This makes some static analyzers complain about stored value never being
read. While it is good to clear some other temporary variables, this
local variable i has no security private information (it has a fixed
value of 20 here) and trying to clear it to 0 does not add any value.
Remove that part of the "wipe variables" to avoid one useless static
analyzer complaint.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends multi-OCSP support to verify status for intermediate CAs in
the server certificate chain.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows hostapd with the internal TLS server implementation to
support the extended OCSP stapling mechanism with multiple responses
(ocsp_stapling_response_multi).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for hostapd-as-authentication-server to be build with
the internal TLS implementation and OCSP stapling server side support.
This is more or less identical to the design used with OpenSSL, i.e.,
the cached response is read from the ocsp_stapling_response=<file> and
sent as a response if the client requests it during the TLS handshake.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The EVP_MD_CTX and HMAC_CTX definitions are now hidden from applications
using OpenSSL. Fix compilation issues with OpenSSL 1.1.x-pre1 by using
the new API for allocating these structures.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to share the OCSP implementation needed for
BoringSSL outside tls_openssl.c. For now, this is mainly for
http_curl.c.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL modified the struct sha_state_st (SHA_CTX) definition by
converting h0..h4 with h[5] array. This broke wpa_supplicant/hostapd
build with EAP-SIM enabled. BoringSSL restored the old version for
ANDROID builds, but only the new version is currently defined for
non-Android cases. For now, fix this by having matching selection in
fips_prf_openssl.c based on OPENSSL_IS_BORINGSSL and ANDROID defines.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
OpenSSL 1.1.x will apparently go out with "SSLeay" renamed in the API to
"OpenSSL", which broke the build here for fetching the version of the
running OpenSSL library when wpa_supplicant/hostapd is built against the
current OpenSSL snapshot.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit af851914f8 ('Make
tls_connection_get_keyblock_size() internal to tls_*.c') broke
tls_connection_prf() with the internal TLS implementation when using
skip_keyblock=1. In practice, this broke EAP-FAST. Fix this by deriving
the correct number of PRF bytes before skipping the keyblock.
Signed-off-by: Jouni Malinen <j@w1.fi>
md4_vector(), md5_vector(), sha1_vector(), and sha256_vector() already
supported TEST_FAIL() with the OpenSSL crypto implementation, but the
same test functionality is needed for the internal crypto implementation
as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for some NFC DH generation error paths to leak memory
since the old private/public key was not freed if an allocation failed.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it simpler to add support for new TLS_CONN_* flags without
having to add a new configuration function for each flag.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows wpa_supplicant to return eap_tls_version STATUS information
when using the internal TLS client implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
The internal TLS client implementation can now be used with
ca_cert="probe://" to probe the server certificate chain. This is also
adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and
CTRL-EVENT-EAP-PEER-CERT events.
Signed-off-by: Jouni Malinen <j@w1.fi>
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
The old wpa_supplicant/Makefile target test-eap_sim_common did not work
anymore and anyway, this test is better placed in the newer hwsim
framework to make sure the test case gets executed automatically.
Signed-off-by: Jouni Malinen <j@w1.fi>
LibreSSL does not yet support the new API, so do not use it
when LIBRESSL_VERSION_NUMBER macro is defined.
Signed-off-by: Marek Behun <kabel@blackhole.sk>
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().
Signed-off-by: Jouni Malinen <j@w1.fi>
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.
Signed-off-by: Jouni Malinen <j@w1.fi>
Write a text version of the content type and handshake type in debug log
to make it easier to follow TLS exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
The utf8_string_len comparison was off by one and ended up accepting a
truncated three-byte encoded UTF-8 character at the end of the string if
the octet was missing. Since the password string gets null terminated in
the configuration, this did not result in reading beyond the buffer, but
anyway, it is better to explicitly reject the string rather than try to
use an incorrectly encoded UTF-8 string as the password.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*()
functions) and instead, provides only a minimal mechanism for include
the status request extension and fetching the response from the server.
As such, the previous OpenSSL-based implementation for OCSP stapling is
not usable with BoringSSL.
Add a new implementation that uses BoringSSL to request and fetch the
OCSP stapling response and then parse and validate this with the new
implementation within wpa_supplicant. While this may not have identical
behavior with the OpenSSL-based implementation, this should be a good
starting point for being able to use OCSP stapling with BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The switch to BoringSSL broke keystore-backed keys because
wpa_supplicant was using the dynamic ENGINE loading to load
the keystore module.
The ENGINE-like functionality in BoringSSL is much simpler
and this change should enable it.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs') added a new
mechanism for doing this with OpenSSL 1.0.2 and newer. However, it did
not poinr out anything in debug log if SSL_add1_chain_cert() failed. Add
such a debug print and also silence static analyzer warning on res being
stored without being read (since the error case is ignored at least for
now).
Signed-off-by: Jouni Malinen <j@w1.fi>
The new tls_connection_set_success_data(),
tls_connection_set_success_data_resumed(),
tls_connection_get_success_data(), and tls_connection_remove_session()
functions can be used to mark cached sessions valid and to remove
invalid cached sessions. This commit is only adding empty functions. The
actual functionality will be implemented in followup commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL does not support 192-bit AES, so these parts of the
wpa_supplicant module tests would fail.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require
the password pointer to be non-NULL even if no password is present. Map
passwrd == NULL to passwd = "" to avoid a NULL pointer dereference
within BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL commit 533ef7304d9b48aad38805f1997031a0a034d7fe ('Remove
SSL_clear calls in handshake functions.') triggered a regression for
EAP-TLS/TTLS/PEAP session resumption in wpa_supplicant due to the
removed SSL_clear() call in ssl3_connect() going away and wpa_supplicant
not calling SSL_clear() after SSL_shutdown(). Fix this by adding the
SSL_clear() call into wpa_supplicant after SSL_shutdown() when preparing
the ssl instance for another connection.
While OpenSSL is still call SSL_clear() in ssl3_connect(), it looks to
be safe to add this call to wpa_supplicant unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This function does not seem to be available in BoringSSL. Since it is
needed for EAP-FAST (which is not currently working with BoringSSL),
address this by commenting out the EAP-FAST specific step from builds
that do not include EAP-FAST support.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL does include that function even though it claims
support for OPENSSL_VERSION_NUMBER where this is available (1.0.2). For
now, comment out that call to fix build.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key()
API. This broke wpa_supplicant/hostapd build since those functions from
OpenSSL were used to replace the internal AES key wrap implementation.
Add a new build configuration option
(CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal
implementation to be used with CONFIG_OPENSSL=y build to allow build
against the latest BoringSSL version.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When using OpenSSL 1.0.2 or newer, this replaces the older
SSL_CTX_add_extra_chain_cert() design with SSL_add1_chain_cert() to keep
the extra chain certificates out from SSL_CTX and specific to each
connection. In addition, build and rearrange extra certificates with
SSL_build_cert_chain() to avoid incorrect certificates and incorrect
order of certificates in the TLS handshake.
Signed-off-by: Jouni Malinen <j@w1.fi>