The earlier change to add support for BN_bn2binpad() and
BN_bn2bin_padded() broke this function for cases where no padding is
used (padlen == 0). Those would have always failed after the changes and
the function would return -1. There are no such cases in the current
hostap.git, so this did not have any real issues, but anyway, better fix
this function to match its documentation.
Fixes: 1e237903f5 ("OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available")
Signed-off-by: Jouni Malinen <j@w1.fi>
The new certificate chain debug dumps used functions that are not
available with LibreSSL or BoringSSL.
Fixes: 857edf4bf4 ("OpenSSL: More debug prints of configured ciphers and certificates")
Signed-off-by: Jouni Malinen <j@w1.fi>
The OPENSSL_VERSION_NUMBER ifdef block left out the local variable that
is needed with all versions. In addition, SSL_set_security_level() is
not available with LibreSSL or BoringSSL.
Fixes: 3ec65a8e38 ("OpenSSL: Allow anon-DH cipher suites to be added for TEAP")
Signed-off-by: Jouni Malinen <j@w1.fi>
The tls_connection_get_cipher_suite() implementation used
SSL_CIPHER_get_protocol_id which was added in OpenSSL 1.1.1. Need to use
compatibility code with older versions.
Fixes: 94714ec341 ("OpenSSL: Add tls_connection_get_cipher_suite()")
Signed-off-by: Jouni Malinen <j@w1.fi>
This will hopefully not be needed for EAP-TLS use cases since there
should not really be a middlebox that looks at the TLS layer details in
case of EAP authentication.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd EAP server can now be configured with two separate server
certificates/keys to enable parallel operations using both RSA and ECC
public keys. The server will pick which one to use based on the client
preferences for the cipher suite (in the TLS ClientHello message). It
should be noted that number of deployed EAP peer implementations do not
filter out the cipher suite list based on their local configuration and
as such, configuration of alternative types of certificates on the
server may result in interoperability issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.
This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a new TLS_CONN_* flag to provide a higher level mechanism for adding
(instead of fully replacing) allowed list of TLS ciphersuites for TEAP
provisioning purposes.
Signed-off-by: Jouni Malinen <j@w1.fi>
This implements "tls-unique" derivation per RFC 5929, Section 3. This
will be needed for channel binding, e.g., with EAP-TEAP.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a CTRL-EVENT-EAP-PEER-CERT even for depth=0 even if a depth >
0 certificate results in peer certificate validation error. Previously,
this case resulted in the upper layers not getting any information about
the used peer certificate. Now that information is available, e.g., to
allow server certificate -based overriding of the trust to be done.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to allow upper layer software to learn the hash of the
server certificate for allowing user to override trust root
configuration.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add tod=1 to CTRL-EVENT-EAP-PEER-CERT events if the peer certificate
includes the TOD policy in the X.509v3 Certificate Policies extension.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it easier to add new information to the callbacks without
having to modify each callback function type in EAPOL and EAP code every
time.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
GnuTLS backend already accepts CA cert blobs in both DER and PEM
formats. Implement similar trial-and-error handling in OpenSSL backend.
Signed-off-by: Santtu Lakkala <santtu.lakkala@jolla.com>
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.
Signed-off-by: Jouni Malinen <j@w1.fi>
The rcons[] and Td4s[] array values need to be type cast explicitly to
u32 for the left shift 24 operation to be defined due to the implicit
conversion to int not handling the case where MSB would become 1 without
depending on UB.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14929
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If OCSP_resp_find_status() fails with the first OCSP_CERTID, the
generation of the second OCSP_CERTID ended up leaking memory. Fix this
by freeing the previously allocated OCSP_CERTID on that code path.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
BN_clear() does not free the BIGNUM; it only clears its value. Fix this
memory leak by using the appropriate BN_clear_free() function instead.
Fixes: b11fa98bcb ("Add explicit checks for peer's DH public key")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
ec_params needs to be freed before returning from the function.
Extension of this function to support BoringSSL introduced this memory
leak and that was later extended to be the only variant and apply to
OpenSSL and LibreSSL cases as well in commit c23e87d0d1 ("OpenSSL:
Replace EVP_PKEY_paramgen() with EC_KEY_new_by_curve_name()").
Fixes: f29761297b ("BoringSSL: Implement crypto_ecdh_init()")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.
That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.
Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.
Fixes: 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and deprecated APIs")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL
functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid
differences in runtime and memory access patterns depending on the
leading bytes of the BIGNUM value.
OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases
are still using the previous implementation where the BN_num_bytes()
call may result in different memory access pattern.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It looks like SSL_CTX_set1_curves_list() command alone is not sufficient
to enable ECDH curve selection with older OpenSSL versions for TLS
server, so enable automatic selection first and specify the exact list
of curves after that.
This fixes failures in openssl_ecdh_curves test case when hostapd uses
OpenSSL 1.0.2.
Signed-off-by: Jouni Malinen <j@w1.fi>
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This helps in reducing measurable timing differences in operations
involving private information. BoringSSL has removed BN_FLG_CONSTTIME
and expects specific constant time functions to be called instead, so a
bit different approach is needed depending on which library is used.
