TLSEXT
66 #define HAVE_OCSP
67 #include <openssl/ocsp.h>
68 #endif /* OPENSSL_NO_TLSEXT */
69 #endif /* SSL_set_tlsext_status_type */
70
71 #if (OPENSSL_VERSION_NUMBER < 0x10100000L || \
72 (defined(LIBRESSL_VERSION_NUMBER) && \
73 LIBRESSL_VERSION_NUMBER < 0x20700000L)) && \
74 !defined(BORINGSSL_API_VERSION)
75 /*
76 * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
77 * 1.1.0 and newer BoringSSL revisions. Provide compatibility wrappers for
78 * older versions.
79 */
80
SSL_get_client_random(const SSL * ssl,unsigned char * out,size_t outlen)81 static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
82 size_t outlen)
83 {
84 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
85 return 0;
86 os_memcpy(out, ssl->s3->client_random, SSL3_RANDOM_SIZE);
87 return SSL3_RANDOM_SIZE;
88 }
89
90
SSL_get_server_random(const SSL * ssl,unsigned char * out,size_t outlen)91 static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
92 size_t outlen)
93 {
94 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
95 return 0;
96 os_memcpy(out, ssl->s3->server_random, SSL3_RANDOM_SIZE);
97 return SSL3_RANDOM_SIZE;
98 }
99
100
101 #ifdef OPENSSL_NEED_EAP_FAST_PRF
SSL_SESSION_get_master_key(const SSL_SESSION * session,unsigned char * out,size_t outlen)102 static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
103 unsigned char *out, size_t outlen)
104 {
105 if (!session || session->master_key_length < 0 ||
106 (size_t) session->master_key_length > outlen)
107 return 0;
108 if ((size_t) session->master_key_length < outlen)
109 outlen = session->master_key_length;
110 os_memcpy(out, session->master_key, outlen);
111 return outlen;
112 }
113 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
114
115 #endif
116
117 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
118 (defined(LIBRESSL_VERSION_NUMBER) && \
119 LIBRESSL_VERSION_NUMBER < 0x20700000L)
120 #ifdef CONFIG_SUITEB
RSA_bits(const RSA * r)121 static int RSA_bits(const RSA *r)
122 {
123 return BN_num_bits(r->n);
124 }
125 #endif /* CONFIG_SUITEB */
126
127
ASN1_STRING_get0_data(const ASN1_STRING * x)128 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
129 {
130 return ASN1_STRING_data((ASN1_STRING *) x);
131 }
132 #endif
133
134 #ifdef ANDROID
135 #include <openssl/pem.h>
136 #include <keystore/keystore_get.h>
137
BIO_from_keystore(const char * key)138 static BIO * BIO_from_keystore(const char *key)
139 {
140 BIO *bio = NULL;
141 uint8_t *value = NULL;
142 int length = keystore_get(key, strlen(key), &value);
143 if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL)
144 BIO_write(bio, value, length);
145 free(value);
146 return bio;
147 }
148
149
tls_add_ca_from_keystore(X509_STORE * ctx,const char * key_alias)150 static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *key_alias)
151 {
152 BIO *bio = BIO_from_keystore(key_alias);
153 STACK_OF(X509_INFO) *stack = NULL;
154 stack_index_t i;
155
156 if (bio) {
157 stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
158 BIO_free(bio);
159 }
160
161 if (!stack) {
162 wpa_printf(MSG_WARNING, "TLS: Failed to parse certificate: %s",
163 key_alias);
164 return -1;
165 }
166
167 for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
168 X509_INFO *info = sk_X509_INFO_value(stack, i);
169
170 if (info->x509)
171 X509_STORE_add_cert(ctx, info->x509);
172 if (info->crl)
173 X509_STORE_add_crl(ctx, info->crl);
174 }
175
176 sk_X509_INFO_pop_free(stack, X509_INFO_free);
177
178 return 0;
179 }
180
181
tls_add_ca_from_keystore_encoded(X509_STORE * ctx,const char * encoded_key_alias)182 static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx,
183 const char *encoded_key_alias)
184 {
185 int rc = -1;
186 int len = os_strlen(encoded_key_alias);
187 unsigned char *decoded_alias;
188
189 if (len & 1) {
190 wpa_printf(MSG_WARNING, "Invalid hex-encoded alias: %s",
191 encoded_key_alias);
192 return rc;
193 }
194
195 decoded_alias = os_malloc(len / 2 + 1);
196 if (decoded_alias) {
197 if (!hexstr2bin(encoded_key_alias, decoded_alias, len / 2)) {
198 decoded_alias[len / 2] = '\0';
199 rc = tls_add_ca_from_keystore(
200 ctx, (const char *) decoded_alias);
201 }
202 os_free(decoded_alias);
203 }
204
205 return rc;
206 }
207
208 #endif /* ANDROID */
209
210 static int tls_openssl_ref_count = 0;
211 static int tls_ex_idx_session = -1;
212
213 struct tls_context {
214 void (*event_cb)(void *ctx, enum tls_event ev,
215 union tls_event_data *data);
216 void *cb_ctx;
217 int cert_in_cb;
218 char *ocsp_stapling_response;
219 };
220
221 static struct tls_context *tls_global = NULL;
222
223
224 struct tls_data {
225 SSL_CTX *ssl;
226 unsigned int tls_session_lifetime;
227 int check_crl;
228 int check_crl_strict;
229 char *ca_cert;
230 unsigned int crl_reload_interval;
231 struct os_reltime crl_last_reload;
232 char *check_cert_subject;
233 };
234
235 struct tls_connection {
236 struct tls_context *context;
237 struct tls_data *data;
238 SSL_CTX *ssl_ctx;
239 SSL *ssl;
240 BIO *ssl_in, *ssl_out;
241 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
242 ENGINE *engine; /* functional reference to the engine */
243 EVP_PKEY *private_key; /* the private key if using engine */
244 #endif /* OPENSSL_NO_ENGINE */
245 char *subject_match, *altsubject_match, *suffix_match, *domain_match;
246 char *check_cert_subject;
247 int read_alerts, write_alerts, failed;
248
249 tls_session_ticket_cb session_ticket_cb;
250 void *session_ticket_cb_ctx;
251
252 /* SessionTicket received from OpenSSL hello_extension_cb (server) */
253 u8 *session_ticket;
254 size_t session_ticket_len;
255
256 unsigned int ca_cert_verify:1;
257 unsigned int cert_probe:1;
258 unsigned int server_cert_only:1;
259 unsigned int invalid_hb_used:1;
260 unsigned int success_data:1;
261 unsigned int client_hello_generated:1;
262 unsigned int server:1;
263
264 u8 srv_cert_hash[32];
265
266 unsigned int flags;
267
268 X509 *peer_cert;
269 X509 *peer_issuer;
270 X509 *peer_issuer_issuer;
271 char *peer_subject; /* peer subject info for authenticated peer */
272
273 unsigned char client_random[SSL3_RANDOM_SIZE];
274 unsigned char server_random[SSL3_RANDOM_SIZE];
275
276 u16 cipher_suite;
277 int server_dh_prime_len;
278 };
279
280
tls_context_new(const struct tls_config * conf)281 static struct tls_context * tls_context_new(const struct tls_config *conf)
282 {
283 struct tls_context *context = os_zalloc(sizeof(*context));
284 if (context == NULL)
285 return NULL;
286 if (conf) {
287 context->event_cb = conf->event_cb;
288 context->cb_ctx = conf->cb_ctx;
289 context->cert_in_cb = conf->cert_in_cb;
290 }
291 return context;
292 }
293
294
295 #ifdef CONFIG_NO_STDOUT_DEBUG
296
_tls_show_errors(void)297 static void _tls_show_errors(void)
298 {
299 unsigned long err;
300
301 while ((err = ERR_get_error())) {
302 /* Just ignore the errors, since stdout is disabled */
303 }
304 }
305 #define tls_show_errors(l, f, t) _tls_show_errors()
306
307 #else /* CONFIG_NO_STDOUT_DEBUG */
308
tls_show_errors(int level,const char * func,const char * txt)309 static void tls_show_errors(int level, const char *func, const char *txt)
310 {
311 unsigned long err;
312
313 wpa_printf(level, "OpenSSL: %s - %s %s",
314 func, txt, ERR_error_string(ERR_get_error(), NULL));
315
316 while ((err = ERR_get_error())) {
317 wpa_printf(MSG_INFO, "OpenSSL: pending error: %s",
318 ERR_error_string(err, NULL));
319 }
320 }
321
322 #endif /* CONFIG_NO_STDOUT_DEBUG */
323
324
tls_crl_cert_reload(const char * ca_cert,int check_crl)325 static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
326 {
327 int flags;
328 X509_STORE *store;
329
330 store = X509_STORE_new();
331 if (!store) {
332 wpa_printf(MSG_DEBUG,
333 "OpenSSL: %s - failed to allocate new certificate store",
334 __func__);
335 return NULL;
336 }
337
338 if (ca_cert && X509_STORE_load_locations(store, ca_cert, NULL) != 1) {
339 tls_show_errors(MSG_WARNING, __func__,
340 "Failed to load root certificates");
341 X509_STORE_free(store);
342 return NULL;
343 }
344
345 flags = check_crl ? X509_V_FLAG_CRL_CHECK : 0;
346 if (check_crl == 2)
347 flags |= X509_V_FLAG_CRL_CHECK_ALL;
348
349 X509_STORE_set_flags(store, flags);
350
351 return store;
352 }
353
354
355 #ifdef CONFIG_NATIVE_WINDOWS
356
357 /* Windows CryptoAPI and access to certificate stores */
358 #include <wincrypt.h>
359
360 #ifdef __MINGW32_VERSION
361 /*
362 * MinGW does not yet include all the needed definitions for CryptoAPI, so
363 * define here whatever extra is needed.
364 */
365 #define CERT_SYSTEM_STORE_CURRENT_USER (1 << 16)
366 #define CERT_STORE_READONLY_FLAG 0x00008000
367 #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
368
369 #endif /* __MINGW32_VERSION */
370
371
372 struct cryptoapi_rsa_data {
373 const CERT_CONTEXT *cert;
374 HCRYPTPROV crypt_prov;
375 DWORD key_spec;
376 BOOL free_crypt_prov;
377 };
378
379
cryptoapi_error(const char * msg)380 static void cryptoapi_error(const char *msg)
381 {
382 wpa_printf(MSG_INFO, "CryptoAPI: %s; err=%u",
383 msg, (unsigned int) GetLastError());
384 }
385
386
cryptoapi_rsa_pub_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)387 static int cryptoapi_rsa_pub_enc(int flen, const unsigned char *from,
388 unsigned char *to, RSA *rsa, int padding)
389 {
390 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
391 return 0;
392 }
393
394
cryptoapi_rsa_pub_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)395 static int cryptoapi_rsa_pub_dec(int flen, const unsigned char *from,
396 unsigned char *to, RSA *rsa, int padding)
397 {
398 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
399 return 0;
400 }
401
402
cryptoapi_rsa_priv_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)403 static int cryptoapi_rsa_priv_enc(int flen, const unsigned char *from,
404 unsigned char *to, RSA *rsa, int padding)
405 {
406 struct cryptoapi_rsa_data *priv =
407 (struct cryptoapi_rsa_data *) rsa->meth->app_data;
408 HCRYPTHASH hash;
409 DWORD hash_size, len, i;
410 unsigned char *buf = NULL;
411 int ret = 0;
412
413 if (priv == NULL) {
414 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
415 ERR_R_PASSED_NULL_PARAMETER);
416 return 0;
417 }
418
419 if (padding != RSA_PKCS1_PADDING) {
420 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
421 RSA_R_UNKNOWN_PADDING_TYPE);
422 return 0;
423 }
424
425 if (flen != 16 /* MD5 */ + 20 /* SHA-1 */) {
426 wpa_printf(MSG_INFO, "%s - only MD5-SHA1 hash supported",
427 __func__);
428 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
429 RSA_R_INVALID_MESSAGE_LENGTH);
430 return 0;
431 }
432
433 if (!CryptCreateHash(priv->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash))
434 {
435 cryptoapi_error("CryptCreateHash failed");
436 return 0;
437 }
438
439 len = sizeof(hash_size);
440 if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len,
441 0)) {
442 cryptoapi_error("CryptGetHashParam failed");
443 goto err;
444 }
445
446 if ((int) hash_size != flen) {
447 wpa_printf(MSG_INFO, "CryptoAPI: Invalid hash size (%u != %d)",
448 (unsigned) hash_size, flen);
449 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
450 RSA_R_INVALID_MESSAGE_LENGTH);
451 goto err;
452 }
453 if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0)) {
454 cryptoapi_error("CryptSetHashParam failed");
455 goto err;
456 }
457
458 len = RSA_size(rsa);
459 buf = os_malloc(len);
460 if (buf == NULL) {
461 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
462 goto err;
463 }
464
465 if (!CryptSignHash(hash, priv->key_spec, NULL, 0, buf, &len)) {
466 cryptoapi_error("CryptSignHash failed");
467 goto err;
468 }
469
470 for (i = 0; i < len; i++)
471 to[i] = buf[len - i - 1];
472 ret = len;
473
474 err:
475 os_free(buf);
476 CryptDestroyHash(hash);
477
478 return ret;
479 }
480
481
cryptoapi_rsa_priv_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)482 static int cryptoapi_rsa_priv_dec(int flen, const unsigned char *from,
483 unsigned char *to, RSA *rsa, int padding)
484 {
485 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
486 return 0;
487 }
488
489
cryptoapi_free_data(struct cryptoapi_rsa_data * priv)490 static void cryptoapi_free_data(struct cryptoapi_rsa_data *priv)
491 {
492 if (priv == NULL)
493 return;
494 if (priv->crypt_prov && priv->free_crypt_prov)
495 CryptReleaseContext(priv->crypt_prov, 0);
496 if (priv->cert)
497 CertFreeCertificateContext(priv->cert);
498 os_free(priv);
499 }
500
501
cryptoapi_finish(RSA * rsa)502 static int cryptoapi_finish(RSA *rsa)
503 {
504 cryptoapi_free_data((struct cryptoapi_rsa_data *) rsa->meth->app_data);
505 os_free((void *) rsa->meth);
506 rsa->meth = NULL;
507 return 1;
508 }
509
510
cryptoapi_find_cert(const char * name,DWORD store)511 static const CERT_CONTEXT * cryptoapi_find_cert(const char *name, DWORD store)
512 {
513 HCERTSTORE cs;
514 const CERT_CONTEXT *ret = NULL;
515
516 cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0,
517 store | CERT_STORE_OPEN_EXISTING_FLAG |
518 CERT_STORE_READONLY_FLAG, L"MY");
519 if (cs == NULL) {
520 cryptoapi_error("Failed to open 'My system store'");
521 return NULL;
522 }
523
524 if (strncmp(name, "cert://", 7) == 0) {
525 unsigned short wbuf[255];
526 MultiByteToWideChar(CP_ACP, 0, name + 7, -1, wbuf, 255);
527 ret = CertFindCertificateInStore(cs, X509_ASN_ENCODING |
528 PKCS_7_ASN_ENCODING,
529 0, CERT_FIND_SUBJECT_STR,
530 wbuf, NULL);
531 } else if (strncmp(name, "hash://", 7) == 0) {
532 CRYPT_HASH_BLOB blob;
533 int len;
534 const char *hash = name + 7;
535 unsigned char *buf;
536
537 len = os_strlen(hash) / 2;
538 buf = os_malloc(len);
539 if (buf && hexstr2bin(hash, buf, len) == 0) {
540 blob.cbData = len;
541 blob.pbData = buf;
542 ret = CertFindCertificateInStore(cs,
543 X509_ASN_ENCODING |
544 PKCS_7_ASN_ENCODING,
545 0, CERT_FIND_HASH,
546 &blob, NULL);
547 }
548 os_free(buf);
549 }
550
551 CertCloseStore(cs, 0);
552
553 return ret;
554 }
555
556
tls_cryptoapi_cert(SSL * ssl,const char * name)557 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
558 {
559 X509 *cert = NULL;
560 RSA *rsa = NULL, *pub_rsa;
561 struct cryptoapi_rsa_data *priv;
562 RSA_METHOD *rsa_meth;
563
564 if (name == NULL ||
565 (strncmp(name, "cert://", 7) != 0 &&
566 strncmp(name, "hash://", 7) != 0))
567 return -1;
568
569 priv = os_zalloc(sizeof(*priv));
570 rsa_meth = os_zalloc(sizeof(*rsa_meth));
571 if (priv == NULL || rsa_meth == NULL) {
572 wpa_printf(MSG_WARNING, "CryptoAPI: Failed to allocate memory "
573 "for CryptoAPI RSA method");
574 os_free(priv);
575 os_free(rsa_meth);
576 return -1;
577 }
578
579 priv->cert = cryptoapi_find_cert(name, CERT_SYSTEM_STORE_CURRENT_USER);
580 if (priv->cert == NULL) {
581 priv->cert = cryptoapi_find_cert(
582 name, CERT_SYSTEM_STORE_LOCAL_MACHINE);
583 }
584 if (priv->cert == NULL) {
585 wpa_printf(MSG_INFO, "CryptoAPI: Could not find certificate "
586 "'%s'", name);
587 goto err;
588 }
589
590 cert = d2i_X509(NULL,
591 (const unsigned char **) &priv->cert->pbCertEncoded,
592 priv->cert->cbCertEncoded);
593 if (cert == NULL) {
594 wpa_printf(MSG_INFO, "CryptoAPI: Could not process X509 DER "
595 "encoding");
596 goto err;
597 }
598
599 if (!CryptAcquireCertificatePrivateKey(priv->cert,
600 CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
601 NULL, &priv->crypt_prov,
602 &priv->key_spec,
603 &priv->free_crypt_prov)) {
604 cryptoapi_error("Failed to acquire a private key for the "
605 "certificate");
606 goto err;
607 }
608
609 rsa_meth->name = "Microsoft CryptoAPI RSA Method";
610 rsa_meth->rsa_pub_enc = cryptoapi_rsa_pub_enc;
611 rsa_meth->rsa_pub_dec = cryptoapi_rsa_pub_dec;
612 rsa_meth->rsa_priv_enc = cryptoapi_rsa_priv_enc;
613 rsa_meth->rsa_priv_dec = cryptoapi_rsa_priv_dec;
614 rsa_meth->finish = cryptoapi_finish;
615 rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
616 rsa_meth->app_data = (char *) priv;
617
618 rsa = RSA_new();
619 if (rsa == NULL) {
620 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,
621 ERR_R_MALLOC_FAILURE);
622 goto err;
623 }
624
625 if (!SSL_use_certificate(ssl, cert)) {
626 RSA_free(rsa);
627 rsa = NULL;
628 goto err;
629 }
630 pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
631 X509_free(cert);
632 cert = NULL;
633
634 rsa->n = BN_dup(pub_rsa->n);
635 rsa->e = BN_dup(pub_rsa->e);
636 if (!RSA_set_method(rsa, rsa_meth))
637 goto err;
638
639 if (!SSL_use_RSAPrivateKey(ssl, rsa))
640 goto err;
641 RSA_free(rsa);
642
643 return 0;
644
645 err:
646 if (cert)
647 X509_free(cert);
648 if (rsa)
649 RSA_free(rsa);
650 else {
651 os_free(rsa_meth);
652 cryptoapi_free_data(priv);
653 }
654 return -1;
655 }
656
657
tls_cryptoapi_ca_cert(SSL_CTX * ssl_ctx,SSL * ssl,const char * name)658 static int tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name)
659 {
660 HCERTSTORE cs;
661 PCCERT_CONTEXT ctx = NULL;
662 X509 *cert;
663 char buf[128];
664 const char *store;
665 #ifdef UNICODE
666 WCHAR *wstore;
667 #endif /* UNICODE */
668
669 if (name == NULL || strncmp(name, "cert_store://", 13) != 0)
670 return -1;
671
672 store = name + 13;
673 #ifdef UNICODE
674 wstore = os_malloc((os_strlen(store) + 1) * sizeof(WCHAR));
675 if (wstore == NULL)
676 return -1;
677 wsprintf(wstore, L"%S", store);
678 cs = CertOpenSystemStore(0, wstore);
679 os_free(wstore);
680 #else /* UNICODE */
681 cs = CertOpenSystemStore(0, store);
682 #endif /* UNICODE */
683 if (cs == NULL) {
684 wpa_printf(MSG_DEBUG, "%s: failed to open system cert store "
685 "'%s': error=%d", __func__, store,
686 (int) GetLastError());
687 return -1;
688 }
689
690 while ((ctx = CertEnumCertificatesInStore(cs, ctx))) {
691 cert = d2i_X509(NULL,
692 (const unsigned char **) &ctx->pbCertEncoded,
693 ctx->cbCertEncoded);
694 if (cert == NULL) {
695 wpa_printf(MSG_INFO, "CryptoAPI: Could not process "
696 "X509 DER encoding for CA cert");
697 continue;
698 }
699
700 X509_NAME_oneline(X509_get_subject_name(cert), buf,
701 sizeof(buf));
702 wpa_printf(MSG_DEBUG, "OpenSSL: Loaded CA certificate for "
703 "system certificate store: subject='%s'", buf);
704
705 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
706 cert)) {
707 tls_show_errors(MSG_WARNING, __func__,
708 "Failed to add ca_cert to OpenSSL "
709 "certificate store");
710 }
711
712 X509_free(cert);
713 }
714
715 if (!CertCloseStore(cs, 0)) {
716 wpa_printf(MSG_DEBUG, "%s: failed to close system cert store "
717 "'%s': error=%d", __func__, name + 13,
718 (int) GetLastError());
719 }
720
721 return 0;
722 }
723
724
725 #else /* CONFIG_NATIVE_WINDOWS */
726
tls_cryptoapi_cert(SSL * ssl,const char * name)727 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
728 {
729 return -1;
730 }
731
732 #endif /* CONFIG_NATIVE_WINDOWS */
733
734
ssl_info_cb(const SSL * ssl,int where,int ret)735 static void ssl_info_cb(const SSL *ssl, int where, int ret)
736 {
737 const char *str;
738 int w;
739
740 wpa_printf(MSG_DEBUG, "SSL: (where=0x%x ret=0x%x)", where, ret);
741 w = where & ~SSL_ST_MASK;
742 if (w & SSL_ST_CONNECT)
743 str = "SSL_connect";
744 else if (w & SSL_ST_ACCEPT)
745 str = "SSL_accept";
746 else
747 str = "undefined";
748
749 if (where & SSL_CB_LOOP) {
750 wpa_printf(MSG_DEBUG, "SSL: %s:%s",
751 str, SSL_state_string_long(ssl));
752 } else if (where & SSL_CB_ALERT) {
753 struct tls_connection *conn = SSL_get_app_data((SSL *) ssl);
754 wpa_printf(MSG_INFO, "SSL: SSL3 alert: %s:%s:%s",
755 where & SSL_CB_READ ?
756 "read (remote end reported an error)" :
757 "write (local SSL3 detected an error)",
758 SSL_alert_type_string_long(ret),
759 SSL_alert_desc_string_long(ret));
760 if ((ret >> 8) == SSL3_AL_FATAL) {
761 if (where & SSL_CB_READ)
762 conn->read_alerts++;
763 else
764 conn->write_alerts++;
765 }
766 if (conn->context->event_cb != NULL) {
767 union tls_event_data ev;
768 struct tls_context *context = conn->context;
769 os_memset(&ev, 0, sizeof(ev));
770 ev.alert.is_local = !(where & SSL_CB_READ);
771 ev.alert.type = SSL_alert_type_string_long(ret);
772 ev.alert.description = SSL_alert_desc_string_long(ret);
773 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
774 }
775 } else if (where & SSL_CB_EXIT && ret <= 0) {
776 wpa_printf(MSG_DEBUG, "SSL: %s:%s in %s",
777 str, ret == 0 ? "failed" : "error",
778 SSL_state_string_long(ssl));
779 }
780 }
781
782
783 #ifndef OPENSSL_NO_ENGINE
784 /**
785 * tls_engine_load_dynamic_generic - load any openssl engine
786 * @pre: an array of commands and values that load an engine initialized
787 * in the engine specific function
788 * @post: an array of commands and values that initialize an already loaded
789 * engine (or %NULL if not required)
790 * @id: the engine id of the engine to load (only required if post is not %NULL
791 *
792 * This function is a generic function that loads any openssl engine.
