1 /*
2 * SSL/TLS interface functions for OpenSSL
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #ifdef CONFIG_TESTING_OPTIONS
11 #include <fcntl.h>
12 #endif /* CONFIG_TESTING_OPTIONS */
13
14 #ifndef CONFIG_SMARTCARD
15 #ifndef OPENSSL_NO_ENGINE
16 #ifndef ANDROID
17 #define OPENSSL_NO_ENGINE
18 #endif
19 #endif
20 #endif
21
22 #ifndef OPENSSL_NO_ENGINE
23 /* OpenSSL 3.0 has moved away from the engine API */
24 #define OPENSSL_SUPPRESS_DEPRECATED
25 #include <openssl/engine.h>
26 #endif /* OPENSSL_NO_ENGINE */
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
29 #include <openssl/opensslv.h>
30 #include <openssl/pkcs12.h>
31 #include <openssl/x509v3.h>
32 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
33 #include <openssl/core_names.h>
34 #include <openssl/decoder.h>
35 #include <openssl/param_build.h>
36 #include <openssl/store.h>
37 #include <openssl/provider.h>
38 #else /* OpenSSL version >= 3.0 */
39 #ifndef OPENSSL_NO_DSA
40 #include <openssl/dsa.h>
41 #endif
42 #ifndef OPENSSL_NO_DH
43 #include <openssl/dh.h>
44 #endif
45 #endif /* OpenSSL version >= 3.0 */
46
47 #include "common.h"
48 #include "utils/list.h"
49 #include "crypto.h"
50 #include "sha1.h"
51 #include "sha256.h"
52 #include "tls.h"
53 #include "tls_openssl.h"
54
55 #if !defined(CONFIG_FIPS) && \
56 (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
57 defined(EAP_SERVER_FAST))
58 #define OPENSSL_NEED_EAP_FAST_PRF
59 #endif
60
61 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
62 defined(EAP_SERVER_FAST) || defined(EAP_TEAP) || \
63 defined(EAP_SERVER_TEAP)
64 #define EAP_FAST_OR_TEAP
65 #endif
66
67
68 #if defined(OPENSSL_IS_BORINGSSL)
69 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
70 typedef size_t stack_index_t;
71 #else
72 typedef int stack_index_t;
73 #endif
74
75 #ifdef SSL_set_tlsext_status_type
76 #ifndef OPENSSL_NO_TLSEXT
77 #define HAVE_OCSP
78 #include <openssl/ocsp.h>
79 #endif /* OPENSSL_NO_TLSEXT */
80 #endif /* SSL_set_tlsext_status_type */
81
82 #if OPENSSL_VERSION_NUMBER < 0x10100000L && \
83 !defined(BORINGSSL_API_VERSION)
84 /*
85 * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
86 * 1.1.0 and newer BoringSSL revisions. Provide compatibility wrappers for
87 * older versions.
88 */
89
SSL_get_client_random(const SSL * ssl,unsigned char * out,size_t outlen)90 static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
91 size_t outlen)
92 {
93 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
94 return 0;
95 os_memcpy(out, ssl->s3->client_random, SSL3_RANDOM_SIZE);
96 return SSL3_RANDOM_SIZE;
97 }
98
99
SSL_get_server_random(const SSL * ssl,unsigned char * out,size_t outlen)100 static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
101 size_t outlen)
102 {
103 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
104 return 0;
105 os_memcpy(out, ssl->s3->server_random, SSL3_RANDOM_SIZE);
106 return SSL3_RANDOM_SIZE;
107 }
108
109
110 #ifdef OPENSSL_NEED_EAP_FAST_PRF
SSL_SESSION_get_master_key(const SSL_SESSION * session,unsigned char * out,size_t outlen)111 static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
112 unsigned char *out, size_t outlen)
113 {
114 if (!session || session->master_key_length < 0 ||
115 (size_t) session->master_key_length > outlen)
116 return 0;
117 if ((size_t) session->master_key_length < outlen)
118 outlen = session->master_key_length;
119 os_memcpy(out, session->master_key, outlen);
120 return outlen;
121 }
122 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
123
124 #endif
125
126 #if OPENSSL_VERSION_NUMBER < 0x10100000L
ASN1_STRING_get0_data(const ASN1_STRING * x)127 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
128 {
129 return ASN1_STRING_data((ASN1_STRING *) x);
130 }
131 #endif
132
133 static int tls_openssl_ref_count = 0;
134 static int tls_ex_idx_session = -1;
135
136 struct tls_session_data {
137 struct dl_list list;
138 struct wpabuf *buf;
139 };
140
141 struct tls_context {
142 void (*event_cb)(void *ctx, enum tls_event ev,
143 union tls_event_data *data);
144 void *cb_ctx;
145 int cert_in_cb;
146 char *ocsp_stapling_response;
147 struct dl_list sessions; /* struct tls_session_data */
148 };
149
150 struct tls_data {
151 SSL_CTX *ssl;
152 unsigned int tls_session_lifetime;
153 int check_crl;
154 int check_crl_strict;
155 char *ca_cert;
156 unsigned int crl_reload_interval;
157 struct os_reltime crl_last_reload;
158 char *check_cert_subject;
159 char *openssl_ciphers;
160 };
161
162 struct tls_connection {
163 struct tls_context *context;
164 struct tls_data *data;
165 SSL_CTX *ssl_ctx;
166 SSL *ssl;
167 BIO *ssl_in, *ssl_out;
168 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
169 ENGINE *engine; /* functional reference to the engine */
170 #endif /* OPENSSL_NO_ENGINE */
171 EVP_PKEY *private_key; /* the private key if using engine/provider */
172 char *subject_match, *altsubject_match, *suffix_match, *domain_match;
173 char *check_cert_subject;
174 int read_alerts, write_alerts, failed;
175
176 tls_session_ticket_cb session_ticket_cb;
177 void *session_ticket_cb_ctx;
178
179 /* SessionTicket received from OpenSSL hello_extension_cb (server) */
180 u8 *session_ticket;
181 size_t session_ticket_len;
182
183 unsigned int ca_cert_verify:1;
184 unsigned int cert_probe:1;
185 unsigned int server_cert_only:1;
186 unsigned int invalid_hb_used:1;
187 unsigned int success_data:1;
188 unsigned int client_hello_generated:1;
189 unsigned int server:1;
190
191 u8 srv_cert_hash[32];
192
193 unsigned int flags;
194
195 X509 *peer_cert;
196 X509 *peer_issuer;
197 X509 *peer_issuer_issuer;
198 char *peer_subject; /* peer subject info for authenticated peer */
199
200 unsigned char client_random[SSL3_RANDOM_SIZE];
201 unsigned char server_random[SSL3_RANDOM_SIZE];
202
203 u16 cipher_suite;
204 int server_dh_prime_len;
205 };
206
207 static struct tls_context *tls_global = NULL;
208 static tls_get_certificate_cb certificate_callback_global = NULL;
209 static tls_openssl_failure_cb openssl_failure_callback_global = NULL;
210
211 #ifdef ANDROID
212 #include <openssl/pem.h>
213
214 #include <log/log.h>
215 #include <log/log_event_list.h>
216
217 #define CERT_VALIDATION_FAILURE 210033
218 #define ANDROID_KEYSTORE_PREFIX "keystore://"
219 #define ANDROID_KEYSTORE_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_PREFIX)
220 #define ANDROID_KEYSTORE_ENCODED_PREFIX "keystores://"
221 #define ANDROID_KEYSTORE_ENCODED_PREFIX_LEN os_strlen(ANDROID_KEYSTORE_ENCODED_PREFIX)
222
log_cert_validation_failure(const char * reason)223 static void log_cert_validation_failure(const char *reason)
224 {
225 android_log_context ctx = create_android_logger(CERT_VALIDATION_FAILURE);
226 android_log_write_string8(ctx, reason);
227 android_log_write_list(ctx, LOG_ID_SECURITY);
228 android_log_destroy(&ctx);
229 }
230
231
BIO_from_keystore(const char * alias,struct tls_connection * conn)232 static BIO* BIO_from_keystore(const char *alias, struct tls_connection *conn)
233 {
234 BIO *bio = NULL;
235 uint8_t *value = NULL;
236
237 void *cb_ctx = NULL;
238 if (conn != NULL && conn->context != NULL) {
239 cb_ctx = conn->context->cb_ctx;
240 }
241
242 if (cb_ctx != NULL && certificate_callback_global != NULL) {
243 wpa_printf(MSG_INFO, "Retrieving certificate using callback");
244 int length = (*certificate_callback_global)(cb_ctx, alias, &value);
245 if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL)
246 BIO_write(bio, value, length);
247 free(value);
248 }
249 return bio;
250 }
251
tls_add_ca_from_keystore(X509_STORE * ctx,const char * alias,struct tls_connection * conn)252 static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *alias, struct tls_connection *conn)
253 {
254 BIO *bio = BIO_from_keystore(alias, conn);
255 STACK_OF(X509_INFO) *stack = NULL;
256 stack_index_t i;
257 int ret = 0;
258
259 if (!bio) {
260 wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
261 alias);
262 return -1;
263 }
264
265 // Keystore returns X.509 certificates in PEM encoding
266 stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
267 BIO_free(bio);
268
269 if (!stack) {
270 wpa_printf(MSG_ERROR, "OpenSSL: Failed to parse certificate: %s",
271 alias);
272 return -1;
273 }
274
275 for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
276 X509_INFO *info = sk_X509_INFO_value(stack, i);
277
278 if (info->x509)
279 if (!X509_STORE_add_cert(ctx, info->x509)) {
280 wpa_printf(MSG_ERROR,
281 "OpenSSL: Failed to add Root CA certificate");
282 ret = -1;
283 break;
284 }
285 if (info->crl)
286 X509_STORE_add_crl(ctx, info->crl);
287 }
288
289 sk_X509_INFO_pop_free(stack, X509_INFO_free);
290 return ret;
291 }
292
293
tls_add_ca_from_keystore_encoded(X509_STORE * ctx,const char * encoded_alias,struct tls_connection * conn)294 static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx,
295 const char *encoded_alias,
296 struct tls_connection *conn)
297 {
298 int rc = -1;
299 int len = os_strlen(encoded_alias);
300 unsigned char *decoded_alias;
301
302 if (len & 1) {
303 wpa_printf(MSG_WARNING, "Invalid hex-encoded alias: %s",
304 encoded_alias);
305 return rc;
306 }
307
308 decoded_alias = os_malloc(len / 2 + 1);
309 if (decoded_alias) {
310 if (!hexstr2bin(encoded_alias, decoded_alias, len / 2)) {
311 decoded_alias[len / 2] = '\0';
312 rc = tls_add_ca_from_keystore(
313 ctx, (const char *) decoded_alias, conn);
314 }
315 os_free(decoded_alias);
316 }
317
318 return rc;
319 }
320
321 #endif /* ANDROID */
322
323
tls_context_new(const struct tls_config * conf)324 static struct tls_context * tls_context_new(const struct tls_config *conf)
325 {
326 struct tls_context *context = os_zalloc(sizeof(*context));
327 if (context == NULL)
328 return NULL;
329 dl_list_init(&context->sessions);
330 if (conf) {
331 context->event_cb = conf->event_cb;
332 context->cb_ctx = conf->cb_ctx;
333 context->cert_in_cb = conf->cert_in_cb;
334 }
335 return context;
336 }
337
338
339 #ifdef CONFIG_NO_STDOUT_DEBUG
340
_tls_show_errors(void)341 static void _tls_show_errors(void)
342 {
343 unsigned long err;
344
345 while ((err = ERR_get_error())) {
346 /* Just ignore the errors, since stdout is disabled */
347 }
348 }
349 #define tls_show_errors(l, f, t) _tls_show_errors()
350
351 #else /* CONFIG_NO_STDOUT_DEBUG */
352
tls_show_errors(int level,const char * func,const char * txt)353 static void tls_show_errors(int level, const char *func, const char *txt)
354 {
355 unsigned long err;
356
357 wpa_printf(level, "OpenSSL: %s - %s %s",
358 func, txt, ERR_error_string(ERR_get_error(), NULL));
359
360 while ((err = ERR_get_error())) {
361 wpa_printf(MSG_INFO, "OpenSSL: pending error: %s",
362 ERR_error_string(err, NULL));
363 }
364 }
365
366 #endif /* CONFIG_NO_STDOUT_DEBUG */
367
368
tls_crl_cert_reload(const char * ca_cert,int check_crl)369 static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
370 {
371 int flags;
372 X509_STORE *store;
373
374 store = X509_STORE_new();
375 if (!store) {
376 wpa_printf(MSG_DEBUG,
377 "OpenSSL: %s - failed to allocate new certificate store",
378 __func__);
379 return NULL;
380 }
381
382 if (ca_cert && X509_STORE_load_locations(store, ca_cert, NULL) != 1) {
383 tls_show_errors(MSG_WARNING, __func__,
384 "Failed to load root certificates");
385 X509_STORE_free(store);
386 return NULL;
387 }
388
389 flags = check_crl ? X509_V_FLAG_CRL_CHECK : 0;
390 if (check_crl == 2)
391 flags |= X509_V_FLAG_CRL_CHECK_ALL;
392
393 X509_STORE_set_flags(store, flags);
394
395 return store;
396 }
397
398
399 #ifndef ANDROID
400 #ifdef OPENSSL_NO_ENGINE
401
402 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
403 static OSSL_PROVIDER *openssl_pkcs11_provider = NULL;
404 #endif /* OpenSSL version >= 3.0 */
405
openssl_load_pkcs11_provider(void)406 static void openssl_load_pkcs11_provider(void)
407 {
408 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
409 if (openssl_pkcs11_provider)
410 return;
411
412 openssl_pkcs11_provider = OSSL_PROVIDER_try_load(NULL, "pkcs11", 1);
413 if (!openssl_pkcs11_provider)
414 wpa_printf(MSG_WARNING, "PKCS11 provider not present");
415 #endif /* OpenSSL version >= 3.0 */
416 }
417
418
openssl_unload_pkcs11_provider(void)419 static void openssl_unload_pkcs11_provider(void)
420 {
421 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
422 if (openssl_pkcs11_provider) {
423 OSSL_PROVIDER_unload(openssl_pkcs11_provider);
424 openssl_pkcs11_provider = NULL;
425 }
426 #endif /* OpenSSL version >= 3.0 */
427 }
428
429
openssl_can_use_provider(const char * engine_id,const char * req)430 static bool openssl_can_use_provider(const char *engine_id, const char *req)
431 {
432 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
433 if (!os_strcmp(engine_id, "pkcs11") && openssl_pkcs11_provider)
434 return true;
435
436 wpa_printf(MSG_ERROR,
437 "Cannot find OpenSSL provider for '%s' (missing '%s')",
438 req, engine_id);
439 #endif /* OpenSSL version >= 3.0 */
440 return false;
441 }
442
443
provider_load_key(const char * uri)444 static EVP_PKEY * provider_load_key(const char *uri)
445 {
446 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
447 OSSL_STORE_CTX *store;
448 OSSL_STORE_INFO *info;
449 EVP_PKEY *key = NULL;
450
451 if (!uri) {
452 tls_show_errors(MSG_ERROR, __func__,
453 "Invalid NULL uri for key");
454 goto err_key;
455 }
456
457 store = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL);
458 if (!store) {
459 wpa_printf(MSG_DEBUG, "Bad uri for private key:%s", uri);
460
461 tls_show_errors(MSG_ERROR, __func__,
462 "Failed to open key store");
463 goto err_key;
464 }
465
466 if (os_strncmp(uri, "pkcs11:", 7) &&
467 os_strstr(uri, "type=private") == NULL) {
468 /* This is a workaround for OpenSSL < 3.2.0 where the code fails
469 * to correctly source public keys unless explicitly requested
470 * via an expect hint. */
471 if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PUBKEY) != 1) {
472 tls_show_errors(MSG_ERROR, __func__,
473 "Failed to expect Public Key File");
474 goto err_store;
475 }
476 }
477
478 while (!OSSL_STORE_eof(store)) {
479 info = OSSL_STORE_load(store);
480 if ((OSSL_STORE_INFO_get_type(info)) == OSSL_STORE_INFO_PKEY)
481 key = OSSL_STORE_INFO_get1_PKEY(info);
482
483 OSSL_STORE_INFO_free(info);
484 if (key)
485 break;
486 }
487
488 err_store:
489 OSSL_STORE_close(store);
490 err_key:
491 if (!key)
492 wpa_printf(MSG_ERROR, "OpenSSL: Failed to load key from URI");
493
494 return key;
495 #else /* OpenSSL version >= 3.0 */
496 return NULL;
497 #endif /* OpenSSL version >= 3.0 */
498 }
499
500
provider_load_cert(const char * cert_id)501 static X509 * provider_load_cert(const char *cert_id)
502 {
503 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
504 OSSL_STORE_CTX *store;
505 OSSL_STORE_INFO *info;
506 X509 *cert = NULL;
507
508 if (!cert_id) {
509 tls_show_errors(MSG_ERROR, __func__, "Invalid NULL uri");
510 goto err_cert;
511 }
512
513 store = OSSL_STORE_open(cert_id, NULL, NULL, NULL, NULL);
514 if (!store) {
515 tls_show_errors(MSG_ERROR, __func__, "Failed to open store");
516 goto err_cert;
517 }
518
519 while (!OSSL_STORE_eof(store)) {
520 info = OSSL_STORE_load(store);
521 if ((OSSL_STORE_INFO_get_type(info)) == OSSL_STORE_INFO_CERT)
522 cert = OSSL_STORE_INFO_get1_CERT(info);
523
524 OSSL_STORE_INFO_free(info);
525 if (cert)
526 break;
527 }
528 OSSL_STORE_close(store);
529
530 err_cert:
531 if (!cert)
532 tls_show_errors(MSG_ERROR, __func__,
533 "Failed to load cert from URI");
534 return cert;
535 #else /* OpenSSL version >= 3.0 */
536 return NULL;
537 #endif /* OpenSSL version >= 3.0 */
538 }
539
540 #endif /* OPENSSL_NO_ENGINE */
541 #endif /* !ANDROID */
542
543
544 #ifdef CONFIG_NATIVE_WINDOWS
545
546 /* Windows CryptoAPI and access to certificate stores */
547 #include <wincrypt.h>
548
549 #ifdef __MINGW32_VERSION
550 /*
551 * MinGW does not yet include all the needed definitions for CryptoAPI, so
552 * define here whatever extra is needed.
553 */
554 #define CERT_SYSTEM_STORE_CURRENT_USER (1 << 16)
555 #define CERT_STORE_READONLY_FLAG 0x00008000
556 #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
557
558 #endif /* __MINGW32_VERSION */
559
560
561 struct cryptoapi_rsa_data {
562 const CERT_CONTEXT *cert;
563 HCRYPTPROV crypt_prov;
564 DWORD key_spec;
565 BOOL free_crypt_prov;
566 };
567
568
cryptoapi_error(const char * msg)569 static void cryptoapi_error(const char *msg)
570 {
571 wpa_printf(MSG_INFO, "CryptoAPI: %s; err=%u",
572 msg, (unsigned int) GetLastError());
573 }
574
575
cryptoapi_rsa_pub_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)576 static int cryptoapi_rsa_pub_enc(int flen, const unsigned char *from,
577 unsigned char *to, RSA *rsa, int padding)
578 {
579 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
580 return 0;
581 }
582
583
cryptoapi_rsa_pub_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)584 static int cryptoapi_rsa_pub_dec(int flen, const unsigned char *from,
585 unsigned char *to, RSA *rsa, int padding)
586 {
587 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
588 return 0;
589 }
590
591
cryptoapi_rsa_priv_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)592 static int cryptoapi_rsa_priv_enc(int flen, const unsigned char *from,
593 unsigned char *to, RSA *rsa, int padding)
594 {
595 struct cryptoapi_rsa_data *priv =
596 (struct cryptoapi_rsa_data *) rsa->meth->app_data;
597 HCRYPTHASH hash;
598 DWORD hash_size, len, i;
599 unsigned char *buf = NULL;
600 int ret = 0;
601
602 if (priv == NULL) {
603 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
604 ERR_R_PASSED_NULL_PARAMETER);
605 return 0;
606 }
607
608 if (padding != RSA_PKCS1_PADDING) {
609 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
610 RSA_R_UNKNOWN_PADDING_TYPE);
611 return 0;
612 }
613
614 if (flen != 16 /* MD5 */ + 20 /* SHA-1 */) {
615 wpa_printf(MSG_INFO, "%s - only MD5-SHA1 hash supported",
616 __func__);
617 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
618 RSA_R_INVALID_MESSAGE_LENGTH);
619 return 0;
620 }
621
622 if (!CryptCreateHash(priv->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash))
623 {
624 cryptoapi_error("CryptCreateHash failed");
625 return 0;
626 }
627
628 len = sizeof(hash_size);
629 if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len,
630 0)) {
631 cryptoapi_error("CryptGetHashParam failed");
632 goto err;
633 }
634
635 if ((int) hash_size != flen) {
636 wpa_printf(MSG_INFO, "CryptoAPI: Invalid hash size (%u != %d)",
637 (unsigned) hash_size, flen);
638 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
639 RSA_R_INVALID_MESSAGE_LENGTH);
640 goto err;
641 }
642 if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0)) {
643 cryptoapi_error("CryptSetHashParam failed");
644 goto err;
645 }
646
647 len = RSA_size(rsa);
648 buf = os_malloc(len);
649 if (buf == NULL) {
650 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
651 goto err;
652 }
653
654 if (!CryptSignHash(hash, priv->key_spec, NULL, 0, buf, &len)) {
655 cryptoapi_error("CryptSignHash failed");
656 goto err;
657 }
658
659 for (i = 0; i < len; i++)
660 to[i] = buf[len - i - 1];
661 ret = len;
662
663 err:
664 os_free(buf);
665 CryptDestroyHash(hash);
666
667 return ret;
668 }
669
670
cryptoapi_rsa_priv_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)671 static int cryptoapi_rsa_priv_dec(int flen, const unsigned char *from,
672 unsigned char *to, RSA *rsa, int padding)
673 {
674 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
675 return 0;
676 }
677
678
cryptoapi_free_data(struct cryptoapi_rsa_data * priv)679 static void cryptoapi_free_data(struct cryptoapi_rsa_data *priv)
680 {
681 if (priv == NULL)
682 return;
683 if (priv->crypt_prov && priv->free_crypt_prov)
684 CryptReleaseContext(priv->crypt_prov, 0);
685 if (priv->cert)
686 CertFreeCertificateContext(priv->cert);
687 os_free(priv);
688 }
689
690
cryptoapi_finish(RSA * rsa)691 static int cryptoapi_finish(RSA *rsa)
692 {
693 cryptoapi_free_data((struct cryptoapi_rsa_data *) rsa->meth->app_data);
694 os_free((void *) rsa->meth);
695 rsa->meth = NULL;
696 return 1;
697 }
698
699
cryptoapi_find_cert(const char * name,DWORD store)700 static const CERT_CONTEXT * cryptoapi_find_cert(const char *name, DWORD store)
701 {
702 HCERTSTORE cs;
703 const CERT_CONTEXT *ret = NULL;
704
705 cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0,
706 store | CERT_STORE_OPEN_EXISTING_FLAG |
707 CERT_STORE_READONLY_FLAG, L"MY");
708 if (cs == NULL) {
709 cryptoapi_error("Failed to open 'My system store'");
710 return NULL;
711 }
712
713 if (strncmp(name, "cert://", 7) == 0) {
714 unsigned short wbuf[255];
715 MultiByteToWideChar(CP_ACP, 0, name + 7, -1, wbuf, 255);
716 ret = CertFindCertificateInStore(cs, X509_ASN_ENCODING |
717 PKCS_7_ASN_ENCODING,
718 0, CERT_FIND_SUBJECT_STR,
719 wbuf, NULL);
720 } else if (strncmp(name, "hash://", 7) == 0) {
721 CRYPT_HASH_BLOB blob;
722 int len;
723 const char *hash = name + 7;
724 unsigned char *buf;
725
726 len = os_strlen(hash) / 2;
727 buf = os_malloc(len);
728 if (buf && hexstr2bin(hash, buf, len) == 0) {
729 blob.cbData = len;
730 blob.pbData = buf;
731 ret = CertFindCertificateInStore(cs,
732 X509_ASN_ENCODING |
733 PKCS_7_ASN_ENCODING,
734 0, CERT_FIND_HASH,
735 &blob, NULL);
736 }
737 os_free(buf);
738 }
739
740 CertCloseStore(cs, 0);
741
742 return ret;
743 }
744
745
tls_cryptoapi_cert(SSL * ssl,const char * name)746 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
747 {
748 X509 *cert = NULL;
749 RSA *rsa = NULL, *pub_rsa;
750 struct cryptoapi_rsa_data *priv;
751 RSA_METHOD *rsa_meth;
752
753 if (name == NULL ||
754 (strncmp(name, "cert://", 7) != 0 &&
755 strncmp(name, "hash://", 7) != 0))
756 return -1;
757
758 priv = os_zalloc(sizeof(*priv));
759 rsa_meth = os_zalloc(sizeof(*rsa_meth));
760 if (priv == NULL || rsa_meth == NULL) {
761 wpa_printf(MSG_WARNING, "CryptoAPI: Failed to allocate memory "
762 "for CryptoAPI RSA method");
763 os_free(priv);
764 os_free(rsa_meth);
765 return -1;
766 }
767
768 priv->cert = cryptoapi_find_cert(name, CERT_SYSTEM_STORE_CURRENT_USER);
769 if (priv->cert == NULL) {
770 priv->cert = cryptoapi_find_cert(
771 name, CERT_SYSTEM_STORE_LOCAL_MACHINE);
772 }
773 if (priv->cert == NULL) {
774 wpa_printf(MSG_INFO, "CryptoAPI: Could not find certificate "
775 "'%s'", name);
776 goto err;
777 }
778
779 cert = d2i_X509(NULL,
780 (const unsigned char **) &priv->cert->pbCertEncoded,
781 priv->cert->cbCertEncoded);
782 if (cert == NULL) {
783 wpa_printf(MSG_INFO, "CryptoAPI: Could not process X509 DER "
784 "encoding");
785 goto err;
786 }
787
788 if (!CryptAcquireCertificatePrivateKey(priv->cert,
789 CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
790 NULL, &priv->crypt_prov,
791 &priv->key_spec,
792 &priv->free_crypt_prov)) {
793 cryptoapi_error("Failed to acquire a private key for the "
794 "certificate");
795 goto err;
796 }
797
798 rsa_meth->name = "Microsoft CryptoAPI RSA Method";
799 rsa_meth->rsa_pub_enc = cryptoapi_rsa_pub_enc;
800 rsa_meth->rsa_pub_dec = cryptoapi_rsa_pub_dec;
801 rsa_meth->rsa_priv_enc = cryptoapi_rsa_priv_enc;
802 rsa_meth->rsa_priv_dec = cryptoapi_rsa_priv_dec;
803 rsa_meth->finish = cryptoapi_finish;
804 rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
805 rsa_meth->app_data = (char *) priv;
806
807 rsa = RSA_new();
808 if (rsa == NULL) {
809 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,
810 ERR_R_MALLOC_FAILURE);
811 goto err;
812 }
813
814 if (!SSL_use_certificate(ssl, cert)) {
815 RSA_free(rsa);
816 rsa = NULL;
817 goto err;
818 }
819 pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
820 X509_free(cert);
821 cert = NULL;
822
823 rsa->n = BN_dup(pub_rsa->n);
824 rsa->e = BN_dup(pub_rsa->e);
825 if (!RSA_set_method(rsa, rsa_meth))
826 goto err;
827
828 if (!SSL_use_RSAPrivateKey(ssl, rsa))
829 goto err;
830 RSA_free(rsa);
831
832 return 0;
833
834 err:
835 if (cert)
836 X509_free(cert);
837 if (rsa)
838 RSA_free(rsa);
839 else {
840 os_free(rsa_meth);
841 cryptoapi_free_data(priv);
842 }
843 return -1;
844 }
845
846
tls_cryptoapi_ca_cert(SSL_CTX * ssl_ctx,SSL * ssl,const char * name)847 static int tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name)
848 {
849 HCERTSTORE cs;
850 PCCERT_CONTEXT ctx = NULL;
851 X509 *cert;
852 char buf[128];
853 const char *store;
854 #ifdef UNICODE
855 WCHAR *wstore;
856 #endif /* UNICODE */
857
858 if (name == NULL || strncmp(name, "cert_store://", 13) != 0)
859 return -1;
860
861 store = name + 13;
862 #ifdef UNICODE
863 wstore = os_malloc((os_strlen(store) + 1) * sizeof(WCHAR));
864 if (wstore == NULL)
865 return -1;
866 wsprintf(wstore, L"%S", store);
867 cs = CertOpenSystemStore(0, wstore);
868 os_free(wstore);
869 #else /* UNICODE */
870 cs = CertOpenSystemStore(0, store);
871 #endif /* UNICODE */
872 if (cs == NULL) {
873 wpa_printf(MSG_DEBUG, "%s: failed to open system cert store "
874 "'%s': error=%d", __func__, store,
875 (int) GetLastError());
876 return -1;
877 }
878
879 while ((ctx = CertEnumCertificatesInStore(cs, ctx))) {
880 cert = d2i_X509(NULL,
881 (const unsigned char **) &ctx->pbCertEncoded,
882 ctx->cbCertEncoded);
883 if (cert == NULL) {
884 wpa_printf(MSG_INFO, "CryptoAPI: Could not process "
885 "X509 DER encoding for CA cert");
886 continue;
887 }
888
889 X509_NAME_oneline(X509_get_subject_name(cert), buf,
890 sizeof(buf));
891 wpa_printf(MSG_DEBUG, "OpenSSL: Loaded CA certificate for "
892 "system certificate store: subject='%s'", buf);
893
894 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
895 cert)) {
896 tls_show_errors(MSG_WARNING, __func__,
897 "Failed to add ca_cert to OpenSSL "
898 "certificate store");
899 }
900
901 X509_free(cert);
902 }
903
904 if (!CertCloseStore(cs, 0)) {
905 wpa_printf(MSG_DEBUG, "%s: failed to close system cert store "
906 "'%s': error=%d", __func__, name + 13,
907 (int) GetLastError());
908 }
909
910 return 0;
911 }
912
913
914 #else /* CONFIG_NATIVE_WINDOWS */
915
tls_cryptoapi_cert(SSL * ssl,const char * name)916 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
917 {
918 return -1;
919 }
920
921 #endif /* CONFIG_NATIVE_WINDOWS */
922
923
ssl_info_cb(const SSL * ssl,int where,int ret)924 static void ssl_info_cb(const SSL *ssl, int where, int ret)
925 {
926 const char *str;
927 int w;
928
929 wpa_printf(MSG_DEBUG, "SSL: (where=0x%x ret=0x%x)", where, ret);
930 w = where & ~SSL_ST_MASK;
931 if (w & SSL_ST_CONNECT)
932 str = "SSL_connect";
933 else if (w & SSL_ST_ACCEPT)
934 str = "SSL_accept";
935 else
936 str = "undefined";
937
938 if (where & SSL_CB_LOOP) {
939 wpa_printf(MSG_DEBUG, "SSL: %s:%s",
940 str, SSL_state_string_long(ssl));
941 } else if (where & SSL_CB_ALERT) {
942 struct tls_connection *conn = SSL_get_app_data((SSL *) ssl);
943 wpa_printf(MSG_INFO, "SSL: SSL3 alert: %s:%s:%s",
944 where & SSL_CB_READ ?