The main operation that needs protection against side channel attacks is
BN_mod_exp() that depends on private keys (the public key validation
step in crypto_dh_derive_secret() is an exception that can use the
faster version since it does not depend on private keys).
crypto_bignum_div() is currently used only in SAE FFC case with not
safe-prime groups and only with values that do not depend on private
keys, so it is not critical to protect it.
crypto_bignum_inverse() is currently used only in SAE FFC PWE
derivation. The additional protection here is targeting only OpenSSL.
BoringSSL may need conversion to using BN_mod_inverse_blinded().
This is related to CVE-2019-9494 and CVE-2019-9495.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These wpa_supplicant network profile parameters could be used to specify
a single match string that would be used against the dNSName items in
subjectAltName or CN. There may be use cases where more than one
alternative match string would be useful, so extend these to allow a
semicolon delimited list of values to be used (e.g.,
"example.org;example.com"). If any of the specified values matches any
of the dNSName/CN values in the server certificate, consider the
certificate as meeting this requirement.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Incorrect gen->type value was used to check whether subjectAltName
contained dNSName entries. This resulted in all domain_match and
domain_suffix_match entries failing to find a match and rejecting the
server certificate. Fix this by checking against the correct type
definition for dNSName.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
While commit 1c156e783d ("Fixed tls_prf() to handle keys with
odd length") added support for keys with odd length, the function
never reached this code as the function would return earlier in
case the key length was odd. Fix this by removing the first check
for the key length.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
SSL_use_certificate_chain_file() is not available in the current
BoringSSL even though the defined OPENSSL_VERSION_NUMBER is large enough
to claim that this function would be present in the OpenSSL API.
Fall back to using SSL_use_certificate_file() with BoringSSL to fix the
build.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow an additional context value to be passed to TLS exporter as
specified in RFC 5705 section 4.
This does not yet implement it for the internal TLS implementation.
However, as currently nothing uses context yet, this will not break
anything right now. WolfSSL maintainers also stated that they are not
going to add context support yet, but would look into it if/when this is
required by a published draft or a standard.
Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
X509_get_subject_name() in OpenSSL 1.0.2 does not mark its argument as a
const pointer, so need to type cast this to avoid a build warning.
Fixes: 841205a1ce ("OpenSSL: Add 'check_cert_subject' support for TLS server")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.
This option allows hostapd to match every individual field in the right
order, also allow '*' character as a wildcard (e.g OU=Development*).
Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
Pass the group order (if known/specified) to crypto_dh_derive_secret()
(and also to OpenSSL DH_generate_key() in case of Group 5) and verify
that the public key received from the peer meets 1 < pubkey < p and
pubkey^q == 1 mod p conditions.
While all these use cases were using only ephemeral DH keys, it is
better to use more explicit checks while deriving the shared secret to
avoid unexpected behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The flags variable needs to be initialized to 0 if check_crl is 0 in
the updated configuration.
Fixes: 159a7fbdea ("crl_reload_interval: Add CRL reloading support")
Signed-off-by: Jouni Malinen <j@w1.fi>
Add test-tls program that can be used for fuzzing the internal TLS
client and server implementations. This tool can write client or server
messages into a file as an initialization step and for the fuzzing step,
that file (with potential modifications) can be used to replace the
internally generated message contents.
The TEST_FUZZ=y build parameter is used to make a special build where a
hardcoded random number generator and hardcoded timestamp are used to
force deterministic behavior for the TLS operations.
Signed-off-by: Jouni Malinen <j@w1.fi>
This patch adds a new flag 'crl_reload_interval' to reload CRL
periodically. This can be used to reload ca_cert file and the included
CRL information on every new TLS session if difference between the last
reload and the current time in seconds is greater than
crl_reload_interval.
This reloading is used for cases where check_crl is 1 or 2 and the CRL
is included in the ca_file.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
When using LibreSSL build fails with:
../src/crypto/tls_openssl.o: in function `tls_connection_client_cert':
../src/crypto/tls_openssl.c:2817: undefined reference to `SSL_use_certificate_chain_file'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1901: wpa_supplicant] Error 1
There is no such function in LibreSSL.
Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
Some distributions (e.g., Debian) have started introducting systemwide
OpenSSL policies to disable older protocol versions and ciphers
throughout all programs using OpenSSL. This can result in significant
number of interoperability issues with deployed EAP implementations.
Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server)
parameters to be used to request systemwide policies to be overridden if
older versions are needed to be able to interoperate with devices that
cannot be updated to support the newer protocol versions or keys. The
default behavior is not changed here, i.e., the systemwide policies will
be followed if no explicit override configuration is used. The overrides
should be used only if really needed since they can result in reduced
security.
In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network
profile parameter can be used to explicitly enable TLS versions that are
disabled in the systemwide configuration. For example,
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS
v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces
TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter
can be used to override systemwide policy, e.g., with
openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1
in Debian to allow shorter keys to be used.