793 *
794 * Returns: 0 on success, -1 on failure
795 */
tls_engine_load_dynamic_generic(const char * pre[],const char * post[],const char * id)796 static int tls_engine_load_dynamic_generic(const char *pre[],
797 const char *post[], const char *id)
798 {
799 ENGINE *engine;
800 const char *dynamic_id = "dynamic";
801
802 engine = ENGINE_by_id(id);
803 if (engine) {
804 wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
805 "available", id);
806 /*
807 * If it was auto-loaded by ENGINE_by_id() we might still
808 * need to tell it which PKCS#11 module to use in legacy
809 * (non-p11-kit) environments. Do so now; even if it was
810 * properly initialised before, setting it again will be
811 * harmless.
812 */
813 goto found;
814 }
815 ERR_clear_error();
816
817 engine = ENGINE_by_id(dynamic_id);
818 if (engine == NULL) {
819 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
820 dynamic_id,
821 ERR_error_string(ERR_get_error(), NULL));
822 return -1;
823 }
824
825 /* Perform the pre commands. This will load the engine. */
826 while (pre && pre[0]) {
827 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", pre[0], pre[1]);
828 if (ENGINE_ctrl_cmd_string(engine, pre[0], pre[1], 0) == 0) {
829 wpa_printf(MSG_INFO, "ENGINE: ctrl cmd_string failed: "
830 "%s %s [%s]", pre[0], pre[1],
831 ERR_error_string(ERR_get_error(), NULL));
832 ENGINE_free(engine);
833 return -1;
834 }
835 pre += 2;
836 }
837
838 /*
839 * Free the reference to the "dynamic" engine. The loaded engine can
840 * now be looked up using ENGINE_by_id().
841 */
842 ENGINE_free(engine);
843
844 engine = ENGINE_by_id(id);
845 if (engine == NULL) {
846 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
847 id, ERR_error_string(ERR_get_error(), NULL));
848 return -1;
849 }
850 found:
851 while (post && post[0]) {
852 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]);
853 if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) {
854 wpa_printf(MSG_DEBUG, "ENGINE: ctrl cmd_string failed:"
855 " %s %s [%s]", post[0], post[1],
856 ERR_error_string(ERR_get_error(), NULL));
857 ENGINE_remove(engine);
858 ENGINE_free(engine);
859 return -1;
860 }
861 post += 2;
862 }
863 ENGINE_free(engine);
864
865 return 0;
866 }
867
868
869 /**
870 * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
871 * @pkcs11_so_path: pksc11_so_path from the configuration
872 * @pcks11_module_path: pkcs11_module_path from the configuration
873 */
tls_engine_load_dynamic_pkcs11(const char * pkcs11_so_path,const char * pkcs11_module_path)874 static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
875 const char *pkcs11_module_path)
876 {
877 char *engine_id = "pkcs11";
878 const char *pre_cmd[] = {
879 "SO_PATH", NULL /* pkcs11_so_path */,
880 "ID", NULL /* engine_id */,
881 "LIST_ADD", "1",
882 /* "NO_VCHECK", "1", */
883 "LOAD", NULL,
884 NULL, NULL
885 };
886 const char *post_cmd[] = {
887 "MODULE_PATH", NULL /* pkcs11_module_path */,
888 NULL, NULL
889 };
890
891 if (!pkcs11_so_path)
892 return 0;
893
894 pre_cmd[1] = pkcs11_so_path;
895 pre_cmd[3] = engine_id;
896 if (pkcs11_module_path)
897 post_cmd[1] = pkcs11_module_path;
898 else
899 post_cmd[0] = NULL;
900
901 wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
902 pkcs11_so_path);
903
904 return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id);
905 }
906
907
908 /**
909 * tls_engine_load_dynamic_opensc - load the opensc engine provided by opensc
910 * @opensc_so_path: opensc_so_path from the configuration
911 */
tls_engine_load_dynamic_opensc(const char * opensc_so_path)912 static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
913 {
914 char *engine_id = "opensc";
915 const char *pre_cmd[] = {
916 "SO_PATH", NULL /* opensc_so_path */,
917 "ID", NULL /* engine_id */,
918 "LIST_ADD", "1",
919 "LOAD", NULL,
920 NULL, NULL
921 };
922
923 if (!opensc_so_path)
924 return 0;
925
926 pre_cmd[1] = opensc_so_path;
927 pre_cmd[3] = engine_id;
928
929 wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s",
930 opensc_so_path);
931
932 return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id);
933 }
934 #endif /* OPENSSL_NO_ENGINE */
935
936
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)937 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
938 {
939 struct wpabuf *buf;
940
941 if (tls_ex_idx_session < 0)
942 return;
943 buf = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
944 if (!buf)
945 return;
946 wpa_printf(MSG_DEBUG,
947 "OpenSSL: Free application session data %p (sess %p)",
948 buf, sess);
949 wpabuf_free(buf);
950
951 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, NULL);
952 }
953
954
tls_init(const struct tls_config * conf)955 void * tls_init(const struct tls_config *conf)
956 {
957 struct tls_data *data;
958 SSL_CTX *ssl;
959 struct tls_context *context;
960 const char *ciphers;
961
962 if (tls_openssl_ref_count == 0) {
963 void openssl_load_legacy_provider(void);
964
965 openssl_load_legacy_provider();
966
967 tls_global = context = tls_context_new(conf);
968 if (context == NULL)
969 return NULL;
970 #ifdef CONFIG_FIPS
971 #ifdef OPENSSL_FIPS
972 if (conf && conf->fips_mode) {
973 static int fips_enabled = 0;
974
975 if (!fips_enabled && !FIPS_mode_set(1)) {
976 wpa_printf(MSG_ERROR, "Failed to enable FIPS "
977 "mode");
978 ERR_load_crypto_strings();
979 ERR_print_errors_fp(stderr);
980 os_free(tls_global);
981 tls_global = NULL;
982 return NULL;
983 } else {
984 wpa_printf(MSG_INFO, "Running in FIPS mode");
985 fips_enabled = 1;
986 }
987 }
988 #else /* OPENSSL_FIPS */
989 if (conf && conf->fips_mode) {
990 wpa_printf(MSG_ERROR, "FIPS mode requested, but not "
991 "supported");
992 os_free(tls_global);
993 tls_global = NULL;
994 return NULL;
995 }
996 #endif /* OPENSSL_FIPS */
997 #endif /* CONFIG_FIPS */
998 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
999 (defined(LIBRESSL_VERSION_NUMBER) && \
1000 LIBRESSL_VERSION_NUMBER < 0x20700000L)
1001 SSL_load_error_strings();
1002 SSL_library_init();
1003 #ifndef OPENSSL_NO_SHA256
1004 EVP_add_digest(EVP_sha256());
1005 #endif /* OPENSSL_NO_SHA256 */
1006 /* TODO: if /dev/urandom is available, PRNG is seeded
1007 * automatically. If this is not the case, random data should
1008 * be added here. */
1009
1010 #ifdef PKCS12_FUNCS
1011 #ifndef OPENSSL_NO_RC2
1012 /*
1013 * 40-bit RC2 is commonly used in PKCS#12 files, so enable it.
1014 * This is enabled by PKCS12_PBE_add() in OpenSSL 0.9.8
1015 * versions, but it looks like OpenSSL 1.0.0 does not do that
1016 * anymore.
1017 */
1018 EVP_add_cipher(EVP_rc2_40_cbc());
1019 #endif /* OPENSSL_NO_RC2 */
1020 PKCS12_PBE_add();
1021 #endif /* PKCS12_FUNCS */
1022 #endif /* < 1.1.0 */
1023 } else {
1024 context = tls_context_new(conf);
1025 if (context == NULL)
1026 return NULL;
1027 }
1028 tls_openssl_ref_count++;
1029
1030 data = os_zalloc(sizeof(*data));
1031 if (data)
1032 ssl = SSL_CTX_new(SSLv23_method());
1033 else
1034 ssl = NULL;
1035 if (ssl == NULL) {
1036 tls_openssl_ref_count--;
1037 if (context != tls_global)
1038 os_free(context);
1039 if (tls_openssl_ref_count == 0) {
1040 os_free(tls_global);
1041 tls_global = NULL;
1042 }
1043 os_free(data);
1044 return NULL;
1045 }
1046 data->ssl = ssl;
1047 if (conf) {
1048 data->tls_session_lifetime = conf->tls_session_lifetime;
1049 data->crl_reload_interval = conf->crl_reload_interval;
1050 }
1051
1052 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
1053 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
1054
1055 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1056
1057 #ifdef SSL_MODE_NO_AUTO_CHAIN
1058 /* Number of deployed use cases assume the default OpenSSL behavior of
1059 * auto chaining the local certificate is in use. BoringSSL removed this
1060 * functionality by default, so we need to restore it here to avoid
1061 * breaking existing use cases. */
1062 SSL_CTX_clear_mode(ssl, SSL_MODE_NO_AUTO_CHAIN);
1063 #endif /* SSL_MODE_NO_AUTO_CHAIN */
1064
1065 SSL_CTX_set_info_callback(ssl, ssl_info_cb);
1066 SSL_CTX_set_app_data(ssl, context);
1067 if (data->tls_session_lifetime > 0) {
1068 SSL_CTX_set_quiet_shutdown(ssl, 1);
1069 /*
1070 * Set default context here. In practice, this will be replaced
1071 * by the per-EAP method context in tls_connection_set_verify().
1072 */
1073 SSL_CTX_set_session_id_context(ssl, (u8 *) "hostapd", 7);
1074 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_SERVER);
1075 SSL_CTX_set_timeout(ssl, data->tls_session_lifetime);
1076 SSL_CTX_sess_set_remove_cb(ssl, remove_session_cb);
1077 } else {
1078 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_OFF);
1079 }
1080
1081 if (tls_ex_idx_session < 0) {
1082 tls_ex_idx_session = SSL_SESSION_get_ex_new_index(
1083 0, NULL, NULL, NULL, NULL);
1084 if (tls_ex_idx_session < 0) {
1085 tls_deinit(data);
1086 return NULL;
1087 }
1088 }
1089
1090 #ifndef OPENSSL_NO_ENGINE
1091 wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines");
1092 ENGINE_load_builtin_engines();
1093
1094 if (conf &&
1095 (conf->opensc_engine_path || conf->pkcs11_engine_path ||
1096 conf->pkcs11_module_path)) {
1097 if (tls_engine_load_dynamic_opensc(conf->opensc_engine_path) ||
1098 tls_engine_load_dynamic_pkcs11(conf->pkcs11_engine_path,
1099 conf->pkcs11_module_path)) {
1100 tls_deinit(data);
1101 return NULL;
1102 }
1103 }
1104 #endif /* OPENSSL_NO_ENGINE */
1105
1106 if (conf && conf->openssl_ciphers)
1107 ciphers = conf->openssl_ciphers;
1108 else
1109 ciphers = TLS_DEFAULT_CIPHERS;
1110 if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
1111 wpa_printf(MSG_ERROR,
1112 "OpenSSL: Failed to set cipher string '%s'",
1113 ciphers);
1114 tls_deinit(data);
1115 return NULL;
1116 }
1117
1118 return data;
1119 }
1120
1121
tls_deinit(void * ssl_ctx)1122 void tls_deinit(void *ssl_ctx)
1123 {
1124 struct tls_data *data = ssl_ctx;
1125 SSL_CTX *ssl = data->ssl;
1126 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1127 if (context != tls_global)
1128 os_free(context);
1129 if (data->tls_session_lifetime > 0)
1130 SSL_CTX_flush_sessions(ssl, 0);
1131 os_free(data->ca_cert);
1132 SSL_CTX_free(ssl);
1133
1134 tls_openssl_ref_count--;
1135 if (tls_openssl_ref_count == 0) {
1136 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
1137 (defined(LIBRESSL_VERSION_NUMBER) && \
1138 LIBRESSL_VERSION_NUMBER < 0x20700000L)
1139 #ifndef OPENSSL_NO_ENGINE
1140 ENGINE_cleanup();
1141 #endif /* OPENSSL_NO_ENGINE */
1142 CRYPTO_cleanup_all_ex_data();
1143 ERR_remove_thread_state(NULL);
1144 ERR_free_strings();
1145 EVP_cleanup();
1146 #endif /* < 1.1.0 */
1147 os_free(tls_global->ocsp_stapling_response);
1148 tls_global->ocsp_stapling_response = NULL;
1149 os_free(tls_global);
1150 tls_global = NULL;
1151 }
1152
1153 os_free(data->check_cert_subject);
1154 os_free(data);
1155 }
1156
1157
1158 #ifndef OPENSSL_NO_ENGINE
1159
1160 /* Cryptoki return values */
1161 #define CKR_PIN_INCORRECT 0x000000a0
1162 #define CKR_PIN_INVALID 0x000000a1
1163 #define CKR_PIN_LEN_RANGE 0x000000a2
1164
1165 /* libp11 */
1166 #define ERR_LIB_PKCS11 ERR_LIB_USER
1167
tls_is_pin_error(unsigned int err)1168 static int tls_is_pin_error(unsigned int err)
1169 {
1170 return ERR_GET_LIB(err) == ERR_LIB_PKCS11 &&
1171 (ERR_GET_REASON(err) == CKR_PIN_INCORRECT ||
1172 ERR_GET_REASON(err) == CKR_PIN_INVALID ||
1173 ERR_GET_REASON(err) == CKR_PIN_LEN_RANGE);
1174 }
1175
1176 #endif /* OPENSSL_NO_ENGINE */
1177
1178
1179 #ifdef ANDROID
1180 /* EVP_PKEY_from_keystore comes from system/security/keystore-engine. */
1181 EVP_PKEY * EVP_PKEY_from_keystore(const char *key_id);
1182 #endif /* ANDROID */
1183
tls_engine_init(struct tls_connection * conn,const char * engine_id,const char * pin,const char * key_id,const char * cert_id,const char * ca_cert_id)1184 static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
1185 const char *pin, const char *key_id,
1186 const char *cert_id, const char *ca_cert_id)
1187 {
1188 #if defined(ANDROID) && defined(OPENSSL_IS_BORINGSSL)
1189 #if !defined(OPENSSL_NO_ENGINE)
1190 #error "This code depends on OPENSSL_NO_ENGINE being defined by BoringSSL."
1191 #endif
1192 if (!key_id)
1193 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1194 conn->engine = NULL;
1195 conn->private_key = EVP_PKEY_from_keystore(key_id);
1196 if (!conn->private_key) {
1197 wpa_printf(MSG_ERROR,
1198 "ENGINE: cannot load private key with id '%s' [%s]",
1199 key_id,
1200 ERR_error_string(ERR_get_error(), NULL));
1201 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1202 }
1203 #endif /* ANDROID && OPENSSL_IS_BORINGSSL */
1204
1205 #ifndef OPENSSL_NO_ENGINE
1206 int ret = -1;
1207 if (engine_id == NULL) {
1208 wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
1209 return -1;
1210 }
1211
1212 ERR_clear_error();
1213 #ifdef ANDROID
1214 ENGINE_load_dynamic();
1215 #endif
1216 conn->engine = ENGINE_by_id(engine_id);
1217 if (!conn->engine) {
1218 wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
1219 engine_id, ERR_error_string(ERR_get_error(), NULL));
1220 goto err;
1221 }
1222 if (ENGINE_init(conn->engine) != 1) {
1223 wpa_printf(MSG_ERROR, "ENGINE: engine init failed "
1224 "(engine: %s) [%s]", engine_id,
1225 ERR_error_string(ERR_get_error(), NULL));
1226 goto err;
1227 }
1228 wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
1229
1230 #ifndef ANDROID
1231 if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
1232 wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
1233 ERR_error_string(ERR_get_error(), NULL));
1234 goto err;
1235 }
1236 #endif
1237 if (key_id) {
1238 /*
1239 * Ensure that the ENGINE does not attempt to use the OpenSSL
1240 * UI system to obtain a PIN, if we didn't provide one.
1241 */
1242 struct {
1243 const void *password;
1244 const char *prompt_info;
1245 } key_cb = { "", NULL };
1246
1247 /* load private key first in-case PIN is required for cert */
1248 conn->private_key = ENGINE_load_private_key(conn->engine,
1249 key_id, NULL,
1250 &key_cb);
1251 if (!conn->private_key) {
1252 unsigned long err = ERR_get_error();
1253
1254 wpa_printf(MSG_ERROR,
1255 "ENGINE: cannot load private key with id '%s' [%s]",
1256 key_id,
1257 ERR_error_string(err, NULL));
1258 if (tls_is_pin_error(err))
1259 ret = TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
1260 else
1261 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1262 goto err;
1263 }
1264 }
1265
1266 /* handle a certificate and/or CA certificate */
1267 if (cert_id || ca_cert_id) {
1268 const char *cmd_name = "LOAD_CERT_CTRL";
1269
1270 /* test if the engine supports a LOAD_CERT_CTRL */
1271 if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
1272 0, (void *)cmd_name, NULL)) {
1273 wpa_printf(MSG_ERROR, "ENGINE: engine does not support"
1274 " loading certificates");
1275 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1276 goto err;
1277 }
1278 }
1279
1280 return 0;
1281
1282 err:
1283 if (conn->engine) {
1284 ENGINE_free(conn->engine);
1285 conn->engine = NULL;
1286 }
1287
1288 if (conn->private_key) {
1289 EVP_PKEY_free(conn->private_key);
1290 conn->private_key = NULL;
1291 }
1292
1293 return ret;
1294 #else /* OPENSSL_NO_ENGINE */
1295 return 0;
1296 #endif /* OPENSSL_NO_ENGINE */
1297 }
1298
1299
tls_engine_deinit(struct tls_connection * conn)1300 static void tls_engine_deinit(struct tls_connection *conn)
1301 {
1302 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
1303 wpa_printf(MSG_DEBUG, "ENGINE: engine deinit");
1304 if (conn->private_key) {
1305 EVP_PKEY_free(conn->private_key);
1306 conn->private_key = NULL;
1307 }
1308 if (conn->engine) {
1309 #if !defined(OPENSSL_IS_BORINGSSL)
1310 ENGINE_finish(conn->engine);
1311 #endif /* !OPENSSL_IS_BORINGSSL */
1312 conn->engine = NULL;
1313 }
1314 #endif /* ANDROID || !OPENSSL_NO_ENGINE */
1315 }
1316
1317
tls_get_errors(void * ssl_ctx)1318 int tls_get_errors(void *ssl_ctx)
1319 {
1320 int count = 0;
1321 unsigned long err;
1322
1323 while ((err = ERR_get_error())) {
1324 wpa_printf(MSG_INFO, "TLS - SSL error: %s",
1325 ERR_error_string(err, NULL));
1326 count++;
1327 }
1328
1329 return count;
1330 }
1331
1332
openssl_content_type(int content_type)1333 static const char * openssl_content_type(int content_type)
1334 {
1335 switch (content_type) {
1336 case 20:
1337 return "change cipher spec";
1338 case 21:
1339 return "alert";
1340 case 22:
1341 return "handshake";
1342 case 23:
1343 return "application data";
1344 case 24:
1345 return "heartbeat";
1346 case 256:
1347 return "TLS header info"; /* pseudo content type */
1348 case 257:
1349 return "inner content type"; /* pseudo content type */
1350 default:
1351 return "?";
1352 }
1353 }
1354
1355
openssl_handshake_type(int content_type,const u8 * buf,size_t len)1356 static const char * openssl_handshake_type(int content_type, const u8 *buf,
1357 size_t len)
1358 {
1359 if (content_type == 257 && buf && len == 1)
1360 return openssl_content_type(buf[0]);
1361 if (content_type != 22 || !buf || len == 0)
1362 return "";
1363 switch (buf[0]) {
1364 case 0:
1365 return "hello request";
1366 case 1:
1367 return "client hello";
1368 case 2:
1369 return "server hello";
1370 case 3:
1371 return "hello verify request";
1372 case 4:
1373 return "new session ticket";
1374 case 5:
1375 return "end of early data";
1376 case 6:
1377 return "hello retry request";
1378 case 8:
1379 return "encrypted extensions";
1380 case 11:
1381 return "certificate";
1382 case 12:
1383 return "server key exchange";
1384 case 13:
1385 return "certificate request";
1386 case 14:
1387 return "server hello done";
1388 case 15:
1389 return "certificate verify";
1390 case 16:
1391 return "client key exchange";
1392 case 20:
1393 return "finished";
1394 case 21:
1395 return "certificate url";
1396 case 22:
1397 return "certificate status";
1398 case 23:
1399 return "supplemental data";
1400 case 24:
1401 return "key update";
1402 case 254:
1403 return "message hash";
1404 default:
1405 return "?";
1406 }
1407 }
1408
1409
1410 #ifdef CONFIG_SUITEB
1411
check_server_hello(struct tls_connection * conn,const u8 * pos,const u8 * end)1412 static void check_server_hello(struct tls_connection *conn,
1413 const u8 *pos, const u8 *end)
1414 {
1415 size_t payload_len, id_len;
1416
1417 /*
1418 * Parse ServerHello to get the selected cipher suite since OpenSSL does
1419 * not make it cleanly available during handshake and we need to know
1420 * whether DHE was selected.
1421 */
1422
1423 if (end - pos < 3)
1424 return;
1425 payload_len = WPA_GET_BE24(pos);
1426 pos += 3;
1427
1428 if ((size_t) (end - pos) < payload_len)
1429 return;
1430 end = pos + payload_len;
1431
1432 /* Skip Version and Random */
1433 if (end - pos < 2 + SSL3_RANDOM_SIZE)
1434 return;
1435 pos += 2 + SSL3_RANDOM_SIZE;
1436
1437 /* Skip Session ID */
1438 if (end - pos < 1)
1439 return;
1440 id_len = *pos++;
1441 if ((size_t) (end - pos) < id_len)
1442 return;
1443 pos += id_len;
1444
1445 if (end - pos < 2)
1446 return;
1447 conn->cipher_suite = WPA_GET_BE16(pos);
1448 wpa_printf(MSG_DEBUG, "OpenSSL: Server selected cipher suite 0x%x",
1449 conn->cipher_suite);
1450 }
1451
1452
check_server_key_exchange(SSL * ssl,struct tls_connection * conn,const u8 * pos,const u8 * end)1453 static void check_server_key_exchange(SSL *ssl, struct tls_connection *conn,
1454 const u8 *pos, const u8 *end)
1455 {
1456 size_t payload_len;
1457 u16 dh_len;
1458 BIGNUM *p;
1459 int bits;
1460
1461 if (!(conn->flags & TLS_CONN_SUITEB))
1462 return;
1463
1464 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
1465 if (conn->cipher_suite != 0x9f)
1466 return;
1467
1468 if (end - pos < 3)
1469 return;
1470 payload_len = WPA_GET_BE24(pos);
1471 pos += 3;
1472
1473 if ((size_t) (end - pos) < payload_len)
1474 return;
1475 end = pos + payload_len;
1476
1477 if (end - pos < 2)
1478 return;
1479 dh_len = WPA_GET_BE16(pos);
1480 pos += 2;
1481
1482 if ((size_t) (end - pos) < dh_len)
1483 return;
1484 p = BN_bin2bn(pos, dh_len, NULL);
1485 if (!p)
1486 return;
1487
1488 bits = BN_num_bits(p);
1489 BN_free(p);
1490
1491 conn->server_dh_prime_len = bits;
1492 wpa_printf(MSG_DEBUG, "OpenSSL: Server DH prime length: %d bits",
1493 conn->server_dh_prime_len);
1494 }
1495
1496 #endif /* CONFIG_SUITEB */
1497
1498
tls_msg_cb(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg)1499 static void tls_msg_cb(int write_p, int version, int content_type,
1500 const void *buf, size_t len, SSL *ssl, void *arg)
1501 {
1502 struct tls_connection *conn = arg;
1503 const u8 *pos = buf;
1504
1505 if (write_p == 2) {
1506 wpa_printf(MSG_DEBUG,
1507 "OpenSSL: session ver=0x%x content_type=%d",
1508 version, content_type);
1509 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Data", buf, len);
1510 return;
1511 }
1512
1513 wpa_printf(MSG_DEBUG, "OpenSSL: %s ver=0x%x content_type=%d (%s/%s)",
1514 write_p ? "TX" : "RX", version, content_type,
1515 openssl_content_type(content_type),
1516 openssl_handshake_type(content_type, buf, len));
1517 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Message", buf, len);
1518 if (content_type == 24 && len >= 3 && pos[0] == 1) {
1519 size_t payload_len = WPA_GET_BE16(pos + 1);
1520 if (payload_len + 3 > len) {
1521 wpa_printf(MSG_ERROR, "OpenSSL: Heartbeat attack detected");
1522 conn->invalid_hb_used = 1;
1523 }
1524 }
1525
1526 #ifdef CONFIG_SUITEB
1527 /*
1528 * Need to parse these handshake messages to be able to check DH prime
1529 * length since OpenSSL does not expose the new cipher suite and DH
1530 * parameters during handshake (e.g., for cert_cb() callback).