945 "read (remote end reported an error)" :
946 "write (local SSL3 detected an error)",
947 SSL_alert_type_string_long(ret),
948 SSL_alert_desc_string_long(ret));
949 if ((ret >> 8) == SSL3_AL_FATAL) {
950 if (where & SSL_CB_READ)
951 conn->read_alerts++;
952 else
953 conn->write_alerts++;
954 }
955 if (conn->context->event_cb != NULL) {
956 union tls_event_data ev;
957 struct tls_context *context = conn->context;
958 os_memset(&ev, 0, sizeof(ev));
959 ev.alert.is_local = !(where & SSL_CB_READ);
960 ev.alert.type = SSL_alert_type_string_long(ret);
961 ev.alert.description = SSL_alert_desc_string_long(ret);
962 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
963 }
964 } else if (where & SSL_CB_EXIT && ret <= 0) {
965 wpa_printf(MSG_DEBUG, "SSL: %s:%s in %s",
966 str, ret == 0 ? "failed" : "error",
967 SSL_state_string_long(ssl));
968 }
969 }
970
971
972 #ifndef OPENSSL_NO_ENGINE
973 /**
974 * tls_engine_load_dynamic_generic - load any openssl engine
975 * @pre: an array of commands and values that load an engine initialized
976 * in the engine specific function
977 * @post: an array of commands and values that initialize an already loaded
978 * engine (or %NULL if not required)
979 * @id: the engine id of the engine to load (only required if post is not %NULL
980 *
981 * This function is a generic function that loads any openssl engine.
982 *
983 * Returns: 0 on success, -1 on failure
984 */
tls_engine_load_dynamic_generic(const char * pre[],const char * post[],const char * id)985 static int tls_engine_load_dynamic_generic(const char *pre[],
986 const char *post[], const char *id)
987 {
988 ENGINE *engine;
989 const char *dynamic_id = "dynamic";
990
991 engine = ENGINE_by_id(id);
992 if (engine) {
993 wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
994 "available", id);
995 /*
996 * If it was auto-loaded by ENGINE_by_id() we might still
997 * need to tell it which PKCS#11 module to use in legacy
998 * (non-p11-kit) environments. Do so now; even if it was
999 * properly initialised before, setting it again will be
1000 * harmless.
1001 */
1002 goto found;
1003 }
1004 ERR_clear_error();
1005
1006 engine = ENGINE_by_id(dynamic_id);
1007 if (engine == NULL) {
1008 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
1009 dynamic_id,
1010 ERR_error_string(ERR_get_error(), NULL));
1011 return -1;
1012 }
1013
1014 /* Perform the pre commands. This will load the engine. */
1015 while (pre && pre[0]) {
1016 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", pre[0], pre[1]);
1017 if (ENGINE_ctrl_cmd_string(engine, pre[0], pre[1], 0) == 0) {
1018 wpa_printf(MSG_INFO, "ENGINE: ctrl cmd_string failed: "
1019 "%s %s [%s]", pre[0], pre[1],
1020 ERR_error_string(ERR_get_error(), NULL));
1021 ENGINE_free(engine);
1022 return -1;
1023 }
1024 pre += 2;
1025 }
1026
1027 /*
1028 * Free the reference to the "dynamic" engine. The loaded engine can
1029 * now be looked up using ENGINE_by_id().
1030 */
1031 ENGINE_free(engine);
1032
1033 engine = ENGINE_by_id(id);
1034 if (engine == NULL) {
1035 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
1036 id, ERR_error_string(ERR_get_error(), NULL));
1037 return -1;
1038 }
1039 found:
1040 while (post && post[0]) {
1041 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]);
1042 if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) {
1043 wpa_printf(MSG_DEBUG, "ENGINE: ctrl cmd_string failed:"
1044 " %s %s [%s]", post[0], post[1],
1045 ERR_error_string(ERR_get_error(), NULL));
1046 ENGINE_remove(engine);
1047 ENGINE_free(engine);
1048 return -1;
1049 }
1050 post += 2;
1051 }
1052 ENGINE_free(engine);
1053
1054 return 0;
1055 }
1056
1057
1058 /**
1059 * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
1060 * @pkcs11_so_path: pksc11_so_path from the configuration
1061 * @pcks11_module_path: pkcs11_module_path from the configuration
1062 */
tls_engine_load_dynamic_pkcs11(const char * pkcs11_so_path,const char * pkcs11_module_path)1063 static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
1064 const char *pkcs11_module_path)
1065 {
1066 char *engine_id = "pkcs11";
1067 const char *pre_cmd[] = {
1068 "SO_PATH", NULL /* pkcs11_so_path */,
1069 "ID", NULL /* engine_id */,
1070 "LIST_ADD", "1",
1071 /* "NO_VCHECK", "1", */
1072 "LOAD", NULL,
1073 NULL, NULL
1074 };
1075 const char *post_cmd[] = {
1076 "MODULE_PATH", NULL /* pkcs11_module_path */,
1077 NULL, NULL
1078 };
1079
1080 if (!pkcs11_so_path)
1081 return 0;
1082
1083 pre_cmd[1] = pkcs11_so_path;
1084 pre_cmd[3] = engine_id;
1085 if (pkcs11_module_path)
1086 post_cmd[1] = pkcs11_module_path;
1087 else
1088 post_cmd[0] = NULL;
1089
1090 wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
1091 pkcs11_so_path);
1092
1093 return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id);
1094 }
1095
1096
1097 /**
1098 * tls_engine_load_dynamic_opensc - load the opensc engine provided by opensc
1099 * @opensc_so_path: opensc_so_path from the configuration
1100 */
tls_engine_load_dynamic_opensc(const char * opensc_so_path)1101 static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
1102 {
1103 char *engine_id = "opensc";
1104 const char *pre_cmd[] = {
1105 "SO_PATH", NULL /* opensc_so_path */,
1106 "ID", NULL /* engine_id */,
1107 "LIST_ADD", "1",
1108 "LOAD", NULL,
1109 NULL, NULL
1110 };
1111
1112 if (!opensc_so_path)
1113 return 0;
1114
1115 pre_cmd[1] = opensc_so_path;
1116 pre_cmd[3] = engine_id;
1117
1118 wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s",
1119 opensc_so_path);
1120
1121 return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id);
1122 }
1123 #endif /* OPENSSL_NO_ENGINE */
1124
1125
get_session_data(struct tls_context * context,const struct wpabuf * buf)1126 static struct tls_session_data * get_session_data(struct tls_context *context,
1127 const struct wpabuf *buf)
1128 {
1129 struct tls_session_data *data;
1130
1131 dl_list_for_each(data, &context->sessions, struct tls_session_data,
1132 list) {
1133 if (data->buf == buf)
1134 return data;
1135 }
1136
1137 return NULL;
1138 }
1139
1140
remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)1141 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
1142 {
1143 struct wpabuf *buf;
1144 struct tls_context *context;
1145 struct tls_session_data *found;
1146
1147 wpa_printf(MSG_DEBUG,
1148 "OpenSSL: Remove session %p (tls_ex_idx_session=%d)", sess,
1149 tls_ex_idx_session);
1150
1151 if (tls_ex_idx_session < 0)
1152 return;
1153 buf = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
1154 if (!buf)
1155 return;
1156
1157 context = SSL_CTX_get_app_data(ctx);
1158 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, NULL);
1159 found = get_session_data(context, buf);
1160 if (!found) {
1161 wpa_printf(MSG_DEBUG,
1162 "OpenSSL: Do not free application session data %p (sess %p)",
1163 buf, sess);
1164 return;
1165 }
1166
1167 dl_list_del(&found->list);
1168 os_free(found);
1169 wpa_printf(MSG_DEBUG,
1170 "OpenSSL: Free application session data %p (sess %p)",
1171 buf, sess);
1172 wpabuf_free(buf);
1173 }
1174
1175
tls_init(const struct tls_config * conf)1176 void * tls_init(const struct tls_config *conf)
1177 {
1178 struct tls_data *data;
1179 SSL_CTX *ssl;
1180 struct tls_context *context;
1181 const char *ciphers;
1182 #ifndef OPENSSL_NO_ENGINE
1183 #ifdef CONFIG_OPENSC_ENGINE_PATH
1184 char const * const opensc_engine_path = CONFIG_OPENSC_ENGINE_PATH;
1185 #else /* CONFIG_OPENSC_ENGINE_PATH */
1186 char const * const opensc_engine_path =
1187 conf ? conf->opensc_engine_path : NULL;
1188 #endif /* CONFIG_OPENSC_ENGINE_PATH */
1189 #ifdef CONFIG_PKCS11_ENGINE_PATH
1190 char const * const pkcs11_engine_path = CONFIG_PKCS11_ENGINE_PATH;
1191 #else /* CONFIG_PKCS11_ENGINE_PATH */
1192 char const * const pkcs11_engine_path =
1193 conf ? conf->pkcs11_engine_path : NULL;
1194 #endif /* CONFIG_PKCS11_ENGINE_PATH */
1195 #ifdef CONFIG_PKCS11_MODULE_PATH
1196 char const * const pkcs11_module_path = CONFIG_PKCS11_MODULE_PATH;
1197 #else /* CONFIG_PKCS11_MODULE_PATH */
1198 char const * const pkcs11_module_path =
1199 conf ? conf->pkcs11_module_path : NULL;
1200 #endif /* CONFIG_PKCS11_MODULE_PATH */
1201 #endif /* OPENSSL_NO_ENGINE */
1202
1203 if (tls_openssl_ref_count == 0) {
1204 void openssl_load_legacy_provider(void);
1205
1206 openssl_load_legacy_provider();
1207 #if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
1208 openssl_load_pkcs11_provider();
1209 #endif /* !ANDROID && OPENSSL_NO_ENGINE */
1210
1211 tls_global = context = tls_context_new(conf);
1212 if (context == NULL)
1213 return NULL;
1214 #ifdef CONFIG_FIPS
1215 #ifdef OPENSSL_FIPS
1216 if (conf && conf->fips_mode) {
1217 static int fips_enabled = 0;
1218
1219 if (!fips_enabled && !FIPS_mode_set(1)) {
1220 wpa_printf(MSG_ERROR, "Failed to enable FIPS "
1221 "mode");
1222 ERR_load_crypto_strings();
1223 ERR_print_errors_fp(stderr);
1224 os_free(tls_global);
1225 tls_global = NULL;
1226 return NULL;
1227 } else {
1228 wpa_printf(MSG_INFO, "Running in FIPS mode");
1229 fips_enabled = 1;
1230 }
1231 }
1232 #else /* OPENSSL_FIPS */
1233 if (conf && conf->fips_mode) {
1234 wpa_printf(MSG_ERROR, "FIPS mode requested, but not "
1235 "supported");
1236 os_free(tls_global);
1237 tls_global = NULL;
1238 return NULL;
1239 }
1240 #endif /* OPENSSL_FIPS */
1241 #endif /* CONFIG_FIPS */
1242 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1243 SSL_load_error_strings();
1244 SSL_library_init();
1245 #ifndef OPENSSL_NO_SHA256
1246 EVP_add_digest(EVP_sha256());
1247 #endif /* OPENSSL_NO_SHA256 */
1248 /* TODO: if /dev/urandom is available, PRNG is seeded
1249 * automatically. If this is not the case, random data should
1250 * be added here. */
1251
1252 #ifdef PKCS12_FUNCS
1253 #ifndef OPENSSL_NO_RC2
1254 /*
1255 * 40-bit RC2 is commonly used in PKCS#12 files, so enable it.
1256 * This is enabled by PKCS12_PBE_add() in OpenSSL 0.9.8
1257 * versions, but it looks like OpenSSL 1.0.0 does not do that
1258 * anymore.
1259 */
1260 EVP_add_cipher(EVP_rc2_40_cbc());
1261 #endif /* OPENSSL_NO_RC2 */
1262 PKCS12_PBE_add();
1263 #endif /* PKCS12_FUNCS */
1264 #endif /* < 1.1.0 */
1265 } else {
1266 context = tls_context_new(conf);
1267 if (context == NULL)
1268 return NULL;
1269 }
1270 tls_openssl_ref_count++;
1271
1272 data = os_zalloc(sizeof(*data));
1273 if (data)
1274 ssl = SSL_CTX_new(SSLv23_method());
1275 else
1276 ssl = NULL;
1277 if (ssl == NULL) {
1278 tls_show_errors(MSG_INFO, "SSL_CTX_new", "init");
1279 tls_openssl_ref_count--;
1280 if (context != tls_global)
1281 os_free(context);
1282 if (tls_openssl_ref_count == 0) {
1283 os_free(tls_global);
1284 tls_global = NULL;
1285 }
1286 os_free(data);
1287 return NULL;
1288 }
1289 data->ssl = ssl;
1290 if (conf) {
1291 data->tls_session_lifetime = conf->tls_session_lifetime;
1292 data->crl_reload_interval = conf->crl_reload_interval;
1293 }
1294
1295 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
1296 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
1297
1298 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1299
1300 #ifdef SSL_MODE_NO_AUTO_CHAIN
1301 /* Number of deployed use cases assume the default OpenSSL behavior of
1302 * auto chaining the local certificate is in use. BoringSSL removed this
1303 * functionality by default, so we need to restore it here to avoid
1304 * breaking existing use cases. */
1305 SSL_CTX_clear_mode(ssl, SSL_MODE_NO_AUTO_CHAIN);
1306 #endif /* SSL_MODE_NO_AUTO_CHAIN */
1307
1308 SSL_CTX_set_info_callback(ssl, ssl_info_cb);
1309 SSL_CTX_set_app_data(ssl, context);
1310 if (data->tls_session_lifetime > 0) {
1311 SSL_CTX_set_quiet_shutdown(ssl, 1);
1312 /*
1313 * Set default context here. In practice, this will be replaced
1314 * by the per-EAP method context in tls_connection_set_verify().
1315 */
1316 SSL_CTX_set_session_id_context(ssl, (u8 *) "hostapd", 7);
1317 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_SERVER);
1318 SSL_CTX_set_timeout(ssl, data->tls_session_lifetime);
1319 SSL_CTX_sess_set_remove_cb(ssl, remove_session_cb);
1320 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && \
1321 !defined(LIBRESSL_VERSION_NUMBER) && \
1322 !defined(OPENSSL_IS_BORINGSSL)
1323 /* One session ticket is sufficient for EAP-TLS */
1324 SSL_CTX_set_num_tickets(ssl, 1);
1325 #endif
1326 } else {
1327 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_OFF);
1328 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && \
1329 !defined(LIBRESSL_VERSION_NUMBER) && \
1330 !defined(OPENSSL_IS_BORINGSSL)
1331 SSL_CTX_set_num_tickets(ssl, 0);
1332 #endif
1333 }
1334
1335 if (tls_ex_idx_session < 0) {
1336 tls_ex_idx_session = SSL_SESSION_get_ex_new_index(
1337 0, NULL, NULL, NULL, NULL);
1338 if (tls_ex_idx_session < 0) {
1339 tls_deinit(data);
1340 return NULL;
1341 }
1342 }
1343
1344 #ifndef OPENSSL_NO_ENGINE
1345 wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines");
1346 ENGINE_load_builtin_engines();
1347
1348 if (opensc_engine_path || pkcs11_engine_path || pkcs11_module_path) {
1349 if (tls_engine_load_dynamic_opensc(opensc_engine_path) ||
1350 tls_engine_load_dynamic_pkcs11(pkcs11_engine_path,
1351 pkcs11_module_path)) {
1352 tls_deinit(data);
1353 return NULL;
1354 }
1355 }
1356 #endif /* OPENSSL_NO_ENGINE */
1357
1358 if (conf && conf->openssl_ciphers)
1359 ciphers = conf->openssl_ciphers;
1360 else
1361 ciphers = TLS_DEFAULT_CIPHERS;
1362 if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
1363 wpa_printf(MSG_ERROR,
1364 "OpenSSL: Failed to set cipher string '%s'",
1365 ciphers);
1366 tls_deinit(data);
1367 return NULL;
1368 }
1369
1370 return data;
1371 }
1372
1373
tls_deinit(void * ssl_ctx)1374 void tls_deinit(void *ssl_ctx)
1375 {
1376 struct tls_data *data = ssl_ctx;
1377 SSL_CTX *ssl = data->ssl;
1378 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1379 struct tls_session_data *sess_data;
1380
1381 if (data->tls_session_lifetime > 0) {
1382 wpa_printf(MSG_DEBUG, "OpenSSL: Flush sessions");
1383 SSL_CTX_flush_sessions(ssl, 0);
1384 wpa_printf(MSG_DEBUG, "OpenSSL: Flush sessions - done");
1385 }
1386 while ((sess_data = dl_list_first(&context->sessions,
1387 struct tls_session_data, list))) {
1388 wpa_printf(MSG_DEBUG,
1389 "OpenSSL: Freeing not-flushed session data %p",
1390 sess_data->buf);
1391 wpabuf_free(sess_data->buf);
1392 dl_list_del(&sess_data->list);
1393 os_free(sess_data);
1394 }
1395 if (context != tls_global)
1396 os_free(context);
1397 os_free(data->ca_cert);
1398 SSL_CTX_free(ssl);
1399
1400 tls_openssl_ref_count--;
1401 if (tls_openssl_ref_count == 0) {
1402 #if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
1403 openssl_unload_pkcs11_provider();
1404 #endif /* !ANDROID && OPENSSL_NO_ENGINE */
1405 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1406 #ifndef OPENSSL_NO_ENGINE
1407 ENGINE_cleanup();
1408 #endif /* OPENSSL_NO_ENGINE */
1409 CRYPTO_cleanup_all_ex_data();
1410 ERR_remove_thread_state(NULL);
1411 ERR_free_strings();
1412 EVP_cleanup();
1413 #endif /* < 1.1.0 */
1414 os_free(tls_global->ocsp_stapling_response);
1415 tls_global->ocsp_stapling_response = NULL;
1416 os_free(tls_global);
1417 tls_global = NULL;
1418 }
1419
1420 os_free(data->check_cert_subject);
1421 os_free(data->openssl_ciphers);
1422 os_free(data);
1423 }
1424
1425
1426 #ifndef OPENSSL_NO_ENGINE
1427
1428 /* Cryptoki return values */
1429 #define CKR_PIN_INCORRECT 0x000000a0
1430 #define CKR_PIN_INVALID 0x000000a1
1431 #define CKR_PIN_LEN_RANGE 0x000000a2
1432
1433 /* libp11 */
1434 #define ERR_LIB_PKCS11 ERR_LIB_USER
1435
tls_is_pin_error(unsigned int err)1436 static int tls_is_pin_error(unsigned int err)
1437 {
1438 return ERR_GET_LIB(err) == ERR_LIB_PKCS11 &&
1439 (ERR_GET_REASON(err) == CKR_PIN_INCORRECT ||
1440 ERR_GET_REASON(err) == CKR_PIN_INVALID ||
1441 ERR_GET_REASON(err) == CKR_PIN_LEN_RANGE);
1442 }
1443
1444 #endif /* OPENSSL_NO_ENGINE */
1445
1446
1447 // Imported from system/security/keystore-engine. This method
1448 // is not used by the mainline supplicant.
1449 #if defined(ANDROID) && !defined(MAINLINE_SUPPLICANT)
1450 EVP_PKEY * EVP_PKEY_from_keystore(const char *key_id);
1451 #endif /* ANDROID */
1452
tls_engine_init(struct tls_connection * conn,const char * engine_id,const char * pin,const char * key_id,const char * cert_id,const char * ca_cert_id)1453 static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
1454 const char *pin, const char *key_id,
1455 const char *cert_id, const char *ca_cert_id)
1456 {
1457 #if defined(ANDROID) && !defined(MAINLINE_SUPPLICANT) && defined(OPENSSL_IS_BORINGSSL)
1458 #if !defined(OPENSSL_NO_ENGINE)
1459 #error "This code depends on OPENSSL_NO_ENGINE being defined by BoringSSL."
1460 #endif
1461 if (!key_id)
1462 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1463 conn->engine = NULL;
1464 conn->private_key = EVP_PKEY_from_keystore(key_id);
1465
1466 if (!conn->private_key) {
1467 wpa_printf(MSG_ERROR,
1468 "ENGINE: cannot load private key with id '%s' [%s]",
1469 key_id,
1470 ERR_error_string(ERR_get_error(), NULL));
1471 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1472 }
1473 #endif /* ANDROID && OPENSSL_IS_BORINGSSL */
1474
1475 #ifndef OPENSSL_NO_ENGINE
1476 int ret = -1;
1477 if (engine_id == NULL) {
1478 wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
1479 return -1;
1480 }
1481
1482 ERR_clear_error();
1483 #ifdef ANDROID
1484 ENGINE_load_dynamic();
1485 #endif
1486 conn->engine = ENGINE_by_id(engine_id);
1487 if (!conn->engine) {
1488 wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
1489 engine_id, ERR_error_string(ERR_get_error(), NULL));
1490 goto err;
1491 }
1492 if (ENGINE_init(conn->engine) != 1) {
1493 wpa_printf(MSG_ERROR, "ENGINE: engine init failed "
1494 "(engine: %s) [%s]", engine_id,
1495 ERR_error_string(ERR_get_error(), NULL));
1496 goto err;
1497 }
1498 wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
1499
1500 #ifndef ANDROID
1501 if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
1502 wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
1503 ERR_error_string(ERR_get_error(), NULL));
1504 goto err;
1505 }
1506 #endif
1507 if (key_id) {
1508 /*
1509 * Ensure that the ENGINE does not attempt to use the OpenSSL
1510 * UI system to obtain a PIN, if we didn't provide one.