In hostapd, tls_flags parameter can be used to configure similar
options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]
Signed-off-by: Jouni Malinen <j@w1.fi>
SSL_use_certificate_chain_file() was added in OpenSSL 1.1.0, so need to
maintain the old version using SSL_use_certificate_file() for backwards
compatibility.
Fixes: 658c39809b ("OpenSSL: Load chain certificates from client_cert file")
Signed-off-by: Jouni Malinen <j@w1.fi>
The PADDING array used when adding padding bits in MD4 never change
so can be made const. Making it const puts the array in .rodata
section and can save a few bytes of RAM for systems running without
virtual memory.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
The function sha512_compress() has a local variable that consumes 640
bytes. This is very heavy for embedded devices that have limited stack
resources. Handle this by replacing the static allocation with a dynamic
one.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:
"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."
An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.
It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
This helps the server to build the chain to trusted CA when PEM encoding
of client_cert is used with multiple listed certificates. This was
already done for the server certificate configuration, but the client
certificate was limited to using only the first certificate in the file.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.
This causes the following:
- This setting does nothing when CRL checking is not enabled.
- When CRL is enabled, "strict mode" will cause CRL time errors to not
be ignored and will continue behaving as it currently does.
- When CRL is enabled, disabling strict mode will cause CRL time
errors to be ignored and will allow connections.
By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.
Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
Build configurations with CONFIG_TLS=internal and NEED_SHA512 failed due
to missing sha512.c file. Add that file even though this is not really
used in the currently available configuration combinations since DPP and
OWE are the only users of it and the internal crypto implementation
supports neither.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some versions of OpenSSL need server support for ECDH to be explicitly
enabled, so provide a new parameter for doing so and all
SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic
selection.
Signed-off-by: Hristo Venev <hristo@venev.name>
When using LibreSSL instead of OpenSSL, linkage of hostapd executable
fails with the following error when using some LibreSSL versions
../src/crypto/tls_openssl.o: In function `tls_verify_cb':
tls_openssl.c:(.text+0x1273): undefined reference to `ASN1_STRING_get0_data'
../src/crypto/tls_openssl.o: In function `tls_connection_peer_serial_num':
tls_openssl.c:(.text+0x3023): undefined reference to `ASN1_STRING_get0_data'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1278: hostapd] Error 1
ASN1_STRING_get0_data is present in recent OpenSSL, but absent in some
versions of LibreSSL (confirmed for version 2.6.5), so fallback needs to
be defined in this case, just like for old OpenSSL.
This patch was inspired by similar patches to other projects, such as
spice-gtk, pjsip.
Link: https://bugs.gentoo.org/672834
Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>
This can be used to fetch the serial number of the peer certificate in
the EAP server. For now, this is implemented only with OpenSSL.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SSL_session_reused() is the same as the deprecated SSL_cache_hit(). The
engine load stuff is now handled by OPENSSL_init().
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The n argument to this function is number of bits, not bytes, to shift.
As such, need to use mp_rshb() instead of mp_rshd(). This fixes EAP-pwd
with P-521 curve.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Implement tls_connection_get_eap_fast_key() using cryptographic
primitives as wolfSSL implements different spec.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Depend on proper wolfSSL configuration instead of trying to define these
build configuration values externally.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Use the correct intermediate result from mp_sqrmod() in the following
mp_mulmod() call (t is not initialized here; it is used only after this
step).
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Provide full uncompressed DER data length to wc_ecc_import_point_der()
even though a compressed form is used here. In addition, use
ECC_POINT_COMP_* defined values to make this more readable.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
This may be needed to avoid interoperability issues with the new
protocol version and significant changes for EAP use cases in both key
derivation and handshake termination.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes this more easily available throughout the handshake
processing, if needed, compared to having to pass through the function
argument through the full path from
tls_connection{,_server}_handshake().
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 1.1.1 added cases where ClientHello generation may fail due to
"no ciphers available". There is no point in sending out the resulting
TLS Alert message to the server since the server does not know what to
do with it before ClientHello. Instead, simply terminate the TLS
handshake locally and report EAP failure to avoid getting stuck waiting
for a timeout.
Signed-off-by: Jouni Malinen <j@w1.fi>
LibreSSL v2.7 claims an OPENSSL_VERSION_NUMBER value that would indicate
that SSL_OP_NO_TLSv1_3 is available, but that does not seem to be the
case with LibreSSL. As such, skip this step based on whether
SSL_OP_NO_TLSv1_3 is defined to avoid build issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit takes care of the sigalg configuration using the relatively
recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017 to
address the functionality that was already there with OpenSSL using
SSL_set1_sigalgs_list().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so
need to map that to the explicit ciphersuite
(ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg
(SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with
ECDSA to be used.
This commit takes care of the sigalg configuration using the relatively
recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so
need to map that to the explicit ciphersuite
(ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg
(SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with
ECDSA to be used.
