1 /*
2 * SSL/TLS interface functions for OpenSSL
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #ifdef CONFIG_TESTING_OPTIONS
11 #include <fcntl.h>
12 #endif /* CONFIG_TESTING_OPTIONS */
13
14 #ifndef CONFIG_SMARTCARD
15 #ifndef OPENSSL_NO_ENGINE
16 #ifndef ANDROID
17 #define OPENSSL_NO_ENGINE
18 #endif
19 #endif
20 #endif
21
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/opensslv.h>
25 #include <openssl/pkcs12.h>
26 #include <openssl/x509v3.h>
27 #ifndef OPENSSL_NO_ENGINE
28 #include <openssl/engine.h>
29 #endif /* OPENSSL_NO_ENGINE */
30 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
31 #include <openssl/core_names.h>
32 #include <openssl/decoder.h>
33 #include <openssl/param_build.h>
34 #else /* OpenSSL version >= 3.0 */
35 #ifndef OPENSSL_NO_DSA
36 #include <openssl/dsa.h>
37 #endif
38 #ifndef OPENSSL_NO_DH
39 #include <openssl/dh.h>
40 #endif
41 #endif /* OpenSSL version >= 3.0 */
42
43 #include "common.h"
44 #include "utils/list.h"
45 #include "crypto.h"
46 #include "sha1.h"
47 #include "sha256.h"
48 #include "tls.h"
49 #include "tls_openssl.h"
50
51 #if !defined(CONFIG_FIPS) && \
52 (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
53 defined(EAP_SERVER_FAST))
54 #define OPENSSL_NEED_EAP_FAST_PRF
55 #endif
56
57 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
58 defined(EAP_SERVER_FAST) || defined(EAP_TEAP) || \
59 defined(EAP_SERVER_TEAP)
60 #define EAP_FAST_OR_TEAP
61 #endif
62
63
64 #if defined(OPENSSL_IS_BORINGSSL)
65 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
66 typedef size_t stack_index_t;
67 #else
68 typedef int stack_index_t;
69 #endif
70
71 #ifdef SSL_set_tlsext_status_type
72 #ifndef OPENSSL_NO_TLSEXT
73 #define HAVE_OCSP
74 #include <openssl/ocsp.h>
75 #endif /* OPENSSL_NO_TLSEXT */
76 #endif /* SSL_set_tlsext_status_type */
77
78 #if OPENSSL_VERSION_NUMBER < 0x10100000L && \
79 !defined(BORINGSSL_API_VERSION)
80 /*
81 * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
82 * 1.1.0 and newer BoringSSL revisions. Provide compatibility wrappers for
83 * older versions.
84 */
85
SSL_get_client_random(const SSL * ssl,unsigned char * out,size_t outlen)86 static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
87 size_t outlen)
88 {
89 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
90 return 0;
91 os_memcpy(out, ssl->s3->client_random, SSL3_RANDOM_SIZE);
92 return SSL3_RANDOM_SIZE;
93 }
94
95
SSL_get_server_random(const SSL * ssl,unsigned char * out,size_t outlen)96 static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
97 size_t outlen)
98 {
99 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
100 return 0;
101 os_memcpy(out, ssl->s3->server_random, SSL3_RANDOM_SIZE);
102 return SSL3_RANDOM_SIZE;
103 }
104
105
106 #ifdef OPENSSL_NEED_EAP_FAST_PRF
SSL_SESSION_get_master_key(const SSL_SESSION * session,unsigned char * out,size_t outlen)107 static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
108 unsigned char *out, size_t outlen)
109 {
110 if (!session || session->master_key_length < 0 ||
111 (size_t) session->master_key_length > outlen)
112 return 0;
113 if ((size_t) session->master_key_length < outlen)
114 outlen = session->master_key_length;
115 os_memcpy(out, session->master_key, outlen);
116 return outlen;
117 }
118 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
119
120 #endif
121
122 #if OPENSSL_VERSION_NUMBER < 0x10100000L
ASN1_STRING_get0_data(const ASN1_STRING * x)123 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
124 {
125 return ASN1_STRING_data((ASN1_STRING *) x);
126 }
127 #endif
128
129 static int tls_openssl_ref_count = 0;
130 static int tls_ex_idx_session = -1;
131
132 struct tls_session_data {
133 struct dl_list list;
134 struct wpabuf *buf;
135 };
136
137 struct tls_context {
138 void (*event_cb)(void *ctx, enum tls_event ev,
139 union tls_event_data *data);
140 void *cb_ctx;
141 int cert_in_cb;
142 char *ocsp_stapling_response;
143 struct dl_list sessions; /* struct tls_session_data */
144 };
145
146 struct tls_data {
147 SSL_CTX *ssl;
148 unsigned int tls_session_lifetime;
149 int check_crl;
150 int check_crl_strict;
151 char *ca_cert;
152 unsigned int crl_reload_interval;
153 struct os_reltime crl_last_reload;
154 char *check_cert_subject;
155 };
156
157 struct tls_connection {
158 struct tls_context *context;
159 struct tls_data *data;
160 SSL_CTX *ssl_ctx;
161 SSL *ssl;
162 BIO *ssl_in, *ssl_out;
163 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
164 ENGINE *engine; /* functional reference to the engine */
165 EVP_PKEY *private_key; /* the private key if using engine */
166 #endif /* OPENSSL_NO_ENGINE */
167 char *subject_match, *altsubject_match, *suffix_match, *domain_match;
168 char *check_cert_subject;
169 int read_alerts, write_alerts, failed;
170
171 tls_session_ticket_cb session_ticket_cb;
172 void *session_ticket_cb_ctx;
173
174 /* SessionTicket received from OpenSSL hello_extension_cb (server) */
175 u8 *session_ticket;
176 size_t session_ticket_len;
177
178 unsigned int ca_cert_verify:1;
179 unsigned int cert_probe:1;
180 unsigned int server_cert_only:1;
181 unsigned int invalid_hb_used:1;
182 unsigned int success_data:1;
183 unsigned int client_hello_generated:1;
184 unsigned int server:1;
185
186 u8 srv_cert_hash[32];
187
188 unsigned int flags;
189
190 X509 *peer_cert;
191 X509 *peer_issuer;
192 X509 *peer_issuer_issuer;
193 char *peer_subject; /* peer subject info for authenticated peer */
194
195 unsigned char client_random[SSL3_RANDOM_SIZE];
196 unsigned char server_random[SSL3_RANDOM_SIZE];
197
198 u16 cipher_suite;
199 int server_dh_prime_len;
200 };
201
202 static struct tls_context *tls_global = NULL;
203 static tls_get_certificate_cb certificate_callback_global = NULL;
204 static tls_openssl_failure_cb openssl_failure_callback_global = NULL;
205
206 #ifdef ANDROID
207 #include <openssl/pem.h>
208
209 #include <log/log.h>
210 #include <log/log_event_list.h>
211
212 #define CERT_VALIDATION_FAILURE 210033
213 #define ANDROID_KEYSTORE_PREFIX "keystore://"
214 #define ANDROID_KEYSTORE_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_PREFIX)
215 #define ANDROID_KEYSTORE_ENCODED_PREFIX "keystores://"
216 #define ANDROID_KEYSTORE_ENCODED_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_ENCODED_PREFIX)
217
log_cert_validation_failure(const char * reason)218 static void log_cert_validation_failure(const char *reason)
219 {
220 android_log_context ctx = create_android_logger(CERT_VALIDATION_FAILURE);
221 android_log_write_string8(ctx, reason);
222 android_log_write_list(ctx, LOG_ID_SECURITY);
223 android_log_destroy(&ctx);
224 }
225
226
BIO_from_keystore(const char * alias,struct tls_connection * conn)227 static BIO* BIO_from_keystore(const char *alias, struct tls_connection *conn)
228 {
229 BIO *bio = NULL;
230 uint8_t *value = NULL;
231
232 void *cb_ctx = NULL;
233 if (conn != NULL && conn->context != NULL) {
234 cb_ctx = conn->context->cb_ctx;
235 }
236
237 if (cb_ctx != NULL && certificate_callback_global != NULL) {
238 wpa_printf(MSG_INFO, "Retrieving certificate using callback");
239 int length = (*certificate_callback_global)(cb_ctx, alias, &value);
240 if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL)
241 BIO_write(bio, value, length);
242 free(value);
243 }
244 return bio;
245 }
246
tls_add_ca_from_keystore(X509_STORE * ctx,const char * alias,struct tls_connection * conn)247 static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *alias, struct tls_connection *conn)
248 {
249 BIO *bio = BIO_from_keystore(alias, conn);
250 STACK_OF(X509_INFO) *stack = NULL;
251 stack_index_t i;
252 int ret = 0;
253
254 if (!bio) {
255 wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
256 alias);
257 return -1;
258 }
259
260 // Keystore returns X.509 certificates in PEM encoding
261 stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
262 BIO_free(bio);
263
264 if (!stack) {
265 wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
266 alias);
267 return -1;
268 }
269
270 for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
271 X509_INFO *info = sk_X509_INFO_value(stack, i);
272
273 if (info->x509)
274 if (!X509_STORE_add_cert(ctx, info->x509)) {
275 wpa_printf(MSG_ERROR,
276 "OpenSSL: Failed to add Root CA certificate");
277 ret = -1;
278 break;
279 }
280 if (info->crl)
281 X509_STORE_add_crl(ctx, info->crl);
282 }
283
284 sk_X509_INFO_pop_free(stack, X509_INFO_free);
285 return ret;
286 }
287
288
tls_add_ca_from_keystore_encoded(X509_STORE * ctx,const char * encoded_alias,struct tls_connection * conn)289 static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx,
290 const char *encoded_alias,
291 struct tls_connection *conn)
292 {
293 int rc = -1;
294 int len = os_strlen(encoded_alias);
295 unsigned char *decoded_alias;
296
297 if (len & 1) {
298 wpa_printf(MSG_WARNING, "Invalid hex-encoded alias: %s",
299 encoded_alias);
300 return rc;
301 }
302
303 decoded_alias = os_malloc(len / 2 + 1);
304 if (decoded_alias) {
305 if (!hexstr2bin(encoded_alias, decoded_alias, len / 2)) {
306 decoded_alias[len / 2] = '\0';
307 rc = tls_add_ca_from_keystore(
308 ctx, (const char *) decoded_alias, conn);
309 }
310 os_free(decoded_alias);
311 }
312
313 return rc;
314 }
315
316 #endif /* ANDROID */
317
318
tls_context_new(const struct tls_config * conf)319 static struct tls_context * tls_context_new(const struct tls_config *conf)
320 {
321 struct tls_context *context = os_zalloc(sizeof(*context));
322 if (context == NULL)
323 return NULL;
324 dl_list_init(&context->sessions);
325 if (conf) {
326 context->event_cb = conf->event_cb;
327 context->cb_ctx = conf->cb_ctx;
328 context->cert_in_cb = conf->cert_in_cb;
329 }
330 return context;
331 }
332
333
334 #ifdef CONFIG_NO_STDOUT_DEBUG
335
_tls_show_errors(void)336 static void _tls_show_errors(void)
337 {
338 unsigned long err;
339
340 while ((err = ERR_get_error())) {
341 /* Just ignore the errors, since stdout is disabled */
342 }
343 }
344 #define tls_show_errors(l, f, t) _tls_show_errors()
345
346 #else /* CONFIG_NO_STDOUT_DEBUG */
347
tls_show_errors(int level,const char * func,const char * txt)348 static void tls_show_errors(int level, const char *func, const char *txt)
349 {
350 unsigned long err;
351
352 wpa_printf(level, "OpenSSL: %s - %s %s",
353 func, txt, ERR_error_string(ERR_get_error(), NULL));
354
355 while ((err = ERR_get_error())) {
356 wpa_printf(MSG_INFO, "OpenSSL: pending error: %s",
357 ERR_error_string(err, NULL));
358 }
359 }
360
361 #endif /* CONFIG_NO_STDOUT_DEBUG */
362
363
tls_crl_cert_reload(const char * ca_cert,int check_crl)364 static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
365 {
366 int flags;
367 X509_STORE *store;
368
369 store = X509_STORE_new();
370 if (!store) {
371 wpa_printf(MSG_DEBUG,
372 "OpenSSL: %s - failed to allocate new certificate store",
373 __func__);
374 return NULL;
375 }
376
377 if (ca_cert && X509_STORE_load_locations(store, ca_cert, NULL) != 1) {
378 tls_show_errors(MSG_WARNING, __func__,
379 "Failed to load root certificates");
380 X509_STORE_free(store);
381 return NULL;
382 }
383
384 flags = check_crl ? X509_V_FLAG_CRL_CHECK : 0;
385 if (check_crl == 2)
386 flags |= X509_V_FLAG_CRL_CHECK_ALL;
387
388 X509_STORE_set_flags(store, flags);
389
390 return store;
391 }
392
393
394 #ifdef CONFIG_NATIVE_WINDOWS
395
396 /* Windows CryptoAPI and access to certificate stores */
397 #include <wincrypt.h>
398
399 #ifdef __MINGW32_VERSION
400 /*
401 * MinGW does not yet include all the needed definitions for CryptoAPI, so
402 * define here whatever extra is needed.
403 */
404 #define CERT_SYSTEM_STORE_CURRENT_USER (1 << 16)
405 #define CERT_STORE_READONLY_FLAG 0x00008000
406 #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
407
408 #endif /* __MINGW32_VERSION */
409
410
411 struct cryptoapi_rsa_data {
412 const CERT_CONTEXT *cert;
413 HCRYPTPROV crypt_prov;
414 DWORD key_spec;
415 BOOL free_crypt_prov;
416 };
417
418
cryptoapi_error(const char * msg)419 static void cryptoapi_error(const char *msg)
420 {
421 wpa_printf(MSG_INFO, "CryptoAPI: %s; err=%u",
422 msg, (unsigned int) GetLastError());
423 }
424
425
cryptoapi_rsa_pub_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)426 static int cryptoapi_rsa_pub_enc(int flen, const unsigned char *from,
427 unsigned char *to, RSA *rsa, int padding)
428 {
429 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
430 return 0;
431 }
432
433
cryptoapi_rsa_pub_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)434 static int cryptoapi_rsa_pub_dec(int flen, const unsigned char *from,
435 unsigned char *to, RSA *rsa, int padding)
436 {
437 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
438 return 0;
439 }
440
441
cryptoapi_rsa_priv_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)442 static int cryptoapi_rsa_priv_enc(int flen, const unsigned char *from,
443 unsigned char *to, RSA *rsa, int padding)
444 {
445 struct cryptoapi_rsa_data *priv =
446 (struct cryptoapi_rsa_data *) rsa->meth->app_data;
447 HCRYPTHASH hash;
448 DWORD hash_size, len, i;
449 unsigned char *buf = NULL;
450 int ret = 0;
451
452 if (priv == NULL) {
453 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
454 ERR_R_PASSED_NULL_PARAMETER);
455 return 0;
456 }
457
458 if (padding != RSA_PKCS1_PADDING) {
459 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
460 RSA_R_UNKNOWN_PADDING_TYPE);
461 return 0;
462 }
463
464 if (flen != 16 /* MD5 */ + 20 /* SHA-1 */) {
465 wpa_printf(MSG_INFO, "%s - only MD5-SHA1 hash supported",
466 __func__);
467 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
468 RSA_R_INVALID_MESSAGE_LENGTH);
469 return 0;
470 }
471
472 if (!CryptCreateHash(priv->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash))
473 {
474 cryptoapi_error("CryptCreateHash failed");
475 return 0;
476 }
477
478 len = sizeof(hash_size);
479 if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len,
480 0)) {
481 cryptoapi_error("CryptGetHashParam failed");
482 goto err;
483 }
484
485 if ((int) hash_size != flen) {
486 wpa_printf(MSG_INFO, "CryptoAPI: Invalid hash size (%u != %d)",
487 (unsigned) hash_size, flen);
488 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
489 RSA_R_INVALID_MESSAGE_LENGTH);
490 goto err;
491 }
492 if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0)) {
493 cryptoapi_error("CryptSetHashParam failed");
494 goto err;
495 }
496
497 len = RSA_size(rsa);
498 buf = os_malloc(len);
499 if (buf == NULL) {
500 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
501 goto err;
502 }
503
504 if (!CryptSignHash(hash, priv->key_spec, NULL, 0, buf, &len)) {
505 cryptoapi_error("CryptSignHash failed");
506 goto err;
507 }
508
509 for (i = 0; i < len; i++)
510 to[i] = buf[len - i - 1];
511 ret = len;
512
513 err:
514 os_free(buf);
515 CryptDestroyHash(hash);
516
517 return ret;
518 }
519
520
cryptoapi_rsa_priv_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)521 static int cryptoapi_rsa_priv_dec(int flen, const unsigned char *from,
522 unsigned char *to, RSA *rsa, int padding)
523 {
524 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
525 return 0;
526 }
527
528
cryptoapi_free_data(struct cryptoapi_rsa_data * priv)529 static void cryptoapi_free_data(struct cryptoapi_rsa_data *priv)
530 {
531 if (priv == NULL)
532 return;
533 if (priv->crypt_prov && priv->free_crypt_prov)
534 CryptReleaseContext(priv->crypt_prov, 0);
535 if (priv->cert)
536 CertFreeCertificateContext(priv->cert);
537 os_free(priv);
538 }
539
540
cryptoapi_finish(RSA * rsa)541 static int cryptoapi_finish(RSA *rsa)
542 {
543 cryptoapi_free_data((struct cryptoapi_rsa_data *) rsa->meth->app_data);
544 os_free((void *) rsa->meth);
545 rsa->meth = NULL;
546 return 1;
547 }
548
549
cryptoapi_find_cert(const char * name,DWORD store)550 static const CERT_CONTEXT * cryptoapi_find_cert(const char *name, DWORD store)
551 {
552 HCERTSTORE cs;
553 const CERT_CONTEXT *ret = NULL;
554
555 cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0,
556 store | CERT_STORE_OPEN_EXISTING_FLAG |
557 CERT_STORE_READONLY_FLAG, L"MY");
558 if (cs == NULL) {
559 cryptoapi_error("Failed to open 'My system store'");
560 return NULL;
561 }
562
563 if (strncmp(name, "cert://", 7) == 0) {
564 unsigned short wbuf[255];
565 MultiByteToWideChar(CP_ACP, 0, name + 7, -1, wbuf, 255);
566 ret = CertFindCertificateInStore(cs, X509_ASN_ENCODING |
567 PKCS_7_ASN_ENCODING,
568 0, CERT_FIND_SUBJECT_STR,
569 wbuf, NULL);
570 } else if (strncmp(name, "hash://", 7) == 0) {
571 CRYPT_HASH_BLOB blob;
572 int len;
573 const char *hash = name + 7;
574 unsigned char *buf;
575
576 len = os_strlen(hash) / 2;
577 buf = os_malloc(len);
578 if (buf && hexstr2bin(hash, buf, len) == 0) {
579 blob.cbData = len;
580 blob.pbData = buf;
581 ret = CertFindCertificateInStore(cs,
582 X509_ASN_ENCODING |
583 PKCS_7_ASN_ENCODING,
584 0, CERT_FIND_HASH,
585 &blob, NULL);
586 }
587 os_free(buf);
588 }
589
590 CertCloseStore(cs, 0);
591
592 return ret;
593 }
594
595
tls_cryptoapi_cert(SSL * ssl,const char * name)596 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
597 {
598 X509 *cert = NULL;
599 RSA *rsa = NULL, *pub_rsa;
600 struct cryptoapi_rsa_data *priv;
601 RSA_METHOD *rsa_meth;
602
603 if (name == NULL ||
604 (strncmp(name, "cert://", 7) != 0 &&
605 strncmp(name, "hash://", 7) != 0))
606 return -1;
607
608 priv = os_zalloc(sizeof(*priv));
609 rsa_meth = os_zalloc(sizeof(*rsa_meth));
610 if (priv == NULL || rsa_meth == NULL) {
611 wpa_printf(MSG_WARNING, "CryptoAPI: Failed to allocate memory "
612 "for CryptoAPI RSA method");
613 os_free(priv);
614 os_free(rsa_meth);
615 return -1;
616 }
617
618 priv->cert = cryptoapi_find_cert(name, CERT_SYSTEM_STORE_CURRENT_USER);
619 if (priv->cert == NULL) {
620 priv->cert = cryptoapi_find_cert(
621 name, CERT_SYSTEM_STORE_LOCAL_MACHINE);
622 }
623 if (priv->cert == NULL) {
624 wpa_printf(MSG_INFO, "CryptoAPI: Could not find certificate "
625 "'%s'", name);
626 goto err;
627 }
628
629 cert = d2i_X509(NULL,
630 (const unsigned char **) &priv->cert->pbCertEncoded,
631 priv->cert->cbCertEncoded);
632 if (cert == NULL) {
633 wpa_printf(MSG_INFO, "CryptoAPI: Could not process X509 DER "
634 "encoding");
635 goto err;
636 }
637
638 if (!CryptAcquireCertificatePrivateKey(priv->cert,
639 CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
640 NULL, &priv->crypt_prov,
641 &priv->key_spec,
642 &priv->free_crypt_prov)) {
643 cryptoapi_error("Failed to acquire a private key for the "
644 "certificate");
645 goto err;
646 }
647
648 rsa_meth->name = "Microsoft CryptoAPI RSA Method";
649 rsa_meth->rsa_pub_enc = cryptoapi_rsa_pub_enc;
650 rsa_meth->rsa_pub_dec = cryptoapi_rsa_pub_dec;
651 rsa_meth->rsa_priv_enc = cryptoapi_rsa_priv_enc;
652 rsa_meth->rsa_priv_dec = cryptoapi_rsa_priv_dec;
653 rsa_meth->finish = cryptoapi_finish;
654 rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
655 rsa_meth->app_data = (char *) priv;
656
657 rsa = RSA_new();
658 if (rsa == NULL) {
659 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,
660 ERR_R_MALLOC_FAILURE);
661 goto err;
662 }
663
664 if (!SSL_use_certificate(ssl, cert)) {
665 RSA_free(rsa);
666 rsa = NULL;
667 goto err;
668 }
669 pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
670 X509_free(cert);
671 cert = NULL;
672
673 rsa->n = BN_dup(pub_rsa->n);
674 rsa->e = BN_dup(pub_rsa->e);
675 if (!RSA_set_method(rsa, rsa_meth))
676 goto err;
677
678 if (!SSL_use_RSAPrivateKey(ssl, rsa))
679 goto err;
680 RSA_free(rsa);
681
682 return 0;
683
684 err:
685 if (cert)
686 X509_free(cert);
687 if (rsa)
688 RSA_free(rsa);
689 else {
690 os_free(rsa_meth);
691 cryptoapi_free_data(priv);
692 }
693 return -1;
694 }
695
696
tls_cryptoapi_ca_cert(SSL_CTX * ssl_ctx,SSL * ssl,const char * name)697 static int tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name)
698 {
699 HCERTSTORE cs;
700 PCCERT_CONTEXT ctx = NULL;
701 X509 *cert;
702 char buf[128];
703 const char *store;
704 #ifdef UNICODE
705 WCHAR *wstore;
706 #endif /* UNICODE */
707
708 if (name == NULL || strncmp(name, "cert_store://", 13) != 0)
709 return -1;
710
711 store = name + 13;
712 #ifdef UNICODE
713 wstore = os_malloc((os_strlen(store) + 1) * sizeof(WCHAR));
714 if (wstore == NULL)
715 return -1;
716 wsprintf(wstore, L"%S", store);
717 cs = CertOpenSystemStore(0, wstore);
718 os_free(wstore);
719 #else /* UNICODE */
720 cs = CertOpenSystemStore(0, store);
721 #endif /* UNICODE */
722 if (cs == NULL) {
723 wpa_printf(MSG_DEBUG, "%s: failed to open system cert store "
724 "'%s': error=%d", __func__, store,
725 (int) GetLastError());
726 return -1;
727 }
728
729 while ((ctx = CertEnumCertificatesInStore(cs, ctx))) {
730 cert = d2i_X509(NULL,
731 (const unsigned char **) &ctx->pbCertEncoded,
732 ctx->cbCertEncoded);
733 if (cert == NULL) {
734 wpa_printf(MSG_INFO, "CryptoAPI: Could not process "
735 "X509 DER encoding for CA cert");
736 continue;
737 }
738
739 X509_NAME_oneline(X509_get_subject_name(cert), buf,
740 sizeof(buf));
741 wpa_printf(MSG_DEBUG, "OpenSSL: Loaded CA certificate for "
742 "system certificate store: subject='%s'", buf);
743
744 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
745 cert)) {
746 tls_show_errors(MSG_WARNING, __func__,
747 "Failed to add ca_cert to OpenSSL "
748 "certificate store");
749 }
750
751 X509_free(cert);
752 }
753
754 if (!CertCloseStore(cs, 0)) {
755 wpa_printf(MSG_DEBUG, "%s: failed to close system cert store "
756 "'%s': error=%d", __func__, name + 13,
757 (int) GetLastError());
758 }
759
760 return 0;
761 }
762
763
764 #else /* CONFIG_NATIVE_WINDOWS */
765
tls_cryptoapi_cert(SSL * ssl,const char * name)766 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
767 {
768 return -1;
769 }
770
771 #endif /* CONFIG_NATIVE_WINDOWS */
772
773
ssl_info_cb(const SSL * ssl,int where,int ret)774 static void ssl_info_cb(const SSL *ssl, int where, int ret)
775 {
776 const char *str;
777 int w;
778
779 wpa_printf(MSG_DEBUG, "SSL: (where=0x%x ret=0x%x)", where, ret);
780 w = where & ~SSL_ST_MASK;
781 if (w & SSL_ST_CONNECT)
782 str = "SSL_connect";
783 else if (w & SSL_ST_ACCEPT)
784 str = "SSL_accept";
785 else
786 str = "undefined";
787
788 if (where & SSL_CB_LOOP) {
789 wpa_printf(MSG_DEBUG, "SSL: %s:%s",
790 str, SSL_state_string_long(ssl));
791 } else if (where & SSL_CB_ALERT) {
792 struct tls_connection *conn = SSL_get_app_data((SSL *) ssl);
793 wpa_printf(MSG_INFO, "SSL: SSL3 alert: %s:%s:%s",
794 where & SSL_CB_READ ?
