1 /*
2 * SSL/TLS interface functions for OpenSSL
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #ifdef CONFIG_TESTING_OPTIONS
11 #include <fcntl.h>
12 #endif /* CONFIG_TESTING_OPTIONS */
13
14 #ifndef CONFIG_SMARTCARD
15 #ifndef OPENSSL_NO_ENGINE
16 #ifndef ANDROID
17 #define OPENSSL_NO_ENGINE
18 #endif
19 #endif
20 #endif
21
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/opensslv.h>
25 #include <openssl/pkcs12.h>
26 #include <openssl/x509v3.h>
27 #ifndef OPENSSL_NO_ENGINE
28 #include <openssl/engine.h>
29 #endif /* OPENSSL_NO_ENGINE */
30 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
31 #include <openssl/core_names.h>
32 #include <openssl/decoder.h>
33 #include <openssl/param_build.h>
34 #else /* OpenSSL version >= 3.0 */
35 #ifndef OPENSSL_NO_DSA
36 #include <openssl/dsa.h>
37 #endif
38 #ifndef OPENSSL_NO_DH
39 #include <openssl/dh.h>
40 #endif
41 #endif /* OpenSSL version >= 3.0 */
42
43 #include "common.h"
44 #include "utils/list.h"
45 #include "crypto.h"
46 #include "sha1.h"
47 #include "sha256.h"
48 #include "tls.h"
49 #include "tls_openssl.h"
50
51 #if !defined(CONFIG_FIPS) && \
52 (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
53 defined(EAP_SERVER_FAST))
54 #define OPENSSL_NEED_EAP_FAST_PRF
55 #endif
56
57 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
58 defined(EAP_SERVER_FAST) || defined(EAP_TEAP) || \
59 defined(EAP_SERVER_TEAP)
60 #define EAP_FAST_OR_TEAP
61 #endif
62
63
64 #if defined(OPENSSL_IS_BORINGSSL)
65 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
66 typedef size_t stack_index_t;
67 #else
68 typedef int stack_index_t;
69 #endif
70
71 #ifdef SSL_set_tlsext_status_type
72 #ifndef OPENSSL_NO_TLSEXT
73 #define HAVE_OCSP
74 #include <openssl/ocsp.h>
75 #endif /* OPENSSL_NO_TLSEXT */
76 #endif /* SSL_set_tlsext_status_type */
77
78 #if OPENSSL_VERSION_NUMBER < 0x10100000L && \
79 !defined(BORINGSSL_API_VERSION)
80 /*
81 * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
82 * 1.1.0 and newer BoringSSL revisions. Provide compatibility wrappers for
83 * older versions.
84 */
85
SSL_get_client_random(const SSL * ssl,unsigned char * out,size_t outlen)86 static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
87 size_t outlen)
88 {
89 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
90 return 0;
91 os_memcpy(out, ssl->s3->client_random, SSL3_RANDOM_SIZE);
92 return SSL3_RANDOM_SIZE;
93 }
94
95
SSL_get_server_random(const SSL * ssl,unsigned char * out,size_t outlen)96 static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
97 size_t outlen)
98 {
99 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
100 return 0;
101 os_memcpy(out, ssl->s3->server_random, SSL3_RANDOM_SIZE);
102 return SSL3_RANDOM_SIZE;
103 }
104
105
106 #ifdef OPENSSL_NEED_EAP_FAST_PRF
SSL_SESSION_get_master_key(const SSL_SESSION * session,unsigned char * out,size_t outlen)107 static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
108 unsigned char *out, size_t outlen)
109 {
110 if (!session || session->master_key_length < 0 ||
111 (size_t) session->master_key_length > outlen)
112 return 0;
113 if ((size_t) session->master_key_length < outlen)
114 outlen = session->master_key_length;
115 os_memcpy(out, session->master_key, outlen);
116 return outlen;
117 }
118 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
119
120 #endif
121
122 #if OPENSSL_VERSION_NUMBER < 0x10100000L
ASN1_STRING_get0_data(const ASN1_STRING * x)123 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
124 {
125 return ASN1_STRING_data((ASN1_STRING *) x);
126 }
127 #endif
128
129 #ifdef ANDROID
130 #include <openssl/pem.h>
131 #include <keystore/keystore_get.h>
132
133 #include <log/log.h>
134 #include <log/log_event_list.h>
135
136 #define CERT_VALIDATION_FAILURE 210033
137 #define ANDROID_KEYSTORE_PREFIX "keystore://"
138 #define ANDROID_KEYSTORE_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_PREFIX)
139 #define ANDROID_KEYSTORE_ENCODED_PREFIX "keystores://"
140 #define ANDROID_KEYSTORE_ENCODED_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_ENCODED_PREFIX)
141
log_cert_validation_failure(const char * reason)142 static void log_cert_validation_failure(const char *reason)
143 {
144 android_log_context ctx = create_android_logger(CERT_VALIDATION_FAILURE);
145 android_log_write_string8(ctx, reason);
146 android_log_write_list(ctx, LOG_ID_SECURITY);
147 android_log_destroy(&ctx);
148 }
149
150
BIO_from_keystore(const char * alias)151 static BIO* BIO_from_keystore(const char *alias)
152 {
153 BIO *bio = NULL;
154 uint8_t *value = NULL;
155 int length = keystore_get(alias, strlen(alias), &value);
156 if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL)
157 BIO_write(bio, value, length);
158 free(value);
159 return bio;
160 }
161
tls_add_ca_from_keystore(X509_STORE * ctx,const char * alias)162 static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *alias)
163 {
164 BIO *bio = BIO_from_keystore(alias);
165 STACK_OF(X509_INFO) *stack = NULL;
166 stack_index_t i;
167 int ret = 0;
168
169 if (!bio) {
170 wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
171 alias);
172 return -1;
173 }
174
175 // Keystore returns X.509 certificates in PEM encoding
176 stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
177 BIO_free(bio);
178
179 if (!stack) {
180 wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
181 alias);
182 return -1;
183 }
184
185 for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
186 X509_INFO *info = sk_X509_INFO_value(stack, i);
187
188 if (info->x509)
189 if (!X509_STORE_add_cert(ctx, info->x509)) {
190 wpa_printf(MSG_ERROR,
191 "OpenSSL: Failed to add Root CA certificate");
192 ret = -1;
193 break;
194 }
195 if (info->crl)
196 X509_STORE_add_crl(ctx, info->crl);
197 }
198
199 sk_X509_INFO_pop_free(stack, X509_INFO_free);
200 return ret;
201 }
202
203
tls_add_ca_from_keystore_encoded(X509_STORE * ctx,const char * encoded_alias)204 static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx,
205 const char *encoded_alias)
206 {
207 int rc = -1;
208 int len = os_strlen(encoded_alias);
209 unsigned char *decoded_alias;
210
211 if (len & 1) {
212 wpa_printf(MSG_WARNING, "Invalid hex-encoded alias: %s",
213 encoded_alias);
214 return rc;
215 }
216
217 decoded_alias = os_malloc(len / 2 + 1);
218 if (decoded_alias) {
219 if (!hexstr2bin(encoded_alias, decoded_alias, len / 2)) {
220 decoded_alias[len / 2] = '\0';
221 rc = tls_add_ca_from_keystore(
222 ctx, (const char *) decoded_alias);
223 }
224 os_free(decoded_alias);
225 }
226
227 return rc;
228 }
229
230 #endif /* ANDROID */
231
232 static int tls_openssl_ref_count = 0;
233 static int tls_ex_idx_session = -1;
234
235 struct tls_session_data {
236 struct dl_list list;
237 struct wpabuf *buf;
238 };
239
240 struct tls_context {
241 void (*event_cb)(void *ctx, enum tls_event ev,
242 union tls_event_data *data);
243 void *cb_ctx;
244 int cert_in_cb;
245 char *ocsp_stapling_response;
246 struct dl_list sessions; /* struct tls_session_data */
247 };
248
249 static struct tls_context *tls_global = NULL;
250
251
252 struct tls_data {
253 SSL_CTX *ssl;
254 unsigned int tls_session_lifetime;
255 int check_crl;
256 int check_crl_strict;
257 char *ca_cert;
258 unsigned int crl_reload_interval;
259 struct os_reltime crl_last_reload;
260 char *check_cert_subject;
261 };
262
263 struct tls_connection {
264 struct tls_context *context;
265 struct tls_data *data;
266 SSL_CTX *ssl_ctx;
267 SSL *ssl;
268 BIO *ssl_in, *ssl_out;
269 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
270 ENGINE *engine; /* functional reference to the engine */
271 EVP_PKEY *private_key; /* the private key if using engine */
272 #endif /* OPENSSL_NO_ENGINE */
273 char *subject_match, *altsubject_match, *suffix_match, *domain_match;
274 char *check_cert_subject;
275 int read_alerts, write_alerts, failed;
276
277 tls_session_ticket_cb session_ticket_cb;
278 void *session_ticket_cb_ctx;
279
280 /* SessionTicket received from OpenSSL hello_extension_cb (server) */
281 u8 *session_ticket;
282 size_t session_ticket_len;
283
284 unsigned int ca_cert_verify:1;
285 unsigned int cert_probe:1;
286 unsigned int server_cert_only:1;
287 unsigned int invalid_hb_used:1;
288 unsigned int success_data:1;
289 unsigned int client_hello_generated:1;
290 unsigned int server:1;
291
292 u8 srv_cert_hash[32];
293
294 unsigned int flags;
295
296 X509 *peer_cert;
297 X509 *peer_issuer;
298 X509 *peer_issuer_issuer;
299 char *peer_subject; /* peer subject info for authenticated peer */
300
301 unsigned char client_random[SSL3_RANDOM_SIZE];
302 unsigned char server_random[SSL3_RANDOM_SIZE];
303
304 u16 cipher_suite;
305 int server_dh_prime_len;
306 };
307
308
tls_context_new(const struct tls_config * conf)309 static struct tls_context * tls_context_new(const struct tls_config *conf)
310 {
311 struct tls_context *context = os_zalloc(sizeof(*context));
312 if (context == NULL)
313 return NULL;
314 dl_list_init(&context->sessions);
315 if (conf) {
316 context->event_cb = conf->event_cb;
317 context->cb_ctx = conf->cb_ctx;
318 context->cert_in_cb = conf->cert_in_cb;
319 }
320 return context;
321 }
322
323
324 #ifdef CONFIG_NO_STDOUT_DEBUG
325
_tls_show_errors(void)326 static void _tls_show_errors(void)
327 {
328 unsigned long err;
329
330 while ((err = ERR_get_error())) {
331 /* Just ignore the errors, since stdout is disabled */
332 }
333 }
334 #define tls_show_errors(l, f, t) _tls_show_errors()
335
336 #else /* CONFIG_NO_STDOUT_DEBUG */
337
tls_show_errors(int level,const char * func,const char * txt)338 static void tls_show_errors(int level, const char *func, const char *txt)
339 {
340 unsigned long err;
341
342 wpa_printf(level, "OpenSSL: %s - %s %s",
343 func, txt, ERR_error_string(ERR_get_error(), NULL));
344
345 while ((err = ERR_get_error())) {
346 wpa_printf(MSG_INFO, "OpenSSL: pending error: %s",
347 ERR_error_string(err, NULL));
348 }
349 }
350
351 #endif /* CONFIG_NO_STDOUT_DEBUG */
352
353
tls_crl_cert_reload(const char * ca_cert,int check_crl)354 static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
355 {
356 int flags;
357 X509_STORE *store;
358
359 store = X509_STORE_new();
360 if (!store) {
361 wpa_printf(MSG_DEBUG,
362 "OpenSSL: %s - failed to allocate new certificate store",
363 __func__);
364 return NULL;
365 }
366
367 if (ca_cert && X509_STORE_load_locations(store, ca_cert, NULL) != 1) {
368 tls_show_errors(MSG_WARNING, __func__,
369 "Failed to load root certificates");
370 X509_STORE_free(store);
371 return NULL;
372 }
373
374 flags = check_crl ? X509_V_FLAG_CRL_CHECK : 0;
375 if (check_crl == 2)
376 flags |= X509_V_FLAG_CRL_CHECK_ALL;
377
378 X509_STORE_set_flags(store, flags);
379
380 return store;
381 }
382
383
384 #ifdef CONFIG_NATIVE_WINDOWS
385
386 /* Windows CryptoAPI and access to certificate stores */
387 #include <wincrypt.h>
388
389 #ifdef __MINGW32_VERSION
390 /*
391 * MinGW does not yet include all the needed definitions for CryptoAPI, so
392 * define here whatever extra is needed.
393 */
394 #define CERT_SYSTEM_STORE_CURRENT_USER (1 << 16)
395 #define CERT_STORE_READONLY_FLAG 0x00008000
396 #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
397
398 #endif /* __MINGW32_VERSION */
399
400
401 struct cryptoapi_rsa_data {
402 const CERT_CONTEXT *cert;
403 HCRYPTPROV crypt_prov;
404 DWORD key_spec;
405 BOOL free_crypt_prov;
406 };
407
408
cryptoapi_error(const char * msg)409 static void cryptoapi_error(const char *msg)
410 {
411 wpa_printf(MSG_INFO, "CryptoAPI: %s; err=%u",
412 msg, (unsigned int) GetLastError());
413 }
414
415
cryptoapi_rsa_pub_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)416 static int cryptoapi_rsa_pub_enc(int flen, const unsigned char *from,
417 unsigned char *to, RSA *rsa, int padding)
418 {
419 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
420 return 0;
421 }
422
423
cryptoapi_rsa_pub_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)424 static int cryptoapi_rsa_pub_dec(int flen, const unsigned char *from,
425 unsigned char *to, RSA *rsa, int padding)
426 {
427 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
428 return 0;
429 }
430
431
cryptoapi_rsa_priv_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)432 static int cryptoapi_rsa_priv_enc(int flen, const unsigned char *from,
433 unsigned char *to, RSA *rsa, int padding)
434 {
435 struct cryptoapi_rsa_data *priv =
436 (struct cryptoapi_rsa_data *) rsa->meth->app_data;
437 HCRYPTHASH hash;
438 DWORD hash_size, len, i;
439 unsigned char *buf = NULL;
440 int ret = 0;
441
442 if (priv == NULL) {
443 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
444 ERR_R_PASSED_NULL_PARAMETER);
445 return 0;
446 }
447
448 if (padding != RSA_PKCS1_PADDING) {
449 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
450 RSA_R_UNKNOWN_PADDING_TYPE);
451 return 0;
452 }
453
454 if (flen != 16 /* MD5 */ + 20 /* SHA-1 */) {
455 wpa_printf(MSG_INFO, "%s - only MD5-SHA1 hash supported",
456 __func__);
457 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
458 RSA_R_INVALID_MESSAGE_LENGTH);
459 return 0;
460 }
461
462 if (!CryptCreateHash(priv->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash))
463 {
464 cryptoapi_error("CryptCreateHash failed");
465 return 0;
466 }
467
468 len = sizeof(hash_size);
469 if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len,
470 0)) {
471 cryptoapi_error("CryptGetHashParam failed");
472 goto err;
473 }
474
475 if ((int) hash_size != flen) {
476 wpa_printf(MSG_INFO, "CryptoAPI: Invalid hash size (%u != %d)",
477 (unsigned) hash_size, flen);
478 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
479 RSA_R_INVALID_MESSAGE_LENGTH);
480 goto err;
481 }
482 if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0)) {
483 cryptoapi_error("CryptSetHashParam failed");
484 goto err;
485 }
486
487 len = RSA_size(rsa);
488 buf = os_malloc(len);
489 if (buf == NULL) {
490 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
491 goto err;
492 }
493
494 if (!CryptSignHash(hash, priv->key_spec, NULL, 0, buf, &len)) {
495 cryptoapi_error("CryptSignHash failed");
496 goto err;
497 }
498
499 for (i = 0; i < len; i++)
500 to[i] = buf[len - i - 1];
501 ret = len;
502
503 err:
504 os_free(buf);
505 CryptDestroyHash(hash);
506
507 return ret;
508 }
509
510
cryptoapi_rsa_priv_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)511 static int cryptoapi_rsa_priv_dec(int flen, const unsigned char *from,
512 unsigned char *to, RSA *rsa, int padding)
513 {
514 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
515 return 0;
516 }
517
518
cryptoapi_free_data(struct cryptoapi_rsa_data * priv)519 static void cryptoapi_free_data(struct cryptoapi_rsa_data *priv)
520 {
521 if (priv == NULL)
522 return;
523 if (priv->crypt_prov && priv->free_crypt_prov)
524 CryptReleaseContext(priv->crypt_prov, 0);
525 if (priv->cert)
526 CertFreeCertificateContext(priv->cert);
527 os_free(priv);
528 }
529
530
cryptoapi_finish(RSA * rsa)531 static int cryptoapi_finish(RSA *rsa)
532 {
533 cryptoapi_free_data((struct cryptoapi_rsa_data *) rsa->meth->app_data);
534 os_free((void *) rsa->meth);
535 rsa->meth = NULL;
536 return 1;
537 }
538
539
cryptoapi_find_cert(const char * name,DWORD store)540 static const CERT_CONTEXT * cryptoapi_find_cert(const char *name, DWORD store)
541 {
542 HCERTSTORE cs;
543 const CERT_CONTEXT *ret = NULL;
544
545 cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0,
546 store | CERT_STORE_OPEN_EXISTING_FLAG |
547 CERT_STORE_READONLY_FLAG, L"MY");
548 if (cs == NULL) {
549 cryptoapi_error("Failed to open 'My system store'");
550 return NULL;
551 }
552
553 if (strncmp(name, "cert://", 7) == 0) {
554 unsigned short wbuf[255];
555 MultiByteToWideChar(CP_ACP, 0, name + 7, -1, wbuf, 255);
556 ret = CertFindCertificateInStore(cs, X509_ASN_ENCODING |
557 PKCS_7_ASN_ENCODING,
558 0, CERT_FIND_SUBJECT_STR,
559 wbuf, NULL);
560 } else if (strncmp(name, "hash://", 7) == 0) {
561 CRYPT_HASH_BLOB blob;
562 int len;
563 const char *hash = name + 7;
564 unsigned char *buf;
565
566 len = os_strlen(hash) / 2;
567 buf = os_malloc(len);
568 if (buf && hexstr2bin(hash, buf, len) == 0) {
569 blob.cbData = len;
570 blob.pbData = buf;
571 ret = CertFindCertificateInStore(cs,
572 X509_ASN_ENCODING |
573 PKCS_7_ASN_ENCODING,
574 0, CERT_FIND_HASH,
575 &blob, NULL);
576 }
577 os_free(buf);
578 }
579
580 CertCloseStore(cs, 0);
581
582 return ret;
583 }
584
585
tls_cryptoapi_cert(SSL * ssl,const char * name)586 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
587 {
588 X509 *cert = NULL;
589 RSA *rsa = NULL, *pub_rsa;
590 struct cryptoapi_rsa_data *priv;
591 RSA_METHOD *rsa_meth;
592
593 if (name == NULL ||
594 (strncmp(name, "cert://", 7) != 0 &&
595 strncmp(name, "hash://", 7) != 0))
596 return -1;
597
598 priv = os_zalloc(sizeof(*priv));
599 rsa_meth = os_zalloc(sizeof(*rsa_meth));
600 if (priv == NULL || rsa_meth == NULL) {
601 wpa_printf(MSG_WARNING, "CryptoAPI: Failed to allocate memory "
602 "for CryptoAPI RSA method");
603 os_free(priv);
604 os_free(rsa_meth);
605 return -1;
606 }
607
608 priv->cert = cryptoapi_find_cert(name, CERT_SYSTEM_STORE_CURRENT_USER);
609 if (priv->cert == NULL) {
610 priv->cert = cryptoapi_find_cert(
611 name, CERT_SYSTEM_STORE_LOCAL_MACHINE);
612 }
613 if (priv->cert == NULL) {
614 wpa_printf(MSG_INFO, "CryptoAPI: Could not find certificate "
615 "'%s'", name);
616 goto err;
617 }
618
619 cert = d2i_X509(NULL,
620 (const unsigned char **) &priv->cert->pbCertEncoded,
621 priv->cert->cbCertEncoded);
622 if (cert == NULL) {
623 wpa_printf(MSG_INFO, "CryptoAPI: Could not process X509 DER "
624 "encoding");
625 goto err;
626 }
627
628 if (!CryptAcquireCertificatePrivateKey(priv->cert,
629 CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
630 NULL, &priv->crypt_prov,
631 &priv->key_spec,
632 &priv->free_crypt_prov)) {
633 cryptoapi_error("Failed to acquire a private key for the "
634 "certificate");
635 goto err;
636 }
637
638 rsa_meth->name = "Microsoft CryptoAPI RSA Method";
639 rsa_meth->rsa_pub_enc = cryptoapi_rsa_pub_enc;
640 rsa_meth->rsa_pub_dec = cryptoapi_rsa_pub_dec;
641 rsa_meth->rsa_priv_enc = cryptoapi_rsa_priv_enc;
642 rsa_meth->rsa_priv_dec = cryptoapi_rsa_priv_dec;
643 rsa_meth->finish = cryptoapi_finish;
644 rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
645 rsa_meth->app_data = (char *) priv;
646
647 rsa = RSA_new();
648 if (rsa == NULL) {
649 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,
650 ERR_R_MALLOC_FAILURE);
651 goto err;
652 }
653
654 if (!SSL_use_certificate(ssl, cert)) {
655 RSA_free(rsa);
656 rsa = NULL;
657 goto err;
658 }
659 pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
660 X509_free(cert);
661 cert = NULL;
662
663 rsa->n = BN_dup(pub_rsa->n);
664 rsa->e = BN_dup(pub_rsa->e);
665 if (!RSA_set_method(rsa, rsa_meth))
666 goto err;
667
668 if (!SSL_use_RSAPrivateKey(ssl, rsa))
669 goto err;
670 RSA_free(rsa);
671
672 return 0;
673
674 err:
675 if (cert)
676 X509_free(cert);
677 if (rsa)
678 RSA_free(rsa);
679 else {
680 os_free(rsa_meth);
681 cryptoapi_free_data(priv);
682 }
683 return -1;
684 }
685
686
tls_cryptoapi_ca_cert(SSL_CTX * ssl_ctx,SSL * ssl,const char * name)687 static int tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name)
688 {
689 HCERTSTORE cs;
690 PCCERT_CONTEXT ctx = NULL;
691 X509 *cert;
692 char buf[128];
693 const char *store;
694 #ifdef UNICODE
695 WCHAR *wstore;
696 #endif /* UNICODE */
697
698 if (name == NULL || strncmp(name, "cert_store://", 13) != 0)
699 return -1;
700
701 store = name + 13;
702 #ifdef UNICODE
703 wstore = os_malloc((os_strlen(store) + 1) * sizeof(WCHAR));
704 if (wstore == NULL)
705 return -1;
706 wsprintf(wstore, L"%S", store);
707 cs = CertOpenSystemStore(0, wstore);
708 os_free(wstore);
709 #else /* UNICODE */
710 cs = CertOpenSystemStore(0, store);
711 #endif /* UNICODE */
712 if (cs == NULL) {
713 wpa_printf(MSG_DEBUG, "%s: failed to open system cert store "
714 "'%s': error=%d", __func__, store,
715 (int) GetLastError());
716 return -1;
717 }
718
719 while ((ctx = CertEnumCertificatesInStore(cs, ctx))) {
720 cert = d2i_X509(NULL,
721 (const unsigned char **) &ctx->pbCertEncoded,
722 ctx->cbCertEncoded);
723 if (cert == NULL) {
724 wpa_printf(MSG_INFO, "CryptoAPI: Could not process "
725 "X509 DER encoding for CA cert");
726 continue;
727 }
728
729 X509_NAME_oneline(X509_get_subject_name(cert), buf,
730 sizeof(buf));
731 wpa_printf(MSG_DEBUG, "OpenSSL: Loaded CA certificate for "
732 "system certificate store: subject='%s'", buf);
733
734 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
735 cert)) {
736 tls_show_errors(MSG_WARNING, __func__,
737 "Failed to add ca_cert to OpenSSL "
738 "certificate store");
739 }
740
741 X509_free(cert);
742 }
743
744 if (!CertCloseStore(cs, 0)) {
745 wpa_printf(MSG_DEBUG, "%s: failed to close system cert store "
746 "'%s': error=%d", __func__, name + 13,
747 (int) GetLastError());
748 }
749
750 return 0;
751 }
752
753
754 #else /* CONFIG_NATIVE_WINDOWS */
755
tls_cryptoapi_cert(SSL * ssl,const char * name)756 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
757 {
758 return -1;
759 }
760
761 #endif /* CONFIG_NATIVE_WINDOWS */
762
763
ssl_info_cb(const SSL * ssl,int where,int ret)764 static void ssl_info_cb(const SSL *ssl, int where, int ret)
765 {
766 const char *str;
767 int w;
768
769 wpa_printf(MSG_DEBUG, "SSL: (where=0x%x ret=0x%x)", where, ret);
770 w = where & ~SSL_ST_MASK;
771 if (w & SSL_ST_CONNECT)
772 str = "SSL_connect";
773 else if (w & SSL_ST_ACCEPT)
774 str = "SSL_accept";
775 else
776 str = "undefined";
777
778 if (where & SSL_CB_LOOP) {
779 wpa_printf(MSG_DEBUG, "SSL: %s:%s",
780 str, SSL_state_string_long(ssl));
781 } else if (where & SSL_CB_ALERT) {
782 struct tls_connection *conn = SSL_get_app_data((SSL *) ssl);
783 wpa_printf(MSG_INFO, "SSL: SSL3 alert: %s:%s:%s",
784 where & SSL_CB_READ ?