1511 */
1512 struct {
1513 const void *password;
1514 const char *prompt_info;
1515 } key_cb = { "", NULL };
1516
1517 /* load private key first in-case PIN is required for cert */
1518 conn->private_key = ENGINE_load_private_key(conn->engine,
1519 key_id, NULL,
1520 &key_cb);
1521 if (!conn->private_key) {
1522 unsigned long err = ERR_get_error();
1523
1524 wpa_printf(MSG_ERROR,
1525 "ENGINE: cannot load private key with id '%s' [%s]",
1526 key_id,
1527 ERR_error_string(err, NULL));
1528 if (tls_is_pin_error(err))
1529 ret = TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
1530 else
1531 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1532 goto err;
1533 }
1534 }
1535
1536 /* handle a certificate and/or CA certificate */
1537 if (cert_id || ca_cert_id) {
1538 const char *cmd_name = "LOAD_CERT_CTRL";
1539
1540 /* test if the engine supports a LOAD_CERT_CTRL */
1541 if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
1542 0, (void *)cmd_name, NULL)) {
1543 wpa_printf(MSG_ERROR, "ENGINE: engine does not support"
1544 " loading certificates");
1545 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1546 goto err;
1547 }
1548 }
1549
1550 return 0;
1551
1552 err:
1553 if (conn->engine) {
1554 ENGINE_free(conn->engine);
1555 conn->engine = NULL;
1556 }
1557
1558 if (conn->private_key) {
1559 EVP_PKEY_free(conn->private_key);
1560 conn->private_key = NULL;
1561 }
1562
1563 return ret;
1564 #else /* OPENSSL_NO_ENGINE */
1565 #ifndef ANDROID
1566 conn->private_key = provider_load_key(key_id);
1567 if (!conn->private_key)
1568 return -1;
1569 #endif /* !ANDROID */
1570 return 0;
1571 #endif /* OPENSSL_NO_ENGINE */
1572 }
1573
1574
tls_engine_deinit(struct tls_connection * conn)1575 static void tls_engine_deinit(struct tls_connection *conn)
1576 {
1577 if (conn->private_key) {
1578 EVP_PKEY_free(conn->private_key);
1579 conn->private_key = NULL;
1580 }
1581 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
1582 wpa_printf(MSG_DEBUG, "ENGINE: engine deinit");
1583 if (conn->engine) {
1584 #if !defined(OPENSSL_IS_BORINGSSL)
1585 ENGINE_finish(conn->engine);
1586 #endif /* !OPENSSL_IS_BORINGSSL */
1587 conn->engine = NULL;
1588 }
1589 #endif /* ANDROID || !OPENSSL_NO_ENGINE */
1590 }
1591
1592
tls_get_errors(void * ssl_ctx)1593 int tls_get_errors(void *ssl_ctx)
1594 {
1595 int count = 0;
1596 unsigned long err;
1597
1598 while ((err = ERR_get_error())) {
1599 wpa_printf(MSG_INFO, "TLS - SSL error: %s",
1600 ERR_error_string(err, NULL));
1601 count++;
1602 }
1603
1604 return count;
1605 }
1606
1607
openssl_content_type(int content_type)1608 static const char * openssl_content_type(int content_type)
1609 {
1610 switch (content_type) {
1611 case 20:
1612 return "change cipher spec";
1613 case 21:
1614 return "alert";
1615 case 22:
1616 return "handshake";
1617 case 23:
1618 return "application data";
1619 case 24:
1620 return "heartbeat";
1621 case 256:
1622 return "TLS header info"; /* pseudo content type */
1623 case 257:
1624 return "inner content type"; /* pseudo content type */
1625 default:
1626 return "?";
1627 }
1628 }
1629
1630
openssl_handshake_type(int content_type,const u8 * buf,size_t len)1631 static const char * openssl_handshake_type(int content_type, const u8 *buf,
1632 size_t len)
1633 {
1634 if (content_type == 257 && buf && len == 1)
1635 return openssl_content_type(buf[0]);
1636 if (content_type != 22 || !buf || len == 0)
1637 return "";
1638 switch (buf[0]) {
1639 case 0:
1640 return "hello request";
1641 case 1:
1642 return "client hello";
1643 case 2:
1644 return "server hello";
1645 case 3:
1646 return "hello verify request";
1647 case 4:
1648 return "new session ticket";
1649 case 5:
1650 return "end of early data";
1651 case 6:
1652 return "hello retry request";
1653 case 8:
1654 return "encrypted extensions";
1655 case 11:
1656 return "certificate";
1657 case 12:
1658 return "server key exchange";
1659 case 13:
1660 return "certificate request";
1661 case 14:
1662 return "server hello done";
1663 case 15:
1664 return "certificate verify";
1665 case 16:
1666 return "client key exchange";
1667 case 20:
1668 return "finished";
1669 case 21:
1670 return "certificate url";
1671 case 22:
1672 return "certificate status";
1673 case 23:
1674 return "supplemental data";
1675 case 24:
1676 return "key update";
1677 case 254:
1678 return "message hash";
1679 default:
1680 return "?";
1681 }
1682 }
1683
1684
1685 #ifdef CONFIG_SUITEB
1686
check_server_hello(struct tls_connection * conn,const u8 * pos,const u8 * end)1687 static void check_server_hello(struct tls_connection *conn,
1688 const u8 *pos, const u8 *end)
1689 {
1690 size_t payload_len, id_len;
1691
1692 /*
1693 * Parse ServerHello to get the selected cipher suite since OpenSSL does
1694 * not make it cleanly available during handshake and we need to know
1695 * whether DHE was selected.
1696 */
1697
1698 if (end - pos < 3)
1699 return;
1700 payload_len = WPA_GET_BE24(pos);
1701 pos += 3;
1702
1703 if ((size_t) (end - pos) < payload_len)
1704 return;
1705 end = pos + payload_len;
1706
1707 /* Skip Version and Random */
1708 if (end - pos < 2 + SSL3_RANDOM_SIZE)
1709 return;
1710 pos += 2 + SSL3_RANDOM_SIZE;
1711
1712 /* Skip Session ID */
1713 if (end - pos < 1)
1714 return;
1715 id_len = *pos++;
1716 if ((size_t) (end - pos) < id_len)
1717 return;
1718 pos += id_len;
1719
1720 if (end - pos < 2)
1721 return;
1722 conn->cipher_suite = WPA_GET_BE16(pos);
1723 wpa_printf(MSG_DEBUG, "OpenSSL: Server selected cipher suite 0x%x",
1724 conn->cipher_suite);
1725 }
1726
1727
check_server_key_exchange(SSL * ssl,struct tls_connection * conn,const u8 * pos,const u8 * end)1728 static void check_server_key_exchange(SSL *ssl, struct tls_connection *conn,
1729 const u8 *pos, const u8 *end)
1730 {
1731 size_t payload_len;
1732 u16 dh_len;
1733 BIGNUM *p;
1734 int bits;
1735
1736 if (!(conn->flags & TLS_CONN_SUITEB))
1737 return;
1738
1739 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
1740 if (conn->cipher_suite != 0x9f)
1741 return;
1742
1743 if (end - pos < 3)
1744 return;
1745 payload_len = WPA_GET_BE24(pos);
1746 pos += 3;
1747
1748 if ((size_t) (end - pos) < payload_len)
1749 return;
1750 end = pos + payload_len;
1751
1752 if (end - pos < 2)
1753 return;
1754 dh_len = WPA_GET_BE16(pos);
1755 pos += 2;
1756
1757 if ((size_t) (end - pos) < dh_len)
1758 return;
1759 p = BN_bin2bn(pos, dh_len, NULL);
1760 if (!p)
1761 return;
1762
1763 bits = BN_num_bits(p);
1764 BN_free(p);
1765
1766 conn->server_dh_prime_len = bits;
1767 wpa_printf(MSG_DEBUG, "OpenSSL: Server DH prime length: %d bits",
1768 conn->server_dh_prime_len);
1769 }
1770
1771 #endif /* CONFIG_SUITEB */
1772
1773
tls_msg_cb(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg)1774 static void tls_msg_cb(int write_p, int version, int content_type,
1775 const void *buf, size_t len, SSL *ssl, void *arg)
1776 {
1777 struct tls_connection *conn = arg;
1778 const u8 *pos = buf;
1779
1780 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1781 if ((SSL_version(ssl) == TLS1_VERSION ||
1782 SSL_version(ssl) == TLS1_1_VERSION) &&
1783 SSL_get_security_level(ssl) > 0) {
1784 wpa_printf(MSG_DEBUG,
1785 "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
1786 SSL_set_security_level(ssl, 0);
1787 }
1788 #endif /* OpenSSL version >= 3.0 */
1789 if (write_p == 2) {
1790 wpa_printf(MSG_DEBUG,
1791 "OpenSSL: session ver=0x%x content_type=%d",
1792 version, content_type);
1793 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Data", buf, len);
1794 return;
1795 }
1796
1797 wpa_printf(MSG_DEBUG, "OpenSSL: %s ver=0x%x content_type=%d (%s/%s)",
1798 write_p ? "TX" : "RX", version, content_type,
1799 openssl_content_type(content_type),
1800 openssl_handshake_type(content_type, buf, len));
1801 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Message", buf, len);
1802 if (content_type == 24 && len >= 3 && pos[0] == 1) {
1803 size_t payload_len = WPA_GET_BE16(pos + 1);
1804 if (payload_len + 3 > len) {
1805 wpa_printf(MSG_ERROR, "OpenSSL: Heartbeat attack detected");
1806 conn->invalid_hb_used = 1;
1807 }
1808 }
1809
1810 #ifdef CONFIG_SUITEB
1811 /*
1812 * Need to parse these handshake messages to be able to check DH prime
1813 * length since OpenSSL does not expose the new cipher suite and DH
1814 * parameters during handshake (e.g., for cert_cb() callback).
1815 */
1816 if (content_type == 22 && pos && len > 0 && pos[0] == 2)
1817 check_server_hello(conn, pos + 1, pos + len);
1818 if (content_type == 22 && pos && len > 0 && pos[0] == 12)
1819 check_server_key_exchange(ssl, conn, pos + 1, pos + len);
1820 #endif /* CONFIG_SUITEB */
1821 }
1822
1823
1824 #ifdef CONFIG_TESTING_OPTIONS
1825 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
1826 /*
1827 * By setting the environment variable SSLKEYLOGFILE to a filename keying
1828 * material will be exported that you may use with Wireshark to decode any
1829 * TLS flows. Please see the following for more details:
1830 *
1831 * https://gitlab.com/wireshark/wireshark/-/wikis/TLS#tls-decryption
1832 *
1833 * Example logging sessions are (you should delete the file on each run):
1834 *
1835 * rm -f /tmp/sslkey.log
1836 * env SSLKEYLOGFILE=/tmp/sslkey.log hostapd ...
1837 *
1838 * rm -f /tmp/sslkey.log
1839 * env SSLKEYLOGFILE=/tmp/sslkey.log wpa_supplicant ...
1840 *
1841 * rm -f /tmp/sslkey.log
1842 * env SSLKEYLOGFILE=/tmp/sslkey.log eapol_test ...
1843 */
tls_keylog_cb(const SSL * ssl,const char * line)1844 static void tls_keylog_cb(const SSL *ssl, const char *line)
1845 {
1846 int fd;
1847 const char *filename;
1848 struct iovec iov[2];
1849
1850 filename = getenv("SSLKEYLOGFILE");
1851 if (!filename)
1852 return;
1853
1854 fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
1855 if (fd < 0) {
1856 wpa_printf(MSG_ERROR,
1857 "OpenSSL: Failed to open keylog file %s: %s",
1858 filename, strerror(errno));
1859 return;
1860 }
1861
1862 /* Assume less than _POSIX_PIPE_BUF (512) where writes are guaranteed
1863 * to be atomic for O_APPEND. */
1864 iov[0].iov_base = (void *) line;
1865 iov[0].iov_len = os_strlen(line);
1866 iov[1].iov_base = "\n";
1867 iov[1].iov_len = 1;
1868
1869 if (writev(fd, iov, ARRAY_SIZE(iov)) < 01) {
1870 wpa_printf(MSG_DEBUG,
1871 "OpenSSL: Failed to write to keylog file %s: %s",
1872 filename, strerror(errno));
1873 }
1874
1875 close(fd);
1876 }
1877 #endif
1878 #endif /* CONFIG_TESTING_OPTIONS */
1879
1880
tls_connection_init(void * ssl_ctx)1881 struct tls_connection * tls_connection_init(void *ssl_ctx)
1882 {
1883 struct tls_data *data = ssl_ctx;
1884 SSL_CTX *ssl = data->ssl;
1885 struct tls_connection *conn;
1886 long options;
1887 X509_STORE *new_cert_store;
1888 struct os_reltime now;
1889 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1890
1891 /* Replace X509 store if it is time to update CRL. */
1892 if (data->crl_reload_interval > 0 && os_get_reltime(&now) == 0 &&
1893 os_reltime_expired(&now, &data->crl_last_reload,
1894 data->crl_reload_interval)) {
1895 wpa_printf(MSG_INFO,
1896 "OpenSSL: Flushing X509 store with ca_cert file");
1897 new_cert_store = tls_crl_cert_reload(data->ca_cert,
1898 data->check_crl);
1899 if (!new_cert_store) {
1900 wpa_printf(MSG_ERROR,
1901 "OpenSSL: Error replacing X509 store with ca_cert file");
1902 } else {
1903 /* Replace old store */
1904 SSL_CTX_set_cert_store(ssl, new_cert_store);
1905 data->crl_last_reload = now;
1906 }
1907 }
1908
1909 conn = os_zalloc(sizeof(*conn));
1910 if (conn == NULL)
1911 return NULL;
1912 conn->data = data;
1913 conn->ssl_ctx = ssl;
1914 conn->ssl = SSL_new(ssl);
1915 if (conn->ssl == NULL) {
1916 tls_show_errors(MSG_INFO, __func__,
1917 "Failed to initialize new SSL connection");
1918 os_free(conn);
1919 return NULL;
1920 }
1921
1922 conn->context = context;
1923 SSL_set_app_data(conn->ssl, conn);
1924 SSL_set_msg_callback(conn->ssl, tls_msg_cb);
1925 SSL_set_msg_callback_arg(conn->ssl, conn);
1926 options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
1927 SSL_OP_SINGLE_DH_USE;
1928 #ifdef SSL_OP_NO_COMPRESSION
1929 options |= SSL_OP_NO_COMPRESSION;
1930 #endif /* SSL_OP_NO_COMPRESSION */
1931 SSL_set_options(conn->ssl, options);
1932 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
1933 /* Hopefully there is no need for middlebox compatibility mechanisms
1934 * when going through EAP authentication. */
1935 SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
1936 #endif
1937
1938 #ifdef CONFIG_TESTING_OPTIONS
1939 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
1940 /* Set the keylog file if the admin requested it. */
1941 if (getenv("SSLKEYLOGFILE"))
1942 SSL_CTX_set_keylog_callback(conn->ssl_ctx, tls_keylog_cb);
1943 #endif
1944 #endif /* CONFIG_TESTING_OPTIONS */
1945
1946 conn->ssl_in = BIO_new(BIO_s_mem());
1947 if (!conn->ssl_in) {
1948 tls_show_errors(MSG_INFO, __func__,
1949 "Failed to create a new BIO for ssl_in");
1950 SSL_free(conn->ssl);
1951 os_free(conn);
1952 return NULL;
1953 }
1954
1955 conn->ssl_out = BIO_new(BIO_s_mem());
1956 if (!conn->ssl_out) {
1957 tls_show_errors(MSG_INFO, __func__,
1958 "Failed to create a new BIO for ssl_out");
1959 SSL_free(conn->ssl);
1960 BIO_free(conn->ssl_in);
1961 os_free(conn);
1962 return NULL;
1963 }
1964
1965 SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out);
1966
1967 return conn;
1968 }
1969
1970
tls_connection_deinit(void * ssl_ctx,struct tls_connection * conn)1971 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
1972 {
1973 if (conn == NULL)
1974 return;
1975 if (conn->success_data) {
1976 /*
1977 * Make sure ssl_clear_bad_session() does not remove this
1978 * session.
1979 */
1980 SSL_set_quiet_shutdown(conn->ssl, 1);
1981 SSL_shutdown(conn->ssl);
1982 }
1983 SSL_free(conn->ssl);
1984 tls_engine_deinit(conn);
1985 os_free(conn->subject_match);
1986 os_free(conn->altsubject_match);
1987 os_free(conn->suffix_match);
1988 os_free(conn->domain_match);
1989 os_free(conn->check_cert_subject);
1990 os_free(conn->session_ticket);
1991 os_free(conn->peer_subject);
1992 os_free(conn);
1993 }
1994
1995
tls_connection_established(void * ssl_ctx,struct tls_connection * conn)1996 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
1997 {
1998 return conn ? SSL_is_init_finished(conn->ssl) : 0;
1999 }
2000
2001
tls_connection_peer_serial_num(void * tls_ctx,struct tls_connection * conn)2002 char * tls_connection_peer_serial_num(void *tls_ctx,
2003 struct tls_connection *conn)
2004 {
2005 ASN1_INTEGER *ser;
2006 char *serial_num;
2007 size_t len;
2008
2009 if (!conn->peer_cert)
2010 return NULL;
2011
2012 ser = X509_get_serialNumber(conn->peer_cert);
2013 if (!ser)
2014 return NULL;
2015
2016 len = ASN1_STRING_length(ser) * 2 + 1;
2017 serial_num = os_malloc(len);
2018 if (!serial_num)
2019 return NULL;
2020 wpa_snprintf_hex_uppercase(serial_num, len,
2021 ASN1_STRING_get0_data(ser),
2022 ASN1_STRING_length(ser));
2023 return serial_num;
2024 }
2025
2026
tls_connection_shutdown(void * ssl_ctx,struct tls_connection * conn)2027 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
2028 {
2029 if (conn == NULL)
2030 return -1;
2031
2032 /* Shutdown previous TLS connection without notifying the peer
2033 * because the connection was already terminated in practice
2034 * and "close notify" shutdown alert would confuse AS. */
2035 SSL_set_quiet_shutdown(conn->ssl, 1);
2036 SSL_shutdown(conn->ssl);
2037 return SSL_clear(conn->ssl) == 1 ? 0 : -1;
2038 }
2039
2040
tls_match_altsubject_component(X509 * cert,int type,const char * value,size_t len)2041 static int tls_match_altsubject_component(X509 *cert, int type,
2042 const char *value, size_t len)
2043 {
2044 GENERAL_NAME *gen;
2045 void *ext;
2046 int found = 0;
2047 stack_index_t i;
2048
2049 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
2050
2051 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
2052 gen = sk_GENERAL_NAME_value(ext, i);
2053 if (gen->type != type)
2054 continue;
2055 if (os_strlen((char *) gen->d.ia5->data) == len &&
2056 os_memcmp(value, gen->d.ia5->data, len) == 0)
2057 found++;
2058 }
2059
2060 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2061
2062 return found;
2063 }
2064
2065
tls_match_altsubject(X509 * cert,const char * match)2066 static int tls_match_altsubject(X509 *cert, const char *match)
2067 {
2068 int type;
2069 const char *pos, *end;
2070 size_t len;
2071
2072 pos = match;
2073 do {
2074 if (os_strncmp(pos, "EMAIL:", 6) == 0) {
2075 type = GEN_EMAIL;
2076 pos += 6;
2077 } else if (os_strncmp(pos, "DNS:", 4) == 0) {
2078 type = GEN_DNS;
2079 pos += 4;
2080 } else if (os_strncmp(pos, "URI:", 4) == 0) {
2081 type = GEN_URI;
2082 pos += 4;
2083 } else {
2084 wpa_printf(MSG_INFO, "TLS: Invalid altSubjectName "
2085 "match '%s'", pos);
2086 return 0;
2087 }
2088 end = os_strchr(pos, ';');
2089 while (end) {
2090 if (os_strncmp(end + 1, "EMAIL:", 6) == 0 ||
2091 os_strncmp(end + 1, "DNS:", 4) == 0 ||
2092 os_strncmp(end + 1, "URI:", 4) == 0)
2093 break;
2094 end = os_strchr(end + 1, ';');
2095 }
2096 if (end)
2097 len = end - pos;
2098 else
2099 len = os_strlen(pos);
2100 if (tls_match_altsubject_component(cert, type, pos, len) > 0)
2101 return 1;
2102 if (!end)
2103 break;
2104 pos = end + 1;
2105 } while (end);
2106
2107 return 0;
2108 }
2109
2110
2111 #ifndef CONFIG_NATIVE_WINDOWS
domain_suffix_match(const u8 * val,size_t len,const char * match,size_t match_len,int full)2112 static int domain_suffix_match(const u8 *val, size_t len, const char *match,
2113 size_t match_len, int full)
2114 {
2115 size_t i;
2116
2117 /* Check for embedded nuls that could mess up suffix matching */
2118 for (i = 0; i < len; i++) {
2119 if (val[i] == '\0') {
2120 wpa_printf(MSG_DEBUG, "TLS: Embedded null in a string - reject");
2121 return 0;
2122 }
2123 }
2124
2125 if (match_len > len || (full && match_len != len))
2126 return 0;
2127
2128 if (os_strncasecmp((const char *) val + len - match_len, match,
2129 match_len) != 0)
2130 return 0; /* no match */
2131
2132 if (match_len == len)
2133 return 1; /* exact match */
2134
2135 if (val[len - match_len - 1] == '.')
2136 return 1; /* full label match completes suffix match */
2137
2138 wpa_printf(MSG_DEBUG, "TLS: Reject due to incomplete label match");
2139 return 0;
2140 }
2141 #endif /* CONFIG_NATIVE_WINDOWS */
2142
2143
2144 struct tls_dn_field_order_cnt {
2145 u8 cn;
2146 u8 c;
2147 u8 l;
2148 u8 st;
2149 u8 o;
2150 u8 ou;
2151 u8 email;
2152 };
2153
2154
get_dn_field_index(const struct tls_dn_field_order_cnt * dn_cnt,int nid)2155 static int get_dn_field_index(const struct tls_dn_field_order_cnt *dn_cnt,
2156 int nid)
2157 {
2158 switch (nid) {
2159 case NID_commonName:
2160 return dn_cnt->cn;
2161 case NID_countryName:
2162 return dn_cnt->c;
2163 case NID_localityName:
2164 return dn_cnt->l;
2165 case NID_stateOrProvinceName:
2166 return dn_cnt->st;
2167 case NID_organizationName:
2168 return dn_cnt->o;
2169 case NID_organizationalUnitName:
2170 return dn_cnt->ou;
2171 case NID_pkcs9_emailAddress:
2172 return dn_cnt->email;
2173 default:
2174 wpa_printf(MSG_ERROR,
2175 "TLS: Unknown NID '%d' in check_cert_subject",
2176 nid);
2177 return -1;
2178 }
2179 }
2180
2181
2182 /**
2183 * match_dn_field - Match configuration DN field against Certificate DN field
2184 * @cert: Certificate
2185 * @nid: NID of DN field
2186 * @field: Field name
2187 * @value DN field value which is passed from configuration
2188 * e.g., if configuration have C=US and this argument will point to US.