795 "read (remote end reported an error)" :
796 "write (local SSL3 detected an error)",
797 SSL_alert_type_string_long(ret),
798 SSL_alert_desc_string_long(ret));
799 if ((ret >> 8) == SSL3_AL_FATAL) {
800 if (where & SSL_CB_READ)
801 conn->read_alerts++;
802 else
803 conn->write_alerts++;
804 }
805 if (conn->context->event_cb != NULL) {
806 union tls_event_data ev;
807 struct tls_context *context = conn->context;
808 os_memset(&ev, 0, sizeof(ev));
809 ev.alert.is_local = !(where & SSL_CB_READ);
810 ev.alert.type = SSL_alert_type_string_long(ret);
811 ev.alert.description = SSL_alert_desc_string_long(ret);
812 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
813 }
814 } else if (where & SSL_CB_EXIT && ret <= 0) {
815 wpa_printf(MSG_DEBUG, "SSL: %s:%s in %s",
816 str, ret == 0 ? "failed" : "error",
817 SSL_state_string_long(ssl));
818 }
819 }
820
821
822 #ifndef OPENSSL_NO_ENGINE
823 /**
824 * tls_engine_load_dynamic_generic - load any openssl engine
825 * @pre: an array of commands and values that load an engine initialized
826 * in the engine specific function
827 * @post: an array of commands and values that initialize an already loaded
828 * engine (or %NULL if not required)
829 * @id: the engine id of the engine to load (only required if post is not %NULL
830 *
831 * This function is a generic function that loads any openssl engine.
832 *
833 * Returns: 0 on success, -1 on failure
834 */
tls_engine_load_dynamic_generic(const char * pre[],const char * post[],const char * id)835 static int tls_engine_load_dynamic_generic(const char *pre[],
836 const char *post[], const char *id)
837 {
838 ENGINE *engine;
839 const char *dynamic_id = "dynamic";
840
841 engine = ENGINE_by_id(id);
842 if (engine) {
843 wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
844 "available", id);
845 /*
846 * If it was auto-loaded by ENGINE_by_id() we might still
847 * need to tell it which PKCS#11 module to use in legacy
848 * (non-p11-kit) environments. Do so now; even if it was
849 * properly initialised before, setting it again will be
850 * harmless.
851 */
852 goto found;
853 }
854 ERR_clear_error();
855
856 engine = ENGINE_by_id(dynamic_id);
857 if (engine == NULL) {
858 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
859 dynamic_id,
860 ERR_error_string(ERR_get_error(), NULL));
861 return -1;
862 }
863
864 /* Perform the pre commands. This will load the engine. */
865 while (pre && pre[0]) {
866 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", pre[0], pre[1]);
867 if (ENGINE_ctrl_cmd_string(engine, pre[0], pre[1], 0) == 0) {
868 wpa_printf(MSG_INFO, "ENGINE: ctrl cmd_string failed: "
869 "%s %s [%s]", pre[0], pre[1],
870 ERR_error_string(ERR_get_error(), NULL));
871 ENGINE_free(engine);
872 return -1;
873 }
874 pre += 2;
875 }
876
877 /*
878 * Free the reference to the "dynamic" engine. The loaded engine can
879 * now be looked up using ENGINE_by_id().
880 */
881 ENGINE_free(engine);
882
883 engine = ENGINE_by_id(id);
884 if (engine == NULL) {
885 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
886 id, ERR_error_string(ERR_get_error(), NULL));
887 return -1;
888 }
889 found:
890 while (post && post[0]) {
891 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]);
892 if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) {
893 wpa_printf(MSG_DEBUG, "ENGINE: ctrl cmd_string failed:"
894 " %s %s [%s]", post[0], post[1],
895 ERR_error_string(ERR_get_error(), NULL));
896 ENGINE_remove(engine);
897 ENGINE_free(engine);
898 return -1;
899 }
900 post += 2;
901 }
902 ENGINE_free(engine);
903
904 return 0;
905 }
906
907
908 /**
909 * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
910 * @pkcs11_so_path: pksc11_so_path from the configuration
911 * @pcks11_module_path: pkcs11_module_path from the configuration
912 */
tls_engine_load_dynamic_pkcs11(const char * pkcs11_so_path,const char * pkcs11_module_path)913 static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
914 const char *pkcs11_module_path)
915 {
916 char *engine_id = "pkcs11";
917 const char *pre_cmd[] = {
918 "SO_PATH", NULL /* pkcs11_so_path */,
919 "ID", NULL /* engine_id */,
920 "LIST_ADD", "1",
921 /* "NO_VCHECK", "1", */
922 "LOAD", NULL,
923 NULL, NULL
924 };
925 const char *post_cmd[] = {
926 "MODULE_PATH", NULL /* pkcs11_module_path */,
927 NULL, NULL
928 };
929
930 if (!pkcs11_so_path)
931 return 0;
932
933 pre_cmd[1] = pkcs11_so_path;
934 pre_cmd[3] = engine_id;
935 if (pkcs11_module_path)
936 post_cmd[1] = pkcs11_module_path;
937 else
938 post_cmd[0] = NULL;
939
940 wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
941 pkcs11_so_path);
942
943 return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id);
944 }
945
946
947 /**
948 * tls_engine_load_dynamic_opensc - load the opensc engine provided by opensc
949 * @opensc_so_path: opensc_so_path from the configuration
950 */
tls_engine_load_dynamic_opensc(const char * opensc_so_path)951 static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
952 {
953 char *engine_id = "opensc";
954 const char *pre_cmd[] = {
955 "SO_PATH", NULL /* opensc_so_path */,
956 "ID", NULL /* engine_id */,
957 "LIST_ADD", "1",
958 "LOAD", NULL,
959 NULL, NULL
960 };
961
962 if (!opensc_so_path)
963 return 0;
964
965 pre_cmd[1] = opensc_so_path;
966 pre_cmd[3] = engine_id;
967
968 wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s",
969 opensc_so_path);
970
971 return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id);
972 }
973 #endif /* OPENSSL_NO_ENGINE */
974
975
get_session_data(struct tls_context * context,const struct wpabuf * buf)976 static struct tls_session_data * get_session_data(struct tls_context *context,
977 const struct wpabuf *buf)
978 {
979 struct tls_session_data *data;
980
981 dl_list_for_each(data, &context->sessions, struct tls_session_data,
982 list) {
983 if (data->buf == buf)
984 return data;
985 }
986
987 return NULL;
988 }
989
990
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)991 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
992 {
993 struct wpabuf *buf;
994 struct tls_context *context;
995 struct tls_session_data *found;
996
997 wpa_printf(MSG_DEBUG,
998 "OpenSSL: Remove session %p (tls_ex_idx_session=%d)", sess,
999 tls_ex_idx_session);
1000
1001 if (tls_ex_idx_session < 0)
1002 return;
1003 buf = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
1004 if (!buf)
1005 return;
1006
1007 context = SSL_CTX_get_app_data(ctx);
1008 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, NULL);
1009 found = get_session_data(context, buf);
1010 if (!found) {
1011 wpa_printf(MSG_DEBUG,
1012 "OpenSSL: Do not free application session data %p (sess %p)",
1013 buf, sess);
1014 return;
1015 }
1016
1017 dl_list_del(&found->list);
1018 os_free(found);
1019 wpa_printf(MSG_DEBUG,
1020 "OpenSSL: Free application session data %p (sess %p)",
1021 buf, sess);
1022 wpabuf_free(buf);
1023 }
1024
1025
tls_init(const struct tls_config * conf)1026 void * tls_init(const struct tls_config *conf)
1027 {
1028 struct tls_data *data;
1029 SSL_CTX *ssl;
1030 struct tls_context *context;
1031 const char *ciphers;
1032 #ifndef OPENSSL_NO_ENGINE
1033 #ifdef CONFIG_OPENSC_ENGINE_PATH
1034 char const * const opensc_engine_path = CONFIG_OPENSC_ENGINE_PATH;
1035 #else /* CONFIG_OPENSC_ENGINE_PATH */
1036 char const * const opensc_engine_path =
1037 conf ? conf->opensc_engine_path : NULL;
1038 #endif /* CONFIG_OPENSC_ENGINE_PATH */
1039 #ifdef CONFIG_PKCS11_ENGINE_PATH
1040 char const * const pkcs11_engine_path = CONFIG_PKCS11_ENGINE_PATH;
1041 #else /* CONFIG_PKCS11_ENGINE_PATH */
1042 char const * const pkcs11_engine_path =
1043 conf ? conf->pkcs11_engine_path : NULL;
1044 #endif /* CONFIG_PKCS11_ENGINE_PATH */
1045 #ifdef CONFIG_PKCS11_MODULE_PATH
1046 char const * const pkcs11_module_path = CONFIG_PKCS11_MODULE_PATH;
1047 #else /* CONFIG_PKCS11_MODULE_PATH */
1048 char const * const pkcs11_module_path =
1049 conf ? conf->pkcs11_module_path : NULL;
1050 #endif /* CONFIG_PKCS11_MODULE_PATH */
1051 #endif /* OPENSSL_NO_ENGINE */
1052
1053 if (tls_openssl_ref_count == 0) {
1054 void openssl_load_legacy_provider(void);
1055
1056 openssl_load_legacy_provider();
1057
1058 tls_global = context = tls_context_new(conf);
1059 if (context == NULL)
1060 return NULL;
1061 #ifdef CONFIG_FIPS
1062 #ifdef OPENSSL_FIPS
1063 if (conf && conf->fips_mode) {
1064 static int fips_enabled = 0;
1065
1066 if (!fips_enabled && !FIPS_mode_set(1)) {
1067 wpa_printf(MSG_ERROR, "Failed to enable FIPS "
1068 "mode");
1069 ERR_load_crypto_strings();
1070 ERR_print_errors_fp(stderr);
1071 os_free(tls_global);
1072 tls_global = NULL;
1073 return NULL;
1074 } else {
1075 wpa_printf(MSG_INFO, "Running in FIPS mode");
1076 fips_enabled = 1;
1077 }
1078 }
1079 #else /* OPENSSL_FIPS */
1080 if (conf && conf->fips_mode) {
1081 wpa_printf(MSG_ERROR, "FIPS mode requested, but not "
1082 "supported");
1083 os_free(tls_global);
1084 tls_global = NULL;
1085 return NULL;
1086 }
1087 #endif /* OPENSSL_FIPS */
1088 #endif /* CONFIG_FIPS */
1089 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1090 SSL_load_error_strings();
1091 SSL_library_init();
1092 #ifndef OPENSSL_NO_SHA256
1093 EVP_add_digest(EVP_sha256());
1094 #endif /* OPENSSL_NO_SHA256 */
1095 /* TODO: if /dev/urandom is available, PRNG is seeded
1096 * automatically. If this is not the case, random data should
1097 * be added here. */
1098
1099 #ifdef PKCS12_FUNCS
1100 #ifndef OPENSSL_NO_RC2
1101 /*
1102 * 40-bit RC2 is commonly used in PKCS#12 files, so enable it.
1103 * This is enabled by PKCS12_PBE_add() in OpenSSL 0.9.8
1104 * versions, but it looks like OpenSSL 1.0.0 does not do that
1105 * anymore.
1106 */
1107 EVP_add_cipher(EVP_rc2_40_cbc());
1108 #endif /* OPENSSL_NO_RC2 */
1109 PKCS12_PBE_add();
1110 #endif /* PKCS12_FUNCS */
1111 #endif /* < 1.1.0 */
1112 } else {
1113 context = tls_context_new(conf);
1114 if (context == NULL)
1115 return NULL;
1116 }
1117 tls_openssl_ref_count++;
1118
1119 data = os_zalloc(sizeof(*data));
1120 if (data)
1121 ssl = SSL_CTX_new(SSLv23_method());
1122 else
1123 ssl = NULL;
1124 if (ssl == NULL) {
1125 tls_openssl_ref_count--;
1126 if (context != tls_global)
1127 os_free(context);
1128 if (tls_openssl_ref_count == 0) {
1129 os_free(tls_global);
1130 tls_global = NULL;
1131 }
1132 os_free(data);
1133 return NULL;
1134 }
1135 data->ssl = ssl;
1136 if (conf) {
1137 data->tls_session_lifetime = conf->tls_session_lifetime;
1138 data->crl_reload_interval = conf->crl_reload_interval;
1139 }
1140
1141 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
1142 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
1143
1144 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1145
1146 #ifdef SSL_MODE_NO_AUTO_CHAIN
1147 /* Number of deployed use cases assume the default OpenSSL behavior of
1148 * auto chaining the local certificate is in use. BoringSSL removed this
1149 * functionality by default, so we need to restore it here to avoid
1150 * breaking existing use cases. */
1151 SSL_CTX_clear_mode(ssl, SSL_MODE_NO_AUTO_CHAIN);
1152 #endif /* SSL_MODE_NO_AUTO_CHAIN */
1153
1154 SSL_CTX_set_info_callback(ssl, ssl_info_cb);
1155 SSL_CTX_set_app_data(ssl, context);
1156 if (data->tls_session_lifetime > 0) {
1157 SSL_CTX_set_quiet_shutdown(ssl, 1);
1158 /*
1159 * Set default context here. In practice, this will be replaced
1160 * by the per-EAP method context in tls_connection_set_verify().
1161 */
1162 SSL_CTX_set_session_id_context(ssl, (u8 *) "hostapd", 7);
1163 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_SERVER);
1164 SSL_CTX_set_timeout(ssl, data->tls_session_lifetime);
1165 SSL_CTX_sess_set_remove_cb(ssl, remove_session_cb);
1166 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && \
1167 !defined(LIBRESSL_VERSION_NUMBER) && \
1168 !defined(OPENSSL_IS_BORINGSSL)
1169 /* One session ticket is sufficient for EAP-TLS */
1170 SSL_CTX_set_num_tickets(ssl, 1);
1171 #endif
1172 } else {
1173 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_OFF);
1174 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && \
1175 !defined(LIBRESSL_VERSION_NUMBER) && \
1176 !defined(OPENSSL_IS_BORINGSSL)
1177 SSL_CTX_set_num_tickets(ssl, 0);
1178 #endif
1179 }
1180
1181 if (tls_ex_idx_session < 0) {
1182 tls_ex_idx_session = SSL_SESSION_get_ex_new_index(
1183 0, NULL, NULL, NULL, NULL);
1184 if (tls_ex_idx_session < 0) {
1185 tls_deinit(data);
1186 return NULL;
1187 }
1188 }
1189
1190 #ifndef OPENSSL_NO_ENGINE
1191 wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines");
1192 ENGINE_load_builtin_engines();
1193
1194 if (opensc_engine_path || pkcs11_engine_path || pkcs11_module_path) {
1195 if (tls_engine_load_dynamic_opensc(opensc_engine_path) ||
1196 tls_engine_load_dynamic_pkcs11(pkcs11_engine_path,
1197 pkcs11_module_path)) {
1198 tls_deinit(data);
1199 return NULL;
1200 }
1201 }
1202 #endif /* OPENSSL_NO_ENGINE */
1203
1204 if (conf && conf->openssl_ciphers)
1205 ciphers = conf->openssl_ciphers;
1206 else
1207 ciphers = TLS_DEFAULT_CIPHERS;
1208 if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
1209 wpa_printf(MSG_ERROR,
1210 "OpenSSL: Failed to set cipher string '%s'",
1211 ciphers);
1212 tls_deinit(data);
1213 return NULL;
1214 }
1215
1216 return data;
1217 }
1218
1219
tls_deinit(void * ssl_ctx)1220 void tls_deinit(void *ssl_ctx)
1221 {
1222 struct tls_data *data = ssl_ctx;
1223 SSL_CTX *ssl = data->ssl;
1224 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1225 struct tls_session_data *sess_data;
1226
1227 if (data->tls_session_lifetime > 0) {
1228 wpa_printf(MSG_DEBUG, "OpenSSL: Flush sessions");
1229 SSL_CTX_flush_sessions(ssl, 0);
1230 wpa_printf(MSG_DEBUG, "OpenSSL: Flush sessions - done");
1231 }
1232 while ((sess_data = dl_list_first(&context->sessions,
1233 struct tls_session_data, list))) {
1234 wpa_printf(MSG_DEBUG,
1235 "OpenSSL: Freeing not-flushed session data %p",
1236 sess_data->buf);
1237 wpabuf_free(sess_data->buf);
1238 dl_list_del(&sess_data->list);
1239 os_free(sess_data);
1240 }
1241 if (context != tls_global)
1242 os_free(context);
1243 os_free(data->ca_cert);
1244 SSL_CTX_free(ssl);
1245
1246 tls_openssl_ref_count--;
1247 if (tls_openssl_ref_count == 0) {
1248 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1249 #ifndef OPENSSL_NO_ENGINE
1250 ENGINE_cleanup();
1251 #endif /* OPENSSL_NO_ENGINE */
1252 CRYPTO_cleanup_all_ex_data();
1253 ERR_remove_thread_state(NULL);
1254 ERR_free_strings();
1255 EVP_cleanup();
1256 #endif /* < 1.1.0 */
1257 os_free(tls_global->ocsp_stapling_response);
1258 tls_global->ocsp_stapling_response = NULL;
1259 os_free(tls_global);
1260 tls_global = NULL;
1261 }
1262
1263 os_free(data->check_cert_subject);
1264 os_free(data);
1265 }
1266
1267
1268 #ifndef OPENSSL_NO_ENGINE
1269
1270 /* Cryptoki return values */
1271 #define CKR_PIN_INCORRECT 0x000000a0
1272 #define CKR_PIN_INVALID 0x000000a1
1273 #define CKR_PIN_LEN_RANGE 0x000000a2
1274
1275 /* libp11 */
1276 #define ERR_LIB_PKCS11 ERR_LIB_USER
1277
tls_is_pin_error(unsigned int err)1278 static int tls_is_pin_error(unsigned int err)
1279 {
1280 return ERR_GET_LIB(err) == ERR_LIB_PKCS11 &&
1281 (ERR_GET_REASON(err) == CKR_PIN_INCORRECT ||
1282 ERR_GET_REASON(err) == CKR_PIN_INVALID ||
1283 ERR_GET_REASON(err) == CKR_PIN_LEN_RANGE);
1284 }
1285
1286 #endif /* OPENSSL_NO_ENGINE */
1287
1288
1289 #ifdef ANDROID
1290 /* EVP_PKEY_from_keystore comes from system/security/keystore-engine. */
1291 EVP_PKEY * EVP_PKEY_from_keystore(const char *key_id);
1292 #endif /* ANDROID */
1293
tls_engine_init(struct tls_connection * conn,const char * engine_id,const char * pin,const char * key_id,const char * cert_id,const char * ca_cert_id)1294 static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
1295 const char *pin, const char *key_id,
1296 const char *cert_id, const char *ca_cert_id)
1297 {
1298 #if defined(ANDROID) && defined(OPENSSL_IS_BORINGSSL)
1299 #if !defined(OPENSSL_NO_ENGINE)
1300 #error "This code depends on OPENSSL_NO_ENGINE being defined by BoringSSL."
1301 #endif
1302 if (!key_id)
1303 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1304 conn->engine = NULL;
1305 conn->private_key = EVP_PKEY_from_keystore(key_id);
1306 if (!conn->private_key) {
1307 wpa_printf(MSG_ERROR,
1308 "ENGINE: cannot load private key with id '%s' [%s]",
1309 key_id,
1310 ERR_error_string(ERR_get_error(), NULL));
1311 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1312 }
1313 #endif /* ANDROID && OPENSSL_IS_BORINGSSL */
1314
1315 #ifndef OPENSSL_NO_ENGINE
1316 int ret = -1;
1317 if (engine_id == NULL) {
1318 wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
1319 return -1;
1320 }
1321
1322 ERR_clear_error();
1323 #ifdef ANDROID
1324 ENGINE_load_dynamic();
1325 #endif
1326 conn->engine = ENGINE_by_id(engine_id);
1327 if (!conn->engine) {
1328 wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
1329 engine_id, ERR_error_string(ERR_get_error(), NULL));
1330 goto err;
1331 }
1332 if (ENGINE_init(conn->engine) != 1) {
1333 wpa_printf(MSG_ERROR, "ENGINE: engine init failed "
1334 "(engine: %s) [%s]", engine_id,
1335 ERR_error_string(ERR_get_error(), NULL));
1336 goto err;
1337 }
1338 wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
1339
1340 #ifndef ANDROID
1341 if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
1342 wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
1343 ERR_error_string(ERR_get_error(), NULL));
1344 goto err;
1345 }
1346 #endif
1347 if (key_id) {
1348 /*
1349 * Ensure that the ENGINE does not attempt to use the OpenSSL
1350 * UI system to obtain a PIN, if we didn't provide one.
1351 */
1352 struct {
1353 const void *password;
1354 const char *prompt_info;
1355 } key_cb = { "", NULL };
1356
1357 /* load private key first in-case PIN is required for cert */
1358 conn->private_key = ENGINE_load_private_key(conn->engine,
1359 key_id, NULL,
1360 &key_cb);
1361 if (!conn->private_key) {
1362 unsigned long err = ERR_get_error();
1363
1364 wpa_printf(MSG_ERROR,
1365 "ENGINE: cannot load private key with id '%s' [%s]",
1366 key_id,
1367 ERR_error_string(err, NULL));
1368 if (tls_is_pin_error(err))
1369 ret = TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
1370 else
1371 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1372 goto err;
1373 }
1374 }
1375
1376 /* handle a certificate and/or CA certificate */
1377 if (cert_id || ca_cert_id) {
1378 const char *cmd_name = "LOAD_CERT_CTRL";
1379
1380 /* test if the engine supports a LOAD_CERT_CTRL */
1381 if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
1382 0, (void *)cmd_name, NULL)) {
1383 wpa_printf(MSG_ERROR, "ENGINE: engine does not support"
1384 " loading certificates");
1385 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1386 goto err;
1387 }
1388 }
1389
1390 return 0;
1391
1392 err:
1393 if (conn->engine) {
1394 ENGINE_free(conn->engine);
1395 conn->engine = NULL;
1396 }
1397
1398 if (conn->private_key) {
1399 EVP_PKEY_free(conn->private_key);
1400 conn->private_key = NULL;
1401 }
1402
1403 return ret;
1404 #else /* OPENSSL_NO_ENGINE */
1405 return 0;
1406 #endif /* OPENSSL_NO_ENGINE */
1407 }
1408
1409
tls_engine_deinit(struct tls_connection * conn)1410 static void tls_engine_deinit(struct tls_connection *conn)
1411 {
1412 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
1413 wpa_printf(MSG_DEBUG, "ENGINE: engine deinit");
1414 if (conn->private_key) {
1415 EVP_PKEY_free(conn->private_key);
1416 conn->private_key = NULL;
1417 }
1418 if (conn->engine) {
1419 #if !defined(OPENSSL_IS_BORINGSSL)
1420 ENGINE_finish(conn->engine);
1421 #endif /* !OPENSSL_IS_BORINGSSL */
1422 conn->engine = NULL;
1423 }
1424 #endif /* ANDROID || !OPENSSL_NO_ENGINE */
1425 }
1426
1427
tls_get_errors(void * ssl_ctx)1428 int tls_get_errors(void *ssl_ctx)
1429 {
1430 int count = 0;
1431 unsigned long err;
1432
1433 while ((err = ERR_get_error())) {
1434 wpa_printf(MSG_INFO, "TLS - SSL error: %s",
1435 ERR_error_string(err, NULL));
1436 count++;
1437 }
1438
1439 return count;
1440 }
1441
1442
openssl_content_type(int content_type)1443 static const char * openssl_content_type(int content_type)
1444 {
1445 switch (content_type) {
1446 case 20:
1447 return "change cipher spec";
1448 case 21:
1449 return "alert";
1450 case 22:
1451 return "handshake";
1452 case 23:
1453 return "application data";
1454 case 24:
1455 return "heartbeat";
1456 case 256:
1457 return "TLS header info"; /* pseudo content type */
1458 case 257:
1459 return "inner content type"; /* pseudo content type */
1460 default:
1461 return "?";
1462 }
1463 }
1464
1465
openssl_handshake_type(int content_type,const u8 * buf,size_t len)1466 static const char * openssl_handshake_type(int content_type, const u8 *buf,
1467 size_t len)
1468 {
1469 if (content_type == 257 && buf && len == 1)
1470 return openssl_content_type(buf[0]);
1471 if (content_type != 22 || !buf || len == 0)
1472 return "";
1473 switch (buf[0]) {
1474 case 0:
1475 return "hello request";
1476 case 1:
1477 return "client hello";
1478 case 2:
1479 return "server hello";
1480 case 3:
1481 return "hello verify request";
1482 case 4:
1483 return "new session ticket";
1484 case 5:
1485 return "end of early data";
1486 case 6:
1487 return "hello retry request";
1488 case 8:
1489 return "encrypted extensions";
1490 case 11:
1491 return "certificate";
1492 case 12:
1493 return "server key exchange";
1494 case 13:
1495 return "certificate request";
1496 case 14:
1497 return "server hello done";
1498 case 15:
1499 return "certificate verify";
1500 case 16:
1501 return "client key exchange";
1502 case 20:
1503 return "finished";
1504 case 21:
1505 return "certificate url";
1506 case 22:
1507 return "certificate status";
1508 case 23:
1509 return "supplemental data";
1510 case 24:
1511 return "key update";
1512 case 254:
1513 return "message hash";
1514 default:
1515 return "?";
1516 }
1517 }
1518
1519
1520 #ifdef CONFIG_SUITEB
1521
check_server_hello(struct tls_connection * conn,const u8 * pos,const u8 * end)1522 static void check_server_hello(struct tls_connection *conn,
1523 const u8 *pos, const u8 *end)
1524 {
1525 size_t payload_len, id_len;
1526
1527 /*
1528 * Parse ServerHello to get the selected cipher suite since OpenSSL does
1529 * not make it cleanly available during handshake and we need to know
1530 * whether DHE was selected.