785 "read (remote end reported an error)" :
786 "write (local SSL3 detected an error)",
787 SSL_alert_type_string_long(ret),
788 SSL_alert_desc_string_long(ret));
789 if ((ret >> 8) == SSL3_AL_FATAL) {
790 if (where & SSL_CB_READ)
791 conn->read_alerts++;
792 else
793 conn->write_alerts++;
794 }
795 if (conn->context->event_cb != NULL) {
796 union tls_event_data ev;
797 struct tls_context *context = conn->context;
798 os_memset(&ev, 0, sizeof(ev));
799 ev.alert.is_local = !(where & SSL_CB_READ);
800 ev.alert.type = SSL_alert_type_string_long(ret);
801 ev.alert.description = SSL_alert_desc_string_long(ret);
802 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
803 }
804 } else if (where & SSL_CB_EXIT && ret <= 0) {
805 wpa_printf(MSG_DEBUG, "SSL: %s:%s in %s",
806 str, ret == 0 ? "failed" : "error",
807 SSL_state_string_long(ssl));
808 }
809 }
810
811
812 #ifndef OPENSSL_NO_ENGINE
813 /**
814 * tls_engine_load_dynamic_generic - load any openssl engine
815 * @pre: an array of commands and values that load an engine initialized
816 * in the engine specific function
817 * @post: an array of commands and values that initialize an already loaded
818 * engine (or %NULL if not required)
819 * @id: the engine id of the engine to load (only required if post is not %NULL
820 *
821 * This function is a generic function that loads any openssl engine.
822 *
823 * Returns: 0 on success, -1 on failure
824 */
tls_engine_load_dynamic_generic(const char * pre[],const char * post[],const char * id)825 static int tls_engine_load_dynamic_generic(const char *pre[],
826 const char *post[], const char *id)
827 {
828 ENGINE *engine;
829 const char *dynamic_id = "dynamic";
830
831 engine = ENGINE_by_id(id);
832 if (engine) {
833 wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
834 "available", id);
835 /*
836 * If it was auto-loaded by ENGINE_by_id() we might still
837 * need to tell it which PKCS#11 module to use in legacy
838 * (non-p11-kit) environments. Do so now; even if it was
839 * properly initialised before, setting it again will be
840 * harmless.
841 */
842 goto found;
843 }
844 ERR_clear_error();
845
846 engine = ENGINE_by_id(dynamic_id);
847 if (engine == NULL) {
848 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
849 dynamic_id,
850 ERR_error_string(ERR_get_error(), NULL));
851 return -1;
852 }
853
854 /* Perform the pre commands. This will load the engine. */
855 while (pre && pre[0]) {
856 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", pre[0], pre[1]);
857 if (ENGINE_ctrl_cmd_string(engine, pre[0], pre[1], 0) == 0) {
858 wpa_printf(MSG_INFO, "ENGINE: ctrl cmd_string failed: "
859 "%s %s [%s]", pre[0], pre[1],
860 ERR_error_string(ERR_get_error(), NULL));
861 ENGINE_free(engine);
862 return -1;
863 }
864 pre += 2;
865 }
866
867 /*
868 * Free the reference to the "dynamic" engine. The loaded engine can
869 * now be looked up using ENGINE_by_id().
870 */
871 ENGINE_free(engine);
872
873 engine = ENGINE_by_id(id);
874 if (engine == NULL) {
875 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
876 id, ERR_error_string(ERR_get_error(), NULL));
877 return -1;
878 }
879 found:
880 while (post && post[0]) {
881 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]);
882 if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) {
883 wpa_printf(MSG_DEBUG, "ENGINE: ctrl cmd_string failed:"
884 " %s %s [%s]", post[0], post[1],
885 ERR_error_string(ERR_get_error(), NULL));
886 ENGINE_remove(engine);
887 ENGINE_free(engine);
888 return -1;
889 }
890 post += 2;
891 }
892 ENGINE_free(engine);
893
894 return 0;
895 }
896
897
898 /**
899 * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
900 * @pkcs11_so_path: pksc11_so_path from the configuration
901 * @pcks11_module_path: pkcs11_module_path from the configuration
902 */
tls_engine_load_dynamic_pkcs11(const char * pkcs11_so_path,const char * pkcs11_module_path)903 static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
904 const char *pkcs11_module_path)
905 {
906 char *engine_id = "pkcs11";
907 const char *pre_cmd[] = {
908 "SO_PATH", NULL /* pkcs11_so_path */,
909 "ID", NULL /* engine_id */,
910 "LIST_ADD", "1",
911 /* "NO_VCHECK", "1", */
912 "LOAD", NULL,
913 NULL, NULL
914 };
915 const char *post_cmd[] = {
916 "MODULE_PATH", NULL /* pkcs11_module_path */,
917 NULL, NULL
918 };
919
920 if (!pkcs11_so_path)
921 return 0;
922
923 pre_cmd[1] = pkcs11_so_path;
924 pre_cmd[3] = engine_id;
925 if (pkcs11_module_path)
926 post_cmd[1] = pkcs11_module_path;
927 else
928 post_cmd[0] = NULL;
929
930 wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
931 pkcs11_so_path);
932
933 return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id);
934 }
935
936
937 /**
938 * tls_engine_load_dynamic_opensc - load the opensc engine provided by opensc
939 * @opensc_so_path: opensc_so_path from the configuration
940 */
tls_engine_load_dynamic_opensc(const char * opensc_so_path)941 static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
942 {
943 char *engine_id = "opensc";
944 const char *pre_cmd[] = {
945 "SO_PATH", NULL /* opensc_so_path */,
946 "ID", NULL /* engine_id */,
947 "LIST_ADD", "1",
948 "LOAD", NULL,
949 NULL, NULL
950 };
951
952 if (!opensc_so_path)
953 return 0;
954
955 pre_cmd[1] = opensc_so_path;
956 pre_cmd[3] = engine_id;
957
958 wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s",
959 opensc_so_path);
960
961 return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id);
962 }
963 #endif /* OPENSSL_NO_ENGINE */
964
965
get_session_data(struct tls_context * context,const struct wpabuf * buf)966 static struct tls_session_data * get_session_data(struct tls_context *context,
967 const struct wpabuf *buf)
968 {
969 struct tls_session_data *data;
970
971 dl_list_for_each(data, &context->sessions, struct tls_session_data,
972 list) {
973 if (data->buf == buf)
974 return data;
975 }
976
977 return NULL;
978 }
979
980
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)981 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
982 {
983 struct wpabuf *buf;
984 struct tls_context *context;
985 struct tls_session_data *found;
986
987 wpa_printf(MSG_DEBUG,
988 "OpenSSL: Remove session %p (tls_ex_idx_session=%d)", sess,
989 tls_ex_idx_session);
990
991 if (tls_ex_idx_session < 0)
992 return;
993 buf = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
994 if (!buf)
995 return;
996
997 context = SSL_CTX_get_app_data(ctx);
998 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, NULL);
999 found = get_session_data(context, buf);
1000 if (!found) {
1001 wpa_printf(MSG_DEBUG,
1002 "OpenSSL: Do not free application session data %p (sess %p)",
1003 buf, sess);
1004 return;
1005 }
1006
1007 dl_list_del(&found->list);
1008 os_free(found);
1009 wpa_printf(MSG_DEBUG,
1010 "OpenSSL: Free application session data %p (sess %p)",
1011 buf, sess);
1012 wpabuf_free(buf);
1013 }
1014
1015
tls_init(const struct tls_config * conf)1016 void * tls_init(const struct tls_config *conf)
1017 {
1018 struct tls_data *data;
1019 SSL_CTX *ssl;
1020 struct tls_context *context;
1021 const char *ciphers;
1022
1023 if (tls_openssl_ref_count == 0) {
1024 void openssl_load_legacy_provider(void);
1025
1026 openssl_load_legacy_provider();
1027
1028 tls_global = context = tls_context_new(conf);
1029 if (context == NULL)
1030 return NULL;
1031 #ifdef CONFIG_FIPS
1032 #ifdef OPENSSL_FIPS
1033 if (conf && conf->fips_mode) {
1034 static int fips_enabled = 0;
1035
1036 if (!fips_enabled && !FIPS_mode_set(1)) {
1037 wpa_printf(MSG_ERROR, "Failed to enable FIPS "
1038 "mode");
1039 ERR_load_crypto_strings();
1040 ERR_print_errors_fp(stderr);
1041 os_free(tls_global);
1042 tls_global = NULL;
1043 return NULL;
1044 } else {
1045 wpa_printf(MSG_INFO, "Running in FIPS mode");
1046 fips_enabled = 1;
1047 }
1048 }
1049 #else /* OPENSSL_FIPS */
1050 if (conf && conf->fips_mode) {
1051 wpa_printf(MSG_ERROR, "FIPS mode requested, but not "
1052 "supported");
1053 os_free(tls_global);
1054 tls_global = NULL;
1055 return NULL;
1056 }
1057 #endif /* OPENSSL_FIPS */
1058 #endif /* CONFIG_FIPS */
1059 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1060 SSL_load_error_strings();
1061 SSL_library_init();
1062 #ifndef OPENSSL_NO_SHA256
1063 EVP_add_digest(EVP_sha256());
1064 #endif /* OPENSSL_NO_SHA256 */
1065 /* TODO: if /dev/urandom is available, PRNG is seeded
1066 * automatically. If this is not the case, random data should
1067 * be added here. */
1068
1069 #ifdef PKCS12_FUNCS
1070 #ifndef OPENSSL_NO_RC2
1071 /*
1072 * 40-bit RC2 is commonly used in PKCS#12 files, so enable it.
1073 * This is enabled by PKCS12_PBE_add() in OpenSSL 0.9.8
1074 * versions, but it looks like OpenSSL 1.0.0 does not do that
1075 * anymore.
1076 */
1077 EVP_add_cipher(EVP_rc2_40_cbc());
1078 #endif /* OPENSSL_NO_RC2 */
1079 PKCS12_PBE_add();
1080 #endif /* PKCS12_FUNCS */
1081 #endif /* < 1.1.0 */
1082 } else {
1083 context = tls_context_new(conf);
1084 if (context == NULL)
1085 return NULL;
1086 }
1087 tls_openssl_ref_count++;
1088
1089 data = os_zalloc(sizeof(*data));
1090 if (data)
1091 ssl = SSL_CTX_new(SSLv23_method());
1092 else
1093 ssl = NULL;
1094 if (ssl == NULL) {
1095 tls_openssl_ref_count--;
1096 if (context != tls_global)
1097 os_free(context);
1098 if (tls_openssl_ref_count == 0) {
1099 os_free(tls_global);
1100 tls_global = NULL;
1101 }
1102 os_free(data);
1103 return NULL;
1104 }
1105 data->ssl = ssl;
1106 if (conf) {
1107 data->tls_session_lifetime = conf->tls_session_lifetime;
1108 data->crl_reload_interval = conf->crl_reload_interval;
1109 }
1110
1111 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
1112 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
1113
1114 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1115
1116 #ifdef SSL_MODE_NO_AUTO_CHAIN
1117 /* Number of deployed use cases assume the default OpenSSL behavior of
1118 * auto chaining the local certificate is in use. BoringSSL removed this
1119 * functionality by default, so we need to restore it here to avoid
1120 * breaking existing use cases. */
1121 SSL_CTX_clear_mode(ssl, SSL_MODE_NO_AUTO_CHAIN);
1122 #endif /* SSL_MODE_NO_AUTO_CHAIN */
1123
1124 SSL_CTX_set_info_callback(ssl, ssl_info_cb);
1125 SSL_CTX_set_app_data(ssl, context);
1126 if (data->tls_session_lifetime > 0) {
1127 SSL_CTX_set_quiet_shutdown(ssl, 1);
1128 /*
1129 * Set default context here. In practice, this will be replaced
1130 * by the per-EAP method context in tls_connection_set_verify().
1131 */
1132 SSL_CTX_set_session_id_context(ssl, (u8 *) "hostapd", 7);
1133 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_SERVER);
1134 SSL_CTX_set_timeout(ssl, data->tls_session_lifetime);
1135 SSL_CTX_sess_set_remove_cb(ssl, remove_session_cb);
1136 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && \
1137 !defined(LIBRESSL_VERSION_NUMBER) && \
1138 !defined(OPENSSL_IS_BORINGSSL)
1139 /* One session ticket is sufficient for EAP-TLS */
1140 SSL_CTX_set_num_tickets(ssl, 1);
1141 #endif
1142 } else {
1143 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_OFF);
1144 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && \
1145 !defined(LIBRESSL_VERSION_NUMBER) && \
1146 !defined(OPENSSL_IS_BORINGSSL)
1147 SSL_CTX_set_num_tickets(ssl, 0);
1148 #endif
1149 }
1150
1151 if (tls_ex_idx_session < 0) {
1152 tls_ex_idx_session = SSL_SESSION_get_ex_new_index(
1153 0, NULL, NULL, NULL, NULL);
1154 if (tls_ex_idx_session < 0) {
1155 tls_deinit(data);
1156 return NULL;
1157 }
1158 }
1159
1160 #ifndef OPENSSL_NO_ENGINE
1161 wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines");
1162 ENGINE_load_builtin_engines();
1163
1164 if (conf &&
1165 (conf->opensc_engine_path || conf->pkcs11_engine_path ||
1166 conf->pkcs11_module_path)) {
1167 if (tls_engine_load_dynamic_opensc(conf->opensc_engine_path) ||
1168 tls_engine_load_dynamic_pkcs11(conf->pkcs11_engine_path,
1169 conf->pkcs11_module_path)) {
1170 tls_deinit(data);
1171 return NULL;
1172 }
1173 }
1174 #endif /* OPENSSL_NO_ENGINE */
1175
1176 if (conf && conf->openssl_ciphers)
1177 ciphers = conf->openssl_ciphers;
1178 else
1179 ciphers = TLS_DEFAULT_CIPHERS;
1180 if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
1181 wpa_printf(MSG_ERROR,
1182 "OpenSSL: Failed to set cipher string '%s'",
1183 ciphers);
1184 tls_deinit(data);
1185 return NULL;
1186 }
1187
1188 return data;
1189 }
1190
1191
tls_deinit(void * ssl_ctx)1192 void tls_deinit(void *ssl_ctx)
1193 {
1194 struct tls_data *data = ssl_ctx;
1195 SSL_CTX *ssl = data->ssl;
1196 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1197 struct tls_session_data *sess_data;
1198
1199 if (data->tls_session_lifetime > 0) {
1200 wpa_printf(MSG_DEBUG, "OpenSSL: Flush sessions");
1201 SSL_CTX_flush_sessions(ssl, 0);
1202 wpa_printf(MSG_DEBUG, "OpenSSL: Flush sessions - done");
1203 }
1204 while ((sess_data = dl_list_first(&context->sessions,
1205 struct tls_session_data, list))) {
1206 wpa_printf(MSG_DEBUG,
1207 "OpenSSL: Freeing not-flushed session data %p",
1208 sess_data->buf);
1209 wpabuf_free(sess_data->buf);
1210 dl_list_del(&sess_data->list);
1211 os_free(sess_data);
1212 }
1213 if (context != tls_global)
1214 os_free(context);
1215 os_free(data->ca_cert);
1216 SSL_CTX_free(ssl);
1217
1218 tls_openssl_ref_count--;
1219 if (tls_openssl_ref_count == 0) {
1220 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1221 #ifndef OPENSSL_NO_ENGINE
1222 ENGINE_cleanup();
1223 #endif /* OPENSSL_NO_ENGINE */
1224 CRYPTO_cleanup_all_ex_data();
1225 ERR_remove_thread_state(NULL);
1226 ERR_free_strings();
1227 EVP_cleanup();
1228 #endif /* < 1.1.0 */
1229 os_free(tls_global->ocsp_stapling_response);
1230 tls_global->ocsp_stapling_response = NULL;
1231 os_free(tls_global);
1232 tls_global = NULL;
1233 }
1234
1235 os_free(data->check_cert_subject);
1236 os_free(data);
1237 }
1238
1239
1240 #ifndef OPENSSL_NO_ENGINE
1241
1242 /* Cryptoki return values */
1243 #define CKR_PIN_INCORRECT 0x000000a0
1244 #define CKR_PIN_INVALID 0x000000a1
1245 #define CKR_PIN_LEN_RANGE 0x000000a2
1246
1247 /* libp11 */
1248 #define ERR_LIB_PKCS11 ERR_LIB_USER
1249
tls_is_pin_error(unsigned int err)1250 static int tls_is_pin_error(unsigned int err)
1251 {
1252 return ERR_GET_LIB(err) == ERR_LIB_PKCS11 &&
1253 (ERR_GET_REASON(err) == CKR_PIN_INCORRECT ||
1254 ERR_GET_REASON(err) == CKR_PIN_INVALID ||
1255 ERR_GET_REASON(err) == CKR_PIN_LEN_RANGE);
1256 }
1257
1258 #endif /* OPENSSL_NO_ENGINE */
1259
1260
1261 #ifdef ANDROID
1262 /* EVP_PKEY_from_keystore comes from system/security/keystore-engine. */
1263 EVP_PKEY * EVP_PKEY_from_keystore(const char *key_id);
1264 #endif /* ANDROID */
1265
tls_engine_init(struct tls_connection * conn,const char * engine_id,const char * pin,const char * key_id,const char * cert_id,const char * ca_cert_id)1266 static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
1267 const char *pin, const char *key_id,
1268 const char *cert_id, const char *ca_cert_id)
1269 {
1270 #if defined(ANDROID) && defined(OPENSSL_IS_BORINGSSL)
1271 #if !defined(OPENSSL_NO_ENGINE)
1272 #error "This code depends on OPENSSL_NO_ENGINE being defined by BoringSSL."
1273 #endif
1274 if (!key_id)
1275 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1276 conn->engine = NULL;
1277 conn->private_key = EVP_PKEY_from_keystore(key_id);
1278 if (!conn->private_key) {
1279 wpa_printf(MSG_ERROR,
1280 "ENGINE: cannot load private key with id '%s' [%s]",
1281 key_id,
1282 ERR_error_string(ERR_get_error(), NULL));
1283 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1284 }
1285 #endif /* ANDROID && OPENSSL_IS_BORINGSSL */
1286
1287 #ifndef OPENSSL_NO_ENGINE
1288 int ret = -1;
1289 if (engine_id == NULL) {
1290 wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
1291 return -1;
1292 }
1293
1294 ERR_clear_error();
1295 #ifdef ANDROID
1296 ENGINE_load_dynamic();
1297 #endif
1298 conn->engine = ENGINE_by_id(engine_id);
1299 if (!conn->engine) {
1300 wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
1301 engine_id, ERR_error_string(ERR_get_error(), NULL));
1302 goto err;
1303 }
1304 if (ENGINE_init(conn->engine) != 1) {
1305 wpa_printf(MSG_ERROR, "ENGINE: engine init failed "
1306 "(engine: %s) [%s]", engine_id,
1307 ERR_error_string(ERR_get_error(), NULL));
1308 goto err;
1309 }
1310 wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
1311
1312 #ifndef ANDROID
1313 if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
1314 wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
1315 ERR_error_string(ERR_get_error(), NULL));
1316 goto err;
1317 }
1318 #endif
1319 if (key_id) {
1320 /*
1321 * Ensure that the ENGINE does not attempt to use the OpenSSL
1322 * UI system to obtain a PIN, if we didn't provide one.
1323 */
1324 struct {
1325 const void *password;
1326 const char *prompt_info;
1327 } key_cb = { "", NULL };
1328
1329 /* load private key first in-case PIN is required for cert */
1330 conn->private_key = ENGINE_load_private_key(conn->engine,
1331 key_id, NULL,
1332 &key_cb);
1333 if (!conn->private_key) {
1334 unsigned long err = ERR_get_error();
1335
1336 wpa_printf(MSG_ERROR,
1337 "ENGINE: cannot load private key with id '%s' [%s]",
1338 key_id,
1339 ERR_error_string(err, NULL));
1340 if (tls_is_pin_error(err))
1341 ret = TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
1342 else
1343 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1344 goto err;
1345 }
1346 }
1347
1348 /* handle a certificate and/or CA certificate */
1349 if (cert_id || ca_cert_id) {
1350 const char *cmd_name = "LOAD_CERT_CTRL";
1351
1352 /* test if the engine supports a LOAD_CERT_CTRL */
1353 if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
1354 0, (void *)cmd_name, NULL)) {
1355 wpa_printf(MSG_ERROR, "ENGINE: engine does not support"
1356 " loading certificates");
1357 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1358 goto err;
1359 }
1360 }
1361
1362 return 0;
1363
1364 err:
1365 if (conn->engine) {
1366 ENGINE_free(conn->engine);
1367 conn->engine = NULL;
1368 }
1369
1370 if (conn->private_key) {
1371 EVP_PKEY_free(conn->private_key);
1372 conn->private_key = NULL;
1373 }
1374
1375 return ret;
1376 #else /* OPENSSL_NO_ENGINE */
1377 return 0;
1378 #endif /* OPENSSL_NO_ENGINE */
1379 }
1380
1381
tls_engine_deinit(struct tls_connection * conn)1382 static void tls_engine_deinit(struct tls_connection *conn)
1383 {
1384 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
1385 wpa_printf(MSG_DEBUG, "ENGINE: engine deinit");
1386 if (conn->private_key) {
1387 EVP_PKEY_free(conn->private_key);
1388 conn->private_key = NULL;
1389 }
1390 if (conn->engine) {
1391 #if !defined(OPENSSL_IS_BORINGSSL)
1392 ENGINE_finish(conn->engine);
1393 #endif /* !OPENSSL_IS_BORINGSSL */
1394 conn->engine = NULL;
1395 }
1396 #endif /* ANDROID || !OPENSSL_NO_ENGINE */
1397 }
1398
1399
tls_get_errors(void * ssl_ctx)1400 int tls_get_errors(void *ssl_ctx)
1401 {
1402 int count = 0;
1403 unsigned long err;
1404
1405 while ((err = ERR_get_error())) {
1406 wpa_printf(MSG_INFO, "TLS - SSL error: %s",
1407 ERR_error_string(err, NULL));
1408 count++;
1409 }
1410
1411 return count;
1412 }
1413
1414
openssl_content_type(int content_type)1415 static const char * openssl_content_type(int content_type)
1416 {
1417 switch (content_type) {
1418 case 20:
1419 return "change cipher spec";
1420 case 21:
1421 return "alert";
1422 case 22:
1423 return "handshake";
1424 case 23:
1425 return "application data";
1426 case 24:
1427 return "heartbeat";
1428 case 256:
1429 return "TLS header info"; /* pseudo content type */
1430 case 257:
1431 return "inner content type"; /* pseudo content type */
1432 default:
1433 return "?";
1434 }
1435 }
1436
1437
openssl_handshake_type(int content_type,const u8 * buf,size_t len)1438 static const char * openssl_handshake_type(int content_type, const u8 *buf,
1439 size_t len)
1440 {
1441 if (content_type == 257 && buf && len == 1)
1442 return openssl_content_type(buf[0]);
1443 if (content_type != 22 || !buf || len == 0)
1444 return "";
1445 switch (buf[0]) {
1446 case 0:
1447 return "hello request";
1448 case 1:
1449 return "client hello";
1450 case 2:
1451 return "server hello";
1452 case 3:
1453 return "hello verify request";
1454 case 4:
1455 return "new session ticket";
1456 case 5:
1457 return "end of early data";
1458 case 6:
1459 return "hello retry request";
1460 case 8:
1461 return "encrypted extensions";
1462 case 11:
1463 return "certificate";
1464 case 12:
1465 return "server key exchange";
1466 case 13:
1467 return "certificate request";
1468 case 14:
1469 return "server hello done";
1470 case 15:
1471 return "certificate verify";
1472 case 16:
1473 return "client key exchange";
1474 case 20:
1475 return "finished";
1476 case 21:
1477 return "certificate url";
1478 case 22:
1479 return "certificate status";
1480 case 23:
1481 return "supplemental data";
1482 case 24:
1483 return "key update";
1484 case 254:
1485 return "message hash";
1486 default:
1487 return "?";
1488 }
1489 }
1490
1491
1492 #ifdef CONFIG_SUITEB
1493
check_server_hello(struct tls_connection * conn,const u8 * pos,const u8 * end)1494 static void check_server_hello(struct tls_connection *conn,
1495 const u8 *pos, const u8 *end)
1496 {
1497 size_t payload_len, id_len;
1498
1499 /*
1500 * Parse ServerHello to get the selected cipher suite since OpenSSL does
1501 * not make it cleanly available during handshake and we need to know
1502 * whether DHE was selected.