2189 * @dn_cnt: DN matching context
2190 * Returns: 1 on success and 0 on failure
2191 */
match_dn_field(const X509 * cert,int nid,const char * field,const char * value,const struct tls_dn_field_order_cnt * dn_cnt)2192 static int match_dn_field(const X509 *cert, int nid, const char *field,
2193 const char *value,
2194 const struct tls_dn_field_order_cnt *dn_cnt)
2195 {
2196 int i, ret = 0, len, config_dn_field_index, match_index = 0;
2197 X509_NAME *name;
2198
2199 len = os_strlen(value);
2200 name = X509_get_subject_name((X509 *) cert);
2201
2202 /* Assign incremented cnt for every field of DN to check DN field in
2203 * right order */
2204 config_dn_field_index = get_dn_field_index(dn_cnt, nid);
2205 if (config_dn_field_index < 0)
2206 return 0;
2207
2208 /* Fetch value based on NID */
2209 for (i = -1; (i = X509_NAME_get_index_by_NID(name, nid, i)) > -1;) {
2210 X509_NAME_ENTRY *e;
2211 ASN1_STRING *cn;
2212
2213 e = X509_NAME_get_entry(name, i);
2214 if (!e)
2215 continue;
2216
2217 cn = X509_NAME_ENTRY_get_data(e);
2218 if (!cn)
2219 continue;
2220
2221 match_index++;
2222
2223 /* check for more than one DN field with same name */
2224 if (match_index != config_dn_field_index)
2225 continue;
2226
2227 /* Check wildcard at the right end side */
2228 /* E.g., if OU=develop* mentioned in configuration, allow 'OU'
2229 * of the subject in the client certificate to start with
2230 * 'develop' */
2231 if (len > 0 && value[len - 1] == '*') {
2232 /* Compare actual certificate DN field value with
2233 * configuration DN field value up to the specified
2234 * length. */
2235 ret = ASN1_STRING_length(cn) >= len - 1 &&
2236 os_memcmp(ASN1_STRING_get0_data(cn), value,
2237 len - 1) == 0;
2238 } else {
2239 /* Compare actual certificate DN field value with
2240 * configuration DN field value */
2241 ret = ASN1_STRING_length(cn) == len &&
2242 os_memcmp(ASN1_STRING_get0_data(cn), value,
2243 len) == 0;
2244 }
2245 if (!ret) {
2246 wpa_printf(MSG_ERROR,
2247 "OpenSSL: Failed to match %s '%s' with certificate DN field value '%s'",
2248 field, value, ASN1_STRING_get0_data(cn));
2249 }
2250 break;
2251 }
2252
2253 return ret;
2254 }
2255
2256
2257 /**
2258 * get_value_from_field - Get value from DN field
2259 * @cert: Certificate
2260 * @field_str: DN field string which is passed from configuration file (e.g.,
2261 * C=US)
2262 * @dn_cnt: DN matching context
2263 * Returns: 1 on success and 0 on failure
2264 */
get_value_from_field(const X509 * cert,char * field_str,struct tls_dn_field_order_cnt * dn_cnt)2265 static int get_value_from_field(const X509 *cert, char *field_str,
2266 struct tls_dn_field_order_cnt *dn_cnt)
2267 {
2268 int nid;
2269 char *context = NULL, *name, *value;
2270
2271 if (os_strcmp(field_str, "*") == 0)
2272 return 1; /* wildcard matches everything */
2273
2274 name = str_token(field_str, "=", &context);
2275 if (!name)
2276 return 0;
2277
2278 /* Compare all configured DN fields and assign nid based on that to
2279 * fetch correct value from certificate subject */
2280 if (os_strcmp(name, "CN") == 0) {
2281 nid = NID_commonName;
2282 dn_cnt->cn++;
2283 } else if(os_strcmp(name, "C") == 0) {
2284 nid = NID_countryName;
2285 dn_cnt->c++;
2286 } else if (os_strcmp(name, "L") == 0) {
2287 nid = NID_localityName;
2288 dn_cnt->l++;
2289 } else if (os_strcmp(name, "ST") == 0) {
2290 nid = NID_stateOrProvinceName;
2291 dn_cnt->st++;
2292 } else if (os_strcmp(name, "O") == 0) {
2293 nid = NID_organizationName;
2294 dn_cnt->o++;
2295 } else if (os_strcmp(name, "OU") == 0) {
2296 nid = NID_organizationalUnitName;
2297 dn_cnt->ou++;
2298 } else if (os_strcmp(name, "emailAddress") == 0) {
2299 nid = NID_pkcs9_emailAddress;
2300 dn_cnt->email++;
2301 } else {
2302 wpa_printf(MSG_ERROR,
2303 "TLS: Unknown field '%s' in check_cert_subject", name);
2304 return 0;
2305 }
2306
2307 value = str_token(field_str, "=", &context);
2308 if (!value) {
2309 wpa_printf(MSG_ERROR,
2310 "TLS: Distinguished Name field '%s' value is not defined in check_cert_subject",
2311 name);
2312 return 0;
2313 }
2314
2315 return match_dn_field(cert, nid, name, value, dn_cnt);
2316 }
2317
2318
2319 /**
2320 * tls_match_dn_field - Match subject DN field with check_cert_subject
2321 * @cert: Certificate
2322 * @match: check_cert_subject string
2323 * Returns: Return 1 on success and 0 on failure
2324 */
tls_match_dn_field(X509 * cert,const char * match)2325 static int tls_match_dn_field(X509 *cert, const char *match)
2326 {
2327 const char *token, *last = NULL;
2328 char field[256];
2329 struct tls_dn_field_order_cnt dn_cnt;
2330
2331 os_memset(&dn_cnt, 0, sizeof(dn_cnt));
2332
2333 /* Maximum length of each DN field is 255 characters */
2334
2335 /* Process each '/' delimited field */
2336 while ((token = cstr_token(match, "/", &last))) {
2337 if (last - token >= (int) sizeof(field)) {
2338 wpa_printf(MSG_ERROR,
2339 "OpenSSL: Too long DN matching field value in '%s'",
2340 match);
2341 return 0;
2342 }
2343 os_memcpy(field, token, last - token);
2344 field[last - token] = '\0';
2345
2346 if (!get_value_from_field(cert, field, &dn_cnt)) {
2347 wpa_printf(MSG_DEBUG, "OpenSSL: No match for DN '%s'",
2348 field);
2349 return 0;
2350 }
2351 }
2352
2353 return 1;
2354 }
2355
2356
2357 #ifndef CONFIG_NATIVE_WINDOWS
tls_match_suffix_helper(X509 * cert,const char * match,size_t match_len,int full)2358 static int tls_match_suffix_helper(X509 *cert, const char *match,
2359 size_t match_len, int full)
2360 {
2361 GENERAL_NAME *gen;
2362 void *ext;
2363 int i;
2364 stack_index_t j;
2365 int dns_name = 0;
2366 X509_NAME *name;
2367
2368 wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s",
2369 full ? "": "suffix ", match);
2370
2371 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
2372
2373 for (j = 0; ext && j < sk_GENERAL_NAME_num(ext); j++) {
2374 gen = sk_GENERAL_NAME_value(ext, j);
2375 if (gen->type != GEN_DNS)
2376 continue;
2377 dns_name++;
2378 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
2379 gen->d.dNSName->data,
2380 gen->d.dNSName->length);
2381 if (domain_suffix_match(gen->d.dNSName->data,
2382 gen->d.dNSName->length,
2383 match, match_len, full) == 1) {
2384 wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
2385 full ? "Match" : "Suffix match");
2386 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2387 return 1;
2388 }
2389 }
2390 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2391
2392 if (dns_name) {
2393 wpa_printf(MSG_DEBUG, "TLS: None of the dNSName(s) matched");
2394 return 0;
2395 }
2396
2397 name = X509_get_subject_name(cert);
2398 i = -1;
2399 for (;;) {
2400 X509_NAME_ENTRY *e;
2401 ASN1_STRING *cn;
2402
2403 i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
2404 if (i == -1)
2405 break;
2406 e = X509_NAME_get_entry(name, i);
2407 if (e == NULL)
2408 continue;
2409 cn = X509_NAME_ENTRY_get_data(e);
2410 if (cn == NULL)
2411 continue;
2412 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
2413 cn->data, cn->length);
2414 if (domain_suffix_match(cn->data, cn->length,
2415 match, match_len, full) == 1) {
2416 wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
2417 full ? "Match" : "Suffix match");
2418 return 1;
2419 }
2420 }
2421
2422 wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found",
2423 full ? "": "suffix ");
2424 return 0;
2425 }
2426 #endif /* CONFIG_NATIVE_WINDOWS */
2427
2428
tls_match_suffix(X509 * cert,const char * match,int full)2429 static int tls_match_suffix(X509 *cert, const char *match, int full)
2430 {
2431 #ifdef CONFIG_NATIVE_WINDOWS
2432 /* wincrypt.h has conflicting X509_NAME definition */
2433 return -1;
2434 #else /* CONFIG_NATIVE_WINDOWS */
2435 const char *token, *last = NULL;
2436
2437 /* Process each match alternative separately until a match is found */
2438 while ((token = cstr_token(match, ";", &last))) {
2439 if (tls_match_suffix_helper(cert, token, last - token, full))
2440 return 1;
2441 }
2442
2443 return 0;
2444 #endif /* CONFIG_NATIVE_WINDOWS */
2445 }
2446
2447
openssl_tls_fail_reason(int err)2448 static enum tls_fail_reason openssl_tls_fail_reason(int err)
2449 {
2450 switch (err) {
2451 case X509_V_ERR_CERT_REVOKED:
2452 return TLS_FAIL_REVOKED;
2453 case X509_V_ERR_CERT_NOT_YET_VALID:
2454 case X509_V_ERR_CRL_NOT_YET_VALID:
2455 return TLS_FAIL_NOT_YET_VALID;
2456 case X509_V_ERR_CERT_HAS_EXPIRED:
2457 case X509_V_ERR_CRL_HAS_EXPIRED:
2458 return TLS_FAIL_EXPIRED;
2459 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
2460 case X509_V_ERR_UNABLE_TO_GET_CRL:
2461 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
2462 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
2463 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
2464 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2465 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
2466 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
2467 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
2468 case X509_V_ERR_INVALID_CA:
2469 return TLS_FAIL_UNTRUSTED;
2470 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
2471 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
2472 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
2473 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
2474 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
2475 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
2476 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
2477 case X509_V_ERR_CERT_UNTRUSTED:
2478 case X509_V_ERR_CERT_REJECTED:
2479 return TLS_FAIL_BAD_CERTIFICATE;
2480 default:
2481 return TLS_FAIL_UNSPECIFIED;
2482 }
2483 }
2484
2485
get_x509_cert(X509 * cert)2486 static struct wpabuf * get_x509_cert(X509 *cert)
2487 {
2488 struct wpabuf *buf;
2489 u8 *tmp;
2490
2491 int cert_len = i2d_X509(cert, NULL);
2492 if (cert_len <= 0)
2493 return NULL;
2494
2495 buf = wpabuf_alloc(cert_len);
2496 if (buf == NULL)
2497 return NULL;
2498
2499 tmp = wpabuf_put(buf, cert_len);
2500 i2d_X509(cert, &tmp);
2501 return buf;
2502 }
2503
2504
openssl_tls_fail_event(struct tls_connection * conn,X509 * err_cert,int err,int depth,const char * subject,const char * err_str,enum tls_fail_reason reason)2505 static void openssl_tls_fail_event(struct tls_connection *conn,
2506 X509 *err_cert, int err, int depth,
2507 const char *subject, const char *err_str,
2508 enum tls_fail_reason reason)
2509 {
2510 union tls_event_data ev;
2511 struct wpabuf *cert = NULL;
2512 struct tls_context *context = conn->context;
2513
2514 #ifdef ANDROID
2515 log_cert_validation_failure(err_str);
2516 #endif
2517
2518 if (context->event_cb == NULL)
2519 return;
2520
2521 cert = get_x509_cert(err_cert);
2522 os_memset(&ev, 0, sizeof(ev));
2523 ev.cert_fail.reason = reason != TLS_FAIL_UNSPECIFIED ?
2524 reason : openssl_tls_fail_reason(err);
2525 ev.cert_fail.depth = depth;
2526 ev.cert_fail.subject = subject;
2527 ev.cert_fail.reason_txt = err_str;
2528 ev.cert_fail.cert = cert;
2529 context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
2530 wpabuf_free(cert);
2531 }
2532
2533
openssl_cert_tod(X509 * cert)2534 static int openssl_cert_tod(X509 *cert)
2535 {
2536 CERTIFICATEPOLICIES *ext;
2537 stack_index_t i;
2538 char buf[100];
2539 int res;
2540 int tod = 0;
2541
2542 ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
2543 if (!ext)
2544 return 0;
2545
2546 for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
2547 POLICYINFO *policy;
2548
2549 policy = sk_POLICYINFO_value(ext, i);
2550 res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
2551 if (res < 0 || (size_t) res >= sizeof(buf))
2552 continue;
2553 wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
2554 if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
2555 tod = 1; /* TOD-STRICT */
2556 else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
2557 tod = 2; /* TOD-TOFU */
2558 }
2559 sk_POLICYINFO_pop_free(ext, POLICYINFO_free);
2560
2561 return tod;
2562 }
2563
2564
openssl_tls_cert_event(struct tls_connection * conn,X509 * err_cert,int depth,const char * subject)2565 static void openssl_tls_cert_event(struct tls_connection *conn,
2566 X509 *err_cert, int depth,
2567 const char *subject)
2568 {
2569 struct wpabuf *cert = NULL;
2570 union tls_event_data ev;
2571 struct tls_context *context = conn->context;
2572 char *altsubject[TLS_MAX_ALT_SUBJECT];
2573 int alt, num_altsubject = 0;
2574 GENERAL_NAME *gen;
2575 void *ext;
2576 stack_index_t i;
2577 ASN1_INTEGER *ser;
2578 char serial_num[128];
2579 #ifdef CONFIG_SHA256
2580 u8 hash[32];
2581 #endif /* CONFIG_SHA256 */
2582
2583 if (context->event_cb == NULL)
2584 return;
2585
2586 os_memset(&ev, 0, sizeof(ev));
2587 if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) ||
2588 context->cert_in_cb) {
2589 cert = get_x509_cert(err_cert);
2590 ev.peer_cert.cert = cert;
2591 }
2592 #ifdef CONFIG_SHA256
2593 if (cert) {
2594 const u8 *addr[1];
2595 size_t len[1];
2596 addr[0] = wpabuf_head(cert);
2597 len[0] = wpabuf_len(cert);
2598 if (sha256_vector(1, addr, len, hash) == 0) {
2599 ev.peer_cert.hash = hash;
2600 ev.peer_cert.hash_len = sizeof(hash);
2601 }
2602 }
2603 #endif /* CONFIG_SHA256 */
2604 ev.peer_cert.depth = depth;
2605 ev.peer_cert.subject = subject;
2606
2607 ser = X509_get_serialNumber(err_cert);
2608 if (ser) {
2609 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
2610 ASN1_STRING_get0_data(ser),
2611 ASN1_STRING_length(ser));
2612 ev.peer_cert.serial_num = serial_num;
2613 }
2614
2615 ext = X509_get_ext_d2i(err_cert, NID_subject_alt_name, NULL, NULL);
2616 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
2617 char *pos;
2618
2619 if (num_altsubject == TLS_MAX_ALT_SUBJECT)
2620 break;
2621 gen = sk_GENERAL_NAME_value(ext, i);
2622 if (gen->type != GEN_EMAIL &&
2623 gen->type != GEN_DNS &&
2624 gen->type != GEN_URI)
2625 continue;
2626
2627 pos = os_malloc(10 + gen->d.ia5->length + 1);
2628 if (pos == NULL)
2629 break;
2630 altsubject[num_altsubject++] = pos;
2631
2632 switch (gen->type) {
2633 case GEN_EMAIL:
2634 os_memcpy(pos, "EMAIL:", 6);
2635 pos += 6;
2636 break;
2637 case GEN_DNS:
2638 os_memcpy(pos, "DNS:", 4);
2639 pos += 4;
2640 break;
2641 case GEN_URI:
2642 os_memcpy(pos, "URI:", 4);
2643 pos += 4;
2644 break;
2645 }
2646
2647 os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length);
2648 pos += gen->d.ia5->length;
2649 *pos = '\0';
2650 }
2651 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2652
2653 for (alt = 0; alt < num_altsubject; alt++)
2654 ev.peer_cert.altsubject[alt] = altsubject[alt];
2655 ev.peer_cert.num_altsubject = num_altsubject;
2656
2657 ev.peer_cert.tod = openssl_cert_tod(err_cert);
2658
2659 context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
2660 wpabuf_free(cert);
2661 for (alt = 0; alt < num_altsubject; alt++)
2662 os_free(altsubject[alt]);
2663 }
2664
2665
debug_print_cert(X509 * cert,const char * title)2666 static void debug_print_cert(X509 *cert, const char *title)
2667 {
2668 #ifndef CONFIG_NO_STDOUT_DEBUG
2669 BIO *out;
2670 size_t rlen;
2671 char *txt;
2672 int res;
2673
2674 if (wpa_debug_level > MSG_DEBUG)
2675 return;
2676
2677 out = BIO_new(BIO_s_mem());
2678 if (!out)
2679 return;
2680
2681 X509_print(out, cert);
2682 rlen = BIO_ctrl_pending(out);
2683 txt = os_malloc(rlen + 1);
2684 if (txt) {
2685 res = BIO_read(out, txt, rlen);
2686 if (res > 0) {
2687 txt[res] = '\0';
2688 wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt);
2689 }
2690 os_free(txt);
2691 }
2692
2693 BIO_free(out);
2694 #endif /* CONFIG_NO_STDOUT_DEBUG */
2695 }
2696
2697
tls_verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)2698 static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
2699 {
2700 char buf[256];
2701 X509 *err_cert;
2702 int err, depth;
2703 SSL *ssl;
2704 struct tls_connection *conn;
2705 struct tls_context *context;
2706 char *match, *altmatch, *suffix_match, *domain_match;
2707 const char *check_cert_subject;
2708 const char *err_str;
2709
2710 err_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
2711 if (!err_cert)
2712 return 0;
2713
2714 err = X509_STORE_CTX_get_error(x509_ctx);
2715 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
2716 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
2717 SSL_get_ex_data_X509_STORE_CTX_idx());
2718 os_snprintf(buf, sizeof(buf), "Peer certificate - depth %d", depth);
2719 debug_print_cert(err_cert, buf);
2720 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
2721
2722 conn = SSL_get_app_data(ssl);
2723 if (conn == NULL)
2724 return 0;
2725
2726 if (depth == 0)
2727 conn->peer_cert = err_cert;
2728 else if (depth == 1)
2729 conn->peer_issuer = err_cert;
2730 else if (depth == 2)
2731 conn->peer_issuer_issuer = err_cert;
2732
2733 context = conn->context;
2734 match = conn->subject_match;
2735 altmatch = conn->altsubject_match;
2736 suffix_match = conn->suffix_match;
2737 domain_match = conn->domain_match;
2738
2739 if (!preverify_ok && !conn->ca_cert_verify)
2740 preverify_ok = 1;
2741 if (!preverify_ok && depth > 0 && conn->server_cert_only)
2742 preverify_ok = 1;
2743 if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
2744 (err == X509_V_ERR_CERT_HAS_EXPIRED ||
2745 err == X509_V_ERR_CERT_NOT_YET_VALID)) {
2746 wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
2747 "time mismatch");
2748 preverify_ok = 1;
2749 }
2750 if (!preverify_ok && !conn->data->check_crl_strict &&
2751 (err == X509_V_ERR_CRL_HAS_EXPIRED ||
2752 err == X509_V_ERR_CRL_NOT_YET_VALID)) {
2753 wpa_printf(MSG_DEBUG,
2754 "OpenSSL: Ignore certificate validity CRL time mismatch");
2755 preverify_ok = 1;
2756 }
2757
2758 err_str = X509_verify_cert_error_string(err);
2759
2760 #ifdef CONFIG_SHA256
2761 /*
2762 * Do not require preverify_ok so we can explicity allow otherwise
2763 * invalid pinned server certificates.
2764 */
2765 if (depth == 0 && conn->server_cert_only) {
2766 struct wpabuf *cert;
2767 cert = get_x509_cert(err_cert);
2768 if (!cert) {
2769 wpa_printf(MSG_DEBUG, "OpenSSL: Could not fetch "
2770 "server certificate data");
2771 preverify_ok = 0;
2772 } else {
2773 u8 hash[32];
2774 const u8 *addr[1];
2775 size_t len[1];
2776
2777 addr[0] = wpabuf_head(cert);
2778 len[0] = wpabuf_len(cert);
2779 if (sha256_vector(1, addr, len, hash) < 0 ||
2780 os_memcmp(conn->srv_cert_hash, hash, 32) != 0) {
2781 err_str = "Server certificate mismatch";
2782 err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
2783 preverify_ok = 0;
2784 } else if (!preverify_ok) {
2785 /*
2786 * Certificate matches pinned certificate, allow
2787 * regardless of other problems.
2788 */
2789 wpa_printf(MSG_DEBUG,
2790 "OpenSSL: Ignore validation issues for a pinned server certificate");
2791 preverify_ok = 1;
2792 }
2793 wpabuf_free(cert);
2794 }
2795 }
2796 #endif /* CONFIG_SHA256 */
2797
2798 if (!preverify_ok) {
2799 /* Send cert events for the peer certificate chain so that
2800 * the upper layers get information about it even if
2801 * validation of a CA certificate fails. */
2802 STACK_OF(X509) *chain;
2803 int num_of_certs;
2804
2805 chain = X509_STORE_CTX_get1_chain(x509_ctx);
2806 num_of_certs = sk_X509_num(chain);
2807 if (chain && num_of_certs > 0) {
2808 char buf2[256];
2809 X509 *cert;
2810 int cur_depth;
2811
2812 for (cur_depth = num_of_certs - 1; cur_depth >= 0; cur_depth--) {
2813 cert = sk_X509_value(chain, cur_depth);
2814 X509_NAME_oneline(X509_get_subject_name(cert),
2815 buf2, sizeof(buf2));
2816
2817 openssl_tls_cert_event(conn, cert, cur_depth, buf2);
2818 }
2819 }
2820 if (chain)
2821 sk_X509_pop_free(chain, X509_free);
2822
2823 char *format_str = "TLS: Certificate verification failed,"
2824 " error %d (%s) depth %d for '%s'";
2825 int msg_len = snprintf(NULL, 0, format_str, err, err_str, depth, buf) + 1;
2826 char *msg = os_malloc(msg_len);
2827 snprintf(msg, msg_len, format_str, err, err_str, depth, buf);
2828
2829 wpa_printf(MSG_WARNING, "%s", msg);
2830 if (conn != NULL && conn->context != NULL
2831 && openssl_failure_callback_global != NULL) {
2832 (*openssl_failure_callback_global)(conn->context->cb_ctx, msg);
2833 }
2834 os_free(msg);
2835
2836 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2837 err_str, TLS_FAIL_UNSPECIFIED);
2838 return preverify_ok;
2839 }
2840
2841 openssl_tls_cert_event(conn, err_cert, depth, buf);
2842
2843 wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb - preverify_ok=%d "
2844 "err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'",
2845 preverify_ok, err, err_str,
2846 conn->ca_cert_verify, depth, buf);
2847 check_cert_subject = conn->check_cert_subject;
2848 if (!check_cert_subject)
2849 check_cert_subject = conn->data->check_cert_subject;
2850 if (check_cert_subject) {
2851 if (depth == 0 &&
2852 !tls_match_dn_field(err_cert, check_cert_subject)) {
2853 preverify_ok = 0;
2854 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2855 "Distinguished Name",
2856 TLS_FAIL_DN_MISMATCH);
2857 }
2858 }
2859 if (depth == 0 && match && os_strstr(buf, match) == NULL) {
2860 wpa_printf(MSG_WARNING, "TLS: Subject '%s' did not "
2861 "match with '%s'", buf, match);
2862 preverify_ok = 0;
2863 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2864 "Subject mismatch",
2865 TLS_FAIL_SUBJECT_MISMATCH);
2866 } else if (depth == 0 && altmatch &&
2867 !tls_match_altsubject(err_cert, altmatch)) {
2868 wpa_printf(MSG_WARNING, "TLS: altSubjectName match "
2869 "'%s' not found", altmatch);
2870 preverify_ok = 0;
2871 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2872 "AltSubject mismatch",
2873 TLS_FAIL_ALTSUBJECT_MISMATCH);
2874 } else if (depth == 0 && suffix_match &&
2875 !tls_match_suffix(err_cert, suffix_match, 0)) {
2876 wpa_printf(MSG_WARNING, "TLS: Domain suffix match '%s' not found",
2877 suffix_match);
2878 preverify_ok = 0;
2879 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2880 "Domain suffix mismatch",
2881 TLS_FAIL_DOMAIN_SUFFIX_MISMATCH);
2882 } else if (depth == 0 && domain_match &&
2883 !tls_match_suffix(err_cert, domain_match, 1)) {
2884 wpa_printf(MSG_WARNING, "TLS: Domain match '%s' not found",
2885 domain_match);
2886 preverify_ok = 0;
2887 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2888 "Domain mismatch",
2889 TLS_FAIL_DOMAIN_MISMATCH);
2890 }
2891
2892 if (conn->cert_probe && preverify_ok && depth == 0) {
2893 wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate "
2894 "on probe-only run");
2895 preverify_ok = 0;
2896 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2897 "Server certificate chain probe",
2898 TLS_FAIL_SERVER_CHAIN_PROBE);
2899 }
2900
2901 #ifdef CONFIG_SUITEB
2902 if (conn->flags & TLS_CONN_SUITEB) {
2903 EVP_PKEY *pk;
2904 int len = -1;
2905
2906 pk = X509_get_pubkey(err_cert);
2907 if (pk) {
2908 len = EVP_PKEY_bits(pk);
2909 EVP_PKEY_free(pk);
2910 }
2911
2912 if (len >= 0) {
2913 wpa_printf(MSG_DEBUG,
2914 "OpenSSL: RSA modulus size: %d bits", len);
2915 if (len < 3072) {
2916 preverify_ok = 0;
2917 openssl_tls_fail_event(
2918 conn, err_cert, err,
2919 depth, buf,
2920 "Insufficient RSA modulus size",
2921 TLS_FAIL_INSUFFICIENT_KEY_LEN);
2922 }
2923 }
2924 }
2925 #endif /* CONFIG_SUITEB */
2926
2927 #ifdef OPENSSL_IS_BORINGSSL
2928 if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) &&
2929 preverify_ok) {
2930 enum ocsp_result res;
2931
2932 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert,
2933 conn->peer_issuer,
2934 conn->peer_issuer_issuer);
2935 if (res == OCSP_REVOKED) {
2936 preverify_ok = 0;
2937 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2938 "certificate revoked",
2939 TLS_FAIL_REVOKED);
2940 if (err == X509_V_OK)
2941 X509_STORE_CTX_set_error(
2942 x509_ctx, X509_V_ERR_CERT_REVOKED);
2943 } else if (res != OCSP_GOOD &&
2944 (conn->flags & TLS_CONN_REQUIRE_OCSP)) {
2945 preverify_ok = 0;
2946 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2947 "bad certificate status response",
2948 TLS_FAIL_UNSPECIFIED);
2949 }
2950 }
2951 #endif /* OPENSSL_IS_BORINGSSL */
2952
2953 if (depth == 0 && preverify_ok && context->event_cb != NULL)
2954 context->event_cb(context->cb_ctx,
2955 TLS_CERT_CHAIN_SUCCESS, NULL);
2956
2957 if (depth == 0 && preverify_ok) {
2958 os_free(conn->peer_subject);
2959 conn->peer_subject = os_strdup(buf);
2960 }
2961
2962 return preverify_ok;
2963 }
2964
2965
2966 #ifndef OPENSSL_NO_STDIO
tls_load_ca_der(struct tls_data * data,const char * ca_cert)2967 static int tls_load_ca_der(struct tls_data *data, const char *ca_cert)
2968 {
2969 SSL_CTX *ssl_ctx = data->ssl;
2970 X509_LOOKUP *lookup;
2971 int ret = 0;
2972
2973 lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx),
2974 X509_LOOKUP_file());
2975 if (lookup == NULL) {
2976 tls_show_errors(MSG_WARNING, __func__,
2977 "Failed add lookup for X509 store");
2978 return -1;
2979 }
2980
2981 if (!X509_LOOKUP_load_file(lookup, ca_cert, X509_FILETYPE_ASN1)) {
2982 unsigned long err = ERR_peek_error();
2983 tls_show_errors(MSG_WARNING, __func__,
2984 "Failed load CA in DER format");
2985 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2986 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2987 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2988 "cert already in hash table error",
2989 __func__);
2990 } else
2991 ret = -1;
2992 }
2993
2994 return ret;
2995 }
2996 #endif /* OPENSSL_NO_STDIO */
2997
2998
tls_connection_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert,const u8 * ca_cert_blob,size_t ca_cert_blob_len,const char * ca_path)2999 static int tls_connection_ca_cert(struct tls_data *data,
3000 struct tls_connection *conn,
3001 const char *ca_cert, const u8 *ca_cert_blob,
3002 size_t ca_cert_blob_len, const char *ca_path)
3003 {
3004 SSL_CTX *ssl_ctx = data->ssl;
3005 X509_STORE *store;
3006
3007 /*
3008 * Remove previously configured trusted CA certificates before adding
3009 * new ones.
