Commit graph

594 commits

Author SHA1 Message Date
Jouni Malinen
9a0edf1700 wlantest: Add PTK derivation support with SAE, OWE, DPP
wlantest build did not define build options to determine key management
values for SAE, OWE, and DPP. Add those and the needed SHA512 functions
to be able to decrypt sniffer captures with PMK available from an
external source.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-10 21:58:10 +02:00
Jouni Malinen
12da39b389 crypto: Allow up to 10 fragments for hmac_sha*_vector()
This increases the limit of how many data fragments can be supported
with the internal HMAC implementation. The previous limit was hit with
some FT use cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-26 17:04:54 +02:00
Jouni Malinen
297d69161b OpenSSL: Fix memory leak in TOD policy validation
Returned policies from X509_get_ext_d2i() need to be freed.

Fixes: 21f1a1e66c ("Report TOD policy")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-07 20:40:12 +02:00
Daniel Kobras
18780c6d67 OpenSSL: Add support for TPM2-wrapped keys
If the header of a PEM-formatted certificate or key in private_key file
indicates that it is wrapped with a TPM2 key, try to autoload the
appropriate OpenSSL engine that can transparently unwrap the key. This
enables systems to use TPM2-wrapped keys as drop-in replacements to
ordinary SSL keys.

This functionality needs
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git
to be installed as an OpenSSL engine.

Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
2019-12-29 11:28:19 +02:00
Jouni Malinen
b2e2a8588d OpenSSL: Extend key_block size determination to support GCM/CCM ciphers
These ciphers do not use a separate MAC algorithm, so digest nid will be
NID_undef. In addition, the fixed_iv_length needs to be set to 4 which
is the implicit part of the IV from PRF. This is needed to fix EAP-FAST
key derivation for cases where GCM/CCM ciphers are used for TLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-23 20:02:45 +02:00
Jouni Malinen
de580bf6c4 crypto: Remove unused crypto_bignum_sqrtmod()
This wrapper function is not used anymore, so drop it instead of trying
to figure out good way of implementing it in constant time with various
crypto libraries.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
1766e608ba wolfSSL: Fix crypto_bignum_sub()
The initial crypto wrapper implementation for wolfSSL seems to have
included a copy-paste error in crypto_bignum_sub() implementation that
was identical to crypto_bignum_add() while mp_sub() should have been
used instead of mp_add().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-14 19:38:41 +03:00
Jouni Malinen
2a1c84f4e5 crypto: Add more bignum/EC helper functions
These are needed for implementing SAE hash-to-element.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-14 19:38:41 +03:00
Jouni Malinen
100b2edb28 OpenSSL: Write peer certificate chain details in debug log
This makes it more convenient to debug TLS certificate validation
issues.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-19 16:34:22 +03:00
Jouni Malinen
52069c7eff Add TLS-PRF using HMAC with P_SHA384 for TEAP
This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-16 21:16:37 +03:00
Jouni Malinen
a647a0ad75 Extend server certificate TOD policy reporting to include TOD-TOFU
The previously used single TOD policy was split into two policies:
TOD-STRICT and TOD-TOFU. Report these separately in the
CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for
TOD-TOFU).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-16 16:40:31 +03:00
Jouni Malinen
1c7e61a35a wolfssl: Avoid void pointer arithmetic
This is a compiler specific extension and not compliant with the C
standard.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-06 13:12:37 +03:00
Jouni Malinen
d001fe31ab OpenSSL: Handle EVP_PKEY_derive() secret_len changes for ECDH
It looks like EVP_PKEY_derive() may change the returned length of the
buffer from the initial length determination (NULL buffer) to the
fetching of the value. Handle this by updating the secret length based
on the second call instead of the first one. This fixes some cases where
ECDH result has been used with extra data (zeros in the end) with OWE or
FILS PFS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-04 15:03:08 +03:00
Jouni Malinen
c65168ccd2 OpenSSL: Fix crypto_bignum_to_bin() with padlen == 0
The earlier change to add support for BN_bn2binpad() and
BN_bn2bin_padded() broke this function for cases where no padding is
used (padlen == 0). Those would have always failed after the changes and
the function would return -1. There are no such cases in the current
hostap.git, so this did not have any real issues, but anyway, better fix
this function to match its documentation.