1531 */
1532
1533 if (end - pos < 3)
1534 return;
1535 payload_len = WPA_GET_BE24(pos);
1536 pos += 3;
1537
1538 if ((size_t) (end - pos) < payload_len)
1539 return;
1540 end = pos + payload_len;
1541
1542 /* Skip Version and Random */
1543 if (end - pos < 2 + SSL3_RANDOM_SIZE)
1544 return;
1545 pos += 2 + SSL3_RANDOM_SIZE;
1546
1547 /* Skip Session ID */
1548 if (end - pos < 1)
1549 return;
1550 id_len = *pos++;
1551 if ((size_t) (end - pos) < id_len)
1552 return;
1553 pos += id_len;
1554
1555 if (end - pos < 2)
1556 return;
1557 conn->cipher_suite = WPA_GET_BE16(pos);
1558 wpa_printf(MSG_DEBUG, "OpenSSL: Server selected cipher suite 0x%x",
1559 conn->cipher_suite);
1560 }
1561
1562
check_server_key_exchange(SSL * ssl,struct tls_connection * conn,const u8 * pos,const u8 * end)1563 static void check_server_key_exchange(SSL *ssl, struct tls_connection *conn,
1564 const u8 *pos, const u8 *end)
1565 {
1566 size_t payload_len;
1567 u16 dh_len;
1568 BIGNUM *p;
1569 int bits;
1570
1571 if (!(conn->flags & TLS_CONN_SUITEB))
1572 return;
1573
1574 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
1575 if (conn->cipher_suite != 0x9f)
1576 return;
1577
1578 if (end - pos < 3)
1579 return;
1580 payload_len = WPA_GET_BE24(pos);
1581 pos += 3;
1582
1583 if ((size_t) (end - pos) < payload_len)
1584 return;
1585 end = pos + payload_len;
1586
1587 if (end - pos < 2)
1588 return;
1589 dh_len = WPA_GET_BE16(pos);
1590 pos += 2;
1591
1592 if ((size_t) (end - pos) < dh_len)
1593 return;
1594 p = BN_bin2bn(pos, dh_len, NULL);
1595 if (!p)
1596 return;
1597
1598 bits = BN_num_bits(p);
1599 BN_free(p);
1600
1601 conn->server_dh_prime_len = bits;
1602 wpa_printf(MSG_DEBUG, "OpenSSL: Server DH prime length: %d bits",
1603 conn->server_dh_prime_len);
1604 }
1605
1606 #endif /* CONFIG_SUITEB */
1607
1608
tls_msg_cb(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg)1609 static void tls_msg_cb(int write_p, int version, int content_type,
1610 const void *buf, size_t len, SSL *ssl, void *arg)
1611 {
1612 struct tls_connection *conn = arg;
1613 const u8 *pos = buf;
1614
1615 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1616 if ((SSL_version(ssl) == TLS1_VERSION ||
1617 SSL_version(ssl) == TLS1_1_VERSION) &&
1618 SSL_get_security_level(ssl) > 0) {
1619 wpa_printf(MSG_DEBUG,
1620 "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
1621 SSL_set_security_level(ssl, 0);
1622 }
1623 #endif /* OpenSSL version >= 3.0 */
1624 if (write_p == 2) {
1625 wpa_printf(MSG_DEBUG,
1626 "OpenSSL: session ver=0x%x content_type=%d",
1627 version, content_type);
1628 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Data", buf, len);
1629 return;
1630 }
1631
1632 wpa_printf(MSG_DEBUG, "OpenSSL: %s ver=0x%x content_type=%d (%s/%s)",
1633 write_p ? "TX" : "RX", version, content_type,
1634 openssl_content_type(content_type),
1635 openssl_handshake_type(content_type, buf, len));
1636 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Message", buf, len);
1637 if (content_type == 24 && len >= 3 && pos[0] == 1) {
1638 size_t payload_len = WPA_GET_BE16(pos + 1);
1639 if (payload_len + 3 > len) {
1640 wpa_printf(MSG_ERROR, "OpenSSL: Heartbeat attack detected");
1641 conn->invalid_hb_used = 1;
1642 }
1643 }
1644
1645 #ifdef CONFIG_SUITEB
1646 /*
1647 * Need to parse these handshake messages to be able to check DH prime
1648 * length since OpenSSL does not expose the new cipher suite and DH
1649 * parameters during handshake (e.g., for cert_cb() callback).
1650 */
1651 if (content_type == 22 && pos && len > 0 && pos[0] == 2)
1652 check_server_hello(conn, pos + 1, pos + len);
1653 if (content_type == 22 && pos && len > 0 && pos[0] == 12)
1654 check_server_key_exchange(ssl, conn, pos + 1, pos + len);
1655 #endif /* CONFIG_SUITEB */
1656 }
1657
1658
1659 #ifdef CONFIG_TESTING_OPTIONS
1660 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
1661 /*
1662 * By setting the environment variable SSLKEYLOGFILE to a filename keying
1663 * material will be exported that you may use with Wireshark to decode any
1664 * TLS flows. Please see the following for more details:
1665 *
1666 * https://gitlab.com/wireshark/wireshark/-/wikis/TLS#tls-decryption
1667 *
1668 * Example logging sessions are (you should delete the file on each run):
1669 *
1670 * rm -f /tmp/sslkey.log
1671 * env SSLKEYLOGFILE=/tmp/sslkey.log hostapd ...
1672 *
1673 * rm -f /tmp/sslkey.log
1674 * env SSLKEYLOGFILE=/tmp/sslkey.log wpa_supplicant ...
1675 *
1676 * rm -f /tmp/sslkey.log
1677 * env SSLKEYLOGFILE=/tmp/sslkey.log eapol_test ...
1678 */
tls_keylog_cb(const SSL * ssl,const char * line)1679 static void tls_keylog_cb(const SSL *ssl, const char *line)
1680 {
1681 int fd;
1682 const char *filename;
1683 struct iovec iov[2];
1684
1685 filename = getenv("SSLKEYLOGFILE");
1686 if (!filename)
1687 return;
1688
1689 fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
1690 if (fd < 0) {
1691 wpa_printf(MSG_ERROR,
1692 "OpenSSL: Failed to open keylog file %s: %s",
1693 filename, strerror(errno));
1694 return;
1695 }
1696
1697 /* Assume less than _POSIX_PIPE_BUF (512) where writes are guaranteed
1698 * to be atomic for O_APPEND. */
1699 iov[0].iov_base = (void *) line;
1700 iov[0].iov_len = os_strlen(line);
1701 iov[1].iov_base = "\n";
1702 iov[1].iov_len = 1;
1703
1704 if (writev(fd, iov, ARRAY_SIZE(iov)) < 01) {
1705 wpa_printf(MSG_DEBUG,
1706 "OpenSSL: Failed to write to keylog file %s: %s",
1707 filename, strerror(errno));
1708 }
1709
1710 close(fd);
1711 }
1712 #endif
1713 #endif /* CONFIG_TESTING_OPTIONS */
1714
1715
tls_connection_init(void * ssl_ctx)1716 struct tls_connection * tls_connection_init(void *ssl_ctx)
1717 {
1718 struct tls_data *data = ssl_ctx;
1719 SSL_CTX *ssl = data->ssl;
1720 struct tls_connection *conn;
1721 long options;
1722 X509_STORE *new_cert_store;
1723 struct os_reltime now;
1724 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1725
1726 /* Replace X509 store if it is time to update CRL. */
1727 if (data->crl_reload_interval > 0 && os_get_reltime(&now) == 0 &&
1728 os_reltime_expired(&now, &data->crl_last_reload,
1729 data->crl_reload_interval)) {
1730 wpa_printf(MSG_INFO,
1731 "OpenSSL: Flushing X509 store with ca_cert file");
1732 new_cert_store = tls_crl_cert_reload(data->ca_cert,
1733 data->check_crl);
1734 if (!new_cert_store) {
1735 wpa_printf(MSG_ERROR,
1736 "OpenSSL: Error replacing X509 store with ca_cert file");
1737 } else {
1738 /* Replace old store */
1739 SSL_CTX_set_cert_store(ssl, new_cert_store);
1740 data->crl_last_reload = now;
1741 }
1742 }
1743
1744 conn = os_zalloc(sizeof(*conn));
1745 if (conn == NULL)
1746 return NULL;
1747 conn->data = data;
1748 conn->ssl_ctx = ssl;
1749 conn->ssl = SSL_new(ssl);
1750 if (conn->ssl == NULL) {
1751 tls_show_errors(MSG_INFO, __func__,
1752 "Failed to initialize new SSL connection");
1753 os_free(conn);
1754 return NULL;
1755 }
1756
1757 conn->context = context;
1758 SSL_set_app_data(conn->ssl, conn);
1759 SSL_set_msg_callback(conn->ssl, tls_msg_cb);
1760 SSL_set_msg_callback_arg(conn->ssl, conn);
1761 options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
1762 SSL_OP_SINGLE_DH_USE;
1763 #ifdef SSL_OP_NO_COMPRESSION
1764 options |= SSL_OP_NO_COMPRESSION;
1765 #endif /* SSL_OP_NO_COMPRESSION */
1766 SSL_set_options(conn->ssl, options);
1767 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
1768 /* Hopefully there is no need for middlebox compatibility mechanisms
1769 * when going through EAP authentication. */
1770 SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
1771 #endif
1772
1773 #ifdef CONFIG_TESTING_OPTIONS
1774 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
1775 /* Set the keylog file if the admin requested it. */
1776 if (getenv("SSLKEYLOGFILE"))
1777 SSL_CTX_set_keylog_callback(conn->ssl_ctx, tls_keylog_cb);
1778 #endif
1779 #endif /* CONFIG_TESTING_OPTIONS */
1780
1781 conn->ssl_in = BIO_new(BIO_s_mem());
1782 if (!conn->ssl_in) {
1783 tls_show_errors(MSG_INFO, __func__,
1784 "Failed to create a new BIO for ssl_in");
1785 SSL_free(conn->ssl);
1786 os_free(conn);
1787 return NULL;
1788 }
1789
1790 conn->ssl_out = BIO_new(BIO_s_mem());
1791 if (!conn->ssl_out) {
1792 tls_show_errors(MSG_INFO, __func__,
1793 "Failed to create a new BIO for ssl_out");
1794 SSL_free(conn->ssl);
1795 BIO_free(conn->ssl_in);
1796 os_free(conn);
1797 return NULL;
1798 }
1799
1800 SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out);
1801
1802 return conn;
1803 }
1804
1805
tls_connection_deinit(void * ssl_ctx,struct tls_connection * conn)1806 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
1807 {
1808 if (conn == NULL)
1809 return;
1810 if (conn->success_data) {
1811 /*
1812 * Make sure ssl_clear_bad_session() does not remove this
1813 * session.
1814 */
1815 SSL_set_quiet_shutdown(conn->ssl, 1);
1816 SSL_shutdown(conn->ssl);
1817 }
1818 SSL_free(conn->ssl);
1819 tls_engine_deinit(conn);
1820 os_free(conn->subject_match);
1821 os_free(conn->altsubject_match);
1822 os_free(conn->suffix_match);
1823 os_free(conn->domain_match);
1824 os_free(conn->check_cert_subject);
1825 os_free(conn->session_ticket);
1826 os_free(conn->peer_subject);
1827 os_free(conn);
1828 }
1829
1830
tls_connection_established(void * ssl_ctx,struct tls_connection * conn)1831 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
1832 {
1833 return conn ? SSL_is_init_finished(conn->ssl) : 0;
1834 }
1835
1836
tls_connection_peer_serial_num(void * tls_ctx,struct tls_connection * conn)1837 char * tls_connection_peer_serial_num(void *tls_ctx,
1838 struct tls_connection *conn)
1839 {
1840 ASN1_INTEGER *ser;
1841 char *serial_num;
1842 size_t len;
1843
1844 if (!conn->peer_cert)
1845 return NULL;
1846
1847 ser = X509_get_serialNumber(conn->peer_cert);
1848 if (!ser)
1849 return NULL;
1850
1851 len = ASN1_STRING_length(ser) * 2 + 1;
1852 serial_num = os_malloc(len);
1853 if (!serial_num)
1854 return NULL;
1855 wpa_snprintf_hex_uppercase(serial_num, len,
1856 ASN1_STRING_get0_data(ser),
1857 ASN1_STRING_length(ser));
1858 return serial_num;
1859 }
1860
1861
tls_connection_shutdown(void * ssl_ctx,struct tls_connection * conn)1862 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
1863 {
1864 if (conn == NULL)
1865 return -1;
1866
1867 /* Shutdown previous TLS connection without notifying the peer
1868 * because the connection was already terminated in practice
1869 * and "close notify" shutdown alert would confuse AS. */
1870 SSL_set_quiet_shutdown(conn->ssl, 1);
1871 SSL_shutdown(conn->ssl);
1872 return SSL_clear(conn->ssl) == 1 ? 0 : -1;
1873 }
1874
1875
tls_match_altsubject_component(X509 * cert,int type,const char * value,size_t len)1876 static int tls_match_altsubject_component(X509 *cert, int type,
1877 const char *value, size_t len)
1878 {
1879 GENERAL_NAME *gen;
1880 void *ext;
1881 int found = 0;
1882 stack_index_t i;
1883
1884 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
1885
1886 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
1887 gen = sk_GENERAL_NAME_value(ext, i);
1888 if (gen->type != type)
1889 continue;
1890 if (os_strlen((char *) gen->d.ia5->data) == len &&
1891 os_memcmp(value, gen->d.ia5->data, len) == 0)
1892 found++;
1893 }
1894
1895 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
1896
1897 return found;
1898 }
1899
1900
tls_match_altsubject(X509 * cert,const char * match)1901 static int tls_match_altsubject(X509 *cert, const char *match)
1902 {
1903 int type;
1904 const char *pos, *end;
1905 size_t len;
1906
1907 pos = match;
1908 do {
1909 if (os_strncmp(pos, "EMAIL:", 6) == 0) {
1910 type = GEN_EMAIL;
1911 pos += 6;
1912 } else if (os_strncmp(pos, "DNS:", 4) == 0) {
1913 type = GEN_DNS;
1914 pos += 4;
1915 } else if (os_strncmp(pos, "URI:", 4) == 0) {
1916 type = GEN_URI;
1917 pos += 4;
1918 } else {
1919 wpa_printf(MSG_INFO, "TLS: Invalid altSubjectName "
1920 "match '%s'", pos);
1921 return 0;
1922 }
1923 end = os_strchr(pos, ';');
1924 while (end) {
1925 if (os_strncmp(end + 1, "EMAIL:", 6) == 0 ||
1926 os_strncmp(end + 1, "DNS:", 4) == 0 ||
1927 os_strncmp(end + 1, "URI:", 4) == 0)
1928 break;
1929 end = os_strchr(end + 1, ';');
1930 }
1931 if (end)
1932 len = end - pos;
1933 else
1934 len = os_strlen(pos);
1935 if (tls_match_altsubject_component(cert, type, pos, len) > 0)
1936 return 1;
1937 pos = end + 1;
1938 } while (end);
1939
1940 return 0;
1941 }
1942
1943
1944 #ifndef CONFIG_NATIVE_WINDOWS
domain_suffix_match(const u8 * val,size_t len,const char * match,size_t match_len,int full)1945 static int domain_suffix_match(const u8 *val, size_t len, const char *match,
1946 size_t match_len, int full)
1947 {
1948 size_t i;
1949
1950 /* Check for embedded nuls that could mess up suffix matching */
1951 for (i = 0; i < len; i++) {
1952 if (val[i] == '\0') {
1953 wpa_printf(MSG_DEBUG, "TLS: Embedded null in a string - reject");
1954 return 0;
1955 }
1956 }
1957
1958 if (match_len > len || (full && match_len != len))
1959 return 0;
1960
1961 if (os_strncasecmp((const char *) val + len - match_len, match,
1962 match_len) != 0)
1963 return 0; /* no match */
1964
1965 if (match_len == len)
1966 return 1; /* exact match */
1967
1968 if (val[len - match_len - 1] == '.')
1969 return 1; /* full label match completes suffix match */
1970
1971 wpa_printf(MSG_DEBUG, "TLS: Reject due to incomplete label match");
1972 return 0;
1973 }
1974 #endif /* CONFIG_NATIVE_WINDOWS */
1975
1976
1977 struct tls_dn_field_order_cnt {
1978 u8 cn;
1979 u8 c;
1980 u8 l;
1981 u8 st;
1982 u8 o;
1983 u8 ou;
1984 u8 email;
1985 };
1986
1987
get_dn_field_index(const struct tls_dn_field_order_cnt * dn_cnt,int nid)1988 static int get_dn_field_index(const struct tls_dn_field_order_cnt *dn_cnt,
1989 int nid)
1990 {
1991 switch (nid) {
1992 case NID_commonName:
1993 return dn_cnt->cn;
1994 case NID_countryName:
1995 return dn_cnt->c;
1996 case NID_localityName:
1997 return dn_cnt->l;
1998 case NID_stateOrProvinceName:
1999 return dn_cnt->st;
2000 case NID_organizationName:
2001 return dn_cnt->o;
2002 case NID_organizationalUnitName:
2003 return dn_cnt->ou;
2004 case NID_pkcs9_emailAddress:
2005 return dn_cnt->email;
2006 default:
2007 wpa_printf(MSG_ERROR,
2008 "TLS: Unknown NID '%d' in check_cert_subject",
2009 nid);
2010 return -1;
2011 }
2012 }
2013
2014
2015 /**
2016 * match_dn_field - Match configuration DN field against Certificate DN field
2017 * @cert: Certificate
2018 * @nid: NID of DN field
2019 * @field: Field name
2020 * @value DN field value which is passed from configuration
2021 * e.g., if configuration have C=US and this argument will point to US.
2022 * @dn_cnt: DN matching context
2023 * Returns: 1 on success and 0 on failure
2024 */
match_dn_field(const X509 * cert,int nid,const char * field,const char * value,const struct tls_dn_field_order_cnt * dn_cnt)2025 static int match_dn_field(const X509 *cert, int nid, const char *field,
2026 const char *value,
2027 const struct tls_dn_field_order_cnt *dn_cnt)
2028 {
2029 int i, ret = 0, len, config_dn_field_index, match_index = 0;
2030 X509_NAME *name;
2031
2032 len = os_strlen(value);
2033 name = X509_get_subject_name((X509 *) cert);
2034
2035 /* Assign incremented cnt for every field of DN to check DN field in
2036 * right order */
2037 config_dn_field_index = get_dn_field_index(dn_cnt, nid);
2038 if (config_dn_field_index < 0)
2039 return 0;
2040
2041 /* Fetch value based on NID */
2042 for (i = -1; (i = X509_NAME_get_index_by_NID(name, nid, i)) > -1;) {
2043 X509_NAME_ENTRY *e;
2044 ASN1_STRING *cn;
2045
2046 e = X509_NAME_get_entry(name, i);
2047 if (!e)
2048 continue;
2049
2050 cn = X509_NAME_ENTRY_get_data(e);
2051 if (!cn)
2052 continue;
2053
2054 match_index++;
2055
2056 /* check for more than one DN field with same name */
2057 if (match_index != config_dn_field_index)
2058 continue;
2059
2060 /* Check wildcard at the right end side */
2061 /* E.g., if OU=develop* mentioned in configuration, allow 'OU'
2062 * of the subject in the client certificate to start with
2063 * 'develop' */
2064 if (len > 0 && value[len - 1] == '*') {
2065 /* Compare actual certificate DN field value with
2066 * configuration DN field value up to the specified
2067 * length. */
2068 ret = ASN1_STRING_length(cn) >= len - 1 &&
2069 os_memcmp(ASN1_STRING_get0_data(cn), value,
2070 len - 1) == 0;
2071 } else {
2072 /* Compare actual certificate DN field value with
2073 * configuration DN field value */
2074 ret = ASN1_STRING_length(cn) == len &&
2075 os_memcmp(ASN1_STRING_get0_data(cn), value,
2076 len) == 0;
2077 }
2078 if (!ret) {
2079 wpa_printf(MSG_ERROR,
2080 "OpenSSL: Failed to match %s '%s' with certificate DN field value '%s'",
2081 field, value, ASN1_STRING_get0_data(cn));
2082 }
2083 break;
2084 }
2085
2086 return ret;
2087 }
2088
2089
2090 /**
2091 * get_value_from_field - Get value from DN field
2092 * @cert: Certificate
2093 * @field_str: DN field string which is passed from configuration file (e.g.,
2094 * C=US)
2095 * @dn_cnt: DN matching context
2096 * Returns: 1 on success and 0 on failure
2097 */
get_value_from_field(const X509 * cert,char * field_str,struct tls_dn_field_order_cnt * dn_cnt)2098 static int get_value_from_field(const X509 *cert, char *field_str,
2099 struct tls_dn_field_order_cnt *dn_cnt)
2100 {
2101 int nid;
2102 char *context = NULL, *name, *value;
2103
2104 if (os_strcmp(field_str, "*") == 0)
2105 return 1; /* wildcard matches everything */
2106
2107 name = str_token(field_str, "=", &context);
2108 if (!name)
2109 return 0;
2110
2111 /* Compare all configured DN fields and assign nid based on that to
2112 * fetch correct value from certificate subject */
2113 if (os_strcmp(name, "CN") == 0) {
2114 nid = NID_commonName;
2115 dn_cnt->cn++;
2116 } else if(os_strcmp(name, "C") == 0) {
2117 nid = NID_countryName;
2118 dn_cnt->c++;
2119 } else if (os_strcmp(name, "L") == 0) {
2120 nid = NID_localityName;
2121 dn_cnt->l++;
2122 } else if (os_strcmp(name, "ST") == 0) {
2123 nid = NID_stateOrProvinceName;
2124 dn_cnt->st++;
2125 } else if (os_strcmp(name, "O") == 0) {
2126 nid = NID_organizationName;
2127 dn_cnt->o++;
2128 } else if (os_strcmp(name, "OU") == 0) {
2129 nid = NID_organizationalUnitName;
2130 dn_cnt->ou++;
2131 } else if (os_strcmp(name, "emailAddress") == 0) {
2132 nid = NID_pkcs9_emailAddress;
2133 dn_cnt->email++;
2134 } else {
2135 wpa_printf(MSG_ERROR,
2136 "TLS: Unknown field '%s' in check_cert_subject", name);
2137 return 0;
2138 }
2139
2140 value = str_token(field_str, "=", &context);
2141 if (!value) {
2142 wpa_printf(MSG_ERROR,
2143 "TLS: Distinguished Name field '%s' value is not defined in check_cert_subject",
2144 name);
2145 return 0;
2146 }
2147
2148 return match_dn_field(cert, nid, name, value, dn_cnt);
2149 }
2150
2151
2152 /**
2153 * tls_match_dn_field - Match subject DN field with check_cert_subject
2154 * @cert: Certificate
2155 * @match: check_cert_subject string
2156 * Returns: Return 1 on success and 0 on failure
2157 */
tls_match_dn_field(X509 * cert,const char * match)2158 static int tls_match_dn_field(X509 *cert, const char *match)
2159 {
2160 const char *token, *last = NULL;
2161 char field[256];
2162 struct tls_dn_field_order_cnt dn_cnt;
2163
2164 os_memset(&dn_cnt, 0, sizeof(dn_cnt));
2165
2166 /* Maximum length of each DN field is 255 characters */
2167
2168 /* Process each '/' delimited field */
2169 while ((token = cstr_token(match, "/", &last))) {
2170 if (last - token >= (int) sizeof(field)) {
2171 wpa_printf(MSG_ERROR,
2172 "OpenSSL: Too long DN matching field value in '%s'",
2173 match);
2174 return 0;
2175 }
2176 os_memcpy(field, token, last - token);
2177 field[last - token] = '\0';
2178
2179 if (!get_value_from_field(cert, field, &dn_cnt)) {
2180 wpa_printf(MSG_DEBUG, "OpenSSL: No match for DN '%s'",
2181 field);
2182 return 0;
2183 }
2184 }
2185
2186 return 1;
2187 }
2188
2189
2190 #ifndef CONFIG_NATIVE_WINDOWS
tls_match_suffix_helper(X509 * cert,const char * match,size_t match_len,int full)2191 static int tls_match_suffix_helper(X509 *cert, const char *match,
2192 size_t match_len, int full)
2193 {
2194 GENERAL_NAME *gen;
2195 void *ext;
2196 int i;
2197 stack_index_t j;
2198 int dns_name = 0;
2199 X509_NAME *name;
2200
2201 wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s",
2202 full ? "": "suffix ", match);
2203
2204 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
2205
2206 for (j = 0; ext && j < sk_GENERAL_NAME_num(ext); j++) {
2207 gen = sk_GENERAL_NAME_value(ext, j);
2208 if (gen->type != GEN_DNS)
2209 continue;
2210 dns_name++;
2211 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
2212 gen->d.dNSName->data,
2213 gen->d.dNSName->length);
2214 if (domain_suffix_match(gen->d.dNSName->data,
2215 gen->d.dNSName->length,
2216 match, match_len, full) == 1) {
2217 wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
2218 full ? "Match" : "Suffix match");
2219 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2220 return 1;
2221 }
2222 }
2223 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2224
2225 if (dns_name) {
2226 wpa_printf(MSG_DEBUG, "TLS: None of the dNSName(s) matched");
2227 return 0;
2228 }
2229
2230 name = X509_get_subject_name(cert);
2231 i = -1;
2232 for (;;) {
2233 X509_NAME_ENTRY *e;
2234 ASN1_STRING *cn;
2235
2236 i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
2237 if (i == -1)
2238 break;
2239 e = X509_NAME_get_entry(name, i);
2240 if (e == NULL)
2241 continue;
2242 cn = X509_NAME_ENTRY_get_data(e);
2243 if (cn == NULL)
2244 continue;
2245 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
2246 cn->data, cn->length);
2247 if (domain_suffix_match(cn->data, cn->length,
2248 match, match_len, full) == 1) {
2249 wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
2250 full ? "Match" : "Suffix match");
2251 return 1;
2252 }
2253 }
2254
2255 wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found",
2256 full ? "": "suffix ");
2257 return 0;
2258 }
2259 #endif /* CONFIG_NATIVE_WINDOWS */
2260
2261
tls_match_suffix(X509 * cert,const char * match,int full)2262 static int tls_match_suffix(X509 *cert, const char *match, int full)
2263 {
2264 #ifdef CONFIG_NATIVE_WINDOWS
2265 /* wincrypt.h has conflicting X509_NAME definition */
2266 return -1;
2267 #else /* CONFIG_NATIVE_WINDOWS */
2268 const char *token, *last = NULL;
2269
2270 /* Process each match alternative separately until a match is found */
2271 while ((token = cstr_token(match, ";", &last))) {
2272 if (tls_match_suffix_helper(cert, token, last - token, full))
2273 return 1;
2274 }
2275
2276 return 0;
2277 #endif /* CONFIG_NATIVE_WINDOWS */
2278 }
2279
2280
openssl_tls_fail_reason(int err)2281 static enum tls_fail_reason openssl_tls_fail_reason(int err)
2282 {
2283 switch (err) {
2284 case X509_V_ERR_CERT_REVOKED:
2285 return TLS_FAIL_REVOKED;
2286 case X509_V_ERR_CERT_NOT_YET_VALID:
2287 case X509_V_ERR_CRL_NOT_YET_VALID:
2288 return TLS_FAIL_NOT_YET_VALID;
2289 case X509_V_ERR_CERT_HAS_EXPIRED:
2290 case X509_V_ERR_CRL_HAS_EXPIRED:
2291 return TLS_FAIL_EXPIRED;
2292 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
2293 case X509_V_ERR_UNABLE_TO_GET_CRL:
2294 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
2295 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
2296 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
2297 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2298 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
2299 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
2300 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
2301 case X509_V_ERR_INVALID_CA:
2302 return TLS_FAIL_UNTRUSTED;
2303 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
2304 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
2305 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
2306 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
2307 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
2308 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
2309 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
2310 case X509_V_ERR_CERT_UNTRUSTED:
2311 case X509_V_ERR_CERT_REJECTED:
2312 return TLS_FAIL_BAD_CERTIFICATE;
2313 default:
2314 return TLS_FAIL_UNSPECIFIED;
2315 }
2316 }
2317
2318
get_x509_cert(X509 * cert)2319 static struct wpabuf * get_x509_cert(X509 *cert)
2320 {
2321 struct wpabuf *buf;
2322 u8 *tmp;
2323
2324 int cert_len = i2d_X509(cert, NULL);
2325 if (cert_len <= 0)
2326 return NULL;
2327
2328 buf = wpabuf_alloc(cert_len);
2329 if (buf == NULL)
2330 return NULL;
2331
2332 tmp = wpabuf_put(buf, cert_len);
2333 i2d_X509(cert, &tmp);
2334 return buf;
2335 }
2336
2337
openssl_tls_fail_event(struct tls_connection * conn,X509 * err_cert,int err,int depth,const char * subject,const char * err_str,enum tls_fail_reason reason)2338 static void openssl_tls_fail_event(struct tls_connection *conn,
2339 X509 *err_cert, int err, int depth,
2340 const char *subject, const char *err_str,
2341 enum tls_fail_reason reason)
2342 {
2343 union tls_event_data ev;
2344 struct wpabuf *cert = NULL;
2345 struct tls_context *context = conn->context;
2346
2347 #ifdef ANDROID
2348 log_cert_validation_failure(err_str);
2349 #endif
2350
2351 if (context->event_cb == NULL)
2352 return;
2353
2354 cert = get_x509_cert(err_cert);
2355 os_memset(&ev, 0, sizeof(ev));
2356 ev.cert_fail.reason = reason != TLS_FAIL_UNSPECIFIED ?