3010 */
3011 store = X509_STORE_new();
3012 if (store == NULL) {
3013 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
3014 "certificate store", __func__);
3015 return -1;
3016 }
3017 SSL_CTX_set_cert_store(ssl_ctx, store);
3018
3019 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
3020 conn->ca_cert_verify = 1;
3021
3022 if (ca_cert && os_strncmp(ca_cert, "probe://", 8) == 0) {
3023 wpa_printf(MSG_DEBUG, "OpenSSL: Probe for server certificate "
3024 "chain");
3025 conn->cert_probe = 1;
3026 conn->ca_cert_verify = 0;
3027 return 0;
3028 }
3029
3030 if (ca_cert && os_strncmp(ca_cert, "hash://", 7) == 0) {
3031 #ifdef CONFIG_SHA256
3032 const char *pos = ca_cert + 7;
3033 if (os_strncmp(pos, "server/sha256/", 14) != 0) {
3034 wpa_printf(MSG_DEBUG, "OpenSSL: Unsupported ca_cert "
3035 "hash value '%s'", ca_cert);
3036 return -1;
3037 }
3038 pos += 14;
3039 if (os_strlen(pos) != 32 * 2) {
3040 wpa_printf(MSG_DEBUG, "OpenSSL: Unexpected SHA256 "
3041 "hash length in ca_cert '%s'", ca_cert);
3042 return -1;
3043 }
3044 if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) {
3045 wpa_printf(MSG_DEBUG, "OpenSSL: Invalid SHA256 hash "
3046 "value in ca_cert '%s'", ca_cert);
3047 return -1;
3048 }
3049 conn->server_cert_only = 1;
3050 wpa_printf(MSG_DEBUG, "OpenSSL: Checking only server "
3051 "certificate match");
3052 return 0;
3053 #else /* CONFIG_SHA256 */
3054 wpa_printf(MSG_INFO, "No SHA256 included in the build - "
3055 "cannot validate server certificate hash");
3056 return -1;
3057 #endif /* CONFIG_SHA256 */
3058 }
3059
3060 if (ca_cert_blob) {
3061 X509 *cert = d2i_X509(NULL,
3062 (const unsigned char **) &ca_cert_blob,
3063 ca_cert_blob_len);
3064 if (cert == NULL) {
3065 BIO *bio = BIO_new_mem_buf(ca_cert_blob,
3066 ca_cert_blob_len);
3067
3068 if (bio) {
3069 cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3070 BIO_free(bio);
3071 }
3072
3073 if (!cert) {
3074 tls_show_errors(MSG_WARNING, __func__,
3075 "Failed to parse ca_cert_blob");
3076 return -1;
3077 }
3078
3079 while (ERR_get_error()) {
3080 /* Ignore errors from DER conversion. */
3081 }
3082 }
3083
3084 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
3085 cert)) {
3086 unsigned long err = ERR_peek_error();
3087 tls_show_errors(MSG_WARNING, __func__,
3088 "Failed to add ca_cert_blob to "
3089 "certificate store");
3090 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
3091 ERR_GET_REASON(err) ==
3092 X509_R_CERT_ALREADY_IN_HASH_TABLE) {
3093 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
3094 "cert already in hash table error",
3095 __func__);
3096 } else {
3097 X509_free(cert);
3098 return -1;
3099 }
3100 }
3101 X509_free(cert);
3102 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob "
3103 "to certificate store", __func__);
3104 return 0;
3105 }
3106
3107 #ifdef ANDROID
3108 /* Single alias */
3109 if (ca_cert && os_strncmp(ANDROID_KEYSTORE_PREFIX, ca_cert,
3110 ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
3111 if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx),
3112 &ca_cert[ANDROID_KEYSTORE_PREFIX_LEN], conn) < 0)
3113 return -1;
3114 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
3115 return 0;
3116 }
3117
3118 /* Multiple aliases separated by space */
3119 if (ca_cert && os_strncmp(ANDROID_KEYSTORE_ENCODED_PREFIX, ca_cert,
3120 ANDROID_KEYSTORE_ENCODED_PREFIX_LEN) == 0) {
3121 char *aliases = os_strdup(
3122 &ca_cert[ANDROID_KEYSTORE_ENCODED_PREFIX_LEN]);
3123 const char *delim = " ";
3124 int rc = 0;
3125 char *savedptr;
3126 char *alias;
3127
3128 if (!aliases)
3129 return -1;
3130 alias = strtok_r(aliases, delim, &savedptr);
3131 for (; alias; alias = strtok_r(NULL, delim, &savedptr)) {
3132 if (tls_add_ca_from_keystore_encoded(
3133 SSL_CTX_get_cert_store(ssl_ctx), alias, conn)) {
3134 wpa_printf(MSG_ERROR,
3135 "OpenSSL: Failed to add ca_cert %s from keystore",
3136 alias);
3137 rc = -1;
3138 break;
3139 }
3140 }
3141 os_free(aliases);
3142 if (rc)
3143 return rc;
3144
3145 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
3146 return 0;
3147 }
3148 #endif /* ANDROID */
3149
3150 #ifdef CONFIG_NATIVE_WINDOWS
3151 if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) ==
3152 0) {
3153 wpa_printf(MSG_DEBUG, "OpenSSL: Added CA certificates from "
3154 "system certificate store");
3155 return 0;
3156 }
3157 #endif /* CONFIG_NATIVE_WINDOWS */
3158
3159 if (ca_cert || ca_path) {
3160 #ifndef OPENSSL_NO_STDIO
3161 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, ca_path) !=
3162 1) {
3163 tls_show_errors(MSG_WARNING, __func__,
3164 "Failed to load root certificates");
3165 if (ca_cert &&
3166 tls_load_ca_der(data, ca_cert) == 0) {
3167 wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded "
3168 "DER format CA certificate",
3169 __func__);
3170 } else
3171 return -1;
3172 } else {
3173 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
3174 "certificate(s) loaded");
3175 tls_get_errors(data);
3176 }
3177 #else /* OPENSSL_NO_STDIO */
3178 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO",
3179 __func__);
3180 return -1;
3181 #endif /* OPENSSL_NO_STDIO */
3182 } else {
3183 /* No ca_cert configured - do not try to verify server
3184 * certificate */
3185 conn->ca_cert_verify = 0;
3186 }
3187
3188 return 0;
3189 }
3190
3191
tls_global_ca_cert(struct tls_data * data,const char * ca_cert)3192 static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert)
3193 {
3194 SSL_CTX *ssl_ctx = data->ssl;
3195
3196 if (ca_cert) {
3197 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1)
3198 {
3199 tls_show_errors(MSG_WARNING, __func__,
3200 "Failed to load root certificates");
3201 return -1;
3202 }
3203
3204 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
3205 "certificate(s) loaded");
3206
3207 #ifndef OPENSSL_NO_STDIO
3208 /* Add the same CAs to the client certificate requests */
3209 SSL_CTX_set_client_CA_list(ssl_ctx,
3210 SSL_load_client_CA_file(ca_cert));
3211 #endif /* OPENSSL_NO_STDIO */
3212
3213 os_free(data->ca_cert);
3214 data->ca_cert = os_strdup(ca_cert);
3215 }
3216
3217 return 0;
3218 }
3219
3220
tls_global_set_verify(void * ssl_ctx,int check_crl,int strict)3221 int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
3222 {
3223 int flags;
3224
3225 if (check_crl) {
3226 struct tls_data *data = ssl_ctx;
3227 X509_STORE *cs = SSL_CTX_get_cert_store(data->ssl);
3228 if (cs == NULL) {
3229 tls_show_errors(MSG_INFO, __func__, "Failed to get "
3230 "certificate store when enabling "
3231 "check_crl");
3232 return -1;
3233 }
3234 flags = X509_V_FLAG_CRL_CHECK;
3235 if (check_crl == 2)
3236 flags |= X509_V_FLAG_CRL_CHECK_ALL;
3237 X509_STORE_set_flags(cs, flags);
3238
3239 data->check_crl = check_crl;
3240 data->check_crl_strict = strict;
3241 os_get_reltime(&data->crl_last_reload);
3242 }
3243 return 0;
3244 }
3245
3246
tls_connection_set_subject_match(struct tls_connection * conn,const char * subject_match,const char * altsubject_match,const char * suffix_match,const char * domain_match,const char * check_cert_subject)3247 static int tls_connection_set_subject_match(struct tls_connection *conn,
3248 const char *subject_match,
3249 const char *altsubject_match,
3250 const char *suffix_match,
3251 const char *domain_match,
3252 const char *check_cert_subject)
3253 {
3254 os_free(conn->subject_match);
3255 conn->subject_match = NULL;
3256 if (subject_match) {
3257 conn->subject_match = os_strdup(subject_match);
3258 if (conn->subject_match == NULL)
3259 return -1;
3260 }
3261
3262 os_free(conn->altsubject_match);
3263 conn->altsubject_match = NULL;
3264 if (altsubject_match) {
3265 conn->altsubject_match = os_strdup(altsubject_match);
3266 if (conn->altsubject_match == NULL)
3267 return -1;
3268 }
3269
3270 os_free(conn->suffix_match);
3271 conn->suffix_match = NULL;
3272 if (suffix_match) {
3273 conn->suffix_match = os_strdup(suffix_match);
3274 if (conn->suffix_match == NULL)
3275 return -1;
3276 }
3277
3278 os_free(conn->domain_match);
3279 conn->domain_match = NULL;
3280 if (domain_match) {
3281 conn->domain_match = os_strdup(domain_match);
3282 if (conn->domain_match == NULL)
3283 return -1;
3284 }
3285
3286 os_free(conn->check_cert_subject);
3287 conn->check_cert_subject = NULL;
3288 if (check_cert_subject) {
3289 conn->check_cert_subject = os_strdup(check_cert_subject);
3290 if (!conn->check_cert_subject)
3291 return -1;
3292 }
3293
3294 return 0;
3295 }
3296
3297
3298 #ifdef CONFIG_SUITEB
suiteb_cert_cb(SSL * ssl,void * arg)3299 static int suiteb_cert_cb(SSL *ssl, void *arg)
3300 {
3301 struct tls_connection *conn = arg;
3302
3303 /*
3304 * This cert_cb() is not really the best location for doing a
3305 * constraint check for the ServerKeyExchange message, but this seems to
3306 * be the only place where the current OpenSSL sequence can be
3307 * terminated cleanly with an TLS alert going out to the server.
3308 */
3309
3310 if (!(conn->flags & TLS_CONN_SUITEB))
3311 return 1;
3312
3313 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
3314 if (conn->cipher_suite != 0x9f)
3315 return 1;
3316
3317 if (conn->server_dh_prime_len >= 3072)
3318 return 1;
3319
3320 wpa_printf(MSG_DEBUG,
3321 "OpenSSL: Server DH prime length (%d bits) not sufficient for Suite B RSA - reject handshake",
3322 conn->server_dh_prime_len);
3323 return 0;
3324 }
3325 #endif /* CONFIG_SUITEB */
3326
3327
tls_set_conn_flags(struct tls_connection * conn,unsigned int flags,const char * openssl_ciphers)3328 static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
3329 const char *openssl_ciphers)
3330 {
3331 SSL *ssl = conn->ssl;
3332
3333 #ifdef SSL_OP_NO_TICKET
3334 if (flags & TLS_CONN_DISABLE_SESSION_TICKET)
3335 SSL_set_options(ssl, SSL_OP_NO_TICKET);
3336 else
3337 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3338 #endif /* SSL_OP_NO_TICKET */
3339
3340 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
3341 if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
3342 SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
3343 #endif /* SSL_OP_LEGACY_SERVER_CONNECT */
3344
3345 #ifdef SSL_OP_NO_TLSv1
3346 if (flags & TLS_CONN_DISABLE_TLSv1_0)
3347 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3348 else
3349 SSL_clear_options(ssl, SSL_OP_NO_TLSv1);
3350 #endif /* SSL_OP_NO_TLSv1 */
3351 #ifdef SSL_OP_NO_TLSv1_1
3352 if (flags & TLS_CONN_DISABLE_TLSv1_1)
3353 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3354 else
3355 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1);
3356 #endif /* SSL_OP_NO_TLSv1_1 */
3357 #ifdef SSL_OP_NO_TLSv1_2
3358 if (flags & TLS_CONN_DISABLE_TLSv1_2)
3359 SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
3360 else
3361 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
3362 #endif /* SSL_OP_NO_TLSv1_2 */
3363 #ifdef SSL_OP_NO_TLSv1_3
3364 if (flags & TLS_CONN_DISABLE_TLSv1_3)
3365 SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
3366 else
3367 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
3368 #endif /* SSL_OP_NO_TLSv1_3 */
3369 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
3370 if (flags & (TLS_CONN_ENABLE_TLSv1_0 |
3371 TLS_CONN_ENABLE_TLSv1_1 |
3372 TLS_CONN_ENABLE_TLSv1_2)) {
3373 int version = 0;
3374
3375 /* Explicit request to enable TLS versions even if needing to
3376 * override systemwide policies. */
3377 if (flags & TLS_CONN_ENABLE_TLSv1_0)
3378 version = TLS1_VERSION;
3379 else if (flags & TLS_CONN_ENABLE_TLSv1_1)
3380 version = TLS1_1_VERSION;
3381 else if (flags & TLS_CONN_ENABLE_TLSv1_2)
3382 version = TLS1_2_VERSION;
3383 if (!version) {
3384 wpa_printf(MSG_DEBUG,
3385 "OpenSSL: Invalid TLS version configuration");
3386 return -1;
3387 }
3388
3389 if (SSL_set_min_proto_version(ssl, version) != 1) {
3390 wpa_printf(MSG_DEBUG,
3391 "OpenSSL: Failed to set minimum TLS version");
3392 return -1;
3393 }
3394 }
3395 #endif /* >= 1.1.0 */
3396 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3397 !defined(LIBRESSL_VERSION_NUMBER) && \
3398 !defined(OPENSSL_IS_BORINGSSL)
3399 {
3400 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3401 int need_level = 0;
3402 #else
3403 int need_level = 1;
3404 #endif
3405
3406 if ((flags &
3407 (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
3408 SSL_get_security_level(ssl) > need_level) {
3409 /*
3410 * Need to drop to security level 1 (or 0 with OpenSSL
3411 * 3.0) to allow TLS versions older than 1.2 to be used
3412 * when explicitly enabled in configuration.
3413 */
3414 SSL_set_security_level(conn->ssl, need_level);
3415 }
3416 }
3417 #endif
3418
3419 if (!openssl_ciphers)
3420 openssl_ciphers = conn->data->openssl_ciphers;
3421
3422 #ifdef CONFIG_SUITEB
3423 #ifdef OPENSSL_IS_BORINGSSL
3424 /* Start with defaults from BoringSSL */
3425 SSL_set_verify_algorithm_prefs(conn->ssl, NULL, 0);
3426 #endif /* OPENSSL_IS_BORINGSSL */
3427 if (flags & TLS_CONN_SUITEB_NO_ECDH) {
3428 const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
3429
3430 if (openssl_ciphers) {
3431 wpa_printf(MSG_DEBUG,
3432 "OpenSSL: Override ciphers for Suite B (no ECDH): %s",
3433 openssl_ciphers);
3434 ciphers = openssl_ciphers;
3435 }
3436 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3437 wpa_printf(MSG_INFO,
3438 "OpenSSL: Failed to set Suite B ciphers");
3439 return -1;
3440 }
3441 } else if (flags & TLS_CONN_SUITEB) {
3442 #if OPENSSL_VERSION_NUMBER < 0x30000000L
3443 EC_KEY *ecdh;
3444 #endif
3445 const char *ciphers =
3446 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
3447 int nid[1] = { NID_secp384r1 };
3448
3449 if (openssl_ciphers) {
3450 wpa_printf(MSG_DEBUG,
3451 "OpenSSL: Override ciphers for Suite B: %s",
3452 openssl_ciphers);
3453 ciphers = openssl_ciphers;
3454 }
3455 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3456 wpa_printf(MSG_INFO,
3457 "OpenSSL: Failed to set Suite B ciphers");
3458 return -1;
3459 }
3460
3461 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3462 if (SSL_set1_groups(ssl, nid, 1) != 1) {
3463 wpa_printf(MSG_INFO,
3464 "OpenSSL: Failed to set Suite B groups");
3465 return -1;
3466 }
3467
3468 #else
3469 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3470 wpa_printf(MSG_INFO,
3471 "OpenSSL: Failed to set Suite B curves");
3472 return -1;
3473 }
3474
3475 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
3476 if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
3477 EC_KEY_free(ecdh);
3478 wpa_printf(MSG_INFO,
3479 "OpenSSL: Failed to set ECDH parameter");
3480 return -1;
3481 }
3482 EC_KEY_free(ecdh);
3483 #endif
3484 }
3485 if ((flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH))
3486 #ifdef EAP_TLSV1_3
3487 && (flags & TLS_CONN_DISABLE_TLSv1_3)
3488 #endif
3489 ) {
3490 #ifdef OPENSSL_IS_BORINGSSL
3491 uint16_t sigalgs[1] = { SSL_SIGN_RSA_PKCS1_SHA384 };
3492
3493 if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,
3494 1) != 1) {
3495 wpa_printf(MSG_INFO,
3496 "OpenSSL: Failed to set Suite B sigalgs");
3497 return -1;
3498 }
3499 #else /* OPENSSL_IS_BORINGSSL */
3500 /* ECDSA+SHA384 if need to add EC support here */
3501 if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
3502 wpa_printf(MSG_INFO,
3503 "OpenSSL: Failed to set Suite B sigalgs");
3504 return -1;
3505 }
3506 #endif /* OPENSSL_IS_BORINGSSL */
3507
3508 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3509 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3510 SSL_set_cert_cb(ssl, suiteb_cert_cb, conn);
3511 }
3512
3513 #ifdef OPENSSL_IS_BORINGSSL
3514 if (openssl_ciphers && os_strcmp(openssl_ciphers, "SUITEB192") == 0) {
3515 uint16_t sigalgs[1] = { SSL_SIGN_ECDSA_SECP384R1_SHA384 };
3516 int nid[1] = { NID_secp384r1 };
3517
3518 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3519 wpa_printf(MSG_INFO,
3520 "OpenSSL: Failed to set Suite B curves");
3521 return -1;
3522 }
3523
3524 if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,
3525 1) != 1) {
3526 wpa_printf(MSG_INFO,
3527 "OpenSSL: Failed to set Suite B sigalgs");
3528 return -1;
3529 }
3530 }
3531 #else /* OPENSSL_IS_BORINGSSL */
3532 if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) &&
3533 openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3534 wpa_printf(MSG_INFO,
3535 "OpenSSL: Failed to set openssl_ciphers '%s'",
3536 openssl_ciphers);
3537 return -1;
3538 }
3539 #endif /* OPENSSL_IS_BORINGSSL */
3540 #else /* CONFIG_SUITEB */
3541 if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3542 wpa_printf(MSG_INFO,
3543 "OpenSSL: Failed to set openssl_ciphers '%s'",
3544 openssl_ciphers);
3545 return -1;
3546 }
3547 #endif /* CONFIG_SUITEB */
3548
3549 if (flags & TLS_CONN_TEAP_ANON_DH) {
3550 #ifndef TEAP_DH_ANON_CS
3551 #define TEAP_DH_ANON_CS \
3552 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \
3553 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \
3554 "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \
3555 "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
3556 "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \
3557 "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \
3558 "ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \
3559 "ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA"
3560 #endif
3561 static const char *cs = TEAP_DH_ANON_CS;
3562
3563 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3564 !defined(LIBRESSL_VERSION_NUMBER) && \
3565 !defined(OPENSSL_IS_BORINGSSL)
3566 /*
3567 * Need to drop to security level 0 to allow anonymous
3568 * cipher suites for EAP-TEAP.
3569 */
3570 SSL_set_security_level(conn->ssl, 0);
3571 #endif
3572
3573 wpa_printf(MSG_DEBUG,
3574 "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s",
3575 cs);
3576 if (SSL_set_cipher_list(conn->ssl, cs) != 1) {
3577 tls_show_errors(MSG_INFO, __func__,
3578 "Cipher suite configuration failed");
3579 return -1;
3580 }
3581 }
3582
3583 return 0;
3584 }
3585
3586
tls_connection_set_verify(void * ssl_ctx,struct tls_connection * conn,int verify_peer,unsigned int flags,const u8 * session_ctx,size_t session_ctx_len)3587 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
3588 int verify_peer, unsigned int flags,
3589 const u8 *session_ctx, size_t session_ctx_len)
3590 {
3591 static int counter = 0;
3592 struct tls_data *data = ssl_ctx;
3593
3594 if (conn == NULL)
3595 return -1;
3596
3597 if (verify_peer == 2) {
3598 conn->ca_cert_verify = 1;
3599 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3600 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3601 } else if (verify_peer) {
3602 conn->ca_cert_verify = 1;
3603 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3604 SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
3605 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3606 } else {
3607 conn->ca_cert_verify = 0;
3608 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
3609 }
3610
3611 if (tls_set_conn_flags(conn, flags, NULL) < 0)
3612 return -1;
3613 conn->flags = flags;
3614
3615 SSL_set_accept_state(conn->ssl);
3616
3617 if (data->tls_session_lifetime == 0) {
3618 /*
3619 * Set session id context to a unique value to make sure
3620 * session resumption cannot be used either through session
3621 * caching or TLS ticket extension.
3622 */
3623 counter++;
3624 SSL_set_session_id_context(conn->ssl,
3625 (const unsigned char *) &counter,
3626 sizeof(counter));
3627 } else if (session_ctx) {
3628 SSL_set_session_id_context(conn->ssl, session_ctx,
3629 session_ctx_len);
3630 }
3631
3632 return 0;
3633 }
3634
3635
tls_connection_client_cert(struct tls_connection * conn,const char * client_cert,const u8 * client_cert_blob,size_t client_cert_blob_len)3636 static int tls_connection_client_cert(struct tls_connection *conn,
3637 const char *client_cert,
3638 const u8 *client_cert_blob,
3639 size_t client_cert_blob_len)
3640 {
3641 if (client_cert == NULL && client_cert_blob == NULL)
3642 return 0;
3643
3644 #ifdef PKCS12_FUNCS
3645 #ifdef LIBRESSL_VERSION_NUMBER
3646 /*
3647 * Clear previously set extra chain certificates, if any, from PKCS#12
3648 * processing in tls_parse_pkcs12() to allow LibreSSL to build a new
3649 * chain properly.
3650 */
3651 SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx);
3652 #endif /* LIBRESSL_VERSION_NUMBER */
3653 #endif /* PKCS12_FUNCS */
3654
3655 if (client_cert_blob &&
3656 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
3657 client_cert_blob_len) == 1) {
3658 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_ASN1 --> "
3659 "OK");
3660 return 0;
3661 } else if (client_cert_blob) {
3662 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20901000L
3663 tls_show_errors(MSG_DEBUG, __func__,
3664 "SSL_use_certificate_ASN1 failed");
3665 #else
3666 BIO *bio;
3667 X509 *x509;
3668
3669 tls_show_errors(MSG_DEBUG, __func__,
3670 "SSL_use_certificate_ASN1 failed");
3671 bio = BIO_new(BIO_s_mem());
3672 if (!bio)
3673 return -1;
3674 BIO_write(bio, client_cert_blob, client_cert_blob_len);
3675 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3676 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) {
3677 X509_free(x509);
3678 BIO_free(bio);
3679 return -1;
3680 }
3681 X509_free(x509);
3682 wpa_printf(MSG_DEBUG,
3683 "OpenSSL: Found PEM encoded certificate from blob");
3684 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
3685 wpa_printf(MSG_DEBUG,
3686 "OpenSSL: Added an additional certificate into the chain");
3687 SSL_add0_chain_cert(conn->ssl, x509);
3688 }
3689 BIO_free(bio);
3690 return 0;
3691 #endif
3692 }
3693
3694 if (client_cert == NULL)
3695 return -1;
3696
3697 #ifdef ANDROID
3698 if (os_strncmp(ANDROID_KEYSTORE_PREFIX, client_cert,
3699 ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
3700 BIO *bio = BIO_from_keystore(&client_cert[ANDROID_KEYSTORE_PREFIX_LEN], conn);
3701 X509 *x509 = NULL;
3702 if (!bio) {
3703 return -1;
3704 }
3705 // Keystore returns X.509 certificates in PEM encoding
3706 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3707 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) {
3708 X509_free(x509);
3709 BIO_free(bio);
3710 wpa_printf(MSG_ERROR, "OpenSSL: Unknown certificate encoding");
3711 return -1;
3712 }
3713 X509_free(x509);
3714 wpa_printf(MSG_DEBUG,
3715 "OpenSSL: Found PEM encoded certificate from keystore: %s",
3716 client_cert);
3717
3718 // Read additional certificates into the chain
3719 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
3720 wpa_printf(MSG_DEBUG,
3721 "OpenSSL: Added an additional certificate into the chain");
3722 // Takes ownership of x509, no need to free it here
3723 SSL_add0_chain_cert(conn->ssl, x509);
3724 }
3725 BIO_free(bio);
3726 return 0;
3727 }
3728 #endif /* ANDROID */
3729
3730 #ifndef OPENSSL_NO_STDIO
3731 if (SSL_use_certificate_file(conn->ssl, client_cert,
3732 SSL_FILETYPE_ASN1) == 1) {
3733 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (DER)"
3734 " --> OK");
3735 return 0;
3736 }
3737
3738 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3739 !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
3740 if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
3741 ERR_clear_error();
3742 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
3743 " --> OK");
3744 return 0;
3745 }
3746 #else
3747 if (SSL_use_certificate_file(conn->ssl, client_cert,
3748 SSL_FILETYPE_PEM) == 1) {
3749 ERR_clear_error();
3750 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
3751 " --> OK");
3752 return 0;
3753 }
3754 #endif
3755
3756 tls_show_errors(MSG_DEBUG, __func__,
3757 "SSL_use_certificate_file failed");
3758 #else /* OPENSSL_NO_STDIO */
3759 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3760 #endif /* OPENSSL_NO_STDIO */
3761
3762 return -1;
3763 }
3764
3765
tls_global_client_cert(struct tls_data * data,const char * client_cert)3766 static int tls_global_client_cert(struct tls_data *data,
3767 const char *client_cert)
3768 {
3769 #ifndef OPENSSL_NO_STDIO
3770 SSL_CTX *ssl_ctx = data->ssl;
3771
3772 if (client_cert == NULL)
3773 return 0;
3774
3775 if (SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3776 SSL_FILETYPE_ASN1) != 1 &&
3777 SSL_CTX_use_certificate_chain_file(ssl_ctx, client_cert) != 1 &&
3778 SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3779 SSL_FILETYPE_PEM) != 1) {
3780 tls_show_errors(MSG_INFO, __func__,
3781 "Failed to load client certificate");
3782 return -1;
3783 }
3784 return 0;
3785 #else /* OPENSSL_NO_STDIO */
3786 if (client_cert == NULL)
3787 return 0;
3788 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3789 return -1;
3790 #endif /* OPENSSL_NO_STDIO */
3791 }
3792
3793
3794 #ifdef PKCS12_FUNCS
tls_parse_pkcs12(struct tls_data * data,SSL * ssl,PKCS12 * p12,const char * passwd)3795 static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12,
3796 const char *passwd)
3797 {
3798 EVP_PKEY *pkey;
3799 X509 *cert;
3800 STACK_OF(X509) *certs;
3801 int res = 0;
3802 char buf[256];
3803
3804 pkey = NULL;
3805 cert = NULL;
3806 certs = NULL;
3807 if (!passwd)
3808 passwd = "";
3809 if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) {
3810 tls_show_errors(MSG_DEBUG, __func__,
3811 "Failed to parse PKCS12 file");
3812 PKCS12_free(p12);
3813 return -1;
3814 }
3815 wpa_printf(MSG_DEBUG, "TLS: Successfully parsed PKCS12 data");
3816
3817 if (cert) {
3818 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3819 sizeof(buf));
3820 wpa_printf(MSG_DEBUG, "TLS: Got certificate from PKCS12: "
3821 "subject='%s'", buf);
3822 if (ssl) {
3823 if (SSL_use_certificate(ssl, cert) != 1)
3824 res = -1;
3825 } else {
3826 if (SSL_CTX_use_certificate(data->ssl, cert) != 1)
3827 res = -1;
3828 }
3829 X509_free(cert);
3830 }
3831
3832 if (pkey) {
3833 wpa_printf(MSG_DEBUG, "TLS: Got private key from PKCS12");
3834 if (ssl) {
3835 if (SSL_use_PrivateKey(ssl, pkey) != 1)
3836 res = -1;
3837 } else {
3838 if (SSL_CTX_use_PrivateKey(data->ssl, pkey) != 1)
3839 res = -1;
3840 }
3841 EVP_PKEY_free(pkey);
3842 }
3843
3844 if (certs) {
3845 #ifndef LIBRESSL_VERSION_NUMBER
3846 if (ssl)
3847 SSL_clear_chain_certs(ssl);
3848 else
3849 SSL_CTX_clear_chain_certs(data->ssl);
3850 while ((cert = sk_X509_pop(certs)) != NULL) {
3851 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3852 sizeof(buf));
3853 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3854 " from PKCS12: subject='%s'", buf);
3855 if ((ssl && SSL_add1_chain_cert(ssl, cert) != 1) ||
3856 (!ssl && SSL_CTX_add1_chain_cert(data->ssl,
3857 cert) != 1)) {
3858 tls_show_errors(MSG_DEBUG, __func__,
3859 "Failed to add additional certificate");
3860 res = -1;
3861 X509_free(cert);
3862 break;
3863 }
3864 X509_free(cert);
3865 }
3866 if (!res) {
3867 /* Try to continue anyway */
3868 }
3869 sk_X509_pop_free(certs, X509_free);
3870 #ifndef OPENSSL_IS_BORINGSSL
3871 if (ssl)
3872 res = SSL_build_cert_chain(
3873 ssl,
3874 SSL_BUILD_CHAIN_FLAG_CHECK |
3875 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3876 else
3877 res = SSL_CTX_build_cert_chain(
3878 data->ssl,
3879 SSL_BUILD_CHAIN_FLAG_CHECK |
3880 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3881 if (!res) {
3882 tls_show_errors(MSG_DEBUG, __func__,
3883 "Failed to build certificate chain");
3884 } else if (res == 2) {
3885 wpa_printf(MSG_DEBUG,
3886 "TLS: Ignore certificate chain verification error when building chain with PKCS#12 extra certificates");
3887 }
3888 #endif /* OPENSSL_IS_BORINGSSL */
3889 /*
3890 * Try to continue regardless of result since it is possible for
3891 * the extra certificates not to be required.