This commit takes care of the ciphersuite and curve configuration.
sigalg change is in a separate commit since it requires a newer
BoringSSL API function that may not be available in all builds.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In practice, this does the same thing (i.e., allows only the P-384 curve
to be used), but using an older API function that happens to be
available in some BoringSSL builds while the newer one is not.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
TLS v1.3 needs to be explicitly disabled to allow cipher suite selection
for EAP-FAST to work with OpenSSL builds that include TLS v1.3 support.
Without this, OpenSSL refuses to generate ClientHello due to the cipher
suite list including only ciphers allowed with older versions than TLS
v1.3.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
GnuTLS-based builds can now be done using either libnettle or libgcrypt
for crypto functionality:
CONFIG_TLS=gnutls
CONFIG_CRYPTO=nettle
CONFIG_TLS=gnutls
CONFIG_CRYPTO=gnutls
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows OpenSSL-style configuration of Suite B parameters to be used
in the wpa_supplicant network profile. 128-bit and 192-bit level
requirements for ECDHE-ECDSA cases are supported. RSA >=3K case is
enforced using GnuTLS %PROFILE_HIGH special priority string keyword.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends GnuTLS support for tls_disable_v1_{0,1,2}=1 flags in the
phase1 network profile parameter in wpa_supplicant.
Signed-off-by: Jouni Malinen <j@w1.fi>
Indicate more clearly when the parsing succeeds to avoid ending the
debug prints with various internal GnuTLS internal error messages even
when the parsing actually succeeded in the end.
Signed-off-by: Jouni Malinen <j@w1.fi>
Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with
the ones from libgcrypt and also add the SHA384 and SHA512 versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Replace the internal SHA256 implementation with the one from libgcrypt
and also add the SHA384 and SHA512 versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a shared helper function instead of implementing practically same
sequence separately for each hash function.
Signed-off-by: Jouni Malinen <j@w1.fi>
The patch offers alternate implementations of some functions using the
abstract cryptographic API.
This work was done in preparation for the changes to allow hostap to be
compiled with the wolfSSL cryptography and TLS library.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
This implements crypto_dh_init() and crypto_dh_derive_secret() using
os_get_random() and crypto_mod_exp() for all crypto_*.c wrappers that
include crypto_mod_exp() implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
The BoringSSL version of crypto_ecdh_init() and dpp_gen_keypair() works
fine with OpenSSL as well, so use that same implementation for both to
avoid unnecessary maintanence of multiple versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to go through EC_GROUP_new_by_curve_name(),
EC_KEY_new(), and EC_KEY_set_group() when a single call to
EC_KEY_new_by_curve_name() takes care of all that.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows wpa_supplicant configuration with phase1="tls_suiteb=1" to
use openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384" to further limit the
possible TLS cipher suites when using Suite B with RSA >3K keys. This
combination disables use of DHE and as such, mandates ECDHE to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
These functions are a bit awkward to use for one-off file loads, as
suggested by the tls_clear_default_passwd_cb() logic. There was also
some historical mess with OpenSSL versions and either not having per-SSL
settings, having per-SSL settings but ignoring them, and requiring the
per-SSL settings.
Instead, loading the key with the lower-level functions seems a bit
tidier and also allows abstracting away trying both formats, one after
another.
Signed-off-by: David Benjamin <davidben@google.com>
There's no need to make an extra copy of private_key_passwd for
SSL_{CTX_,}set_default_passwd_cb().
Signed-off-by: David Benjamin <davidben@google.com>
BoringSSL restored the previously removed AES-192 ECB support in ("Add
AES-192 ECB.") commit. Since this is needed for DPP with the P-384
curve, restore support for this through EVP_aes_192_ecb().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it clearer why some AES operations fail especially with
BoringSSL where the 192-bit case is not supported.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL does not provide some of the OpenSSL API that was used here,
so update this to use similar design to what was already done with DPP
key derivation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide SSL_set_default_passwd_cb*(). For
now, comment out this regardless of the version BoringSSL claims to be.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide SSL_set1_sigalgs_list(). For now,
comment out this regardless of the version BoringSSL claims to be.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide RSA_bits(). For now, add this
backwards compatibility wrapper for BoringSSL regardless of the version
it claims to be.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Reject a DHE handshake if the server uses a DH prime that does not have
sufficient length to meet the Suite B 192-bit level requirement (<= 3k
(3072) bits).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Reject a peer certificate chain if it includes an RSA public key that
does not use sufficient key length to meet the Suite B 192-bit level
requirement (<= 3k (3072) bits).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ubsan reported:
../src/crypto/random.c:69:30: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int'
Explicitly check for the ROL32(x, 0) case which is supposed to be a
no-op.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Previously, the pointer to strdup passwd was left in OpenSSL library
default_passwd_cb_userdata and even the default_passwd_cb was left set
on an error path. To avoid unexpected behavior if something were to
manage to use there pointers, clear them explicitly once done with
loading of the private key.
Signed-off-by: Jouni Malinen <j@w1.fi>
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
callback from the SSL object instead of the one from the CTX, so let's
set the callback on both SSL and CTX. Note that
SSL_set_default_passwd_cb*() is available only in 1.1.0.