2357 reason : openssl_tls_fail_reason(err);
2358 ev.cert_fail.depth = depth;
2359 ev.cert_fail.subject = subject;
2360 ev.cert_fail.reason_txt = err_str;
2361 ev.cert_fail.cert = cert;
2362 context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
2363 wpabuf_free(cert);
2364 }
2365
2366
openssl_cert_tod(X509 * cert)2367 static int openssl_cert_tod(X509 *cert)
2368 {
2369 CERTIFICATEPOLICIES *ext;
2370 stack_index_t i;
2371 char buf[100];
2372 int res;
2373 int tod = 0;
2374
2375 ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
2376 if (!ext)
2377 return 0;
2378
2379 for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
2380 POLICYINFO *policy;
2381
2382 policy = sk_POLICYINFO_value(ext, i);
2383 res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
2384 if (res < 0 || (size_t) res >= sizeof(buf))
2385 continue;
2386 wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
2387 if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
2388 tod = 1; /* TOD-STRICT */
2389 else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
2390 tod = 2; /* TOD-TOFU */
2391 }
2392 sk_POLICYINFO_pop_free(ext, POLICYINFO_free);
2393
2394 return tod;
2395 }
2396
2397
openssl_tls_cert_event(struct tls_connection * conn,X509 * err_cert,int depth,const char * subject)2398 static void openssl_tls_cert_event(struct tls_connection *conn,
2399 X509 *err_cert, int depth,
2400 const char *subject)
2401 {
2402 struct wpabuf *cert = NULL;
2403 union tls_event_data ev;
2404 struct tls_context *context = conn->context;
2405 char *altsubject[TLS_MAX_ALT_SUBJECT];
2406 int alt, num_altsubject = 0;
2407 GENERAL_NAME *gen;
2408 void *ext;
2409 stack_index_t i;
2410 ASN1_INTEGER *ser;
2411 char serial_num[128];
2412 #ifdef CONFIG_SHA256
2413 u8 hash[32];
2414 #endif /* CONFIG_SHA256 */
2415
2416 if (context->event_cb == NULL)
2417 return;
2418
2419 os_memset(&ev, 0, sizeof(ev));
2420 if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) ||
2421 context->cert_in_cb) {
2422 cert = get_x509_cert(err_cert);
2423 ev.peer_cert.cert = cert;
2424 }
2425 #ifdef CONFIG_SHA256
2426 if (cert) {
2427 const u8 *addr[1];
2428 size_t len[1];
2429 addr[0] = wpabuf_head(cert);
2430 len[0] = wpabuf_len(cert);
2431 if (sha256_vector(1, addr, len, hash) == 0) {
2432 ev.peer_cert.hash = hash;
2433 ev.peer_cert.hash_len = sizeof(hash);
2434 }
2435 }
2436 #endif /* CONFIG_SHA256 */
2437 ev.peer_cert.depth = depth;
2438 ev.peer_cert.subject = subject;
2439
2440 ser = X509_get_serialNumber(err_cert);
2441 if (ser) {
2442 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
2443 ASN1_STRING_get0_data(ser),
2444 ASN1_STRING_length(ser));
2445 ev.peer_cert.serial_num = serial_num;
2446 }
2447
2448 ext = X509_get_ext_d2i(err_cert, NID_subject_alt_name, NULL, NULL);
2449 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
2450 char *pos;
2451
2452 if (num_altsubject == TLS_MAX_ALT_SUBJECT)
2453 break;
2454 gen = sk_GENERAL_NAME_value(ext, i);
2455 if (gen->type != GEN_EMAIL &&
2456 gen->type != GEN_DNS &&
2457 gen->type != GEN_URI)
2458 continue;
2459
2460 pos = os_malloc(10 + gen->d.ia5->length + 1);
2461 if (pos == NULL)
2462 break;
2463 altsubject[num_altsubject++] = pos;
2464
2465 switch (gen->type) {
2466 case GEN_EMAIL:
2467 os_memcpy(pos, "EMAIL:", 6);
2468 pos += 6;
2469 break;
2470 case GEN_DNS:
2471 os_memcpy(pos, "DNS:", 4);
2472 pos += 4;
2473 break;
2474 case GEN_URI:
2475 os_memcpy(pos, "URI:", 4);
2476 pos += 4;
2477 break;
2478 }
2479
2480 os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length);
2481 pos += gen->d.ia5->length;
2482 *pos = '\0';
2483 }
2484 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2485
2486 for (alt = 0; alt < num_altsubject; alt++)
2487 ev.peer_cert.altsubject[alt] = altsubject[alt];
2488 ev.peer_cert.num_altsubject = num_altsubject;
2489
2490 ev.peer_cert.tod = openssl_cert_tod(err_cert);
2491
2492 context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
2493 wpabuf_free(cert);
2494 for (alt = 0; alt < num_altsubject; alt++)
2495 os_free(altsubject[alt]);
2496 }
2497
2498
debug_print_cert(X509 * cert,const char * title)2499 static void debug_print_cert(X509 *cert, const char *title)
2500 {
2501 #ifndef CONFIG_NO_STDOUT_DEBUG
2502 BIO *out;
2503 size_t rlen;
2504 char *txt;
2505 int res;
2506
2507 if (wpa_debug_level > MSG_DEBUG)
2508 return;
2509
2510 out = BIO_new(BIO_s_mem());
2511 if (!out)
2512 return;
2513
2514 X509_print(out, cert);
2515 rlen = BIO_ctrl_pending(out);
2516 txt = os_malloc(rlen + 1);
2517 if (txt) {
2518 res = BIO_read(out, txt, rlen);
2519 if (res > 0) {
2520 txt[res] = '\0';
2521 wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt);
2522 }
2523 os_free(txt);
2524 }
2525
2526 BIO_free(out);
2527 #endif /* CONFIG_NO_STDOUT_DEBUG */
2528 }
2529
2530
tls_verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)2531 static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
2532 {
2533 char buf[256];
2534 X509 *err_cert;
2535 int err, depth;
2536 SSL *ssl;
2537 struct tls_connection *conn;
2538 struct tls_context *context;
2539 char *match, *altmatch, *suffix_match, *domain_match;
2540 const char *check_cert_subject;
2541 const char *err_str;
2542
2543 err_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
2544 if (!err_cert)
2545 return 0;
2546
2547 err = X509_STORE_CTX_get_error(x509_ctx);
2548 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
2549 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
2550 SSL_get_ex_data_X509_STORE_CTX_idx());
2551 os_snprintf(buf, sizeof(buf), "Peer certificate - depth %d", depth);
2552 debug_print_cert(err_cert, buf);
2553 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
2554
2555 conn = SSL_get_app_data(ssl);
2556 if (conn == NULL)
2557 return 0;
2558
2559 if (depth == 0)
2560 conn->peer_cert = err_cert;
2561 else if (depth == 1)
2562 conn->peer_issuer = err_cert;
2563 else if (depth == 2)
2564 conn->peer_issuer_issuer = err_cert;
2565
2566 context = conn->context;
2567 match = conn->subject_match;
2568 altmatch = conn->altsubject_match;
2569 suffix_match = conn->suffix_match;
2570 domain_match = conn->domain_match;
2571
2572 if (!preverify_ok && !conn->ca_cert_verify)
2573 preverify_ok = 1;
2574 if (!preverify_ok && depth > 0 && conn->server_cert_only)
2575 preverify_ok = 1;
2576 if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
2577 (err == X509_V_ERR_CERT_HAS_EXPIRED ||
2578 err == X509_V_ERR_CERT_NOT_YET_VALID)) {
2579 wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
2580 "time mismatch");
2581 preverify_ok = 1;
2582 }
2583 if (!preverify_ok && !conn->data->check_crl_strict &&
2584 (err == X509_V_ERR_CRL_HAS_EXPIRED ||
2585 err == X509_V_ERR_CRL_NOT_YET_VALID)) {
2586 wpa_printf(MSG_DEBUG,
2587 "OpenSSL: Ignore certificate validity CRL time mismatch");
2588 preverify_ok = 1;
2589 }
2590
2591 err_str = X509_verify_cert_error_string(err);
2592
2593 #ifdef CONFIG_SHA256
2594 /*
2595 * Do not require preverify_ok so we can explicity allow otherwise
2596 * invalid pinned server certificates.
2597 */
2598 if (depth == 0 && conn->server_cert_only) {
2599 struct wpabuf *cert;
2600 cert = get_x509_cert(err_cert);
2601 if (!cert) {
2602 wpa_printf(MSG_DEBUG, "OpenSSL: Could not fetch "
2603 "server certificate data");
2604 preverify_ok = 0;
2605 } else {
2606 u8 hash[32];
2607 const u8 *addr[1];
2608 size_t len[1];
2609
2610 addr[0] = wpabuf_head(cert);
2611 len[0] = wpabuf_len(cert);
2612 if (sha256_vector(1, addr, len, hash) < 0 ||
2613 os_memcmp(conn->srv_cert_hash, hash, 32) != 0) {
2614 err_str = "Server certificate mismatch";
2615 err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
2616 preverify_ok = 0;
2617 } else if (!preverify_ok) {
2618 /*
2619 * Certificate matches pinned certificate, allow
2620 * regardless of other problems.
2621 */
2622 wpa_printf(MSG_DEBUG,
2623 "OpenSSL: Ignore validation issues for a pinned server certificate");
2624 preverify_ok = 1;
2625 }
2626 wpabuf_free(cert);
2627 }
2628 }
2629 #endif /* CONFIG_SHA256 */
2630
2631 if (!preverify_ok) {
2632 /* Send cert events for the peer certificate chain so that
2633 * the upper layers get information about it even if
2634 * validation of a CA certificate fails. */
2635 STACK_OF(X509) *chain;
2636 int num_of_certs;
2637
2638 chain = X509_STORE_CTX_get1_chain(x509_ctx);
2639 num_of_certs = sk_X509_num(chain);
2640 if (chain && num_of_certs > 0) {
2641 char buf2[256];
2642 X509 *cert;
2643 int cur_depth;
2644
2645 for (cur_depth = num_of_certs - 1; cur_depth >= 0; cur_depth--) {
2646 cert = sk_X509_value(chain, cur_depth);
2647 X509_NAME_oneline(X509_get_subject_name(cert),
2648 buf2, sizeof(buf2));
2649
2650 openssl_tls_cert_event(conn, cert, cur_depth, buf2);
2651 }
2652 }
2653 if (chain)
2654 sk_X509_pop_free(chain, X509_free);
2655
2656 char *format_str = "TLS: Certificate verification failed,"
2657 " error %d (%s) depth %d for '%s'";
2658 int msg_len = snprintf(NULL, 0, format_str, err, err_str, depth, buf) + 1;
2659 char *msg = os_malloc(msg_len);
2660 snprintf(msg, msg_len, format_str, err, err_str, depth, buf);
2661
2662 wpa_printf(MSG_WARNING, "%s", msg);
2663 if (conn != NULL && conn->context != NULL
2664 && openssl_failure_callback_global != NULL) {
2665 (*openssl_failure_callback_global)(conn->context->cb_ctx, msg);
2666 }
2667 os_free(msg);
2668
2669 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2670 err_str, TLS_FAIL_UNSPECIFIED);
2671 return preverify_ok;
2672 }
2673
2674 openssl_tls_cert_event(conn, err_cert, depth, buf);
2675
2676 wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb - preverify_ok=%d "
2677 "err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'",
2678 preverify_ok, err, err_str,
2679 conn->ca_cert_verify, depth, buf);
2680 check_cert_subject = conn->check_cert_subject;
2681 if (!check_cert_subject)
2682 check_cert_subject = conn->data->check_cert_subject;
2683 if (check_cert_subject) {
2684 if (depth == 0 &&
2685 !tls_match_dn_field(err_cert, check_cert_subject)) {
2686 preverify_ok = 0;
2687 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2688 "Distinguished Name",
2689 TLS_FAIL_DN_MISMATCH);
2690 }
2691 }
2692 if (depth == 0 && match && os_strstr(buf, match) == NULL) {
2693 wpa_printf(MSG_WARNING, "TLS: Subject '%s' did not "
2694 "match with '%s'", buf, match);
2695 preverify_ok = 0;
2696 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2697 "Subject mismatch",
2698 TLS_FAIL_SUBJECT_MISMATCH);
2699 } else if (depth == 0 && altmatch &&
2700 !tls_match_altsubject(err_cert, altmatch)) {
2701 wpa_printf(MSG_WARNING, "TLS: altSubjectName match "
2702 "'%s' not found", altmatch);
2703 preverify_ok = 0;
2704 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2705 "AltSubject mismatch",
2706 TLS_FAIL_ALTSUBJECT_MISMATCH);
2707 } else if (depth == 0 && suffix_match &&
2708 !tls_match_suffix(err_cert, suffix_match, 0)) {
2709 wpa_printf(MSG_WARNING, "TLS: Domain suffix match '%s' not found",
2710 suffix_match);
2711 preverify_ok = 0;
2712 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2713 "Domain suffix mismatch",
2714 TLS_FAIL_DOMAIN_SUFFIX_MISMATCH);
2715 } else if (depth == 0 && domain_match &&
2716 !tls_match_suffix(err_cert, domain_match, 1)) {
2717 wpa_printf(MSG_WARNING, "TLS: Domain match '%s' not found",
2718 domain_match);
2719 preverify_ok = 0;
2720 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2721 "Domain mismatch",
2722 TLS_FAIL_DOMAIN_MISMATCH);
2723 }
2724
2725 if (conn->cert_probe && preverify_ok && depth == 0) {
2726 wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate "
2727 "on probe-only run");
2728 preverify_ok = 0;
2729 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2730 "Server certificate chain probe",
2731 TLS_FAIL_SERVER_CHAIN_PROBE);
2732 }
2733
2734 #ifdef CONFIG_SUITEB
2735 if (conn->flags & TLS_CONN_SUITEB) {
2736 EVP_PKEY *pk;
2737 int len = -1;
2738
2739 pk = X509_get_pubkey(err_cert);
2740 if (pk) {
2741 len = EVP_PKEY_bits(pk);
2742 EVP_PKEY_free(pk);
2743 }
2744
2745 if (len >= 0) {
2746 wpa_printf(MSG_DEBUG,
2747 "OpenSSL: RSA modulus size: %d bits", len);
2748 if (len < 3072) {
2749 preverify_ok = 0;
2750 openssl_tls_fail_event(
2751 conn, err_cert, err,
2752 depth, buf,
2753 "Insufficient RSA modulus size",
2754 TLS_FAIL_INSUFFICIENT_KEY_LEN);
2755 }
2756 }
2757 }
2758 #endif /* CONFIG_SUITEB */
2759
2760 #ifdef OPENSSL_IS_BORINGSSL
2761 if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) &&
2762 preverify_ok) {
2763 enum ocsp_result res;
2764
2765 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert,
2766 conn->peer_issuer,
2767 conn->peer_issuer_issuer);
2768 if (res == OCSP_REVOKED) {
2769 preverify_ok = 0;
2770 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2771 "certificate revoked",
2772 TLS_FAIL_REVOKED);
2773 if (err == X509_V_OK)
2774 X509_STORE_CTX_set_error(
2775 x509_ctx, X509_V_ERR_CERT_REVOKED);
2776 } else if (res != OCSP_GOOD &&
2777 (conn->flags & TLS_CONN_REQUIRE_OCSP)) {
2778 preverify_ok = 0;
2779 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2780 "bad certificate status response",
2781 TLS_FAIL_UNSPECIFIED);
2782 }
2783 }
2784 #endif /* OPENSSL_IS_BORINGSSL */
2785
2786 if (depth == 0 && preverify_ok && context->event_cb != NULL)
2787 context->event_cb(context->cb_ctx,
2788 TLS_CERT_CHAIN_SUCCESS, NULL);
2789
2790 if (depth == 0 && preverify_ok) {
2791 os_free(conn->peer_subject);
2792 conn->peer_subject = os_strdup(buf);
2793 }
2794
2795 return preverify_ok;
2796 }
2797
2798
2799 #ifndef OPENSSL_NO_STDIO
tls_load_ca_der(struct tls_data * data,const char * ca_cert)2800 static int tls_load_ca_der(struct tls_data *data, const char *ca_cert)
2801 {
2802 SSL_CTX *ssl_ctx = data->ssl;
2803 X509_LOOKUP *lookup;
2804 int ret = 0;
2805
2806 lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx),
2807 X509_LOOKUP_file());
2808 if (lookup == NULL) {
2809 tls_show_errors(MSG_WARNING, __func__,
2810 "Failed add lookup for X509 store");
2811 return -1;
2812 }
2813
2814 if (!X509_LOOKUP_load_file(lookup, ca_cert, X509_FILETYPE_ASN1)) {
2815 unsigned long err = ERR_peek_error();
2816 tls_show_errors(MSG_WARNING, __func__,
2817 "Failed load CA in DER format");
2818 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2819 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2820 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2821 "cert already in hash table error",
2822 __func__);
2823 } else
2824 ret = -1;
2825 }
2826
2827 return ret;
2828 }
2829 #endif /* OPENSSL_NO_STDIO */
2830
2831
tls_connection_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert,const u8 * ca_cert_blob,size_t ca_cert_blob_len,const char * ca_path)2832 static int tls_connection_ca_cert(struct tls_data *data,
2833 struct tls_connection *conn,
2834 const char *ca_cert, const u8 *ca_cert_blob,
2835 size_t ca_cert_blob_len, const char *ca_path)
2836 {
2837 SSL_CTX *ssl_ctx = data->ssl;
2838 X509_STORE *store;
2839
2840 /*
2841 * Remove previously configured trusted CA certificates before adding
2842 * new ones.
2843 */
2844 store = X509_STORE_new();
2845 if (store == NULL) {
2846 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
2847 "certificate store", __func__);
2848 return -1;
2849 }
2850 SSL_CTX_set_cert_store(ssl_ctx, store);
2851
2852 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2853 conn->ca_cert_verify = 1;
2854
2855 if (ca_cert && os_strncmp(ca_cert, "probe://", 8) == 0) {
2856 wpa_printf(MSG_DEBUG, "OpenSSL: Probe for server certificate "
2857 "chain");
2858 conn->cert_probe = 1;
2859 conn->ca_cert_verify = 0;
2860 return 0;
2861 }
2862
2863 if (ca_cert && os_strncmp(ca_cert, "hash://", 7) == 0) {
2864 #ifdef CONFIG_SHA256
2865 const char *pos = ca_cert + 7;
2866 if (os_strncmp(pos, "server/sha256/", 14) != 0) {
2867 wpa_printf(MSG_DEBUG, "OpenSSL: Unsupported ca_cert "
2868 "hash value '%s'", ca_cert);
2869 return -1;
2870 }
2871 pos += 14;
2872 if (os_strlen(pos) != 32 * 2) {
2873 wpa_printf(MSG_DEBUG, "OpenSSL: Unexpected SHA256 "
2874 "hash length in ca_cert '%s'", ca_cert);
2875 return -1;
2876 }
2877 if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) {
2878 wpa_printf(MSG_DEBUG, "OpenSSL: Invalid SHA256 hash "
2879 "value in ca_cert '%s'", ca_cert);
2880 return -1;
2881 }
2882 conn->server_cert_only = 1;
2883 wpa_printf(MSG_DEBUG, "OpenSSL: Checking only server "
2884 "certificate match");
2885 return 0;
2886 #else /* CONFIG_SHA256 */
2887 wpa_printf(MSG_INFO, "No SHA256 included in the build - "
2888 "cannot validate server certificate hash");
2889 return -1;
2890 #endif /* CONFIG_SHA256 */
2891 }
2892
2893 if (ca_cert_blob) {
2894 X509 *cert = d2i_X509(NULL,
2895 (const unsigned char **) &ca_cert_blob,
2896 ca_cert_blob_len);
2897 if (cert == NULL) {
2898 BIO *bio = BIO_new_mem_buf(ca_cert_blob,
2899 ca_cert_blob_len);
2900
2901 if (bio) {
2902 cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
2903 BIO_free(bio);
2904 }
2905
2906 if (!cert) {
2907 tls_show_errors(MSG_WARNING, __func__,
2908 "Failed to parse ca_cert_blob");
2909 return -1;
2910 }
2911
2912 while (ERR_get_error()) {
2913 /* Ignore errors from DER conversion. */
2914 }
2915 }
2916
2917 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
2918 cert)) {
2919 unsigned long err = ERR_peek_error();
2920 tls_show_errors(MSG_WARNING, __func__,
2921 "Failed to add ca_cert_blob to "
2922 "certificate store");
2923 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2924 ERR_GET_REASON(err) ==
2925 X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2926 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2927 "cert already in hash table error",
2928 __func__);
2929 } else {
2930 X509_free(cert);
2931 return -1;
2932 }
2933 }
2934 X509_free(cert);
2935 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob "
2936 "to certificate store", __func__);
2937 return 0;
2938 }
2939
2940 #ifdef ANDROID
2941 /* Single alias */
2942 if (ca_cert && os_strncmp(ANDROID_KEYSTORE_PREFIX, ca_cert,
2943 ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
2944 if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx),
2945 &ca_cert[ANDROID_KEYSTORE_PREFIX_LEN], conn) < 0)
2946 return -1;
2947 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2948 return 0;
2949 }
2950
2951 /* Multiple aliases separated by space */
2952 if (ca_cert && os_strncmp(ANDROID_KEYSTORE_ENCODED_PREFIX, ca_cert,
2953 ANDROID_KEYSTORE_ENCODED_PREFIX_LEN) == 0) {
2954 char *aliases = os_strdup(
2955 &ca_cert[ANDROID_KEYSTORE_ENCODED_PREFIX_LEN]);
2956 const char *delim = " ";
2957 int rc = 0;
2958 char *savedptr;
2959 char *alias;
2960
2961 if (!aliases)
2962 return -1;
2963 alias = strtok_r(aliases, delim, &savedptr);
2964 for (; alias; alias = strtok_r(NULL, delim, &savedptr)) {
2965 if (tls_add_ca_from_keystore_encoded(
2966 SSL_CTX_get_cert_store(ssl_ctx), alias, conn)) {
2967 wpa_printf(MSG_ERROR,
2968 "OpenSSL: Failed to add ca_cert %s from keystore",
2969 alias);
2970 rc = -1;
2971 break;
2972 }
2973 }
2974 os_free(aliases);
2975 if (rc)
2976 return rc;
2977
2978 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2979 return 0;
2980 }
2981 #endif /* ANDROID */
2982
2983 #ifdef CONFIG_NATIVE_WINDOWS
2984 if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) ==
2985 0) {
2986 wpa_printf(MSG_DEBUG, "OpenSSL: Added CA certificates from "
2987 "system certificate store");
2988 return 0;
2989 }
2990 #endif /* CONFIG_NATIVE_WINDOWS */
2991
2992 if (ca_cert || ca_path) {
2993 #ifndef OPENSSL_NO_STDIO
2994 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, ca_path) !=
2995 1) {
2996 tls_show_errors(MSG_WARNING, __func__,
2997 "Failed to load root certificates");
2998 if (ca_cert &&
2999 tls_load_ca_der(data, ca_cert) == 0) {
3000 wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded "
3001 "DER format CA certificate",
3002 __func__);
3003 } else
3004 return -1;
3005 } else {
3006 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
3007 "certificate(s) loaded");
3008 tls_get_errors(data);
3009 }
3010 #else /* OPENSSL_NO_STDIO */
3011 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO",
3012 __func__);
3013 return -1;
3014 #endif /* OPENSSL_NO_STDIO */
3015 } else {
3016 /* No ca_cert configured - do not try to verify server
3017 * certificate */
3018 conn->ca_cert_verify = 0;
3019 }
3020
3021 return 0;
3022 }
3023
3024
tls_global_ca_cert(struct tls_data * data,const char * ca_cert)3025 static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert)
3026 {
3027 SSL_CTX *ssl_ctx = data->ssl;
3028
3029 if (ca_cert) {
3030 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1)
3031 {
3032 tls_show_errors(MSG_WARNING, __func__,
3033 "Failed to load root certificates");
3034 return -1;
3035 }
3036
3037 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
3038 "certificate(s) loaded");
3039
3040 #ifndef OPENSSL_NO_STDIO
3041 /* Add the same CAs to the client certificate requests */
3042 SSL_CTX_set_client_CA_list(ssl_ctx,
3043 SSL_load_client_CA_file(ca_cert));
3044 #endif /* OPENSSL_NO_STDIO */
3045
3046 os_free(data->ca_cert);
3047 data->ca_cert = os_strdup(ca_cert);
3048 }
3049
3050 return 0;
3051 }
3052
3053
tls_global_set_verify(void * ssl_ctx,int check_crl,int strict)3054 int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
3055 {
3056 int flags;
3057
3058 if (check_crl) {
3059 struct tls_data *data = ssl_ctx;
3060 X509_STORE *cs = SSL_CTX_get_cert_store(data->ssl);
3061 if (cs == NULL) {
3062 tls_show_errors(MSG_INFO, __func__, "Failed to get "
3063 "certificate store when enabling "
3064 "check_crl");
3065 return -1;
3066 }
3067 flags = X509_V_FLAG_CRL_CHECK;
3068 if (check_crl == 2)
3069 flags |= X509_V_FLAG_CRL_CHECK_ALL;
3070 X509_STORE_set_flags(cs, flags);
3071
3072 data->check_crl = check_crl;
3073 data->check_crl_strict = strict;
3074 os_get_reltime(&data->crl_last_reload);
3075 }
3076 return 0;
3077 }
3078
3079
tls_connection_set_subject_match(struct tls_connection * conn,const char * subject_match,const char * altsubject_match,const char * suffix_match,const char * domain_match,const char * check_cert_subject)3080 static int tls_connection_set_subject_match(struct tls_connection *conn,
3081 const char *subject_match,
3082 const char *altsubject_match,
3083 const char *suffix_match,
3084 const char *domain_match,
3085 const char *check_cert_subject)
3086 {
3087 os_free(conn->subject_match);
3088 conn->subject_match = NULL;
3089 if (subject_match) {
3090 conn->subject_match = os_strdup(subject_match);
3091 if (conn->subject_match == NULL)
3092 return -1;
3093 }
3094
3095 os_free(conn->altsubject_match);
3096 conn->altsubject_match = NULL;
3097 if (altsubject_match) {
3098 conn->altsubject_match = os_strdup(altsubject_match);
3099 if (conn->altsubject_match == NULL)
3100 return -1;
3101 }
3102
3103 os_free(conn->suffix_match);
3104 conn->suffix_match = NULL;
3105 if (suffix_match) {
3106 conn->suffix_match = os_strdup(suffix_match);
3107 if (conn->suffix_match == NULL)
3108 return -1;
3109 }
3110
3111 os_free(conn->domain_match);
3112 conn->domain_match = NULL;
3113 if (domain_match) {
3114 conn->domain_match = os_strdup(domain_match);
3115 if (conn->domain_match == NULL)
3116 return -1;
3117 }
3118
3119 os_free(conn->check_cert_subject);
3120 conn->check_cert_subject = NULL;
3121 if (check_cert_subject) {
3122 conn->check_cert_subject = os_strdup(check_cert_subject);
3123 if (!conn->check_cert_subject)
3124 return -1;
3125 }
3126
3127 return 0;
3128 }
3129
3130
3131 #ifdef CONFIG_SUITEB
suiteb_cert_cb(SSL * ssl,void * arg)3132 static int suiteb_cert_cb(SSL *ssl, void *arg)
3133 {
3134 struct tls_connection *conn = arg;
3135
3136 /*
3137 * This cert_cb() is not really the best location for doing a
3138 * constraint check for the ServerKeyExchange message, but this seems to
3139 * be the only place where the current OpenSSL sequence can be
3140 * terminated cleanly with an TLS alert going out to the server.