1531 */
1532 if (content_type == 22 && pos && len > 0 && pos[0] == 2)
1533 check_server_hello(conn, pos + 1, pos + len);
1534 if (content_type == 22 && pos && len > 0 && pos[0] == 12)
1535 check_server_key_exchange(ssl, conn, pos + 1, pos + len);
1536 #endif /* CONFIG_SUITEB */
1537 }
1538
1539
tls_connection_init(void * ssl_ctx)1540 struct tls_connection * tls_connection_init(void *ssl_ctx)
1541 {
1542 struct tls_data *data = ssl_ctx;
1543 SSL_CTX *ssl = data->ssl;
1544 struct tls_connection *conn;
1545 long options;
1546 X509_STORE *new_cert_store;
1547 struct os_reltime now;
1548 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1549
1550 /* Replace X509 store if it is time to update CRL. */
1551 if (data->crl_reload_interval > 0 && os_get_reltime(&now) == 0 &&
1552 os_reltime_expired(&now, &data->crl_last_reload,
1553 data->crl_reload_interval)) {
1554 wpa_printf(MSG_INFO,
1555 "OpenSSL: Flushing X509 store with ca_cert file");
1556 new_cert_store = tls_crl_cert_reload(data->ca_cert,
1557 data->check_crl);
1558 if (!new_cert_store) {
1559 wpa_printf(MSG_ERROR,
1560 "OpenSSL: Error replacing X509 store with ca_cert file");
1561 } else {
1562 /* Replace old store */
1563 SSL_CTX_set_cert_store(ssl, new_cert_store);
1564 data->crl_last_reload = now;
1565 }
1566 }
1567
1568 conn = os_zalloc(sizeof(*conn));
1569 if (conn == NULL)
1570 return NULL;
1571 conn->data = data;
1572 conn->ssl_ctx = ssl;
1573 conn->ssl = SSL_new(ssl);
1574 if (conn->ssl == NULL) {
1575 tls_show_errors(MSG_INFO, __func__,
1576 "Failed to initialize new SSL connection");
1577 os_free(conn);
1578 return NULL;
1579 }
1580
1581 conn->context = context;
1582 SSL_set_app_data(conn->ssl, conn);
1583 SSL_set_msg_callback(conn->ssl, tls_msg_cb);
1584 SSL_set_msg_callback_arg(conn->ssl, conn);
1585 options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
1586 SSL_OP_SINGLE_DH_USE;
1587 #ifdef SSL_OP_NO_COMPRESSION
1588 options |= SSL_OP_NO_COMPRESSION;
1589 #endif /* SSL_OP_NO_COMPRESSION */
1590 SSL_set_options(conn->ssl, options);
1591 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
1592 /* Hopefully there is no need for middlebox compatibility mechanisms
1593 * when going through EAP authentication. */
1594 SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
1595 #endif
1596
1597 conn->ssl_in = BIO_new(BIO_s_mem());
1598 if (!conn->ssl_in) {
1599 tls_show_errors(MSG_INFO, __func__,
1600 "Failed to create a new BIO for ssl_in");
1601 SSL_free(conn->ssl);
1602 os_free(conn);
1603 return NULL;
1604 }
1605
1606 conn->ssl_out = BIO_new(BIO_s_mem());
1607 if (!conn->ssl_out) {
1608 tls_show_errors(MSG_INFO, __func__,
1609 "Failed to create a new BIO for ssl_out");
1610 SSL_free(conn->ssl);
1611 BIO_free(conn->ssl_in);
1612 os_free(conn);
1613 return NULL;
1614 }
1615
1616 SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out);
1617
1618 return conn;
1619 }
1620
1621
tls_connection_deinit(void * ssl_ctx,struct tls_connection * conn)1622 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
1623 {
1624 if (conn == NULL)
1625 return;
1626 if (conn->success_data) {
1627 /*
1628 * Make sure ssl_clear_bad_session() does not remove this
1629 * session.
1630 */
1631 SSL_set_quiet_shutdown(conn->ssl, 1);
1632 SSL_shutdown(conn->ssl);
1633 }
1634 SSL_free(conn->ssl);
1635 tls_engine_deinit(conn);
1636 os_free(conn->subject_match);
1637 os_free(conn->altsubject_match);
1638 os_free(conn->suffix_match);
1639 os_free(conn->domain_match);
1640 os_free(conn->check_cert_subject);
1641 os_free(conn->session_ticket);
1642 os_free(conn->peer_subject);
1643 os_free(conn);
1644 }
1645
1646
tls_connection_established(void * ssl_ctx,struct tls_connection * conn)1647 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
1648 {
1649 return conn ? SSL_is_init_finished(conn->ssl) : 0;
1650 }
1651
1652
tls_connection_peer_serial_num(void * tls_ctx,struct tls_connection * conn)1653 char * tls_connection_peer_serial_num(void *tls_ctx,
1654 struct tls_connection *conn)
1655 {
1656 ASN1_INTEGER *ser;
1657 char *serial_num;
1658 size_t len;
1659
1660 if (!conn->peer_cert)
1661 return NULL;
1662
1663 ser = X509_get_serialNumber(conn->peer_cert);
1664 if (!ser)
1665 return NULL;
1666
1667 len = ASN1_STRING_length(ser) * 2 + 1;
1668 serial_num = os_malloc(len);
1669 if (!serial_num)
1670 return NULL;
1671 wpa_snprintf_hex_uppercase(serial_num, len,
1672 ASN1_STRING_get0_data(ser),
1673 ASN1_STRING_length(ser));
1674 return serial_num;
1675 }
1676
1677
tls_connection_shutdown(void * ssl_ctx,struct tls_connection * conn)1678 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
1679 {
1680 if (conn == NULL)
1681 return -1;
1682
1683 /* Shutdown previous TLS connection without notifying the peer
1684 * because the connection was already terminated in practice
1685 * and "close notify" shutdown alert would confuse AS. */
1686 SSL_set_quiet_shutdown(conn->ssl, 1);
1687 SSL_shutdown(conn->ssl);
1688 return SSL_clear(conn->ssl) == 1 ? 0 : -1;
1689 }
1690
1691
tls_match_altsubject_component(X509 * cert,int type,const char * value,size_t len)1692 static int tls_match_altsubject_component(X509 *cert, int type,
1693 const char *value, size_t len)
1694 {
1695 GENERAL_NAME *gen;
1696 void *ext;
1697 int found = 0;
1698 stack_index_t i;
1699
1700 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
1701
1702 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
1703 gen = sk_GENERAL_NAME_value(ext, i);
1704 if (gen->type != type)
1705 continue;
1706 if (os_strlen((char *) gen->d.ia5->data) == len &&
1707 os_memcmp(value, gen->d.ia5->data, len) == 0)
1708 found++;
1709 }
1710
1711 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
1712
1713 return found;
1714 }
1715
1716
tls_match_altsubject(X509 * cert,const char * match)1717 static int tls_match_altsubject(X509 *cert, const char *match)
1718 {
1719 int type;
1720 const char *pos, *end;
1721 size_t len;
1722
1723 pos = match;
1724 do {
1725 if (os_strncmp(pos, "EMAIL:", 6) == 0) {
1726 type = GEN_EMAIL;
1727 pos += 6;
1728 } else if (os_strncmp(pos, "DNS:", 4) == 0) {
1729 type = GEN_DNS;
1730 pos += 4;
1731 } else if (os_strncmp(pos, "URI:", 4) == 0) {
1732 type = GEN_URI;
1733 pos += 4;
1734 } else {
1735 wpa_printf(MSG_INFO, "TLS: Invalid altSubjectName "
1736 "match '%s'", pos);
1737 return 0;
1738 }
1739 end = os_strchr(pos, ';');
1740 while (end) {
1741 if (os_strncmp(end + 1, "EMAIL:", 6) == 0 ||
1742 os_strncmp(end + 1, "DNS:", 4) == 0 ||
1743 os_strncmp(end + 1, "URI:", 4) == 0)
1744 break;
1745 end = os_strchr(end + 1, ';');
1746 }
1747 if (end)
1748 len = end - pos;
1749 else
1750 len = os_strlen(pos);
1751 if (tls_match_altsubject_component(cert, type, pos, len) > 0)
1752 return 1;
1753 pos = end + 1;
1754 } while (end);
1755
1756 return 0;
1757 }
1758
1759
1760 #ifndef CONFIG_NATIVE_WINDOWS
domain_suffix_match(const u8 * val,size_t len,const char * match,size_t match_len,int full)1761 static int domain_suffix_match(const u8 *val, size_t len, const char *match,
1762 size_t match_len, int full)
1763 {
1764 size_t i;
1765
1766 /* Check for embedded nuls that could mess up suffix matching */
1767 for (i = 0; i < len; i++) {
1768 if (val[i] == '\0') {
1769 wpa_printf(MSG_DEBUG, "TLS: Embedded null in a string - reject");
1770 return 0;
1771 }
1772 }
1773
1774 if (match_len > len || (full && match_len != len))
1775 return 0;
1776
1777 if (os_strncasecmp((const char *) val + len - match_len, match,
1778 match_len) != 0)
1779 return 0; /* no match */
1780
1781 if (match_len == len)
1782 return 1; /* exact match */
1783
1784 if (val[len - match_len - 1] == '.')
1785 return 1; /* full label match completes suffix match */
1786
1787 wpa_printf(MSG_DEBUG, "TLS: Reject due to incomplete label match");
1788 return 0;
1789 }
1790 #endif /* CONFIG_NATIVE_WINDOWS */
1791
1792
1793 struct tls_dn_field_order_cnt {
1794 u8 cn;
1795 u8 c;
1796 u8 l;
1797 u8 st;
1798 u8 o;
1799 u8 ou;
1800 u8 email;
1801 };
1802
1803
get_dn_field_index(const struct tls_dn_field_order_cnt * dn_cnt,int nid)1804 static int get_dn_field_index(const struct tls_dn_field_order_cnt *dn_cnt,
1805 int nid)
1806 {
1807 switch (nid) {
1808 case NID_commonName:
1809 return dn_cnt->cn;
1810 case NID_countryName:
1811 return dn_cnt->c;
1812 case NID_localityName:
1813 return dn_cnt->l;
1814 case NID_stateOrProvinceName:
1815 return dn_cnt->st;
1816 case NID_organizationName:
1817 return dn_cnt->o;
1818 case NID_organizationalUnitName:
1819 return dn_cnt->ou;
1820 case NID_pkcs9_emailAddress:
1821 return dn_cnt->email;
1822 default:
1823 wpa_printf(MSG_ERROR,
1824 "TLS: Unknown NID '%d' in check_cert_subject",
1825 nid);
1826 return -1;
1827 }
1828 }
1829
1830
1831 /**
1832 * match_dn_field - Match configuration DN field against Certificate DN field
1833 * @cert: Certificate
1834 * @nid: NID of DN field
1835 * @field: Field name
1836 * @value DN field value which is passed from configuration
1837 * e.g., if configuration have C=US and this argument will point to US.
1838 * @dn_cnt: DN matching context
1839 * Returns: 1 on success and 0 on failure
1840 */
match_dn_field(const X509 * cert,int nid,const char * field,const char * value,const struct tls_dn_field_order_cnt * dn_cnt)1841 static int match_dn_field(const X509 *cert, int nid, const char *field,
1842 const char *value,
1843 const struct tls_dn_field_order_cnt *dn_cnt)
1844 {
1845 int i, ret = 0, len, config_dn_field_index, match_index = 0;
1846 X509_NAME *name;
1847
1848 len = os_strlen(value);
1849 name = X509_get_subject_name((X509 *) cert);
1850
1851 /* Assign incremented cnt for every field of DN to check DN field in
1852 * right order */
1853 config_dn_field_index = get_dn_field_index(dn_cnt, nid);
1854 if (config_dn_field_index < 0)
1855 return 0;
1856
1857 /* Fetch value based on NID */
1858 for (i = -1; (i = X509_NAME_get_index_by_NID(name, nid, i)) > -1;) {
1859 X509_NAME_ENTRY *e;
1860 ASN1_STRING *cn;
1861
1862 e = X509_NAME_get_entry(name, i);
1863 if (!e)
1864 continue;
1865
1866 cn = X509_NAME_ENTRY_get_data(e);
1867 if (!cn)
1868 continue;
1869
1870 match_index++;
1871
1872 /* check for more than one DN field with same name */
1873 if (match_index != config_dn_field_index)
1874 continue;
1875
1876 /* Check wildcard at the right end side */
1877 /* E.g., if OU=develop* mentioned in configuration, allow 'OU'
1878 * of the subject in the client certificate to start with
1879 * 'develop' */
1880 if (len > 0 && value[len - 1] == '*') {
1881 /* Compare actual certificate DN field value with
1882 * configuration DN field value up to the specified
1883 * length. */
1884 ret = ASN1_STRING_length(cn) >= len - 1 &&
1885 os_memcmp(ASN1_STRING_get0_data(cn), value,
1886 len - 1) == 0;
1887 } else {
1888 /* Compare actual certificate DN field value with
1889 * configuration DN field value */
1890 ret = ASN1_STRING_length(cn) == len &&
1891 os_memcmp(ASN1_STRING_get0_data(cn), value,
1892 len) == 0;
1893 }
1894 if (!ret) {
1895 wpa_printf(MSG_ERROR,
1896 "OpenSSL: Failed to match %s '%s' with certificate DN field value '%s'",
1897 field, value, ASN1_STRING_get0_data(cn));
1898 }
1899 break;
1900 }
1901
1902 return ret;
1903 }
1904
1905
1906 /**
1907 * get_value_from_field - Get value from DN field
1908 * @cert: Certificate
1909 * @field_str: DN field string which is passed from configuration file (e.g.,
1910 * C=US)
1911 * @dn_cnt: DN matching context
1912 * Returns: 1 on success and 0 on failure
1913 */
get_value_from_field(const X509 * cert,char * field_str,struct tls_dn_field_order_cnt * dn_cnt)1914 static int get_value_from_field(const X509 *cert, char *field_str,
1915 struct tls_dn_field_order_cnt *dn_cnt)
1916 {
1917 int nid;
1918 char *context = NULL, *name, *value;
1919
1920 if (os_strcmp(field_str, "*") == 0)
1921 return 1; /* wildcard matches everything */
1922
1923 name = str_token(field_str, "=", &context);
1924 if (!name)
1925 return 0;
1926
1927 /* Compare all configured DN fields and assign nid based on that to
1928 * fetch correct value from certificate subject */
1929 if (os_strcmp(name, "CN") == 0) {
1930 nid = NID_commonName;
1931 dn_cnt->cn++;
1932 } else if(os_strcmp(name, "C") == 0) {
1933 nid = NID_countryName;
1934 dn_cnt->c++;
1935 } else if (os_strcmp(name, "L") == 0) {
1936 nid = NID_localityName;
1937 dn_cnt->l++;
1938 } else if (os_strcmp(name, "ST") == 0) {
1939 nid = NID_stateOrProvinceName;
1940 dn_cnt->st++;
1941 } else if (os_strcmp(name, "O") == 0) {
1942 nid = NID_organizationName;
1943 dn_cnt->o++;
1944 } else if (os_strcmp(name, "OU") == 0) {
1945 nid = NID_organizationalUnitName;
1946 dn_cnt->ou++;
1947 } else if (os_strcmp(name, "emailAddress") == 0) {
1948 nid = NID_pkcs9_emailAddress;
1949 dn_cnt->email++;
1950 } else {
1951 wpa_printf(MSG_ERROR,
1952 "TLS: Unknown field '%s' in check_cert_subject", name);
1953 return 0;
1954 }
1955
1956 value = str_token(field_str, "=", &context);
1957 if (!value) {
1958 wpa_printf(MSG_ERROR,
1959 "TLS: Distinguished Name field '%s' value is not defined in check_cert_subject",
1960 name);
1961 return 0;
1962 }
1963
1964 return match_dn_field(cert, nid, name, value, dn_cnt);
1965 }
1966
1967
1968 /**
1969 * tls_match_dn_field - Match subject DN field with check_cert_subject
1970 * @cert: Certificate
1971 * @match: check_cert_subject string
1972 * Returns: Return 1 on success and 0 on failure
1973 */
tls_match_dn_field(X509 * cert,const char * match)1974 static int tls_match_dn_field(X509 *cert, const char *match)
1975 {
1976 const char *token, *last = NULL;
1977 char field[256];
1978 struct tls_dn_field_order_cnt dn_cnt;
1979
1980 os_memset(&dn_cnt, 0, sizeof(dn_cnt));
1981
1982 /* Maximum length of each DN field is 255 characters */
1983
1984 /* Process each '/' delimited field */
1985 while ((token = cstr_token(match, "/", &last))) {
1986 if (last - token >= (int) sizeof(field)) {
1987 wpa_printf(MSG_ERROR,
1988 "OpenSSL: Too long DN matching field value in '%s'",
1989 match);
1990 return 0;
1991 }
1992 os_memcpy(field, token, last - token);
1993 field[last - token] = '\0';
1994
1995 if (!get_value_from_field(cert, field, &dn_cnt)) {
1996 wpa_printf(MSG_DEBUG, "OpenSSL: No match for DN '%s'",
1997 field);
1998 return 0;
1999 }
2000 }
2001
2002 return 1;
2003 }
2004
2005
2006 #ifndef CONFIG_NATIVE_WINDOWS
tls_match_suffix_helper(X509 * cert,const char * match,size_t match_len,int full)2007 static int tls_match_suffix_helper(X509 *cert, const char *match,
2008 size_t match_len, int full)
2009 {
2010 GENERAL_NAME *gen;
2011 void *ext;
2012 int i;
2013 stack_index_t j;
2014 int dns_name = 0;
2015 X509_NAME *name;
2016
2017 wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s",
2018 full ? "": "suffix ", match);
2019
2020 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
2021
2022 for (j = 0; ext && j < sk_GENERAL_NAME_num(ext); j++) {
2023 gen = sk_GENERAL_NAME_value(ext, j);
2024 if (gen->type != GEN_DNS)
2025 continue;
2026 dns_name++;
2027 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
2028 gen->d.dNSName->data,
2029 gen->d.dNSName->length);
2030 if (domain_suffix_match(gen->d.dNSName->data,
2031 gen->d.dNSName->length,
2032 match, match_len, full) == 1) {
2033 wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
2034 full ? "Match" : "Suffix match");
2035 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2036 return 1;
2037 }
2038 }
2039 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2040
2041 if (dns_name) {
2042 wpa_printf(MSG_DEBUG, "TLS: None of the dNSName(s) matched");
2043 return 0;
2044 }
2045
2046 name = X509_get_subject_name(cert);
2047 i = -1;
2048 for (;;) {
2049 X509_NAME_ENTRY *e;
2050 ASN1_STRING *cn;
2051
2052 i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
2053 if (i == -1)
2054 break;
2055 e = X509_NAME_get_entry(name, i);
2056 if (e == NULL)
2057 continue;
2058 cn = X509_NAME_ENTRY_get_data(e);
2059 if (cn == NULL)
2060 continue;
2061 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
2062 cn->data, cn->length);
2063 if (domain_suffix_match(cn->data, cn->length,
2064 match, match_len, full) == 1) {
2065 wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
2066 full ? "Match" : "Suffix match");
2067 return 1;
2068 }
2069 }
2070
2071 wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found",
2072 full ? "": "suffix ");
2073 return 0;
2074 }
2075 #endif /* CONFIG_NATIVE_WINDOWS */
2076
2077
tls_match_suffix(X509 * cert,const char * match,int full)2078 static int tls_match_suffix(X509 *cert, const char *match, int full)
2079 {
2080 #ifdef CONFIG_NATIVE_WINDOWS
2081 /* wincrypt.h has conflicting X509_NAME definition */
2082 return -1;
2083 #else /* CONFIG_NATIVE_WINDOWS */
2084 const char *token, *last = NULL;
2085
2086 /* Process each match alternative separately until a match is found */
2087 while ((token = cstr_token(match, ";", &last))) {
2088 if (tls_match_suffix_helper(cert, token, last - token, full))
2089 return 1;
2090 }
2091
2092 return 0;
2093 #endif /* CONFIG_NATIVE_WINDOWS */
2094 }
2095
2096
openssl_tls_fail_reason(int err)2097 static enum tls_fail_reason openssl_tls_fail_reason(int err)
2098 {
2099 switch (err) {
2100 case X509_V_ERR_CERT_REVOKED:
2101 return TLS_FAIL_REVOKED;
2102 case X509_V_ERR_CERT_NOT_YET_VALID:
2103 case X509_V_ERR_CRL_NOT_YET_VALID:
2104 return TLS_FAIL_NOT_YET_VALID;
2105 case X509_V_ERR_CERT_HAS_EXPIRED:
2106 case X509_V_ERR_CRL_HAS_EXPIRED:
2107 return TLS_FAIL_EXPIRED;
2108 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
2109 case X509_V_ERR_UNABLE_TO_GET_CRL:
2110 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
2111 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
2112 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
2113 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2114 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
2115 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
2116 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
2117 case X509_V_ERR_INVALID_CA:
2118 return TLS_FAIL_UNTRUSTED;
2119 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
2120 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
2121 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
2122 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
2123 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
2124 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
2125 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
2126 case X509_V_ERR_CERT_UNTRUSTED:
2127 case X509_V_ERR_CERT_REJECTED:
2128 return TLS_FAIL_BAD_CERTIFICATE;
2129 default:
2130 return TLS_FAIL_UNSPECIFIED;
2131 }
2132 }
2133
2134
get_x509_cert(X509 * cert)2135 static struct wpabuf * get_x509_cert(X509 *cert)
2136 {
2137 struct wpabuf *buf;
2138 u8 *tmp;
2139
2140 int cert_len = i2d_X509(cert, NULL);
2141 if (cert_len <= 0)
2142 return NULL;
2143
2144 buf = wpabuf_alloc(cert_len);
2145 if (buf == NULL)
2146 return NULL;
2147
2148 tmp = wpabuf_put(buf, cert_len);
2149 i2d_X509(cert, &tmp);
2150 return buf;
2151 }
2152
2153
openssl_tls_fail_event(struct tls_connection * conn,X509 * err_cert,int err,int depth,const char * subject,const char * err_str,enum tls_fail_reason reason)2154 static void openssl_tls_fail_event(struct tls_connection *conn,
2155 X509 *err_cert, int err, int depth,
2156 const char *subject, const char *err_str,
2157 enum tls_fail_reason reason)
2158 {
2159 union tls_event_data ev;
2160 struct wpabuf *cert = NULL;
2161 struct tls_context *context = conn->context;
2162
2163 if (context->event_cb == NULL)
2164 return;
2165
2166 cert = get_x509_cert(err_cert);
2167 os_memset(&ev, 0, sizeof(ev));
2168 ev.cert_fail.reason = reason != TLS_FAIL_UNSPECIFIED ?