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".
This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.
[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
The additional SHA-384 and SHA-512 functionality is needed to support
DPP with various ECC curves.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The KDF define in RFC 5295 is very similar to HKDF-Expand() defined in
RFC 5869. Allow a NULL label to be used to select the RFC 5869 version
with arbitrary seed (info in RFC 5869) material without forcing the
label and NULL termination to be included. HKDF-Expand() will be needed
for OWE.
Signed-off-by: Jouni Malinen <j@w1.fi>
These allow ECDH to be used with compressed public key encoding (only
x-coordinate). This is needed for FILS PFS and OWE.
Signed-off-by: Jouni Malinen <j@w1.fi>
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.
The mechanical conversions all over the code were done with
the following spatch:
@@
expression SIZE, SRC;
expression a;
@@
-a = os_malloc(SIZE);
+a = os_memdup(SRC, SIZE);
<...
if (!a) {...}
...>
-os_memcpy(a, SRC, SIZE);
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
CONFIG_TLS=linux can now be used to select the crypto implementation
that uses the user space socket interface (AF_ALG) for the Linux kernel
crypto implementation. This commit includes some of the cipher, hash,
and HMAC functions. The functions that are not available through AF_ALG
(e.g., the actual TLS implementation) use the internal implementation
(CONFIG_TLS=internal).
Signed-off-by: Jouni Malinen <j@w1.fi>
These operations may fail with some crypto wrappers, so allow the
functions to report their results to the caller.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is a copy of the internal HMAC-SHA256 implementation with the hash
block size and output length updated to match SHA384 parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
The output length was incorrect (32 from the copy-pasted SHA256
version). Fix this to return the correct number of octets (48) for
SHA384. This fixes incorrect key derivation in FILS when using the
SHA384-based AKM.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the keychain holds additional certificates other than the end
certificate, read them into the certificate chain.
Signed-off-by: Paul Stewart <pstew@google.com>
Number of deployed use cases assume the default OpenSSL behavior of auto
chaining the local certificate is in use. BoringSSL removed this
functionality by default, so we need to restore it here to avoid
breaking existing use cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This simplifies the implementation since the SSL_clear_options() and
SSL_CTX_clear_options() are available in all supported versions of
OpenSSL. These were previously needed with older (now obsolete) versions
of OpenSSL, but the ifdefs were missed when removing the more explicit
version macro based backwards compatibility sections.
In practice, this reverts commit
d53d2596e4.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous implementation was hardcoded to use 128-bit AES key
(AEAD_AES_SIV_CMAC_256). Extend this by allowing AEAD_AES_SIV_CMAC_384
and AEAD_AES_SIV_CMAC_512 with 192-bit and 256-bit AES keys.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This basically just follows commit
587b0457e0 ('LibreSSL: Fix build with
LibreSSL') with the same pattern, which was missed here.
Signed-off-by: Julian Ospald <hasufell@hasufell.de>
Due to a missing guard for old OpenSSL code, SSL_library_init() was not
called, which is required for LibreSSL. Likewise for cleanup.
Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
Add LibreSSL check to old OpenSSL #ifdef guard as DH_{get0,set0}_key()
is not implemented in LibreSSL.
Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
To be consistent with OpenSSL 1.1.0, the free functions should
internally check for NULL. EVP_MD_CTX_free also was missing an
EVP_MD_CTX_cleanup, so this leaked a little.
OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace
with get_rfc3526_prime_1536 as a compatibility-only name. Use that
instead in 1.1.0.
Signed-off-by: David Benjamin <davidben@google.com>
Commit 49fe2ada20 ('OpenSSL: Support
OpenSSL 1.1.0 DH opacity') started using the new accessor functions, but
used incorrect success check for the DH_set0_key() call. This resulted
in dh5_init_fixed() failures and double-free on error path if the build
was linked against OpenSSL 1.1.0. Fix this by checking DH_set0_key()
return value to be 1 for the success case.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 1.1.0 (master branch) apparently ended up modifying the API
after the beta 2 release that was supposed to complete the work. Mark
the variables const to fix the compilation with the modified OpenSSL
API.
Signed-off-by: Jouni Malinen <j@w1.fi>
Since crypto_openssl.c is now implementing couple of functions
internally, pull in the relevant header files md5.h and aes_wrap.h to
make sure the function declaration are consistent.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Recent versions of engine_pkcs11 are set up to be autoloaded on demand
with ENGINE_by_id() because they don't need explicit configuration.
But if we *do* want to explicitly configure them with a PKCS#11 module
path, we should still do so.
We can't tell whether it was already initialised, but it's harmless to
repeat the MODULE_PATH command if it was.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Michael Schaller <misch@google.com>
This avoids internal access of structs and also removes the dependency
on the reimplemented TLS PRF functions when EAP-FAST support is not
enabled. Notably, BoringSSL doesn't support EAP-FAST, so there is no
need to access its internals with openssl_get_keyblock_size().