1503 */
1504
1505 if (end - pos < 3)
1506 return;
1507 payload_len = WPA_GET_BE24(pos);
1508 pos += 3;
1509
1510 if ((size_t) (end - pos) < payload_len)
1511 return;
1512 end = pos + payload_len;
1513
1514 /* Skip Version and Random */
1515 if (end - pos < 2 + SSL3_RANDOM_SIZE)
1516 return;
1517 pos += 2 + SSL3_RANDOM_SIZE;
1518
1519 /* Skip Session ID */
1520 if (end - pos < 1)
1521 return;
1522 id_len = *pos++;
1523 if ((size_t) (end - pos) < id_len)
1524 return;
1525 pos += id_len;
1526
1527 if (end - pos < 2)
1528 return;
1529 conn->cipher_suite = WPA_GET_BE16(pos);
1530 wpa_printf(MSG_DEBUG, "OpenSSL: Server selected cipher suite 0x%x",
1531 conn->cipher_suite);
1532 }
1533
1534
check_server_key_exchange(SSL * ssl,struct tls_connection * conn,const u8 * pos,const u8 * end)1535 static void check_server_key_exchange(SSL *ssl, struct tls_connection *conn,
1536 const u8 *pos, const u8 *end)
1537 {
1538 size_t payload_len;
1539 u16 dh_len;
1540 BIGNUM *p;
1541 int bits;
1542
1543 if (!(conn->flags & TLS_CONN_SUITEB))
1544 return;
1545
1546 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
1547 if (conn->cipher_suite != 0x9f)
1548 return;
1549
1550 if (end - pos < 3)
1551 return;
1552 payload_len = WPA_GET_BE24(pos);
1553 pos += 3;
1554
1555 if ((size_t) (end - pos) < payload_len)
1556 return;
1557 end = pos + payload_len;
1558
1559 if (end - pos < 2)
1560 return;
1561 dh_len = WPA_GET_BE16(pos);
1562 pos += 2;
1563
1564 if ((size_t) (end - pos) < dh_len)
1565 return;
1566 p = BN_bin2bn(pos, dh_len, NULL);
1567 if (!p)
1568 return;
1569
1570 bits = BN_num_bits(p);
1571 BN_free(p);
1572
1573 conn->server_dh_prime_len = bits;
1574 wpa_printf(MSG_DEBUG, "OpenSSL: Server DH prime length: %d bits",
1575 conn->server_dh_prime_len);
1576 }
1577
1578 #endif /* CONFIG_SUITEB */
1579
1580
tls_msg_cb(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg)1581 static void tls_msg_cb(int write_p, int version, int content_type,
1582 const void *buf, size_t len, SSL *ssl, void *arg)
1583 {
1584 struct tls_connection *conn = arg;
1585 const u8 *pos = buf;
1586
1587 if (write_p == 2) {
1588 wpa_printf(MSG_DEBUG,
1589 "OpenSSL: session ver=0x%x content_type=%d",
1590 version, content_type);
1591 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Data", buf, len);
1592 return;
1593 }
1594
1595 wpa_printf(MSG_DEBUG, "OpenSSL: %s ver=0x%x content_type=%d (%s/%s)",
1596 write_p ? "TX" : "RX", version, content_type,
1597 openssl_content_type(content_type),
1598 openssl_handshake_type(content_type, buf, len));
1599 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Message", buf, len);
1600 if (content_type == 24 && len >= 3 && pos[0] == 1) {
1601 size_t payload_len = WPA_GET_BE16(pos + 1);
1602 if (payload_len + 3 > len) {
1603 wpa_printf(MSG_ERROR, "OpenSSL: Heartbeat attack detected");
1604 conn->invalid_hb_used = 1;
1605 }
1606 }
1607
1608 #ifdef CONFIG_SUITEB
1609 /*
1610 * Need to parse these handshake messages to be able to check DH prime
1611 * length since OpenSSL does not expose the new cipher suite and DH
1612 * parameters during handshake (e.g., for cert_cb() callback).
1613 */
1614 if (content_type == 22 && pos && len > 0 && pos[0] == 2)
1615 check_server_hello(conn, pos + 1, pos + len);
1616 if (content_type == 22 && pos && len > 0 && pos[0] == 12)
1617 check_server_key_exchange(ssl, conn, pos + 1, pos + len);
1618 #endif /* CONFIG_SUITEB */
1619 }
1620
1621
1622 #ifdef CONFIG_TESTING_OPTIONS
1623 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
1624 /*
1625 * By setting the environment variable SSLKEYLOGFILE to a filename keying
1626 * material will be exported that you may use with Wireshark to decode any
1627 * TLS flows. Please see the following for more details:
1628 *
1629 * https://gitlab.com/wireshark/wireshark/-/wikis/TLS#tls-decryption
1630 *
1631 * Example logging sessions are (you should delete the file on each run):
1632 *
1633 * rm -f /tmp/sslkey.log
1634 * env SSLKEYLOGFILE=/tmp/sslkey.log hostapd ...
1635 *
1636 * rm -f /tmp/sslkey.log
1637 * env SSLKEYLOGFILE=/tmp/sslkey.log wpa_supplicant ...
1638 *
1639 * rm -f /tmp/sslkey.log
1640 * env SSLKEYLOGFILE=/tmp/sslkey.log eapol_test ...
1641 */
tls_keylog_cb(const SSL * ssl,const char * line)1642 static void tls_keylog_cb(const SSL *ssl, const char *line)
1643 {
1644 int fd;
1645 const char *filename;
1646 struct iovec iov[2];
1647
1648 filename = getenv("SSLKEYLOGFILE");
1649 if (!filename)
1650 return;
1651
1652 fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
1653 if (fd < 0) {
1654 wpa_printf(MSG_ERROR,
1655 "OpenSSL: Failed to open keylog file %s: %s",
1656 filename, strerror(errno));
1657 return;
1658 }
1659
1660 /* Assume less than _POSIX_PIPE_BUF (512) where writes are guaranteed
1661 * to be atomic for O_APPEND. */
1662 iov[0].iov_base = (void *) line;
1663 iov[0].iov_len = os_strlen(line);
1664 iov[1].iov_base = "\n";
1665 iov[1].iov_len = 1;
1666
1667 if (writev(fd, iov, ARRAY_SIZE(iov)) < 01) {
1668 wpa_printf(MSG_DEBUG,
1669 "OpenSSL: Failed to write to keylog file %s: %s",
1670 filename, strerror(errno));
1671 }
1672
1673 close(fd);
1674 }
1675 #endif
1676 #endif /* CONFIG_TESTING_OPTIONS */
1677
1678
tls_connection_init(void * ssl_ctx)1679 struct tls_connection * tls_connection_init(void *ssl_ctx)
1680 {
1681 struct tls_data *data = ssl_ctx;
1682 SSL_CTX *ssl = data->ssl;
1683 struct tls_connection *conn;
1684 long options;
1685 X509_STORE *new_cert_store;
1686 struct os_reltime now;
1687 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1688
1689 /* Replace X509 store if it is time to update CRL. */
1690 if (data->crl_reload_interval > 0 && os_get_reltime(&now) == 0 &&
1691 os_reltime_expired(&now, &data->crl_last_reload,
1692 data->crl_reload_interval)) {
1693 wpa_printf(MSG_INFO,
1694 "OpenSSL: Flushing X509 store with ca_cert file");
1695 new_cert_store = tls_crl_cert_reload(data->ca_cert,
1696 data->check_crl);
1697 if (!new_cert_store) {
1698 wpa_printf(MSG_ERROR,
1699 "OpenSSL: Error replacing X509 store with ca_cert file");
1700 } else {
1701 /* Replace old store */
1702 SSL_CTX_set_cert_store(ssl, new_cert_store);
1703 data->crl_last_reload = now;
1704 }
1705 }
1706
1707 conn = os_zalloc(sizeof(*conn));
1708 if (conn == NULL)
1709 return NULL;
1710 conn->data = data;
1711 conn->ssl_ctx = ssl;
1712 conn->ssl = SSL_new(ssl);
1713 if (conn->ssl == NULL) {
1714 tls_show_errors(MSG_INFO, __func__,
1715 "Failed to initialize new SSL connection");
1716 os_free(conn);
1717 return NULL;
1718 }
1719
1720 conn->context = context;
1721 SSL_set_app_data(conn->ssl, conn);
1722 SSL_set_msg_callback(conn->ssl, tls_msg_cb);
1723 SSL_set_msg_callback_arg(conn->ssl, conn);
1724 options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
1725 SSL_OP_SINGLE_DH_USE;
1726 #ifdef SSL_OP_NO_COMPRESSION
1727 options |= SSL_OP_NO_COMPRESSION;
1728 #endif /* SSL_OP_NO_COMPRESSION */
1729 SSL_set_options(conn->ssl, options);
1730 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
1731 /* Hopefully there is no need for middlebox compatibility mechanisms
1732 * when going through EAP authentication. */
1733 SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
1734 #endif
1735
1736 #ifdef CONFIG_TESTING_OPTIONS
1737 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
1738 /* Set the keylog file if the admin requested it. */
1739 if (getenv("SSLKEYLOGFILE"))
1740 SSL_CTX_set_keylog_callback(conn->ssl_ctx, tls_keylog_cb);
1741 #endif
1742 #endif /* CONFIG_TESTING_OPTIONS */
1743
1744 conn->ssl_in = BIO_new(BIO_s_mem());
1745 if (!conn->ssl_in) {
1746 tls_show_errors(MSG_INFO, __func__,
1747 "Failed to create a new BIO for ssl_in");
1748 SSL_free(conn->ssl);
1749 os_free(conn);
1750 return NULL;
1751 }
1752
1753 conn->ssl_out = BIO_new(BIO_s_mem());
1754 if (!conn->ssl_out) {
1755 tls_show_errors(MSG_INFO, __func__,
1756 "Failed to create a new BIO for ssl_out");
1757 SSL_free(conn->ssl);
1758 BIO_free(conn->ssl_in);
1759 os_free(conn);
1760 return NULL;
1761 }
1762
1763 SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out);
1764
1765 return conn;
1766 }
1767
1768
tls_connection_deinit(void * ssl_ctx,struct tls_connection * conn)1769 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
1770 {
1771 if (conn == NULL)
1772 return;
1773 if (conn->success_data) {
1774 /*
1775 * Make sure ssl_clear_bad_session() does not remove this
1776 * session.
1777 */
1778 SSL_set_quiet_shutdown(conn->ssl, 1);
1779 SSL_shutdown(conn->ssl);
1780 }
1781 SSL_free(conn->ssl);
1782 tls_engine_deinit(conn);
1783 os_free(conn->subject_match);
1784 os_free(conn->altsubject_match);
1785 os_free(conn->suffix_match);
1786 os_free(conn->domain_match);
1787 os_free(conn->check_cert_subject);
1788 os_free(conn->session_ticket);
1789 os_free(conn->peer_subject);
1790 os_free(conn);
1791 }
1792
1793
tls_connection_established(void * ssl_ctx,struct tls_connection * conn)1794 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
1795 {
1796 return conn ? SSL_is_init_finished(conn->ssl) : 0;
1797 }
1798
1799
tls_connection_peer_serial_num(void * tls_ctx,struct tls_connection * conn)1800 char * tls_connection_peer_serial_num(void *tls_ctx,
1801 struct tls_connection *conn)
1802 {
1803 ASN1_INTEGER *ser;
1804 char *serial_num;
1805 size_t len;
1806
1807 if (!conn->peer_cert)
1808 return NULL;
1809
1810 ser = X509_get_serialNumber(conn->peer_cert);
1811 if (!ser)
1812 return NULL;
1813
1814 len = ASN1_STRING_length(ser) * 2 + 1;
1815 serial_num = os_malloc(len);
1816 if (!serial_num)
1817 return NULL;
1818 wpa_snprintf_hex_uppercase(serial_num, len,
1819 ASN1_STRING_get0_data(ser),
1820 ASN1_STRING_length(ser));
1821 return serial_num;
1822 }
1823
1824
tls_connection_shutdown(void * ssl_ctx,struct tls_connection * conn)1825 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
1826 {
1827 if (conn == NULL)
1828 return -1;
1829
1830 /* Shutdown previous TLS connection without notifying the peer
1831 * because the connection was already terminated in practice
1832 * and "close notify" shutdown alert would confuse AS. */
1833 SSL_set_quiet_shutdown(conn->ssl, 1);
1834 SSL_shutdown(conn->ssl);
1835 return SSL_clear(conn->ssl) == 1 ? 0 : -1;
1836 }
1837
1838
tls_match_altsubject_component(X509 * cert,int type,const char * value,size_t len)1839 static int tls_match_altsubject_component(X509 *cert, int type,
1840 const char *value, size_t len)
1841 {
1842 GENERAL_NAME *gen;
1843 void *ext;
1844 int found = 0;
1845 stack_index_t i;
1846
1847 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
1848
1849 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
1850 gen = sk_GENERAL_NAME_value(ext, i);
1851 if (gen->type != type)
1852 continue;
1853 if (os_strlen((char *) gen->d.ia5->data) == len &&
1854 os_memcmp(value, gen->d.ia5->data, len) == 0)
1855 found++;
1856 }
1857
1858 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
1859
1860 return found;
1861 }
1862
1863
tls_match_altsubject(X509 * cert,const char * match)1864 static int tls_match_altsubject(X509 *cert, const char *match)
1865 {
1866 int type;
1867 const char *pos, *end;
1868 size_t len;
1869
1870 pos = match;
1871 do {
1872 if (os_strncmp(pos, "EMAIL:", 6) == 0) {
1873 type = GEN_EMAIL;
1874 pos += 6;
1875 } else if (os_strncmp(pos, "DNS:", 4) == 0) {
1876 type = GEN_DNS;
1877 pos += 4;
1878 } else if (os_strncmp(pos, "URI:", 4) == 0) {
1879 type = GEN_URI;
1880 pos += 4;
1881 } else {
1882 wpa_printf(MSG_INFO, "TLS: Invalid altSubjectName "
1883 "match '%s'", pos);
1884 return 0;
1885 }
1886 end = os_strchr(pos, ';');
1887 while (end) {
1888 if (os_strncmp(end + 1, "EMAIL:", 6) == 0 ||
1889 os_strncmp(end + 1, "DNS:", 4) == 0 ||
1890 os_strncmp(end + 1, "URI:", 4) == 0)
1891 break;
1892 end = os_strchr(end + 1, ';');
1893 }
1894 if (end)
1895 len = end - pos;
1896 else
1897 len = os_strlen(pos);
1898 if (tls_match_altsubject_component(cert, type, pos, len) > 0)
1899 return 1;
1900 pos = end + 1;
1901 } while (end);
1902
1903 return 0;
1904 }
1905
1906
1907 #ifndef CONFIG_NATIVE_WINDOWS
domain_suffix_match(const u8 * val,size_t len,const char * match,size_t match_len,int full)1908 static int domain_suffix_match(const u8 *val, size_t len, const char *match,
1909 size_t match_len, int full)
1910 {
1911 size_t i;
1912
1913 /* Check for embedded nuls that could mess up suffix matching */
1914 for (i = 0; i < len; i++) {
1915 if (val[i] == '\0') {
1916 wpa_printf(MSG_DEBUG, "TLS: Embedded null in a string - reject");
1917 return 0;
1918 }
1919 }
1920
1921 if (match_len > len || (full && match_len != len))
1922 return 0;
1923
1924 if (os_strncasecmp((const char *) val + len - match_len, match,
1925 match_len) != 0)
1926 return 0; /* no match */
1927
1928 if (match_len == len)
1929 return 1; /* exact match */
1930
1931 if (val[len - match_len - 1] == '.')
1932 return 1; /* full label match completes suffix match */
1933
1934 wpa_printf(MSG_DEBUG, "TLS: Reject due to incomplete label match");
1935 return 0;
1936 }
1937 #endif /* CONFIG_NATIVE_WINDOWS */
1938
1939
1940 struct tls_dn_field_order_cnt {
1941 u8 cn;
1942 u8 c;
1943 u8 l;
1944 u8 st;
1945 u8 o;
1946 u8 ou;
1947 u8 email;
1948 };
1949
1950
get_dn_field_index(const struct tls_dn_field_order_cnt * dn_cnt,int nid)1951 static int get_dn_field_index(const struct tls_dn_field_order_cnt *dn_cnt,
1952 int nid)
1953 {
1954 switch (nid) {
1955 case NID_commonName:
1956 return dn_cnt->cn;
1957 case NID_countryName:
1958 return dn_cnt->c;
1959 case NID_localityName:
1960 return dn_cnt->l;
1961 case NID_stateOrProvinceName:
1962 return dn_cnt->st;
1963 case NID_organizationName:
1964 return dn_cnt->o;
1965 case NID_organizationalUnitName:
1966 return dn_cnt->ou;
1967 case NID_pkcs9_emailAddress:
1968 return dn_cnt->email;
1969 default:
1970 wpa_printf(MSG_ERROR,
1971 "TLS: Unknown NID '%d' in check_cert_subject",
1972 nid);
1973 return -1;
1974 }
1975 }
1976
1977
1978 /**
1979 * match_dn_field - Match configuration DN field against Certificate DN field
1980 * @cert: Certificate
1981 * @nid: NID of DN field
1982 * @field: Field name
1983 * @value DN field value which is passed from configuration
1984 * e.g., if configuration have C=US and this argument will point to US.
1985 * @dn_cnt: DN matching context
1986 * Returns: 1 on success and 0 on failure
1987 */
match_dn_field(const X509 * cert,int nid,const char * field,const char * value,const struct tls_dn_field_order_cnt * dn_cnt)1988 static int match_dn_field(const X509 *cert, int nid, const char *field,
1989 const char *value,
1990 const struct tls_dn_field_order_cnt *dn_cnt)
1991 {
1992 int i, ret = 0, len, config_dn_field_index, match_index = 0;
1993 X509_NAME *name;
1994
1995 len = os_strlen(value);
1996 name = X509_get_subject_name((X509 *) cert);
1997
1998 /* Assign incremented cnt for every field of DN to check DN field in
1999 * right order */
2000 config_dn_field_index = get_dn_field_index(dn_cnt, nid);
2001 if (config_dn_field_index < 0)
2002 return 0;
2003
2004 /* Fetch value based on NID */
2005 for (i = -1; (i = X509_NAME_get_index_by_NID(name, nid, i)) > -1;) {
2006 X509_NAME_ENTRY *e;
2007 ASN1_STRING *cn;
2008
2009 e = X509_NAME_get_entry(name, i);
2010 if (!e)
2011 continue;
2012
2013 cn = X509_NAME_ENTRY_get_data(e);
2014 if (!cn)
2015 continue;
2016
2017 match_index++;
2018
2019 /* check for more than one DN field with same name */
2020 if (match_index != config_dn_field_index)
2021 continue;
2022
2023 /* Check wildcard at the right end side */
2024 /* E.g., if OU=develop* mentioned in configuration, allow 'OU'
2025 * of the subject in the client certificate to start with
2026 * 'develop' */
2027 if (len > 0 && value[len - 1] == '*') {
2028 /* Compare actual certificate DN field value with
2029 * configuration DN field value up to the specified
2030 * length. */
2031 ret = ASN1_STRING_length(cn) >= len - 1 &&
2032 os_memcmp(ASN1_STRING_get0_data(cn), value,
2033 len - 1) == 0;
2034 } else {
2035 /* Compare actual certificate DN field value with
2036 * configuration DN field value */
2037 ret = ASN1_STRING_length(cn) == len &&
2038 os_memcmp(ASN1_STRING_get0_data(cn), value,
2039 len) == 0;
2040 }
2041 if (!ret) {
2042 wpa_printf(MSG_ERROR,
2043 "OpenSSL: Failed to match %s '%s' with certificate DN field value '%s'",
2044 field, value, ASN1_STRING_get0_data(cn));
2045 }
2046 break;
2047 }
2048
2049 return ret;
2050 }
2051
2052
2053 /**
2054 * get_value_from_field - Get value from DN field
2055 * @cert: Certificate
2056 * @field_str: DN field string which is passed from configuration file (e.g.,
2057 * C=US)
2058 * @dn_cnt: DN matching context
2059 * Returns: 1 on success and 0 on failure
2060 */
get_value_from_field(const X509 * cert,char * field_str,struct tls_dn_field_order_cnt * dn_cnt)2061 static int get_value_from_field(const X509 *cert, char *field_str,
2062 struct tls_dn_field_order_cnt *dn_cnt)
2063 {
2064 int nid;
2065 char *context = NULL, *name, *value;
2066
2067 if (os_strcmp(field_str, "*") == 0)
2068 return 1; /* wildcard matches everything */
2069
2070 name = str_token(field_str, "=", &context);
2071 if (!name)
2072 return 0;
2073
2074 /* Compare all configured DN fields and assign nid based on that to
2075 * fetch correct value from certificate subject */
2076 if (os_strcmp(name, "CN") == 0) {
2077 nid = NID_commonName;
2078 dn_cnt->cn++;
2079 } else if(os_strcmp(name, "C") == 0) {
2080 nid = NID_countryName;
2081 dn_cnt->c++;
2082 } else if (os_strcmp(name, "L") == 0) {
2083 nid = NID_localityName;
2084 dn_cnt->l++;
2085 } else if (os_strcmp(name, "ST") == 0) {
2086 nid = NID_stateOrProvinceName;
2087 dn_cnt->st++;
2088 } else if (os_strcmp(name, "O") == 0) {
2089 nid = NID_organizationName;
2090 dn_cnt->o++;
2091 } else if (os_strcmp(name, "OU") == 0) {
2092 nid = NID_organizationalUnitName;
2093 dn_cnt->ou++;
2094 } else if (os_strcmp(name, "emailAddress") == 0) {
2095 nid = NID_pkcs9_emailAddress;
2096 dn_cnt->email++;
2097 } else {
2098 wpa_printf(MSG_ERROR,
2099 "TLS: Unknown field '%s' in check_cert_subject", name);
2100 return 0;
2101 }
2102
2103 value = str_token(field_str, "=", &context);
2104 if (!value) {
2105 wpa_printf(MSG_ERROR,
2106 "TLS: Distinguished Name field '%s' value is not defined in check_cert_subject",
2107 name);
2108 return 0;
2109 }
2110
2111 return match_dn_field(cert, nid, name, value, dn_cnt);
2112 }
2113
2114
2115 /**
2116 * tls_match_dn_field - Match subject DN field with check_cert_subject
2117 * @cert: Certificate
2118 * @match: check_cert_subject string
2119 * Returns: Return 1 on success and 0 on failure
2120 */
tls_match_dn_field(X509 * cert,const char * match)2121 static int tls_match_dn_field(X509 *cert, const char *match)
2122 {
2123 const char *token, *last = NULL;
2124 char field[256];
2125 struct tls_dn_field_order_cnt dn_cnt;
2126
2127 os_memset(&dn_cnt, 0, sizeof(dn_cnt));
2128
2129 /* Maximum length of each DN field is 255 characters */
2130
2131 /* Process each '/' delimited field */
2132 while ((token = cstr_token(match, "/", &last))) {
2133 if (last - token >= (int) sizeof(field)) {
2134 wpa_printf(MSG_ERROR,
2135 "OpenSSL: Too long DN matching field value in '%s'",
2136 match);
2137 return 0;
2138 }
2139 os_memcpy(field, token, last - token);
2140 field[last - token] = '\0';
2141
2142 if (!get_value_from_field(cert, field, &dn_cnt)) {
2143 wpa_printf(MSG_DEBUG, "OpenSSL: No match for DN '%s'",
2144 field);
2145 return 0;
2146 }
2147 }
2148
2149 return 1;
2150 }
2151
2152
2153 #ifndef CONFIG_NATIVE_WINDOWS
tls_match_suffix_helper(X509 * cert,const char * match,size_t match_len,int full)2154 static int tls_match_suffix_helper(X509 *cert, const char *match,
2155 size_t match_len, int full)
2156 {
2157 GENERAL_NAME *gen;
2158 void *ext;
2159 int i;
2160 stack_index_t j;
2161 int dns_name = 0;
2162 X509_NAME *name;
2163
2164 wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s",
2165 full ? "": "suffix ", match);
2166
2167 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
2168
2169 for (j = 0; ext && j < sk_GENERAL_NAME_num(ext); j++) {
2170 gen = sk_GENERAL_NAME_value(ext, j);
2171 if (gen->type != GEN_DNS)
2172 continue;
2173 dns_name++;
2174 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
2175 gen->d.dNSName->data,
2176 gen->d.dNSName->length);
2177 if (domain_suffix_match(gen->d.dNSName->data,
2178 gen->d.dNSName->length,
2179 match, match_len, full) == 1) {
2180 wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
2181 full ? "Match" : "Suffix match");
2182 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2183 return 1;
2184 }
2185 }
2186 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2187
2188 if (dns_name) {
2189 wpa_printf(MSG_DEBUG, "TLS: None of the dNSName(s) matched");
2190 return 0;
2191 }
2192
2193 name = X509_get_subject_name(cert);
2194 i = -1;
2195 for (;;) {
2196 X509_NAME_ENTRY *e;
2197 ASN1_STRING *cn;
2198
2199 i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
2200 if (i == -1)
2201 break;
2202 e = X509_NAME_get_entry(name, i);
2203 if (e == NULL)
2204 continue;
2205 cn = X509_NAME_ENTRY_get_data(e);
2206 if (cn == NULL)
2207 continue;
2208 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
2209 cn->data, cn->length);
2210 if (domain_suffix_match(cn->data, cn->length,
2211 match, match_len, full) == 1) {
2212 wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
2213 full ? "Match" : "Suffix match");
2214 return 1;
2215 }
2216 }
2217
2218 wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found",
2219 full ? "": "suffix ");
2220 return 0;
2221 }
2222 #endif /* CONFIG_NATIVE_WINDOWS */
2223
2224
tls_match_suffix(X509 * cert,const char * match,int full)2225 static int tls_match_suffix(X509 *cert, const char *match, int full)
2226 {
2227 #ifdef CONFIG_NATIVE_WINDOWS
2228 /* wincrypt.h has conflicting X509_NAME definition */
2229 return -1;
2230 #else /* CONFIG_NATIVE_WINDOWS */
2231 const char *token, *last = NULL;
2232
2233 /* Process each match alternative separately until a match is found */
2234 while ((token = cstr_token(match, ";", &last))) {
2235 if (tls_match_suffix_helper(cert, token, last - token, full))
2236 return 1;
2237 }
2238
2239 return 0;
2240 #endif /* CONFIG_NATIVE_WINDOWS */
2241 }
2242
2243
openssl_tls_fail_reason(int err)2244 static enum tls_fail_reason openssl_tls_fail_reason(int err)
2245 {
2246 switch (err) {
2247 case X509_V_ERR_CERT_REVOKED:
2248 return TLS_FAIL_REVOKED;
2249 case X509_V_ERR_CERT_NOT_YET_VALID:
2250 case X509_V_ERR_CRL_NOT_YET_VALID:
2251 return TLS_FAIL_NOT_YET_VALID;
2252 case X509_V_ERR_CERT_HAS_EXPIRED:
2253 case X509_V_ERR_CRL_HAS_EXPIRED:
2254 return TLS_FAIL_EXPIRED;
2255 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
2256 case X509_V_ERR_UNABLE_TO_GET_CRL:
2257 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
2258 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
2259 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
2260 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2261 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
2262 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
2263 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
2264 case X509_V_ERR_INVALID_CA:
2265 return TLS_FAIL_UNTRUSTED;
2266 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
2267 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
2268 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
2269 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
2270 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
2271 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
2272 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
2273 case X509_V_ERR_CERT_UNTRUSTED:
2274 case X509_V_ERR_CERT_REJECTED:
2275 return TLS_FAIL_BAD_CERTIFICATE;
2276 default:
2277 return TLS_FAIL_UNSPECIFIED;
2278 }
2279 }
2280
2281
get_x509_cert(X509 * cert)2282 static struct wpabuf * get_x509_cert(X509 *cert)
2283 {
2284 struct wpabuf *buf;
2285 u8 *tmp;
2286
2287 int cert_len = i2d_X509(cert, NULL);
2288 if (cert_len <= 0)
2289 return NULL;
2290
2291 buf = wpabuf_alloc(cert_len);
2292 if (buf == NULL)
2293 return NULL;
2294
2295 tmp = wpabuf_put(buf, cert_len);
2296 i2d_X509(cert, &tmp);
2297 return buf;
2298 }
2299
2300
openssl_tls_fail_event(struct tls_connection * conn,X509 * err_cert,int err,int depth,const char * subject,const char * err_str,enum tls_fail_reason reason)2301 static void openssl_tls_fail_event(struct tls_connection *conn,
2302 X509 *err_cert, int err, int depth,
2303 const char *subject, const char *err_str,
2304 enum tls_fail_reason reason)
2305 {
2306 union tls_event_data ev;
2307 struct wpabuf *cert = NULL;
2308 struct tls_context *context = conn->context;
2309
2310 #ifdef ANDROID
2311 log_cert_validation_failure(err_str);
2312 #endif
2313
2314 if (context->event_cb == NULL)
2315 return;
2316
2317 cert = get_x509_cert(err_cert);
2318 os_memset(&ev, 0, sizeof(ev));
2319 ev.cert_fail.reason = reason != TLS_FAIL_UNSPECIFIED ?