3141 */
3142
3143 if (!(conn->flags & TLS_CONN_SUITEB))
3144 return 1;
3145
3146 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
3147 if (conn->cipher_suite != 0x9f)
3148 return 1;
3149
3150 if (conn->server_dh_prime_len >= 3072)
3151 return 1;
3152
3153 wpa_printf(MSG_DEBUG,
3154 "OpenSSL: Server DH prime length (%d bits) not sufficient for Suite B RSA - reject handshake",
3155 conn->server_dh_prime_len);
3156 return 0;
3157 }
3158 #endif /* CONFIG_SUITEB */
3159
3160
tls_set_conn_flags(struct tls_connection * conn,unsigned int flags,const char * openssl_ciphers)3161 static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
3162 const char *openssl_ciphers)
3163 {
3164 SSL *ssl = conn->ssl;
3165
3166 #ifdef SSL_OP_NO_TICKET
3167 if (flags & TLS_CONN_DISABLE_SESSION_TICKET)
3168 SSL_set_options(ssl, SSL_OP_NO_TICKET);
3169 else
3170 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3171 #endif /* SSL_OP_NO_TICKET */
3172
3173 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
3174 if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
3175 SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
3176 #endif /* SSL_OP_LEGACY_SERVER_CONNECT */
3177
3178 #ifdef SSL_OP_NO_TLSv1
3179 if (flags & TLS_CONN_DISABLE_TLSv1_0)
3180 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3181 else
3182 SSL_clear_options(ssl, SSL_OP_NO_TLSv1);
3183 #endif /* SSL_OP_NO_TLSv1 */
3184 #ifdef SSL_OP_NO_TLSv1_1
3185 if (flags & TLS_CONN_DISABLE_TLSv1_1)
3186 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3187 else
3188 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1);
3189 #endif /* SSL_OP_NO_TLSv1_1 */
3190 #ifdef SSL_OP_NO_TLSv1_2
3191 if (flags & TLS_CONN_DISABLE_TLSv1_2)
3192 SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
3193 else
3194 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
3195 #endif /* SSL_OP_NO_TLSv1_2 */
3196 #ifdef SSL_OP_NO_TLSv1_3
3197 if (flags & TLS_CONN_DISABLE_TLSv1_3)
3198 SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
3199 else
3200 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
3201 #endif /* SSL_OP_NO_TLSv1_3 */
3202 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
3203 if (flags & (TLS_CONN_ENABLE_TLSv1_0 |
3204 TLS_CONN_ENABLE_TLSv1_1 |
3205 TLS_CONN_ENABLE_TLSv1_2)) {
3206 int version = 0;
3207
3208 /* Explicit request to enable TLS versions even if needing to
3209 * override systemwide policies. */
3210 if (flags & TLS_CONN_ENABLE_TLSv1_0)
3211 version = TLS1_VERSION;
3212 else if (flags & TLS_CONN_ENABLE_TLSv1_1)
3213 version = TLS1_1_VERSION;
3214 else if (flags & TLS_CONN_ENABLE_TLSv1_2)
3215 version = TLS1_2_VERSION;
3216 if (!version) {
3217 wpa_printf(MSG_DEBUG,
3218 "OpenSSL: Invalid TLS version configuration");
3219 return -1;
3220 }
3221
3222 if (SSL_set_min_proto_version(ssl, version) != 1) {
3223 wpa_printf(MSG_DEBUG,
3224 "OpenSSL: Failed to set minimum TLS version");
3225 return -1;
3226 }
3227 }
3228 #endif /* >= 1.1.0 */
3229 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3230 !defined(LIBRESSL_VERSION_NUMBER) && \
3231 !defined(OPENSSL_IS_BORINGSSL)
3232 {
3233 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3234 int need_level = 0;
3235 #else
3236 int need_level = 1;
3237 #endif
3238
3239 if ((flags &
3240 (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
3241 SSL_get_security_level(ssl) > need_level) {
3242 /*
3243 * Need to drop to security level 1 (or 0 with OpenSSL
3244 * 3.0) to allow TLS versions older than 1.2 to be used
3245 * when explicitly enabled in configuration.
3246 */
3247 SSL_set_security_level(conn->ssl, need_level);
3248 }
3249 }
3250 #endif
3251
3252 #ifdef CONFIG_SUITEB
3253 #ifdef OPENSSL_IS_BORINGSSL
3254 /* Start with defaults from BoringSSL */
3255 SSL_set_verify_algorithm_prefs(conn->ssl, NULL, 0);
3256 #endif /* OPENSSL_IS_BORINGSSL */
3257 if (flags & TLS_CONN_SUITEB_NO_ECDH) {
3258 const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
3259
3260 if (openssl_ciphers) {
3261 wpa_printf(MSG_DEBUG,
3262 "OpenSSL: Override ciphers for Suite B (no ECDH): %s",
3263 openssl_ciphers);
3264 ciphers = openssl_ciphers;
3265 }
3266 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3267 wpa_printf(MSG_INFO,
3268 "OpenSSL: Failed to set Suite B ciphers");
3269 return -1;
3270 }
3271 } else if (flags & TLS_CONN_SUITEB) {
3272 #if OPENSSL_VERSION_NUMBER < 0x30000000L
3273 EC_KEY *ecdh;
3274 #endif
3275 const char *ciphers =
3276 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
3277 int nid[1] = { NID_secp384r1 };
3278
3279 if (openssl_ciphers) {
3280 wpa_printf(MSG_DEBUG,
3281 "OpenSSL: Override ciphers for Suite B: %s",
3282 openssl_ciphers);
3283 ciphers = openssl_ciphers;
3284 }
3285 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3286 wpa_printf(MSG_INFO,
3287 "OpenSSL: Failed to set Suite B ciphers");
3288 return -1;
3289 }
3290
3291 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3292 if (SSL_set1_groups(ssl, nid, 1) != 1) {
3293 wpa_printf(MSG_INFO,
3294 "OpenSSL: Failed to set Suite B groups");
3295 return -1;
3296 }
3297
3298 #else
3299 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3300 wpa_printf(MSG_INFO,
3301 "OpenSSL: Failed to set Suite B curves");
3302 return -1;
3303 }
3304
3305 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
3306 if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
3307 EC_KEY_free(ecdh);
3308 wpa_printf(MSG_INFO,
3309 "OpenSSL: Failed to set ECDH parameter");
3310 return -1;
3311 }
3312 EC_KEY_free(ecdh);
3313 #endif
3314 }
3315 if ((flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH))
3316 #ifdef EAP_TLSV1_3
3317 && (flags & TLS_CONN_DISABLE_TLSv1_3)
3318 #endif
3319 ) {
3320 #ifdef OPENSSL_IS_BORINGSSL
3321 uint16_t sigalgs[1] = { SSL_SIGN_RSA_PKCS1_SHA384 };
3322
3323 if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,
3324 1) != 1) {
3325 wpa_printf(MSG_INFO,
3326 "OpenSSL: Failed to set Suite B sigalgs");
3327 return -1;
3328 }
3329 #else /* OPENSSL_IS_BORINGSSL */
3330 /* ECDSA+SHA384 if need to add EC support here */
3331 if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
3332 wpa_printf(MSG_INFO,
3333 "OpenSSL: Failed to set Suite B sigalgs");
3334 return -1;
3335 }
3336 #endif /* OPENSSL_IS_BORINGSSL */
3337
3338 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3339 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3340 SSL_set_cert_cb(ssl, suiteb_cert_cb, conn);
3341 }
3342
3343 #ifdef OPENSSL_IS_BORINGSSL
3344 if (openssl_ciphers && os_strcmp(openssl_ciphers, "SUITEB192") == 0) {
3345 uint16_t sigalgs[1] = { SSL_SIGN_ECDSA_SECP384R1_SHA384 };
3346 int nid[1] = { NID_secp384r1 };
3347
3348 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3349 wpa_printf(MSG_INFO,
3350 "OpenSSL: Failed to set Suite B curves");
3351 return -1;
3352 }
3353
3354 if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,
3355 1) != 1) {
3356 wpa_printf(MSG_INFO,
3357 "OpenSSL: Failed to set Suite B sigalgs");
3358 return -1;
3359 }
3360 }
3361 #else /* OPENSSL_IS_BORINGSSL */
3362 if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) &&
3363 openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3364 wpa_printf(MSG_INFO,
3365 "OpenSSL: Failed to set openssl_ciphers '%s'",
3366 openssl_ciphers);
3367 return -1;
3368 }
3369 #endif /* OPENSSL_IS_BORINGSSL */
3370 #else /* CONFIG_SUITEB */
3371 if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3372 wpa_printf(MSG_INFO,
3373 "OpenSSL: Failed to set openssl_ciphers '%s'",
3374 openssl_ciphers);
3375 return -1;
3376 }
3377 #endif /* CONFIG_SUITEB */
3378
3379 if (flags & TLS_CONN_TEAP_ANON_DH) {
3380 #ifndef TEAP_DH_ANON_CS
3381 #define TEAP_DH_ANON_CS \
3382 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \
3383 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \
3384 "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \
3385 "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
3386 "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \
3387 "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \
3388 "ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \
3389 "ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA"
3390 #endif
3391 static const char *cs = TEAP_DH_ANON_CS;
3392
3393 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3394 !defined(LIBRESSL_VERSION_NUMBER) && \
3395 !defined(OPENSSL_IS_BORINGSSL)
3396 /*
3397 * Need to drop to security level 0 to allow anonymous
3398 * cipher suites for EAP-TEAP.
3399 */
3400 SSL_set_security_level(conn->ssl, 0);
3401 #endif
3402
3403 wpa_printf(MSG_DEBUG,
3404 "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s",
3405 cs);
3406 if (SSL_set_cipher_list(conn->ssl, cs) != 1) {
3407 tls_show_errors(MSG_INFO, __func__,
3408 "Cipher suite configuration failed");
3409 return -1;
3410 }
3411 }
3412
3413 return 0;
3414 }
3415
3416
tls_connection_set_verify(void * ssl_ctx,struct tls_connection * conn,int verify_peer,unsigned int flags,const u8 * session_ctx,size_t session_ctx_len)3417 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
3418 int verify_peer, unsigned int flags,
3419 const u8 *session_ctx, size_t session_ctx_len)
3420 {
3421 static int counter = 0;
3422 struct tls_data *data = ssl_ctx;
3423
3424 if (conn == NULL)
3425 return -1;
3426
3427 if (verify_peer == 2) {
3428 conn->ca_cert_verify = 1;
3429 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3430 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3431 } else if (verify_peer) {
3432 conn->ca_cert_verify = 1;
3433 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3434 SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
3435 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3436 } else {
3437 conn->ca_cert_verify = 0;
3438 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
3439 }
3440
3441 if (tls_set_conn_flags(conn, flags, NULL) < 0)
3442 return -1;
3443 conn->flags = flags;
3444
3445 SSL_set_accept_state(conn->ssl);
3446
3447 if (data->tls_session_lifetime == 0) {
3448 /*
3449 * Set session id context to a unique value to make sure
3450 * session resumption cannot be used either through session
3451 * caching or TLS ticket extension.
3452 */
3453 counter++;
3454 SSL_set_session_id_context(conn->ssl,
3455 (const unsigned char *) &counter,
3456 sizeof(counter));
3457 } else if (session_ctx) {
3458 SSL_set_session_id_context(conn->ssl, session_ctx,
3459 session_ctx_len);
3460 }
3461
3462 return 0;
3463 }
3464
3465
tls_connection_client_cert(struct tls_connection * conn,const char * client_cert,const u8 * client_cert_blob,size_t client_cert_blob_len)3466 static int tls_connection_client_cert(struct tls_connection *conn,
3467 const char *client_cert,
3468 const u8 *client_cert_blob,
3469 size_t client_cert_blob_len)
3470 {
3471 if (client_cert == NULL && client_cert_blob == NULL)
3472 return 0;
3473
3474 #ifdef PKCS12_FUNCS
3475 #ifdef LIBRESSL_VERSION_NUMBER
3476 /*
3477 * Clear previously set extra chain certificates, if any, from PKCS#12
3478 * processing in tls_parse_pkcs12() to allow LibreSSL to build a new
3479 * chain properly.
3480 */
3481 SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx);
3482 #endif /* LIBRESSL_VERSION_NUMBER */
3483 #endif /* PKCS12_FUNCS */
3484
3485 if (client_cert_blob &&
3486 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
3487 client_cert_blob_len) == 1) {
3488 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_ASN1 --> "
3489 "OK");
3490 return 0;
3491 } else if (client_cert_blob) {
3492 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20901000L
3493 tls_show_errors(MSG_DEBUG, __func__,
3494 "SSL_use_certificate_ASN1 failed");
3495 #else
3496 BIO *bio;
3497 X509 *x509;
3498
3499 tls_show_errors(MSG_DEBUG, __func__,
3500 "SSL_use_certificate_ASN1 failed");
3501 bio = BIO_new(BIO_s_mem());
3502 if (!bio)
3503 return -1;
3504 BIO_write(bio, client_cert_blob, client_cert_blob_len);
3505 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3506 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) {
3507 X509_free(x509);
3508 BIO_free(bio);
3509 return -1;
3510 }
3511 X509_free(x509);
3512 wpa_printf(MSG_DEBUG,
3513 "OpenSSL: Found PEM encoded certificate from blob");
3514 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
3515 wpa_printf(MSG_DEBUG,
3516 "OpenSSL: Added an additional certificate into the chain");
3517 SSL_add0_chain_cert(conn->ssl, x509);
3518 }
3519 BIO_free(bio);
3520 return 0;
3521 #endif
3522 }
3523
3524 if (client_cert == NULL)
3525 return -1;
3526
3527 #ifdef ANDROID
3528 if (os_strncmp(ANDROID_KEYSTORE_PREFIX, client_cert,
3529 ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
3530 BIO *bio = BIO_from_keystore(&client_cert[ANDROID_KEYSTORE_PREFIX_LEN], conn);
3531 X509 *x509 = NULL;
3532 if (!bio) {
3533 return -1;
3534 }
3535 // Keystore returns X.509 certificates in PEM encoding
3536 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3537 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) {
3538 X509_free(x509);
3539 BIO_free(bio);
3540 wpa_printf(MSG_ERROR, "OpenSSL: Unknown certificate encoding");
3541 return -1;
3542 }
3543 X509_free(x509);
3544 wpa_printf(MSG_DEBUG,
3545 "OpenSSL: Found PEM encoded certificate from keystore: %s",
3546 client_cert);
3547
3548 // Read additional certificates into the chain
3549 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
3550 wpa_printf(MSG_DEBUG,
3551 "OpenSSL: Added an additional certificate into the chain");
3552 // Takes ownership of x509, no need to free it here
3553 SSL_add0_chain_cert(conn->ssl, x509);
3554 }
3555 BIO_free(bio);
3556 return 0;
3557 }
3558 #endif /* ANDROID */
3559
3560 #ifndef OPENSSL_NO_STDIO
3561 if (SSL_use_certificate_file(conn->ssl, client_cert,
3562 SSL_FILETYPE_ASN1) == 1) {
3563 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (DER)"
3564 " --> OK");
3565 return 0;
3566 }
3567
3568 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3569 !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
3570 if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
3571 ERR_clear_error();
3572 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
3573 " --> OK");
3574 return 0;
3575 }
3576 #else
3577 if (SSL_use_certificate_file(conn->ssl, client_cert,
3578 SSL_FILETYPE_PEM) == 1) {
3579 ERR_clear_error();
3580 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
3581 " --> OK");
3582 return 0;
3583 }
3584 #endif
3585
3586 tls_show_errors(MSG_DEBUG, __func__,
3587 "SSL_use_certificate_file failed");
3588 #else /* OPENSSL_NO_STDIO */
3589 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3590 #endif /* OPENSSL_NO_STDIO */
3591
3592 return -1;
3593 }
3594
3595
tls_global_client_cert(struct tls_data * data,const char * client_cert)3596 static int tls_global_client_cert(struct tls_data *data,
3597 const char *client_cert)
3598 {
3599 #ifndef OPENSSL_NO_STDIO
3600 SSL_CTX *ssl_ctx = data->ssl;
3601
3602 if (client_cert == NULL)
3603 return 0;
3604
3605 if (SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3606 SSL_FILETYPE_ASN1) != 1 &&
3607 SSL_CTX_use_certificate_chain_file(ssl_ctx, client_cert) != 1 &&
3608 SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3609 SSL_FILETYPE_PEM) != 1) {
3610 tls_show_errors(MSG_INFO, __func__,
3611 "Failed to load client certificate");
3612 return -1;
3613 }
3614 return 0;
3615 #else /* OPENSSL_NO_STDIO */
3616 if (client_cert == NULL)
3617 return 0;
3618 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3619 return -1;
3620 #endif /* OPENSSL_NO_STDIO */
3621 }
3622
3623
3624 #ifdef PKCS12_FUNCS
tls_parse_pkcs12(struct tls_data * data,SSL * ssl,PKCS12 * p12,const char * passwd)3625 static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12,
3626 const char *passwd)
3627 {
3628 EVP_PKEY *pkey;
3629 X509 *cert;
3630 STACK_OF(X509) *certs;
3631 int res = 0;
3632 char buf[256];
3633
3634 pkey = NULL;
3635 cert = NULL;
3636 certs = NULL;
3637 if (!passwd)
3638 passwd = "";
3639 if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) {
3640 tls_show_errors(MSG_DEBUG, __func__,
3641 "Failed to parse PKCS12 file");
3642 PKCS12_free(p12);
3643 return -1;
3644 }
3645 wpa_printf(MSG_DEBUG, "TLS: Successfully parsed PKCS12 data");
3646
3647 if (cert) {
3648 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3649 sizeof(buf));
3650 wpa_printf(MSG_DEBUG, "TLS: Got certificate from PKCS12: "
3651 "subject='%s'", buf);
3652 if (ssl) {
3653 if (SSL_use_certificate(ssl, cert) != 1)
3654 res = -1;
3655 } else {
3656 if (SSL_CTX_use_certificate(data->ssl, cert) != 1)
3657 res = -1;
3658 }
3659 X509_free(cert);
3660 }
3661
3662 if (pkey) {
3663 wpa_printf(MSG_DEBUG, "TLS: Got private key from PKCS12");
3664 if (ssl) {
3665 if (SSL_use_PrivateKey(ssl, pkey) != 1)
3666 res = -1;
3667 } else {
3668 if (SSL_CTX_use_PrivateKey(data->ssl, pkey) != 1)
3669 res = -1;
3670 }
3671 EVP_PKEY_free(pkey);
3672 }
3673
3674 if (certs) {
3675 #ifndef LIBRESSL_VERSION_NUMBER
3676 if (ssl)
3677 SSL_clear_chain_certs(ssl);
3678 else
3679 SSL_CTX_clear_chain_certs(data->ssl);
3680 while ((cert = sk_X509_pop(certs)) != NULL) {
3681 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3682 sizeof(buf));
3683 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3684 " from PKCS12: subject='%s'", buf);
3685 if ((ssl && SSL_add1_chain_cert(ssl, cert) != 1) ||
3686 (!ssl && SSL_CTX_add1_chain_cert(data->ssl,
3687 cert) != 1)) {
3688 tls_show_errors(MSG_DEBUG, __func__,
3689 "Failed to add additional certificate");
3690 res = -1;
3691 X509_free(cert);
3692 break;
3693 }
3694 X509_free(cert);
3695 }
3696 if (!res) {
3697 /* Try to continue anyway */
3698 }
3699 sk_X509_pop_free(certs, X509_free);
3700 #ifndef OPENSSL_IS_BORINGSSL
3701 if (ssl)
3702 res = SSL_build_cert_chain(
3703 ssl,
3704 SSL_BUILD_CHAIN_FLAG_CHECK |
3705 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3706 else
3707 res = SSL_CTX_build_cert_chain(
3708 data->ssl,
3709 SSL_BUILD_CHAIN_FLAG_CHECK |
3710 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3711 if (!res) {
3712 tls_show_errors(MSG_DEBUG, __func__,
3713 "Failed to build certificate chain");
3714 } else if (res == 2) {
3715 wpa_printf(MSG_DEBUG,
3716 "TLS: Ignore certificate chain verification error when building chain with PKCS#12 extra certificates");
3717 }
3718 #endif /* OPENSSL_IS_BORINGSSL */
3719 /*
3720 * Try to continue regardless of result since it is possible for
3721 * the extra certificates not to be required.
3722 */
3723 res = 0;
3724 #else /* LIBRESSL_VERSION_NUMBER */
3725 SSL_CTX_clear_extra_chain_certs(data->ssl);
3726 while ((cert = sk_X509_pop(certs)) != NULL) {
3727 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3728 sizeof(buf));
3729 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3730 " from PKCS12: subject='%s'", buf);
3731 /*
3732 * There is no SSL equivalent for the chain cert - so
3733 * always add it to the context...