2169 reason : openssl_tls_fail_reason(err);
2170 ev.cert_fail.depth = depth;
2171 ev.cert_fail.subject = subject;
2172 ev.cert_fail.reason_txt = err_str;
2173 ev.cert_fail.cert = cert;
2174 context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
2175 wpabuf_free(cert);
2176 }
2177
2178
openssl_cert_tod(X509 * cert)2179 static int openssl_cert_tod(X509 *cert)
2180 {
2181 CERTIFICATEPOLICIES *ext;
2182 stack_index_t i;
2183 char buf[100];
2184 int res;
2185 int tod = 0;
2186
2187 ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
2188 if (!ext)
2189 return 0;
2190
2191 for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
2192 POLICYINFO *policy;
2193
2194 policy = sk_POLICYINFO_value(ext, i);
2195 res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
2196 if (res < 0 || (size_t) res >= sizeof(buf))
2197 continue;
2198 wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
2199 if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
2200 tod = 1; /* TOD-STRICT */
2201 else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
2202 tod = 2; /* TOD-TOFU */
2203 }
2204 sk_POLICYINFO_pop_free(ext, POLICYINFO_free);
2205
2206 return tod;
2207 }
2208
2209
openssl_tls_cert_event(struct tls_connection * conn,X509 * err_cert,int depth,const char * subject)2210 static void openssl_tls_cert_event(struct tls_connection *conn,
2211 X509 *err_cert, int depth,
2212 const char *subject)
2213 {
2214 struct wpabuf *cert = NULL;
2215 union tls_event_data ev;
2216 struct tls_context *context = conn->context;
2217 char *altsubject[TLS_MAX_ALT_SUBJECT];
2218 int alt, num_altsubject = 0;
2219 GENERAL_NAME *gen;
2220 void *ext;
2221 stack_index_t i;
2222 ASN1_INTEGER *ser;
2223 char serial_num[128];
2224 #ifdef CONFIG_SHA256
2225 u8 hash[32];
2226 #endif /* CONFIG_SHA256 */
2227
2228 if (context->event_cb == NULL)
2229 return;
2230
2231 os_memset(&ev, 0, sizeof(ev));
2232 if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) ||
2233 context->cert_in_cb) {
2234 cert = get_x509_cert(err_cert);
2235 ev.peer_cert.cert = cert;
2236 }
2237 #ifdef CONFIG_SHA256
2238 if (cert) {
2239 const u8 *addr[1];
2240 size_t len[1];
2241 addr[0] = wpabuf_head(cert);
2242 len[0] = wpabuf_len(cert);
2243 if (sha256_vector(1, addr, len, hash) == 0) {
2244 ev.peer_cert.hash = hash;
2245 ev.peer_cert.hash_len = sizeof(hash);
2246 }
2247 }
2248 #endif /* CONFIG_SHA256 */
2249 ev.peer_cert.depth = depth;
2250 ev.peer_cert.subject = subject;
2251
2252 ser = X509_get_serialNumber(err_cert);
2253 if (ser) {
2254 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
2255 ASN1_STRING_get0_data(ser),
2256 ASN1_STRING_length(ser));
2257 ev.peer_cert.serial_num = serial_num;
2258 }
2259
2260 ext = X509_get_ext_d2i(err_cert, NID_subject_alt_name, NULL, NULL);
2261 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
2262 char *pos;
2263
2264 if (num_altsubject == TLS_MAX_ALT_SUBJECT)
2265 break;
2266 gen = sk_GENERAL_NAME_value(ext, i);
2267 if (gen->type != GEN_EMAIL &&
2268 gen->type != GEN_DNS &&
2269 gen->type != GEN_URI)
2270 continue;
2271
2272 pos = os_malloc(10 + gen->d.ia5->length + 1);
2273 if (pos == NULL)
2274 break;
2275 altsubject[num_altsubject++] = pos;
2276
2277 switch (gen->type) {
2278 case GEN_EMAIL:
2279 os_memcpy(pos, "EMAIL:", 6);
2280 pos += 6;
2281 break;
2282 case GEN_DNS:
2283 os_memcpy(pos, "DNS:", 4);
2284 pos += 4;
2285 break;
2286 case GEN_URI:
2287 os_memcpy(pos, "URI:", 4);
2288 pos += 4;
2289 break;
2290 }
2291
2292 os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length);
2293 pos += gen->d.ia5->length;
2294 *pos = '\0';
2295 }
2296 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2297
2298 for (alt = 0; alt < num_altsubject; alt++)
2299 ev.peer_cert.altsubject[alt] = altsubject[alt];
2300 ev.peer_cert.num_altsubject = num_altsubject;
2301
2302 ev.peer_cert.tod = openssl_cert_tod(err_cert);
2303
2304 context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
2305 wpabuf_free(cert);
2306 for (alt = 0; alt < num_altsubject; alt++)
2307 os_free(altsubject[alt]);
2308 }
2309
2310
debug_print_cert(X509 * cert,const char * title)2311 static void debug_print_cert(X509 *cert, const char *title)
2312 {
2313 #ifndef CONFIG_NO_STDOUT_DEBUG
2314 BIO *out;
2315 size_t rlen;
2316 char *txt;
2317 int res;
2318
2319 if (wpa_debug_level > MSG_DEBUG)
2320 return;
2321
2322 out = BIO_new(BIO_s_mem());
2323 if (!out)
2324 return;
2325
2326 X509_print(out, cert);
2327 rlen = BIO_ctrl_pending(out);
2328 txt = os_malloc(rlen + 1);
2329 if (txt) {
2330 res = BIO_read(out, txt, rlen);
2331 if (res > 0) {
2332 txt[res] = '\0';
2333 wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt);
2334 }
2335 os_free(txt);
2336 }
2337
2338 BIO_free(out);
2339 #endif /* CONFIG_NO_STDOUT_DEBUG */
2340 }
2341
2342
tls_verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)2343 static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
2344 {
2345 char buf[256];
2346 X509 *err_cert;
2347 int err, depth;
2348 SSL *ssl;
2349 struct tls_connection *conn;
2350 struct tls_context *context;
2351 char *match, *altmatch, *suffix_match, *domain_match;
2352 const char *check_cert_subject;
2353 const char *err_str;
2354
2355 err_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
2356 if (!err_cert)
2357 return 0;
2358
2359 err = X509_STORE_CTX_get_error(x509_ctx);
2360 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
2361 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
2362 SSL_get_ex_data_X509_STORE_CTX_idx());
2363 os_snprintf(buf, sizeof(buf), "Peer certificate - depth %d", depth);
2364 debug_print_cert(err_cert, buf);
2365 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
2366
2367 conn = SSL_get_app_data(ssl);
2368 if (conn == NULL)
2369 return 0;
2370
2371 if (depth == 0)
2372 conn->peer_cert = err_cert;
2373 else if (depth == 1)
2374 conn->peer_issuer = err_cert;
2375 else if (depth == 2)
2376 conn->peer_issuer_issuer = err_cert;
2377
2378 context = conn->context;
2379 match = conn->subject_match;
2380 altmatch = conn->altsubject_match;
2381 suffix_match = conn->suffix_match;
2382 domain_match = conn->domain_match;
2383
2384 if (!preverify_ok && !conn->ca_cert_verify)
2385 preverify_ok = 1;
2386 if (!preverify_ok && depth > 0 && conn->server_cert_only)
2387 preverify_ok = 1;
2388 if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
2389 (err == X509_V_ERR_CERT_HAS_EXPIRED ||
2390 err == X509_V_ERR_CERT_NOT_YET_VALID)) {
2391 wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
2392 "time mismatch");
2393 preverify_ok = 1;
2394 }
2395 if (!preverify_ok && !conn->data->check_crl_strict &&
2396 (err == X509_V_ERR_CRL_HAS_EXPIRED ||
2397 err == X509_V_ERR_CRL_NOT_YET_VALID)) {
2398 wpa_printf(MSG_DEBUG,
2399 "OpenSSL: Ignore certificate validity CRL time mismatch");
2400 preverify_ok = 1;
2401 }
2402
2403 err_str = X509_verify_cert_error_string(err);
2404
2405 #ifdef CONFIG_SHA256
2406 /*
2407 * Do not require preverify_ok so we can explicity allow otherwise
2408 * invalid pinned server certificates.
2409 */
2410 if (depth == 0 && conn->server_cert_only) {
2411 struct wpabuf *cert;
2412 cert = get_x509_cert(err_cert);
2413 if (!cert) {
2414 wpa_printf(MSG_DEBUG, "OpenSSL: Could not fetch "
2415 "server certificate data");
2416 preverify_ok = 0;
2417 } else {
2418 u8 hash[32];
2419 const u8 *addr[1];
2420 size_t len[1];
2421 addr[0] = wpabuf_head(cert);
2422 len[0] = wpabuf_len(cert);
2423 if (sha256_vector(1, addr, len, hash) < 0 ||
2424 os_memcmp(conn->srv_cert_hash, hash, 32) != 0) {
2425 err_str = "Server certificate mismatch";
2426 err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
2427 preverify_ok = 0;
2428 } else if (!preverify_ok) {
2429 /*
2430 * Certificate matches pinned certificate, allow
2431 * regardless of other problems.
2432 */
2433 wpa_printf(MSG_DEBUG,
2434 "OpenSSL: Ignore validation issues for a pinned server certificate");
2435 preverify_ok = 1;
2436 }
2437 wpabuf_free(cert);
2438 }
2439 }
2440 #endif /* CONFIG_SHA256 */
2441
2442 openssl_tls_cert_event(conn, err_cert, depth, buf);
2443
2444 if (!preverify_ok) {
2445 if (depth > 0) {
2446 /* Send cert event for the peer certificate so that
2447 * the upper layers get information about it even if
2448 * validation of a CA certificate fails. */
2449 STACK_OF(X509) *chain;
2450
2451 chain = X509_STORE_CTX_get1_chain(x509_ctx);
2452 if (chain && sk_X509_num(chain) > 0) {
2453 char buf2[256];
2454 X509 *cert;
2455
2456 cert = sk_X509_value(chain, 0);
2457 X509_NAME_oneline(X509_get_subject_name(cert),
2458 buf2, sizeof(buf2));
2459
2460 openssl_tls_cert_event(conn, cert, 0, buf2);
2461 }
2462 if (chain)
2463 sk_X509_pop_free(chain, X509_free);
2464 }
2465
2466 wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
2467 " error %d (%s) depth %d for '%s'", err, err_str,
2468 depth, buf);
2469 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2470 err_str, TLS_FAIL_UNSPECIFIED);
2471 return preverify_ok;
2472 }
2473
2474 wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb - preverify_ok=%d "
2475 "err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'",
2476 preverify_ok, err, err_str,
2477 conn->ca_cert_verify, depth, buf);
2478 check_cert_subject = conn->check_cert_subject;
2479 if (!check_cert_subject)
2480 check_cert_subject = conn->data->check_cert_subject;
2481 if (check_cert_subject) {
2482 if (depth == 0 &&
2483 !tls_match_dn_field(err_cert, check_cert_subject)) {
2484 preverify_ok = 0;
2485 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2486 "Distinguished Name",
2487 TLS_FAIL_DN_MISMATCH);
2488 }
2489 }
2490 if (depth == 0 && match && os_strstr(buf, match) == NULL) {
2491 wpa_printf(MSG_WARNING, "TLS: Subject '%s' did not "
2492 "match with '%s'", buf, match);
2493 preverify_ok = 0;
2494 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2495 "Subject mismatch",
2496 TLS_FAIL_SUBJECT_MISMATCH);
2497 } else if (depth == 0 && altmatch &&
2498 !tls_match_altsubject(err_cert, altmatch)) {
2499 wpa_printf(MSG_WARNING, "TLS: altSubjectName match "
2500 "'%s' not found", altmatch);
2501 preverify_ok = 0;
2502 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2503 "AltSubject mismatch",
2504 TLS_FAIL_ALTSUBJECT_MISMATCH);
2505 } else if (depth == 0 && suffix_match &&
2506 !tls_match_suffix(err_cert, suffix_match, 0)) {
2507 wpa_printf(MSG_WARNING, "TLS: Domain suffix match '%s' not found",
2508 suffix_match);
2509 preverify_ok = 0;
2510 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2511 "Domain suffix mismatch",
2512 TLS_FAIL_DOMAIN_SUFFIX_MISMATCH);
2513 } else if (depth == 0 && domain_match &&
2514 !tls_match_suffix(err_cert, domain_match, 1)) {
2515 wpa_printf(MSG_WARNING, "TLS: Domain match '%s' not found",
2516 domain_match);
2517 preverify_ok = 0;
2518 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2519 "Domain mismatch",
2520 TLS_FAIL_DOMAIN_MISMATCH);
2521 }
2522
2523 if (conn->cert_probe && preverify_ok && depth == 0) {
2524 wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate "
2525 "on probe-only run");
2526 preverify_ok = 0;
2527 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2528 "Server certificate chain probe",
2529 TLS_FAIL_SERVER_CHAIN_PROBE);
2530 }
2531
2532 #ifdef CONFIG_SUITEB
2533 if (conn->flags & TLS_CONN_SUITEB) {
2534 EVP_PKEY *pk;
2535 RSA *rsa;
2536 int len = -1;
2537
2538 pk = X509_get_pubkey(err_cert);
2539 if (pk) {
2540 rsa = EVP_PKEY_get1_RSA(pk);
2541 if (rsa) {
2542 len = RSA_bits(rsa);
2543 RSA_free(rsa);
2544 }
2545 EVP_PKEY_free(pk);
2546 }
2547
2548 if (len >= 0) {
2549 wpa_printf(MSG_DEBUG,
2550 "OpenSSL: RSA modulus size: %d bits", len);
2551 if (len < 3072) {
2552 preverify_ok = 0;
2553 openssl_tls_fail_event(
2554 conn, err_cert, err,
2555 depth, buf,
2556 "Insufficient RSA modulus size",
2557 TLS_FAIL_INSUFFICIENT_KEY_LEN);
2558 }
2559 }
2560 }
2561 #endif /* CONFIG_SUITEB */
2562
2563 #ifdef OPENSSL_IS_BORINGSSL
2564 if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) &&
2565 preverify_ok) {
2566 enum ocsp_result res;
2567
2568 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert,
2569 conn->peer_issuer,
2570 conn->peer_issuer_issuer);
2571 if (res == OCSP_REVOKED) {
2572 preverify_ok = 0;
2573 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2574 "certificate revoked",
2575 TLS_FAIL_REVOKED);
2576 if (err == X509_V_OK)
2577 X509_STORE_CTX_set_error(
2578 x509_ctx, X509_V_ERR_CERT_REVOKED);
2579 } else if (res != OCSP_GOOD &&
2580 (conn->flags & TLS_CONN_REQUIRE_OCSP)) {
2581 preverify_ok = 0;
2582 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2583 "bad certificate status response",
2584 TLS_FAIL_UNSPECIFIED);
2585 }
2586 }
2587 #endif /* OPENSSL_IS_BORINGSSL */
2588
2589 if (depth == 0 && preverify_ok && context->event_cb != NULL)
2590 context->event_cb(context->cb_ctx,
2591 TLS_CERT_CHAIN_SUCCESS, NULL);
2592
2593 if (depth == 0 && preverify_ok) {
2594 os_free(conn->peer_subject);
2595 conn->peer_subject = os_strdup(buf);
2596 }
2597
2598 return preverify_ok;
2599 }
2600
2601
2602 #ifndef OPENSSL_NO_STDIO
tls_load_ca_der(struct tls_data * data,const char * ca_cert)2603 static int tls_load_ca_der(struct tls_data *data, const char *ca_cert)
2604 {
2605 SSL_CTX *ssl_ctx = data->ssl;
2606 X509_LOOKUP *lookup;
2607 int ret = 0;
2608
2609 lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx),
2610 X509_LOOKUP_file());
2611 if (lookup == NULL) {
2612 tls_show_errors(MSG_WARNING, __func__,
2613 "Failed add lookup for X509 store");
2614 return -1;
2615 }
2616
2617 if (!X509_LOOKUP_load_file(lookup, ca_cert, X509_FILETYPE_ASN1)) {
2618 unsigned long err = ERR_peek_error();
2619 tls_show_errors(MSG_WARNING, __func__,
2620 "Failed load CA in DER format");
2621 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2622 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2623 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2624 "cert already in hash table error",
2625 __func__);
2626 } else
2627 ret = -1;
2628 }
2629
2630 return ret;
2631 }
2632 #endif /* OPENSSL_NO_STDIO */
2633
2634
tls_connection_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert,const u8 * ca_cert_blob,size_t ca_cert_blob_len,const char * ca_path)2635 static int tls_connection_ca_cert(struct tls_data *data,
2636 struct tls_connection *conn,
2637 const char *ca_cert, const u8 *ca_cert_blob,
2638 size_t ca_cert_blob_len, const char *ca_path)
2639 {
2640 SSL_CTX *ssl_ctx = data->ssl;
2641 X509_STORE *store;
2642
2643 /*
2644 * Remove previously configured trusted CA certificates before adding
2645 * new ones.
2646 */
2647 store = X509_STORE_new();
2648 if (store == NULL) {
2649 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
2650 "certificate store", __func__);
2651 return -1;
2652 }
2653 SSL_CTX_set_cert_store(ssl_ctx, store);
2654
2655 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2656 conn->ca_cert_verify = 1;
2657
2658 if (ca_cert && os_strncmp(ca_cert, "probe://", 8) == 0) {
2659 wpa_printf(MSG_DEBUG, "OpenSSL: Probe for server certificate "
2660 "chain");
2661 conn->cert_probe = 1;
2662 conn->ca_cert_verify = 0;
2663 return 0;
2664 }
2665
2666 if (ca_cert && os_strncmp(ca_cert, "hash://", 7) == 0) {
2667 #ifdef CONFIG_SHA256
2668 const char *pos = ca_cert + 7;
2669 if (os_strncmp(pos, "server/sha256/", 14) != 0) {
2670 wpa_printf(MSG_DEBUG, "OpenSSL: Unsupported ca_cert "
2671 "hash value '%s'", ca_cert);
2672 return -1;
2673 }
2674 pos += 14;
2675 if (os_strlen(pos) != 32 * 2) {
2676 wpa_printf(MSG_DEBUG, "OpenSSL: Unexpected SHA256 "
2677 "hash length in ca_cert '%s'", ca_cert);
2678 return -1;
2679 }
2680 if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) {
2681 wpa_printf(MSG_DEBUG, "OpenSSL: Invalid SHA256 hash "
2682 "value in ca_cert '%s'", ca_cert);
2683 return -1;
2684 }
2685 conn->server_cert_only = 1;
2686 wpa_printf(MSG_DEBUG, "OpenSSL: Checking only server "
2687 "certificate match");
2688 return 0;
2689 #else /* CONFIG_SHA256 */
2690 wpa_printf(MSG_INFO, "No SHA256 included in the build - "
2691 "cannot validate server certificate hash");
2692 return -1;
2693 #endif /* CONFIG_SHA256 */
2694 }
2695
2696 if (ca_cert_blob) {
2697 X509 *cert = d2i_X509(NULL,
2698 (const unsigned char **) &ca_cert_blob,
2699 ca_cert_blob_len);
2700 if (cert == NULL) {
2701 BIO *bio = BIO_new_mem_buf(ca_cert_blob,
2702 ca_cert_blob_len);
2703
2704 if (bio) {
2705 cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
2706 BIO_free(bio);
2707 }
2708
2709 if (!cert) {
2710 tls_show_errors(MSG_WARNING, __func__,
2711 "Failed to parse ca_cert_blob");
2712 return -1;
2713 }
2714
2715 while (ERR_get_error()) {
2716 /* Ignore errors from DER conversion. */
2717 }
2718 }
2719
2720 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
2721 cert)) {
2722 unsigned long err = ERR_peek_error();
2723 tls_show_errors(MSG_WARNING, __func__,
2724 "Failed to add ca_cert_blob to "
2725 "certificate store");
2726 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2727 ERR_GET_REASON(err) ==
2728 X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2729 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2730 "cert already in hash table error",
2731 __func__);
2732 } else {
2733 X509_free(cert);
2734 return -1;
2735 }
2736 }
2737 X509_free(cert);
2738 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob "
2739 "to certificate store", __func__);
2740 return 0;
2741 }
2742
2743 #ifdef ANDROID
2744 /* Single alias */
2745 if (ca_cert && os_strncmp("keystore://", ca_cert, 11) == 0) {
2746 if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx),
2747 &ca_cert[11]) < 0)
2748 return -1;
2749 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2750 return 0;
2751 }
2752
2753 /* Multiple aliases separated by space */
2754 if (ca_cert && os_strncmp("keystores://", ca_cert, 12) == 0) {
2755 char *aliases = os_strdup(&ca_cert[12]);
2756 const char *delim = " ";
2757 int rc = 0;
2758 char *savedptr;
2759 char *alias;
2760
2761 if (!aliases)
2762 return -1;
2763 alias = strtok_r(aliases, delim, &savedptr);
2764 for (; alias; alias = strtok_r(NULL, delim, &savedptr)) {
2765 if (tls_add_ca_from_keystore_encoded(
2766 SSL_CTX_get_cert_store(ssl_ctx), alias)) {
2767 wpa_printf(MSG_WARNING,
2768 "OpenSSL: %s - Failed to add ca_cert %s from keystore",
2769 __func__, alias);
2770 rc = -1;
2771 break;
2772 }
2773 }
2774 os_free(aliases);
2775 if (rc)
2776 return rc;
2777
2778 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2779 return 0;
2780 }
2781 #endif /* ANDROID */
2782
2783 #ifdef CONFIG_NATIVE_WINDOWS
2784 if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) ==
2785 0) {
2786 wpa_printf(MSG_DEBUG, "OpenSSL: Added CA certificates from "
2787 "system certificate store");
2788 return 0;
2789 }
2790 #endif /* CONFIG_NATIVE_WINDOWS */
2791
2792 if (ca_cert || ca_path) {
2793 #ifndef OPENSSL_NO_STDIO
2794 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, ca_path) !=
2795 1) {
2796 tls_show_errors(MSG_WARNING, __func__,
2797 "Failed to load root certificates");
2798 if (ca_cert &&
2799 tls_load_ca_der(data, ca_cert) == 0) {
2800 wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded "
2801 "DER format CA certificate",
2802 __func__);
2803 } else
2804 return -1;
2805 } else {
2806 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
2807 "certificate(s) loaded");
2808 tls_get_errors(data);
2809 }
2810 #else /* OPENSSL_NO_STDIO */
2811 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO",
2812 __func__);
2813 return -1;
2814 #endif /* OPENSSL_NO_STDIO */
2815 } else {
2816 /* No ca_cert configured - do not try to verify server
2817 * certificate */
2818 conn->ca_cert_verify = 0;
2819 }
2820
2821 return 0;
2822 }
2823
2824
tls_global_ca_cert(struct tls_data * data,const char * ca_cert)2825 static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert)
2826 {
2827 SSL_CTX *ssl_ctx = data->ssl;
2828
2829 if (ca_cert) {
2830 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1)
2831 {
2832 tls_show_errors(MSG_WARNING, __func__,
2833 "Failed to load root certificates");
2834 return -1;
2835 }
2836
2837 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
2838 "certificate(s) loaded");
2839
2840 #ifndef OPENSSL_NO_STDIO
2841 /* Add the same CAs to the client certificate requests */
2842 SSL_CTX_set_client_CA_list(ssl_ctx,
2843 SSL_load_client_CA_file(ca_cert));
2844 #endif /* OPENSSL_NO_STDIO */
2845
2846 os_free(data->ca_cert);
2847 data->ca_cert = os_strdup(ca_cert);
2848 }
2849
2850 return 0;
2851 }
2852
2853
tls_global_set_verify(void * ssl_ctx,int check_crl,int strict)2854 int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
2855 {
2856 int flags;
2857
2858 if (check_crl) {
2859 struct tls_data *data = ssl_ctx;
2860 X509_STORE *cs = SSL_CTX_get_cert_store(data->ssl);
2861 if (cs == NULL) {
2862 tls_show_errors(MSG_INFO, __func__, "Failed to get "
2863 "certificate store when enabling "
2864 "check_crl");
2865 return -1;
2866 }
2867 flags = X509_V_FLAG_CRL_CHECK;
2868 if (check_crl == 2)
2869 flags |= X509_V_FLAG_CRL_CHECK_ALL;
2870 X509_STORE_set_flags(cs, flags);
2871
2872 data->check_crl = check_crl;
2873 data->check_crl_strict = strict;
2874 os_get_reltime(&data->crl_last_reload);
2875 }
2876 return 0;
2877 }
2878
2879
tls_connection_set_subject_match(struct tls_connection * conn,const char * subject_match,const char * altsubject_match,const char * suffix_match,const char * domain_match,const char * check_cert_subject)2880 static int tls_connection_set_subject_match(struct tls_connection *conn,
2881 const char *subject_match,
2882 const char *altsubject_match,
2883 const char *suffix_match,
2884 const char *domain_match,
2885 const char *check_cert_subject)
2886 {
2887 os_free(conn->subject_match);
2888 conn->subject_match = NULL;
2889 if (subject_match) {
2890 conn->subject_match = os_strdup(subject_match);
2891 if (conn->subject_match == NULL)
2892 return -1;
2893 }
2894
2895 os_free(conn->altsubject_match);
2896 conn->altsubject_match = NULL;
2897 if (altsubject_match) {
2898 conn->altsubject_match = os_strdup(altsubject_match);
2899 if (conn->altsubject_match == NULL)
2900 return -1;
2901 }
2902
2903 os_free(conn->suffix_match);
2904 conn->suffix_match = NULL;
2905 if (suffix_match) {
2906 conn->suffix_match = os_strdup(suffix_match);
2907 if (conn->suffix_match == NULL)
2908 return -1;
2909 }
2910
2911 os_free(conn->domain_match);
2912 conn->domain_match = NULL;
2913 if (domain_match) {
2914 conn->domain_match = os_strdup(domain_match);
2915 if (conn->domain_match == NULL)
2916 return -1;
2917 }
2918
2919 os_free(conn->check_cert_subject);
2920 conn->check_cert_subject = NULL;
2921 if (check_cert_subject) {
2922 conn->check_cert_subject = os_strdup(check_cert_subject);
2923 if (!conn->check_cert_subject)
2924 return -1;
2925 }
2926
2927 return 0;
2928 }
2929
2930
2931 #ifdef CONFIG_SUITEB
2932 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
suiteb_cert_cb(SSL * ssl,void * arg)2933 static int suiteb_cert_cb(SSL *ssl, void *arg)
2934 {
2935 struct tls_connection *conn = arg;
2936
2937 /*
2938 * This cert_cb() is not really the best location for doing a
2939 * constraint check for the ServerKeyExchange message, but this seems to
2940 * be the only place where the current OpenSSL sequence can be
2941 * terminated cleanly with an TLS alert going out to the server.