Fixes: 1e237903f5 ("OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-03 16:28:02 +03:00
Jouni Malinen
b8491ae5ac OpenSSL: Fix build with LibreSSL and BoringSSL
The new certificate chain debug dumps used functions that are not
available with LibreSSL or BoringSSL.

Fixes: 857edf4bf4 ("OpenSSL: More debug prints of configured ciphers and certificates")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-13 22:49:46 +03:00
Jouni Malinen
7456cf57d3 OpenSSL: Fix TLS_CONN_TEAP_ANON_DH build with some library versions
The OPENSSL_VERSION_NUMBER ifdef block left out the local variable that
is needed with all versions. In addition, SSL_set_security_level() is
not available with LibreSSL or BoringSSL.

Fixes: 3ec65a8e38 ("OpenSSL: Allow anon-DH cipher suites to be added for TEAP")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-13 22:49:22 +03:00
Jouni Malinen
20f1cfc5b2 OpenSSL: Fix build with OpenSSL 1.0.2 and 1.1.0 and LibreSSL
The tls_connection_get_cipher_suite() implementation used
SSL_CIPHER_get_protocol_id which was added in OpenSSL 1.1.1. Need to use
compatibility code with older versions.

Fixes: 94714ec341 ("OpenSSL: Add tls_connection_get_cipher_suite()")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-13 22:49:08 +03:00
Jouni Malinen
0ef509f15e OpenSSL: Parse msg_callback inner content type into debug messages
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-12 22:42:13 +03:00
Jouni Malinen
8b57a37808 OpenSSL: disable TLS 1.3 middlebox compatibility
This will hopefully not be needed for EAP-TLS use cases since there
should not really be a middlebox that looks at the TLS layer details in
case of EAP authentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-12 22:29:33 +03:00
Jouni Malinen
e2722bf81d OpenSSL: Allow two server certificates/keys to be configured on server
hostapd EAP server can now be configured with two separate server
certificates/keys to enable parallel operations using both RSA and ECC
public keys. The server will pick which one to use based on the client
preferences for the cipher suite (in the TLS ClientHello message). It
should be noted that number of deployed EAP peer implementations do not
filter out the cipher suite list based on their local configuration and
as such, configuration of alternative types of certificates on the
server may result in interoperability issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-12 18:13:10 +03:00
Jouni Malinen
857edf4bf4 OpenSSL: More debug prints of configured ciphers and certificates
This adds TLS server mode debug prints to make it easier to see what
exactly has been configured in OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-11 22:40:08 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
Jouni Malinen
fd7778b5ed Return success/failure result from tls_prf_sha256()
The hash functions used within this function could fail in theory, so
provide the result to the caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:38:32 +03:00
Jouni Malinen
3ec65a8e38 OpenSSL: Allow anon-DH cipher suites to be added for TEAP
Add a new TLS_CONN_* flag to provide a higher level mechanism for adding
(instead of fully replacing) allowed list of TLS ciphersuites for TEAP
provisioning purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:38:32 +03:00
Jouni Malinen
94714ec341 OpenSSL: Add tls_connection_get_cipher_suite()
This can be used to fetch the 16-bit TLS cipher suite identifier.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:10:44 +03:00
Jouni Malinen
063d28ec83 OpenSSL: Reject empty cipher list in tls_connection_set_cipher_list()
Previously, this invalid call would have resulted in printing out a
string from uninitialized memory