3734 */
3735 if (SSL_CTX_add_extra_chain_cert(data->ssl, cert) != 1)
3736 {
3737 X509_free(cert);
3738 res = -1;
3739 break;
3740 }
3741 }
3742 sk_X509_pop_free(certs, X509_free);
3743 #endif /* LIBRSESSL_VERSION_NUMBER */
3744 }
3745
3746 PKCS12_free(p12);
3747
3748 if (res < 0)
3749 tls_get_errors(data);
3750
3751 return res;
3752 }
3753 #endif /* PKCS12_FUNCS */
3754
3755
tls_read_pkcs12(struct tls_data * data,SSL * ssl,const char * private_key,const char * passwd)3756 static int tls_read_pkcs12(struct tls_data *data, SSL *ssl,
3757 const char *private_key, const char *passwd)
3758 {
3759 #ifdef PKCS12_FUNCS
3760 FILE *f;
3761 PKCS12 *p12;
3762
3763 f = fopen(private_key, "rb");
3764 if (f == NULL)
3765 return -1;
3766
3767 p12 = d2i_PKCS12_fp(f, NULL);
3768 fclose(f);
3769
3770 if (p12 == NULL) {
3771 tls_show_errors(MSG_INFO, __func__,
3772 "Failed to use PKCS#12 file");
3773 return -1;
3774 }
3775
3776 return tls_parse_pkcs12(data, ssl, p12, passwd);
3777
3778 #else /* PKCS12_FUNCS */
3779 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read "
3780 "p12/pfx files");
3781 return -1;
3782 #endif /* PKCS12_FUNCS */
3783 }
3784
3785
tls_read_pkcs12_blob(struct tls_data * data,SSL * ssl,const u8 * blob,size_t len,const char * passwd)3786 static int tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl,
3787 const u8 *blob, size_t len, const char *passwd)
3788 {
3789 #ifdef PKCS12_FUNCS
3790 PKCS12 *p12;
3791
3792 p12 = d2i_PKCS12(NULL, (const unsigned char **) &blob, len);
3793 if (p12 == NULL) {
3794 tls_show_errors(MSG_INFO, __func__,
3795 "Failed to use PKCS#12 blob");
3796 return -1;
3797 }
3798
3799 return tls_parse_pkcs12(data, ssl, p12, passwd);
3800
3801 #else /* PKCS12_FUNCS */
3802 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse "
3803 "p12/pfx blobs");
3804 return -1;
3805 #endif /* PKCS12_FUNCS */
3806 }
3807
3808
3809 #ifndef OPENSSL_NO_ENGINE
tls_engine_get_cert(struct tls_connection * conn,const char * cert_id,X509 ** cert)3810 static int tls_engine_get_cert(struct tls_connection *conn,
3811 const char *cert_id,
3812 X509 **cert)
3813 {
3814 /* this runs after the private key is loaded so no PIN is required */
3815 struct {
3816 const char *cert_id;
3817 X509 *cert;
3818 } params;
3819 params.cert_id = cert_id;
3820 params.cert = NULL;
3821
3822 if (!ENGINE_ctrl_cmd(conn->engine, "LOAD_CERT_CTRL",
3823 0, ¶ms, NULL, 1)) {
3824 unsigned long err = ERR_get_error();
3825
3826 wpa_printf(MSG_ERROR, "ENGINE: cannot load client cert with id"
3827 " '%s' [%s]", cert_id,
3828 ERR_error_string(err, NULL));
3829 if (tls_is_pin_error(err))
3830 return TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
3831 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
3832 }
3833 if (!params.cert) {
3834 wpa_printf(MSG_ERROR, "ENGINE: did not properly cert with id"
3835 " '%s'", cert_id);
3836 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
3837 }
3838 *cert = params.cert;
3839 return 0;
3840 }
3841 #endif /* OPENSSL_NO_ENGINE */
3842
3843
tls_connection_engine_client_cert(struct tls_connection * conn,const char * cert_id)3844 static int tls_connection_engine_client_cert(struct tls_connection *conn,
3845 const char *cert_id)
3846 {
3847 #ifndef OPENSSL_NO_ENGINE
3848 X509 *cert;
3849
3850 if (tls_engine_get_cert(conn, cert_id, &cert))
3851 return -1;
3852
3853 if (!SSL_use_certificate(conn->ssl, cert)) {
3854 tls_show_errors(MSG_ERROR, __func__,
3855 "SSL_use_certificate failed");
3856 X509_free(cert);
3857 return -1;
3858 }
3859 X509_free(cert);
3860 wpa_printf(MSG_DEBUG, "ENGINE: SSL_use_certificate --> "
3861 "OK");
3862 return 0;
3863
3864 #else /* OPENSSL_NO_ENGINE */
3865 return -1;
3866 #endif /* OPENSSL_NO_ENGINE */
3867 }
3868
3869
tls_connection_engine_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert_id)3870 static int tls_connection_engine_ca_cert(struct tls_data *data,
3871 struct tls_connection *conn,
3872 const char *ca_cert_id)
3873 {
3874 #ifndef OPENSSL_NO_ENGINE
3875 X509 *cert;
3876 SSL_CTX *ssl_ctx = data->ssl;
3877 X509_STORE *store;
3878
3879 if (tls_engine_get_cert(conn, ca_cert_id, &cert))
3880 return -1;
3881
3882 /* start off the same as tls_connection_ca_cert */
3883 store = X509_STORE_new();
3884 if (store == NULL) {
3885 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
3886 "certificate store", __func__);
3887 X509_free(cert);
3888 return -1;
3889 }
3890 SSL_CTX_set_cert_store(ssl_ctx, store);
3891 if (!X509_STORE_add_cert(store, cert)) {
3892 unsigned long err = ERR_peek_error();
3893 tls_show_errors(MSG_WARNING, __func__,
3894 "Failed to add CA certificate from engine "
3895 "to certificate store");
3896 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
3897 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
3898 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring cert"
3899 " already in hash table error",
3900 __func__);
3901 } else {
3902 X509_free(cert);
3903 return -1;
3904 }
3905 }
3906 X509_free(cert);
3907 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
3908 "to certificate store", __func__);
3909 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
3910 conn->ca_cert_verify = 1;
3911
3912 return 0;
3913
3914 #else /* OPENSSL_NO_ENGINE */
3915 return -1;
3916 #endif /* OPENSSL_NO_ENGINE */
3917 }
3918
3919
tls_connection_engine_private_key(struct tls_connection * conn)3920 static int tls_connection_engine_private_key(struct tls_connection *conn)
3921 {
3922 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
3923 if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) {
3924 tls_show_errors(MSG_ERROR, __func__,
3925 "ENGINE: cannot use private key for TLS");
3926 return -1;
3927 }
3928 if (!SSL_check_private_key(conn->ssl)) {
3929 tls_show_errors(MSG_INFO, __func__,
3930 "Private key failed verification");
3931 return -1;
3932 }
3933 return 0;
3934 #else /* OPENSSL_NO_ENGINE */
3935 wpa_printf(MSG_ERROR, "SSL: Configuration uses engine, but "
3936 "engine support was not compiled in");
3937 return -1;
3938 #endif /* OPENSSL_NO_ENGINE */
3939 }
3940
3941
3942 #ifndef OPENSSL_NO_STDIO
tls_passwd_cb(char * buf,int size,int rwflag,void * password)3943 static int tls_passwd_cb(char *buf, int size, int rwflag, void *password)
3944 {
3945 if (!password)
3946 return 0;
3947 os_strlcpy(buf, (const char *) password, size);
3948 return os_strlen(buf);
3949 }
3950 #endif /* OPENSSL_NO_STDIO */
3951
3952
tls_use_private_key_file(struct tls_data * data,SSL * ssl,const char * private_key,const char * private_key_passwd)3953 static int tls_use_private_key_file(struct tls_data *data, SSL *ssl,
3954 const char *private_key,
3955 const char *private_key_passwd)
3956 {
3957 #ifndef OPENSSL_NO_STDIO
3958 BIO *bio;
3959 EVP_PKEY *pkey;
3960 int ret;
3961
3962 /* First try ASN.1 (DER). */
3963 bio = BIO_new_file(private_key, "r");
3964 if (!bio)
3965 return -1;
3966 pkey = d2i_PrivateKey_bio(bio, NULL);
3967 BIO_free(bio);
3968
3969 if (pkey) {
3970 wpa_printf(MSG_DEBUG, "OpenSSL: %s (DER) --> loaded", __func__);
3971 } else {
3972 /* Try PEM with the provided password. */
3973 bio = BIO_new_file(private_key, "r");
3974 if (!bio)
3975 return -1;
3976 pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_passwd_cb,
3977 (void *) private_key_passwd);
3978 BIO_free(bio);
3979 if (!pkey)
3980 return -1;
3981 wpa_printf(MSG_DEBUG, "OpenSSL: %s (PEM) --> loaded", __func__);
3982 /* Clear errors from the previous failed load. */
3983 ERR_clear_error();
3984 }
3985
3986 if (ssl)
3987 ret = SSL_use_PrivateKey(ssl, pkey);
3988 else
3989 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey);
3990
3991 EVP_PKEY_free(pkey);
3992 return ret == 1 ? 0 : -1;
3993 #else /* OPENSSL_NO_STDIO */
3994 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3995 return -1;
3996 #endif /* OPENSSL_NO_STDIO */
3997 }
3998
3999
tls_connection_private_key(struct tls_data * data,struct tls_connection * conn,const char * private_key,const char * private_key_passwd,const u8 * private_key_blob,size_t private_key_blob_len)4000 static int tls_connection_private_key(struct tls_data *data,
4001 struct tls_connection *conn,
4002 const char *private_key,
4003 const char *private_key_passwd,
4004 const u8 *private_key_blob,
4005 size_t private_key_blob_len)
4006 {
4007 BIO *bio;
4008 int ok;
4009
4010 if (private_key == NULL && private_key_blob == NULL)
4011 return 0;
4012
4013 ok = 0;
4014 while (private_key_blob) {
4015 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl,
4016 (u8 *) private_key_blob,
4017 private_key_blob_len) == 1) {
4018 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
4019 "ASN1(EVP_PKEY_RSA) --> OK");
4020 ok = 1;
4021 break;
4022 }
4023
4024 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl,
4025 (u8 *) private_key_blob,
4026 private_key_blob_len) == 1) {
4027 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
4028 "ASN1(EVP_PKEY_DSA) --> OK");
4029 ok = 1;
4030 break;
4031 }
4032
4033 #ifndef OPENSSL_NO_EC
4034 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, conn->ssl,
4035 (u8 *) private_key_blob,
4036 private_key_blob_len) == 1) {
4037 wpa_printf(MSG_DEBUG,
4038 "OpenSSL: SSL_use_PrivateKey_ASN1(EVP_PKEY_EC) --> OK");
4039 ok = 1;
4040 break;
4041 }
4042 #endif /* OPENSSL_NO_EC */
4043
4044 #if OPENSSL_VERSION_NUMBER < 0x30000000L
4045 if (SSL_use_RSAPrivateKey_ASN1(conn->ssl,
4046 (u8 *) private_key_blob,
4047 private_key_blob_len) == 1) {
4048 wpa_printf(MSG_DEBUG, "OpenSSL: "
4049 "SSL_use_RSAPrivateKey_ASN1 --> OK");
4050 ok = 1;
4051 break;
4052 }
4053 #endif
4054
4055 bio = BIO_new_mem_buf((u8 *) private_key_blob,
4056 private_key_blob_len);
4057 if (bio) {
4058 EVP_PKEY *pkey;
4059
4060 pkey = PEM_read_bio_PrivateKey(
4061 bio, NULL, tls_passwd_cb,
4062 (void *) private_key_passwd);
4063 if (pkey) {
4064 if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) {
4065 wpa_printf(MSG_DEBUG,
4066 "OpenSSL: SSL_use_PrivateKey --> OK");
4067 ok = 1;
4068 EVP_PKEY_free(pkey);
4069 BIO_free(bio);
4070 break;
4071 }
4072 EVP_PKEY_free(pkey);
4073 }
4074 BIO_free(bio);
4075 }
4076
4077 if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob,
4078 private_key_blob_len,
4079 private_key_passwd) == 0) {
4080 wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> "
4081 "OK");
4082 ok = 1;
4083 break;
4084 }
4085
4086 break;
4087 }
4088
4089 while (!ok && private_key) {
4090 if (tls_use_private_key_file(data, conn->ssl, private_key,
4091 private_key_passwd) == 0) {
4092 ok = 1;
4093 break;
4094 }
4095
4096 if (tls_read_pkcs12(data, conn->ssl, private_key,
4097 private_key_passwd) == 0) {
4098 wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file "
4099 "--> OK");
4100 ok = 1;
4101 break;
4102 }
4103
4104 if (tls_cryptoapi_cert(conn->ssl, private_key) == 0) {
4105 wpa_printf(MSG_DEBUG, "OpenSSL: Using CryptoAPI to "
4106 "access certificate store --> OK");
4107 ok = 1;
4108 break;
4109 }
4110
4111 break;
4112 }
4113
4114 if (!ok) {
4115 tls_show_errors(MSG_INFO, __func__,
4116 "Failed to load private key");
4117 return -1;
4118 }
4119 ERR_clear_error();
4120
4121 if (!SSL_check_private_key(conn->ssl)) {
4122 tls_show_errors(MSG_INFO, __func__, "Private key failed "
4123 "verification");
4124 return -1;
4125 }
4126
4127 wpa_printf(MSG_DEBUG, "SSL: Private key loaded successfully");
4128 return 0;
4129 }
4130
4131
tls_global_private_key(struct tls_data * data,const char * private_key,const char * private_key_passwd)4132 static int tls_global_private_key(struct tls_data *data,
4133 const char *private_key,
4134 const char *private_key_passwd)
4135 {
4136 SSL_CTX *ssl_ctx = data->ssl;
4137
4138 if (private_key == NULL)
4139 return 0;
4140
4141 if (tls_use_private_key_file(data, NULL, private_key,
4142 private_key_passwd) &&
4143 tls_read_pkcs12(data, NULL, private_key, private_key_passwd)) {
4144 tls_show_errors(MSG_INFO, __func__,
4145 "Failed to load private key");
4146 ERR_clear_error();
4147 return -1;
4148 }
4149 ERR_clear_error();
4150
4151 if (!SSL_CTX_check_private_key(ssl_ctx)) {
4152 tls_show_errors(MSG_INFO, __func__,
4153 "Private key failed verification");
4154 return -1;
4155 }
4156
4157 return 0;
4158 }
4159
4160
4161 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4162 #ifndef OPENSSL_NO_DH
4163 #ifndef OPENSSL_NO_DSA
4164 /* This is needed to replace the deprecated DSA_dup_DH() function */
openssl_dsa_to_dh(EVP_PKEY * dsa)4165 static EVP_PKEY * openssl_dsa_to_dh(EVP_PKEY *dsa)
4166 {
4167 OSSL_PARAM_BLD *bld = NULL;
4168 OSSL_PARAM *params = NULL;
4169 BIGNUM *p = NULL, *q = NULL, *g = NULL;
4170 EVP_PKEY_CTX *ctx = NULL;
4171 EVP_PKEY *pkey = NULL;
4172
4173 if (!EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_P, &p) ||
4174 !EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_Q, &q) ||
4175 !EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_G, &g) ||
4176 !(bld = OSSL_PARAM_BLD_new()) ||
4177 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) ||
4178 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q) ||
4179 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) ||
4180 !(params = OSSL_PARAM_BLD_to_param(bld)) ||
4181 !(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL)) ||
4182 EVP_PKEY_fromdata_init(ctx) != 1 ||
4183 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS,
4184 params) != 1)
4185 wpa_printf(MSG_INFO,
4186 "TLS: Failed to convert DSA parameters to DH parameters");
4187
4188 EVP_PKEY_CTX_free(ctx);
4189 OSSL_PARAM_free(params);
4190 OSSL_PARAM_BLD_free(bld);
4191 BN_free(p);
4192 BN_free(q);
4193 BN_free(g);
4194 return pkey;
4195 }
4196 #endif /* !OPENSSL_NO_DSA */
4197 #endif /* OPENSSL_NO_DH */
4198 #endif /* OpenSSL version >= 3.0 */
4199
tls_global_dh(struct tls_data * data,const char * dh_file)4200 static int tls_global_dh(struct tls_data *data, const char *dh_file)
4201 {
4202 #ifdef OPENSSL_NO_DH
4203 if (dh_file == NULL)
4204 return 0;
4205 wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
4206 "dh_file specified");
4207 return -1;
4208 #else /* OPENSSL_NO_DH */
4209 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4210 SSL_CTX *ssl_ctx = data->ssl;
4211 BIO *bio;
4212 OSSL_DECODER_CTX *ctx = NULL;
4213 EVP_PKEY *pkey = NULL, *tmpkey = NULL;
4214 bool dsa = false;
4215
4216 if (!ssl_ctx)
4217 return -1;
4218 if (!dh_file) {
4219 SSL_CTX_set_dh_auto(ssl_ctx, 1);
4220 return 0;
4221 }
4222
4223 bio = BIO_new_file(dh_file, "r");
4224 if (!bio) {
4225 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4226 dh_file, ERR_error_string(ERR_get_error(), NULL));
4227 return -1;
4228 }
4229 ctx = OSSL_DECODER_CTX_new_for_pkey(
4230 &tmpkey, "PEM", NULL, NULL,
4231 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, NULL, NULL);
4232 if (!ctx ||
4233 OSSL_DECODER_from_bio(ctx, bio) != 1) {
4234 wpa_printf(MSG_INFO,
4235 "TLS: Failed to decode domain parameters from '%s': %s",
4236 dh_file, ERR_error_string(ERR_get_error(), NULL));
4237 BIO_free(bio);
4238 OSSL_DECODER_CTX_free(ctx);
4239 return -1;
4240 }
4241 OSSL_DECODER_CTX_free(ctx);
4242 BIO_free(bio);
4243
4244 if (!tmpkey) {
4245 wpa_printf(MSG_INFO, "TLS: Failed to load domain parameters");
4246 return -1;
4247 }
4248
4249 #ifndef OPENSSL_NO_DSA
4250 if (EVP_PKEY_is_a(tmpkey, "DSA")) {
4251 pkey = openssl_dsa_to_dh(tmpkey);
4252 EVP_PKEY_free(tmpkey);
4253 if (!pkey)
4254 return -1;
4255 dsa = true;
4256 }
4257 #endif /* !OPENSSL_NO_DSA */
4258 if (!dsa) {
4259 if (EVP_PKEY_is_a(tmpkey, "DH") ||
4260 EVP_PKEY_is_a(tmpkey, "DHX")) {
4261 } else {
4262 wpa_printf(MSG_INFO,
4263 "TLS: No DH parameters found in %s",
4264 dh_file);
4265 EVP_PKEY_free(tmpkey);
4266 return -1;
4267 }
4268 pkey = tmpkey;
4269 tmpkey = NULL;
4270 }
4271
4272 if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, pkey) != 1) {
4273 wpa_printf(MSG_INFO,
4274 "TLS: Failed to set DH params from '%s': %s",
4275 dh_file, ERR_error_string(ERR_get_error(), NULL));
4276 EVP_PKEY_free(pkey);
4277 return -1;
4278 }
4279 return 0;
4280 #else /* OpenSSL version >= 3.0 */
4281 SSL_CTX *ssl_ctx = data->ssl;
4282 DH *dh;
4283 BIO *bio;
4284
4285 if (!ssl_ctx)
4286 return -1;
4287 if (!dh_file) {
4288 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)
4289 SSL_CTX_set_dh_auto(ssl_ctx, 1);
4290 #endif
4291 return 0;
4292 }
4293
4294 bio = BIO_new_file(dh_file, "r");
4295 if (bio == NULL) {
4296 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4297 dh_file, ERR_error_string(ERR_get_error(), NULL));
4298 return -1;
4299 }
4300 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
4301 BIO_free(bio);
4302 #ifndef OPENSSL_NO_DSA
4303 while (dh == NULL) {
4304 DSA *dsa;
4305 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
4306 " trying to parse as DSA params", dh_file,
4307 ERR_error_string(ERR_get_error(), NULL));
4308 bio = BIO_new_file(dh_file, "r");
4309 if (bio == NULL)
4310 break;
4311 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
4312 BIO_free(bio);
4313 if (!dsa) {
4314 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
4315 "'%s': %s", dh_file,
4316 ERR_error_string(ERR_get_error(), NULL));
4317 break;
4318 }
4319
4320 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
4321 dh = DSA_dup_DH(dsa);
4322 DSA_free(dsa);
4323 if (dh == NULL) {
4324 wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
4325 "params into DH params");
4326 break;
4327 }
4328 break;
4329 }
4330 #endif /* !OPENSSL_NO_DSA */
4331 if (dh == NULL) {
4332 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
4333 "'%s'", dh_file);
4334 return -1;
4335 }
4336
4337 if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) {
4338 wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': "
4339 "%s", dh_file,
4340 ERR_error_string(ERR_get_error(), NULL));
4341 DH_free(dh);
4342 return -1;
4343 }
4344 DH_free(dh);
4345 return 0;
4346 #endif /* OpenSSL version >= 3.0 */
4347 #endif /* OPENSSL_NO_DH */
4348 }
4349
4350
tls_connection_get_random(void * ssl_ctx,struct tls_connection * conn,struct tls_random * keys)4351 int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
4352 struct tls_random *keys)
4353 {
4354 SSL *ssl;
4355
4356 if (conn == NULL || keys == NULL)
4357 return -1;
4358 ssl = conn->ssl;
4359 if (ssl == NULL)
4360 return -1;
4361
4362 os_memset(keys, 0, sizeof(*keys));
4363 keys->client_random = conn->client_random;
4364 keys->client_random_len = SSL_get_client_random(
4365 ssl, conn->client_random, sizeof(conn->client_random));
4366 keys->server_random = conn->server_random;
4367 keys->server_random_len = SSL_get_server_random(
4368 ssl, conn->server_random, sizeof(conn->server_random));
4369
4370 return 0;
4371 }
4372
4373
4374 #ifdef OPENSSL_NEED_EAP_FAST_PRF
openssl_get_keyblock_size(SSL * ssl)4375 static int openssl_get_keyblock_size(SSL *ssl)
4376 {
4377 #if OPENSSL_VERSION_NUMBER < 0x10100000L
4378 const EVP_CIPHER *c;
4379 const EVP_MD *h;
4380 int md_size;
4381
4382 if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL ||
4383 ssl->read_hash == NULL)
4384 return -1;
4385
4386 c = ssl->enc_read_ctx->cipher;
4387 h = EVP_MD_CTX_md(ssl->read_hash);
4388 if (h)
4389 md_size = EVP_MD_size(h);
4390 else if (ssl->s3)
4391 md_size = ssl->s3->tmp.new_mac_secret_size;
4392 else
4393 return -1;
4394
4395 wpa_printf(MSG_DEBUG, "OpenSSL: keyblock size: key_len=%d MD_size=%d "
4396 "IV_len=%d", EVP_CIPHER_key_length(c), md_size,
4397 EVP_CIPHER_iv_length(c));
4398 return 2 * (EVP_CIPHER_key_length(c) +
4399 md_size +
4400 EVP_CIPHER_iv_length(c));
4401 #else
4402 const SSL_CIPHER *ssl_cipher;
4403 int cipher, digest;
4404 const EVP_CIPHER *c;
4405 const EVP_MD *h;
4406 int mac_key_len, enc_key_len, fixed_iv_len;
4407
4408 ssl_cipher = SSL_get_current_cipher(ssl);
4409 if (!ssl_cipher)
4410 return -1;
4411 cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher);
4412 digest = SSL_CIPHER_get_digest_nid(ssl_cipher);
4413 wpa_printf(MSG_DEBUG, "OpenSSL: cipher nid %d digest nid %d",
4414 cipher, digest);
4415 if (cipher < 0 || digest < 0)
4416 return -1;
4417 if (cipher == NID_undef) {
4418 wpa_printf(MSG_DEBUG, "OpenSSL: no cipher in use?!");
4419 return -1;
4420 }
4421 c = EVP_get_cipherbynid(cipher);
4422 if (!c)
4423 return -1;
4424 enc_key_len = EVP_CIPHER_key_length(c);
4425 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE ||
4426 EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
4427 fixed_iv_len = 4; /* only part of IV from PRF */
4428 else
4429 fixed_iv_len = EVP_CIPHER_iv_length(c);
4430 if (digest == NID_undef) {
4431 wpa_printf(MSG_DEBUG, "OpenSSL: no digest in use (e.g., AEAD)");
4432 mac_key_len = 0;
4433 } else {
4434 h = EVP_get_digestbynid(digest);
4435 if (!h)
4436 return -1;
4437 mac_key_len = EVP_MD_size(h);
4438 }
4439
4440 wpa_printf(MSG_DEBUG,
4441 "OpenSSL: keyblock size: mac_key_len=%d enc_key_len=%d fixed_iv_len=%d",
4442 mac_key_len, enc_key_len, fixed_iv_len);
4443 return 2 * (mac_key_len + enc_key_len + fixed_iv_len);
4444 #endif
4445 }
4446 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4447
4448
tls_connection_export_key(void * tls_ctx,struct tls_connection * conn,const char * label,const u8 * context,size_t context_len,u8 * out,size_t out_len)4449 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
4450 const char *label, const u8 *context,
4451 size_t context_len, u8 *out, size_t out_len)
4452 {
4453 if (!conn ||
4454 SSL_export_keying_material(conn->ssl, out, out_len, label,
4455 os_strlen(label), context, context_len,
4456 context != NULL) != 1)
4457 return -1;
4458 return 0;
4459 }
4460
4461
tls_connection_get_eap_fast_key(void * tls_ctx,struct tls_connection * conn,u8 * out,size_t out_len)4462 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
4463 u8 *out, size_t out_len)
4464 {
4465 #ifdef OPENSSL_NEED_EAP_FAST_PRF
4466 SSL *ssl;
4467 SSL_SESSION *sess;
4468 u8 *rnd;
4469 int ret = -1;
4470 int skip = 0;
4471 u8 *tmp_out = NULL;
4472 u8 *_out = out;
4473 unsigned char client_random[SSL3_RANDOM_SIZE];
4474 unsigned char server_random[SSL3_RANDOM_SIZE];
4475 unsigned char master_key[64];
4476 size_t master_key_len;
4477 const char *ver;
4478
4479 /*
4480 * TLS library did not support EAP-FAST key generation, so get the
4481 * needed TLS session parameters and use an internal implementation of
4482 * TLS PRF to derive the key.