2320 reason : openssl_tls_fail_reason(err);
2321 ev.cert_fail.depth = depth;
2322 ev.cert_fail.subject = subject;
2323 ev.cert_fail.reason_txt = err_str;
2324 ev.cert_fail.cert = cert;
2325 context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
2326 wpabuf_free(cert);
2327 }
2328
2329
openssl_cert_tod(X509 * cert)2330 static int openssl_cert_tod(X509 *cert)
2331 {
2332 CERTIFICATEPOLICIES *ext;
2333 stack_index_t i;
2334 char buf[100];
2335 int res;
2336 int tod = 0;
2337
2338 ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
2339 if (!ext)
2340 return 0;
2341
2342 for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
2343 POLICYINFO *policy;
2344
2345 policy = sk_POLICYINFO_value(ext, i);
2346 res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
2347 if (res < 0 || (size_t) res >= sizeof(buf))
2348 continue;
2349 wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
2350 if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
2351 tod = 1; /* TOD-STRICT */
2352 else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
2353 tod = 2; /* TOD-TOFU */
2354 }
2355 sk_POLICYINFO_pop_free(ext, POLICYINFO_free);
2356
2357 return tod;
2358 }
2359
2360
openssl_tls_cert_event(struct tls_connection * conn,X509 * err_cert,int depth,const char * subject)2361 static void openssl_tls_cert_event(struct tls_connection *conn,
2362 X509 *err_cert, int depth,
2363 const char *subject)
2364 {
2365 struct wpabuf *cert = NULL;
2366 union tls_event_data ev;
2367 struct tls_context *context = conn->context;
2368 char *altsubject[TLS_MAX_ALT_SUBJECT];
2369 int alt, num_altsubject = 0;
2370 GENERAL_NAME *gen;
2371 void *ext;
2372 stack_index_t i;
2373 ASN1_INTEGER *ser;
2374 char serial_num[128];
2375 #ifdef CONFIG_SHA256
2376 u8 hash[32];
2377 #endif /* CONFIG_SHA256 */
2378
2379 if (context->event_cb == NULL)
2380 return;
2381
2382 os_memset(&ev, 0, sizeof(ev));
2383 if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) ||
2384 context->cert_in_cb) {
2385 cert = get_x509_cert(err_cert);
2386 ev.peer_cert.cert = cert;
2387 }
2388 #ifdef CONFIG_SHA256
2389 if (cert) {
2390 const u8 *addr[1];
2391 size_t len[1];
2392 addr[0] = wpabuf_head(cert);
2393 len[0] = wpabuf_len(cert);
2394 if (sha256_vector(1, addr, len, hash) == 0) {
2395 ev.peer_cert.hash = hash;
2396 ev.peer_cert.hash_len = sizeof(hash);
2397 }
2398 }
2399 #endif /* CONFIG_SHA256 */
2400 ev.peer_cert.depth = depth;
2401 ev.peer_cert.subject = subject;
2402
2403 ser = X509_get_serialNumber(err_cert);
2404 if (ser) {
2405 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
2406 ASN1_STRING_get0_data(ser),
2407 ASN1_STRING_length(ser));
2408 ev.peer_cert.serial_num = serial_num;
2409 }
2410
2411 ext = X509_get_ext_d2i(err_cert, NID_subject_alt_name, NULL, NULL);
2412 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
2413 char *pos;
2414
2415 if (num_altsubject == TLS_MAX_ALT_SUBJECT)
2416 break;
2417 gen = sk_GENERAL_NAME_value(ext, i);
2418 if (gen->type != GEN_EMAIL &&
2419 gen->type != GEN_DNS &&
2420 gen->type != GEN_URI)
2421 continue;
2422
2423 pos = os_malloc(10 + gen->d.ia5->length + 1);
2424 if (pos == NULL)
2425 break;
2426 altsubject[num_altsubject++] = pos;
2427
2428 switch (gen->type) {
2429 case GEN_EMAIL:
2430 os_memcpy(pos, "EMAIL:", 6);
2431 pos += 6;
2432 break;
2433 case GEN_DNS:
2434 os_memcpy(pos, "DNS:", 4);
2435 pos += 4;
2436 break;
2437 case GEN_URI:
2438 os_memcpy(pos, "URI:", 4);
2439 pos += 4;
2440 break;
2441 }
2442
2443 os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length);
2444 pos += gen->d.ia5->length;
2445 *pos = '\0';
2446 }
2447 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2448
2449 for (alt = 0; alt < num_altsubject; alt++)
2450 ev.peer_cert.altsubject[alt] = altsubject[alt];
2451 ev.peer_cert.num_altsubject = num_altsubject;
2452
2453 ev.peer_cert.tod = openssl_cert_tod(err_cert);
2454
2455 context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
2456 wpabuf_free(cert);
2457 for (alt = 0; alt < num_altsubject; alt++)
2458 os_free(altsubject[alt]);
2459 }
2460
2461
debug_print_cert(X509 * cert,const char * title)2462 static void debug_print_cert(X509 *cert, const char *title)
2463 {
2464 #ifndef CONFIG_NO_STDOUT_DEBUG
2465 BIO *out;
2466 size_t rlen;
2467 char *txt;
2468 int res;
2469
2470 if (wpa_debug_level > MSG_DEBUG)
2471 return;
2472
2473 out = BIO_new(BIO_s_mem());
2474 if (!out)
2475 return;
2476
2477 X509_print(out, cert);
2478 rlen = BIO_ctrl_pending(out);
2479 txt = os_malloc(rlen + 1);
2480 if (txt) {
2481 res = BIO_read(out, txt, rlen);
2482 if (res > 0) {
2483 txt[res] = '\0';
2484 wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt);
2485 }
2486 os_free(txt);
2487 }
2488
2489 BIO_free(out);
2490 #endif /* CONFIG_NO_STDOUT_DEBUG */
2491 }
2492
2493
tls_verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)2494 static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
2495 {
2496 char buf[256];
2497 X509 *err_cert;
2498 int err, depth;
2499 SSL *ssl;
2500 struct tls_connection *conn;
2501 struct tls_context *context;
2502 char *match, *altmatch, *suffix_match, *domain_match;
2503 const char *check_cert_subject;
2504 const char *err_str;
2505
2506 err_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
2507 if (!err_cert)
2508 return 0;
2509
2510 err = X509_STORE_CTX_get_error(x509_ctx);
2511 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
2512 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
2513 SSL_get_ex_data_X509_STORE_CTX_idx());
2514 os_snprintf(buf, sizeof(buf), "Peer certificate - depth %d", depth);
2515 debug_print_cert(err_cert, buf);
2516 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
2517
2518 conn = SSL_get_app_data(ssl);
2519 if (conn == NULL)
2520 return 0;
2521
2522 if (depth == 0)
2523 conn->peer_cert = err_cert;
2524 else if (depth == 1)
2525 conn->peer_issuer = err_cert;
2526 else if (depth == 2)
2527 conn->peer_issuer_issuer = err_cert;
2528
2529 context = conn->context;
2530 match = conn->subject_match;
2531 altmatch = conn->altsubject_match;
2532 suffix_match = conn->suffix_match;
2533 domain_match = conn->domain_match;
2534
2535 if (!preverify_ok && !conn->ca_cert_verify)
2536 preverify_ok = 1;
2537 if (!preverify_ok && depth > 0 && conn->server_cert_only)
2538 preverify_ok = 1;
2539 if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
2540 (err == X509_V_ERR_CERT_HAS_EXPIRED ||
2541 err == X509_V_ERR_CERT_NOT_YET_VALID)) {
2542 wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
2543 "time mismatch");
2544 preverify_ok = 1;
2545 }
2546 if (!preverify_ok && !conn->data->check_crl_strict &&
2547 (err == X509_V_ERR_CRL_HAS_EXPIRED ||
2548 err == X509_V_ERR_CRL_NOT_YET_VALID)) {
2549 wpa_printf(MSG_DEBUG,
2550 "OpenSSL: Ignore certificate validity CRL time mismatch");
2551 preverify_ok = 1;
2552 }
2553
2554 err_str = X509_verify_cert_error_string(err);
2555
2556 #ifdef CONFIG_SHA256
2557 /*
2558 * Do not require preverify_ok so we can explicity allow otherwise
2559 * invalid pinned server certificates.
2560 */
2561 if (depth == 0 && conn->server_cert_only) {
2562 struct wpabuf *cert;
2563 cert = get_x509_cert(err_cert);
2564 if (!cert) {
2565 wpa_printf(MSG_DEBUG, "OpenSSL: Could not fetch "
2566 "server certificate data");
2567 preverify_ok = 0;
2568 } else {
2569 u8 hash[32];
2570 const u8 *addr[1];
2571 size_t len[1];
2572 addr[0] = wpabuf_head(cert);
2573 len[0] = wpabuf_len(cert);
2574 if (sha256_vector(1, addr, len, hash) < 0 ||
2575 os_memcmp(conn->srv_cert_hash, hash, 32) != 0) {
2576 err_str = "Server certificate mismatch";
2577 err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
2578 preverify_ok = 0;
2579 } else if (!preverify_ok) {
2580 /*
2581 * Certificate matches pinned certificate, allow
2582 * regardless of other problems.
2583 */
2584 wpa_printf(MSG_DEBUG,
2585 "OpenSSL: Ignore validation issues for a pinned server certificate");
2586 preverify_ok = 1;
2587 }
2588 wpabuf_free(cert);
2589 }
2590 }
2591 #endif /* CONFIG_SHA256 */
2592
2593 openssl_tls_cert_event(conn, err_cert, depth, buf);
2594
2595 if (!preverify_ok) {
2596 if (depth > 0) {
2597 /* Send cert event for the peer certificate so that
2598 * the upper layers get information about it even if
2599 * validation of a CA certificate fails. */
2600 STACK_OF(X509) *chain;
2601
2602 chain = X509_STORE_CTX_get1_chain(x509_ctx);
2603 if (chain && sk_X509_num(chain) > 0) {
2604 char buf2[256];
2605 X509 *cert;
2606
2607 cert = sk_X509_value(chain, 0);
2608 X509_NAME_oneline(X509_get_subject_name(cert),
2609 buf2, sizeof(buf2));
2610
2611 openssl_tls_cert_event(conn, cert, 0, buf2);
2612 }
2613 if (chain)
2614 sk_X509_pop_free(chain, X509_free);
2615 }
2616
2617 wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
2618 " error %d (%s) depth %d for '%s'", err, err_str,
2619 depth, buf);
2620 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2621 err_str, TLS_FAIL_UNSPECIFIED);
2622 return preverify_ok;
2623 }
2624
2625 wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb - preverify_ok=%d "
2626 "err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'",
2627 preverify_ok, err, err_str,
2628 conn->ca_cert_verify, depth, buf);
2629 check_cert_subject = conn->check_cert_subject;
2630 if (!check_cert_subject)
2631 check_cert_subject = conn->data->check_cert_subject;
2632 if (check_cert_subject) {
2633 if (depth == 0 &&
2634 !tls_match_dn_field(err_cert, check_cert_subject)) {
2635 preverify_ok = 0;
2636 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2637 "Distinguished Name",
2638 TLS_FAIL_DN_MISMATCH);
2639 }
2640 }
2641 if (depth == 0 && match && os_strstr(buf, match) == NULL) {
2642 wpa_printf(MSG_WARNING, "TLS: Subject '%s' did not "
2643 "match with '%s'", buf, match);
2644 preverify_ok = 0;
2645 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2646 "Subject mismatch",
2647 TLS_FAIL_SUBJECT_MISMATCH);
2648 } else if (depth == 0 && altmatch &&
2649 !tls_match_altsubject(err_cert, altmatch)) {
2650 wpa_printf(MSG_WARNING, "TLS: altSubjectName match "
2651 "'%s' not found", altmatch);
2652 preverify_ok = 0;
2653 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2654 "AltSubject mismatch",
2655 TLS_FAIL_ALTSUBJECT_MISMATCH);
2656 } else if (depth == 0 && suffix_match &&
2657 !tls_match_suffix(err_cert, suffix_match, 0)) {
2658 wpa_printf(MSG_WARNING, "TLS: Domain suffix match '%s' not found",
2659 suffix_match);
2660 preverify_ok = 0;
2661 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2662 "Domain suffix mismatch",
2663 TLS_FAIL_DOMAIN_SUFFIX_MISMATCH);
2664 } else if (depth == 0 && domain_match &&
2665 !tls_match_suffix(err_cert, domain_match, 1)) {
2666 wpa_printf(MSG_WARNING, "TLS: Domain match '%s' not found",
2667 domain_match);
2668 preverify_ok = 0;
2669 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2670 "Domain mismatch",
2671 TLS_FAIL_DOMAIN_MISMATCH);
2672 }
2673
2674 if (conn->cert_probe && preverify_ok && depth == 0) {
2675 wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate "
2676 "on probe-only run");
2677 preverify_ok = 0;
2678 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2679 "Server certificate chain probe",
2680 TLS_FAIL_SERVER_CHAIN_PROBE);
2681 }
2682
2683 #ifdef CONFIG_SUITEB
2684 if (conn->flags & TLS_CONN_SUITEB) {
2685 EVP_PKEY *pk;
2686 int len = -1;
2687
2688 pk = X509_get_pubkey(err_cert);
2689 if (pk) {
2690 len = EVP_PKEY_bits(pk);
2691 EVP_PKEY_free(pk);
2692 }
2693
2694 if (len >= 0) {
2695 wpa_printf(MSG_DEBUG,
2696 "OpenSSL: RSA modulus size: %d bits", len);
2697 if (len < 3072) {
2698 preverify_ok = 0;
2699 openssl_tls_fail_event(
2700 conn, err_cert, err,
2701 depth, buf,
2702 "Insufficient RSA modulus size",
2703 TLS_FAIL_INSUFFICIENT_KEY_LEN);
2704 }
2705 }
2706 }
2707 #endif /* CONFIG_SUITEB */
2708
2709 #ifdef OPENSSL_IS_BORINGSSL
2710 if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) &&
2711 preverify_ok) {
2712 enum ocsp_result res;
2713
2714 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert,
2715 conn->peer_issuer,
2716 conn->peer_issuer_issuer);
2717 if (res == OCSP_REVOKED) {
2718 preverify_ok = 0;
2719 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2720 "certificate revoked",
2721 TLS_FAIL_REVOKED);
2722 if (err == X509_V_OK)
2723 X509_STORE_CTX_set_error(
2724 x509_ctx, X509_V_ERR_CERT_REVOKED);
2725 } else if (res != OCSP_GOOD &&
2726 (conn->flags & TLS_CONN_REQUIRE_OCSP)) {
2727 preverify_ok = 0;
2728 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2729 "bad certificate status response",
2730 TLS_FAIL_UNSPECIFIED);
2731 }
2732 }
2733 #endif /* OPENSSL_IS_BORINGSSL */
2734
2735 if (depth == 0 && preverify_ok && context->event_cb != NULL)
2736 context->event_cb(context->cb_ctx,
2737 TLS_CERT_CHAIN_SUCCESS, NULL);
2738
2739 if (depth == 0 && preverify_ok) {
2740 os_free(conn->peer_subject);
2741 conn->peer_subject = os_strdup(buf);
2742 }
2743
2744 return preverify_ok;
2745 }
2746
2747
2748 #ifndef OPENSSL_NO_STDIO
tls_load_ca_der(struct tls_data * data,const char * ca_cert)2749 static int tls_load_ca_der(struct tls_data *data, const char *ca_cert)
2750 {
2751 SSL_CTX *ssl_ctx = data->ssl;
2752 X509_LOOKUP *lookup;
2753 int ret = 0;
2754
2755 lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx),
2756 X509_LOOKUP_file());
2757 if (lookup == NULL) {
2758 tls_show_errors(MSG_WARNING, __func__,
2759 "Failed add lookup for X509 store");
2760 return -1;
2761 }
2762
2763 if (!X509_LOOKUP_load_file(lookup, ca_cert, X509_FILETYPE_ASN1)) {
2764 unsigned long err = ERR_peek_error();
2765 tls_show_errors(MSG_WARNING, __func__,
2766 "Failed load CA in DER format");
2767 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2768 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2769 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2770 "cert already in hash table error",
2771 __func__);
2772 } else
2773 ret = -1;
2774 }
2775
2776 return ret;
2777 }
2778 #endif /* OPENSSL_NO_STDIO */
2779
2780
tls_connection_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert,const u8 * ca_cert_blob,size_t ca_cert_blob_len,const char * ca_path)2781 static int tls_connection_ca_cert(struct tls_data *data,
2782 struct tls_connection *conn,
2783 const char *ca_cert, const u8 *ca_cert_blob,
2784 size_t ca_cert_blob_len, const char *ca_path)
2785 {
2786 SSL_CTX *ssl_ctx = data->ssl;
2787 X509_STORE *store;
2788
2789 /*
2790 * Remove previously configured trusted CA certificates before adding
2791 * new ones.
2792 */
2793 store = X509_STORE_new();
2794 if (store == NULL) {
2795 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
2796 "certificate store", __func__);
2797 return -1;
2798 }
2799 SSL_CTX_set_cert_store(ssl_ctx, store);
2800
2801 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2802 conn->ca_cert_verify = 1;
2803
2804 if (ca_cert && os_strncmp(ca_cert, "probe://", 8) == 0) {
2805 wpa_printf(MSG_DEBUG, "OpenSSL: Probe for server certificate "
2806 "chain");
2807 conn->cert_probe = 1;
2808 conn->ca_cert_verify = 0;
2809 return 0;
2810 }
2811
2812 if (ca_cert && os_strncmp(ca_cert, "hash://", 7) == 0) {
2813 #ifdef CONFIG_SHA256
2814 const char *pos = ca_cert + 7;
2815 if (os_strncmp(pos, "server/sha256/", 14) != 0) {
2816 wpa_printf(MSG_DEBUG, "OpenSSL: Unsupported ca_cert "
2817 "hash value '%s'", ca_cert);
2818 return -1;
2819 }
2820 pos += 14;
2821 if (os_strlen(pos) != 32 * 2) {
2822 wpa_printf(MSG_DEBUG, "OpenSSL: Unexpected SHA256 "
2823 "hash length in ca_cert '%s'", ca_cert);
2824 return -1;
2825 }
2826 if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) {
2827 wpa_printf(MSG_DEBUG, "OpenSSL: Invalid SHA256 hash "
2828 "value in ca_cert '%s'", ca_cert);
2829 return -1;
2830 }
2831 conn->server_cert_only = 1;
2832 wpa_printf(MSG_DEBUG, "OpenSSL: Checking only server "
2833 "certificate match");
2834 return 0;
2835 #else /* CONFIG_SHA256 */
2836 wpa_printf(MSG_INFO, "No SHA256 included in the build - "
2837 "cannot validate server certificate hash");
2838 return -1;
2839 #endif /* CONFIG_SHA256 */
2840 }
2841
2842 if (ca_cert_blob) {
2843 X509 *cert = d2i_X509(NULL,
2844 (const unsigned char **) &ca_cert_blob,
2845 ca_cert_blob_len);
2846 if (cert == NULL) {
2847 BIO *bio = BIO_new_mem_buf(ca_cert_blob,
2848 ca_cert_blob_len);
2849
2850 if (bio) {
2851 cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
2852 BIO_free(bio);
2853 }
2854
2855 if (!cert) {
2856 tls_show_errors(MSG_WARNING, __func__,
2857 "Failed to parse ca_cert_blob");
2858 return -1;
2859 }
2860
2861 while (ERR_get_error()) {
2862 /* Ignore errors from DER conversion. */
2863 }
2864 }
2865
2866 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
2867 cert)) {
2868 unsigned long err = ERR_peek_error();
2869 tls_show_errors(MSG_WARNING, __func__,
2870 "Failed to add ca_cert_blob to "
2871 "certificate store");
2872 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2873 ERR_GET_REASON(err) ==
2874 X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2875 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2876 "cert already in hash table error",
2877 __func__);
2878 } else {
2879 X509_free(cert);
2880 return -1;
2881 }
2882 }
2883 X509_free(cert);
2884 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob "
2885 "to certificate store", __func__);
2886 return 0;
2887 }
2888
2889 #ifdef ANDROID
2890 /* Single alias */
2891 if (ca_cert && os_strncmp(ANDROID_KEYSTORE_PREFIX, ca_cert,
2892 ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
2893 if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx),
2894 &ca_cert[ANDROID_KEYSTORE_PREFIX_LEN]) < 0)
2895 return -1;
2896 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2897 return 0;
2898 }
2899
2900 /* Multiple aliases separated by space */
2901 if (ca_cert && os_strncmp(ANDROID_KEYSTORE_ENCODED_PREFIX, ca_cert,
2902 ANDROID_KEYSTORE_ENCODED_PREFIX_LEN) == 0) {
2903 char *aliases = os_strdup(
2904 &ca_cert[ANDROID_KEYSTORE_ENCODED_PREFIX_LEN]);
2905 const char *delim = " ";
2906 int rc = 0;
2907 char *savedptr;
2908 char *alias;
2909
2910 if (!aliases)
2911 return -1;
2912 alias = strtok_r(aliases, delim, &savedptr);
2913 for (; alias; alias = strtok_r(NULL, delim, &savedptr)) {
2914 if (tls_add_ca_from_keystore_encoded(
2915 SSL_CTX_get_cert_store(ssl_ctx), alias)) {
2916 wpa_printf(MSG_ERROR,
2917 "OpenSSL: Failed to add ca_cert %s from keystore",
2918 alias);
2919 rc = -1;
2920 break;
2921 }
2922 }
2923 os_free(aliases);
2924 if (rc)
2925 return rc;
2926
2927 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2928 return 0;
2929 }
2930 #endif /* ANDROID */
2931
2932 #ifdef CONFIG_NATIVE_WINDOWS
2933 if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) ==
2934 0) {
2935 wpa_printf(MSG_DEBUG, "OpenSSL: Added CA certificates from "
2936 "system certificate store");
2937 return 0;
2938 }
2939 #endif /* CONFIG_NATIVE_WINDOWS */
2940
2941 if (ca_cert || ca_path) {
2942 #ifndef OPENSSL_NO_STDIO
2943 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, ca_path) !=
2944 1) {
2945 tls_show_errors(MSG_WARNING, __func__,
2946 "Failed to load root certificates");
2947 if (ca_cert &&
2948 tls_load_ca_der(data, ca_cert) == 0) {
2949 wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded "
2950 "DER format CA certificate",
2951 __func__);
2952 } else
2953 return -1;
2954 } else {
2955 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
2956 "certificate(s) loaded");
2957 tls_get_errors(data);
2958 }
2959 #else /* OPENSSL_NO_STDIO */
2960 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO",
2961 __func__);
2962 return -1;
2963 #endif /* OPENSSL_NO_STDIO */
2964 } else {
2965 /* No ca_cert configured - do not try to verify server
2966 * certificate */
2967 conn->ca_cert_verify = 0;
2968 }
2969
2970 return 0;
2971 }
2972
2973
tls_global_ca_cert(struct tls_data * data,const char * ca_cert)2974 static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert)
2975 {
2976 SSL_CTX *ssl_ctx = data->ssl;
2977
2978 if (ca_cert) {
2979 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1)
2980 {
2981 tls_show_errors(MSG_WARNING, __func__,
2982 "Failed to load root certificates");
2983 return -1;
2984 }
2985
2986 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
2987 "certificate(s) loaded");
2988
2989 #ifndef OPENSSL_NO_STDIO
2990 /* Add the same CAs to the client certificate requests */
2991 SSL_CTX_set_client_CA_list(ssl_ctx,
2992 SSL_load_client_CA_file(ca_cert));
2993 #endif /* OPENSSL_NO_STDIO */
2994
2995 os_free(data->ca_cert);
2996 data->ca_cert = os_strdup(ca_cert);
2997 }
2998
2999 return 0;
3000 }
3001
3002
tls_global_set_verify(void * ssl_ctx,int check_crl,int strict)3003 int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
3004 {
3005 int flags;
3006
3007 if (check_crl) {
3008 struct tls_data *data = ssl_ctx;
3009 X509_STORE *cs = SSL_CTX_get_cert_store(data->ssl);
3010 if (cs == NULL) {
3011 tls_show_errors(MSG_INFO, __func__, "Failed to get "
3012 "certificate store when enabling "
3013 "check_crl");
3014 return -1;
3015 }
3016 flags = X509_V_FLAG_CRL_CHECK;
3017 if (check_crl == 2)
3018 flags |= X509_V_FLAG_CRL_CHECK_ALL;
3019 X509_STORE_set_flags(cs, flags);
3020
3021 data->check_crl = check_crl;
3022 data->check_crl_strict = strict;
3023 os_get_reltime(&data->crl_last_reload);
3024 }
3025 return 0;
3026 }
3027
3028
tls_connection_set_subject_match(struct tls_connection * conn,const char * subject_match,const char * altsubject_match,const char * suffix_match,const char * domain_match,const char * check_cert_subject)3029 static int tls_connection_set_subject_match(struct tls_connection *conn,
3030 const char *subject_match,
3031 const char *altsubject_match,
3032 const char *suffix_match,
3033 const char *domain_match,
3034 const char *check_cert_subject)
3035 {
3036 os_free(conn->subject_match);
3037 conn->subject_match = NULL;
3038 if (subject_match) {
3039 conn->subject_match = os_strdup(subject_match);
3040 if (conn->subject_match == NULL)
3041 return -1;
3042 }
3043
3044 os_free(conn->altsubject_match);
3045 conn->altsubject_match = NULL;
3046 if (altsubject_match) {
3047 conn->altsubject_match = os_strdup(altsubject_match);
3048 if (conn->altsubject_match == NULL)
3049 return -1;
3050 }
3051
3052 os_free(conn->suffix_match);
3053 conn->suffix_match = NULL;
3054 if (suffix_match) {
3055 conn->suffix_match = os_strdup(suffix_match);
3056 if (conn->suffix_match == NULL)
3057 return -1;
3058 }
3059
3060 os_free(conn->domain_match);
3061 conn->domain_match = NULL;
3062 if (domain_match) {
3063 conn->domain_match = os_strdup(domain_match);
3064 if (conn->domain_match == NULL)
3065 return -1;
3066 }
3067
3068 os_free(conn->check_cert_subject);
3069 conn->check_cert_subject = NULL;
3070 if (check_cert_subject) {
3071 conn->check_cert_subject = os_strdup(check_cert_subject);
3072 if (!conn->check_cert_subject)
3073 return -1;
3074 }
3075
3076 return 0;
3077 }
3078
3079
3080 #ifdef CONFIG_SUITEB
suiteb_cert_cb(SSL * ssl,void * arg)3081 static int suiteb_cert_cb(SSL *ssl, void *arg)
3082 {
3083 struct tls_connection *conn = arg;
3084
3085 /*
3086 * This cert_cb() is not really the best location for doing a
3087 * constraint check for the ServerKeyExchange message, but this seems to
3088 * be the only place where the current OpenSSL sequence can be
3089 * terminated cleanly with an TLS alert going out to the server.