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:10:44 +03:00
Jouni Malinen
3af37ece19 Add tls_get_tls_unique() to fetch "tls-unique" for channel binding
This implements "tls-unique" derivation per RFC 5929, Section 3. This
will be needed for channel binding, e.g., with EAP-TEAP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:10:44 +03:00
Jouni Malinen
84db90e484 OpenSSL: Send cert event for the peer even on CA cert failure
This adds a CTRL-EVENT-EAP-PEER-CERT even for depth=0 even if a depth >
0 certificate results in peer certificate validation error. Previously,
this case resulted in the upper layers not getting any information about
the used peer certificate. Now that information is available, e.g., to
allow server certificate -based overriding of the trust to be done.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-20 23:44:51 +03:00
Jouni Malinen
3539738cf5 OpenSSL: Report peer certificate before stopping due to validation issue
This is needed to allow upper layer software to learn the hash of the
server certificate for allowing user to override trust root
configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:50 +03:00
Jouni Malinen
21f1a1e66c Report TOD policy in peer certificate events
Add tod=1 to CTRL-EVENT-EAP-PEER-CERT events if the peer certificate
includes the TOD policy in the X.509v3 Certificate Policies extension.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:50 +03:00
Jouni Malinen
bc0634da4a Pass full struct to peer certificate callbacks
This makes it easier to add new information to the callbacks without
having to modify each callback function type in EAPOL and EAP code every
time.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:50 +03:00
Santtu Lakkala
8ba809f67b OpenSSL: Allow ca_cert_blob in PEM format
GnuTLS backend already accepts CA cert blobs in both DER and PEM
formats. Implement similar trial-and-error handling in OpenSSL backend.

Signed-off-by: Santtu Lakkala <santtu.lakkala@jolla.com>
2019-05-28 13:39:01 +03:00
Jouni Malinen
31bc66e4d1 More forceful clearing of stack memory with keys
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 16:11:56 +03:00
Jouni Malinen
312ec34e40 UBSan: Avoid dependency on undefined behavior in internal AES operation
The rcons[] and Td4s[] array values need to be type cast explicitly to
u32 for the left shift 24 operation to be defined due to the implicit
conversion to int not handling the case where MSB would become 1 without
depending on UB.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14929
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-25 01:51:12 +03:00
Jouni Malinen
e3b39e62c2 OpenSSL: Fix a memory leak in OCSP handling
If OCSP_resp_find_status() fails with the first OCSP_CERTID, the
generation of the second OCSP_CERTID ended up leaking memory. Fix this
by freeing the previously allocated OCSP_CERTID on that code path.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 21:08:53 +03:00
Jouni Malinen
8925d2010d OpenSSL: Fix memory leak in crypto_dh_derive_secret()
BN_clear() does not free the BIGNUM; it only clears its value. Fix this
memory leak by using the appropriate BN_clear_free() function instead.

Fixes: b11fa98bcb ("Add explicit checks for peer's DH public key")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 18:53:32 +03:00
Jouni Malinen
f9cd1327ad OpenSSL: Fix memory leak in crypto_ecdh_init()
ec_params needs to be freed before returning from the function.
Extension of this function to support BoringSSL introduced this memory
leak and that was later extended to be the only variant and apply to
OpenSSL and LibreSSL cases as well in commit c23e87d0d1 ("OpenSSL:
Replace EVP_PKEY_paramgen() with EC_KEY_new_by_curve_name()").

Fixes: f29761297b ("BoringSSL: Implement crypto_ecdh_init()")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 12:16:03 +03:00
David Woodhouse
6326fa0c40 Fix ENGINE support with OpenSSL 1.1+
Commit 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.

That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.

Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.

Fixes: 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and deprecated APIs")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2019-04-30 12:10:40 +03:00
Jouni Malinen
e0e15fc236 Remove unused crypto_bignum_bits()
This wrapper function is not needed anymore.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-26 17:43:45 +03:00
Jouni Malinen
1e237903f5 OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available
This converts crypto_bignum_to_bin() to use the OpenSSL/BoringSSL
functions BN_bn2binpad()/BN_bn2bin_padded(), when available, to avoid
differences in runtime and memory access patterns depending on the
leading bytes of the BIGNUM value.