Signed-Off-By: David Benjamin <davidben@google.com>
Most protocols extracting keys from TLS use RFC 5705 exporters which is
commonly implemented in TLS libraries. This is the mechanism used by
EAP-TLS. (EAP-TLS actually predates RFC 5705, but RFC 5705 was defined
to be compatible with it.)
EAP-FAST, however, uses a legacy mechanism. It reuses the TLS internal
key block derivation and derives key material after the key block. This
is uncommon and a misuse of TLS internals, so not all TLS libraries
support this. Instead, we reimplement the PRF for the OpenSSL backend
and don't support it at all in the GnuTLS one.
Since these two are very different operations, split
tls_connection_prf() in two. tls_connection_export_key() implements the
standard RFC 5705 mechanism that we expect most TLS libraries to
support. tls_connection_get_eap_fast_key() implements the
EAP-FAST-specific legacy mechanism which may not be implemented on all
backends but is only used by EAP-FAST.
Signed-Off-By: David Benjamin <davidben@google.com>
Commit 68ae4773a4 ('OpenSSL: Use library
wrapper functions to access cert store') fixed most of these, but missed
a few.
Signed-Off-By: David Benjamin <davidben@google.com>
Commit 4104267e81 ('Fix memory leak on NFC
DH generation error path') modified the generic (non-OpenSSL)
implementation of dh5_init() to free the previously assigned public key,
if any. However, that commit did not modify the OpenSSL specific version
of this function. Add the same change there to maintain consistent
behavior between these two implementations of the same function.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL added OpenSSL 1.1.0's SSL_get_client_random() and friends in
working towards opaquifying the SSL struct. But it, for the moment,
still looks more like 1.0.2 than 1.1.0 and advertises
OPENSSL_VERSION_NUMBER as such. This means that there is no need to
define those in BoringSSL and defining them causes conflicts. (C does
not like having static and non-static functions with the same name.)
As requested, this is conditioned on defined(BORINGSSL_API_VERSION) so
wpa_supplicant may continue to support older BoringSSLs for a time.
(BoringSSL revisions without the accessors predate BoringSSL maintaining
a BORINGSSL_API_VERSION.)
Also add a missing opensslv.h include. tls_openssl.c is sensitive to
OPENSSL_VERSION_NUMBER, so it should include the header directly rather
than rely on another header to do so.
Signed-off-by: David Benjamin <davidben@google.com>
The OpenSSL 1.1.0 Beta 2 release made DH opaque and that broke
compilation of crypto_openssl.c. Fix this by using the new accessor
functions when building against OpenSSL 1.1.0 or newer.
Signed-off-by: Jouni Malinen <j@w1.fi>
While this function could return NULL if the parameter issued to it were
NULL, that does not really happen here. Anyway, since this can result in
a warning from a static analyzer that does can see the return NULL
without fully understanding what it means here, check the return value
explicitly against NULL to avoid false warnings.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 8bcf8de827 ('OpenSSL: Fix memory
leak in PKCS12 additional certificate parsing') tried to fix a memory
leak in both the 1.0.2(and newer) and 1.0.1 branches of PKCS12 parsing.
However, the 1.0.1 case was not properly tested and freeing of the
certificate after a successful SSL_CTX_add_extra_chain_cert() call
resulted in use of freed memory when going through the TLS handshake.
Fix this by not freeing the certificate in that specific case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The additional PKCS12 certificates were not freed properly in the loop
added in commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs').
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 5c9a33702f ('OpenSSL: Clean up
crypto_hash_*() to use a single implementation') added a wrapper
function to allow the new OpenSSL API to be used with older OpenSSL
versions. However, the HMAC_CTX_free() wrapper was incorrectly skipping
the call to HMAC_CTX_cleanup() which is still needed to free the
resources OpenSSL allocated internally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
SSL_library_init() does not work properly after EVP_cleanup() starting
from OpenSSL 1.1.0 pre release 3. The automated library init/deinit
functions in that pre release are supposed to handle all initialization
and deinitialiation, so comment out the explicit calls to these function
with OpenSSL 1.1.0 and newer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 1eb87ae48d ('OpenSSL: Use
EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0') started using
EVP_CIPHER_CTX_new() to allocate EVP_CIPHER_CTX from heap instead of
using stack memory. This commit used incorrect EVP_CIPHER_CTX_reset()
function in number of cases when the allocated memory was supposed to be
freed instead of just reset for reuse. Fix this by using
EVP_CIPHER_CTX_free() properly.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If SSL_CTX_new(SSLv23_method()) fails, tls_init() error path did not
free the allocated struct tls_data instance.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Fix a possible null pointer dereference in tls_parse_pkcs12() when
loading a PKCS#12 file for the server keys and the file includes extra
certificates.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
In the Android-specific case, make ca_cert directive parse a
space-separated list of hex-encoded CA certificate aliases following the
"keystores://" prefix. Server certificate validation should succeed as
long as the chain ends with one of them.