3892 */
3893 res = 0;
3894 #else /* LIBRESSL_VERSION_NUMBER */
3895 SSL_CTX_clear_extra_chain_certs(data->ssl);
3896 while ((cert = sk_X509_pop(certs)) != NULL) {
3897 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3898 sizeof(buf));
3899 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3900 " from PKCS12: subject='%s'", buf);
3901 /*
3902 * There is no SSL equivalent for the chain cert - so
3903 * always add it to the context...
3904 */
3905 if (SSL_CTX_add_extra_chain_cert(data->ssl, cert) != 1)
3906 {
3907 X509_free(cert);
3908 res = -1;
3909 break;
3910 }
3911 }
3912 sk_X509_pop_free(certs, X509_free);
3913 #endif /* LIBRSESSL_VERSION_NUMBER */
3914 }
3915
3916 PKCS12_free(p12);
3917
3918 if (res < 0)
3919 tls_get_errors(data);
3920
3921 return res;
3922 }
3923 #endif /* PKCS12_FUNCS */
3924
3925
tls_read_pkcs12(struct tls_data * data,SSL * ssl,const char * private_key,const char * passwd)3926 static int tls_read_pkcs12(struct tls_data *data, SSL *ssl,
3927 const char *private_key, const char *passwd)
3928 {
3929 #ifdef PKCS12_FUNCS
3930 FILE *f;
3931 PKCS12 *p12;
3932
3933 f = fopen(private_key, "rb");
3934 if (f == NULL)
3935 return -1;
3936
3937 p12 = d2i_PKCS12_fp(f, NULL);
3938 fclose(f);
3939
3940 if (p12 == NULL) {
3941 tls_show_errors(MSG_INFO, __func__,
3942 "Failed to use PKCS#12 file");
3943 return -1;
3944 }
3945
3946 return tls_parse_pkcs12(data, ssl, p12, passwd);
3947
3948 #else /* PKCS12_FUNCS */
3949 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read "
3950 "p12/pfx files");
3951 return -1;
3952 #endif /* PKCS12_FUNCS */
3953 }
3954
3955
tls_read_pkcs12_blob(struct tls_data * data,SSL * ssl,const u8 * blob,size_t len,const char * passwd)3956 static int tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl,
3957 const u8 *blob, size_t len, const char *passwd)
3958 {
3959 #ifdef PKCS12_FUNCS
3960 PKCS12 *p12;
3961
3962 p12 = d2i_PKCS12(NULL, (const unsigned char **) &blob, len);
3963 if (p12 == NULL) {
3964 tls_show_errors(MSG_INFO, __func__,
3965 "Failed to use PKCS#12 blob");
3966 return -1;
3967 }
3968
3969 return tls_parse_pkcs12(data, ssl, p12, passwd);
3970
3971 #else /* PKCS12_FUNCS */
3972 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse "
3973 "p12/pfx blobs");
3974 return -1;
3975 #endif /* PKCS12_FUNCS */
3976 }
3977
3978
3979 #ifndef OPENSSL_NO_ENGINE
tls_engine_get_cert(struct tls_connection * conn,const char * cert_id,X509 ** cert)3980 static int tls_engine_get_cert(struct tls_connection *conn,
3981 const char *cert_id,
3982 X509 **cert)
3983 {
3984 /* this runs after the private key is loaded so no PIN is required */
3985 struct {
3986 const char *cert_id;
3987 X509 *cert;
3988 } params;
3989 params.cert_id = cert_id;
3990 params.cert = NULL;
3991
3992 if (!ENGINE_ctrl_cmd(conn->engine, "LOAD_CERT_CTRL",
3993 0, ¶ms, NULL, 1)) {
3994 unsigned long err = ERR_get_error();
3995
3996 wpa_printf(MSG_ERROR, "ENGINE: cannot load client cert with id"
3997 " '%s' [%s]", cert_id,
3998 ERR_error_string(err, NULL));
3999 if (tls_is_pin_error(err))
4000 return TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
4001 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
4002 }
4003 if (!params.cert) {
4004 wpa_printf(MSG_ERROR, "ENGINE: did not properly cert with id"
4005 " '%s'", cert_id);
4006 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
4007 }
4008 *cert = params.cert;
4009 return 0;
4010 }
4011 #endif /* OPENSSL_NO_ENGINE */
4012
4013
tls_connection_engine_client_cert(struct tls_connection * conn,const char * cert_id)4014 static int tls_connection_engine_client_cert(struct tls_connection *conn,
4015 const char *cert_id)
4016 {
4017 #ifndef ANDROID
4018 X509 *cert;
4019
4020 #ifndef OPENSSL_NO_ENGINE
4021 if (tls_engine_get_cert(conn, cert_id, &cert))
4022 return -1;
4023 #else /* OPENSSL_NO_ENGINE */
4024 cert = provider_load_cert(cert_id);
4025 if (!cert)
4026 return -1;
4027 #endif /* OPENSSL_NO_ENGINE */
4028
4029 if (!SSL_use_certificate(conn->ssl, cert)) {
4030 tls_show_errors(MSG_ERROR, __func__,
4031 "SSL_use_certificate failed");
4032 X509_free(cert);
4033 return -1;
4034 }
4035 X509_free(cert);
4036 wpa_printf(MSG_DEBUG, "ENGINE/provider: SSL_use_certificate --> "
4037 "OK");
4038 return 0;
4039 #else /* ANDROID */
4040 return -1;
4041 #endif /* ANDROID */
4042 }
4043
4044
tls_connection_engine_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert_id)4045 static int tls_connection_engine_ca_cert(struct tls_data *data,
4046 struct tls_connection *conn,
4047 const char *ca_cert_id)
4048 {
4049 #ifndef ANDROID
4050 X509 *cert;
4051 SSL_CTX *ssl_ctx = data->ssl;
4052 X509_STORE *store;
4053
4054 #ifndef OPENSSL_NO_ENGINE
4055 if (tls_engine_get_cert(conn, ca_cert_id, &cert))
4056 return -1;
4057 #else /* OPENSSL_NO_ENGINE */
4058 cert = provider_load_cert(ca_cert_id);
4059 if (!cert)
4060 return -1;
4061 #endif /* OPENSSL_NO_ENGINE */
4062
4063 /* start off the same as tls_connection_ca_cert */
4064 store = X509_STORE_new();
4065 if (store == NULL) {
4066 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
4067 "certificate store", __func__);
4068 X509_free(cert);
4069 return -1;
4070 }
4071 SSL_CTX_set_cert_store(ssl_ctx, store);
4072 if (!X509_STORE_add_cert(store, cert)) {
4073 unsigned long err = ERR_peek_error();
4074 tls_show_errors(MSG_WARNING, __func__,
4075 "Failed to add CA certificate from engine/provider "
4076 "to certificate store");
4077 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
4078 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
4079 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring cert"
4080 " already in hash table error",
4081 __func__);
4082 } else {
4083 X509_free(cert);
4084 return -1;
4085 }
4086 }
4087 X509_free(cert);
4088 wpa_printf(MSG_DEBUG,
4089 "OpenSSL: %s - added CA certificate from engine/provider to certificate store",
4090 __func__);
4091 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
4092 conn->ca_cert_verify = 1;
4093
4094 return 0;
4095 #else /* ANDROID */
4096 return -1;
4097 #endif /* ANDROID */
4098 }
4099
4100
tls_connection_engine_private_key(struct tls_connection * conn)4101 static int tls_connection_engine_private_key(struct tls_connection *conn)
4102 {
4103 if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) {
4104 tls_show_errors(MSG_ERROR, __func__,
4105 "ENGINE/provider: cannot use private key for TLS");
4106 return -1;
4107 }
4108 if (!SSL_check_private_key(conn->ssl)) {
4109 tls_show_errors(MSG_INFO, __func__,
4110 "Private key failed verification");
4111 return -1;
4112 }
4113 return 0;
4114 }
4115
4116
4117 #ifndef OPENSSL_NO_STDIO
tls_passwd_cb(char * buf,int size,int rwflag,void * password)4118 static int tls_passwd_cb(char *buf, int size, int rwflag, void *password)
4119 {
4120 if (!password)
4121 return 0;
4122 os_strlcpy(buf, (const char *) password, size);
4123 return os_strlen(buf);
4124 }
4125 #endif /* OPENSSL_NO_STDIO */
4126
4127
tls_use_private_key_file(struct tls_data * data,SSL * ssl,const char * private_key,const char * private_key_passwd)4128 static int tls_use_private_key_file(struct tls_data *data, SSL *ssl,
4129 const char *private_key,
4130 const char *private_key_passwd)
4131 {
4132 #ifndef OPENSSL_NO_STDIO
4133 BIO *bio;
4134 EVP_PKEY *pkey;
4135 int ret;
4136
4137 /* First try ASN.1 (DER). */
4138 bio = BIO_new_file(private_key, "r");
4139 if (!bio)
4140 return -1;
4141 pkey = d2i_PrivateKey_bio(bio, NULL);
4142 BIO_free(bio);
4143
4144 if (pkey) {
4145 wpa_printf(MSG_DEBUG, "OpenSSL: %s (DER) --> loaded", __func__);
4146 } else {
4147 /* Try PEM with the provided password. */
4148 bio = BIO_new_file(private_key, "r");
4149 if (!bio)
4150 return -1;
4151 pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_passwd_cb,
4152 (void *) private_key_passwd);
4153 BIO_free(bio);
4154 if (!pkey)
4155 return -1;
4156 wpa_printf(MSG_DEBUG, "OpenSSL: %s (PEM) --> loaded", __func__);
4157 /* Clear errors from the previous failed load. */
4158 ERR_clear_error();
4159 }
4160
4161 if (ssl)
4162 ret = SSL_use_PrivateKey(ssl, pkey);
4163 else
4164 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey);
4165
4166 EVP_PKEY_free(pkey);
4167 return ret == 1 ? 0 : -1;
4168 #else /* OPENSSL_NO_STDIO */
4169 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
4170 return -1;
4171 #endif /* OPENSSL_NO_STDIO */
4172 }
4173
4174
tls_connection_private_key(struct tls_data * data,struct tls_connection * conn,const char * private_key,const char * private_key_passwd,const u8 * private_key_blob,size_t private_key_blob_len)4175 static int tls_connection_private_key(struct tls_data *data,
4176 struct tls_connection *conn,
4177 const char *private_key,
4178 const char *private_key_passwd,
4179 const u8 *private_key_blob,
4180 size_t private_key_blob_len)
4181 {
4182 BIO *bio;
4183 int ok;
4184
4185 if (private_key == NULL && private_key_blob == NULL)
4186 return 0;
4187
4188 ok = 0;
4189 while (private_key_blob) {
4190 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl,
4191 (u8 *) private_key_blob,
4192 private_key_blob_len) == 1) {
4193 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
4194 "ASN1(EVP_PKEY_RSA) --> OK");
4195 ok = 1;
4196 break;
4197 }
4198
4199 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl,
4200 (u8 *) private_key_blob,
4201 private_key_blob_len) == 1) {
4202 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
4203 "ASN1(EVP_PKEY_DSA) --> OK");
4204 ok = 1;
4205 break;
4206 }
4207
4208 #ifndef OPENSSL_NO_EC
4209 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, conn->ssl,
4210 (u8 *) private_key_blob,
4211 private_key_blob_len) == 1) {
4212 wpa_printf(MSG_DEBUG,
4213 "OpenSSL: SSL_use_PrivateKey_ASN1(EVP_PKEY_EC) --> OK");
4214 ok = 1;
4215 break;
4216 }
4217 #endif /* OPENSSL_NO_EC */
4218
4219 #if OPENSSL_VERSION_NUMBER < 0x30000000L
4220 if (SSL_use_RSAPrivateKey_ASN1(conn->ssl,
4221 (u8 *) private_key_blob,
4222 private_key_blob_len) == 1) {
4223 wpa_printf(MSG_DEBUG, "OpenSSL: "
4224 "SSL_use_RSAPrivateKey_ASN1 --> OK");
4225 ok = 1;
4226 break;
4227 }
4228 #endif
4229
4230 bio = BIO_new_mem_buf((u8 *) private_key_blob,
4231 private_key_blob_len);
4232 if (bio) {
4233 EVP_PKEY *pkey;
4234
4235 pkey = PEM_read_bio_PrivateKey(
4236 bio, NULL, tls_passwd_cb,
4237 (void *) private_key_passwd);
4238 if (pkey) {
4239 if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) {
4240 wpa_printf(MSG_DEBUG,
4241 "OpenSSL: SSL_use_PrivateKey --> OK");
4242 ok = 1;
4243 EVP_PKEY_free(pkey);
4244 BIO_free(bio);
4245 break;
4246 }
4247 EVP_PKEY_free(pkey);
4248 }
4249 BIO_free(bio);
4250 }
4251
4252 if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob,
4253 private_key_blob_len,
4254 private_key_passwd) == 0) {
4255 wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> "
4256 "OK");
4257 ok = 1;
4258 break;
4259 }
4260
4261 break;
4262 }
4263
4264 while (!ok && private_key) {
4265 if (tls_use_private_key_file(data, conn->ssl, private_key,
4266 private_key_passwd) == 0) {
4267 ok = 1;
4268 break;
4269 }
4270
4271 if (tls_read_pkcs12(data, conn->ssl, private_key,
4272 private_key_passwd) == 0) {
4273 wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file "
4274 "--> OK");
4275 ok = 1;
4276 break;
4277 }
4278
4279 if (tls_cryptoapi_cert(conn->ssl, private_key) == 0) {
4280 wpa_printf(MSG_DEBUG, "OpenSSL: Using CryptoAPI to "
4281 "access certificate store --> OK");
4282 ok = 1;
4283 break;
4284 }
4285
4286 break;
4287 }
4288
4289 if (!ok) {
4290 tls_show_errors(MSG_INFO, __func__,
4291 "Failed to load private key");
4292 return -1;
4293 }
4294 ERR_clear_error();
4295
4296 if (!SSL_check_private_key(conn->ssl)) {
4297 tls_show_errors(MSG_INFO, __func__, "Private key failed "
4298 "verification");
4299 return -1;
4300 }
4301
4302 wpa_printf(MSG_DEBUG, "SSL: Private key loaded successfully");
4303 return 0;
4304 }
4305
4306
tls_global_private_key(struct tls_data * data,const char * private_key,const char * private_key_passwd)4307 static int tls_global_private_key(struct tls_data *data,
4308 const char *private_key,
4309 const char *private_key_passwd)
4310 {
4311 SSL_CTX *ssl_ctx = data->ssl;
4312
4313 if (private_key == NULL)
4314 return 0;
4315
4316 if (tls_use_private_key_file(data, NULL, private_key,
4317 private_key_passwd) &&
4318 tls_read_pkcs12(data, NULL, private_key, private_key_passwd)) {
4319 tls_show_errors(MSG_INFO, __func__,
4320 "Failed to load private key");
4321 ERR_clear_error();
4322 return -1;
4323 }
4324 ERR_clear_error();
4325
4326 if (!SSL_CTX_check_private_key(ssl_ctx)) {
4327 tls_show_errors(MSG_INFO, __func__,
4328 "Private key failed verification");
4329 return -1;
4330 }
4331
4332 return 0;
4333 }
4334
4335
4336 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4337 #ifndef OPENSSL_NO_DH
4338 #ifndef OPENSSL_NO_DSA
4339 /* This is needed to replace the deprecated DSA_dup_DH() function */
openssl_dsa_to_dh(EVP_PKEY * dsa)4340 static EVP_PKEY * openssl_dsa_to_dh(EVP_PKEY *dsa)
4341 {
4342 OSSL_PARAM_BLD *bld = NULL;
4343 OSSL_PARAM *params = NULL;
4344 BIGNUM *p = NULL, *q = NULL, *g = NULL;
4345 EVP_PKEY_CTX *ctx = NULL;
4346 EVP_PKEY *pkey = NULL;
4347
4348 if (!EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_P, &p) ||
4349 !EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_Q, &q) ||
4350 !EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_G, &g) ||
4351 !(bld = OSSL_PARAM_BLD_new()) ||
4352 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) ||
4353 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q) ||
4354 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) ||
4355 !(params = OSSL_PARAM_BLD_to_param(bld)) ||
4356 !(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL)) ||
4357 EVP_PKEY_fromdata_init(ctx) != 1 ||
4358 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS,
4359 params) != 1)
4360 wpa_printf(MSG_INFO,
4361 "TLS: Failed to convert DSA parameters to DH parameters");
4362
4363 EVP_PKEY_CTX_free(ctx);
4364 OSSL_PARAM_free(params);
4365 OSSL_PARAM_BLD_free(bld);
4366 BN_free(p);
4367 BN_free(q);
4368 BN_free(g);
4369 return pkey;
4370 }
4371 #endif /* !OPENSSL_NO_DSA */
4372 #endif /* OPENSSL_NO_DH */
4373 #endif /* OpenSSL version >= 3.0 */
4374
tls_global_dh(struct tls_data * data,const char * dh_file)4375 static int tls_global_dh(struct tls_data *data, const char *dh_file)
4376 {
4377 #ifdef OPENSSL_NO_DH
4378 if (dh_file == NULL)
4379 return 0;
4380 wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
4381 "dh_file specified");
4382 return -1;
4383 #else /* OPENSSL_NO_DH */
4384 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4385 SSL_CTX *ssl_ctx = data->ssl;
4386 BIO *bio;
4387 OSSL_DECODER_CTX *ctx = NULL;
4388 EVP_PKEY *pkey = NULL, *tmpkey = NULL;
4389 bool dsa = false;
4390
4391 if (!ssl_ctx)
4392 return -1;
4393 if (!dh_file) {
4394 SSL_CTX_set_dh_auto(ssl_ctx, 1);
4395 return 0;
4396 }
4397
4398 bio = BIO_new_file(dh_file, "r");
4399 if (!bio) {
4400 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4401 dh_file, ERR_error_string(ERR_get_error(), NULL));
4402 return -1;
4403 }
4404 ctx = OSSL_DECODER_CTX_new_for_pkey(
4405 &tmpkey, "PEM", NULL, NULL,
4406 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, NULL, NULL);
4407 if (!ctx ||
4408 OSSL_DECODER_from_bio(ctx, bio) != 1) {
4409 wpa_printf(MSG_INFO,
4410 "TLS: Failed to decode domain parameters from '%s': %s",
4411 dh_file, ERR_error_string(ERR_get_error(), NULL));
4412 BIO_free(bio);
4413 OSSL_DECODER_CTX_free(ctx);
4414 return -1;
4415 }
4416 OSSL_DECODER_CTX_free(ctx);
4417 BIO_free(bio);
4418
4419 if (!tmpkey) {
4420 wpa_printf(MSG_INFO, "TLS: Failed to load domain parameters");
4421 return -1;
4422 }
4423
4424 #ifndef OPENSSL_NO_DSA
4425 if (EVP_PKEY_is_a(tmpkey, "DSA")) {
4426 pkey = openssl_dsa_to_dh(tmpkey);
4427 EVP_PKEY_free(tmpkey);
4428 if (!pkey)
4429 return -1;
4430 dsa = true;
4431 }
4432 #endif /* !OPENSSL_NO_DSA */
4433 if (!dsa) {
4434 if (EVP_PKEY_is_a(tmpkey, "DH") ||
4435 EVP_PKEY_is_a(tmpkey, "DHX")) {
4436 } else {
4437 wpa_printf(MSG_INFO,
4438 "TLS: No DH parameters found in %s",
4439 dh_file);
4440 EVP_PKEY_free(tmpkey);
4441 return -1;
4442 }
4443 pkey = tmpkey;
4444 tmpkey = NULL;
4445 }
4446
4447 if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, pkey) != 1) {
4448 wpa_printf(MSG_INFO,
4449 "TLS: Failed to set DH params from '%s': %s",
4450 dh_file, ERR_error_string(ERR_get_error(), NULL));
4451 EVP_PKEY_free(pkey);
4452 return -1;
4453 }
4454 return 0;
4455 #else /* OpenSSL version >= 3.0 */
4456 SSL_CTX *ssl_ctx = data->ssl;
4457 DH *dh;
4458 BIO *bio;
4459
4460 if (!ssl_ctx)
4461 return -1;
4462 if (!dh_file) {
4463 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)
4464 SSL_CTX_set_dh_auto(ssl_ctx, 1);
4465 #endif
4466 return 0;
4467 }
4468
4469 bio = BIO_new_file(dh_file, "r");
4470 if (bio == NULL) {
4471 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4472 dh_file, ERR_error_string(ERR_get_error(), NULL));
4473 return -1;
4474 }
4475 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
4476 BIO_free(bio);
4477 #ifndef OPENSSL_NO_DSA
4478 while (dh == NULL) {
4479 DSA *dsa;
4480 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
4481 " trying to parse as DSA params", dh_file,
4482 ERR_error_string(ERR_get_error(), NULL));
4483 bio = BIO_new_file(dh_file, "r");
4484 if (bio == NULL)
4485 break;
4486 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
4487 BIO_free(bio);
4488 if (!dsa) {
4489 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
4490 "'%s': %s", dh_file,
4491 ERR_error_string(ERR_get_error(), NULL));
4492 break;
4493 }
4494
4495 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
4496 dh = DSA_dup_DH(dsa);
4497 DSA_free(dsa);
4498 if (dh == NULL) {
4499 wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
4500 "params into DH params");
4501 break;
4502 }
4503 break;
4504 }
4505 #endif /* !OPENSSL_NO_DSA */
4506 if (dh == NULL) {
4507 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
4508 "'%s'", dh_file);
4509 return -1;
4510 }
4511
4512 if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) {
4513 wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': "
4514 "%s", dh_file,
4515 ERR_error_string(ERR_get_error(), NULL));
4516 DH_free(dh);
4517 return -1;
4518 }
4519 DH_free(dh);
4520 return 0;
4521 #endif /* OpenSSL version >= 3.0 */
4522 #endif /* OPENSSL_NO_DH */
4523 }
4524
4525
tls_connection_get_random(void * ssl_ctx,struct tls_connection * conn,struct tls_random * keys)4526 int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
4527 struct tls_random *keys)
4528 {
4529 SSL *ssl;
4530
4531 if (conn == NULL || keys == NULL)
4532 return -1;
4533 ssl = conn->ssl;
4534 if (ssl == NULL)
4535 return -1;
4536
4537 os_memset(keys, 0, sizeof(*keys));
4538 keys->client_random = conn->client_random;
4539 keys->client_random_len = SSL_get_client_random(
4540 ssl, conn->client_random, sizeof(conn->client_random));
4541 keys->server_random = conn->server_random;
4542 keys->server_random_len = SSL_get_server_random(
4543 ssl, conn->server_random, sizeof(conn->server_random));
4544
4545 return 0;
4546 }
4547
4548
4549 #ifdef OPENSSL_NEED_EAP_FAST_PRF
openssl_get_keyblock_size(SSL * ssl)4550 static int openssl_get_keyblock_size(SSL *ssl)
4551 {
4552 #if OPENSSL_VERSION_NUMBER < 0x10100000L
4553 const EVP_CIPHER *c;
4554 const EVP_MD *h;
4555 int md_size;
4556
4557 if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL ||
4558 ssl->read_hash == NULL)
4559 return -1;
4560
4561 c = ssl->enc_read_ctx->cipher;
4562 h = EVP_MD_CTX_md(ssl->read_hash);
4563 if (h)
4564 md_size = EVP_MD_size(h);
4565 else if (ssl->s3)
4566 md_size = ssl->s3->tmp.new_mac_secret_size;
4567 else
4568 return -1;
4569
4570 wpa_printf(MSG_DEBUG, "OpenSSL: keyblock size: key_len=%d MD_size=%d "
4571 "IV_len=%d", EVP_CIPHER_key_length(c), md_size,
4572 EVP_CIPHER_iv_length(c));
4573 return 2 * (EVP_CIPHER_key_length(c) +
4574 md_size +
4575 EVP_CIPHER_iv_length(c));
4576 #else
4577 const SSL_CIPHER *ssl_cipher;
4578 int cipher, digest;
4579 const EVP_CIPHER *c;
4580 const EVP_MD *h;
4581 int mac_key_len, enc_key_len, fixed_iv_len;
4582
4583 ssl_cipher = SSL_get_current_cipher(ssl);
4584 if (!ssl_cipher)
4585 return -1;
4586 cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher);
4587 digest = SSL_CIPHER_get_digest_nid(ssl_cipher);
4588 wpa_printf(MSG_DEBUG, "OpenSSL: cipher nid %d digest nid %d",
4589 cipher, digest);
4590 if (cipher < 0 || digest < 0)
4591 return -1;
4592 if (cipher == NID_undef) {
4593 wpa_printf(MSG_DEBUG, "OpenSSL: no cipher in use?!");
4594 return -1;
4595 }
4596 c = EVP_get_cipherbynid(cipher);
4597 if (!c)
4598 return -1;
4599 enc_key_len = EVP_CIPHER_key_length(c);
4600 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE ||
4601 EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
4602 fixed_iv_len = 4; /* only part of IV from PRF */
4603 else
4604 fixed_iv_len = EVP_CIPHER_iv_length(c);
4605 if (digest == NID_undef) {
4606 wpa_printf(MSG_DEBUG, "OpenSSL: no digest in use (e.g., AEAD)");
4607 mac_key_len = 0;
4608 } else {
4609 h = EVP_get_digestbynid(digest);
4610 if (!h)
4611 return -1;
4612 mac_key_len = EVP_MD_size(h);
4613 }
4614
4615 wpa_printf(MSG_DEBUG,
4616 "OpenSSL: keyblock size: mac_key_len=%d enc_key_len=%d fixed_iv_len=%d",
4617 mac_key_len, enc_key_len, fixed_iv_len);
4618 return 2 * (mac_key_len + enc_key_len + fixed_iv_len);
4619 #endif
4620 }
4621 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4622
4623
tls_connection_export_key(void * tls_ctx,struct tls_connection * conn,const char * label,const u8 * context,size_t context_len,u8 * out,size_t out_len)4624 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
4625 const char *label, const u8 *context,
4626 size_t context_len, u8 *out, size_t out_len)
4627 {
4628 if (!conn ||
4629 SSL_export_keying_material(conn->ssl, out, out_len, label,
4630 os_strlen(label), context, context_len,
4631 context != NULL) != 1)
4632 return -1;
4633 return 0;
4634 }
4635
4636
tls_connection_get_eap_fast_key(void * tls_ctx,struct tls_connection * conn,u8 * out,size_t out_len)4637 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
4638 u8 *out, size_t out_len)
4639 {
4640 #ifdef OPENSSL_NEED_EAP_FAST_PRF
4641 SSL *ssl;
4642 SSL_SESSION *sess;
4643 u8 *rnd;
4644 int ret = -1;
4645 int skip = 0;
4646 u8 *tmp_out = NULL;
4647 u8 *_out = out;
4648 unsigned char client_random[SSL3_RANDOM_SIZE];
4649 unsigned char server_random[SSL3_RANDOM_SIZE];
4650 unsigned char master_key[64];
4651 size_t master_key_len;
4652 const char *ver;
4653
4654 /*
4655 * TLS library did not support EAP-FAST key generation, so get the
4656 * needed TLS session parameters and use an internal implementation of
4657 * TLS PRF to derive the key.