3090 */
3091
3092 if (!(conn->flags & TLS_CONN_SUITEB))
3093 return 1;
3094
3095 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
3096 if (conn->cipher_suite != 0x9f)
3097 return 1;
3098
3099 if (conn->server_dh_prime_len >= 3072)
3100 return 1;
3101
3102 wpa_printf(MSG_DEBUG,
3103 "OpenSSL: Server DH prime length (%d bits) not sufficient for Suite B RSA - reject handshake",
3104 conn->server_dh_prime_len);
3105 return 0;
3106 }
3107 #endif /* CONFIG_SUITEB */
3108
3109
tls_set_conn_flags(struct tls_connection * conn,unsigned int flags,const char * openssl_ciphers)3110 static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
3111 const char *openssl_ciphers)
3112 {
3113 SSL *ssl = conn->ssl;
3114
3115 #ifdef SSL_OP_NO_TICKET
3116 if (flags & TLS_CONN_DISABLE_SESSION_TICKET)
3117 SSL_set_options(ssl, SSL_OP_NO_TICKET);
3118 else
3119 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3120 #endif /* SSL_OP_NO_TICKET */
3121
3122 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
3123 if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
3124 SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
3125 #endif /* SSL_OP_LEGACY_SERVER_CONNECT */
3126
3127 #ifdef SSL_OP_NO_TLSv1
3128 if (flags & TLS_CONN_DISABLE_TLSv1_0)
3129 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3130 else
3131 SSL_clear_options(ssl, SSL_OP_NO_TLSv1);
3132 #endif /* SSL_OP_NO_TLSv1 */
3133 #ifdef SSL_OP_NO_TLSv1_1
3134 if (flags & TLS_CONN_DISABLE_TLSv1_1)
3135 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3136 else
3137 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1);
3138 #endif /* SSL_OP_NO_TLSv1_1 */
3139 #ifdef SSL_OP_NO_TLSv1_2
3140 if (flags & TLS_CONN_DISABLE_TLSv1_2)
3141 SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
3142 else
3143 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
3144 #endif /* SSL_OP_NO_TLSv1_2 */
3145 #ifdef SSL_OP_NO_TLSv1_3
3146 if (flags & TLS_CONN_DISABLE_TLSv1_3)
3147 SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
3148 else
3149 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
3150 #endif /* SSL_OP_NO_TLSv1_3 */
3151 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
3152 if (flags & (TLS_CONN_ENABLE_TLSv1_0 |
3153 TLS_CONN_ENABLE_TLSv1_1 |
3154 TLS_CONN_ENABLE_TLSv1_2)) {
3155 int version = 0;
3156
3157 /* Explicit request to enable TLS versions even if needing to
3158 * override systemwide policies. */
3159 if (flags & TLS_CONN_ENABLE_TLSv1_0)
3160 version = TLS1_VERSION;
3161 else if (flags & TLS_CONN_ENABLE_TLSv1_1)
3162 version = TLS1_1_VERSION;
3163 else if (flags & TLS_CONN_ENABLE_TLSv1_2)
3164 version = TLS1_2_VERSION;
3165 if (!version) {
3166 wpa_printf(MSG_DEBUG,
3167 "OpenSSL: Invalid TLS version configuration");
3168 return -1;
3169 }
3170
3171 if (SSL_set_min_proto_version(ssl, version) != 1) {
3172 wpa_printf(MSG_DEBUG,
3173 "OpenSSL: Failed to set minimum TLS version");
3174 return -1;
3175 }
3176 }
3177 #endif /* >= 1.1.0 */
3178 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3179 !defined(LIBRESSL_VERSION_NUMBER) && \
3180 !defined(OPENSSL_IS_BORINGSSL)
3181 {
3182 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3183 int need_level = 0;
3184 #else
3185 int need_level = 1;
3186 #endif
3187
3188 if ((flags &
3189 (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
3190 SSL_get_security_level(ssl) > need_level) {
3191 /*
3192 * Need to drop to security level 1 (or 0 with OpenSSL
3193 * 3.0) to allow TLS versions older than 1.2 to be used
3194 * when explicitly enabled in configuration.
3195 */
3196 SSL_set_security_level(conn->ssl, need_level);
3197 }
3198 }
3199 #endif
3200
3201 #ifdef CONFIG_SUITEB
3202 #ifdef OPENSSL_IS_BORINGSSL
3203 /* Start with defaults from BoringSSL */
3204 SSL_set_verify_algorithm_prefs(conn->ssl, NULL, 0);
3205 #endif /* OPENSSL_IS_BORINGSSL */
3206 if (flags & TLS_CONN_SUITEB_NO_ECDH) {
3207 const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
3208
3209 if (openssl_ciphers) {
3210 wpa_printf(MSG_DEBUG,
3211 "OpenSSL: Override ciphers for Suite B (no ECDH): %s",
3212 openssl_ciphers);
3213 ciphers = openssl_ciphers;
3214 }
3215 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3216 wpa_printf(MSG_INFO,
3217 "OpenSSL: Failed to set Suite B ciphers");
3218 return -1;
3219 }
3220 } else if (flags & TLS_CONN_SUITEB) {
3221 #if OPENSSL_VERSION_NUMBER < 0x30000000L
3222 EC_KEY *ecdh;
3223 #endif
3224 const char *ciphers =
3225 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
3226 int nid[1] = { NID_secp384r1 };
3227
3228 if (openssl_ciphers) {
3229 wpa_printf(MSG_DEBUG,
3230 "OpenSSL: Override ciphers for Suite B: %s",
3231 openssl_ciphers);
3232 ciphers = openssl_ciphers;
3233 }
3234 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3235 wpa_printf(MSG_INFO,
3236 "OpenSSL: Failed to set Suite B ciphers");
3237 return -1;
3238 }
3239
3240 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3241 if (SSL_set1_groups(ssl, nid, 1) != 1) {
3242 wpa_printf(MSG_INFO,
3243 "OpenSSL: Failed to set Suite B groups");
3244 return -1;
3245 }
3246
3247 #else
3248 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3249 wpa_printf(MSG_INFO,
3250 "OpenSSL: Failed to set Suite B curves");
3251 return -1;
3252 }
3253
3254 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
3255 if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
3256 EC_KEY_free(ecdh);
3257 wpa_printf(MSG_INFO,
3258 "OpenSSL: Failed to set ECDH parameter");
3259 return -1;
3260 }
3261 EC_KEY_free(ecdh);
3262 #endif
3263 }
3264 if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) {
3265 #ifdef OPENSSL_IS_BORINGSSL
3266 uint16_t sigalgs[1] = { SSL_SIGN_RSA_PKCS1_SHA384 };
3267
3268 if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,
3269 1) != 1) {
3270 wpa_printf(MSG_INFO,
3271 "OpenSSL: Failed to set Suite B sigalgs");
3272 return -1;
3273 }
3274 #else /* OPENSSL_IS_BORINGSSL */
3275 /* ECDSA+SHA384 if need to add EC support here */
3276 if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
3277 wpa_printf(MSG_INFO,
3278 "OpenSSL: Failed to set Suite B sigalgs");
3279 return -1;
3280 }
3281 #endif /* OPENSSL_IS_BORINGSSL */
3282
3283 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3284 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3285 SSL_set_cert_cb(ssl, suiteb_cert_cb, conn);
3286 }
3287
3288 #ifdef OPENSSL_IS_BORINGSSL
3289 if (openssl_ciphers && os_strcmp(openssl_ciphers, "SUITEB192") == 0) {
3290 uint16_t sigalgs[1] = { SSL_SIGN_ECDSA_SECP384R1_SHA384 };
3291 int nid[1] = { NID_secp384r1 };
3292
3293 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3294 wpa_printf(MSG_INFO,
3295 "OpenSSL: Failed to set Suite B curves");
3296 return -1;
3297 }
3298
3299 if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,
3300 1) != 1) {
3301 wpa_printf(MSG_INFO,
3302 "OpenSSL: Failed to set Suite B sigalgs");
3303 return -1;
3304 }
3305 }
3306 #else /* OPENSSL_IS_BORINGSSL */
3307 if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) &&
3308 openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3309 wpa_printf(MSG_INFO,
3310 "OpenSSL: Failed to set openssl_ciphers '%s'",
3311 openssl_ciphers);
3312 return -1;
3313 }
3314 #endif /* OPENSSL_IS_BORINGSSL */
3315 #else /* CONFIG_SUITEB */
3316 if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3317 wpa_printf(MSG_INFO,
3318 "OpenSSL: Failed to set openssl_ciphers '%s'",
3319 openssl_ciphers);
3320 return -1;
3321 }
3322 #endif /* CONFIG_SUITEB */
3323
3324 if (flags & TLS_CONN_TEAP_ANON_DH) {
3325 #ifndef TEAP_DH_ANON_CS
3326 #define TEAP_DH_ANON_CS \
3327 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \
3328 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \
3329 "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \
3330 "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
3331 "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \
3332 "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \
3333 "ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \
3334 "ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA"
3335 #endif
3336 static const char *cs = TEAP_DH_ANON_CS;
3337
3338 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3339 !defined(LIBRESSL_VERSION_NUMBER) && \
3340 !defined(OPENSSL_IS_BORINGSSL)
3341 /*
3342 * Need to drop to security level 0 to allow anonymous
3343 * cipher suites for EAP-TEAP.
3344 */
3345 SSL_set_security_level(conn->ssl, 0);
3346 #endif
3347
3348 wpa_printf(MSG_DEBUG,
3349 "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s",
3350 cs);
3351 if (SSL_set_cipher_list(conn->ssl, cs) != 1) {
3352 tls_show_errors(MSG_INFO, __func__,
3353 "Cipher suite configuration failed");
3354 return -1;
3355 }
3356 }
3357
3358 return 0;
3359 }
3360
3361
tls_connection_set_verify(void * ssl_ctx,struct tls_connection * conn,int verify_peer,unsigned int flags,const u8 * session_ctx,size_t session_ctx_len)3362 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
3363 int verify_peer, unsigned int flags,
3364 const u8 *session_ctx, size_t session_ctx_len)
3365 {
3366 static int counter = 0;
3367 struct tls_data *data = ssl_ctx;
3368
3369 if (conn == NULL)
3370 return -1;
3371
3372 if (verify_peer == 2) {
3373 conn->ca_cert_verify = 1;
3374 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3375 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3376 } else if (verify_peer) {
3377 conn->ca_cert_verify = 1;
3378 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3379 SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
3380 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3381 } else {
3382 conn->ca_cert_verify = 0;
3383 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
3384 }
3385
3386 if (tls_set_conn_flags(conn, flags, NULL) < 0)
3387 return -1;
3388 conn->flags = flags;
3389
3390 SSL_set_accept_state(conn->ssl);
3391
3392 if (data->tls_session_lifetime == 0) {
3393 /*
3394 * Set session id context to a unique value to make sure
3395 * session resumption cannot be used either through session
3396 * caching or TLS ticket extension.
3397 */
3398 counter++;
3399 SSL_set_session_id_context(conn->ssl,
3400 (const unsigned char *) &counter,
3401 sizeof(counter));
3402 } else if (session_ctx) {
3403 SSL_set_session_id_context(conn->ssl, session_ctx,
3404 session_ctx_len);
3405 }
3406
3407 return 0;
3408 }
3409
3410
tls_connection_client_cert(struct tls_connection * conn,const char * client_cert,const u8 * client_cert_blob,size_t client_cert_blob_len)3411 static int tls_connection_client_cert(struct tls_connection *conn,
3412 const char *client_cert,
3413 const u8 *client_cert_blob,
3414 size_t client_cert_blob_len)
3415 {
3416 if (client_cert == NULL && client_cert_blob == NULL)
3417 return 0;
3418
3419 #ifdef PKCS12_FUNCS
3420 #ifdef LIBRESSL_VERSION_NUMBER
3421 /*
3422 * Clear previously set extra chain certificates, if any, from PKCS#12
3423 * processing in tls_parse_pkcs12() to allow LibreSSL to build a new
3424 * chain properly.
3425 */
3426 SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx);
3427 #endif /* LIBRESSL_VERSION_NUMBER */
3428 #endif /* PKCS12_FUNCS */
3429
3430 if (client_cert_blob &&
3431 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
3432 client_cert_blob_len) == 1) {
3433 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_ASN1 --> "
3434 "OK");
3435 return 0;
3436 } else if (client_cert_blob) {
3437 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20901000L
3438 tls_show_errors(MSG_DEBUG, __func__,
3439 "SSL_use_certificate_ASN1 failed");
3440 #else
3441 BIO *bio;
3442 X509 *x509;
3443
3444 tls_show_errors(MSG_DEBUG, __func__,
3445 "SSL_use_certificate_ASN1 failed");
3446 bio = BIO_new(BIO_s_mem());
3447 if (!bio)
3448 return -1;
3449 BIO_write(bio, client_cert_blob, client_cert_blob_len);
3450 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3451 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) {
3452 X509_free(x509);
3453 BIO_free(bio);
3454 return -1;
3455 }
3456 X509_free(x509);
3457 wpa_printf(MSG_DEBUG,
3458 "OpenSSL: Found PEM encoded certificate from blob");
3459 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
3460 wpa_printf(MSG_DEBUG,
3461 "OpenSSL: Added an additional certificate into the chain");
3462 SSL_add0_chain_cert(conn->ssl, x509);
3463 }
3464 BIO_free(bio);
3465 return 0;
3466 #endif
3467 }
3468
3469 if (client_cert == NULL)
3470 return -1;
3471
3472 #ifdef ANDROID
3473 if (os_strncmp(ANDROID_KEYSTORE_PREFIX, client_cert,
3474 ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
3475 BIO *bio = BIO_from_keystore(&client_cert[ANDROID_KEYSTORE_PREFIX_LEN]);
3476 X509 *x509 = NULL;
3477 if (!bio) {
3478 return -1;
3479 }
3480 // Keystore returns X.509 certificates in PEM encoding
3481 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3482 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) {
3483 X509_free(x509);
3484 BIO_free(bio);
3485 wpa_printf(MSG_ERROR, "OpenSSL: Unknown certificate encoding");
3486 return -1;
3487 }
3488 X509_free(x509);
3489 wpa_printf(MSG_DEBUG,
3490 "OpenSSL: Found PEM encoded certificate from keystore: %s",
3491 client_cert);
3492
3493 // Read additional certificates into the chain
3494 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
3495 wpa_printf(MSG_DEBUG,
3496 "OpenSSL: Added an additional certificate into the chain");
3497 // Takes ownership of x509, no need to free it here
3498 SSL_add0_chain_cert(conn->ssl, x509);
3499 }
3500 BIO_free(bio);
3501 return 0;
3502 }
3503 #endif /* ANDROID */
3504
3505 #ifndef OPENSSL_NO_STDIO
3506 if (SSL_use_certificate_file(conn->ssl, client_cert,
3507 SSL_FILETYPE_ASN1) == 1) {
3508 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (DER)"
3509 " --> OK");
3510 return 0;
3511 }
3512
3513 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3514 !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
3515 if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
3516 ERR_clear_error();
3517 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
3518 " --> OK");
3519 return 0;
3520 }
3521 #else
3522 if (SSL_use_certificate_file(conn->ssl, client_cert,
3523 SSL_FILETYPE_PEM) == 1) {
3524 ERR_clear_error();
3525 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
3526 " --> OK");
3527 return 0;
3528 }
3529 #endif
3530
3531 tls_show_errors(MSG_DEBUG, __func__,
3532 "SSL_use_certificate_file failed");
3533 #else /* OPENSSL_NO_STDIO */
3534 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3535 #endif /* OPENSSL_NO_STDIO */
3536
3537 return -1;
3538 }
3539
3540
tls_global_client_cert(struct tls_data * data,const char * client_cert)3541 static int tls_global_client_cert(struct tls_data *data,
3542 const char *client_cert)
3543 {
3544 #ifndef OPENSSL_NO_STDIO
3545 SSL_CTX *ssl_ctx = data->ssl;
3546
3547 if (client_cert == NULL)
3548 return 0;
3549
3550 if (SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3551 SSL_FILETYPE_ASN1) != 1 &&
3552 SSL_CTX_use_certificate_chain_file(ssl_ctx, client_cert) != 1 &&
3553 SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3554 SSL_FILETYPE_PEM) != 1) {
3555 tls_show_errors(MSG_INFO, __func__,
3556 "Failed to load client certificate");
3557 return -1;
3558 }
3559 return 0;
3560 #else /* OPENSSL_NO_STDIO */
3561 if (client_cert == NULL)
3562 return 0;
3563 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3564 return -1;
3565 #endif /* OPENSSL_NO_STDIO */
3566 }
3567
3568
3569 #ifdef PKCS12_FUNCS
tls_parse_pkcs12(struct tls_data * data,SSL * ssl,PKCS12 * p12,const char * passwd)3570 static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12,
3571 const char *passwd)
3572 {
3573 EVP_PKEY *pkey;
3574 X509 *cert;
3575 STACK_OF(X509) *certs;
3576 int res = 0;
3577 char buf[256];
3578
3579 pkey = NULL;
3580 cert = NULL;
3581 certs = NULL;
3582 if (!passwd)
3583 passwd = "";
3584 if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) {
3585 tls_show_errors(MSG_DEBUG, __func__,
3586 "Failed to parse PKCS12 file");
3587 PKCS12_free(p12);
3588 return -1;
3589 }
3590 wpa_printf(MSG_DEBUG, "TLS: Successfully parsed PKCS12 data");
3591
3592 if (cert) {
3593 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3594 sizeof(buf));
3595 wpa_printf(MSG_DEBUG, "TLS: Got certificate from PKCS12: "
3596 "subject='%s'", buf);
3597 if (ssl) {
3598 if (SSL_use_certificate(ssl, cert) != 1)
3599 res = -1;
3600 } else {
3601 if (SSL_CTX_use_certificate(data->ssl, cert) != 1)
3602 res = -1;
3603 }
3604 X509_free(cert);
3605 }
3606
3607 if (pkey) {
3608 wpa_printf(MSG_DEBUG, "TLS: Got private key from PKCS12");
3609 if (ssl) {
3610 if (SSL_use_PrivateKey(ssl, pkey) != 1)
3611 res = -1;
3612 } else {
3613 if (SSL_CTX_use_PrivateKey(data->ssl, pkey) != 1)
3614 res = -1;
3615 }
3616 EVP_PKEY_free(pkey);
3617 }
3618
3619 if (certs) {
3620 #ifndef LIBRESSL_VERSION_NUMBER
3621 if (ssl)
3622 SSL_clear_chain_certs(ssl);
3623 else
3624 SSL_CTX_clear_chain_certs(data->ssl);
3625 while ((cert = sk_X509_pop(certs)) != NULL) {
3626 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3627 sizeof(buf));
3628 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3629 " from PKCS12: subject='%s'", buf);
3630 if ((ssl && SSL_add1_chain_cert(ssl, cert) != 1) ||
3631 (!ssl && SSL_CTX_add1_chain_cert(data->ssl,
3632 cert) != 1)) {
3633 tls_show_errors(MSG_DEBUG, __func__,
3634 "Failed to add additional certificate");
3635 res = -1;
3636 X509_free(cert);
3637 break;
3638 }
3639 X509_free(cert);
3640 }
3641 if (!res) {
3642 /* Try to continue anyway */
3643 }
3644 sk_X509_pop_free(certs, X509_free);
3645 #ifndef OPENSSL_IS_BORINGSSL
3646 if (ssl)
3647 res = SSL_build_cert_chain(
3648 ssl,
3649 SSL_BUILD_CHAIN_FLAG_CHECK |
3650 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3651 else
3652 res = SSL_CTX_build_cert_chain(
3653 data->ssl,
3654 SSL_BUILD_CHAIN_FLAG_CHECK |
3655 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3656 if (!res) {
3657 tls_show_errors(MSG_DEBUG, __func__,
3658 "Failed to build certificate chain");
3659 } else if (res == 2) {
3660 wpa_printf(MSG_DEBUG,
3661 "TLS: Ignore certificate chain verification error when building chain with PKCS#12 extra certificates");
3662 }
3663 #endif /* OPENSSL_IS_BORINGSSL */
3664 /*
3665 * Try to continue regardless of result since it is possible for
3666 * the extra certificates not to be required.
3667 */
3668 res = 0;
3669 #else /* LIBRESSL_VERSION_NUMBER */
3670 SSL_CTX_clear_extra_chain_certs(data->ssl);
3671 while ((cert = sk_X509_pop(certs)) != NULL) {
3672 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3673 sizeof(buf));
3674 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3675 " from PKCS12: subject='%s'", buf);
3676 /*
3677 * There is no SSL equivalent for the chain cert - so
3678 * always add it to the context...