4483 */
4484
4485 if (conn == NULL)
4486 return -1;
4487 ssl = conn->ssl;
4488 if (ssl == NULL)
4489 return -1;
4490 ver = SSL_get_version(ssl);
4491 sess = SSL_get_session(ssl);
4492 if (!ver || !sess)
4493 return -1;
4494
4495 skip = openssl_get_keyblock_size(ssl);
4496 if (skip < 0)
4497 return -1;
4498 tmp_out = os_malloc(skip + out_len);
4499 if (!tmp_out)
4500 return -1;
4501 _out = tmp_out;
4502
4503 rnd = os_malloc(2 * SSL3_RANDOM_SIZE);
4504 if (!rnd) {
4505 os_free(tmp_out);
4506 return -1;
4507 }
4508
4509 SSL_get_client_random(ssl, client_random, sizeof(client_random));
4510 SSL_get_server_random(ssl, server_random, sizeof(server_random));
4511 master_key_len = SSL_SESSION_get_master_key(sess, master_key,
4512 sizeof(master_key));
4513
4514 os_memcpy(rnd, server_random, SSL3_RANDOM_SIZE);
4515 os_memcpy(rnd + SSL3_RANDOM_SIZE, client_random, SSL3_RANDOM_SIZE);
4516
4517 if (os_strcmp(ver, "TLSv1.2") == 0) {
4518 tls_prf_sha256(master_key, master_key_len,
4519 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4520 _out, skip + out_len);
4521 ret = 0;
4522 } else if (tls_prf_sha1_md5(master_key, master_key_len,
4523 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4524 _out, skip + out_len) == 0) {
4525 ret = 0;
4526 }
4527 forced_memzero(master_key, sizeof(master_key));
4528 os_free(rnd);
4529 if (ret == 0)
4530 os_memcpy(out, _out + skip, out_len);
4531 bin_clear_free(tmp_out, skip);
4532
4533 return ret;
4534 #else /* OPENSSL_NEED_EAP_FAST_PRF */
4535 wpa_printf(MSG_ERROR,
4536 "OpenSSL: EAP-FAST keys cannot be exported in FIPS mode");
4537 return -1;
4538 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4539 }
4540
4541
4542 static struct wpabuf *
openssl_handshake(struct tls_connection * conn,const struct wpabuf * in_data)4543 openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
4544 {
4545 struct tls_context *context = conn->context;
4546 int res;
4547 struct wpabuf *out_data;
4548
4549 /*
4550 * Give TLS handshake data from the server (if available) to OpenSSL
4551 * for processing.
4552 */
4553 if (in_data && wpabuf_len(in_data) > 0 &&
4554 BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data))
4555 < 0) {
4556 tls_show_errors(MSG_INFO, __func__,
4557 "Handshake failed - BIO_write");
4558 return NULL;
4559 }
4560
4561 /* Initiate TLS handshake or continue the existing handshake */
4562 if (conn->server)
4563 res = SSL_accept(conn->ssl);
4564 else
4565 res = SSL_connect(conn->ssl);
4566 if (res != 1) {
4567 int err = SSL_get_error(conn->ssl, res);
4568 if (err == SSL_ERROR_WANT_READ)
4569 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want "
4570 "more data");
4571 else if (err == SSL_ERROR_WANT_WRITE)
4572 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
4573 "write");
4574 else {
4575 unsigned long error = ERR_peek_last_error();
4576
4577 tls_show_errors(MSG_INFO, __func__, "SSL_connect");
4578
4579 if (context->event_cb &&
4580 ERR_GET_LIB(error) == ERR_LIB_SSL &&
4581 ERR_GET_REASON(error) ==
4582 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
4583 context->event_cb(
4584 context->cb_ctx,
4585 TLS_UNSAFE_RENEGOTIATION_DISABLED,
4586 NULL);
4587 }
4588 conn->failed++;
4589 if (!conn->server && !conn->client_hello_generated) {
4590 /* The server would not understand TLS Alert
4591 * before ClientHello, so simply terminate
4592 * handshake on this type of error case caused
4593 * by a likely internal error like no ciphers
4594 * available. */
4595 wpa_printf(MSG_DEBUG,
4596 "OpenSSL: Could not generate ClientHello");
4597 conn->write_alerts++;
4598 return NULL;
4599 }
4600 }
4601 }
4602
4603 if (!conn->server && !conn->failed)
4604 conn->client_hello_generated = 1;
4605
4606 #ifdef CONFIG_SUITEB
4607 if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
4608 os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
4609 conn->server_dh_prime_len < 3072) {
4610 /*
4611 * This should not be reached since earlier cert_cb should have
4612 * terminated the handshake. Keep this check here for extra
4613 * protection if anything goes wrong with the more low-level
4614 * checks based on having to parse the TLS handshake messages.
4615 */
4616 wpa_printf(MSG_DEBUG,
4617 "OpenSSL: Server DH prime length: %d bits",
4618 conn->server_dh_prime_len);
4619
4620 if (context->event_cb) {
4621 union tls_event_data ev;
4622
4623 os_memset(&ev, 0, sizeof(ev));
4624 ev.alert.is_local = 1;
4625 ev.alert.type = "fatal";
4626 ev.alert.description = "insufficient security";
4627 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
4628 }
4629 /*
4630 * Could send a TLS Alert to the server, but for now, simply
4631 * terminate handshake.
4632 */
4633 conn->failed++;
4634 conn->write_alerts++;
4635 return NULL;
4636 }
4637 #endif /* CONFIG_SUITEB */
4638
4639 /* Get the TLS handshake data to be sent to the server */
4640 res = BIO_ctrl_pending(conn->ssl_out);
4641 wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res);
4642 out_data = wpabuf_alloc(res);
4643 if (out_data == NULL) {
4644 wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for "
4645 "handshake output (%d bytes)", res);
4646 if (BIO_reset(conn->ssl_out) < 0) {
4647 tls_show_errors(MSG_INFO, __func__,
4648 "BIO_reset failed");
4649 }
4650 return NULL;
4651 }
4652 res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data),
4653 res);
4654 if (res < 0) {
4655 tls_show_errors(MSG_INFO, __func__,
4656 "Handshake failed - BIO_read");
4657 if (BIO_reset(conn->ssl_out) < 0) {
4658 tls_show_errors(MSG_INFO, __func__,
4659 "BIO_reset failed");
4660 }
4661 wpabuf_free(out_data);
4662 return NULL;
4663 }
4664 wpabuf_put(out_data, res);
4665
4666 return out_data;
4667 }
4668
4669
4670 static struct wpabuf *
openssl_get_appl_data(struct tls_connection * conn,size_t max_len)4671 openssl_get_appl_data(struct tls_connection *conn, size_t max_len)
4672 {
4673 struct wpabuf *appl_data;
4674 int res;
4675
4676 appl_data = wpabuf_alloc(max_len + 100);
4677 if (appl_data == NULL)
4678 return NULL;
4679
4680 res = SSL_read(conn->ssl, wpabuf_mhead(appl_data),
4681 wpabuf_size(appl_data));
4682 if (res < 0) {
4683 int err = SSL_get_error(conn->ssl, res);
4684 if (err == SSL_ERROR_WANT_READ ||
4685 err == SSL_ERROR_WANT_WRITE) {
4686 wpa_printf(MSG_DEBUG, "SSL: No Application Data "
4687 "included");
4688 } else {
4689 tls_show_errors(MSG_INFO, __func__,
4690 "Failed to read possible "
4691 "Application Data");
4692 }
4693 wpabuf_free(appl_data);
4694 return NULL;
4695 }
4696
4697 wpabuf_put(appl_data, res);
4698 wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application Data in Finished "
4699 "message", appl_data);
4700
4701 return appl_data;
4702 }
4703
4704
4705 static struct wpabuf *
openssl_connection_handshake(struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4706 openssl_connection_handshake(struct tls_connection *conn,
4707 const struct wpabuf *in_data,
4708 struct wpabuf **appl_data)
4709 {
4710 struct wpabuf *out_data;
4711
4712 if (appl_data)
4713 *appl_data = NULL;
4714
4715 out_data = openssl_handshake(conn, in_data);
4716 if (out_data == NULL)
4717 return NULL;
4718 if (conn->invalid_hb_used) {
4719 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4720 wpabuf_free(out_data);
4721 return NULL;
4722 }
4723
4724 if (SSL_is_init_finished(conn->ssl)) {
4725 wpa_printf(MSG_DEBUG,
4726 "OpenSSL: Handshake finished - resumed=%d",
4727 tls_connection_resumed(conn->ssl_ctx, conn));
4728 if (conn->server) {
4729 char *buf;
4730 size_t buflen = 2000;
4731
4732 buf = os_malloc(buflen);
4733 if (buf) {
4734 if (SSL_get_shared_ciphers(conn->ssl, buf,
4735 buflen)) {
4736 buf[buflen - 1] = '\0';
4737 wpa_printf(MSG_DEBUG,
4738 "OpenSSL: Shared ciphers: %s",
4739 buf);
4740 }
4741 os_free(buf);
4742 }
4743 }
4744 if (appl_data && in_data)
4745 *appl_data = openssl_get_appl_data(conn,
4746 wpabuf_len(in_data));
4747 }
4748
4749 if (conn->invalid_hb_used) {
4750 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4751 if (appl_data) {
4752 wpabuf_free(*appl_data);
4753 *appl_data = NULL;
4754 }
4755 wpabuf_free(out_data);
4756 return NULL;
4757 }
4758
4759 return out_data;
4760 }
4761
4762
4763 struct wpabuf *
tls_connection_handshake(void * ssl_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4764 tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
4765 const struct wpabuf *in_data,
4766 struct wpabuf **appl_data)
4767 {
4768 return openssl_connection_handshake(conn, in_data, appl_data);
4769 }
4770
4771
tls_connection_server_handshake(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4772 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
4773 struct tls_connection *conn,
4774 const struct wpabuf *in_data,
4775 struct wpabuf **appl_data)
4776 {
4777 conn->server = 1;
4778 return openssl_connection_handshake(conn, in_data, appl_data);
4779 }
4780
4781
tls_connection_encrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4782 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
4783 struct tls_connection *conn,
4784 const struct wpabuf *in_data)
4785 {
4786 int res;
4787 struct wpabuf *buf;
4788
4789 if (conn == NULL)
4790 return NULL;
4791
4792 /* Give plaintext data for OpenSSL to encrypt into the TLS tunnel. */
4793 if ((res = BIO_reset(conn->ssl_in)) < 0 ||
4794 (res = BIO_reset(conn->ssl_out)) < 0) {
4795 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4796 return NULL;
4797 }
4798 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data));
4799 if (res < 0) {
4800 tls_show_errors(MSG_INFO, __func__,
4801 "Encryption failed - SSL_write");
4802 return NULL;
4803 }
4804
4805 /* Read encrypted data to be sent to the server */
4806 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
4807 if (buf == NULL)
4808 return NULL;
4809 res = BIO_read(conn->ssl_out, wpabuf_mhead(buf), wpabuf_size(buf));
4810 if (res < 0) {
4811 tls_show_errors(MSG_INFO, __func__,
4812 "Encryption failed - BIO_read");
4813 wpabuf_free(buf);
4814 return NULL;
4815 }
4816 wpabuf_put(buf, res);
4817
4818 return buf;
4819 }
4820
4821
tls_connection_decrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4822 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
4823 struct tls_connection *conn,
4824 const struct wpabuf *in_data)
4825 {
4826 int res;
4827 struct wpabuf *buf;
4828
4829 /* Give encrypted data from TLS tunnel for OpenSSL to decrypt. */
4830 res = BIO_write(conn->ssl_in, wpabuf_head(in_data),
4831 wpabuf_len(in_data));
4832 if (res < 0) {
4833 tls_show_errors(MSG_INFO, __func__,
4834 "Decryption failed - BIO_write");
4835 return NULL;
4836 }
4837 if (BIO_reset(conn->ssl_out) < 0) {
4838 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4839 return NULL;
4840 }
4841
4842 /* Read decrypted data for further processing */
4843 /*
4844 * Even though we try to disable TLS compression, it is possible that
4845 * this cannot be done with all TLS libraries. Add extra buffer space
4846 * to handle the possibility of the decrypted data being longer than
4847 * input data.
4848 */
4849 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
4850 if (buf == NULL)
4851 return NULL;
4852 res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf));
4853 if (res < 0) {
4854 int err = SSL_get_error(conn->ssl, res);
4855
4856 if (err == SSL_ERROR_WANT_READ) {
4857 wpa_printf(MSG_DEBUG,
4858 "SSL: SSL_connect - want more data");
4859 res = 0;
4860 } else {
4861 tls_show_errors(MSG_INFO, __func__,
4862 "Decryption failed - SSL_read");
4863 wpabuf_free(buf);
4864 return NULL;
4865 }
4866 }
4867 wpabuf_put(buf, res);
4868
4869 if (conn->invalid_hb_used) {
4870 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4871 wpabuf_free(buf);
4872 return NULL;
4873 }
4874
4875 return buf;
4876 }
4877
4878
tls_connection_resumed(void * ssl_ctx,struct tls_connection * conn)4879 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
4880 {
4881 return conn ? SSL_session_reused(conn->ssl) : 0;
4882 }
4883
4884
tls_connection_set_cipher_list(void * tls_ctx,struct tls_connection * conn,u8 * ciphers)4885 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
4886 u8 *ciphers)
4887 {
4888 char buf[500], *pos, *end;
4889 u8 *c;
4890 int ret;
4891
4892 if (conn == NULL || conn->ssl == NULL || ciphers == NULL)
4893 return -1;
4894
4895 buf[0] = '\0';
4896 pos = buf;
4897 end = pos + sizeof(buf);
4898
4899 c = ciphers;
4900 while (*c != TLS_CIPHER_NONE) {
4901 const char *suite;
4902
4903 switch (*c) {
4904 case TLS_CIPHER_RC4_SHA:
4905 suite = "RC4-SHA";
4906 break;
4907 case TLS_CIPHER_AES128_SHA:
4908 suite = "AES128-SHA";
4909 break;
4910 case TLS_CIPHER_RSA_DHE_AES128_SHA:
4911 suite = "DHE-RSA-AES128-SHA";
4912 break;
4913 case TLS_CIPHER_ANON_DH_AES128_SHA:
4914 suite = "ADH-AES128-SHA";
4915 break;
4916 case TLS_CIPHER_RSA_DHE_AES256_SHA:
4917 suite = "DHE-RSA-AES256-SHA";
4918 break;
4919 case TLS_CIPHER_AES256_SHA:
4920 suite = "AES256-SHA";
4921 break;
4922 default:
4923 wpa_printf(MSG_DEBUG, "TLS: Unsupported "
4924 "cipher selection: %d", *c);
4925 return -1;
4926 }
4927 ret = os_snprintf(pos, end - pos, ":%s", suite);
4928 if (os_snprintf_error(end - pos, ret))
4929 break;
4930 pos += ret;
4931
4932 c++;
4933 }
4934 if (!buf[0]) {
4935 wpa_printf(MSG_DEBUG, "OpenSSL: No ciphers listed");
4936 return -1;
4937 }
4938
4939 wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
4940
4941 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
4942 #ifdef EAP_FAST_OR_TEAP
4943 if (os_strstr(buf, ":ADH-")) {
4944 /*
4945 * Need to drop to security level 0 to allow anonymous
4946 * cipher suites for EAP-FAST.
4947 */
4948 SSL_set_security_level(conn->ssl, 0);
4949 } else if (SSL_get_security_level(conn->ssl) == 0) {
4950 /* Force at least security level 1 */
4951 SSL_set_security_level(conn->ssl, 1);
4952 }
4953 #endif /* EAP_FAST_OR_TEAP */
4954 #endif
4955
4956 if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) {
4957 tls_show_errors(MSG_INFO, __func__,
4958 "Cipher suite configuration failed");
4959 return -1;
4960 }
4961
4962 return 0;
4963 }
4964
4965
tls_get_version(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)4966 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
4967 char *buf, size_t buflen)
4968 {
4969 const char *name;
4970 if (conn == NULL || conn->ssl == NULL)
4971 return -1;
4972
4973 name = SSL_get_version(conn->ssl);
4974 if (name == NULL)
4975 return -1;
4976
4977 os_strlcpy(buf, name, buflen);
4978 return 0;
4979 }
4980
4981
tls_get_cipher(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)4982 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
4983 char *buf, size_t buflen)
4984 {
4985 const char *name;
4986 if (conn == NULL || conn->ssl == NULL)
4987 return -1;
4988
4989 name = SSL_get_cipher(conn->ssl);
4990 if (name == NULL)
4991 return -1;
4992
4993 os_strlcpy(buf, name, buflen);
4994 return 0;
4995 }
4996
4997
tls_connection_enable_workaround(void * ssl_ctx,struct tls_connection * conn)4998 int tls_connection_enable_workaround(void *ssl_ctx,
4999 struct tls_connection *conn)
5000 {
5001 SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
5002
5003 return 0;
5004 }
5005
5006
5007 #ifdef EAP_FAST_OR_TEAP
5008 /* ClientHello TLS extensions require a patch to openssl, so this function is
5009 * commented out unless explicitly needed for EAP-FAST in order to be able to
5010 * build this file with unmodified openssl. */
tls_connection_client_hello_ext(void * ssl_ctx,struct tls_connection * conn,int ext_type,const u8 * data,size_t data_len)5011 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
5012 int ext_type, const u8 *data,
5013 size_t data_len)
5014 {
5015 if (conn == NULL || conn->ssl == NULL || ext_type != 35)
5016 return -1;
5017
5018 if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
5019 data_len) != 1)
5020 return -1;
5021
5022 return 0;
5023 }
5024 #endif /* EAP_FAST_OR_TEAP */
5025
5026
tls_connection_get_failed(void * ssl_ctx,struct tls_connection * conn)5027 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
5028 {
5029 if (conn == NULL)
5030 return -1;
5031 return conn->failed;
5032 }
5033
5034
tls_connection_get_read_alerts(void * ssl_ctx,struct tls_connection * conn)5035 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
5036 {
5037 if (conn == NULL)
5038 return -1;
5039 return conn->read_alerts;
5040 }
5041
5042
tls_connection_get_write_alerts(void * ssl_ctx,struct tls_connection * conn)5043 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
5044 {
5045 if (conn == NULL)
5046 return -1;
5047 return conn->write_alerts;
5048 }
5049
5050
5051 #ifdef HAVE_OCSP
5052
ocsp_debug_print_resp(OCSP_RESPONSE * rsp)5053 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
5054 {
5055 #ifndef CONFIG_NO_STDOUT_DEBUG
5056 BIO *out;
5057 size_t rlen;
5058 char *txt;
5059 int res;
5060
5061 if (wpa_debug_level > MSG_DEBUG)
5062 return;
5063
5064 out = BIO_new(BIO_s_mem());
5065 if (!out)
5066 return;
5067
5068 OCSP_RESPONSE_print(out, rsp, 0);
5069 rlen = BIO_ctrl_pending(out);
5070 txt = os_malloc(rlen + 1);
5071 if (!txt) {
5072 BIO_free(out);
5073 return;
5074 }
5075
5076 res = BIO_read(out, txt, rlen);
5077 if (res > 0) {
5078 txt[res] = '\0';
5079 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP Response\n%s", txt);
5080 }
5081 os_free(txt);
5082 BIO_free(out);
5083 #endif /* CONFIG_NO_STDOUT_DEBUG */
5084 }
5085
5086
ocsp_resp_cb(SSL * s,void * arg)5087 static int ocsp_resp_cb(SSL *s, void *arg)
5088 {
5089 struct tls_connection *conn = arg;
5090 const unsigned char *p;
5091 int len, status, reason, res;
5092 OCSP_RESPONSE *rsp;
5093 OCSP_BASICRESP *basic;
5094 OCSP_CERTID *id;
5095 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
5096 X509_STORE *store;
5097 STACK_OF(X509) *certs = NULL;
5098
5099 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
5100 if (!p) {
5101 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
5102 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
5103 if (SSL_version(s) == TLS1_3_VERSION && SSL_session_reused(s)) {
5104 /* TLS 1.3 sends the OCSP response with the server
5105 * Certificate message. Since that Certificate message
5106 * is not sent when resuming a session, there can be no
5107 * new OCSP response. Allow this since the OCSP response
5108 * was validated when checking the initial certificate
5109 * exchange. */
5110 wpa_printf(MSG_DEBUG,
5111 "OpenSSL: Allow no OCSP response when using TLS 1.3 and a resumed session");
5112 return 1;
5113 }
5114 #endif
5115 #endif
5116 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
5117 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
5118 }
5119
5120 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
5121
5122 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
5123 if (!rsp) {
5124 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
5125 return 0;
5126 }
5127
5128 ocsp_debug_print_resp(rsp);
5129
5130 status = OCSP_response_status(rsp);
5131 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
5132 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
5133 status, OCSP_response_status_str(status));
5134 return 0;
5135 }
5136
5137 basic = OCSP_response_get1_basic(rsp);
5138 if (!basic) {
5139 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
5140 return 0;
5141 }
5142
5143 store = SSL_CTX_get_cert_store(conn->ssl_ctx);
5144 if (conn->peer_issuer) {
5145 debug_print_cert(conn->peer_issuer, "Add OCSP issuer");
5146
5147 if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) {
5148 tls_show_errors(MSG_INFO, __func__,
5149 "OpenSSL: Could not add issuer to certificate store");
5150 }
5151 certs = sk_X509_new_null();
5152 if (certs) {
5153 X509 *cert;
5154 cert = X509_dup(conn->peer_issuer);
5155 if (cert && !sk_X509_push(certs, cert)) {
5156 tls_show_errors(
5157 MSG_INFO, __func__,
5158 "OpenSSL: Could not add issuer to OCSP responder trust store");
5159 X509_free(cert);
5160 sk_X509_free(certs);
5161 certs = NULL;
5162 }
5163 if (certs && conn->peer_issuer_issuer) {
5164 cert = X509_dup(conn->peer_issuer_issuer);
5165 if (cert && !sk_X509_push(certs, cert)) {
5166 tls_show_errors(
5167 MSG_INFO, __func__,
5168 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
5169 X509_free(cert);
5170 }
5171 }
5172 }
5173 }
5174
5175 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
5176 sk_X509_pop_free(certs, X509_free);
5177 if (status <= 0) {
5178 tls_show_errors(MSG_INFO, __func__,
5179 "OpenSSL: OCSP response failed verification");
5180 OCSP_BASICRESP_free(basic);
5181 OCSP_RESPONSE_free(rsp);
5182 return 0;
5183 }
5184
5185 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
5186
5187 if (!conn->peer_cert) {
5188 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
5189 OCSP_BASICRESP_free(basic);
5190 OCSP_RESPONSE_free(rsp);
5191 return 0;
5192 }
5193
5194 if (!conn->peer_issuer) {
5195 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
5196 OCSP_BASICRESP_free(basic);
5197 OCSP_RESPONSE_free(rsp);
5198 return 0;
5199 }
5200
5201 id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
5202 if (!id) {
5203 wpa_printf(MSG_DEBUG,
5204 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
5205 OCSP_BASICRESP_free(basic);
5206 OCSP_RESPONSE_free(rsp);
5207 return 0;
5208 }
5209
5210 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
5211 &this_update, &next_update);
5212 if (!res) {
5213 OCSP_CERTID_free(id);
5214 id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
5215 if (!id) {
5216 wpa_printf(MSG_DEBUG,
5217 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
5218 OCSP_BASICRESP_free(basic);
5219 OCSP_RESPONSE_free(rsp);
5220 return 0;
5221 }
5222
5223 res = OCSP_resp_find_status(basic, id, &status, &reason,
5224 &produced_at, &this_update,
5225 &next_update);
5226 }
5227
5228 if (!res) {
5229 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
5230 (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
5231 " (OCSP not required)");
5232 OCSP_CERTID_free(id);
5233 OCSP_BASICRESP_free(basic);
5234 OCSP_RESPONSE_free(rsp);
5235 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
5236 }
5237 OCSP_CERTID_free(id);
5238
5239 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
5240 tls_show_errors(MSG_INFO, __func__,
5241 "OpenSSL: OCSP status times invalid");
5242 OCSP_BASICRESP_free(basic);
5243 OCSP_RESPONSE_free(rsp);
5244 return 0;
5245 }
5246
5247 OCSP_BASICRESP_free(basic);
5248 OCSP_RESPONSE_free(rsp);
5249
5250 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
5251 OCSP_cert_status_str(status));
5252
5253 if (status == V_OCSP_CERTSTATUS_GOOD)
5254 return 1;
5255 if (status == V_OCSP_CERTSTATUS_REVOKED)
5256 return 0;
5257 if (conn->flags & TLS_CONN_REQUIRE_OCSP) {
5258 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
5259 return 0;
5260 }
5261 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
5262 return 1;
5263 }
5264
5265
ocsp_status_cb(SSL * s,void * arg)5266 static int ocsp_status_cb(SSL *s, void *arg)
5267 {
5268 char *tmp;
5269 char *resp;
5270 size_t len;
5271
5272 if (tls_global->ocsp_stapling_response == NULL) {
5273 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - no response configured");
5274 return SSL_TLSEXT_ERR_OK;
5275 }
5276
5277 resp = os_readfile(tls_global->ocsp_stapling_response, &len);
5278 if (resp == NULL) {
5279 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - could not read response file");
5280 /* TODO: Build OCSPResponse with responseStatus = internalError
5281 */
5282 return SSL_TLSEXT_ERR_OK;
5283 }
5284 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - send cached response");
5285 tmp = OPENSSL_malloc(len);
5286 if (tmp == NULL) {
5287 os_free(resp);
5288 return SSL_TLSEXT_ERR_ALERT_FATAL;
5289 }
5290
5291 os_memcpy(tmp, resp, len);
5292 os_free(resp);
5293 SSL_set_tlsext_status_ocsp_resp(s, tmp, len);
5294
5295 return SSL_TLSEXT_ERR_OK;
5296 }
5297
5298 #endif /* HAVE_OCSP */
5299
5300
max_str_len(const char ** lines)5301 static size_t max_str_len(const char **lines)
5302 {
5303 const char **p;
5304 size_t max_len = 0;
5305
5306 for (p = lines; *p; p++) {
5307 size_t len = os_strlen(*p);
5308
5309 if (len > max_len)
5310 max_len = len;
5311 }
5312
5313 return max_len;
5314 }
5315
5316
match_lines_in_file(const char * path,const char ** lines)5317 static int match_lines_in_file(const char *path, const char **lines)
5318 {
5319 FILE *f;
5320 char *buf;
5321 size_t bufsize;
5322 int found = 0, is_linestart = 1;
5323
5324 bufsize = max_str_len(lines) + sizeof("\r\n");
5325 buf = os_malloc(bufsize);
5326 if (!buf)
5327 return 0;
5328
5329 f = fopen(path, "r");
5330 if (!f) {
5331 os_free(buf);
5332 return 0;
5333 }
5334
5335 while (!found && fgets(buf, bufsize, f)) {
5336 int is_lineend;
5337 size_t len;
5338 const char **p;
5339
5340 len = strcspn(buf, "\r\n");
5341 is_lineend = buf[len] != '\0';
5342 buf[len] = '\0';
5343
5344 if (is_linestart && is_lineend) {
5345 for (p = lines; !found && *p; p++)
5346 found = os_strcmp(buf, *p) == 0;
5347 }
5348 is_linestart = is_lineend;
5349 }
5350
5351 fclose(f);
5352 bin_clear_free(buf, bufsize);
5353
5354 return found;
5355 }
5356
5357
is_tpm2_key(const char * path)5358 static int is_tpm2_key(const char *path)
5359 {
5360 /* Check both new and old format of TPM2 PEM guard tag */
5361 static const char *tpm2_tags[] = {
5362 "-----BEGIN TSS2 PRIVATE KEY-----",
5363 "-----BEGIN TSS2 KEY BLOB-----",
5364 NULL
5365 };
5366
5367 return match_lines_in_file(path, tpm2_tags);
5368 }
5369
5370
tls_connection_set_params(void * tls_ctx,struct tls_connection * conn,const struct tls_connection_params * params)5371 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
5372 const struct tls_connection_params *params)
5373 {
5374 struct tls_data *data = tls_ctx;
5375 int ret;
5376 unsigned long err;
5377 int can_pkcs11 = 0;
5378 const char *key_id = params->key_id;
5379 const char *cert_id = params->cert_id;
5380 const char *ca_cert_id = params->ca_cert_id;
5381 const char *engine_id = params->engine ? params->engine_id : NULL;
5382 const char *ciphers;
5383
5384 if (conn == NULL)
5385 return -1;
5386
5387 if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
5388 wpa_printf(MSG_INFO,
5389 "OpenSSL: ocsp=3 not supported");
5390 return -1;
5391 }
5392
5393 /*
5394 * If the engine isn't explicitly configured, and any of the
5395 * cert/key fields are actually PKCS#11 URIs, then automatically
5396 * use the PKCS#11 ENGINE.