4658 */
4659
4660 if (conn == NULL)
4661 return -1;
4662 ssl = conn->ssl;
4663 if (ssl == NULL)
4664 return -1;
4665 ver = SSL_get_version(ssl);
4666 sess = SSL_get_session(ssl);
4667 if (!ver || !sess)
4668 return -1;
4669
4670 skip = openssl_get_keyblock_size(ssl);
4671 if (skip < 0)
4672 return -1;
4673 tmp_out = os_malloc(skip + out_len);
4674 if (!tmp_out)
4675 return -1;
4676 _out = tmp_out;
4677
4678 rnd = os_malloc(2 * SSL3_RANDOM_SIZE);
4679 if (!rnd) {
4680 os_free(tmp_out);
4681 return -1;
4682 }
4683
4684 SSL_get_client_random(ssl, client_random, sizeof(client_random));
4685 SSL_get_server_random(ssl, server_random, sizeof(server_random));
4686 master_key_len = SSL_SESSION_get_master_key(sess, master_key,
4687 sizeof(master_key));
4688
4689 os_memcpy(rnd, server_random, SSL3_RANDOM_SIZE);
4690 os_memcpy(rnd + SSL3_RANDOM_SIZE, client_random, SSL3_RANDOM_SIZE);
4691
4692 if (os_strcmp(ver, "TLSv1.2") == 0) {
4693 tls_prf_sha256(master_key, master_key_len,
4694 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4695 _out, skip + out_len);
4696 ret = 0;
4697 } else if (tls_prf_sha1_md5(master_key, master_key_len,
4698 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4699 _out, skip + out_len) == 0) {
4700 ret = 0;
4701 }
4702 forced_memzero(master_key, sizeof(master_key));
4703 os_free(rnd);
4704 if (ret == 0)
4705 os_memcpy(out, _out + skip, out_len);
4706 bin_clear_free(tmp_out, skip);
4707
4708 return ret;
4709 #else /* OPENSSL_NEED_EAP_FAST_PRF */
4710 wpa_printf(MSG_ERROR,
4711 "OpenSSL: EAP-FAST keys cannot be exported in FIPS mode");
4712 return -1;
4713 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4714 }
4715
4716
4717 static struct wpabuf *
openssl_handshake(struct tls_connection * conn,const struct wpabuf * in_data)4718 openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
4719 {
4720 struct tls_context *context = conn->context;
4721 int res;
4722 struct wpabuf *out_data;
4723
4724 /*
4725 * Give TLS handshake data from the server (if available) to OpenSSL
4726 * for processing.
4727 */
4728 if (in_data && wpabuf_len(in_data) > 0 &&
4729 BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data))
4730 < 0) {
4731 tls_show_errors(MSG_INFO, __func__,
4732 "Handshake failed - BIO_write");
4733 return NULL;
4734 }
4735
4736 /* Initiate TLS handshake or continue the existing handshake */
4737 if (conn->server)
4738 res = SSL_accept(conn->ssl);
4739 else
4740 res = SSL_connect(conn->ssl);
4741 if (res != 1) {
4742 int err = SSL_get_error(conn->ssl, res);
4743 if (err == SSL_ERROR_WANT_READ)
4744 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want "
4745 "more data");
4746 else if (err == SSL_ERROR_WANT_WRITE)
4747 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
4748 "write");
4749 else {
4750 unsigned long error = ERR_peek_last_error();
4751
4752 tls_show_errors(MSG_INFO, __func__, "SSL_connect");
4753
4754 if (context->event_cb &&
4755 ERR_GET_LIB(error) == ERR_LIB_SSL &&
4756 ERR_GET_REASON(error) ==
4757 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
4758 context->event_cb(
4759 context->cb_ctx,
4760 TLS_UNSAFE_RENEGOTIATION_DISABLED,
4761 NULL);
4762 }
4763 conn->failed++;
4764 if (!conn->server && !conn->client_hello_generated) {
4765 /* The server would not understand TLS Alert
4766 * before ClientHello, so simply terminate
4767 * handshake on this type of error case caused
4768 * by a likely internal error like no ciphers
4769 * available. */
4770 wpa_printf(MSG_DEBUG,
4771 "OpenSSL: Could not generate ClientHello");
4772 conn->write_alerts++;
4773 return NULL;
4774 }
4775 }
4776 }
4777
4778 if (!conn->server && !conn->failed)
4779 conn->client_hello_generated = 1;
4780
4781 #ifdef CONFIG_SUITEB
4782 if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
4783 os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
4784 conn->server_dh_prime_len < 3072) {
4785 /*
4786 * This should not be reached since earlier cert_cb should have
4787 * terminated the handshake. Keep this check here for extra
4788 * protection if anything goes wrong with the more low-level
4789 * checks based on having to parse the TLS handshake messages.
4790 */
4791 wpa_printf(MSG_DEBUG,
4792 "OpenSSL: Server DH prime length: %d bits",
4793 conn->server_dh_prime_len);
4794
4795 if (context->event_cb) {
4796 union tls_event_data ev;
4797
4798 os_memset(&ev, 0, sizeof(ev));
4799 ev.alert.is_local = 1;
4800 ev.alert.type = "fatal";
4801 ev.alert.description = "insufficient security";
4802 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
4803 }
4804 /*
4805 * Could send a TLS Alert to the server, but for now, simply
4806 * terminate handshake.
4807 */
4808 conn->failed++;
4809 conn->write_alerts++;
4810 return NULL;
4811 }
4812 #endif /* CONFIG_SUITEB */
4813
4814 /* Get the TLS handshake data to be sent to the server */
4815 res = BIO_ctrl_pending(conn->ssl_out);
4816 wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res);
4817 out_data = wpabuf_alloc(res);
4818 if (out_data == NULL) {
4819 wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for "
4820 "handshake output (%d bytes)", res);
4821 if (BIO_reset(conn->ssl_out) < 0) {
4822 tls_show_errors(MSG_INFO, __func__,
4823 "BIO_reset failed");
4824 }
4825 return NULL;
4826 }
4827 res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data),
4828 res);
4829 if (res < 0) {
4830 tls_show_errors(MSG_INFO, __func__,
4831 "Handshake failed - BIO_read");
4832 if (BIO_reset(conn->ssl_out) < 0) {
4833 tls_show_errors(MSG_INFO, __func__,
4834 "BIO_reset failed");
4835 }
4836 wpabuf_free(out_data);
4837 return NULL;
4838 }
4839 wpabuf_put(out_data, res);
4840
4841 return out_data;
4842 }
4843
4844
4845 static struct wpabuf *
openssl_get_appl_data(struct tls_connection * conn,size_t max_len)4846 openssl_get_appl_data(struct tls_connection *conn, size_t max_len)
4847 {
4848 struct wpabuf *appl_data;
4849 int res;
4850
4851 appl_data = wpabuf_alloc(max_len + 100);
4852 if (appl_data == NULL)
4853 return NULL;
4854
4855 res = SSL_read(conn->ssl, wpabuf_mhead(appl_data),
4856 wpabuf_size(appl_data));
4857 if (res < 0) {
4858 int err = SSL_get_error(conn->ssl, res);
4859 if (err == SSL_ERROR_WANT_READ ||
4860 err == SSL_ERROR_WANT_WRITE) {
4861 wpa_printf(MSG_DEBUG, "SSL: No Application Data "
4862 "included");
4863 } else {
4864 tls_show_errors(MSG_INFO, __func__,
4865 "Failed to read possible "
4866 "Application Data");
4867 }
4868 wpabuf_free(appl_data);
4869 return NULL;
4870 }
4871
4872 wpabuf_put(appl_data, res);
4873 wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application Data in Finished "
4874 "message", appl_data);
4875
4876 return appl_data;
4877 }
4878
4879
4880 static struct wpabuf *
openssl_connection_handshake(struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4881 openssl_connection_handshake(struct tls_connection *conn,
4882 const struct wpabuf *in_data,
4883 struct wpabuf **appl_data)
4884 {
4885 struct wpabuf *out_data;
4886
4887 if (appl_data)
4888 *appl_data = NULL;
4889
4890 out_data = openssl_handshake(conn, in_data);
4891 if (out_data == NULL)
4892 return NULL;
4893 if (conn->invalid_hb_used) {
4894 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4895 wpabuf_free(out_data);
4896 return NULL;
4897 }
4898
4899 if (SSL_is_init_finished(conn->ssl)) {
4900 wpa_printf(MSG_DEBUG,
4901 "OpenSSL: Handshake finished - resumed=%d",
4902 tls_connection_resumed(conn->ssl_ctx, conn));
4903 if (conn->server) {
4904 char *buf;
4905 size_t buflen = 2000;
4906
4907 buf = os_malloc(buflen);
4908 if (buf) {
4909 if (SSL_get_shared_ciphers(conn->ssl, buf,
4910 buflen)) {
4911 buf[buflen - 1] = '\0';
4912 wpa_printf(MSG_DEBUG,
4913 "OpenSSL: Shared ciphers: %s",
4914 buf);
4915 }
4916 os_free(buf);
4917 }
4918 }
4919 if (appl_data && in_data)
4920 *appl_data = openssl_get_appl_data(conn,
4921 wpabuf_len(in_data));
4922 }
4923
4924 if (conn->invalid_hb_used) {
4925 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4926 if (appl_data) {
4927 wpabuf_free(*appl_data);
4928 *appl_data = NULL;
4929 }
4930 wpabuf_free(out_data);
4931 return NULL;
4932 }
4933
4934 return out_data;
4935 }
4936
4937
4938 struct wpabuf *
tls_connection_handshake(void * ssl_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4939 tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
4940 const struct wpabuf *in_data,
4941 struct wpabuf **appl_data)
4942 {
4943 return openssl_connection_handshake(conn, in_data, appl_data);
4944 }
4945
4946
tls_connection_server_handshake(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4947 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
4948 struct tls_connection *conn,
4949 const struct wpabuf *in_data,
4950 struct wpabuf **appl_data)
4951 {
4952 conn->server = 1;
4953 return openssl_connection_handshake(conn, in_data, appl_data);
4954 }
4955
4956
tls_connection_encrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4957 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
4958 struct tls_connection *conn,
4959 const struct wpabuf *in_data)
4960 {
4961 int res;
4962 struct wpabuf *buf;
4963
4964 if (conn == NULL)
4965 return NULL;
4966
4967 /* Give plaintext data for OpenSSL to encrypt into the TLS tunnel. */
4968 if ((res = BIO_reset(conn->ssl_in)) < 0 ||
4969 (res = BIO_reset(conn->ssl_out)) < 0) {
4970 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4971 return NULL;
4972 }
4973 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data));
4974 if (res < 0) {
4975 tls_show_errors(MSG_INFO, __func__,
4976 "Encryption failed - SSL_write");
4977 return NULL;
4978 }
4979
4980 /* Read encrypted data to be sent to the server */
4981 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
4982 if (buf == NULL)
4983 return NULL;
4984 res = BIO_read(conn->ssl_out, wpabuf_mhead(buf), wpabuf_size(buf));
4985 if (res < 0) {
4986 tls_show_errors(MSG_INFO, __func__,
4987 "Encryption failed - BIO_read");
4988 wpabuf_free(buf);
4989 return NULL;
4990 }
4991 wpabuf_put(buf, res);
4992
4993 return buf;
4994 }
4995
4996
tls_connection_decrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4997 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
4998 struct tls_connection *conn,
4999 const struct wpabuf *in_data)
5000 {
5001 int res;
5002 struct wpabuf *buf;
5003
5004 /* Give encrypted data from TLS tunnel for OpenSSL to decrypt. */
5005 res = BIO_write(conn->ssl_in, wpabuf_head(in_data),
5006 wpabuf_len(in_data));
5007 if (res < 0) {
5008 tls_show_errors(MSG_INFO, __func__,
5009 "Decryption failed - BIO_write");
5010 return NULL;
5011 }
5012 if (BIO_reset(conn->ssl_out) < 0) {
5013 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
5014 return NULL;
5015 }
5016
5017 /* Read decrypted data for further processing */
5018 /*
5019 * Even though we try to disable TLS compression, it is possible that
5020 * this cannot be done with all TLS libraries. Add extra buffer space
5021 * to handle the possibility of the decrypted data being longer than
5022 * input data.
5023 */
5024 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
5025 if (buf == NULL)
5026 return NULL;
5027 res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf));
5028 if (res < 0) {
5029 int err = SSL_get_error(conn->ssl, res);
5030
5031 if (err == SSL_ERROR_WANT_READ) {
5032 wpa_printf(MSG_DEBUG,
5033 "SSL: SSL_connect - want more data");
5034 res = 0;
5035 } else {
5036 tls_show_errors(MSG_INFO, __func__,
5037 "Decryption failed - SSL_read");
5038 wpabuf_free(buf);
5039 return NULL;
5040 }
5041 }
5042 wpabuf_put(buf, res);
5043
5044 if (conn->invalid_hb_used) {
5045 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
5046 wpabuf_free(buf);
5047 return NULL;
5048 }
5049
5050 return buf;
5051 }
5052
5053
tls_connection_resumed(void * ssl_ctx,struct tls_connection * conn)5054 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
5055 {
5056 return conn ? SSL_session_reused(conn->ssl) : 0;
5057 }
5058
5059
tls_connection_set_cipher_list(void * tls_ctx,struct tls_connection * conn,u8 * ciphers)5060 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
5061 u8 *ciphers)
5062 {
5063 char buf[500], *pos, *end;
5064 u8 *c;
5065 int ret;
5066
5067 if (conn == NULL || conn->ssl == NULL || ciphers == NULL)
5068 return -1;
5069
5070 buf[0] = '\0';
5071 pos = buf;
5072 end = pos + sizeof(buf);
5073
5074 c = ciphers;
5075 while (*c != TLS_CIPHER_NONE) {
5076 const char *suite;
5077
5078 switch (*c) {
5079 case TLS_CIPHER_RC4_SHA:
5080 suite = "RC4-SHA";
5081 break;
5082 case TLS_CIPHER_AES128_SHA:
5083 suite = "AES128-SHA";
5084 break;
5085 case TLS_CIPHER_RSA_DHE_AES128_SHA:
5086 suite = "DHE-RSA-AES128-SHA";
5087 break;
5088 case TLS_CIPHER_ANON_DH_AES128_SHA:
5089 suite = "ADH-AES128-SHA";
5090 break;
5091 case TLS_CIPHER_RSA_DHE_AES256_SHA:
5092 suite = "DHE-RSA-AES256-SHA";
5093 break;
5094 case TLS_CIPHER_AES256_SHA:
5095 suite = "AES256-SHA";
5096 break;
5097 default:
5098 wpa_printf(MSG_DEBUG, "TLS: Unsupported "
5099 "cipher selection: %d", *c);
5100 return -1;
5101 }
5102 ret = os_snprintf(pos, end - pos, ":%s", suite);
5103 if (os_snprintf_error(end - pos, ret))
5104 break;
5105 pos += ret;
5106
5107 c++;
5108 }
5109 if (!buf[0]) {
5110 wpa_printf(MSG_DEBUG, "OpenSSL: No ciphers listed");
5111 return -1;
5112 }
5113
5114 wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
5115
5116 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
5117 #ifdef EAP_FAST_OR_TEAP
5118 if (os_strstr(buf, ":ADH-")) {
5119 /*
5120 * Need to drop to security level 0 to allow anonymous
5121 * cipher suites for EAP-FAST.
5122 */
5123 SSL_set_security_level(conn->ssl, 0);
5124 } else if (SSL_get_security_level(conn->ssl) == 0) {
5125 /* Force at least security level 1 */
5126 SSL_set_security_level(conn->ssl, 1);
5127 }
5128 #endif /* EAP_FAST_OR_TEAP */
5129 #endif
5130
5131 if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) {
5132 tls_show_errors(MSG_INFO, __func__,
5133 "Cipher suite configuration failed");
5134 return -1;
5135 }
5136
5137 return 0;
5138 }
5139
5140
tls_get_version(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)5141 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
5142 char *buf, size_t buflen)
5143 {
5144 const char *name;
5145 if (conn == NULL || conn->ssl == NULL)
5146 return -1;
5147
5148 name = SSL_get_version(conn->ssl);
5149 if (name == NULL)
5150 return -1;
5151
5152 os_strlcpy(buf, name, buflen);
5153 return 0;
5154 }
5155
5156
tls_get_cipher(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)5157 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
5158 char *buf, size_t buflen)
5159 {
5160 const char *name;
5161 if (conn == NULL || conn->ssl == NULL)
5162 return -1;
5163
5164 name = SSL_get_cipher(conn->ssl);
5165 if (name == NULL)
5166 return -1;
5167
5168 os_strlcpy(buf, name, buflen);
5169 return 0;
5170 }
5171
5172
tls_connection_enable_workaround(void * ssl_ctx,struct tls_connection * conn)5173 int tls_connection_enable_workaround(void *ssl_ctx,
5174 struct tls_connection *conn)
5175 {
5176 SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
5177
5178 return 0;
5179 }
5180
5181
5182 #ifdef EAP_FAST_OR_TEAP
5183 /* ClientHello TLS extensions require a patch to openssl, so this function is
5184 * commented out unless explicitly needed for EAP-FAST in order to be able to
5185 * build this file with unmodified openssl. */
tls_connection_client_hello_ext(void * ssl_ctx,struct tls_connection * conn,int ext_type,const u8 * data,size_t data_len)5186 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
5187 int ext_type, const u8 *data,
5188 size_t data_len)
5189 {
5190 if (conn == NULL || conn->ssl == NULL || ext_type != 35)
5191 return -1;
5192
5193 if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
5194 data_len) != 1)
5195 return -1;
5196
5197 return 0;
5198 }
5199 #endif /* EAP_FAST_OR_TEAP */
5200
5201
tls_connection_get_failed(void * ssl_ctx,struct tls_connection * conn)5202 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
5203 {
5204 if (conn == NULL)
5205 return -1;
5206 return conn->failed;
5207 }
5208
5209
tls_connection_get_read_alerts(void * ssl_ctx,struct tls_connection * conn)5210 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
5211 {
5212 if (conn == NULL)
5213 return -1;
5214 return conn->read_alerts;
5215 }
5216
5217
tls_connection_get_write_alerts(void * ssl_ctx,struct tls_connection * conn)5218 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
5219 {
5220 if (conn == NULL)
5221 return -1;
5222 return conn->write_alerts;
5223 }
5224
5225
5226 #ifdef HAVE_OCSP
5227
ocsp_debug_print_resp(OCSP_RESPONSE * rsp)5228 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
5229 {
5230 #ifndef CONFIG_NO_STDOUT_DEBUG
5231 BIO *out;
5232 size_t rlen;
5233 char *txt;
5234 int res;
5235
5236 if (wpa_debug_level > MSG_DEBUG)
5237 return;
5238
5239 out = BIO_new(BIO_s_mem());
5240 if (!out)
5241 return;
5242
5243 OCSP_RESPONSE_print(out, rsp, 0);
5244 rlen = BIO_ctrl_pending(out);
5245 txt = os_malloc(rlen + 1);
5246 if (!txt) {
5247 BIO_free(out);
5248 return;
5249 }
5250
5251 res = BIO_read(out, txt, rlen);
5252 if (res > 0) {
5253 txt[res] = '\0';
5254 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP Response\n%s", txt);
5255 }
5256 os_free(txt);
5257 BIO_free(out);
5258 #endif /* CONFIG_NO_STDOUT_DEBUG */
5259 }
5260
5261
ocsp_resp_cb(SSL * s,void * arg)5262 static int ocsp_resp_cb(SSL *s, void *arg)
5263 {
5264 struct tls_connection *conn = arg;
5265 const unsigned char *p;
5266 int len, status, reason, res;
5267 OCSP_RESPONSE *rsp;
5268 OCSP_BASICRESP *basic;
5269 OCSP_CERTID *id;
5270 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
5271 X509_STORE *store;
5272 STACK_OF(X509) *certs = NULL;
5273
5274 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
5275 if (!p) {
5276 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
5277 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
5278 if (SSL_version(s) == TLS1_3_VERSION && SSL_session_reused(s)) {
5279 /* TLS 1.3 sends the OCSP response with the server
5280 * Certificate message. Since that Certificate message
5281 * is not sent when resuming a session, there can be no
5282 * new OCSP response. Allow this since the OCSP response
5283 * was validated when checking the initial certificate
5284 * exchange. */
5285 wpa_printf(MSG_DEBUG,
5286 "OpenSSL: Allow no OCSP response when using TLS 1.3 and a resumed session");
5287 return 1;
5288 }
5289 #endif
5290 #endif
5291 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
5292 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
5293 }
5294
5295 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
5296
5297 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
5298 if (!rsp) {
5299 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
5300 return 0;
5301 }
5302
5303 ocsp_debug_print_resp(rsp);
5304
5305 status = OCSP_response_status(rsp);
5306 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
5307 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
5308 status, OCSP_response_status_str(status));
5309 return 0;
5310 }
5311
5312 basic = OCSP_response_get1_basic(rsp);
5313 if (!basic) {
5314 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
5315 return 0;
5316 }
5317
5318 store = SSL_CTX_get_cert_store(conn->ssl_ctx);
5319 if (conn->peer_issuer) {
5320 debug_print_cert(conn->peer_issuer, "Add OCSP issuer");
5321
5322 if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) {
5323 tls_show_errors(MSG_INFO, __func__,
5324 "OpenSSL: Could not add issuer to certificate store");
5325 }
5326 certs = sk_X509_new_null();
5327 if (certs) {
5328 X509 *cert;
5329 cert = X509_dup(conn->peer_issuer);
5330 if (cert && !sk_X509_push(certs, cert)) {
5331 tls_show_errors(
5332 MSG_INFO, __func__,
5333 "OpenSSL: Could not add issuer to OCSP responder trust store");
5334 X509_free(cert);
5335 sk_X509_free(certs);
5336 certs = NULL;
5337 }
5338 if (certs && conn->peer_issuer_issuer) {
5339 cert = X509_dup(conn->peer_issuer_issuer);
5340 if (cert && !sk_X509_push(certs, cert)) {
5341 tls_show_errors(
5342 MSG_INFO, __func__,
5343 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
5344 X509_free(cert);
5345 }
5346 }
5347 }
5348 }
5349
5350 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
5351 sk_X509_pop_free(certs, X509_free);
5352 if (status <= 0) {
5353 tls_show_errors(MSG_INFO, __func__,
5354 "OpenSSL: OCSP response failed verification");
5355 OCSP_BASICRESP_free(basic);
5356 OCSP_RESPONSE_free(rsp);
5357 return 0;
5358 }
5359
5360 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
5361
5362 if (!conn->peer_cert) {
5363 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
5364 OCSP_BASICRESP_free(basic);
5365 OCSP_RESPONSE_free(rsp);
5366 return 0;
5367 }
5368
5369 if (!conn->peer_issuer) {
5370 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
5371 OCSP_BASICRESP_free(basic);
5372 OCSP_RESPONSE_free(rsp);
5373 return 0;
5374 }
5375
5376 id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
5377 if (!id) {
5378 wpa_printf(MSG_DEBUG,
5379 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
5380 OCSP_BASICRESP_free(basic);
5381 OCSP_RESPONSE_free(rsp);
5382 return 0;
5383 }
5384
5385 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
5386 &this_update, &next_update);
5387 if (!res) {
5388 OCSP_CERTID_free(id);
5389 id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
5390 if (!id) {
5391 wpa_printf(MSG_DEBUG,
5392 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
5393 OCSP_BASICRESP_free(basic);
5394 OCSP_RESPONSE_free(rsp);
5395 return 0;
5396 }
5397
5398 res = OCSP_resp_find_status(basic, id, &status, &reason,
5399 &produced_at, &this_update,
5400 &next_update);
5401 }
5402
5403 if (!res) {
5404 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
5405 (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
5406 " (OCSP not required)");
5407 OCSP_CERTID_free(id);
5408 OCSP_BASICRESP_free(basic);
5409 OCSP_RESPONSE_free(rsp);
5410 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
5411 }
5412 OCSP_CERTID_free(id);
5413
5414 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
5415 tls_show_errors(MSG_INFO, __func__,
5416 "OpenSSL: OCSP status times invalid");
5417 OCSP_BASICRESP_free(basic);
5418 OCSP_RESPONSE_free(rsp);
5419 return 0;
5420 }
5421
5422 OCSP_BASICRESP_free(basic);
5423 OCSP_RESPONSE_free(rsp);
5424
5425 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
5426 OCSP_cert_status_str(status));
5427
5428 if (status == V_OCSP_CERTSTATUS_GOOD)
5429 return 1;
5430 if (status == V_OCSP_CERTSTATUS_REVOKED)
5431 return 0;
5432 if (conn->flags & TLS_CONN_REQUIRE_OCSP) {
5433 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
5434 return 0;
5435 }
5436 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
5437 return 1;
5438 }
5439
5440
ocsp_status_cb(SSL * s,void * arg)5441 static int ocsp_status_cb(SSL *s, void *arg)
5442 {
5443 char *tmp;
5444 char *resp;
5445 size_t len;
5446
5447 if (tls_global->ocsp_stapling_response == NULL) {
5448 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - no response configured");
5449 return SSL_TLSEXT_ERR_OK;
5450 }
5451
5452 resp = os_readfile(tls_global->ocsp_stapling_response, &len);
5453 if (resp == NULL) {
5454 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - could not read response file");
5455 /* TODO: Build OCSPResponse with responseStatus = internalError
5456 */
5457 return SSL_TLSEXT_ERR_OK;
5458 }
5459 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - send cached response");
5460 tmp = OPENSSL_malloc(len);
5461 if (tmp == NULL) {
5462 os_free(resp);
5463 return SSL_TLSEXT_ERR_ALERT_FATAL;
5464 }
5465
5466 os_memcpy(tmp, resp, len);
5467 os_free(resp);
5468 SSL_set_tlsext_status_ocsp_resp(s, tmp, len);
5469
5470 return SSL_TLSEXT_ERR_OK;
5471 }
5472
5473 #endif /* HAVE_OCSP */
5474
5475
max_str_len(const char ** lines)5476 static size_t max_str_len(const char **lines)
5477 {
5478 const char **p;
5479 size_t max_len = 0;
5480
5481 for (p = lines; *p; p++) {
5482 size_t len = os_strlen(*p);
5483
5484 if (len > max_len)
5485 max_len = len;
5486 }
5487
5488 return max_len;
5489 }
5490
5491
match_lines_in_file(const char * path,const char ** lines)5492 static int match_lines_in_file(const char *path, const char **lines)
5493 {
5494 FILE *f;
5495 char *buf;
5496 size_t bufsize;
5497 int found = 0, is_linestart = 1;
5498
5499 bufsize = max_str_len(lines) + sizeof("\r\n");
5500 buf = os_malloc(bufsize);
5501 if (!buf)
5502 return 0;
5503
5504 f = fopen(path, "r");
5505 if (!f) {
5506 os_free(buf);
5507 return 0;
5508 }
5509
5510 while (!found && fgets(buf, bufsize, f)) {
5511 int is_lineend;
5512 size_t len;
5513 const char **p;
5514
5515 len = strcspn(buf, "\r\n");
5516 is_lineend = buf[len] != '\0';
5517 buf[len] = '\0';
5518
5519 if (is_linestart && is_lineend) {
5520 for (p = lines; !found && *p; p++)
5521 found = os_strcmp(buf, *p) == 0;
5522 }
5523 is_linestart = is_lineend;
5524 }
5525
5526 fclose(f);
5527 bin_clear_free(buf, bufsize);
5528
5529 return found;
5530 }
5531
5532
is_tpm2_key(const char * path)5533 static int is_tpm2_key(const char *path)
5534 {
5535 /* Check both new and old format of TPM2 PEM guard tag */
5536 static const char *tpm2_tags[] = {
5537 "-----BEGIN TSS2 PRIVATE KEY-----",
5538 "-----BEGIN TSS2 KEY BLOB-----",
5539 NULL
5540 };
5541
5542 return match_lines_in_file(path, tpm2_tags);
5543 }
5544
5545
tls_connection_set_params(void * tls_ctx,struct tls_connection * conn,const struct tls_connection_params * params)5546 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
5547 const struct tls_connection_params *params)
5548 {
5549 struct tls_data *data = tls_ctx;
5550 int ret;
5551 unsigned long err;
5552 int can_pkcs11 = 0;
5553 const char *key_id = params->key_id;
5554 const char *cert_id = params->cert_id;
5555 const char *ca_cert_id = params->ca_cert_id;
5556 const char *engine_id = params->engine ? params->engine_id : NULL;
5557 const char *ciphers;
5558
5559 if (conn == NULL)
5560 return -1;
5561
5562 if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
5563 wpa_printf(MSG_INFO,
5564 "OpenSSL: ocsp=3 not supported");
5565 return -1;
5566 }
5567
5568 /*
5569 * If the engine isn't explicitly configured, and any of the
5570 * cert/key fields are actually PKCS#11 URIs, then automatically
5571 * use the PKCS#11 ENGINE.