3679 */
3680 if (SSL_CTX_add_extra_chain_cert(data->ssl, cert) != 1)
3681 {
3682 X509_free(cert);
3683 res = -1;
3684 break;
3685 }
3686 }
3687 sk_X509_pop_free(certs, X509_free);
3688 #endif /* LIBRSESSL_VERSION_NUMBER */
3689 }
3690
3691 PKCS12_free(p12);
3692
3693 if (res < 0)
3694 tls_get_errors(data);
3695
3696 return res;
3697 }
3698 #endif /* PKCS12_FUNCS */
3699
3700
tls_read_pkcs12(struct tls_data * data,SSL * ssl,const char * private_key,const char * passwd)3701 static int tls_read_pkcs12(struct tls_data *data, SSL *ssl,
3702 const char *private_key, const char *passwd)
3703 {
3704 #ifdef PKCS12_FUNCS
3705 FILE *f;
3706 PKCS12 *p12;
3707
3708 f = fopen(private_key, "rb");
3709 if (f == NULL)
3710 return -1;
3711
3712 p12 = d2i_PKCS12_fp(f, NULL);
3713 fclose(f);
3714
3715 if (p12 == NULL) {
3716 tls_show_errors(MSG_INFO, __func__,
3717 "Failed to use PKCS#12 file");
3718 return -1;
3719 }
3720
3721 return tls_parse_pkcs12(data, ssl, p12, passwd);
3722
3723 #else /* PKCS12_FUNCS */
3724 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read "
3725 "p12/pfx files");
3726 return -1;
3727 #endif /* PKCS12_FUNCS */
3728 }
3729
3730
tls_read_pkcs12_blob(struct tls_data * data,SSL * ssl,const u8 * blob,size_t len,const char * passwd)3731 static int tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl,
3732 const u8 *blob, size_t len, const char *passwd)
3733 {
3734 #ifdef PKCS12_FUNCS
3735 PKCS12 *p12;
3736
3737 p12 = d2i_PKCS12(NULL, (const unsigned char **) &blob, len);
3738 if (p12 == NULL) {
3739 tls_show_errors(MSG_INFO, __func__,
3740 "Failed to use PKCS#12 blob");
3741 return -1;
3742 }
3743
3744 return tls_parse_pkcs12(data, ssl, p12, passwd);
3745
3746 #else /* PKCS12_FUNCS */
3747 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse "
3748 "p12/pfx blobs");
3749 return -1;
3750 #endif /* PKCS12_FUNCS */
3751 }
3752
3753
3754 #ifndef OPENSSL_NO_ENGINE
tls_engine_get_cert(struct tls_connection * conn,const char * cert_id,X509 ** cert)3755 static int tls_engine_get_cert(struct tls_connection *conn,
3756 const char *cert_id,
3757 X509 **cert)
3758 {
3759 /* this runs after the private key is loaded so no PIN is required */
3760 struct {
3761 const char *cert_id;
3762 X509 *cert;
3763 } params;
3764 params.cert_id = cert_id;
3765 params.cert = NULL;
3766
3767 if (!ENGINE_ctrl_cmd(conn->engine, "LOAD_CERT_CTRL",
3768 0, ¶ms, NULL, 1)) {
3769 unsigned long err = ERR_get_error();
3770
3771 wpa_printf(MSG_ERROR, "ENGINE: cannot load client cert with id"
3772 " '%s' [%s]", cert_id,
3773 ERR_error_string(err, NULL));
3774 if (tls_is_pin_error(err))
3775 return TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
3776 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
3777 }
3778 if (!params.cert) {
3779 wpa_printf(MSG_ERROR, "ENGINE: did not properly cert with id"
3780 " '%s'", cert_id);
3781 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
3782 }
3783 *cert = params.cert;
3784 return 0;
3785 }
3786 #endif /* OPENSSL_NO_ENGINE */
3787
3788
tls_connection_engine_client_cert(struct tls_connection * conn,const char * cert_id)3789 static int tls_connection_engine_client_cert(struct tls_connection *conn,
3790 const char *cert_id)
3791 {
3792 #ifndef OPENSSL_NO_ENGINE
3793 X509 *cert;
3794
3795 if (tls_engine_get_cert(conn, cert_id, &cert))
3796 return -1;
3797
3798 if (!SSL_use_certificate(conn->ssl, cert)) {
3799 tls_show_errors(MSG_ERROR, __func__,
3800 "SSL_use_certificate failed");
3801 X509_free(cert);
3802 return -1;
3803 }
3804 X509_free(cert);
3805 wpa_printf(MSG_DEBUG, "ENGINE: SSL_use_certificate --> "
3806 "OK");
3807 return 0;
3808
3809 #else /* OPENSSL_NO_ENGINE */
3810 return -1;
3811 #endif /* OPENSSL_NO_ENGINE */
3812 }
3813
3814
tls_connection_engine_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert_id)3815 static int tls_connection_engine_ca_cert(struct tls_data *data,
3816 struct tls_connection *conn,
3817 const char *ca_cert_id)
3818 {
3819 #ifndef OPENSSL_NO_ENGINE
3820 X509 *cert;
3821 SSL_CTX *ssl_ctx = data->ssl;
3822 X509_STORE *store;
3823
3824 if (tls_engine_get_cert(conn, ca_cert_id, &cert))
3825 return -1;
3826
3827 /* start off the same as tls_connection_ca_cert */
3828 store = X509_STORE_new();
3829 if (store == NULL) {
3830 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
3831 "certificate store", __func__);
3832 X509_free(cert);
3833 return -1;
3834 }
3835 SSL_CTX_set_cert_store(ssl_ctx, store);
3836 if (!X509_STORE_add_cert(store, cert)) {
3837 unsigned long err = ERR_peek_error();
3838 tls_show_errors(MSG_WARNING, __func__,
3839 "Failed to add CA certificate from engine "
3840 "to certificate store");
3841 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
3842 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
3843 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring cert"
3844 " already in hash table error",
3845 __func__);
3846 } else {
3847 X509_free(cert);
3848 return -1;
3849 }
3850 }
3851 X509_free(cert);
3852 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
3853 "to certificate store", __func__);
3854 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
3855 conn->ca_cert_verify = 1;
3856
3857 return 0;
3858
3859 #else /* OPENSSL_NO_ENGINE */
3860 return -1;
3861 #endif /* OPENSSL_NO_ENGINE */
3862 }
3863
3864
tls_connection_engine_private_key(struct tls_connection * conn)3865 static int tls_connection_engine_private_key(struct tls_connection *conn)
3866 {
3867 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
3868 if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) {
3869 tls_show_errors(MSG_ERROR, __func__,
3870 "ENGINE: cannot use private key for TLS");
3871 return -1;
3872 }
3873 if (!SSL_check_private_key(conn->ssl)) {
3874 tls_show_errors(MSG_INFO, __func__,
3875 "Private key failed verification");
3876 return -1;
3877 }
3878 return 0;
3879 #else /* OPENSSL_NO_ENGINE */
3880 wpa_printf(MSG_ERROR, "SSL: Configuration uses engine, but "
3881 "engine support was not compiled in");
3882 return -1;
3883 #endif /* OPENSSL_NO_ENGINE */
3884 }
3885
3886
3887 #ifndef OPENSSL_NO_STDIO
tls_passwd_cb(char * buf,int size,int rwflag,void * password)3888 static int tls_passwd_cb(char *buf, int size, int rwflag, void *password)
3889 {
3890 if (!password)
3891 return 0;
3892 os_strlcpy(buf, (const char *) password, size);
3893 return os_strlen(buf);
3894 }
3895 #endif /* OPENSSL_NO_STDIO */
3896
3897
tls_use_private_key_file(struct tls_data * data,SSL * ssl,const char * private_key,const char * private_key_passwd)3898 static int tls_use_private_key_file(struct tls_data *data, SSL *ssl,
3899 const char *private_key,
3900 const char *private_key_passwd)
3901 {
3902 #ifndef OPENSSL_NO_STDIO
3903 BIO *bio;
3904 EVP_PKEY *pkey;
3905 int ret;
3906
3907 /* First try ASN.1 (DER). */
3908 bio = BIO_new_file(private_key, "r");
3909 if (!bio)
3910 return -1;
3911 pkey = d2i_PrivateKey_bio(bio, NULL);
3912 BIO_free(bio);
3913
3914 if (pkey) {
3915 wpa_printf(MSG_DEBUG, "OpenSSL: %s (DER) --> loaded", __func__);
3916 } else {
3917 /* Try PEM with the provided password. */
3918 bio = BIO_new_file(private_key, "r");
3919 if (!bio)
3920 return -1;
3921 pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_passwd_cb,
3922 (void *) private_key_passwd);
3923 BIO_free(bio);
3924 if (!pkey)
3925 return -1;
3926 wpa_printf(MSG_DEBUG, "OpenSSL: %s (PEM) --> loaded", __func__);
3927 /* Clear errors from the previous failed load. */
3928 ERR_clear_error();
3929 }
3930
3931 if (ssl)
3932 ret = SSL_use_PrivateKey(ssl, pkey);
3933 else
3934 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey);
3935
3936 EVP_PKEY_free(pkey);
3937 return ret == 1 ? 0 : -1;
3938 #else /* OPENSSL_NO_STDIO */
3939 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3940 return -1;
3941 #endif /* OPENSSL_NO_STDIO */
3942 }
3943
3944
tls_connection_private_key(struct tls_data * data,struct tls_connection * conn,const char * private_key,const char * private_key_passwd,const u8 * private_key_blob,size_t private_key_blob_len)3945 static int tls_connection_private_key(struct tls_data *data,
3946 struct tls_connection *conn,
3947 const char *private_key,
3948 const char *private_key_passwd,
3949 const u8 *private_key_blob,
3950 size_t private_key_blob_len)
3951 {
3952 BIO *bio;
3953 int ok;
3954
3955 if (private_key == NULL && private_key_blob == NULL)
3956 return 0;
3957
3958 ok = 0;
3959 while (private_key_blob) {
3960 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl,
3961 (u8 *) private_key_blob,
3962 private_key_blob_len) == 1) {
3963 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
3964 "ASN1(EVP_PKEY_RSA) --> OK");
3965 ok = 1;
3966 break;
3967 }
3968
3969 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl,
3970 (u8 *) private_key_blob,
3971 private_key_blob_len) == 1) {
3972 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
3973 "ASN1(EVP_PKEY_DSA) --> OK");
3974 ok = 1;
3975 break;
3976 }
3977
3978 #ifndef OPENSSL_NO_EC
3979 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, conn->ssl,
3980 (u8 *) private_key_blob,
3981 private_key_blob_len) == 1) {
3982 wpa_printf(MSG_DEBUG,
3983 "OpenSSL: SSL_use_PrivateKey_ASN1(EVP_PKEY_EC) --> OK");
3984 ok = 1;
3985 break;
3986 }
3987 #endif /* OPENSSL_NO_EC */
3988
3989 #if OPENSSL_VERSION_NUMBER < 0x30000000L
3990 if (SSL_use_RSAPrivateKey_ASN1(conn->ssl,
3991 (u8 *) private_key_blob,
3992 private_key_blob_len) == 1) {
3993 wpa_printf(MSG_DEBUG, "OpenSSL: "
3994 "SSL_use_RSAPrivateKey_ASN1 --> OK");
3995 ok = 1;
3996 break;
3997 }
3998 #endif
3999
4000 bio = BIO_new_mem_buf((u8 *) private_key_blob,
4001 private_key_blob_len);
4002 if (bio) {
4003 EVP_PKEY *pkey;
4004
4005 pkey = PEM_read_bio_PrivateKey(
4006 bio, NULL, tls_passwd_cb,
4007 (void *) private_key_passwd);
4008 if (pkey) {
4009 if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) {
4010 wpa_printf(MSG_DEBUG,
4011 "OpenSSL: SSL_use_PrivateKey --> OK");
4012 ok = 1;
4013 EVP_PKEY_free(pkey);
4014 BIO_free(bio);
4015 break;
4016 }
4017 EVP_PKEY_free(pkey);
4018 }
4019 BIO_free(bio);
4020 }
4021
4022 if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob,
4023 private_key_blob_len,
4024 private_key_passwd) == 0) {
4025 wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> "
4026 "OK");
4027 ok = 1;
4028 break;
4029 }
4030
4031 break;
4032 }
4033
4034 while (!ok && private_key) {
4035 if (tls_use_private_key_file(data, conn->ssl, private_key,
4036 private_key_passwd) == 0) {
4037 ok = 1;
4038 break;
4039 }
4040
4041 if (tls_read_pkcs12(data, conn->ssl, private_key,
4042 private_key_passwd) == 0) {
4043 wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file "
4044 "--> OK");
4045 ok = 1;
4046 break;
4047 }
4048
4049 if (tls_cryptoapi_cert(conn->ssl, private_key) == 0) {
4050 wpa_printf(MSG_DEBUG, "OpenSSL: Using CryptoAPI to "
4051 "access certificate store --> OK");
4052 ok = 1;
4053 break;
4054 }
4055
4056 break;
4057 }
4058
4059 if (!ok) {
4060 tls_show_errors(MSG_INFO, __func__,
4061 "Failed to load private key");
4062 return -1;
4063 }
4064 ERR_clear_error();
4065
4066 if (!SSL_check_private_key(conn->ssl)) {
4067 tls_show_errors(MSG_INFO, __func__, "Private key failed "
4068 "verification");
4069 return -1;
4070 }
4071
4072 wpa_printf(MSG_DEBUG, "SSL: Private key loaded successfully");
4073 return 0;
4074 }
4075
4076
tls_global_private_key(struct tls_data * data,const char * private_key,const char * private_key_passwd)4077 static int tls_global_private_key(struct tls_data *data,
4078 const char *private_key,
4079 const char *private_key_passwd)
4080 {
4081 SSL_CTX *ssl_ctx = data->ssl;
4082
4083 if (private_key == NULL)
4084 return 0;
4085
4086 if (tls_use_private_key_file(data, NULL, private_key,
4087 private_key_passwd) &&
4088 tls_read_pkcs12(data, NULL, private_key, private_key_passwd)) {
4089 tls_show_errors(MSG_INFO, __func__,
4090 "Failed to load private key");
4091 ERR_clear_error();
4092 return -1;
4093 }
4094 ERR_clear_error();
4095
4096 if (!SSL_CTX_check_private_key(ssl_ctx)) {
4097 tls_show_errors(MSG_INFO, __func__,
4098 "Private key failed verification");
4099 return -1;
4100 }
4101
4102 return 0;
4103 }
4104
4105
4106 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4107 #ifndef OPENSSL_NO_DH
4108 #ifndef OPENSSL_NO_DSA
4109 /* This is needed to replace the deprecated DSA_dup_DH() function */
openssl_dsa_to_dh(EVP_PKEY * dsa)4110 static EVP_PKEY * openssl_dsa_to_dh(EVP_PKEY *dsa)
4111 {
4112 OSSL_PARAM_BLD *bld = NULL;
4113 OSSL_PARAM *params = NULL;
4114 BIGNUM *p = NULL, *q = NULL, *g = NULL;
4115 EVP_PKEY_CTX *ctx = NULL;
4116 EVP_PKEY *pkey = NULL;
4117
4118 if (!EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_P, &p) ||
4119 !EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_Q, &q) ||
4120 !EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_G, &g) ||
4121 !(bld = OSSL_PARAM_BLD_new()) ||
4122 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) ||
4123 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q) ||
4124 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) ||
4125 !(params = OSSL_PARAM_BLD_to_param(bld)) ||
4126 !(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL)) ||
4127 EVP_PKEY_fromdata_init(ctx) != 1 ||
4128 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS,
4129 params) != 1)
4130 wpa_printf(MSG_INFO,
4131 "TLS: Failed to convert DSA parameters to DH parameters");
4132
4133 EVP_PKEY_CTX_free(ctx);
4134 OSSL_PARAM_free(params);
4135 OSSL_PARAM_BLD_free(bld);
4136 BN_free(p);
4137 BN_free(q);
4138 BN_free(g);
4139 return pkey;
4140 }
4141 #endif /* !OPENSSL_NO_DSA */
4142 #endif /* OPENSSL_NO_DH */
4143 #endif /* OpenSSL version >= 3.0 */
4144
tls_global_dh(struct tls_data * data,const char * dh_file)4145 static int tls_global_dh(struct tls_data *data, const char *dh_file)
4146 {
4147 #ifdef OPENSSL_NO_DH
4148 if (dh_file == NULL)
4149 return 0;
4150 wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
4151 "dh_file specified");
4152 return -1;
4153 #else /* OPENSSL_NO_DH */
4154 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4155 SSL_CTX *ssl_ctx = data->ssl;
4156 BIO *bio;
4157 OSSL_DECODER_CTX *ctx = NULL;
4158 EVP_PKEY *pkey = NULL, *tmpkey = NULL;
4159 bool dsa = false;
4160
4161 if (!ssl_ctx)
4162 return -1;
4163 if (!dh_file) {
4164 SSL_CTX_set_dh_auto(ssl_ctx, 1);
4165 return 0;
4166 }
4167
4168 bio = BIO_new_file(dh_file, "r");
4169 if (!bio) {
4170 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4171 dh_file, ERR_error_string(ERR_get_error(), NULL));
4172 return -1;
4173 }
4174 ctx = OSSL_DECODER_CTX_new_for_pkey(
4175 &tmpkey, "PEM", NULL, NULL,
4176 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, NULL, NULL);
4177 if (!ctx ||
4178 OSSL_DECODER_from_bio(ctx, bio) != 1) {
4179 wpa_printf(MSG_INFO,
4180 "TLS: Failed to decode domain parameters from '%s': %s",
4181 dh_file, ERR_error_string(ERR_get_error(), NULL));
4182 BIO_free(bio);
4183 return -1;
4184 }
4185 BIO_free(bio);
4186
4187 if (!tmpkey) {
4188 wpa_printf(MSG_INFO, "TLS: Failed to load domain parameters");
4189 return -1;
4190 }
4191
4192 #ifndef OPENSSL_NO_DSA
4193 if (EVP_PKEY_is_a(tmpkey, "DSA")) {
4194 pkey = openssl_dsa_to_dh(tmpkey);
4195 EVP_PKEY_free(tmpkey);
4196 if (!pkey)
4197 return -1;
4198 dsa = true;
4199 }
4200 #endif /* !OPENSSL_NO_DSA */
4201 if (!dsa) {
4202 if (EVP_PKEY_is_a(tmpkey, "DH") ||
4203 EVP_PKEY_is_a(tmpkey, "DHX")) {
4204 } else {
4205 wpa_printf(MSG_INFO,
4206 "TLS: No DH parameters found in %s",
4207 dh_file);
4208 EVP_PKEY_free(tmpkey);
4209 return -1;
4210 }
4211 pkey = tmpkey;
4212 tmpkey = NULL;
4213 }
4214
4215 if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, pkey) != 1) {
4216 wpa_printf(MSG_INFO,
4217 "TLS: Failed to set DH params from '%s': %s",
4218 dh_file, ERR_error_string(ERR_get_error(), NULL));
4219 EVP_PKEY_free(pkey);
4220 return -1;
4221 }
4222 return 0;
4223 #else /* OpenSSL version >= 3.0 */
4224 SSL_CTX *ssl_ctx = data->ssl;
4225 DH *dh;
4226 BIO *bio;
4227
4228 if (!ssl_ctx)
4229 return -1;
4230 if (!dh_file) {
4231 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)
4232 SSL_CTX_set_dh_auto(ssl_ctx, 1);
4233 #endif
4234 return 0;
4235 }
4236
4237 bio = BIO_new_file(dh_file, "r");
4238 if (bio == NULL) {
4239 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4240 dh_file, ERR_error_string(ERR_get_error(), NULL));
4241 return -1;
4242 }
4243 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
4244 BIO_free(bio);
4245 #ifndef OPENSSL_NO_DSA
4246 while (dh == NULL) {
4247 DSA *dsa;
4248 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
4249 " trying to parse as DSA params", dh_file,
4250 ERR_error_string(ERR_get_error(), NULL));
4251 bio = BIO_new_file(dh_file, "r");
4252 if (bio == NULL)
4253 break;
4254 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
4255 BIO_free(bio);
4256 if (!dsa) {
4257 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
4258 "'%s': %s", dh_file,
4259 ERR_error_string(ERR_get_error(), NULL));
4260 break;
4261 }
4262
4263 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
4264 dh = DSA_dup_DH(dsa);
4265 DSA_free(dsa);
4266 if (dh == NULL) {
4267 wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
4268 "params into DH params");
4269 break;
4270 }
4271 break;
4272 }
4273 #endif /* !OPENSSL_NO_DSA */
4274 if (dh == NULL) {
4275 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
4276 "'%s'", dh_file);
4277 return -1;
4278 }
4279
4280 if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) {
4281 wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': "
4282 "%s", dh_file,
4283 ERR_error_string(ERR_get_error(), NULL));
4284 DH_free(dh);
4285 return -1;
4286 }
4287 DH_free(dh);
4288 return 0;
4289 #endif /* OpenSSL version >= 3.0 */
4290 #endif /* OPENSSL_NO_DH */
4291 }
4292
4293
tls_connection_get_random(void * ssl_ctx,struct tls_connection * conn,struct tls_random * keys)4294 int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
4295 struct tls_random *keys)
4296 {
4297 SSL *ssl;
4298
4299 if (conn == NULL || keys == NULL)
4300 return -1;
4301 ssl = conn->ssl;
4302 if (ssl == NULL)
4303 return -1;
4304
4305 os_memset(keys, 0, sizeof(*keys));
4306 keys->client_random = conn->client_random;
4307 keys->client_random_len = SSL_get_client_random(
4308 ssl, conn->client_random, sizeof(conn->client_random));
4309 keys->server_random = conn->server_random;
4310 keys->server_random_len = SSL_get_server_random(
4311 ssl, conn->server_random, sizeof(conn->server_random));
4312
4313 return 0;
4314 }
4315
4316
4317 #ifdef OPENSSL_NEED_EAP_FAST_PRF
openssl_get_keyblock_size(SSL * ssl)4318 static int openssl_get_keyblock_size(SSL *ssl)
4319 {
4320 #if OPENSSL_VERSION_NUMBER < 0x10100000L
4321 const EVP_CIPHER *c;
4322 const EVP_MD *h;
4323 int md_size;
4324
4325 if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL ||
4326 ssl->read_hash == NULL)
4327 return -1;
4328
4329 c = ssl->enc_read_ctx->cipher;
4330 h = EVP_MD_CTX_md(ssl->read_hash);
4331 if (h)
4332 md_size = EVP_MD_size(h);
4333 else if (ssl->s3)
4334 md_size = ssl->s3->tmp.new_mac_secret_size;
4335 else
4336 return -1;
4337
4338 wpa_printf(MSG_DEBUG, "OpenSSL: keyblock size: key_len=%d MD_size=%d "
4339 "IV_len=%d", EVP_CIPHER_key_length(c), md_size,
4340 EVP_CIPHER_iv_length(c));
4341 return 2 * (EVP_CIPHER_key_length(c) +
4342 md_size +
4343 EVP_CIPHER_iv_length(c));
4344 #else
4345 const SSL_CIPHER *ssl_cipher;
4346 int cipher, digest;
4347 const EVP_CIPHER *c;
4348 const EVP_MD *h;
4349 int mac_key_len, enc_key_len, fixed_iv_len;
4350
4351 ssl_cipher = SSL_get_current_cipher(ssl);
4352 if (!ssl_cipher)
4353 return -1;
4354 cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher);
4355 digest = SSL_CIPHER_get_digest_nid(ssl_cipher);
4356 wpa_printf(MSG_DEBUG, "OpenSSL: cipher nid %d digest nid %d",
4357 cipher, digest);
4358 if (cipher < 0 || digest < 0)
4359 return -1;
4360 if (cipher == NID_undef) {
4361 wpa_printf(MSG_DEBUG, "OpenSSL: no cipher in use?!");
4362 return -1;
4363 }
4364 c = EVP_get_cipherbynid(cipher);
4365 if (!c)
4366 return -1;
4367 enc_key_len = EVP_CIPHER_key_length(c);
4368 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE ||
4369 EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
4370 fixed_iv_len = 4; /* only part of IV from PRF */
4371 else
4372 fixed_iv_len = EVP_CIPHER_iv_length(c);
4373 if (digest == NID_undef) {
4374 wpa_printf(MSG_DEBUG, "OpenSSL: no digest in use (e.g., AEAD)");
4375 mac_key_len = 0;
4376 } else {
4377 h = EVP_get_digestbynid(digest);
4378 if (!h)
4379 return -1;
4380 mac_key_len = EVP_MD_size(h);
4381 }
4382
4383 wpa_printf(MSG_DEBUG,
4384 "OpenSSL: keyblock size: mac_key_len=%d enc_key_len=%d fixed_iv_len=%d",
4385 mac_key_len, enc_key_len, fixed_iv_len);
4386 return 2 * (mac_key_len + enc_key_len + fixed_iv_len);
4387 #endif
4388 }
4389 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4390
4391
tls_connection_export_key(void * tls_ctx,struct tls_connection * conn,const char * label,const u8 * context,size_t context_len,u8 * out,size_t out_len)4392 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
4393 const char *label, const u8 *context,
4394 size_t context_len, u8 *out, size_t out_len)
4395 {
4396 if (!conn ||
4397 SSL_export_keying_material(conn->ssl, out, out_len, label,
4398 os_strlen(label), context, context_len,
4399 context != NULL) != 1)
4400 return -1;
4401 return 0;
4402 }
4403
4404
tls_connection_get_eap_fast_key(void * tls_ctx,struct tls_connection * conn,u8 * out,size_t out_len)4405 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
4406 u8 *out, size_t out_len)
4407 {
4408 #ifdef OPENSSL_NEED_EAP_FAST_PRF
4409 SSL *ssl;
4410 SSL_SESSION *sess;
4411 u8 *rnd;
4412 int ret = -1;
4413 int skip = 0;
4414 u8 *tmp_out = NULL;
4415 u8 *_out = out;
4416 unsigned char client_random[SSL3_RANDOM_SIZE];
4417 unsigned char server_random[SSL3_RANDOM_SIZE];
4418 unsigned char master_key[64];
4419 size_t master_key_len;
4420 const char *ver;
4421
4422 /*
4423 * TLS library did not support EAP-FAST key generation, so get the
4424 * needed TLS session parameters and use an internal implementation of
4425 * TLS PRF to derive the key.
4426 */
4427
4428 if (conn == NULL)
4429 return -1;
4430 ssl = conn->ssl;
4431 if (ssl == NULL)
4432 return -1;
4433 ver = SSL_get_version(ssl);
4434 sess = SSL_get_session(ssl);
4435 if (!ver || !sess)
4436 return -1;
4437
4438 skip = openssl_get_keyblock_size(ssl);
4439 if (skip < 0)
4440 return -1;
4441 tmp_out = os_malloc(skip + out_len);
4442 if (!tmp_out)
4443 return -1;
4444 _out = tmp_out;
4445
4446 rnd = os_malloc(2 * SSL3_RANDOM_SIZE);
4447 if (!rnd) {
4448 os_free(tmp_out);
4449 return -1;
4450 }
4451
4452 SSL_get_client_random(ssl, client_random, sizeof(client_random));
4453 SSL_get_server_random(ssl, server_random, sizeof(server_random));
4454 master_key_len = SSL_SESSION_get_master_key(sess, master_key,
4455 sizeof(master_key));
4456
4457 os_memcpy(rnd, server_random, SSL3_RANDOM_SIZE);
4458 os_memcpy(rnd + SSL3_RANDOM_SIZE, client_random, SSL3_RANDOM_SIZE);
4459
4460 if (os_strcmp(ver, "TLSv1.2") == 0) {
4461 tls_prf_sha256(master_key, master_key_len,
4462 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4463 _out, skip + out_len);
4464 ret = 0;
4465 } else if (tls_prf_sha1_md5(master_key, master_key_len,
4466 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4467 _out, skip + out_len) == 0) {
4468 ret = 0;
4469 }
4470 forced_memzero(master_key, sizeof(master_key));
4471 os_free(rnd);
4472 if (ret == 0)
4473 os_memcpy(out, _out + skip, out_len);
4474 bin_clear_free(tmp_out, skip);
4475
4476 return ret;
4477 #else /* OPENSSL_NEED_EAP_FAST_PRF */
4478 wpa_printf(MSG_ERROR,
4479 "OpenSSL: EAP-FAST keys cannot be exported in FIPS mode");
4480 return -1;
4481 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4482 }
4483
4484
4485 static struct wpabuf *
openssl_handshake(struct tls_connection * conn,const struct wpabuf * in_data)4486 openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
4487 {
4488 struct tls_context *context = conn->context;
4489 int res;
4490 struct wpabuf *out_data;
4491
4492 /*
4493 * Give TLS handshake data from the server (if available) to OpenSSL
4494 * for processing.
