Commit graph

20 commits

Author SHA1 Message Date
Juliusz Sosinowicz
0225301fde wolfSSL: Client cert loading API fix
Client cert loading API should check equality to SSL_SUCCESS for
success.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2020-12-04 12:42:17 +02:00
Juliusz Sosinowicz
a49f628845 wolfSSL: Fix wrong types in tls_wolfssl.c
wolfSSL_X509_get_ext_d2i() returns STACK_OF(GENERAL_NAME)* for
ALT_NAMES_OID therefore wolfSSL_sk_value needs to expect a
WOLFSSL_GENERAL_NAME*.

In addition, explicitly check for NULL return from wolfSSL_sk_value().

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2020-10-11 10:56:47 +03:00
Jouni Malinen
6a28c4dbc1 wolfssl: Fix compiler warnings on size_t printf format use
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:01:51 +03:00
Jouni Malinen
1c7e61a35a wolfssl: Avoid void pointer arithmetic
This is a compiler specific extension and not compliant with the C
standard.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-06 13:12:37 +03:00
Jouni Malinen
31bc66e4d1 More forceful clearing of stack memory with keys
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 16:11:56 +03:00
Jouni Malinen
242e857285 Extend domain_match and domain_suffix_match to allow list of values
These wpa_supplicant network profile parameters could be used to specify
a single match string that would be used against the dNSName items in
subjectAltName or CN. There may be use cases where more than one
alternative match string would be useful, so extend these to allow a
semicolon delimited list of values to be used (e.g.,
"example.org;example.com"). If any of the specified values matches any
of the dNSName/CN values in the server certificate, consider the
certificate as meeting this requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Jouni Malinen
dcc0ccd5b0 wolfSSL: Fix dNSName matching with domain_match and domain_suffix_match
Incorrect gen->type value was used to check whether subjectAltName
contained dNSName entries. This resulted in all domain_match and
domain_suffix_match entries failing to find a match and rejecting the
server certificate. Fix this by checking against the correct type
definition for dNSName.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Ervin Oro
a916ff5cd8 Add support for an optional context parameter to TLS exporter
Allow an additional context value to be passed to TLS exporter as
specified in RFC 5705 section 4.

This does not yet implement it for the internal TLS implementation.
However, as currently nothing uses context yet, this will not break
anything right now. WolfSSL maintainers also stated that they are not
going to add context support yet, but would look into it if/when this is
required by a published draft or a standard.

Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
2019-03-16 18:52:09 +02:00
Jared Bents
841205a1ce OpenSSL: Add 'check_cert_subject' support for TLS server
This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.

This option allows hostapd to match every individual field in the right
order, also allow '*' character as a wildcard (e.g OU=Development*).

Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.

Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-03-11 14:09:45 +02:00
Sam Voss
dd5d325b0a hostapd: Add configuration option check_crl_strict
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.

This causes the following:

- This setting does nothing when CRL checking is not enabled.

- When CRL is enabled, "strict mode" will cause CRL time errors to not
  be ignored and will continue behaving as it currently does.

- When CRL is enabled, disabling strict mode will cause CRL time
  errors to be ignored and will allow connections.

By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
2018-12-31 12:51:51 +02:00
Hristo Venev
0521c6ebb3 OpenSSL: Add openssl_ecdh_curves parameter
Some versions of OpenSSL need server support for ECDH to be explicitly
enabled, so provide a new parameter for doing so and all
SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic
selection.

Signed-off-by: Hristo Venev <hristo@venev.name>
2018-12-30 17:21:55 +02:00
Jouni Malinen
0ec3e77a13 TLS: Add tls_connection_peer_serial_num()
This can be used to fetch the serial number of the peer certificate in
the EAP server. For now, this is implemented only with OpenSSL.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-11 12:12:30 +03:00
Sean Parkinson
ab35793ec1 wolfSSL: Fix EAP-FAST key derivation
Implement tls_connection_get_eap_fast_key() using cryptographic
primitives as wolfSSL implements different spec.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-05-02 13:32:51 +03:00
Sean Parkinson
71faf06cb6 wolfSSL: Do not free cert store after setting it
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-05-02 13:32:51 +03:00
Sean Parkinson
b7f5b0ec65 wolfSSL: Fix OCSP ifdefs
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-05-02 13:32:51 +03:00
Sean Parkinson
ca620a3642 wolfSSL: Fix altSubjectName handling
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-05-02 13:32:51 +03:00
Sean Parkinson
7be462084e wolfSSL: Use defines from wolfssl/options.h
Depend on proper wolfSSL configuration instead of trying to define these
build configuration values externally.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-05-02 13:32:51 +03:00
Sean Parkinson
6590d84664 wolfSSL: Load certificates using 'chain' APIs
This allows the full chain to be loaded.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-05-02 13:32:51 +03:00
Sean Parkinson
847665ebec wolfSSL: Fix conditional EAP-FAST compilation issue
Variable name was partially renamed during earlier cleanup.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-05-02 00:37:57 +03:00
Sean Parkinson
fec03f9838 Add support for wolfSSL cryptographic library
Allow hostapd/wpa_supplicant to be compiled with the wolfSSL
cryptography and TLS library.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-03-03 11:52:40 +02:00