5572 */
5573 if (!engine_id || os_strcmp(engine_id, "pkcs11") == 0)
5574 can_pkcs11 = 1;
5575
5576 if (!key_id && params->private_key && can_pkcs11 &&
5577 os_strncmp(params->private_key, "pkcs11:", 7) == 0) {
5578 can_pkcs11 = 2;
5579 key_id = params->private_key;
5580 }
5581
5582 if (!cert_id && params->client_cert && can_pkcs11 &&
5583 os_strncmp(params->client_cert, "pkcs11:", 7) == 0) {
5584 can_pkcs11 = 2;
5585 cert_id = params->client_cert;
5586 }
5587
5588 if (!ca_cert_id && params->ca_cert && can_pkcs11 &&
5589 os_strncmp(params->ca_cert, "pkcs11:", 7) == 0) {
5590 can_pkcs11 = 2;
5591 ca_cert_id = params->ca_cert;
5592 }
5593
5594 /* If we need to automatically enable the PKCS#11 ENGINE, do so. */
5595 if (can_pkcs11 == 2 && !engine_id)
5596 engine_id = "pkcs11";
5597
5598 /* If private_key points to a TPM2-wrapped key, automatically enable
5599 * tpm2 engine and use it to unwrap the key. */
5600 if (params->private_key &&
5601 (!engine_id || os_strcmp(engine_id, "tpm2") == 0) &&
5602 is_tpm2_key(params->private_key)) {
5603 wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s",
5604 params->private_key);
5605 key_id = key_id ? key_id : params->private_key;
5606 engine_id = engine_id ? engine_id : "tpm2";
5607 }
5608
5609 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
5610 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
5611 if (params->flags & TLS_CONN_EAP_FAST) {
5612 wpa_printf(MSG_DEBUG,
5613 "OpenSSL: Use TLSv1_method() for EAP-FAST");
5614 if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
5615 tls_show_errors(MSG_INFO, __func__,
5616 "Failed to set TLSv1_method() for EAP-FAST");
5617 return -1;
5618 }
5619 }
5620 #endif
5621 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
5622 #ifdef SSL_OP_NO_TLSv1_3
5623 if (params->flags & TLS_CONN_EAP_FAST) {
5624 /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
5625 * refuses to start the handshake with the modified ciphersuite
5626 * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */
5627 wpa_printf(MSG_DEBUG, "OpenSSL: Disable TLSv1.3 for EAP-FAST");
5628 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3);
5629 }
5630 #endif /* SSL_OP_NO_TLSv1_3 */
5631 #endif
5632 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
5633
5634 while ((err = ERR_get_error())) {
5635 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5636 __func__, ERR_error_string(err, NULL));
5637 }
5638
5639 if (tls_set_conn_flags(conn, params->flags,
5640 params->openssl_ciphers) < 0) {
5641 wpa_printf(MSG_ERROR, "TLS: Failed to set connection flags");
5642 return -1;
5643 }
5644
5645 if (engine_id) {
5646 wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s",
5647 engine_id);
5648 ret = tls_engine_init(conn, engine_id, params->pin,
5649 key_id, cert_id, ca_cert_id);
5650 if (ret)
5651 return ret;
5652 }
5653 if (tls_connection_set_subject_match(conn,
5654 params->subject_match,
5655 params->altsubject_match,
5656 params->suffix_match,
5657 params->domain_match,
5658 params->check_cert_subject)) {
5659 wpa_printf(MSG_ERROR, "TLS: Failed to set subject match");
5660 return -1;
5661 }
5662
5663 if (engine_id && ca_cert_id) {
5664 #if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
5665 if (!openssl_can_use_provider(engine_id, ca_cert_id))
5666 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
5667 #endif /* !ANDROID && OPENSSL_NO_ENGINE */
5668 if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
5669 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5670 } else if (tls_connection_ca_cert(data, conn, params->ca_cert,
5671 params->ca_cert_blob,
5672 params->ca_cert_blob_len,
5673 params->ca_path)) {
5674 wpa_printf(MSG_ERROR, "TLS: Failed to parse Root CA certificate");
5675 return -1;
5676 }
5677
5678 if (engine_id && cert_id) {
5679 #if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
5680 if (!openssl_can_use_provider(engine_id, cert_id))
5681 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
5682 #endif /* !ANDROID && OPENSSL_NO_ENGINE */
5683 if (tls_connection_engine_client_cert(conn, cert_id))
5684 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5685 } else if (tls_connection_client_cert(conn, params->client_cert,
5686 params->client_cert_blob,
5687 params->client_cert_blob_len)) {
5688 wpa_printf(MSG_ERROR, "TLS: Failed to parse client certificate");
5689 return -1;
5690 }
5691
5692 if (engine_id && key_id) {
5693 #if !defined(ANDROID) && defined(OPENSSL_NO_ENGINE)
5694 if (!openssl_can_use_provider(engine_id, key_id))
5695 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
5696 #endif /* !ANDROID && OPENSSL_NO_ENGINE */
5697 wpa_printf(MSG_DEBUG,
5698 "TLS: Using private key from engine/provider");
5699 if (tls_connection_engine_private_key(conn))
5700 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5701 } else if (tls_connection_private_key(data, conn,
5702 params->private_key,
5703 params->private_key_passwd,
5704 params->private_key_blob,
5705 params->private_key_blob_len)) {
5706 wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'",
5707 params->private_key);
5708 return -1;
5709 }
5710
5711 ciphers = params->openssl_ciphers;
5712 #ifdef CONFIG_SUITEB
5713 #ifdef OPENSSL_IS_BORINGSSL
5714 if (ciphers && os_strcmp(ciphers, "SUITEB192") == 0) {
5715 /* BoringSSL removed support for SUITEB192, so need to handle
5716 * this with hardcoded ciphersuite and additional checks for
5717 * other parameters. */
5718 ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384";
5719 }
5720 #endif /* OPENSSL_IS_BORINGSSL */
5721 #endif /* CONFIG_SUITEB */
5722 if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) {
5723 wpa_printf(MSG_INFO,
5724 "OpenSSL: Failed to set cipher string '%s'",
5725 ciphers);
5726 return -1;
5727 }
5728
5729 if (!params->openssl_ecdh_curves) {
5730 #ifndef OPENSSL_IS_BORINGSSL
5731 #ifndef OPENSSL_NO_EC
5732 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5733 if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) {
5734 wpa_printf(MSG_INFO,
5735 "OpenSSL: Failed to set ECDH curves to auto");
5736 return -1;
5737 }
5738 #endif /* < 1.1.0 */
5739 #endif /* OPENSSL_NO_EC */
5740 #endif /* OPENSSL_IS_BORINGSSL */
5741 } else if (params->openssl_ecdh_curves[0]) {
5742 #ifdef OPENSSL_IS_BORINGSSL
5743 wpa_printf(MSG_INFO,
5744 "OpenSSL: ECDH configuration not supported");
5745 return -1;
5746 #else /* !OPENSSL_IS_BORINGSSL */
5747 #ifndef OPENSSL_NO_EC
5748 if (SSL_set1_curves_list(conn->ssl,
5749 params->openssl_ecdh_curves) != 1) {
5750 wpa_printf(MSG_INFO,
5751 "OpenSSL: Failed to set ECDH curves '%s'",
5752 params->openssl_ecdh_curves);
5753 return -1;
5754 }
5755 #else /* OPENSSL_NO_EC */
5756 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5757 return -1;
5758 #endif /* OPENSSL_NO_EC */
5759 #endif /* OPENSSL_IS_BORINGSSL */
5760 }
5761
5762 #ifdef OPENSSL_IS_BORINGSSL
5763 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5764 SSL_enable_ocsp_stapling(conn->ssl);
5765 }
5766 #else /* OPENSSL_IS_BORINGSSL */
5767 #ifdef HAVE_OCSP
5768 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5769 SSL_CTX *ssl_ctx = data->ssl;
5770 SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp);
5771 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
5772 SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
5773 }
5774 #else /* HAVE_OCSP */
5775 if (params->flags & TLS_CONN_REQUIRE_OCSP) {
5776 wpa_printf(MSG_INFO,
5777 "OpenSSL: No OCSP support included - reject configuration");
5778 return -1;
5779 }
5780 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5781 wpa_printf(MSG_DEBUG,
5782 "OpenSSL: No OCSP support included - allow optional OCSP case to continue");
5783 }
5784 #endif /* HAVE_OCSP */
5785 #endif /* OPENSSL_IS_BORINGSSL */
5786
5787 conn->flags = params->flags;
5788
5789 tls_get_errors(data);
5790
5791 return 0;
5792 }
5793
5794
openssl_debug_dump_cipher_list(SSL_CTX * ssl_ctx)5795 static void openssl_debug_dump_cipher_list(SSL_CTX *ssl_ctx)
5796 {
5797 SSL *ssl;
5798 int i;
5799
5800 ssl = SSL_new(ssl_ctx);
5801 if (!ssl)
5802 return;
5803
5804 wpa_printf(MSG_DEBUG,
5805 "OpenSSL: Enabled cipher suites in priority order");
5806 for (i = 0; ; i++) {
5807 const char *cipher;
5808
5809 cipher = SSL_get_cipher_list(ssl, i);
5810 if (!cipher)
5811 break;
5812 wpa_printf(MSG_DEBUG, "Cipher %d: %s", i, cipher);
5813 }
5814
5815 SSL_free(ssl);
5816 }
5817
5818
5819 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5820
openssl_pkey_type_str(const EVP_PKEY * pkey)5821 static const char * openssl_pkey_type_str(const EVP_PKEY *pkey)
5822 {
5823 if (!pkey)
5824 return "NULL";
5825 switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
5826 case EVP_PKEY_RSA:
5827 return "RSA";
5828 case EVP_PKEY_DSA:
5829 return "DSA";
5830 case EVP_PKEY_DH:
5831 return "DH";
5832 case EVP_PKEY_EC:
5833 return "EC";
5834 default:
5835 return "?";
5836 }
5837 }
5838
5839
openssl_debug_dump_certificate(int i,X509 * cert)5840 static void openssl_debug_dump_certificate(int i, X509 *cert)
5841 {
5842 char buf[256];
5843 EVP_PKEY *pkey;
5844 ASN1_INTEGER *ser;
5845 char serial_num[128];
5846
5847 if (!cert)
5848 return;
5849
5850 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
5851
5852 ser = X509_get_serialNumber(cert);
5853 if (ser)
5854 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
5855 ASN1_STRING_get0_data(ser),
5856 ASN1_STRING_length(ser));
5857 else
5858 serial_num[0] = '\0';
5859
5860 pkey = X509_get_pubkey(cert);
5861 wpa_printf(MSG_DEBUG, "%d: %s (%s) %s", i, buf,
5862 openssl_pkey_type_str(pkey), serial_num);
5863 EVP_PKEY_free(pkey);
5864 }
5865
5866
openssl_debug_dump_certificates(SSL_CTX * ssl_ctx)5867 static void openssl_debug_dump_certificates(SSL_CTX *ssl_ctx)
5868 {
5869 STACK_OF(X509) *certs;
5870
5871 wpa_printf(MSG_DEBUG, "OpenSSL: Configured certificate chain");
5872 if (SSL_CTX_get0_chain_certs(ssl_ctx, &certs) == 1) {
5873 int i;
5874
5875 for (i = sk_X509_num(certs); i > 0; i--)
5876 openssl_debug_dump_certificate(i, sk_X509_value(certs,
5877 i - 1));
5878 }
5879 openssl_debug_dump_certificate(0, SSL_CTX_get0_certificate(ssl_ctx));
5880 }
5881
5882 #endif
5883
5884
openssl_debug_dump_certificate_chains(SSL_CTX * ssl_ctx)5885 static void openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx)
5886 {
5887 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5888 int res;
5889
5890 for (res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5891 res == 1;
5892 res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_NEXT))
5893 openssl_debug_dump_certificates(ssl_ctx);
5894
5895 SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5896 #endif
5897 }
5898
5899
openssl_debug_dump_ctx(SSL_CTX * ssl_ctx)5900 static void openssl_debug_dump_ctx(SSL_CTX *ssl_ctx)
5901 {
5902 openssl_debug_dump_cipher_list(ssl_ctx);
5903 openssl_debug_dump_certificate_chains(ssl_ctx);
5904 }
5905
5906
tls_global_set_params(void * tls_ctx,const struct tls_connection_params * params)5907 int tls_global_set_params(void *tls_ctx,
5908 const struct tls_connection_params *params)
5909 {
5910 struct tls_data *data = tls_ctx;
5911 SSL_CTX *ssl_ctx = data->ssl;
5912 unsigned long err;
5913
5914 while ((err = ERR_get_error())) {
5915 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5916 __func__, ERR_error_string(err, NULL));
5917 }
5918
5919 os_free(data->check_cert_subject);
5920 data->check_cert_subject = NULL;
5921 if (params->check_cert_subject) {
5922 data->check_cert_subject =
5923 os_strdup(params->check_cert_subject);
5924 if (!data->check_cert_subject)
5925 return -1;
5926 }
5927
5928 if (tls_global_ca_cert(data, params->ca_cert) ||
5929 tls_global_client_cert(data, params->client_cert) ||
5930 tls_global_private_key(data, params->private_key,
5931 params->private_key_passwd) ||
5932 tls_global_client_cert(data, params->client_cert2) ||
5933 tls_global_private_key(data, params->private_key2,
5934 params->private_key_passwd2) ||
5935 tls_global_dh(data, params->dh_file)) {
5936 wpa_printf(MSG_INFO, "TLS: Failed to set global parameters");
5937 return -1;
5938 }
5939
5940 os_free(data->openssl_ciphers);
5941 if (params->openssl_ciphers) {
5942 data->openssl_ciphers = os_strdup(params->openssl_ciphers);
5943 if (!data->openssl_ciphers)
5944 return -1;
5945 } else {
5946 data->openssl_ciphers = NULL;
5947 }
5948 if (params->openssl_ciphers &&
5949 SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
5950 wpa_printf(MSG_INFO,
5951 "OpenSSL: Failed to set cipher string '%s'",
5952 params->openssl_ciphers);
5953 return -1;
5954 }
5955
5956 if (!params->openssl_ecdh_curves) {
5957 #ifndef OPENSSL_IS_BORINGSSL
5958 #ifndef OPENSSL_NO_EC
5959 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5960 if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
5961 wpa_printf(MSG_INFO,
5962 "OpenSSL: Failed to set ECDH curves to auto");
5963 return -1;
5964 }
5965 #endif /* < 1.1.0 */
5966 #endif /* OPENSSL_NO_EC */
5967 #endif /* OPENSSL_IS_BORINGSSL */
5968 } else if (params->openssl_ecdh_curves[0]) {
5969 #ifdef OPENSSL_IS_BORINGSSL
5970 wpa_printf(MSG_INFO,
5971 "OpenSSL: ECDH configuration not supported");
5972 return -1;
5973 #else /* !OPENSSL_IS_BORINGSSL */
5974 #ifndef OPENSSL_NO_EC
5975 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5976 SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
5977 #endif
5978 if (SSL_CTX_set1_curves_list(ssl_ctx,
5979 params->openssl_ecdh_curves) !=
5980 1) {
5981 wpa_printf(MSG_INFO,
5982 "OpenSSL: Failed to set ECDH curves '%s'",
5983 params->openssl_ecdh_curves);
5984 return -1;
5985 }
5986 #else /* OPENSSL_NO_EC */
5987 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5988 return -1;
5989 #endif /* OPENSSL_NO_EC */
5990 #endif /* OPENSSL_IS_BORINGSSL */
5991 }
5992
5993 #ifdef SSL_OP_NO_TICKET
5994 if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
5995 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
5996 else
5997 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TICKET);
5998 #endif /* SSL_OP_NO_TICKET */
5999
6000 #ifdef HAVE_OCSP
6001 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_status_cb);
6002 SSL_CTX_set_tlsext_status_arg(ssl_ctx, ssl_ctx);
6003 os_free(tls_global->ocsp_stapling_response);
6004 if (params->ocsp_stapling_response)
6005 tls_global->ocsp_stapling_response =
6006 os_strdup(params->ocsp_stapling_response);
6007 else
6008 tls_global->ocsp_stapling_response = NULL;
6009 #endif /* HAVE_OCSP */
6010
6011 openssl_debug_dump_ctx(ssl_ctx);
6012
6013 return 0;
6014 }
6015
6016
6017 #ifdef EAP_FAST_OR_TEAP
6018 /* Pre-shared secred requires a patch to openssl, so this function is
6019 * commented out unless explicitly needed for EAP-FAST in order to be able to
6020 * build this file with unmodified openssl. */
6021
6022 #if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
tls_sess_sec_cb(SSL * s,void * secret,int * secret_len,STACK_OF (SSL_CIPHER)* peer_ciphers,const SSL_CIPHER ** cipher,void * arg)6023 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
6024 STACK_OF(SSL_CIPHER) *peer_ciphers,
6025 const SSL_CIPHER **cipher, void *arg)
6026 #else /* OPENSSL_IS_BORINGSSL */
6027 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
6028 STACK_OF(SSL_CIPHER) *peer_ciphers,
6029 SSL_CIPHER **cipher, void *arg)
6030 #endif /* OPENSSL_IS_BORINGSSL */
6031 {
6032 struct tls_connection *conn = arg;
6033 int ret;
6034
6035 #if OPENSSL_VERSION_NUMBER < 0x10100000L
6036 if (conn == NULL || conn->session_ticket_cb == NULL)
6037 return 0;
6038
6039 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
6040 conn->session_ticket,
6041 conn->session_ticket_len,
6042 s->s3->client_random,
6043 s->s3->server_random, secret);
6044 #else
6045 unsigned char client_random[SSL3_RANDOM_SIZE];
6046 unsigned char server_random[SSL3_RANDOM_SIZE];
6047
6048 if (conn == NULL || conn->session_ticket_cb == NULL)
6049 return 0;
6050
6051 SSL_get_client_random(s, client_random, sizeof(client_random));
6052 SSL_get_server_random(s, server_random, sizeof(server_random));
6053
6054 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
6055 conn->session_ticket,
6056 conn->session_ticket_len,
6057 client_random,
6058 server_random, secret);
6059 #endif
6060
6061 os_free(conn->session_ticket);
6062 conn->session_ticket = NULL;
6063
6064 if (ret <= 0)
6065 return 0;
6066
6067 *secret_len = SSL_MAX_MASTER_KEY_LENGTH;
6068 return 1;
6069 }
6070
6071
tls_session_ticket_ext_cb(SSL * s,const unsigned char * data,int len,void * arg)6072 static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
6073 int len, void *arg)
6074 {
6075 struct tls_connection *conn = arg;
6076
6077 if (conn == NULL || conn->session_ticket_cb == NULL)
6078 return 0;
6079
6080 wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
6081
6082 os_free(conn->session_ticket);
6083 conn->session_ticket = NULL;
6084
6085 wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
6086 "extension", data, len);
6087
6088 conn->session_ticket = os_memdup(data, len);
6089 if (conn->session_ticket == NULL)
6090 return 0;
6091
6092 conn->session_ticket_len = len;
6093
6094 return 1;
6095 }
6096 #endif /* EAP_FAST_OR_TEAP */
6097
6098
tls_connection_set_session_ticket_cb(void * tls_ctx,struct tls_connection * conn,tls_session_ticket_cb cb,void * ctx)6099 int tls_connection_set_session_ticket_cb(void *tls_ctx,
6100 struct tls_connection *conn,
6101 tls_session_ticket_cb cb,
6102 void *ctx)
6103 {
6104 #ifdef EAP_FAST_OR_TEAP
6105 conn->session_ticket_cb = cb;
6106 conn->session_ticket_cb_ctx = ctx;
6107
6108 if (cb) {
6109 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
6110 conn) != 1)
6111 return -1;
6112 SSL_set_session_ticket_ext_cb(conn->ssl,
6113 tls_session_ticket_ext_cb, conn);
6114 } else {
6115 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
6116 return -1;
6117 SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
6118 }
6119
6120 return 0;
6121 #else /* EAP_FAST_OR_TEAP */
6122 return -1;
6123 #endif /* EAP_FAST_OR_TEAP */
6124 }
6125
6126
tls_get_library_version(char * buf,size_t buf_len)6127 int tls_get_library_version(char *buf, size_t buf_len)
6128 {
6129 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
6130 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
6131 OPENSSL_VERSION_TEXT,
6132 OpenSSL_version(OPENSSL_VERSION));
6133 #else
6134 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
6135 OPENSSL_VERSION_TEXT,
6136 SSLeay_version(SSLEAY_VERSION));
6137 #endif
6138 }
6139
6140
tls_connection_set_success_data(struct tls_connection * conn,struct wpabuf * data)6141 void tls_connection_set_success_data(struct tls_connection *conn,
6142 struct wpabuf *data)
6143 {
6144 SSL_SESSION *sess;
6145 struct wpabuf *old;
6146 struct tls_session_data *sess_data = NULL;
6147
6148 if (tls_ex_idx_session < 0)
6149 goto fail;
6150 sess = SSL_get_session(conn->ssl);
6151 if (!sess)
6152 goto fail;
6153 old = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
6154 if (old) {
6155 struct tls_session_data *found;
6156
6157 found = get_session_data(conn->context, old);
6158 wpa_printf(MSG_DEBUG,
6159 "OpenSSL: Replacing old success data %p (sess %p)%s",
6160 old, sess, found ? "" : " (not freeing)");
6161 if (found) {
6162 dl_list_del(&found->list);
6163 os_free(found);
6164 wpabuf_free(old);
6165 }
6166 }
6167
6168 sess_data = os_zalloc(sizeof(*sess_data));
6169 if (!sess_data ||
6170 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, data) != 1)
6171 goto fail;
6172
6173 sess_data->buf = data;
6174 dl_list_add(&conn->context->sessions, &sess_data->list);
6175 wpa_printf(MSG_DEBUG, "OpenSSL: Stored success data %p (sess %p)",
6176 data, sess);
6177 conn->success_data = 1;
6178 return;
6179
6180 fail:
6181 wpa_printf(MSG_INFO, "OpenSSL: Failed to store success data");
6182 wpabuf_free(data);
6183 os_free(sess_data);
6184 }
6185
6186
tls_connection_set_success_data_resumed(struct tls_connection * conn)6187 void tls_connection_set_success_data_resumed(struct tls_connection *conn)
6188 {
6189 wpa_printf(MSG_DEBUG,
6190 "OpenSSL: Success data accepted for resumed session");
6191 conn->success_data = 1;
6192 }
6193
6194
6195 const struct wpabuf *
tls_connection_get_success_data(struct tls_connection * conn)6196 tls_connection_get_success_data(struct tls_connection *conn)
6197 {
6198 SSL_SESSION *sess;
6199
6200 if (tls_ex_idx_session < 0 ||
6201 !(sess = SSL_get_session(conn->ssl)))
6202 return NULL;
6203 return SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
6204 }
6205
6206
tls_connection_remove_session(struct tls_connection * conn)6207 void tls_connection_remove_session(struct tls_connection *conn)
6208 {
6209 SSL_SESSION *sess;
6210
6211 sess = SSL_get_session(conn->ssl);
6212 if (!sess)
6213 return;
6214
6215 if (SSL_CTX_remove_session(conn->ssl_ctx, sess) != 1)
6216 wpa_printf(MSG_DEBUG,
6217 "OpenSSL: Session was not cached");
6218 else
6219 wpa_printf(MSG_DEBUG,
6220 "OpenSSL: Removed cached session to disable session resumption");
6221 }
6222
6223
tls_get_tls_unique(struct tls_connection * conn,u8 * buf,size_t max_len)6224 int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)
6225 {
6226 size_t len;
6227 int reused;
6228
6229 reused = SSL_session_reused(conn->ssl);
6230 if ((conn->server && !reused) || (!conn->server && reused))
6231 len = SSL_get_peer_finished(conn->ssl, buf, max_len);
6232 else
6233 len = SSL_get_finished(conn->ssl, buf, max_len);
6234
6235 if (len == 0 || len > max_len)
6236 return -1;
6237
6238 return len;
6239 }
6240
6241
tls_connection_get_cipher_suite(struct tls_connection * conn)6242 u16 tls_connection_get_cipher_suite(struct tls_connection *conn)
6243 {
6244 const SSL_CIPHER *cipher;
6245
6246 cipher = SSL_get_current_cipher(conn->ssl);
6247 if (!cipher)
6248 return 0;
6249 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
6250 return SSL_CIPHER_get_protocol_id(cipher);
6251 #else
6252 return SSL_CIPHER_get_id(cipher) & 0xFFFF;
6253 #endif
6254 }
6255
6256
tls_connection_get_peer_subject(struct tls_connection * conn)6257 const char * tls_connection_get_peer_subject(struct tls_connection *conn)
6258 {
6259 if (conn)
6260 return conn->peer_subject;
6261 return NULL;
6262 }
6263
6264
tls_connection_get_own_cert_used(struct tls_connection * conn)6265 bool tls_connection_get_own_cert_used(struct tls_connection *conn)
6266 {
6267 if (conn)
6268 return SSL_get_certificate(conn->ssl) != NULL;
6269 return false;
6270 }
6271
tls_register_cert_callback(tls_get_certificate_cb cb)6272 void tls_register_cert_callback(tls_get_certificate_cb cb)
6273 {
6274 certificate_callback_global = cb;
6275 }
6276
tls_register_openssl_failure_callback(tls_openssl_failure_cb cb)6277 void tls_register_openssl_failure_callback(tls_openssl_failure_cb cb)
6278 {
6279 openssl_failure_callback_global = cb;
6280 }
6281