DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

EAP peer status notification for server not supporting RFC 5746

Browse source 
Add a notification message to indicate reason for TLS handshake failure
due to the server not supporting safe renegotiation (RFC 5746).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2022-05-04 23:55:38 +03:00 committed by Jouni Malinen
parent 566ce69a8d
commit a561d12d24
4 changed files with 23 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/ap/authsrv.c
View file

@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev,
wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s", wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
data->alert.description); data->alert.description);
break; break;
case TLS_UNSAFE_RENEGOTIATION_DISABLED:
/* Not applicable to TLS server */
break;
} }
} }
#endif /* EAP_TLS_FUNCS */ #endif /* EAP_TLS_FUNCS */

3
src/crypto/tls.h
View file

@ -22,7 +22,8 @@ enum tls_event {
TLS_CERT_CHAIN_SUCCESS, TLS_CERT_CHAIN_SUCCESS,
TLS_CERT_CHAIN_FAILURE, TLS_CERT_CHAIN_FAILURE,
TLS_PEER_CERTIFICATE, TLS_PEER_CERTIFICATE,
TLS_ALERT TLS_ALERT,
TLS_UNSAFE_RENEGOTIATION_DISABLED,
}; };
/* /*

15
src/crypto/tls_openssl.c
View file

@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
static struct wpabuf * static struct wpabuf *
openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
{ {
struct tls_context *context = conn->context;
int res; int res;
struct wpabuf *out_data; struct wpabuf *out_data;
@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to " wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
"write"); "write");
else { else {
unsigned long error = ERR_peek_last_error();
tls_show_errors(MSG_INFO, __func__, "SSL_connect"); tls_show_errors(MSG_INFO, __func__, "SSL_connect");
if (context->event_cb &&
ERR_GET_LIB(error) == ERR_LIB_SSL &&
ERR_GET_REASON(error) ==
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
context->event_cb(
context->cb_ctx,
TLS_UNSAFE_RENEGOTIATION_DISABLED,
NULL);
}
conn->failed++; conn->failed++;
if (!conn->server && !conn->client_hello_generated) { if (!conn->server && !conn->client_hello_generated) {
/* The server would not understand TLS Alert /* The server would not understand TLS Alert
@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
if ((conn->flags & TLS_CONN_SUITEB) && !conn->server && if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 && os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
conn->server_dh_prime_len < 3072) { conn->server_dh_prime_len < 3072) {
struct tls_context *context = conn->context;
/* /*
* This should not be reached since earlier cert_cb should have * This should not be reached since earlier cert_cb should have
* terminated the handshake. Keep this check here for extra * terminated the handshake. Keep this check here for extra

5
src/eap_peer/eap.c
View file

@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
eap_notify_status(sm, "remote TLS alert", eap_notify_status(sm, "remote TLS alert",
data->alert.description); data->alert.description);
break; break;
case TLS_UNSAFE_RENEGOTIATION_DISABLED:
wpa_printf(MSG_INFO,
"TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this");
eap_notify_status(sm, "unsafe server renegotiation", "failure");
break;
} }
os_free(hash_hex); os_free(hash_hex);