2942 */
2943
2944 if (!(conn->flags & TLS_CONN_SUITEB))
2945 return 1;
2946
2947 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
2948 if (conn->cipher_suite != 0x9f)
2949 return 1;
2950
2951 if (conn->server_dh_prime_len >= 3072)
2952 return 1;
2953
2954 wpa_printf(MSG_DEBUG,
2955 "OpenSSL: Server DH prime length (%d bits) not sufficient for Suite B RSA - reject handshake",
2956 conn->server_dh_prime_len);
2957 return 0;
2958 }
2959 #endif /* OPENSSL_VERSION_NUMBER */
2960 #endif /* CONFIG_SUITEB */
2961
2962
tls_set_conn_flags(struct tls_connection * conn,unsigned int flags,const char * openssl_ciphers)2963 static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
2964 const char *openssl_ciphers)
2965 {
2966 SSL *ssl = conn->ssl;
2967
2968 #ifdef SSL_OP_NO_TICKET
2969 if (flags & TLS_CONN_DISABLE_SESSION_TICKET)
2970 SSL_set_options(ssl, SSL_OP_NO_TICKET);
2971 else
2972 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2973 #endif /* SSL_OP_NO_TICKET */
2974
2975 #ifdef SSL_OP_NO_TLSv1
2976 if (flags & TLS_CONN_DISABLE_TLSv1_0)
2977 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
2978 else
2979 SSL_clear_options(ssl, SSL_OP_NO_TLSv1);
2980 #endif /* SSL_OP_NO_TLSv1 */
2981 #ifdef SSL_OP_NO_TLSv1_1
2982 if (flags & TLS_CONN_DISABLE_TLSv1_1)
2983 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
2984 else
2985 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1);
2986 #endif /* SSL_OP_NO_TLSv1_1 */
2987 #ifdef SSL_OP_NO_TLSv1_2
2988 if (flags & TLS_CONN_DISABLE_TLSv1_2)
2989 SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
2990 else
2991 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
2992 #endif /* SSL_OP_NO_TLSv1_2 */
2993 #ifdef SSL_OP_NO_TLSv1_3
2994 if (flags & TLS_CONN_DISABLE_TLSv1_3)
2995 SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
2996 else
2997 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
2998 #endif /* SSL_OP_NO_TLSv1_3 */
2999 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
3000 if (flags & (TLS_CONN_ENABLE_TLSv1_0 |
3001 TLS_CONN_ENABLE_TLSv1_1 |
3002 TLS_CONN_ENABLE_TLSv1_2)) {
3003 int version = 0;
3004
3005 /* Explicit request to enable TLS versions even if needing to
3006 * override systemwide policies. */
3007 if (flags & TLS_CONN_ENABLE_TLSv1_0)
3008 version = TLS1_VERSION;
3009 else if (flags & TLS_CONN_ENABLE_TLSv1_1)
3010 version = TLS1_1_VERSION;
3011 else if (flags & TLS_CONN_ENABLE_TLSv1_2)
3012 version = TLS1_2_VERSION;
3013 if (!version) {
3014 wpa_printf(MSG_DEBUG,
3015 "OpenSSL: Invalid TLS version configuration");
3016 return -1;
3017 }
3018
3019 if (SSL_set_min_proto_version(ssl, version) != 1) {
3020 wpa_printf(MSG_DEBUG,
3021 "OpenSSL: Failed to set minimum TLS version");
3022 return -1;
3023 }
3024 }
3025 #endif /* >= 1.1.0 */
3026 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3027 !defined(LIBRESSL_VERSION_NUMBER) && \
3028 !defined(OPENSSL_IS_BORINGSSL)
3029 {
3030 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3031 int need_level = 0;
3032 #else
3033 int need_level = 1;
3034 #endif
3035
3036 if ((flags &
3037 (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
3038 SSL_get_security_level(ssl) > need_level) {
3039 /*
3040 * Need to drop to security level 1 (or 0 with OpenSSL
3041 * 3.0) to allow TLS versions older than 1.2 to be used
3042 * when explicitly enabled in configuration.
3043 */
3044 SSL_set_security_level(conn->ssl, need_level);
3045 }
3046 }
3047 #endif
3048
3049 #ifdef CONFIG_SUITEB
3050 #ifdef OPENSSL_IS_BORINGSSL
3051 /* Start with defaults from BoringSSL */
3052 SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, NULL, 0);
3053 #endif /* OPENSSL_IS_BORINGSSL */
3054 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
3055 if (flags & TLS_CONN_SUITEB_NO_ECDH) {
3056 const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
3057
3058 if (openssl_ciphers) {
3059 wpa_printf(MSG_DEBUG,
3060 "OpenSSL: Override ciphers for Suite B (no ECDH): %s",
3061 openssl_ciphers);
3062 ciphers = openssl_ciphers;
3063 }
3064 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3065 wpa_printf(MSG_INFO,
3066 "OpenSSL: Failed to set Suite B ciphers");
3067 return -1;
3068 }
3069 } else if (flags & TLS_CONN_SUITEB) {
3070 EC_KEY *ecdh;
3071 const char *ciphers =
3072 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
3073 int nid[1] = { NID_secp384r1 };
3074
3075 if (openssl_ciphers) {
3076 wpa_printf(MSG_DEBUG,
3077 "OpenSSL: Override ciphers for Suite B: %s",
3078 openssl_ciphers);
3079 ciphers = openssl_ciphers;
3080 }
3081 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3082 wpa_printf(MSG_INFO,
3083 "OpenSSL: Failed to set Suite B ciphers");
3084 return -1;
3085 }
3086
3087 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3088 wpa_printf(MSG_INFO,
3089 "OpenSSL: Failed to set Suite B curves");
3090 return -1;
3091 }
3092
3093 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
3094 if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
3095 EC_KEY_free(ecdh);
3096 wpa_printf(MSG_INFO,
3097 "OpenSSL: Failed to set ECDH parameter");
3098 return -1;
3099 }
3100 EC_KEY_free(ecdh);
3101 }
3102 if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) {
3103 #ifdef OPENSSL_IS_BORINGSSL
3104 uint16_t sigalgs[1] = { SSL_SIGN_RSA_PKCS1_SHA384 };
3105
3106 if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs,
3107 1) != 1) {
3108 wpa_printf(MSG_INFO,
3109 "OpenSSL: Failed to set Suite B sigalgs");
3110 return -1;
3111 }
3112 #else /* OPENSSL_IS_BORINGSSL */
3113 /* ECDSA+SHA384 if need to add EC support here */
3114 if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
3115 wpa_printf(MSG_INFO,
3116 "OpenSSL: Failed to set Suite B sigalgs");
3117 return -1;
3118 }
3119 #endif /* OPENSSL_IS_BORINGSSL */
3120
3121 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3122 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3123 SSL_set_cert_cb(ssl, suiteb_cert_cb, conn);
3124 }
3125 #else /* OPENSSL_VERSION_NUMBER < 0x10002000L */
3126 if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) {
3127 wpa_printf(MSG_ERROR,
3128 "OpenSSL: Suite B RSA case not supported with this OpenSSL version");
3129 return -1;
3130 }
3131 #endif /* OPENSSL_VERSION_NUMBER */
3132
3133 #ifdef OPENSSL_IS_BORINGSSL
3134 if (openssl_ciphers && os_strcmp(openssl_ciphers, "SUITEB192") == 0) {
3135 uint16_t sigalgs[1] = { SSL_SIGN_ECDSA_SECP384R1_SHA384 };
3136 int nid[1] = { NID_secp384r1 };
3137
3138 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3139 wpa_printf(MSG_INFO,
3140 "OpenSSL: Failed to set Suite B curves");
3141 return -1;
3142 }
3143
3144 if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs,
3145 1) != 1) {
3146 wpa_printf(MSG_INFO,
3147 "OpenSSL: Failed to set Suite B sigalgs");
3148 return -1;
3149 }
3150 }
3151 #else /* OPENSSL_IS_BORINGSSL */
3152 if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) &&
3153 openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3154 wpa_printf(MSG_INFO,
3155 "OpenSSL: Failed to set openssl_ciphers '%s'",
3156 openssl_ciphers);
3157 return -1;
3158 }
3159 #endif /* OPENSSL_IS_BORINGSSL */
3160 #else /* CONFIG_SUITEB */
3161 if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3162 wpa_printf(MSG_INFO,
3163 "OpenSSL: Failed to set openssl_ciphers '%s'",
3164 openssl_ciphers);
3165 return -1;
3166 }
3167 #endif /* CONFIG_SUITEB */
3168
3169 if (flags & TLS_CONN_TEAP_ANON_DH) {
3170 #ifndef TEAP_DH_ANON_CS
3171 #define TEAP_DH_ANON_CS \
3172 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \
3173 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \
3174 "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \
3175 "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
3176 "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \
3177 "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \
3178 "ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \
3179 "ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA"
3180 #endif
3181 static const char *cs = TEAP_DH_ANON_CS;
3182
3183 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3184 !defined(LIBRESSL_VERSION_NUMBER) && \
3185 !defined(OPENSSL_IS_BORINGSSL)
3186 /*
3187 * Need to drop to security level 0 to allow anonymous
3188 * cipher suites for EAP-TEAP.
3189 */
3190 SSL_set_security_level(conn->ssl, 0);
3191 #endif
3192
3193 wpa_printf(MSG_DEBUG,
3194 "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s",
3195 cs);
3196 if (SSL_set_cipher_list(conn->ssl, cs) != 1) {
3197 tls_show_errors(MSG_INFO, __func__,
3198 "Cipher suite configuration failed");
3199 return -1;
3200 }
3201 }
3202
3203 return 0;
3204 }
3205
3206
tls_connection_set_verify(void * ssl_ctx,struct tls_connection * conn,int verify_peer,unsigned int flags,const u8 * session_ctx,size_t session_ctx_len)3207 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
3208 int verify_peer, unsigned int flags,
3209 const u8 *session_ctx, size_t session_ctx_len)
3210 {
3211 static int counter = 0;
3212 struct tls_data *data = ssl_ctx;
3213
3214 if (conn == NULL)
3215 return -1;
3216
3217 if (verify_peer == 2) {
3218 conn->ca_cert_verify = 1;
3219 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3220 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3221 } else if (verify_peer) {
3222 conn->ca_cert_verify = 1;
3223 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3224 SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
3225 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3226 } else {
3227 conn->ca_cert_verify = 0;
3228 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
3229 }
3230
3231 if (tls_set_conn_flags(conn, flags, NULL) < 0)
3232 return -1;
3233 conn->flags = flags;
3234
3235 SSL_set_accept_state(conn->ssl);
3236
3237 if (data->tls_session_lifetime == 0) {
3238 /*
3239 * Set session id context to a unique value to make sure
3240 * session resumption cannot be used either through session
3241 * caching or TLS ticket extension.
3242 */
3243 counter++;
3244 SSL_set_session_id_context(conn->ssl,
3245 (const unsigned char *) &counter,
3246 sizeof(counter));
3247 } else if (session_ctx) {
3248 SSL_set_session_id_context(conn->ssl, session_ctx,
3249 session_ctx_len);
3250 }
3251
3252 return 0;
3253 }
3254
3255
tls_connection_client_cert(struct tls_connection * conn,const char * client_cert,const u8 * client_cert_blob,size_t client_cert_blob_len)3256 static int tls_connection_client_cert(struct tls_connection *conn,
3257 const char *client_cert,
3258 const u8 *client_cert_blob,
3259 size_t client_cert_blob_len)
3260 {
3261 if (client_cert == NULL && client_cert_blob == NULL)
3262 return 0;
3263
3264 #ifdef PKCS12_FUNCS
3265 #if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
3266 /*
3267 * Clear previously set extra chain certificates, if any, from PKCS#12
3268 * processing in tls_parse_pkcs12() to allow OpenSSL to build a new
3269 * chain properly.
3270 */
3271 SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx);
3272 #endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
3273 #endif /* PKCS12_FUNCS */
3274
3275 if (client_cert_blob &&
3276 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
3277 client_cert_blob_len) == 1) {
3278 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_ASN1 --> "
3279 "OK");
3280 return 0;
3281 } else if (client_cert_blob) {
3282 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20901000L
3283 tls_show_errors(MSG_DEBUG, __func__,
3284 "SSL_use_certificate_ASN1 failed");
3285 #else
3286 BIO *bio;
3287 X509 *x509;
3288
3289 tls_show_errors(MSG_DEBUG, __func__,
3290 "SSL_use_certificate_ASN1 failed");
3291 bio = BIO_new(BIO_s_mem());
3292 if (!bio)
3293 return -1;
3294 BIO_write(bio, client_cert_blob, client_cert_blob_len);
3295 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3296 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) {
3297 X509_free(x509);
3298 BIO_free(bio);
3299 return -1;
3300 }
3301 X509_free(x509);
3302 wpa_printf(MSG_DEBUG,
3303 "OpenSSL: Found PEM encoded certificate from blob");
3304 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
3305 wpa_printf(MSG_DEBUG,
3306 "OpenSSL: Added an additional certificate into the chain");
3307 SSL_add0_chain_cert(conn->ssl, x509);
3308 }
3309 BIO_free(bio);
3310 return 0;
3311 #endif
3312 }
3313
3314 if (client_cert == NULL)
3315 return -1;
3316
3317 #ifdef ANDROID
3318 if (os_strncmp("keystore://", client_cert, 11) == 0) {
3319 BIO *bio = BIO_from_keystore(&client_cert[11]);
3320 X509 *x509 = NULL;
3321 int ret = -1;
3322 if (bio) {
3323 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3324 }
3325 if (x509) {
3326 if (SSL_use_certificate(conn->ssl, x509) == 1)
3327 ret = 0;
3328 X509_free(x509);
3329 }
3330
3331 /* Read additional certificates into the chain. */
3332 while (bio) {
3333 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3334 if (x509) {
3335 /* Takes ownership of x509 */
3336 SSL_add0_chain_cert(conn->ssl, x509);
3337 } else {
3338 BIO_free(bio);
3339 bio = NULL;
3340 }
3341 }
3342 return ret;
3343 }
3344 #endif /* ANDROID */
3345
3346 #ifdef CONFIG_OHOS_CERTMGR
3347 int ret = -1;
3348 X509 *x509 = NULL;
3349 BIO *bio = BIO_from_cm(&client_cert[0]);
3350 if (bio)
3351 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3352 if (x509) {
3353 if (SSL_use_certificate(conn->ssl, x509) == 1)
3354 ret = 0;
3355 X509_free(x509);
3356 }
3357
3358 /* Read additional certificates into the chain. */
3359 while (bio) {
3360 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3361 if (x509) {
3362 /* Takes ownership of x509 */
3363 SSL_add0_chain_cert(conn->ssl, x509);
3364 } else {
3365 BIO_free(bio);
3366 bio = NULL;
3367 }
3368 }
3369 return ret;
3370 #endif
3371
3372 #ifndef OPENSSL_NO_STDIO
3373 if (SSL_use_certificate_file(conn->ssl, client_cert,
3374 SSL_FILETYPE_ASN1) == 1) {
3375 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (DER)"
3376 " --> OK");
3377 return 0;
3378 }
3379
3380 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3381 !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
3382 if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
3383 ERR_clear_error();
3384 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
3385 " --> OK");
3386 return 0;
3387 }
3388 #else
3389 if (SSL_use_certificate_file(conn->ssl, client_cert,
3390 SSL_FILETYPE_PEM) == 1) {
3391 ERR_clear_error();
3392 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
3393 " --> OK");
3394 return 0;
3395 }
3396 #endif
3397
3398 tls_show_errors(MSG_DEBUG, __func__,
3399 "SSL_use_certificate_file failed");
3400 #else /* OPENSSL_NO_STDIO */
3401 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3402 #endif /* OPENSSL_NO_STDIO */
3403
3404 return -1;
3405 }
3406
3407
tls_global_client_cert(struct tls_data * data,const char * client_cert)3408 static int tls_global_client_cert(struct tls_data *data,
3409 const char *client_cert)
3410 {
3411 #ifndef OPENSSL_NO_STDIO
3412 SSL_CTX *ssl_ctx = data->ssl;
3413
3414 if (client_cert == NULL)
3415 return 0;
3416
3417 if (SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3418 SSL_FILETYPE_ASN1) != 1 &&
3419 SSL_CTX_use_certificate_chain_file(ssl_ctx, client_cert) != 1 &&
3420 SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3421 SSL_FILETYPE_PEM) != 1) {
3422 tls_show_errors(MSG_INFO, __func__,
3423 "Failed to load client certificate");
3424 return -1;
3425 }
3426 return 0;
3427 #else /* OPENSSL_NO_STDIO */
3428 if (client_cert == NULL)
3429 return 0;
3430 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3431 return -1;
3432 #endif /* OPENSSL_NO_STDIO */
3433 }
3434
3435
3436 #ifdef PKCS12_FUNCS
tls_parse_pkcs12(struct tls_data * data,SSL * ssl,PKCS12 * p12,const char * passwd)3437 static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12,
3438 const char *passwd)
3439 {
3440 EVP_PKEY *pkey;
3441 X509 *cert;
3442 STACK_OF(X509) *certs;
3443 int res = 0;
3444 char buf[256];
3445
3446 pkey = NULL;
3447 cert = NULL;
3448 certs = NULL;
3449 if (!passwd)
3450 passwd = "";
3451 if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) {
3452 tls_show_errors(MSG_DEBUG, __func__,
3453 "Failed to parse PKCS12 file");
3454 PKCS12_free(p12);
3455 return -1;
3456 }
3457 wpa_printf(MSG_DEBUG, "TLS: Successfully parsed PKCS12 data");
3458
3459 if (cert) {
3460 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3461 sizeof(buf));
3462 wpa_printf(MSG_DEBUG, "TLS: Got certificate from PKCS12: "
3463 "subject='%s'", buf);
3464 if (ssl) {
3465 if (SSL_use_certificate(ssl, cert) != 1)
3466 res = -1;
3467 } else {
3468 if (SSL_CTX_use_certificate(data->ssl, cert) != 1)
3469 res = -1;
3470 }
3471 X509_free(cert);
3472 }
3473
3474 if (pkey) {
3475 wpa_printf(MSG_DEBUG, "TLS: Got private key from PKCS12");
3476 if (ssl) {
3477 if (SSL_use_PrivateKey(ssl, pkey) != 1)
3478 res = -1;
3479 } else {
3480 if (SSL_CTX_use_PrivateKey(data->ssl, pkey) != 1)
3481 res = -1;
3482 }
3483 EVP_PKEY_free(pkey);
3484 }
3485
3486 if (certs) {
3487 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
3488 if (ssl)
3489 SSL_clear_chain_certs(ssl);
3490 else
3491 SSL_CTX_clear_chain_certs(data->ssl);
3492 while ((cert = sk_X509_pop(certs)) != NULL) {
3493 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3494 sizeof(buf));
3495 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3496 " from PKCS12: subject='%s'", buf);
3497 if ((ssl && SSL_add1_chain_cert(ssl, cert) != 1) ||
3498 (!ssl && SSL_CTX_add1_chain_cert(data->ssl,
3499 cert) != 1)) {
3500 tls_show_errors(MSG_DEBUG, __func__,
3501 "Failed to add additional certificate");
3502 res = -1;
3503 X509_free(cert);
3504 break;
3505 }
3506 X509_free(cert);
3507 }
3508 if (!res) {
3509 /* Try to continue anyway */
3510 }
3511 sk_X509_pop_free(certs, X509_free);
3512 #ifndef OPENSSL_IS_BORINGSSL
3513 if (ssl)
3514 res = SSL_build_cert_chain(
3515 ssl,
3516 SSL_BUILD_CHAIN_FLAG_CHECK |
3517 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3518 else
3519 res = SSL_CTX_build_cert_chain(
3520 data->ssl,
3521 SSL_BUILD_CHAIN_FLAG_CHECK |
3522 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3523 if (!res) {
3524 tls_show_errors(MSG_DEBUG, __func__,
3525 "Failed to build certificate chain");
3526 } else if (res == 2) {
3527 wpa_printf(MSG_DEBUG,
3528 "TLS: Ignore certificate chain verification error when building chain with PKCS#12 extra certificates");
3529 }
3530 #endif /* OPENSSL_IS_BORINGSSL */
3531 /*
3532 * Try to continue regardless of result since it is possible for
3533 * the extra certificates not to be required.
3534 */
3535 res = 0;
3536 #else /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
3537 SSL_CTX_clear_extra_chain_certs(data->ssl);
3538 while ((cert = sk_X509_pop(certs)) != NULL) {
3539 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3540 sizeof(buf));
3541 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3542 " from PKCS12: subject='%s'", buf);
3543 /*
3544 * There is no SSL equivalent for the chain cert - so
3545 * always add it to the context...