Signed-off-by: Rubin Xu <rubinxu@google.com>
Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementation based on
the library version.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementation based on
the library version.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The changes needed for OpenSSL 1.1.0 had broken this since LibreSSL is
defining OPENSSL_VERSION_NUMBER in a manner that claims it to be newer
than the current OpenSSL version even though it does not support the
current OpenSSL API.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Now the these functions cannot be made to fail by forcing the memory
allocation fail since the OpenSSL-internal version is used, add
TEST_FAIL check to allow OOM test cases to be converted to use the
TEST_FAIL mechanism without reducing coverage.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The EVP_CIPHER_CTX structure will be made opaque in OpenSSL 1.1.0, so
need to use EVP_CIPHER_CTX_new() with it instead of stack memory. The
design here moves the older OpenSSL versions to use that dynamic
allocation design as well to minimize maintenance effort.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The SSL_CIPHER **cipher argument was marked const in OpenSSL 1.1.0
pre-release 2 similarly to how this is in BoringSSL. Fix build with that
in preparation for supporting OpenSSL 1.1.0.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If wpa_supplicant was first configured with PKCS #12 -based client
certificate chain and then used with another network profile that used a
different certificate chain from a X.509 certificate PEM file instead of
PKCS#12, the extra certificate chain was not reconstructed properly with
older versions of OpenSSL that 1.0.2. This could result in the
authentication failing due to the client certificate chain not being
complete or including incorrect certificates.
Fix this by clearing the extra certificate chain when setting up a new
TLS connection with OpenSSL 1.0.1. This allows OpenSSL to build the
chain using the default mechanism in case the new TLS exchange does not
use PKCS#12.
The following hwsim test case sequence was able to find the issue:
ap_wpa2_eap_tls_pkcs12 ap_wpa2_eap_tls_intermediate_ca_ocsp
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add SSL_SESSION_get_master_key() compatibility wrapper for older OpenSSL
versions to be able to use the new openssl_tls_prf() implementation for
OpenSSL 1.1.0 with all supported versions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
SSL_get_client_random() and SSL_get_server_random() will be added in
OpenSSL 1.1.0. Provide compatibility wrappers for older versions to
simplify the tls_connection_get_random() implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The OpenSSL project will not support version 1.0.0 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 1.0.0 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The OpenSSL project will not support version 0.9.8 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 0.9.8 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes some static analyzers complain about stored value never being
read. While it is good to clear some other temporary variables, this
local variable i has no security private information (it has a fixed
value of 20 here) and trying to clear it to 0 does not add any value.
Remove that part of the "wipe variables" to avoid one useless static
analyzer complaint.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends multi-OCSP support to verify status for intermediate CAs in
the server certificate chain.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows hostapd with the internal TLS server implementation to
support the extended OCSP stapling mechanism with multiple responses
(ocsp_stapling_response_multi).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for hostapd-as-authentication-server to be build with
the internal TLS implementation and OCSP stapling server side support.
This is more or less identical to the design used with OpenSSL, i.e.,
the cached response is read from the ocsp_stapling_response=<file> and
sent as a response if the client requests it during the TLS handshake.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The EVP_MD_CTX and HMAC_CTX definitions are now hidden from applications
using OpenSSL. Fix compilation issues with OpenSSL 1.1.x-pre1 by using
the new API for allocating these structures.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to share the OCSP implementation needed for
BoringSSL outside tls_openssl.c. For now, this is mainly for
http_curl.c.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL modified the struct sha_state_st (SHA_CTX) definition by
converting h0..h4 with h[5] array. This broke wpa_supplicant/hostapd
build with EAP-SIM enabled. BoringSSL restored the old version for
ANDROID builds, but only the new version is currently defined for
non-Android cases. For now, fix this by having matching selection in
fips_prf_openssl.c based on OPENSSL_IS_BORINGSSL and ANDROID defines.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
OpenSSL 1.1.x will apparently go out with "SSLeay" renamed in the API to
"OpenSSL", which broke the build here for fetching the version of the
running OpenSSL library when wpa_supplicant/hostapd is built against the
current OpenSSL snapshot.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit af851914f8 ('Make
tls_connection_get_keyblock_size() internal to tls_*.c') broke
tls_connection_prf() with the internal TLS implementation when using
skip_keyblock=1. In practice, this broke EAP-FAST. Fix this by deriving
the correct number of PRF bytes before skipping the keyblock.
Signed-off-by: Jouni Malinen <j@w1.fi>
md4_vector(), md5_vector(), sha1_vector(), and sha256_vector() already
supported TEST_FAIL() with the OpenSSL crypto implementation, but the
same test functionality is needed for the internal crypto implementation
as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for some NFC DH generation error paths to leak memory
since the old private/public key was not freed if an allocation failed.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it simpler to add support for new TLS_CONN_* flags without
having to add a new configuration function for each flag.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows wpa_supplicant to return eap_tls_version STATUS information
when using the internal TLS client implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
The internal TLS client implementation can now be used with
ca_cert="probe://" to probe the server certificate chain. This is also
adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and
CTRL-EVENT-EAP-PEER-CERT events.