5397 */
5398 if (!engine_id || os_strcmp(engine_id, "pkcs11") == 0)
5399 can_pkcs11 = 1;
5400
5401 if (!key_id && params->private_key && can_pkcs11 &&
5402 os_strncmp(params->private_key, "pkcs11:", 7) == 0) {
5403 can_pkcs11 = 2;
5404 key_id = params->private_key;
5405 }
5406
5407 if (!cert_id && params->client_cert && can_pkcs11 &&
5408 os_strncmp(params->client_cert, "pkcs11:", 7) == 0) {
5409 can_pkcs11 = 2;
5410 cert_id = params->client_cert;
5411 }
5412
5413 if (!ca_cert_id && params->ca_cert && can_pkcs11 &&
5414 os_strncmp(params->ca_cert, "pkcs11:", 7) == 0) {
5415 can_pkcs11 = 2;
5416 ca_cert_id = params->ca_cert;
5417 }
5418
5419 /* If we need to automatically enable the PKCS#11 ENGINE, do so. */
5420 if (can_pkcs11 == 2 && !engine_id)
5421 engine_id = "pkcs11";
5422
5423 /* If private_key points to a TPM2-wrapped key, automatically enable
5424 * tpm2 engine and use it to unwrap the key. */
5425 if (params->private_key &&
5426 (!engine_id || os_strcmp(engine_id, "tpm2") == 0) &&
5427 is_tpm2_key(params->private_key)) {
5428 wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s",
5429 params->private_key);
5430 key_id = key_id ? key_id : params->private_key;
5431 engine_id = engine_id ? engine_id : "tpm2";
5432 }
5433
5434 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
5435 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
5436 if (params->flags & TLS_CONN_EAP_FAST) {
5437 wpa_printf(MSG_DEBUG,
5438 "OpenSSL: Use TLSv1_method() for EAP-FAST");
5439 if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
5440 tls_show_errors(MSG_INFO, __func__,
5441 "Failed to set TLSv1_method() for EAP-FAST");
5442 return -1;
5443 }
5444 }
5445 #endif
5446 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
5447 #ifdef SSL_OP_NO_TLSv1_3
5448 if (params->flags & TLS_CONN_EAP_FAST) {
5449 /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
5450 * refuses to start the handshake with the modified ciphersuite
5451 * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */
5452 wpa_printf(MSG_DEBUG, "OpenSSL: Disable TLSv1.3 for EAP-FAST");
5453 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3);
5454 }
5455 #endif /* SSL_OP_NO_TLSv1_3 */
5456 #endif
5457 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
5458
5459 while ((err = ERR_get_error())) {
5460 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5461 __func__, ERR_error_string(err, NULL));
5462 }
5463
5464 if (tls_set_conn_flags(conn, params->flags,
5465 params->openssl_ciphers) < 0) {
5466 wpa_printf(MSG_ERROR, "TLS: Failed to set connection flags");
5467 return -1;
5468 }
5469
5470 if (engine_id) {
5471 wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s",
5472 engine_id);
5473 ret = tls_engine_init(conn, engine_id, params->pin,
5474 key_id, cert_id, ca_cert_id);
5475 if (ret)
5476 return ret;
5477 }
5478 if (tls_connection_set_subject_match(conn,
5479 params->subject_match,
5480 params->altsubject_match,
5481 params->suffix_match,
5482 params->domain_match,
5483 params->check_cert_subject)) {
5484 wpa_printf(MSG_ERROR, "TLS: Failed to set subject match");
5485 return -1;
5486 }
5487
5488 if (engine_id && ca_cert_id) {
5489 if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
5490 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5491 } else if (tls_connection_ca_cert(data, conn, params->ca_cert,
5492 params->ca_cert_blob,
5493 params->ca_cert_blob_len,
5494 params->ca_path)) {
5495 wpa_printf(MSG_ERROR, "TLS: Failed to parse Root CA certificate");
5496 return -1;
5497 }
5498
5499 if (engine_id && cert_id) {
5500 if (tls_connection_engine_client_cert(conn, cert_id))
5501 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5502 } else if (tls_connection_client_cert(conn, params->client_cert,
5503 params->client_cert_blob,
5504 params->client_cert_blob_len)) {
5505 wpa_printf(MSG_ERROR, "TLS: Failed to parse client certificate");
5506 return -1;
5507 }
5508
5509 if (engine_id && key_id) {
5510 wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
5511 if (tls_connection_engine_private_key(conn))
5512 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5513 } else if (tls_connection_private_key(data, conn,
5514 params->private_key,
5515 params->private_key_passwd,
5516 params->private_key_blob,
5517 params->private_key_blob_len)) {
5518 wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'",
5519 params->private_key);
5520 return -1;
5521 }
5522
5523 ciphers = params->openssl_ciphers;
5524 #ifdef CONFIG_SUITEB
5525 #ifdef OPENSSL_IS_BORINGSSL
5526 if (ciphers && os_strcmp(ciphers, "SUITEB192") == 0) {
5527 /* BoringSSL removed support for SUITEB192, so need to handle
5528 * this with hardcoded ciphersuite and additional checks for
5529 * other parameters. */
5530 ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384";
5531 }
5532 #endif /* OPENSSL_IS_BORINGSSL */
5533 #endif /* CONFIG_SUITEB */
5534 if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) {
5535 wpa_printf(MSG_INFO,
5536 "OpenSSL: Failed to set cipher string '%s'",
5537 ciphers);
5538 return -1;
5539 }
5540
5541 if (!params->openssl_ecdh_curves) {
5542 #ifndef OPENSSL_IS_BORINGSSL
5543 #ifndef OPENSSL_NO_EC
5544 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5545 if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) {
5546 wpa_printf(MSG_INFO,
5547 "OpenSSL: Failed to set ECDH curves to auto");
5548 return -1;
5549 }
5550 #endif /* < 1.1.0 */
5551 #endif /* OPENSSL_NO_EC */
5552 #endif /* OPENSSL_IS_BORINGSSL */
5553 } else if (params->openssl_ecdh_curves[0]) {
5554 #ifdef OPENSSL_IS_BORINGSSL
5555 wpa_printf(MSG_INFO,
5556 "OpenSSL: ECDH configuration not supported");
5557 return -1;
5558 #else /* !OPENSSL_IS_BORINGSSL */
5559 #ifndef OPENSSL_NO_EC
5560 if (SSL_set1_curves_list(conn->ssl,
5561 params->openssl_ecdh_curves) != 1) {
5562 wpa_printf(MSG_INFO,
5563 "OpenSSL: Failed to set ECDH curves '%s'",
5564 params->openssl_ecdh_curves);
5565 return -1;
5566 }
5567 #else /* OPENSSL_NO_EC */
5568 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5569 return -1;
5570 #endif /* OPENSSL_NO_EC */
5571 #endif /* OPENSSL_IS_BORINGSSL */
5572 }
5573
5574 #ifdef OPENSSL_IS_BORINGSSL
5575 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5576 SSL_enable_ocsp_stapling(conn->ssl);
5577 }
5578 #else /* OPENSSL_IS_BORINGSSL */
5579 #ifdef HAVE_OCSP
5580 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5581 SSL_CTX *ssl_ctx = data->ssl;
5582 SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp);
5583 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
5584 SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
5585 }
5586 #else /* HAVE_OCSP */
5587 if (params->flags & TLS_CONN_REQUIRE_OCSP) {
5588 wpa_printf(MSG_INFO,
5589 "OpenSSL: No OCSP support included - reject configuration");
5590 return -1;
5591 }
5592 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5593 wpa_printf(MSG_DEBUG,
5594 "OpenSSL: No OCSP support included - allow optional OCSP case to continue");
5595 }
5596 #endif /* HAVE_OCSP */
5597 #endif /* OPENSSL_IS_BORINGSSL */
5598
5599 conn->flags = params->flags;
5600
5601 tls_get_errors(data);
5602
5603 return 0;
5604 }
5605
5606
openssl_debug_dump_cipher_list(SSL_CTX * ssl_ctx)5607 static void openssl_debug_dump_cipher_list(SSL_CTX *ssl_ctx)
5608 {
5609 SSL *ssl;
5610 int i;
5611
5612 ssl = SSL_new(ssl_ctx);
5613 if (!ssl)
5614 return;
5615
5616 wpa_printf(MSG_DEBUG,
5617 "OpenSSL: Enabled cipher suites in priority order");
5618 for (i = 0; ; i++) {
5619 const char *cipher;
5620
5621 cipher = SSL_get_cipher_list(ssl, i);
5622 if (!cipher)
5623 break;
5624 wpa_printf(MSG_DEBUG, "Cipher %d: %s", i, cipher);
5625 }
5626
5627 SSL_free(ssl);
5628 }
5629
5630
5631 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5632
openssl_pkey_type_str(const EVP_PKEY * pkey)5633 static const char * openssl_pkey_type_str(const EVP_PKEY *pkey)
5634 {
5635 if (!pkey)
5636 return "NULL";
5637 switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
5638 case EVP_PKEY_RSA:
5639 return "RSA";
5640 case EVP_PKEY_DSA:
5641 return "DSA";
5642 case EVP_PKEY_DH:
5643 return "DH";
5644 case EVP_PKEY_EC:
5645 return "EC";
5646 default:
5647 return "?";
5648 }
5649 }
5650
5651
openssl_debug_dump_certificate(int i,X509 * cert)5652 static void openssl_debug_dump_certificate(int i, X509 *cert)
5653 {
5654 char buf[256];
5655 EVP_PKEY *pkey;
5656 ASN1_INTEGER *ser;
5657 char serial_num[128];
5658
5659 if (!cert)
5660 return;
5661
5662 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
5663
5664 ser = X509_get_serialNumber(cert);
5665 if (ser)
5666 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
5667 ASN1_STRING_get0_data(ser),
5668 ASN1_STRING_length(ser));
5669 else
5670 serial_num[0] = '\0';
5671
5672 pkey = X509_get_pubkey(cert);
5673 wpa_printf(MSG_DEBUG, "%d: %s (%s) %s", i, buf,
5674 openssl_pkey_type_str(pkey), serial_num);
5675 EVP_PKEY_free(pkey);
5676 }
5677
5678
openssl_debug_dump_certificates(SSL_CTX * ssl_ctx)5679 static void openssl_debug_dump_certificates(SSL_CTX *ssl_ctx)
5680 {
5681 STACK_OF(X509) *certs;
5682
5683 wpa_printf(MSG_DEBUG, "OpenSSL: Configured certificate chain");
5684 if (SSL_CTX_get0_chain_certs(ssl_ctx, &certs) == 1) {
5685 int i;
5686
5687 for (i = sk_X509_num(certs); i > 0; i--)
5688 openssl_debug_dump_certificate(i, sk_X509_value(certs,
5689 i - 1));
5690 }
5691 openssl_debug_dump_certificate(0, SSL_CTX_get0_certificate(ssl_ctx));
5692 }
5693
5694 #endif
5695
5696
openssl_debug_dump_certificate_chains(SSL_CTX * ssl_ctx)5697 static void openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx)
5698 {
5699 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5700 int res;
5701
5702 for (res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5703 res == 1;
5704 res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_NEXT))
5705 openssl_debug_dump_certificates(ssl_ctx);
5706
5707 SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5708 #endif
5709 }
5710
5711
openssl_debug_dump_ctx(SSL_CTX * ssl_ctx)5712 static void openssl_debug_dump_ctx(SSL_CTX *ssl_ctx)
5713 {
5714 openssl_debug_dump_cipher_list(ssl_ctx);
5715 openssl_debug_dump_certificate_chains(ssl_ctx);
5716 }
5717
5718
tls_global_set_params(void * tls_ctx,const struct tls_connection_params * params)5719 int tls_global_set_params(void *tls_ctx,
5720 const struct tls_connection_params *params)
5721 {
5722 struct tls_data *data = tls_ctx;
5723 SSL_CTX *ssl_ctx = data->ssl;
5724 unsigned long err;
5725
5726 while ((err = ERR_get_error())) {
5727 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5728 __func__, ERR_error_string(err, NULL));
5729 }
5730
5731 os_free(data->check_cert_subject);
5732 data->check_cert_subject = NULL;
5733 if (params->check_cert_subject) {
5734 data->check_cert_subject =
5735 os_strdup(params->check_cert_subject);
5736 if (!data->check_cert_subject)
5737 return -1;
5738 }
5739
5740 if (tls_global_ca_cert(data, params->ca_cert) ||
5741 tls_global_client_cert(data, params->client_cert) ||
5742 tls_global_private_key(data, params->private_key,
5743 params->private_key_passwd) ||
5744 tls_global_client_cert(data, params->client_cert2) ||
5745 tls_global_private_key(data, params->private_key2,
5746 params->private_key_passwd2) ||
5747 tls_global_dh(data, params->dh_file)) {
5748 wpa_printf(MSG_INFO, "TLS: Failed to set global parameters");
5749 return -1;
5750 }
5751
5752 if (params->openssl_ciphers &&
5753 SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
5754 wpa_printf(MSG_INFO,
5755 "OpenSSL: Failed to set cipher string '%s'",
5756 params->openssl_ciphers);
5757 return -1;
5758 }
5759
5760 if (!params->openssl_ecdh_curves) {
5761 #ifndef OPENSSL_IS_BORINGSSL
5762 #ifndef OPENSSL_NO_EC
5763 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5764 if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
5765 wpa_printf(MSG_INFO,
5766 "OpenSSL: Failed to set ECDH curves to auto");
5767 return -1;
5768 }
5769 #endif /* < 1.1.0 */
5770 #endif /* OPENSSL_NO_EC */
5771 #endif /* OPENSSL_IS_BORINGSSL */
5772 } else if (params->openssl_ecdh_curves[0]) {
5773 #ifdef OPENSSL_IS_BORINGSSL
5774 wpa_printf(MSG_INFO,
5775 "OpenSSL: ECDH configuration not supported");
5776 return -1;
5777 #else /* !OPENSSL_IS_BORINGSSL */
5778 #ifndef OPENSSL_NO_EC
5779 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5780 SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
5781 #endif
5782 if (SSL_CTX_set1_curves_list(ssl_ctx,
5783 params->openssl_ecdh_curves) !=
5784 1) {
5785 wpa_printf(MSG_INFO,
5786 "OpenSSL: Failed to set ECDH curves '%s'",
5787 params->openssl_ecdh_curves);
5788 return -1;
5789 }
5790 #else /* OPENSSL_NO_EC */
5791 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5792 return -1;
5793 #endif /* OPENSSL_NO_EC */
5794 #endif /* OPENSSL_IS_BORINGSSL */
5795 }
5796
5797 #ifdef SSL_OP_NO_TICKET
5798 if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
5799 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
5800 else
5801 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TICKET);
5802 #endif /* SSL_OP_NO_TICKET */
5803
5804 #ifdef HAVE_OCSP
5805 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_status_cb);
5806 SSL_CTX_set_tlsext_status_arg(ssl_ctx, ssl_ctx);
5807 os_free(tls_global->ocsp_stapling_response);
5808 if (params->ocsp_stapling_response)
5809 tls_global->ocsp_stapling_response =
5810 os_strdup(params->ocsp_stapling_response);
5811 else
5812 tls_global->ocsp_stapling_response = NULL;
5813 #endif /* HAVE_OCSP */
5814
5815 openssl_debug_dump_ctx(ssl_ctx);
5816
5817 return 0;
5818 }
5819
5820
5821 #ifdef EAP_FAST_OR_TEAP
5822 /* Pre-shared secred requires a patch to openssl, so this function is
5823 * commented out unless explicitly needed for EAP-FAST in order to be able to
5824 * build this file with unmodified openssl. */
5825
5826 #if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
tls_sess_sec_cb(SSL * s,void * secret,int * secret_len,STACK_OF (SSL_CIPHER)* peer_ciphers,const SSL_CIPHER ** cipher,void * arg)5827 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
5828 STACK_OF(SSL_CIPHER) *peer_ciphers,
5829 const SSL_CIPHER **cipher, void *arg)
5830 #else /* OPENSSL_IS_BORINGSSL */
5831 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
5832 STACK_OF(SSL_CIPHER) *peer_ciphers,
5833 SSL_CIPHER **cipher, void *arg)
5834 #endif /* OPENSSL_IS_BORINGSSL */
5835 {
5836 struct tls_connection *conn = arg;
5837 int ret;
5838
5839 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5840 if (conn == NULL || conn->session_ticket_cb == NULL)
5841 return 0;
5842
5843 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
5844 conn->session_ticket,
5845 conn->session_ticket_len,
5846 s->s3->client_random,
5847 s->s3->server_random, secret);
5848 #else
5849 unsigned char client_random[SSL3_RANDOM_SIZE];
5850 unsigned char server_random[SSL3_RANDOM_SIZE];
5851
5852 if (conn == NULL || conn->session_ticket_cb == NULL)
5853 return 0;
5854
5855 SSL_get_client_random(s, client_random, sizeof(client_random));
5856 SSL_get_server_random(s, server_random, sizeof(server_random));
5857
5858 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
5859 conn->session_ticket,
5860 conn->session_ticket_len,
5861 client_random,
5862 server_random, secret);
5863 #endif
5864
5865 os_free(conn->session_ticket);
5866 conn->session_ticket = NULL;
5867
5868 if (ret <= 0)
5869 return 0;
5870
5871 *secret_len = SSL_MAX_MASTER_KEY_LENGTH;
5872 return 1;
5873 }
5874
5875
tls_session_ticket_ext_cb(SSL * s,const unsigned char * data,int len,void * arg)5876 static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
5877 int len, void *arg)
5878 {
5879 struct tls_connection *conn = arg;
5880
5881 if (conn == NULL || conn->session_ticket_cb == NULL)
5882 return 0;
5883
5884 wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
5885
5886 os_free(conn->session_ticket);
5887 conn->session_ticket = NULL;
5888
5889 wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
5890 "extension", data, len);
5891
5892 conn->session_ticket = os_memdup(data, len);
5893 if (conn->session_ticket == NULL)
5894 return 0;
5895
5896 conn->session_ticket_len = len;
5897
5898 return 1;
5899 }
5900 #endif /* EAP_FAST_OR_TEAP */
5901
5902
tls_connection_set_session_ticket_cb(void * tls_ctx,struct tls_connection * conn,tls_session_ticket_cb cb,void * ctx)5903 int tls_connection_set_session_ticket_cb(void *tls_ctx,
5904 struct tls_connection *conn,
5905 tls_session_ticket_cb cb,
5906 void *ctx)
5907 {
5908 #ifdef EAP_FAST_OR_TEAP
5909 conn->session_ticket_cb = cb;
5910 conn->session_ticket_cb_ctx = ctx;
5911
5912 if (cb) {
5913 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
5914 conn) != 1)
5915 return -1;
5916 SSL_set_session_ticket_ext_cb(conn->ssl,
5917 tls_session_ticket_ext_cb, conn);
5918 } else {
5919 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
5920 return -1;
5921 SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
5922 }
5923
5924 return 0;
5925 #else /* EAP_FAST_OR_TEAP */
5926 return -1;
5927 #endif /* EAP_FAST_OR_TEAP */
5928 }
5929
5930
tls_get_library_version(char * buf,size_t buf_len)5931 int tls_get_library_version(char *buf, size_t buf_len)
5932 {
5933 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
5934 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
5935 OPENSSL_VERSION_TEXT,
5936 OpenSSL_version(OPENSSL_VERSION));
5937 #else
5938 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
5939 OPENSSL_VERSION_TEXT,
5940 SSLeay_version(SSLEAY_VERSION));
5941 #endif
5942 }
5943
5944
tls_connection_set_success_data(struct tls_connection * conn,struct wpabuf * data)5945 void tls_connection_set_success_data(struct tls_connection *conn,
5946 struct wpabuf *data)
5947 {
5948 SSL_SESSION *sess;
5949 struct wpabuf *old;
5950 struct tls_session_data *sess_data = NULL;
5951
5952 if (tls_ex_idx_session < 0)
5953 goto fail;
5954 sess = SSL_get_session(conn->ssl);
5955 if (!sess)
5956 goto fail;
5957 old = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
5958 if (old) {
5959 struct tls_session_data *found;
5960
5961 found = get_session_data(conn->context, old);
5962 wpa_printf(MSG_DEBUG,
5963 "OpenSSL: Replacing old success data %p (sess %p)%s",
5964 old, sess, found ? "" : " (not freeing)");
5965 if (found) {
5966 dl_list_del(&found->list);
5967 os_free(found);
5968 wpabuf_free(old);
5969 }
5970 }
5971
5972 sess_data = os_zalloc(sizeof(*sess_data));
5973 if (!sess_data ||
5974 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, data) != 1)
5975 goto fail;
5976
5977 sess_data->buf = data;
5978 dl_list_add(&conn->context->sessions, &sess_data->list);
5979 wpa_printf(MSG_DEBUG, "OpenSSL: Stored success data %p (sess %p)",
5980 data, sess);
5981 conn->success_data = 1;
5982 return;
5983
5984 fail:
5985 wpa_printf(MSG_INFO, "OpenSSL: Failed to store success data");
5986 wpabuf_free(data);
5987 os_free(sess_data);
5988 }
5989
5990
tls_connection_set_success_data_resumed(struct tls_connection * conn)5991 void tls_connection_set_success_data_resumed(struct tls_connection *conn)
5992 {
5993 wpa_printf(MSG_DEBUG,
5994 "OpenSSL: Success data accepted for resumed session");
5995 conn->success_data = 1;
5996 }
5997
5998
5999 const struct wpabuf *
tls_connection_get_success_data(struct tls_connection * conn)6000 tls_connection_get_success_data(struct tls_connection *conn)
6001 {
6002 SSL_SESSION *sess;
6003
6004 if (tls_ex_idx_session < 0 ||
6005 !(sess = SSL_get_session(conn->ssl)))
6006 return NULL;
6007 return SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
6008 }
6009
6010
tls_connection_remove_session(struct tls_connection * conn)6011 void tls_connection_remove_session(struct tls_connection *conn)
6012 {
6013 SSL_SESSION *sess;
6014
6015 sess = SSL_get_session(conn->ssl);
6016 if (!sess)
6017 return;
6018
6019 if (SSL_CTX_remove_session(conn->ssl_ctx, sess) != 1)
6020 wpa_printf(MSG_DEBUG,
6021 "OpenSSL: Session was not cached");
6022 else
6023 wpa_printf(MSG_DEBUG,
6024 "OpenSSL: Removed cached session to disable session resumption");
6025 }
6026
6027
tls_get_tls_unique(struct tls_connection * conn,u8 * buf,size_t max_len)6028 int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)
6029 {
6030 size_t len;
6031 int reused;
6032
6033 reused = SSL_session_reused(conn->ssl);
6034 if ((conn->server && !reused) || (!conn->server && reused))
6035 len = SSL_get_peer_finished(conn->ssl, buf, max_len);
6036 else
6037 len = SSL_get_finished(conn->ssl, buf, max_len);
6038
6039 if (len == 0 || len > max_len)
6040 return -1;
6041
6042 return len;
6043 }
6044
6045
tls_connection_get_cipher_suite(struct tls_connection * conn)6046 u16 tls_connection_get_cipher_suite(struct tls_connection *conn)
6047 {
6048 const SSL_CIPHER *cipher;
6049
6050 cipher = SSL_get_current_cipher(conn->ssl);
6051 if (!cipher)
6052 return 0;
6053 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
6054 return SSL_CIPHER_get_protocol_id(cipher);
6055 #else
6056 return SSL_CIPHER_get_id(cipher) & 0xFFFF;
6057 #endif
6058 }
6059
6060
tls_connection_get_peer_subject(struct tls_connection * conn)6061 const char * tls_connection_get_peer_subject(struct tls_connection *conn)
6062 {
6063 if (conn)
6064 return conn->peer_subject;
6065 return NULL;
6066 }
6067
6068
tls_connection_get_own_cert_used(struct tls_connection * conn)6069 bool tls_connection_get_own_cert_used(struct tls_connection *conn)
6070 {
6071 if (conn)
6072 return SSL_get_certificate(conn->ssl) != NULL;
6073 return false;
6074 }
6075
tls_register_cert_callback(tls_get_certificate_cb cb)6076 void tls_register_cert_callback(tls_get_certificate_cb cb)
6077 {
6078 certificate_callback_global = cb;
6079 }
6080
tls_register_openssl_failure_callback(tls_openssl_failure_cb cb)6081 void tls_register_openssl_failure_callback(tls_openssl_failure_cb cb)
6082 {
6083 openssl_failure_callback_global = cb;
6084 }
6085