3546 */
3547 if (SSL_CTX_add_extra_chain_cert(data->ssl, cert) != 1)
3548 {
3549 X509_free(cert);
3550 res = -1;
3551 break;
3552 }
3553 }
3554 sk_X509_pop_free(certs, X509_free);
3555 #endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
3556 }
3557
3558 PKCS12_free(p12);
3559
3560 if (res < 0)
3561 tls_get_errors(data);
3562
3563 return res;
3564 }
3565 #endif /* PKCS12_FUNCS */
3566
3567
tls_read_pkcs12(struct tls_data * data,SSL * ssl,const char * private_key,const char * passwd)3568 static int tls_read_pkcs12(struct tls_data *data, SSL *ssl,
3569 const char *private_key, const char *passwd)
3570 {
3571 #ifdef PKCS12_FUNCS
3572 FILE *f;
3573 PKCS12 *p12;
3574
3575 f = fopen(private_key, "rb");
3576 if (f == NULL)
3577 return -1;
3578
3579 p12 = d2i_PKCS12_fp(f, NULL);
3580 fclose(f);
3581
3582 if (p12 == NULL) {
3583 tls_show_errors(MSG_INFO, __func__,
3584 "Failed to use PKCS#12 file");
3585 return -1;
3586 }
3587
3588 return tls_parse_pkcs12(data, ssl, p12, passwd);
3589
3590 #else /* PKCS12_FUNCS */
3591 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read "
3592 "p12/pfx files");
3593 return -1;
3594 #endif /* PKCS12_FUNCS */
3595 }
3596
3597
tls_read_pkcs12_blob(struct tls_data * data,SSL * ssl,const u8 * blob,size_t len,const char * passwd)3598 static int tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl,
3599 const u8 *blob, size_t len, const char *passwd)
3600 {
3601 #ifdef PKCS12_FUNCS
3602 PKCS12 *p12;
3603
3604 p12 = d2i_PKCS12(NULL, (const unsigned char **) &blob, len);
3605 if (p12 == NULL) {
3606 tls_show_errors(MSG_INFO, __func__,
3607 "Failed to use PKCS#12 blob");
3608 return -1;
3609 }
3610
3611 return tls_parse_pkcs12(data, ssl, p12, passwd);
3612
3613 #else /* PKCS12_FUNCS */
3614 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse "
3615 "p12/pfx blobs");
3616 return -1;
3617 #endif /* PKCS12_FUNCS */
3618 }
3619
3620
3621 #ifndef OPENSSL_NO_ENGINE
tls_engine_get_cert(struct tls_connection * conn,const char * cert_id,X509 ** cert)3622 static int tls_engine_get_cert(struct tls_connection *conn,
3623 const char *cert_id,
3624 X509 **cert)
3625 {
3626 /* this runs after the private key is loaded so no PIN is required */
3627 struct {
3628 const char *cert_id;
3629 X509 *cert;
3630 } params;
3631 params.cert_id = cert_id;
3632 params.cert = NULL;
3633
3634 if (!ENGINE_ctrl_cmd(conn->engine, "LOAD_CERT_CTRL",
3635 0, ¶ms, NULL, 1)) {
3636 unsigned long err = ERR_get_error();
3637
3638 wpa_printf(MSG_ERROR, "ENGINE: cannot load client cert with id"
3639 " '%s' [%s]", cert_id,
3640 ERR_error_string(err, NULL));
3641 if (tls_is_pin_error(err))
3642 return TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
3643 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
3644 }
3645 if (!params.cert) {
3646 wpa_printf(MSG_ERROR, "ENGINE: did not properly cert with id"
3647 " '%s'", cert_id);
3648 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
3649 }
3650 *cert = params.cert;
3651 return 0;
3652 }
3653 #endif /* OPENSSL_NO_ENGINE */
3654
3655
tls_connection_engine_client_cert(struct tls_connection * conn,const char * cert_id)3656 static int tls_connection_engine_client_cert(struct tls_connection *conn,
3657 const char *cert_id)
3658 {
3659 #ifndef OPENSSL_NO_ENGINE
3660 X509 *cert;
3661
3662 if (tls_engine_get_cert(conn, cert_id, &cert))
3663 return -1;
3664
3665 if (!SSL_use_certificate(conn->ssl, cert)) {
3666 tls_show_errors(MSG_ERROR, __func__,
3667 "SSL_use_certificate failed");
3668 X509_free(cert);
3669 return -1;
3670 }
3671 X509_free(cert);
3672 wpa_printf(MSG_DEBUG, "ENGINE: SSL_use_certificate --> "
3673 "OK");
3674 return 0;
3675
3676 #else /* OPENSSL_NO_ENGINE */
3677 return -1;
3678 #endif /* OPENSSL_NO_ENGINE */
3679 }
3680
3681
tls_connection_engine_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert_id)3682 static int tls_connection_engine_ca_cert(struct tls_data *data,
3683 struct tls_connection *conn,
3684 const char *ca_cert_id)
3685 {
3686 #ifndef OPENSSL_NO_ENGINE
3687 X509 *cert;
3688 SSL_CTX *ssl_ctx = data->ssl;
3689 X509_STORE *store;
3690
3691 if (tls_engine_get_cert(conn, ca_cert_id, &cert))
3692 return -1;
3693
3694 /* start off the same as tls_connection_ca_cert */
3695 store = X509_STORE_new();
3696 if (store == NULL) {
3697 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
3698 "certificate store", __func__);
3699 X509_free(cert);
3700 return -1;
3701 }
3702 SSL_CTX_set_cert_store(ssl_ctx, store);
3703 if (!X509_STORE_add_cert(store, cert)) {
3704 unsigned long err = ERR_peek_error();
3705 tls_show_errors(MSG_WARNING, __func__,
3706 "Failed to add CA certificate from engine "
3707 "to certificate store");
3708 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
3709 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
3710 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring cert"
3711 " already in hash table error",
3712 __func__);
3713 } else {
3714 X509_free(cert);
3715 return -1;
3716 }
3717 }
3718 X509_free(cert);
3719 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
3720 "to certificate store", __func__);
3721 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
3722 conn->ca_cert_verify = 1;
3723
3724 return 0;
3725
3726 #else /* OPENSSL_NO_ENGINE */
3727 return -1;
3728 #endif /* OPENSSL_NO_ENGINE */
3729 }
3730
3731
tls_connection_engine_private_key(struct tls_connection * conn)3732 static int tls_connection_engine_private_key(struct tls_connection *conn)
3733 {
3734 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
3735 if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) {
3736 tls_show_errors(MSG_ERROR, __func__,
3737 "ENGINE: cannot use private key for TLS");
3738 return -1;
3739 }
3740 if (!SSL_check_private_key(conn->ssl)) {
3741 tls_show_errors(MSG_INFO, __func__,
3742 "Private key failed verification");
3743 return -1;
3744 }
3745 return 0;
3746 #else /* OPENSSL_NO_ENGINE */
3747 wpa_printf(MSG_ERROR, "SSL: Configuration uses engine, but "
3748 "engine support was not compiled in");
3749 return -1;
3750 #endif /* OPENSSL_NO_ENGINE */
3751 }
3752
3753
3754 #ifndef OPENSSL_NO_STDIO
tls_passwd_cb(char * buf,int size,int rwflag,void * password)3755 static int tls_passwd_cb(char *buf, int size, int rwflag, void *password)
3756 {
3757 if (!password)
3758 return 0;
3759 os_strlcpy(buf, (const char *) password, size);
3760 return os_strlen(buf);
3761 }
3762 #endif /* OPENSSL_NO_STDIO */
3763
3764
tls_use_private_key_file(struct tls_data * data,SSL * ssl,const char * private_key,const char * private_key_passwd)3765 static int tls_use_private_key_file(struct tls_data *data, SSL *ssl,
3766 const char *private_key,
3767 const char *private_key_passwd)
3768 {
3769 #ifndef OPENSSL_NO_STDIO
3770 BIO *bio;
3771 EVP_PKEY *pkey;
3772 int ret;
3773
3774 /* First try ASN.1 (DER). */
3775 bio = BIO_new_file(private_key, "r");
3776 if (!bio)
3777 return -1;
3778 pkey = d2i_PrivateKey_bio(bio, NULL);
3779 BIO_free(bio);
3780
3781 if (pkey) {
3782 wpa_printf(MSG_DEBUG, "OpenSSL: %s (DER) --> loaded", __func__);
3783 } else {
3784 /* Try PEM with the provided password. */
3785 bio = BIO_new_file(private_key, "r");
3786 if (!bio)
3787 return -1;
3788 pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_passwd_cb,
3789 (void *) private_key_passwd);
3790 BIO_free(bio);
3791 if (!pkey)
3792 return -1;
3793 wpa_printf(MSG_DEBUG, "OpenSSL: %s (PEM) --> loaded", __func__);
3794 /* Clear errors from the previous failed load. */
3795 ERR_clear_error();
3796 }
3797
3798 if (ssl)
3799 ret = SSL_use_PrivateKey(ssl, pkey);
3800 else
3801 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey);
3802
3803 EVP_PKEY_free(pkey);
3804 return ret == 1 ? 0 : -1;
3805 #else /* OPENSSL_NO_STDIO */
3806 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3807 return -1;
3808 #endif /* OPENSSL_NO_STDIO */
3809 }
3810
3811 #ifdef CONFIG_OHOS_CERTMGR
tls_use_cm_key(struct tls_data * data,SSL * ssl,const char * private_key)3812 static int tls_use_cm_key(struct tls_data *data, SSL *ssl, const char *private_key)
3813 {
3814 int ret;
3815 EVP_PKEY *pkey = GET_EVP_PKEY(private_key);
3816 if (pkey == NULL) {
3817 wpa_printf(MSG_DEBUG, "can not get evp pkey");
3818 return -1;
3819 }
3820 if (ssl)
3821 ret = SSL_use_PrivateKey(ssl, pkey);
3822 else
3823 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey);
3824
3825 EVP_PKEY_free(pkey);
3826 return ret == 1 ? 0 : -1;
3827 }
3828 #endif
3829
tls_connection_private_key(struct tls_data * data,struct tls_connection * conn,const char * private_key,const char * private_key_passwd,const u8 * private_key_blob,size_t private_key_blob_len)3830 static int tls_connection_private_key(struct tls_data *data,
3831 struct tls_connection *conn,
3832 const char *private_key,
3833 const char *private_key_passwd,
3834 const u8 *private_key_blob,
3835 size_t private_key_blob_len)
3836 {
3837 BIO *bio;
3838 int ok;
3839
3840 if (private_key == NULL && private_key_blob == NULL)
3841 return 0;
3842
3843 ok = 0;
3844 while (private_key_blob) {
3845 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl,
3846 (u8 *) private_key_blob,
3847 private_key_blob_len) == 1) {
3848 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
3849 "ASN1(EVP_PKEY_RSA) --> OK");
3850 ok = 1;
3851 break;
3852 }
3853
3854 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl,
3855 (u8 *) private_key_blob,
3856 private_key_blob_len) == 1) {
3857 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
3858 "ASN1(EVP_PKEY_DSA) --> OK");
3859 ok = 1;
3860 break;
3861 }
3862
3863 #ifndef OPENSSL_NO_EC
3864 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, conn->ssl,
3865 (u8 *) private_key_blob,
3866 private_key_blob_len) == 1) {
3867 wpa_printf(MSG_DEBUG,
3868 "OpenSSL: SSL_use_PrivateKey_ASN1(EVP_PKEY_EC) --> OK");
3869 ok = 1;
3870 break;
3871 }
3872 #endif /* OPENSSL_NO_EC */
3873
3874 if (SSL_use_RSAPrivateKey_ASN1(conn->ssl,
3875 (u8 *) private_key_blob,
3876 private_key_blob_len) == 1) {
3877 wpa_printf(MSG_DEBUG, "OpenSSL: "
3878 "SSL_use_RSAPrivateKey_ASN1 --> OK");
3879 ok = 1;
3880 break;
3881 }
3882
3883 bio = BIO_new_mem_buf((u8 *) private_key_blob,
3884 private_key_blob_len);
3885 if (bio) {
3886 EVP_PKEY *pkey;
3887
3888 pkey = PEM_read_bio_PrivateKey(
3889 bio, NULL, tls_passwd_cb,
3890 (void *) private_key_passwd);
3891 if (pkey) {
3892 if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) {
3893 wpa_printf(MSG_DEBUG,
3894 "OpenSSL: SSL_use_PrivateKey --> OK");
3895 ok = 1;
3896 EVP_PKEY_free(pkey);
3897 BIO_free(bio);
3898 break;
3899 }
3900 EVP_PKEY_free(pkey);
3901 }
3902 BIO_free(bio);
3903 }
3904
3905 if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob,
3906 private_key_blob_len,
3907 private_key_passwd) == 0) {
3908 wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> "
3909 "OK");
3910 ok = 1;
3911 break;
3912 }
3913
3914 break;
3915 }
3916
3917 while (!ok && private_key) {
3918 #ifdef CONFIG_OHOS_CERTMGR
3919 if (tls_use_cm_key(data, conn->ssl, private_key) == 0) {
3920 ok = 1;
3921 break;
3922 }
3923 #endif
3924
3925 if (tls_use_private_key_file(data, conn->ssl, private_key,
3926 private_key_passwd) == 0) {
3927 ok = 1;
3928 break;
3929 }
3930
3931 if (tls_read_pkcs12(data, conn->ssl, private_key,
3932 private_key_passwd) == 0) {
3933 wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file "
3934 "--> OK");
3935 ok = 1;
3936 break;
3937 }
3938
3939 if (tls_cryptoapi_cert(conn->ssl, private_key) == 0) {
3940 wpa_printf(MSG_DEBUG, "OpenSSL: Using CryptoAPI to "
3941 "access certificate store --> OK");
3942 ok = 1;
3943 break;
3944 }
3945
3946 break;
3947 }
3948
3949 if (!ok) {
3950 tls_show_errors(MSG_INFO, __func__,
3951 "Failed to load private key");
3952 return -1;
3953 }
3954 ERR_clear_error();
3955
3956 if (!SSL_check_private_key(conn->ssl)) {
3957 tls_show_errors(MSG_INFO, __func__, "Private key failed "
3958 "verification");
3959 return -1;
3960 }
3961
3962 wpa_printf(MSG_DEBUG, "SSL: Private key loaded successfully");
3963 return 0;
3964 }
3965
3966
tls_global_private_key(struct tls_data * data,const char * private_key,const char * private_key_passwd)3967 static int tls_global_private_key(struct tls_data *data,
3968 const char *private_key,
3969 const char *private_key_passwd)
3970 {
3971 SSL_CTX *ssl_ctx = data->ssl;
3972
3973 if (private_key == NULL)
3974 return 0;
3975
3976 if (tls_use_private_key_file(data, NULL, private_key,
3977 private_key_passwd) &&
3978 tls_read_pkcs12(data, NULL, private_key, private_key_passwd)) {
3979 tls_show_errors(MSG_INFO, __func__,
3980 "Failed to load private key");
3981 ERR_clear_error();
3982 return -1;
3983 }
3984 ERR_clear_error();
3985
3986 if (!SSL_CTX_check_private_key(ssl_ctx)) {
3987 tls_show_errors(MSG_INFO, __func__,
3988 "Private key failed verification");
3989 return -1;
3990 }
3991
3992 return 0;
3993 }
3994
3995
tls_connection_dh(struct tls_connection * conn,const char * dh_file)3996 static int tls_connection_dh(struct tls_connection *conn, const char *dh_file)
3997 {
3998 #ifdef OPENSSL_NO_DH
3999 if (dh_file == NULL)
4000 return 0;
4001 wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
4002 "dh_file specified");
4003 return -1;
4004 #else /* OPENSSL_NO_DH */
4005 DH *dh;
4006 BIO *bio;
4007
4008 /* TODO: add support for dh_blob */
4009 if (dh_file == NULL)
4010 return 0;
4011 if (conn == NULL)
4012 return -1;
4013
4014 bio = BIO_new_file(dh_file, "r");
4015 if (bio == NULL) {
4016 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4017 dh_file, ERR_error_string(ERR_get_error(), NULL));
4018 return -1;
4019 }
4020 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
4021 BIO_free(bio);
4022 #ifndef OPENSSL_NO_DSA
4023 while (dh == NULL) {
4024 DSA *dsa;
4025 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
4026 " trying to parse as DSA params", dh_file,
4027 ERR_error_string(ERR_get_error(), NULL));
4028 bio = BIO_new_file(dh_file, "r");
4029 if (bio == NULL)
4030 break;
4031 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
4032 BIO_free(bio);
4033 if (!dsa) {
4034 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
4035 "'%s': %s", dh_file,
4036 ERR_error_string(ERR_get_error(), NULL));
4037 break;
4038 }
4039
4040 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
4041 dh = DSA_dup_DH(dsa);
4042 DSA_free(dsa);
4043 if (dh == NULL) {
4044 wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
4045 "params into DH params");
4046 break;
4047 }
4048 break;
4049 }
4050 #endif /* !OPENSSL_NO_DSA */
4051 if (dh == NULL) {
4052 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
4053 "'%s'", dh_file);
4054 return -1;
4055 }
4056
4057 if (SSL_set_tmp_dh(conn->ssl, dh) != 1) {
4058 wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': "
4059 "%s", dh_file,
4060 ERR_error_string(ERR_get_error(), NULL));
4061 DH_free(dh);
4062 return -1;
4063 }
4064 DH_free(dh);
4065 return 0;
4066 #endif /* OPENSSL_NO_DH */
4067 }
4068
4069
tls_global_dh(struct tls_data * data,const char * dh_file)4070 static int tls_global_dh(struct tls_data *data, const char *dh_file)
4071 {
4072 #ifdef OPENSSL_NO_DH
4073 if (dh_file == NULL)
4074 return 0;
4075 wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
4076 "dh_file specified");
4077 return -1;
4078 #else /* OPENSSL_NO_DH */
4079 SSL_CTX *ssl_ctx = data->ssl;
4080 DH *dh;
4081 BIO *bio;
4082
4083 /* TODO: add support for dh_blob */
4084 if (dh_file == NULL)
4085 return 0;
4086 if (ssl_ctx == NULL)
4087 return -1;
4088
4089 bio = BIO_new_file(dh_file, "r");
4090 if (bio == NULL) {
4091 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4092 dh_file, ERR_error_string(ERR_get_error(), NULL));
4093 return -1;
4094 }
4095 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
4096 BIO_free(bio);
4097 #ifndef OPENSSL_NO_DSA
4098 while (dh == NULL) {
4099 DSA *dsa;
4100 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
4101 " trying to parse as DSA params", dh_file,
4102 ERR_error_string(ERR_get_error(), NULL));
4103 bio = BIO_new_file(dh_file, "r");
4104 if (bio == NULL)
4105 break;
4106 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
4107 BIO_free(bio);
4108 if (!dsa) {
4109 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
4110 "'%s': %s", dh_file,
4111 ERR_error_string(ERR_get_error(), NULL));
4112 break;
4113 }
4114
4115 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
4116 dh = DSA_dup_DH(dsa);
4117 DSA_free(dsa);
4118 if (dh == NULL) {
4119 wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
4120 "params into DH params");
4121 break;
4122 }
4123 break;
4124 }
4125 #endif /* !OPENSSL_NO_DSA */
4126 if (dh == NULL) {
4127 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
4128 "'%s'", dh_file);
4129 return -1;
4130 }
4131
4132 if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) {
4133 wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': "
4134 "%s", dh_file,
4135 ERR_error_string(ERR_get_error(), NULL));
4136 DH_free(dh);
4137 return -1;
4138 }
4139 DH_free(dh);
4140 return 0;
4141 #endif /* OPENSSL_NO_DH */
4142 }
4143
4144
tls_connection_get_random(void * ssl_ctx,struct tls_connection * conn,struct tls_random * keys)4145 int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
4146 struct tls_random *keys)
4147 {
4148 SSL *ssl;
4149
4150 if (conn == NULL || keys == NULL)
4151 return -1;
4152 ssl = conn->ssl;
4153 if (ssl == NULL)
4154 return -1;
4155
4156 os_memset(keys, 0, sizeof(*keys));
4157 keys->client_random = conn->client_random;
4158 keys->client_random_len = SSL_get_client_random(
4159 ssl, conn->client_random, sizeof(conn->client_random));
4160 keys->server_random = conn->server_random;
4161 keys->server_random_len = SSL_get_server_random(
4162 ssl, conn->server_random, sizeof(conn->server_random));
4163
4164 return 0;
4165 }
4166
4167
4168 #ifdef OPENSSL_NEED_EAP_FAST_PRF
openssl_get_keyblock_size(SSL * ssl)4169 static int openssl_get_keyblock_size(SSL *ssl)
4170 {
4171 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
4172 (defined(LIBRESSL_VERSION_NUMBER) && \
4173 LIBRESSL_VERSION_NUMBER < 0x20700000L)
4174 const EVP_CIPHER *c;
4175 const EVP_MD *h;
4176 int md_size;
4177
4178 if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL ||
4179 ssl->read_hash == NULL)
4180 return -1;
4181
4182 c = ssl->enc_read_ctx->cipher;
4183 h = EVP_MD_CTX_md(ssl->read_hash);
4184 if (h)
4185 md_size = EVP_MD_size(h);
4186 else if (ssl->s3)
4187 md_size = ssl->s3->tmp.new_mac_secret_size;
4188 else
4189 return -1;
4190
4191 wpa_printf(MSG_DEBUG, "OpenSSL: keyblock size: key_len=%d MD_size=%d "
4192 "IV_len=%d", EVP_CIPHER_key_length(c), md_size,
4193 EVP_CIPHER_iv_length(c));
4194 return 2 * (EVP_CIPHER_key_length(c) +
4195 md_size +
4196 EVP_CIPHER_iv_length(c));
4197 #else
4198 const SSL_CIPHER *ssl_cipher;
4199 int cipher, digest;
4200 const EVP_CIPHER *c;
4201 const EVP_MD *h;
4202 int mac_key_len, enc_key_len, fixed_iv_len;
4203
4204 ssl_cipher = SSL_get_current_cipher(ssl);
4205 if (!ssl_cipher)
4206 return -1;
4207 cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher);
4208 digest = SSL_CIPHER_get_digest_nid(ssl_cipher);
4209 wpa_printf(MSG_DEBUG, "OpenSSL: cipher nid %d digest nid %d",
4210 cipher, digest);
4211 if (cipher < 0 || digest < 0)
4212 return -1;
4213 if (cipher == NID_undef) {
4214 wpa_printf(MSG_DEBUG, "OpenSSL: no cipher in use?!");
4215 return -1;
4216 }
4217 c = EVP_get_cipherbynid(cipher);
4218 if (!c)
4219 return -1;
4220 enc_key_len = EVP_CIPHER_key_length(c);
4221 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE ||
4222 EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
4223 fixed_iv_len = 4; /* only part of IV from PRF */
4224 else
4225 fixed_iv_len = EVP_CIPHER_iv_length(c);
4226 if (digest == NID_undef) {
4227 wpa_printf(MSG_DEBUG, "OpenSSL: no digest in use (e.g., AEAD)");
4228 mac_key_len = 0;
4229 } else {
4230 h = EVP_get_digestbynid(digest);
4231 if (!h)
4232 return -1;
4233 mac_key_len = EVP_MD_size(h);
4234 }
4235
4236 wpa_printf(MSG_DEBUG,
4237 "OpenSSL: keyblock size: mac_key_len=%d enc_key_len=%d fixed_iv_len=%d",
4238 mac_key_len, enc_key_len, fixed_iv_len);
4239 return 2 * (mac_key_len + enc_key_len + fixed_iv_len);
4240 #endif
4241 }
4242 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4243
4244
tls_connection_export_key(void * tls_ctx,struct tls_connection * conn,const char * label,const u8 * context,size_t context_len,u8 * out,size_t out_len)4245 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
4246 const char *label, const u8 *context,
4247 size_t context_len, u8 *out, size_t out_len)
4248 {
4249 if (!conn ||
4250 SSL_export_keying_material(conn->ssl, out, out_len, label,
4251 os_strlen(label), context, context_len,
4252 context != NULL) != 1)
4253 return -1;
4254 return 0;
4255 }
4256
4257
tls_connection_get_eap_fast_key(void * tls_ctx,struct tls_connection * conn,u8 * out,size_t out_len)4258 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
4259 u8 *out, size_t out_len)
4260 {
4261 #ifdef OPENSSL_NEED_EAP_FAST_PRF
4262 SSL *ssl;
4263 SSL_SESSION *sess;
4264 u8 *rnd;
4265 int ret = -1;
4266 int skip = 0;
4267 u8 *tmp_out = NULL;
4268 u8 *_out = out;
4269 unsigned char client_random[SSL3_RANDOM_SIZE];
4270 unsigned char server_random[SSL3_RANDOM_SIZE];
4271 unsigned char master_key[64];
4272 size_t master_key_len;
4273 const char *ver;
4274
4275 /*
4276 * TLS library did not support EAP-FAST key generation, so get the
4277 * needed TLS session parameters and use an internal implementation of
4278 * TLS PRF to derive the key.
4279 */
4280
4281 if (conn == NULL)
4282 return -1;
4283 ssl = conn->ssl;
4284 if (ssl == NULL)
4285 return -1;
4286 ver = SSL_get_version(ssl);
4287 sess = SSL_get_session(ssl);
4288 if (!ver || !sess)
4289 return -1;
4290
4291 skip = openssl_get_keyblock_size(ssl);
4292 if (skip < 0)
4293 return -1;
4294 tmp_out = os_malloc(skip + out_len);
4295 if (!tmp_out)
4296 return -1;
4297 _out = tmp_out;
4298
4299 rnd = os_malloc(2 * SSL3_RANDOM_SIZE);
4300 if (!rnd) {
4301 os_free(tmp_out);
4302 return -1;
4303 }
4304
4305 SSL_get_client_random(ssl, client_random, sizeof(client_random));
4306 SSL_get_server_random(ssl, server_random, sizeof(server_random));
4307 master_key_len = SSL_SESSION_get_master_key(sess, master_key,
4308 sizeof(master_key));
4309
4310 os_memcpy(rnd, server_random, SSL3_RANDOM_SIZE);
4311 os_memcpy(rnd + SSL3_RANDOM_SIZE, client_random, SSL3_RANDOM_SIZE);
4312
4313 if (os_strcmp(ver, "TLSv1.2") == 0) {
4314 tls_prf_sha256(master_key, master_key_len,
4315 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4316 _out, skip + out_len);
4317 ret = 0;
4318 } else if (tls_prf_sha1_md5(master_key, master_key_len,
4319 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4320 _out, skip + out_len) == 0) {
4321 ret = 0;
4322 }
4323 forced_memzero(master_key, sizeof(master_key));
4324 os_free(rnd);
4325 if (ret == 0)
4326 os_memcpy(out, _out + skip, out_len);
4327 bin_clear_free(tmp_out, skip);
4328
4329 return ret;
4330 #else /* OPENSSL_NEED_EAP_FAST_PRF */
4331 wpa_printf(MSG_ERROR,
4332 "OpenSSL: EAP-FAST keys cannot be exported in FIPS mode");
4333 return -1;
4334 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4335 }
4336
4337
4338 static struct wpabuf *
openssl_handshake(struct tls_connection * conn,const struct wpabuf * in_data)4339 openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
4340 {
4341 int res;
4342 struct wpabuf *out_data;
4343
4344 /*
4345 * Give TLS handshake data from the server (if available) to OpenSSL
4346 * for processing.