Signed-off-by: Jouni Malinen <j@w1.fi>
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
The old wpa_supplicant/Makefile target test-eap_sim_common did not work
anymore and anyway, this test is better placed in the newer hwsim
framework to make sure the test case gets executed automatically.
Signed-off-by: Jouni Malinen <j@w1.fi>
LibreSSL does not yet support the new API, so do not use it
when LIBRESSL_VERSION_NUMBER macro is defined.
Signed-off-by: Marek Behun <kabel@blackhole.sk>
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().
Signed-off-by: Jouni Malinen <j@w1.fi>
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.
Signed-off-by: Jouni Malinen <j@w1.fi>
Write a text version of the content type and handshake type in debug log
to make it easier to follow TLS exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
The utf8_string_len comparison was off by one and ended up accepting a
truncated three-byte encoded UTF-8 character at the end of the string if
the octet was missing. Since the password string gets null terminated in
the configuration, this did not result in reading beyond the buffer, but
anyway, it is better to explicitly reject the string rather than try to
use an incorrectly encoded UTF-8 string as the password.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*()
functions) and instead, provides only a minimal mechanism for include
the status request extension and fetching the response from the server.
As such, the previous OpenSSL-based implementation for OCSP stapling is
not usable with BoringSSL.
Add a new implementation that uses BoringSSL to request and fetch the
OCSP stapling response and then parse and validate this with the new
implementation within wpa_supplicant. While this may not have identical
behavior with the OpenSSL-based implementation, this should be a good
starting point for being able to use OCSP stapling with BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The switch to BoringSSL broke keystore-backed keys because
wpa_supplicant was using the dynamic ENGINE loading to load
the keystore module.
The ENGINE-like functionality in BoringSSL is much simpler
and this change should enable it.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs') added a new
mechanism for doing this with OpenSSL 1.0.2 and newer. However, it did
not poinr out anything in debug log if SSL_add1_chain_cert() failed. Add
such a debug print and also silence static analyzer warning on res being
stored without being read (since the error case is ignored at least for
now).
Signed-off-by: Jouni Malinen <j@w1.fi>
The new tls_connection_set_success_data(),
tls_connection_set_success_data_resumed(),
tls_connection_get_success_data(), and tls_connection_remove_session()
functions can be used to mark cached sessions valid and to remove
invalid cached sessions. This commit is only adding empty functions. The
actual functionality will be implemented in followup commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL does not support 192-bit AES, so these parts of the
wpa_supplicant module tests would fail.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require
the password pointer to be non-NULL even if no password is present. Map
passwrd == NULL to passwd = "" to avoid a NULL pointer dereference
within BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL commit 533ef7304d9b48aad38805f1997031a0a034d7fe ('Remove
SSL_clear calls in handshake functions.') triggered a regression for
EAP-TLS/TTLS/PEAP session resumption in wpa_supplicant due to the
removed SSL_clear() call in ssl3_connect() going away and wpa_supplicant
not calling SSL_clear() after SSL_shutdown(). Fix this by adding the
SSL_clear() call into wpa_supplicant after SSL_shutdown() when preparing
the ssl instance for another connection.
While OpenSSL is still call SSL_clear() in ssl3_connect(), it looks to
be safe to add this call to wpa_supplicant unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This function does not seem to be available in BoringSSL. Since it is
needed for EAP-FAST (which is not currently working with BoringSSL),
address this by commenting out the EAP-FAST specific step from builds
that do not include EAP-FAST support.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL does include that function even though it claims
support for OPENSSL_VERSION_NUMBER where this is available (1.0.2). For
now, comment out that call to fix build.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key()
API. This broke wpa_supplicant/hostapd build since those functions from
OpenSSL were used to replace the internal AES key wrap implementation.
Add a new build configuration option
(CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal
implementation to be used with CONFIG_OPENSSL=y build to allow build
against the latest BoringSSL version.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When using OpenSSL 1.0.2 or newer, this replaces the older
SSL_CTX_add_extra_chain_cert() design with SSL_add1_chain_cert() to keep
the extra chain certificates out from SSL_CTX and specific to each
connection. In addition, build and rearrange extra certificates with
SSL_build_cert_chain() to avoid incorrect certificates and incorrect
order of certificates in the TLS handshake.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the possible extra certificate(s) from a PKCS#12 file was
added once for each authentication attempt. This resulted in OpenSSL
concatenating the certificates multiple time (add one copy for each try
during the wpa_supplicant process lifetime). Fix this by clearing the
extra chain certificates before adding new ones when using OpenSSL 1.0.1
or newer that include the needed function.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.
This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.
Signed-off-by: Jouni Malinen <j@w1.fi>
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
MD4 is not allowed in such builds, so comment out md4_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD¤ operations at runtime. This makes it easier
to detect and fix accidental cases where MD4 could still be used in some
older protocols.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 94f1fe6f63 ('Remove master key
extraction from tls_connection_get_keys()') left only fetching of
server/client random, but did not rename the function and structure to
minimize code changes. The only name is quite confusing, so rename this
through the repository to match the new purpose.
Signed-off-by: Jouni Malinen <j@w1.fi>