4495 */
4496 if (in_data && wpabuf_len(in_data) > 0 &&
4497 BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data))
4498 < 0) {
4499 tls_show_errors(MSG_INFO, __func__,
4500 "Handshake failed - BIO_write");
4501 return NULL;
4502 }
4503
4504 /* Initiate TLS handshake or continue the existing handshake */
4505 if (conn->server)
4506 res = SSL_accept(conn->ssl);
4507 else
4508 res = SSL_connect(conn->ssl);
4509 if (res != 1) {
4510 int err = SSL_get_error(conn->ssl, res);
4511 if (err == SSL_ERROR_WANT_READ)
4512 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want "
4513 "more data");
4514 else if (err == SSL_ERROR_WANT_WRITE)
4515 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
4516 "write");
4517 else {
4518 unsigned long error = ERR_peek_last_error();
4519
4520 tls_show_errors(MSG_INFO, __func__, "SSL_connect");
4521
4522 if (context->event_cb &&
4523 ERR_GET_LIB(error) == ERR_LIB_SSL &&
4524 ERR_GET_REASON(error) ==
4525 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
4526 context->event_cb(
4527 context->cb_ctx,
4528 TLS_UNSAFE_RENEGOTIATION_DISABLED,
4529 NULL);
4530 }
4531 conn->failed++;
4532 if (!conn->server && !conn->client_hello_generated) {
4533 /* The server would not understand TLS Alert
4534 * before ClientHello, so simply terminate
4535 * handshake on this type of error case caused
4536 * by a likely internal error like no ciphers
4537 * available. */
4538 wpa_printf(MSG_DEBUG,
4539 "OpenSSL: Could not generate ClientHello");
4540 conn->write_alerts++;
4541 return NULL;
4542 }
4543 }
4544 }
4545
4546 if (!conn->server && !conn->failed)
4547 conn->client_hello_generated = 1;
4548
4549 #ifdef CONFIG_SUITEB
4550 if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
4551 os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
4552 conn->server_dh_prime_len < 3072) {
4553 /*
4554 * This should not be reached since earlier cert_cb should have
4555 * terminated the handshake. Keep this check here for extra
4556 * protection if anything goes wrong with the more low-level
4557 * checks based on having to parse the TLS handshake messages.
4558 */
4559 wpa_printf(MSG_DEBUG,
4560 "OpenSSL: Server DH prime length: %d bits",
4561 conn->server_dh_prime_len);
4562
4563 if (context->event_cb) {
4564 union tls_event_data ev;
4565
4566 os_memset(&ev, 0, sizeof(ev));
4567 ev.alert.is_local = 1;
4568 ev.alert.type = "fatal";
4569 ev.alert.description = "insufficient security";
4570 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
4571 }
4572 /*
4573 * Could send a TLS Alert to the server, but for now, simply
4574 * terminate handshake.
4575 */
4576 conn->failed++;
4577 conn->write_alerts++;
4578 return NULL;
4579 }
4580 #endif /* CONFIG_SUITEB */
4581
4582 /* Get the TLS handshake data to be sent to the server */
4583 res = BIO_ctrl_pending(conn->ssl_out);
4584 wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res);
4585 out_data = wpabuf_alloc(res);
4586 if (out_data == NULL) {
4587 wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for "
4588 "handshake output (%d bytes)", res);
4589 if (BIO_reset(conn->ssl_out) < 0) {
4590 tls_show_errors(MSG_INFO, __func__,
4591 "BIO_reset failed");
4592 }
4593 return NULL;
4594 }
4595 res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data),
4596 res);
4597 if (res < 0) {
4598 tls_show_errors(MSG_INFO, __func__,
4599 "Handshake failed - BIO_read");
4600 if (BIO_reset(conn->ssl_out) < 0) {
4601 tls_show_errors(MSG_INFO, __func__,
4602 "BIO_reset failed");
4603 }
4604 wpabuf_free(out_data);
4605 return NULL;
4606 }
4607 wpabuf_put(out_data, res);
4608
4609 return out_data;
4610 }
4611
4612
4613 static struct wpabuf *
openssl_get_appl_data(struct tls_connection * conn,size_t max_len)4614 openssl_get_appl_data(struct tls_connection *conn, size_t max_len)
4615 {
4616 struct wpabuf *appl_data;
4617 int res;
4618
4619 appl_data = wpabuf_alloc(max_len + 100);
4620 if (appl_data == NULL)
4621 return NULL;
4622
4623 res = SSL_read(conn->ssl, wpabuf_mhead(appl_data),
4624 wpabuf_size(appl_data));
4625 if (res < 0) {
4626 int err = SSL_get_error(conn->ssl, res);
4627 if (err == SSL_ERROR_WANT_READ ||
4628 err == SSL_ERROR_WANT_WRITE) {
4629 wpa_printf(MSG_DEBUG, "SSL: No Application Data "
4630 "included");
4631 } else {
4632 tls_show_errors(MSG_INFO, __func__,
4633 "Failed to read possible "
4634 "Application Data");
4635 }
4636 wpabuf_free(appl_data);
4637 return NULL;
4638 }
4639
4640 wpabuf_put(appl_data, res);
4641 wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application Data in Finished "
4642 "message", appl_data);
4643
4644 return appl_data;
4645 }
4646
4647
4648 static struct wpabuf *
openssl_connection_handshake(struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4649 openssl_connection_handshake(struct tls_connection *conn,
4650 const struct wpabuf *in_data,
4651 struct wpabuf **appl_data)
4652 {
4653 struct wpabuf *out_data;
4654
4655 if (appl_data)
4656 *appl_data = NULL;
4657
4658 out_data = openssl_handshake(conn, in_data);
4659 if (out_data == NULL)
4660 return NULL;
4661 if (conn->invalid_hb_used) {
4662 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4663 wpabuf_free(out_data);
4664 return NULL;
4665 }
4666
4667 if (SSL_is_init_finished(conn->ssl)) {
4668 wpa_printf(MSG_DEBUG,
4669 "OpenSSL: Handshake finished - resumed=%d",
4670 tls_connection_resumed(conn->ssl_ctx, conn));
4671 if (conn->server) {
4672 char *buf;
4673 size_t buflen = 2000;
4674
4675 buf = os_malloc(buflen);
4676 if (buf) {
4677 if (SSL_get_shared_ciphers(conn->ssl, buf,
4678 buflen)) {
4679 buf[buflen - 1] = '\0';
4680 wpa_printf(MSG_DEBUG,
4681 "OpenSSL: Shared ciphers: %s",
4682 buf);
4683 }
4684 os_free(buf);
4685 }
4686 }
4687 if (appl_data && in_data)
4688 *appl_data = openssl_get_appl_data(conn,
4689 wpabuf_len(in_data));
4690 }
4691
4692 if (conn->invalid_hb_used) {
4693 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4694 if (appl_data) {
4695 wpabuf_free(*appl_data);
4696 *appl_data = NULL;
4697 }
4698 wpabuf_free(out_data);
4699 return NULL;
4700 }
4701
4702 return out_data;
4703 }
4704
4705
4706 struct wpabuf *
tls_connection_handshake(void * ssl_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4707 tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
4708 const struct wpabuf *in_data,
4709 struct wpabuf **appl_data)
4710 {
4711 return openssl_connection_handshake(conn, in_data, appl_data);
4712 }
4713
4714
tls_connection_server_handshake(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4715 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
4716 struct tls_connection *conn,
4717 const struct wpabuf *in_data,
4718 struct wpabuf **appl_data)
4719 {
4720 conn->server = 1;
4721 return openssl_connection_handshake(conn, in_data, appl_data);
4722 }
4723
4724
tls_connection_encrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4725 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
4726 struct tls_connection *conn,
4727 const struct wpabuf *in_data)
4728 {
4729 int res;
4730 struct wpabuf *buf;
4731
4732 if (conn == NULL)
4733 return NULL;
4734
4735 /* Give plaintext data for OpenSSL to encrypt into the TLS tunnel. */
4736 if ((res = BIO_reset(conn->ssl_in)) < 0 ||
4737 (res = BIO_reset(conn->ssl_out)) < 0) {
4738 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4739 return NULL;
4740 }
4741 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data));
4742 if (res < 0) {
4743 tls_show_errors(MSG_INFO, __func__,
4744 "Encryption failed - SSL_write");
4745 return NULL;
4746 }
4747
4748 /* Read encrypted data to be sent to the server */
4749 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
4750 if (buf == NULL)
4751 return NULL;
4752 res = BIO_read(conn->ssl_out, wpabuf_mhead(buf), wpabuf_size(buf));
4753 if (res < 0) {
4754 tls_show_errors(MSG_INFO, __func__,
4755 "Encryption failed - BIO_read");
4756 wpabuf_free(buf);
4757 return NULL;
4758 }
4759 wpabuf_put(buf, res);
4760
4761 return buf;
4762 }
4763
4764
tls_connection_decrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4765 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
4766 struct tls_connection *conn,
4767 const struct wpabuf *in_data)
4768 {
4769 int res;
4770 struct wpabuf *buf;
4771
4772 /* Give encrypted data from TLS tunnel for OpenSSL to decrypt. */
4773 res = BIO_write(conn->ssl_in, wpabuf_head(in_data),
4774 wpabuf_len(in_data));
4775 if (res < 0) {
4776 tls_show_errors(MSG_INFO, __func__,
4777 "Decryption failed - BIO_write");
4778 return NULL;
4779 }
4780 if (BIO_reset(conn->ssl_out) < 0) {
4781 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4782 return NULL;
4783 }
4784
4785 /* Read decrypted data for further processing */
4786 /*
4787 * Even though we try to disable TLS compression, it is possible that
4788 * this cannot be done with all TLS libraries. Add extra buffer space
4789 * to handle the possibility of the decrypted data being longer than
4790 * input data.
4791 */
4792 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
4793 if (buf == NULL)
4794 return NULL;
4795 res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf));
4796 if (res < 0) {
4797 int err = SSL_get_error(conn->ssl, res);
4798
4799 if (err == SSL_ERROR_WANT_READ) {
4800 wpa_printf(MSG_DEBUG,
4801 "SSL: SSL_connect - want more data");
4802 res = 0;
4803 } else {
4804 tls_show_errors(MSG_INFO, __func__,
4805 "Decryption failed - SSL_read");
4806 wpabuf_free(buf);
4807 return NULL;
4808 }
4809 }
4810 wpabuf_put(buf, res);
4811
4812 if (conn->invalid_hb_used) {
4813 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4814 wpabuf_free(buf);
4815 return NULL;
4816 }
4817
4818 return buf;
4819 }
4820
4821
tls_connection_resumed(void * ssl_ctx,struct tls_connection * conn)4822 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
4823 {
4824 return conn ? SSL_session_reused(conn->ssl) : 0;
4825 }
4826
4827
tls_connection_set_cipher_list(void * tls_ctx,struct tls_connection * conn,u8 * ciphers)4828 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
4829 u8 *ciphers)
4830 {
4831 char buf[500], *pos, *end;
4832 u8 *c;
4833 int ret;
4834
4835 if (conn == NULL || conn->ssl == NULL || ciphers == NULL)
4836 return -1;
4837
4838 buf[0] = '\0';
4839 pos = buf;
4840 end = pos + sizeof(buf);
4841
4842 c = ciphers;
4843 while (*c != TLS_CIPHER_NONE) {
4844 const char *suite;
4845
4846 switch (*c) {
4847 case TLS_CIPHER_RC4_SHA:
4848 suite = "RC4-SHA";
4849 break;
4850 case TLS_CIPHER_AES128_SHA:
4851 suite = "AES128-SHA";
4852 break;
4853 case TLS_CIPHER_RSA_DHE_AES128_SHA:
4854 suite = "DHE-RSA-AES128-SHA";
4855 break;
4856 case TLS_CIPHER_ANON_DH_AES128_SHA:
4857 suite = "ADH-AES128-SHA";
4858 break;
4859 case TLS_CIPHER_RSA_DHE_AES256_SHA:
4860 suite = "DHE-RSA-AES256-SHA";
4861 break;
4862 case TLS_CIPHER_AES256_SHA:
4863 suite = "AES256-SHA";
4864 break;
4865 default:
4866 wpa_printf(MSG_DEBUG, "TLS: Unsupported "
4867 "cipher selection: %d", *c);
4868 return -1;
4869 }
4870 ret = os_snprintf(pos, end - pos, ":%s", suite);
4871 if (os_snprintf_error(end - pos, ret))
4872 break;
4873 pos += ret;
4874
4875 c++;
4876 }
4877 if (!buf[0]) {
4878 wpa_printf(MSG_DEBUG, "OpenSSL: No ciphers listed");
4879 return -1;
4880 }
4881
4882 wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
4883
4884 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
4885 #ifdef EAP_FAST_OR_TEAP
4886 if (os_strstr(buf, ":ADH-")) {
4887 /*
4888 * Need to drop to security level 0 to allow anonymous
4889 * cipher suites for EAP-FAST.
4890 */
4891 SSL_set_security_level(conn->ssl, 0);
4892 } else if (SSL_get_security_level(conn->ssl) == 0) {
4893 /* Force at least security level 1 */
4894 SSL_set_security_level(conn->ssl, 1);
4895 }
4896 #endif /* EAP_FAST_OR_TEAP */
4897 #endif
4898
4899 if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) {
4900 tls_show_errors(MSG_INFO, __func__,
4901 "Cipher suite configuration failed");
4902 return -1;
4903 }
4904
4905 return 0;
4906 }
4907
4908
tls_get_version(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)4909 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
4910 char *buf, size_t buflen)
4911 {
4912 const char *name;
4913 if (conn == NULL || conn->ssl == NULL)
4914 return -1;
4915
4916 name = SSL_get_version(conn->ssl);
4917 if (name == NULL)
4918 return -1;
4919
4920 os_strlcpy(buf, name, buflen);
4921 return 0;
4922 }
4923
4924
tls_get_cipher(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)4925 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
4926 char *buf, size_t buflen)
4927 {
4928 const char *name;
4929 if (conn == NULL || conn->ssl == NULL)
4930 return -1;
4931
4932 name = SSL_get_cipher(conn->ssl);
4933 if (name == NULL)
4934 return -1;
4935
4936 os_strlcpy(buf, name, buflen);
4937 return 0;
4938 }
4939
4940
tls_connection_enable_workaround(void * ssl_ctx,struct tls_connection * conn)4941 int tls_connection_enable_workaround(void *ssl_ctx,
4942 struct tls_connection *conn)
4943 {
4944 SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
4945
4946 return 0;
4947 }
4948
4949
4950 #ifdef EAP_FAST_OR_TEAP
4951 /* ClientHello TLS extensions require a patch to openssl, so this function is
4952 * commented out unless explicitly needed for EAP-FAST in order to be able to
4953 * build this file with unmodified openssl. */
tls_connection_client_hello_ext(void * ssl_ctx,struct tls_connection * conn,int ext_type,const u8 * data,size_t data_len)4954 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
4955 int ext_type, const u8 *data,
4956 size_t data_len)
4957 {
4958 if (conn == NULL || conn->ssl == NULL || ext_type != 35)
4959 return -1;
4960
4961 if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
4962 data_len) != 1)
4963 return -1;
4964
4965 return 0;
4966 }
4967 #endif /* EAP_FAST_OR_TEAP */
4968
4969
tls_connection_get_failed(void * ssl_ctx,struct tls_connection * conn)4970 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
4971 {
4972 if (conn == NULL)
4973 return -1;
4974 return conn->failed;
4975 }
4976
4977
tls_connection_get_read_alerts(void * ssl_ctx,struct tls_connection * conn)4978 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
4979 {
4980 if (conn == NULL)
4981 return -1;
4982 return conn->read_alerts;
4983 }
4984
4985
tls_connection_get_write_alerts(void * ssl_ctx,struct tls_connection * conn)4986 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
4987 {
4988 if (conn == NULL)
4989 return -1;
4990 return conn->write_alerts;
4991 }
4992
4993
4994 #ifdef HAVE_OCSP
4995
ocsp_debug_print_resp(OCSP_RESPONSE * rsp)4996 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
4997 {
4998 #ifndef CONFIG_NO_STDOUT_DEBUG
4999 BIO *out;
5000 size_t rlen;
5001 char *txt;
5002 int res;
5003
5004 if (wpa_debug_level > MSG_DEBUG)
5005 return;
5006
5007 out = BIO_new(BIO_s_mem());
5008 if (!out)
5009 return;
5010
5011 OCSP_RESPONSE_print(out, rsp, 0);
5012 rlen = BIO_ctrl_pending(out);
5013 txt = os_malloc(rlen + 1);
5014 if (!txt) {
5015 BIO_free(out);
5016 return;
5017 }
5018
5019 res = BIO_read(out, txt, rlen);
5020 if (res > 0) {
5021 txt[res] = '\0';
5022 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP Response\n%s", txt);
5023 }
5024 os_free(txt);
5025 BIO_free(out);
5026 #endif /* CONFIG_NO_STDOUT_DEBUG */
5027 }
5028
5029
ocsp_resp_cb(SSL * s,void * arg)5030 static int ocsp_resp_cb(SSL *s, void *arg)
5031 {
5032 struct tls_connection *conn = arg;
5033 const unsigned char *p;
5034 int len, status, reason, res;
5035 OCSP_RESPONSE *rsp;
5036 OCSP_BASICRESP *basic;
5037 OCSP_CERTID *id;
5038 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
5039 X509_STORE *store;
5040 STACK_OF(X509) *certs = NULL;
5041
5042 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
5043 if (!p) {
5044 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
5045 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
5046 if (SSL_version(s) == TLS1_3_VERSION && SSL_session_reused(s)) {
5047 /* TLS 1.3 sends the OCSP response with the server
5048 * Certificate message. Since that Certificate message
5049 * is not sent when resuming a session, there can be no
5050 * new OCSP response. Allow this since the OCSP response
5051 * was validated when checking the initial certificate
5052 * exchange. */
5053 wpa_printf(MSG_DEBUG,
5054 "OpenSSL: Allow no OCSP response when using TLS 1.3 and a resumed session");
5055 return 1;
5056 }
5057 #endif
5058 #endif
5059 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
5060 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
5061 }
5062
5063 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
5064
5065 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
5066 if (!rsp) {
5067 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
5068 return 0;
5069 }
5070
5071 ocsp_debug_print_resp(rsp);
5072
5073 status = OCSP_response_status(rsp);
5074 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
5075 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
5076 status, OCSP_response_status_str(status));
5077 return 0;
5078 }
5079
5080 basic = OCSP_response_get1_basic(rsp);
5081 if (!basic) {
5082 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
5083 return 0;
5084 }
5085
5086 store = SSL_CTX_get_cert_store(conn->ssl_ctx);
5087 if (conn->peer_issuer) {
5088 debug_print_cert(conn->peer_issuer, "Add OCSP issuer");
5089
5090 if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) {
5091 tls_show_errors(MSG_INFO, __func__,
5092 "OpenSSL: Could not add issuer to certificate store");
5093 }
5094 certs = sk_X509_new_null();
5095 if (certs) {
5096 X509 *cert;
5097 cert = X509_dup(conn->peer_issuer);
5098 if (cert && !sk_X509_push(certs, cert)) {
5099 tls_show_errors(
5100 MSG_INFO, __func__,
5101 "OpenSSL: Could not add issuer to OCSP responder trust store");
5102 X509_free(cert);
5103 sk_X509_free(certs);
5104 certs = NULL;
5105 }
5106 if (certs && conn->peer_issuer_issuer) {
5107 cert = X509_dup(conn->peer_issuer_issuer);
5108 if (cert && !sk_X509_push(certs, cert)) {
5109 tls_show_errors(
5110 MSG_INFO, __func__,
5111 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
5112 X509_free(cert);
5113 }
5114 }
5115 }
5116 }
5117
5118 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
5119 sk_X509_pop_free(certs, X509_free);
5120 if (status <= 0) {
5121 tls_show_errors(MSG_INFO, __func__,
5122 "OpenSSL: OCSP response failed verification");
5123 OCSP_BASICRESP_free(basic);
5124 OCSP_RESPONSE_free(rsp);
5125 return 0;
5126 }
5127
5128 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
5129
5130 if (!conn->peer_cert) {
5131 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
5132 OCSP_BASICRESP_free(basic);
5133 OCSP_RESPONSE_free(rsp);
5134 return 0;
5135 }
5136
5137 if (!conn->peer_issuer) {
5138 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
5139 OCSP_BASICRESP_free(basic);
5140 OCSP_RESPONSE_free(rsp);
5141 return 0;
5142 }
5143
5144 id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
5145 if (!id) {
5146 wpa_printf(MSG_DEBUG,
5147 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
5148 OCSP_BASICRESP_free(basic);
5149 OCSP_RESPONSE_free(rsp);
5150 return 0;
5151 }
5152
5153 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
5154 &this_update, &next_update);
5155 if (!res) {
5156 OCSP_CERTID_free(id);
5157 id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
5158 if (!id) {
5159 wpa_printf(MSG_DEBUG,
5160 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
5161 OCSP_BASICRESP_free(basic);
5162 OCSP_RESPONSE_free(rsp);
5163 return 0;
5164 }
5165
5166 res = OCSP_resp_find_status(basic, id, &status, &reason,
5167 &produced_at, &this_update,
5168 &next_update);
5169 }
5170
5171 if (!res) {
5172 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
5173 (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
5174 " (OCSP not required)");
5175 OCSP_CERTID_free(id);
5176 OCSP_BASICRESP_free(basic);
5177 OCSP_RESPONSE_free(rsp);
5178 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
5179 }
5180 OCSP_CERTID_free(id);
5181
5182 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
5183 tls_show_errors(MSG_INFO, __func__,
5184 "OpenSSL: OCSP status times invalid");
5185 OCSP_BASICRESP_free(basic);
5186 OCSP_RESPONSE_free(rsp);
5187 return 0;
5188 }
5189
5190 OCSP_BASICRESP_free(basic);
5191 OCSP_RESPONSE_free(rsp);
5192
5193 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
5194 OCSP_cert_status_str(status));
5195
5196 if (status == V_OCSP_CERTSTATUS_GOOD)
5197 return 1;
5198 if (status == V_OCSP_CERTSTATUS_REVOKED)
5199 return 0;
5200 if (conn->flags & TLS_CONN_REQUIRE_OCSP) {
5201 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
5202 return 0;
5203 }
5204 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
5205 return 1;
5206 }
5207
5208
ocsp_status_cb(SSL * s,void * arg)5209 static int ocsp_status_cb(SSL *s, void *arg)
5210 {
5211 char *tmp;
5212 char *resp;
5213 size_t len;
5214
5215 if (tls_global->ocsp_stapling_response == NULL) {
5216 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - no response configured");
5217 return SSL_TLSEXT_ERR_OK;
5218 }
5219
5220 resp = os_readfile(tls_global->ocsp_stapling_response, &len);
5221 if (resp == NULL) {
5222 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - could not read response file");
5223 /* TODO: Build OCSPResponse with responseStatus = internalError
5224 */
5225 return SSL_TLSEXT_ERR_OK;
5226 }
5227 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - send cached response");
5228 tmp = OPENSSL_malloc(len);
5229 if (tmp == NULL) {
5230 os_free(resp);
5231 return SSL_TLSEXT_ERR_ALERT_FATAL;
5232 }
5233
5234 os_memcpy(tmp, resp, len);
5235 os_free(resp);
5236 SSL_set_tlsext_status_ocsp_resp(s, tmp, len);
5237
5238 return SSL_TLSEXT_ERR_OK;
5239 }
5240
5241 #endif /* HAVE_OCSP */
5242
5243
max_str_len(const char ** lines)5244 static size_t max_str_len(const char **lines)
5245 {
5246 const char **p;
5247 size_t max_len = 0;
5248
5249 for (p = lines; *p; p++) {
5250 size_t len = os_strlen(*p);
5251
5252 if (len > max_len)
5253 max_len = len;
5254 }
5255
5256 return max_len;
5257 }
5258
5259
match_lines_in_file(const char * path,const char ** lines)5260 static int match_lines_in_file(const char *path, const char **lines)
5261 {
5262 FILE *f;
5263 char *buf;
5264 size_t bufsize;
5265 int found = 0, is_linestart = 1;
5266
5267 bufsize = max_str_len(lines) + sizeof("\r\n");
5268 buf = os_malloc(bufsize);
5269 if (!buf)
5270 return 0;
5271
5272 f = fopen(path, "r");
5273 if (!f) {
5274 os_free(buf);
5275 return 0;
5276 }
5277
5278 while (!found && fgets(buf, bufsize, f)) {
5279 int is_lineend;
5280 size_t len;
5281 const char **p;
5282
5283 len = strcspn(buf, "\r\n");
5284 is_lineend = buf[len] != '\0';
5285 buf[len] = '\0';
5286
5287 if (is_linestart && is_lineend) {
5288 for (p = lines; !found && *p; p++)
5289 found = os_strcmp(buf, *p) == 0;
5290 }
5291 is_linestart = is_lineend;
5292 }
5293
5294 fclose(f);
5295 bin_clear_free(buf, bufsize);
5296
5297 return found;
5298 }
5299
5300
is_tpm2_key(const char * path)5301 static int is_tpm2_key(const char *path)
5302 {
5303 /* Check both new and old format of TPM2 PEM guard tag */
5304 static const char *tpm2_tags[] = {
5305 "-----BEGIN TSS2 PRIVATE KEY-----",
5306 "-----BEGIN TSS2 KEY BLOB-----",
5307 NULL
5308 };
5309
5310 return match_lines_in_file(path, tpm2_tags);
5311 }
5312
5313
tls_connection_set_params(void * tls_ctx,struct tls_connection * conn,const struct tls_connection_params * params)5314 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
5315 const struct tls_connection_params *params)
5316 {
5317 struct tls_data *data = tls_ctx;
5318 int ret;
5319 unsigned long err;
5320 int can_pkcs11 = 0;
5321 const char *key_id = params->key_id;
5322 const char *cert_id = params->cert_id;
5323 const char *ca_cert_id = params->ca_cert_id;
5324 const char *engine_id = params->engine ? params->engine_id : NULL;
5325 const char *ciphers;
5326
5327 if (conn == NULL)
5328 return -1;
5329
5330 if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
5331 wpa_printf(MSG_INFO,
5332 "OpenSSL: ocsp=3 not supported");
5333 return -1;
5334 }
5335
5336 /*
5337 * If the engine isn't explicitly configured, and any of the
5338 * cert/key fields are actually PKCS#11 URIs, then automatically
5339 * use the PKCS#11 ENGINE.