4347 */
4348 if (in_data && wpabuf_len(in_data) > 0 &&
4349 BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data))
4350 < 0) {
4351 tls_show_errors(MSG_INFO, __func__,
4352 "Handshake failed - BIO_write");
4353 return NULL;
4354 }
4355
4356 /* Initiate TLS handshake or continue the existing handshake */
4357 if (conn->server)
4358 res = SSL_accept(conn->ssl);
4359 else
4360 res = SSL_connect(conn->ssl);
4361 if (res != 1) {
4362 int err = SSL_get_error(conn->ssl, res);
4363 if (err == SSL_ERROR_WANT_READ)
4364 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want "
4365 "more data");
4366 else if (err == SSL_ERROR_WANT_WRITE)
4367 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
4368 "write");
4369 else {
4370 tls_show_errors(MSG_INFO, __func__, "SSL_connect");
4371 conn->failed++;
4372 if (!conn->server && !conn->client_hello_generated) {
4373 /* The server would not understand TLS Alert
4374 * before ClientHello, so simply terminate
4375 * handshake on this type of error case caused
4376 * by a likely internal error like no ciphers
4377 * available. */
4378 wpa_printf(MSG_DEBUG,
4379 "OpenSSL: Could not generate ClientHello");
4380 conn->write_alerts++;
4381 return NULL;
4382 }
4383 }
4384 }
4385
4386 if (!conn->server && !conn->failed)
4387 conn->client_hello_generated = 1;
4388
4389 #ifdef CONFIG_SUITEB
4390 if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
4391 os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
4392 conn->server_dh_prime_len < 3072) {
4393 struct tls_context *context = conn->context;
4394
4395 /*
4396 * This should not be reached since earlier cert_cb should have
4397 * terminated the handshake. Keep this check here for extra
4398 * protection if anything goes wrong with the more low-level
4399 * checks based on having to parse the TLS handshake messages.
4400 */
4401 wpa_printf(MSG_DEBUG,
4402 "OpenSSL: Server DH prime length: %d bits",
4403 conn->server_dh_prime_len);
4404
4405 if (context->event_cb) {
4406 union tls_event_data ev;
4407
4408 os_memset(&ev, 0, sizeof(ev));
4409 ev.alert.is_local = 1;
4410 ev.alert.type = "fatal";
4411 ev.alert.description = "insufficient security";
4412 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
4413 }
4414 /*
4415 * Could send a TLS Alert to the server, but for now, simply
4416 * terminate handshake.
4417 */
4418 conn->failed++;
4419 conn->write_alerts++;
4420 return NULL;
4421 }
4422 #endif /* CONFIG_SUITEB */
4423
4424 /* Get the TLS handshake data to be sent to the server */
4425 res = BIO_ctrl_pending(conn->ssl_out);
4426 wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res);
4427 out_data = wpabuf_alloc(res);
4428 if (out_data == NULL) {
4429 wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for "
4430 "handshake output (%d bytes)", res);
4431 if (BIO_reset(conn->ssl_out) < 0) {
4432 tls_show_errors(MSG_INFO, __func__,
4433 "BIO_reset failed");
4434 }
4435 return NULL;
4436 }
4437 res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data),
4438 res);
4439 if (res < 0) {
4440 tls_show_errors(MSG_INFO, __func__,
4441 "Handshake failed - BIO_read");
4442 if (BIO_reset(conn->ssl_out) < 0) {
4443 tls_show_errors(MSG_INFO, __func__,
4444 "BIO_reset failed");
4445 }
4446 wpabuf_free(out_data);
4447 return NULL;
4448 }
4449 wpabuf_put(out_data, res);
4450
4451 return out_data;
4452 }
4453
4454
4455 static struct wpabuf *
openssl_get_appl_data(struct tls_connection * conn,size_t max_len)4456 openssl_get_appl_data(struct tls_connection *conn, size_t max_len)
4457 {
4458 struct wpabuf *appl_data;
4459 int res;
4460
4461 appl_data = wpabuf_alloc(max_len + 100);
4462 if (appl_data == NULL)
4463 return NULL;
4464
4465 res = SSL_read(conn->ssl, wpabuf_mhead(appl_data),
4466 wpabuf_size(appl_data));
4467 if (res < 0) {
4468 int err = SSL_get_error(conn->ssl, res);
4469 if (err == SSL_ERROR_WANT_READ ||
4470 err == SSL_ERROR_WANT_WRITE) {
4471 wpa_printf(MSG_DEBUG, "SSL: No Application Data "
4472 "included");
4473 } else {
4474 tls_show_errors(MSG_INFO, __func__,
4475 "Failed to read possible "
4476 "Application Data");
4477 }
4478 wpabuf_free(appl_data);
4479 return NULL;
4480 }
4481
4482 wpabuf_put(appl_data, res);
4483 wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application Data in Finished "
4484 "message", appl_data);
4485
4486 return appl_data;
4487 }
4488
4489
4490 static struct wpabuf *
openssl_connection_handshake(struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4491 openssl_connection_handshake(struct tls_connection *conn,
4492 const struct wpabuf *in_data,
4493 struct wpabuf **appl_data)
4494 {
4495 struct wpabuf *out_data;
4496
4497 if (appl_data)
4498 *appl_data = NULL;
4499
4500 out_data = openssl_handshake(conn, in_data);
4501 if (out_data == NULL)
4502 return NULL;
4503 if (conn->invalid_hb_used) {
4504 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4505 wpabuf_free(out_data);
4506 return NULL;
4507 }
4508
4509 if (SSL_is_init_finished(conn->ssl)) {
4510 wpa_printf(MSG_DEBUG,
4511 "OpenSSL: Handshake finished - resumed=%d",
4512 tls_connection_resumed(conn->ssl_ctx, conn));
4513 if (conn->server) {
4514 char *buf;
4515 size_t buflen = 2000;
4516
4517 buf = os_malloc(buflen);
4518 if (buf) {
4519 if (SSL_get_shared_ciphers(conn->ssl, buf,
4520 buflen)) {
4521 buf[buflen - 1] = '\0';
4522 wpa_printf(MSG_DEBUG,
4523 "OpenSSL: Shared ciphers: %s",
4524 buf);
4525 }
4526 os_free(buf);
4527 }
4528 }
4529 if (appl_data && in_data)
4530 *appl_data = openssl_get_appl_data(conn,
4531 wpabuf_len(in_data));
4532 }
4533
4534 if (conn->invalid_hb_used) {
4535 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4536 if (appl_data) {
4537 wpabuf_free(*appl_data);
4538 *appl_data = NULL;
4539 }
4540 wpabuf_free(out_data);
4541 return NULL;
4542 }
4543
4544 return out_data;
4545 }
4546
4547
4548 struct wpabuf *
tls_connection_handshake(void * ssl_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4549 tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
4550 const struct wpabuf *in_data,
4551 struct wpabuf **appl_data)
4552 {
4553 return openssl_connection_handshake(conn, in_data, appl_data);
4554 }
4555
4556
tls_connection_server_handshake(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4557 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
4558 struct tls_connection *conn,
4559 const struct wpabuf *in_data,
4560 struct wpabuf **appl_data)
4561 {
4562 conn->server = 1;
4563 return openssl_connection_handshake(conn, in_data, appl_data);
4564 }
4565
4566
tls_connection_encrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4567 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
4568 struct tls_connection *conn,
4569 const struct wpabuf *in_data)
4570 {
4571 int res;
4572 struct wpabuf *buf;
4573
4574 if (conn == NULL)
4575 return NULL;
4576
4577 /* Give plaintext data for OpenSSL to encrypt into the TLS tunnel. */
4578 if ((res = BIO_reset(conn->ssl_in)) < 0 ||
4579 (res = BIO_reset(conn->ssl_out)) < 0) {
4580 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4581 return NULL;
4582 }
4583 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data));
4584 if (res < 0) {
4585 tls_show_errors(MSG_INFO, __func__,
4586 "Encryption failed - SSL_write");
4587 return NULL;
4588 }
4589
4590 /* Read encrypted data to be sent to the server */
4591 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
4592 if (buf == NULL)
4593 return NULL;
4594 res = BIO_read(conn->ssl_out, wpabuf_mhead(buf), wpabuf_size(buf));
4595 if (res < 0) {
4596 tls_show_errors(MSG_INFO, __func__,
4597 "Encryption failed - BIO_read");
4598 wpabuf_free(buf);
4599 return NULL;
4600 }
4601 wpabuf_put(buf, res);
4602
4603 return buf;
4604 }
4605
4606
tls_connection_decrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4607 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
4608 struct tls_connection *conn,
4609 const struct wpabuf *in_data)
4610 {
4611 int res;
4612 struct wpabuf *buf;
4613
4614 /* Give encrypted data from TLS tunnel for OpenSSL to decrypt. */
4615 res = BIO_write(conn->ssl_in, wpabuf_head(in_data),
4616 wpabuf_len(in_data));
4617 if (res < 0) {
4618 tls_show_errors(MSG_INFO, __func__,
4619 "Decryption failed - BIO_write");
4620 return NULL;
4621 }
4622 if (BIO_reset(conn->ssl_out) < 0) {
4623 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4624 return NULL;
4625 }
4626
4627 /* Read decrypted data for further processing */
4628 /*
4629 * Even though we try to disable TLS compression, it is possible that
4630 * this cannot be done with all TLS libraries. Add extra buffer space
4631 * to handle the possibility of the decrypted data being longer than
4632 * input data.
4633 */
4634 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
4635 if (buf == NULL)
4636 return NULL;
4637 res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf));
4638 if (res < 0) {
4639 int err = SSL_get_error(conn->ssl, res);
4640
4641 if (err == SSL_ERROR_WANT_READ) {
4642 wpa_printf(MSG_DEBUG,
4643 "SSL: SSL_connect - want more data");
4644 res = 0;
4645 } else {
4646 tls_show_errors(MSG_INFO, __func__,
4647 "Decryption failed - SSL_read");
4648 wpabuf_free(buf);
4649 return NULL;
4650 }
4651 }
4652 wpabuf_put(buf, res);
4653
4654 if (conn->invalid_hb_used) {
4655 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4656 wpabuf_free(buf);
4657 return NULL;
4658 }
4659
4660 return buf;
4661 }
4662
4663
tls_connection_resumed(void * ssl_ctx,struct tls_connection * conn)4664 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
4665 {
4666 return conn ? SSL_session_reused(conn->ssl) : 0;
4667 }
4668
4669
tls_connection_set_cipher_list(void * tls_ctx,struct tls_connection * conn,u8 * ciphers)4670 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
4671 u8 *ciphers)
4672 {
4673 char buf[500], *pos, *end;
4674 u8 *c;
4675 int ret;
4676
4677 if (conn == NULL || conn->ssl == NULL || ciphers == NULL)
4678 return -1;
4679
4680 buf[0] = '\0';
4681 pos = buf;
4682 end = pos + sizeof(buf);
4683
4684 c = ciphers;
4685 while (*c != TLS_CIPHER_NONE) {
4686 const char *suite;
4687
4688 switch (*c) {
4689 case TLS_CIPHER_RC4_SHA:
4690 suite = "RC4-SHA";
4691 break;
4692 case TLS_CIPHER_AES128_SHA:
4693 suite = "AES128-SHA";
4694 break;
4695 case TLS_CIPHER_RSA_DHE_AES128_SHA:
4696 suite = "DHE-RSA-AES128-SHA";
4697 break;
4698 case TLS_CIPHER_ANON_DH_AES128_SHA:
4699 suite = "ADH-AES128-SHA";
4700 break;
4701 case TLS_CIPHER_RSA_DHE_AES256_SHA:
4702 suite = "DHE-RSA-AES256-SHA";
4703 break;
4704 case TLS_CIPHER_AES256_SHA:
4705 suite = "AES256-SHA";
4706 break;
4707 default:
4708 wpa_printf(MSG_DEBUG, "TLS: Unsupported "
4709 "cipher selection: %d", *c);
4710 return -1;
4711 }
4712 ret = os_snprintf(pos, end - pos, ":%s", suite);
4713 if (os_snprintf_error(end - pos, ret))
4714 break;
4715 pos += ret;
4716
4717 c++;
4718 }
4719 if (!buf[0]) {
4720 wpa_printf(MSG_DEBUG, "OpenSSL: No ciphers listed");
4721 return -1;
4722 }
4723
4724 wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
4725
4726 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
4727 #ifdef EAP_FAST_OR_TEAP
4728 if (os_strstr(buf, ":ADH-")) {
4729 /*
4730 * Need to drop to security level 0 to allow anonymous
4731 * cipher suites for EAP-FAST.
4732 */
4733 SSL_set_security_level(conn->ssl, 0);
4734 } else if (SSL_get_security_level(conn->ssl) == 0) {
4735 /* Force at least security level 1 */
4736 SSL_set_security_level(conn->ssl, 1);
4737 }
4738 #endif /* EAP_FAST_OR_TEAP */
4739 #endif
4740
4741 if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) {
4742 tls_show_errors(MSG_INFO, __func__,
4743 "Cipher suite configuration failed");
4744 return -1;
4745 }
4746
4747 return 0;
4748 }
4749
4750
tls_get_version(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)4751 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
4752 char *buf, size_t buflen)
4753 {
4754 const char *name;
4755 if (conn == NULL || conn->ssl == NULL)
4756 return -1;
4757
4758 name = SSL_get_version(conn->ssl);
4759 if (name == NULL)
4760 return -1;
4761
4762 os_strlcpy(buf, name, buflen);
4763 return 0;
4764 }
4765
4766
tls_get_cipher(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)4767 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
4768 char *buf, size_t buflen)
4769 {
4770 const char *name;
4771 if (conn == NULL || conn->ssl == NULL)
4772 return -1;
4773
4774 name = SSL_get_cipher(conn->ssl);
4775 if (name == NULL)
4776 return -1;
4777
4778 os_strlcpy(buf, name, buflen);
4779 return 0;
4780 }
4781
4782
tls_connection_enable_workaround(void * ssl_ctx,struct tls_connection * conn)4783 int tls_connection_enable_workaround(void *ssl_ctx,
4784 struct tls_connection *conn)
4785 {
4786 SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
4787
4788 return 0;
4789 }
4790
4791
4792 #ifdef EAP_FAST_OR_TEAP
4793 /* ClientHello TLS extensions require a patch to openssl, so this function is
4794 * commented out unless explicitly needed for EAP-FAST in order to be able to
4795 * build this file with unmodified openssl. */
tls_connection_client_hello_ext(void * ssl_ctx,struct tls_connection * conn,int ext_type,const u8 * data,size_t data_len)4796 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
4797 int ext_type, const u8 *data,
4798 size_t data_len)
4799 {
4800 if (conn == NULL || conn->ssl == NULL || ext_type != 35)
4801 return -1;
4802
4803 if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
4804 data_len) != 1)
4805 return -1;
4806
4807 return 0;
4808 }
4809 #endif /* EAP_FAST_OR_TEAP */
4810
4811
tls_connection_get_failed(void * ssl_ctx,struct tls_connection * conn)4812 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
4813 {
4814 if (conn == NULL)
4815 return -1;
4816 return conn->failed;
4817 }
4818
4819
tls_connection_get_read_alerts(void * ssl_ctx,struct tls_connection * conn)4820 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
4821 {
4822 if (conn == NULL)
4823 return -1;
4824 return conn->read_alerts;
4825 }
4826
4827
tls_connection_get_write_alerts(void * ssl_ctx,struct tls_connection * conn)4828 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
4829 {
4830 if (conn == NULL)
4831 return -1;
4832 return conn->write_alerts;
4833 }
4834
4835
4836 #ifdef HAVE_OCSP
4837
ocsp_debug_print_resp(OCSP_RESPONSE * rsp)4838 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
4839 {
4840 #ifndef CONFIG_NO_STDOUT_DEBUG
4841 BIO *out;
4842 size_t rlen;
4843 char *txt;
4844 int res;
4845
4846 if (wpa_debug_level > MSG_DEBUG)
4847 return;
4848
4849 out = BIO_new(BIO_s_mem());
4850 if (!out)
4851 return;
4852
4853 OCSP_RESPONSE_print(out, rsp, 0);
4854 rlen = BIO_ctrl_pending(out);
4855 txt = os_malloc(rlen + 1);
4856 if (!txt) {
4857 BIO_free(out);
4858 return;
4859 }
4860
4861 res = BIO_read(out, txt, rlen);
4862 if (res > 0) {
4863 txt[res] = '\0';
4864 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP Response\n%s", txt);
4865 }
4866 os_free(txt);
4867 BIO_free(out);
4868 #endif /* CONFIG_NO_STDOUT_DEBUG */
4869 }
4870
4871
ocsp_resp_cb(SSL * s,void * arg)4872 static int ocsp_resp_cb(SSL *s, void *arg)
4873 {
4874 struct tls_connection *conn = arg;
4875 const unsigned char *p;
4876 int len, status, reason, res;
4877 OCSP_RESPONSE *rsp;
4878 OCSP_BASICRESP *basic;
4879 OCSP_CERTID *id;
4880 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
4881 X509_STORE *store;
4882 STACK_OF(X509) *certs = NULL;
4883
4884 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
4885 if (!p) {
4886 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
4887 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
4888 }
4889
4890 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
4891
4892 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
4893 if (!rsp) {
4894 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
4895 return 0;
4896 }
4897
4898 ocsp_debug_print_resp(rsp);
4899
4900 status = OCSP_response_status(rsp);
4901 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
4902 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
4903 status, OCSP_response_status_str(status));
4904 return 0;
4905 }
4906
4907 basic = OCSP_response_get1_basic(rsp);
4908 if (!basic) {
4909 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
4910 return 0;
4911 }
4912
4913 store = SSL_CTX_get_cert_store(conn->ssl_ctx);
4914 if (conn->peer_issuer) {
4915 debug_print_cert(conn->peer_issuer, "Add OCSP issuer");
4916
4917 if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) {
4918 tls_show_errors(MSG_INFO, __func__,
4919 "OpenSSL: Could not add issuer to certificate store");
4920 }
4921 certs = sk_X509_new_null();
4922 if (certs) {
4923 X509 *cert;
4924 cert = X509_dup(conn->peer_issuer);
4925 if (cert && !sk_X509_push(certs, cert)) {
4926 tls_show_errors(
4927 MSG_INFO, __func__,
4928 "OpenSSL: Could not add issuer to OCSP responder trust store");
4929 X509_free(cert);
4930 sk_X509_free(certs);
4931 certs = NULL;
4932 }
4933 if (certs && conn->peer_issuer_issuer) {
4934 cert = X509_dup(conn->peer_issuer_issuer);
4935 if (cert && !sk_X509_push(certs, cert)) {
4936 tls_show_errors(
4937 MSG_INFO, __func__,
4938 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
4939 X509_free(cert);
4940 }
4941 }
4942 }
4943 }
4944
4945 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
4946 sk_X509_pop_free(certs, X509_free);
4947 if (status <= 0) {
4948 tls_show_errors(MSG_INFO, __func__,
4949 "OpenSSL: OCSP response failed verification");
4950 OCSP_BASICRESP_free(basic);
4951 OCSP_RESPONSE_free(rsp);
4952 return 0;
4953 }
4954
4955 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
4956
4957 if (!conn->peer_cert) {
4958 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
4959 OCSP_BASICRESP_free(basic);
4960 OCSP_RESPONSE_free(rsp);
4961 return 0;
4962 }
4963
4964 if (!conn->peer_issuer) {
4965 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
4966 OCSP_BASICRESP_free(basic);
4967 OCSP_RESPONSE_free(rsp);
4968 return 0;
4969 }
4970
4971 id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
4972 if (!id) {
4973 wpa_printf(MSG_DEBUG,
4974 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
4975 OCSP_BASICRESP_free(basic);
4976 OCSP_RESPONSE_free(rsp);
4977 return 0;
4978 }
4979
4980 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
4981 &this_update, &next_update);
4982 if (!res) {
4983 OCSP_CERTID_free(id);
4984 id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
4985 if (!id) {
4986 wpa_printf(MSG_DEBUG,
4987 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
4988 OCSP_BASICRESP_free(basic);
4989 OCSP_RESPONSE_free(rsp);
4990 return 0;
4991 }
4992
4993 res = OCSP_resp_find_status(basic, id, &status, &reason,
4994 &produced_at, &this_update,
4995 &next_update);
4996 }
4997
4998 if (!res) {
4999 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
5000 (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
5001 " (OCSP not required)");
5002 OCSP_CERTID_free(id);
5003 OCSP_BASICRESP_free(basic);
5004 OCSP_RESPONSE_free(rsp);
5005 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
5006 }
5007 OCSP_CERTID_free(id);
5008
5009 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
5010 tls_show_errors(MSG_INFO, __func__,
5011 "OpenSSL: OCSP status times invalid");
5012 OCSP_BASICRESP_free(basic);
5013 OCSP_RESPONSE_free(rsp);
5014 return 0;
5015 }
5016
5017 OCSP_BASICRESP_free(basic);
5018 OCSP_RESPONSE_free(rsp);
5019
5020 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
5021 OCSP_cert_status_str(status));
5022
5023 if (status == V_OCSP_CERTSTATUS_GOOD)
5024 return 1;
5025 if (status == V_OCSP_CERTSTATUS_REVOKED)
5026 return 0;
5027 if (conn->flags & TLS_CONN_REQUIRE_OCSP) {
5028 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
5029 return 0;
5030 }
5031 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
5032 return 1;
5033 }
5034
5035
ocsp_status_cb(SSL * s,void * arg)5036 static int ocsp_status_cb(SSL *s, void *arg)
5037 {
5038 char *tmp;
5039 char *resp;
5040 size_t len;
5041
5042 if (tls_global->ocsp_stapling_response == NULL) {
5043 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - no response configured");
5044 return SSL_TLSEXT_ERR_OK;
5045 }
5046
5047 resp = os_readfile(tls_global->ocsp_stapling_response, &len);
5048 if (resp == NULL) {
5049 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - could not read response file");
5050 /* TODO: Build OCSPResponse with responseStatus = internalError
5051 */
5052 return SSL_TLSEXT_ERR_OK;
5053 }
5054 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - send cached response");
5055 tmp = OPENSSL_malloc(len);
5056 if (tmp == NULL) {
5057 os_free(resp);
5058 return SSL_TLSEXT_ERR_ALERT_FATAL;
5059 }
5060
5061 os_memcpy(tmp, resp, len);
5062 os_free(resp);
5063 SSL_set_tlsext_status_ocsp_resp(s, tmp, len);
5064
5065 return SSL_TLSEXT_ERR_OK;
5066 }
5067
5068 #endif /* HAVE_OCSP */
5069
5070
max_str_len(const char ** lines)5071 static size_t max_str_len(const char **lines)
5072 {
5073 const char **p;
5074 size_t max_len = 0;
5075
5076 for (p = lines; *p; p++) {
5077 size_t len = os_strlen(*p);
5078
5079 if (len > max_len)
5080 max_len = len;
5081 }
5082
5083 return max_len;
5084 }
5085
5086
match_lines_in_file(const char * path,const char ** lines)5087 static int match_lines_in_file(const char *path, const char **lines)
5088 {
5089 FILE *f;
5090 char *buf;
5091 size_t bufsize;
5092 int found = 0, is_linestart = 1;
5093
5094 bufsize = max_str_len(lines) + sizeof("\r\n");
5095 buf = os_malloc(bufsize);
5096 if (!buf)
5097 return 0;
5098
5099 f = fopen(path, "r");
5100 if (!f) {
5101 os_free(buf);
5102 return 0;
5103 }
5104
5105 while (!found && fgets(buf, bufsize, f)) {
5106 int is_lineend;
5107 size_t len;
5108 const char **p;
5109
5110 len = strcspn(buf, "\r\n");
5111 is_lineend = buf[len] != '\0';
5112 buf[len] = '\0';
5113
5114 if (is_linestart && is_lineend) {
5115 for (p = lines; !found && *p; p++)
5116 found = os_strcmp(buf, *p) == 0;
5117 }
5118 is_linestart = is_lineend;
5119 }
5120
5121 fclose(f);
5122 bin_clear_free(buf, bufsize);
5123
5124 return found;
5125 }
5126
5127
is_tpm2_key(const char * path)5128 static int is_tpm2_key(const char *path)
5129 {
5130 /* Check both new and old format of TPM2 PEM guard tag */
5131 static const char *tpm2_tags[] = {
5132 "-----BEGIN TSS2 PRIVATE KEY-----",
5133 "-----BEGIN TSS2 KEY BLOB-----",
5134 NULL
5135 };
5136
5137 return match_lines_in_file(path, tpm2_tags);
5138 }
5139
5140
tls_connection_set_params(void * tls_ctx,struct tls_connection * conn,const struct tls_connection_params * params)5141 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
5142 const struct tls_connection_params *params)
5143 {
5144 struct tls_data *data = tls_ctx;
5145 int ret;
5146 unsigned long err;
5147 int can_pkcs11 = 0;
5148 const char *key_id = params->key_id;
5149 const char *cert_id = params->cert_id;
5150 const char *ca_cert_id = params->ca_cert_id;
5151 const char *engine_id = params->engine ? params->engine_id : NULL;
5152 const char *ciphers;
5153
5154 if (conn == NULL)
5155 return -1;
5156
5157 if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
5158 wpa_printf(MSG_INFO,
5159 "OpenSSL: ocsp=3 not supported");
5160 return -1;
5161 }
5162
5163 /*
5164 * If the engine isn't explicitly configured, and any of the
5165 * cert/key fields are actually PKCS#11 URIs, then automatically
5166 * use the PKCS#11 ENGINE.