OpenSSL 1.0.2 and LibreSSL do not include such functions, so those cases
are still using the previous implementation where the BN_num_bytes()
call may result in different memory access pattern.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-25 19:24:32 +03:00
Jouni Malinen
cb5db189ed Remove the unused crypto_ec_cofactor() function
All users of this wrapper function were removed, so the wrapper can be
removed as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-13 18:28:05 +03:00
Jouni Malinen
6fe3ee722d tests: EAP-pwd local failure in crypto_bignum_rand()
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-13 18:28:05 +03:00
Jouni Malinen
6570949b2c OpenSSL: Fix server side openssl_ecdh_curves configuration with 1.0.2
It looks like SSL_CTX_set1_curves_list() command alone is not sufficient
to enable ECDH curve selection with older OpenSSL versions for TLS
server, so enable automatic selection first and specify the exact list
of curves after that.

This fixes failures in openssl_ecdh_curves test case when hostapd uses
OpenSSL 1.0.2.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-13 18:28:05 +03:00
Jouni Malinen
52b1cb5d73 tests: crypto_hash_finish() failure in eap_pwd_kdf()
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-13 12:53:42 +03:00
Jouni Malinen
c93461c1d9 OpenSSL: Use constant time selection for crypto_bignum_legendre()
Get rid of the branches that depend on the result of the Legendre
operation. This is needed to avoid leaking information about different
temporary results in blinding mechanisms.

This is related to CVE-2019-9494 and CVE-2019-9495.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
d42c477cc7 OpenSSL: Use constant time operations for private bignums
This helps in reducing measurable timing differences in operations
involving private information. BoringSSL has removed BN_FLG_CONSTTIME
and expects specific constant time functions to be called instead, so a
bit different approach is needed depending on which library is used.

The main operation that needs protection against side channel attacks is
BN_mod_exp() that depends on private keys (the public key validation
step in crypto_dh_derive_secret() is an exception that can use the
faster version since it does not depend on private keys).

crypto_bignum_div() is currently used only in SAE FFC case with not
safe-prime groups and only with values that do not depend on private
keys, so it is not critical to protect it.

crypto_bignum_inverse() is currently used only in SAE FFC PWE
derivation. The additional protection here is targeting only OpenSSL.
BoringSSL may need conversion to using BN_mod_inverse_blinded().

This is related to CVE-2019-9494 and CVE-2019-9495.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 17:11:15 +03:00
Jouni Malinen
242e857285 Extend domain_match and domain_suffix_match to allow list of values
These wpa_supplicant network profile parameters could be used to specify
a single match string that would be used against the dNSName items in
subjectAltName or CN. There may be use cases where more than one
alternative match string would be useful, so extend these to allow a
semicolon delimited list of values to be used (e.g.,
"example.org;example.com"). If any of the specified values matches any
of the dNSName/CN values in the server certificate, consider the
certificate as meeting this requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Jouni Malinen
dcc0ccd5b0 wolfSSL: Fix dNSName matching with domain_match and domain_suffix_match
Incorrect gen->type value was used to check whether subjectAltName
contained dNSName entries. This resulted in all domain_match and
domain_suffix_match entries failing to find a match and rejecting the
server certificate. Fix this by checking against the correct type
definition for dNSName.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Ilan Peer
277fa92b37 crypto: Fix unreachable code in tls_prf_sha1_md5()
While commit 1c156e783d ("Fixed tls_prf() to handle keys with
odd length") added support for keys with odd length, the function
never reached this code as the function would return earlier in
case the key length was odd. Fix this by removing the first check
for the key length.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-04-06 17:00:07 +03:00
Jouni Malinen
bf84e78cbc OpenSSL: Fix build with current BoringSSL
SSL_use_certificate_chain_file() is not available in the current
BoringSSL even though the defined OPENSSL_VERSION_NUMBER is large enough
to claim that this function would be present in the OpenSSL API.

Fall back to using SSL_use_certificate_file() with BoringSSL to fix the
build.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-19 18:24:09 +02:00