5340 */
5341 if (!engine_id || os_strcmp(engine_id, "pkcs11") == 0)
5342 can_pkcs11 = 1;
5343
5344 if (!key_id && params->private_key && can_pkcs11 &&
5345 os_strncmp(params->private_key, "pkcs11:", 7) == 0) {
5346 can_pkcs11 = 2;
5347 key_id = params->private_key;
5348 }
5349
5350 if (!cert_id && params->client_cert && can_pkcs11 &&
5351 os_strncmp(params->client_cert, "pkcs11:", 7) == 0) {
5352 can_pkcs11 = 2;
5353 cert_id = params->client_cert;
5354 }
5355
5356 if (!ca_cert_id && params->ca_cert && can_pkcs11 &&
5357 os_strncmp(params->ca_cert, "pkcs11:", 7) == 0) {
5358 can_pkcs11 = 2;
5359 ca_cert_id = params->ca_cert;
5360 }
5361
5362 /* If we need to automatically enable the PKCS#11 ENGINE, do so. */
5363 if (can_pkcs11 == 2 && !engine_id)
5364 engine_id = "pkcs11";
5365
5366 /* If private_key points to a TPM2-wrapped key, automatically enable
5367 * tpm2 engine and use it to unwrap the key. */
5368 if (params->private_key &&
5369 (!engine_id || os_strcmp(engine_id, "tpm2") == 0) &&
5370 is_tpm2_key(params->private_key)) {
5371 wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s",
5372 params->private_key);
5373 key_id = key_id ? key_id : params->private_key;
5374 engine_id = engine_id ? engine_id : "tpm2";
5375 }
5376
5377 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
5378 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
5379 if (params->flags & TLS_CONN_EAP_FAST) {
5380 wpa_printf(MSG_DEBUG,
5381 "OpenSSL: Use TLSv1_method() for EAP-FAST");
5382 if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
5383 tls_show_errors(MSG_INFO, __func__,
5384 "Failed to set TLSv1_method() for EAP-FAST");
5385 return -1;
5386 }
5387 }
5388 #endif
5389 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
5390 #ifdef SSL_OP_NO_TLSv1_3
5391 if (params->flags & TLS_CONN_EAP_FAST) {
5392 /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
5393 * refuses to start the handshake with the modified ciphersuite
5394 * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */
5395 wpa_printf(MSG_DEBUG, "OpenSSL: Disable TLSv1.3 for EAP-FAST");
5396 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3);
5397 }
5398 #endif /* SSL_OP_NO_TLSv1_3 */
5399 #endif
5400 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
5401
5402 while ((err = ERR_get_error())) {
5403 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5404 __func__, ERR_error_string(err, NULL));
5405 }
5406
5407 if (engine_id) {
5408 wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s",
5409 engine_id);
5410 ret = tls_engine_init(conn, engine_id, params->pin,
5411 key_id, cert_id, ca_cert_id);
5412 if (ret)
5413 return ret;
5414 }
5415 if (tls_connection_set_subject_match(conn,
5416 params->subject_match,
5417 params->altsubject_match,
5418 params->suffix_match,
5419 params->domain_match,
5420 params->check_cert_subject)) {
5421 wpa_printf(MSG_ERROR, "TLS: Failed to set subject match");
5422 return -1;
5423 }
5424
5425 if (engine_id && ca_cert_id) {
5426 if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
5427 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5428 } else if (tls_connection_ca_cert(data, conn, params->ca_cert,
5429 params->ca_cert_blob,
5430 params->ca_cert_blob_len,
5431 params->ca_path)) {
5432 wpa_printf(MSG_ERROR, "TLS: Failed to parse Root CA certificate");
5433 return -1;
5434 }
5435
5436 if (engine_id && cert_id) {
5437 if (tls_connection_engine_client_cert(conn, cert_id))
5438 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5439 } else if (tls_connection_client_cert(conn, params->client_cert,
5440 params->client_cert_blob,
5441 params->client_cert_blob_len)) {
5442 wpa_printf(MSG_ERROR, "TLS: Failed to parse client certificate");
5443 return -1;
5444 }
5445
5446 if (engine_id && key_id) {
5447 wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
5448 if (tls_connection_engine_private_key(conn))
5449 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5450 } else if (tls_connection_private_key(data, conn,
5451 params->private_key,
5452 params->private_key_passwd,
5453 params->private_key_blob,
5454 params->private_key_blob_len)) {
5455 wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'",
5456 params->private_key);
5457 return -1;
5458 }
5459
5460 ciphers = params->openssl_ciphers;
5461 #ifdef CONFIG_SUITEB
5462 #ifdef OPENSSL_IS_BORINGSSL
5463 if (ciphers && os_strcmp(ciphers, "SUITEB192") == 0) {
5464 /* BoringSSL removed support for SUITEB192, so need to handle
5465 * this with hardcoded ciphersuite and additional checks for
5466 * other parameters. */
5467 ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384";
5468 }
5469 #endif /* OPENSSL_IS_BORINGSSL */
5470 #endif /* CONFIG_SUITEB */
5471 if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) {
5472 wpa_printf(MSG_INFO,
5473 "OpenSSL: Failed to set cipher string '%s'",
5474 ciphers);
5475 return -1;
5476 }
5477
5478 if (!params->openssl_ecdh_curves) {
5479 #ifndef OPENSSL_IS_BORINGSSL
5480 #ifndef OPENSSL_NO_EC
5481 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5482 if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) {
5483 wpa_printf(MSG_INFO,
5484 "OpenSSL: Failed to set ECDH curves to auto");
5485 return -1;
5486 }
5487 #endif /* < 1.1.0 */
5488 #endif /* OPENSSL_NO_EC */
5489 #endif /* OPENSSL_IS_BORINGSSL */
5490 } else if (params->openssl_ecdh_curves[0]) {
5491 #ifdef OPENSSL_IS_BORINGSSL
5492 wpa_printf(MSG_INFO,
5493 "OpenSSL: ECDH configuration not supported");
5494 return -1;
5495 #else /* !OPENSSL_IS_BORINGSSL */
5496 #ifndef OPENSSL_NO_EC
5497 if (SSL_set1_curves_list(conn->ssl,
5498 params->openssl_ecdh_curves) != 1) {
5499 wpa_printf(MSG_INFO,
5500 "OpenSSL: Failed to set ECDH curves '%s'",
5501 params->openssl_ecdh_curves);
5502 return -1;
5503 }
5504 #else /* OPENSSL_NO_EC */
5505 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5506 return -1;
5507 #endif /* OPENSSL_NO_EC */
5508 #endif /* OPENSSL_IS_BORINGSSL */
5509 }
5510
5511 if (tls_set_conn_flags(conn, params->flags,
5512 params->openssl_ciphers) < 0) {
5513 wpa_printf(MSG_ERROR, "TLS: Failed to set connection flags");
5514 return -1;
5515 }
5516
5517 #ifdef OPENSSL_IS_BORINGSSL
5518 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5519 SSL_enable_ocsp_stapling(conn->ssl);
5520 }
5521 #else /* OPENSSL_IS_BORINGSSL */
5522 #ifdef HAVE_OCSP
5523 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5524 SSL_CTX *ssl_ctx = data->ssl;
5525 SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp);
5526 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
5527 SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
5528 }
5529 #else /* HAVE_OCSP */
5530 if (params->flags & TLS_CONN_REQUIRE_OCSP) {
5531 wpa_printf(MSG_INFO,
5532 "OpenSSL: No OCSP support included - reject configuration");
5533 return -1;
5534 }
5535 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5536 wpa_printf(MSG_DEBUG,
5537 "OpenSSL: No OCSP support included - allow optional OCSP case to continue");
5538 }
5539 #endif /* HAVE_OCSP */
5540 #endif /* OPENSSL_IS_BORINGSSL */
5541
5542 conn->flags = params->flags;
5543
5544 tls_get_errors(data);
5545
5546 return 0;
5547 }
5548
5549
openssl_debug_dump_cipher_list(SSL_CTX * ssl_ctx)5550 static void openssl_debug_dump_cipher_list(SSL_CTX *ssl_ctx)
5551 {
5552 SSL *ssl;
5553 int i;
5554
5555 ssl = SSL_new(ssl_ctx);
5556 if (!ssl)
5557 return;
5558
5559 wpa_printf(MSG_DEBUG,
5560 "OpenSSL: Enabled cipher suites in priority order");
5561 for (i = 0; ; i++) {
5562 const char *cipher;
5563
5564 cipher = SSL_get_cipher_list(ssl, i);
5565 if (!cipher)
5566 break;
5567 wpa_printf(MSG_DEBUG, "Cipher %d: %s", i, cipher);
5568 }
5569
5570 SSL_free(ssl);
5571 }
5572
5573
5574 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5575
openssl_pkey_type_str(const EVP_PKEY * pkey)5576 static const char * openssl_pkey_type_str(const EVP_PKEY *pkey)
5577 {
5578 if (!pkey)
5579 return "NULL";
5580 switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
5581 case EVP_PKEY_RSA:
5582 return "RSA";
5583 case EVP_PKEY_DSA:
5584 return "DSA";
5585 case EVP_PKEY_DH:
5586 return "DH";
5587 case EVP_PKEY_EC:
5588 return "EC";
5589 }
5590 return "?";
5591 }
5592
5593
openssl_debug_dump_certificate(int i,X509 * cert)5594 static void openssl_debug_dump_certificate(int i, X509 *cert)
5595 {
5596 char buf[256];
5597 EVP_PKEY *pkey;
5598 ASN1_INTEGER *ser;
5599 char serial_num[128];
5600
5601 if (!cert)
5602 return;
5603
5604 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
5605
5606 ser = X509_get_serialNumber(cert);
5607 if (ser)
5608 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
5609 ASN1_STRING_get0_data(ser),
5610 ASN1_STRING_length(ser));
5611 else
5612 serial_num[0] = '\0';
5613
5614 pkey = X509_get_pubkey(cert);
5615 wpa_printf(MSG_DEBUG, "%d: %s (%s) %s", i, buf,
5616 openssl_pkey_type_str(pkey), serial_num);
5617 EVP_PKEY_free(pkey);
5618 }
5619
5620
openssl_debug_dump_certificates(SSL_CTX * ssl_ctx)5621 static void openssl_debug_dump_certificates(SSL_CTX *ssl_ctx)
5622 {
5623 STACK_OF(X509) *certs;
5624
5625 wpa_printf(MSG_DEBUG, "OpenSSL: Configured certificate chain");
5626 if (SSL_CTX_get0_chain_certs(ssl_ctx, &certs) == 1) {
5627 int i;
5628
5629 for (i = sk_X509_num(certs); i > 0; i--)
5630 openssl_debug_dump_certificate(i, sk_X509_value(certs,
5631 i - 1));
5632 }
5633 openssl_debug_dump_certificate(0, SSL_CTX_get0_certificate(ssl_ctx));
5634 }
5635
5636 #endif
5637
5638
openssl_debug_dump_certificate_chains(SSL_CTX * ssl_ctx)5639 static void openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx)
5640 {
5641 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5642 int res;
5643
5644 for (res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5645 res == 1;
5646 res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_NEXT))
5647 openssl_debug_dump_certificates(ssl_ctx);
5648
5649 SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5650 #endif
5651 }
5652
5653
openssl_debug_dump_ctx(SSL_CTX * ssl_ctx)5654 static void openssl_debug_dump_ctx(SSL_CTX *ssl_ctx)
5655 {
5656 openssl_debug_dump_cipher_list(ssl_ctx);
5657 openssl_debug_dump_certificate_chains(ssl_ctx);
5658 }
5659
5660
tls_global_set_params(void * tls_ctx,const struct tls_connection_params * params)5661 int tls_global_set_params(void *tls_ctx,
5662 const struct tls_connection_params *params)
5663 {
5664 struct tls_data *data = tls_ctx;
5665 SSL_CTX *ssl_ctx = data->ssl;
5666 unsigned long err;
5667
5668 while ((err = ERR_get_error())) {
5669 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5670 __func__, ERR_error_string(err, NULL));
5671 }
5672
5673 os_free(data->check_cert_subject);
5674 data->check_cert_subject = NULL;
5675 if (params->check_cert_subject) {
5676 data->check_cert_subject =
5677 os_strdup(params->check_cert_subject);
5678 if (!data->check_cert_subject)
5679 return -1;
5680 }
5681
5682 if (tls_global_ca_cert(data, params->ca_cert) ||
5683 tls_global_client_cert(data, params->client_cert) ||
5684 tls_global_private_key(data, params->private_key,
5685 params->private_key_passwd) ||
5686 tls_global_client_cert(data, params->client_cert2) ||
5687 tls_global_private_key(data, params->private_key2,
5688 params->private_key_passwd2) ||
5689 tls_global_dh(data, params->dh_file)) {
5690 wpa_printf(MSG_INFO, "TLS: Failed to set global parameters");
5691 return -1;
5692 }
5693
5694 if (params->openssl_ciphers &&
5695 SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
5696 wpa_printf(MSG_INFO,
5697 "OpenSSL: Failed to set cipher string '%s'",
5698 params->openssl_ciphers);
5699 return -1;
5700 }
5701
5702 if (!params->openssl_ecdh_curves) {
5703 #ifndef OPENSSL_IS_BORINGSSL
5704 #ifndef OPENSSL_NO_EC
5705 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5706 if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
5707 wpa_printf(MSG_INFO,
5708 "OpenSSL: Failed to set ECDH curves to auto");
5709 return -1;
5710 }
5711 #endif /* < 1.1.0 */
5712 #endif /* OPENSSL_NO_EC */
5713 #endif /* OPENSSL_IS_BORINGSSL */
5714 } else if (params->openssl_ecdh_curves[0]) {
5715 #ifdef OPENSSL_IS_BORINGSSL
5716 wpa_printf(MSG_INFO,
5717 "OpenSSL: ECDH configuration not supported");
5718 return -1;
5719 #else /* !OPENSSL_IS_BORINGSSL */
5720 #ifndef OPENSSL_NO_EC
5721 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5722 SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
5723 #endif
5724 if (SSL_CTX_set1_curves_list(ssl_ctx,
5725 params->openssl_ecdh_curves) !=
5726 1) {
5727 wpa_printf(MSG_INFO,
5728 "OpenSSL: Failed to set ECDH curves '%s'",
5729 params->openssl_ecdh_curves);
5730 return -1;
5731 }
5732 #else /* OPENSSL_NO_EC */
5733 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5734 return -1;
5735 #endif /* OPENSSL_NO_EC */
5736 #endif /* OPENSSL_IS_BORINGSSL */
5737 }
5738
5739 #ifdef SSL_OP_NO_TICKET
5740 if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
5741 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
5742 else
5743 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TICKET);
5744 #endif /* SSL_OP_NO_TICKET */
5745
5746 #ifdef HAVE_OCSP
5747 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_status_cb);
5748 SSL_CTX_set_tlsext_status_arg(ssl_ctx, ssl_ctx);
5749 os_free(tls_global->ocsp_stapling_response);
5750 if (params->ocsp_stapling_response)
5751 tls_global->ocsp_stapling_response =
5752 os_strdup(params->ocsp_stapling_response);
5753 else
5754 tls_global->ocsp_stapling_response = NULL;
5755 #endif /* HAVE_OCSP */
5756
5757 openssl_debug_dump_ctx(ssl_ctx);
5758
5759 return 0;
5760 }
5761
5762
5763 #ifdef EAP_FAST_OR_TEAP
5764 /* Pre-shared secred requires a patch to openssl, so this function is
5765 * commented out unless explicitly needed for EAP-FAST in order to be able to
5766 * build this file with unmodified openssl. */
5767
5768 #if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
tls_sess_sec_cb(SSL * s,void * secret,int * secret_len,STACK_OF (SSL_CIPHER)* peer_ciphers,const SSL_CIPHER ** cipher,void * arg)5769 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
5770 STACK_OF(SSL_CIPHER) *peer_ciphers,
5771 const SSL_CIPHER **cipher, void *arg)
5772 #else /* OPENSSL_IS_BORINGSSL */
5773 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
5774 STACK_OF(SSL_CIPHER) *peer_ciphers,
5775 SSL_CIPHER **cipher, void *arg)
5776 #endif /* OPENSSL_IS_BORINGSSL */
5777 {
5778 struct tls_connection *conn = arg;
5779 int ret;
5780
5781 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5782 if (conn == NULL || conn->session_ticket_cb == NULL)
5783 return 0;
5784
5785 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
5786 conn->session_ticket,
5787 conn->session_ticket_len,
5788 s->s3->client_random,
5789 s->s3->server_random, secret);
5790 #else
5791 unsigned char client_random[SSL3_RANDOM_SIZE];
5792 unsigned char server_random[SSL3_RANDOM_SIZE];
5793
5794 if (conn == NULL || conn->session_ticket_cb == NULL)
5795 return 0;
5796
5797 SSL_get_client_random(s, client_random, sizeof(client_random));
5798 SSL_get_server_random(s, server_random, sizeof(server_random));
5799
5800 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
5801 conn->session_ticket,
5802 conn->session_ticket_len,
5803 client_random,
5804 server_random, secret);
5805 #endif
5806
5807 os_free(conn->session_ticket);
5808 conn->session_ticket = NULL;
5809
5810 if (ret <= 0)
5811 return 0;
5812
5813 *secret_len = SSL_MAX_MASTER_KEY_LENGTH;
5814 return 1;
5815 }
5816
5817
tls_session_ticket_ext_cb(SSL * s,const unsigned char * data,int len,void * arg)5818 static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
5819 int len, void *arg)
5820 {
5821 struct tls_connection *conn = arg;
5822
5823 if (conn == NULL || conn->session_ticket_cb == NULL)
5824 return 0;
5825
5826 wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
5827
5828 os_free(conn->session_ticket);
5829 conn->session_ticket = NULL;
5830
5831 wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
5832 "extension", data, len);
5833
5834 conn->session_ticket = os_memdup(data, len);
5835 if (conn->session_ticket == NULL)
5836 return 0;
5837
5838 conn->session_ticket_len = len;
5839
5840 return 1;
5841 }
5842 #endif /* EAP_FAST_OR_TEAP */
5843
5844
tls_connection_set_session_ticket_cb(void * tls_ctx,struct tls_connection * conn,tls_session_ticket_cb cb,void * ctx)5845 int tls_connection_set_session_ticket_cb(void *tls_ctx,
5846 struct tls_connection *conn,
5847 tls_session_ticket_cb cb,
5848 void *ctx)
5849 {
5850 #ifdef EAP_FAST_OR_TEAP
5851 conn->session_ticket_cb = cb;
5852 conn->session_ticket_cb_ctx = ctx;
5853
5854 if (cb) {
5855 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
5856 conn) != 1)
5857 return -1;
5858 SSL_set_session_ticket_ext_cb(conn->ssl,
5859 tls_session_ticket_ext_cb, conn);
5860 } else {
5861 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
5862 return -1;
5863 SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
5864 }
5865
5866 return 0;
5867 #else /* EAP_FAST_OR_TEAP */
5868 return -1;
5869 #endif /* EAP_FAST_OR_TEAP */
5870 }
5871
5872
tls_get_library_version(char * buf,size_t buf_len)5873 int tls_get_library_version(char *buf, size_t buf_len)
5874 {
5875 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
5876 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
5877 OPENSSL_VERSION_TEXT,
5878 OpenSSL_version(OPENSSL_VERSION));
5879 #else
5880 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
5881 OPENSSL_VERSION_TEXT,
5882 SSLeay_version(SSLEAY_VERSION));
5883 #endif
5884 }
5885
5886
tls_connection_set_success_data(struct tls_connection * conn,struct wpabuf * data)5887 void tls_connection_set_success_data(struct tls_connection *conn,
5888 struct wpabuf *data)
5889 {
5890 SSL_SESSION *sess;
5891 struct wpabuf *old;
5892 struct tls_session_data *sess_data = NULL;
5893
5894 if (tls_ex_idx_session < 0)
5895 goto fail;
5896 sess = SSL_get_session(conn->ssl);
5897 if (!sess)
5898 goto fail;
5899 old = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
5900 if (old) {
5901 struct tls_session_data *found;
5902
5903 found = get_session_data(conn->context, old);
5904 wpa_printf(MSG_DEBUG,
5905 "OpenSSL: Replacing old success data %p (sess %p)%s",
5906 old, sess, found ? "" : " (not freeing)");
5907 if (found) {
5908 dl_list_del(&found->list);
5909 os_free(found);
5910 wpabuf_free(old);
5911 }
5912 }
5913
5914 sess_data = os_zalloc(sizeof(*sess_data));
5915 if (!sess_data ||
5916 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, data) != 1)
5917 goto fail;
5918
5919 sess_data->buf = data;
5920 dl_list_add(&conn->context->sessions, &sess_data->list);
5921 wpa_printf(MSG_DEBUG, "OpenSSL: Stored success data %p (sess %p)",
5922 data, sess);
5923 conn->success_data = 1;
5924 return;
5925
5926 fail:
5927 wpa_printf(MSG_INFO, "OpenSSL: Failed to store success data");
5928 wpabuf_free(data);
5929 os_free(sess_data);
5930 }
5931
5932
tls_connection_set_success_data_resumed(struct tls_connection * conn)5933 void tls_connection_set_success_data_resumed(struct tls_connection *conn)
5934 {
5935 wpa_printf(MSG_DEBUG,
5936 "OpenSSL: Success data accepted for resumed session");
5937 conn->success_data = 1;
5938 }
5939
5940
5941 const struct wpabuf *
tls_connection_get_success_data(struct tls_connection * conn)5942 tls_connection_get_success_data(struct tls_connection *conn)
5943 {
5944 SSL_SESSION *sess;
5945
5946 if (tls_ex_idx_session < 0 ||
5947 !(sess = SSL_get_session(conn->ssl)))
5948 return NULL;
5949 return SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
5950 }
5951
5952
tls_connection_remove_session(struct tls_connection * conn)5953 void tls_connection_remove_session(struct tls_connection *conn)
5954 {
5955 SSL_SESSION *sess;
5956
5957 sess = SSL_get_session(conn->ssl);
5958 if (!sess)
5959 return;
5960
5961 if (SSL_CTX_remove_session(conn->ssl_ctx, sess) != 1)
5962 wpa_printf(MSG_DEBUG,
5963 "OpenSSL: Session was not cached");
5964 else
5965 wpa_printf(MSG_DEBUG,
5966 "OpenSSL: Removed cached session to disable session resumption");
5967 }
5968
5969
tls_get_tls_unique(struct tls_connection * conn,u8 * buf,size_t max_len)5970 int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)
5971 {
5972 size_t len;
5973 int reused;
5974
5975 reused = SSL_session_reused(conn->ssl);
5976 if ((conn->server && !reused) || (!conn->server && reused))
5977 len = SSL_get_peer_finished(conn->ssl, buf, max_len);
5978 else
5979 len = SSL_get_finished(conn->ssl, buf, max_len);
5980
5981 if (len == 0 || len > max_len)
5982 return -1;
5983
5984 return len;
5985 }
5986
5987
tls_connection_get_cipher_suite(struct tls_connection * conn)5988 u16 tls_connection_get_cipher_suite(struct tls_connection *conn)
5989 {
5990 const SSL_CIPHER *cipher;
5991
5992 cipher = SSL_get_current_cipher(conn->ssl);
5993 if (!cipher)
5994 return 0;
5995 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
5996 return SSL_CIPHER_get_protocol_id(cipher);
5997 #else
5998 return SSL_CIPHER_get_id(cipher) & 0xFFFF;
5999 #endif
6000 }
6001
6002
tls_connection_get_peer_subject(struct tls_connection * conn)6003 const char * tls_connection_get_peer_subject(struct tls_connection *conn)
6004 {
6005 if (conn)
6006 return conn->peer_subject;
6007 return NULL;
6008 }
6009
6010
tls_connection_get_own_cert_used(struct tls_connection * conn)6011 bool tls_connection_get_own_cert_used(struct tls_connection *conn)
6012 {
6013 if (conn)
6014 return SSL_get_certificate(conn->ssl) != NULL;
6015 return false;
6016 }
6017