5167 */
5168 if (!engine_id || os_strcmp(engine_id, "pkcs11") == 0)
5169 can_pkcs11 = 1;
5170
5171 if (!key_id && params->private_key && can_pkcs11 &&
5172 os_strncmp(params->private_key, "pkcs11:", 7) == 0) {
5173 can_pkcs11 = 2;
5174 key_id = params->private_key;
5175 }
5176
5177 if (!cert_id && params->client_cert && can_pkcs11 &&
5178 os_strncmp(params->client_cert, "pkcs11:", 7) == 0) {
5179 can_pkcs11 = 2;
5180 cert_id = params->client_cert;
5181 }
5182
5183 if (!ca_cert_id && params->ca_cert && can_pkcs11 &&
5184 os_strncmp(params->ca_cert, "pkcs11:", 7) == 0) {
5185 can_pkcs11 = 2;
5186 ca_cert_id = params->ca_cert;
5187 }
5188
5189 /* If we need to automatically enable the PKCS#11 ENGINE, do so. */
5190 if (can_pkcs11 == 2 && !engine_id)
5191 engine_id = "pkcs11";
5192
5193 /* If private_key points to a TPM2-wrapped key, automatically enable
5194 * tpm2 engine and use it to unwrap the key. */
5195 if (params->private_key &&
5196 (!engine_id || os_strcmp(engine_id, "tpm2") == 0) &&
5197 is_tpm2_key(params->private_key)) {
5198 wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s",
5199 params->private_key);
5200 key_id = key_id ? key_id : params->private_key;
5201 engine_id = engine_id ? engine_id : "tpm2";
5202 }
5203
5204 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
5205 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
5206 if (params->flags & TLS_CONN_EAP_FAST) {
5207 wpa_printf(MSG_DEBUG,
5208 "OpenSSL: Use TLSv1_method() for EAP-FAST");
5209 if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
5210 tls_show_errors(MSG_INFO, __func__,
5211 "Failed to set TLSv1_method() for EAP-FAST");
5212 return -1;
5213 }
5214 }
5215 #endif
5216 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
5217 #ifdef SSL_OP_NO_TLSv1_3
5218 if (params->flags & TLS_CONN_EAP_FAST) {
5219 /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
5220 * refuses to start the handshake with the modified ciphersuite
5221 * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */
5222 wpa_printf(MSG_DEBUG, "OpenSSL: Disable TLSv1.3 for EAP-FAST");
5223 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3);
5224 }
5225 #endif /* SSL_OP_NO_TLSv1_3 */
5226 #endif
5227 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
5228
5229 while ((err = ERR_get_error())) {
5230 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5231 __func__, ERR_error_string(err, NULL));
5232 }
5233
5234 if (engine_id) {
5235 wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s",
5236 engine_id);
5237 ret = tls_engine_init(conn, engine_id, params->pin,
5238 key_id, cert_id, ca_cert_id);
5239 if (ret)
5240 return ret;
5241 }
5242 if (tls_connection_set_subject_match(conn,
5243 params->subject_match,
5244 params->altsubject_match,
5245 params->suffix_match,
5246 params->domain_match,
5247 params->check_cert_subject))
5248 return -1;
5249
5250 if (engine_id && ca_cert_id) {
5251 if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
5252 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5253 } else if (tls_connection_ca_cert(data, conn, params->ca_cert,
5254 params->ca_cert_blob,
5255 params->ca_cert_blob_len,
5256 params->ca_path))
5257 return -1;
5258
5259 if (engine_id && cert_id) {
5260 if (tls_connection_engine_client_cert(conn, cert_id))
5261 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5262 } else if (tls_connection_client_cert(conn, params->client_cert,
5263 params->client_cert_blob,
5264 params->client_cert_blob_len))
5265 return -1;
5266
5267 if (engine_id && key_id) {
5268 wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
5269 if (tls_connection_engine_private_key(conn))
5270 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5271 } else if (tls_connection_private_key(data, conn,
5272 params->private_key,
5273 params->private_key_passwd,
5274 params->private_key_blob,
5275 params->private_key_blob_len)) {
5276 wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'",
5277 params->private_key);
5278 return -1;
5279 }
5280
5281 if (tls_connection_dh(conn, params->dh_file)) {
5282 wpa_printf(MSG_INFO, "TLS: Failed to load DH file '%s'",
5283 params->dh_file);
5284 return -1;
5285 }
5286
5287 ciphers = params->openssl_ciphers;
5288 #ifdef CONFIG_SUITEB
5289 #ifdef OPENSSL_IS_BORINGSSL
5290 if (ciphers && os_strcmp(ciphers, "SUITEB192") == 0) {
5291 /* BoringSSL removed support for SUITEB192, so need to handle
5292 * this with hardcoded ciphersuite and additional checks for
5293 * other parameters. */
5294 ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384";
5295 }
5296 #endif /* OPENSSL_IS_BORINGSSL */
5297 #endif /* CONFIG_SUITEB */
5298 if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) {
5299 wpa_printf(MSG_INFO,
5300 "OpenSSL: Failed to set cipher string '%s'",
5301 ciphers);
5302 return -1;
5303 }
5304
5305 if (!params->openssl_ecdh_curves) {
5306 #ifndef OPENSSL_IS_BORINGSSL
5307 #ifndef OPENSSL_NO_EC
5308 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
5309 (OPENSSL_VERSION_NUMBER < 0x10100000L)
5310 if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) {
5311 wpa_printf(MSG_INFO,
5312 "OpenSSL: Failed to set ECDH curves to auto");
5313 return -1;
5314 }
5315 #endif /* >= 1.0.2 && < 1.1.0 */
5316 #endif /* OPENSSL_NO_EC */
5317 #endif /* OPENSSL_IS_BORINGSSL */
5318 } else if (params->openssl_ecdh_curves[0]) {
5319 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
5320 wpa_printf(MSG_INFO,
5321 "OpenSSL: ECDH configuration nnot supported");
5322 return -1;
5323 #else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
5324 #ifndef OPENSSL_NO_EC
5325 if (SSL_set1_curves_list(conn->ssl,
5326 params->openssl_ecdh_curves) != 1) {
5327 wpa_printf(MSG_INFO,
5328 "OpenSSL: Failed to set ECDH curves '%s'",
5329 params->openssl_ecdh_curves);
5330 return -1;
5331 }
5332 #else /* OPENSSL_NO_EC */
5333 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5334 return -1;
5335 #endif /* OPENSSL_NO_EC */
5336 #endif /* OPENSSL_IS_BORINGSSL */
5337 }
5338
5339 if (tls_set_conn_flags(conn, params->flags,
5340 params->openssl_ciphers) < 0)
5341 return -1;
5342
5343 #ifdef OPENSSL_IS_BORINGSSL
5344 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5345 SSL_enable_ocsp_stapling(conn->ssl);
5346 }
5347 #else /* OPENSSL_IS_BORINGSSL */
5348 #ifdef HAVE_OCSP
5349 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5350 SSL_CTX *ssl_ctx = data->ssl;
5351 SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp);
5352 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
5353 SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
5354 }
5355 #else /* HAVE_OCSP */
5356 if (params->flags & TLS_CONN_REQUIRE_OCSP) {
5357 wpa_printf(MSG_INFO,
5358 "OpenSSL: No OCSP support included - reject configuration");
5359 return -1;
5360 }
5361 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5362 wpa_printf(MSG_DEBUG,
5363 "OpenSSL: No OCSP support included - allow optional OCSP case to continue");
5364 }
5365 #endif /* HAVE_OCSP */
5366 #endif /* OPENSSL_IS_BORINGSSL */
5367
5368 conn->flags = params->flags;
5369
5370 tls_get_errors(data);
5371
5372 return 0;
5373 }
5374
5375
openssl_debug_dump_cipher_list(SSL_CTX * ssl_ctx)5376 static void openssl_debug_dump_cipher_list(SSL_CTX *ssl_ctx)
5377 {
5378 SSL *ssl;
5379 int i;
5380
5381 ssl = SSL_new(ssl_ctx);
5382 if (!ssl)
5383 return;
5384
5385 wpa_printf(MSG_DEBUG,
5386 "OpenSSL: Enabled cipher suites in priority order");
5387 for (i = 0; ; i++) {
5388 const char *cipher;
5389
5390 cipher = SSL_get_cipher_list(ssl, i);
5391 if (!cipher)
5392 break;
5393 wpa_printf(MSG_DEBUG, "Cipher %d: %s", i, cipher);
5394 }
5395
5396 SSL_free(ssl);
5397 }
5398
5399
5400 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5401
openssl_pkey_type_str(const EVP_PKEY * pkey)5402 static const char * openssl_pkey_type_str(const EVP_PKEY *pkey)
5403 {
5404 if (!pkey)
5405 return "NULL";
5406 switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
5407 case EVP_PKEY_RSA:
5408 return "RSA";
5409 case EVP_PKEY_DSA:
5410 return "DSA";
5411 case EVP_PKEY_DH:
5412 return "DH";
5413 case EVP_PKEY_EC:
5414 return "EC";
5415 }
5416 return "?";
5417 }
5418
5419
openssl_debug_dump_certificate(int i,X509 * cert)5420 static void openssl_debug_dump_certificate(int i, X509 *cert)
5421 {
5422 char buf[256];
5423 EVP_PKEY *pkey;
5424 ASN1_INTEGER *ser;
5425 char serial_num[128];
5426
5427 if (!cert)
5428 return;
5429
5430 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
5431
5432 ser = X509_get_serialNumber(cert);
5433 if (ser)
5434 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
5435 ASN1_STRING_get0_data(ser),
5436 ASN1_STRING_length(ser));
5437 else
5438 serial_num[0] = '\0';
5439
5440 pkey = X509_get_pubkey(cert);
5441 wpa_printf(MSG_DEBUG, "%d: %s (%s) %s", i, buf,
5442 openssl_pkey_type_str(pkey), serial_num);
5443 EVP_PKEY_free(pkey);
5444 }
5445
5446
openssl_debug_dump_certificates(SSL_CTX * ssl_ctx)5447 static void openssl_debug_dump_certificates(SSL_CTX *ssl_ctx)
5448 {
5449 STACK_OF(X509) *certs;
5450
5451 wpa_printf(MSG_DEBUG, "OpenSSL: Configured certificate chain");
5452 if (SSL_CTX_get0_chain_certs(ssl_ctx, &certs) == 1) {
5453 int i;
5454
5455 for (i = sk_X509_num(certs); i > 0; i--)
5456 openssl_debug_dump_certificate(i, sk_X509_value(certs,
5457 i - 1));
5458 }
5459 openssl_debug_dump_certificate(0, SSL_CTX_get0_certificate(ssl_ctx));
5460 }
5461
5462 #endif
5463
5464
openssl_debug_dump_certificate_chains(SSL_CTX * ssl_ctx)5465 static void openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx)
5466 {
5467 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5468 int res;
5469
5470 for (res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5471 res == 1;
5472 res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_NEXT))
5473 openssl_debug_dump_certificates(ssl_ctx);
5474
5475 SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5476 #endif
5477 }
5478
5479
openssl_debug_dump_ctx(SSL_CTX * ssl_ctx)5480 static void openssl_debug_dump_ctx(SSL_CTX *ssl_ctx)
5481 {
5482 openssl_debug_dump_cipher_list(ssl_ctx);
5483 openssl_debug_dump_certificate_chains(ssl_ctx);
5484 }
5485
5486
tls_global_set_params(void * tls_ctx,const struct tls_connection_params * params)5487 int tls_global_set_params(void *tls_ctx,
5488 const struct tls_connection_params *params)
5489 {
5490 struct tls_data *data = tls_ctx;
5491 SSL_CTX *ssl_ctx = data->ssl;
5492 unsigned long err;
5493
5494 while ((err = ERR_get_error())) {
5495 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5496 __func__, ERR_error_string(err, NULL));
5497 }
5498
5499 os_free(data->check_cert_subject);
5500 data->check_cert_subject = NULL;
5501 if (params->check_cert_subject) {
5502 data->check_cert_subject =
5503 os_strdup(params->check_cert_subject);
5504 if (!data->check_cert_subject)
5505 return -1;
5506 }
5507
5508 if (tls_global_ca_cert(data, params->ca_cert) ||
5509 tls_global_client_cert(data, params->client_cert) ||
5510 tls_global_private_key(data, params->private_key,
5511 params->private_key_passwd) ||
5512 tls_global_client_cert(data, params->client_cert2) ||
5513 tls_global_private_key(data, params->private_key2,
5514 params->private_key_passwd2) ||
5515 tls_global_dh(data, params->dh_file)) {
5516 wpa_printf(MSG_INFO, "TLS: Failed to set global parameters");
5517 return -1;
5518 }
5519
5520 if (params->openssl_ciphers &&
5521 SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
5522 wpa_printf(MSG_INFO,
5523 "OpenSSL: Failed to set cipher string '%s'",
5524 params->openssl_ciphers);
5525 return -1;
5526 }
5527
5528 if (!params->openssl_ecdh_curves) {
5529 #ifndef OPENSSL_IS_BORINGSSL
5530 #ifndef OPENSSL_NO_EC
5531 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
5532 (OPENSSL_VERSION_NUMBER < 0x10100000L)
5533 if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
5534 wpa_printf(MSG_INFO,
5535 "OpenSSL: Failed to set ECDH curves to auto");
5536 return -1;
5537 }
5538 #endif /* >= 1.0.2 && < 1.1.0 */
5539 #endif /* OPENSSL_NO_EC */
5540 #endif /* OPENSSL_IS_BORINGSSL */
5541 } else if (params->openssl_ecdh_curves[0]) {
5542 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
5543 wpa_printf(MSG_INFO,
5544 "OpenSSL: ECDH configuration nnot supported");
5545 return -1;
5546 #else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
5547 #ifndef OPENSSL_NO_EC
5548 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5549 SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
5550 #endif
5551 if (SSL_CTX_set1_curves_list(ssl_ctx,
5552 params->openssl_ecdh_curves) !=
5553 1) {
5554 wpa_printf(MSG_INFO,
5555 "OpenSSL: Failed to set ECDH curves '%s'",
5556 params->openssl_ecdh_curves);
5557 return -1;
5558 }
5559 #else /* OPENSSL_NO_EC */
5560 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5561 return -1;
5562 #endif /* OPENSSL_NO_EC */
5563 #endif /* OPENSSL_IS_BORINGSSL */
5564 }
5565
5566 #ifdef SSL_OP_NO_TICKET
5567 if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
5568 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
5569 else
5570 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TICKET);
5571 #endif /* SSL_OP_NO_TICKET */
5572
5573 #ifdef HAVE_OCSP
5574 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_status_cb);
5575 SSL_CTX_set_tlsext_status_arg(ssl_ctx, ssl_ctx);
5576 os_free(tls_global->ocsp_stapling_response);
5577 if (params->ocsp_stapling_response)
5578 tls_global->ocsp_stapling_response =
5579 os_strdup(params->ocsp_stapling_response);
5580 else
5581 tls_global->ocsp_stapling_response = NULL;
5582 #endif /* HAVE_OCSP */
5583
5584 openssl_debug_dump_ctx(ssl_ctx);
5585
5586 return 0;
5587 }
5588
5589
5590 #ifdef EAP_FAST_OR_TEAP
5591 /* Pre-shared secred requires a patch to openssl, so this function is
5592 * commented out unless explicitly needed for EAP-FAST in order to be able to
5593 * build this file with unmodified openssl. */
5594
5595 #if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
tls_sess_sec_cb(SSL * s,void * secret,int * secret_len,STACK_OF (SSL_CIPHER)* peer_ciphers,const SSL_CIPHER ** cipher,void * arg)5596 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
5597 STACK_OF(SSL_CIPHER) *peer_ciphers,
5598 const SSL_CIPHER **cipher, void *arg)
5599 #else /* OPENSSL_IS_BORINGSSL */
5600 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
5601 STACK_OF(SSL_CIPHER) *peer_ciphers,
5602 SSL_CIPHER **cipher, void *arg)
5603 #endif /* OPENSSL_IS_BORINGSSL */
5604 {
5605 struct tls_connection *conn = arg;
5606 int ret;
5607
5608 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
5609 (defined(LIBRESSL_VERSION_NUMBER) && \
5610 LIBRESSL_VERSION_NUMBER < 0x20700000L)
5611 if (conn == NULL || conn->session_ticket_cb == NULL)
5612 return 0;
5613
5614 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
5615 conn->session_ticket,
5616 conn->session_ticket_len,
5617 s->s3->client_random,
5618 s->s3->server_random, secret);
5619 #else
5620 unsigned char client_random[SSL3_RANDOM_SIZE];
5621 unsigned char server_random[SSL3_RANDOM_SIZE];
5622
5623 if (conn == NULL || conn->session_ticket_cb == NULL)
5624 return 0;
5625
5626 SSL_get_client_random(s, client_random, sizeof(client_random));
5627 SSL_get_server_random(s, server_random, sizeof(server_random));
5628
5629 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
5630 conn->session_ticket,
5631 conn->session_ticket_len,
5632 client_random,
5633 server_random, secret);
5634 #endif
5635
5636 os_free(conn->session_ticket);
5637 conn->session_ticket = NULL;
5638
5639 if (ret <= 0)
5640 return 0;
5641
5642 *secret_len = SSL_MAX_MASTER_KEY_LENGTH;
5643 return 1;
5644 }
5645
5646
tls_session_ticket_ext_cb(SSL * s,const unsigned char * data,int len,void * arg)5647 static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
5648 int len, void *arg)
5649 {
5650 struct tls_connection *conn = arg;
5651
5652 if (conn == NULL || conn->session_ticket_cb == NULL)
5653 return 0;
5654
5655 wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
5656
5657 os_free(conn->session_ticket);
5658 conn->session_ticket = NULL;
5659
5660 wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
5661 "extension", data, len);
5662
5663 conn->session_ticket = os_memdup(data, len);
5664 if (conn->session_ticket == NULL)
5665 return 0;
5666
5667 conn->session_ticket_len = len;
5668
5669 return 1;
5670 }
5671 #endif /* EAP_FAST_OR_TEAP */
5672
5673
tls_connection_set_session_ticket_cb(void * tls_ctx,struct tls_connection * conn,tls_session_ticket_cb cb,void * ctx)5674 int tls_connection_set_session_ticket_cb(void *tls_ctx,
5675 struct tls_connection *conn,
5676 tls_session_ticket_cb cb,
5677 void *ctx)
5678 {
5679 #ifdef EAP_FAST_OR_TEAP
5680 conn->session_ticket_cb = cb;
5681 conn->session_ticket_cb_ctx = ctx;
5682
5683 if (cb) {
5684 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
5685 conn) != 1)
5686 return -1;
5687 SSL_set_session_ticket_ext_cb(conn->ssl,
5688 tls_session_ticket_ext_cb, conn);
5689 } else {
5690 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
5691 return -1;
5692 SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
5693 }
5694
5695 return 0;
5696 #else /* EAP_FAST_OR_TEAP */
5697 return -1;
5698 #endif /* EAP_FAST_OR_TEAP */
5699 }
5700
5701
tls_get_library_version(char * buf,size_t buf_len)5702 int tls_get_library_version(char *buf, size_t buf_len)
5703 {
5704 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
5705 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
5706 OPENSSL_VERSION_TEXT,
5707 OpenSSL_version(OPENSSL_VERSION));
5708 #else
5709 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
5710 OPENSSL_VERSION_TEXT,
5711 SSLeay_version(SSLEAY_VERSION));
5712 #endif
5713 }
5714
5715
tls_connection_set_success_data(struct tls_connection * conn,struct wpabuf * data)5716 void tls_connection_set_success_data(struct tls_connection *conn,
5717 struct wpabuf *data)
5718 {
5719 SSL_SESSION *sess;
5720 struct wpabuf *old;
5721
5722 if (tls_ex_idx_session < 0)
5723 goto fail;
5724 sess = SSL_get_session(conn->ssl);
5725 if (!sess)
5726 goto fail;
5727 old = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
5728 if (old) {
5729 wpa_printf(MSG_DEBUG, "OpenSSL: Replacing old success data %p",
5730 old);
5731 wpabuf_free(old);
5732 }
5733 if (SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, data) != 1)
5734 goto fail;
5735
5736 wpa_printf(MSG_DEBUG, "OpenSSL: Stored success data %p", data);
5737 conn->success_data = 1;
5738 return;
5739
5740 fail:
5741 wpa_printf(MSG_INFO, "OpenSSL: Failed to store success data");
5742 wpabuf_free(data);
5743 }
5744
5745
tls_connection_set_success_data_resumed(struct tls_connection * conn)5746 void tls_connection_set_success_data_resumed(struct tls_connection *conn)
5747 {
5748 wpa_printf(MSG_DEBUG,
5749 "OpenSSL: Success data accepted for resumed session");
5750 conn->success_data = 1;
5751 }
5752
5753
5754 const struct wpabuf *
tls_connection_get_success_data(struct tls_connection * conn)5755 tls_connection_get_success_data(struct tls_connection *conn)
5756 {
5757 SSL_SESSION *sess;
5758
5759 if (tls_ex_idx_session < 0 ||
5760 !(sess = SSL_get_session(conn->ssl)))
5761 return NULL;
5762 return SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
5763 }
5764
5765
tls_connection_remove_session(struct tls_connection * conn)5766 void tls_connection_remove_session(struct tls_connection *conn)
5767 {
5768 SSL_SESSION *sess;
5769
5770 sess = SSL_get_session(conn->ssl);
5771 if (!sess)
5772 return;
5773
5774 if (SSL_CTX_remove_session(conn->ssl_ctx, sess) != 1)
5775 wpa_printf(MSG_DEBUG,
5776 "OpenSSL: Session was not cached");
5777 else
5778 wpa_printf(MSG_DEBUG,
5779 "OpenSSL: Removed cached session to disable session resumption");
5780 }
5781
5782
tls_get_tls_unique(struct tls_connection * conn,u8 * buf,size_t max_len)5783 int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)
5784 {
5785 size_t len;
5786 int reused;
5787
5788 reused = SSL_session_reused(conn->ssl);
5789 if ((conn->server && !reused) || (!conn->server && reused))
5790 len = SSL_get_peer_finished(conn->ssl, buf, max_len);
5791 else
5792 len = SSL_get_finished(conn->ssl, buf, max_len);
5793
5794 if (len == 0 || len > max_len)
5795 return -1;
5796
5797 return len;
5798 }
5799
5800
tls_connection_get_cipher_suite(struct tls_connection * conn)5801 u16 tls_connection_get_cipher_suite(struct tls_connection *conn)
5802 {
5803 const SSL_CIPHER *cipher;
5804
5805 cipher = SSL_get_current_cipher(conn->ssl);
5806 if (!cipher)
5807 return 0;
5808 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
5809 return SSL_CIPHER_get_protocol_id(cipher);
5810 #else
5811 return SSL_CIPHER_get_id(cipher) & 0xFFFF;
5812 #endif
5813 }
5814
5815
tls_connection_get_peer_subject(struct tls_connection * conn)5816 const char * tls_connection_get_peer_subject(struct tls_connection *conn)
5817 {
5818 if (conn)
5819 return conn->peer_subject;
5820 return NULL;
5821 }
5822
5823
tls_connection_get_own_cert_used(struct tls_connection * conn)5824 bool tls_connection_get_own_cert_used(struct tls_connection *conn)
5825 {
5826 if (conn)
5827 return SSL_get_certificate(conn->ssl) != NULL;
5828 return false;
5829 }
5830